V-69161 | High | The NSX vCenter must be configured to use an authentication server to provide automated support for account management functions to centrally control the authentication process for the purpose of granting administrative access. | Account management functions include: assignment of group or role membership; identifying account type; specifying user access authorizations and privilege levels. NSX Manager must be configured... |
V-69163 | High | The NSX vCenter must enforce the assigned privilege level for each administrator and authorizations for access to all commands relative to the privilege level in accordance with applicable policy for the device. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems must be properly configured to incorporate... |
V-69167 | High | The NSX Manager must not have any default manufacturer passwords when deployed. | Network devices not protected with strong password schemes provide the opportunity for anyone to crack the password and gain access to the device, which can result in loss of availability,... |
V-69171 | Medium | The NSX vCenter must protect audit information from any type of unauthorized read access. | Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. If audit data were to become... |
V-69219 | Medium | The NSX vCenter must obtain its public key certificates from an appropriate certificate policy through an approved service provider. | For user certificates, each organization obtains certificates from an approved, shared service provider, as required by OMB policy. For federal agencies operating a legacy public key... |
V-69177 | Medium | The NSX vCenter must prohibit password reuse for a minimum of five generations. | Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. To meet password policy requirements, passwords need... |
V-69175 | Medium | The NSX vCenter must enforce a minimum 15-character password length. | Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to... |
V-69179 | Medium | If multifactor authentication is not supported and passwords must be used, the NSX vCenter must enforce password complexity by requiring that at least one upper-case character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in... |
V-69211 | Medium | The NSX Manager must enforce access restrictions associated with changes to the system components. | Changes to the hardware or software components of the network device can have significant effects on the overall security of the network. Therefore, only qualified and authorized individuals must... |
V-69217 | Medium | The NSX Manager must employ automated mechanisms to assist in the tracking of security incidents. | Despite the investment in perimeter defense technologies, enclaves are still faced with detecting, analyzing, and remediating network breaches and exploits that have made it past the network... |
V-69191 | Medium | The NSX vCenter must reveal error messages only to authorized individuals (ISSO, ISSM, and SA). | Only authorized personnel must be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state. Additionally, sensitive account information... |
V-69193 | Medium | The NSX vCenter must automatically terminate a network administrator session after organization-defined conditions or trigger events requiring session disconnect. | Automatic session termination addresses the termination of administrator-initiated logical sessions in contrast to the termination of network connections that are associated with communications... |
V-69195 | Medium | If the NSX vCenter uses role-based access control, the network device must enforce organization-defined role-based access control policies over defined subjects and objects. | Organizations can create specific roles based on job functions and the authorizations (i.e., privileges) to perform needed operations on organizational information systems associated with the... |
V-69197 | Medium | The NSX vCenter must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. | Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. ... |
V-69199 | Medium | The NSX vCenter must automatically lock the account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are exceeded. | By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account. |
V-69221 | Medium | The NSX vCenter must accept multifactor credentials. | DoD has mandated the use of the CAC to support identity management and personal authentication for systems covered under HSPD 12, as well as a primary component of layered protection for national... |
V-69209 | Medium | The NSX Manager must off-load audit records onto a different system or media than the system being audited. | Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. |
V-69165 | Medium | The NSX vCenter must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period. | By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. |
V-69207 | Medium | The NSX Manager must be configured to synchronize internal information system clocks with the primary and secondary time sources located in different geographic regions using redundant authoritative time sources. | The loss of connectivity to a particular authoritative time source will result in the loss of time synchronization (free-run mode) and increasingly inaccurate time stamps on audit events and other... |
V-69201 | Medium | The NSX vCenter must provide the capability for organization-identified individuals or roles to change the auditing to be performed based on all selectable event criteria within near-real time. | If authorized individuals do not have the ability to modify auditing parameters in response to a changing threat environment, the organization may not be able to effectively respond, and important... |
V-69189 | Medium | The NSX vCenter must terminate all network connections associated with a device management session at the end of the session, or the session must be terminated after 10 minutes of inactivity except to fulfill documented and validated mission requirements. | Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port... |
V-69187 | Medium | The NSX vCenter must enforce a 60-day maximum password lifetime restriction. | Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed at specific intervals. One method of minimizing this risk is to use complex passwords and... |
V-69185 | Medium | If multifactor authentication is not supported and passwords must be used, the NSX vCenter must enforce password complexity by requiring that at least one special character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in... |
V-69183 | Medium | If multifactor authentication is not supported and passwords must be used, the NSX vCenter must enforce password complexity by requiring that at least one numeric character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in... |
V-69181 | Medium | If multifactor authentication is not supported and passwords must be used, the NSX vCenter must enforce password complexity by requiring that at least one lower-case character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in... |
V-69173 | Low | The NSX Manager must back up audit records at least every seven days onto a different system or system component than the system or component being audited. | Protection of log data includes verifying log data is not accidentally lost or deleted. Regularly backing up audit records to a different system or onto separate media than the system being... |
V-69213 | Low | The NSX Manager must support organizational requirements to conduct backups of system-level information contained in the information system when changes occur or weekly, whichever is sooner. | System-level information includes default and customized settings and security attributes, including ACLs that relate to the network device configuration, as well as software required for the... |
V-69215 | Low | The NSX Manager must support organizational requirements to conduct backups of information system documentation, including security-related documentation, when changes occur or weekly, whichever is sooner. | Information system backup is a critical step in maintaining data assurance and availability. Information system and security-related documentation contains information pertaining to system... |
V-69205 | Low | The NSX Manager must synchronize internal information system clocks to the authoritative time source when the time difference is greater than the organization-defined time period. | Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when... |
V-69203 | Low | The NSX Manager must compare internal information system clocks at least every 24 hours with an authoritative time server. | Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when... |