{
"stig": {
"date": "2020-12-14",
"description": "This Security Requirements Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.",
"findings": {
"V-234275": {
"checkid": "C-37460r617394_chk",
"checktext": "Verify the UEM server limits the number of concurrent sessions per privileged user account to three or less concurrent sessions.\n\nIf the UEM server does not limit the number of concurrent sessions per privileged user account to three or less concurrent sessions, this is a finding.",
"description": "Application management includes the ability to control the number of users and user sessions that utilize an application. Limiting the number of allowed users and sessions per user is helpful in limiting risks related to DoS attacks.\n\nThis requirement may be met via the application or by utilizing information system session control provided by a web server with specialized session management capabilities. If it has been specified that this requirement will be handled by the application, the capability to limit the maximum number of concurrent single user sessions must be designed and built into the application. \n\nThis requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions must be defined based upon mission needs and the operational environment for each system. \n\nSatisfies:FMT_SMF.1.1(2) b \nReference:PP-MDM-431010",
"fixid": "F-37425r617395_fix",
"fixtext": "Configure the UEM server to limit the number of concurrent sessions per privileged user account to three or less concurrent sessions.",
"iacontrols": null,
"id": "V-234275",
"ruleID": "SV-234275r617395_rule",
"severity": "medium",
"title": "The UEM server must limit the number of concurrent sessions per privileged user account to three or less concurrent sessions.",
"version": "SRG-APP-000001-UEM-000001"
},
"V-234276": {
"checkid": "C-37461r613838_chk",
"checktext": "Verify the UEM server conceals, via the session lock, information previously visible on the display with a publicly viewable image.\n\nIf the UEM server does not conceal via the session lock information previously visible on the display with a publicly viewable image, this is a finding.",
"description": "A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system, but does not log out because of the temporary nature of the absence. \n\nThe session lock is implemented at the point where session activity can be determined. This is typically at the operating system level, but may be at the application level. \n\nWhen the application design specifies the application rather than the operating system will determine when to lock the session, the application session lock event must include an obfuscation of the display screen to prevent other users from reading what was previously displayed. \n\nPublicly viewable images can include static or dynamic images, for example, patterns used with screen savers, photographic images, solid colors, a clock, a battery life indicator, or a blank screen, with the additional caveat that none of the images convey sensitive information. \n\nSatisfies:FMT_SMF.1.1(2) b \nReference:PP-MDM-431011",
"fixid": "F-37426r613839_fix",
"fixtext": "Configure the UEM server to conceal via the session lock information previously visible on the display with a publicly viewable image.",
"iacontrols": null,
"id": "V-234276",
"ruleID": "SV-234276r617355_rule",
"severity": "medium",
"title": "The UEM server must conceal, via the session lock, information previously visible on the display with a publicly viewable image.",
"version": "SRG-APP-000002-UEM-000002"
},
"V-234277": {
"checkid": "C-37462r613841_chk",
"checktext": "Verify the UEM server initiates a session lock after a 15-minute period of inactivity.\n\nIf the UEM server does not initiate a session lock after a 15-minute period of inactivity, this is a finding.",
"description": "A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system, but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their application session prior to vacating the vicinity, applications need to be able to identify when a user's application session has idled and take action to initiate the session lock.\n\nThe session lock is implemented at the point where session activity can be determined and/or controlled. This is typically at the operating system level and results in a system lock, but may be at the application level where the application interface window is secured instead. \n\nSatisfies:FMT_SMF.1.1(2) c.8 \nReference:PP-MDM-411047",
"fixid": "F-37427r613842_fix",
"fixtext": "Configure the UEM server to initiate a session lock after a 15-minute period of inactivity.",
"iacontrols": null,
"id": "V-234277",
"ruleID": "SV-234277r617355_rule",
"severity": "medium",
"title": "The UEM server must initiate a session lock after a 15-minute period of inactivity.",
"version": "SRG-APP-000003-UEM-000003"
},
"V-234278": {
"checkid": "C-37463r613844_chk",
"checktext": "Verify the UEM server provides the capability for users to directly initiate a session lock.\n\nIf the UEM server does not provide the capability for users to directly initiate a session lock, this is a finding.",
"description": "A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system, but does not want to log out because of the temporary nature of the absence. \n\nThe session lock is implemented at the point where session activity can be determined. This is typically at the operating system level, but may be at the application level. Rather than be forced to wait for a period of time to expire before the user session can be locked, applications need to provide users with the ability to manually invoke a session lock so users may secure their application should the need arise for them to temporarily vacate the immediate physical vicinity. \n\nSatisfies:FMT_SMF.1.1(2) b \nReference:PP-MDM-431012",
"fixid": "F-37428r613845_fix",
"fixtext": "Configure the UEM server to provide the capability for users to directly initiate a session lock.",
"iacontrols": null,
"id": "V-234278",
"ruleID": "SV-234278r617355_rule",
"severity": "medium",
"title": "The MDM server must provide the capability for users to directly initiate a session lock.",
"version": "SRG-APP-000004-UEM-000004"
},
"V-234279": {
"checkid": "C-37464r613847_chk",
"checktext": "Verify the UEM server retains the session lock until the user reestablishes access using established identification and authentication procedures.\n\nIf the UEM server does not retain the session lock until the user reestablishes access using established identification and authentication procedures, this is a finding.",
"description": "A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system, but does not want to log out because of the temporary nature of the absence. \n\nThe session lock is implemented at the point where session activity can be determined. This is typically determined and performed at the operating system level, but in some instances it may be at the application level. \n\nRegardless of where the session lock is determined and implemented, once invoked the session lock must remain in place until the user re-authenticates. No other system or application activity aside from re-authentication will unlock the system. \n\nSatisfies:FMT_SMF.1.1(2) b \nReference:PP-MDM-431013",
"fixid": "F-37429r613848_fix",
"fixtext": "Configure the MDM server to retain the session lock until the user reestablishes access using established identification and authentication procedures.",
"iacontrols": null,
"id": "V-234279",
"ruleID": "SV-234279r617355_rule",
"severity": "medium",
"title": "The MDM server must retain the session lock until the user reestablishes access using established identification and authentication procedures.",
"version": "SRG-APP-000005-UEM-000005"
},
"V-234283": {
"checkid": "C-37468r613859_chk",
"checktext": "Verify the UEM server uses TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access.\n\nIf the UEM server does not use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access, this is a finding.",
"description": "Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol.\n\nThis requirement applies to Transport Layer Security (TLS) gateways (also known as Secure Sockets Layer [SSL] gateways), web servers, and web applications and is not applicable to virtual private network (VPN) devices. Application protocols such as HTTPS and DNSSEC use TLS as the underlying security protocol and thus are in scope for this requirement. NIST SP 800-52 provides guidance for client negotiation on either DoD-only or on public-facing servers. \n\nSatisfies:FCS_TLSC_EXT.1.1 \nReference:PP-MDM-412061",
"fixid": "F-37433r613860_fix",
"fixtext": "Configure the UEM server to use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access.",
"iacontrols": null,
"id": "V-234283",
"ruleID": "SV-234283r617355_rule",
"severity": "medium",
"title": "The UEM server must use TLS 1.2, or higher, to protect the confidentiality of sensitive data during electronic dissemination using remote access.",
"version": "SRG-APP-000014-UEM-000009"
},
"V-234286": {
"checkid": "C-37471r613868_chk",
"checktext": "Requirement is Not Applicable when UEM server is configured to use DoD Central Directory Service for administrator account authentication.\n\nVerify the UEM server provides automated mechanisms for supporting account management functions.\n\nIf the UEM server does not provide automated mechanisms for supporting account management functions, this is a finding.",
"description": "Enterprise environments make application account management challenging and complex. A manual process for account management functions adds the risk of a potential oversight or other error. \n\nA comprehensive application account management process that includes automation helps to ensure accounts designated as requiring attention are consistently and promptly addressed. Examples include, but are not limited to, using automation to take action on multiple accounts designated as inactive, suspended, or terminated or by disabling accounts located in non-centralized account stores such as multiple servers. This requirement applies to all account types, including individual/user, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service.\n\nThe application must be configured to automatically provide account management functions and these functions must immediately enforce the organization's current account policy. The automated mechanisms may reside within the application itself or may be offered by the operating system or other infrastructure providing automated account management capabilities. Automated mechanisms may be comprised of differing technologies that when placed together contain an overall automated mechanism supporting an organization's automated account management requirements.\n\nAccount management functions include: assignment of group or role membership; identifying account type; specifying user access authorizations (i.e., privileges); account removal, update, or termination; and administrative alerts. The use of automated mechanisms can include, for example: using email or text messaging to automatically notify account managers when users are terminated or transferred; using the information system to monitor account usage; and using automated telephonic notification to report atypical system account usage.",
"fixid": "F-37436r613869_fix",
"fixtext": "Configure the UEM server to provide automated mechanisms for supporting account management functions.",
"iacontrols": null,
"id": "V-234286",
"ruleID": "SV-234286r617355_rule",
"severity": "medium",
"title": "The UEM server must provide automated mechanisms for supporting account management functions.",
"version": "SRG-APP-000023-UEM-000012"
},
"V-234287": {
"checkid": "C-37472r613871_chk",
"checktext": "Requirement is Not Applicable when the UEM server is configured to use DoD Central Directory Service for administrator account authentication.\n\nVerify the UEM server automatically removes or disables temporary user accounts after 72 hours, if supported by the UEM server.\n\nIf the UEM server does not automatically remove or disable temporary user accounts after 72 hours, if supported by the UEM server, this is a finding.",
"description": "If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated termination of all temporary user accounts must be set upon account creation.\n\nTemporary user accounts are established as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. \n\nIf temporary user accounts are used, the application must be configured to automatically terminate these types of accounts after a DoD-defined time period of 72 hours.\n\nTo address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access mechanisms meeting or exceeding access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality.",
"fixid": "F-37437r613872_fix",
"fixtext": "Configure the UEM server to automatically remove or disable temporary user accounts after 72 hours, if supported by the UEM server.",
"iacontrols": null,
"id": "V-234287",
"ruleID": "SV-234287r617355_rule",
"severity": "medium",
"title": "The UEM server must automatically remove or disable temporary user accounts after 72 hours if supported by the UEM server.",
"version": "SRG-APP-000024-UEM-000013"
},
"V-234288": {
"checkid": "C-37473r613874_chk",
"checktext": "Requirement is Not Applicable when the UEM server is configured to use DoD Central Directory Service for administrator account authentication.\n\nVerify the UEM server automatically disables accounts after a 35-day period of account inactivity.\n\nIf the UEM server does not automatically disable accounts after a 35-day period of account inactivity, this is a finding.",
"description": "Attackers that are able to exploit an inactive account can potentially obtain and maintain undetected access to an application. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. Applications need to track periods of user inactivity and disable accounts after 35 days of inactivity. Such a process greatly reduces the risk that accounts will be hijacked, leading to a data compromise.\n\nTo address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality.\n\nThis policy does not apply to either emergency accounts or infrequently used accounts. Infrequently used accounts are local login administrator accounts used by system administrators when network or normal logon/access is not available. Emergency accounts are administrator accounts created in response to crisis situations. \n\nSatisfies:FMT_SMF.1(2)b. \nReference:PP-MDM-431027",
"fixid": "F-37438r613875_fix",
"fixtext": "Configure the UEM server to automatically disable accounts after a 35-day period of account inactivity.",
"iacontrols": null,
"id": "V-234288",
"ruleID": "SV-234288r617355_rule",
"severity": "medium",
"title": "The UEM server must automatically disable accounts after a 35-day period of account inactivity.",
"version": "SRG-APP-000025-UEM-000014"
},
"V-234289": {
"checkid": "C-37474r613877_chk",
"checktext": "Requirement is Not Applicable when UEM server is configured to use DoD Central Directory Service for administrator account authentication.\n\nVerify the UEM server automatically audits account creation.\n\nIf the UEM server does not automatically audit account creation, this is a finding.",
"description": "Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply create a new account. Auditing of account creation is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail exists that documents the creation of application user accounts and, as required, notifies administrators and/or application owners. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes. \n\nTo address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access/auditing mechanisms meeting or exceeding access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality. \n\nSatisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 \nReference:PP-MDM-411065, PP-MDM-412000",
"fixid": "F-37439r613878_fix",
"fixtext": "Configure the UEM server to automatically audit account creation.",
"iacontrols": null,
"id": "V-234289",
"ruleID": "SV-234289r617355_rule",
"severity": "medium",
"title": "The UEM server must automatically audit account creation.",
"version": "SRG-APP-000026-UEM-000015"
},
"V-234290": {
"checkid": "C-37475r613880_chk",
"checktext": "Requirement is Not Applicable when UEM server is configured to use DoD Central Directory Service for administrator account authentication.\n\nVerify the UEM server automatically audits account modification.\n\nIf the UEM server does not automatically audit account modification, this is a finding.",
"description": "Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply modify an existing account. Auditing of account modification is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail exists that documents the modification of application user accounts and, as required, notifies administrators and/or application owners. Such a process greatly reduces the risk that accounts will be surreptitiously modified and provides logging that can be used for forensic purposes. \n\nTo address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access/auditing mechanisms meeting or exceeding access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality. \n\nSatisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 \nReference:PP-MDM-411065, PP-MDM-412000",
"fixid": "F-37440r613881_fix",
"fixtext": "Configure the UEM server to automatically audit account modification.",
"iacontrols": null,
"id": "V-234290",
"ruleID": "SV-234290r617355_rule",
"severity": "medium",
"title": "The UEM server must automatically audit account modification.",
"version": "SRG-APP-000027-UEM-000016"
},
"V-234291": {
"checkid": "C-37476r613883_chk",
"checktext": "Requirement is Not Applicable when the UEM server is configured to use DoD Central Directory Service for administrator account authentication.\n\nVerify the UEM server automatically audits account disabling actions.\n\nIf the UEM server does not automatically audit account disabling actions, this is a finding.",
"description": "When application accounts are disabled, user accessibility is affected. Once an attacker establishes access to an application, the attacker often attempts to disable authorized accounts to disrupt services or prevent the implementation of countermeasures. Auditing account disabling actions provides logging that can be used for forensic purposes.\n\nTo address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access/audit mechanisms meeting or exceeding access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality. \n\nSatisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 \nReference:PP-MDM-411065, PP-MDM-412000",
"fixid": "F-37441r613884_fix",
"fixtext": "Configure the UEM server to automatically audit account disabling actions.",
"iacontrols": null,
"id": "V-234291",
"ruleID": "SV-234291r617355_rule",
"severity": "medium",
"title": "The UEM server must automatically audit account disabling actions.",
"version": "SRG-APP-000028-UEM-000017"
},
"V-234292": {
"checkid": "C-37477r613886_chk",
"checktext": "Requirement is Not Applicable when the UEM server is configured to use DoD Central Directory Service for administrator account authentication.\n\nVerify the UEM server automatically audits account removal actions.\n\nIf the UEM server does not automatically audit account removal actions, this is a finding.",
"description": "When application accounts are removed, user accessibility is affected. Once an attacker establishes access to an application, the attacker often attempts to remove authorized accounts to disrupt services or prevent the implementation of countermeasures. Auditing account removal actions provides logging that can be used for forensic purposes.\n\nTo address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access/audit mechanisms meeting or exceeding access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality. \n\nSatisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 \nReference:PP-MDM-411065, PP-MDM-412000",
"fixid": "F-37442r613887_fix",
"fixtext": "Configure the UEM server to automatically audit account removal actions.",
"iacontrols": null,
"id": "V-234292",
"ruleID": "SV-234292r617355_rule",
"severity": "medium",
"title": "The UEM server must automatically audit account removal actions.",
"version": "SRG-APP-000029-UEM-000018"
},
"V-234310": {
"checkid": "C-37495r617396_chk",
"checktext": "Requirement is Not Applicable when the UEM server is configured to use DoD Central Directory Service for administrator account authentication.\n\nVerify the UEM server enforces the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.\n\nIf the UEM server does not enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period, this is a finding.",
"description": "By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account. \n\nSatisfies:FMT_SMF.1(2)b. \nReference:PP-MDM-431028",
"fixid": "F-37460r613941_fix",
"fixtext": "Configure the UEM server to enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.",
"iacontrols": null,
"id": "V-234310",
"ruleID": "SV-234310r617396_rule",
"severity": "medium",
"title": "The UEM server must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.",
"version": "SRG-APP-000065-UEM-000036"
},
"V-234311": {
"checkid": "C-37496r613943_chk",
"checktext": "Verify the UEM server displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the application.\n\nIf the UEM server does not display the Standard Mandatory DoD Notice and Consent Banner before granting access to the application, this is a finding.",
"description": "Display of the DoD-approved use notification before granting access to the application ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\n\nSystem use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.\n\nThe banner must be formatted in accordance with DTM-08-060. Use the following verbiage for applications that can accommodate banners of 1300 characters:\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. \nSee User Agreement for details.\"\n\nUse the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user agreem't.\" \n\nSatisfies:FTA_TAB.1.1, FMT_SMF.1.1(2) c.2 \nReference:PP-MDM-411056",
"fixid": "F-37461r613944_fix",
"fixtext": "Configure the UEM server to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the application.",
"iacontrols": null,
"id": "V-234311",
"ruleID": "SV-234311r617355_rule",
"severity": "medium",
"title": "The UEM server must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the application.",
"version": "SRG-APP-000068-UEM-000037"
},
"V-234312": {
"checkid": "C-37497r613946_chk",
"checktext": "Verify the UEM server retains the access banner until the user acknowledges acceptance of the access conditions.\n\nIf the UEM server does not retain the access banner until the user acknowledges acceptance of the access conditions, this is a finding.",
"description": "The banner must be acknowledged by the user prior to allowing the user access to the application. This provides assurance that the user has seen the message and accepted the conditions for access. If the consent banner is not acknowledged by the user, DoD will not be in compliance with system use notifications required by law. \n\nTo establish acceptance of the application usage policy, a click-through banner at application logon is required. The application must prevent further activity until the user executes a positive action to manifest agreement by clicking on a box indicating \"OK\". \n\nSatisfies:FTA_TAB.1.1 \nReference:PP-MDM-413003",
"fixid": "F-37462r613947_fix",
"fixtext": "Configure the UEM server to retain the access banner until the user acknowledges acceptance of the access conditions.",
"iacontrols": null,
"id": "V-234312",
"ruleID": "SV-234312r617355_rule",
"severity": "low",
"title": "The UEM server must retain the access banner until the user acknowledges acceptance of the access conditions.",
"version": "SRG-APP-000069-UEM-000038"
},
"V-234315": {
"checkid": "C-37500r613955_chk",
"checktext": "Verify the UEM server notifies the user, upon successful logon (access) to the application, of the date and time of the last logon (access).\n\nIf the UEM server does not notify the user, upon successful logon (access) to the application, of the date and time of the last logon (access), this is a finding.",
"description": "Users need to be aware of activity that occurs regarding their application account. Providing users with information regarding the date and time of their last successful login allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators.\n\nThis requirement is intended to cover both traditional interactive logons to information systems and general accesses to information systems that occur in other types of architectural configurations (e.g., service-oriented architectures).",
"fixid": "F-37465r613956_fix",
"fixtext": "Configure the UEM server to notify the user, upon successful logon (access) to the application, of the date and time of the last logon (access).",
"iacontrols": null,
"id": "V-234315",
"ruleID": "SV-234315r617355_rule",
"severity": "medium",
"title": "The UEM server must notify the user, upon successful logon (access) to the application, of the date and time of the last logon (access).",
"version": "SRG-APP-000075-UEM-000041"
},
"V-234316": {
"checkid": "C-37501r613958_chk",
"checktext": "Verify the UEM server notifies the user, upon successful logon (access), of the number of unsuccessful logon (access) attempts since the last successful logon (access).\n\nIf the UEM server does not notify the user, upon successful logon (access), of the number of unsuccessful logon (access) attempts since the last successful logon (access), this is a finding.",
"description": "Users need to be aware of activity that occurs regarding their application account. Providing users with information regarding the number of unsuccessful attempts made to log in to their account allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators.\n\nThis requirement is intended to cover both traditional logons to information systems and general accesses to information systems that occur in other types of architectural configurations (e.g., service-oriented architectures).",
"fixid": "F-37466r613959_fix",
"fixtext": "Configure the UEM server to notify the user, upon successful logon (access), of the number of unsuccessful logon (access) attempts since the last successful logon (access).",
"iacontrols": null,
"id": "V-234316",
"ruleID": "SV-234316r617355_rule",
"severity": "medium",
"title": "The UEM server must notify the user, upon successful logon (access), of the number of unsuccessful logon (access) attempts since the last successful logon (access).",
"version": "SRG-APP-000076-UEM-000042"
},
"V-234318": {
"checkid": "C-37503r613964_chk",
"checktext": "Verify the UEM server protects against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.\n\nIf the UEM server does not protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation, this is a finding.",
"description": "Without non-repudiation, it is impossible to positively attribute an action to an individual (or process acting on behalf of an individual). \n\nNon-repudiation services can be used to determine if information originated from a particular individual, or if an individual took specific actions (e.g., sending an email, signing a contract, approving a procurement request) or received specific information. Non-repudiation protects individuals against later claims by an author of not having authored a particular document, a sender of not having transmitted a message, a receiver of not having received a message, or a signatory of not having signed a document. The application will be configured to provide non-repudiation services for an organization-defined set of commands that are used by the user (or processes acting on behalf of the user).\n\nDoD PKI provides for non-repudiation through the use of digital signatures. Non-repudiation requirements will vary from one application to another and will be defined based on application functionality, data sensitivity, and mission requirements. \n\nSatisfies:FCS_COP.1.1(3), FCS_COP.1.1(4)",
"fixid": "F-37468r613965_fix",
"fixtext": "Configure the UEM server to protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.",
"iacontrols": null,
"id": "V-234318",
"ruleID": "SV-234318r617355_rule",
"severity": "medium",
"title": "The UEM server must protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.",
"version": "SRG-APP-000080-UEM-000044"
},
"V-234323": {
"checkid": "C-37508r613979_chk",
"checktext": "Verify the UEM server provides audit record generation capability for DoD-defined auditable events within all application components.\n\nIf the UEM server does not provide audit record generation capability for DoD-defined auditable events within all application components, this is a finding.",
