{
  "id": 686,
  "benchmarkId": "Nokia_SR_OS_25-x_NDM_STIG",
  "slug": "nokia_service_router_os_25x_network_device_management",
  "stigSlug": "nokia_service_router_os_25x_network_device_management",
  "versionStatus": "current",
  "status": "accepted",
  "statusDate": "2026-06-15T00:00:00.000Z",
  "title": "Nokia Service Router OS 25.x Network Device Management Security Technical Implementation Guide",
  "description": "This Security Technical Implementation Guide is published as a tool to improve the security of Department of War (DoW) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.",
  "version": "V1R1",
  "vendor": null,
  "createdAt": "2026-07-11T12:27:49.692Z",
  "updatedAt": "2026-07-11T12:27:49.692Z",
  "groups": [
    {
      "id": 40750,
      "benchmarkId": 686,
      "groupId": "V-283785",
      "title": "SRG-APP-000516-NDM-000336",
      "description": "<GroupDescription></GroupDescription>",
      "ruleId": "SV-283785r1203604_rule",
      "ruleWeight": "10.0",
      "ruleSeverity": "high",
      "ruleVersion": "NOKI-ND-000890",
      "ruleTitle": "The Nokia router must be configured to use at least two authentication servers for authenticating users prior to granting administrative access.",
      "ruleVulnDiscussion": "Centralized management of authentication settings increases the security of remote and nonlocal access methods. This control is particularly important protection against the insider threat. With robust centralized management, audit records for administrator account access to the organization's network devices can be more readily analyzed for trends and anomalies. \n\nThe alternative method of defining administrator accounts on each device exposes the device configuration to remote access authentication attacks and system administrators with multiple authenticators for each device.",
      "ruleFalsePositives": "",
      "ruleFalseNegatives": "",
      "ruleDocumentable": "false",
      "ruleMitigations": "",
      "ruleIdent": "CCI-000370",
      "ruleIdents": [
        "CCI-000370"
      ],
      "ruleFixText": "1. Configure the Nokia router to use at least two authentication servers.\n\nNokia router supports RADIUS, TACACS+, and LDAP for user authentication. Multiple authentication servers can be configured. The example below is for the TACACS configuration:\n\n- configure system security tacplus server <index> address <tacacs+ server ip address>\n\n2. Configure the authentication order to use the authentication servers as the primary source for authentication. Up to four methods of authentication order can be configured:\n\n- configure system security password authentication-order <first order can be: local, radius, tacplus or ldap> <2nd order can be: local, radius, tacplus or ldap> <3rd order can be: local, radius, tacplus or ldap> <4th order can be: local, radius, tacplus or ldap> \n\n3. Configure all network connections associated with a device management to use the authentication servers for login authentication.",
      "ruleFixId": "F-88255r1203599_fix",
      "ruleCheckSystem": "C-88350r1203398_chk",
      "ruleCheckContent": "Review the Nokia router configuration to verify the device is configured to use at least two authentication servers as the primary source for authentication.\n\nVerify multiple authentication servers are configured and status is \"up\", as shown in the example below:\n\n- show system security authentication statistics\nshow system security authentication statistics\n\nAuthentication sequence : radius tacplus ldap local\n\ntype status timeout (secs) retry count\n server address retry timeout\n server name (secs)\n\nradius up 3 3\n 192.168.0.10:1812 n/a\ntacplus up 3 n/a\n 192.168.1.10:49 300\nldap up 3 3\n 10.1.1.1:389 n/a\n Corporate LDAP Server\n\nradius admin/oper status : up/up\n UDP port : 1812\n TCP port : 2083\ntacplus admin/oper status : up/up\nldap admin/oper status : up/up\nhealth check : enabled (interval 30 secs)\n\nNo. of Servers: 3\n\nIf the Nokia router is not configured to use at least two authentication servers for authenticating users prior to granting administrative access, this is a finding.",
      "createdAt": "2026-07-11T12:27:49.737Z",
      "updatedAt": "2026-07-11T12:27:49.737Z"
    },
    {
      "id": 40725,
      "benchmarkId": 686,
      "groupId": "V-283760",
      "title": "SRG-APP-000001-NDM-000200",
      "description": "<GroupDescription></GroupDescription>",
      "ruleId": "SV-283760r1203325_rule",
      "ruleWeight": "10.0",
      "ruleSeverity": "medium",
      "ruleVersion": "NOKI-ND-000010",
      "ruleTitle": "The Nokia router must limit the number of concurrent management sessions to a maximum of three for each administrator account and/or administrator account type.",
      "ruleVulnDiscussion": "Device management includes the ability to control the number of administrators and management sessions that manage a device. Limiting the number of allowed administrators and sessions per administrator based on account type, role, or access type is helpful in limiting risks related to denial-of-service (DoS) attacks.\n\nThis requirement addresses concurrent sessions for administrative accounts and does not address concurrent sessions by a single administrator via multiple administrative accounts. The maximum number of concurrent sessions should be defined based on mission needs and the operational environment for each system. At a minimum, limits must be set for SSH, HTTPS, account of last resort, and root account sessions.\n\nNokia routers apply session limits for both inbound and outbound sessions per access method.",
      "ruleFalsePositives": "",
      "ruleFalseNegatives": "",
      "ruleDocumentable": "false",
      "ruleMitigations": "",
      "ruleIdent": "CCI-000054",
      "ruleIdents": [
        "CCI-000054"
      ],
      "ruleFixText": "Configure the Nokia router to limit the number of concurrent management sessions to a maximum of \"3\" sessions, as shown in the example below:\n\nSSH example:\n- configure system login-control ssh inbound-max-sessions 3\n\n- configure system login-control ssh outbound-max-sessions 3",
      "ruleFixId": "F-88230r1203324_fix",
      "ruleCheckSystem": "C-88325r1203323_chk",
      "ruleCheckContent": "Review the Nokia router configuration to determine if concurrent management sessions are limited, as shown in the example below:\n\nSSH example:\nUse the command below to get into the correct configuration context:\n\n- exit all\n- configure system login-control ssh \n- info detail | match inbound-max-sessions\n\n                inbound-max-sessions 3\n\n- info detail | match outbound-max-sessions\n\n                outbound-max-sessions 3\n\nIf \"inbound-max-sessions\" is not set to \"3\" or less, this is a finding.\n\nIf \"outbound-max-sessions\" is not set to \"3\" or less, this is a finding.",
      "createdAt": "2026-07-11T12:27:49.737Z",
      "updatedAt": "2026-07-11T12:27:49.737Z"
    },
    {
      "id": 40726,
      "benchmarkId": 686,
      "groupId": "V-283761",
      "title": "SRG-APP-000033-NDM-000212",
      "description": "<GroupDescription></GroupDescription>",
      "ruleId": "SV-283761r1223367_rule",
      "ruleWeight": "10.0",
      "ruleSeverity": "high",
      "ruleVersion": "NOKI-ND-000100",
      "ruleTitle": "The Nokia router must be configured to assign appropriate user roles or access levels to authenticated users.",
