UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Router Security Requirements Guide


Overview

Date Finding Count (375)
2013-07-30 CAT I (High): 9 CAT II (Med): 218 CAT III (Low): 148
STIG Description
The Router Security Requirements Guide (SRG) is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the NIST 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.letterkenny.FSO.mbx.stig-customer-support-mailbox@mail.mil.

Available Profiles



Findings (MAC II - Mission Support Public)

Finding ID Severity Title
SRG-NET-000019-RTR-000002 High The router must enforce approved authorizations for controlling the flow of information between interconnected networks in accordance with applicable policy.
SRG-NET-000205-RTR-000093 High The router must monitor and control traffic at both the external and internal boundary interfaces.
SRG-NET-000168-RTR-000077 High The router must encrypt all methods of configured authentication.
SRG-NET-000025-RTR-000019 High The router must uniquely authenticate source domains for information transfer.
SRG-NET-000230-RTR-000111 High The router must protect the authenticity of communications sessions.
SRG-NET-000132-RTR-000036 High The router must prohibit or restrict network traffic in accordance with organizationally defined requirements for non-secure ports, protocols, and/or services.
SRG-NET-000027-RTR-000032 High The router must uniquely authenticate destination domains for information transfer.
SRG-NET-000191-RTR-000079 High The router must protect against or limit the effects of denial of service attacks.
SRG-NET-000015-RTR-NA High The network element must enforce the assigned privilege level for each administrator and authorizations for access to all commands relative to the privilege level in accordance with applicable policy for the device.
SRG-NET-000019-RTR-000008 Medium The router must be configured with a filter to deny all traffic applied to all inactive interfaces.
SRG-NET-000019-RTR-000009 Medium The router must protect perimeter routers connected to an Alternate Gateway by configuring an inbound filter that only permits packets with destination addresses within the site's address space.
SRG-NET-000019-RTR-000004 Medium The router must bind a PIM neighbor filter to interfaces that have PIM enabled.
SRG-NET-000019-RTR-000005 Medium The router must establish boundaries for Admin-local or Site-local scope multicast traffic.
SRG-NET-000019-RTR-000006 Medium The router must have control plane protection enabled.
SRG-NET-000019-RTR-000007 Medium The router must be configured so inactive router interfaces are disabled.
SRG-NET-000019-RTR-000003 Medium The router must disable Protocol Independent Multicast (PIM) on all interfaces that are not required to support multicast routing.
SRG-NET-000165-RTR-NA Medium The network element must enforce authorized access to the corresponding private key for PKI-based authentication.
SRG-NET-000132-RTR-000043 Medium The router must not have Courier Remote Procedure Call (COURIER) enabled.
SRG-NET-000205-RTR-000094 Medium The router must block all inbound traceroutes to prevent network discovery by unauthorized users.
SRG-NET-000205-RTR-000095 Medium The router must apply ingress filters entering the network to the external interface in the inbound direction.
SRG-NET-000205-RTR-000096 Medium The router must apply egress filters leaving the network to the internal interface in the inbound direction.
SRG-NET-000205-RTR-000097 Medium The router must block, deny, or drop inbound IP packets with a local host loopback address (127.0.0.0/8) at the perimeter device.
SRG-NET-000205-RTR-000098 Medium The router must block, deny, or drop inbound IP packets using a link-local address space (169.254.0.0/16) at the perimeter device.
SRG-NET-000205-RTR-000099 Medium The router must block, deny, or drop inbound IP packets using an RFC 1918 address space (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16) at the perimeter device.
SRG-NET-000132-RTR-000048 Medium The router must prohibit or restrict Protocol-Independent Multicast Source Specific Multicast (PIM-SSM) traffic in accordance with organizationally defined requirements for non-secure ports, protocols, and/or services.
SRG-NET-000123-RTR-NA Medium The network element must limit privileges to change software resident within software libraries, including privileged programs.
SRG-NET-000268-RTR-NA Medium The network element must respond to security function anomalies in accordance with organizationally defined responses and alternative actions.
SRG-NET-000016-RTR-NA Medium The network element must enforce dual authorization based on organizational policies and procedures for organization defined privileged commands.
SRG-NET-000152-RTR-NA Medium The network element must dynamically manage identifiers, attributes, and associated access authorizations.
SRG-NET-000189-RTR-NA Medium The network element must implement security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers.
SRG-NET-000194-RTR-000082 Medium The router must limit the use of resources by priority.
SRG-NET-000201-RTR-000087 Medium The router must prevent access into the organization's internal networks except as explicitly permitted and controlled by employing boundary protection devices.
SRG-NET-000187-RTR-NA Medium The network element must implement an isolation boundary to minimize the number of non-security functions included within the boundary containing security functions.
SRG-NET-000186-RTR-NA Medium The network element must isolate security functions used to enforce access and information flow control from both non-security functions and other security functions.
SRG-NET-000038-RTR-NA Medium The network element must enforce the organizationally defined maximum number of consecutive invalid login attempts.
SRG-NET-000026-RTR-000029 Medium The router must uniquely identify destination domains for information transfer.
SRG-NET-000037-RTR-NA Medium The network element must be configured to automatically disable the device if any of the organization defined list of security violations are detected.
SRG-NET-000029-RTR-NA Medium The network element must enforce dynamic traffic flow control based on policy allowing or disallowing flows based on traffic types and rates within or out of profile.
SRG-NET-000063-RTR-NA Medium The network element must be configured to use cryptography to protect the integrity of remote access sessions.
SRG-NET-000229-RTR-NA Medium The network element must take corrective action when unauthorized mobile code is identified.
SRG-NET-000127-RTR-NA Medium The network element must employ automated mechanisms to centrally verify configuration settings.
SRG-NET-000205-RTR-000102 Medium The router must ensure IPv6 Site-Local Unicast addresses are not defined in the enclave, (FEC0::/10). Note that this consists of all addresses that begin with FEC, FED, FEE, and FEF.
SRG-NET-000205-RTR-000103 Medium The router must block IPv6 Site-Local Unicast addresses on the ingress filter, (FEC0::/10). Note that this consists of all addresses that begin with FEC, FED, FEE, and FEF.
