| Vuln ID | | Rule Title | Discussion |
|---|---|---|---|
| V-206864 | | The IDPS must enforce approved authorizations by restricting or blocking the flow of harmful or suspicious communications traffic within the network as defined in the PPSM CAL and vulnerability assessments. | The flow of all communications traffic must be monitored and controlled so it does not introduce any unacceptable risk to the network infrastructure o... |
| V-206865 | | The IDPS must restrict or block harmful or suspicious communications traffic between interconnected networks based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic. | The IDPS enforces approved authorizations by controlling the flow of information between interconnected networks to prevent harmful or suspicious traf... |
| V-206866 | | The IDPS must immediately use updates made to policy filters, rules, signatures, and anomaly analysis algorithms for traffic detection and prevention functions. | Information flow policies regarding dynamic information flow control include, for example, allowing or disallowing information flows based on changes ... |
| V-206867 | | The IDPS must produce audit records containing sufficient information to establish what type of event occurred, including, at a minimum, event descriptions, policy filter, rule or signature invoked, port, protocol, and criticality level/alert code or description. | Without establishing what type of event occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or... |
| V-206868 | | The IDPS must produce audit records containing information to establish when (date and time) the events occurred. | Without establishing the time (date/time) an event occurred, it would be difficult to establish, correlate, and investigate the events leading up to a... |
| V-206869 | | The IDPS must produce audit records containing information to establish where the event was detected, including, at a minimum, network segment, destination address, and IDPS component which detected the event. | Associating where the event was detected with the event log entries provides a means of investigating an attack or identifying an improperly configure... |
| V-206870 | | The IDPS must produce audit records containing information to establish the source of the event, including, at a minimum, originating source address. | Associating the source of the event with detected events in the logs provides a means of investigating an attack or suspected attack. While auditing ... |
| V-206871 | | The IDPS must produce audit records containing information to establish the outcome of events associated with detected harmful or potentially harmful traffic, including, at a minimum, capturing all associated communications traffic. | Associating event outcome with detected events in the log provides a means of investigating an attack or suspected attack. While auditing and logging... |
| V-206874 | | The IDPS must provide log information in a format that can be extracted and used by centralized analysis tools. | Centralized review and analysis of log records from multiple IDPS components gives the organization the capability to better detect distributed attack... |
| V-206875 | | The IDPS must provide audit record generation capability for detection events based on implementation of policy filters, rules, signatures, and anomaly analysis. | Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident, o... |
| V-206876 | | The IDPS must provide audit record generation capability for events where communication traffic is blocked or restricted based on policy filters, rules, signatures, and anomaly analysis. | Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident, o... |
| V-206877 | | The IDPS must provide audit record generation with a configurable severity and escalation level capability. | Without the capability to generate audit records with a severity code it is difficult to track and handle detection events. While auditing and loggin... |
| V-206878 | | The IDPS must be configured to remove or disable non-essential capabilities which are not required for operation or not related to IDPS functionality (e.g., DNS, email client or server, FTP server, or web server). | An IDPS can be capable of providing a wide variety of capabilities. Not all of these capabilities are necessary. Unnecessary services, functions, and ... |
| V-206879 | | The IDPS must be configured to remove or disable non-essential features, functions, and services of the IDPS application. | An IDPS can be capable of providing a wide variety of capabilities. Not all of these capabilities are necessary. Unnecessary services, functions, and ... |
| V-206880 | | The IDPS must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. | Some ports, protocols, or services have known exploits or security weaknesses. These ports, protocols, and services must be prohibited or restricted i... |
| V-206881 | | The IDPS must block outbound traffic containing known and unknown DoS attacks by ensuring that security policies, signatures, rules, and anomaly detection techniques are applied to outbound communications traffic. | The IDPS must include protection against DoS attacks that originate from inside the enclave which can affect either internal or external systems. Thes... |
| V-206882 | | The IDPS must detect, at a minimum, mobile code that is unsigned or exhibiting unusual behavior, has not undergone a risk assessment, or is prohibited for use based on a risk assessment. | Mobile code is defined as software modules obtained from remote systems, transferred across a network, and then downloaded and executed on a local sys... |
| V-206883 | | The IDPS must block any prohibited mobile code at the enclave boundary when it is detected. | Mobile code is defined as software modules obtained from remote systems, transferred across a network, and then downloaded and executed on a local sys... |
