UCF STIG Viewer Logo

Network Device Management Security Requirements Guide


Overview

Date Finding Count (142)
2017-07-07 CAT I (High): 0 CAT II (Med): 142 CAT III (Low): 0
STIG Description
The Network Device Management Security Requirements Guide (SRG) is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the NIST 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-55219 Medium The network device must prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization.
V-55215 Medium If the network device uses discretionary access control, the network device must enforce organization-defined discretionary access control policies over defined subjects and objects.
V-55217 Medium If the network device uses role-based access control, the network device must enforce organization-defined role-based access control policies over defined subjects and objects.
V-55211 Medium The network device must be compliant with at least one IETF Internet standard authentication protocol.
V-55213 Medium The network device must use cryptographic mechanisms to protect the integrity of audit information at rest.
V-55295 Medium The network device must generate audit log events for a locally developed list of auditable events.
V-55045 Medium The network device must automatically audit account modification.
V-55169 Medium The network device must protect audit information from any type of unauthorized read access.
V-55047 Medium The network device must automatically audit account disabling actions.
V-55291 Medium The network device must notify the administrator of the number of successful login attempts occurring during an organization-defined time period.
V-55041 Medium The network device must automatically disable accounts after a 35-day period of account inactivity.
V-55293 Medium The network device must use automated mechanisms to alert security personnel to threats identified by authoritative sources (e.g. CTOs) and IAW with CJCSM 6510.01B.
V-55043 Medium The network device must automatically audit account creation.
V-55163 Medium The network device must recognize only system-generated session identifiers.
V-55161 Medium The network device must invalidate session identifiers upon administrator logout or other session termination.
V-55167 Medium The network device must generate unique session identifiers using a FIPS 140-2 approved random number generator.
V-55049 Medium The network device must automatically audit account removal actions.
V-55165 Medium The network device must use internal system clocks to generate time stamps for audit records.
V-55209 Medium The network device must back up audit records at least every seven days onto a different system or system component than the system or component being audited.
V-55203 Medium The network device must automatically audit account enabling actions.
V-55201 Medium The network device must terminate shared/group account credentials when members leave the group.
V-55207 Medium The network device must notify System Administrators (SAs) and Information System Security Officers (ISSMs) when accounts are created, or enabled when previously disabled.
V-55205 Medium The network device must protect audit tools from unauthorized deletion.
V-55071 Medium The network device must notify the administrator, upon successful logon (access), of the location of last logon (terminal or IP address) in addition to the date and time of the last logon (access).
V-55283 Medium The network device must generate audit records when concurrent logons from different workstations occur.
V-55073 Medium The network device must provide the capability for organization-identified individuals or roles to change the auditing to be performed based on all selectable event criteria within near-real-time.
V-55281 Medium The network device must generate audit records showing starting and ending time for administrator access to the system.
V-55075 Medium The network device must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.
V-55287 Medium The network device must off-load audit records onto a different system or media than the system being audited.
V-55077 Medium The network device must generate an immediate alert when allocated audit record storage volume reaches 75% of repository maximum audit record storage capacity.
V-55285 Medium The network device must generate audit records for all account creations, modifications, disabling, and termination events.
V-55079 Medium The network device must generate an immediate real-time alert of all audit failure events requiring real-time alerts.
V-55171 Medium The network device must only allow authorized administrators to view or change the device configuration, system files, and other files stored either in the device or on removable media (such as a flash drive).
V-55289 Medium The network device must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
V-55175 Medium The network device or authentication server must never automatically remove or disable emergency administrator accounts.
V-55177 Medium The application must reveal error messages only to authorized individuals (ISSO, ISSM, and SA).
V-55145 Medium The network device must map the authenticated identity to the user account for PKI-based authentication.
V-55147 Medium The network device must generate audit records containing the full-text recording of privileged commands.
V-55141 Medium The network device, when utilizing PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
V-55143 Medium The network device must generate audit records containing information that establishes the identity of any individual or process associated with the event.
V-55179 Medium The network device must protect audit information from unauthorized deletion.
V-55149 Medium The network device must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
V-55173 Medium The network device must protect audit information from unauthorized modification.
V-55197 Medium Network devices must provide a logout capability for administrator-initiated communication sessions.
V-55279 Medium The network device must generate audit records for privileged activities or other system-level access.
V-55069 Medium The network device must automatically lock the account until the locked account is released by an administrator when three unsuccessful login attempts in 15 minutes are exceeded.
V-55277 Medium The network device must generate audit records when successful/unsuccessful logon attempts occur.
