| V-204636 | | AAA Services must be configured to provide automated account management functions. | Enterprise environments make account management challenging and complex. A manual process for account management functions adds the risk of a potentia... |
| V-204637 | | AAA Services must be configured to automatically remove temporary user accounts after 72 hours. | When temporary user accounts remain active after no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. ... |
| V-204638 | | AAA Services must be configured to automatically remove authorizations for temporary user accounts after 72 hours. | When temporary user accounts remain active after no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. ... |
| V-204639 | | AAA Services must be configured to automatically disable accounts after a 35-day period of account inactivity. | Attackers that are able to exploit an inactive account can potentially obtain and maintain undetected access to an application. Owners of inactive acc... |
| V-204640 | | AAA Services must be configured to automatically audit account creation. | Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomp... |
| V-204641 | | AAA Services must be configured to automatically audit account modification. | Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomp... |
| V-204642 | | AAA Services must be configured to automatically audit account disabling actions. | When application accounts are disabled, user accessibility is affected. Once an attacker establishes access to an application, the attacker often atte... |
| V-204643 | | AAA Services must be configured to automatically audit account removal actions. | When application accounts are removed, user accessibility is affected. Once an attacker establishes access to an application, the attacker often attem... |
| V-204644 | | AAA Services must be configured to automatically lock user accounts after three consecutive invalid logon attempts within a 15-minute time period. | By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, ... |
| V-204645 | | AAA Services must be configured to audit each authentication and authorization transaction. | Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident, o... |
| V-204646 | | AAA Services configuration audit records must identify what type of events occurred. | Without establishing what type of event occurred, it would be difficult to establish, correlate, and investigate the events relating to an incident, o... |
| V-204647 | | AAA Services configuration audit records must identify when (date and time) the events occurred. | Without establishing when events occurred, it is impossible to establish, correlate, and investigate the events relating to an incident.
In order to ... |
| V-204648 | | AAA Services configuration audit records must identify where the events occurred. | Without establishing where events occurred, it is impossible to establish, correlate, and investigate the events relating to an incident.
In order to... |
| V-204649 | | AAA Services configuration audit records must identify the source of the events. | Without establishing the source of the event, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack.
... |
| V-204650 | | AAA Services configuration audit records must identify the outcome of the events. | Without information about the outcome of events, security personnel cannot make an accurate assessment as to whether an attack was successful or if ch... |
| V-204651 | | AAA Services configuration audit records must identify any individual user or process associated with the event. | Without information that establishes the identity of the subjects (i.e., users or processes acting on behalf of users) associated with the events, sec... |
| V-204652 | | AAA Services must be configured to alert the SA and ISSO when any audit processing failure occurs. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notificatio... |
| V-204655 | | AAA Services must be configured to use internal system clocks to generate time stamps for audit records. | Without an internal clock used as the reference for the time stored on each event to provide a trusted common reference for the time, forensic analysi... |
| V-204656 | | AAA Services must be configured to disable non-essential modules. | It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary ca... |
| V-204659 | | AAA Services must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. | In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types... |
| V-204661 | | AAA Services must be configured to require multifactor authentication using Personal Identity Verification (PIV) credentials for authenticating privileged user accounts. | Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased.
Multifactor authentication requires ... |
| V-204662 | | AAA Services must be configured to require multifactor authentication using Common Access Card (CAC) Personal Identity Verification (PIV) credentials for authenticating non-privileged user accounts. | To assure accountability and prevent unauthenticated access, non-privileged users must utilize multifactor authentication to prevent potential misuse ... |
| V-204663 | | AAA Services used for 802.1x must be configured to uniquely identify network endpoints (supplicants) before the authenticator establishes any connection. | Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity.
For distributed architecture... |
| V-204664 | | AAA Services must be configured to enforce a minimum 15-character password length. | Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password ... |
| V-204666 | | AAA Services must be configured to enforce password complexity by requiring that at least one uppercase character be used. | Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Use of a ... |
| V-204667 | | AAA Services must be configured to enforce password complexity by requiring that at least one lowercase character be used. | Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Use of a ... |
| V-204668 | | AAA Services must be configured to enforce password complexity by requiring that at least one numeric character be used. | Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Use of a ... |
| V-204669 | | AAA Services must be configured to enforce password complexity by requiring that at least one special character be used. | Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Use of a ... |
| V-204670 | | AAA Services must be configured to require the change of at least eight of the total number of characters when passwords are changed. | Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Use of a ... |
| V-204673 | | AAA Services must be configured to enforce 24 hours as the minimum password lifetime. | Enforcing a minimum password lifetime helps prevent repeated password changes to defeat the password reuse or history enforcement requirement.