"description": "Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. \n\nAudit records can be generated from various components within the application (e.g., process, module). Certain specific application functionalities may be audited as well. The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records.\n\nDoD has defined the list of events for which the application will provide an audit record generation capability as the following: \n\n(i) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels);\n\n(ii) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; and\n\n(iii) All account creation, modification, disabling, and termination actions.\n\nDoD Required auditable events:\n- Change in enrollment status\n- Failure to apply policies to a mobile device\n- Start up and shut down of the UEM System\n- All administrative actions\n- Commands issued to the UEM Agent\n- Server component failure\n- All system alerts, including system integrity verification failures \n\nSatisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 \nReference:PP-MDM-411065, PP-MDM-412000",
"fixid": "F-37473r613980_fix",
"fixtext": "Configure the UEM server to provide audit record generation capability for DoD-defined auditable events within all application components.",
"iacontrols": null,
"id": "V-234323",
"ruleID": "SV-234323r617355_rule",
"severity": "medium",
"title": "The UEM server must provide audit record generation capability for DoD-defined auditable events within all application components.",
"version": "SRG-APP-000089-UEM-000049"
},
"V-234324": {
"checkid": "C-37509r613982_chk",
"checktext": "Verify the UEM server provides audit records in a manner suitable for the Authorized Administrators to interpret the information.\n\nIf the UEM server does not provide audit records in a manner suitable for the Authorized Administrators to interpret the information, this is a finding.",
"description": "Successful incident response and auditing relies on timely, accurate system information and analysis in order to allow the organization to identify and respond to potential incidents in a proficient manner. If the application does not provide the ability to centrally review the application logs, forensic analysis is negatively impacted. \n\nSegregation of logging data to multiple disparate computer systems is counterproductive and makes log analysis and log event alarming difficult to implement and manage, particularly when the system or application has multiple logging components written to different locations or systems.\n\nAutomated mechanisms for centralized reviews and analyses include, for example, Security Information Management products. \n\nSatisfies:FAU_SAR.1.2 \nReference:PP-MDM-413050",
"fixid": "F-37474r613983_fix",
"fixtext": "Configure the UEM server to provide audit records in a manner suitable for the Authorized Administrators to interpret the information.",
"iacontrols": null,
"id": "V-234324",
"ruleID": "SV-234324r617355_rule",
"severity": "medium",
"title": "The UEM server must be configured to provide audit records in a manner suitable for the Authorized Administrators to interpret the information.",
"version": "SRG-APP-000089-UEM-000050"
},
"V-234325": {
"checkid": "C-37510r613985_chk",
"checktext": "Verify the UEM server allows only specific administrator roles to select which auditable events are to be audited.\n\nIf the UEM server does not allow only specific administrator roles to select which auditable events are to be audited, this is a finding.",
"description": "Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. \n\nThe list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. \n\nSatisfies:FMT_SMR.1.1(1) \nReference:PP-MDM-411058",
"fixid": "F-37475r613986_fix",
"fixtext": "Configure the UEM server to allow only specific administrator roles to select which auditable events are to be audited.",
"iacontrols": null,
"id": "V-234325",
"ruleID": "SV-234325r617355_rule",
"severity": "medium",
"title": "The UEM server must be configured to allow only specific administrator roles to select which auditable events are to be audited.",
"version": "SRG-APP-000090-UEM-000051"
},
"V-234326": {
"checkid": "C-37511r613988_chk",
"checktext": "Verify the UEM server generates audit records when successful/unsuccessful attempts to access privileges occur.\n\nIf the UEM server does not generate audit records when successful/unsuccessful attempts to access privileges occur, this is a finding.",
"description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. \n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). \n\nSatisfies:FAU_GEN.1.1(1)",
"fixid": "F-37476r613989_fix",
"fixtext": "Configure the UEM server to generate audit records when successful/unsuccessful attempts to access privileges occur.",
"iacontrols": null,
"id": "V-234326",
"ruleID": "SV-234326r617355_rule",
"severity": "medium",
"title": "The UEM server must generate audit records when successful/unsuccessful attempts to access privileges occur.",
"version": "SRG-APP-000091-UEM-000052"
},
"V-234327": {
"checkid": "C-37512r613991_chk",
"checktext": "Verify the UEM server initiates session auditing upon startup.\n\nIf the UEM server does not initiate session auditing upon startup, this is a finding.",
"description": "If auditing is enabled late in the startup process, the actions of some start-up processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created. \n\nSatisfies:FAU_GEN.1.1(1)",
"fixid": "F-37477r613992_fix",
"fixtext": "Configure the UEM server to initiate session auditing upon startup.",
"iacontrols": null,
"id": "V-234327",
"ruleID": "SV-234327r617355_rule",
"severity": "medium",
"title": "The UEM server must initiate session auditing upon startup.",
"version": "SRG-APP-000092-UEM-000053"
},
"V-234328": {
"checkid": "C-37513r613994_chk",
"checktext": "Verify the UEM server produces audit records containing information to establish what type of events occurred.\n\nIf the UEM server does not produce audit records containing information to establish what type of events occurred, this is a finding.",
"description": "Without establishing what type of event occurred, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. \n\nAudit record content that may be necessary to satisfy the requirement of this policy includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.\n\nAssociating event types with detected events in the application and audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured application. \n\nSatisfies:FAU_GEN.1.2(1) \nReference:PP-MDM-412060",
"fixid": "F-37478r613995_fix",
"fixtext": "Configure the UEM server to produce audit records containing information to establish what type of events occurred.",
"iacontrols": null,
"id": "V-234328",
"ruleID": "SV-234328r617355_rule",
"severity": "medium",
"title": "The UEM server must be configured to produce audit records containing information to establish what type of events occurred.",
"version": "SRG-APP-000095-UEM-000055"
},
"V-234329": {
"checkid": "C-37514r613997_chk",
"checktext": "Verify the UEM server produces audit records containing information to establish when (date and time) the events occurred.\n\nIf the UEM server does not produce audit records containing information to establish when (date and time) the events occurred, this is a finding.",
"description": "Without establishing when events occurred, it is impossible to establish, correlate, and investigate the events relating to an incident.\n\nIn order to compile an accurate risk assessment, and provide forensic analysis, it is essential for security personnel to know when events occurred (date and time). \n\nAssociating event types with detected events in the application and audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured application. \n\nSatisfies:FAU_GEN.1.2(1) \nReference:PP-MDM-412060",
"fixid": "F-37479r613998_fix",
"fixtext": "Configure the UEM server to produce audit records containing information to establish when (date and time) the events occurred.",
"iacontrols": null,
"id": "V-234329",
"ruleID": "SV-234329r617355_rule",
"severity": "medium",
"title": "The UEM server must be configured to produce audit records containing information to establish when (date and time) the events occurred.",
"version": "SRG-APP-000096-UEM-000056"
},
"V-234330": {
"checkid": "C-37515r614000_chk",
"checktext": "Verify the UEM server produces audit records containing information to establish where the events occurred.\n\nIf the UEM server does not produce audit records containing information to establish where the events occurred, this is a finding.",
"description": "Failure to generate these audit records makes it more difficult to identify or investigate attempted or successful compromises, potentially causing incidents to last longer than necessary. \n\nSatisfies:FAU_GEN.1.2(1) \nReference:PP-MDM-412060",
"fixid": "F-37480r614001_fix",
"fixtext": "Configure the UEM server to produce audit records containing information to establish where the events occurred.",
"iacontrols": null,
"id": "V-234330",
"ruleID": "SV-234330r617355_rule",
"severity": "medium",
"title": "The UEM server must be configured to produce audit records containing information to establish where the events occurred.",
"version": "SRG-APP-000097-UEM-000057"
},
"V-234331": {
"checkid": "C-37516r614003_chk",
"checktext": "Verify the UEM server produces audit records containing information to establish the source of the events.\n\nIf the UEM server does not produce audit records containing information to establish the source of the events, this is a finding.",
"description": "Without establishing the source of the event, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack.\n\nIn addition to logging where events occur within the application, the application must also produce audit records that identify the application itself as the source of the event.\n\nIn the case of centralized logging, the source would be the application name accompanied by the host or client name. \n\nIn order to compile an accurate risk assessment, and provide forensic analysis, it is essential for security personnel to know the source of the event, particularly in the case of centralized logging.\n\nAssociating information about the source of the event within the application provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured application. \n\nSatisfies:FAU_GEN.1.2(1) \nReference:PP-MDM-412060",
"fixid": "F-37481r614004_fix",
"fixtext": "Configure the UEM server to produce audit records containing information to establish the source of the events.",
"iacontrols": null,
"id": "V-234331",
"ruleID": "SV-234331r617355_rule",
"severity": "medium",
"title": "The UEM server must be configured to produce audit records containing information to establish the source of the events.",
"version": "SRG-APP-000098-UEM-000058"
},
"V-234332": {
"checkid": "C-37517r614006_chk",
"checktext": "Verify the UEM server produces audit records that contain information to establish the outcome of the events.\n\nIf the UEM server does not produce audit records that contain information to establish the outcome of the events, this is a finding.",
"description": "Without information about the outcome of events, security personnel cannot make an accurate assessment as to whether an attack was successful or if changes were made to the security state of the system.\n\nEvent outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the information system after the event occurred). As such, they also provide a means to measure the impact of an event and help authorized personnel to determine the appropriate response. \n\nSatisfies:FAU_GEN.1.2(1) \nReference:PP-MDM-412060",
"fixid": "F-37482r614007_fix",
"fixtext": "Configure the UEM server to produce audit records that contain information to establish the outcome of the events.",
"iacontrols": null,
"id": "V-234332",
"ruleID": "SV-234332r617355_rule",
"severity": "medium",
"title": "The UEM server must be configured to produce audit records that contain information to establish the outcome of the events.",
"version": "SRG-APP-000099-UEM-000059"
},
"V-234333": {
"checkid": "C-37518r614009_chk",
"checktext": "Verify the UEM server generates audit records containing information that establishes the identity of any individual or process associated with the event.\n\nIf the UEM server does not generate audit records containing information that establishes the identity of any individual or process associated with the event, this is a finding.",
"description": "Without information that establishes the identity of the subjects (i.e., users or processes acting on behalf of users) associated with the events, security personnel cannot determine responsibility for the potentially harmful event.\n\nEvent identifiers (if authenticated or otherwise known) include, but are not limited to, user database tables, primary key values, user names, or process identifiers. \n\nSatisfies:FAU_GEN.1.2(1) \nReference:PP-MDM-412060",
"fixid": "F-37483r614010_fix",
"fixtext": "Configure the UEM server to generate audit records containing information that establishes the identity of any individual or process associated with the event.",
"iacontrols": null,
"id": "V-234333",
"ruleID": "SV-234333r617355_rule",
"severity": "medium",
"title": "The UEM server must be configured to generate audit records containing information that establishes the identity of any individual or process associated with the event.",
"version": "SRG-APP-000100-UEM-000060"
},
"V-234334": {
"checkid": "C-37519r614012_chk",
"checktext": "Verify the UEM server generates audit records containing the full-text recording of privileged commands or the individual identities of group account users.\n\nIf the UEM server does not generate audit records containing the full-text recording of privileged commands or the individual identities of group account users, this is a finding.",
"description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. \n\nOrganizations consider limiting the additional audit information to only that information explicitly needed for specific audit requirements. The additional information required is dependent on the type of information (i.e., sensitivity of the data and the environment within which it resides). At a minimum, the organization must audit either full-text recording of privileged commands or the individual identities of group users, or both. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. \n\nIn addition, the application must have the capability to include organization-defined additional, more detailed information in the audit records for audit events. \n\nSatisfies:FAU_GEN.1.2(1) \nReference:PP-MDM-412060",
"fixid": "F-37484r614013_fix",
"fixtext": "Configure the UEM server to generate audit records containing the full-text recording of privileged commands or the individual identities of group account users.",
"iacontrols": null,
"id": "V-234334",
"ruleID": "SV-234334r617355_rule",
"severity": "medium",
"title": "The UEM server must be configured to generate audit records containing the full-text recording of privileged commands or the individual identities of group account users.",
"version": "SRG-APP-000101-UEM-000061"
},
"V-234335": {
"checkid": "C-37520r614015_chk",
"checktext": "Verify the UEM server alerts the ISSO and SA (at a minimum) in the event of an audit processing failure.\n\nIf the UEM server does not alert the ISSO and SA (at a minimum) in the event of an audit processing failure, this is a finding.",
"description": "It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected. \n\nAudit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.\n\nThis requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both. \n\nSatisfies:FAU_ALT_EXT.1.1 \nReference:PP-MDM-412059",
"fixid": "F-37485r614016_fix",
"fixtext": "Configure the UEM server to alert the ISSO and SA (at a minimum) in the event of an audit processing failure.",
"iacontrols": null,
"id": "V-234335",
"ruleID": "SV-234335r617355_rule",
"severity": "medium",
"title": "The UEM server must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.",
"version": "SRG-APP-000108-UEM-000062"
},
"V-234340": {
"checkid": "C-37525r614030_chk",
"checktext": "Verify the UEM server uses host operating system clocks to generate time stamps for audit records.\n\nIf the UEM server does not use host operating system clocks to generate time stamps for audit records, this is a finding.",
"description": "Without an internal clock used as the reference for the time stored on each event to provide a trusted common reference for the time, forensic analysis would be impeded. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. \n\nIf the internal clock is not used, the system may not be able to provide time stamps for log messages. Additionally, externally generated time stamps may not be accurate. Applications can use the capability of an operating system or purpose-built module for this purpose. \n\nSatisfies: OE.TIMESTAMP, FAU_GEN.1.2(1)",
"fixid": "F-37490r614031_fix",
"fixtext": "Configure the UEM server to use host operating system clocks to generate time stamps for audit records.",
"iacontrols": null,
"id": "V-234340",
"ruleID": "SV-234340r617403_rule",
"severity": "medium",
"title": "The UEM server must use host operating system clocks to generate time stamps for audit records.",
"version": "SRG-APP-000116-UEM-000067"
},
"V-234341": {
"checkid": "C-37526r614033_chk",
"checktext": "Verify the UEM server protects audit information from any type of unauthorized read access.\n\nIf the UEM server does not protect audit information from any type of unauthorized read access, this is a finding.",
"description": "If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult if not impossible to achieve. In addition, access to audit records provides information an attacker could potentially use to his or her advantage.\n\nTo ensure the veracity of audit data, the information system and/or the application must protect audit information from any and all unauthorized access. This includes read, write, and copy access.\n\nThis requirement can be achieved through multiple methods, which will depend upon system architecture and design. Commonly employed methods for protecting audit information include least privilege permissions as well as restricting the location and number of log file repositories.\n\nAdditionally, applications with user interfaces to audit records must not allow for the unfettered manipulation of or access to those records via the application. If the application provides access to the audit data, the application becomes accountable for ensuring audit information is protected from unauthorized access.\n\nAudit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. \n\nSatisfies:FIA_UAU.1.2, FMT_SMR.1.1(1)",
"fixid": "F-37491r614034_fix",
"fixtext": "Configure the UEM server to protect audit information from any type of unauthorized read access.",
"iacontrols": null,
"id": "V-234341",
"ruleID": "SV-234341r617355_rule",
"severity": "medium",
"title": "The UEM server must protect audit information from any type of unauthorized read access.",
"version": "SRG-APP-000118-UEM-000068"
},
"V-234342": {
"checkid": "C-37527r614036_chk",
"checktext": "Verify the UEM server protects audit information from unauthorized modification.\n\nIf the UEM server does not protect audit information from unauthorized modification, this is a finding.",
"description": "If audit data were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. \n\nTo ensure the veracity of audit data, the information system and/or the application must protect audit information from unauthorized modification. \n\nThis requirement can be achieved through multiple methods, which will depend upon system architecture and design. Some commonly employed methods include ensuring log files receive the proper file system permissions, and limiting log data locations. \n\nApplications providing a user interface to audit data will leverage user permissions and roles identifying the user accessing the data and the corresponding rights that the user enjoys in order to make access decisions regarding the modification of audit data.\n\nAudit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. \n\nSatisfies:FIA_UAU.1.2, FMT_SMR.1.1(1)",
"fixid": "F-37492r614037_fix",
"fixtext": "Configure the UEM server to protect audit information from unauthorized modification.",
"iacontrols": null,
"id": "V-234342",
"ruleID": "SV-234342r617355_rule",
"severity": "medium",
"title": "The UEM server must protect audit information from unauthorized modification.",
"version": "SRG-APP-000119-UEM-000069"
},
"V-234343": {
"checkid": "C-37528r614039_chk",
"checktext": "Verify the UEM server protects audit information from unauthorized deletion.\n\nIf the UEM server does not protect audit information from unauthorized deletion, this is a finding.",
"description": "If audit data were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. \n\nTo ensure the veracity of audit data, the information system and/or the application must protect audit information from unauthorized deletion. This requirement can be achieved through multiple methods, which will depend upon system architecture and design. \n\nSome commonly employed methods include: ensuring log files receive the proper file system permissions utilizing file system protections, restricting access, and backing up log data to ensure log data is retained.\n\nApplications providing a user interface to audit data will leverage user permissions and roles identifying the user accessing the data and the corresponding rights the user enjoys in order to make access decisions regarding the deletion of audit data.\n\nAudit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. Audit information may include data from other applications or be included with the audit application itself. \n\nSatisfies:FIA_UAU.1.2, FMT_SMR.1.1(1)",
"fixid": "F-37493r614040_fix",
"fixtext": "Configure the UEM server to protect audit information from unauthorized deletion.",
"iacontrols": null,
"id": "V-234343",
"ruleID": "SV-234343r617355_rule",
"severity": "medium",
"title": "The UEM server must protect audit information from unauthorized deletion.",
"version": "SRG-APP-000120-UEM-000070"
},
"V-234347": {
"checkid": "C-37532r614051_chk",
"checktext": "Verify the UEM server backs up audit records at least every seven days onto a log management server.\n\nIf the UEM server does not back up audit records at least every seven days onto a log management server, this is a finding.",
"description": "Protection of log data includes ensuring log data is not accidentally lost or deleted. Backing up audit records to a different system or onto separate media than the system being audited on an organizationally defined frequency helps ensure, in the event of a catastrophic system failure, the audit records will be retained. \n\nThis helps to ensure a compromise of the information system being audited does not also result in a compromise of the audit records.\n\nThis requirement only applies to applications that have a native backup capability for audit records. Operating system backup requirements cover applications that do not provide native backup functions. \n\nSatisfies:FAU_STG_EXT.1.1, FMT_SMF.1.1(2) Refinement b",
"fixid": "F-37497r614052_fix",
"fixtext": "Configure the UEM server to back up audit records at least every seven days onto a log management server.",
"iacontrols": null,
"id": "V-234347",
"ruleID": "SV-234347r617355_rule",
"severity": "medium",
"title": "The UEM server must back up audit records at least every seven days onto a log management server.",
"version": "SRG-APP-000125-UEM-000074"
},
"V-234349": {
"checkid": "C-37534r614057_chk",
"checktext": "Verify the UEM server prevents the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization.\n\nIf the UEM server does not prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization, this is a finding.",
"description": "Changes to any software components can have significant effects on the overall security of the application. Verifying software components have been digitally signed using a certificate that is recognized and approved by the organization ensures the software has not been tampered with and that it has been provided by a trusted vendor. \n\nAccordingly, patches, service packs, or application components must be signed with a certificate recognized and approved by the organization. \n\nVerifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. Once the signature has been verified prior to installation, the application should not have to verify the software again. This requirement does not mandate DoD certificates for this purpose; however, the certificate used to verify the software must be from an approved CA. \n\nSatisfies:FIA_X509_EXT.1.1(1)",
"fixid": "F-37499r614058_fix",
"fixtext": "Configure the UEM server to prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization.",
"iacontrols": null,
"id": "V-234349",
"ruleID": "SV-234349r617355_rule",
"severity": "medium",
"title": "The UEM server must prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization.",
"version": "SRG-APP-000131-UEM-000076"
},
"V-234351": {
"checkid": "C-37536r614063_chk",
"checktext": "Verify the UEM server limits privileges to change the software resident within software libraries.\n\nIf the UEM server does not limit privileges to change the software resident within software libraries, this is a finding.",
"description": "If the application were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.\n\nThis requirement applies to applications with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs, which execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. \n\nSatisfies:FMT_SMR.1.1(1), FPT_TUD_EXT.1.2",
"fixid": "F-37501r614064_fix",
"fixtext": "Configure the UEM server to limit privileges to change the software resident within software libraries.",
"iacontrols": null,
"id": "V-234351",
"ruleID": "SV-234351r617355_rule",
"severity": "medium",
"title": "The UEM server must limit privileges to change the software resident within software libraries.",
"version": "SRG-APP-000133-UEM-000078"
},
"V-234352": {
"checkid": "C-37537r614066_chk",
"checktext": "Verify the UEM server has disabled non-essential capabilities.\n\nIf the UEM server has not disabled non-essential capabilities, this is a finding.",
"description": "It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nApplications are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). \n\nExamples of non-essential capabilities include, but are not limited to, advertising software or browser plug-ins not related to requirements or providing a wide array of functionality not required for every mission, but cannot be disabled. \n\nSatisfies:FMT_SMF.1.1(2) c.2 \nReference:PP-MDM-411064",
"fixid": "F-37502r614067_fix",
"fixtext": "Configure the UEM server to disable non-essential capabilities.",
"iacontrols": null,
"id": "V-234352",
"ruleID": "SV-234352r617355_rule",
"severity": "medium",
"title": "The UEM server must be configured to disable non-essential capabilities.",
"version": "SRG-APP-000141-UEM-000079"
},
"V-234353": {
"checkid": "C-37538r614069_chk",
"checktext": "Verify the firewall protecting the UEM server platform is configured so that only DoD-approved ports, protocols, and services are enabled. (See the DoD PPSM CAL list for DoD-approved ports, protocols, and services).\n\nIf the firewall protecting the UEM server platform is not configured so that only DoD-approved ports, protocols, and services are enabled, this is a finding.",
"description": "All ports, protocols, and services used on DoD networks must be approved and registered via the DoD PPSM process. This is to ensure a risk assessment has been completed before a new port, protocol, or service is configured on a DoD network and has been approved by proper DoD authorities. Otherwise, the new port, protocol, or service could cause a vulnerability to the DoD network, which could be exploited by an adversary. \n\nSatisfies:FMT_SMF.1.1(2) Refinement b \nReference:PP-MDM-431006",
"fixid": "F-37503r614070_fix",
"fixtext": "Configure the firewall protecting the UEM server platform so that only DoD-approved ports, protocols, and services are enabled. (See the DoD PPSM CAL list for DoD-approved ports, protocols, and services).",
"iacontrols": null,
"id": "V-234353",
"ruleID": "SV-234353r617355_rule",
"severity": "medium",
"title": "The firewall protecting the UEM server platform must be configured so only DoD-approved ports, protocols, and services are enabled. (See the DoD Ports, Protocols, Services Management [PPSM] Category Assurance Levels [CAL] list for DoD-approved ports, protocols, and services).",
"version": "SRG-APP-000142-UEM-000080"
},
"V-234354": {
"checkid": "C-37539r614072_chk",
"checktext": "Verify the UEM server uses only documented platform APIs.\n\nIf the UEM server does not use only documented platform APIs, this is a finding.",