V-55067 Medium The network device must audit the execution of privileged functions.
V-55275 Medium The network device must generate audit records when successful/unsuccessful attempts to delete administrator privileges occur.
V-55065 Medium The network device must notify the administrator of changes to access and/or privilege parameters of the administrators account that occurred since the last logon.
V-55273 Medium The network device must generate audit records when successful/unsuccessful attempts to modify administrator privileges occur.
V-55063 Medium Upon successful login, the network device must notify the administrator of the number of unsuccessful login attempts since the last successful login.
V-55271 Medium If the network device uses mandatory access control, the network device must enforce organization-defined mandatory access control policies over all subjects and objects.
V-55061 Medium Upon successful login, the network device must notify the administrator of the date and time of the last login.
V-55093 Medium The network device must initiate session auditing upon startup.
V-55091 Medium The network device must generate audit records when successful/unsuccessful attempts to access privileges occur.
V-55097 Medium The network device must produce audit records containing information to establish when (date and time) the events occurred.
V-55095 Medium The network device must produce audit log records containing sufficient information to establish what type of event occurred.
V-55099 Medium The network device must produce audit records containing information to establish where the events occurred.
V-55303 Medium The network device must employ automated mechanisms to centrally verify authentication settings.
V-55153 Medium The network device must use FIPS 140-2 approved algorithms for authentication to a cryptographic module.
V-55301 Medium The network device must employ automated mechanisms to centrally apply authentication settings.
V-55151 Medium The network device must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.
V-55307 Medium The network device must support organizational requirements to conduct backups of system level information contained in the information system when changes occur or weekly, whichever is sooner.
V-55157 Medium The network device must shut down by default upon audit failure (unless availability is an overriding concern).
V-55305 Medium The network device must employ automated mechanisms to detect the addition of unauthorized components or devices.
V-55155 Medium The network device must terminate all sessions and network connections when nonlocal device maintenance is completed.
V-55309 Medium The network device must support organizational requirements to conduct backups of information system documentation, including security-related documentation, when changes occur or weekly, whichever is sooner.
V-55159 Medium The network device must terminate all network connections associated with a device management session at the end of the session, or the session must be terminated after 10 minutes of inactivity except to fulfill documented and validated mission requirements.
V-55269 Medium The network device must protect against or limit the effects of all known types of Denial of Service (DoS) attacks on the network device management network by employing organization-defined security safeguards.
V-55265 Medium The network devices must use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of nonlocal maintenance and diagnostic communications.
V-55267 Medium Applications used for nonlocal maintenance sessions must implement cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications.
V-63997 Medium The network device must not have any default manufacturer passwords when deployed.
V-55261 Medium The network device must prohibit the use of cached authenticators after an organization-defined time period.
V-55263 Medium Network devices performing maintenance functions must restrict use of these functions to authorized personnel only.
V-55127 Medium If multifactor authentication is not supported and passwords must be used, the network device must require that when a password is changed, the characters are changed in at least eight of the positions within the password.
V-55081 Medium The network device must compare internal information system clocks at least every 24 hours with an authoritative time server.
V-55083 Medium The network device must synchronize internal information system clocks to the authoritative time source when the time difference is greater than the organization-defined time period.
V-55085 Medium The network device must protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.
V-55087 Medium The network device must provide audit record generation capability for DoD-defined auditable events within the network device.
V-55089 Medium The network device must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.
V-55311 Medium The network device must employ automated mechanisms to assist in the tracking of security incidents.
V-55313 Medium The network device must obtain its public key certificates from an appropriate certificate policy through an approved service provider.
V-55315 Medium The network device must limit privileges to change the software resident within software libraries.
V-55297 Medium The network device must enforce access restrictions associated with changes to the system components.
V-55259 Medium The network device must allow the use of a temporary password for system logons with an immediate change to a permanent password.
V-55125 Medium If multifactor authentication is not supported and passwords must be used, the network device must enforce password complexity by requiring that at least one special character be used.
V-55123 Medium If multifactor authentication is not supported and passwords must be used, the network device must enforce password complexity by requiring that at least one numeric character be used.
V-55121 Medium If multifactor authentication is not supported and passwords must be used, the network device must enforce password complexity by requiring that at least one lower-case character be used.
V-55131 Medium The network device must store only encrypted representations of passwords.
V-55251 Medium The network device must accept Personal Identity Verification (PIV) credentials.
V-55253 Medium The network device must electronically verify Personal Identity Verification (PIV) credentials.
V-55255 Medium The network device must authenticate network management SNMP endpoints before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based.
