V-65483 | High | The ArcGIS Server must use a full disk encryption solution to protect the confidentiality and integrity of all information. | Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive and tape drive) within an organizational information system. Mobile... |
V-65323 | High | The ArcGIS Server must use Windows authentication for supporting account management functions. | Enterprise environments make application account management challenging and complex. A manual process for account management functions adds the risk of a potential oversight or other error.
A... |
V-65519 | High | The ArcGIS Server keystores must only contain certificates of PKI established certificate authorities for verification of protected sessions. | Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DoD systems or by organizations with insufficient... |
V-65515 | High | The ArcGIS Server Windows authentication must authenticate all endpoint devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based. | Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authentication provides stronger safeguards to validate... |
V-65385 | High | The ArcGIS Server must use Windows authentication to enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., networks, web servers, and web... |
V-65517 | High | The ArcGIS Server SSL settings must use NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. | Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The application must implement cryptographic modules adhering to the higher standards... |
V-65393 | High | The ArcGIS Server must provide audit record generation capability for DoD-defined auditable events within all application components. | Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one.
Audit... |
V-65319 | High | The ArcGIS Server must protect the integrity of remote access sessions by enabling HTTPS with DoD-approved certificates. | Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
Remote access is access to DoD nonpublic information systems by an authorized... |
V-65467 | High | The ArcGIS Server must use mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module. | Unapproved mechanisms that are used for authentication to the cryptographic module are not verified, and therefore cannot be relied upon to provide confidentiality or integrity and DoD data may be... |
V-65487 | Medium | The ArcGIS Server must reveal error messages only to the ISSO, ISSM, and SA. | Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the application.... |
V-65485 | Medium | The ArcGIS Server must be configured such that emergency accounts are never automatically removed or disabled. | Emergency accounts are administrator accounts which are established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account... |
V-65459 | Medium | The ArcGIS Server, when using PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted.
A trust anchor is an authoritative... |
V-65477 | Medium | The ArcGIS Server must recognize only system-generated session identifiers. | Applications utilize sessions and session identifiers to control application behavior and user access. If an attacker can guess the session identifier, or can inject or manually insert session... |
V-65415 | Medium | The ArcGIS Server must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. | In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must... |
V-65413 | Medium | The ArcGIS Server must be configured to disable non-essential capabilities. | It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked... |
V-65499 | Medium | The ArcGIS Server must enforce access restrictions associated with changes to application configuration. | Failure to provide logical access restrictions associated with changes to application configuration may have significant effects on the overall security of the system.
When dealing with access... |
V-65503 | Medium | The organization must disable organization-defined functions, ports, protocols, and services within the ArcGIS Server deemed to be unnecessary and/or nonsecure. | In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must... |
V-65569 | Medium | The ArcGIS Server must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. | Configuring the application to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security... |
V-65509 | Medium | The ArcGIS Server must accept and electronically verify Personal Identity Verification (PIV) credentials. | The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access.
DoD has mandated the use of the CAC to support identity management and personal authentication... |
V-65429 | Medium | The ArcGIS Server must implement replay-resistant authentication mechanisms for network access to privileged accounts and non-privileged accounts. | A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be... |
V-65407 | Medium | The ArcGIS Server must protect audit information from any type of unauthorized read access, modification or deletion. | If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult if not impossible to achieve. In... |
V-65521 | Medium | The ArcGIS Server must maintain a separate execution domain for each executing process. | Applications can maintain separate execution domains for each executing process by assigning each process a separate address space. Each process has a distinct address space so that communication... |