"description": "Authenticity protection provides protection against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions.\n\nApplication communication sessions are protected utilizing transport encryption protocols, such as TLS. TLS provides web applications with a means to authenticate user sessions and encrypt application traffic. Session authentication can be single (one-way) or mutual (two-way) in nature. Single authentication authenticates the server for the client, whereas mutual authentication provides a means for both the client and the server to authenticate each other. \n\nThis requirement applies to applications that utilize communications sessions. This includes, but is not limited to, web-based applications and Service-Oriented Architectures (SOA). \n\nThis requirement addresses communications protection at the application session, versus the network packet, and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted. Depending on the required degree of confidentiality and integrity, web services/SOA will require the use of TLS mutual authentication (two-way/bidirectional). \n\nSatisfies:FPT_API_EXT.1.1",
"fixid": "F-37504r614073_fix",
"fixtext": "Configure the UEM server to use only documented platform APIs.",
"iacontrols": null,
"id": "V-234354",
"ruleID": "SV-234354r617397_rule",
"severity": "medium",
"title": "The UEM server must be configured to use only documented platform APIs.",
"version": "SRG-APP-000142-UEM-000081"
},
"V-234355": {
"checkid": "C-37540r614075_chk",
"checktext": "Requirement is Not Applicable when UEM server is configured to use DoD Central Directory Service for administrator account authentication.\n\nVerify the UEM server uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).\n\nIf the UEM server does not uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users), this is a finding.",
"description": "To ensure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. \n\nOrganizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and any processes acting on behalf of users) must be uniquely identified and authenticated for all accesses, except the following.\n\n(i) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication; and \n(ii) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity. \n\nSatisfies: FIA \nReference:PP-MDM-414003",
"fixid": "F-37505r614076_fix",
"fixtext": "Configure the UEM server to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).",
"iacontrols": null,
"id": "V-234355",
"ruleID": "SV-234355r617404_rule",
"severity": "medium",
"title": "The UEM server must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).",
"version": "SRG-APP-000148-UEM-000082"
},
"V-234356": {
"checkid": "C-37541r614078_chk",
"checktext": "Verify the UEM server uses a DoD Central Directory Service to provide multifactor authentication for network access to privileged and non-privileged accounts.\n\nIf the UEM server does not use a DoD Central Directory Service to provide multifactor authentication for network access to privileged and non-privileged accounts, this is a finding.",
"description": "A comprehensive account management process that includes automation helps to ensure the accounts designated as requiring attention are consistently and promptly addressed. If an attacker compromises an account, the entire MDM server infrastructure is at risk. Providing automated support functions for the management of accounts will ensure only active accounts will be granted access with the proper authorization levels. These objectives are best achieved by configuring the MDM server to leverage an enterprise authentication mechanism (e.g., Microsoft Active Directory Kerberos). \n\nSatisfies: FIA \nReference:PP-MDM-414003",
"fixid": "F-37506r614079_fix",
"fixtext": "Configure the UEM server to use a DoD Central Directory Service to provide multifactor authentication for network access to privileged and non-privileged accounts.",
"iacontrols": null,
"id": "V-234356",
"ruleID": "SV-234356r617405_rule",
"severity": "medium",
"title": "The UEM server must be configured to use a DoD Central Directory Service to provide multifactor authentication for network access to privileged and non-privileged accounts.",
"version": "SRG-APP-000149-UEM-000083"
},
"V-234358": {
"checkid": "C-37543r614084_chk",
"checktext": "Verify all UEM server local accounts created during application installation and configuration have been removed. \n\nNote: In this context, \"local\" accounts refers to user and/or administrator accounts on the server that use a username and password for user access and authentication.\n\nIf all UEM server local accounts created during application installation and configuration have not been removed, this is a finding.",
"description": "A comprehensive account management process that includes automation helps to ensure the accounts designated as requiring attention are consistently and promptly addressed. If an attacker compromises an account, the entire MDM server infrastructure is at risk. Providing automated support functions for the management of accounts will ensure only active accounts will be granted access with the proper authorization levels. These objectives are best achieved by configuring the MDM server to leverage an enterprise authentication mechanism (e.g., Microsoft Active Directory Kerberos). \n\nSatisfies:FMT_SMF.1.1(2) b / IA-5(1)(a) \nReference:PP-MDM-431007",
"fixid": "F-37508r614085_fix",
"fixtext": "Remove all UEM server local accounts created during application installation. \n\nNote: In this context, \"local\" accounts refers to user and/or administrator accounts on the server that use a username and password for user access and authentication.",
"iacontrols": null,
"id": "V-234358",
"ruleID": "SV-234358r617355_rule",
"severity": "medium",
"title": "All UEM server local accounts created during application installation and configuration must be removed. \n\nNote: In this context, local accounts refers to user and/or administrator accounts on the server that use a username and password for user access and authentication.",
"version": "SRG-APP-000151-UEM-000085"
},
"V-234360": {
"checkid": "C-37545r614090_chk",
"checktext": "Requirement is Not Applicable when UEM server is configured to use DoD Central Directory Service for administrator account authentication.\n\nVerify the UEM server ensures users are authenticated with an individual authenticator prior to using a group authenticator.\n\nIf the UEM server does not ensure users are authenticated with an individual authenticator prior to using a group authenticator, this is a finding.",
"description": "To ensure individual accountability and prevent unauthorized access, application users must be individually identified and authenticated. \n\nIndividual accountability mandates that each user is uniquely identified. A group authenticator is a shared account or some other form of authentication that allows multiple unique individuals to access the application using a single account. \n\nIf an application allows or provides for group authenticators, it must first individually authenticate users prior to implementing group authenticator functionality. \n\nSome applications may not have the need to provide a group authenticator; this is considered a matter of application design. In those instances where the application design includes the use of a group authenticator, this requirement will apply.\n\nThere may also be instances when specific user actions need to be performed on the information system without unique user identification or authentication. An example of this type of access is a web server which contains publicly releasable information. \n\nSatisfies: FIA \nReference:PP-MDM-414003",
"fixid": "F-37510r614091_fix",
"fixtext": "Configure the UEM server to ensure users are authenticated with an individual authenticator prior to using a group authenticator.",
"iacontrols": null,
"id": "V-234360",
"ruleID": "SV-234360r617406_rule",
"severity": "medium",
"title": "The UEM server must ensure users are authenticated with an individual authenticator prior to using a group authenticator.",
"version": "SRG-APP-000153-UEM-000087"
},
"V-234361": {
"checkid": "C-37546r614093_chk",
"checktext": "Verify the UEM server uses DoD PKI for multifactor authentication.\n\nIf the UEM server does not use DoD PKI for multifactor authentication, this is a finding.",
"description": "Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. \n\nMultifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards, such as the U.S. Government Personal Identity Verification card and the DoD common access card.\n\nA privileged account is any information system account with authorizations of a privileged user. \n\nNetwork access is any access to an application by a user (or process acting on behalf of a user) where said access is obtained through a network connection.",
"fixid": "F-37511r614094_fix",
"fixtext": "Configure the UEM server to use DoD PKI for multifactor authentication.",
"iacontrols": null,
"id": "V-234361",
"ruleID": "SV-234361r617355_rule",
"severity": "medium",
"title": "The UEM server must be configured to use DoD PKI for multifactor authentication. This requirement is included in SRG-APP-000149. ",
"version": "SRG-APP-000154-UEM-000088"
},
"V-234363": {
"checkid": "C-37548r614099_chk",
"checktext": "Requirement is Not Applicable when UEM server is configured to use DoD Central Directory Service for administrator account authentication.\n\nVerify the UEM server uses FIPS-validated SHA-2 or higher hash function to provide replay-resistant authentication mechanisms for network access to privileged accounts.\n\nIf the UEM server does not use FIPS-validated SHA-2 or higher hash function to provide replay-resistant authentication mechanisms for network access to privileged accounts, this is a finding.",
"description": "A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be vulnerable to a replay attack.\n\nAnti-replay is a cryptographically based mechanism; thus, it must use FIPS-approved algorithms. An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. Note that the anti-replay service is implicit when data contains monotonically increasing sequence numbers and data integrity is assured. Use of DoD PKI is inherently compliant with this requirement for user and device access. Use of Transport Layer Security (TLS), including application protocols, such as HTTPS and DNSSEC, that use TLS/SSL as the underlying security protocol is also compliant.\n\nNote: Although allowed by SP800-131Ar1 for some applications, SHA-1 is considered a compromised hashing standard and is being phased out of use by industry and government standards.\n\nConfigure the information system to use the hash message authentication code (HMAC) algorithm for authentication services to Kerberos, SSH, web management tool, and any other access method. \n\nSatisfies: FIA \nReference:PP-MDM-414003",
"fixid": "F-37513r614100_fix",
"fixtext": "Configure the UEM server to use FIPS-validated SHA-2 or higher hash function to provide replay-resistant authentication mechanisms for network access to privileged accounts.",
"iacontrols": null,
"id": "V-234363",
"ruleID": "SV-234363r617407_rule",
"severity": "high",
"title": "The UEM server must use FIPS-validated SHA-2 or higher hash function to provide replay-resistant authentication mechanisms for network access to privileged accounts.",
"version": "SRG-APP-000156-UEM-000090"
},
"V-234364": {
"checkid": "C-37549r614102_chk",
"checktext": "Requirement is Not Applicable when UEM server is configured to use DoD Central Directory Service for administrator account authentication.\n\nVerify the UEM server implements replay-resistant authentication mechanisms for network access to non-privileged accounts.\n\nIf the UEM server does not implement replay-resistant authentication mechanisms for network access to non-privileged accounts, this is a finding.",
"description": "A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be vulnerable to a replay attack.\n\nAn authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. \n\nA non-privileged account is any operating system account with authorizations of a non-privileged user. \n\nTechniques used to address this include protocols using nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., TLS, WS_Security). Additional techniques include time-synchronous or challenge-response one-time authenticators. \n\nSatisfies: FIA \nReference:PP-MDM-414003",
"fixid": "F-37514r614103_fix",
"fixtext": "Configure the UEM server to implement replay-resistant authentication mechanisms for network access to non-privileged accounts.",
"iacontrols": null,
"id": "V-234364",
"ruleID": "SV-234364r617408_rule",
"severity": "medium",
"title": "The UEM server must implement replay-resistant authentication mechanisms for network access to non-privileged accounts.",
"version": "SRG-APP-000157-UEM-000091"
},
"V-234366": {
"checkid": "C-37551r614108_chk",
"checktext": "Requirement is Not Applicable when UEM server is configured to use DoD Central Directory Service for administrator account authentication.\n\nVerify the UEM server disables identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.\n\nIf the UEM server does not disable identifiers (individuals, groups, roles, and devices) after 35 days of inactivity, this is a finding.",
"description": "Inactive identifiers pose a risk to systems and applications. Attackers that are able to exploit an inactive identifier can potentially obtain and maintain undetected access to the application. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. \n\nApplications need to track periods of inactivity and disable application identifiers after 35 days of inactivity. \n\nManagement of user identifiers is not applicable to shared information system accounts (e.g., guest and anonymous accounts). It is commonly the case that a user account is the name of an information system account associated with an individual.\n\nTo avoid having to build complex user management capabilities directly into their application, wise developers leverage the underlying OS or other user account management infrastructure (AD, LDAP) that is already in place within the organization and meets organizational user account management requirements.",
"fixid": "F-37516r614109_fix",
"fixtext": "Configure the UEM server to disable identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.",
"iacontrols": null,
"id": "V-234366",
"ruleID": "SV-234366r617355_rule",
"severity": "medium",
"title": "The UEM server must disable identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.",
"version": "SRG-APP-000163-UEM-000093"
},
"V-234367": {
"checkid": "C-37552r614111_chk",
"checktext": "Verify the UEM server enforces a minimum 15-character password length.\n\nIf the UEM server does not enforce a minimum 15-character password length, this is a finding.",
"description": "The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.\n\nPassword complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. \n\nUse of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password. \n\nSatisfies:FMT_SMF.1(2)b \nReference:PP-MDM-431018",
"fixid": "F-37517r614112_fix",
"fixtext": "Configure the UEM server to enforce a minimum 15-character password length.",
"iacontrols": null,
"id": "V-234367",
"ruleID": "SV-234367r617355_rule",
"severity": "medium",
"title": "The UEM server must enforce a minimum 15-character password length.",
"version": "SRG-APP-000164-UEM-000094"
},
"V-234368": {
"checkid": "C-37553r614114_chk",
"checktext": "Verify the UEM server prohibits password reuse for a minimum of five generations.\n\nIf the UEM server does not prohibit password reuse for a minimum of five generations, this is a finding.",
"description": "Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \n\nTo meet password policy requirements, passwords need to be changed at specific policy-based intervals. \n\nIf the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end result is a password that is not changed as per policy requirements. \n\nSatisfies:FMT_SMF.1(2)b \nReference:PP-MDM-431025",
"fixid": "F-37518r614115_fix",
"fixtext": "Configure the UEM server to prohibit password reuse for a minimum of five generations.",
"iacontrols": null,
"id": "V-234368",
"ruleID": "SV-234368r617355_rule",
"severity": "medium",
"title": "The UEM server must prohibit password reuse for a minimum of five generations.",
"version": "SRG-APP-000165-UEM-000095"
},
"V-234369": {
"checkid": "C-37554r614117_chk",
"checktext": "Verify the UEM server enforces password complexity by requiring that at least one uppercase character be used.\n\nIf the UEM server does not enforce password complexity by requiring that at least one uppercase character be used, this is a finding.",
"description": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determine how long it takes to crack a password. The more complex the password is, the greater the number of possible combinations that need to be tested before the password is compromised. \n\nSatisfies:FMT_SMF.1(2)b \nReference:PP-MDM-431020",
"fixid": "F-37519r614118_fix",
"fixtext": "Configure the UEM server to enforce password complexity by requiring that at least one uppercase character be used.",
"iacontrols": null,
"id": "V-234369",
"ruleID": "SV-234369r617355_rule",
"severity": "medium",
"title": "The UEM server must enforce password complexity by requiring that at least one uppercase character be used.",
"version": "SRG-APP-000166-UEM-000096"
},
"V-234370": {
"checkid": "C-37555r614120_chk",
"checktext": "Verify the UEM server enforces password complexity by requiring that at least one lowercase character be used.\n\nIf the UEM server does not enforce password complexity by requiring that at least one lowercase character be used, this is a finding.",
"description": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \n\nPassword complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. \n\nSatisfies:FMT_SMF.1(2)b \nReference:PP-MDM-431019",
"fixid": "F-37520r614121_fix",
"fixtext": "Configure the UEM server to enforce password complexity by requiring that at least one lowercase character be used.",
"iacontrols": null,
"id": "V-234370",
"ruleID": "SV-234370r617355_rule",
"severity": "medium",
"title": "The UEM server must enforce password complexity by requiring that at least one lowercase character be used.",
"version": "SRG-APP-000167-UEM-000097"
},
"V-234371": {
"checkid": "C-37556r614123_chk",
"checktext": "Verify the UEM server enforces password complexity by requiring that at least one numeric character be used.\n\nIf the UEM server does not enforce password complexity by requiring that at least one numeric character be used, this is a finding.",
"description": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \n\nPassword complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. \n\nSatisfies:FMT_SMF.1(2)b \nReference:PP-MDM-431021",
"fixid": "F-37521r614124_fix",
"fixtext": "Configure the UEM server to enforce password complexity by requiring that at least one numeric character be used.",
"iacontrols": null,
"id": "V-234371",
"ruleID": "SV-234371r617355_rule",
"severity": "medium",
"title": "The UEM server must enforce password complexity by requiring that at least one numeric character be used.",
"version": "SRG-APP-000168-UEM-000098"
},
"V-234372": {
"checkid": "C-37557r614126_chk",
"checktext": "Verify the UEM server enforces password complexity by requiring that at least one special character be used.\n\nIf the UEM server does not enforce password complexity by requiring that at least one special character be used, this is a finding.",
"description": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \n\nPassword complexity is one factor in determining how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. \n\nSpecial characters are those characters that are not alphanumeric. Examples include: ~ ! @ # $ % ^ *. \n\nSatisfies:FMT_SMF.1(2)b \nReference:PP-MDM-431022",
"fixid": "F-37522r614127_fix",
"fixtext": "Configure the UEM server to enforce password complexity by requiring that at least one special character be used.",
"iacontrols": null,
"id": "V-234372",
"ruleID": "SV-234372r617355_rule",
"severity": "medium",
"title": "The UEM server must enforce password complexity by requiring that at least one special character be used.",
"version": "SRG-APP-000169-UEM-000099"
},
"V-234373": {
"checkid": "C-37558r614129_chk",
"checktext": "Verify the UEM server requires the change of at least 15 of the total number of characters when passwords are changed.\n\nIf the UEM server does not require the change of at least 15 of the total number of characters when passwords are changed, this is a finding.",
"description": "If the application allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for attempts at guessing and brute-force attacks.\n\nThe number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. In other words, characters may be the same within the two passwords; however, the positions of the like characters must be different.",
"fixid": "F-37523r614130_fix",
"fixtext": "Configure the UEM server to require the change of at least 15 of the total number of characters when passwords are changed.",
"iacontrols": null,
"id": "V-234373",
"ruleID": "SV-234373r617355_rule",
"severity": "medium",
"title": "The UEM server must require the change of at least 15 of the total number of characters when passwords are changed.",
"version": "SRG-APP-000170-UEM-000100"
},
"V-234374": {
"checkid": "C-37559r614132_chk",
"checktext": "If the UEM server is using password authentication, verify the server stores only cryptographic representations of passwords.\n\nIf the UEM server is using password authentication but does not store only cryptographic representations of passwords, this is a finding.",
"description": "Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read and easily compromised. Use of passwords for authentication is intended only for limited situations and should not be used as a replacement for two-factor CAC-enabled authentication. \n\nExamples of situations where a user ID and password might be used include:\n\n- When the user does not use a CAC and is not a current DoD employee, member of the military, or DoD contractor.\n\n- When a user has been officially designated as temporarily unable to present a CAC for some reason (lost, damaged, not yet issued, broken card reader) (i.e., Temporary Exception User) and to satisfy urgent organizational needs must be temporarily permitted to use user ID/password authentication until the problem with CAC use has been remedied.\n\n- When the application is publicly available and/or hosting publicly releasable data requiring some degree of need-to-know protection.\n\nIf the password is already encrypted and not a plaintext password, this meets this requirement. Implementation of this requirement requires configuration of FIPS-approved cipher block algorithm and block cipher modes for encryption. This method uses a one-way hashing encryption algorithm with a salt value to validate a user's password without having to store the actual password. Performance and time required to access are factors that must be considered, and the one-way hash is the most feasible means of securing the password and providing an acceptable measure of password security.\n\nVerifying the user knows a password is performed using a password verifier. In its simplest form, a password verifier is a computational function that is capable of creating a hash of a password and determining if the value provided by the user matches the hash. A more secure version of verifying a user knowing a password is to store the result of an iterating hash function and a large random salt value as follows:\n\nH0 = H(pwd, H(salt))\nHn = H(Hn-1,H(salt))\n\nIn the above, \"n\" is a cryptographically-strong random [*3] number. \"Hn\" is stored along with the salt. When the application wishes to verify that the user knows a password, it simply repeats the process and compares \"Hn\" with the stored \"Hn\". A salt is essentially a fixed-length cryptographically strong random value.\n\nAnother method is using a keyed-hash message authentication code (HMAC). HMAC calculates a message authentication code via a cryptographic hash function used in conjunction with an encryption key. The key must be protected as with any private key.\n\nThis requirement applies to all accounts including authentication server, AAA, and local account, including the root account and the account of last resort. \n\nSatisfies:FMT_SMF.1(2)b \nReference:PP-MDM-431008",
"fixid": "F-37524r614133_fix",
"fixtext": "For a UEM server using password authentication, configure the server to store only cryptographic representations of passwords.",
"iacontrols": null,
"id": "V-234374",
"ruleID": "SV-234374r617355_rule",
"severity": "medium",
"title": "For UEM server using password authentication, the application must store only cryptographic representations of passwords.",
"version": "SRG-APP-000171-UEM-000101"
},
"V-234375": {
"checkid": "C-37560r614135_chk",
"checktext": "For UEM server using password authentication, verify the network element uses FIPS-validated SHA-2 or later protocol to protect the integrity of the password authentication process.\n\nIf the UEM server is using password authentication but the network element does not use FIPS-validated SHA-2 or later protocol to protect the integrity of the password authentication process, this is a finding.",
"description": "Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.\n\nThe information system must specify the hash algorithm used for authenticating passwords. Implementation of this requirement requires configuration of FIPS-approved cipher block algorithm and block cipher modes for encryption.\n\nNote: Although allowed by SP800-131Ar1 for some applications, SHA-1 is considered a compromised hashing standard and is being phased out of use by industry and government standards. Unless required for legacy use, DoD systems must not be configured to use SHA-1 for integrity of remote access sessions. \n\nThis requirement applies to all accounts, including authentication server; Authorization, Authentication, and Accounting (AAA); and local accounts such as the root account and the account of last resort.\n\nThis requirement only applies to components where this is specific to the function of the device (e.g., TLS VPN or ALG). This does not apply to authentication for the purpose of configuring the device itself (management). \n\nSatisfies:FIA_ENR_EXT.1.1, FCS_COP.1.1(2) Refinement",
"fixid": "F-37525r614136_fix",
"fixtext": "For a UEM server using password authentication, configure the network element to use FIPS-validated SHA-2 or later protocol to protect the integrity of the password authentication process.",
"iacontrols": null,
"id": "V-234375",
"ruleID": "SV-234375r617355_rule",
"severity": "high",
"title": "For UEM server using password authentication, the network element must use FIPS-validated SHA-2 or later protocol to protect the integrity of the password authentication process.",
"version": "SRG-APP-000172-UEM-000102"
},
"V-234376": {
"checkid": "C-37561r614138_chk",
"checktext": "Verify the UEM server enforces 24 hours/1 day as the minimum password lifetime.\n\nIf the UEM server does not enforce 24 hours/1 day as the minimum password lifetime, this is a finding.",
"description": "Enforcing a minimum password lifetime helps prevent repeated password changes to defeat the password reuse or history enforcement requirement.\n\nRestricting this setting limits the user's ability to change their password. Passwords need to be changed at specific policy-based intervals; however, if the application allows the user to immediately and continually change their password, then the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse. \n\nSatisfies:FMT_SMF.1(2)b \nReference:PP-MDM-431023",
"fixid": "F-37526r614139_fix",
"fixtext": "Configure the UEM server to enforce 24 hours/1 day as the minimum password lifetime.",
"iacontrols": null,
"id": "V-234376",
"ruleID": "SV-234376r617355_rule",
"severity": "medium",
"title": "The UEM server must enforce 24 hours/1 day as the minimum password lifetime.",
"version": "SRG-APP-000173-UEM-000103"
},
"V-234377": {
"checkid": "C-37562r614141_chk",
"checktext": "Verify the UEM server enforces a 60-day maximum password lifetime restriction.\n\nIf the UEM server does not enforce a 60-day maximum password lifetime restriction, this is a finding.",
"description": "Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed at specific intervals. \n\nOne method of minimizing this risk is to use complex passwords and periodically change them. If the application does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the system and/or application passwords could be compromised. \n\nThis requirement does not include emergency administration accounts, which are meant for access to the application in case of failure. These accounts are not required to have maximum password lifetime restrictions. \n\nSatisfies:FMT_SMF.1(2)b \nReference:PP-MDM-431024",
"fixid": "F-37527r614142_fix",
"fixtext": "Configure the UEM server to enforce a 60-day maximum password lifetime restriction.",
"iacontrols": null,
"id": "V-234377",
"ruleID": "SV-234377r617355_rule",
"severity": "medium",
"title": "The UEM server must enforce a 60-day maximum password lifetime restriction.",
"version": "SRG-APP-000174-UEM-000104"
},
"V-234378": {
