| V-283924 | | Fly Server must limit the number of concurrent sessions for all accounts and/or account types. | Application management includes the ability to control the number of users and user sessions that use an application. Limiting the number of allowed u... |
| V-283925 | | Fly Server must automatically disable accounts after a 35-day period of account inactivity. | Attackers that are able to exploit an inactive account can potentially obtain and maintain undetected access to an application. Owners of inactive acc... |
| V-283926 | | Fly Server must enforce the limit of three consecutive invalid logon attempts by a user during a 15 minute time period. | By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, ... |
| V-283927 | | Fly Server must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL) and vulnerability assessments. | Authenticity protection provides protection against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions.
... |
| V-283929 | | Fly Server must enforce a minimum 15-character password length. | The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.
Password complexit... |
| V-283930 | | Fly Server must enforce password complexity by requiring that at least one uppercase character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-283931 | | Fly Server must enforce password complexity by requiring that at least one lowercase character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-283932 | | Fly Server must enforce password complexity by requiring that at least one numeric character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-283933 | | Fly Server must enforce password complexity by requiring that at least one special character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-283934 | | Fly Server must require the change of at least eight of the total number of characters when passwords are changed. | If the application allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increa... |
| V-283935 | | Fly Server must enforce 24 hours/1 day as the minimum password lifetime. | Enforcing a minimum password lifetime helps prevent repeated password changes to defeat the password reuse or history enforcement requirement.
Restri... |
| V-283936 | | Fly Server must terminate sessions after 10 minutes. | Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management se... |
| V-283937 | | Fly Server must notify system administrators (SAs) and the information system security officer (ISSO) for all account-related events. | Once an attacker establishes access to an application, the attacker often attempts to create a persistent method of reestablishing access. One way to ... |
| V-283941 | | Fly Server must only allow the use of DoW PKI established certificate authorities for verification of the establishment of protected sessions. | Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DoW syst... |
| V-284007 | | Fly Server must enforce a role-based access control (RBAC) policy over defined subjects and objects. | RBAC is an access control policy that restricts information system access to authorized users. Without these security policies, access control and enf... |
| V-284030 | | Fly Server must automatically check for updates weekly. | Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovere... |
| V-284031 | | Fly Server must be updated within 30 days of an update release. | Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovere... |
| V-283942 | | Fly Server must be configured to use an enterprise database solution. | Configuring the application to implement organizationwide security implementation guides and security checklists ensures compliance with federal stand... |
| V-283928 | | Fly Server must use an approved DoW enterprise identity, credential, and access management (ICAM) solution to uniquely identify and authenticate organizational users. | To ensure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and... |
| V-283938 | | Fly Server must have no local accounts for the user interface. | To ensure accountability and prevent unauthenticated access, nonprivileged users must utilize multifactor authentication to prevent potential misuse a... |
| V-283939 | | Fly Server must have local authentication disabled. | To ensure accountability and prevent unauthenticated access, nonprivileged users must utilize multifactor authentication to prevent potential misuse a... |
| V-284032 | | Fly Server must be a version supported by the vendor. | Unsupported software and systems should not be used because fixes to newly identified bugs will not be implemented by the vendor. The lack of support ... |