      "ruleVulnDiscussion": "Successful identification and authentication must not automatically give an entity full access to a network device or security domain. The lack of authorization-based access control could result in the immediate compromise of, and unauthorized access to, sensitive information. All DoW systems must be properly configured to incorporate access control methods that do not rely solely on authentication for authorized access.\n\nAuthorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset or set of resources. Information systems use access control policies and enforcement mechanisms to implement this requirement. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization.\n\nSome network devices are preconfigured with security groups. Other network devices enable operators to create custom security groups with custom permissions. For example, an information system security manager (ISSM) may require read-only access to audit the network device. Operators may create an audit security group, define permissions and access levels for members of the group, and then assign the ISSM's user persona to the audit security group. This is still considered privileged access, but the ISSM's security group is more restrictive than the network administrator's security group.\n\nNetwork devices that rely on Authentication, Authorization, and Accounting (AAA) brokers for authentication and authorization services may need to identify the available security groups or access levels available on the network devices and convey that information to the AAA operator. Once the AAA broker identifies the user persona on the centralized directory service, the user's security group memberships can be retrieved. The AAA operator may need to create a mapping that links target security groups from the directory service to the appropriate security groups or access levels on the network device. Once these mappings are configured, authorizations can happen dynamically based on each user's directory service group membership.\n\nSatisfies: SRG-APP-000033-NDM-000212, SRG-APP-000120-NDM-000237, SRG-APP-000121-NDM-000238, SRG-APP-000122-NDM-000239, SRG-APP-000123-NDM-000240, SRG-APP-000231-NDM-000271, SRG-APP-000329-NDM-000287, SRG-APP-000378-NDM-000302, SRG-APP-000380-NDM-000304, SRG-APP-000516-NDM-000335",
      "ruleFalsePositives": "",
      "ruleFalseNegatives": "",
      "ruleDocumentable": "false",
      "ruleMitigations": "",
      "ruleIdent": "CCI-000213",
      "ruleIdents": [
        "CCI-000213",
        "CCI-000164",
        "CCI-001493",
        "CCI-001494",
        "CCI-001495",
        "CCI-001199",
        "CCI-002169",
        "CCI-000366",
        "CCI-003980",
        "CCI-001813",
        "CCI-000345"
      ],
      "ruleFixText": "Administrative profiles exist by default. Other profiles should be created based on user roles and access levels.\n\nCreate a new profile and add as many entries as needed:\n\n- configure system security profile <profile name>\n- default-action <deny-all or permit-all or none or read-only-all>\n- entry <entry id>\n- match <command string>\n- action < permit or deny or read-only or none>\n\nApply the correct profile to each user:\n\n- configure system security user <user name> console member <profile name>",
      "ruleFixId": "F-88231r1203327_fix",
      "ruleCheckSystem": "C-88326r1203592_chk",
      "ruleCheckContent": "For local accounts, role-based access control is configured through the user profile. \n\nVerify the \"profile\" assigned to each user using the command below:\n\n- show system security user <user name> detail\n- show system security user \"admin\" detail | match profile\nprofile            : administrative\n\nIn this example, user \"admin\" is configured with user profile \"administrative\". \n\nVerify the user-assigned profile matches the user roles and responsibilities: \n\n- show system security profile <profile name> \n- show system security profile \"administrative\"\n\nUser Profile          : administrative\nDef. Action           : permit-all\nLI                    : no\n\nNETCONF RPC\n\nNETCONF Kill RPC Authorization                            : yes\nNETCONF Lock RPC Authorization                            : yes\nNETCONF Close-Session RPC Authorization                   : yes\nNETCONF Get RPC Authorization                             : yes\nNETCONF Get-Config RPC Authorization                      : yes\nNETCONF Get-Data RPC Authorization                        : yes\nNETCONF Edit-Config RPC Authorization                     : yes\nNETCONF Copy-Config RPC Authorization                     : yes\nNETCONF Delete-Config RPC Authorization                   : yes\nNETCONF Discard-Changes RPC Authorization                 : yes\nNETCONF Validate RPC Authorization                        : yes\nNETCONF Commit RPC Authorization                          : yes\n.... \n\nFor external AAA servers, access levels are available per command. Nokia routers support TACACS+ and RADIUS authentication servers. \n\nIf the Nokia router does not enforce the assigned privilege level for each administrator and authorizations for access to all commands relative to the privilege level, this is a finding.",
      "createdAt": "2026-07-11T12:27:49.737Z",
      "updatedAt": "2026-07-11T12:27:49.737Z"
    },
    {
      "id": 40727,
      "benchmarkId": 686,
      "groupId": "V-283762",
      "title": "SRG-APP-000038-NDM-000213",
      "description": "<GroupDescription></GroupDescription>",
      "ruleId": "SV-283762r1203331_rule",
      "ruleWeight": "10.0",
      "ruleSeverity": "medium",
      "ruleVersion": "NOKI-ND-000110",
      "ruleTitle": "The Nokia router must enforce approved authorizations for controlling the flow of management information within the network device based on information flow control policies.",
      "ruleVulnDiscussion": "A mechanism to detect and prevent unauthorized communication flow must be configured or provided as part of the system design. If management information flow is not enforced based on approved authorizations, the network device may become compromised. Information flow control regulates where management information is allowed to travel within a network device. The flow of all management information must be monitored and controlled so it does not introduce any unacceptable risk to the network device or data. \n\nApplication-specific examples of enforcement occur in systems that employ rule sets or establish configuration settings that restrict information system services or message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics).",
      "ruleFalsePositives": "",
      "ruleFalseNegatives": "",
      "ruleDocumentable": "false",
      "ruleMitigations": "",
      "ruleIdent": "CCI-001368",
      "ruleIdents": [
        "CCI-001368"
      ],
      "ruleFixText": "Each of the management-access-filters and cpm-filters supports the IPv4 filter (ip-filter), IPv6 filter, and MAC filters. Configure each filter using the examples below: \n\nConfigure the entry match criteria based on IPv4, IPv6, or MAC match criteria. \n\nExample of management-access-filter ipv4 filter configuration:\n\n- configure system security management-access-filter ip-filter\n- default-action <permit | deny| deny-host-unreachable>\n- entry <entry id>\n- <match criteria> <match value>\n- action <permit | deny| deny-host-unreachable>\n\nEnable the management access ip filter: \n\n- configure system security management-access-filter ip-filter no shutdown\n\nExample of management-access-filter ipv6 filter configuration:\n\n- configure system security management-access-filter ipv6-filter\n- default-action <permit | deny| deny-host-unreachable>\n- entry <entry id>\n- <match criteria> <match value>\n- action <permit | deny| deny-host-unreachable>\n\nEnable the management access ipv6 filter: \n\n- configure system security management-access-filter ipv6-filter no shutdown\n\nExample of cpm ipv6 filter configuration:\n\n- configure system security cpm-filter ipv6-filter\n- entry <id> create\n- match <match criteria> <match value>\n- action <action>\n\nEnable the cpm ipv6 filter:\n\n- configure system security cpm-filter ipv6-filter no shutdown\n\nExample of cpm ipv4 filter configuration:\n\n- configure system security cpm-filter ip-filter\n- entry <id> create\n- match <match criteria> <match value>\n- action <action>\n\nEnable the cpm ipv4 filter:\n\n- configure system security cpm-filter ip-filter no shutdown",
