| V-253512 | | DocAve must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access. | Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that explo... |
| V-253515 | | DocAve must use multifactor authentication for network access to privileged accounts. | Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. Multifactor authentication requires ... |
| V-253516 | | The underlying IIS platform must be configured for Smart Card (CAC) Authorization. | Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. Multifactor authentication requires ... |
| V-253510 | | DocAve must limit the number of concurrent sessions to an organization-defined number for all accounts and/or account types. | Application management includes the ability to control the number of users and user sessions that utilize an application. Limiting the number of allow... |
| V-253511 | | DocAve must initiate a session lock after a 15-minute period of inactivity. | A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information syst... |
| V-253513 | | DocAve must provide automated mechanisms for supporting account management functions. | Remote access (e.g., Remote Desktop Protocol [RDP]) is access to DoD nonpublic information systems by an authorized user (or an information system) co... |
| V-253514 | | DocAve must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. | In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types... |
| V-253517 | | DocAve must control remote access methods. | Remote access applications, such as those providing remote access to network devices and information systems, which lack automated control capabilitie... |
| V-253518 | | DocAve must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions. | Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DoD syst... |