{
"stig": {
"date": "2016-06-27",
"description": "This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.",
"findings": {
"V-69137": {
"checkid": "C-69575r1_chk",
"checktext": "Verify the rules necessary to enforce approved authorizations for logical access to information and system resources by employing identity-based, role-based, and/or attribute-based security policies are configured, enabled and the respective \"Applied to\" category is configured if appropriate.\n\nLog into vSphere Web Client with credentials authorized for administration, navigate to Networking and Security >> Firewall >> Configuration tab >> General.\nExpand rule sections as necessary to view rules.\n\nIf there are no rules configured to enforce authorizations, this is a finding.",
"description": "Successful authentication must not automatically give an entity access to an asset or security boundary. The lack of authorization-based access control could result in the immediate compromise and unauthorized access to sensitive information. All DoD systems must be properly configured to incorporate access control methods that do not rely solely on authentication for authorized access.\n \nAuthorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization.\n \nAccess control policies include identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include access control lists, access control matrices, and cryptography. ALGs must use these policies and mechanisms to control access on behalf of the application for which it is acting as intermediary.",
"fixid": "F-75323r1_fix",
"fixtext": "Log into vSphere Web Client with credentials authorized for administration.\n\nRemediate this finding by navigating to the Networking and Security >> Firewall tab on the left side menu >> Configuration tab >> General \n\nConfigure the rules necessary to enforce approved authorizations for logical access to information and system resources by employing identity-based, role-based, and/or attribute-based security policies \n\nEnsure the rules have been enabled, and configure the respective \"Applied to\" category if appropriate.",
"iacontrols": null,
"id": "V-69137",
"ruleID": "SV-83741r1_rule",
"severity": "medium",
"title": "The NSX Distributed Firewall must enforce approved authorizations for logical access to information and system resources by employing identity-based, role-based, and/or attribute-based security policies.",
"version": "VNSX-FW-000001"
},
"V-69139": {
"checkid": "C-69577r1_chk",
"checktext": "Verify the rules necessary to enforce approved authorizations for logical access to information and system resources by employing identity-based, role-based, and/or attribute-based security policies are configured, enabled and the respective \"Applied to\" category is configured if appropriate.\n\nLog into vSphere Web Client with credentials authorized for administration, navigate to Networking and Security >> Firewall >> Configuration tab >> General.\nExpand rule sections as necessary to view rules.\n\nIf there are no rules configured to enforce authorizations, this is a finding.",
"description": "Information flow control regulates where information is allowed to travel within a network. The flow of all network traffic must be monitored and controlled so it does not introduce any unacceptable risk to the network infrastructure or data.\n \nInformation flow control policies and enforcement mechanisms are commonly employed by organizations to control the flow of information between designated sources and destinations (e.g., networks, individuals, devices) within information systems. Examples of information flow control restrictions include keeping export controlled information from being transmitted in the clear to the Internet or blocking information marked as classified but is being transported to an unapproved destination.\n \nALGs enforce approved authorizations by employing security policy and/or rules that restrict information system services, provide packet filtering capability based on header or protocol information and/or message filtering capability based on data content (e.g., implementing key word searches or using document characteristics).",
"fixid": "F-75325r1_fix",
"fixtext": "Log into vSphere Web Client with credentials authorized for administration.\n\nRemediate this finding by navigating to the Networking and Security >> Firewall tab on the left side menu >> Configuration tab >> General \n\nConfigure the rules necessary to enforce approved authorizations for logical access to information and system resources by employing identity-based, role-based, and/or attribute-based security policies \n\nEnsure the rules have been enabled, and configure the respective \"Applied to\" category if appropriate.",
"iacontrols": null,
"id": "V-69139",
"ruleID": "SV-83743r1_rule",
"severity": "medium",