      "ruleFixId": "F-88232r1203330_fix",
      "ruleCheckSystem": "C-88327r1203329_chk",
      "ruleCheckContent": "Verify at least one IPv4, IPv6, or MAC for management-access-filter or cpm-filter is configured to control the flow of management information within the Nokia router.\n\nVerify entries meet the approved authorization for controlling the flow of management information, as shown in the examples below: \n\n- show system security management-access-filter ip-filter\n- show system security management-access-filter ipv6-filter\n- show system security management-access-filter mac-filter\n- show system security cpm-filter ip-filter\n- show system security cpm-filter ipv6-filter\n- show system security cpm-filter mac-filter\n\nIf at least one of these filters is not configured to enforce the approved authorizations, this is a finding.",
      "createdAt": "2026-07-11T12:27:49.737Z",
      "updatedAt": "2026-07-11T12:27:49.737Z"
    },
    {
      "id": 40728,
      "benchmarkId": 686,
      "groupId": "V-283763",
      "title": "SRG-APP-000065-NDM-000214",
      "description": "<GroupDescription></GroupDescription>",
      "ruleId": "SV-283763r1203595_rule",
      "ruleWeight": "10.0",
      "ruleSeverity": "medium",
      "ruleVersion": "NOKI-ND-000120",
      "ruleTitle": "The Nokia router must be configured to enforce the limit of three consecutive invalid logon attempts, after which time it must block any login attempt for 15 minutes.",
      "ruleVulnDiscussion": "By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced.",
      "ruleFalsePositives": "",
      "ruleFalseNegatives": "",
      "ruleDocumentable": "false",
      "ruleMitigations": "",
      "ruleIdent": "CCI-000044",
      "ruleIdents": [
        "CCI-000044"
      ],
      "ruleFixText": "Configure the Nokia router using the command below:\n\n- configure system security password attempts 3 lockout 15",
      "ruleFixId": "F-88233r1203333_fix",
      "ruleCheckSystem": "C-88328r1203594_chk",
      "ruleCheckContent": "Verify that \"Number of invalid attempts permitted per login\" is set to \"3\", and \"Lockout period (when threshold breached)\" is set to \"15\", as shown in the example below:\n\n- show system security password-options\n\nNumber of invalid attempts permitted per login   : 3\nLockout period (when threshold breached)         : 15\n\nIf the \"Number of invalid attempts permitted per login\" is not set to \"3\", this is a finding.\n\nIf the \"Lockout period (when threshold breached)\" is not set to \"15\", this is a finding.",
      "createdAt": "2026-07-11T12:27:49.737Z",
      "updatedAt": "2026-07-11T12:27:49.737Z"
    },
    {
      "id": 40729,
      "benchmarkId": 686,
      "groupId": "V-283764",
      "title": "SRG-APP-000068-NDM-000215",
      "description": "<GroupDescription></GroupDescription>",
      "ruleId": "SV-283764r1223368_rule",
      "ruleWeight": "10.0",
      "ruleSeverity": "medium",
      "ruleVersion": "NOKI-ND-000130",
      "ruleTitle": "The Nokia router must display the Standard Mandatory DoW Notice and Consent Banner before granting access to the device, and it must remain until the administrator acknowledges the usage conditions and takes explicit action to log on for further access.",
      "ruleVulnDiscussion": "Display of the DoW-approved use notification before granting access to the network device ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\n\nSystem use notifications are required only for access via logon interfaces with human users.\n\nSatisfies: SRG-APP-000068-NDM-000215, SRG-APP-000069-NDM-000216",
      "ruleFalsePositives": "",
      "ruleFalseNegatives": "",
      "ruleDocumentable": "false",
      "ruleMitigations": "",
      "ruleIdent": "CCI-000048",
      "ruleIdents": [
        "CCI-000048",
        "CCI-000050"
      ],
      "ruleFixText": "Configure the Nokia router to display the Standard Mandatory DOD Notice and Consent Banner before granting access, as shown in the example below:\n\n- exit all\n- configure system login-control pre-login-message \"I've read & consent to terms in IS user agreem't.\"",
      "ruleFixId": "F-88234r1203336_fix",
      "ruleCheckSystem": "C-88329r1203335_chk",
      "ruleCheckContent": "Determine if the Nokia router is configured to present a DOD-approved banner that is formatted in accordance with DTM-08-060. Entering the username, viewing the banner, and then entering the password is considered an explicit action of acknowledgement.\n\nUse the verbiage below for operating systems that have severe limitations on the number of characters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user agreem't.\"\n\nIf the Nokia router is not configured to display the Standard Mandatory DOD Notice and Consent Banner before granting access to the device, this is a finding.\n\nIf the Nokia router does not retain the banner on the screen until the administrator acknowledges the usage conditions and takes explicit action of entering the username and password to log on for further access, this is a finding.",
      "createdAt": "2026-07-11T12:27:49.737Z",
      "updatedAt": "2026-07-11T12:27:49.737Z"
    },
    {
      "id": 40730,
      "benchmarkId": 686,
      "groupId": "V-283765",
      "title": "SRG-APP-000092-NDM-000224",
      "description": "<GroupDescription></GroupDescription>",
      "ruleId": "SV-283765r1203340_rule",
      "ruleWeight": "10.0",
      "ruleSeverity": "medium",
      "ruleVersion": "NOKI-ND-000170",
      "ruleTitle": "The Nokia router must initiate session auditing upon startup.",
      "ruleVulnDiscussion": "If auditing is enabled late in the startup process, the actions of some startup processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created.\n\nSatisfies: SRG-APP-000092-NDM-000224, SRG-APP-000026-NDM-000208, SRG-APP-000027-NDM-000209, SRG-APP-000028-NDM-000210, SRG-APP-000029-NDM-000211, SRG-APP-000080-NDM-000220, SRG-APP-000091-NDM-000223, SRG-APP-000095-NDM-000225, SRG-APP-000096-NDM-000226, SRG-APP-000097-NDM-000227, SRG-APP-000098-NDM-000228, SRG-APP-000099-NDM-000229, SRG-APP-000100-NDM-000230, SRG-APP-000101-NDM-000231, SRG-APP-000319-NDM-000283, SRG-APP-000343-NDM-000289, SRG-APP-000381-NDM-000305, SRG-APP-000495-NDM-000318, SRG-APP-000499-NDM-000319, SRG-APP-000503-NDM-000320, SRG-APP-000504-NDM-000321, SRG-APP-000505-NDM-000322, SRG-APP-000506-NDM-000323, SRG-APP-000516-NDM-000334",
      "ruleFalsePositives": "",
      "ruleFalseNegatives": "",
      "ruleDocumentable": "false",
      "ruleMitigations": "",
      "ruleIdent": "CCI-001464",
      "ruleIdents": [
        "CCI-001464",
        "CCI-000018",
        "CCI-001403",
        "CCI-001404",
        "CCI-001405",
        "CCI-000166",
        "CCI-000172",