SRG-NET-000205-RTR-000100 Medium The router must be configured to reject the Routing Header extension types 0, 1, and 3 - 255 in an IPv6 enclave.
SRG-NET-000205-RTR-000101 Medium The router must drop IPv6 6-to-4 addresses with a prefix of 2002::/16 at the perimeter by the ingress and egress filters.
SRG-NET-000205-RTR-000106 Medium The router must block IPv6 well-known multicast addresses on the ingress and egress inbound filters, (FF00::/8).
SRG-NET-000205-RTR-000107 Medium The router must block IPv6 Unique Local Unicast addresses on the ingress and egress filters, (FC00::/7). Note that this consists of all addresses that begin with FC or FD.
SRG-NET-000205-RTR-000104 Medium The router must restrict the device from accepting any inbound IP packets with a local host loopback address, (::1/128).
SRG-NET-000205-RTR-000105 Medium The router must restrict the acceptance of any IP packets from the unspecified address (::/128).
SRG-NET-000205-RTR-000108 Medium The router must configure the maximum hop limit value to at least the value of 32.
SRG-NET-000205-RTR-000109 Medium The perimeter router must be configured to drop all inbound and outbound IPv6 packets containing a Hop-by-Hop header with invalid option type values.
SRG-NET-000071-RTR-NA Medium The network element must monitor for unauthorized connections of mobile devices to information systems.
SRG-NET-000168-RTR-000078 Medium The router must use NIST-validated FIPS 140-2 cryptography to implement authentication encryption mechanisms. This applies to passwords, and routing protocol authentication.
SRG-NET-000220-RTR-NA Medium The network element must employ FIPS-validated cryptography to protect unclassified information.
SRG-NET-000125-RTR-NA Medium The network element must employ automated mechanisms to centrally manage configuration settings.
SRG-NET-000060-RTR-NA Medium The network element must allow the association of security attributes with information by authorized system administrators.
SRG-NET-000061-RTR-NA Medium The network element must employ automated mechanisms to monitor and control remote access methods.
SRG-NET-000070-RTR-NA Medium The network element must protect wireless access to the network using encryption.
SRG-NET-000132-RTR-000053 Medium The router must not have Internet Relay Chat (IRC) enabled.
SRG-NET-000132-RTR-000052 Medium The router must prohibit or restrict Multicast Source Discovery Protocol (MSDP) traffic in accordance with organizationally defined requirements for non-secure ports, protocols, and/or services.
SRG-NET-000132-RTR-000050 Medium The router must not have Identification (IDENT) enabled.
SRG-NET-000132-RTR-000057 Medium The router must not have SHELL enabled.
SRG-NET-000132-RTR-000056 Medium The router must not have Microsoft Teredo enabled.
SRG-NET-000132-RTR-000055 Medium The router must not have Remote Login (LOGIN) enabled.
SRG-NET-000132-RTR-000054 Medium The router must prohibit or restrict Intermediate System To Intermediate System (IS-IS) traffic in accordance with organizationally defined requirements for non-secure ports, protocols, and/or services.
SRG-NET-000219-RTR-NA Medium The network element must employ cryptographic protections using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
SRG-NET-000132-RTR-000059 Medium The router must not have Simple File Transfer Protocol (SFTP) enabled.
SRG-NET-000132-RTR-000058 Medium The router must not have SIDEWINDER-COBRA enabled.
SRG-NET-000025-RTR-000024 Medium The router must enable authentication for all IS-IS peers.
SRG-NET-000134-RTR-NA Medium The network element must employ automated mechanisms to detect the addition of unauthorized components or devices.
SRG-NET-000161-RTR-NA Medium The network element must enforce password encryption for transmission.
SRG-NET-000177-RTR-NA Medium The network element must enforce identification and authentication for the establishment of nonlocal maintenance and diagnostic sessions.
SRG-NET-000133-RTR-NA Medium The network element must employ automated mechanisms to prevent program execution in accordance with organizationally defined specifications.
SRG-NET-000264-RTR-NA Medium The network element must analyze outbound communications traffic at selected interior points within the network as deemed necessary to discover anomalies.
SRG-NET-000199-RTR-NA Medium The network element must prevent discovery of specific system components or devices comprising a managed interface.
SRG-NET-000191-RTR-000081 Medium The router must ensure all eBGP routers are configured to use Generalized TTL Security Mechanism (GTSM).
SRG-NET-000191-RTR-000080 Medium The router must protect against Inbound IP packets using RFC5735, RFC6598 and other network address space allocated by IANA but not assigned by the RIRs for ISP and other end-customer use by blocking, denying, or dropping them at the perimeter device.
SRG-NET-000020-RTR-000015 Medium The router must enforce information flow control using explicit security attributes on information, source, and destination objects. Security attributes used as a basis for flow control decisions may include, but are not limited to IP addresses, Port numbers, Protocol, Autonomous System Path, and interfaces.
SRG-NET-000210-RTR-NA Medium The network element must protect the confidentiality of transmitted information.
SRG-NET-000024-RTR-000017 Medium The router must uniquely identify source domains for information transfer.
SRG-NET-000141-RTR-NA Medium The network element must use multifactor authentication for local access to privileged accounts.
SRG-NET-000163-RTR-NA Medium The network element must enforce maximum password lifetime restrictions.
SRG-NET-000204-RTR-000092 Medium The router must monitor and enforce filtering of internal addresses posing a threat to external information systems.
SRG-NET-000132-RTR-000051 Medium The router must prohibit or restrict ROUTER a.k.a. Routing Information Protocol (RIP) traffic in accordance with organizationally defined requirements for non-secure ports, protocols, and/or services.
SRG-NET-000170-RTR-NA Medium The network element must employ automated mechanisms to assist in the tracking of security incidents.
SRG-NET-000260-RTR-NA Medium The network element must take an organizationally defined list of least-disruptive actions to terminate suspicious events.
SRG-NET-000256-RTR-NA Medium The network element must monitor inbound and outbound communications for unusual or unauthorized activities or conditions.
SRG-NET-000049-RTR-NA Medium The network element must notify the user of the number of unsuccessful login attempts since the last successful login.
SRG-NET-000176-RTR-NA Medium The network element must employ cryptographic mechanisms to protect the integrity and confidentiality of nonlocal maintenance and diagnostic communications.