"title": "The NSX Distributed Firewall must enforce approved authorizations for controlling the flow of information within the network based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.",
"version": "VNSX-FW-000002"
},
"V-69141": {
"checkid": "C-69579r1_chk",
"checktext": "Verify the rules necessary to enforce approved authorizations for logical access to information and system resources by employing identity-based, role-based, and/or attribute-based security policies are configured, enabled and the respective \"Applied to\" category is configured if appropriate.\n\nLog into vSphere Web Client with credentials authorized for administration, navigate to Networking and Security >> Firewall >> Configuration tab >> General. \n\nExpand rule sections as necessary to view rules.\n\nIf there are no rules configured to enforce authorizations, this is a finding.",
"description": "Information flow control regulates where information is allowed to travel within a network and between interconnected networks. Blocking or restricting detected harmful or suspicious communications between interconnected networks enforces approved authorizations for controlling the flow of traffic.\n \nThis requirement applies to the flow of information between the ALG when used as a gateway or boundary device which allows traffic flow between interconnected networks of differing security policies.\n \nThe ALG is installed and configured such that it restricts or blocks information flows based on guidance in the PPSM regarding restrictions for boundary crossing for ports, protocols and services. Information flow restrictions may be implemented based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.\n \nThe ALG must be configured with policy filters (e.g., security policy, rules, and/or signatures) that restrict or block information system services; provide a packet-filtering capability based on header information; and/or perform message-filtering based on message content. The policy filters used depends upon the type of application gateway (e.g., web, email, or TLS).",
"fixid": "F-75327r1_fix",
"fixtext": "Log into vSphere Web Client with credentials authorized for administration.\n\nRemediate this finding by navigating to the Networking and Security >> Firewall tab on the left side menu >> Configuration tab >> General \n\nConfigure the rules necessary to enforce approved authorizations for logical access to information and system resources by employing identity-based, role-based, and/or attribute-based security policies \n\nEnsure the rules have been enabled, and configure the respective \"Applied to\" category if appropriate.",
"iacontrols": null,
"id": "V-69141",
"ruleID": "SV-83745r1_rule",
"severity": "medium",
"title": "The NSX Distributed Firewall must restrict or block harmful or suspicious communications traffic by controlling the flow of information between interconnected networks based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.",
"version": "VNSX-FW-000003"
},
"V-69143": {
"checkid": "C-69581r1_chk",
"checktext": "Verify no unwanted services are enabled.\n\nLog into vSphere Web Client with credentials authorized for administration, navigate and select Networking and Security >> Firewall tab on the left side menu >> Configuration >> Partner Security Services.\n \nVerify that any unwanted services are disabled. \n\nIf there are services that should not be enabled, this is a finding.",
"description": "Information systems are capable of providing a wide variety of functions (capabilities or processes) and services. Some of these functions and services are installed and enabled by default. The organization must determine which functions and services are required to perform the content filtering and other necessary core functionality for each component of the ALG. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n \nThe primary function of an ALG is to provide application specific content filtering and/or proxy services. The ALG application suite may integrate related content filtering and analysis services and tools (e.g., IPS, proxy, malware inspection, black/white lists). Some gateways may also include email scanning, decryption, caching, and DLP services. However, services and capabilities which are unrelated to this primary functionality must not be installed (e.g., DNS, email client or server, FTP server, or web server).\n \nNext Generation ALGs (NGFW) and Unified Threat Management (UTM) ALGs integrate functions which have been traditionally separated. These products integrate content filtering features to provide more granular policy filtering. There may be operational drawbacks to combining these services into one device. Another issue is that NGFW and UTM products vary greatly with no current definitive industry standard.",
"fixid": "F-75329r1_fix",