"checkid": "C-37563r614144_chk",
"checktext": "Requirement is Not Applicable when UEM server is configured to use DoD Central Directory Service for administrator account authentication.\n\nWhen using PKI-based authentication for user access, verify the UEM server validates certificates by constructing a certification path (which includes status information) to an accepted trust anchor.\n\nIf the UEM server uses PKI-based authentication for user access but does not validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor, this is a finding.",
"description": "Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted. To meet this requirement, the information system must create trusted channels between itself and remote trusted authorized IT product (e.g., syslog server) entities that protect the confidentiality and integrity of communications. The information system must create trusted paths between itself and remote administrators and users that protect the confidentiality and integrity of communications.\n\nA trust anchor is an authoritative entity represented via a public key and associated data. It is most often used in the context of public key infrastructures, X.509 digital certificates, and DNSSEC. However, applications that do not use a trusted path are not approved for non-local and remote management of DoD information systems.\n\nUse of SSHv2 to establish a trusted channel is approved. Use of FTP, TELNET, HTTP, and SNMPV1 is not approved since they violate the trusted channel rule set. Use of web management tools that are not validated by common criteria may also violate the trusted channel rule set.\n\nWhen there is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can be, for example, a Certification Authority (CA). A certification path starts with the subject certificate and proceeds through a number of intermediate certificates up to a trusted root certificate, typically issued by a trusted CA. \n\nThis requirement verifies that a certification path to an accepted trust anchor is used for certificate validation and that the path includes status information. Path validation is necessary for a relying party to make an informed trust decision when presented with any certificate not already explicitly trusted. Status information for certification paths includes certificate revocation lists or online certificate status protocol responses. \nValidation of the certificate status information is out of scope for this requirement. \n\nSatisfies:FIA_X509_EXT.1.1(1), FIA_X509_EXT.2.1, FIA_X509_EXT.2.2",
"fixid": "F-37528r614145_fix",
"fixtext": "When using PKI-based authentication for user access, configure the UEM server to validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.",
"iacontrols": null,
"id": "V-234378",
"ruleID": "SV-234378r617412_rule",
"severity": "medium",
"title": "When using PKI-based authentication for user access, the UEM server must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.",
"version": "SRG-APP-000175-UEM-000105"
},
"V-234379": {
"checkid": "C-37564r614147_chk",
"checktext": "Verify the UEM server does not automatically accept a certificate when it cannot establish a connection to determine the validity of a certificate.\n\nIf the UEM server automatically accepts a certificate when it cannot establish a connection to determine the validity of a certificate, this is a finding.",
"description": "When a UEM server accepts an unverified certificate, it may be trusting a malicious actor. For example, messages signed with an invalid certificate may contain links to malware, which could lead to the installation or distribution of that malware on DoD information systems, leading to compromise of DoD sensitive information and other attacks. \n\nSatisfies:FIA_X509_EXT.2.2 \nReference:PP-MDM-412003",
"fixid": "F-37529r614148_fix",
"fixtext": "Configure the UEM server to not automatically accept a certificate when it cannot establish a connection to determine the validity of a certificate.",
"iacontrols": null,
"id": "V-234379",
"ruleID": "SV-234379r617355_rule",
"severity": "medium",
"title": "When the UEM server cannot establish a connection to determine the validity of a certificate, the server must be configured not to have the option to accept the certificate.",
"version": "SRG-APP-000175-UEM-000106"
},
"V-234380": {
"checkid": "C-37565r614150_chk",
"checktext": "Requirement is Not Applicable when UEM server is configured to use DoD Central Directory Service for administrator account authentication.\n\nVerify the UEM server, when using PKI-based authentication, enforces authorized access to the corresponding private key.\n\nIf the UEM server, when using PKI-based authentication, does not enforce authorized access to the corresponding private key, this is a finding.",
"description": "If the private key is discovered, an attacker can use the key to authenticate as an authorized user and gain access to the network infrastructure.\n\nThe cornerstone of the PKI is the private key used to encrypt or digitally sign information. \n\nIf the private key is stolen, this will lead to the compromise of the authentication and non-repudiation gained through PKI because the attacker can use the private key to digitally sign documents and pretend to be the authorized user. \n\nBoth the holders of a digital certificate and the issuing authority must protect the computers, storage devices, or whatever they use to keep the private keys. \n\nSatisfies:FIA_X509_EXT.1.1(1)",
"fixid": "F-37530r614151_fix",
"fixtext": "Configure the UEM server, when using PKI-based authentication, to enforce authorized access to the corresponding private key.",
"iacontrols": null,
"id": "V-234380",
"ruleID": "SV-234380r617355_rule",
"severity": "medium",
"title": "The UEM server, when using PKI-based authentication, must enforce authorized access to the corresponding private key.",
"version": "SRG-APP-000176-UEM-000107"
},
"V-234381": {
"checkid": "C-37566r614153_chk",
"checktext": "Requirement is Not Applicable when UEM server is configured to use DoD Central Directory Service for administrator account authentication.\n\nVerify the UEM server maps the authenticated identity to the individual user or group account for PKI-based authentication.\n\nIf the UEM server does not map the authenticated identity to the individual user or group account for PKI-based authentication, this is a finding.",
"description": "Without mapping the certificate used to authenticate to the user account, the ability to determine the identity of the individual user or group will not be available for forensic analysis. \n\nSatisfies: FIA \nReference:PP-MDM-414003",
"fixid": "F-37531r614154_fix",
"fixtext": "Configure the UEM server to map the authenticated identity to the individual user or group account for PKI-based authentication.",
"iacontrols": null,
"id": "V-234381",
"ruleID": "SV-234381r617409_rule",
"severity": "medium",
"title": "The UEM server must map the authenticated identity to the individual user or group account for PKI-based authentication.",
"version": "SRG-APP-000177-UEM-000108"
},
"V-234382": {
"checkid": "C-37567r614156_chk",
"checktext": "Verify the UEM server obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.\n\nIf the UEM server does not obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals, this is a finding.",
"description": "To prevent the compromise of authentication information such as passwords during the authentication process, the feedback from the information system must not provide any information that would allow an unauthorized user to compromise the authentication mechanism. \n\nObfuscation of user-provided information when typed into the system is a method used in addressing this risk. \n\nFor example, displaying asterisks when a user types in a password is an example of obscuring feedback of authentication information. \n\nSatisfies:FMT_SMF.1(2)b \nReference:PP-MDM-431026",
"fixid": "F-37532r614157_fix",
"fixtext": "Configure the UEM server to obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.",
"iacontrols": null,
"id": "V-234382",
"ruleID": "SV-234382r617355_rule",
"severity": "medium",
"title": "The UEM server must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.",
"version": "SRG-APP-000178-UEM-000109"
},
"V-234383": {
"checkid": "C-37568r614159_chk",
"checktext": "Verify the UEM server uses FIPS-validated SHA-2 or higher hash function to protect the integrity of keyed-hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, and hash-only applications.\n\nIf the UEM server does not use FIPS-validated SHA-2 or higher hash function to protect the integrity of keyed-hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, and hash-only applications, this is a finding.",
"description": "Without cryptographic integrity protections, information can be altered by unauthorized users without detection.\n\nNonlocal maintenance and diagnostic activities are activities conducted by individuals communicating through either an external network (e.g., the internet) or an internal network. \n\nNote: Although allowed by SP800-131Ar1 for some applications, SHA-1 is considered a compromised hashing standard and is being phased out of use by industry and government standards. Unless required for legacy use, DoD systems should not be configured to use SHA-1 for integrity of remote access sessions. \n\nTo protect the integrity of the authenticator and authentication mechanism used for the cryptographic module used by the network device, the application, operating system, or protocol must be configured to use one of the following hash functions for hashing the password or other authenticator in accordance with SP 800-131Ar1: SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256, SHA3-224, SHA3-256, SHA3-384, and SHA3-512.\n\nApplications also include HMAC, KDFs, Random Bit Generation, and hash-only applications (e.g., hashing passwords and computing a checksum). For digital signature verification, SP800-131Ar1 allows SHA-1 for legacy use only, but this is discouraged by DoD.\n\nSeparate requirements for configuring applications and protocols used by each product (e.g., SNMPv3, SSH, NTP, and other protocols and applications that require server/client authentication) are required to implement this requirement. \n\nSatisfies:FCS_COP.1.1(2)",
"fixid": "F-37533r614160_fix",
"fixtext": "Configure the UEM server to use FIPS-validated SHA-2 or higher hash function to protect the integrity of keyed-hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, and hash-only applications.",
"iacontrols": null,
"id": "V-234383",
"ruleID": "SV-234383r617355_rule",
"severity": "high",
"title": "The UEM server must use FIPS-validated SHA-2 or higher hash function to protect the integrity of keyed-hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, and hash-only applications.",
"version": "SRG-APP-000179-UEM-000110"
},
"V-234390": {
"checkid": "C-37575r614180_chk",
"checktext": "Verify the UEM server provides a trusted communication channel between itself and authorized IT entities using [selection:\n-IPsec,\n-SSH,\n-mutually authenticated TLS, \n-mutually authenticated DTLS, \n-HTTPS].\n\nIf the UEM server does not provide a trusted communication channel between itself and authorized IT entities using [selection:\n-IPsec,\n-SSH,\n-mutually authenticated TLS, \n-mutually authenticated DTLS, \n-HTTPS], this is a finding.",
"description": "Examples of authorized IT entities: audit server, Active Directory, software update server, and database server.\n\nWithout confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session.\n\nNonlocal maintenance and diagnostic activities are activities conducted by individuals communicating through either an external network (e.g., the internet) or an internal network. \n\nSatisfies:FTP_ITC.1.1(1) Refinement \nReference:PP-MDM-412062",
"fixid": "F-37540r614181_fix",
"fixtext": "Configure the UEM server to provide a trusted communication channel between itself and authorized IT entities using [selection:\n-IPsec,\n-SSH,\n-mutually authenticated TLS, \n-mutually authenticated DTLS, \n-HTTPS].",
"iacontrols": null,
"id": "V-234390",
"ruleID": "SV-234390r617355_rule",
"severity": "medium",
"title": "The UEM server must be configured to provide a trusted communication channel between itself and authorized IT entities using [selection:\n-IPsec,\n-SSH,\n-mutually authenticated TLS, \n-mutually authenticated DTLS, \n-HTTPS].",
"version": "SRG-APP-000191-UEM-000117"
},
"V-234391": {
"checkid": "C-37576r614183_chk",
"checktext": "Verify the UEM server invokes either host-OS functionality or server functionality to provide a trusted communication channel between itself and remote administrators that provides assured identification of its endpoints and protection of the communicated data from modification and disclosure using [selection:\n-IPsec,\n-SSH,\n-TLS, \n-HTTPS].\n\nIf the UEM server does not invoke either host-OS functionality or server functionality to provide a trusted communication channel between itself and remote administrators that provides assured identification of its endpoints and protection of the communicated data from modification and disclosure using [selection:\n-IPsec,\n-SSH,\n-TLS, \n-HTTPS], this is a finding.",
"description": "Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session.\n\nNonlocal maintenance and diagnostic activities are activities conducted by individuals communicating through either an external network (e.g., the internet) or an internal network. \n\nSatisfies:FTP_TRP.1.1(1) Refinement",
"fixid": "F-37541r615961_fix",
"fixtext": "Configure the UEM server to invoke either host-OS functionality or server functionality to provide a trusted communication channel between itself and remote administrators that provides assured identification of its endpoints and protection of the communicated data from modification and disclosure using [selection:\n-IPsec,\n-SSH,\n-TLS, \n-HTTPS].",
"iacontrols": null,
"id": "V-234391",
"ruleID": "SV-234391r617355_rule",
"severity": "medium",
"title": "The UEM server must be configured to invoke either host-OS functionality or server functionality to provide a trusted communication channel between itself and remote administrators that provides assured identification of its endpoints and protection of the communicated data from modification and disclosure using [selection:-IPsec,-SSH,-TLS, -HTTPS].",
"version": "SRG-APP-000191-UEM-000118"
},
"V-234392": {
"checkid": "C-37577r614186_chk",
"checktext": "Verify the UEM server invokes either host-OS functionality or server functionality to provide a trusted communication channel between itself and managed devices that provides assured identification of its endpoints and protection of the communicated data from modification and disclosure using [selection:\n-TLS, \n-HTTPS].\n\nIf the UEM server does not invoke either host-OS functionality or server functionality to provide a trusted communication channel between itself and managed devices that provides assured identification of its endpoints and protection of the communicated data from modification and disclosure using [selection:\n-TLS, \n-HTTPS], this is a finding.",
"description": "Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session.\n\nNonlocal maintenance and diagnostic activities are activities conducted by individuals communicating through either an external network (e.g., the internet) or an internal network. \n\nSatisfies:FTP_TRP.1.1(2) Refinement",
"fixid": "F-37542r615963_fix",
"fixtext": "Configure the UEM server to invoke either host-OS functionality or server functionality to provide a trusted communication channel between itself and managed devices that provides assured identification of its endpoints and protection of the communicated data from modification and disclosure using [selection:\n-TLS, \n-HTTPS].",
"iacontrols": null,
"id": "V-234392",
"ruleID": "SV-234392r617355_rule",
"severity": "medium",
"title": "The UEM server must be configured to invoke either host-OS functionality or server functionality to provide a trusted communication channel between itself and managed devices that provides assured identification of its endpoints and protection of the communicated data from modification and disclosure using [selection:-TLS, -HTTPS].",
"version": "SRG-APP-000191-UEM-000119"
},
"V-234405": {
"checkid": "C-37590r614225_chk",
"checktext": "Verify the UEM server protects the authenticity of communications sessions.\n\nIf the UEM server does not protect the authenticity of communications sessions, this is a finding.",
"description": "Authenticity protection provides protection against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions.\n\nApplication communication sessions are protected utilizing transport encryption protocols, such as TLS. TLS provides web applications with a means to be able to authenticate user sessions and encrypt application traffic. Session authentication can be single (one-way) or mutual (two-way) in nature. Single authentication authenticates the server for the client, whereas mutual authentication provides a means for both the client and the server to authenticate each other. \n\nThis requirement applies to applications that utilize communications sessions. This includes, but is not limited to, web-based applications and Service-Oriented Architectures (SOA). \n\nThis requirement addresses communications protection at the application session, versus the network packet, and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted. Depending on the required degree of confidentiality and integrity, web services/SOA will require the use of TLS mutual authentication (two-way/bidirectional). \n\nSatisfies:FIA_ENR_EXT.1.1, FTP_TRP.1.1(2), FTP_TRP.1.1(1)",
"fixid": "F-37555r614226_fix",
"fixtext": "Configure the UEM server to protect the authenticity of communications sessions.",
"iacontrols": null,
"id": "V-234405",
"ruleID": "SV-234405r617355_rule",
"severity": "medium",
"title": "The UEM server must protect the authenticity of communications sessions.",
"version": "SRG-APP-000219-UEM-000132"
},
"V-234406": {
"checkid": "C-37591r614228_chk",
"checktext": "Verify the UEM server invalidates session identifiers upon user logout or other session termination.\n\nIf the UEM server does not invalidate session identifiers upon user logout or other session termination, this is a finding.",
"description": "Captured sessions can be reused in \"replay\" attacks. This requirement limits the ability of adversaries from capturing and continuing to employ previously valid session IDs.\n\nThis requirement focuses on communications protection for the application session rather than for the network packet. This requirement applies to applications that utilize communications sessions. This includes, but is not limited to, web-based applications and Service-Oriented Architectures (SOA). \n\nSession IDs are tokens generated by web applications to uniquely identify an application user's session. Applications will make application decisions and execute business logic based on the session ID. Unique session identifiers or IDs are the opposite of sequentially generated session IDs, which can be easily guessed by an attacker. Unique session IDs help to reduce predictability of said identifiers. When a user logs out, or when any other session termination event occurs, the application must terminate the user session to minimize the potential for an attacker to hijack that particular user session.",
"fixid": "F-37556r614229_fix",
"fixtext": "Configure the UEM server to invalidate session identifiers upon user logout or other session termination.",
"iacontrols": null,
"id": "V-234406",
"ruleID": "SV-234406r617355_rule",
"severity": "medium",
"title": "The UEM server must invalidate session identifiers upon user logout or other session termination.",
"version": "SRG-APP-000220-UEM-000133"
},
"V-234407": {
"checkid": "C-37592r614231_chk",
"checktext": "Verify the UEM server recognizes only system-generated session identifiers.\n\nIf the UEM server does not recognize only system-generated session identifiers, this is a finding.",
"description": "Applications utilize sessions and session identifiers to control application behavior and user access. If an attacker can guess the session identifier, or can inject or manually insert session information, the session may be compromised.\n\nUnique session IDs address man-in-the-middle attacks, including session hijacking or insertion of false information into a session. If the attacker is unable to identify or guess the session information related to pending application traffic, they will have more difficulty in hijacking the session or otherwise manipulating valid sessions.\n\nThis requirement focuses on communications protection for the application session rather than for the network packet. This requirement applies to applications that utilize communications sessions. This includes, but is not limited to, web-based applications and Service-Oriented Architectures (SOA).",
"fixid": "F-37557r614232_fix",
"fixtext": "Configure the UEM server to recognize only system-generated session identifiers.",
"iacontrols": null,
"id": "V-234407",
"ruleID": "SV-234407r617355_rule",
"severity": "medium",
"title": "The UEM server must recognize only system-generated session identifiers.",
"version": "SRG-APP-000223-UEM-000134"
},
"V-234408": {
"checkid": "C-37593r614234_chk",
"checktext": "Verify the UEM server generates unique session identifiers using a FIPS-validated RNG based on the DRBG algorithm.\n\nIf the UEM server does not generate unique session identifiers using a FIPS-validated RNG based on the DRBG algorithm, this is a finding.",
"description": "Sequentially generated session IDs can be easily guessed by an attacker. Employing the concept of randomness in the generation of unique session identifiers helps to protect against brute-force attacks to determine future session identifiers.\n\nUnique session IDs address man-in-the-middle attacks, including session hijacking or insertion of false information into a session. If the attacker is unable to identify or guess the session information related to pending application traffic, they will have more difficulty in hijacking the session or otherwise manipulating valid sessions. \n\nThe DRBGs Hash_DRBG, HMAC_DRBG, and CTR_DRBG are recommended for use with RNGs. \n\nThis requirement is applicable to devices that use a web interface for device management. \n\nSatisfies:FCS_RBG_EXT.1.1, FIA_UAU.1.1, FIA_UAU.1.2",
"fixid": "F-37558r614235_fix",
"fixtext": "Configure the UEM server to generate unique session identifiers using a FIPS-validated RNG based on the DRBG algorithm.",
"iacontrols": null,
"id": "V-234408",
"ruleID": "SV-234408r617355_rule",
"severity": "high",
"title": "The UEM server must generate unique session identifiers using a FIPS-validated Random Number Generator (RNG) based on the Deterministic Random Bit Generators (DRBG) algorithm.",
"version": "SRG-APP-000224-UEM-000135"
},
"V-234409": {
"checkid": "C-37594r614237_chk",
"checktext": "Verify the UEM server fails to a secure state if system initialization fails, shutdown fails, or aborts fail.\n\nIf the UEM server does not fail to a secure state if system initialization fails, shutdown fails, or aborts fail, this is a finding.",
"description": "Failure to a known safe state helps prevent systems from failing to a state that may cause loss of data or unauthorized access to system resources. Applications or systems that fail suddenly and with no incorporated failure state planning may leave the hosting system available but with a reduced security protection capability. Preserving information system state information also facilitates system restart and return to the operational mode of the organization with less disruption of mission-essential processes. \n\nIn general, application security mechanisms should be designed so that a failure will follow the same execution path as disallowing the operation. For example, security methods, such as isAuthorized(), isAuthenticated(), and validate(), should all return false if there is an exception during processing. If security controls can throw exceptions, they must be very clear about exactly what that condition means. \n\nAbort refers to stopping a program or function before it has finished naturally. The term abort refers to both requested and unexpected terminations. \n\nSatisfies:FPT_TST_EXT.1.2",
"fixid": "F-37559r614238_fix",
"fixtext": "Configure the UEM server to fail to a secure state if system initialization fails, shutdown fails, or aborts fail.",
"iacontrols": null,
"id": "V-234409",
"ruleID": "SV-234409r617355_rule",
"severity": "medium",
"title": "The UEM server must fail to a secure state if system initialization fails, shutdown fails, or aborts fail.",
"version": "SRG-APP-000225-UEM-000136"
},
"V-234410": {
"checkid": "C-37595r614240_chk",
"checktext": "Verify the UEM server preserves any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes, in the event of a system failure.\n\nIf the UEM server does not preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes, in the event of a system failure, this is a finding.",
"description": "Failure to a known state can address safety or security in accordance with the mission/business needs of the organization. Failure to a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system. Preserving application state information helps to facilitate application restart and return to the operational mode of the organization with less disruption to mission-essential processes. \n\nSatisfies:FAU_GEN.1.1(1)",
"fixid": "F-37560r617413_fix",
"fixtext": "Configure the UEM server to preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes, in the event of a system failure.",
"iacontrols": null,
"id": "V-234410",
"ruleID": "SV-234410r617413_rule",
"severity": "medium",
"title": "In the event of a system failure, the UEM server must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes.",
"version": "SRG-APP-000226-UEM-000137"
},
"V-234421": {
"checkid": "C-37606r617398_chk",
"checktext": "Verify the UEM server checks the validity of all data inputs.\n\nIf the UEM server does not check the validity of all data inputs, this is a finding.",
"description": "Invalid user input occurs when a user inserts data or characters into an application's data entry fields and the application is unprepared to process that data. This results in unanticipated application behavior, potentially leading to an application or information system compromise. Invalid input is one of the primary methods employed when attempting to compromise an application. \n\nChecking the valid syntax and semantics of information system inputs (e.g., character set, length, numerical range, and acceptable values) verifies that inputs match specified definitions for format and content. Software applications typically follow well-defined protocols that use structured messages (i.e., commands or queries) to communicate between software modules or system components. Structured messages can contain raw or unstructured data interspersed with metadata or control information. If software applications use attacker-supplied inputs to construct structured messages without properly encoding such messages, then the attacker could insert malicious commands or special characters that can cause the data to be interpreted as control information or metadata. Consequently, the module or component that receives the tainted output will perform the wrong operations or otherwise interpret the data incorrectly. Prescreening inputs prior to passing to interpreters prevents the content from being unintentionally interpreted as commands. Input validation helps to ensure accurate and correct inputs and prevent attacks such as cross-site scripting and a variety of injection attacks.",
"fixid": "F-37571r614274_fix",
"fixtext": "Configure the UEM server to check the validity of all data inputs.",
"iacontrols": null,
"id": "V-234421",
"ruleID": "SV-234421r617398_rule",
"severity": "medium",
"title": "The UEM server must check the validity of all data inputs.",
"version": "SRG-APP-000251-UEM-000148"
},
"V-234424": {
"checkid": "C-37609r614282_chk",
"checktext": "Verify the UEM server generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.\n\nIf the UEM server does not generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries, this is a finding.",
"description": "Any application providing too much information in error messages risks compromising the data and security of the application and system. The structure and content of error messages needs to be carefully considered by the organization and development team. \n\nOrganizations carefully consider the structure/content of error messages. The extent to which information systems are able to identify and handle error conditions is guided by organizational policy and operational requirements. Information that could be exploited by adversaries includes, for example, erroneous logon attempts with passwords entered by mistake as the username, mission/business information that can be derived from (if not stated explicitly by) information recorded, and personal information, such as account numbers, social security numbers, and credit card numbers. \n\nSatisfies:FAU_ALT_EXT.1.1, FPT_TST_EXT.1, FAU_GEN.1.2(1), FIA_UAU.1.2, FMT_SMR.1.1(1)",
