| V-233096 | | For accounts using password authentication, the container platform must use FIPS-validated SHA-2 or later protocol to protect the integrity of the password authentication process. | Passwords need to be protected on entry, in transmission, during authentication, and when stored. If compromised at any of these security points, a ne... |
| V-233118 | | The container platform must protect authenticity of communications sessions with the use of FIPS-validated 140-2 or 140-3 security requirements for cryptographic modules. | The container platform is responsible for pulling images from trusted sources and placing those images into its registry. To protect the transmission ... |
| V-233185 | | The container platform runtime must prohibit the instantiation of container images without explicit privileged status. | Controlling access to those users and roles responsible for container image instantiation reduces the risk of untested or potentially malicious contai... |
| V-233220 | | The container platform keystore must implement encryption to prevent unauthorized disclosure of information at rest within the container platform. | Container platform keystore is used for container deployments for persistent storage of all its REST API objects. These objects are sensitive in natur... |
| V-233224 | | The application must protect the confidentiality and integrity of transmitted information. | Without protection of the transmitted information, confidentiality and integrity may be compromised since unprotected communications can be intercepte... |
| V-233289 | | The container platform must use a FIPS-validated cryptographic module to implement encryption services for unclassified information requiring confidentiality. | Unvalidated cryptography is viewed by NIST as providing no protection to the information or data. In effect, the data would be considered unprotected ... |
| V-233290 | | The container platform must prohibit or restrict the use of protocols that transmit unencrypted authentication information or use flawed cryptographic algorithms for transmission. | The use of secure ports, protocols and services within the container platform must be controlled and conform to the PPSM CAL. Those ports, protocols, ... |
| V-233015 | | The container platform must use TLS 1.2 or greater for secure container image transport from trusted sources. | The authenticity and integrity of the container image during the container image lifecycle is part of the overall security posture of the container pl... |
| V-233016 | | The container platform must use TLS 1.2 or greater for secure communication. | The authenticity and integrity of the container platform and communication between nodes and components must be secure. If an insecure protocol is use... |
| V-233019 | | The container platform must use a centralized user management solution to support account management functions. | Enterprise environments make application account management challenging and complex. A manual process for account management functions adds the risk o... |
| V-233020 | | The container platform must automatically remove or disable temporary user accounts after 72 hours. | If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To ... |
| V-233021 | | The container platform must automatically disable accounts after a 35-day period of account inactivity. | Attackers that are able to exploit an inactive account can potentially obtain and maintain undetected access to an application. Owners of inactive acc... |
| V-233022 | | The container platform must automatically audit account creation. | Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of re-establishing access. One way to accom... |
| V-233023 | | The container platform must automatically audit account modification. | Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of re-establishing access. One way to accom... |
| V-233024 | | The container platform must automatically audit account-disabling actions. | When application accounts are disabled, user accessibility is affected. Once an attacker establishes access to an application, the attacker often atte... |
| V-233025 | | The container platform must automatically audit account removal actions. | When application accounts are removed, user accessibility is affected. Once an attacker establishes access to an application, the attacker often attem... |
| V-233026 | | Least privilege access and need to know must be required to access the container platform registry. | The container platform registry is used to store images and is the keeper of truth for trusted images within the platform. To guarantee the images int... |
| V-233027 | | Least privilege access and need to know must be required to access the container platform runtime. | The container platform runtime is used to instantiate containers. If this process is accessed by those persons who are not authorized, those container... |
| V-233028 | | Least privilege access and need to know must be required to access the container platform keystore. | The container platform keystore is used to store access keys and tokens for trusted access to and from the container platform. The keystore gives the ... |
| V-233029 | | The container platform must enforce approved authorizations for controlling the flow of information within the container platform based on organization-defined information flow control policies. | Controlling information flow between the container platform components and container user services instantiated by the container platform must enforce... |
| V-233030 | | The container platform must enforce approved authorizations for controlling the flow of information between interconnected systems and services based on organization-defined information flow control policies. | Controlling information flow between the container platform components and container user services instantiated by the container platform must enforce... |
| V-233031 | | The container platform must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period. | By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, ... |
| V-233038 | | The container platform must generate audit records for all DoD-defined auditable events within all components in the platform. | Within the container platform, audit data can be generated from any of the deployed container platform components. This audit data is important when t... |