"fixtext": "Configure Partner Security Services to the disabled state.\n\nLog into vSphere Web Client with credentials authorized for administration, navigate and select Networking and Security >> Firewall tab on the left side\n menu >> Configuration >> Partner Security Services >> Select the partner security service.\n \nHover over the \"No.\" column \nClick the pencil icon \nDisable it",
"iacontrols": null,
"id": "V-69143",
"ruleID": "SV-83747r1_rule",
"severity": "medium",
"title": "The NSX Distributed Firewall must not have unnecessary services and functions enabled.",
"version": "VNSX-FW-000034"
},
"V-69145": {
"checkid": "C-69583r1_chk",
"checktext": "View the configuration and vendor documentation of the ALG application to find the minimum ports, protocols, and services which are required for operation of the ALG. \n\nLog into vSphere Web Client with credentials authorized for administration, navigate and select Networking and Security >> Firewall tab on the left side menu >> Configuration >> General\n\nVerify the NSX Distributed Firewall policy restricts the use of ports, protocols, and/or services with the Ports, Protocol, and Service Management (PPSM) and IAVM requirements.\n \nIf ports, protocols, and/or services are not disabled or restricted as required by the PPSM, this is a finding.",
"description": "In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types); organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems.\n \nALGs are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. DoD continually assesses the ports, protocols, and services that can be used for network communications. Some ports, protocols or services have known exploits or security weaknesses. Network traffic using these ports, protocols, and services must be prohibited or restricted in accordance with DoD policy. The ALG is a key network element for preventing these non-compliant ports, protocols, and services from causing harm to DoD information systems.\n \nThe network ALG must be configured to prevent or restrict the use of prohibited ports, protocols, and services throughout the network by filtering the network traffic and disallowing or redirecting traffic as necessary. Default and updated policy filters from the vendors will disallow older version of protocols and applications and will address most known non-secure ports, protocols, and/or services. However, sources for further policy filters are the IAVMs and the PPSM requirements.",
"fixid": "F-75331r1_fix",
"fixtext": "Disable ports, protocols, and/or services not required for operation of the ALG application.\n\nLog into vSphere Web Client with credentials authorized for administration, navigate and select Networking and Security >> Firewall tab on the left side menu >> Configuration >> General >> Click on Green check in the number column to disable an individual distributed firewall rule >> Publish Changes.\n\nOnce configuration is saved successfully verify the check is greyed out.",
"iacontrols": null,
"id": "V-69145",
"ruleID": "SV-83749r1_rule",
"severity": "medium",
"title": "The NSX Distributed Firewall must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.",
"version": "VNSX-FW-000036"
},
"V-69147": {
"checkid": "C-69585r1_chk",
"checktext": "Verify denied by default policy.\n\nLog into the vCenter web interface with credentials authorized for administration, navigate to Networking and Security >> Firewall\n\nExpand \"Default Section Layer 3\" in Configuration\n\nIf the action for the Default Rule is \"Allow\", this is a finding.",
"description": "A deny-all, permit-by-exception network communications traffic policy ensures that only those connections which are essential and approved are allowed.\n \nAs a managed interface, the ALG must block all inbound and outbound network communications traffic to the application being managed and controlled unless a policy filter is installed to explicitly allow the traffic. The allow policy filters must comply with the site's security policy. A deny all, permit by exception network communications traffic policy ensures that only those connections which are essential and approved, are allowed.\n \nThis requirement applies to both inbound and outbound network communications traffic. All inbound and outbound traffic for which the ALG is acting as an intermediary or proxy must be denied by default.",
"fixid": "F-75333r1_fix",
"fixtext": "Configure the \"Default Rule\" to deny by default with \"Block\".\n \nLog into the vCenter web interface with credentials authorized for administration, navigate to Networking and Security >> Firewall\n\nExpand \"Default Section Layer 3\" in Configuration\nExpand the Action for the rule named \"Default Rule\"\nChange the action to \"Block\"\nSelect \"OK\"\nSelect \"Publish Changes\"",
"iacontrols": null,
"id": "V-69147",
"ruleID": "SV-83751r1_rule",
"severity": "medium",
"title": "The NSX Distributed Firewall must deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).",
"version": "VNSX-FW-000046"
},
"V-69149": {