SRG-NET-000131-RTR-000035 Medium The router must not have unnecessary services and functions enabled.
SRG-NET-000132-RTR-000037 Medium The router must not have FINGER enabled.
SRG-NET-000246-RTR-NA Medium The network element must update malicious code protection mechanisms and signature definitions whenever new releases are available in accordance with organizational configuration management policy and procedures.
SRG-NET-000025-RTR-000028 Medium The router must enable authentication for all RIPng peers.
SRG-NET-000025-RTR-000025 Medium The router must enable authentication for all iBGP peers.
SRG-NET-000025-RTR-000027 Medium The router must enable authentication for all OSPF v3 peers.
SRG-NET-000025-RTR-000026 Medium The router must enable authentication for all eBGP peers.
SRG-NET-000025-RTR-000021 Medium The router must enable authentication for all RIPv2 peers.
SRG-NET-000025-RTR-000020 Medium The router must enable authentication for all IGP and EGP peers.
SRG-NET-000025-RTR-000023 Medium The router must enable authentication for all OSPF peers.
SRG-NET-000025-RTR-000022 Medium The router must enable authentication for all EIGRP peers.
SRG-NET-000035-RTR-NA Medium The network element must audit the use of privileged accounts when accessing configuration and operational commands enabled for non-privileged accounts.
SRG-NET-000288-RTR-NA Medium The network element must prevent the download of prohibited mobile code.
SRG-NET-000146-RTR-NA Medium The network element must use organizationally defined replay-resistant authentication mechanisms for network access to privileged accounts.
SRG-NET-000251-RTR-NA Medium The network element must automatically update malicious code protection mechanisms and rule definitions.
SRG-NET-000224-RTR-NA Medium The network element must protect the integrity and availability of publicly available information and applications.
SRG-NET-000069-RTR-NA Medium The network element must protect wireless access to the network using authentication.
SRG-NET-000269-RTR-NA Medium The network element must provide notification of failed automated security tests.
SRG-NET-000064-RTR-NA Medium The network element must route all remote access traffic through managed access control points.
SRG-NET-000214-RTR-NA Medium The network element must establish a trusted communications path between the user and organizationally defined security functions within the information system.
SRG-NET-000058-RTR-NA Medium The network element must allow the change of security attributes by authorized administrators.
SRG-NET-000014-RTR-NA Medium The network element must be configured to dynamically manage administrative privileges and associated command authorizations.
SRG-NET-000164-RTR-000076 Medium The router must validate certificates used for PKI-based authentication by constructing a certification path with status information to an accepted trust anchor for routing protocol authentication.
SRG-NET-000039-RTR-NA Medium The network element must enforce the organizationally defined time period over which the number of invalid login attempts are counted.
SRG-NET-000286-RTR-NA Medium The network element must protect the audit records of nonlocal accesses to privileged accounts and the execution of privileged functions.
SRG-NET-000154-RTR-NA Medium The network element must prohibit password reuse for the organizationally defined number of generations.
SRG-NET-000167-RTR-NA Medium The network element must obscure feedback of authentication information during the authentication process to protect the information from possible use by unauthorized individuals.
SRG-NET-000132-RTR-000044 Medium The router must not have Filter List Manager/Anti Network Terrorism (FLM-ANT) enabled.
SRG-NET-000132-RTR-000045 Medium The router must prohibit or restrict Open Shortest Path First (OSPF) traffic in accordance with organizationally defined requirements for non-secure ports, protocols, and/or services.
SRG-NET-000132-RTR-000046 Medium The router must prohibit or restrict Protocol-Independent Multicast Dense Mode (PIM-DM) traffic in accordance with organizationally defined requirements for non-secure ports, protocols, and/or services.
SRG-NET-000132-RTR-000047 Medium The router must prohibit or restrict Protocol-Independent Multicast Sparse Mode (PIM-SM) traffic in accordance with organizationally defined requirements for non-secure ports, protocols, and/or services.
SRG-NET-000132-RTR-000040 Medium The router must prohibit or restrict Bidirectional Protocol-Independent Multicast (BIDIR-PIM) in accordance with organizationally defined requirements for non-secure ports, protocols, and/or services.
SRG-NET-000132-RTR-000041 Medium The router must prohibit or restrict Border Gateway Protocol (BGP) traffic in accordance with organizationally defined requirements for non-secure ports, protocols, and/or services.
SRG-NET-000132-RTR-000042 Medium The router must not have Background File Transfer Program (BFTP) enabled.
SRG-NET-000132-RTR-000049 Medium The router must not have Gopher Protocol (GOPHER) enabled.
SRG-NET-000181-RTR-NA Medium The router must be configured to detect the presence of unauthorized software on organizational information systems.
SRG-NET-000174-RTR-NA Medium The network element must protect nonlocal maintenance sessions through the use of multifactor authentication which is tightly bound to the user.
SRG-NET-000266-RTR-NA Medium The network element must detect rogue wireless devices, attack attempts, and potential compromises or breaches to the wireless network.
SRG-NET-000059-RTR-NA Medium The network element must maintain the binding of security attributes to information with sufficient assurance that the information-to-attribute association can be used as the basis for automated policy actions.
SRG-NET-000178-RTR-NA Medium The network element must terminate all sessions when nonlocal maintenance is completed.
SRG-NET-000253-RTR-NA Medium The network element must only update malicious code protection mechanisms when directed by a privileged user.
SRG-NET-000287-RTR-NA Medium The network element must support organizational requirements to disable the user identifiers after an organizationally defined time period of inactivity.
SRG-NET-000308-RTR-NA Medium The network element must employ FIPS-validated or NSA-approved cryptography to implement digital signatures.
SRG-NET-000158-RTR-NA Medium The network element must enforce password complexity by the number of special characters used.
SRG-NET-000193-RTR-NA Medium The router must manage excess capacity and bandwidth, or have other redundancies to limit the effects of information flooding types of denial of service attacks.
SRG-NET-000132-RTR-000039 Medium The router must not have ARINC GATEWAY PROTOCOL (ARINC-GATEWAY) enabled.
SRG-NET-000132-RTR-000038 Medium The router must not have TELNET Service enabled.