| V-233039 | | The container platform must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited. | Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the ... |
| V-233040 | | The container platform must generate audit records when successful/unsuccessful attempts to access privileges occur. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-233041 | | The container platform must initiate session auditing upon startup. | When the container platform is started, container platform components and user services can also be started. It is important that the container platfo... |
| V-233042 | | All audit records must identify what type of event has occurred within the container platform. | Within the container platform, audit data can be generated from any of the deployed container platform components. This audit data is important when t... |
| V-233043 | | The container platform audit records must have a date and time association with all events. | Within the container platform, audit data can be generated from any of the deployed container platform components. This audit data is important when t... |
| V-233044 | | All audit records must identify where in the container platform the event occurred. | Within the container platform, audit data can be generated from any of the deployed container platform components. This audit data is important when t... |
| V-233045 | | All audit records must identify the source of the event within the container platform. | Audit data is important when there are issues, to include security incidents that must be investigated. Since the audit data may be part of a larger a... |
| V-233046 | | All audit records must generate the event results within the container platform. | Within the container platform, audit data can be generated from any of the deployed container platform components. This audit data is important when t... |
| V-233047 | | All audit records must identify any users associated with the event within the container platform. | Without information that establishes the identity of the user associated with the events, security personnel cannot determine responsibility for the p... |
| V-233048 | | All audit records must identify any containers associated with the event within the container platform. | Without information that establishes the identity of the containers offering user services or running on behalf of a user within the platform associat... |
| V-233049 | | The container platform must generate audit records containing the full-text recording of privileged commands or the individual identities of group account users. | During an investigation of an incident, it is important to fully understand what took place. Often, information is not part of the audited event due t... |
| V-233052 | | The container platform components must provide the ability to send audit logs to a central enterprise repository for review and analysis. | The container platform components must send audit events to a central managed audit log repository to provide reporting, analysis, and alert notificat... |
| V-233055 | | The container platform must use internal system clocks to generate audit record time stamps. | Understanding when and sequence of events for an incident is crucial to understand what may have taken place. Without a common clock, the components g... |
| V-233056 | | The container platform must protect audit information from any type of unauthorized read access. | If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity i... |
| V-233057 | | The container platform must protect audit information from unauthorized modification. | If audit data were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity would be im... |
| V-233058 | | The container platform must protect audit information from unauthorized deletion. | If audit data were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity would be im... |
| V-233059 | | The container platform must protect audit tools from unauthorized access. | Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is ne... |
| V-233060 | | The container platform must protect audit tools from unauthorized modification. | Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is ne... |
| V-233061 | | The container platform must protect audit tools from unauthorized deletion. | Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is ne... |
| V-233063 | | The container platform must use FIPS validated cryptographic mechanisms to protect the integrity of log information. | To fully investigate an incident and to have trust in the audit data that is generated, it is important to put in place data protections. Without inte... |
| V-233064 | | The container platform must be built from verified packages. | It is important to patch and upgrade the container platform when patches and upgrades are available. More important is to get these patches and upgrad... |
| V-233065 | | The container platform must verify container images. | The container platform must be capable of validating container images are signed and that the digital signature is from a recognized and approved sour... |
| V-233066 | | The container platform must limit privileges to the container platform registry. | To control what is instantiated within the container platform, it is important to control access to the registry. Without this control, container imag... |
| V-233067 | | The container platform must limit privileges to the container platform runtime. | To control what is instantiated within the container platform, it is important to control access to the runtime. Without this control, container platf... |
| V-233068 | | The container platform must limit privileges to the container platform keystore. | The container platform keystore is used to store credentials used to build a trust between the container platform and some external source. This trust... |
| V-233069 | | Configuration files for the container platform must be protected. | The secure configuration of the container platform must be protected by disallowing changes to be implemented by non-privileged users. Changes to the ... |
| V-233070 | | Authentication files for the container platform must be protected. | The secure configuration of the container platform must be protected by disallowing changing to be implemented by non-privileged users. Changes to the... |
