| V-258601 | | The ICS must be configured to audit the execution of privileged functions such as accounts additions and changes. | Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromise... |
| V-258602 | | If SNMP is used, the ICS must be configured to use SNMPv3 with FIPS-140-2/3 validated Keyed-Hash Message Authentication Code (HMAC). | Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authenticati... |
| V-258603 | | The ICS must be configured to authenticate Network Time Protocol (NTP) sources using authentication that is cryptographically based. | If Network Time Protocol is not authenticated, an attacker can introduce a rogue NTP server. This rogue server can then be used to send incorrect time... |
| V-258604 | | The ICS must be configured to record time stamps for audit records that can be mapped to Greenwich Mean Time (GMT). | If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis.
Time stamps generate... |
| V-258605 | | The ICS must be configured to allocate local audit record storage capacity in accordance with organization-defined audit record storage requirements. | In order to ensure network devices have a sufficient storage capacity in which to write the audit logs, they need to be able to allocate audit record ... |
| V-258606 | | The ICS must be configured to enforce password complexity by requiring that at least one special character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-258607 | | The ICS must be configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable. | Authentication for administrative (privileged level) access to the device is required at all times. An account can be created on the device's local da... |
| V-258610 | | The ICS must be configured to synchronize internal information system clocks using redundant authoritative time sources. | The loss of connectivity to a particular authoritative time source will result in the loss of time synchronization (free-run mode) and increasingly in... |
| V-258611 | | The ICS must be configured to obtain its public key certificates from an appropriate certificate policy through an approved service provider. | For user certificates, each organization obtains certificates from an approved and shared service provider, as required by OMB policy. For federal age... |
| V-258612 | | The ICS must be configured to support organizational requirements to conduct weekly backups of information system documentation, including security-related documentation. | Information system backup is a critical step in maintaining data assurance and availability. Information system and security-related documentation con... |
| V-258614 | | The ICS must be configured to enforce a minimum 15-character password length. | Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password ... |
| V-258616 | | The ICS must be configured to require that when a password is changed, the characters are changed in at least eight of the positions within the password. | If the application allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increa... |
| V-258617 | | The ICS must be configured to enforce password complexity by requiring that at least one numeric character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-258618 | | The ICS must be configured to enforce password complexity by requiring that at least one lowercase character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-258619 | | The ICS must be configured to enforce password complexity by requiring that at least one uppercase character be used. | Use of a complex passwords helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measur... |
| V-258621 | | The ICS must be configured to generate audit records when successful/unsuccessful attempts to access privileges occur. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-258622 | | The ICS must be configured to limit the number of concurrent sessions to an organization-defined number for each administrator account and/or administrator account type. | Device management includes the ability to control the number of administrators and management sessions that manage a device. Limiting the number of al... |
| V-258623 | | The ICS must be configured to display the Standard Mandatory DOD Notice and Consent Banner before granting access to manage the device. | Display of the DOD-approved use notification before granting access to the network device ensures privacy and security notification verbiage used is c... |
| V-258624 | | The ICS must be configured to enforce the limit of three consecutive invalid logon attempts, after which time it must block any login attempt for 15 minutes. | By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, ... |
| V-258625 | | The ICS must be configured to conduct backups of system level information contained in the information system when changes occur. | System-level information includes default and customized settings and security attributes, including ACLs that relate to the network device configurat... |
| V-258598 | | The ICS must be configured to implement cryptographic mechanisms using a FIPS 140-2/140-3 approved algorithm. | If unsecured protocols (lacking cryptographic mechanisms) are used for sessions, the contents of those sessions will be susceptible to eavesdropping, ... |
| V-258599 | | The ICS must be configured to send admin log data to a redundant central log server. | The aggregation of log data kept on a syslog server can be used to detect attacks and trigger an alert to the appropriate security personnel. The stor... |
| V-258600 | | The ICS must be configured to prevent nonprivileged users from executing privileged functions. | Preventing nonprivileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary ... |
| V-258608 | | The ICS must be configured to terminate after 10 minutes of inactivity except to fulfill documented and validated mission requirements. | Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management se... |
| V-258609 | | The ICS must be configured to use DOD PKI as multifactor authentication (MFA) for interactive logins. | MFA is when two or more factors are used to confirm the identity of an individual who is requesting access to digital information resources. Valid fac... |
| V-258613 | | The ICS must be configured to run an operating system release that is currently supported by Ivanti. | Network devices running an unsupported operating system lack current security fixes required to mitigate the risks associated with recent vulnerabilit... |
| V-258615 | | The ICS must be configured to transmit only encrypted representations of passwords. | Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can ... |
| V-258620 | | The ICS must be configured to use DOD approved OCSP responders or CRLs to validate certificates used for PKI-based authentication. | Once issued by a DOD certificate authority (CA), public key infrastructure (PKI) certificates are typically valid for three years or shorter within th... |
| V-268324 | | The ICS must be configured to protect against known types of denial-of-service (DoS) attacks by enabling JITC mode. | This configuration protects the confidentiality of Web UI session and guards against DoS attacks. If JITC (DODIN APL) Mode is enabled, then the follow... |
