UCF STIG Viewer Logo

Network Device Management Security Requirements Guide


Overview

Date Finding Count (112)
2024-05-30 CAT I (High): 17 CAT II (Med): 95 CAT III (Low): 0
STIG Description
This Security Requirements Guide (SRG) is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the NIST 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-202017 High The network device must be configured to assign appropriate user roles or access levels to authenticated users.
V-202132 High The network device must be configured to use at least two authentication servers for the purpose of authenticating users prior to granting administrative access.
V-202118 High The network device must be configured to implement cryptographic mechanisms using a FIPS 140-2 approved algorithm to protect the confidentiality of remote maintenance sessions
V-202117 High The network devices must use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of nonlocal maintenance and diagnostic communications.
V-213467 High The network device must be configured to send log data to at least two central log servers for the purpose of forwarding alerts to the administrators and the information system security officer (ISSO).
V-213468 High The network device must be running an operating system release that is currently supported by the vendor.
V-237779 High The network device must be configured to use DoD PKI as multi-factor authentication (MFA) for interactive logins.
V-202049 High The network device must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services
V-237780 High The network device must be configured to use DoD approved OCSP responders or CRLs to validate certificates used for PKI-based authentication.
V-237781 High The network device, for PKI-based authentication, must be configured to map validated certificates to unique user accounts.
V-202074 High The network device must terminate all network connections associated with a device management session at the end of the session, or the session must be terminated after five minutes of inactivity except to fulfill documented and validated mission requirements.
V-202072 High The network device must use FIPS 140-2 approved algorithms for authentication to a cryptographic module.
V-202071 High The network device must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
V-202078 High The network device must only allow authorized administrators to view or change the device configuration, system files, and other files stored either in the device or on removable media (such as a flash drive).
V-202093 High The network device must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
V-202065 High The network device must transmit only encrypted representations of passwords.
V-202064 High The network device must be configured to store passwords using an approved salted key derivation function, preferably using a keyed hash for password-based authentication.
V-202087 Medium The network device must terminate shared/group account credentials when members leave the group.
V-202086 Medium The network device must display an explicit logout message to administrators indicating the reliable termination of authenticated communications sessions.
V-202085 Medium The network device must be configured to provide a logout mechanism for administrator-initiated communication sessions.
V-264307 Medium The network device must be configured to synchronize system clocks within and between systems or system components.
V-264300 Medium The network device must be configured to require immediate selection of a new password upon account recovery for password-based authentication.
V-264301 Medium The network device must be configured to allow user selection of long passwords and passphrases, including spaces and all printable characters for password-based authentication.
V-264302 Medium The network device must be configured to employ automated tools to assist the user in selecting strong password authenticators for password-based authentication.
V-264303 Medium The network device must be configured to implement a local cache of revocation data to support path discovery and validation for public key-based authentication.
V-264308 Medium The network device must be configured to compare the internal system clocks on an organization-defined frequency with organization-defined authoritative time source.
V-264306 Medium The network device must be configured to provide protected storage for cryptographic keys with organization-defined safeguards and/or hardware protected key store.
V-202088 Medium The network device must automatically audit account enabling actions.
V-202076 Medium The network device must recognize only system-generated session identifiers.
V-202018 Medium The network device must enforce approved authorizations for controlling the flow of management information within the network device based on information flow control policies.
V-202019 Medium The network device must be configured to enforce the limit of three consecutive invalid logon attempts, after which time it must block any login attempt for 15 minutes.
V-202077 Medium The network device must generate unique session identifiers using a FIPS 140-2 approved random number generator.
V-202014 Medium The network device must automatically audit account modification.
V-202015 Medium The network device must automatically audit account disabling actions.
V-202016 Medium The network device must automatically audit account removal actions.
V-202013 Medium The network device must automatically audit account creation.
V-264304 Medium The network device must be configured to protect nonlocal maintenance sessions by separating the maintenance session from other network sessions with the system by logically separated communications paths.
V-202009 Medium The network device must retain the session lock until the administrator reestablishes access using established identification and authentication procedures.
V-202008 Medium The network device must be configured to enable network administrators to directly initiate a session lock.
V-202007 Medium The network device must initiate a session lock after a 15-minute period of inactivity.
V-202006 Medium The network device must conceal, via the session lock, information previously visible on the display with a publicly viewable image.
V-202120 Medium If the network device uses mandatory access control, the network device must enforce organization-defined mandatory access control policies over all subjects and objects.
V-202121 Medium The network device must generate audit records when successful/unsuccessful attempts to modify administrator privileges occur.
V-202122 Medium The network device must generate audit records when successful/unsuccessful attempts to delete administrator privileges occur.
V-202123 Medium The network device must generate audit records when successful/unsuccessful logon attempts occur.
V-264305 Medium The network device must be configured to include only approved trust anchors in trust stores or certificate stores managed by the organization.
V-202125 Medium The network device must generate audit records showing starting and ending time for administrator access to the system.
V-202126 Medium The network device must generate audit records when concurrent logons from different workstations occur.
V-202127 Medium The network device must off-load audit records onto a different system or media than the system being audited.
V-202032 Medium The network device must produce audit records containing information to establish where the events occurred.
V-202033 Medium The network device must produce audit log records containing information to establish the source of events.
V-202030 Medium The network device must produce audit log records containing sufficient information to establish what type of event occurred.
V-202031 Medium The network device must produce audit records containing information to establish when (date and time) the events occurred.