        "CCI-000130",
        "CCI-000131",
        "CCI-000132",
        "CCI-000133",
        "CCI-000134",
        "CCI-001487",
        "CCI-000135",
        "CCI-002130",
        "CCI-002234",
        "CCI-003938",
        "CCI-000169",
        "CCI-000366"
      ],
      "ruleFixText": "Configure appropriate logs:\n\n- exit all\n- configure log log-id <id>\n- from main, security, and change\n- to <console, syslog-id, snmp, log-file-id, memory, session, netconf, cli>\n\nNote: Select the appropriate location for the log event data from the options above.",
      "ruleFixId": "F-88235r1203339_fix",
      "ruleCheckSystem": "C-88330r1203338_chk",
      "ruleCheckContent": "Verify at least one log file has been created with the \"Source\" field set to main, security, and change:\n\nshow log log-id\n\nEvent Logs\n\nName\nLog     Source     Filter     Admin     Oper     Logged     Dropped     Dest            Dest Size\nId        Id                              State         State                        Type             Id\n\n101     M S C         N/A       up              up          1420         0                    netconf      500\n\nIf no log file has been created with \"Source\" including \"M\", \"S\", and \"C\" for main, security, and change events, this is a finding.\n\nIf \"Admin State\" and \"Oper State\" are \"down\", this is a finding.",
      "createdAt": "2026-07-11T12:27:49.737Z",
      "updatedAt": "2026-07-11T12:27:49.737Z"
    },
    {
      "id": 40731,
      "benchmarkId": 686,
      "groupId": "V-283766",
      "title": "SRG-APP-000119-NDM-000236",
      "description": "<GroupDescription></GroupDescription>",
      "ruleId": "SV-283766r1203597_rule",
      "ruleWeight": "10.0",
      "ruleSeverity": "medium",
      "ruleVersion": "NOKI-ND-000260",
      "ruleTitle": "The Nokia router must protect audit information from unauthorized modification.",
      "ruleVulnDiscussion": "Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit network device activity.\n\nIf audit data were to become compromised, forensic analysis and discovery of the true source of potentially malicious system activity would be impossible to achieve. \n\nTo ensure the veracity of audit data, the network device must protect audit information from unauthorized modification. \n\nThis requirement can be achieved through multiple methods, which will depend on system architecture and design. Some commonly employed methods include ensuring log files receive the proper file system permissions and limiting log data locations. \n\nNetwork devices providing a user interface to audit data will leverage user permissions and roles identifying the user accessing the data, along with the corresponding user rights, to make access decisions regarding the modification of audit data.",
      "ruleFalsePositives": "",
      "ruleFalseNegatives": "",
      "ruleDocumentable": "false",
      "ruleMitigations": "",
      "ruleIdent": "CCI-000163",
      "ruleIdents": [
        "CCI-000163"
      ],
      "ruleFixText": "Configure the Nokia router to protect audit information from unauthorized modification by configuring authentication servers and applying correct authorization privileges for each user. \n\nMultiple RADIUS servers can be configured per the configuration below:\n\n- configure system security radius\n- accounting\n- authorization\n\n- server <radius server ip address>\n\nFor local accounts, assign the correct user profile to each user:\n\n- configure system security user <user name> console member <profile name>\n\nUsers can also be restricted to the user's home directory. If the home directory for the user is not configured, the user does not have access to any directory:\n\n- configure system security user <user name>\n- restricted-to-home\n\nIf the user requires a directory, it can be configured using the command below:\n\n- home-directory <directory >",
      "ruleFixId": "F-88236r1203596_fix",
      "ruleCheckSystem": "C-88331r1203571_chk",
      "ruleCheckContent": "Determine if the Nokia router protects audit information from any type of unauthorized modification with such methods as ensuring log files receive the proper file system permissions, limiting log data locations, and leveraging user permissions and roles to identify the user accessing the data and the corresponding user rights. \n\nVerify the authentication server is configured using the command below:\n\n- show system security authentication\n\nVerify authentication servers are configured with correct user privileges to restrict access to the router file system. \n\nVerify each local user has the correct \"profile\" assigned, the user is \"restricted to home\", and the \"home directory\" is defined:\n\n- show system security user detail\n\nIf the Nokia router is not configured with external authentication servers, this is a finding.",
      "createdAt": "2026-07-11T12:27:49.737Z",
      "updatedAt": "2026-07-11T12:27:49.737Z"
    },
    {
      "id": 40732,
      "benchmarkId": 686,
      "groupId": "V-283767",
      "title": "SRG-APP-000131-NDM-000243",
      "description": "<GroupDescription></GroupDescription>",
      "ruleId": "SV-283767r1223369_rule",
      "ruleWeight": "10.0",
      "ruleSeverity": "medium",
      "ruleVersion": "NOKI-ND-000310",
      "ruleTitle": "The Nokia router must prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization.",
      "ruleVulnDiscussion": "Changes to any software components can have significant effects on the overall security of the Nokia router. Verifying software components have been digitally signed using a certificate that is recognized and approved by the organization ensures the software has not been tampered with and has been provided by a trusted vendor. \n\nAccordingly, patches, service packs, or application components must be signed with a certificate recognized and approved by the organization. \n\nVerifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The device should not have to verify the software again. This requirement does not mandate DoW certificates for this purpose; however, the certificate used to verify the software must be from an approved Certificate Authority.",
      "ruleFalsePositives": "",
      "ruleFalseNegatives": "",
      "ruleDocumentable": "false",
      "ruleMitigations": "",
      "ruleIdent": "CCI-003992",
      "ruleIdents": [
        "CCI-003992"
      ],
      "ruleFixText": "Configure the Nokia router to prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization. \n\nActivate secure boot on control card \"A\" and/or card \"B\" (card B for redundant control systems):\n\n- admin system security secure-boot activate card \"A\" serial-number <CPM card A serial number> confirmation-code <code>",
      "ruleFixId": "F-88237r1203345_fix",
      "ruleCheckSystem": "C-88332r1203344_chk",
      "ruleCheckContent": "Determine if the Nokia router prevents the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization. This requirement may be verified by demonstration, configuration review, or validated test results. \n\nVerify secure boot is enabled for Control card \"A\" and/or card \"B\" (card B for redundant control systems):\n\n- show card \"A\" detail | match \"Secure boot\"\n    Secure boot status            : enabled\n\nIf the Nokia router does not prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization, this is a finding.",
      "createdAt": "2026-07-11T12:27:49.737Z",
      "updatedAt": "2026-07-11T12:27:49.737Z"
    },
    {
      "id": 40733,