SRG-NET-000129-RTR-NA Medium The network element must ensure detected unauthorized security-relevant configuration changes are tracked.
SRG-NET-000257-RTR-NA Medium The network element must provide near real-time alerts when any of the organizationally defined list of compromise or potential compromise indicators occur.
SRG-NET-000160-RTR-NA Medium The network element must enforce password encryption for storage.
SRG-NET-000106-RTR-NA Medium The network element must use cryptographic mechanisms to protect the integrity of audit log information.
SRG-NET-000002-RTR-NA Medium The network element must automatically terminate temporary accounts after an organization defined time period for each type of account.
SRG-NET-000273-RTR-NA Medium The network element must generate error messages providing information necessary for corrective actions without revealing organizationally defined sensitive or potentially harmful information in error logs and administrative messages that could be exploited.
SRG-NET-000258-RTR-NA Medium The network element must prevent non-privileged users from circumventing intrusion detection and prevention capabilities.
SRG-NET-000175-RTR-NA Medium The network element must protect nonlocal maintenance sessions by separating the maintenance session from other network sessions with the device, by using either physically separated communications paths, or logically separated communications paths based upon encryption.
SRG-NET-000124-RTR-NA Medium The network element must automatically implement organizationally defined safeguards and countermeasures if security functions or mechanisms are changed inappropriately.
SRG-NET-000122-RTR-NA Medium The network element must enforce a two-person rule for changes to organizationally defined information system components and system-level information.
SRG-NET-000144-RTR-NA Medium The network element must enforce multifactor authentication for network access to privileged accounts where one of the factors is provided by a device separate from the network element being accessed.
SRG-NET-000032-RTR-NA Medium The network element must enforce organization defined one-way traffic flows using hardware mechanisms.
SRG-NET-000023-RTR-000016 Medium The router must enforce security policies regarding information on interconnected systems.
SRG-NET-000228-RTR-NA Medium The network element must implement detection and inspection mechanisms to identify unauthorized mobile code.
SRG-NET-000267-RTR-NA Medium The network element must verify the correct operation of security functions, in accordance with organizationally identified conditions and frequency.
SRG-NET-000132-RTR-000075 Medium The router must prohibit or restrict Internet Group Management Protocol (IGMP) traffic in accordance with organizationally defined requirements for non-secure ports, protocols, and/or services.
SRG-NET-000132-RTR-000074 Medium The router must prohibit or restrict Internet Control message Protocol version 6 (ICMPv6) traffic in accordance with organizationally defined requirements for non-secure ports, protocols, and/or services.
SRG-NET-000132-RTR-000071 Medium The router must not have Virtual Network Computing Server (VNC-SERVER) enabled.
SRG-NET-000132-RTR-000070 Medium The router must not have Symantec-Intruder Alert Agent (SYMANTEC-IA) enabled.
SRG-NET-000132-RTR-000073 Medium The router must prohibit or restrict Internet Control Message Protocol (ICMP) traffic in accordance with organizationally defined requirements for non-secure ports, protocols, and/or services.
SRG-NET-000132-RTR-000072 Medium The router must not have Yak Winsock Personal Chat (YAK-CHAT) enabled.
SRG-NET-000021-RTR-NA Medium The network element must implement role-based management to allow authorized administrators to enable/disable organizationally defined security policy filters.
SRG-NET-000211-RTR-NA Medium The network element must employ cryptographic mechanisms to prevent unauthorized disclosure of information during transmission, unless otherwise protected by alternative physical measures.
SRG-NET-000206-RTR-000110 Medium The router must connect to external networks only through managed interfaces consisting of boundary protection devices arranged in accordance with organizational security architecture.
SRG-NET-000213-RTR-NA Medium The network element must terminate the connection associated with a communications session at the end of the session or after an organizationally defined time period of inactivity.
SRG-NET-000025-RTR-000085 Medium The router must be configured so that rotating keys are not used for authenticating IGP peers that have a duration exceeding 180 days.
SRG-NET-000153-RTR-NA Medium The network element must enforce minimum password length.
SRG-NET-000062-RTR-NA Medium The network element must use approved cryptography to protect the confidentiality of remote access sessions.
SRG-NET-000239-RTR-NA Medium The network element must employ cryptographic mechanisms to prevent unauthorized disclosure of information at rest.
SRG-NET-000231-RTR-NA Medium The network element must invalidate session identifiers upon user logout or other session termination.
SRG-NET-000289-RTR-NA Medium The network element must prevent the execution of prohibited mobile code.
SRG-NET-000197-RTR-NA Medium The network element must isolate organizationally defined key information security tools, mechanisms, and support components from other internal information system components via physically separate subnets.
SRG-NET-000200-RTR-NA Medium The router must enforce strict adherence to protocol format.
SRG-NET-000033-RTR-NA Medium The network element must enforce information flow control using organization defined security policy filters as a basis for flow control decisions.
SRG-NET-000120-RTR-NA Medium The network element must use automated mechanisms to support auditing of the enforcement actions.
SRG-NET-000057-RTR-NA Medium The network element must dynamically reconfigure security attributes in accordance with an identified security policy as information is created and combined.
SRG-NET-000040-RTR-NA Medium The network element must automatically lock an account after the maximum number of unsuccessful login attempts is exceeded and remain locked for an organizationally defined time period or until released by an administrator.
SRG-NET-000019-RTR-000013 Medium The router must enforce that the managed network domain and the management network domain are separate routing domains and the IGP instances are not redistributed or advertised to each other.
SRG-NET-000019-RTR-000012 Medium The router must enforce IGP instances configured on the Out Of Band Management (OOBM) gateway router only peer with their own routing domain.
SRG-NET-000019-RTR-000011 Medium The router must enforce redistribution and advertisements from alternate gateway service provider IP addresses to the NIPRNet or to other AS.
SRG-NET-000019-RTR-000010 Medium The router must enforce the use of static routes for perimeter routers peered with other routers belonging to an Autonomous System (AS) of an alternate gateway.
SRG-NET-000019-RTR-000014 Medium The router must enforce that any interface used for OOBM traffic is configured to be passive for the IGP that is utilized on that interface.
