| V-246927 | | ONTAP must enforce administrator privileges based on their defined roles. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-246930 | | ONTAP must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. | Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary... |
| V-246940 | | ONTAP must be configured to use an authentication server to provide multifactor authentication. | Centralized management of authentication settings increases the security of remote and nonlocal access methods. This control is particularly important... |
| V-246946 | | ONTAP must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services. | In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types... |
| V-246958 | | ONTAP must be configured to implement cryptographic mechanisms using FIPS 140-2. | Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide con... |
| V-246959 | | ONTAP must terminate all network connections associated with a device management session at the end of the session, or the session must be terminated after 10 minutes of inactivity except to fulfill documented and validated mission requirements. | Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management se... |
| V-246964 | | ONTAP must be configured to send audit log data to a central log server. | The aggregation of log data kept on a syslog server can be used to detect attacks and trigger an alert to the appropriate security personnel. The stor... |
| V-246922 | | ONTAP must be configured to limit the number of concurrent sessions. | Device management includes the ability to control the number of administrators and management sessions that manage a device. Limiting the number of al... |
| V-246923 | | ONTAP must be configured to create a session lock after 15 minutes. | A session lock is a temporary network device or administrator-initiated action taken when the administrator stops work but does not log out of the net... |
| V-246925 | | ONTAP must automatically audit account-enabling actions. | Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way t... |
| V-246926 | | ONTAP must be configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable. | Authentication for administrative (privileged-level) access to the device is required at all times. An account can be created on the device's local da... |
| V-246931 | | ONTAP must be configured to enforce the limit of three consecutive failed logon attempts. | By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, ... |
| V-246932 | | ONTAP must be configured to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the device. | Display of the DoD-approved use notification before granting access to the network device ensures privacy and security notification verbiage used is c... |
| V-246933 | | ONTAP must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements. | Audit records are stored on staging volumes when auditing is enabled. If the staging volumes do not exist when auditing is enabled, the auditing subsy... |
| V-246935 | | ONTAP must have audit guarantee enabled. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. With audit guarantee ena... |
| V-246936 | | ONTAP must be configured to synchronize internal information system clocks using redundant authoritative time sources. | The loss of connectivity to a particular authoritative time source will result in the loss of time synchronization (free-run mode) and increasingly in... |
| V-246938 | | ONTAP must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT). | If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis. Time stamps generate... |
| V-246939 | | ONTAP must enforce access restrictions associated with changes to the device configuration. | Failure to provide logical access restrictions associated with changes to device configuration may have significant effects on the overall security of... |
| V-246944 | | ONTAP must be configured to conduct backups of system level information. | System-level information includes default and customized settings and security attributes, including ACLs that relate to the network device configurat... |
| V-246945 | | ONTAP must use DoD-approved PKI rather than proprietary or self-signed device certificates. | Each organization obtains user certificates from an approved, shared service provider as required by OMB policy. For federal agencies operating a lega... |
| V-246947 | | ONTAP must be configured to authenticate each administrator prior to authorizing privileges based on assignment of group or role. | To assure individual accountability and prevent unauthorized access, administrators must be individually identified and authenticated. Individual acc... |
| V-246948 | | ONTAP must implement replay-resistant authentication mechanisms for network access to privileged accounts. | A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the applicati... |
| V-246949 | | ONTAP must be configured to authenticate SNMP messages using FIPS-validated Keyed-HMAC. | Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authenticati... |
| V-246950 | | ONTAP must authenticate NTP sources using authentication that is cryptographically based. | If Network Time Protocol (NTP) is not authenticated, an attacker can introduce a rogue NTP server. This rogue server can then be used to send incorrec... |
| V-246951 | | ONTAP must enforce a minimum 15-character password length. | Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password ... |
| V-246952 | | ONTAP must enforce password complexity by requiring that at least one uppercase character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-246953 | | ONTAP must enforce password complexity by requiring that at least one lowercase character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-246954 | | ONTAP must enforce password complexity by requiring that at least one numeric character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-246955 | | ONTAP must enforce password complexity by requiring that at least one special character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |