If endpoint devices used to access restricted networks and systems are not compliant with security policies and cannot pass policy assessment, then privileged information and systems may be at immediate risk. Devices are categorized as government owned (GFE), contractor owned, or personally owned.
A personally owned device is not managed, owned, or leased by the government. Personally owned devices do not meet DoD security standards for privileged access. Access from such an untrusted device puts the network at immediate risk, since these devices may not have ensured confidentiality and integrity requirements. These devices may be managed devices; however, even when subjected to policy assessment, personally owned devices are not allowed for processing classified information or for remote access to privileged data or functions. The intention is to allow approved and limited usage (e.g., for email). Note that a policy assessment solution must be in place for all unmanaged devices before they enter trusted zones.
Contractor-owned endpoints are provided in compliance with a government contract to perform management services. These endpoints must be STIG compliant using the OS STIG and other applicable STIGs and must follow DoD requirements for remaining compliant. The configuration and connection method for privileged access must also comply with government confidentiality and integrity requirements. Thus, the configuration of these devices must be approved by the government as STIG compliant and kept up to date. Remote access for these devices must meet network access control and automated policy assessment requirements.
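The ownership and compliance rules above can be expressed as a single access decision. The following is an added illustration, not text or code from the STIG: it models the three ownership classes, the two access levels the text distinguishes (limited use such as email, and privileged/classified access), and the STIG-compliance and policy-assessment checks; the class names, field names and reason strings are assumptions chosen for this example.

```python
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum


class Ownership(Enum):
    GFE = "government"        # government furnished equipment
    CONTRACTOR = "contractor"
    PERSONAL = "personal"


class Access(Enum):
    LIMITED = "limited"        # approved, limited use, e.g. email
    PRIVILEGED = "privileged"  # remote privileged data/functions or classified processing


@dataclass(frozen=True)
class Endpoint:
    """Attributes a NAC / policy-assessment solution would know about a device (assumed)."""
    ownership: Ownership
    stig_compliant: bool      # configuration matches the government-approved STIG baseline
    passed_assessment: bool   # current automated policy assessment result


def decide(ep: Endpoint, access: Access) -> tuple[bool, str]:
    """Return (allowed, reason) by applying the ownership rules described in the text."""
    if ep.ownership is Ownership.PERSONAL:
        # Personally owned devices never get privileged or classified access,
        # even when they are managed and have passed policy assessment.
        if access is Access.PRIVILEGED:
            return False, "personally owned device: privileged/classified access not allowed"
        # Unmanaged devices must still pass policy assessment to enter a trusted zone.
        if not ep.passed_assessment:
            return False, "personally owned device: policy assessment not passed"
        return True, "personally owned device: limited approved use only"

    # GFE and contractor-owned endpoints: approved STIG baseline plus NAC assessment.
    if not ep.stig_compliant:
        return False, f"{ep.ownership.value}-owned device: not on approved STIG baseline"
    if not ep.passed_assessment:
        return False, f"{ep.ownership.value}-owned device: policy assessment not passed"
    return True, f"{ep.ownership.value}-owned device: STIG compliant and assessment passed"


if __name__ == "__main__":
    # Constructed sample devices for demonstration.
    byod = Endpoint(Ownership.PERSONAL, stig_compliant=False, passed_assessment=True)
    ctr = Endpoint(Ownership.CONTRACTOR, stig_compliant=True, passed_assessment=True)
    for dev, lvl in ((byod, Access.PRIVILEGED), (byod, Access.LIMITED), (ctr, Access.PRIVILEGED)):
        print(dev.ownership.value, lvl.value, decide(dev, lvl))
```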