| V-206884 | | The IDPS must fail to a secure state which maintains access control mechanisms when the IDPS hardware, software, or firmware fails on initialization/shutdown or experiences a sudden abort during normal operation. | Failure to a known safe state helps prevent systems from failing to a state that may cause loss of data or unauthorized access to system resources. Pr... |
| V-206885 | | In the event of a failure of the IDPS function, the IDPS must save diagnostic information, log system messages, and load the most current security policies, rules, and signatures when restarted. | Failure in a secure state addresses safety or security in accordance with the mission needs of the organization. Failure to a secure state helps prevent... |
| V-206887 | | The IDPS must automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management procedures. | Failing to update malicious code protection mechanisms, including application software files, signature definitions, and vendor-provided rules, leaves... |
| V-206888 | | The IDPS must perform real-time monitoring of files from external sources at network entry/exit points. | Real-time monitoring of files from external sources at network entry/exit points helps to detect covert malicious code before it is downloaded to or e... |
| V-206889 | | The IDPS must block malicious code. | Configuring the IDPS to delete and/or quarantine based on local organizational incident handling procedures minimizes the impact of this code on the n... |
| V-206890 | | The IDPS must quarantine and/or delete malicious code. | Configuring the network element to delete and/or quarantine based on local organizational incident handling procedures minimizes the impact of this co... |
| V-206891 | | The IDPS must send an immediate (within seconds) alert to, at a minimum, the system administrator when malicious code is detected. | Without an alert, security personnel may be unaware of an impending failure of the audit capability, and the ability to perform forensic analysis and ... |
| V-206892 | | The IDPS must automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy. | Failing to automatically update malicious code protection mechanisms, including application software files, signature definitions, and vendor-provided... |
| V-206893 | | The IDPS must block outbound ICMP Destination Unreachable, Redirect, and Address Mask reply messages. | Internet Control Message Protocol (ICMP) messages are used to provide feedback about problems in the network. These messages are sent back to the send... |
| V-206894 | | The IDPS must block malicious ICMP packets by properly configuring ICMP signatures and rules. | Internet Control Message Protocol (ICMP) messages are used to provide feedback about problems in the network. These messages are sent back to the send... |
| V-206895 | | To protect against unauthorized data mining, the IDPS must prevent code injection attacks launched against data storage objects, including, at a minimum, databases, database records, queries, and fields. | Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to detect attacks that use... |
| V-206896 | | To protect against unauthorized data mining, the IDPS must prevent code injection attacks launched against application objects including, at a minimum, application URLs and application code. | Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to detect attacks that use... |
| V-206897 | | To protect against unauthorized data mining, the IDPS must prevent SQL injection attacks launched against data storage objects, including, at a minimum, databases, database records, and database fields. | Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to detect attacks that use... |
| V-206898 | | To protect against unauthorized data mining, the IDPS must detect code injection attacks launched against data storage objects, including, at a minimum, databases, database records, queries, and fields. | Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to detect attacks that use... |
| V-206899 | | To protect against unauthorized data mining, the IDPS must detect code injection attacks launched against application objects including, at a minimum, application URLs and application code. | Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to detect attacks that use... |
| V-206900 | | To protect against unauthorized data mining, the IDPS must detect SQL injection attacks launched against data storage objects, including, at a minimum, databases, database records, and database fields. | Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to detect attacks that use... |
| V-206902 | | The IDPS must off-load log records to a centralized log server. | Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading ensures audit information does not ge... |
| V-206903 | | The IDPS must provide an alert to, at a minimum, the system administrator and ISSO when any audit failure events occur. | Without an alert, security personnel may be unaware of an impending failure of the audit capability, and the ability to perform forensic analysis may ... |
| V-206904 | | The IDPS must assign a critical severity level to all audit processing failures. | It is critical that when the IDPS is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing f... |
| V-206905 | | The IDPS must protect against or limit the effects of known and unknown types of Denial of Service (DoS) attacks by employing rate-based attack prevention behavior analysis. | If the network does not provide safeguards against DoS attack, network resources will be unavailable to users. Installation of IDPS detection and pre... |
| V-206906 | | The IDPS must protect against or limit the effects of known and unknown types of Denial of Service (DoS) attacks by employing anomaly-based attack detection. | If the network does not provide safeguards against DoS attack, network resources will be unavailable to users. Installation of IDPS detection and pre... |