Restri... |
| V-204674 | | AAA Services must be configured to enforce a 60-day maximum password lifetime restriction. | Any password, no matter how complex, can eventually be cracked; therefore, passwords must be changed at specific intervals.
One method of minimizing... |
| V-204677 | | AAA Services must be configured to enforce authorized access to the corresponding private key for PKI-based authentication. | If the private key is discovered, an attacker can use the key to authenticate as an authorized user and gain access to the network infrastructure.
Th... |
| V-204678 | | AAA Services must be configured to map the authenticated identity to the user account for PKI-based authentication. | Without mapping the certificate used to authenticate to the user account, the ability to determine the identity of the individual user or group will n... |
| V-204680 | | AAA Services must be configured to prevent automatically removing emergency accounts. | Emergency accounts are administrator accounts that are established in response to crisis situations where the need for rapid account activation is req... |
| V-204682 | | AAA Services must be configured to notify the system administrators (SAs) and information system security officer (ISSO) when accounts are created. | Once an attacker establishes access to an application, the attacker often attempts to create a persistent method of re-establishing access. One way to... |
| V-204683 | | AAA Services must be configured to notify the system administrators (SAs) and information system security officer (ISSO) when accounts are modified. | When application accounts are modified, user accessibility is affected. Accounts are utilized for identifying individual users or for identifying the ... |
| V-204684 | | AAA Services must be configured to notify the system administrators (SAs) and information system security officer (ISSO) for account disabling actions. | When application accounts are disabled, user accessibility is affected. Accounts are utilized for identifying individual users or for identifying the ... |
| V-204685 | | AAA Services must be configured to notify the system administrators (SAs) and information system security officer (ISSO) for account removal actions. | When application accounts are removed, user accessibility is affected. Accounts are utilized for identifying users or for identifying the application ... |
| V-204686 | | AAA Services must be configured to automatically audit account enabling actions. | Once an attacker establishes access to an application, the attacker often attempts to create a persistent method of reestablishing access. One way to ... |
| V-204687 | | AAA Services must be configured to notify system administrators (SAs) and information system security officer (ISSO) of account enabling actions. | Once an attacker establishes access to an application, the attacker often attempts to create a persistent method of reestablishing access. One way to ... |
| V-204689 | | AAA Services must be configured to maintain locks on user accounts until released by an administrator. | By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, ... |
| V-204690 | | AAA Services must be configured to send audit records to a centralized audit server. | Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
Off-loading is a common process in information s... |
| V-204691 | | AAA Services must be configured to use or map to Coordinated Universal Time (UTC) to record time stamps for audit records. | If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis.
Time stamps generate... |
| V-204692 | | AAA Services must be configured with a minimum granularity of one second to record time stamps for audit records. | Without sufficient granularity of time stamps, it is not possible to adequately determine the chronological order of records.
Time stamps generated ... |
| V-204693 | | AAA Services used for 802.1x must be configured to authenticate network endpoint devices (supplicants) before the authenticator establishes any connection. | Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity.
For distributed architect... |
| V-204696 | | AAA Services must be configured to authenticate all NTP messages received from NTP servers and peers. | Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular ev... |
| V-204698 | | AAA Services used for 802.1x must be configured to use secure Extensible Authentication Protocol (EAP), such as EAP-TLS, EAP-TTLS, and PEAP. | Additional new EAP methods/types are still being proposed. However, the three being considered secure are EAP-TLS, EAP-TTLS, and PEAP. PEAP is the pre... |
| V-204699 | | AAA Services must not be configured with shared accounts. | Shared accounts configured for use on a network device do not allow for accountability or repudiation of individuals using them. If shared accounts ar... |
| V-204700 | | AAA Services used to authenticate privileged users for device management must be configured to connect to the management network. | Using standardized authentication protocols such as RADIUS, TACACS+, and Kerberos, an authentication server provides centralized and robust authentica... |
| V-204701 | | AAA Services must be configured to use a unique shared secret for communication (i.e. RADIUS, TACACS+) with clients requesting authentication services. | Using standardized authentication protocols such as RADIUS, TACACS+, and Kerberos, an authentication server provides centralized and robust authentica... |
| V-204702 | | AAA Services must be configured to use IP segments separate from production VLAN IP segments. | When policy assessment and remediation have been implemented and the advanced AAA server dynamic VLAN is misconfigured, logical separation of the prod... |
| V-204703 | | AAA Services must be configured to place non-authenticated network access requests in the Unauthorized VLAN or the Guest VLAN with limited access. | Devices having an IP address that do not pass authentication can be used to attack compliant devices if they share VLANs. When devices proceed into th... |
| V-204704 | | AAA Services must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. | Configuring the application to implement organization-wide security implementation guides and security checklists ensures compliance with federal stan... |
| V-263527 | | AAA Services must be configured to disable accounts when the accounts have expired. | Disabling expired, inactive, or otherwise anomalous accounts supports the concepts of least privilege and least functionality, which reduce the attack... |