"checkid": "C-69587r1_chk",
"checktext": "Verify the vSphere Web Client sessions terminate after \"10\" minutes of idle time, requiring the user to log in again to resume using the client. You can view the timeout value by viewing the webclient.properties file.\n \n On the system where vCenter is installed locate the webclient.properties file.\n \n Windows: C:\\ProgramData\\VMware\\vCenter Server\\cfg\\vsphere-client\n \n Find the session.timeout = line in the webclient.properties file.\n \n If the session timeout is not set to \"10\" in the webclient.properties file, this is a finding.",
"description": "Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element.\n \nTerminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system level network connection.\n \nALGs may provide session control functionality as part of content filtering, load balancing, or proxy services.",
"fixid": "F-75335r1_fix",
"fixtext": "Change the timeout value by editing the webclient.properties file.\n \n On the system where vCenter is installed locate the webclient.properties file.\n \n Windows: C:\\ProgramData\\VMware\\vCenter Server\\cfg\\vsphere-client\n \n Edit the file to include the line \"session.timeout = 10\" where \"10\" is the timeout value in minutes. Uncomment the line if necessary.\n \n After editing the file the vSphere Web Client service must be restarted.",
"iacontrols": null,
"id": "V-69149",
"ruleID": "SV-83753r1_rule",
"severity": "medium",
"title": "The NSX Distributed Firewall must terminate all network connections associated with a communications session at the end of the session, or as follows: for in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity; and for user sessions (non-privileged session), the session must be terminated after 15 minutes of inactivity.",
"version": "VNSX-FW-000047"
},
"V-69151": {
"checkid": "C-69589r1_chk",
"checktext": "Log into vSphere Web Client with credentials authorized for administration, navigate and select the ESXi host and click \"Manage\" >> \"Advanced System Settings\", and enter \"Syslog.global.logHost\" in the filter.\n\nVerify the correct setting for \"Syslog.global.logHost\" to the hostname of your syslog server.\n\nIf this setting does not specify the appropriate syslog server on each ESXi host, this is a finding.",
"description": "Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n \nOff-loading is a common process in information systems with limited audit storage capacity.\n \nThis does not apply to audit logs generated on behalf of the device itself (management).",
"fixid": "F-75337r2_fix",
"fixtext": "Log into vSphere Web Client with credentials authorized for administration, navigate and select the ESXi host and click \"Manage\" >> \"Advanced System Settings\", and enter \"Syslog.global.logHost\" in the filter.\n\nVerify the correct setting for \"Syslog.global.logHost\" to the hostname of your syslog server.\n\nVerify each ESXi host is set to a remote syslog server.",
"iacontrols": null,
"id": "V-69151",
"ruleID": "SV-83755r1_rule",
"severity": "medium",
"title": "The NSX Distributed Firewall must off-load audit records onto a centralized log server.",
"version": "VNSX-FW-000090"
},
"V-69153": {
"checkid": "C-69591r1_chk",
"checktext": "Verify each rule in the NSX Firewall has been configured to \"Log\". \n\nLog into vSphere Web Client with credentials authorized for administration, navigate and select Networking and Security >> Firewall tab to display a list of firewall rules deployed across the NSX environment.\n\nClick on the dropdown arrow to expand each firewall rule's section.\nFor each rule, select the pencil icon in the \"Action\" column.\nThe \"Log\" option must be selected for each rule. \n\nIf the \"Log\" option has not been enabled for all rules, this is a finding.",
"description": "Without generating audit records that log usage of objects by subjects and other objects, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one.\n \nAudit records can be generated from various components within the information system (e.g., module or policy filter). Security objects are data objects which are controlled by security policy and bound to security attributes.\n \nThis requirement applies to the ALG traffic management functions. This does not apply to audit logs generated on behalf of the device (device management).",
"fixid": "F-75339r1_fix",
"fixtext": "Log into vSphere Web Client with credentials authorized for administration, navigate and select Networking and Security >> Firewall tab to display a list of firewall rules deployed across the NSX environment.\n\nClick on the dropdown arrow to expand each firewall rule's section.\nFor each rule, select the pencil icon in the \"Action\" column.\nSelect the radio button next to the \"Log\" option to turn on logging for each rule.",
"iacontrols": null,
"id": "V-69153",
"ruleID": "SV-83757r1_rule",
"severity": "medium",