SRG-NET-000150-RTR-NA Medium The network element must authenticate devices before establishing wireless network connections using bidirectional authentication between cryptographically based devices.
SRG-NET-000151-RTR-NA Medium The network element must authenticate devices before establishing network connections using bidirectional authentication between cryptographically based devices.
SRG-NET-000139-RTR-NA Medium The network element must use multifactor authentication for network access to privileged accounts.
SRG-NET-000172-RTR-NA Medium The network element must use automated mechanisms to restrict the use of maintenance tools to authorized personnel only.
SRG-NET-000271-RTR-NA Medium The network element must detect unauthorized changes to software and information.
SRG-NET-000065-RTR-NA Medium The network element must monitor for unauthorized remote connections to specific information systems on an organizationally defined frequency.
SRG-NET-000250-RTR-NA Medium The network element must address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.
SRG-NET-000227-RTR-NA Medium The network element must issue public key certificates under an appropriate certificate policy or obtain public key certificates under an appropriate certificate policy from an approved service provider.
SRG-NET-000265-RTR-NA Medium The network element must detect attack attempts to the wireless network.
SRG-NET-000261-RTR-NA Medium The network element must protect information obtained from intrusion monitoring tools from unauthorized access, modification, and deletion.
SRG-NET-000022-RTR-NA Medium The network element must provide the capability for a privileged administrator to configure the organizationally defined security policy filters to support different security policies.
SRG-NET-000280-RTR-NA Medium The network element must enforce information flow control based on organizationally defined metadata.
SRG-NET-000225-RTR-NA Medium The network element must associate security attributes with information exchanged between information systems.
SRG-NET-000028-RTR-NA Medium The network element must implement security policies for all traffic flows by using security zones at various protection levels as a basis for flow control decisions.
SRG-NET-000162-RTR-NA Medium The network element must enforce minimum password lifetime restrictions.
SRG-NET-000143-RTR-NA Medium The network element must support the organizational requirement to ensure individuals are authenticated with an individual authenticator prior to using a group authenticator.
SRG-NET-000195-RTR-000083 Medium The router must check inbound traffic to ensure the communications are coming from an authorized source and are routed to an authorized destination.
SRG-NET-000249-RTR-NA Medium The network element must be configured to perform organizationally defined actions in response to malicious code detection.
SRG-NET-000118-RTR-NA Medium The network element must enforce access restrictions associated with changes to the system components.
SRG-NET-000263-RTR-NA Medium The network element must analyze outbound traffic at the external boundary of the network.
SRG-NET-000226-RTR-NA Medium The network element must validate the integrity of security attributes exchanged between information systems.
SRG-NET-000279-RTR-NA Medium The network element must prevent access to organizationally defined security-relevant information except during secure, non-operable system states.
SRG-NET-000272-RTR-NA Medium The network element must identify and respond to potential security-relevant error conditions.
SRG-NET-000103-RTR-NA Medium The network element must protect audit tools from unauthorized deletion.
SRG-NET-000259-RTR-NA Medium The network element must notify an organizationally defined list of incident response personnel of suspicious events.
SRG-NET-000128-RTR-NA Medium The network element must employ automated mechanisms to respond to unauthorized changes to organizationally defined configuration settings.
SRG-NET-000031-RTR-NA Medium The router must enforce organizationally defined limitations on the embedding of data types within other data types.
SRG-NET-000156-RTR-NA Medium The network element must enforce password complexity by the number of lowercase characters used.
SRG-NET-000198-RTR-NA Medium The network element must route all management traffic through a dedicated management interface.
SRG-NET-000192-RTR-NA Medium The network element must restrict the ability of individuals to launch denial of service attacks against other information systems or networks.
SRG-NET-000190-RTR-NA Medium The network element must prevent unauthorized and unintended information transfer via shared system resources.
SRG-NET-000072-RTR-NA Medium The network element must enforce requirements for the connection of mobile devices to organizational information systems.
SRG-NET-000132-RTR-000068 Medium The router must not have SoftwareAG WebMethods Broker (SOFTWAREAG-WEBMETHODS BROKER) enabled.
SRG-NET-000132-RTR-000069 Medium The router must not have Super Duper Telnet (SUPDUP) enabled.
SRG-NET-000132-RTR-000066 Medium The router must not have NEI-Management Port enabled.
SRG-NET-000132-RTR-000067 Medium The router must not have ORACLE Names Client Connector (ORACLENAMES) enabled.
SRG-NET-000132-RTR-000064 Medium The router must not have Hewlitt Packard Integrated Lights Out Virtual Media (HP-ILO-VM) enabled.
SRG-NET-000132-RTR-000065 Medium The router must not have Hypertext Transfer protocol management Service (HTTP-MGMT) enabled.
SRG-NET-000132-RTR-000062 Medium The router must not have TIMBUKTU enabled.
SRG-NET-000132-RTR-000063 Medium The router must not have C-Cubed-MVS DIRECT API enabled.
SRG-NET-000132-RTR-000060 Medium The router must not have SNARE enabled.
SRG-NET-000132-RTR-000061 Medium The router must not have Terminal Access Controller Access Control System (TACACS) enabled.
SRG-NET-000208-RTR-NA Medium The network element must use cryptographic mechanisms to detect changes to information during transmission, unless otherwise protected by alternative physical measures.
SRG-NET-000166-RTR-NA Medium The network element must map the authenticated identity to the user account for PKI-based authentication.
SRG-NET-000203-RTR-NA Medium The network element must route organizationally defined internal communications traffic destined for organizationally defined external networks through authenticated application firewalls (application proxy servers) at managed interfaces.
SRG-NET-000244-RTR-NA Medium The network element must employ malicious code protection mechanisms to detect and block malicious code at the network perimeter.
SRG-NET-000207-RTR-NA Medium The network element must protect the integrity of transmitted information.
SRG-NET-000030-RTR-NA Medium All encrypted traffic must be decrypted prior to passing through content inspection and filtering mechanisms.
SRG-NET-000119-RTR-NA Medium The network element must use automated mechanisms to enforce access restrictions.
SRG-NET-000005-RTR-NA Low The network element must automatically audit the creation of accounts.
SRG-NET-000066-RTR-NA Low The network element must audit remote sessions for accessing an organizationally defined list of security functions and security-relevant information.
