V-16412 | Medium | The Sun Ray Session Server (SRSS) is used to host other applications. | The availability of the Sun Ray Session Server (SRSS) is critical since it manages the sessions associated with the Desktop Units. The Sun Ray software controls user authentication, encryption... |
V-16413 | Medium | The Sun Ray system and user logs are not reviewed weekly. | If a system administrator does not review Sun Ray logs weekly, there is the potential that an attack or other security issue can go unnoticed for a week or more, which is unacceptable in DoD environments. |
V-16397 | Medium | There is no up-to-date documentation or diagrams of the Sun Ray infrastructure. | Without current and accurate documentation, any changes to the Sun Ray infrastructure may jeopardize the network’s integrity. To assist in the management, auditing, and security of the network,... |
V-16411 | Medium | Applications published to users are not approved by the IAO/SA. | Publishing applications to users via the Kiosk mode bypasses a login mode. Therefore, some applications may or may not provide security to identify and authorize users to the application. For... |
V-16416 | Medium | There is no spare Sun Ray Desktop Unit available for use in the event of a Sun Ray Desktop Unit malfunction or failure. | Users will not be able to access the required applications for their job function if the Sun Ray Desktop Unit fails or malfunctions. Having a spare Sun Ray Desktop Unit will provide users a quick... |
V-16414 | Medium | The disaster recovery plan does not include the Sun Ray system (network infrastructure and peripherals). | If the disaster recovery plan does not include the Sun Ray system, recovering from a disaster would not be possible. All peripherals and necessary equipment must be included in the disaster... |
V-16418 | Medium | The site has not configured the Sun Ray server in the PNP database. | DoDI 8550.1 Ports, Protocols, and Services Management (PPSM) is the DoD’s policy on IP Ports, Protocols, and Services (PPS). It controls the PPS that are permitted or approved to cross DoD network... |
V-16409 | Medium | The IAO/SA is not receiving Sun Ray security and patch notifications. | Organizations need to stay current with all applicable Sun Ray Server software updates that are released from Sun. In order to be aware of updates as they are released, Sun Ray system... |
V-16417 | Medium | The Sun Ray system is not under direct control of a site Configuration Control Board. | Security integrity of the system and the ability to back up and recover from failures cannot be maintained without the control of the system configuration. Unless the configuration is controlled... |
V-16400 | Low | User Registration process is not clearly documented. | Without proper user registration documentation, users and system administrators may not register users in the Sun Ray system properly and potentially grant users more privileges than necessary. |
V-16415 | Low | There are no backup and recovery procedures for the Sun Ray system. | Backup and recovery procedures are critical to the availability and protection of the Sun Ray system. Availability of the system will be hindered if the system is compromised, shut down, or not... |