"title": "The NSX Distributed Firewall must generate audit records when successful/unsuccessful attempts to access security objects occur.",
"version": "VNSX-FW-000124"
},
"V-69155": {
"checkid": "C-69593r1_chk",
"checktext": "Verify each rule in the NSX Firewall has been configured to \"Log\". \n\nLog into vSphere Web Client with credentials authorized for administration, navigate and select Networking and Security >> Firewall tab to display a list of firewall rules deployed across the NSX environment.\n\nClick on the dropdown arrow to expand each firewall rule's section.\nFor each rule, select the pencil icon in the \"Action\" column.\nThe \"Log\" option must be selected for each rule. \n\nIf the \"Log\" option has not been enabled for all rules, this is a finding.",
"description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one.\n \nAudit records can be generated from various components within the information system (e.g., module or policy filter). Security objects are data objects which are controlled by security policy and bound to security attributes.\n \nThis requirement applies to the ALG traffic management functions such as content filtering or intermediary services. This does not apply to audit logs generated on behalf of the device (device management).",
"fixid": "F-75341r1_fix",
"fixtext": "Log into vSphere Web Client with credentials authorized for administration, navigate and select Networking and Security >> Firewall tab to display a list of firewall rules deployed across the NSX environment.\n\nClick on the dropdown arrow to expand each firewall rule's section.\nFor each rule, select the pencil icon in the \"Action\" column.\nSelect the radio button next to the \"Log\" option to turn on logging for each rule.",
"iacontrols": null,
"id": "V-69155",
"ruleID": "SV-83759r1_rule",
"severity": "medium",
"title": "The NSX Distributed Firewall must generate audit records when successful/unsuccessful attempts to modify security objects occur.",
"version": "VNSX-FW-000128"
},
"V-69157": {
"checkid": "C-69595r1_chk",
"checktext": "Verify each rule in the NSX Firewall has been configured to \"Log\". \n\nLog into vSphere Web Client with credentials authorized for administration, navigate and select Networking and Security >> Firewall tab to display a list of firewall rules deployed across the NSX environment.\n\nClick on the dropdown arrow to expand each firewall rule's section.\nFor each rule, select the pencil icon in the \"Action\" column.\nThe \"Log\" option must be selected for each rule. \n\nIf the \"Log\" option has not been enabled for all rules, this is a finding.",
"description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one.\n \nAudit records can be generated from various components within the information system (e.g., module or policy filter). Security objects are data objects which are controlled by security policy and bound to security attributes.\n \nThis requirement applies to the ALG traffic management functions such as content filtering or intermediary services. This does not apply to audit logs generated on behalf of the device (device management).",
"fixid": "F-75343r1_fix",
"fixtext": "Log into vSphere Web Client with credentials authorized for administration, navigate and select Networking and Security >> Firewall tab to display a list of firewall rules deployed across the NSX environment.\n\nClick on the dropdown arrow to expand each firewall rule's section.\nFor each rule, select the pencil icon in the \"Action\" column.\nSelect the radio button next to the \"Log\" option to turn on logging for each rule.",
"iacontrols": null,
"id": "V-69157",
"ruleID": "SV-83761r1_rule",
"severity": "medium",
"title": "The NSX Distributed Firewall must generate audit records when successful/unsuccessful attempts to delete security objects occur.",
"version": "VNSX-FW-000133"
},
"V-69159": {
"checkid": "C-69597r1_chk",
"checktext": "Verify \"SpoofGuard\" Default Policy is \"Enabled\" and \"firewall\" service is \"Enabled\" on all hosts.\n\nLog into vSphere Web Client with credentials authorized for administration, navigate and select Networking and Security >> select the \"SpoofGuard\" tab on the left side menu.\n\nVerify Default Policy for \"All Networks Operation Mode\" is set to \"Enabled\".\nNext, select the \"Installation\" tab on the left side menu and verify \"firewall\" is \"Enabled\".\n\nIf \"SpoofGuard\" Default Policy is not \"Enabled\" or \"firewall\" service is not \"Enabled\" on all hosts, this is a finding.",