SRG-NET-000067-RTR-NA Low The network element must disable the use of organizationally defined networking protocols deemed non-secure, except for explicitly identified components in support of specific operational requirements.
SRG-NET-000079-RTR-NA Low The network element must capture and log sufficient information to establish the identity of user accounts associated with an audit event.
SRG-NET-000241-RTR-NA Low The network element must protect the integrity of information during the processes of data aggregation, packaging, and transformation in preparation for transmission.
SRG-NET-000068-RTR-NA Low The network element must enforce requirements for remote connections to the network.
SRG-NET-000180-RTR-NA Low The network element must employ cryptographic mechanisms to protect information in storage.
SRG-NET-000184-RTR-NA Low The network element must isolate security functions from non-security functions.
SRG-NET-000274-RTR-NA Low The network element must activate an organizationally defined alarm when a system component failure is detected.
SRG-NET-000300-RTR-NA Low The network element must provide the means to indicate the security status of child subspaces and (if the child supports secure resolution services) enable verification of a chain of trust among parent and child domains when operating as part of a distribution.
SRG-NET-000243-RTR-NA Low The network element must be configured to implement automated patch management tools to facilitate flaw remediation to network components.
SRG-NET-000056-RTR-NA Low The network element must support and maintain the binding of organizationally defined security attributes to information in transmission.
SRG-NET-000236-RTR-NA Low The network element must preserve organizationally defined system state information in the event of a system failure.
SRG-NET-000108-RTR-NA Low The network element must protect against an individual falsely denying having performed a particular action.
SRG-NET-000147-RTR-NA Low The network element must use organizationally defined replay-resistant authentication mechanisms for network access to non-privileged accounts.
SRG-NET-000242-RTR-NA Low The network element must be configured to automatically check for security updates to the application software on an organizationally defined frequency.
SRG-NET-000034-RTR-NA Low The network element must implement separation of duties through assigned information system access authorizations.
SRG-NET-000088-RTR-NA Low The network element must be configured to send an alert to designated personnel in the event of an audit processing failure.
SRG-NET-000009-RTR-NA Low The network element must automatically audit account disabling actions.
SRG-NET-000107-RTR-NA Low The network element must use cryptography to protect the integrity of audit tools.
SRG-NET-000007-RTR-NA Low The network element must automatically audit account modification.
SRG-NET-000221-RTR-NA Low The network element must employ NSA-approved cryptography to protect classified information.
SRG-NET-000075-RTR-NA Low The network element must produce audit log records containing sufficient information to establish when an event occurred.
SRG-NET-000051-RTR-NA Low The network element must notify the user of the number of unsuccessful login attempts occurring during an organizationally defined time period.
SRG-NET-000055-RTR-NA Low The network element must support and maintain the binding of organizationally defined security attributes to information in process.
SRG-NET-000054-RTR-NA Low The network element must support and maintain the binding of organizationally defined security attributes to information in storage.
SRG-NET-000145-RTR-NA Low The network element must enforce multifactor authentication for network access to non-privileged accounts where one of the factors is provided by a device separate from the network element being accessed.
SRG-NET-000099-RTR-NA Low The network element must protect audit log information from unauthorized modification.
SRG-NET-000098-RTR-NA Low The network element must protect audit log information from unauthorized read access.
SRG-NET-000013-RTR-NA Low The network element must monitor for irregular usage of administrative user accounts.
SRG-NET-000091-RTR-NA Low The network element must centralize the review and analysis of audit records from multiple network elements within the network.
SRG-NET-000222-RTR-NA Low The network element must employ FIPS-validated cryptography to protect information when such information must be separated from individuals who have the necessary clearances yet lack the necessary access approvals.
SRG-NET-000309-RTR-NA Low The network element must protect against unauthorized physical connections across the boundary protections implemented at an organizationally defined list of managed interfaces.
SRG-NET-000110-RTR-NA Low The network element must compile audit records from multiple components into a system-wide audit trail that is time-correlated to within an organizationally defined level of tolerance for the relationship between timestamps of individual records in the audit trail.
SRG-NET-000149-RTR-NA Low The network element must authenticate devices before establishing remote network connections using bidirectional authentication between cryptographically based devices.
SRG-NET-000050-RTR-NA Low The network element must notify the user of the number of successful login attempts occurring during an organizationally defined time period.
SRG-NET-000036-RTR-NA Low The network element must provide finer-grained allocation of account privileges through the use of separate processing domains.
SRG-NET-000212-RTR-NA Low The network element must maintain the confidentiality of information during aggregation, packaging, and transformation in preparation for transmission.
SRG-NET-000078-RTR-NA Low The network element must produce audit log records containing sufficient information to determine if an event was a success or failure.
SRG-NET-000042-RTR-NA Low The network element must display the approved system use notification message or banner on the screen until the administrator takes explicit action to acknowledge the message.
SRG-NET-000087-RTR-NA Low The network element must reject or delay network traffic generated above configurable traffic volume thresholds, as defined by the organization.
SRG-NET-000234-RTR-NA Low The network element must generate unique session identifiers with organizationally defined randomness requirements.
SRG-NET-000202-RTR-000088 Low The router must deny network traffic by default and allow network traffic by exception at all interfaces at the network perimeter.
SRG-NET-000281-RTR-NA Low The network element must identify information flows by data type specification and usage when transferring information between different security domains.
SRG-NET-000148-RTR-NA Low The network element must authenticate an organizationally defined list of specific devices by device type before establishing a connection.
SRG-NET-000215-RTR-NA Low The network element must produce, control, and distribute symmetric cryptographic keys, using NIST-approved key management technology and processes.
SRG-NET-000245-RTR-NA Low The network element must employ malicious code protection mechanisms at workstations, servers, or mobile computing devices on the network to detect and eradicate malicious code transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means or inserted through the exploitation of information system vulnerabilities.
SRG-NET-000085-RTR-NA Low The network element must provide a real-time alert when organizationally defined audit failure events occur.
SRG-NET-000232-RTR-NA Low The network element must generate a unique session identifier for each session.
SRG-NET-000053-RTR-NA Low The network element must limit the number of concurrent sessions for each account to an organizationally defined number.