"fixid": "F-37574r614283_fix",
"fixtext": "Configure the UEM server to generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.",
"iacontrols": null,
"id": "V-234424",
"ruleID": "SV-234424r617355_rule",
"severity": "medium",
"title": "The UEM server must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.",
"version": "SRG-APP-000266-UEM-000151"
},
"V-234425": {
"checkid": "C-37610r614285_chk",
"checktext": "Verify the UEM server reveals error messages only to the ISSM and ISSO.\n\nIf the UEM server does not reveal error messages only to the ISSM and ISSO, this is a finding.",
"description": "Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the application. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.\n\nThe structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. \n\nSatisfies:FPT_TST_EXT.1, FAU_GEN.1.2(1), FIA_UAU.1.2, FMT_SMR.1.1(1)",
"fixid": "F-37575r614286_fix",
"fixtext": "Configure the UEM server to reveal error messages only to the ISSM and ISSO.",
"iacontrols": null,
"id": "V-234425",
"ruleID": "SV-234425r617355_rule",
"severity": "medium",
"title": "The UEM server must reveal error messages only to the Information System Security Manager (ISSM) and Information System Security Officer (ISSO).",
"version": "SRG-APP-000267-UEM-000152"
},
"V-234426": {
"checkid": "C-37611r614288_chk",
"checktext": "Verify the UEM server, when a component failure is detected, activates an organization-defined alarm and/or automatically shuts down the application or the component.\n\nIf the UEM server, when a component failure is detected, does not activate an organization-defined alarm and/or automatically shut down the application or the component, this is a finding.",
"description": "Predictable failure prevention requires organizational planning to address system failure issues. If components key to maintaining systems security fail to function, the system could continue operating in an insecure state. The organization must be prepared and the application must support requirements that specify if the application must alarm for such conditions and/or automatically shut down the application or the system. \n\nThis can include conducting a graceful application shutdown to avoid losing information. Automatic or manual transfer of components from standby to active mode can occur, for example, upon detection of component failures. \n\nSatisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 \nReference:PP-MDM-411065, PP-MDM-412000",
"fixid": "F-37576r614289_fix",
"fixtext": "Configure the UEM server to activate an organization-defined alarm and/or automatically shut down the application or the component when a component failure is detected.",
"iacontrols": null,
"id": "V-234426",
"ruleID": "SV-234426r617355_rule",
"severity": "medium",
"title": "The UEM server must, when a component failure is detected, activate an organization-defined alarm and/or automatically shut down the application or the component.",
"version": "SRG-APP-000268-UEM-000153"
},
"V-234430": {
"checkid": "C-37615r614300_chk",
"checktext": "Verify the UEM server notifies the ISSO and ISSM of failed security verification tests.\n\nIf the UEM server does not notify the ISSO and ISSM of failed security verification tests, this is a finding.",
"description": "If personnel are not notified of failed security verification tests, they will not be able to take corrective action and the unsecure condition(s) will remain. \n\nSecurity function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.\n\nNotifications provided by information systems include messages to local computer consoles, and/or hardware indications, such as lights.\n\nThis requirement applies to applications performing security functions and the applications performing security function verification/testing. \n\nSatisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 \nReference:PP-MDM-411065, PP-MDM-412000",
"fixid": "F-37580r614301_fix",
"fixtext": "Configure the UEM server to notify the ISSO and ISSM of failed security verification tests.",
"iacontrols": null,
"id": "V-234430",
"ruleID": "SV-234430r617355_rule",
"severity": "medium",
"title": "The application must notify the Information System Security Manager (ISSM) and Information System Security Officer (ISSO) of failed security verification tests.",
"version": "SRG-APP-000275-UEM-000157"
},
"V-234438": {
"checkid": "C-37623r614324_chk",
"checktext": "Requirement is Not Applicable when UEM server is configured to use DoD Central Directory Service for administrator account authentication.\n\nVerify the UEM server notifies system administrators and the ISSO when accounts are created.\n\nIf the UEM server does not notify system administrators and the ISSO when accounts are created, this is a finding.",
"description": "Once an attacker establishes access to an application, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply create a new account. Sending notification of account creation events to the system administrator and ISSO is one method for mitigating this risk.\n\nTo address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality. \n\nSatisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 \nReference:PP-MDM-411065, PP-MDM-412000",
"fixid": "F-37588r614325_fix",
"fixtext": "Configure the UEM server to notify system administrators and the ISSO when accounts are created.",
"iacontrols": null,
"id": "V-234438",
"ruleID": "SV-234438r617355_rule",
"severity": "medium",
"title": "The UEM server must notify system administrators and the Information System Security Officer (ISSO) when accounts are created.",
"version": "SRG-APP-000291-UEM-000165"
},
"V-234439": {
"checkid": "C-37624r614327_chk",
"checktext": "Requirement is Not Applicable when UEM server is configured to use DoD Central Directory Service for administrator account authentication.\n\nVerify the UEM server notifies system administrators and the ISSO when accounts are modified.\n\nIf the UEM server does not notify system administrators and the ISSO when accounts are modified, this is a finding.",
"description": "When application accounts are modified, user accessibility is affected. Accounts are utilized for identifying individual users or for identifying the application processes themselves. Sending notification of account modification events to the system administrator and ISSO is one method for mitigating this risk. Such a capability greatly reduces the risk that application accessibility will be negatively affected for extended periods of time and also provides logging that can be used for forensic purposes.\n\nTo address access requirements, many operating systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. \n\nSatisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 \nReference:PP-MDM-411065, PP-MDM-412000",
"fixid": "F-37589r614328_fix",
"fixtext": "Configure the UEM server to notify system administrators and the ISSO when accounts are modified.",
"iacontrols": null,
"id": "V-234439",
"ruleID": "SV-234439r617355_rule",
"severity": "medium",
"title": "The UEM server must notify system administrators and the Information System Security Officer (ISSO) when accounts are modified.",
"version": "SRG-APP-000292-UEM-000166"
},
"V-234440": {
"checkid": "C-37625r614330_chk",
"checktext": "Requirement is Not Applicable when UEM server is configured to use DoD Central Directory Service for administrator account authentication.\n\nVerify the UEM server notifies system administrators and the ISSO for account disabling actions.\n\nIf the UEM server does not notify system administrators and the ISSO for account disabling actions, this is a finding.",
"description": "When application accounts are disabled, user accessibility is affected. Accounts are utilized for identifying individual users or for identifying the application processes themselves. Sending notification of account disabling events to the system administrator and ISSO is one method for mitigating this risk. Such a capability greatly reduces the risk that application accessibility will be negatively affected for extended periods of time and also provides logging that can be used for forensic purposes.\n\nTo address access requirements, many operating systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. \n\nSatisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 \nReference:PP-MDM-411065, PP-MDM-412000",
"fixid": "F-37590r614331_fix",
"fixtext": "Configure the UEM server to notify system administrators and the ISSO for account disabling actions.",
"iacontrols": null,
"id": "V-234440",
"ruleID": "SV-234440r617355_rule",
"severity": "medium",
"title": "The UEM server must notify system administrators and the Information System Security Officer (ISSO) for account disabling actions.",
"version": "SRG-APP-000293-UEM-000167"
},
"V-234441": {
"checkid": "C-37626r617414_chk",
"checktext": "Requirement is Not Applicable when UEM server is configured to use DoD Central Directory Service for administrator account authentication.\n\nVerify the UEM server notifies system administrators and the ISSO for account removal actions.\n\nIf the UEM server does not notify system administrators and the ISSO for account removal actions, this is a finding.",
"description": "When application accounts are removed, user accessibility is affected. Accounts are utilized for identifying users or for identifying the application processes themselves. Sending notification of account removal events to the system administrator and ISSO is one method for mitigating this risk. Such a capability greatly reduces the risk that application accessibility will be negatively affected for extended periods of time and also provides logging that can be used for forensic purposes.\n\nTo address access requirements, many operating systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. \n\nSatisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 \nReference:PP-MDM-411065, PP-MDM-412000",
"fixid": "F-37591r614334_fix",
"fixtext": "Configure the UEM server to notify system administrators and the ISSO for account removal actions.",
"iacontrols": null,
"id": "V-234441",
"ruleID": "SV-234441r617414_rule",
"severity": "medium",
"title": "The UEM server must notify system administrators and the Information System Security Officer (ISSO) for account removal actions.",
"version": "SRG-APP-000294-UEM-000168"
},
"V-234442": {
"checkid": "C-37627r614336_chk",
"checktext": "Verify the UEM server automatically terminates a user session after an organization-defined period of user inactivity.\n\nIf the UEM server does not automatically terminate a user session after an organization-defined period of user inactivity, this is a finding.",
"description": "Automatic session termination addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions (i.e., network disconnect). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational information system. Such user sessions can be terminated (and thus terminate user access) without terminating network sessions.\n\nSession termination terminates all processes associated with a user's logical session except those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. \n\nConditions or trigger events requiring automatic session termination can include, for example, organization-defined periods of user inactivity, targeted responses to certain types of incidents, and time-of-day restrictions on information system use.\n\nThis capability is typically reserved for specific application system functionality where the system owner, data owner, or organization requires additional assurance. Based upon requirements and events specified by the data or application owner, the application developer must incorporate logic into the application that will provide a control mechanism that disconnects users upon the defined event trigger. The methods for incorporating this requirement will be determined and specified on a case-by-case basis during the application design and development stages. \n\nSatisfies:FMT_SMF.1.1(2) b \nReference:PP-MDM-431014",
"fixid": "F-37592r614337_fix",
"fixtext": "Configure the UEM server to automatically terminate a user session after an organization-defined period of user inactivity.",
"iacontrols": null,
"id": "V-234442",
"ruleID": "SV-234442r617355_rule",
"severity": "medium",
"title": "The UEM server must automatically terminate a user session after an organization-defined period of user inactivity.",
"version": "SRG-APP-000295-UEM-000169"
},
"V-234443": {
"checkid": "C-37628r614339_chk",
"checktext": "Verify the UEM server provides a logout capability for user-initiated communication sessions.\n\nIf the UEM server does not provide a logout capability for user-initiated communication sessions, this is a finding.",
"description": "If a user cannot explicitly end an application session, the session may remain open and be exploited by an attacker; this is referred to as a zombie session.\n\nInformation resources to which users gain access via authentication include, for example, local workstations, databases, and password-protected websites/web-based services. However, for some types of interactive sessions including, for example, file transfer protocol (FTP) sessions, information systems typically send logout messages as final messages prior to terminating sessions. \n\nSatisfies:FMT_SMF.1.1(2) b \nReference:PP-MDM-431015",
"fixid": "F-37593r614340_fix",
"fixtext": "Configure the UEM server to provide a logout capability for user-initiated communication sessions.",
"iacontrols": null,
"id": "V-234443",
"ruleID": "SV-234443r617355_rule",
"severity": "medium",
"title": "The UEM server must provide logout capability for user-initiated communication sessions.",
"version": "SRG-APP-000296-UEM-000170"
},
"V-234444": {
"checkid": "C-37629r614342_chk",
"checktext": "Verify the UEM server displays an explicit logout message to users indicating the reliable termination of authenticated communications sessions.\n\nIf the UEM server does not display an explicit logout message to users indicating the reliable termination of authenticated communications sessions, this is a finding.",
"description": "If a user cannot explicitly end an application session, the session may remain open and be exploited by an attacker; this is referred to as a zombie session. Users need to be aware of whether or not the session has been terminated.\n\nInformation resources to which users gain access via authentication include, for example, local workstations, databases, and password-protected websites/web-based services. Logout messages for web page access, for example, can be displayed after authenticated sessions have been terminated. However, for some types of interactive sessions including, for example, file transfer protocol (FTP) sessions, information systems typically send logout messages as final messages prior to terminating sessions.",
"fixid": "F-37594r614343_fix",
"fixtext": "Configure the UEM server to display an explicit logout message to users indicating the reliable termination of authenticated communications sessions.",
"iacontrols": null,
"id": "V-234444",
"ruleID": "SV-234444r617355_rule",
"severity": "medium",
"title": "The UEM server must display an explicit logout message to users indicating the reliable termination of authenticated communications sessions.",
"version": "SRG-APP-000297-UEM-000171"
},
"V-234465": {
"checkid": "C-37650r614405_chk",
"checktext": "Requirement is Not Applicable when the UEM server is configured to use DoD Central Directory Service for administrator account authentication.\n\nVerify the UEM server automatically audits account enabling actions.\n\nIf the UEM server does not automatically audit account enabling actions, this is a finding.",
"description": "Once an attacker establishes access to an application, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply enable a new or disabled account. Automatically auditing account enabling actions provides logging that can be used for forensic purposes.\n\nTo address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality. \n\nSatisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 \nReference:PP-MDM-411065, PP-MDM-412000",
"fixid": "F-37615r614406_fix",
"fixtext": "Configure the UEM server to automatically audit account enabling actions.",
"iacontrols": null,
"id": "V-234465",
"ruleID": "SV-234465r617355_rule",
"severity": "medium",
"title": "The UEM server must automatically audit account-enabling actions.",
"version": "SRG-APP-000319-UEM-000192"
},
"V-234466": {
"checkid": "C-37651r617399_chk",
"checktext": "Requirement is Not Applicable when the UEM server is configured to use DoD Central Directory Service for administrator account authentication.\n\nVerify the UEM server notifies the system administrator and the ISSO of account enabling actions.\n\nIf the UEM server does not notify the system administrator and the ISSO of account enabling actions, this is a finding.",
"description": "Once an attacker establishes access to an application, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply enable a new or disabled account. Sending notification of account enabling events to the system administrator and ISSO is one method for mitigating this risk. Such a capability greatly reduces the risk that application accessibility will be negatively affected for extended periods of time and also provides logging that can be used for forensic purposes.\n\nIn order to detect and respond to events that affect user accessibility and application processing, applications must notify the appropriate individuals so they can investigate the event.\n\nTo address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality. \n\nSatisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 \nReference:PP-MDM-411065, PP-MDM-412000",
"fixid": "F-37616r614409_fix",
"fixtext": "Configure the UEM server to notify the system administrator and the ISSO of account enabling actions.",
"iacontrols": null,
"id": "V-234466",
"ruleID": "SV-234466r617399_rule",
"severity": "medium",
"title": "The UEM server must notify the system administrator and the Information System Security Officer (ISSO) of account enabling actions.",
"version": "SRG-APP-000320-UEM-000193"
},
"V-234473": {
"checkid": "C-37658r614429_chk",
"checktext": "Verify the UEM server employs an audited override of automated access control mechanisms under organization-defined conditions.\n\nIf the UEM server does not employ an audited override of automated access control mechanisms under organization-defined conditions, this is a finding.",
"description": "Successful incident response and auditing relies on timely, accurate system information and analysis in order to allow the organization to identify and respond to potential incidents in a proficient manner. Actions that could adversely impact the system must be audited for forensic analysis. \n\nSatisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 \nReference:PP-MDM-411065, PP-MDM-412000",
"fixid": "F-37623r614430_fix",
"fixtext": "Configure the UEM server to employ an audited override of automated access control mechanisms under organization-defined conditions.",
"iacontrols": null,
"id": "V-234473",
"ruleID": "SV-234473r617355_rule",
"severity": "medium",
"title": "The UEM server must employ an audited override of automated access control mechanisms under organization-defined conditions.",
"version": "SRG-APP-000327-UEM-000200"
},
"V-234475": {
"checkid": "C-37660r615068_chk",
"checktext": "Verify the UEM server has at least one user in defined administrator roles.\n\nIf the UEM server does not have at least one user in defined administrator roles, this is a finding.",
"description": "Having several administrative roles for the UEM server supports separation of duties. This allows administrator-level privileges to be granted granularly, such as giving application management privileges to one group and security policy privileges to another group. This helps prevent administrators from intentionally or inadvertently altering other settings and configurations that they may not understand or approve, which can weaken overall security and increase the risk of compromise.\n\nDefined roles:\n- Server primary administrator: Responsible for server installation, initial configuration, and maintenance functions. Responsible for the setup and maintenance of security configuration administrator and auditor accounts. Responsible for the maintenance of applications in the MAS.\n- Security configuration administrator: Responsible for security configuration of the server, defining device user groups, setup and maintenance of device user group administrator accounts, and defining privileges of device user group administrators.\n- Device user group administrator: Responsible for maintenance of mobile device accounts, including setup, change of account configurations, and account deletion. Responsible for defining which apps user groups or individual users have access to in the MAS. Can only perform administrative functions assigned by the security configuration administrator.\n- Auditor: Responsible for reviewing and maintaining server and mobile device audit logs. \n\nSatisfies:FMT_SMR.1.1(1) \nReference:PP-MDM-411058",
"fixid": "F-37625r615069_fix",
"fixtext": "Configure the UEM server to have at least one user in defined administrator roles.",
"iacontrols": null,
"id": "V-234475",
"ruleID": "SV-234475r617355_rule",
"severity": "medium",
"title": "The UEM server must be configured to have at least one user in defined administrator roles.",
"version": "SRG-APP-000329-UEM-000202"
},
"V-234489": {
"checkid": "C-37674r615110_chk",
"checktext": "Verify the UEM server audits the execution of privileged functions.\n\nIf the UEM server does not audit the execution of privileged functions, this is a finding.",
"description": "Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse, and identify the risk from insider threats and the advanced persistent threat. \n\nSatisfies:FAU_GEN.1.1(1), b.",
"fixid": "F-37639r615111_fix",
"fixtext": "Configure the UEM server to audit the execution of privileged functions.",
"iacontrols": null,
"id": "V-234489",
"ruleID": "SV-234489r617355_rule",
"severity": "medium",
"title": "The UEM server must audit the execution of privileged functions.",
"version": "SRG-APP-000343-UEM-000216"
},
"V-234491": {
"checkid": "C-37676r615965_chk",
"checktext": "Requirement is Not Applicable when UEM server is configured to use DoD Central Directory Service for administrator account authentication.\n\nVerify the UEM server automatically locks the account until the locked account is released by an administrator when three unsuccessful login attempts in 15 minutes are exceeded.\n\nIf the UEM server does not automatically lock the account until the locked account is released by an administrator when three unsuccessful login attempts in 15 minutes are exceeded, this is a finding.",
"description": "By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account. \n\nSatisfies:FMT_SMF.1(2)b \nReference:PP-MDM-431030",
"fixid": "F-37641r615117_fix",
"fixtext": "Configure the UEM server to automatically lock the account until the locked account is released by an administrator when three unsuccessful login attempts in 15 minutes are exceeded.",
"iacontrols": null,
"id": "V-234491",
"ruleID": "SV-234491r617355_rule",
"severity": "medium",
"title": "The UEM server must automatically lock the account until the locked account is released by an administrator when three unsuccessful login attempts in 15 minutes are exceeded.",
"version": "SRG-APP-000345-UEM-000218"
},
"V-234500": {
"checkid": "C-37685r615967_chk",
"checktext": "Verify the UEM server transfers UEM server logs to another server for storage, analysis, and reporting.\n\nIf the UEM server does not transfer UEM server logs to another server for storage, analysis, and reporting, this is a finding.\n\nNote: UEM server logs include logs of UEM events and logs transferred to the UEM server by UEM agents of managed devices.",
"description": "Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n\nOff-loading is a common process in information systems with limited audit storage capacity.\n\nNote: UEM server logs include logs of UEM events and logs transferred to the UEM server by UEM agents of managed devices. \n\nSatisfies:FMT_SMF.1.1(2) c.8, FAU_STG_EXT.1.1(1) \nReference:PP-MDM-411054",
"fixid": "F-37650r615144_fix",
"fixtext": "Configure the UEM server to transfer UEM server logs to another server for storage, analysis, and reporting.\n\nNote: UEM server logs include logs of UEM events and logs transferred to the UEM server by UEM agents of managed devices.",
"iacontrols": null,
"id": "V-234500",
"ruleID": "SV-234500r617411_rule",
"severity": "medium",
"title": "The UEM server must be configured to transfer UEM server logs to another server for storage, analysis, and reporting. Note: UEM server logs include logs of UEM events and logs transferred to the UEM server by UEM agents of managed devices.",
"version": "SRG-APP-000358-UEM-000228"
},
"V-234516": {
"checkid": "C-37701r615191_chk",
"checktext": "Verify the UEM server records time stamps for audit records that can be mapped to UTC or GMT.\n\nIf the UEM server does not record time stamps for audit records that can be mapped to UTC or GMT, this is a finding.",
"description": "If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis.\n\nTime stamps generated by the application include date and time. Time is commonly expressed in UTC, a modern continuation of GMT, or local time with an offset from UTC. \n\nSatisfies:FAU_GEN.1.2(1)",
"fixid": "F-37666r615192_fix",
"fixtext": "Configure the UEM server to record time stamps for audit records that can be mapped to UTC or GMT.",
"iacontrols": null,
"id": "V-234516",
"ruleID": "SV-234516r617355_rule",
"severity": "medium",
"title": "The UEM server must be configured to record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).",
"version": "SRG-APP-000374-UEM-000244"
},
"V-234517": {
"checkid": "C-37702r615969_chk",
"checktext": "Verify the UEM server records time stamps for audit records that meet a granularity of one second for a minimum degree of precision.\n\nIf the UEM server does not record time stamps for audit records that meet a granularity of one second for a minimum degree of precision, this is a finding.",
"description": "Without sufficient granularity of time stamps, it is not possible to adequately determine the chronological order of records. \n\nTime stamps generated by the application include date and time. Granularity of time measurements refers to the degree of synchronization between information system clocks and reference clocks.",
"fixid": "F-37667r615195_fix",
"fixtext": "Configure the UEM server to record time stamps for audit records that meet a granularity of one second for a minimum degree of precision.",
"iacontrols": null,
"id": "V-234517",
"ruleID": "SV-234517r617355_rule",
"severity": "medium",
"title": "The UEM server must be configured to record time stamps for audit records that meet a granularity of one second for a minimum degree of precision.",
"version": "SRG-APP-000375-UEM-000245"
},
"V-234519": {
"checkid": "C-37704r615971_chk",
"checktext": "Verify the UEM server verifies the digital signature of software before installation and alerts the ISSM, ISSO, and other designated personnel if unauthorized software is detected.\n\nIf the UEM server does not verify the digital signature of software before installation and alert the ISSM, ISSO, and other designated personnel if unauthorized software is detected, this is a finding.",
"description": "Unauthorized software not only increases risk by increasing the number of potential vulnerabilities, it also can contain malicious code. Sending an alert (in real time) when unauthorized software is detected allows designated personnel to take action on the installation of unauthorized software.\n\nThis requirement applies to configuration management applications or similar types of applications designed to manage system processes and configurations (e.g., HBSS and software wrappers). \n\nSatisfies:FPT_TUD_EXT.1.3",
"fixid": "F-37669r615201_fix",
"fixtext": "Configure the UEM server to verify the digital signature of software before installation and alert the ISSM, ISSO, and other designated personnel if unauthorized software is detected.",
"iacontrols": null,
"id": "V-234519",
"ruleID": "SV-234519r617355_rule",
"severity": "medium",
"title": "The UEM server must verify the digital signature of software before installation and alert the Information System Security Officer (ISSO), Information System Security Manager (ISSM), and other designated personnel if unauthorized software is detected.",
"version": "SRG-APP-000377-UEM-000247"
},
"V-234520": {
"checkid": "C-37705r615973_chk",