      "benchmarkId": 686,
      "groupId": "V-283768",
      "title": "SRG-APP-000142-NDM-000245",
      "description": "<GroupDescription></GroupDescription>",
      "ruleId": "SV-283768r1203574_rule",
      "ruleWeight": "10.0",
      "ruleSeverity": "high",
      "ruleVersion": "NOKI-ND-000330",
      "ruleTitle": "The Nokia router must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services.",
      "ruleVulnDiscussion": "To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable unused or unnecessary physical and logical ports/protocols on information systems.\n\nNetwork devices are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., email and web services); however, doing so increases risk over limiting the services provided by any one component. \n\nTo support the requirements and principles of least functionality, the network device must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved. Some network devices have capabilities enabled by default; if these capabilities are not necessary, they must be disabled. If a particular capability is used, it must be documented and approved.",
      "ruleFalsePositives": "",
      "ruleFalseNegatives": "",
      "ruleDocumentable": "false",
      "ruleMitigations": "",
      "ruleIdent": "CCI-000382",
      "ruleIdents": [
        "CCI-000382"
      ],
      "ruleFixText": "Configure the Nokia router to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services.\n\nDisable FTP:\n\n- configure system security no ftp-server\n- configure system security no allow-ftp\n\nDisable telnet:\n\n- configure system security no telnet-server\n- configure system security no allow-telnet\n- configure system security no telnet6-server\n- configure system security no allow-telnet6\n\nDisable any other port/protocol using the management access filter:\n\n- configure system security management-access-filter ip-filter\n- default-action <permit | deny| deny-host-unreachable>\n- entry <entry id>\n- <match criteria> <match value>\n- action <permit | deny| deny-host-unreachable>\n\nEnable the management access ip filter: \n\n- configure system security management-access-filter ip-filter no shutdown\n\nExample of management-access-filter ipv6 filter configuration:\n\n- configure system security management-access-filter ipv6-filter\n- default-action <permit | deny| deny-host-unreachable>\n- entry <entry id>\n- <match criteria> <match value>\n- action <permit | deny| deny-host-unreachable>\n\nEnable the management access ipv6 filter:\n \n- configure system security management-access-filter ipv6-filter no shutdown\n\nDisable any other port/protocol using the CPM filter:\n\nExample of cpm ipv6 filter configuration:\n\n- configure system security cpm-filter ipv6-filter\n- entry <id> create\n- match <match criteria> <match value>\n- action <action>\n\nEnable the cpm ipv6 filter:\n\n- configure system security cpm-filter ipv6-filter no shutdown\n\nExample of cpm ipv4 filter configuration:\n\n- configure system security cpm-filter ip-filter\n- entry <id> create\n- match <match criteria> <match value>\n- action <action>\n\nEnable the cpm ipv4 filter:\n\n- configure system security cpm-filter ip-filter no shutdown\n\nExample of ipv4 cpm filter to block HTTP:\n\n- configure system security cpm-filter ip-filter\n- entry 1 create\n- match protocol tcp port 80\n- action drop",
      "ruleFixId": "F-88238r1203573_fix",
      "ruleCheckSystem": "C-88333r1203347_chk",
      "ruleCheckContent": "Verify the router does not have any unnecessary or nonsecure functions, ports, protocols, and services enabled. \n\nFor example, verify that Telnet and FTP are disabled:\n\n- show system information | match Tel\nTel/Tel6/SSH/FTP Admin : Disabled/Disabled/Enabled/Disabled\nTel/Tel6/SSH/FTP Oper  : Down/Down/Up/Down\n\nAny other TCP/UDP port can be disallowed using CPM and/or management filters.\n\nVerify nonsecure functions and services are disabled by using the command below: \n\n- show system security management-access-filter ip-filter\n- show system security management-access-filter ipv6-filter\n- show system security cpm-filter ip-filter\n- show system security cpm-filter ipv6-filter\n\nIf any unnecessary or nonsecure functions, ports, protocols, or services are permitted, this is a finding.",
      "createdAt": "2026-07-11T12:27:49.737Z",
      "updatedAt": "2026-07-11T12:27:49.737Z"
    },
    {
      "id": 40755,
      "benchmarkId": 686,
      "groupId": "V-283790",
      "title": "SRG-APP-000795-NDM-000130",
      "description": "<GroupDescription></GroupDescription>",
      "ruleId": "SV-283790r1203415_rule",
      "ruleWeight": "10.0",
      "ruleSeverity": "medium",
      "ruleVersion": "NOKI-ND-000950",
      "ruleTitle": "The Nokia router must be configured to alert organization-defined personnel or roles upon detection of unauthorized access, modification, or deletion of audit information.",
      "ruleVulnDiscussion": "Audit information includes all information needed to successfully audit system activity, such as audit records, audit log settings, audit reports, and personally identifiable information. Audit logging tools are programs and devices used to conduct system audit and logging activities. \n\nProtection of audit information focuses on technical protection and limits to authorized individuals the ability to access and execute audit logging tools. Physical protection of audit information is addressed by both media protection controls and physical and environmental protection controls.",
      "ruleFalsePositives": "",
      "ruleFalseNegatives": "",
      "ruleDocumentable": "false",
      "ruleMitigations": "",
      "ruleIdent": "CCI-003831",
      "ruleIdents": [
        "CCI-003831"
      ],
      "ruleFixText": "Configure the Nokia router to alert organization-defined personnel or roles upon detection of unauthorized access, modification, or deletion of audit information.\n\nWhen a log file \"source\" is set to \"security\", it will capture log modifications and deletions. These events are reported in real time through syslog and snmp traps.\n\nConfigure syslog:\n\n- configure log syslog <syslog id>\n- address <syslog server ip address>\n- level <messages with severity level equal or higher to be reported- recommend warning>\n- prefix <prefix message that will show up for each log entry>\n\n- configure log log-id <log id>\n- from security\n- to <syslog-id >\n\nConfigure snmpv3:\n\nConfigure the snmpv3 access group:\n- configure system security snmp access group <group name> security -model usm security-level privacy read \"iso\" write \"iso\" notify \"iso\"\n\nThe deletion of audit information is controlled through user privileges. Log files can be created to configure the snmpv3 user:\n- configure system security user <user name>\n- access console snmp\n- password <password>\n- group <group name>\n- authentication algorithm> <authen key> privacy <algorith> <privacy key>\n\nConfigure the snmp trap log file:\n- configure log snmp-trp-group <log-id>\n- trap-target <name> address <ip address of server> snmpv3 notify-community <snmpv3 security name> security-level privacy\n- configure log log-id <id>\n- from security main change\n- to snmp",
      "ruleFixId": "F-88260r1203414_fix",
      "ruleCheckSystem": "C-88355r1203413_chk",
