| V-256839 | | Compliance Guardian must limit the number of concurrent sessions to an organization-defined number for all accounts and/or account types. | Application management includes the ability to control the number of users and user sessions that utilize an application. Limiting the number of allow... |
| V-256840 | | Compliance Guardian must initiate a session timeout after a 15-minute period of inactivity. | A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information syst... |
| V-256842 | | Compliance Guardian must provide automated mechanisms for supporting account management functions. | Remote access (e.g., Remote Desktop Protocol [RDP]) is access to DOD nonpublic information systems by an authorized user (or an information system) co... |
| V-256843 | | Compliance Guardian must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. | In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types... |
| V-256845 | | Compliance Guardian must control remote access methods. | Remote access applications (such as those providing remote access to network devices and information systems) which lack automated control capabilitie... |
| V-256846 | | Compliance Guardian must accept FICAM-approved third-party credentials. | Access may be denied to legitimate users if FICAM-approved third-party credentials are not accepted. This requirement typically applies to organizat... |
| V-256847 | | Compliance Guardian must conform to FICAM-issued profiles. | Without conforming to FICAM-issued profiles, the information system may not be interoperable with FICAM-authentication protocols, such as SAML 2.0 and... |
| V-256848 | | Compliance Guardian must only allow the use of DOD PKI established certificate authorities for verification of the establishment of protected sessions. | Untrusted Certificate Authorities (CAs) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DOD sys... |
| V-256841 | | Compliance Guardian must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access. | Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that explo... |
| V-256844 | | Compliance Guardian must use multifactor authentication for network access to privileged accounts. | Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. Multifactor authentication requires ... |
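The first two rows (V-256839, concurrent session limit; V-256840, 15-minute inactivity timeout) describe controls an application enforces in its session layer. The following is an added example, not code from the AvePoint Compliance Guardian product or from the STIG, of a minimal in-memory session table that enforces both: the maximum of three concurrent sessions per account is an assumed organization-defined value, the session identifier scheme is an assumption, and the caller supplies the clock so the behaviour at the 15-minute boundary can be checked deterministically.

```python
import secrets
from dataclasses import dataclass

SESSION_IDLE_LIMIT_SECONDS = 15 * 60   # V-256840: end the session after 15 minutes idle
MAX_CONCURRENT_SESSIONS = 3            # V-256839: organization-defined limit (assumed value)


@dataclass
class Session:
    user: str
    last_activity: float   # seconds on whatever clock the caller uses (monotonic recommended)


class SessionStore:
    """In-memory session table enforcing the two controls above (example code)."""

    def __init__(self, max_concurrent=MAX_CONCURRENT_SESSIONS,
                 idle_limit=SESSION_IDLE_LIMIT_SECONDS):
        self.max_concurrent = max_concurrent
        self.idle_limit = idle_limit
        self._sessions = {}   # session id -> Session

    def _expire(self, now):
        """Drop every session idle for the limit or longer; returns the ids removed."""
        stale = [sid for sid, s in self._sessions.items()
                 if now - s.last_activity >= self.idle_limit]
        for sid in stale:
            del self._sessions[sid]
        return stale

    def active_for(self, user, now):
        """Live session ids held by one account, after expiring idle ones."""
        self._expire(now)
        return [sid for sid, s in self._sessions.items() if s.user == user]

    def login(self, user, now):
        """Create a session, or refuse when the account already holds the maximum.
        Expired sessions are purged first, so a slot freed by the timeout is reusable."""
        if len(self.active_for(user, now)) >= self.max_concurrent:
            raise PermissionError(f"{user}: concurrent session limit reached")
        sid = secrets.token_urlsafe(32)   # 256-bit random id (assumed scheme)
        self._sessions[sid] = Session(user=user, last_activity=now)
        return sid

    def touch(self, sid, now):
        """Validate the session presented with a request. Refreshes the activity
        timestamp and returns True, or returns False (and the session is gone)
        when it has been idle for the limit or was never valid."""
        self._expire(now)
        s = self._sessions.get(sid)
        if s is None:
            return False
        s.last_activity = now
        return True

    def logout(self, sid):
        self._sessions.pop(sid, None)


if __name__ == "__main__":
    store = SessionStore(max_concurrent=2)
    first = store.login("alice", now=0)
    second = store.login("alice", now=10)
    try:
        store.login("alice", now=20)
    except PermissionError as err:
        print("third login refused:", err)
    print("first still valid at 14:59:", store.touch(first, now=899))
    print("second valid after 15:00 idle:", store.touch(second, now=910))
```

The check that matters for an assessor is the boundary: a request arriving exactly 15 minutes after the last activity is rejected, and the slot it held becomes available to a new login, so the concurrency limit cannot be exhausted by abandoned sessions.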
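Rows V-256848 (only DoD PKI certificate authorities may be used to verify protected sessions) and V-256841 (TLS 1.2 at a minimum) together define what a compliant TLS client configuration looks like. The following is an added example, not the product's code, of a Python `ssl` client context that meets both, shown beside the legacy configuration the rows are written against, with an audit function that reports which of the four properties a given context fails. The CA bundle path is a hypothetical placeholder; a real deployment points it at the DoD root and intermediate bundle, and the audit can only confirm that some trust anchors are loaded, not that they are the DoD ones.

```python
import ssl

# Hypothetical location of the DoD PKI root bundle (assumption, not from the STIG).
DOD_CA_BUNDLE = "/etc/pki/dod/dod_roots.pem"


def hardened_client_context(cafile=None):
    """TLS client context as the two rows require: TLS 1.2 floor, peer certificate
    mandatory, hostname checked, and trust limited to the bundle given rather
    than the platform default store."""
    # PROTOCOL_TLS_CLIENT already sets verify_mode=CERT_REQUIRED and check_hostname=True
    # and deliberately loads no CA certificates.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if cafile is not None:
        ctx.load_verify_locations(cafile=cafile)   # e.g. DOD_CA_BUNDLE; nothing else
    return ctx


def legacy_client_context():
    """The weak configuration: any protocol version the library still speaks,
    no certificate or hostname verification."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.check_hostname = False          # must be cleared before verify_mode can drop
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_tls_context(ctx):
    """Return the list of findings for a context; an empty list means it passes."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("min-version-below-tls12")          # V-256841
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer-cert-not-required")           # V-256848
    if not ctx.check_hostname:
        findings.append("hostname-not-checked")             # V-256848
    if ctx.cert_store_stats()["x509_ca"] == 0:
        findings.append("no-trust-anchors-loaded")          # V-256848: no CA to verify against
    return findings


if __name__ == "__main__":
    print("legacy:", audit_tls_context(legacy_client_context()))
    print("hardened, bundle not loaded:", audit_tls_context(hardened_client_context()))
    # With the DoD bundle present on disk, hardened_client_context(DOD_CA_BUNDLE)
    # loads those roots only, and the last finding clears.
```

Two details are worth noting when reviewing real configurations: `load_default_certs()` would pull in the operating system's trust store and violate V-256848 even though the audit above would show anchors loaded, and `minimum_version` is the right knob for V-256841 because the older `OP_NO_TLSv1`/`OP_NO_TLSv1_1` option bits are deprecated and easy to leave incomplete.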