V-74915 | High | The MQ Appliance messaging server must authenticate all endpoint devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based. | Device authentication requires unique identification and authentication that may be defined by type, by specific device, or by a combination of type and device. Bidirectional authentication... |
V-74801 | Medium | The MQ Appliance messaging server must provide an immediate warning to the SA and ISSO, at a minimum, when allocated log record storage volume reaches 75% of maximum log record storage capacity. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process logs as required. Log processing failures include software/hardware errors, failures in the... |
V-74909 | Medium | The MQ Appliance messaging server must generate log records for access and authentication events. | Log records can be generated from various components within the messaging server. From a messaging server perspective, certain specific messaging server functionalities may be logged as well. The... |
V-74805 | Medium | The MQ Appliance messaging server must automatically terminate an SSH user session after organization-defined conditions or trigger events requiring a session disconnect. | An attacker can take advantage of CLI user sessions that are left open, thus bypassing the user authentication process. To thwart the vulnerability of open and unused user sessions, the messaging... |
V-74835 | Medium | The MQ Appliance messaging server must use DoD- or CNSS-approved PKI Class 3 or Class 4 certificates. | Class 3 PKI certificates are used for servers and software signing rather than for identifying individuals. Class 4 certificates are used for business-to-business transactions. Utilizing... |
V-74863 | Medium | The MQ Appliance messaging server must protect the confidentiality and integrity of transmitted information through the use of an approved TLS version. | Preventing the disclosure of transmitted information requires that the messaging server take measures to employ some form of cryptographic mechanism in order to protect the information during... |
V-74901 | Medium | The MQ Appliance messaging server must map the authenticated identity to the individual messaging user or group account for PKI-based authentication. | The cornerstone of PKI is the private key used to encrypt or digitally sign information. The key by itself is a cryptographic value that does not contain specific user information, but the key can... |
V-74861 | Medium | The MQ Appliance messaging server must remove all export ciphers to protect the confidentiality and integrity of transmitted information. | During the initial setup of a Transport Layer Security (TLS) connection to the messaging server, the client sends a list of supported cipher suites in order of preference. The messaging server... |
V-74903 | Medium | The MQ Appliance must disable identifiers (individuals, groups, roles, and devices) after 35 days of inactivity. | Inactive identifiers pose a risk to systems and applications. Attackers that are able to exploit an inactive identifier can potentially obtain and maintain undetected access to the application.... |
V-75029 | Medium | The MQ Appliance messaging server must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected (messaging) sessions. | Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DoD systems or by organizations with insufficient... |
V-74907 | Medium | The MQ Appliance messaging server management interface must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system. | Messaging servers are required to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system management interface, providing privacy and security notices... |
V-74897 | Medium | The MQ Appliance messaging server must uniquely identify all network-connected endpoint devices before establishing any connection. | Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. For distributed messaging servers and components, the decisions regarding... |
V-74895 | Medium | The MQ Appliance messaging server must ensure authentication of both SSH client and server during the entire session. | This control focuses on communications protection at the session, versus packet level. At the application layer, session IDs are tokens generated by web applications to uniquely identify an... |
V-74893 | Medium | The MQ Appliance messaging server must provide a clustering capability. | This requirement is dependent upon system criticality and confidentiality requirements. If the system categorization and confidentiality levels do not specify redundancy requirements, this... |
V-74891 | Medium | The MQ Appliance messaging server must be configured to fail over to another system in the event of log subsystem failure. | This requirement is dependent upon system MAC and availability. If the system MAC and availability do not specify redundancy requirements, this requirement is NA. It is critical that, when a... |
V-74899 | Medium | Access to the MQ Appliance messaging server must utilize encryption when using LDAP for authentication. | Passwords need to be protected at all times, and encryption is the standard method for protecting passwords during transmission. Messaging servers have the capability to utilize LDAP directories... |
V-74853 | Medium | The MQ Appliance messaging server must provide centralized management and configuration of the content to be captured in log records generated by all application components. | A clustered messaging server is made up of several servers working together to provide the user a failover and increased computing capability. To facilitate uniform logging in the event of an... |
V-74851 | Medium | The MQ Appliance messaging server must, at a minimum, transfer the logs of interconnected systems in real time, and transfer the logs of standalone systems weekly. | Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Protecting log data is important during a forensic investigation to ensure investigators can... |
V-74859 | Medium | The MQ Appliance messaging server must employ approved cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission. | Preventing the disclosure or modification of transmitted information requires that messaging servers take measures to employ approved cryptography in order to protect the information during... |
V-74879 | Medium | The MQ Appliance messaging server must identify potentially security-relevant error conditions. | The structure and content of error messages need to be carefully considered by the organization and development team. Any application providing too much information in error logs and in... |
V-74919 | Medium | The MQ Appliance messaging server must utilize FIPS 140-2 approved encryption modules when authenticating users and processes. | Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and... |
V-74831 | Medium | The MQ Appliance messaging server must install security-relevant software updates within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs). | Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations... |
