| V-258586 | | The ICS must be configured to use TLS 1.2, at a minimum. | Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that explo... |
| V-258589 | | The ICS must be configured to use multifactor authentication (e.g., DOD PKI) for network access to nonprivileged accounts. | To ensure accountability and prevent unauthenticated access, nonprivileged users must use multifactor authentication to prevent potential misuse and c... |
| V-258583 | | The ICS must be configured to ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies. | Unrestricted traffic may contain malicious traffic which poses a threat to an enclave or to other connected networks. Additionally, unrestricted traff... |
| V-258584 | | The ICS must display the Standard Mandatory DOD Notice and Consent Banner before granting access to users. | Display of the DOD-approved use notification before granting access to the network device ensures privacy and security notification verbiage used is c... |
| V-258585 | | The ICS must be configured to limit the number of concurrent sessions for user accounts to one. | VPN gateway management includes the ability to control the number of users and user sessions that utilize a VPN gateway. Limiting the number of allowe... |
| V-258588 | | The ICS must be configured to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). | To ensure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and... |
| V-258590 | | The ICS, when utilizing PKI-based authentication, must be configured to validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly tru... |
| V-258591 | | The ICS must terminate remote access network connections after an organization-defined time period. | This SRG requirement is in response to the DoD OIG Audit of Maintaining Cybersecurity in the Coronavirus Disease-2019 Telework Environment. Best prac... |
| V-258592 | | The ICS must be configured to send user traffic log data to a redundant central log server. | The aggregation of log data kept on a syslog server can be used to detect attacks and trigger an alert to the appropriate security personnel. The stor... |
| V-258593 | | The ICS must be configured to forward all log failure events where the detection and/or prevention function is unable to write events to local log record or send an SNMP trap that can be forwarded to the SCA and ISSO. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time aler... |
| V-258594 | | The ICS must be configured to authenticate all clients before establishing a connection. | Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. For ICS, user authenticat... |
| V-258595 | | The ICS must be configured to use an approved Commercial Solution for Classified (CSfC) when transporting classified traffic across an unclassified network. | Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The National Security Agency/Central Secur... |
| V-258596 | | The ICS must be configured to disable split-tunneling for remote client VPNs. | Split tunneling would in effect allow unauthorized external connections, making the system more vulnerable to attack and to exfiltration of organizati... |
| V-258597 | | The ICS that provides a Simple Network Management Protocol (SNMP) Network Management System (NMS) must configure SNMPv3 to use FIPS-validated AES cipher block algorithm. | Without device-to-device authentication, communications with malicious devices may be established. Bidirectional authentication provides stronger safe... |
| V-258587 | | The ICS must be configured to generate log records containing sufficient information about where and when each event occurred, the identity and source involved, and the outcome of the event. | Without establishing when events occurred, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack. VP... |
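V-258586 above turns on what the gateway actually negotiates, not on what its configuration page claims, and the one check a reviewer routinely gets wrong is TLS 1.3: a TLS 1.3 ServerHello carries `0x0303` (TLS 1.2) in its legacy_version field and puts the real version in the supported_versions extension, so a naive reader of the handshake misreports it. The following is an added example, not code from the STIG or from the ICS product: a small parser for the ServerHello record that returns the negotiated version and compares it against the TLS 1.2 floor. The `build_server_hello` helper constructs synthetic test vectors (fixed random bytes, cipher suite 0xC02F) for offline use; a real assessment would feed it the record captured from the gateway, for example from a packet capture of `openssl s_client -connect <gateway>:443`.

```python
import struct

TLS_VERSIONS = {
    (3, 1): "TLS 1.0",
    (3, 2): "TLS 1.1",
    (3, 3): "TLS 1.2",
    (3, 4): "TLS 1.3",
}
MIN_ALLOWED = (3, 3)              # TLS 1.2, the floor required by V-258586
EXT_SUPPORTED_VERSIONS = 0x002B   # RFC 8446 supported_versions extension


def build_server_hello(legacy_version, selected_version=None):
    """Constructed test vector (not captured traffic): a minimal ServerHello record.

    legacy_version   -> the 2-byte version field in the ServerHello body
    selected_version -> if given, emitted in a supported_versions extension (TLS 1.3 style)
    """
    body = bytes(legacy_version)          # legacy_version
    body += b"\x11" * 32                  # random (fixed filler for the test vector)
    body += b"\x00"                       # session_id length 0
    body += b"\xc0\x2f"                   # cipher_suite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    body += b"\x00"                       # compression_method null
    if selected_version is not None:
        ext = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, 2) + bytes(selected_version)
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body   # HandshakeType server_hello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def negotiated_version(record):
    """Return the (major, minor) version actually negotiated by a ServerHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x02:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ServerHello")
    legacy = (body[0], body[1])
    pos = 2 + 32                          # skip legacy_version and random
    sid_len = body[pos]
    pos += 1 + sid_len                    # skip session_id
    pos += 2 + 1                          # skip cipher_suite and compression_method
    if pos >= len(body):
        return legacy                     # no extensions: legacy_version is authoritative
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype == EXT_SUPPORTED_VERSIONS and elen == 2:
            return (edata[0], edata[1])   # TLS 1.3: the real version lives here
    return legacy


def check_minimum_tls(record, floor=MIN_ALLOWED):
    """Return (compliant, version_name) for a ServerHello record against the floor."""
    ver = negotiated_version(record)
    name = TLS_VERSIONS.get(ver, "unknown %r" % (ver,))
    return ver >= floor, name


if __name__ == "__main__":
    for label, rec in [
        ("TLS 1.2 server", build_server_hello((3, 3))),
        ("TLS 1.3 server", build_server_hello((3, 3), (3, 4))),
        ("TLS 1.0 server", build_server_hello((3, 1))),
    ]:
        ok, name = check_minimum_tls(rec)
        print("%-15s negotiated %-8s %s" % (label, name, "OK" if ok else "FINDING V-258586"))
```

The TLS 1.3 vector is the point of the example: its legacy_version field alone would be read as TLS 1.2, which happens to pass the floor here, but the same confusion hides a downgrade in the other direction when an assessor trusts the record-layer version (`0x0303` in the first three bytes of every record) instead of the handshake body. Run the parser on records captured from each external interface of the gateway, not just the one the admin console reports.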