| V-263528 | | AAA Services must be configured to disable accounts when the accounts are no longer associated to a user. | Disabling expired, inactive, or otherwise anomalous accounts supports the concepts of least privilege and least functionality, which reduce the attack... |
| V-263529 | | AAA Services must be configured to disable accounts when the accounts are in violation of organizational policy. | Disabling expired, inactive, or otherwise anomalous accounts supports the concepts of least privilege and least functionality, which reduce the attack... |
| V-263530 | | AAA Services must be configured to automatically generate audit records of the enforcement actions. | Organizations log system accesses associated with applying configuration changes to ensure that configuration change control is implemented and to sup... |
| V-263531 | | AAA Services must be configured to require users to be individually authenticated before granting access to the shared accounts or resources. | Individual authentication prior to shared group authentication mitigates the risk of using group accounts or authenticators.... |
| V-263532 | | For password-based authentication, AAA Services must be configured to update the list of passwords on an organization-defined frequency. | Password-based authentication applies to passwords regardless of whether they are used in single-factor or multi-factor authentication. Long passwords... |
| V-263533 | | For password-based authentication, AAA Services must be configured to update the list of passwords when organizational passwords are suspected to have been compromised directly or indirectly. | Password-based authentication applies to passwords regardless of whether they are used in single-factor or multi-factor authentication. Long passwords... |
| V-263534 | | For password-based authentication, AAA Services must be configured to verify when users create or update passwords, and that the passwords are not on the list of commonly-used, expected, or compromised passwords in IA-5 (1) (a). | Password-based authentication applies to passwords regardless of whether they are used in single-factor or multi-factor authentication. Long passwords... |
| V-263535 | | For password-based authentication, AAA Services must be configured to require immediate selection of a new password upon account recovery. | Password-based authentication applies to passwords regardless of whether they are used in single-factor or multi-factor authentication. Long passwords... |
| V-263536 | | For password-based authentication, AAA Services must be configured to allow user selection of long passwords and passphrases, including spaces and all printable characters. | Password-based authentication applies to passwords regardless of whether they are used in single-factor or multi-factor authentication. Long passwords... |
| V-263537 | | For password-based authentication, AAA Services must be configured to employ automated tools to assist the user in selecting strong password authenticators. | Password-based authentication applies to passwords regardless of whether they are used in single-factor or multi-factor authentication. Long passwords... |
| V-263538 | | For public key-based authentication, AAA Services must be configured to implement a local cache of revocation data to support path discovery and validation. | Public key cryptography is a valid authentication mechanism for individuals, machines, and devices. For PKI solutions, status information for certific... |
| V-263539 | | AAA Services must be configured to include only approved trust anchors in trust stores or certificate stores managed by the organization. | Public key infrastructure (PKI) certificates are certificates with visibility external to organizational systems and certificates related to the inter... |
| V-204681 | | AAA Services must be configured to prevent automatically disabling emergency accounts. | Emergency accounts are administrator accounts that are established in response to crisis situations where the need for rapid account activation is req... |
| V-204695 | | AAA Services must be configured to use at least two NTP servers to synchronize time. | Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular ev... |
| V-204697 | | AAA Services must be configured to use their loopback or OOB management interface address as the source address when originating NTP traffic. | Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular ev... |
| V-204657 | | AAA Services must be configured to use secure protocols when connecting to directory services. | Authenticity protection provides protection against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions.
... |
| V-204658 | | AAA Services must be configured to use protocols that encrypt credentials when authenticating clients, as defined in the PPSM CAL and vulnerability assessments. | Authentication protection of the client credentials (specifically the password or shared secret) prevents unauthorized access to resources. The RADIUS... |
| V-204660 | | AAA Services must be configured to uniquely identify and authenticate organizational users. | To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and... |
| V-204671 | | For password-based authentication, AAA Services must be configured to store passwords using an approved salted key derivation function, preferably using a keyed hash. | Passwords must be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be ... |
| V-204672 | | AAA Services must be configured to encrypt transmitted credentials using a FIPS-validated cryptographic module. | Passwords need to be protected at all times and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can b... |
| V-204675 | | AAA Services must be configured to only accept certificates issued by a DoD-approved Certificate Authority for PKI-based authentication. | Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly tru... |
| V-204676 | | AAA Services must be configured to not accept certificates that have been revoked for PKI-based authentication. | Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly tru... |
| V-204679 | | AAA Services must be configured to protect the confidentiality and integrity of all information at rest. | Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive and tape drive) within an or... |
