V-258450 | High | The version of vRealize Automation application running on the system must be a supported version. | Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations... |
V-239845 | High | vRA must enable FIPS Mode. | Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and... |
V-239849 | Medium | The application server must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions. | Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DoD systems or by organizations with insufficient... |
V-239848 | Medium | The vRealize Automation security file must be restricted to the vcac user. | Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges.
The... |
V-239846 | Medium | The vRealize Automation application must be configured to a 15 minute of less session timeout. | If communications sessions remain open for extended periods of time even when unused, there is the potential for an adversary to hijack the session and use it to gain access to the device or... |
V-239847 | Medium | The vRealize Automation server must be configured to perform complete application deployments. | Failure to a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system.
When an... |
V-239851 | Medium | The vRealize Automation appliance must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. | Configuring the vRealize Automation application to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a... |
V-239850 | Medium | The application server must use DoD- or CNSS-approved PKI Class 3 or Class 4 certificates. | Class 3 PKI certificates are used for servers and software signing rather than for identifying individuals. Class 4 certificates are used for business-to-business transactions. Utilizing... |