| V-239896 | | The Cisco ASA must be configured to limit the number of concurrent management sessions to an organization-defined number. | Device management includes the ability to control the number of administrators and management sessions that manage a device. Limiting the number of al... |
| V-239897 | | The Cisco ASA must be configured to automatically audit account creation. | Upon gaining access to a network device, an attacker will often first attempt to create a persistent method of reestablishing access. One way to accom... |
| V-239898 | | The Cisco ASA must be configured to automatically audit account modification. | Since the accounts in the network device are privileged or system-level accounts, account management is vital to the security of the network device. A... |
| V-239899 | | The Cisco ASA must be configured to automatically audit account-disabling actions. | Account management, as a whole, ensures access to the network device is being controlled in a secure manner by granting access to only authorized pers... |
| V-239900 | | The Cisco ASA must be configured to automatically audit account removal actions. | Account management, as a whole, ensures access to the network device is being controlled in a secure manner by granting access to only authorized pers... |
| V-239901 | | The Cisco ASA must be configured to enforce approved authorizations for controlling the flow of management information within the Cisco ASA based on information flow control policies. | A mechanism to detect and prevent unauthorized communication flow must be configured or provided as part of the system design. If management informati... |
| V-239902 | | The Cisco ASA must be configured to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the device. | Display of the DoD-approved use notification before granting access to the network device ensures privacy and security notification verbiage used is c... |
| V-239903 | | The Cisco ASA must be configured to protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation. | This requirement supports non-repudiation of actions taken by an administrator and is required in order to maintain the integrity of the configuration... |
| V-239904 | | The Cisco ASA must be configured to generate audit records when successful/unsuccessful attempts to access privileges occur. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-239905 | | The Cisco ASA must be configured to produce audit log records containing sufficient information to establish what type of event occurred. | It is essential for security personnel to know what is being done, what was attempted, where it was done, when it was done, and by whom it was done in... |
| V-239906 | | The Cisco ASA must be configured to produce audit records containing information to establish when (date and time) the events occurred. | It is essential for security personnel to know what is being done, what was attempted, where it was done, when it was done, and by whom it was done in... |
| V-239907 | | The Cisco ASA must be configured to produce audit records containing information to establish where the events occurred. | In order to compile an accurate risk assessment and provide forensic analysis, it is essential for security personnel to know where events occurred, s... |
| V-239908 | | The Cisco ASA must be configured to produce audit log records containing information to establish the source of events. | In order to compile an accurate risk assessment and provide forensic analysis, it is essential for security personnel to know the source of the event.... |
| V-239909 | | The Cisco ASA must be configured to produce audit records that contain information to establish the outcome of the event. | Without information about the outcome of events, security personnel cannot make an accurate assessment as to whether an attack was successful or if ch... |
| V-239910 | | The Cisco ASA must be configured to generate audit records containing the full-text recording of privileged commands. | Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. Organizations consider lim... |
| V-239912 | | The Cisco ASA must be configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable. | Authentication for administrative (privileged level) access to the device is required at all times. An account can be created on the device's local da... |
| V-239913 | | The Cisco ASA must be configured to implement replay-resistant authentication mechanisms for network access to privileged accounts. | A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the applicati... |
| V-239914 | | The Cisco ASA must be configured to enforce a minimum 15-character password length. | Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password ... |
| V-239915 | | The Cisco ASA must be configured to enforce password complexity by requiring that at least one uppercase character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measur... |
| V-239916 | | The Cisco ASA must be configured to enforce password complexity by requiring that at least one lowercase character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-239917 | | The Cisco ASA must be configured to enforce password complexity by requiring that at least one numeric character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-239918 | | The Cisco ASA must be configured to enforce password complexity by requiring that at least one special character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-239919 | | The Cisco ASA must be configured to require that when a password is changed, the characters are changed in at least eight of the positions within the password. | If the application allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increa... |
| V-239921 | | The Cisco ASA must be configured to audit the execution of privileged functions. | Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromise... |
