| V-266067 | | The F5 BIG-IP appliance must be configured to assign appropriate user roles or access levels to authenticated users. | Successful identification and authentication must not automatically give an entity full access to a network device or security domain. Authorization... |
| V-266075 | | The F5 BIG-IP appliance must generate audit records and send records to redundant central syslog servers that are separate from the appliance. | Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Without generating audit records that are specif... |
| V-266079 | | The F5 BIG-IP appliance must be configured to use at least two authentication servers to authenticate administrative users. | Centralized management of authentication settings increases the security of remote and nonlocal access methods. This control is particularly important... |
| V-266080 | | The F5 BIG-IP appliance must be running an operating system release that is currently supported by the vendor. | Network devices running an unsupported operating system lack current security fixes required to mitigate the risks associated with recent vulnerabilit... |
| V-266084 | | The F5 BIG-IP appliance must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services. | To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within d... |
| V-266085 | | The F5 BIG-IP appliance must be configured to use multifactor authentication (MFA) for interactive logins. | MFA is when two or more factors are used to confirm the identity of an individual who is requesting access to digital information resources. Valid fac... |
| V-266094 | | The F5 BIG-IP appliance must be configured to use DOD approved OCSP responders or CRLs to validate certificates used for PKI-based authentication. | Once issued by a DOD certificate authority (CA), public key infrastructure (PKI) certificates are typically valid for three years or shorter within th... |
| V-266095 | | The F5 BIG-IP appliance must set the idle time before automatic logout to five minutes of inactivity except to fulfill documented and validated mission requirements. | Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management se... |
| V-266064 | | The F5 BIG-IP appliance must be configured to limit the number of concurrent sessions to the Configuration Utility to 10 or an organization-defined number. | Device management includes the ability to control the number of administrators and management sessions that manage a device. Limiting the number of al... |
| V-266065 | | The F5 BIG-IP appliance must terminate shared/group account credentials when members leave the group. | A shared/group account credential is a shared form of authentication that allows multiple individuals to access the network device using a single acco... |
| V-266066 | | The F5 BIG-IP appliance must be configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable. | Authentication for administrative (privileged level) access to the device is required at all times. An account can be created on the device's local da... |
| V-266068 | | The F5 BIG-IP appliance must be configured to audit the execution of privileged functions such as accounts additions and changes. | Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromise... |
| V-266069 | | The F5 BIG-IP appliance must be configured to enforce the limit of three consecutive invalid logon attempts, after which time it must block any login attempt for at least 15 minutes. | By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, ... |
| V-266070 | | The F5 BIG-IP appliance must be configured to display the Standard Mandatory DOD Notice and Consent Banner upon access to the TMOS User Interface. | Display of the DOD-approved use notification before granting access to the network device ensures privacy and security notification verbiage used is c... |
| V-266077 | | The F5 BIG-IP appliance must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC). | If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis. Time stamps generate... |
| V-266078 | | The F5 BIG-IP appliance must be configured to prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization. | Changes to any software components can have significant effects on the overall security of the network device. Verifying software components have been... |
| V-266083 | | The F5 BIG-IP appliance must obtain its public key certificates from an appropriate certificate policy through an approved service provider. | For user certificates, each organization obtains certificates from an approved, shared service provider, as required by OMB policy. For federal agenci... |
| V-266086 | | The F5 BIG-IP appliance must authenticate Network Time Protocol (NTP) sources using authentication that is cryptographically based. | If NTP is not authenticated, an attacker can introduce a rogue NTP server. This rogue server can then be used to send incorrect time information to ne... |
| V-266087 | | The F5 BIG-IP appliance must enforce a minimum 15-character password length. | Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password ... |
| V-266088 | | The F5 BIG-IP appliance must enforce password complexity by requiring that at least one uppercase character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measur... |
| V-266089 | | The F5 BIG-IP appliance must enforce password complexity by requiring that at least one lowercase character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-266090 | | The F5 BIG-IP appliance must enforce password complexity by requiring that at least one numeric character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-266091 | | The F5 BIG-IP appliance must enforce password complexity by requiring that at least one special character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-266092 | | The F5 BIG-IP appliance must require that when a password is changed, the characters are changed in at least eight of the positions within the password. | If the application allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increa... |
| V-266093 | | The F5 BIG-IP appliance must prohibit the use of cached authenticators after eight hours or less. | Some authentication implementations can be configured to use cached authenticators. If cached authentication information is out-of-date, the validity... |
| V-266096 | | The F5 BIG-IP appliance must conduct backups of the configuration at a weekly or organization-defined frequency and store on a separate device. | Information system backup is a critical step in maintaining data assurance and availability. Information system and security-related documentation con... |
| V-266134 | | The F5 BIG-IP appliance must be configured to display the Standard Mandatory DOD Notice and Consent Banner when accessing via SSH. | Display of the DOD-approved use notification before granting access to the network device ensures privacy and security notification verbiage used is c... |
| V-266135 | | The F5 BIG-IP appliance must be configured to restrict a consistent inbound IP for the entire management session. | This security measure helps limit the effects of denial-of-service (DoS) attacks by employing anti-session hijacking security safeguards. Session hija... |
| V-266074 | | The F5 BIG-IP appliance must manage local audit storage capacity in accordance with organization-defined audit record storage requirements. | To ensure network devices have a sufficient storage capacity in which to write the audit logs, they need to be able to allocate audit record storage c... |