V-202036 Medium The network device must generate audit records containing the full-text recording of privileged commands.
V-202034 Medium The network device must produce audit records that contain information to establish the outcome of the event.
V-202035 Medium The network device must generate audit records containing information that establishes the identity of any individual or process associated with the event.
V-202039 Medium The network device must use internal system clocks to generate time stamps for audit records.
V-202131 Medium The network device must enforce access restrictions associated with changes to the system components.
V-202130 Medium The network device must generate log records for a locally developed list of auditable events
V-202137 Medium The network device must support organizational requirements to conduct backups of information system documentation, including security-related documentation, when changes occur or weekly, whichever is sooner.
V-202136 Medium The network device must be configured to conduct backups of system level information contained in the information system when changes occur.
V-202047 Medium The network device must prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization.
V-202139 Medium The network device must obtain its public key certificates from an appropriate certificate policy through an approved service provider.
V-202025 Medium The network device must protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.
V-202021 Medium The network device must retain the Standard Mandatory DoD Notice and Consent Banner on the screen until the administrator acknowledges the usage conditions and takes explicit actions to log on for further access.
V-202020 Medium The network device must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the device.
V-202029 Medium The network device must initiate session auditing upon startup.
V-202028 Medium The network device must generate audit records when successful/unsuccessful attempts to access privileges occur.
V-202106 Medium The network device must enforce access restrictions associated with changes to device configuration.
V-202107 Medium The network device must audit the enforcement actions used to restrict access associated with changes to the device.
V-202105 Medium The network device must prohibit installation of software without explicit privileged status.
V-202102 Medium The network device must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
V-202103 Medium The network device must record time stamps for audit records that meet a granularity of one second for a minimum degree of precision.
V-202100 Medium The network device must generate an immediate real-time alert of all audit failure events requiring real-time alerts.
V-216508 Medium The network device must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
V-202119 Medium The network device must be configured to protect against known types of denial-of-service (DoS) attacks by employing organization-defined security safeguards.
V-202111 Medium The network device must be configured to authenticate SNMP messages using a FIPS-validated Keyed-Hash Message Authentication Code (HMAC).
V-202112 Medium The network device must authenticate Network Time Protocol sources using authentication that is cryptographically based.
V-202115 Medium The network device must prohibit the use of cached authenticators after an organization-defined time period.
V-202116 Medium Network devices performing maintenance functions must restrict use of these functions to authorized personnel only.
V-202051 Medium The network device must be configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable.
V-202054 Medium The network device must be configured to authenticate each administrator prior to authorizing privileges based on assignment of group or role.
V-202055 Medium The network device must implement replay-resistant authentication mechanisms for network access to privileged accounts.
V-202057 Medium The network device must enforce a minimum 15-character password length.
V-202059 Medium The network device must enforce password complexity by requiring that at least one uppercase character be used.
V-202043 Medium The network device must protect audit tools from unauthorized modification.
V-202042 Medium The network device must protect audit tools from unauthorized access.
V-202041 Medium The network device must protect audit information from unauthorized deletion.
V-202040 Medium The network device must protect audit information from unauthorized modification.
V-202044 Medium The network device must protect audit tools from unauthorized deletion.
V-202048 Medium The network device must limit privileges to change the software resident within software libraries.
V-264292 Medium The network device must be configured to disable accounts when the accounts are no longer associated to a user.
V-264293 Medium The network device must be configured to alert organization-defined personnel or roles upon detection of unauthorized access, modification, or deletion of audit information.
V-264291 Medium The network device must be configured to disable accounts when the accounts have expired.
V-264296 Medium The network device must be configured to maintain a list of commonly used, expected, or compromised passwords on an organization-defined frequency for password-based authentication.
V-264297 Medium The network device must be configured to update the list of passwords on an organization-defined frequency for password-based authentication.
V-264294 Medium The network device must be configured to implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access.
V-264295 Medium The network device must be configured to implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that the device meets organization-defined strength of mechanism requirements.
V-264298 Medium The network device must be configured to update the list of passwords when organizational passwords are suspected to have been compromised directly or indirectly for password-based authentication.
V-264299 Medium The network device must be configured to verify when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5 (1) (a) for password-based authentication.
V-202075 Medium The network device must invalidate session identifiers upon administrator logout or other session termination.
V-202094 Medium The network device must audit the execution of privileged functions.
V-202091 Medium If the network device uses discretionary access control, the network device must enforce organization-defined discretionary access control policies over defined subjects and objects.
V-202092 Medium If the network device uses role-based access control, the network device must enforce organization-defined role-based access control policies over defined subjects and objects.
V-202098 Medium The network device must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.
V-202140 Medium The network device must limit the number of concurrent sessions to an organization-defined number for each administrator account and/or administrator account type.
V-202061 Medium The network device must enforce password complexity by requiring that at least one numeric character be used.
V-202060 Medium The network device must enforce password complexity by requiring that at least one lowercase character be used.
V-202063 Medium The network device must require that when a password is changed, the characters are changed in at least eight of the positions within the password.
V-202062 Medium The network device must enforce password complexity by requiring that at least one special character be used.
V-202124 Medium The network device must generate audit records for privileged activities or other system-level access.
V-256777 Medium The network device must install security-relevant software updates within the time period directed by an authoritative source (e.g. IAVM, CTOs, DTMs, and STIGs).