| Vuln ID | | Rule Title | Discussion |
|---|---|---|---|
| V-255947 | | The Arista network device must limit the number of concurrent sessions to an organization-defined number for each administrator account and/or administrator account type. | Device management includes the ability to control the number of administrators and management sessions that manage a device. Limiting the number of al... |
| V-255948 | | The Arista network device must enforce approved authorizations for controlling the flow of management information within the network device based on information flow control policies. | A mechanism to detect and prevent unauthorized communication flow must be configured or provided as part of the system design. If management informati... |
| V-255949 | | The Arista network device must be configured to enforce the limit of three consecutive invalid logon attempts, after which time it must block any login attempt for 15 minutes. | By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, ... |
| V-255950 | | The Arista network device must display the Standard Mandatory DOD Notice and Consent Banner before granting access to the device. | Display of the DOD-approved use notification before granting access to the network device ensures privacy and security notification verbiage used is c... |
| V-255951 | | The Arista network device must be configured to audit all administrator activity. | This requirement supports non-repudiation of actions taken by an administrator and is required in order to maintain the integrity of the configuration... |
| V-255953 | | The Arista network device must be configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable. | Authentication for administrative (privileged level) access to the device is required at all times. An account can be created on the device's local da... |
| V-255954 | | The Arista network device must enforce a minimum 15-character password length. | Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password ... |
| V-255957 | | If the Arista network device uses role-based access control, the network device must enforce organization-defined role-based access control policies over defined subjects and objects. | Organizations can create specific roles based on job functions and the authorizations (i.e., privileges) to perform needed operations on organizationa... |
| V-255958 | | The Arista network device must be configured to synchronize internal system clocks using redundant authenticated time sources. | The loss of connectivity to a particular authoritative time source will result in the loss of time synchronization (free-run mode) and increasingly in... |
| V-255959 | | The Arista network device must be configured to authenticate SNMP messages using a FIPS-validated Keyed-Hash Message Authentication Code (HMAC). | Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authenticati... |
| V-255962 | | The Arista network device must be configured to capture all DOD auditable events. | Auditing and logging are key components of any security architecture. Logging the actions of specific events provides a means to investigate an attack... |
| V-255964 | | The network device must be configured to conduct backups of system level information contained in the information system when changes occur. | System-level information includes default and customized settings and security attributes, including ACLs that relate to the network device configurat... |
| V-255965 | | The Arista network device must obtain its public key certificates from an appropriate certificate policy through an approved service provider. | For user certificates, each organization obtains certificates from an approved, shared service provider, as required by OMB policy. For federal agenci... |
| V-255952 | | The Arista network device must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services. | To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within d... |
| V-255955 | | The Arista network device must use FIPS 140-2 approved algorithms for authentication to a cryptographic module. | Unapproved mechanisms used for authentication to the cryptographic module are not validated and therefore cannot be relied upon to provide confidentia... |
| V-255956 | | The Arista network device must terminate all network connections associated with a device management session at the end of the session, or the session must be terminated after 10 minutes of inactivity except to fulfill documented and validated mission requirements. | Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management se... |
| V-255960 | | The Arista network device must use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of remote maintenance sessions. | Unapproved mechanisms used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidential... |
| V-255961 | | The Arista network device must be configured to implement cryptographic mechanisms using a FIPS 140-2 approved algorithm to protect the confidentiality of remote maintenance sessions. | This requires the use of secure protocols instead of their unsecured counterparts, such as SSH instead of telnet, SCP instead of FTP, and HTTPS instea... |
| V-255963 | | The network device must be configured to use an authentication server to authenticate users prior to granting administrative access. | Centralized management of authentication settings increases the security of remote and nonlocal access methods. This control is particularly important... |
| V-255966 | | The Arista network device must be configured to send log data to a central log server for the purpose of forwarding alerts to the administrators and the ISSO. | The aggregation of log data kept on a syslog server can be used to detect attacks and trigger an alert to the appropriate security personnel. The stor... |
| V-255967 | | The Arista network device must be running an operating system release that is currently supported by the vendor. | Network devices running an unsupported operating system lack current security fixes required to mitigate the risks associated with recent vulnerabilit... |
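Each row above is a single configuration requirement, and most of them can be verified from the text of `show running-config` without touching the device. The script below is an added example, not DISA's check content, an Arista tool, or code from this page: it parses an EOS-style configuration into top-level lines and their indented children, then evaluates seven of the listed rules (lockout, banner, SSH idle timeout, authenticated redundant NTP, SNMPv3 with HMAC-SHA, AAA server before local fallback, remote syslog). Both sample configurations are constructed, and the EOS command forms it matches on (`aaa authentication policy lockout ...`, `management ssh` / `idle-timeout`, `ntp server ... key N`, `snmp-server user ... v3 auth sha`, `logging host`) are assumed from the EOS CLI rather than taken from the page; confirm them against the STIG's own check text and your EOS release before relying on the results.

```python
"""Offline audit of an Arista EOS running-config against a subset of the NDM STIG rules.
Added example; EOS syntax below is assumed, and both sample configs are constructed."""
import re
from typing import Dict, List, Tuple

Block = Tuple[str, List[str]]  # (top-level config line, its indented child lines)


def parse_blocks(config: str) -> List[Block]:
    """Split an EOS-style config into blocks. Banner bodies (unindented, terminated by EOF)
    are attached to their 'banner ...' line so they can be inspected like any other block."""
    blocks: List[Block] = []
    in_banner = False
    for raw in config.splitlines():
        line = raw.rstrip()
        if in_banner:
            if line.strip() == "EOF":
                in_banner = False
            else:
                blocks[-1][1].append(line)
            continue
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if line[0] in " \t":
            if blocks:
                blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
            in_banner = line.startswith("banner ")
    return blocks


def _children(blocks: List[Block], head_prefix: str) -> List[str]:
    return [c for head, kids in blocks if head.startswith(head_prefix) for c in kids]


def audit(config: str) -> Dict[str, bool]:
    """Return {STIG vuln ID: compliant?} for the rules this example covers."""
    blocks = parse_blocks(config)
    top = [head for head, _ in blocks]
    f: Dict[str, bool] = {}

    # V-255949: block logins for 15 min (900 s) after 3 consecutive failures.
    # Assumed form: aaa authentication policy lockout failure N [window W] duration D
    lock = [re.match(r"aaa authentication policy lockout failure (\d+)(?: window \d+)? duration (\d+)$", h)
            for h in top]
    f["V-255949"] = any(int(m.group(1)) <= 3 and int(m.group(2)) >= 900 for m in lock if m)

    # V-255950: a login banner with a non-empty body must exist.
    f["V-255950"] = bool(_children(blocks, "banner login"))

    # V-255956: SSH sessions must time out after at most 10 idle minutes (0 = disabled).
    idle = [re.match(r"idle-timeout (\d+)$", c) for c in _children(blocks, "management ssh")]
    idle_vals = [int(m.group(1)) for m in idle if m]
    f["V-255956"] = bool(idle_vals) and all(0 < t <= 10 for t in idle_vals)

    # V-255958: NTP authentication on, and at least two servers each bound to a key.
    keyed = [h for h in top if re.match(r"ntp server \S+ .*\bkey \d+", h)]
    f["V-255958"] = "ntp authenticate" in top and len(keyed) >= 2

    # V-255959: only SNMPv3 users with HMAC-SHA authentication; no v1/v2c communities.
    v3_users = [h for h in top if h.startswith("snmp-server user ")]
    f["V-255959"] = (bool(v3_users) and all(" v3 auth sha" in u for u in v3_users)
                     and not any(h.startswith("snmp-server community ") for h in top))

    # V-255963: default login method list reaches a AAA server group before local fallback.
    login = [h for h in top if h.startswith("aaa authentication login default ")]
    f["V-255963"] = any(re.search(r"group (tacacs\+|radius).* local$", h) for h in login)

    # V-255966: at least one remote syslog destination (optionally in a VRF).
    f["V-255966"] = any(re.match(r"logging (vrf \S+ )?host \S+", h) for h in top)
    return f


# Constructed sample: hardened configuration (all seven checks should pass).
HARDENED = """\
aaa authentication login default group tacacs+ local
aaa authentication policy lockout failure 3 window 900 duration 900
!
banner login
Standard Mandatory DOD Notice and Consent Banner text goes here.
EOF
!
management ssh
   idle-timeout 10
!
ntp authenticate
ntp authentication-key 1 sha1 7 0123456789abcdef
ntp trusted-key 1
ntp server 192.0.2.10 key 1
ntp server 192.0.2.11 key 1
!
snmp-server user monitor stig-ro v3 auth sha AuthPlaceholder priv aes PrivPlaceholder
logging vrf MGMT host 192.0.2.50
"""

# Constructed sample: weak configuration (only the syslog check should pass).
WEAK = """\
aaa authentication login default local
management ssh
   idle-timeout 0
ntp server 192.0.2.10
snmp-server community public ro
logging host 192.0.2.50
"""

if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, {k: ("pass" if v else "FAIL") for k, v in audit(cfg).items()})
```

Rules the script does not cover (concurrent-session limits, RBAC policy, unsupported OS releases, certificate provenance, backups) need the device's own `show` output or organizational records rather than the running-config, so an audit like this is a first pass, not evidence of full STIG compliance.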