SRG-NET-000019-RTR-000002 | High | The router must enforce approved authorizations for controlling the flow of information between interconnected networks in accordance with applicable policy. | Information flow control regulates where information is allowed to travel within a network and between interconnected networks. Controlling the flow of network traffic is critical so it does not... |
SRG-NET-000205-RTR-000093 | High | The router must monitor and control traffic at both the external and internal boundary interfaces. | Audit logs are necessary to provide a trail of evidence in case the network is compromised. With this information, the network administrator can devise ways to block the attack and possibly... |
SRG-NET-000168-RTR-000077 | High | The router must encrypt all methods of configured authentication. | Network elements not protected with strong passwords provide the opportunity for anyone to crack the password thus gaining access to the system and the network. All passwords must be kept and... |
SRG-NET-000025-RTR-000019 | High | The router must uniquely authenticate source domains for information transfer. | Identifying source and destination addresses for information flows within the network allows forensic reconstruction of events when required, and increases policy compliance by attributing policy... |
SRG-NET-000230-RTR-000111 | High | The router must protect the authenticity of communications sessions. | Peering neighbors must have a level of trust with each other since information sharing is used to provide network services, connectivity, and optimized routing. Corrupted or erroneous information... |
SRG-NET-000132-RTR-000036 | High | The router must prohibit or restrict network traffic in accordance with organizationally defined requirements for non-secure ports, protocols, and/or services. | A compromised network element introduces risk to the entire network infrastructure as well as data resources that are accessible via the network. The perimeter defense has no oversight or control... |
SRG-NET-000027-RTR-000032 | High | The router must uniquely authenticate destination domains for information transfer. | Identifying source and destination addresses for information flows within the network allows forensic reconstruction of events when required, and increases policy compliance by attributing policy... |
SRG-NET-000191-RTR-000079 | High | The router must protect against or limit the effects of denial of service attacks. | A router experiencing a DoS attack will not be able to handle production traffic load. The high utilization and CPU load caused by a DoS attack will also have an effect on control keep-alives and... |
SRG-NET-000015-RTR-NA | High | The network element must enforce the assigned privilege level for each administrator and authorizations for access to all commands relative to the privilege level in accordance with applicable policy for the device. | The use of Authentication, Authorization, and Accounting (AAA) affords the best methods for controlling user access, authorization levels, and activity logging. Privilege levels, as well as what... |
SRG-NET-000019-RTR-000008 | Medium | The router must be configured with a filter to deny all traffic applied to all inactive interfaces. | Without a filter configured to deny all traffic on inactive interfaces, a router interface connected to an external network will expose the router and backbone network to malicious traffic. |
SRG-NET-000019-RTR-000009 | Medium | The router must protect perimeter routers connected to an Alternate Gateway by configuring an inbound filter that only permits packets with destination addresses within the site's address space. | Enclaves with Alternate Gateway connections must take additional steps to ensure there is no compromise on the enclave network or NIPRNet. Without verifying the destination address of traffic... |
SRG-NET-000019-RTR-000004 | Medium | The router must bind a PIM neighbor filter to interfaces that have PIM enabled. | Protocol Independent Multicast (PIM) is a routing protocol used to build multicast distribution trees for forwarding multicast traffic across the network infrastructure. PIM traffic must be... |
SRG-NET-000019-RTR-000005 | Medium | The router must establish boundaries for Admin-local or Site-local scope multicast traffic. | A scope zone is an instance of a connected region for a given scope. Zones of the same scope cannot overlap while zones of a smaller scope will fit completely within a zone of a larger scope. ... |
SRG-NET-000019-RTR-000006 | Medium | The router must have control plane protection enabled. | The Route Processor (RP) is critical to all network operations as it is the component used to build all forwarding paths for the data plane via control plane processes. It is also instrumental... |
SRG-NET-000019-RTR-000007 | Medium | The router must be configured so inactive router interfaces are disabled. | An inactive interface is rarely monitored or controlled and may expose a network to an undetected attack on those interfaces. Disgruntled or unsatisfied employees are an inside threat, launching... |
SRG-NET-000019-RTR-000003 | Medium | The router must disable Protocol Independent Multicast (PIM) on all interfaces that are not required to support multicast routing. | A scope zone is an instance for a connected region of a given scope. Zones of the same scope cannot overlap while zones of a smaller scope will fit completely within a zone of a larger scope. ... |
SRG-NET-000165-RTR-NA | Medium | The network element must enforce authorized access to the corresponding private key for PKI-based authentication. | The principal factor of PKI implementation is the private key used to encrypt or digitally sign information. If the private key is discovered, an attacker can use the key to authenticate as an... |
SRG-NET-000132-RTR-000043 | Medium | The router must not have Courier Remote Procedure Call (COURIER) enabled. | A compromised network element introduces risk to the entire network infrastructure as well as data resources that are accessible via the network. The perimeter defense has no oversight or control... |
SRG-NET-000205-RTR-000094 | Medium | The router must block all inbound traceroutes to prevent network discovery by unauthorized users. | The traceroute tool will display routes and trip times on an IP network. An attacker can use traceroute responses to create a map of the subnets and hosts behind the perimeter router, just as... |
SRG-NET-000205-RTR-000095 | Medium | The router must apply ingress filters entering the network to the external interface in the inbound direction. | Filters are used to separate data traffic into that which it will route (permitted packets) and that which it will not route (denied packets). Secure configuration of routers makes use of... |
SRG-NET-000205-RTR-000096 | Medium | The router must apply egress filters leaving the network to the internal interface in the inbound direction. | Filters are used to separate data traffic into that which it will route (permitted packets) and that which it will not route (denied packets). Secure configuration of routers makes use of... |
SRG-NET-000205-RTR-000097 | Medium | The router must block, deny, or drop inbound IP packets with a local host loopback address (127.0.0.0/8) at the perimeter device. | This type of IP address spoofing occurs when someone outside the network uses a local host address to gain access to systems or devices on the internal network. If the intruder is successful,... |
SRG-NET-000205-RTR-000098 | Medium | The router must block, deny, or drop inbound IP packets using a link-local address space (169.254.0.0/16) at the perimeter device. | This type of IP address spoofing occurs when someone outside the network uses a link-local address to gain access to systems or devices on the internal network. If the intruder is successful,... |
SRG-NET-000205-RTR-000099 | Medium | The router must block, deny, or drop inbound IP packets using an RFC 1918 address space (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16) at the perimeter device. | This type of IP address spoofing occurs when someone outside the network uses an RFC 1918 address to gain access to systems or devices on the internal network. If the intruder is successful, they... |
SRG-NET-000132-RTR-000048 | Medium | The router must prohibit or restrict Protocol-Independent Multicast Source Specific Multicast (PIM-SSM) traffic in accordance with organizationally defined requirements for non-secure ports, protocols, and/or services. | A compromised network element introduces risk to the entire network infrastructure as well as data resources that are accessible via the network. The perimeter defense has no oversight or control... |
SRG-NET-000123-RTR-NA | Medium | The network element must limit privileges to change software resident within software libraries, including privileged programs. | Changes to any software components of the network element can have significant effects on the overall security of the network. Therefore, only qualified and authorized individuals should be... |
SRG-NET-000268-RTR-NA | Medium | The network element must respond to security function anomalies in accordance with organizationally defined responses and alternative actions. | The need to verify security functionality is necessary to ensure that the network element's defense is enabled. For those security functions that are not able to execute automated self-tests the... |
SRG-NET-000016-RTR-NA | Medium | The network element must enforce dual authorization based on organizational policies and procedures for organization defined privileged commands. | Dual authorization mechanisms require two forms of approval to execute. An organization may determine certain commands or network element configuration changes require dual-authorization before... |
SRG-NET-000152-RTR-NA | Medium | The network element must dynamically manage identifiers, attributes, and associated access authorizations. | Web services are web applications that provide a method of communication between two or more different electronic devices. They are normally used by applications to provide each other with data. ... |
SRG-NET-000189-RTR-NA | Medium | The network element must implement security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers. | The network element isolates security functions from non-security functions by means of an isolation boundary (implemented via partitions and domains) controlling access to and protecting the... |
SRG-NET-000194-RTR-000082 | Medium | The router must limit the use of resources by priority. | Different applications have unique requirements and tolerance levels for delay, jitter, bandwidth, packet loss, and availability. To manage the multitude of applications and services, a network... |
SRG-NET-000201-RTR-000087 | Medium | The router must prevent access into the organization's internal networks except as explicitly permitted and controlled by employing boundary protection devices. | The enclave's internal network contains the servers where mission critical data and applications reside. There should never be connection attempts made to these devices from any host outside of... |
SRG-NET-000187-RTR-NA | Medium | The network element must implement an isolation boundary to minimize the number of non-security functions included within the boundary containing security functions. | The network element isolates security functions from non-security functions by means of an isolation boundary (implemented via partitions and domains) controlling access to and protecting the... |
SRG-NET-000186-RTR-NA | Medium | The network element must isolate security functions used to enforce access and information flow control from both non-security functions and other security functions. | The network element isolates security functions from non-security functions by means of an isolation boundary (implemented via partitions and domains) controlling access to and protecting the... |
SRG-NET-000038-RTR-NA | Medium | The network element must enforce the organizationally defined maximum number of consecutive invalid login attempts. | A malicious or unauthorized user could gain access to a network element by guessing or using methods such as dictionary attack, word list substitution, or brute force attack, all of which... |
SRG-NET-000026-RTR-000029 | Medium | The router must uniquely identify destination domains for information transfer. | Identifying source and destination addresses for information flows within the network allows forensic reconstruction of events when required, and increases policy compliance by attributing policy... |
SRG-NET-000037-RTR-NA | Medium | The network element must be configured to automatically disable the device if any of the organization defined list of security violations are detected. | To reduce or eliminate the risk of the network or the network element itself being compromised, the device must be configured to disable itself depending on the violation or when it is not able to... |
SRG-NET-000029-RTR-NA | Medium | The network element must enforce dynamic traffic flow control based on policy allowing or disallowing flows based on traffic types and rates within or out of profile. | Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled so... |
SRG-NET-000063-RTR-NA | Medium | The network element must be configured to use cryptography to protect the integrity of remote access sessions. | Remote access services enable users outside of the enclave to have access to data and services within the private network. In many instances these connections traverse the Internet. Remote... |
SRG-NET-000229-RTR-NA | Medium | The network element must take corrective action when unauthorized mobile code is identified. | The mobile code paradigm encompasses programs that can be executed on one or several hosts other than the one they originate from. Mobility of such programs implies some built-in capability for... |
SRG-NET-000127-RTR-NA | Medium | The network element must employ automated mechanisms to centrally verify configuration settings. | Uncoordinated or incorrect configuration changes to network components can potentially lead to network outages and possibly compromises. Centrally managing configuration changes for network... |
SRG-NET-000205-RTR-000102 | Medium | The router must ensure IPv6 Site-Local Unicast addresses (FEC0::/10) are not defined in the enclave. Note that this consists of all addresses that begin with FEC, FED, FEE, and FEF. | As currently defined, site-local addresses are ambiguous and can be present in multiple sites. The address itself does not contain any indication of the site to which it belongs. The use of... |
SRG-NET-000205-RTR-000103 | Medium | The router must block IPv6 Site-Local Unicast addresses (FEC0::/10) on the ingress filter. Note that this consists of all addresses that begin with FEC, FED, FEE, and FEF. | As currently defined, site-local addresses are ambiguous and can be present in multiple sites. The address itself does not contain any indication of the site to which it belongs. The use of... |
SRG-NET-000205-RTR-000100 | Medium | The router must be configured to reject the Routing Header extension types 0, 1, and 3 - 255 in an IPv6 enclave. | The Routing Header is used by an IPv6 source to specify a list of intermediate nodes that a packet has to traverse on the path to its destination. If the packet cannot take the path, it is... |
SRG-NET-000205-RTR-000101 | Medium | The router must drop IPv6 6-to-4 addresses with a prefix of 2002::/16 at the perimeter by the ingress and egress filters. | "6-to-4" is a tunneling IPv6 transition mechanism [RFC 3056]. The guidance is the default case, which assumes that 6-to-4 is not being used as an IPv6 transition mechanism. Drop all inbound... |
SRG-NET-000205-RTR-000106 | Medium | The router must block IPv6 well-known multicast addresses (FF00::/8) on the ingress and egress inbound filters. | The following well-known multicast addresses are predefined and shall never be assigned to any multicast group. Reserved Multicast Addresses: FF00:0:0:0:0:0:0:0 FF08:0:0:0:0:0:0:0 ... |
SRG-NET-000205-RTR-000107 | Medium | The router must block IPv6 Unique Local Unicast addresses (FC00::/7) on the ingress and egress filters. Note that this consists of all addresses that begin with FC or FD. | The IANA has assigned the FC00::/7 prefix to Unique Local Unicast addresses. Unique Local Address (ULA) is a routable address that is not intended to be on the Internet. Site border routers... |
SRG-NET-000205-RTR-000104 | Medium | The router must restrict the device from accepting any inbound IP packets with a local host loopback address (::1/128). | The unicast address 0:0:0:0:0:0:0:1, also written as ::1/128, is called the loopback address. A node could use it to send an IPv6 packet to itself. It should never be assigned to any physical... |
SRG-NET-000205-RTR-000105 | Medium | The router must restrict the acceptance of any IP packets from the unspecified address (::/128). | The address 0:0:0:0:0:0:0:0, also written as ::/128, is called the unspecified address. It must never be assigned to any node. It indicates the absence of an address. One example of its use is... |
SRG-NET-000205-RTR-000108 | Medium | The router must configure the maximum hop limit value to at least the value of 32. | The Neighbor Discovery protocol allows a hop limit value to be advertised by routers in a Router Advertisement message to be used by hosts instead of the standardized default value. If a very... |
SRG-NET-000205-RTR-000109 | Medium | The perimeter router must be configured to drop all inbound and outbound IPv6 packets containing a Hop-by-Hop header with invalid option type values. | These options are intended to be for the Destination Options header only. The optional and extensible natures of the IPv6 extension headers require higher scrutiny since many implementations do... |
SRG-NET-000071-RTR-NA | Medium | The network element must monitor for unauthorized connections of mobile devices to information systems. | Wireless services enable users within close proximity of access points to have access to data and services within the private network. The security boundary of a Wireless LAN extends from the... |
SRG-NET-000168-RTR-000078 | Medium | The router must use NIST-validated FIPS 140-2 cryptography to implement authentication encryption mechanisms. This applies to passwords and routing protocol authentication. | Network elements not protected with strong passwords provide the opportunity for anyone to crack the password thus gaining access to the system and the network. All passwords must be kept and... |
SRG-NET-000220-RTR-NA | Medium | The network element must employ FIPS-validated cryptography to protect unclassified information. | Cryptography is only as strong as the encryption modules/algorithms that are employed to encrypt the data. Use of weak or untested encryption algorithms undermines the purposes of utilizing... |
SRG-NET-000125-RTR-NA | Medium | The network element must employ automated mechanisms to centrally manage configuration settings. | Uncoordinated or incorrect configuration changes to network components can potentially lead to network outages and possibly compromises. Centrally managing configuration changes for network... |
SRG-NET-000060-RTR-NA | Medium | The network element must allow the association of security attributes with information by authorized system administrators. | Security attributes are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information. These attributes are... |
SRG-NET-000061-RTR-NA | Medium | The network element must employ automated mechanisms to monitor and control remote access methods. | Remote access services enable users outside of the enclave to have access to data and services within the private network. In many instances these connections traverse the Internet. Monitoring... |
SRG-NET-000070-RTR-NA | Medium | The network element must protect wireless access to the network using encryption. | The security boundary of a Wireless LAN (WLAN) extends from the client device to the network boundary where network access is controlled. This boundary represents the portion of the network most... |
SRG-NET-000132-RTR-000053 | Medium | The router must not have Internet Relay Chat (IRC) enabled. | A compromised network element introduces risk to the entire network infrastructure as well as data resources that are accessible via the network. The perimeter defense has no oversight or control... |
SRG-NET-000132-RTR-000052 | Medium | The router must prohibit or restrict Multicast Source Discovery Protocol (MSDP) traffic in accordance with organizationally defined requirements for non-secure ports, protocols, and/or services. | A compromised network element introduces risk to the entire network infrastructure as well as data resources that are accessible via the network. The perimeter defense has no oversight or control... |
SRG-NET-000132-RTR-000050 | Medium | The router must not have Identification (IDENT) enabled. | A compromised network element introduces risk to the entire network infrastructure as well as data resources that are accessible via the network. The perimeter defense has no oversight or control... |
SRG-NET-000132-RTR-000057 | Medium | The router must not have SHELL enabled. | A compromised network element introduces risk to the entire network infrastructure as well as data resources that are accessible via the network. The perimeter defense has no oversight or control... |
SRG-NET-000132-RTR-000056 | Medium | The router must not have Microsoft Teredo enabled. | A compromised network element introduces risk to the entire network infrastructure as well as data resources that are accessible via the network. The perimeter defense has no oversight or control... |
SRG-NET-000132-RTR-000055 | Medium | The router must not have Remote Login (LOGIN) enabled. | A compromised network element introduces risk to the entire network infrastructure as well as data resources that are accessible via the network. The perimeter defense has no oversight or control... |
SRG-NET-000132-RTR-000054 | Medium | The router must prohibit or restrict Intermediate System To Intermediate System (IS-IS) traffic in accordance with organizationally defined requirements for non-secure ports, protocols, and/or services. | A compromised network element introduces risk to the entire network infrastructure as well as data resources that are accessible via the network. The perimeter defense has no oversight or control... |
SRG-NET-000219-RTR-NA | Medium | The network element must employ cryptographic protections using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. | Whether a network is being managed locally or from a Network Operations Center (NOC), achieving network management objectives depends on comprehensive and reliable network management solutions. ... |
SRG-NET-000132-RTR-000059 | Medium | The router must not have Simple File Transfer Protocol (SFTP) enabled. | A compromised network element introduces risk to the entire network infrastructure as well as data resources that are accessible via the network. The perimeter defense has no oversight or control... |
SRG-NET-000132-RTR-000058 | Medium | The router must not have SIDEWINDER-COBRA enabled. | A compromised network element introduces risk to the entire network infrastructure as well as data resources that are accessible via the network. The perimeter defense has no oversight or control... |
SRG-NET-000025-RTR-000024 | Medium | The router must enable authentication for all IS-IS peers. | A rogue router could send a fictitious routing update to convince a site's perimeter router to send traffic to an incorrect or even a rogue destination. This diverted traffic could be analyzed... |
SRG-NET-000134-RTR-NA | Medium | The network element must employ automated mechanisms to detect the addition of unauthorized components or devices. | Centrally managing configuration changes for network elements can ensure they are done at the correct time and if necessary in synchronization with each other which can be vital for nodes that... |
SRG-NET-000161-RTR-NA | Medium | The network element must enforce password encryption for transmission. | Authorization for access to any network element requires an approved and assigned individual account identifier. To ensure only the assigned individual is using the account, the account holder... |
SRG-NET-000177-RTR-NA | Medium | The network element must enforce identification and authentication for the establishment of nonlocal maintenance and diagnostic sessions. | Lack of authentication enables anyone to gain access to the network or possibly a network element providing opportunity for intruders to compromise resources within the network infrastructure. ... |
SRG-NET-000133-RTR-NA | Medium | The network element must employ automated mechanisms to prevent program execution in accordance with organizationally defined specifications. | A compromised network element introduces risk to the entire network infrastructure as well as data resources that are accessible via the network. The perimeter defense has no oversight or control... |
SRG-NET-000264-RTR-NA | Medium | The network element must analyze outbound communications traffic at selected interior points within the network as deemed necessary to discover anomalies. | Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) devices should be deployed at strategic locations within the network. At a minimum, they should be deployed within the DMZ... |
SRG-NET-000199-RTR-NA | Medium | The network element must prevent discovery of specific system components or devices comprising a managed interface. | Allowing neighbor discovery messages to reach external network nodes is dangerous as it provides an attacker a method to obtain information about the network infrastructure that can be useful to... |
SRG-NET-000191-RTR-000081 | Medium | The router must ensure all eBGP routers are configured to use Generalized TTL Security Mechanism (GTSM). | As described in RFC 3682, the GTSM is designed to protect a router's IP-based control plane from DoS attacks. Many attacks focused on CPU load and line-card overload can be prevented by... |
SRG-NET-000191-RTR-000080 | Medium | The router must protect against inbound IP packets using RFC 5735, RFC 6598 and other network address space allocated by IANA but not assigned by the RIRs for ISP and other end-customer use by blocking, denying, or dropping them at the perimeter device. | This type of IP address spoofing occurs when someone outside the network uses an address that should not be routed or has not been officially assigned to an ISP for use by the RIRs to gain access... |
SRG-NET-000020-RTR-000015 | Medium | The router must enforce information flow control using explicit security attributes on information, source, and destination objects. Security attributes used as a basis for flow control decisions may include, but are not limited to IP addresses, Port numbers, Protocol, Autonomous System Path, and interfaces. | Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled so... |
SRG-NET-000210-RTR-NA | Medium | The network element must protect the confidentiality of transmitted information. | If the organization is relying on a commercial service provider for transmission services as a commodity item rather than a fully dedicated service for both internal and external connectivity, it... |
SRG-NET-000024-RTR-000017 | Medium | The router must uniquely identify source domains for information transfer. | Identifying source and destination addresses for information flows within the network allows forensic reconstruction of events when required, and increases policy compliance by attributing policy... |
SRG-NET-000141-RTR-NA | Medium | The network element must use multifactor authentication for local access to privileged accounts. | Multifactor authentication is defined as using two or more factors to achieve authentication. Factors include: (i) something you know (e.g., password/PIN); (ii) something you have (e.g.,... |
SRG-NET-000163-RTR-NA | Medium | The network element must enforce maximum password lifetime restrictions. | Authorization for access to any network element requires an approved and assigned individual account identifier. To ensure only the assigned individual is using the account, the account holder... |
SRG-NET-000204-RTR-000092 | Medium | The router must monitor and enforce filtering of internal addresses posing a threat to external information systems. | Monitoring and filtering the outbound traffic adds a layer of protection to the enclave, by preventing your network from being used as an attack base. |
SRG-NET-000132-RTR-000051 | Medium | The router must prohibit or restrict ROUTER a.k.a. Routing Information Protocol (RIP) traffic in accordance with organizationally defined requirements for non-secure ports, protocols, and/or services. | A compromised network element introduces risk to the entire network infrastructure as well as data resources that are accessible via the network. The perimeter defense has no oversight or control... |
SRG-NET-000170-RTR-NA | Medium | The network element must employ automated mechanisms to assist in the tracking of security incidents. | Despite the investment in perimeter defense technologies, enclaves are still faced with detecting, analyzing, and remediating network breaches and exploits that have made it past the firewall. An... |
SRG-NET-000260-RTR-NA | Medium | The network element must take an organizationally defined list of least-disruptive actions to terminate suspicious events. | Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) devices should be deployed at strategic locations within the network. At a minimum, they should be deployed within the DMZ... |
SRG-NET-000256-RTR-NA | Medium | The network element must monitor inbound and outbound communications for unusual or unauthorized activities or conditions. | Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) devices should be deployed at strategic locations within the network. At a minimum, they should be deployed within the DMZ... |
SRG-NET-000049-RTR-NA | Medium | The network element must notify the user of the number of unsuccessful login attempts since the last successful login. | Providing users with information regarding the date and time of their last successful login allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to... |
SRG-NET-000176-RTR-NA | Medium | The network element must employ cryptographic mechanisms to protect the integrity and confidentiality of nonlocal maintenance and diagnostic communications. | Network management is the process of monitoring network elements and links, configuring network elements, and enabling network services. Network management also includes the collection of... |
SRG-NET-000131-RTR-000035 | Medium | The router must not have unnecessary services and functions enabled. | A compromised network element introduces risk to the entire network infrastructure as well as data resources that are accessible via the network. The perimeter defense has no oversight or control... |
SRG-NET-000132-RTR-000037 | Medium | The router must not have FINGER enabled. | A compromised network element introduces risk to the entire network infrastructure as well as data resources that are accessible via the network. The perimeter defense has no oversight or control... |
SRG-NET-000246-RTR-NA | Medium | The network element must update malicious code protection mechanisms and signature definitions whenever new releases are available in accordance with organizational configuration management policy and procedures. | Malicious code includes viruses, worms, Trojan horses, and spyware. The code provides the ability for a malicious user to read from and write to files and folders on a computer's hard drive. It... |
SRG-NET-000025-RTR-000028 | Medium | The router must enable authentication for all RIPng peers. | A rogue router could send a fictitious routing update to convince a site's perimeter router to send traffic to an incorrect or even a rogue destination. This diverted traffic could be analyzed... |
SRG-NET-000025-RTR-000025 | Medium | The router must enable authentication for all iBGP peers. | A rogue router could send a fictitious routing update to convince a site's perimeter router to send traffic to an incorrect or even a rogue destination. This diverted traffic could be analyzed... |
SRG-NET-000025-RTR-000027 | Medium | The router must enable authentication for all OSPF v3 peers. | A rogue router could send a fictitious routing update to convince a site's perimeter router to send traffic to an incorrect or even a rogue destination. This diverted traffic could be analyzed... |
SRG-NET-000025-RTR-000026 | Medium | The router must enable authentication for all eBGP peers. | A rogue router could send a fictitious routing update to convince a site's perimeter router to send traffic to an incorrect or even a rogue destination. This diverted traffic could be analyzed... |
SRG-NET-000025-RTR-000021 | Medium | The router must enable authentication for all RIPv2 peers. | A rogue router could send a fictitious routing update to convince a site's perimeter router to send traffic to an incorrect or even a rogue destination. This diverted traffic could be analyzed... |
SRG-NET-000025-RTR-000020 | Medium | The router must enable authentication for all IGP and EGP peers. | A rogue router could send a fictitious routing update to convince a site's perimeter router to send traffic to an incorrect or even a rogue destination. This diverted traffic could be analyzed... |
SRG-NET-000025-RTR-000023 | Medium | The router must enable authentication for all OSPF peers. | A rogue router could send a fictitious routing update to convince a site's perimeter router to send traffic to an incorrect or even a rogue destination. This diverted traffic could be analyzed... |
SRG-NET-000025-RTR-000022 | Medium | The router must enable authentication for all EIGRP peers. | A rogue router could send a fictitious routing update to convince a site's perimeter router to send traffic to an incorrect or even a rogue destination. This diverted traffic could be analyzed... |
SRG-NET-000035-RTR-NA | Medium | The network element must audit the use of privileged accounts when accessing configuration and operational commands enabled for non-privileged accounts. | Each account should grant access to only those privileges for which the system administrator is authorized. By not restricting system administrators to their proper privilege levels, access to... |
SRG-NET-000288-RTR-NA | Medium | The network element must prevent the download of prohibited mobile code. | Decisions regarding the employment of mobile code within network elements are based on the potential for the code to cause damage to the system if used maliciously. Mobile code technologies... |
SRG-NET-000146-RTR-NA | Medium | The network element must use organizationally defined replay-resistant authentication mechanisms for network access to privileged accounts. | Authorization for access to any network element requires an approved and assigned individual account identifier. The authenticator must be a separate device than the target device to which the... |
SRG-NET-000251-RTR-NA | Medium | The network element must automatically update malicious code protection mechanisms and rule definitions. | Malicious code includes viruses, worms, Trojan horses, and spyware. It can be transported by electronic mail, mail attachments, web accesses, removable media, or other common means. Malicious... |
SRG-NET-000224-RTR-NA | Medium | The network element must protect the integrity and availability of publicly available information and applications. | Public-facing servers enable access to information to clients outside of the enclave. These servers are subject to greater exposure to attacks. It is imperative that the integrity of the data be... |
SRG-NET-000069-RTR-NA | Medium | The network element must protect wireless access to the network using authentication. | The security boundary of a Wireless LAN (WLAN) extends from the client device to the network boundary where network access is controlled. This boundary represents the portion of the network most... |
SRG-NET-000269-RTR-NA | Medium | The network element must provide notification of failed automated security tests. | Upon detection of a failure of an automated security self-test, the network element must respond in accordance with organization defined responses and alternative actions. Without taking any... |
SRG-NET-000064-RTR-NA | Medium | The network element must route all remote access traffic through managed access control points. | Remote access services enable users outside of the enclave to have access to data and services within the private network. In many instances these connections traverse the Internet. Regardless... |
SRG-NET-000214-RTR-NA | Medium | The network element must establish a trusted communications path between the user and organizationally defined security functions within the information system. | To safeguard critical information that could be used by a malicious user to compromise the device or the entire network infrastructure, a trusted path is required for high-confidence connections... |
SRG-NET-000058-RTR-NA | Medium | The network element must allow the change of security attributes by authorized administrators. | Security attributes are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information. These attributes are... |
SRG-NET-000014-RTR-NA | Medium | The network element must be configured to dynamically manage administrative privileges and associated command authorizations. | Web services are web applications that provide a method of communication between two or more different electronic devices. They are normally used by applications to provide each other with data. ... |
SRG-NET-000164-RTR-000076 | Medium | The router must validate certificates used for PKI-based authentication by constructing a certification path with status information to an accepted trust anchor for routing protocol authentication. | A trust anchor is an authoritative entity represented via a public key. Within a chain of trust, the top entity to be trusted is the "root certificate" or "trust anchor" such as a Certification... |
SRG-NET-000039-RTR-NA | Medium | The network element must enforce the organizationally defined time period over which the number of invalid login attempts are counted. | A malicious or unauthorized user could gain access to a network element by guessing or using methods such as dictionary attack, word list substitution, or brute force attack, all of which... |
SRG-NET-000286-RTR-NA | Medium | The network element must protect the audit records of nonlocal accesses to privileged accounts and the execution of privileged functions. | Auditing may not be reliable when performed by the network element to which the user being audited has privileged access. The privileged user may inhibit auditing or modify audit records. This... |
SRG-NET-000154-RTR-NA | Medium | The network element must prohibit password reuse for the organizationally defined number of generations. | Authorization for access to any network element requires an approved and assigned individual account identifier. To ensure only the assigned individual is using the account, the account holder... |
SRG-NET-000167-RTR-NA | Medium | The network element must obscure feedback of authentication information during the authentication process to protect the information from possible use by unauthorized individuals. | Authorization for access to any network element requires an approved and assigned individual account identifier. To ensure that only the assigned individual is using the account, the account... |
SRG-NET-000132-RTR-000044 | Medium | The router must not have Filter List Manager/Anti Network Terrorism (FLM-ANT) enabled. | A compromised network element introduces risk to the entire network infrastructure as well as data resources that are accessible via the network. The perimeter defense has no oversight or control... |
SRG-NET-000132-RTR-000045 | Medium | The router must prohibit or restrict Open Shortest Path First (OSPF) traffic in accordance with organizationally defined requirements for non-secure ports, protocols, and/or services. | A compromised network element introduces risk to the entire network infrastructure as well as data resources that are accessible via the network. The perimeter defense has no oversight or control... |
SRG-NET-000132-RTR-000046 | Medium | The router must prohibit or restrict Protocol-Independent Multicast Dense Mode (PIM-DM) traffic in accordance with organizationally defined requirements for non-secure ports, protocols, and/or services. | A compromised network element introduces risk to the entire network infrastructure as well as data resources that are accessible via the network. The perimeter defense has no oversight or control... |
SRG-NET-000132-RTR-000047 | Medium | The router must prohibit or restrict Protocol-Independent Multicast Sparse Mode (PIM-SM) traffic in accordance with organizationally defined requirements for non-secure ports, protocols, and/or services. | A compromised network element introduces risk to the entire network infrastructure as well as data resources that are accessible via the network. The perimeter defense has no oversight or control... |
SRG-NET-000132-RTR-000040 | Medium | The router must prohibit or restrict Bidirectional Protocol-Independent Multicast (BIDIR-PIM) in accordance with organizationally defined requirements for non-secure ports, protocols, and/or services. | A compromised network element introduces risk to the entire network infrastructure as well as data resources that are accessible via the network. The perimeter defense has no oversight or control... |
SRG-NET-000132-RTR-000041 | Medium | The router must prohibit or restrict Border Gateway Protocol (BGP) traffic in accordance with organizationally defined requirements for non-secure ports, protocols, and/or services. | A compromised network element introduces risk to the entire network infrastructure as well as data resources that are accessible via the network. The perimeter defense has no oversight or control... |
SRG-NET-000132-RTR-000042 | Medium | The router must not have Background File Transfer Program (BFTP) enabled. | A compromised network element introduces risk to the entire network infrastructure as well as data resources that are accessible via the network. The perimeter defense has no oversight or control... |
SRG-NET-000132-RTR-000049 | Medium | The router must not have Gopher Protocol (GOPHER) enabled. | A compromised network element introduces risk to the entire network infrastructure as well as data resources that are accessible via the network. The perimeter defense has no oversight or control... |
SRG-NET-000181-RTR-NA | Medium | The router must be configured to detect the presence of unauthorized software on organizational information systems. | Malicious software such as Trojan horses, hacker tools, DDoS (Distributed Denial of Service) agents, and spyware can establish a base on individual desktops and servers. Many of these are not... |
SRG-NET-000174-RTR-NA | Medium | The network element must protect nonlocal maintenance sessions through the use of multifactor authentication which is tightly bound to the user. | Lack of authentication enables anyone to gain access to the network or possibly a network element that provides opportunity for intruders to compromise resources within the network infrastructure.... |
SRG-NET-000266-RTR-NA | Medium | The network element must detect rogue wireless devices, attack attempts, and potential compromises or breaches to the wireless network. | Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) devices should be deployed at strategic locations within the network. At a minimum, they should be deployed within the DMZ... |
SRG-NET-000059-RTR-NA | Medium | The network element must maintain the binding of security attributes to information with sufficient assurance that the information-to-attribute association can be used as the basis for automated policy actions. | Security attributes are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information. These attributes are... |
SRG-NET-000178-RTR-NA | Medium | The network element must terminate all sessions when nonlocal maintenance is completed. | In the event the remote node has abnormally terminated or an upstream link from the managed device is down, the management session will be terminated, thereby freeing device resources and... |
SRG-NET-000253-RTR-NA | Medium | The network element must only update malicious code protection mechanisms when directed by a privileged user. | Malicious code includes viruses, worms, Trojan horses, and spyware. It can be transported by electronic mail, mail attachments, web accesses, removable media, or other common means. Malicious... |
SRG-NET-000287-RTR-NA | Medium | The network element must support organizational requirements to disable the user identifiers after an organizationally defined time period of inactivity. | Inactive user accounts pose a risk to systems and applications. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. Attackers that are... |
SRG-NET-000308-RTR-NA | Medium | The network element must employ FIPS-validated or NSA-approved cryptography to implement digital signatures. | Cryptography is only as strong as the encryption algorithms employed to encrypt the data. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect... |
SRG-NET-000158-RTR-NA | Medium | The network element must enforce password complexity by the number of special characters used. | Authorization for access to any network element requires an approved and assigned individual account identifier. To ensure only the assigned individual is using the account, the account holder... |
SRG-NET-000193-RTR-NA | Medium | The router must manage excess capacity and bandwidth, or have other redundancies to limit the effects of information flooding types of denial of service attacks. | A network element experiencing a DoS attack will not be able to handle production traffic load. The high utilization and CPU load caused by a DoS attack will also have an effect on control... |
SRG-NET-000132-RTR-000039 | Medium | The router must not have ARINC GATEWAY PROTOCOL (ARINC-GATEWAY) enabled. | A compromised network element introduces risk to the entire network infrastructure as well as data resources that are accessible via the network. The perimeter defense has no oversight or control... |
SRG-NET-000132-RTR-000038 | Medium | The router must not have TELNET Service enabled. | A compromised network element introduces risk to the entire network infrastructure as well as data resources that are accessible via the network. The perimeter defense has no oversight or control... |
SRG-NET-000129-RTR-NA | Medium | The network element must ensure detected unauthorized security-relevant configuration changes are tracked. | Uncoordinated or incorrect configuration changes to network components can potentially lead to network outages and possibly compromises. Centrally managing configuration changes for network... |
SRG-NET-000257-RTR-NA | Medium | The network element must provide near real-time alerts when any of the organizationally defined list of compromise or potential compromise indicators occur. | Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) devices should be deployed at strategic locations within the network. At a minimum, they should be deployed within the DMZ... |
SRG-NET-000160-RTR-NA | Medium | The network element must enforce password encryption for storage. | Authorization for access to any network element requires an approved and assigned individual account identifier. To ensure only the assigned individual is using the account, the account holder... |
SRG-NET-000106-RTR-NA | Medium | The network element must use cryptographic mechanisms to protect the integrity of audit log information. | Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what was attempted to be done, where it was done, when it... |
SRG-NET-000002-RTR-NA | Medium | The network element must automatically terminate temporary accounts after an organization defined time period for each type of account. | Authentication for administrative access to the device is required at all times. A single account can be created on the device's local database for use in an emergency such as when the... |
SRG-NET-000273-RTR-NA | Medium | The network element must generate error messages providing information necessary for corrective actions without revealing organizationally defined sensitive or potentially harmful information in error logs and administrative messages that could be exploited. | The extent to which the network element is able to identify and handle error conditions is guided by organizational policy and operational requirements. However, it is imperative that the network... |
SRG-NET-000258-RTR-NA | Medium | The network element must prevent non-privileged users from circumventing intrusion detection and prevention capabilities. | Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) devices should be deployed at strategic locations within the network. At a minimum, they should be deployed within the DMZ... |
SRG-NET-000175-RTR-NA | Medium | The network element must protect nonlocal maintenance sessions by separating the maintenance session from other network sessions with the device, by using either physically separated communications paths, or logically separated communications paths based upon encryption. | Network management is the process of monitoring network elements and links, configuring network elements, and enabling network services. Network management also includes the collection of... |
SRG-NET-000124-RTR-NA | Medium | The network element must automatically implement organizationally defined safeguards and countermeasures if security functions or mechanisms are changed inappropriately. | Changes to any software components of the network element can have significant effects on the overall security of the network. Therefore, only qualified and authorized individuals should be... |
SRG-NET-000122-RTR-NA | Medium | The network element must enforce a two-person rule for changes to organizationally defined information system components and system-level information. | Changes to any software components of the network element can have significant effects on the overall security of the network. Therefore, only qualified and authorized individuals should be... |
SRG-NET-000144-RTR-NA | Medium | The network element must enforce multifactor authentication for network access to privileged accounts where one of the factors is provided by a device separate from the network element being accessed. | Multifactor authentication is defined as: using two or more factors to achieve authentication. Factors include: (i) something you know (e.g., password/PIN); (ii) something you have (e.g.,... |
SRG-NET-000032-RTR-NA | Medium | The network element must enforce organization defined one-way traffic flows using hardware mechanisms. | Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled so... |
SRG-NET-000023-RTR-000016 | Medium | The router must enforce security policies regarding information on interconnected systems. | Transferring information between interconnected information systems of differing security policies introduces the risk of the transfers violating one or more policies. It is imperative that... |
SRG-NET-000228-RTR-NA | Medium | The network element must implement detection and inspection mechanisms to identify unauthorized mobile code. | The mobile code paradigm encompasses programs that can be executed on one or several hosts other than the one they originate from. Mobility of such programs implies some built-in capability for... |
SRG-NET-000267-RTR-NA | Medium | The network element must verify the correct operation of security functions, in accordance with organizationally identified conditions and frequency. | The need to verify security functionality is necessary to ensure that the network element's defense is enabled. For those security functions that are not able to execute automated self-tests the... |
SRG-NET-000132-RTR-000075 | Medium | The router must prohibit or restrict Internet Group Management Protocol (IGMP) traffic in accordance with organizationally defined requirements for non-secure ports, protocols, and/or services. | A compromised network element introduces risk to the entire network infrastructure as well as data resources that are accessible via the network. The perimeter defense has no oversight or control... |
SRG-NET-000132-RTR-000074 | Medium | The router must prohibit or restrict Internet Control Message Protocol version 6 (ICMPv6) traffic in accordance with organizationally defined requirements for non-secure ports, protocols, and/or services. | A compromised network element introduces risk to the entire network infrastructure as well as data resources that are accessible via the network. The perimeter defense has no oversight or control... |
SRG-NET-000132-RTR-000071 | Medium | The router must not have Virtual Network Computing Server (VNC-SERVER) enabled. | A compromised network element introduces risk to the entire network infrastructure as well as data resources that are accessible via the network. The perimeter defense has no oversight or control... |
SRG-NET-000132-RTR-000070 | Medium | The router must not have Symantec-Intruder Alert Agent (SYMANTEC-IA) enabled. | A compromised network element introduces risk to the entire network infrastructure as well as data resources that are accessible via the network. The perimeter defense has no oversight or control... |
SRG-NET-000132-RTR-000073 | Medium | The router must prohibit or restrict Internet Control Message Protocol (ICMP) traffic in accordance with organizationally defined requirements for non-secure ports, protocols, and/or services. | A compromised network element introduces risk to the entire network infrastructure as well as data resources that are accessible via the network. The perimeter defense has no oversight or control... |
SRG-NET-000132-RTR-000072 | Medium | The router must not have Yak Winsock Personal Chat (YAK-CHAT) enabled. | A compromised network element introduces risk to the entire network infrastructure as well as data resources that are accessible via the network. The perimeter defense has no oversight or control... |
SRG-NET-000021-RTR-NA | Medium | The network element must implement role-based management to allow authorized administrators to enable/disable organizationally defined security policy filters. | The use of Authentication, Authorization, and Accounting (AAA) affords the best methods for controlling user access, authorization levels, and activity logging. By enabling AAA on the network... |
SRG-NET-000211-RTR-NA | Medium | The network element must employ cryptographic mechanisms to prevent unauthorized disclosure of information during transmission, unless otherwise protected by alternative physical measures. | If the organization is relying on a commercial service provider for transmission services as a commodity item rather than a fully dedicated service for both internal and external connectivity, it... |
SRG-NET-000206-RTR-000110 | Medium | The router must connect to external networks only through managed interfaces consisting of boundary protection devices arranged in accordance with organizational security architecture. | The router will build a state to allow return traffic for all initiated traffic that is permitted outbound. Monitoring and filtering the outbound traffic adds a layer of protection to the... |
SRG-NET-000213-RTR-NA | Medium | The network element must terminate the connection associated with a communications session at the end of the session or after an organizationally defined time period of inactivity. | Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled between the managed network... |
SRG-NET-000025-RTR-000085 | Medium | The router must be configured so that rotating keys are not used for authenticating IGP peers that have a duration exceeding 180 days. | If the keys used for routing protocol authentication are guessed, the malicious user could create havoc within the network by advertising incorrect routes and redirecting traffic. Changing the... |
SRG-NET-000153-RTR-NA | Medium | The network element must enforce minimum password length. | Authorization for access to any network element requires an approved and assigned individual account identifier. To ensure only the assigned individual is using the account, the account holder... |
SRG-NET-000062-RTR-NA | Medium | The network element must use approved cryptography to protect the confidentiality of remote access sessions. | Remote access services enable users outside of the enclave to have access to data and services within the private network. In many instances these connections traverse the Internet. Remote... |
SRG-NET-000239-RTR-NA | Medium | The network element must employ cryptographic mechanisms to prevent unauthorized disclosure of information at rest. | This control is intended to address the confidentiality and integrity of system information at rest when it is located on a secondary storage device within the network element. It is imperative... |
SRG-NET-000231-RTR-NA | Medium | The network element must invalidate session identifiers upon user logout or other session termination. | Peering neighbors must have a level of trust with each other since information being shared is used to provide network services, connectivity, and optimized routing. Corrupted or erroneous... |
SRG-NET-000289-RTR-NA | Medium | The network element must prevent the execution of prohibited mobile code. | Decisions regarding the employment of mobile code within network elements are based on the potential for the code to cause damage to the system if used maliciously. Mobile code technologies... |
SRG-NET-000197-RTR-NA | Medium | The network element must isolate organizationally defined key information security tools, mechanisms, and support components from other internal information system components via physically separate subnets. | Implementing defense-in-depth by deploying various network security elements at strategic locations, and segregating the enclave into separate subnets with unique security policies to provide... |
SRG-NET-000200-RTR-NA | Medium | The router must enforce strict adherence to protocol format. | Crafted packets not conforming to Institute of Electrical and Electronics Engineers (IEEE) standards can be used by malicious users to exploit a host's protocol stack to create a Denial of Service... |
SRG-NET-000033-RTR-NA | Medium | The network element must enforce information flow control using organization defined security policy filters as a basis for flow control decisions. | Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled so... |
SRG-NET-000120-RTR-NA | Medium | The network element must use automated mechanisms to support auditing of the enforcement actions. | Changes to the hardware or software components of the network element can have significant effects on the overall security of the network. Therefore, only qualified and authorized individuals... |
SRG-NET-000057-RTR-NA | Medium | The network element must dynamically reconfigure security attributes in accordance with an identified security policy as information is created and combined. | Security attributes are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information. These attributes are... |
SRG-NET-000040-RTR-NA | Medium | The network element must automatically lock an account after the maximum number of unsuccessful login attempts is exceeded and remain locked for an organizationally defined time period or until released by an administrator. | A malicious or unauthorized user could gain access to a network element by guessing or using methods such as dictionary attack, word list substitution, or brute force attack, all of which... |
SRG-NET-000019-RTR-000013 | Medium | The router must enforce that the managed network domain and the management network domain are separate routing domains and the IGP instances are not redistributed or advertised to each other. | If the gateway router is not a dedicated device for the OOBM network, several safeguards must be implemented for containment of management and production traffic boundaries. Since the managed... |
SRG-NET-000019-RTR-000012 | Medium | The router must enforce IGP instances configured on the Out Of Band Management (OOBM) gateway router only peer with their own routing domain. | If the gateway router is not a dedicated device for the OOBM network, implementation of several safeguards for containment of management and production traffic boundaries must occur. Since the... |
SRG-NET-000019-RTR-000011 | Medium | The router must enforce redistribution and advertisements from alternate gateway service provider IP addresses to the NIPRNet or to other AS. | Stopping redistribution and advertisements from unsolicited traffic from Alternate Gateway service providers from attempting to enter the NIPRNet by traversing the enclave's perimeter router is... |
SRG-NET-000019-RTR-000010 | Medium | The router must enforce the use of static routes for perimeter routers peered with other routers belonging to an Autonomous System (AS) of an alternate gateway. | The perimeter router will not use a routing protocol to advertise NIPRNet addresses to AGs. Most ISPs use Border Gateway Protocol (BGP) to share route information with other autonomous systems,... |
SRG-NET-000019-RTR-000014 | Medium | The router must enforce that any interface used for OOBM traffic is configured to be passive for the IGP that is utilized on that interface. | The OOBM access switch will connect to the management interface of the managed network elements. The management interface can be a true OOBM interface or a standard interface functioning as the... |
SRG-NET-000150-RTR-NA | Medium | The network element must authenticate devices before establishing wireless network connections using bidirectional authentication between cryptographically based devices. | Without authentication, an unauthorized user can easily connect to a nearby access point (AP) within the enclave. In addition, a rogue AP owned by an attacker can accept connections from ... |
SRG-NET-000151-RTR-NA | Medium | The network element must authenticate devices before establishing network connections using bidirectional authentication between cryptographically based devices. | A network element must have a level of trust with any node wanting to connect to it. The remote node could be a host device requiring a layer 2 connection to the network, or a router wanting to... |
SRG-NET-000139-RTR-NA | Medium | The network element must use multifactor authentication for network access to privileged accounts. | Multifactor authentication is defined as using two or more factors to achieve authentication.
Factors include:
(i) something you know (e.g., password/PIN);
(ii) something you have (e.g.,... |
SRG-NET-000172-RTR-NA | Medium | The network element must use automated mechanisms to restrict the use of maintenance tools to authorized personnel only. | With the growth of widespread network-delivered malware infections, organizations tend to overlook the spread of malware from system to system through removable media. Once an infected medium is... |
SRG-NET-000271-RTR-NA | Medium | The network element must detect unauthorized changes to software and information. | Anomalous behavior and unauthorized changes must be detected before the network element is breached or no longer in service. Identifying the source and method used to make the unauthorized change... |
SRG-NET-000065-RTR-NA | Medium | The network element must monitor for unauthorized remote connections to specific information systems on an organizationally defined frequency. | Remote access services enable users outside of the enclave to have access to data and services within the private network. In many instances these connections traverse the Internet. Monitoring... |
SRG-NET-000250-RTR-NA | Medium | The network element must address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system. | Malicious code includes viruses, worms, Trojan horses, and spyware. The code provides the ability for a malicious user to read from and write to files and folders on a computer's hard drive. It... |
SRG-NET-000227-RTR-NA | Medium | The network element must issue public key certificates under an appropriate certificate policy or obtain public key certificates under an appropriate certificate policy from an approved service provider. | For user certificates, each organization obtains certificates from an approved, shared service provider, as required by OMB policy. For federal agencies operating a legacy public key... |
SRG-NET-000265-RTR-NA | Medium | The network element must detect attack attempts to the wireless network. | Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) devices should be deployed at strategic locations within the network. At a minimum, they should be deployed within the DMZ... |
SRG-NET-000261-RTR-NA | Medium | The network element must protect information obtained from intrusion monitoring tools from unauthorized access, modification, and deletion. | Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) devices should be deployed at strategic locations within the network. At a minimum, they should be deployed within the DMZ... |
SRG-NET-000022-RTR-NA | Medium | The network element must provide the capability for a privileged administrator to configure the organizationally defined security policy filters to support different security policies. | The network element must be configured to restrict management access according to the privilege level the user has been granted. Authorization to add, modify, or delete security policies must... |
SRG-NET-000280-RTR-NA | Medium | The network element must enforce information flow control based on organizationally defined metadata. | Metadata is defined as data providing information about one or more other pieces of data such as the purpose of the data, the author or creator of the data, and the network location of where the... |
SRG-NET-000225-RTR-NA | Medium | The network element must associate security attributes with information exchanged between information systems. | Security attributes are associated with internal structures within the network element used to enable the implementation of access control and flow control policies or support other aspects of the... |
SRG-NET-000028-RTR-NA | Medium | The network element must implement security policies for all traffic flows by using security zones at various protection levels as a basis for flow control decisions. | Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled so... |
SRG-NET-000162-RTR-NA | Medium | The network element must enforce minimum password lifetime restrictions. | Authorization for access to any network element requires an approved and assigned individual account identifier. To ensure only the assigned individual is using the account, the account holder... |
SRG-NET-000143-RTR-NA | Medium | The network element must support the organizational requirement to ensure individuals are authenticated with an individual authenticator prior to using a group authenticator. | To assure individual accountability and prevent unauthorized access, organizational users shall be individually identified and authenticated.
Organizational users include organizational... |
SRG-NET-000195-RTR-000083 | Medium | The router must check inbound traffic to ensure the communications are coming from an authorized source and are routed to an authorized destination. | Source address spoofing occurs when an attacker outside the network crafts packets whose source address belongs to the private address space of the target network. This is an... |
SRG-NET-000249-RTR-NA | Medium | The network element must be configured to perform organizationally defined actions in response to malicious code detection. | Malicious code includes viruses, worms, Trojan horses, and spyware. The code provides the ability for a malicious user to read from and write to files and folders on a computer's hard drive. It... |
SRG-NET-000118-RTR-NA | Medium | The network element must enforce access restrictions associated with changes to the system components. | Changes to the hardware or software components of the network element can have significant effects on the overall security of the network. Therefore, only qualified and authorized individuals... |
SRG-NET-000263-RTR-NA | Medium | The network element must analyze outbound traffic at the external boundary of the network. | Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) devices should be deployed at strategic locations within the network. At a minimum, they should be deployed within the DMZ... |
SRG-NET-000226-RTR-NA | Medium | The network element must validate the integrity of security attributes exchanged between information systems. | Security attributes are associated with internal structures within the network element used to enable the implementation of access control and flow control policies or support other aspects of the... |
SRG-NET-000279-RTR-NA | Medium | The network element must prevent access to organizationally defined security-relevant information except during secure, non-operable system states. | Security-relevant information is any information within the information system that can potentially impact the operation of security functions in a manner that could result in failure to enforce... |
SRG-NET-000272-RTR-NA | Medium | The network element must identify and respond to potential security-relevant error conditions. | Error messages generated by various components and services of the network element can indicate a possible security violation or breach. It is imperative the network element be configured to be... |
SRG-NET-000103-RTR-NA | Medium | The network element must protect audit tools from unauthorized deletion. | Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what was attempted to be done, where it was done, when it... |
SRG-NET-000259-RTR-NA | Medium | The network element must notify an organizationally defined list of incident response personnel of suspicious events. | Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) devices should be deployed at strategic locations within the network. At a minimum, they should be deployed within the DMZ... |
SRG-NET-000128-RTR-NA | Medium | The network element must employ automated mechanisms to respond to unauthorized changes to organizationally defined configuration settings. | Uncoordinated or incorrect configuration changes to network components can potentially lead to network outages and possibly compromises. Centrally managing configuration changes for network... |
SRG-NET-000031-RTR-NA | Medium | The router must enforce organizationally defined limitations on the embedding of data types within other data types. | Allowing traffic to bypass the security checkpoints such as firewalls and intrusion detection systems puts the network infrastructure and critical data at risk. Malicious traffic could enter the... |
SRG-NET-000156-RTR-NA | Medium | The network element must enforce password complexity by the number of lowercase characters used. | Authorization for access to any network element requires an approved and assigned individual account identifier. To ensure only the assigned individual is using the account, the account holder... |
SRG-NET-000198-RTR-NA | Medium | The network element must route all management traffic through a dedicated management interface. | From an architectural perspective, implementing out-of-band management (OOBM) for network elements is a best practice and the first step in the deployment of a management network. OOBM networks... |
SRG-NET-000192-RTR-NA | Medium | The network element must restrict the ability of individuals to launch denial-of-service (DoS) attacks against other information systems or networks. | A network element experiencing a DoS attack will not be able to handle its production traffic load. The high utilization and CPU load caused by a DoS attack will also have an effect on control... |
SRG-NET-000190-RTR-NA | Medium | The network element must prevent unauthorized and unintended information transfer via shared system resources. | The purpose of this control is to prevent information produced by the actions of a prior user, role, or the actions of a process acting on behalf of a prior user/role from being available to any... |
SRG-NET-000072-RTR-NA | Medium | The network element must enforce requirements for the connection of mobile devices to organizational information systems. | Wireless services enable users within close proximity of access points to have access to data and services within the private network. The security boundary of a Wireless LAN extends from the... |
SRG-NET-000132-RTR-000068 | Medium | The router must not have SoftwareAG WebMethods Broker (SOFTWAREAG-WEBMETHODS BROKER) enabled. | A compromised network element introduces risk to the entire network infrastructure as well as data resources that are accessible via the network. The perimeter defense has no oversight or control... |
SRG-NET-000132-RTR-000069 | Medium | The router must not have Super Duper Telnet (SUPDUP) enabled. | A compromised network element introduces risk to the entire network infrastructure as well as data resources that are accessible via the network. The perimeter defense has no oversight or control... |
SRG-NET-000132-RTR-000066 | Medium | The router must not have NEI-Management Port enabled. | A compromised network element introduces risk to the entire network infrastructure as well as data resources that are accessible via the network. The perimeter defense has no oversight or control... |
SRG-NET-000132-RTR-000067 | Medium | The router must not have ORACLE Names Client Connector (ORACLENAMES) enabled. | A compromised network element introduces risk to the entire network infrastructure as well as data resources that are accessible via the network. The perimeter defense has no oversight or control... |
SRG-NET-000132-RTR-000064 | Medium | The router must not have Hewlett Packard Integrated Lights Out Virtual Media (HP-ILO-VM) enabled. | A compromised network element introduces risk to the entire network infrastructure as well as data resources that are accessible via the network. The perimeter defense has no oversight or control... |
SRG-NET-000132-RTR-000065 | Medium | The router must not have Hypertext Transfer Protocol Management Service (HTTP-MGMT) enabled. | A compromised network element introduces risk to the entire network infrastructure as well as data resources that are accessible via the network. The perimeter defense has no oversight or control... |
SRG-NET-000132-RTR-000062 | Medium | The router must not have TIMBUKTU enabled. | A compromised network element introduces risk to the entire network infrastructure as well as data resources that are accessible via the network. The perimeter defense has no oversight or control... |
SRG-NET-000132-RTR-000063 | Medium | The router must not have C-Cubed-MVS DIRECT API enabled. | A compromised network element introduces risk to the entire network infrastructure as well as data resources that are accessible via the network. The perimeter defense has no oversight or control... |
SRG-NET-000132-RTR-000060 | Medium | The router must not have SNARE enabled. | A compromised network element introduces risk to the entire network infrastructure as well as data resources that are accessible via the network. The perimeter defense has no oversight or control... |
SRG-NET-000132-RTR-000061 | Medium | The router must not have Terminal Access Controller Access Control System (TACACS) enabled. | A compromised network element introduces risk to the entire network infrastructure as well as data resources that are accessible via the network. The perimeter defense has no oversight or control... |
SRG-NET-000208-RTR-NA | Medium | The network element must use cryptographic mechanisms to detect changes to information during transmission, unless otherwise protected by alternative physical measures. | If the organization is relying on a commercial service provider for transmission services as a commodity item rather than a fully dedicated service for both internal and external connectivity, it... |
SRG-NET-000166-RTR-NA | Medium | The network element must map the authenticated identity to the user account for PKI-based authentication. | Authorization for access to any network element requires an approved and assigned individual account identifier. To ensure that only the assigned individual is using the account, the account must... |
SRG-NET-000203-RTR-NA | Medium | The network element must route organizationally defined internal communications traffic destined for organizationally defined external networks through authenticated application firewalls (application proxy servers) at managed interfaces. | A proxy server is designed to hide the identity of the client when it connects to a server outside its network, such as a web server, web mail, or a chat room. This prevents any... |
SRG-NET-000244-RTR-NA | Medium | The network element must employ malicious code protection mechanisms to detect and block malicious code at the network perimeter. | Malicious code includes viruses, worms, Trojan horses, and spyware. The code provides the ability for a malicious user to read from and write to files and folders on a computer's hard drive. It... |
SRG-NET-000207-RTR-NA | Medium | The network element must protect the integrity of transmitted information. | If the organization is relying on a commercial service provider for transmission services as a commodity item rather than a fully dedicated service, it may be more difficult to obtain the... |
SRG-NET-000030-RTR-NA | Medium | All encrypted traffic must be decrypted prior to passing through content inspection and filtering mechanisms. | Allowing traffic to bypass the security checkpoints such as firewalls and intrusion detection systems puts the network infrastructure and critical data at risk. Malicious traffic could enter the... |
SRG-NET-000119-RTR-NA | Medium | The network element must use automated mechanisms to enforce access restrictions. | Changes to the hardware or software components of the network element can have significant effects on the overall security of the network. Therefore, only qualified and authorized individuals... |
SRG-NET-000005-RTR-NA | Low | The network element must automatically audit the creation of accounts. | Account management and distribution is vital to the security of any network element. Account management by a designated authority ensures access to network elements is being controlled in a... |
SRG-NET-000066-RTR-NA | Low | The network element must audit remote sessions for accessing an organizationally defined list of security functions and security-relevant information. | Remote access services enable users outside of the enclave to have access to data and services within the private network. In many instances these connections traverse the Internet. Monitoring... |
SRG-NET-000067-RTR-NA | Low | The network element must disable the use of organizationally defined networking protocols deemed non-secure, except for explicitly identified components in support of specific operational requirements. | Remote access is any access to an organizational information system by a user (or an information system) communicating through an external, non-organization-controlled network (e.g., the... |
SRG-NET-000079-RTR-NA | Low | The network element must capture and log sufficient information to establish the identity of user accounts associated with an audit event. | Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what was attempted to be done, where it was done, when it... |
SRG-NET-000241-RTR-NA | Low | The network element must protect the integrity of information during the processes of data aggregation, packaging, and transformation in preparation for transmission. | Information can be subjected to unauthorized changes (e.g., malicious or unintentional modification) at information aggregation or protocol transformation points. This requirement is applicable... |
SRG-NET-000068-RTR-NA | Low | The network element must enforce requirements for remote connections to the network. | Remote access services enable users outside of the enclave to have access to data and services within the private network. In many instances these connections traverse the Internet. Enabling... |
SRG-NET-000180-RTR-NA | Low | The network element must employ cryptographic mechanisms to protect information in storage. | When data is written to digital media, there is risk of loss of data along with integrity and data confidentiality. An organizational assessment of risk guides the selection of media and... |
SRG-NET-000184-RTR-NA | Low | The network element must isolate security functions from non-security functions. | The network element isolates security functions from non-security functions by means of an isolation boundary (implemented via partitions and domains) controlling access to and protecting the... |
SRG-NET-000274-RTR-NA | Low | The network element must activate an organizationally defined alarm when a system component failure is detected. | A network element with a failing security component can potentially put the entire network at risk. If key components to maintaining network security fail to function, it is possible the network... |
SRG-NET-000300-RTR-NA | Low | The network element must provide the means to indicate the security status of child subspaces and (if the child supports secure resolution services) enable verification of a chain of trust among parent and child domains when operating as part of a distributed, hierarchical namespace. | This control enables remote clients to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the... |
SRG-NET-000243-RTR-NA | Low | The network element must be configured to implement automated patch management tools to facilitate flaw remediation to network components. | It is imperative that the organization promptly install security-relevant software updates to mitigate the risk of new vulnerabilities. Flaws discovered during security assessments, continuous... |
SRG-NET-000056-RTR-NA | Low | The network element must support and maintain the binding of organizationally defined security attributes to information in transmission. | Security attributes are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information. These attributes are... |
SRG-NET-000236-RTR-NA | Low | The network element must preserve organizationally defined system state information in the event of a system failure. | Failure to a known state can address safety or security in accordance with the mission needs of the organization. Failure to a known secure state helps prevent a loss of confidentiality,... |
SRG-NET-000108-RTR-NA | Low | The network element must protect against an individual falsely denying having performed a particular action. | Nonrepudiation of actions taken by an administrator is required in order to maintain integrity of the configuration management process. This requires that all configuration changes to the network... |
SRG-NET-000147-RTR-NA | Low | The network element must use organizationally defined replay-resistant authentication mechanisms for network access to non-privileged accounts. | Authorization for access to any network element requires an approved and assigned individual account identifier. The authenticator must be a device separate from the target device to which the... |
SRG-NET-000242-RTR-NA | Low | The network element must be configured to automatically check for security updates to the application software on an organizationally defined frequency. | It is imperative that the organization promptly install security-relevant software updates to mitigate the risk of new vulnerabilities. Flaws discovered during security assessments, continuous... |
SRG-NET-000034-RTR-NA | Low | The network element must implement separation of duties through assigned information system access authorizations. | The use of Authentication, Authorization, and Accounting (AAA) affords the best methods for controlling user access, authorization levels, and activity logging. By enabling AAA on the network... |
SRG-NET-000088-RTR-NA | Low | The network element must be configured to send an alert to designated personnel in the event of an audit processing failure. | Auditing and logging are key components of any security architecture. It is essential that security personnel know what is being done, what was attempted to be done, where it was done, when it... |
SRG-NET-000009-RTR-NA | Low | The network element must automatically audit account disabling actions. | Account management by a designated authority ensures access to network elements is being controlled in a secured manner by granting access to only authorized personnel with the appropriate and... |
SRG-NET-000107-RTR-NA | Low | The network element must use cryptography to protect the integrity of audit tools. | Auditing and logging are key components of any security architecture. It is essential that security personnel know what is being done, what was attempted to be done, where it was done, when it... |
SRG-NET-000007-RTR-NA | Low | The network element must automatically audit account modification. | Account management and distribution is vital to the security of any network element. Account management by a designated authority ensures access to network elements is being controlled in a... |
SRG-NET-000221-RTR-NA | Low | The network element must employ NSA-approved cryptography to protect classified information. | Whether a network is being managed locally or from a Network Operations Center (NOC), achieving network management objectives depends on comprehensive and reliable network management solutions. ... |
SRG-NET-000075-RTR-NA | Low | The network element must produce audit log records containing sufficient information to establish when an event occurred. | Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what was attempted to be done, where it was done, when it... |
SRG-NET-000051-RTR-NA | Low | The network element must notify the user of the number of unsuccessful login attempts occurring during an organizationally defined time period. | Providing users with information regarding the date and time of their last unsuccessful login to the device allows the user to determine if any unauthorized activity has occurred and gives them an... |
SRG-NET-000055-RTR-NA | Low | The network element must support and maintain the binding of organizationally defined security attributes to information in process. | The binding of these attribute assignments to information must be maintained while the data is in process such as switching, traffic classification, QoS marking, packet filtering, address... |
SRG-NET-000054-RTR-NA | Low | The network element must support and maintain the binding of organizationally defined security attributes to information in storage. | Security attributes are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information. These attributes are... |
SRG-NET-000145-RTR-NA | Low | The network element must enforce multifactor authentication for network access to non-privileged accounts where one of the factors is provided by a device separate from the network element being accessed. | Multifactor authentication is defined as using two or more factors to achieve authentication.
Factors include:
(i) something you know (e.g., password/PIN);
(ii) something you have (e.g.,... |
SRG-NET-000099-RTR-NA | Low | The network element must protect audit log information from unauthorized modification. | Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what was attempted to be done, where it was done, when it... |
SRG-NET-000098-RTR-NA | Low | The network element must protect audit log information from unauthorized read access. | Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what was attempted to be done, where it was done, when it... |
SRG-NET-000013-RTR-NA | Low | The network element must monitor for irregular usage of administrative user accounts. | Atypical account usage is behavior that is not part of normal usage cycles, e.g., accounts logging in after hours or on weekends. This requirement is applicable to network device management and... |
SRG-NET-000091-RTR-NA | Low | The network element must centralize the review and analysis of audit records from multiple network elements within the network. | Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what was attempted to be done, where it was done, when it... |
SRG-NET-000222-RTR-NA | Low | The network element must employ FIPS-validated cryptography to protect information when such information must be separated from individuals who have the necessary clearances yet lack the necessary access approvals. | Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to... |
SRG-NET-000309-RTR-NA | Low | The network element must protect against unauthorized physical connections across the boundary protections implemented at an organizationally defined list of managed interfaces. | Local access to the network can easily be accomplished by merely connecting a workstation or laptop to any available wall plate or a wireless connection to a nearby access point. Eliminating... |
SRG-NET-000110-RTR-NA | Low | The network element must compile audit records from multiple components into a system-wide audit trail that is time-correlated to within an organizationally defined level of tolerance for the relationship between timestamps of individual records in the audit trail. | Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what was attempted to be done, where it was done, when it... |
SRG-NET-000149-RTR-NA | Low | The network element must authenticate devices before establishing remote network connections using bidirectional authentication between cryptographically based devices. | A network element must have a level of trust with any node wanting to connect to it. The remote node could be a host device requiring a layer 2 connection to the network, or a router wanting to... |
SRG-NET-000050-RTR-NA | Low | The network element must notify the user of the number of successful login attempts occurring during an organizationally defined time period. | Providing users with information regarding the date and time of their last successful login allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to... |
SRG-NET-000036-RTR-NA | Low | The network element must provide finer-grained allocation of account privileges through the use of separate processing domains. | Each account should grant access to only those privileges for which the system administrator is authorized. By not restricting system administrators to their proper privilege levels, access to... |
SRG-NET-000212-RTR-NA | Low | The network element must maintain the confidentiality of information during aggregation, packaging, and transformation in preparation for transmission. | If the organization is relying on a commercial service provider for transmission services as a commodity item rather than a fully dedicated service for both internal and external connectivity, it... |
SRG-NET-000078-RTR-NA | Low | The network element must produce audit log records containing sufficient information to determine if an event was a success or failure. | Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what was attempted to be done, where it was done, when it... |
SRG-NET-000042-RTR-NA | Low | The network element must display the approved system use notification message or banner on the screen until the administrator takes explicit action to acknowledge the message. | All network devices must present a DoD approved warning banner prior to a system administrator logging on. The banner should warn any unauthorized user not to proceed. It also should provide... |
SRG-NET-000087-RTR-NA | Low | The network element must reject or delay network traffic generated above configurable traffic volume thresholds, as defined by the organization. | Auditing of account use and user actions is a critical part of the security architecture. Auditable events must be logged. If the network element becomes unable to write events to the audit log,... |
SRG-NET-000234-RTR-NA | Low | The network element must generate unique session identifiers with organizationally defined randomness requirements. | Peering neighbors must have a level of trust with each other since information being shared is used to provide network services, connectivity, and optimized routing. Corrupted or erroneous... |
SRG-NET-000202-RTR-000088 | Low | The router must deny network traffic by default and allow network traffic by exception at all interfaces at the network perimeter. | All inbound and outbound traffic must be denied by default. Firewalls and perimeter routers should only allow traffic through that is explicitly permitted. The initial defense for the internal... |
SRG-NET-000281-RTR-NA | Low | The network element must identify information flows by data type specification and usage when transferring information between different security domains. | Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled so... |
SRG-NET-000148-RTR-NA | Low | The network element must authenticate an organizationally defined list of specific devices by device type before establishing a connection. | A network element must have a level of trust with any node wanting to connect to it. The remote node could be a host device requiring a layer 2 connection to the network, or a router wanting to... |
SRG-NET-000215-RTR-NA | Low | The network element must produce, control, and distribute symmetric cryptographic keys, using NIST-approved key management technology and processes. | The escalating use of cryptography has brought forth a huge challenge for organizations to protect and manage the hundreds and even thousands of cryptographic keys employed during daily... |
SRG-NET-000245-RTR-NA | Low | The network element must employ malicious code protection mechanisms at workstations, servers, or mobile computing devices on the network to detect and eradicate malicious code transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means or inserted through the exploitation of information system vulnerabilities. | Malicious code includes viruses, worms, Trojan horses, and spyware. The code provides the ability for a malicious user to read from and write to files and folders on a computer's hard drive. It... |
SRG-NET-000085-RTR-NA | Low | The network element must provide a real-time alert when organizationally defined audit failure events occur. | Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what was attempted to be done, where it was done, when it... |
SRG-NET-000232-RTR-NA | Low | The network element must generate a unique session identifier for each session. | Peering neighbors must have a level of trust with each other since information being shared is used to provide network services, connectivity, and optimized routing. Corrupted or erroneous... |
SRG-NET-000053-RTR-NA | Low | The network element must limit the number of concurrent sessions for each account to an organizationally defined number. | This requirement addresses concurrent sessions for a given information system account and does not address concurrent sessions by a single user via multiple accounts. Limiting the number of... |
SRG-NET-000086-RTR-NA | Low | The network element must enforce configurable traffic volume thresholds representing audit logging capacity for network traffic to be logged. | Auditing of account use and user actions is a critical part of the security architecture. Auditable events must be logged. If the network element becomes unable to write events to the audit log,... |
SRG-NET-000095-RTR-NA | Low | The network element must provide the capability to automatically process audit log records for events of interest based upon selectable event criteria. | Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what was attempted to be done, where it was done, when it was... |
SRG-NET-000102-RTR-NA | Low | The network element must protect audit tools from unauthorized modification. | Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what was attempted to be done, where it was done, when it... |
SRG-NET-000024-RTR-000018 | Low | The router must reject any outbound IP packets that contain an illegitimate address in the source address field through the enabling of uRPF strict mode or egress filter. | Unicast Reverse Path Forwarding (uRPF) provides an IP address spoof protection capability. When uRPF is enabled in strict mode, the packet must be received on the interface that the router would... |
SRG-NET-000202-RTR-000089 | Low | The router must suppress router advertisements on all external-facing IPv6-enabled interfaces. | Many of the known attacks in stateless autoconfiguration defined in RFC 3756 were present in IPv4 ARP attacks. IPSec AH was originally suggested as mitigation for link-local attacks, but has... |
SRG-NET-000254-RTR-NA | Low | The network element must not allow users to introduce removable media into the information system. | Malicious code includes viruses, worms, Trojan horses, and spyware. The code provides the ability for a malicious user to read from and write to files and folders on a computer's hard drive. It... |
SRG-NET-000093-RTR-NA | Low | The network element must provide an audit log reduction capability. | Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what was attempted to be done, where it was done, when it... |
SRG-NET-000282-RTR-NA | Low | The network element must decompose information into policy-relevant subcomponents for submission to policy enforcement mechanisms when transferring information between different security domains. | Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled so... |
SRG-NET-000303-RTR-NA | Low | The network element must perform data origin authentication and data integrity verification on all resolution responses received whether or not local client systems explicitly request this service. | A recursive resolving or caching domain name system (DNS) server is an example of an information system that provides name/address resolution service for local clients. Authoritative DNS... |
SRG-NET-000017-RTR-NA | Low | The network element must implement nondiscretionary access control policies over an organization defined set of users and resources. | Access control policies (e.g., identity-based policies, role-based policies, etc.) and access enforcement mechanisms (e.g., access control lists, policy maps, cryptography) are employed by... |
SRG-NET-000278-RTR-NA | Low | The network element must display security attributes in human readable form on each object output from the system to system output devices to identify an organizationally identified set of special dissemination, handling, or distribution instructions using organizationally identified human readable, standard naming conventions. | Security attributes are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information. These attributes are... |
SRG-NET-000255-RTR-NA | Low | The network element must interconnect and configure individual intrusion detection tools into a system-wide intrusion detection system using common protocols. | Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) devices should be deployed at strategic locations within the network. At a minimum, they should be deployed within the DMZ... |
SRG-NET-000237-RTR-NA | Low | The network element must include components that proactively seek to identify web-based malicious code. | A honeypot simulates multiple platforms and services used to attract and contain the attackers. To the attacker, it appears to be part of a production network providing services. A honeypot can... |
SRG-NET-000004-RTR-NA | Low | The network element must automatically disable inactive accounts after an organization defined time period of inactivity. | There is always a risk of inactive accounts being compromised by unauthorized users who could then gain full control of the device, thereby enabling them to trigger a Denial of Service, intercept... |
SRG-NET-000101-RTR-NA | Low | The network element must protect audit tools from unauthorized access. | Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what was attempted to be done, where it was done, when it... |
SRG-NET-000083-RTR-NA | Low | The network element logging function must be configured to reduce the likelihood of audit log record capacity being exceeded. | Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what was attempted to be done, where it was done, when it... |
SRG-NET-000138-RTR-NA | Low | The network element must enforce the identification and authentication of all organizational users. | Network access control mechanisms interoperate to prevent unauthorized access and to enforce the organization's security policy. Access to the network must be categorized as administrator, user,... |
SRG-NET-000196-RTR-NA | Low | The network element must implement host-based boundary protection mechanisms. | Network elements, dependent on the underlying operating system, are at greater risk due to software vulnerabilities and access capabilities. It is critical these devices have host-based intrusion... |
SRG-NET-000121-RTR-NA | Low | The network element must prevent the installation of organizationally defined critical software programs not signed with an organizationally approved private key. | Changes to any software components of the network element can have significant effects on the overall security of the network. Verifying the authenticity of the software prior to installation... |
SRG-NET-000096-RTR-NA | Low | The network element must use internal system clocks to generate timestamps for audit records. | Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what was attempted to be done, where it was done, when it... |
SRG-NET-000305-RTR-NA | Low | The network element that collectively provides name/address resolution service for an organization must implement internal/external role separation. | A domain name system (DNS) server is an example of an information system that provides name/address resolution service. To eliminate single points of failure and to enhance redundancy, there are... |
SRG-NET-000217-RTR-NA | Low | The network element must produce, control, and distribute asymmetric cryptographic keys using approved PKI Class 3 certificates or prepositioned keying material. | The escalating use of cryptography has brought forth a huge challenge for organizations to protect and manage the hundreds and even thousands of cryptographic keys employed during daily... |
SRG-NET-000216-RTR-NA | Low | The network element must produce, control, and distribute symmetric and asymmetric cryptographic keys using NSA-approved key management technology and processes. | The escalating use of cryptography has brought forth a huge challenge for organizations to protect and manage the hundreds and even thousands of cryptographic keys employed during daily... |
SRG-NET-000285-RTR-NA | Low | The network element must prohibit the transfer of unsanctioned information in accordance with the security policy when transferring information between different security domains. | Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled so... |
SRG-NET-000270-RTR-NA | Low | The network element must provide automated support for the management of distributed security testing. | The need to verify security functionality is necessary to ensure that the network element's defense is enabled. To scale the deployment of the verification process, the network element must... |
SRG-NET-000136-RTR-NA | Low | The network element must support organizational requirements to conduct backups of system-level information contained in the information system per organizationally defined frequency. | System information contained on a network element contains default and customized attributes as well as software required for the execution and operation of the device. If this information... |
SRG-NET-000081-RTR-NA | Low | The network element must transmit audit events to the organization's central audit log server. | Centrally managing audit data provides for easier management of network events and is an effective facility for monitoring and the automatic generation of alert notification. The repository of... |
SRG-NET-000105-RTR-NA | Low | The network element must backup system-level audit event log records on an organizationally defined frequency onto a different system or media. | Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what was attempted to be done, where it was done, when it... |
SRG-NET-000157-RTR-NA | Low | The network element must enforce password complexity by the number of numeric characters used. | Authorization for access to any network element requires an approved and assigned individual account identifier. To ensure only the assigned individual is using the account, the account holder... |
SRG-NET-000290-RTR-NA | Low | The network element must prevent the automatic execution of mobile code in organizationally defined software applications and require organizationally defined actions prior to executing the code. | Decisions regarding the employment of mobile code within network elements are based on the potential for the code to cause damage to the system if used maliciously. Mobile code technologies... |
SRG-NET-000082-RTR-NA | Low | The network element must allocate audit record storage capacity. | Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what was attempted to be done, where it was done, when it... |
SRG-NET-000126-RTR-NA | Low | The network element must employ automated mechanisms to centrally apply configuration settings. | Uncoordinated or incorrect configuration changes to network components can potentially lead to network outages and possibly compromises. Centrally managing configuration changes for network... |
SRG-NET-000089-RTR-NA | Low | The network element must be capable of taking organizationally defined actions upon audit failure. | Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what was attempted to be done, where it was done, when it... |
SRG-NET-000159-RTR-NA | Low | The network element must enforce the number of characters changed when passwords are changed. | Authorization for access to any network element requires an approved and assigned individual account identifier. To ensure only the assigned individual is using the account, the account holder... |
SRG-NET-000277-RTR-NA | Low | The network element must block network access by unauthorized devices and must log the information as a security violation. | Local access to the private network can easily be accomplished by merely connecting a workstation or laptop to any available wall plate or a wireless connection to a nearby access point. Remote... |
SRG-NET-000104-RTR-NA | Low | The network element must produce audit records on hardware-enforced write-once media. | Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what was attempted to be done, where it was done, when it... |
SRG-NET-000248-RTR-NA | Low | The network element must be configured to perform real-time monitoring of files from external sources as they are downloaded and prior to being opened or executed. | Malicious code includes viruses, worms, Trojan horses, and spyware. The code provides the ability for a malicious user to read from and write to files and folders on a computer's hard drive. It... |
SRG-NET-000080-RTR-NA | Low | The network element must capture and log organizationally defined additional information (identified by type, location, or subject) to the audit records for audit events. | Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control, includes, for example,... |
SRG-NET-000302-RTR-NA | Low | The network element must perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources when requested by client systems. | A recursive resolving or caching domain name system (DNS) server is an example of an information system that provides name/address resolution service for local clients. Authoritative DNS... |
SRG-NET-000202-RTR-000091 | Low | The router must block IPv6 6bone address space (3FFE::/16) on the ingress and egress filters. | The decommissioned 6bone allocation (3FFE::/16, see RFC 3701) must be blocked. It is no longer a trusted source. |
SRG-NET-000202-RTR-000090 | Low | The router must block the undetermined transport packet at the perimeter of an IPv6 enclave. | One of the fragmentation weaknesses known in IPv6 is the undetermined transport packet. This packet contains an undetermined protocol due to fragmentation. Depending on the length of the IPv6... |
SRG-NET-000094-RTR-NA | Low | The network element must provide a report generation capability for the audit log. | Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what was attempted to be done, where it was done, when it... |
SRG-NET-000135-RTR-NA | Low | The network element must support organizational requirements to conduct backups of user-level information contained in the device per an organizationally defined frequency that is consistent with recovery time and recovery point objectives. | User information contained on a network element is associated with the user's account and the resources the user is authorized to access. If this information becomes corrupted by hardware failures... |
SRG-NET-000077-RTR-NA | Low | The network element must produce audit log records containing sufficient information to establish the source of an event. | Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what was attempted to be done, where it was done, when it... |
SRG-NET-000169-RTR-NA | Low | The network element must uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users. | Non-organizational users shall be uniquely identified and authenticated for all accesses other than those accesses explicitly identified and documented by the organization when related to the use... |
SRG-NET-000238-RTR-NA | Low | The network element must protect the confidentiality and integrity of system information at rest. | This control is intended to address the confidentiality and integrity of system information at rest when it is located on a secondary storage device within the network element. It is imperative... |
SRG-NET-000171-RTR-NA | Low | The network element must invoke a system shutdown in the event of a log failure, unless an alternative audit capability exists. | It is critical that when a network device is at risk of failing to process audit logs as required, it takes action to mitigate the effects of failure. If the device were to continue processing... |
SRG-NET-000112-RTR-NA | Low | The network element must produce a system-wide audit trail composed of log records in a standardized format. | Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what was attempted to be done, where it was done, when it... |
SRG-NET-000011-RTR-NA | Low | The network element must automatically audit account termination. | Account management by a designated authority ensures access to network elements is being controlled in a secured manner by granting access to only authorized personnel with the appropriate and... |
SRG-NET-000092-RTR-NA | Low | The network element must use automated mechanisms to alert security personnel to an organizationally defined list of inappropriate or unusual activities with security implications. | Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what was attempted to be done, where it was done, when it... |
SRG-NET-000074-RTR-NA | Low | The network element must produce audit log records that contain sufficient information to establish what type of event occurred. | Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what was attempted to be done, where it was done, when it... |
SRG-NET-000137-RTR-NA | Low | The network element must support organizational requirements to conduct backups of information system documentation, including security-related documentation, per an organizationally defined frequency that is consistent with recovery time and recovery point objectives. | System information contained on a network element contains default and customized attributes as well as software required for the execution and operation of the device. If this information... |
SRG-NET-000043-RTR-NA | Low | The network element must display a DoD-approved system use notification message or banner before granting access to the device. | All network devices must present a DoD approved warning banner before granting access to the device. The banner shall be formatted in accordance with the DoD policy "Use of DoD Information... |
SRG-NET-000183-RTR-NA | Low | The network element must prevent the presentation of information system management-related functionality at an interface for general (i.e., non-privileged) users. | Network management is the process of monitoring network elements and links, configuring network elements to turn up and disable network services; and the collection of performance, diagnostics,... |
SRG-NET-000140-RTR-NA | Low | The network element must use multifactor authentication for network access to non-privileged accounts. | Multifactor authentication is defined as: using two or more factors to achieve authentication. Factors include: (i) something you know (e.g., password/PIN); (ii) something you have (e.g.,... |
SRG-NET-000301-RTR-NA | Low | The network element must provide the means to indicate the security status of child subspaces and (if the child supports secure resolution services) enable verification of a chain of trust among parent and child domains. | A recursive resolving or caching domain name system (DNS) server is an example of an information system that provides name/address resolution service for local clients. Authoritative DNS... |
SRG-NET-000155-RTR-NA | Low | The network element must enforce password complexity by the number of uppercase characters used. | Authorization for access to any network element requires an approved and assigned individual account identifier. To ensure only the assigned individual is using the account, the account holder... |
SRG-NET-000173-RTR-NA | Low | The network element must log nonlocal maintenance and diagnostic sessions. | Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what was attempted to be done, where it was done, when it... |
SRG-NET-000041-RTR-NA | Low | The network element must display an approved system use notification message (or banner) before granting access to the system. | All network devices must present a DoD-approved warning banner prior to a system administrator logging on. The banner should warn any unauthorized user not to proceed. It also should provide... |
SRG-NET-000113-RTR-NA | Low | The network element must provide audit record generation capability for organizationally defined auditable events occurring within the network element. | Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what was attempted to be done, where it was done, when it... |
SRG-NET-000090-RTR-NA | Low | The network element must integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities. | Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what was attempted to be done, where it was done, when it... |
SRG-NET-000209-RTR-NA | Low | The network element must maintain the integrity of information during aggregation and encapsulation in preparation for transmission. | If the organization is relying on a commercial service provider for transmission services as a commodity item rather than a fully dedicated service for both internal and external connectivity, it... |
SRG-NET-000008-RTR-NA | Low | The network element must notify the appropriate individuals when accounts are modified. | Account management and distribution is vital to the security of any network element. Account management by a designated authority ensures access to network elements is being controlled in a... |
SRG-NET-000283-RTR-NA | Low | The network element must implement policy filters that constrain data structure and content to organizationally defined information security policy requirements when transferring information between different security domains. | Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled so... |
SRG-NET-000304-RTR-NA | Low | The network element that collectively provides name/address resolution service for an organization must be fault-tolerant. | A domain name system (DNS) server is an example of an information system that provides name/address resolution service. To eliminate single points of failure and to enhance redundancy, there are... |
SRG-NET-000026-RTR-000031 | Low | The router must be configured to reject outbound IP packets that contain an illegitimate address in the source address field, via an egress filter or by enabling Unicast Reverse Path Forwarding, in an IPv6 enclave. | Unicast Reverse Path Forwarding (uRPF) provides a mechanism for IP address spoof protection. When uRPF is enabled on an interface, the router examines all packets received as input on that... |
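The two uRPF rows (SRG-NET-000024-RTR-000018 above and SRG-NET-000026-RTR-000031 here) both reduce to one forwarding-table decision. The Python model below is an added example, not part of the SRG and not any vendor's implementation. It shows why strict mode drops a spoofed internal source arriving on the uplink while loose mode does not, why a null-routed source is dropped in both modes, and the asymmetric-routing case in which strict mode drops a legitimate packet; it also shows the egress filter the rows offer as the alternative. Interface names, prefixes and routes are a constructed sample topology, and the treatment of the default route as a valid reverse path is an assumption of this model.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Union

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class Route:
    prefix: Network
    out_iface: Optional[str]  # None models a discard (null) route


class Fib:
    """Longest-prefix-match forwarding table; IPv4 and IPv6 routes coexist."""

    def __init__(self, routes: List[Route]):
        # Most specific prefix first, so the first hit is the longest match.
        self.routes = sorted(routes, key=lambda r: r.prefix.prefixlen, reverse=True)

    def lookup(self, addr: Address) -> Optional[Route]:
        for r in self.routes:
            if r.prefix.version == addr.version and addr in r.prefix:
                return r
        return None


def route(prefix: str, out_iface: Optional[str]) -> Route:
    return Route(ipaddress.ip_network(prefix), out_iface)


def urpf_accepts(fib: Fib, src: str, in_iface: str, mode: str = "strict") -> bool:
    """uRPF decision for a packet with source `src` received on `in_iface`.

    strict: the best route back to the source must exit via the ingress interface.
    loose:  any route to the source that is not a discard route is enough.
    Assumption: a default route counts as a valid reverse path. Real devices make
    this configurable, and the permissive reading used here is the weaker one.
    """
    if mode not in ("strict", "loose"):
        raise ValueError("mode must be 'strict' or 'loose'")
    best = fib.lookup(ipaddress.ip_address(src))
    if best is None or best.out_iface is None:
        return False  # unrouted or null-routed source: drop in both modes
    if mode == "loose":
        return True
    return best.out_iface == in_iface


def egress_allows(enclave_prefixes: List[str], src: str) -> bool:
    """Egress filter: only packets sourced from the enclave's own space may leave."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(p) for p in enclave_prefixes)


# Constructed sample topology (documentation prefixes, not a real network):
# Gi0/1 faces the enclave, Gi0/0 is the primary uplink, Gi0/2 a second uplink
# that is the best path to one peer prefix.
ENCLAVE_PREFIXES = ["192.0.2.0/24", "2001:db8:1::/48"]
SAMPLE_FIB = Fib([
    route("192.0.2.0/24", "Gi0/1"),
    route("2001:db8:1::/48", "Gi0/1"),
    route("198.51.100.0/24", None),     # unused space, null-routed
    route("203.0.113.0/24", "Gi0/2"),   # peer reachable only via the second uplink
    route("0.0.0.0/0", "Gi0/0"),
    route("::/0", "Gi0/0"),
])


def evaluate_samples() -> dict:
    """Run constructed packets through strict and loose uRPF and the egress filter."""
    f = SAMPLE_FIB
    return {
        "inside_ok":      urpf_accepts(f, "192.0.2.10", "Gi0/1"),             # True
        "spoofed_strict": urpf_accepts(f, "192.0.2.10", "Gi0/0"),             # False: strict catches it
        "spoofed_loose":  urpf_accepts(f, "192.0.2.10", "Gi0/0", "loose"),    # True: loose does not
        "null_routed":    urpf_accepts(f, "198.51.100.5", "Gi0/0", "loose"),  # False in both modes
        "v6_internet_ok": urpf_accepts(f, "2001:db8:9::1", "Gi0/0"),          # True via ::/0
        "asym_strict":    urpf_accepts(f, "203.0.113.7", "Gi0/0"),            # False: legit but asymmetric
        "asym_loose":     urpf_accepts(f, "203.0.113.7", "Gi0/0", "loose"),   # True
        "egress_ok":      egress_allows(ENCLAVE_PREFIXES, "2001:db8:1::5"),   # True
        "egress_spoof":   egress_allows(ENCLAVE_PREFIXES, "203.0.113.7"),     # False
    }


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:15s} {'accept' if verdict else 'drop'}")
```

The asymmetric case is the practical caveat behind the "strict mode" wording: strict mode is only safe on interfaces where routing is symmetric (customer-facing and single-homed edges), and loose mode on a multi-homed uplink still needs an explicit bogon and enclave-source filter because it passes any source with a non-null route.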
SRG-NET-000026-RTR-000030 | Low | The router must only permit BGP connections with known IP addresses of neighbor routers from trusted Autonomous Systems. | Advertisement of routes by an autonomous system for networks that do not belong to any of its trusted peers pulls traffic away from the authorized network. This causes DoS on the network that... |
SRG-NET-000142-RTR-NA | Low | The network element must use multifactor authentication for local access to non-privileged accounts. | Multifactor authentication is defined as: using two or more factors to achieve authentication. Factors include: (i) something you know (e.g., password/PIN); (ii) something you have (e.g.,... |
SRG-NET-000247-RTR-NA | Low | The network element must employ malicious code protection mechanisms to perform periodic monitoring of the information system on an organizationally defined frequency. | Malicious code includes viruses, worms, Trojan horses, and spyware. The code provides the ability for a malicious user to read from and write to files and folders on a computer's hard drive. It... |
SRG-NET-000195-RTR-000086 | Low | The router must restrict BGP connections to known IP addresses of neighbor routers from trusted Autonomous Systems (AS). | Advertisement of routes by an autonomous system for networks that do not belong to any of its trusted peers pulls traffic away from the authorized network. This causes DoS on the network that... |
SRG-NET-000195-RTR-000084 | Low | The router must ensure that IP source routing is disabled. | Source routing is a feature of IP whereby individual packets can specify their own route. This feature is used in several different network attacks to bypass perimeter and internal defense mechanisms. |
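The source-routing row here, the BGP neighbor rows (SRG-NET-000026-RTR-000030 and SRG-NET-000195-RTR-000086), the router-advertisement row SRG-NET-000202-RTR-000089 and the uRPF rows are all verified by reading the running configuration. The checker below is an added example, not DISA or Cisco tooling. It parses a constructed IOS-style excerpt written for this example (with findings deliberately present) against an organization-defined set of external interfaces and a trusted-peer list, both of which are assumptions here. It recognizes only the command forms shown in the excerpt and checks the IPv4 uRPF command only; the parallel `ipv6 verify unicast` command is not checked.

```python
import re
from typing import Dict, List

# Constructed IOS-style running-config excerpt written for this example; it is
# not taken from any real device. Gi0/0 lacks RA suppression and runs uRPF in
# loose mode, IP source routing is left at its default, and one BGP neighbor is
# not on the trusted list.
SAMPLE_CONFIG = """\
hostname edge-rtr
!
interface GigabitEthernet0/0
 description UPLINK to ISP
 ip address 203.0.113.2 255.255.255.252
 ipv6 address 2001:db8:ffff::2/64
 ip verify unicast source reachable-via any
!
interface GigabitEthernet0/1
 description INSIDE
 ip address 192.0.2.1 255.255.255.0
 ipv6 address 2001:db8:1::1/64
!
interface GigabitEthernet0/2
 description second uplink
 ipv6 address 2001:db8:fffe::2/64
 ipv6 nd ra suppress all
 ip verify unicast source reachable-via rx
!
router bgp 65001
 neighbor 203.0.113.1 remote-as 65002
 neighbor 198.51.100.9 remote-as 65010
 neighbor 2001:db8:fffe::1 remote-as 65002
!
"""

# Organization-defined policy inputs (assumptions of this example).
EXTERNAL_IFACES = {"GigabitEthernet0/0", "GigabitEthernet0/2"}
TRUSTED_PEERS = {"203.0.113.1": 65002, "2001:db8:fffe::1": 65002}  # neighbor -> expected AS

NEIGHBOR_RE = re.compile(r"^\s*neighbor (\S+) remote-as (\d+)\s*$", re.M)


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each 'interface NAME' stanza to its indented configuration lines."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None  # '!' or any other top-level line ends the stanza
    return stanzas


def audit(config: str, external_ifaces=EXTERNAL_IFACES, trusted_peers=TRUSTED_PEERS) -> List[str]:
    """Return one finding per violated row; an empty list means the excerpt passes."""
    findings: List[str] = []
    top_level = [line.rstrip() for line in config.splitlines() if not line.startswith(" ")]
    # IOS enables IP source routing by default, so only the explicit 'no' form passes.
    if "no ip source-route" not in top_level:
        findings.append("global: IP source routing not disabled ('no ip source-route' missing)")

    for name, body in parse_interfaces(config).items():
        if name not in external_ifaces:
            continue
        if any(line.startswith("ipv6 address") for line in body):
            ra = [line for line in body if line.startswith("ipv6 nd ra suppress")]
            if not ra:
                findings.append(f"{name}: router advertisements not suppressed")
            elif ra[0] != "ipv6 nd ra suppress all":
                # Without 'all' the router still answers router solicitations.
                findings.append(f"{name}: RAs still sent in reply to router solicitations (use 'all')")
        urpf = [line for line in body if line.startswith("ip verify unicast source reachable-via")]
        if not urpf:
            findings.append(f"{name}: uRPF not enabled")
        else:
            tokens = urpf[0].split()
            if len(tokens) < 6 or tokens[5] != "rx":
                findings.append(f"{name}: uRPF in loose mode ('any'); strict mode ('rx') required")

    for ip, asn in NEIGHBOR_RE.findall(config):
        if ip not in trusted_peers:
            findings.append(f"bgp: neighbor {ip} is not on the trusted peer list")
        elif trusted_peers[ip] != int(asn):
            findings.append(f"bgp: neighbor {ip} expected AS {trusted_peers[ip]}, configured AS {asn}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FAIL", finding)
```

Checks of this kind belong in the change pipeline rather than in a periodic scan: running the audit against a proposed configuration before it is pushed is what keeps an unlisted neighbor or a loose-mode uRPF interface from ever reaching the perimeter.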
SRG-NET-000012-RTR-NA | Low | The network element must notify the appropriate individuals for account termination. | Account management by a designated authority ensures access to network elements is being controlled in a secured manner by granting access to only authorized personnel with the appropriate and... |
SRG-NET-000262-RTR-NA | Low | The network element must ensure all encrypted traffic is visible to network monitoring tools. | Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) devices should be deployed at strategic locations within the network. At a minimum, they should be deployed within the DMZ... |
SRG-NET-000097-RTR-NA | Low | The network element must synchronize internal system clocks on an organizationally defined frequency with an organizationally defined authoritative time source. | Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what was attempted to be done, where it was done, when it... |
SRG-NET-000235-RTR-NA | Low | The network element must fail to an organizationally defined known state for organizationally defined types of failures. | Failure to a known state can address safety or security in accordance with the mission needs of the organization. Failure to a known secure state helps prevent a loss of confidentiality,... |
SRG-NET-000252-RTR-NA | Low | The network element must prevent non-privileged users from circumventing malicious code protection capabilities. | Malicious code includes viruses, worms, Trojan horses, and spyware. It can be transported by electronic mail, mail attachments, web accesses, removable media, or other common means. Malicious... |
SRG-NET-000084-RTR-NA | Low | The network element must provide a warning when the logging storage capacity reaches an organizationally defined percentage of maximum allocated audit record storage capacity. | Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what was attempted to be done, where it was done, when it... |
SRG-NET-000306-RTR-NA | Low | The network element must enforce a Discretionary Access Control (DAC) policy that limits propagation of access rights. | Access control policies (e.g., identity-based policies, role-based policies, etc.) and access enforcement mechanisms (e.g., access control lists, policy maps, cryptography) are employed by... |
SRG-NET-000179-RTR-NA | Low | The network element must use cryptographic mechanisms to protect and restrict access to information on portable digital media. | When data is written to portable digital media, there is risk of loss of data along with integrity and data confidentiality. An organizational assessment of risk guides the selection of media and... |
SRG-NET-000006-RTR-NA | Low | The network element must notify the appropriate individuals when accounts are created. | Account management and distribution is vital to the security of any network element. Account management by a designated authority ensures access to network elements is being controlled in a... |
SRG-NET-000048-RTR-NA | Low | The network element must notify the user of the date and time of the last login, upon successful login. | Providing users with information regarding the date and time of their last successful login allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to... |
SRG-NET-000218-RTR-NA | Low | The network element must produce, control, and distribute asymmetric cryptographic keys using approved PKI Class 3 or Class 4 certificates and hardware security tokens that protect the user's private key. | The escalating use of cryptography has brought forth a huge challenge for organizations to protect and manage the hundreds and even thousands of cryptographic keys employed during daily... |
SRG-NET-000307-RTR-NA | Low | The network element must enforce a DAC policy that includes or excludes access to the granularity of a single user. | Access control policies (e.g., identity-based policies, role-based policies, etc.) and access enforcement mechanisms (e.g., access control lists, policy maps, cryptography) are employed by... |
SRG-NET-000031-RTR-000034 | Low | The router must ensure that IPv6 addresses with embedded IPv4-mapped IPv6 addresses are blocked by ingress and egress filters. | The IPv6 transition mechanisms include a technique for hosts and routers to dynamically tunnel IPv6 packets over IPv4 routing infrastructure. IPv6 nodes that use this technique are assigned... |
SRG-NET-000031-RTR-000033 | Low | The router must ensure that IPv6 addresses with IPv4-compatible IPv6 addresses are blocked on both ingress and egress filters. | The IPv6 transition mechanisms include a technique for hosts and routers to dynamically tunnel IPv6 packets over IPv4 routing infrastructure. IPv6 nodes that use this technique are assigned... |
SRG-NET-000100-RTR-NA | Low | The network element must protect audit logs from unauthorized deletion. | Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what was attempted to be done, where it was done, when it... |
SRG-NET-000233-RTR-NA | Low | The network element must allow only system generated session identifiers. | Peering neighbors must have a level of trust with each other since information being shared is used to provide network services, connectivity, and optimized routing. Corrupted or erroneous... |
SRG-NET-000182-RTR-NA | Low | The network element must separate user functionality (including user interface services) from information system management functionality. | Network management is the process of monitoring network elements and links, configuring network elements to turn up and disable network services; and the collection of performance, diagnostics,... |
SRG-NET-000052-RTR-NA | Low | The network element must notify the user of organizationally defined security-related changes to the user's account occurring during the organizationally defined time period. | Providing users with information regarding the date and time of their last successful login allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to... |
SRG-NET-000073-RTR-NA | Low | The network element must be configured to disable functionality that provides the capability for automatic execution of code on mobile devices without user direction. | Auto execution vulnerabilities can result in malicious programs being executed that can be used to cause a denial of service on the device and hence disrupt network services. Examples of... |
SRG-NET-000114-RTR-NA | Low | The network element must allow designated organizational personnel to select which auditable events are to be audited by specific components of the system. | Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what was attempted to be done, where it was done, when it... |
SRG-NET-000010-RTR-NA | Low | The network element must notify the appropriate individuals when account disabling actions are taken. | Account management by a designated authority ensures access to network elements is being controlled in a secured manner by granting access to only authorized personnel with the appropriate and... |
SRG-NET-000001-RTR-NA | Low | The network element must provide automated support for account management functions. | Account management and distribution is vital to the security of any network element. Account management by a designated authority ensures access to network elements is being controlled in a... |
SRG-NET-000284-RTR-NA | Low | The network element must detect unsanctioned information when transferring information between different security domains. | Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled so... |
SRG-NET-000018-RTR-000001 | Low | The router must enforce approved authorizations for controlling the flow of information within the network in accordance with applicable policy. | Information flow control regulates authorized information to travel within a network and between interconnected networks. Controlling the flow of network traffic is critical so it does not... |
SRG-NET-000076-RTR-NA | Low | The network element must produce audit log records containing sufficient information to establish where an event occurred. | Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what was attempted to be done, where it was done, when it... |
SRG-NET-000115-RTR-NA | Low | The network element must generate audit log events for a locally developed list of auditable events. | Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what was attempted to be done, where it was done, when it... |
SRG-NET-000003-RTR-NA | Low | The network element must automatically terminate emergency accounts after an organization defined time period. | Authentication for administrative access to the device is required at all times. A single account can be created on the device's local database for use in an emergency such as when the... |