      "ruleCheckContent": "Verify the Nokia router is configured to alert organization-defined personnel or roles upon detection of unauthorized access, modification, or deletion of audit information. \n\nVerify syslog has been configured, as shown in the example below:\n\n- show log syslog\n\nSyslog Target Hosts\nSyslog Name\nId     Ip Address                                      Port        Sev Level\n         Below Level Drop                                Facility    Prefix\n           TLS Profile\n-------------------------------------------------------------------------------\n1\n1      1.1.1.1                                         514         info\n         0                                               local7      yes\n\nIf the syslog trap has not been configured, this is a finding.",
      "createdAt": "2026-07-11T12:27:49.737Z",
      "updatedAt": "2026-07-11T12:27:49.737Z"
    },
    {
      "id": 40734,
      "benchmarkId": 686,
      "groupId": "V-283769",
      "title": "SRG-APP-000148-NDM-000346",
      "description": "<GroupDescription></GroupDescription>",
      "ruleId": "SV-283769r1203576_rule",
      "ruleWeight": "10.0",
      "ruleSeverity": "medium",
      "ruleVersion": "NOKI-ND-000340",
      "ruleTitle": "The Nokia router must be configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable.",
      "ruleVulnDiscussion": "Authentication for administrative (privileged-level) access to the device is required at all times. An account can be created on the device's local database for use when the authentication server is down or connectivity between the device and the authentication server is not operable. This account is referred to as the account of last resort because it is intended to be used as a last resort and when immediate administrative access is absolutely necessary.\n\nThe account of last resort logon credentials must be stored in a sealed envelope and kept in a safe. The safe must be periodically audited to verify the envelope remains sealed. The signature of the auditor and the date of the audit should be added to the envelope as a record. Administrators should secure the credentials and disable the root account (if possible) when not needed for system administration functions.",
      "ruleFalsePositives": "",
      "ruleFalseNegatives": "",
      "ruleDocumentable": "false",
      "ruleMitigations": "",
      "ruleIdent": "CCI-001358",
      "ruleIdents": [
        "CCI-001358",
        "CCI-002111"
      ],
      "ruleFixText": "Configure one  local account to be used as the account of last resort and remove all other local accounts.\n\nFor each unnecessary local user, first shut down the account and then remove it completely as shown in the example below:\n\n- configure system security user \"unnecessary_acct\" shutdown\n- no configure system security user \"unnecessary_acct\"\n\nConfigure account of last resort as shown in the example below:\n\n- configure system security user \"admin\" password\nEnter New Password:\nRe-enter New Password:\n\n- configure system security user \"admin\" access console ftp\n- configure system security user \"admin\" no shutdown",
      "ruleFixId": "F-88239r1203575_fix",
      "ruleCheckSystem": "C-88334r1203350_chk",
      "ruleCheckContent": "Review the Nokia router configuration to verify a local account for last resort has been configured. \n\nVerify only one user (user of last resort) is listed in the response for this command:\n\n- show system security user \n\nUsers\n\nUser ID      New Access                           Password Login   Failed Local\n             Pwd Permissions                      Expires  Attempt Logins Conf\n\nadmin        n   bt cc fp -- -- -- sp -- sc tc    02/08/26 66      5      y\nsnmpv3       n   bt cc -- -- -- -- sp sn sc tc    02/08/26 0       0      y\n\nNumber of users : 2\n\nIf the Nokia router is not configured with only one local account to be used as the account of last resort in the event the authentication server is not available, this is a finding.",
      "createdAt": "2026-07-11T12:27:49.737Z",
      "updatedAt": "2026-07-11T12:27:49.737Z"
    },
    {
      "id": 40735,
      "benchmarkId": 686,
      "groupId": "V-283770",
      "title": "SRG-APP-000164-NDM-000252",
      "description": "<GroupDescription></GroupDescription>",
      "ruleId": "SV-283770r1203355_rule",
      "ruleWeight": "10.0",
      "ruleSeverity": "medium",
      "ruleVersion": "NOKI-ND-000380",
      "ruleTitle": "The Nokia router must enforce a minimum 15-character password length.",
      "ruleVulnDiscussion": "Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password.\n\nThe shorter the password, the lower the number of possible combinations that must be tested before the password is compromised. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.",
      "ruleFalsePositives": "",
      "ruleFalseNegatives": "",
      "ruleDocumentable": "false",
      "ruleMitigations": "",
      "ruleIdent": "CCI-004066",
      "ruleIdents": [
        "CCI-004066"
      ],
      "ruleFixText": "Configure the Nokia router with a minimum 15-character password length using the command below:\n\n- configure system security password complexity-rules minimum-length 15",
      "ruleFixId": "F-88240r1203354_fix",
      "ruleCheckSystem": "C-88335r1203353_chk",
      "ruleCheckContent": "Verify \"Accepted password length\" is set to a minimum of 15 characters using the command below:\n\n- show system security password-options | match length\n\nUser password history length                     : disabled\nAccepted password length                         : 15..56 characters\n\nIf the Nokia router or its associated authentication server does not enforce a minimum 15-character password length, this is a finding.",
      "createdAt": "2026-07-11T12:27:49.737Z",
      "updatedAt": "2026-07-11T12:27:49.737Z"
    },
    {
      "id": 40736,
      "benchmarkId": 686,
      "groupId": "V-283771",
      "title": "SRG-APP-000166-NDM-000254",
      "description": "<GroupDescription></GroupDescription>",
      "ruleId": "SV-283771r1203358_rule",
      "ruleWeight": "10.0",
      "ruleSeverity": "medium",
      "ruleVersion": "NOKI-ND-000390",
      "ruleTitle": "The Nokia router must enforce password complexity.",
      "ruleVulnDiscussion": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determine how long it takes to crack a password. The more complex the password is, the greater the number of possible combinations that must be tested before the password is compromised.\n\nMultifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using Public Key Infrastructure (PKI) is not available and for the account of last resort and root account.\n\nSatisfies: SRG-APP-000166-NDM-000254, SRG-APP-000167-NDM-000255, SRG-APP-000168-NDM-000256, SRG-APP-000169-NDM-000257, SRG-APP-000845-NDM-000220",
      "ruleFalsePositives": "",
      "ruleFalseNegatives": "",
      "ruleDocumentable": "false",
      "ruleMitigations": "",
      "ruleIdent": "CCI-004066",
      "ruleIdents": [
        "CCI-004066",
        "CCI-004061"
      ],
      "ruleFixText": "Configure the Nokia router using the command below:\n\n- configure system security password complexity-rules required uppercase 1 lowercase 1 numeric 1 special-character 1",
      "ruleFixId": "F-88241r1203357_fix",
      "ruleCheckSystem": "C-88336r1203356_chk",
      "ruleCheckContent": "Review the Nokia router password options to verify they comply with this requirement, as shown in the example below:\n\n- show system security password-options | match \"required characters\"\n\nNumber of required characters per class          : 1 digits, 1 lowercase, 1\n                                                   uppercase, 1 special\n\nIf the Nokia router does not require that at least one uppercase character, one lowercase character, one numeric character, and one special character be used in each password, this is a finding.",