| V-233071 | | The container platform must be configured with only essential configurations. | The container platform can be built with components that are not used for the intended purpose of the organization. To limit the attack surface of the... |
| V-233072 | | The container platform registry must contain only container images for those capabilities being offered by the container platform. | Allowing container images to reside within the container platform registry that are not essential to the capabilities being offered by the container p... |
| V-233073 | | The container platform runtime must enforce ports, protocols, and services that adhere to the PPSM CAL. | Ports, protocols, and services within the container platform runtime must be controlled and conform to the PPSM CAL. Those ports, protocols, and servi... |
| V-233074 | | The container platform runtime must enforce the use of ports that are non-privileged. | Privileged ports are those ports below 1024 and that require system privileges for their use. If containers are able to use these ports, the container... |
| V-233075 | | The container platform must uniquely identify and authenticate users. | The container platform requires user accounts to perform container platform tasks. These tasks may pertain to the overall container platform or may be... |
| V-233076 | | The container platform application program interface (API) must uniquely identify and authenticate users. | The container platform requires user accounts to perform container platform tasks. These tasks are often performed through the container platform API.... |
| V-233077 | | The container platform must uniquely identify and authenticate processes acting on behalf of the users. | The container platform will instantiate a container image and use the user privileges given to the user used to execute the container. To ensure accou... |
| V-233078 | | The container platform application program interface (API) must uniquely identify and authenticate processes acting on behalf of the users. | The container platform API can be used to perform any task within the platform. Often, the API is used to create tasks that perform some kind of maint... |
| V-233079 | | The container platform must use multifactor authentication for network access to privileged accounts. | Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased.
Multifactor authentication requires u... |
| V-233080 | | The container platform must use multifactor authentication for network access to non-privileged accounts. | To ensure accountability and prevent unauthenticated access, non-privileged users must utilize multifactor authentication to prevent potential misuse ... |
| V-233081 | | The container platform must use multifactor authentication for local access to privileged accounts. | To ensure accountability and prevent unauthenticated access, privileged users must utilize multifactor authentication to prevent potential misuse and ... |
| V-233082 | | The container platform must use multifactor authentication for local access to nonprivileged accounts. | To ensure accountability, prevent unauthenticated access, and prevent misuse of the system, nonprivileged users must utilize multi-factor authenticati... |
| V-233083 | | The container platform must ensure users are authenticated with an individual authenticator prior to using a group authenticator. | To ensure individual accountability and prevent unauthorized access, application users must be individually identified and authenticated.
Individual ... |
| V-233084 | | The container platform must use FIPS-validated SHA-1 or higher hash function to provide replay-resistant authentication mechanisms for network access to privileged accounts. | A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the applicati... |
| V-233085 | | The container platform must implement replay-resistant authentication mechanisms for network access to nonprivileged accounts. | A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the applicati... |
| V-233086 | | The container platform must uniquely identify all network-connected nodes before establishing any connection. | A container platform usually consists of multiple nodes. It is important for these nodes to be uniquely identified before a connection is allowed. Wit... |
| V-233087 | | The container platform must disable identifiers (individuals, groups, roles, and devices) after 35 days of inactivity. | Inactive identifiers pose a risk to systems and applications. Attackers that are able to exploit an inactive identifier can potentially obtain and mai... |
| V-233088 | | The container platform must enforce a minimum 15-character password length. | The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.
Password complexit... |
| V-233090 | | The container platform must enforce password complexity by requiring that at least one uppercase character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-233091 | | The container platform must enforce password complexity by requiring that at least one lowercase character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-233092 | | The container platform must enforce password complexity by requiring that at least one numeric character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-233093 | | The container platform must enforce password complexity by requiring that at least one special character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-233094 | | The container platform must require the change of at least eight of the total number of characters when passwords are changed. | If the application allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increa... |
| V-233095 | | For container platform using password authentication, the application must store only cryptographic representations of passwords. | Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can ... |
| V-233097 | | The container platform must enforce 24 hours (one day) as the minimum password lifetime. | Enforcing a minimum password lifetime helps prevent repeated password changes to defeat the password reuse or history enforcement requirement.
Restri... |
| V-233098 | | The container platform must enforce a 60-day maximum password lifetime restriction. | Any password, no matter how complex, can eventually be cracked; therefore, passwords need to be changed at specific intervals.
