| V-251008 | | The Sentry must enforce approved authorizations for logical access to information and system resources by enabling identity-based, role-based, and/or attribute-based security policies. These controls are enabled in MobileIron UEM (MobileIron Core) and applied by the Sentry for conditional access enforcement. | Successful authentication through Sentry must not automatically give an entity access to resources behind Sentry. The lack of authorization-based acce... |
| V-251009 | | The Sentry must enforce approved authorizations for controlling the flow of information within the network based on attribute-based inspection of the source, destination, and headers, of the communications traffic. | Information flow control regulates where information is allowed to travel within a network. The flow of all network traffic must be monitored and cont... |
| V-251010 | | The Sentry must restrict or block harmful or suspicious communications traffic by controlling the flow of information between interconnected networks based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic. | Information flow control regulates where information is allowed to travel within a network and between interconnected networks. Blocking or restrictin... |
| V-251011 | | The Sentry providing intermediary services for remote access communications traffic must use encryption services that implement NIST FIPS-validated cryptography to protect the confidentiality of remote access sessions. | Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote ... |
| V-251012 | | If Sentry stores secret or private keys, it must use FIPS-approved key management technology and processes in the production and control of private/secret cryptographic keys. | Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key d... |
| V-251013 | | The Sentry that provides intermediary services for TLS must be configured to comply with the required TLS settings in NIST SP 800-52. | SP 800-52 provides guidance on using the most secure version and configuration of the TLS/SSL protocol. Using older unauthorized versions or incorrect... |
| V-251014 | | The Sentry providing intermediary services for remote access communications traffic must use NIST FIPS-validated cryptography to protect the integrity of remote access sessions. | Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access is access to DoD-nonpu... |
| V-251022 | | The Sentry must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. | In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types... |
| V-251023 | | The Sentry providing mobile device access control intermediary services must be configured with a pre-established trust relationship and mechanisms with appropriate authorities (e.g., Active Directory or AAA server) which validate mobile device account access authorizations and privileges. | User account and privilege validation must be centralized in order to prevent unauthorized access using changed or revoked privileges. ALGs can imple... |
| V-251024 | | The Sentry providing mobile device authentication intermediary services must restrict mobile device authentication traffic to specific authentication server(s). | User authentication can be used as part of the policy filtering rule sets. Some URLs or network resources can be restricted to authenticated users onl... |
| V-251025 | | The Sentry providing mobile device authentication intermediary services must use multifactor authentication for network access to non-privileged accounts. | To ensure accountability and prevent unauthenticated access, non-privileged users must utilize multifactor authentication to prevent potential misuse ... |
| V-251026 | | The Sentry providing mobile device authentication intermediary services must implement replay-resistant authentication mechanisms for network access to nonprivileged accounts. | A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the applicati... |
| V-251027 | | The Sentry that provides intermediary services for TLS must validate certificates used for TLS functions by performing RFC 5280-compliant certification path validation. | A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path vali... |
| V-251028 | | The Sentry providing PKI-based mobile device authentication intermediary services must map authenticated identities to the mobile device account. | Authorization for access to any network element requires an approved and assigned individual account identifier. To ensure only the assigned individua... |
| V-251029 | | The Sentry must terminate all network connections associated with a communications session at the end of the session, or as follows: for in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity; and for mobile device sessions (non-privileged session), the session must be terminated after 15 minutes of inactivity. | Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management se... |
| V-251031 | | The Sentry providing mobile device authentication intermediary services must implement multifactor authentication for remote access to nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access. | For remote access to nonprivileged accounts, the purpose of requiring a device that is separate from the information system gaining access for one of ... |
| V-251032 | | The Sentry providing mobile device authentication intermediary services using PKI-based mobile device authentication must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of protected sessions. | Non-DoD-approved PKIs have not been evaluated to ensure they have security controls and identity vetting procedures in place that are sufficient for D... |
| V-251034 | | The Sentry must only allow incoming communications from organization-defined authorized sources routed to organization-defined authorized destinations. | Unrestricted traffic may contain malicious traffic which poses a threat to an enclave or to other connected networks. Additionally, unrestricted traff... |
| V-251036 | | The Sentry providing encryption intermediary services must implement NIST FIPS-validated cryptography to generate cryptographic hashes. | Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The network element must implement cryp... |
| V-251037 | | The Sentry providing encryption intermediary services must implement NIST FIPS-validated cryptography for digital signatures. | Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The network element must implement cryp... |
| V-251038 | | The Sentry providing encryption intermediary services must use NIST FIPS-validated cryptography to implement encryption services. | Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The network element must implement cryp... |
| V-251015 | | The Sentry must produce audit records containing information to establish what type of events occurred. | Without establishing what type of event occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or... |
| V-251016 | | The Sentry must produce audit records containing information to establish when (date and time) the events occurred. | Without establishing when events occurred, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack. In... |
| V-251017 | | The Sentry must produce audit records containing information to establish where the events occurred. | Without establishing where events occurred, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack. I... |
| V-251018 | | The Sentry must produce audit records containing information to establish the source of the events. | Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography en... |
| V-251019 | | The Sentry must produce audit records containing information to establish the outcome of the events. | Without information about the outcome of events, security personnel cannot make an accurate assessment as to whether an attack was successful or if ch... |
| V-251020 | | The Sentry must generate audit records containing information to establish the identity of any individual or process associated with the event. | Without information that establishes the identity of the subjects (i.e., users or processes acting on behalf of users) associated with the events, sec... |
| V-251021 | | The Sentry must send an alert to, at a minimum, the ISSO and SCA when an audit processing failure occurs. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notificatio... |
| V-251030 | | The Sentry must offload audit records onto a centralized log server. | Without the capability to select a user session to capture or view, investigations into suspicious or harmful events would be hampered by the volume o... |
| V-251033 | | The Sentry must implement load balancing to limit the effects of known and unknown types of Denial-of-Service (DoS) attacks. | If the network does not provide safeguards against DoS attacks, network resources will be unavailable to users. Load balancing provides service redund... |
| V-251035 | | The Sentry must reveal error messages only to the ISSO, ISSM, and SCA. | Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational st... |
| V-251039 | | The Sentry must offload audit records onto a centralized log server in real time. | Offloading ensures audit information does not get overwritten if the limited audit storage capacity is reached and also protects the audit record in c... |