"checktext": "Verify the UEM server prohibits user installation of software by an administrator without the appropriate assigned permission for software installation.\n\nIf the UEM server does not prohibit user installation of software by an administrator without the appropriate assigned permission for software installation, this is a finding.",
"description": "Allowing regular users to install software, without explicit privileges, creates the risk that untested or potentially malicious software will be installed on the system. Explicit privileges (escalated or administrative privileges) provide the regular user with explicit capabilities and control that exceeds the rights of a regular user.\n\nApplication functionality will vary, and while users are not permitted to install unapproved applications, there may be instances where the organization allows the user to install approved software packages such as from an approved software repository. \n\nThe application must enforce software installation by users based upon what types of software installations are permitted (e.g., updates and security patches to existing software) and what types of installations are prohibited (e.g., software whose pedigree with regard to being potentially malicious is unknown or suspect) by the organization. \n\nThis requirement applies, for example, to applications that provide the ability to extend application functionality (e.g., plug-ins, add-ons) and software management applications. \n\nSatisfies:FPT_TUD_EXT.1.2",
"fixid": "F-37670r615204_fix",
"fixtext": "Configure the UEM server to prohibit user installation of software by an administrator without the appropriate assigned permission for software installation.",
"iacontrols": null,
"id": "V-234520",
"ruleID": "SV-234520r617355_rule",
"severity": "medium",
"title": "The UEM server must prohibit user installation of software by an administrator without the appropriate assigned permission for software installation.",
"version": "SRG-APP-000378-UEM-000248"
},
"V-234521": {
"checkid": "C-37706r615975_chk",
"checktext": "Verify the UEM server allows only enrolled devices that are compliant with UEM policies and assigned to a user in the application access group to download applications.\n\nIf the UEM server does not allow only enrolled devices that are compliant with UEM policies and assigned to a user in the application access group to download applications, this is a finding.",
"description": "If the application install policy is not enforced, malicious applications and vulnerable applications can be installed on managed mobile devices, which could compromise DoD data. \n\nSatisfies:FMT_MOF.1.1(3) \nReference:PP-MDM-423206",
"fixid": "F-37671r615207_fix",
"fixtext": "Configure the UEM server to allow only enrolled devices that are compliant with UEM policies and assigned to a user in the application access group to download applications.",
"iacontrols": null,
"id": "V-234521",
"ruleID": "SV-234521r617355_rule",
"severity": "medium",
"title": "The UEM server must be configured to only allow enrolled devices that are compliant with UEM policies and assigned to a user in the application access group to download applications.",
"version": "SRG-APP-000378-UEM-000249"
},
"V-234523": {
"checkid": "C-37708r615212_chk",
"checktext": "Verify the UEM server enforces access restrictions associated with changes to the server configuration.\n\nIf the UEM server does not enforce access restrictions associated with changes to the server configuration, this is a finding.",
"description": "Failure to provide logical access restrictions associated with changes to application configuration may have significant effects on the overall security of the system. \n\nWhen dealing with access restrictions pertaining to change control, it should be noted that any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have significant effects on the overall security of the system. \n\nAccordingly, only qualified and authorized individuals should be allowed to obtain access to application components for the purposes of initiating changes, including upgrades and modifications. \n\nLogical access restrictions include, for example, controls that restrict access to workflow automation, media libraries, abstract layers (e.g., changes implemented into third-party interfaces rather than directly into information systems), and change windows (e.g., changes occur only during specified times, making unauthorized changes easy to discover). \n\nSatisfies:FMT_SMR.1.1(1)",
"fixid": "F-37673r615213_fix",
"fixtext": "Configure the UEM server to enforce access restrictions associated with changes to the server configuration.",
"iacontrols": null,
"id": "V-234523",
"ruleID": "SV-234523r617355_rule",
"severity": "medium",
"title": "The UEM server must enforce access restrictions associated with changes to the server configuration.",
"version": "SRG-APP-000380-UEM-000251"
},
"V-234524": {
"checkid": "C-37709r615977_chk",
"checktext": "Verify the UEM server audits the enforcement actions used to restrict access associated with changes to the application.\n\nIf the UEM server does not audit the enforcement actions used to restrict access associated with changes to the application, this is a finding.",
"description": "Without auditing the enforcement of access restrictions against changes to the application configuration, it will be difficult to identify attempted attacks and an audit trail will not be available for forensic investigation for after-the-fact actions. \n\nEnforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. Enforcement action methods may be as simple as denying access to a file based on the application of file permissions (access restriction). Audit items may consist of lists of actions blocked by access restrictions or changes identified after the fact. \n\nSatisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 \nReference:PP-MDM-411065, PP-MDM-412000",
"fixid": "F-37674r615216_fix",
"fixtext": "Configure the UEM server to audit the enforcement actions used to restrict access associated with changes to the application.",
"iacontrols": null,
"id": "V-234524",
"ruleID": "SV-234524r617355_rule",
"severity": "medium",
"title": "The UEM server must audit the enforcement actions used to restrict access associated with changes to the application.",
"version": "SRG-APP-000381-UEM-000252"
},
"V-234526": {
"checkid": "C-37711r615979_chk",
"checktext": "Verify the UEM server disables organization-defined functions, ports, protocols, and services (within the application) deemed unnecessary and/or non-secure.\n\nIf the UEM server does not disable organization-defined functions, ports, protocols, and services (within the application) deemed unnecessary and/or non-secure, this is a finding.",
"description": "Removal of unneeded or non-secure functions, ports, protocols, and services mitigates the risk of unauthorized connection of devices, unauthorized transfer of information, or other exploitation of these resources.\n\nExamples include unneeded listening ports.\n\nThe organization must perform a periodic scan/review of the application (as required by CCI-000384) and disable functions, ports, protocols, and services deemed to be unneeded or non-secure. \n\nSatisfies:FMT_SMF.1.1(2) Refinement b \nReference:PP-MDM-431006",
"fixid": "F-37676r615222_fix",
"fixtext": "Configure the UEM server to disable organization-defined functions, ports, protocols, and services (within the application) deemed unnecessary and/or non-secure.",
"iacontrols": null,
"id": "V-234526",
"ruleID": "SV-234526r617355_rule",
"severity": "medium",
"title": "The UEM server must disable organization-defined functions, ports, protocols, and services (within the application) deemed unnecessary and/or non-secure.",
"version": "SRG-APP-000383-UEM-000254"
},
"V-234532": {
"checkid": "C-37717r615239_chk",
"checktext": "Verify the UEM server requires users (administrators) to reauthenticate when roles change.\n\nIf the UEM server does not require users (administrators) to reauthenticate when roles change, this is a finding.",
"description": "Without reauthentication, users may access resources or perform tasks for which they do not have authorization. \n\nWhen applications provide the capability to change security roles or escalate the functional capability of the application, it is critical the user reauthenticate.\n\nIn addition to the reauthentication requirements associated with session locks, organizations may require reauthentication of individuals and/or devices in other situations, including (but not limited to) the following circumstances.\n\n(i) When authenticators change; \n(ii) When roles change; \n(iii) When security categories of information systems change; \n(iv) When the execution of privileged functions occurs; \n(v) After a fixed period of time; or\n(vi) Periodically.\n\nWithin the DoD, the minimum circumstances requiring reauthentication are privilege escalation and role changes. \n\nSatisfies:FMT_SMF.1.1(2) b \nReference:PP-MDM-431016",
"fixid": "F-37682r615240_fix",
"fixtext": "Configure the UEM server to require users (administrators) to reauthenticate when roles change.",
"iacontrols": null,
"id": "V-234532",
"ruleID": "SV-234532r617355_rule",
"severity": "medium",
"title": "The UEM server must require users (administrators) to reauthenticate when roles change.",
"version": "SRG-APP-000389-UEM-000260"
},
"V-234533": {
"checkid": "C-37718r615981_chk",
"checktext": "Verify the UEM server requires end-point devices to reauthenticate when organization-defined circumstances or situations requiring reauthentication occur.\n\nIf the UEM server does not require end-point devices to reauthenticate when organization-defined circumstances or situations requiring reauthentication occur, this is a finding.",
"description": "This requirement refers to the end-point device user reauthenticating to the device. The following are examples of organization-defined circumstances or situations requiring reauthentication: \n\n(i) After a screen lock; \n(ii) After device reboot; \n(iii) Before installation of new device policy or profile;\n(iv) Before executing a device reset or wipe. \n\nSatisfies:FMT_SMF.1.1(2) b \nReference:PP-MDM-431016",
"fixid": "F-37683r615243_fix",
"fixtext": "Configure the UEM server to require end-point devices to reauthenticate when organization-defined circumstances or situations requiring reauthentication occur.",
"iacontrols": null,
"id": "V-234533",
"ruleID": "SV-234533r617355_rule",
"severity": "medium",
"title": "The UEM server must require end-point devices to reauthenticate when organization-defined circumstances or situations requiring reauthentication.",
"version": "SRG-APP-000390-UEM-000261"
},
"V-234538": {
"checkid": "C-37723r617415_chk",
"checktext": "Verify the UEM server establishes a trusted path between the server and endpoint that provides assured identification of the end point using a bidirectional authentication mechanism configured with a FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to authenticate with the device before establishing a connection to any endpoint device being managed. \n\nIf the UEM server does not establish a trusted path between the server and endpoint that provides assured identification of the end point using a bidirectional authentication mechanism configured with a FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to authenticate with the device before establishing a connection to any endpoint device being managed, this is a finding.",
"description": "Without device-to-device authentication, communications with malicious devices may be established. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk. Currently, DoD requires the use of AES for bidirectional authentication since it is the only FIPS-validated AES cipher block algorithm. \n\nFor distributed architectures (e.g., service-oriented architectures), the decisions regarding the validation of authentication claims may be made by services separate from the services acting on those decisions. In such situations, it is necessary to provide authentication decisions (as opposed to the actual authenticators) to the services that need to act on those decisions.\n\nA local connection is any connection with a device communicating without the use of a network. A network connection is any connection with a device that communicates through a network (e.g., local area or wide area network; the internet). A remote connection is any connection with a device communicating through an external network (e.g., the internet).\n\nBecause of the challenges of applying this requirement on a large scale, organizations are encouraged to apply the requirement only to those limited number (and type) of devices that truly need to support this capability. \n\nSatisfies:FIA_X509_EXT.1(1), FIA_ENR_EXT.1.1",
"fixid": "F-37688r615984_fix",
"fixtext": "Configure the UEM server to establish a trusted path between the server and endpoint that provides assured identification of the end point using a bidirectional authentication mechanism configured with a FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to authenticate with the device before establishing a connection to any endpoint device being managed.",
"iacontrols": null,
"id": "V-234538",
"ruleID": "SV-234538r617415_rule",
"severity": "high",
"title": "Before establishing a connection to any endpoint device being managed, the UEM server must establish a trusted path between the server and endpoint that provides assured identification of the end point using a bidirectional authentication mechanism configured with a FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to authenticate with the device.",
"version": "SRG-APP-000395-UEM-000266"
},
"V-234543": {
"checkid": "C-37728r615986_chk",
"checktext": "Requirement is Not Applicable when the UEM server is configured to use DoD Central Directory Service for administrator account authentication.\n\nVerify the UEM server prohibits the use of cached authenticators after an organization-defined time period.\n\nIf the UEM server does not prohibit the use of cached authenticators after an organization-defined time period, this is a finding.",
"description": "If cached authentication information is out-of-date, the validity of the authentication information may be questionable.\n\nAccording to CNSS 1253, the IA-5(13) control, which is tied to this requirement, is not defined at the DoD level. The organization should specify this value based on numerous factors, including the application in question, the data it hosts, and the associated exposures/risks.",
"fixid": "F-37693r615273_fix",
"fixtext": "Configure the UEM server to prohibit the use of cached authenticators after an organization-defined time period.",
"iacontrols": null,
"id": "V-234543",
"ruleID": "SV-234543r617355_rule",
"severity": "medium",
"title": "The UEM server must prohibit the use of cached authenticators after an organization-defined time period.",
"version": "SRG-APP-000400-UEM-000271"
},
"V-234544": {
"checkid": "C-37729r615988_chk",
"checktext": "Verify the UEM server, for PKI-based authentication, implements a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network.\n\nIf the UEM server, for PKI-based authentication, does not implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network, this is a finding.",
"description": "Without configuring a local cache of revocation data, there is the potential to allow access to users who are no longer authorized (users with revoked certificates).",
"fixid": "F-37694r615276_fix",
"fixtext": "Configure the UEM server to implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network for PKI-based authentication.",
"iacontrols": null,
"id": "V-234544",
"ruleID": "SV-234544r617355_rule",
"severity": "medium",
"title": "The UEM server, for PKI-based authentication, must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network.",
"version": "SRG-APP-000401-UEM-000272"
},
"V-234555": {
"checkid": "C-37740r615991_chk",
"checktext": "Verify the UEM server web management tools use a FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to protect the confidentiality of maintenance and diagnostic communications for nonlocal maintenance sessions.\n\nIf the UEM server web management tools do not use FIPS-validated Advanced Encryption Standard (AES) cipher block algorithms to protect the confidentiality of maintenance and diagnostic communications for nonlocal maintenance sessions, this is a finding.",
"description": "Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session.\n\nNonlocal maintenance and diagnostic activities are activities conducted by individuals communicating through either an external network (e.g., the internet) or an internal network.",
"fixid": "F-37705r615309_fix",
"fixtext": "Configure the UEM server web management tools with a FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to protect the confidentiality of maintenance and diagnostic communications for nonlocal maintenance sessions.",
"iacontrols": null,
"id": "V-234555",
"ruleID": "SV-234555r617355_rule",
"severity": "high",
"title": "The UEM server must configure web management tools with FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to protect the confidentiality of maintenance and diagnostic communications for nonlocal maintenance sessions.",
"version": "SRG-APP-000412-UEM-000283"
},
"V-234556": {
"checkid": "C-37741r615993_chk",
"checktext": "Verify the UEM server verifies remote disconnection when non-local maintenance and diagnostic sessions are terminated.\n\nIf the UEM server does not verify remote disconnection when non-local maintenance and diagnostic sessions are terminated, this is a finding.",
"description": "If the remote connection is not closed and verified as closed, the session may remain open and be exploited by an attacker; this is referred to as a zombie session. Remote connections must be disconnected and verified as disconnected when non-local maintenance sessions have been terminated and are no longer available for use.",
"fixid": "F-37706r615312_fix",
"fixtext": "Configure the UEM server to verify remote disconnection when non-local maintenance and diagnostic sessions are terminated.",
"iacontrols": null,
"id": "V-234556",
"ruleID": "SV-234556r617355_rule",
"severity": "medium",
"title": "The UEM server must verify remote disconnection when non-local maintenance and diagnostic sessions are terminated.",
"version": "SRG-APP-000413-UEM-000284"
},
"V-234573": {
"checkid": "C-37758r615995_chk",
"checktext": "Verify the UEM server allows only DoD-PKI established certificate authorities for verification of the establishment of protected sessions.\n\nIf the UEM server does not allow only DoD-PKI established certificate authorities for verification of the establishment of protected sessions, this is a finding.",
"description": "Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DoD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DoD-approved CA, trust of this CA has not been established.\n\nThe DoD will only accept PKI certificates obtained from a DoD-approved internal or external certificate authority. Reliance on CAs for the establishment of secure sessions includes, for example, the use of TLS certificates. \n\nThis requirement focuses on communications protection for the application session rather than for the network packet.\n\nThis requirement applies to applications that utilize communications sessions. This includes, but is not limited to, web-based applications and Service-Oriented Architectures (SOA). \n\nSatisfies:FIA_X509_EXT.1.1(1)",
"fixid": "F-37723r615354_fix",
"fixtext": "Configure the UEM server to allow only DoD-PKI established certificate authorities for verification of the establishment of protected sessions.",
"iacontrols": null,
"id": "V-234573",
"ruleID": "SV-234573r617355_rule",
"severity": "medium",
"title": "The UEM server must only allow the use of DoD PKI established certificate authorities for verification of the establishment of protected sessions.",
"version": "SRG-APP-000427-UEM-000298"
},
"V-234574": {
"checkid": "C-37759r615356_chk",
"checktext": "Verify the UEM server uses X.509v3 certificates for code signing for system software updates.\n\nIf the UEM server does not use X.509v3 certificates for code signing for system software updates, this is a finding.",
"description": "It is critical that the UEM server validate code signing certificates for key activities such as code signing for system software updates, code signing for integrity verification, and policy signing. Otherwise, there is no assurance that a malicious actor has not inserted itself in the process of packaging the code or policy. For example, messages signed with an invalid certificate may contain links to malware, which could lead to the installation or distribution of that malware on DoD information systems, leading to compromise of DoD sensitive information and other attacks. Therefore, the MDM server must have the capability to enforce a policy for this control. \n\nSatisfies:FMT_SMF.1.1(2) c.8, FIA_X509_EXT.2.1 \nReference:PP-MDM-412002",
"fixid": "F-37724r615357_fix",
"fixtext": "Configure the UEM server to use X.509v3 certificates for code signing for system software updates.",
"iacontrols": null,
"id": "V-234574",
"ruleID": "SV-234574r617355_rule",
"severity": "medium",
"title": "The UEM server must be configured to use X.509v3 certificates for code signing for system software updates.",
"version": "SRG-APP-000427-UEM-000299"
},
"V-234575": {
"checkid": "C-37760r615359_chk",
"checktext": "Verify the UEM server uses X.509v3 certificates for code signing for integrity verification.\n\nIf the UEM server does not use X.509v3 certificates for code signing for integrity verification, this is a finding.",
"description": "It is critical that the UEM server validate code signing certificates for key activities such as code signing for system software updates, code signing for integrity verification, and policy signing. Otherwise, there is no assurance that a malicious actor has not inserted itself in the process of packaging the code or policy. For example, messages signed with an invalid certificate may contain links to malware, which could lead to the installation or distribution of that malware on DoD information systems, leading to compromise of DoD sensitive information and other attacks. Therefore, the MDM server must have the capability to enforce a policy for this control. \n\nSatisfies:FMT_SMF.1.1(2) c.8, FIA_X509_EXT.2.1 \nReference:PP-MDM-412002",
"fixid": "F-37725r615360_fix",
"fixtext": "Configure the UEM server to use X.509v3 certificates for code signing for integrity verification.",
"iacontrols": null,
"id": "V-234575",
"ruleID": "SV-234575r617355_rule",
"severity": "medium",
"title": "The UEM server must be configured to use X.509v3 certificates for code signing for integrity verification.",
"version": "SRG-APP-000427-UEM-000300"
},
"V-234588": {
"checkid": "C-37773r615997_chk",
"checktext": "Verify the UEM server connects to applications and managed mobile devices with an authenticated and secure (encrypted) connection to protect the confidentiality and integrity of transmitted information.\n\nIf the UEM server does not connect to applications and managed mobile devices with an authenticated and secure (encrypted) connection to protect the confidentiality and integrity of transmitted information, this is a finding.",
"description": "Applications may include the following: update server, database, and enterprise directory service. Without protection of the transmitted information, confidentiality and integrity may be compromised since unprotected communications can be intercepted and either read or altered. \n\nThis requirement applies only to those applications that are either distributed or can allow access to data non-locally. Use of this requirement will be limited to situations where the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. When transmitting data, applications need to leverage transmission protection mechanisms, such as TLS, TLS VPNs, or IPSEC.\n\nCommunication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa.\n\nThis requirement applies to any application to which the server connects (for example SQL server, Active Directory). \n\nSatisfies:FMT_SMF.1.1(2) b, FTP_ITC.1.1(1), FTP_ITC.1.2(1), FTP_ITC.1.3(1) \nReference:PP-MDM-431009",
"fixid": "F-37738r615399_fix",
"fixtext": "Configure the UEM server to connect to applications and managed mobile devices with an authenticated and secure (encrypted) connection to protect the confidentiality and integrity of transmitted information.",
"iacontrols": null,
"id": "V-234588",
"ruleID": "SV-234588r617355_rule",
"severity": "high",
"title": "The UEM server must connect to [assignment: [list of applications]] and managed mobile devices with an authenticated and secure (encrypted) connection to protect the confidentiality and integrity of transmitted information.",
"version": "SRG-APP-000439-UEM-000313"
},
"V-234596": {
"checkid": "C-37781r615422_chk",
"checktext": "Verify the UEM server writes to the server event log when invalid inputs are received.\n\nIf the UEM server does not write to the server event log when invalid inputs are received, this is a finding.",
"description": "A common vulnerability of applications is unpredictable behavior when invalid inputs are received. This requirement guards against adverse or unintended system behavior caused by invalid inputs, where information system responses to the invalid input may be disruptive or cause the system to fail into an unsafe state.\n\nThe behavior will be derived from the organizational and system requirements and includes, but is not limited to, notification of the appropriate personnel, creating an audit record, and rejecting invalid input. \n\nSatisfies:FPT_TST_EXT.1.2",
"fixid": "F-37746r615423_fix",
"fixtext": "Configure the UEM server to write to the server event log when invalid inputs are received.",
"iacontrols": null,
"id": "V-234596",
"ruleID": "SV-234596r617355_rule",
"severity": "medium",
"title": "The UEM server must be configured to write to the server event log when invalid inputs are received.",
"version": "SRG-APP-000447-UEM-000321"
},
"V-234603": {
"checkid": "C-37788r615443_chk",
"checktext": "Verify the UEM server removes old software components after updated versions have been installed.\n\nIf the UEM server does not remove old software components after updated versions have been installed, this is a finding.",
"description": "Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of software automatically from the information system.\n\nIf the update is due to a security issue with the old version of the app, the old version is not reinstalled. If rollback files are used by the server, they must be stored so as to not be easily accessible to the production system, or cannot be accidentally installed on the operational system, and then must be deleted after a short period of time defined by the organization.",
"fixid": "F-37753r615444_fix",
"fixtext": "Configure the UEM server to remove old software components after updated versions have been installed.",
"iacontrols": null,
"id": "V-234603",
"ruleID": "SV-234603r617355_rule",
"severity": "medium",
"title": "The UEM server must remove old software components after updated versions have been installed.",
"version": "SRG-APP-000454-UEM-000328"
},
"V-234605": {
"checkid": "C-37790r615449_chk",
"checktext": "Verify the UEM server is maintained at a supported version.\n\nIf the UEM server is not maintained at a supported version, this is a finding.",
"description": "The UEM vendor maintains specific product versions for a specific period of time. MDM/EMM server versions no longer supported by the vendor will not receive security updates for new vulnerabilities, which leaves them subject to exploitation. \n\nSatisfies:FPT_TUD_EXT.1.1, FPT_TUD_EXT.1.2 \nReference:PP-MDM-414005",
"fixid": "F-37755r615450_fix",
"fixtext": "Configure the UEM server to be maintained at a supported version.",
"iacontrols": null,
"id": "V-234605",
"ruleID": "SV-234605r617355_rule",
"severity": "high",
"title": "The UEM server must be maintained at a supported version.",
"version": "SRG-APP-000456-UEM-000330"
},
"V-234622": {
"checkid": "C-37807r616001_chk",
"checktext": "Verify the UEM server is configured with the periodicity of the following commands to the agent of six hours or less: \n- query connectivity status;\n- query the current version of the managed device firmware/software;\n- query the current version of installed mobile applications;\n- read audit logs kept by the managed device.\n\nIf the UEM server is not configured with the periodicity of the following commands to the agent of six hours or less: \n- query connectivity status;\n- query the current version of the managed device firmware/software;\n- query the current version of installed mobile applications;\n- read audit logs kept by the managed device,\nthis is a finding.",