One method of minimiz... |
| V-233101 | | The container platform must map the authenticated identity to the individual user or group account for PKI-based authentication. | The container platform and its components may require authentication before use. When the authentication is PKI-based, the container platform or compo... |
| V-233102 | | The container platform must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals. | To prevent the compromise of authentication information such as passwords during the authentication process, the feedback from the container platform ... |
| V-233105 | | The container platform must provide an audit reduction capability that supports on-demand reporting requirements. | The ability to generate on-demand reports, including after the audit data has been subjected to audit reduction, greatly facilitates the organization'... |
| V-233106 | | The container platform must employ strong authenticators in the establishment of non-local maintenance and diagnostic sessions. | If maintenance tools are used by unauthorized personnel, they may accidentally or intentionally damage or compromise the system. The act of managing s... |
| V-233108 | | The application must terminate all network connections associated with a communications session at the end of the session, or as follows: for in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity. | Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management se... |
| V-233114 | | The container platform must separate user functionality (including user interface services) from information system management functionality. | Separating user functionality from management functionality is a requirement for all the components within the container platform. Without the separat... |
| V-233122 | | The container platform runtime must fail to a secure state if system initialization fails, shutdown fails, or aborts fail. | The container platform offers services for container image orchestration and services for users. If any of these services were to fail into an insecur... |
| V-233123 | | The container platform must preserve any information necessary to determine the cause of the disruption or failure. | When a failure occurs within the container platform, preserving the state of the container platform and its components, along with other container ser... |
| V-233125 | | The container platform runtime must isolate security functions from non-security functions. | The container platform runtime must be configured to isolate those services used for security functions from those used for non-security functions. Th... |
| V-233126 | | The container platform must never automatically remove or disable emergency accounts. | Emergency accounts are administrator accounts that are established in response to crisis situations where the need for rapid account activation is req... |
| V-233127 | | The container platform must prohibit containers from accessing privileged resources. | Containers images instantiated within the container platform may request access to host system resources. Access to privileged resources can allow for... |
| V-233128 | | The container platform must prevent unauthorized and unintended information transfer via shared system resources. | The container platform makes host system resources available to container services. These shared resources, such as the host system kernel, network co... |
| V-233129 | | The container platform must restrict individuals' ability to launch organizationally defined denial-of-service (DoS) attacks against other information systems. | The container platform will offer services to users and these services share resources available on the hosting system. To share the resources in a ma... |
| V-233133 | | The container platform must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries. | The container platform is responsible for offering services to users. These services could be across diverse user groups and data types. To protect in... |
| V-233142 | | The container platform must use cryptographic mechanisms to protect the integrity of audit tools. | Protecting the integrity of the tools used for auditing purposes is a critical step to ensuring the integrity of audit data. Audit data includes all i... |
| V-233143 | | The container platform must notify system administrators (SAs) and the information system security officer (ISSO) when accounts are created. | Once an attacker establishes access to an application, the attacker often attempts to create a persistent method of re-establishing access. One way to... |
| V-233144 | | The container platform must notify system administrators (SAs) and the information system security officer (ISSO) when accounts are modified. | When application accounts are modified, user accessibility is affected. Accounts are utilized for identifying individual users or for identifying the ... |
| V-233145 | | The container platform must notify system administrators and ISSO for account disabling actions. | When application accounts are disabled, user accessibility is affected. Accounts are utilized for identifying individual users or for identifying the ... |
| V-233146 | | The container platform must notify system administrators and ISSO for account removal actions. | When application accounts are removed, user accessibility is affected. Accounts are utilized for identifying users or for identifying the application ... |
| V-233155 | | The container platform must terminate shared/group account credentials when members leave the group. | If shared/group account credentials are not terminated when individuals leave the group, the user that left the group can still gain access even thoug... |
| V-233157 | | The container platform must automatically audit account-enabling actions. | Once an attacker establishes access to an application, the attacker often attempts to create a persistent method of re-establishing access. One way to... |
| V-233158 | | The container platform must notify the system administrator (SA) and information system security officer (ISSO) of account enabling actions. | Once an attacker establishes access to an application, the attacker often attempts to create a persistent method of re-establishing access. One way to... |
| V-233162 | | The container platform must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. | Controlling what users can perform privileged functions prevents unauthorized users from performing tasks that may expose data or degrade the containe... |
| V-233163 | | Container images instantiated by the container platform must execute using least privileges. | Containers running within the container platform must execute as non-privileged. When a container can execute as a privileged container, the privilege... |
| V-233164 | | The container platform must audit the execution of privileged functions. | Privileged functions within the container platform can be component specific or can envelope the entire container platform. Because of the nature of t... |
