| V-278381 | | NGINX must use TLS 1.2, at a minimum, to protect data confidentiality using remote access. | Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that explo... |
| V-278396 | | NGINX must off-load audit records to a central log server. | Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information s... |
| V-278380 | | NGINX must limit the number of concurrent sessions to an organization-defined number for all accounts and/or account types. | NGINX management includes the ability to control the number of users and user sessions that use an application. Limiting the number of allowed users a... |
| V-278382 | | The NGINX service account must be configured to not have shell access. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs, all DOD syst... |
| V-278383 | | The NGINX service account must be configured to not have admin group access. | A mechanism to detect and prevent unauthorized communication flow must be configured or provided as part of the system design. If information flow is ... |
| V-278384 | | NGINX must display the Standard Mandatory DOD Notice and Consent Banner before granting access to the application. | Display of the DOD-approved use notification before granting access to the application ensures privacy and security notification verbiage used is cons... |
| V-278385 | | NGINX must provide audit records for DOD-defined auditable events. | Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident, o... |
| V-278386 | | NGINX must allow only the information system security manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited. | Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the ... |
| V-278387 | | NGINX must prevent the execution of unapproved modules. | Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to... |
| V-278388 | | NGINX must protect audit information from unauthorized access. | If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity i... |
| V-278389 | | NGINX must be configured to prohibit or restrict using ports, protocols, and/or services. | Authenticity protection provides protection against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions. ... |
| V-278390 | | NGINX must implement replay-resistant authentication mechanisms for network access. | A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the applicati... |
| V-278391 | | NGINX must be configured to use a Certificate Revocation List (CRL) for certificate path validation and revocation. (Online Certificate Status Protocol [OCSP] is the preferred configuration.) | Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly tru... |
| V-278392 | | NGINX, when using PKI-based authentication, must enforce authorized access to the corresponding private key. | If the private key is discovered, an attacker can use the key to authenticate as an authorized user and gain access to the network infrastructure. Th... |
| V-278393 | | NGINX must identify prohibited mobile code. | Decisions regarding the employment of mobile code within applications are based on the potential for the code to cause damage to the system if used ma... |
| V-278394 | | NGINX must restrict the ability of individuals to launch denial-of-service (DoS) attacks against other information systems. | DoS is a condition in which a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission ... |
| V-278395 | | NGINX must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries. | Any application providing too much information in error messages risks compromising the data and security of the application and system. The structure... |
| V-278397 | | NGINX must restrict access to configuration files. | Failure to provide logical access restrictions associated with changes to application configuration may have significant effects on the overall securi... |
| V-278398 | | NGINX must be configured with a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Using an allowlist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software d... |
| V-278399 | | NGINX must be configured to require SSL sessions to reauthenticate no longer than 15 minutes. | Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When applications provide the capabi... |
| V-278400 | | NGINX must accept Personal Identity Verification (PIV) credentials. | Using PIV credentials facilitates standardization and reduces the risk of unauthorized access. DOD has mandated using the CAC to support identity man... |
| V-278401 | | NGINX must be configured to expire cached authenticators after an organization-defined time period. | If cached authentication information is out of date, the validity of the authentication information may be questionable.... |
| V-278402 | | NGINX must be configured to pass security attributes to proxies. | If security attributes are not associated with the information being transmitted between components, then access control policies and information flow... |
| V-278403 | | NGINX must only allow using DOD-approved certificate authorities for PKI. | Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DOD syst... |
| V-278404 | | NGINX must protect against denial-of-service (DoS) attacks. | DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or m... |
| V-278405 | | NGINX must be configured to use FIPS-approved algorithms to protect the confidentiality and integrity of transmitted information. | Without protection of the transmitted information, confidentiality and integrity may be compromised since unprotected communications can be intercepte... |
| V-278406 | | NGINX must be configured to use Online Certificate Status Protocol (OCSP) for certificate path validation and revocation. (OCSP is the preferred configuration.) | A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path vali... |
| V-278407 | | NGINX must be configured to use a FIPS-validated cryptographic module for confidentiality and integrity. | FIPS 140-2/140-3 precludes using invalidated cryptography for the cryptographic protection of sensitive or valuable data within federal systems. Unval... |
| V-278408 | | The NGINX service account must be configured to lock changes to the password. | Password-based authentication applies to passwords regardless of whether they are used in single-factor or multifactor authentication. Long passwords ... |
| V-278409 | | NGINX must separate API maintenance sessions from other network sessions within the system by logically separated communications paths. | Nonlocal maintenance and diagnostic activities are conducted by individuals who communicate through either an external or internal network. Communica... |
| V-278410 | | NGINX must generate, manage, and protect from disclosure and misuse the cryptographic keys that protect access tokens. | Identity assertions and access tokens are typically digitally signed. The private keys used to sign these assertions and tokens are protected commensu... |
| V-278411 | | NGINX must revoke access tokens in accordance with organization-defined identification and authentication policy. | An access token is a piece of data that represents the authorization granted to a user or NPE to access specific systems or information resources. Acc... |