"description": "Without verification, security functions may not operate correctly and this failure may go unnoticed. \n\nSecurity function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.\n\nThis requirement applies to applications performing security functions and the applications performing security function verification/testing. \n\nSatisfies:FAU_NET_EXT.1.1, FMT_SMF.1.1(2) c.3 \nReference:PP-MDM-411057",
"fixid": "F-37772r616002_fix",
"fixtext": "Configure the UEM server with the periodicity of the following commands to the agent of six hours or less: \n- query connectivity status;\n- query the current version of the managed device firmware/software;\n- query the current version of installed mobile applications;\n- read audit logs kept by the managed device.",
"iacontrols": null,
"id": "V-234622",
"ruleID": "SV-234622r617355_rule",
"severity": "medium",
"title": "The UEM server must be configured with the periodicity of the following commands to the agent of six hours or less: - query connectivity status - query the current version of the managed device firmware/software - query the current version of installed mobile applications - read audit logs kept by the managed device.",
"version": "SRG-APP-000472-UEM-000347"
},
"V-234623": {
"checkid": "C-37808r616004_chk",
"checktext": "Verify the UEM server runs a suite of self-tests during initial start-up (power on) to demonstrate correct operation of the server.\n\nIf the UEM server does not run a suite of self-tests during initial start-up (power on) to demonstrate correct operation of the server, this is a finding.",
"description": "Without verification, security functions may not operate correctly and this failure may go unnoticed. \n\nSecurity function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.\n\nNotifications provided by information systems include, for example, electronic alerts to system administrators, messages to local computer consoles, and/or hardware indications, such as lights.\n\nThis requirement applies to applications performing security functions and the applications performing security function verification/testing. \n\nSatisfies:FPT_TST_EXT.1.1",
"fixid": "F-37773r615504_fix",
"fixtext": "Configure the UEM server to run a suite of self-tests during initial start-up (power on) to demonstrate correct operation of the server.",
"iacontrols": null,
"id": "V-234623",
"ruleID": "SV-234623r617355_rule",
"severity": "medium",
"title": "The UEM server must run a suite of self-tests during initial start-up (power on) to demonstrate correct operation of the server.",
"version": "SRG-APP-000473-UEM-000348"
},
"V-234624": {
"checkid": "C-37809r616006_chk",
"checktext": "Verify the UEM server alerts the system administrator when anomalies in the operation of security functions are discovered.\n\nIf the UEM server does not alert the system administrator when anomalies in the operation of security functions are discovered, this is a finding.",
"description": "If anomalies are not acted upon, security functions may fail to secure the system. \n\nSecurity function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.\n\nNotifications provided by information systems include messages to local computer consoles, and/or hardware indications, such as lights.\n\nThis requirement applies to applications performing security functions and the applications performing security function verification/testing. \n\nSatisfies:FAU_ALT_EXT.1.1 c.",
"fixid": "F-37774r615507_fix",
"fixtext": "Configure the UEM server to alert the system administrator when anomalies in the operation of security functions are discovered.",
"iacontrols": null,
"id": "V-234624",
"ruleID": "SV-234624r617355_rule",
"severity": "medium",
"title": "The UEM server must alert the system administrator when anomalies in the operation of security functions are discovered.",
"version": "SRG-APP-000474-UEM-000349"
},
"V-234629": {
"checkid": "C-37814r616008_chk",
"checktext": "Verify the UEM server verifies software updates to the server using a digital signature mechanism prior to installing those updates.\n\nIf the UEM server does not verify software updates to the server using a digital signature mechanism prior to installing those updates, this is a finding.",
"description": "Unauthorized modifications to software or firmware may be indicative of a sophisticated, targeted cyber-attack. Cryptographic authentication includes, for example, verifying that software or firmware components have been digitally signed using certificates recognized and approved by organizations. Code signing is an effective method to protect against malicious code. \n\nSatisfies:FPT_TUD_EXT.1.3",
"fixid": "F-37779r615522_fix",
"fixtext": "Configure the UEM server to verify software updates to the server using a digital signature mechanism prior to installing those updates.",
"iacontrols": null,
"id": "V-234629",
"ruleID": "SV-234629r617355_rule",
"severity": "medium",
"title": "The UEM server must be configured to verify software updates to the server using a digital signature mechanism prior to installing those updates.",
"version": "SRG-APP-000479-UEM-000354"
},
"V-234642": {
"checkid": "C-37827r616011_chk",
"checktext": "Verify the UEM server generates audit records when successful/unsuccessful attempts to access security objects occur.\n\nIf the UEM server does not generate audit records when successful/unsuccessful attempts to access security objects occur, this is a finding.",
"description": "Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. \n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). \n\nSatisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 \nReference:PP-MDM-411065, PP-MDM-412000",
"fixid": "F-37792r615561_fix",
"fixtext": "Configure the UEM server to generate audit records when successful/unsuccessful attempts to access security objects occur.",
"iacontrols": null,
"id": "V-234642",
"ruleID": "SV-234642r617355_rule",
"severity": "medium",
"title": "The UEM server must generate audit records when successful/unsuccessful attempts to access security objects occur.",
"version": "SRG-APP-000492-UEM-000367"
},
"V-234645": {
"checkid": "C-37830r617401_chk",
"checktext": "Verify the UEM server generates audit records when successful/unsuccessful attempts to modify privileges occur.\n\nIf the UEM server does not generate audit records when successful/unsuccessful attempts to modify privileges occur, this is a finding.",
"description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. \n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). \n\nSatisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 \nReference:PP-MDM-411065, PP-MDM-412000",
"fixid": "F-37795r615570_fix",
"fixtext": "Configure the UEM server to generate audit records when successful/unsuccessful attempts to modify privileges occur.",
"iacontrols": null,
"id": "V-234645",
"ruleID": "SV-234645r617401_rule",
"severity": "medium",
"title": "The UEM server must generate audit records when successful/unsuccessful attempts to modify privileges occur.",
"version": "SRG-APP-000495-UEM-000370"
},
"V-234646": {
"checkid": "C-37831r616013_chk",
"checktext": "Verify the UEM server generates audit records when successful/unsuccessful attempts to modify security objects occur.\n\nIf the UEM server does not generate audit records when successful/unsuccessful attempts to modify security objects occur, this is a finding.",
"description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. \n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). \n\nSatisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 \nReference:PP-MDM-411065, PP-MDM-412000",
"fixid": "F-37796r615573_fix",
"fixtext": "Configure the UEM server to generate audit records when successful/unsuccessful attempts to modify security objects occur.",
"iacontrols": null,
"id": "V-234646",
"ruleID": "SV-234646r617355_rule",
"severity": "medium",
"title": "The UEM server must generate audit records when successful/unsuccessful attempts to modify security objects occur.",
"version": "SRG-APP-000496-UEM-000371"
},
"V-234649": {
"checkid": "C-37834r615581_chk",
"checktext": "Verify the UEM server generates audit records when successful/unsuccessful attempts to delete privileges occur.\n\nIf the UEM server does not generate audit records when successful/unsuccessful attempts to delete privileges occur, this is a finding.",
"description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. \n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). \n\nSatisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 \nReference:PP-MDM-411065, PP-MDM-412000",
"fixid": "F-37799r615582_fix",
"fixtext": "Configure the UEM server to generate audit records when successful/unsuccessful attempts to delete privileges occur.",
"iacontrols": null,
"id": "V-234649",
"ruleID": "SV-234649r617355_rule",
"severity": "medium",
"title": "The UEM server must generate audit records when successful/unsuccessful attempts to delete privileges occur.",
"version": "SRG-APP-000499-UEM-000374"
},
"V-234651": {
"checkid": "C-37836r616015_chk",
"checktext": "Verify the UEM server generates audit records when successful/unsuccessful attempts to delete security objects occur.\n\nIf the UEM server does not generate audit records when successful/unsuccessful attempts to delete security objects occur, this is a finding.",
"description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. \n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). \n\nSatisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 \nReference:PP-MDM-411065, PP-MDM-412000",
"fixid": "F-37801r615588_fix",
"fixtext": "Configure the UEM server to generate audit records when successful/unsuccessful attempts to delete security objects occur.",
"iacontrols": null,
"id": "V-234651",
"ruleID": "SV-234651r617355_rule",
"severity": "medium",
"title": "The UEM server must generate audit records when successful/unsuccessful attempts to delete security objects occur.",
"version": "SRG-APP-000501-UEM-000376"
},
"V-234653": {
"checkid": "C-37838r615593_chk",
"checktext": "Verify the UEM server generates audit records when successful/unsuccessful logon attempts occur.\n\nIf the UEM server does not generate audit records when successful/unsuccessful logon attempts occur, this is a finding.",
"description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. \n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). \n\nSatisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 \nReference:PP-MDM-411065, PP-MDM-412000",
"fixid": "F-37803r615594_fix",
"fixtext": "Configure the UEM server to generate audit records when successful/unsuccessful logon attempts occur.",
"iacontrols": null,
"id": "V-234653",
"ruleID": "SV-234653r617355_rule",
"severity": "medium",
"title": "The UEM server must generate audit records when successful/unsuccessful logon attempts occur.",
"version": "SRG-APP-000503-UEM-000378"
},
"V-234654": {
"checkid": "C-37839r615596_chk",
"checktext": "Verify the UEM server generates audit records for privileged activities or other system-level access.\n\nIf the UEM server does not generate audit records for privileged activities or other system-level access, this is a finding.",
"description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. \n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). \n\nSatisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 \nReference:PP-MDM-411065, PP-MDM-412000",
"fixid": "F-37804r615597_fix",
"fixtext": "Configure the UEM server to generate audit records for privileged activities or other system-level access.",
"iacontrols": null,
"id": "V-234654",
"ruleID": "SV-234654r617355_rule",
"severity": "medium",
"title": "The UEM server must generate audit records for privileged activities or other system-level access.",
"version": "SRG-APP-000504-UEM-000379"
},
"V-234655": {
"checkid": "C-37840r615599_chk",
"checktext": "Verify the UEM server generates audit records showing starting and ending time for user access to the system.\n\nIf the UEM server does not generate audit records showing starting and ending time for user access to the system, this is a finding.",
"description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. \n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). \n\nSatisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 \nReference:PP-MDM-411065, PP-MDM-412000",
"fixid": "F-37805r615600_fix",
"fixtext": "Configure the UEM server to generate audit records showing starting and ending time for user access to the system.",
"iacontrols": null,
"id": "V-234655",
"ruleID": "SV-234655r617355_rule",
"severity": "medium",
"title": "The UEM server must generate audit records showing starting and ending time for user access to the system.",
"version": "SRG-APP-000505-UEM-000380"
},
"V-234656": {
"checkid": "C-37841r615602_chk",
"checktext": "Verify the UEM server generates audit records when concurrent logons from different workstations occur.\n\nIf the UEM server does not generate audit records when concurrent logons from different workstations occur, this is a finding.",
"description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. \n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). \n\nSatisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 \nReference:PP-MDM-411065, PP-MDM-412000",
"fixid": "F-37806r615603_fix",
"fixtext": "Configure the UEM server to generate audit records when concurrent logons from different workstations occur.",
"iacontrols": null,
"id": "V-234656",
"ruleID": "SV-234656r617355_rule",
"severity": "medium",
"title": "The UEM server must generate audit records when concurrent logons from different workstations occur.",
"version": "SRG-APP-000506-UEM-000381"
},
"V-234657": {
"checkid": "C-37842r615605_chk",
"checktext": "Verify the UEM server generates audit records when successful/unsuccessful accesses to objects occur.\n\nIf the UEM server does not generate audit records when successful/unsuccessful accesses to objects occur, this is a finding.",
"description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. \n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). \n\nSatisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 \nReference:PP-MDM-411065, PP-MDM-412000",
"fixid": "F-37807r615606_fix",
"fixtext": "Configure the UEM server to generate audit records when successful/unsuccessful accesses to objects occur.",
"iacontrols": null,
"id": "V-234657",
"ruleID": "SV-234657r617355_rule",
"severity": "medium",
"title": "The UEM server must generate audit records when successful/unsuccessful accesses to objects occur.",
"version": "SRG-APP-000507-UEM-000382"
},
"V-234658": {
"checkid": "C-37843r615608_chk",
"checktext": "Verify the UEM server generates audit records for all direct access to the information system.\n\nIf the UEM server does not generate audit records for all direct access to the information system, this is a finding.",
"description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. \n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). \n\nSatisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 \nReference:PP-MDM-411065, PP-MDM-412000",
"fixid": "F-37808r615609_fix",
"fixtext": "Configure the UEM server to generate audit records for all direct access to the information system.",
"iacontrols": null,
"id": "V-234658",
"ruleID": "SV-234658r617355_rule",
"severity": "medium",
"title": "The UEM server must generate audit records for all direct access to the information system.",
"version": "SRG-APP-000508-UEM-000383"
},
"V-234659": {
"checkid": "C-37844r616017_chk",
"checktext": "This requirement is Not Applicable when the UEM server is configured to use DoD Central Directory Service for administrator account authentication.\n\nVerify the UEM server generates audit records for all account creations, modifications, disabling, and termination events.\n\nIf the UEM server does not generate audit records for all account creations, modifications, disabling, and termination events, this is a finding.",
"description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. \n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). \n\nSatisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 \nReference:PP-MDM-411065, PP-MDM-412000",
"fixid": "F-37809r615612_fix",
"fixtext": "Configure the UEM server to generate audit records for all account creations, modifications, disabling, and termination events.",
"iacontrols": null,
"id": "V-234659",
"ruleID": "SV-234659r617355_rule",
"severity": "medium",
"title": "The UEM server must generate audit records for all account creations, modifications, disabling, and termination events.",
"version": "SRG-APP-000509-UEM-000384"
},
"V-234664": {
"checkid": "C-37849r615626_chk",
"checktext": "Verify the UEM server uses a FIPS-validated cryptographic module to generate cryptographic hashes.\n\nIf the UEM server does not use a FIPS-validated cryptographic module to generate cryptographic hashes, this is a finding.",
"description": "FIPS 140-2 precludes the use of unvalidated cryptography for the cryptographic protection of sensitive or valuable data within Federal systems. Unvalidated cryptography is viewed by NIST as providing no protection to the information or data. In effect, the data would be considered unprotected plaintext. If the agency specifies that the information or data be cryptographically protected, then FIPS 140-2 is applicable. In essence, if cryptography is required, it must be validated. Cryptographic modules that have been approved for classified use may be used in lieu of modules that have been validated against the FIPS 140-2 standard. \n\nThe cryptographic module used must have at least one validated hash algorithm. This validated hash algorithm must be used to generate cryptographic hashes for all cryptographic security functions within the product being evaluated. \n\nSatisfies:FCS_COP.1.1(2)",
"fixid": "F-37814r615627_fix",
"fixtext": "Configure the UEM server to use a FIPS-validated cryptographic module to generate cryptographic hashes.",
"iacontrols": null,
"id": "V-234664",
"ruleID": "SV-234664r617355_rule",
"severity": "high",
"title": "The UEM server must use a FIPS-validated cryptographic module to generate cryptographic hashes.",
"version": "SRG-APP-000514-UEM-000389"
},
"V-234665": {
"checkid": "C-37850r616019_chk",
"checktext": "Verify the UEM server, at a minimum, off-loads audit logs of interconnected systems in real time and off-loads standalone systems weekly.\n\nIf the UEM server does not off-load audit logs of interconnected systems in real time and off-load standalone systems weekly, this is a finding.",
"description": "Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n\nOff-loading is a common process in information systems with limited audit storage capacity. \n\nSatisfies:FMT_SMF.1.1(2) c.8, FAU_STG_EXT.1.1(1) \nReference:PP-MDM-411054",
"fixid": "F-37815r615630_fix",
"fixtext": "Configure the UEM server to, at a minimum, off-load audit logs of interconnected systems in real time and off-load standalone systems weekly.",
"iacontrols": null,
"id": "V-234665",
"ruleID": "SV-234665r617355_rule",
"severity": "medium",
"title": "The UEM server must, at a minimum, off-load audit logs of interconnected systems in real time and off-load standalone systems weekly.",
"version": "SRG-APP-000515-UEM-000390"
},
"V-234666": {
"checkid": "C-37851r616021_chk",
"checktext": "Verify the UEM server is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.\n\nIf the UEM server is not configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs, this is a finding.",
"description": "Configuring the application to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. \n\nConfiguration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the application, including the parameters required to satisfy other security control requirements.",
"fixid": "F-37816r615633_fix",
"fixtext": "Configure the UEM server in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.",
"iacontrols": null,
"id": "V-234666",
"ruleID": "SV-234666r617355_rule",
"severity": "medium",
"title": "The UEM server must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.",
"version": "SRG-APP-000516-UEM-000391"
},
"V-234667": {
"checkid": "C-37852r615635_chk",
"checktext": "Verify the UEM server allows authorized administrators to read all audit data from audit records on the server.\n\nIf the UEM server does not allow authorized administrators to read all audit data from audit records on the server, this is a finding.",
"description": "Successful incident response and auditing relies on timely, accurate system information and analysis in order to allow the organization to identify and respond to potential incidents in a proficient manner. If the application does not provide the ability to centrally review the application logs, forensic analysis is negatively impacted. \n\nSegregation of logging data to multiple disparate computer systems is counterproductive and makes log analysis and log event alarming difficult to implement and manage, particularly when the system or application has multiple logging components written to different locations or systems.\n\nAutomated mechanisms for centralized reviews and analyses include, for example, Security Information Management products. \n\nSatisfies:FAU_SAR.1.1 \nReference:PP-MDM-413000",
"fixid": "F-37817r615636_fix",
"fixtext": "Configure the UEM server to allow authorized administrators to read all audit data from audit records on the server.",
"iacontrols": null,
"id": "V-234667",
"ruleID": "SV-234667r617355_rule",
"severity": "medium",
"title": "The UEM server must be configured to allow authorized administrators to read all audit data from audit records on the server.",
"version": "SRG-APP-000516-UEM-000392"
},
"V-234668": {
"checkid": "C-37853r615638_chk",
"checktext": "Verify FIPS 140-2 mode has been implemented on the UEM server for all server and agent encryption.\n\nIf FIPS 140-2 mode has not been implemented on the UEM server for all server and agent encryption, this is a finding.",
"description": "Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. \n\nRemote access is access to DoD non-public information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network.\n\nA block cipher mode is an algorithm that features the use of a symmetric key block cipher algorithm to provide an information service, such as confidentiality or authentication.\n\nAES is the FIPS-validated cipher block cryptographic algorithm approved for use in DoD. For an algorithm implementation to be listed on a FIPS 140-2 cryptographic module validation certificate as an approved security function, the algorithm implementation must meet all the requirements of FIPS 140-2 and must successfully complete the cryptographic algorithm validation process. Currently, NIST has approved the following confidentiality modes to be used with approved block ciphers in a series of special publications: ECB, CBC, OFB, CFB, CTR, XTS-AES, FF1, FF3, CCM, GCM, KW, KWP, and TKW. \n\nSatisfies:FCS_COP.1.1(1), FTP_TRP.1.1(1) \nReference:PP-MDM-414001",
"fixid": "F-37818r615639_fix",
"fixtext": "Configure the UEM server to implement FIPS 140-2 mode for all server and agent encryption.",
"iacontrols": null,
"id": "V-234668",
"ruleID": "SV-234668r617355_rule",
"severity": "high",
"title": "The UEM server must be configured to implement FIPS 140-2 mode for all server and agent encryption.",
"version": "SRG-APP-000555-UEM-000393"
},
"V-234669": {
"checkid": "C-37854r615641_chk",
"checktext": "Verify the UEM server is configured to prohibit client negotiation to TLS 1.1, TLS 1.0, SSL 2.0, or SSL 3.0.\n\nIf the UEM server is not configured to prohibit client negotiation to TLS 1.1, TLS 1.0, SSL 2.0, or SSL 3.0, this is a finding.",
"description": "Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol.\n\nThis requirement applies to Transport Layer Security (TLS) gateways (also known as Secure Sockets Layer [SSL] gateways), web servers, and web applications. Application protocols such as HTTPS and DNSSEC use TLS as the underlying security protocol and thus are in scope for this requirement. NIST SP 800-52 provides guidance for client negotiation, either on DoD-only or on public-facing servers. \n\nSatisfies:FCS_TLSC_EXT.1.1 \nReference:PP-MDM-412061",
"fixid": "F-37819r615642_fix",
"fixtext": "Configure the UEM server to prohibit client negotiation to TLS 1.1, TLS 1.0, SSL 2.0, or SSL 3.0.",
"iacontrols": null,
"id": "V-234669",
"ruleID": "SV-234669r617355_rule",
"severity": "medium",
"title": "The UEM server must be configured to prohibit client negotiation to TLS 1.1, TLS 1.0, SSL 2.0, or SSL 3.0.",
"version": "SRG-APP-000560-UEM-000394"
},
"V-234673": {
"checkid": "C-37858r616025_chk",
"checktext": "Verify the UEM server authenticates endpoint devices (servers) before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based.\n\nIf the UEM server does not authenticate endpoint devices (servers) before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based, this is a finding.",
"description": "Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk, such as remote connections.\n\nThis requires device-to-device authentication. Information systems must use IEEE 802.1x, Extensible Authentication Protocol [EAP], Radius server with EAP-Transport Layer Security [TLS] authentication, or Kerberos to identify/authenticate devices on local and/or wide area networks. \n\nSatisfies:FMT_SMF.1.1(2) b, FTP_ITC.1.1(1), FTP_ITC.1.2(1), FTP_ITC.1.3(1) \nReference:PP-MDM-431009",
"fixid": "F-37823r615654_fix",
"fixtext": "Configure the UEM server to authenticate endpoint devices (servers) before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based.",
"iacontrols": null,
"id": "V-234673",
"ruleID": "SV-234673r617355_rule",
"severity": "medium",
"title": "The UEM server must authenticate endpoint devices (servers) before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based.",
"version": "SRG-APP-000580-UEM-000398"
},
"V-234674": {
"checkid": "C-37859r616027_chk",
"checktext": "Verify cipher suites that use pre-shared keys for device authentication have a minimum security strength of 112 bits or higher.\n\nIf cipher suites that use pre-shared keys for device authentication do not have a minimum security strength of 112 bits or higher, this is a finding.",
"description": "Pre-shared keys are symmetric keys that are already in place prior to the initiation of a Transport Layer Security (TLS) session (e.g., as the result of a manual distribution). In general, pre-shared keys should not be used. However, the use of pre-shared keys may be appropriate for some closed environments that have strong key management best practices. \n\nPre-shared keys may be appropriate for constrained environments with limited processing, memory, or power. If pre-shared keys are appropriate and supported, the following additional guidelines must be followed. Consult NIST SP 800-52 for recommended cipher suites for pre-shared keys. Pre-shared keys must be distributed in a secure manner, such as a secure manual distribution or using a key establishment certificate. These cipher suites employ a pre-shared key for device authentication (for both the server and the client) and may also use RSA or ephemeral Diffie-Hellman (DHE) algorithms for key establishment. \n\nBecause these cipher suites require pre-shared keys, these suites are not generally applicable to classic secure website applications and are not expected to be widely supported in TLS clients or TLS servers. NIST suggests that these suites be considered in particular for infrastructure applications, particularly if frequent authentication of the network entities is required. These cipher suites may be used with TLS versions 1.1 or 1.2. Note that cipher suites using GCM, SHA-256, or SHA-384 are only available in TLS 1.2.",
"fixid": "F-37824r615657_fix",
"fixtext": "If cipher suites using pre-shared keys are used for device authentication, configure the UEM server to have a minimum security strength of 112 bits or higher.",
"iacontrols": null,
"id": "V-234674",
"ruleID": "SV-234674r617355_rule",
"severity": "medium",
"title": "If cipher suites using pre-shared keys are used for device authentication, the UEM server must have a minimum security strength of 112 bits or higher.",
"version": "SRG-APP-000585-UEM-000399"
},
"V-234676": {
"checkid": "C-37861r616029_chk",
"checktext": "Verify the UEM server validates certificates used for TLS functions by performing RFC 5280-compliant certification path validation.\n\nIf the UEM server does not validate certificates used for TLS functions by performing RFC 5280-compliant certification path validation, this is a finding.",
"description": "A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to make an informed decision regarding acceptance of an end entity certificate. \n\nCertification path validation includes checks such as certificate issuer trust, time validity, and revocation status for each certificate in the certification path. Revocation status information for CA and subject certificates in a certification path is commonly provided via certificate revocation lists (CRLs) or online certificate status protocol (OCSP) responses. \n\nSatisfies:FIA_X509_EXT.1.1(1)",
"fixid": "F-37826r615663_fix",