| V-233165 | | The container platform must automatically lock an account until the locked account is released by an administrator when three unsuccessful login attempts in 15 minutes are exceeded. | By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, ... |
| V-233166 | | The container platform must provide the configuration for organization-identified individuals or roles to change the auditing to be performed on all components, based on all selectable event criteria within organization-defined time thresholds. | Auditing requirements may change per organization or situation within and organization. With the container platform allowing an organization to custom... |
| V-233168 | | The container platform must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements. | In order to ensure applications have a sufficient storage capacity in which to write the audit logs, applications need to be able to allocate audit re... |
| V-233169 | | Audit records must be stored at a secondary location. | Auditable events are used in the investigation of incidents and must be protected from being deleted or altered. Often, events that took place in the ... |
| V-233170 | | The container platform must provide an immediate warning to the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of repository maximum audit record storage capacity. | If security personnel are not notified immediately upon storage volume utilization reaching 75 percent, they are unable to plan for storage capacity e... |
| V-233171 | | The container platform must provide an immediate real-time alert to the SA and ISSO, at a minimum, of all audit failure events requiring real-time alerts. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time aler... |
| V-233181 | | All audit records must use UTC or GMT time stamps. | The container platform and its components must generate audit records using either Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT) time ... |
| V-233182 | | The container platform must record time stamps for audit records that meet a granularity of one second for a minimum degree of precision. | To properly investigate an event, it is important to have enough granularity within the time stamps to determine the chronological order of the audite... |
| V-233184 | | The container platform must prohibit the installation of patches and updates without explicit privileged status. | Controlling access to those users and roles responsible for patching and updating the container platform reduces the risk of untested or potentially m... |
| V-233186 | | The container platform registry must prohibit installation or modification of container images without explicit privileged status. | Controlling access to those users and roles that perform container platform registry functions reduces the risk of untested or potentially malicious c... |
| V-233188 | | The container platform must enforce access restrictions for container platform configuration changes. | Configuration changes cause the container platform to change the way it operates. These changes can be used to improve the system with added features ... |
| V-233189 | | The container platform must enforce access restrictions and support auditing of the enforcement actions. | Auditing the enforcement of access restrictions against changes to the container platform helps identify attacks and provides forensic data for invest... |
| V-233190 | | All non-essential, unnecessary, and unsecure DoD ports, protocols, and services must be disabled in the container platform. | To properly offer services to the user and to orchestrate containers, the container platform may offer services that use ports and protocols that best... |
| V-233191 | | The container platform must prevent component execution in accordance with organization-defined policies regarding software program usage and restrictions, and/or rules authorizing the terms and conditions of software program usage. | The container platform may offer components such as DNS services, firewall services, router services, or web services that are not required by every o... |
| V-233192 | | The container platform registry must employ a deny-all, permit-by-exception (whitelist) policy to allow only authorized container images in the container platform. | Controlling the sources where container images can be pulled from allows the organization to define what software can be run within the container plat... |
| V-233193 | | The container platform must require users to reauthenticate when organization-defined circumstances or situations require reauthentication. | Controlling user access is paramount in securing the container platform. During a user's access to the container platform, events may occur that chang... |
| V-233195 | | The container platform must be configured to use multi-factor authentication for user authentication. | Controlling access to the container platform and its components is paramount in having a secure and stable system. Validating users is the first step ... |
| V-233200 | | The container platform must prohibit the use of cached authenticators after an organization-defined time period. | If cached authentication information is out of date, the validity of the authentication information may be questionable.... |
| V-233201 | | The container platform, for PKI-based authentication, must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network. | The potential of allowing access to users who are no longer authorized (have revoked certificates) increases unless a local cache of revocation data ... |
| V-233202 | | The container platform must accept Personal Identity Verification (PIV) credentials from other federal agencies. | Controlling access to the container platform and its components is paramount in having a secure and stable system. Validating users is the first step ... |
| V-233206 | | The container platform must audit non-local maintenance and diagnostic sessions' organization-defined audit events associated with non-local maintenance. | To fully investigate an attack, it is important to understand the event and those events taking place during the same time period. Often, non-local ad... |
| V-233207 | | Container platform applications and Application Program Interfaces (API) used for nonlocal maintenance sessions must use FIPS-validated keyed-hash message authentication code (HMAC) to protect the integrity of nonlocal maintenance and diagnostic communications. | Unapproved mechanisms that are used for authentication to the cryptographic module are not verified, and therefore cannot be relied on to provide conf... |
| V-233208 | | The container platform must configure web management tools and Application Program Interfaces (API) with FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to protect the confidentiality of maintenance and diagnostic communications for nonlocal maintenance sessions. | Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session.