      "createdAt": "2026-07-11T12:27:49.737Z",
      "updatedAt": "2026-07-11T12:27:49.737Z"
    },
    {
      "id": 40737,
      "benchmarkId": 686,
      "groupId": "V-283772",
      "title": "SRG-APP-000170-NDM-000329",
      "description": "<GroupDescription></GroupDescription>",
      "ruleId": "SV-283772r1203361_rule",
      "ruleWeight": "10.0",
      "ruleSeverity": "medium",
      "ruleVersion": "NOKI-ND-000430",
      "ruleTitle": "The Nokia router must require that when a password is changed, the characters are changed in at least eight of the positions within the password.",
      "ruleVulnDiscussion": "If the application allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for attempts at guessing and brute-force attacks.\n\nThe number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. In other words, characters may be the same within the two passwords; however, the positions of the like characters must be different.\n\nMultifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using Public Key Infrastructure (PKI) is not available and for the account of last resort and root account.",
      "ruleFalsePositives": "",
      "ruleFalseNegatives": "",
      "ruleDocumentable": "false",
      "ruleMitigations": "",
      "ruleIdent": "CCI-004066",
      "ruleIdents": [
        "CCI-004066"
      ],
      "ruleFixText": "Configure the Nokia router to enforce password complexity by requiring that when a password is changed, the characters are changed in at least eight of the positions within the password, using the command below:\n\n- configure system security password minimum-change 8",
      "ruleFixId": "F-88242r1203360_fix",
      "ruleCheckSystem": "C-88337r1203359_chk",
      "ruleCheckContent": "Review the Nokia router configuration to verify it complies with this requirement, as shown in the example below:\n\n- show system security password-options | match distance\n\nRequired distance with previous password         : 8\n\nIf \"Required distance with previous password\" is not set to a minimum of \"8\", this is a finding.",
      "createdAt": "2026-07-11T12:27:49.737Z",
      "updatedAt": "2026-07-11T12:27:49.737Z"
    },
    {
      "id": 40738,
      "benchmarkId": 686,
      "groupId": "V-283773",
      "title": "SRG-APP-000171-NDM-000258",
      "description": "<GroupDescription></GroupDescription>",
      "ruleId": "SV-283773r1203364_rule",
      "ruleWeight": "10.0",
      "ruleSeverity": "high",
      "ruleVersion": "NOKI-ND-000440",
      "ruleTitle": "The Nokia router must only store cryptographic representations of passwords.",
      "ruleVulnDiscussion": "Passwords must be protected at all times, and encryption is the standard method of protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. \n\nNetwork devices must enforce cryptographic representations of passwords when storing passwords in databases, configuration files, and log files. Passwords must be protected at all times; using a strong one-way hashing encryption algorithm with a salt is the standard method for providing a means to validate a password without having to store the actual password.\n\nPerformance and time required to access are factors that must be considered, and the one-way hash is the most feasible means of securing the password and providing an acceptable measure of password security. If passwords are stored in clear text, they can be plainly read and easily compromised. \n\nIn many instances, a password verifier is used to confirm the user knows the password. In its simplest form, a password verifier is a computational function that can create a hash of a password and determine if the value provided by the user matches the stored hash.",
      "ruleFalsePositives": "",
      "ruleFalseNegatives": "",
      "ruleDocumentable": "false",
      "ruleMitigations": "",
      "ruleIdent": "CCI-004062",
      "ruleIdents": [
        "CCI-004062"
      ],
      "ruleFixText": "Configure the Nokia router to encrypt all passwords using the command below: \n\n- configure system security password hashing sha2-pbkdf2",
      "ruleFixId": "F-88243r1203363_fix",
      "ruleCheckSystem": "C-88338r1203362_chk",
      "ruleCheckContent": "Review the Nokia router configuration to determine if passwords are encrypted, as shown in the example below:\n\n- show system security password-options | match hashing\n\nPassword hashing                                 : sha2-pbkdf2\n\nIf \"Password hashing\" is not set to \"sha2-pbkdf2\" or \"sha3-pbkdf2\", this is a finding.",
      "createdAt": "2026-07-11T12:27:49.737Z",
      "updatedAt": "2026-07-11T12:27:49.737Z"
    },
    {
      "id": 40739,
      "benchmarkId": 686,
      "groupId": "V-283774",
      "title": "SRG-APP-000179-NDM-000265",
      "description": "<GroupDescription></GroupDescription>",
      "ruleId": "SV-283774r1223370_rule",
      "ruleWeight": "10.0",
      "ruleSeverity": "high",
      "ruleVersion": "NOKI-ND-000490",
      "ruleTitle": "The Nokia router must use Federal Information Processing Standard (FIPS) 140-3-approved algorithms for authentication to a cryptographic module.",
      "ruleVulnDiscussion": "Unapproved mechanisms that are used for authentication to the cryptographic module are not validated and therefore cannot be relied on to provide confidentiality or integrity, and DoW data may be compromised.\n\nNetwork devices using encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules.\n\nFIPS 140-3 is the current standard for validating that mechanisms used to access cryptographic modules use authentication that meets DoW requirements. However, authentication algorithms must configure security processes to use only FIPS-approved and National Institute of Standards and Technology (NIST)-recommended authentication algorithms.\n\nSatisfies: SRG-APP-000179-NDM-000265, SRG-APP-000224-NDM-000270",
      "ruleFalsePositives": "",
      "ruleFalseNegatives": "",
      "ruleDocumentable": "false",
      "ruleMitigations": "",
      "ruleIdent": "CCI-000803",
      "ruleIdents": [
        "CCI-000803",
        "CCI-001188"
      ],
      "ruleFixText": "Configure the Nokia router to use FIPS 140-3-approved algorithms for authentication to a cryptographic module using the commands below:\n\n- bof fips-140\n- bof save\n- admin save\n- reboot",
      "ruleFixId": "F-88244r1203366_fix",
      "ruleCheckSystem": "C-88339r1203365_chk",
      "ruleCheckContent": "Verify FIPS has been enabled using the command below:\n\n- show bof | match fips\n\n    fips-140\n\nIf the command does not return \"fips-140\" as shown above, this is a finding.",
      "createdAt": "2026-07-11T12:27:49.737Z",
      "updatedAt": "2026-07-11T12:27:49.737Z"
    },
    {
      "id": 40740,
      "benchmarkId": 686,
      "groupId": "V-283775",
      "title": "SRG-APP-000190-NDM-000267",
      "description": "<GroupDescription></GroupDescription>",
      "ruleId": "SV-283775r1203370_rule",
      "ruleWeight": "10.0",
      "ruleSeverity": "high",
      "ruleVersion": "NOKI-ND-000500",
      "ruleTitle": "The Nokia router must terminate all network connections associated with a device management session at the end of the session, or the session must be terminated after five minutes of inactivity except to fulfill documented and validated mission requirements.",