| V-206907 | | The IDPS must protect against or limit the effects of known types of Denial of Service (DoS) attacks by employing signatures. | If the network does not provide safeguards against DoS attack, network resources will be unavailable to users. Installation of IDPS detection and pr... |
| V-206909 | | IDPS components, including sensors, event databases, and management consoles must integrate with a network-wide monitoring capability. | An integrated, network-wide intrusion detection capability increases the ability to detect and prevent sophisticated distributed attacks based on acce... |
| V-206910 | | The IDPS must detect network services that have not been authorized or approved by the ISSO or ISSM, at a minimum. | Unauthorized or unapproved network services lack organizational verification or validation and therefore may be unreliable or serve as malicious rogue... |
| V-206911 | | The IDPS must generate a log record when unauthorized network services are detected. | Unauthorized or unapproved network services lack organizational verification or validation and therefore may be unreliable or serve as malicious rogue... |
| V-206912 | | The IDPS must generate an alert to the ISSM and ISSO, at a minimum, when unauthorized network services are detected. | Unauthorized or unapproved network services lack organizational verification or validation and therefore may be unreliable or serve as malicious rogue... |
| V-206913 | | The IDPS must continuously monitor inbound communications traffic for unusual/unauthorized activities or conditions. | If inbound communications traffic is not continuously monitored for unusual/unauthorized activities or conditions, there will be times when hostile ac... |
| V-206914 | | The IDPS must continuously monitor outbound communications traffic for unusual/unauthorized activities or conditions. | If outbound communications traffic is not continuously monitored for unusual/unauthorized activities or conditions, there will be times when hostile a... |
| V-206915 | | The IDPS must send an alert to, at a minimum, the information system security manager (ISSM) and information system security officer (ISSO) when intrusion detection events are detected which indicate a compromise or potential for compromise. | Without an alert, security personnel may be unaware of intrusion detection incidents that require immediate action and this delay may result in the lo... |
| V-206916 | | The IDPS must send an alert to, at a minimum, the ISSM and ISSO when threats identified by authoritative sources (e.g., IAVMs or CTOs) are detected which indicate a compromise or potential for compromise. | Without an alert, security personnel may be unaware of an impending failure of the audit capability, and the ability to perform forensic analysis and ... |
| V-206917 | | The IDPS must generate an alert to, at a minimum, the ISSM and ISSO when root level intrusion events which provide unauthorized privileged access are detected. | Without an alert, security personnel may be unaware of major detection incidents that require immediate action and this delay may result in the loss o... |
| V-206918 | | The IDPS must send an alert to, at a minimum, the ISSM and ISSO when user level intrusions which provide non-privileged access are detected. | Without an alert, security personnel may be unaware of major detection incidents that require immediate action and this delay may result in the loss o... |
| V-206919 | | The IDPS must send an alert to, at a minimum, the ISSM and ISSO when denial of service incidents are detected. | Without an alert, security personnel may be unaware of major detection incidents that require immediate action and this delay may result in the loss o... |
| V-206920 | | The IDPS must generate an alert to, at a minimum, the ISSM and ISSO when new active propagation of malware infecting DoD systems or malicious code adversely affecting the operations and/or security of DoD systems is detected. | Without an alert, security personnel may be unaware of major detection incidents that require immediate action and this delay may result in the loss o... |
| V-206921 | | The IDPS must, for fragmented packets, either block the packets or properly reassemble the packets before inspecting and forwarding. | Packet fragmentation is allowed by the TCP/IP specifications and is encouraged in situations where it is needed. However, packet fragmentation has bee... |
| V-206922 | | The IDPS must off-load log records to a centralized log server in real-time. | Off-loading ensures audit information does not get overwritten if the limited audit storage capacity is reached and also protects the audit record in ... |
| V-206923 | | The IDPS must be configured in accordance with the security configuration settings based on DoD security policy and technology-specific security best practices. | Configuring the IDPS to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards a... |
| V-263663 | | The IDPS must employ organization-defined controls by type of denial-of-service (DoS) to achieve the DoS objective. | DoS events may occur due to a variety of internal and external causes, such as an attack by an adversary or a lack of planning to support organization... |
| V-263664 | | The IDPS must implement physically or logically separate subnetworks to isolate organization-defined critical system components and functions. | Separating critical system components and functions from other noncritical system components and functions through separate subnetworks may be necessa... |
| V-263665 | | The IDPS must establish organization-defined alternate communications paths for system operations organizational command and control. | An incident, whether adversarial- or nonadversarial-based, can disrupt established communications paths used for system operations and organizational ... |