Nonloca... |
| V-233210 | | Vulnerability scanning applications must implement privileged access authorization to all container platform components, containers, and container images for selected organization-defined vulnerability scanning activities. | In certain situations, the nature of the vulnerability scanning may be more intrusive, or the container platform component that is the subject of the ... |
| V-233211 | | The container platform must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. | Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data and images. The container platform must ... |
| V-233221 | | The container platform runtime must maintain separate execution domains for each container by assigning each container a separate address space. | Container namespace access is limited upon runtime execution. Each container is a distinct process so that communication between containers is perform... |
| V-233222 | | The container platform must protect against or limit the effects of all types of denial-of-service (DoS) attacks by employing organization-defined security safeguards. | DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or m... |
| V-233226 | | The container platform must maintain the confidentiality and integrity of information during preparation for transmission. | Information may be unintentionally or maliciously disclosed or modified during preparation for transmission within the container platform during aggre... |
| V-233227 | | The container platform must maintain the confidentiality and integrity of information during reception. | Information either can be unintentionally or maliciously disclosed or modified during reception for reception within the container platform during agg... |
| V-233228 | | The container platform must behave in a predictable and documented manner that reflects organizational and system objectives when invalid inputs are received. | Software or code parameters typically follow well-defined protocols that use structured messages (i.e., commands or queries) to communicate between so... |
| V-233229 | | The container platform must implement organization-defined security safeguards to protect system CPU and memory from resource depletion and unauthorized code execution. | The execution of images within the container platform runtime must implement organizational defined security safeguards to prevent distributed denial-... |
| V-233230 | | The container platform must remove old components after updated versions have been installed. | Previous versions of container platform components that are not removed from the container platform after updates have been installed may be exploited... |
| V-233231 | | The container platform registry must remove old container images after updating versions have been made available. | Obsolete and stale images need to be removed from the registry to ensure the container platform maintains a secure posture. While the storing of these... |
| V-233233 | | The container platform registry must contain the latest images with most recent updates and execute within the container platform runtime as authorized by IAVM, CTOs, DTMs, and STIGs. | Software supporting the container platform, images in the registry must stay up to date with the latest patches, service packs, and hot fixes. Not upd... |
| V-233234 | | The container platform runtime must have updates installed within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs). | The container platform runtime must be carefully monitored for vulnerabilities, and when problems are detected, they must be remediated quickly. A vul... |
| V-233242 | | The organization-defined role must verify correct operation of security functions in the container platform. | Without verification, security functions may not operate correctly and this failure may go unnoticed within the container platform. The container plat... |
| V-233243 | | The container platform must perform verification of the correct operation of security functions: upon system startup and/or restart; upon command by a user with privileged access; and/or every 30 days. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. | Without verification, security functions may not operate correctly and this failure may go unnoticed within the container platform.
Security function... |
| V-233244 | | The container platform must provide system notifications to the system administrator and operational staff when anomalies in the operation of the organization-defined security functions are discovered. | If anomalies are not acted upon, security functions may fail to secure the container within the container platform runtime.