V-74913 | Medium | The MQ Appliance messaging server must authenticate all network-connected endpoint devices before establishing any connection. | Device authentication requires unique identification and authentication that may be defined by type, by specific device, or by a combination of type and device. Device authentication is... |
V-74911 | Medium | The MQ Appliance messaging server must generate a unique session identifier using a FIPS 140-2 approved random number generator. | The messaging server will use session IDs to communicate between modules or applications within the messaging server and between the messaging server and users. The session ID allows the... |
V-74815 | Medium | The MQ Appliance SSH interface to the messaging server must prohibit the use of cached authenticators after 600 seconds. | When the messaging server is using PKI authentication, a local revocation cache must be stored for instances when the revocation cannot be authenticated through the network, but if cached... |
V-74917 | Medium | MQ Appliance messaging servers must use NIST-approved or NSA-approved key management technology and processes. | An asymmetric encryption key must be protected during transmission. The public portion of an asymmetric key pair can be freely distributed without fear of compromise, and the private portion of... |
V-74813 | Medium | The MQ Appliance must automatically terminate a WebGUI user session after 600 seconds of idle time. | An attacker can take advantage of WebGUI user sessions that are left open, thus bypassing the user authentication process. To thwart the vulnerability of open and unused user sessions, the... |
V-74905 | Medium | The MQ Appliance messaging server must use an enterprise user management system to uniquely identify and authenticate users (or processes acting on behalf of organizational users). | To assure accountability and prevent unauthorized access, application server users must be uniquely identified and authenticated. This is typically accomplished via the use of a user store which... |
V-74849 | Medium | The MQ Appliance messaging server must use encryption strength in accordance with the categorization of the management data during remote access management sessions. | Remote management access is accomplished by leveraging common communication protocols and establishing a remote connection to the messaging server via a network for the purposes of managing the... |
V-74877 | Medium | The MQ Appliance messaging server must produce log records containing information to establish what type of events occurred. | Information system logging capability is critical for accurate forensic analysis. Without being able to establish what type of event occurred, it would be difficult to establish, correlate, and... |
V-74749 | Medium | The MQ Appliance WebGUI interface to the messaging server must prohibit the use of cached authenticators after one hour. | When the messaging server is using PKI authentication, a local revocation cache must be stored for instances when the revocation cannot be authenticated through the network, but if cached... |
V-74741 | Medium | The MQ Appliance messaging server must off-load log records onto a different system or media from the system being logged. | Information system logging capability is critical for accurate forensic analysis. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited... |
V-74747 | Medium | The MQ Appliance messaging server must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. | Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to... |
V-74889 | Medium | The MQ Appliance messaging server must provide a log reduction capability that supports on-demand reporting requirements. | The ability to generate on-demand reports, including after the log data has been subjected to log reduction, greatly facilitates the organization's ability to generate incident reports as needed... |
V-74847 | Medium | The MQ Appliance messaging server, when categorized as a high level system, must be in a high-availability (HA) cluster. | A high level system is a system that handles data vital to the organization's operational readiness or effectiveness of deployed or contingency forces. A high level system must maintain the... |
V-74921 | Medium | The MQ Appliance messaging server must provide access logging that ensures users who are granted a privileged role (or roles) have their privileged activity logged. | In order to be able to provide a forensic history of activity, the messaging server must ensure users who are granted a privileged role or those who utilize a separate distinct account when... |
V-74729 | Medium | The MQ Appliance messaging server must implement cryptography mechanisms to protect the integrity of the remote access session. | Encryption is critical for protection of remote access sessions. If encryption is not being used for integrity, malicious users may gain the ability to modify the messaging server configuration.... |
V-74883 | Medium | The MQ Appliance messaging server must alert the SA and ISSO, at a minimum, in the event of a log processing failure. | Logs are essential to monitor the health of the system, investigate changes that occurred to the system, or investigate a security incident. When log processing fails, the events during the... |
V-74727 | Medium | The MQ Appliance messaging server must protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation. | Non-repudiation of actions taken is required in order to maintain messaging service application integrity. Examples of particular actions taken by individuals include creating information, sending a... |
V-74885 | Medium | The MQ Appliance messaging server must protect against or limit the effects of all types of Denial of Service (DoS) attacks by employing operationally-defined security safeguards. | DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. To reduce... |
V-74743 | Low | The MQ Appliance messaging server must synchronize internal MQ Appliance messaging server clocks to an authoritative time source when the time difference is greater than the organization-defined time period. | Determining the correct time a particular application event occurred on a system is critical when conducting forensic analysis and investigating system events. Synchronization of internal... |
V-74745 | Low | The MQ Appliance messaging server must compare internal MQ Appliance messaging server clocks at least every 24 hours with an authoritative time source. | Determining the correct time a particular application event occurred on a system is critical when conducting forensic analysis and investigating system events. Synchronization of system clocks is... |
V-74887 | Low | The MQ Appliance messaging server must accept FICAM-approved third-party credentials. | Access may be denied to legitimate users if FICAM-approved third-party credentials are not accepted. This requirement typically applies to organizational information systems that are accessible... |