"fixtext": "Configure the UEM server to validate certificates used for Transport Layer Security (TLS) functions by performing RFC 5280-compliant certification path validation.",
"iacontrols": null,
"id": "V-234676",
"ruleID": "SV-234676r617355_rule",
"severity": "medium",
"title": "The UEM server must validate certificates used for Transport Layer Security (TLS) functions by performing RFC 5280-compliant certification path validation.",
"version": "SRG-APP-000605-UEM-000401"
},
"V-234677": {
"checkid": "C-37862r616031_chk",
"checktext": "Verify the UEM server uses FIPS-validated SHA-256 or higher hash function for digital signature generation and verification.\n\nIf the UEM server does not use FIPS-validated SHA-256 or higher hash function for digital signature generation and verification, this is a finding.",
"description": "Without cryptographic integrity protections, information can be altered by unauthorized users without detection.\n\nNote: Although allowed by SP 800-131Ar1 for some applications, SHA-1 is considered a compromised hashing standard and is being phased out of use by industry and government standards. Unless required for legacy use, DoD systems should not be configured to use SHA-1 for integrity of remote access sessions. \n\nTo protect the integrity of the authenticator and authentication mechanism used for the cryptographic module used by the network device, the application, operating system, or protocol must be configured to use one of the following hash functions for hashing the password or other authenticator in accordance with SP 800-131Ar1: SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256, SHA3-224, SHA3-256, SHA3-384, and SHA3-512.\n\nFor digital signature verification, SP 800-131Ar1 allows SHA-1 for legacy use only. \n\nSatisfies:FCS_COP.1.1(4)",
"fixid": "F-37827r615666_fix",
"fixtext": "Configure the UEM server to use FIPS-validated SHA-256 or higher hash function for digital signature generation and verification.",
"iacontrols": null,
"id": "V-234677",
"ruleID": "SV-234677r617355_rule",
"severity": "high",
"title": "The application must use FIPS-validated SHA-256 or higher hash function for digital signature generation and verification.",
"version": "SRG-APP-000610-UEM-000402"
}
},
"profiles": {
"MAC-1_Classified": {
"description": "",
"findings": {
"V-234275": "true",
"V-234276": "true",
"V-234277": "true",
"V-234278": "true",
"V-234279": "true",
"V-234283": "true",
"V-234286": "true",
"V-234287": "true",
"V-234288": "true",
"V-234289": "true",
"V-234290": "true",
"V-234291": "true",
"V-234292": "true",
"V-234310": "true",
"V-234311": "true",
"V-234312": "true",
"V-234315": "true",
"V-234316": "true",
"V-234318": "true",
"V-234323": "true",
"V-234324": "true",
"V-234325": "true",
"V-234326": "true",
"V-234327": "true",
"V-234328": "true",
"V-234329": "true",
"V-234330": "true",
"V-234331": "true",
"V-234332": "true",
"V-234333": "true",
"V-234334": "true",
"V-234335": "true",
"V-234340": "true",
"V-234341": "true",
"V-234342": "true",
"V-234343": "true",
"V-234347": "true",
"V-234349": "true",
"V-234351": "true",
"V-234352": "true",
"V-234353": "true",
"V-234354": "true",
"V-234355": "true",
"V-234356": "true",
"V-234358": "true",
"V-234360": "true",
"V-234361": "true",
"V-234363": "true",
"V-234364": "true",
"V-234366": "true",
"V-234367": "true",
"V-234368": "true",
"V-234369": "true",
"V-234370": "true",
"V-234371": "true",
"V-234372": "true",
"V-234373": "true",
"V-234374": "true",
"V-234375": "true",
"V-234376": "true",
"V-234377": "true",
"V-234378": "true",
"V-234379": "true",
"V-234380": "true",
"V-234381": "true",
"V-234382": "true",
"V-234383": "true",
"V-234390": "true",
"V-234391": "true",
"V-234392": "true",
"V-234405": "true",
"V-234406": "true",
"V-234407": "true",
"V-234408": "true",
"V-234409": "true",
"V-234410": "true",
"V-234421": "true",
"V-234424": "true",
"V-234425": "true",
"V-234426": "true",
"V-234430": "true",
"V-234438": "true",
"V-234439": "true",
"V-234440": "true",
"V-234441": "true",
"V-234442": "true",
"V-234443": "true",
"V-234444": "true",
"V-234465": "true",
"V-234466": "true",
"V-234473": "true",
"V-234475": "true",
"V-234489": "true",
"V-234491": "true",
"V-234500": "true",
"V-234516": "true",
"V-234517": "true",
"V-234519": "true",
"V-234520": "true",
"V-234521": "true",
"V-234523": "true",
"V-234524": "true",
"V-234526": "true",
"V-234532": "true",
"V-234533": "true",
"V-234538": "true",
"V-234543": "true",
"V-234544": "true",
"V-234555": "true",
"V-234556": "true",
"V-234573": "true",
"V-234574": "true",
"V-234575": "true",
"V-234588": "true",
"V-234596": "true",
"V-234603": "true",
"V-234605": "true",
"V-234622": "true",
"V-234623": "true",
"V-234624": "true",
"V-234629": "true",
"V-234642": "true",
"V-234645": "true",
"V-234646": "true",
"V-234649": "true",
"V-234651": "true",
"V-234653": "true",
"V-234654": "true",
"V-234655": "true",
"V-234656": "true",
"V-234657": "true",
"V-234658": "true",
"V-234659": "true",
"V-234664": "true",
"V-234665": "true",
"V-234666": "true",
"V-234667": "true",
"V-234668": "true",
"V-234669": "true",
"V-234673": "true",
"V-234674": "true",
"V-234676": "true",
"V-234677": "true"
},
"id": "MAC-1_Classified",
"title": "I - Mission Critical Classified"
},
"MAC-1_Public": {
"description": "",
"findings": {
"V-234275": "true",
"V-234276": "true",
"V-234277": "true",
"V-234278": "true",
"V-234279": "true",
"V-234283": "true",
"V-234286": "true",
"V-234287": "true",
"V-234288": "true",
"V-234289": "true",
"V-234290": "true",
"V-234291": "true",
"V-234292": "true",
"V-234310": "true",
"V-234311": "true",
"V-234312": "true",
"V-234315": "true",
"V-234316": "true",
"V-234318": "true",
"V-234323": "true",
"V-234324": "true",
"V-234325": "true",
"V-234326": "true",
"V-234327": "true",
"V-234328": "true",
"V-234329": "true",
"V-234330": "true",
"V-234331": "true",
"V-234332": "true",
"V-234333": "true",
"V-234334": "true",
"V-234335": "true",
"V-234340": "true",
"V-234341": "true",
"V-234342": "true",
"V-234343": "true",
"V-234347": "true",
"V-234349": "true",
"V-234351": "true",
"V-234352": "true",
"V-234353": "true",
"V-234354": "true",
"V-234355": "true",
"V-234356": "true",
"V-234358": "true",
"V-234360": "true",
"V-234361": "true",
"V-234363": "true",
"V-234364": "true",
"V-234366": "true",
"V-234367": "true",
"V-234368": "true",
"V-234369": "true",
"V-234370": "true",
"V-234371": "true",
"V-234372": "true",
"V-234373": "true",
"V-234374": "true",
"V-234375": "true",
"V-234376": "true",
"V-234377": "true",
"V-234378": "true",
"V-234379": "true",
"V-234380": "true",
"V-234381": "true",
"V-234382": "true",
"V-234383": "true",
"V-234390": "true",
"V-234391": "true",
"V-234392": "true",
"V-234405": "true",
"V-234406": "true",
"V-234407": "true",
"V-234408": "true",
"V-234409": "true",
"V-234410": "true",
"V-234421": "true",
"V-234424": "true",
"V-234425": "true",
"V-234426": "true",
"V-234430": "true",
"V-234438": "true",
"V-234439": "true",
"V-234440": "true",
"V-234441": "true",
"V-234442": "true",
"V-234443": "true",
"V-234444": "true",
"V-234465": "true",
"V-234466": "true",
"V-234473": "true",
"V-234475": "true",
"V-234489": "true",
"V-234491": "true",
"V-234500": "true",
"V-234516": "true",
"V-234517": "true",
"V-234519": "true",
"V-234520": "true",
"V-234521": "true",
"V-234523": "true",
"V-234524": "true",
"V-234526": "true",
"V-234532": "true",
"V-234533": "true",
"V-234538": "true",
"V-234543": "true",
"V-234544": "true",
"V-234555": "true",
"V-234556": "true",
"V-234573": "true",
"V-234574": "true",
"V-234575": "true",
"V-234588": "true",
"V-234596": "true",
"V-234603": "true",
"V-234605": "true",
"V-234622": "true",
"V-234623": "true",
"V-234624": "true",
"V-234629": "true",
"V-234642": "true",
"V-234645": "true",
"V-234646": "true",
"V-234649": "true",
"V-234651": "true",
"V-234653": "true",
"V-234654": "true",
"V-234655": "true",
"V-234656": "true",
"V-234657": "true",
"V-234658": "true",
"V-234659": "true",
"V-234664": "true",
"V-234665": "true",
"V-234666": "true",
"V-234667": "true",
"V-234668": "true",
"V-234669": "true",
"V-234673": "true",
"V-234674": "true",
"V-234676": "true",
"V-234677": "true"
},
"id": "MAC-1_Public",
"title": "I - Mission Critical Public"
},
"MAC-1_Sensitive": {
"description": "",
"findings": {
"V-234275": "true",
"V-234276": "true",
"V-234277": "true",
"V-234278": "true",
"V-234279": "true",
"V-234283": "true",
"V-234286": "true",
"V-234287": "true",
"V-234288": "true",
"V-234289": "true",
"V-234290": "true",
"V-234291": "true",
"V-234292": "true",
"V-234310": "true",
"V-234311": "true",
"V-234312": "true",
"V-234315": "true",
"V-234316": "true",
"V-234318": "true",
"V-234323": "true",
"V-234324": "true",
"V-234325": "true",
"V-234326": "true",
"V-234327": "true",
"V-234328": "true",
"V-234329": "true",
"V-234330": "true",
"V-234331": "true",
"V-234332": "true",
"V-234333": "true",
"V-234334": "true",
"V-234335": "true",
"V-234340": "true",
"V-234341": "true",
"V-234342": "true",
"V-234343": "true",
"V-234347": "true",
"V-234349": "true",
"V-234351": "true",
"V-234352": "true",
"V-234353": "true",
"V-234354": "true",
"V-234355": "true",
"V-234356": "true",
"V-234358": "true",
"V-234360": "true",
"V-234361": "true",
"V-234363": "true",
"V-234364": "true",
"V-234366": "true",
"V-234367": "true",
"V-234368": "true",
"V-234369": "true",
"V-234370": "true",
"V-234371": "true",
"V-234372": "true",
"V-234373": "true",
"V-234374": "true",
"V-234375": "true",
"V-234376": "true",
"V-234377": "true",
"V-234378": "true",
"V-234379": "true",
"V-234380": "true",
"V-234381": "true",
"V-234382": "true",
"V-234383": "true",
"V-234390": "true",
"V-234391": "true",
"V-234392": "true",
"V-234405": "true",
"V-234406": "true",
"V-234407": "true",
"V-234408": "true",
"V-234409": "true",
"V-234410": "true",
"V-234421": "true",
"V-234424": "true",
"V-234425": "true",
"V-234426": "true",
"V-234430": "true",
"V-234438": "true",
"V-234439": "true",
"V-234440": "true",
"V-234441": "true",
"V-234442": "true",
"V-234443": "true",
"V-234444": "true",
"V-234465": "true",
"V-234466": "true",
"V-234473": "true",
"V-234475": "true",
"V-234489": "true",
"V-234491": "true",
"V-234500": "true",
"V-234516": "true",
"V-234517": "true",
"V-234519": "true",
"V-234520": "true",
"V-234521": "true",
"V-234523": "true",
"V-234524": "true",
"V-234526": "true",
"V-234532": "true",
"V-234533": "true",
"V-234538": "true",
"V-234543": "true",
"V-234544": "true",
"V-234555": "true",
"V-234556": "true",
"V-234573": "true",
"V-234574": "true",
"V-234575": "true",
"V-234588": "true",
"V-234596": "true",
"V-234603": "true",
"V-234605": "true",
"V-234622": "true",
"V-234623": "true",
"V-234624": "true",
"V-234629": "true",
"V-234642": "true",
"V-234645": "true",
"V-234646": "true",
"V-234649": "true",
"V-234651": "true",
"V-234653": "true",
"V-234654": "true",
"V-234655": "true",
"V-234656": "true",
"V-234657": "true",
"V-234658": "true",
"V-234659": "true",
"V-234664": "true",
"V-234665": "true",
"V-234666": "true",
"V-234667": "true",
"V-234668": "true",
"V-234669": "true",
"V-234673": "true",
"V-234674": "true",
"V-234676": "true",
"V-234677": "true"
},
"id": "MAC-1_Sensitive",
"title": "I - Mission Critical Sensitive"
},
"MAC-2_Classified": {
"description": "",
"findings": {
"V-234275": "true",
"V-234276": "true",
"V-234277": "true",
"V-234278": "true",
"V-234279": "true",
"V-234283": "true",
"V-234286": "true",
"V-234287": "true",
"V-234288": "true",
"V-234289": "true",
"V-234290": "true",
"V-234291": "true",
"V-234292": "true",
"V-234310": "true",
"V-234311": "true",
"V-234312": "true",
"V-234315": "true",
"V-234316": "true",
"V-234318": "true",
"V-234323": "true",
"V-234324": "true",
"V-234325": "true",
"V-234326": "true",
"V-234327": "true",
"V-234328": "true",
"V-234329": "true",
"V-234330": "true",
"V-234331": "true",
"V-234332": "true",
"V-234333": "true",
"V-234334": "true",
"V-234335": "true",
"V-234340": "true",
"V-234341": "true",
"V-234342": "true",
"V-234343": "true",
"V-234347": "true",
"V-234349": "true",
"V-234351": "true",
"V-234352": "true",
"V-234353": "true",
"V-234354": "true",
"V-234355": "true",
"V-234356": "true",
"V-234358": "true",
"V-234360": "true",
"V-234361": "true",
"V-234363": "true",
"V-234364": "true",
"V-234366": "true",
"V-234367": "true",
"V-234368": "true",
"V-234369": "true",
"V-234370": "true",
"V-234371": "true",
"V-234372": "true",
"V-234373": "true",
"V-234374": "true",
"V-234375": "true",
"V-234376": "true",
"V-234377": "true",
"V-234378": "true",
"V-234379": "true",
"V-234380": "true",
"V-234381": "true",
"V-234382": "true",
"V-234383": "true",
"V-234390": "true",
"V-234391": "true",
"V-234392": "true",
"V-234405": "true",
"V-234406": "true",
"V-234407": "true",
"V-234408": "true",
"V-234409": "true",
"V-234410": "true",
"V-234421": "true",
"V-234424": "true",
"V-234425": "true",
"V-234426": "true",
"V-234430": "true",
"V-234438": "true",
"V-234439": "true",
"V-234440": "true",
"V-234441": "true",
"V-234442": "true",
"V-234443": "true",
"V-234444": "true",
"V-234465": "true",
"V-234466": "true",
"V-234473": "true",
"V-234475": "true",
"V-234489": "true",
"V-234491": "true",
"V-234500": "true",
"V-234516": "true",
"V-234517": "true",
"V-234519": "true",
"V-234520": "true",
"V-234521": "true",
"V-234523": "true",
"V-234524": "true",
"V-234526": "true",
"V-234532": "true",
"V-234533": "true",
"V-234538": "true",
"V-234543": "true",
"V-234544": "true",
"V-234555": "true",
"V-234556": "true",
"V-234573": "true",
"V-234574": "true",
"V-234575": "true",
"V-234588": "true",
"V-234596": "true",
"V-234603": "true",
"V-234605": "true",
"V-234622": "true",
"V-234623": "true",
"V-234624": "true",
"V-234629": "true",
"V-234642": "true",
"V-234645": "true",
"V-234646": "true",
"V-234649": "true",
"V-234651": "true",
"V-234653": "true",
"V-234654": "true",
"V-234655": "true",
"V-234656": "true",
"V-234657": "true",
"V-234658": "true",
"V-234659": "true",
"V-234664": "true",
"V-234665": "true",
"V-234666": "true",
"V-234667": "true",
"V-234668": "true",
"V-234669": "true",
"V-234673": "true",
"V-234674": "true",
"V-234676": "true",
"V-234677": "true"
},
"id": "MAC-2_Classified",
"title": "II - Mission Support Classified"
},
"MAC-2_Public": {
"description": "",
"findings": {
"V-234275": "true",
"V-234276": "true",
"V-234277": "true",
"V-234278": "true",
"V-234279": "true",
"V-234283": "true",
"V-234286": "true",
"V-234287": "true",
"V-234288": "true",
"V-234289": "true",
"V-234290": "true",
"V-234291": "true",
"V-234292": "true",
"V-234310": "true",
"V-234311": "true",
"V-234312": "true",
"V-234315": "true",
"V-234316": "true",
"V-234318": "true",
"V-234323": "true",
"V-234324": "true",
"V-234325": "true",
"V-234326": "true",
"V-234327": "true",
"V-234328": "true",
"V-234329": "true",
"V-234330": "true",
"V-234331": "true",
"V-234332": "true",
"V-234333": "true",
"V-234334": "true",
"V-234335": "true",
"V-234340": "true",
"V-234341": "true",
"V-234342": "true",
"V-234343": "true",
"V-234347": "true",
"V-234349": "true",
"V-234351": "true",
"V-234352": "true",
"V-234353": "true",
"V-234354": "true",
"V-234355": "true",
"V-234356": "true",
"V-234358": "true",
"V-234360": "true",
"V-234361": "true",
"V-234363": "true",
"V-234364": "true",
"V-234366": "true",
"V-234367": "true",
"V-234368": "true",
"V-234369": "true",
"V-234370": "true",
"V-234371": "true",
"V-234372": "true",
"V-234373": "true",
"V-234374": "true",
"V-234375": "true",
"V-234376": "true",
"V-234377": "true",
"V-234378": "true",
"V-234379": "true",
"V-234380": "true",
"V-234381": "true",
"V-234382": "true",
"V-234383": "true",
"V-234390": "true",
"V-234391": "true",
"V-234392": "true",
"V-234405": "true",
"V-234406": "true",
"V-234407": "true",
"V-234408": "true",
"V-234409": "true",
"V-234410": "true",
"V-234421": "true",
"V-234424": "true",
"V-234425": "true",
"V-234426": "true",
"V-234430": "true",
"V-234438": "true",
"V-234439": "true",
"V-234440": "true",
"V-234441": "true",
"V-234442": "true",
"V-234443": "true",
"V-234444": "true",
"V-234465": "true",
"V-234466": "true",
"V-234473": "true",
"V-234475": "true",
"V-234489": "true",
"V-234491": "true",
"V-234500": "true",
"V-234516": "true",
"V-234517": "true",
"V-234519": "true",
"V-234520": "true",
"V-234521": "true",
"V-234523": "true",
"V-234524": "true",
"V-234526": "true",
"V-234532": "true",
"V-234533": "true",
"V-234538": "true",
"V-234543": "true",
"V-234544": "true",
"V-234555": "true",
"V-234556": "true",
"V-234573": "true",
"V-234574": "true",
"V-234575": "true",
"V-234588": "true",
"V-234596": "true",
"V-234603": "true",
"V-234605": "true",
"V-234622": "true",
"V-234623": "true",
"V-234624": "true",
"V-234629": "true",
"V-234642": "true",
"V-234645": "true",
"V-234646": "true",
"V-234649": "true",
"V-234651": "true",
"V-234653": "true",
"V-234654": "true",
"V-234655": "true",
"V-234656": "true",
"V-234657": "true",
"V-234658": "true",
"V-234659": "true",
"V-234664": "true",
"V-234665": "true",
"V-234666": "true",
"V-234667": "true",
"V-234668": "true",
"V-234669": "true",
"V-234673": "true",
"V-234674": "true",
"V-234676": "true",
"V-234677": "true"
},
"id": "MAC-2_Public",
"title": "II - Mission Support Public"
},
"MAC-2_Sensitive": {
"description": "",
"findings": {
"V-234275": "true",
"V-234276": "true",
"V-234277": "true",
"V-234278": "true",
"V-234279": "true",
"V-234283": "true",
"V-234286": "true",
"V-234287": "true",
"V-234288": "true",
"V-234289": "true",
"V-234290": "true",
"V-234291": "true",
"V-234292": "true",
"V-234310": "true",
"V-234311": "true",
"V-234312": "true",
"V-234315": "true",
"V-234316": "true",
"V-234318": "true",
"V-234323": "true",
"V-234324": "true",
"V-234325": "true",
"V-234326": "true",
"V-234327": "true",
"V-234328": "true",
"V-234329": "true",
"V-234330": "true",
"V-234331": "true",
"V-234332": "true",
"V-234333": "true",
"V-234334": "true",
"V-234335": "true",
"V-234340": "true",
"V-234341": "true",
"V-234342": "true",
"V-234343": "true",
"V-234347": "true",
"V-234349": "true",
"V-234351": "true",
"V-234352": "true",
"V-234353": "true",
"V-234354": "true",
"V-234355": "true",
"V-234356": "true",
"V-234358": "true",
"V-234360": "true",
"V-234361": "true",
"V-234363": "true",
"V-234364": "true",
"V-234366": "true",
"V-234367": "true",
"V-234368": "true",
"V-234369": "true",
"V-234370": "true",
"V-234371": "true",
"V-234372": "true",
"V-234373": "true",
"V-234374": "true",
"V-234375": "true",
"V-234376": "true",
"V-234377": "true",
"V-234378": "true",
"V-234379": "true",
"V-234380": "true",
"V-234381": "true",
"V-234382": "true",
"V-234383": "true",
"V-234390": "true",
"V-234391": "true",
"V-234392": "true",
"V-234405": "true",
"V-234406": "true",
"V-234407": "true",
"V-234408": "true",
"V-234409": "true",
"V-234410": "true",
"V-234421": "true",
"V-234424": "true",
"V-234425": "true",
"V-234426": "true",
"V-234430": "true",
"V-234438": "true",
"V-234439": "true",
"V-234440": "true",
"V-234441": "true",
"V-234442": "true",
"V-234443": "true",
"V-234444": "true",
"V-234465": "true",
"V-234466": "true",
"V-234473": "true",
"V-234475": "true",
"V-234489": "true",
"V-234491": "true",
"V-234500": "true",
"V-234516": "true",
"V-234517": "true",
"V-234519": "true",
"V-234520": "true",
"V-234521": "true",
"V-234523": "true",
"V-234524": "true",
"V-234526": "true",
"V-234532": "true",
"V-234533": "true",
"V-234538": "true",
"V-234543": "true",
"V-234544": "true",
"V-234555": "true",
"V-234556": "true",
"V-234573": "true",
"V-234574": "true",
"V-234575": "true",
"V-234588": "true",
"V-234596": "true",
"V-234603": "true",
"V-234605": "true",
"V-234622": "true",
"V-234623": "true",
"V-234624": "true",
"V-234629": "true",
"V-234642": "true",
"V-234645": "true",
"V-234646": "true",
"V-234649": "true",
"V-234651": "true",
"V-234653": "true",
"V-234654": "true",
"V-234655": "true",
"V-234656": "true",
"V-234657": "true",
"V-234658": "true",
"V-234659": "true",
"V-234664": "true",
"V-234665": "true",
"V-234666": "true",
"V-234667": "true",
"V-234668": "true",
"V-234669": "true",
"V-234673": "true",
"V-234674": "true",
"V-234676": "true",
"V-234677": "true"
},
"id": "MAC-2_Sensitive",
"title": "II - Mission Support Sensitive"
},
"MAC-3_Classified": {
"description": "",
"findings": {
"V-234275": "true",
"V-234276": "true",
"V-234277": "true",
"V-234278": "true",
"V-234279": "true",
"V-234283": "true",
"V-234286": "true",
"V-234287": "true",
"V-234288": "true",
"V-234289": "true",
"V-234290": "true",
"V-234291": "true",
"V-234292": "true",
"V-234310": "true",
"V-234311": "true",
"V-234312": "true",
"V-234315": "true",
"V-234316": "true",
"V-234318": "true",
"V-234323": "true",
"V-234324": "true",
"V-234325": "true",
"V-234326": "true",
"V-234327": "true",
"V-234328": "true",
"V-234329": "true",
"V-234330": "true",
"V-234331": "true",
"V-234332": "true",
"V-234333": "true",
"V-234334": "true",
"V-234335": "true",
"V-234340": "true",
"V-234341": "true",
"V-234342": "true",
"V-234343": "true",
"V-234347": "true",
"V-234349": "true",
"V-234351": "true",
"V-234352": "true",
"V-234353": "true",
"V-234354": "true",
"V-234355": "true",
"V-234356": "true",
"V-234358": "true",
"V-234360": "true",
"V-234361": "true",
"V-234363": "true",
"V-234364": "true",
"V-234366": "true",
"V-234367": "true",
"V-234368": "true",
"V-234369": "true",
"V-234370": "true",
"V-234371": "true",
"V-234372": "true",
"V-234373": "true",
"V-234374": "true",
"V-234375": "true",
"V-234376": "true",
"V-234377": "true",
"V-234378": "true",
"V-234379": "true",
"V-234380": "true",
"V-234381": "true",
"V-234382": "true",
"V-234383": "true",
"V-234390": "true",
"V-234391": "true",
"V-234392": "true",
"V-234405": "true",
"V-234406": "true",
"V-234407": "true",
"V-234408": "true",
"V-234409": "true",
"V-234410": "true",
"V-234421": "true",
"V-234424": "true",
"V-234425": "true",
"V-234426": "true",
"V-234430": "true",
"V-234438": "true",
"V-234439": "true",
"V-234440": "true",
"V-234441": "true",
"V-234442": "true",
"V-234443": "true",
"V-234444": "true",
"V-234465": "true",
"V-234466": "true",
"V-234473": "true",
"V-234475": "true",
"V-234489": "true",
"V-234491": "true",
"V-234500": "true",
"V-234516": "true",
"V-234517": "true",
"V-234519": "true",
"V-234520": "true",
"V-234521": "true",
"V-234523": "true",
"V-234524": "true",
"V-234526": "true",
"V-234532": "true",
"V-234533": "true",
"V-234538": "true",
"V-234543": "true",
"V-234544": "true",
"V-234555": "true",
"V-234556": "true",
"V-234573": "true",
"V-234574": "true",
"V-234575": "true",
"V-234588": "true",
"V-234596": "true",
"V-234603": "true",
"V-234605": "true",
"V-234622": "true",
"V-234623": "true",
"V-234624": "true",
"V-234629": "true",
"V-234642": "true",
"V-234645": "true",
"V-234646": "true",
"V-234649": "true",
"V-234651": "true",
"V-234653": "true",
"V-234654": "true",
"V-234655": "true",
"V-234656": "true",
"V-234657": "true",
"V-234658": "true",
"V-234659": "true",
"V-234664": "true",
"V-234665": "true",
"V-234666": "true",
"V-234667": "true",
"V-234668": "true",
"V-234669": "true",
"V-234673": "true",
"V-234674": "true",
"V-234676": "true",
"V-234677": "true"
},
"id": "MAC-3_Classified",
"title": "III - Administrative Classified"
},
"MAC-3_Public": {
"description": "",
"findings": {
"V-234275": "true",
"V-234276": "true",
"V-234277": "true",
"V-234278": "true",
"V-234279": "true",
"V-234283": "true",
"V-234286": "true",
"V-234287": "true",
"V-234288": "true",
"V-234289": "true",
"V-234290": "true",
"V-234291": "true",
"V-234292": "true",
"V-234310": "true",
"V-234311": "true",
"V-234312": "true",
"V-234315": "true",
"V-234316": "true",
"V-234318": "true",
"V-234323": "true",
"V-234324": "true",
"V-234325": "true",
"V-234326": "true",
"V-234327": "true",
"V-234328": "true",
"V-234329": "true",
"V-234330": "true",
"V-234331": "true",
"V-234332": "true",
"V-234333": "true",
"V-234334": "true",
"V-234335": "true",
"V-234340": "true",
"V-234341": "true",
"V-234342": "true",
"V-234343": "true",
"V-234347": "true",
"V-234349": "true",
"V-234351": "true",
"V-234352": "true",
"V-234353": "true",
"V-234354": "true",
"V-234355": "true",
"V-234356": "true",
"V-234358": "true",
"V-234360": "true",
"V-234361": "true",
"V-234363": "true",
"V-234364": "true",
"V-234366": "true",
"V-234367": "true",
"V-234368": "true",
"V-234369": "true",
"V-234370": "true",
"V-234371": "true",
"V-234372": "true",
"V-234373": "true",
"V-234374": "true",
"V-234375": "true",
"V-234376": "true",
"V-234377": "true",
"V-234378": "true",
"V-234379": "true",
"V-234380": "true",
"V-234381": "true",
"V-234382": "true",
"V-234383": "true",
"V-234390": "true",
"V-234391": "true",
"V-234392": "true",
"V-234405": "true",
"V-234406": "true",
"V-234407": "true",
"V-234408": "true",
"V-234409": "true",
"V-234410": "true",
"V-234421": "true",
"V-234424": "true",
"V-234425": "true",
"V-234426": "true",
"V-234430": "true",
"V-234438": "true",
"V-234439": "true",
"V-234440": "true",
"V-234441": "true",
"V-234442": "true",
"V-234443": "true",
"V-234444": "true",
"V-234465": "true",
"V-234466": "true",
"V-234473": "true",
"V-234475": "true",
"V-234489": "true",
"V-234491": "true",
"V-234500": "true",
"V-234516": "true",
"V-234517": "true",
"V-234519": "true",
"V-234520": "true",
"V-234521": "true",
"V-234523": "true",
"V-234524": "true",
"V-234526": "true",
"V-234532": "true",
"V-234533": "true",
"V-234538": "true",
"V-234543": "true",
"V-234544": "true",
"V-234555": "true",
"V-234556": "true",
"V-234573": "true",
"V-234574": "true",
"V-234575": "true",
"V-234588": "true",
"V-234596": "true",
"V-234603": "true",
"V-234605": "true",
"V-234622": "true",
"V-234623": "true",
"V-234624": "true",
"V-234629": "true",
"V-234642": "true",
"V-234645": "true",
"V-234646": "true",
"V-234649": "true",
"V-234651": "true",
"V-234653": "true",
"V-234654": "true",
"V-234655": "true",
"V-234656": "true",
"V-234657": "true",
"V-234658": "true",
"V-234659": "true",
"V-234664": "true",
"V-234665": "true",
"V-234666": "true",
"V-234667": "true",
"V-234668": "true",
"V-234669": "true",
"V-234673": "true",
"V-234674": "true",
"V-234676": "true",
"V-234677": "true"
},
"id": "MAC-3_Public",
"title": "III - Administrative Public"
},
"MAC-3_Sensitive": {
"description": "",
"findings": {
"V-234275": "true",
"V-234276": "true",
"V-234277": "true",
"V-234278": "true",
"V-234279": "true",
"V-234283": "true",
"V-234286": "true",
"V-234287": "true",
"V-234288": "true",
"V-234289": "true",
"V-234290": "true",
"V-234291": "true",
"V-234292": "true",
"V-234310": "true",
"V-234311": "true",
"V-234312": "true",
"V-234315": "true",
"V-234316": "true",
"V-234318": "true",
"V-234323": "true",
"V-234324": "true",
"V-234325": "true",
"V-234326": "true",
"V-234327": "true",
"V-234328": "true",
"V-234329": "true",
"V-234330": "true",
"V-234331": "true",
"V-234332": "true",
"V-234333": "true",
"V-234334": "true",
"V-234335": "true",
"V-234340": "true",
"V-234341": "true",
"V-234342": "true",
"V-234343": "true",
"V-234347": "true",
"V-234349": "true",
"V-234351": "true",
"V-234352": "true",
"V-234353": "true",
"V-234354": "true",
"V-234355": "true",
"V-234356": "true",
"V-234358": "true",
"V-234360": "true",
"V-234361": "true",
"V-234363": "true",
"V-234364": "true",
"V-234366": "true",
"V-234367": "true",
"V-234368": "true",
"V-234369": "true",
"V-234370": "true",
"V-234371": "true",
"V-234372": "true",
"V-234373": "true",
"V-234374": "true",
"V-234375": "true",
"V-234376": "true",
"V-234377": "true",
"V-234378": "true",
"V-234379": "true",
"V-234380": "true",
"V-234381": "true",
"V-234382": "true",
"V-234383": "true",
"V-234390": "true",
"V-234391": "true",
"V-234392": "true",
"V-234405": "true",
"V-234406": "true",
"V-234407": "true",
"V-234408": "true",
"V-234409": "true",
"V-234410": "true",
"V-234421": "true",
"V-234424": "true",
"V-234425": "true",
"V-234426": "true",
"V-234430": "true",
"V-234438": "true",
"V-234439": "true",
"V-234440": "true",
"V-234441": "true",
"V-234442": "true",
"V-234443": "true",
"V-234444": "true",
"V-234465": "true",
"V-234466": "true",
"V-234473": "true",
"V-234475": "true",
"V-234489": "true",
"V-234491": "true",
"V-234500": "true",
"V-234516": "true",
"V-234517": "true",
"V-234519": "true",
"V-234520": "true",
"V-234521": "true",
"V-234523": "true",
"V-234524": "true",
"V-234526": "true",
"V-234532": "true",
"V-234533": "true",
"V-234538": "true",
"V-234543": "true",
"V-234544": "true",
"V-234555": "true",
"V-234556": "true",
"V-234573": "true",
"V-234574": "true",
"V-234575": "true",
"V-234588": "true",
"V-234596": "true",
"V-234603": "true",
"V-234605": "true",
"V-234622": "true",
"V-234623": "true",
"V-234624": "true",
"V-234629": "true",
"V-234642": "true",
"V-234645": "true",
"V-234646": "true",
"V-234649": "true",
"V-234651": "true",
"V-234653": "true",
"V-234654": "true",
"V-234655": "true",
"V-234656": "true",
"V-234657": "true",
"V-234658": "true",
"V-234659": "true",
"V-234664": "true",
"V-234665": "true",
"V-234666": "true",
"V-234667": "true",
"V-234668": "true",
"V-234669": "true",
"V-234673": "true",
"V-234674": "true",
"V-234676": "true",
"V-234677": "true"
},
"id": "MAC-3_Sensitive",
"title": "III - Administrative Sensitive"
}
},
"slug": "unified_endpoint_management_server_security_requirements_guide",
"title": "Unified Endpoint Management Server Security Requirements Guide",
"version": "1"
}
}