"description": "A compromised host in an enclave can be used by a malicious actor as a platform to launch cyber attacks on third parties. This is a common practice in \"botnets\", which are a collection of compromised computers using malware to attack (usually DDoS) other computers or networks. DDoS attacks frequently leverage IP source address spoofing, in which packets with false source IP addresses send traffic to multiple hosts, which then send return traffic to the hosts with the IP addresses that were forged. This can generate significant, even massive, amounts of traffic. Therefore, protection measures to counteract IP source address spoofing must be taken.\n \nThe router must not accept any outbound IP packets that contain an illegitimate address in the source address field by enabling Unicast Reverse Path Forwarding (uRPF) strict mode or by implementing an egress ACL. Unicast Reverse Path Forwarding (uRPF) provides an IP address spoof protection capability. When uRPF is enabled in strict mode, the packet must be received on the interface that the device would use to forward the return packet.",
"fixid": "F-75345r1_fix",
"fixtext": "Set \"SpoofGuard\" Default Policy to \"Enabled\" and \"firewall\" service to \"Enabled\" on all hosts.\n\nLog into vSphere Web Client with credentials authorized for administration, navigate and select Networking and Security >> select the \"SpoofGuard\" tab on the left side menu.\n\nSet the Default Policy for All Networks Operation Mode to \"Enabled\".\nNext, select the \"Installation\" tab on the left side menu.\nSelect Firewall and set to \"Enabled\".",
"iacontrols": null,
"id": "V-69159",
"ruleID": "SV-83763r1_rule",
"severity": "medium",
"title": "The NSX Distributed Firewall must be configured to restrict it from accepting outbound IP packets that contain an illegitimate address in the source address field via egress filter or by enabling Unicast Reverse Path Forwarding.",
"version": "VNSX-FW-000151"
}
},
"profiles": {
"MAC-1_Classified": {
"description": "",
"findings": {
"V-69137": "true",
"V-69139": "true",
"V-69141": "true",
"V-69143": "true",
"V-69145": "true",
"V-69147": "true",
"V-69149": "true",
"V-69151": "true",
"V-69153": "true",
"V-69155": "true",
"V-69157": "true",
"V-69159": "true"
},
"id": "MAC-1_Classified",
"title": "I - Mission Critical Classified"
},
"MAC-1_Public": {
"description": "",
"findings": {
"V-69137": "true",
"V-69139": "true",
"V-69141": "true",
"V-69143": "true",
"V-69145": "true",
"V-69147": "true",
"V-69149": "true",
"V-69151": "true",
"V-69153": "true",
"V-69155": "true",
"V-69157": "true",
"V-69159": "true"
},
"id": "MAC-1_Public",
"title": "I - Mission Critical Public"
},
"MAC-1_Sensitive": {
"description": "",
"findings": {
"V-69137": "true",
"V-69139": "true",
"V-69141": "true",
"V-69143": "true",
"V-69145": "true",
"V-69147": "true",
"V-69149": "true",
"V-69151": "true",
"V-69153": "true",
"V-69155": "true",
"V-69157": "true",
"V-69159": "true"
},
"id": "MAC-1_Sensitive",
"title": "I - Mission Critical Sensitive"
},
"MAC-2_Classified": {
"description": "",
"findings": {
"V-69137": "true",
"V-69139": "true",
"V-69141": "true",
"V-69143": "true",
"V-69145": "true",
"V-69147": "true",
"V-69149": "true",
"V-69151": "true",
"V-69153": "true",
"V-69155": "true",
"V-69157": "true",
"V-69159": "true"
},
"id": "MAC-2_Classified",
"title": "II - Mission Support Classified"
},
"MAC-2_Public": {
"description": "",
"findings": {
"V-69137": "true",
"V-69139": "true",
"V-69141": "true",
"V-69143": "true",
"V-69145": "true",
"V-69147": "true",
"V-69149": "true",
"V-69151": "true",
"V-69153": "true",
"V-69155": "true",
"V-69157": "true",
"V-69159": "true"
},
"id": "MAC-2_Public",
"title": "II - Mission Support Public"
},
"MAC-2_Sensitive": {
"description": "",
"findings": {
"V-69137": "true",
"V-69139": "true",
"V-69141": "true",
"V-69143": "true",
"V-69145": "true",
"V-69147": "true",
"V-69149": "true",
"V-69151": "true",
"V-69153": "true",
"V-69155": "true",
"V-69157": "true",
"V-69159": "true"
},
"id": "MAC-2_Sensitive",
"title": "II - Mission Support Sensitive"
},
"MAC-3_Classified": {
"description": "",
"findings": {
"V-69137": "true",
"V-69139": "true",
"V-69141": "true",
"V-69143": "true",
"V-69145": "true",
"V-69147": "true",
"V-69149": "true",
"V-69151": "true",
"V-69153": "true",
"V-69155": "true",
"V-69157": "true",
"V-69159": "true"
},
"id": "MAC-3_Classified",
"title": "III - Administrative Classified"
},
"MAC-3_Public": {
"description": "",
"findings": {
"V-69137": "true",
"V-69139": "true",
"V-69141": "true",
"V-69143": "true",
"V-69145": "true",
"V-69147": "true",
"V-69149": "true",
"V-69151": "true",
"V-69153": "true",
"V-69155": "true",
"V-69157": "true",
"V-69159": "true"
},
"id": "MAC-3_Public",
"title": "III - Administrative Public"
},
"MAC-3_Sensitive": {
"description": "",
"findings": {
"V-69137": "true",
"V-69139": "true",
"V-69141": "true",
"V-69143": "true",
"V-69145": "true",
"V-69147": "true",
"V-69149": "true",
"V-69151": "true",
"V-69153": "true",
"V-69155": "true",
"V-69157": "true",
"V-69159": "true"
},
"id": "MAC-3_Sensitive",
"title": "III - Administrative Sensitive"
}
},
"slug": "vmware_nsx_distributed_firewall",
"title": "VMware NSX Distributed Firewall Security Technical Implementation Guide",
"version": "1"
}
}