| V-239922 | | The Cisco ASA must be configured to allocate audit record storage capacity in accordance with organization-defined audit record storage requirements. | In order to ensure network devices have a sufficient storage capacity in which to write the audit logs, they need to be able to allocate audit record ... |
| V-239923 | | The Cisco ASA must be configured to generate an immediate real-time alert of all audit failure events requiring real-time alerts. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time aler... |
| V-239924 | | The Cisco ASA must be configured to synchronize its clock with the primary and secondary time sources using redundant authoritative time sources. | The loss of connectivity to a particular authoritative time source will result in the loss of time synchronization (free-run mode) and increasingly in... |
| V-239925 | | The Cisco ASA must be configured to record time stamps for audit records that meet a granularity of one second for a minimum degree of precision. | Without sufficient granularity of time stamps, it is not possible to adequately determine the chronological order of records. Time stamps generated by... |
| V-239927 | | The Cisco ASA must be configured to authenticate Simple Network Management Protocol (SNMP) messages using a FIPS-validated Keyed-Hash Message Authentication Code (HMAC). | Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authenticati... |
| V-239928 | | The Cisco ASA must be configured to encrypt Simple Network Management Protocol (SNMP) messages using a FIPS 140-2 approved algorithm. | Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authenticati... |
| V-239929 | | The Cisco ASA must be configured to authenticate Network Time Protocol sources using authentication that is cryptographically based. | If Network Time Protocol is not authenticated, an attacker can introduce a rogue NTP server. This rogue server can then be used to send incorrect time... |
| V-239932 | | The Cisco ASA must be configured to protect against known types of denial-of-service (DoS) attacks by enabling the Threat Detection feature. | DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or m... |
| V-239933 | | The Cisco ASA must be configured to generate audit records when successful/unsuccessful attempts to modify administrator privileges occur. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-239934 | | The Cisco ASA must be configured to generate audit records when successful/unsuccessful attempts to delete administrator privileges occur. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-239935 | | The Cisco ASA must be configured to generate audit records when successful/unsuccessful logon attempts occur. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-239936 | | The Cisco ASA must be configured to generate audit records for privileged activities or other system-level access. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-239937 | | The Cisco ASA must be configured to generate audit records showing starting and ending time for administrator access to the system. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-239938 | | The Cisco ASA must be configured to generate audit records when concurrent logons from different workstations occur. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-239941 | | The Cisco ASA must be configured to conduct backups of system-level information contained in the information system when changes occur. | System-level information includes default and customized settings and security attributes, including ACLs that relate to the network device configurat... |
| V-239942 | | The Cisco ASA must be configured to obtain its public key certificates from an appropriate certificate policy through an approved service provider. | For user certificates, each organization obtains certificates from an approved, shared service provider, as required by OMB policy. For federal agenci... |
| V-239911 | | The Cisco ASA must be configured to prohibit the use of all unnecessary and/or non-secure functions, ports, protocols, and/or services. | In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types... |
| V-239920 | | The Cisco ASA must be configured to terminate all network connections associated with a device management session at the end of the session, or the session must be terminated after five minutes of inactivity except to fulfill documented and validated mission requirements. | Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management se... |
| V-239930 | | The Cisco ASA must be configured to use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of non-local maintenance and diagnostic communications. | Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide con... |
| V-239931 | | The Cisco ASA must be configured to implement cryptographic mechanisms using a FIPS 140-2 approved algorithm to protect the confidentiality of remote maintenance sessions. | This requires the use of secure protocols instead of their unsecured counterparts, such as SSH instead of telnet, SCP instead of FTP, and HTTPS instea... |
| V-239940 | | The Cisco ASA must be configured to use at least two authentication servers to authenticate users prior to granting administrative access. | Centralized management of authentication settings increases the security of remote and non-local access methods. This control is particularly importan... |
| V-239943 | | The Cisco ASA must be configured to send log data to at least two central log servers for the purpose of forwarding alerts to organization-defined personnel and/or the firewall administrator. | The aggregation of log data kept on a syslog server can be used to detect attacks and trigger an alert to the appropriate security personnel. The stor... |
| V-239944 | | The Cisco ASA must be running an operating system release that is currently supported by Cisco Systems. | Network devices running an unsupported operating system lack current security fixes required to mitigate the risks associated with recent vulnerabilit... |