SRG-NET-000086-RTR-NA Low The network element must enforce configurable traffic volume thresholds representing audit logging capacity for network traffic to be logged.
SRG-NET-000095-RTR-NA Low The network element must provide the capability to automatically process audit log records for events of interest based upon selectable event criteria.
SRG-NET-000102-RTR-NA Low The network element must protect audit tools from unauthorized modification.
SRG-NET-000024-RTR-000018 Low The router must reject any outbound IP packets that contain an illegitimate address in the source address field through the enabling of uRPF strict mode or egress filter.
SRG-NET-000202-RTR-000089 Low The router must suppress router advertisements on all external-facing IPv6-enabled interfaces.
SRG-NET-000254-RTR-NA Low The network element must not allow users to introduce removable media into the information system.
SRG-NET-000093-RTR-NA Low The network element must provide an audit log reduction capability.
SRG-NET-000282-RTR-NA Low The network element must decompose information into policy-relevant subcomponents for submission to policy enforcement mechanisms when transferring information between different security domains.
SRG-NET-000303-RTR-NA Low The network element must perform data origin authentication and data integrity verification on all resolution responses received whether or not local client systems explicitly request this service.
SRG-NET-000017-RTR-NA Low The network element must implement nondiscretionary access control policies over an organization defined set of users and resources.
SRG-NET-000278-RTR-NA Low The network element must display security attributes in human readable form on each object output from the system to system output devices to identify an organizationally identified set of special dissemination, handling, or distribution instructions using organizationally identified human readable, standard naming conventions.
SRG-NET-000255-RTR-NA Low The network element must interconnect and configure individual intrusion detection tools into a system-wide intrusion detection system using common protocols.
SRG-NET-000237-RTR-NA Low The network element must include components that proactively seek to identify web-based malicious code.
SRG-NET-000004-RTR-NA Low The network element must automatically disable inactive accounts after an organization defined time period of inactivity.
SRG-NET-000101-RTR-NA Low The network element must protect audit tools from unauthorized access.
SRG-NET-000083-RTR-NA Low The network element logging function must be configured to reduce the likelihood of audit log record capacity being exceeded.
SRG-NET-000138-RTR-NA Low The network element must enforce the identification and authentication of all organizational users.
SRG-NET-000196-RTR-NA Low The network element must implement host-based boundary protection mechanisms.
SRG-NET-000121-RTR-NA Low The network element must prevent the installation of organizationally defined critical software programs not signed with an organizationally approved private key.
SRG-NET-000096-RTR-NA Low The network element must use internal system clocks to generate timestamps for audit records.
SRG-NET-000305-RTR-NA Low The network element that collectively provides name/address resolution service for an organization must implement internal/external role separation.
SRG-NET-000217-RTR-NA Low The network element must produce, control, and distribute asymmetric cryptographic keys using approved PKI Class 3 certificates or prepositioned keying material.
SRG-NET-000216-RTR-NA Low The network element must produce, control, and distribute symmetric and asymmetric cryptographic keys using NSA-approved key management technology and processes.
SRG-NET-000285-RTR-NA Low The network element must prohibit the transfer of unsanctioned information in accordance with the security policy when transferring information between different security domains.
SRG-NET-000270-RTR-NA Low The network element must provide automated support for the management of distributed security testing.
SRG-NET-000136-RTR-NA Low The network element must support organizational requirements to conduct backups of system-level information contained in the information system per organizationally defined frequency.
SRG-NET-000081-RTR-NA Low The network element must transmit audit events to the organization's central audit log server.
SRG-NET-000105-RTR-NA Low The network element must backup system-level audit event log records on an organizationally defined frequency onto a different system or media.
SRG-NET-000157-RTR-NA Low The network element must enforce password complexity by the number of numeric characters used.
SRG-NET-000290-RTR-NA Low The network element must prevent the automatic execution of mobile code in organizationally defined software applications and require organizationally defined actions prior to executing the code.
SRG-NET-000082-RTR-NA Low The network element must allocate audit record storage capacity.
SRG-NET-000126-RTR-NA Low The network element must employ automated mechanisms to centrally apply configuration settings.
SRG-NET-000089-RTR-NA Low The network element must be capable of taking organizationally defined actions upon audit failure.
SRG-NET-000159-RTR-NA Low The network element must enforce the number of characters changed when passwords are changed.
SRG-NET-000277-RTR-NA Low The network element must block network access by unauthorized devices and must log the information as a security violation.
SRG-NET-000104-RTR-NA Low The network element must produce audit records on hardware-enforced write-once media.
SRG-NET-000248-RTR-NA Low The network element must be configured to perform real-time monitoring of files from external sources as they are downloaded and prior to being opened or executed.
SRG-NET-000080-RTR-NA Low The network element must capture and log organizationally defined additional information (identified by type, location, or subject) to the audit records for audit events.
SRG-NET-000302-RTR-NA Low The network element must perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources when requested by client systems.
SRG-NET-000202-RTR-000091 Low The router must block IPv6 6bone address space on the ingress and egress filters (3FEE::/16).
SRG-NET-000202-RTR-000090 Low The router must block the undetermined transport packet at the perimeter of an IPv6 enclave.
SRG-NET-000094-RTR-NA Low The network element must provide a report generation capability for the audit log.
SRG-NET-000135-RTR-NA Low The network element must support organizational requirements to conduct backups of user-level information contained in the device per an organizationally defined frequency that is consistent with recovery time and recovery point objectives.
SRG-NET-000077-RTR-NA Low The network element must produce audit log records containing sufficient information to establish the source of an event.
SRG-NET-000169-RTR-NA Low The network element must uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users.
SRG-NET-000238-RTR-NA Low The network element must protect the confidentiality and integrity of system information at rest.
SRG-NET-000171-RTR-NA Low The network element must invoke a system shutdown in the event of a log failure, unless an alternative audit capability exists.
SRG-NET-000112-RTR-NA Low The network element must produce a system-wide audit trail composed of log records in a standardized format.
SRG-NET-000011-RTR-NA Low The network element must automatically audit account termination.
SRG-NET-000092-RTR-NA Low The network element must use automated mechanisms to alert security personnel to an organizationally defined list of inappropriate or unusual activities with security implications.
