UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

WLAN Access Point (Enclave-NIPRNet Connected) Security Technical Implementation Guide



Findings (MAC I - Mission Critical Sensitive)

Finding ID Severity Title
V-4582 High The IAO will ensure that all OOB management connections to the device require authentication.
V-3056 High The IAO/NSO will ensure each user accessing the device locally have their own account with username and password.
V-3143 High The IAO/NSO will ensure all default manufacturer passwords are changed.
V-3210 High The IAO/NSO will ensure that all SNMP community strings are changed from the default values.
V-3175 High The IAO will ensure that all in-band management connections to the device require authentication.
V-3069 Medium The system administrator will ensure in-band management access to the device is secured using FIPS 140-2 approved encryption or hash algorithms such as AES, 3DES, SSH, or TLS / SSL.
V-14671 Medium The IAO will ensure all NTP-enabled devices authenticate received NTP messages.
V-14717 Medium The system administrator will ensure SSH version 2 is implemented.
V-30255 Medium The WLAN must be WPA2-Enterprise certified.
V-30257 Medium WLAN EAP-TLS implementation must use CAC authentication to connect to DoD networks.
V-3057 Medium The IAO/NSO will ensure all user accounts are assigned the lowest privilege level that allows them to perform their duties.
V-19900 Medium The WLAN implementation of EAP-TLS must be FIPS 140-2 validated.
V-3014 Medium The system administrator will ensure the timeout for administrative access is set for no longer than 10 minutes.
V-14886 Medium Wireless access points and bridges must be placed in dedicated subnets outside the enclave’s perimeter.
V-28784 Medium A service or feature that calls home to the vendor must be disabled.
V-3967 Medium The system administrator will ensure the console port is configured to time out after 10 minutes or less of inactivity.
V-17821 Medium Managed NE OOBM interface is not configured with an OOBM network address.
V-17822 Medium The management interface is not configured with both an ingress and egress ACL.
V-14888 Medium The WLAN inactive session timeout must be set for 30 minutes or less.
V-19894 Medium The WLAN implementation of AES-CCMP must be FIPS 140-2 validated.
V-3692 Medium WLAN must use EAP-TLS.
V-3515 Medium The WLAN must use AES-CCMP to protect data-in-transit.
V-5613 Medium The system administrator will ensure the maximum number of unsuccessful SSH login attempts is set to three, locking access to the network device.
V-5612 Medium The system administrator will ensure SSH timeout value is set to 60 seconds or less, causing incomplete SSH connections to shut down after 60 seconds or less.
V-5611 Medium The system administrator will ensure that the device only allows in-band management sessions from authorized IP addresses from the internal network.
V-14004 Low WLAN equipment obtained through acquisition programs must be JITC interoperability certified.
V-23747 Low The IAO/NSO will ensure all managed network elements are configured to use two or more NTP servers to synchronize time.
V-14846 Low WLAN SSIDs must be changed from the manufacturer’s default to a pseudo random word that does not identify the unit, base, organization, etc.
V-14844 Low The relevant U.S. Forces Command (USFORSCOM) or host nation must approve the use of wireless equipment prior to operation of such equipment outside the United States and Its Possessions (US&P).
V-7011 Low The system administrator will ensure that the device auxiliary port is disabled if a secured modem providing encryption and authentication is not connected.
V-3070 Low The system administrator will configure the ACL that is bound to the inband interface to log permitted and denied access attempts.
V-14889 Low WLAN signals must not be intercepted outside areas authorized for WLAN access.
V-19895 Low The Information Assurance component of the WLAN system must be NIAP Common Criteria certified for basic or medium robustness for data in transit.