Security functions are re... |
| V-233252 | | The container platform must generate audit records when successful/unsuccessful attempts to access security objects occur. | The container platform and its components must generate audit records when successful and unsuccessful access security objects occur. All the componen... |
| V-233253 | | The container platform must generate audit records when successful/unsuccessful attempts to access security levels occur. | Unauthorized users could access the security levels to exploit vulnerabilities within the container platform component. All the components must use th... |
| V-233254 | | The container platform must generate audit records when successful/unsuccessful attempts to access categories of information (e.g., classification levels) occur. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-233255 | | The container platform must generate audit records when successful/unsuccessful attempts to modify privileges occur. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-233256 | | The container platform must generate audit records when successful/unsuccessful attempts to modify security objects occur. | The container platform and its components must generate audit records when modifying security objects. All the components must use the same standard s... |
| V-233257 | | The container platform must generate audit records when successful/unsuccessful attempts to modify security levels occur. | Unauthorized users could modify the security levels to exploit vulnerabilities within the container platform component. All the components must use th... |
| V-233258 | | The container platform must generate audit records when successful/unsuccessful attempts to modify categories of information (e.g., classification levels) occur. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-233259 | | The container platform must generate audit records when successful/unsuccessful attempts to delete privileges occur. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-233260 | | The container platform must generate audit records when successful/unsuccessful attempts to delete security levels occur. | The container platform and its components must generate audit records when deleting security levels. All the components must use the same standard so ... |
| V-233261 | | The container platform must generate audit records when successful/unsuccessful attempts to delete security objects occur. | Unauthorized users modify level the security levels to exploit vulnerabilities within the container platform component. All the components must use th... |
| V-233262 | | The container platform must generate audit records when successful/unsuccessful attempts to delete categories of information (e.g., classification levels) occur. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-233263 | | The container platform must generate audit records when successful/unsuccessful logon attempts occur. | The container platform and its components must generate audit records when successful and unsuccessful logon attempts occur. The information system ca... |
| V-233264 | | The container platform must generate audit record for privileged activities. | The container platform components will generate audit records for privilege activities and container platform runtime, registry, and keystore must gen... |
| V-233265 | | The container platform audit records must record user access start and end times. | The container platform must generate audit records showing start and end times for users and services acting on behalf of a user accessing the registr... |
| V-233266 | | The container platform must generate audit records when concurrent logons from different workstations and systems occur. | The container platform and its components must generate audit records for concurrent logons from workstations perform remote maintenance, runtime inst... |
| V-233267 | | The container platform runtime must generate audit records when successful/unsuccessful attempts to access objects occur. | Container platform runtime objects are defined as configuration files, code, etc. This provides the ability to configure resources and software parame... |
| V-233268 | | Direct access to the container platform must generate audit records. | Direct access to the container platform and its components must generate audit records. All the components must use the same standard so that the even... |
| V-233269 | | The container platform must generate audit records for all account creations, modifications, disabling, and termination events. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-233270 | | The container runtime must generate audit records for all container execution, shutdown, restart events, and program initiations. | The container runtime must generate audit records that are specific to the security and mission needs of the organization. Without audit record, it wo... |
| V-233271 | | The container platform must use a valid FIPS 140-2 approved cryptographic modules to generate hashes. | The cryptographic module used must have at least one validated hash algorithm. This validated hash algorithm must be used to generate cryptographic ha... |
| V-233273 | | Container platform components must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including SRGs, STIGs, NSA configuration guides, CTOs, and DTMs. | Container platform components are part of the overall container platform, offering services that enable the container platform to fully orchestrate us... |
| V-233274 | | The container platform must be able to store and instantiate industry standard container images. | Monitoring the container images and containers during their lifecycle is important to guarantee the container platform is secure. To monitor the conta... |
| V-233275 | | The container platform must continuously scan components, containers, and images for vulnerabilities. | Finding vulnerabilities quickly within the container platform and within containers deployed within the platform is important to keep the overall plat... |
| V-233276 | | The container platform must prohibit communication using TLS versions 1.0 and 1.1, and SSL 2.0 and 3.0. | The container platform and its components will prohibit the use of SSL and unauthorized versions of TLS protocols to properly secure communication.