V-55257 Medium The network device must dynamically manage identifiers.
V-55035 Medium The network device must retain the session lock until the administrator reestablishes access using established identification and authentication procedures.
V-55247 Medium The network device must require users to re-authenticate when privilege escalation or role changes occur.
V-55037 Medium The network element must provide automated support for account management functions.
V-55245 Medium The network device must audit the enforcement actions used to restrict access associated with changes to the device.
V-55031 Medium The network device must initiate a session lock after a 15-minute period of inactivity.
V-55243 Medium The network device must enforce access restrictions associated with changes to device configuration.
V-55033 Medium The application or console being used to administer a network device must provide the capability for network administrators to directly initiate a session lock.
V-55299 Medium Accounts for device management must be configured on the authentication server and not the network device itself, except for the account of last resort.
V-55039 Medium The network device must automatically remove or disable temporary user accounts after 72 hours.
V-55135 Medium The network device must enforce 24 hours as the minimum password lifetime.
V-55137 Medium The network device must produce audit records that contain information to establish the outcome of the event.
V-55129 Medium The network device must produce audit log records containing information to establish the source of events.
V-55133 Medium The network device must transmit only encrypted representations of passwords.
V-55139 Medium The network device must enforce a 60-day maximum password lifetime restriction.
V-55189 Medium The network device must generate alerts that can be forwarded to the administrators and IAO when accounts are disabled.
V-55231 Medium The network device must be configured to synchronize internal information system clocks with the primary and secondary time sources located in different geographic regions using redundant authoritative time sources.
V-55237 Medium The network device must generate an alert that will then be sent to the ISSO, ISSM, and other designated personnel (deemed appropriate by the local organization) when the unauthorized installation of software is detected.
V-55027 Medium The network device must limit the number of concurrent sessions to an organization-defined number for each administrator account and/or administrator account type.
V-55235 Medium The network device must record time stamps for audit records that meet a granularity of one second for a minimum degree of precision.
V-55181 Medium The network device must activate a system alert message, send an alarm, and/or automatically shut down when a component failure is detected.
V-55239 Medium The network device must prohibit installation of software without explicit privileged status.
V-55029 Medium The network device must conceal, via the session lock, information previously visible on the display with a publicly viewable image.
V-55185 Medium The network device must generate alerts that can be forwarded to the administrators and IAO when accounts are created.
V-55187 Medium The network device must generate alerts that can be forwarded to the administrators and ISSO when accounts are modified.
V-55101 Medium The network device must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services
V-55103 Medium The network device must uniquely identify and authenticate organizational administrators (or processes acting on behalf of organizational administrators).
V-55105 Medium The network device must use multifactor authentication for network access to privileged accounts.
V-55107 Medium The network device must use multifactor authentication for local access to privileged accounts.
V-55109 Medium The network device must ensure administrators are authenticated with an individual authenticator prior to using a group authenticator.
V-55233 Medium The network device must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
V-64001 Medium In the event the authentication server is unavailable, there must be one local account created for use as the account of last resort.
V-55195 Medium The network device must automatically terminate a network administrator session after organization-defined conditions or trigger events requiring session disconnect.
V-55193 Medium The network device must generate alerts that can be forwarded to the administrators and IAO when accounts are removed.
V-55191 Medium The network device must protect audit tools from unauthorized modification.
V-55199 Medium The network device must display an explicit logout message to administrators indicating the reliable termination of authenticated communications sessions.
V-68747 Medium The network device must authenticate Network Time Protocol sources using authentication that is cryptographically based.
V-55221 Medium The network device must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
V-55113 Medium The network device must disable identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.
V-55057 Medium The network device must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the device.
V-55055 Medium The network device must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.
V-55053 Medium The network device must enforce approved authorizations for controlling the flow of management information within the network device based on information flow control policies.
V-55051 Medium The network device must enforce the assigned privilege level for each administrator and authorizations for access to all commands relative to the privilege level in accordance with applicable policy for the device.
V-55119 Medium If multifactor authentication is not supported and passwords must be used, the network device must enforce password complexity by requiring that at least one upper-case character be used.
V-55117 Medium The network device must prohibit password reuse for a minimum of five generations.
V-55115 Medium The network device must enforce a minimum 15-character password length.
V-55183 Medium The network device must protect audit tools from unauthorized access.
V-55059 Medium The network device must retain the Standard Mandatory DoD Notice and Consent Banner on the screen until the administrator acknowledges the usage conditions and takes explicit actions to log on for further access.
V-55111 Medium The network device must implement replay-resistant authentication mechanisms for network access to privileged accounts.