| V-270904 | | Dragos must configure idle timeouts at 10 minutes. | A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information syst... |
| V-270910 | | Dragos Platform must use an Identity Provider (IDP) for authentication and authorization processes. | Enterprise environments make application account management challenging and complex. A manual process for account management functions adds the risk o... |
| V-270916 | | The Dragos Platform must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system. | Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbi... |
| V-270917 | | The publicly accessible Dragos Platform application must display the Standard Mandatory DOD Notice and Consent Banner before granting access to Dragos Platform. | Display of a standardized and approved use notification before granting access to the publicly accessible application ensures privacy and security not... |
| V-270919 | | The Dragos Platform must only allow local administrative and service user accounts. | Only two default accounts facilitate the initial setup and configuration of the Platform. These accounts provide immediate access to the system, allow... |
| V-270932 | | The Dragos Platform must have notification and audit services installed. | Installing the Knowledge Pack(s) is essential for the Dragos Platform to provide comprehensive security monitoring, compliance, and operational visibi... |
| V-270944 | | The Dragos Platform must be configured to send backup audit records. | Configuring the Dragos Platform to send out backup audit records is a critical best practice for ensuring the security, integrity, and availability of... |
| V-270945 | | The Dragos Platform must have disk encryption enabled on virtual machines (VMs). | Enabling disk encryption on VMs running the Dragos Platform is a critical security measure to protect sensitive data, ensure compliance with regulatio... |
| V-270952 | | Dragos must allow only the individuals appointed by the information system security manager (ISSM) to have full admin rights to the system. | Without restricting which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of cri... |
| V-270955 | | The Dragos Platform must configure local password policies. | The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexit... |
| V-270978 | | Dragos must use FIPS-validated encryption and hashing algorithms to protect the confidentiality and integrity of application configuration files and user-generated data stored or aggregated on the device. | Confidentiality and integrity protections are intended to address the confidentiality and integrity of system information at rest (e.g., network devic... |
| V-270993 | | The Dragos Platform must notify system administrators and information system security officer (ISSO) of local account activity. | Once an attacker establishes access to an application, the attacker often attempts to create a persistent method of re-establishing access. One way to... |
| V-271008 | | Dragos Platform must allocate audit record storage retention length. | In order to ensure applications have a sufficient storage capacity in which to write the audit logs, applications need to be able to allocate audit re... |
| V-271027 | | The Syslog client must use TCP connections. | Removal of unneeded or nonsecure functions, ports, protocols, and services mitigates the risk of unauthorized connection of devices, unauthorized trans... |
| V-271034 | | Dragos Platform must accept the DOD CAC or other PKI credential for identity management and personal authentication. | The use of Personal Identity Verification (PIV) credentials facilitates standardization and reduces the risk of unauthorized access. PIV credentials ... |
| V-271049 | | The Dragos Platform must only allow the use of DOD PKI established certificate authorities for verification of the establishment of protected sessions. | Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DOD syst... |
| V-271070 | | The Dragos Platform must alert the information system security officer (ISSO), information system security manager (ISSM), and other individuals designated by the local organization when events are detected that indicate a compromise or potential for compromise. | When a security event occurs, Dragos Platform must immediately notify the appropriate support personnel so they can respond appropriately. Alerts may... |
| V-271105 | | Before establishing a network connection with a Network Time Protocol (NTP) server, Dragos Platform must authenticate using a bidirectional, cryptographically based authentication method that uses a FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to authenticate with the NTP server. | Without device-to-device authentication, communications with malicious devices may be established. Bidirectional authentication provides stronger safe... |
| V-270947 | | Dragos Platforms must limit privileges and not allow the ability to run shell. | If Dragos Platform were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the approp... |