SRG-NET-000074-RTR-NA Low The network element must produce audit log records that contain sufficient information to establish what type of event occurred.
SRG-NET-000137-RTR-NA Low The network element must support organizational requirements to conduct backups of information system documentation, including security-related documentation, per an organizationally defined frequency that is consistent with recovery time and recovery point objectives.
SRG-NET-000043-RTR-NA Low The network element must display a DoD-approved system use notification message or banner before granting access to the device.
SRG-NET-000183-RTR-NA Low The network element must prevent the presentation of information system management-related functionality at an interface for general (i.e., non-privileged) users.
SRG-NET-000140-RTR-NA Low The network element must use multifactor authentication for network access to non-privileged accounts.
SRG-NET-000301-RTR-NA Low The network element must provide the means to indicate the security status of child subspaces and (if the child supports secure resolution services) enable verification of a chain of trust among parent and child domains.
SRG-NET-000155-RTR-NA Low The network element must enforce password complexity by the number of uppercase characters used.
SRG-NET-000173-RTR-NA Low The network element must log nonlocal maintenance and diagnostic sessions.
SRG-NET-000041-RTR-NA Low The network element must display an approved system use notification message (or banner) before granting access to the system.
SRG-NET-000113-RTR-NA Low The network element must provide audit record generation capability for organizationally defined auditable events occurring within the network element.
SRG-NET-000090-RTR-NA Low The network element must integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities.
SRG-NET-000209-RTR-NA Low The network element must maintain the integrity of information during aggregation and encapsulation in preparation for transmission.
SRG-NET-000008-RTR-NA Low The network element must notify the appropriate individuals when accounts are modified.
SRG-NET-000283-RTR-NA Low The network element must implement policy filters that constrain data structure and content to organizationally defined information security policy requirements when transferring information between different security domains.
SRG-NET-000304-RTR-NA Low The network element that collectively provides name/address resolution service for an organization must be fault-tolerant.
SRG-NET-000026-RTR-000031 Low The router must be configured to restrict it from accepting outbound IP packets that contains an illegitimate address in the source address field via egress filter or by enabling Unicast Reverse Path Forwarding in an IPv6 enclave.
SRG-NET-000026-RTR-000030 Low The router must only permit BGP connections with known IP addresses of neighbor routers from trusted Autonomous Systems.
SRG-NET-000142-RTR-NA Low The network element must use multifactor authentication for local access to non-privileged accounts.
SRG-NET-000247-RTR-NA Low The network element must employ malicious code protection mechanisms to perform periodic monitoring of the information system on an organizationally defined frequency.
SRG-NET-000195-RTR-000086 Low The router must restrict BGP connections to known IP addresses of neighbor routers from trusted Autonomous Systems (AS).
SRG-NET-000195-RTR-000084 Low The router must enforce IP source routing is disabled.
SRG-NET-000012-RTR-NA Low The network element must notify the appropriate individuals for account termination.
SRG-NET-000262-RTR-NA Low The network element must ensure all encrypted traffic is visible to network monitoring tools.
SRG-NET-000097-RTR-NA Low The network element must synchronize internal system clocks on an organizationally defined frequency with an organizationally defined authoritative time source.
SRG-NET-000235-RTR-NA Low The network element must fail to an organizationally defined known state for organizationally defined types of failures.
SRG-NET-000252-RTR-NA Low The network element must prevent non-privileged users from circumventing malicious code protection capabilities.
SRG-NET-000084-RTR-NA Low The network element must provide a warning when the logging storage capacity reaches an organizationally defined percentage of maximum allocated audit record storage capacity.
SRG-NET-000306-RTR-NA Low The network element must enforce a Discretionary Access Control (DAC) policy that limits propagation of access rights.
SRG-NET-000179-RTR-NA Low The network element must use cryptographic mechanisms to protect and restrict access to information on portable digital media.
SRG-NET-000006-RTR-NA Low The network element must notify the appropriate individuals when accounts are created.
SRG-NET-000048-RTR-NA Low The network element must notify the user of the date and time of the last login, upon successful login.
SRG-NET-000218-RTR-NA Low The network element must produce, control, and distribute asymmetric cryptographic keys using approved PKI Class 3 or Class 4 certificates and hardware security tokens that protect the user's private key.
SRG-NET-000307-RTR-NA Low The network element must enforce a DAC policy that includes or excludes access to the granularity of a single user.
SRG-NET-000031-RTR-000034 Low The router must ensure that IPv6 addresses with embedded IPv4-mapped IPv6 addresses are blocked by ingress and egress filters.
SRG-NET-000031-RTR-000033 Low The router must ensure that IPv6 addresses with IPv4-compatible IPv6 addresses are blocked on both ingress and egress filters.
SRG-NET-000100-RTR-NA Low The network element must protect audit logs from unauthorized deletion.
SRG-NET-000233-RTR-NA Low The network element must allow only system generated session identifiers.
SRG-NET-000182-RTR-NA Low The network element must separate user functionality (including user interface services) from information system management functionality.
SRG-NET-000052-RTR-NA Low The network element must notify the user of organizationally defined security-related changes to the user's account occurring during the organizationally defined time period.
SRG-NET-000073-RTR-NA Low The network element must be configured to disable functionality that provides the capability for automatic execution of code on mobile devices without user direction.
SRG-NET-000114-RTR-NA Low The network element must allow designated organizational personnel to select which auditable events are to be audited by specific components of the system.
SRG-NET-000010-RTR-NA Low The network element must notify the appropriate individuals when account disabling actions are taken.
SRG-NET-000001-RTR-NA Low The network element must provide automated support for account management functions.
SRG-NET-000284-RTR-NA Low The network element must detect unsanctioned information when transferring information between different security domains.
SRG-NET-000018-RTR-000001 Low The router must enforce approved authorizations for controlling the flow of information within the network in accordance with applicable policy.
SRG-NET-000076-RTR-NA Low The network element must produce audit log records containing sufficient information to establish where an event occurred.
SRG-NET-000115-RTR-NA Low The network element must generate audit log events for a locally developed list of auditable events.
SRG-NET-000003-RTR-NA Low The network element must automatically terminate emergency accounts after an organization defined time period.