T... |
| V-233284 | | The container platform must validate certificates used for Transport Layer Security (TLS) functions by performing an RFC 5280-compliant certification path validation. | A certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is nece... |
| V-233285 | | The container platform must use FIPS-validated SHA-2 or higher hash function for digital signature generation and verification (non-legacy use). | Without the use of digital signature, information can be altered by unauthorized accounts accessing or modifying the container platform registry, keys... |
| V-257291 | | The container platform must enforce organization-defined circumstances and/or usage conditions for organization-defined accounts. | Activity under unusual conditions can indicate hostile activity. For example, what is normal activity during business hours can indicate hostile activ... |
| V-263586 | | The container platform must disable accounts when the accounts are no longer associated to a user. | Disabling expired, inactive, or otherwise anomalous accounts supports the concepts of least privilege and least functionality which reduce the attack ... |
| V-263587 | | The container platform must implement the capability to centrally review and analyze audit records from multiple components within the system. | Automated mechanisms for centralized reviews and analyses include Security Information and Event Management products.... |
| V-263588 | | The container platform must alert organization-defined personnel or roles upon detection of unauthorized access, modification, or deletion of audit information. | Audit information includes all information needed to successfully audit system activity, such as audit records, audit log settings, audit reports, and... |
| V-263589 | | The container platform must implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access. | The purpose of requiring a device that is separate from the system to which the user is attempting to gain access for one of the factors during multif... |
| V-263590 | | The container platform must implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that the device meets organization-defined strength of mechanism requirements. | The purpose of requiring a device that is separate from the system to which the user is attempting to gain access for one of the factors during multif... |
| V-263591 | | The container platform must for password-based authentication, maintain a list of commonly used, expected, or compromised passwords on an organization-defined frequency. | Password-based authentication applies to passwords regardless of whether they are used in single-factor or multi-factor authentication. Long passwords... |
| V-263592 | | The container platform must for password-based authentication, update the list of passwords on an organization-defined frequency. | Password-based authentication applies to passwords regardless of whether they are used in single-factor or multi-factor authentication. Long passwords... |
| V-263593 | | The container platform must for password-based authentication, update the list of passwords when organizational passwords are suspected to have been compromised directly or indirectly. | Password-based authentication applies to passwords regardless of whether they are used in single-factor or multi-factor authentication. Long passwords... |
| V-263594 | | The container platform must for password-based authentication, verify when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5 (1) (a). | Password-based authentication applies to passwords regardless of whether they are used in single-factor or multi-factor authentication. Long passwords... |
| V-263595 | | The container platform must for password-based authentication, require immediate selection of a new password upon account recovery. | Password-based authentication applies to passwords regardless of whether they are used in single-factor or multi-factor authentication. Long passwords... |
| V-263596 | | The container platform must for password-based authentication, allow user selection of long passwords and passphrases, including spaces and all printable characters. | Password-based authentication applies to passwords regardless of whether they are used in single-factor or multi-factor authentication. Long passwords... |
| V-263597 | | The container platform must for password-based authentication, employ automated tools to assist the user in selecting strong password authenticators. | Password-based authentication applies to passwords regardless of whether they are used in single-factor or multi-factor authentication. Long passwords... |
| V-263598 | | The container platform must protect nonlocal maintenance sessions by separating the maintenance session from other network sessions with the system by logically separated communications paths. | Nonlocal maintenance and diagnostic activities are conducted by individuals who communicate through either an external or internal network.
Communicat... |
| V-263599 | | The container platform must include only approved trust anchors in trust stores or certificate stores managed by the organization. | Public key infrastructure (PKI) certificates are certificates with visibility external to organizational systems and certificates related to the inter... |
| V-263600 | | The container platform must provide protected storage for cryptographic keys with organization-defined safeguards and/or hardware protected key store. | A Trusted Platform Module (TPM) is an example of a hardware-protected data store that can be used to protect cryptographic keys.... |
| V-263601 | | The container platform must synchronize system clocks within and between systems or system components. | Time synchronization of system clocks is essential for the correct execution of many system services, including identification and authentication proc... |
| V-270875 | | The container must have resource request limits set. | Setting a container resource request limit allows the container platform to determine the best location for the container to execute. The container pl... |
| V-270876 | | The container root filesystem must be mounted as read-only. | Any changes to a container must be made by rebuilding the image and redeploying the new container image. Once a container is running, changes to the r... |
| V-233032 | | The container platform must display the Standard Mandatory DoD Notice and Consent Banner before granting access to platform components. | The container platform has countless components where different access levels are needed. To control access, the user must first log in to the compone... |
| V-233033 | | The container platform must retain the Standard Mandatory DoD Notice and Consent Banner on the screen until users acknowledge the usage and conditions and take explicit actions to log on for further access. | The banner must be acknowledged by the user prior to allowing the user access to any container platform component. This provides assurance that the us... |
| V-233149 | | Access to the container platform must display an explicit logout message to user indicating the reliable termination of authenticated communication sessions. | Access to the container platform will occur through web and terminal sessions. Any web interfaces must conform to application and web security require... |