      "ruleVulnDiscussion": "Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. Quickly terminating an idle session will also free up resources committed by the managed network element. \n\nTerminating network connections associated with communications sessions includes, for example, deallocating associated Transmission Control Protocol/Internet Protocol (TCP/IP) address/port pairs at the operating system level or deallocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. This does not mean the device terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.",
      "ruleFalsePositives": "",
      "ruleFalseNegatives": "",
      "ruleDocumentable": "false",
      "ruleMitigations": "",
      "ruleIdent": "CCI-001133",
      "ruleIdents": [
        "CCI-001133"
      ],
      "ruleFixText": "Configure the Nokia router to terminate the connection associated with a device management session at the end of the session or after five minutes of inactivity using the command below:\n\n- configure system login-control idle-timeout 5",
      "ruleFixId": "F-88245r1203369_fix",
      "ruleCheckSystem": "C-88340r1203368_chk",
      "ruleCheckContent": "Review the Nokia router configuration to verify all network connections associated with a device management session have an idle timeout value set to five minutes or less, as shown in the example below:\n\n- configure system login-control\n- info detail | match idle-timeout\n\n            idle-timeout 5\n\nIf the Nokia router does not terminate the connection associated with a device management session after five minutes of inactivity, this is a finding.",
      "createdAt": "2026-07-11T12:27:49.737Z",
      "updatedAt": "2026-07-11T12:27:49.737Z"
    },
    {
      "id": 40741,
      "benchmarkId": 686,
      "groupId": "V-283776",
      "title": "SRG-APP-000357-NDM-000293",
      "description": "<GroupDescription></GroupDescription>",
      "ruleId": "SV-283776r1203373_rule",
      "ruleWeight": "10.0",
      "ruleSeverity": "medium",
      "ruleVersion": "NOKI-ND-000630",
      "ruleTitle": "The Nokia router must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.",
      "ruleVulnDiscussion": "To ensure network devices have a sufficient storage capacity in which to write the audit logs, they must be able to allocate audit record storage capacity. The task of allocating audit record storage capacity is usually performed during initial device setup if it can be modified. \n\nThe value for the organization-defined audit record storage requirement will depend on the amount of storage available on the network device, the anticipated volume of logs, the frequency of transfer from the network device to centralized log servers, and other factors.",
      "ruleFalsePositives": "",
      "ruleFalseNegatives": "",
      "ruleDocumentable": "false",
      "ruleMitigations": "",
      "ruleIdent": "CCI-001849",
      "ruleIdents": [
        "CCI-001849"
      ],
      "ruleFixText": "Configure the Nokia router to allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.\n\nCreate a log file for audit purposes. If the file destination is \"memory\", the size of the file can also be configured:\n\n- configure log log-id <log id>\n- from <main, security, change, debug-trace>\n- to <syslog or console or memory or session or NETCONF, ....>\n- size <50 to 3000 bytes>",
      "ruleFixId": "F-88246r1203372_fix",
      "ruleCheckSystem": "C-88341r1203371_chk",
      "ruleCheckContent": "Verify the log size complies with organization-defined audit record storage using the command below:\n\n- show log log-id\n\nEvent Logs\n\nName\nLog     Source     Filter     Admin     Oper     Logged     Dropped     Dest            Dest Size\nId        Id                              State         State                        Type             Id\n\n101     M S C         N/A       up              up          1420         0                    netconf      500\n\nIf the log size does not meet organization-defined audit record storage requirements, this is a finding.",
      "createdAt": "2026-07-11T12:27:49.737Z",
      "updatedAt": "2026-07-11T12:27:49.737Z"
    },
    {
      "id": 40742,
      "benchmarkId": 686,
      "groupId": "V-283777",
      "title": "SRG-APP-000360-NDM-000295",
      "description": "<GroupDescription></GroupDescription>",
      "ruleId": "SV-283777r1203376_rule",
      "ruleWeight": "10.0",
      "ruleSeverity": "medium",
      "ruleVersion": "NOKI-ND-000640",
      "ruleTitle": "The Nokia router must generate an immediate real-time alert for all audit failure events requiring real-time alerts.",
      "ruleVulnDiscussion": "It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. \n\nAlerts provide organizations with urgent messages. Real-time alerts provide these messages immediately (i.e., the time from event detection to alert occurs in seconds or less).",
      "ruleFalsePositives": "",
      "ruleFalseNegatives": "",
      "ruleDocumentable": "false",
      "ruleMitigations": "",
      "ruleIdent": "CCI-001858",
      "ruleIdents": [
        "CCI-001858"
      ],
      "ruleFixText": "Configure the Nokia router to generate an immediate real-time alert of all audit failure events requiring real-time alerts into a syslog server. \n\nConfigure a log file:\n\n- exit all\n- configure log log-id <id>\n- from main, security, and change\n- to syslog <syslog id>\n\nConfigure a syslog:\n\n- exit all\n- configure log syslog <syslog id>\n- address <syslog server ip address>\n- level info\n- log-prefix <log prefix to be shown in syslog server>\n- port <UDP port #>\n- timestamp-format millisecond\n\nConfigure the syslog server to notify the appropriate personnel.",
      "ruleFixId": "F-88247r1203375_fix",
      "ruleCheckSystem": "C-88342r1203374_chk",
      "ruleCheckContent": "Verify the external syslog server is configured and online, as shown in the example below:\n\n- show log syslog\n# show log syslog\n\nSyslog Target Hosts\n\nSyslog Name\nId     Ip Address                                      Port        Sev Level\n         Below Level Drop                                Facility    Prefix\n           TLS Profile\n\n1\n1      1.1.1.1                                         514         info\n         0                                               local7      yes\n\nVerify syslog operation by a configuration change and verify the syslog server has received the entry. \n\nIf the syslog server does not receive the configuration change, this is a finding.\n\nIf an immediate alert of all audit failure events requiring real-time alerts is not generated, this is a finding.",
      "createdAt": "2026-07-11T12:27:49.737Z",
      "updatedAt": "2026-07-11T12:27:49.737Z"
    },
    {
      "id": 40743,
      "benchmarkId": 686,
      "groupId": "V-283778",
      "title": "SRG-APP-000374-NDM-000299",
      "description": "<GroupDescription></GroupDescription>",
      "ruleId": "SV-283778r1203581_rule",
      "ruleWeight": "10.0",
      "ruleSeverity": "medium",
      "ruleVersion": "NOKI-ND-000650",
      "ruleTitle": "The Nokia router must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).",
      "ruleVulnDiscussion": "If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis.",
      "ruleFalsePositives": "",
      "ruleFalseNegatives": "",
      "ruleDocumentable": "false",
      "ruleMitigations": "",
      "ruleIdent": "CCI-001890",
      "ruleIdents": [
        "CCI-001890"
      ],
      "ruleFixText": "Configure the Nokia router to record time stamps for audit records that can be mapped to UTC or GMT using the commands below:\n\n- configure log log-id <log id>\n- time-format utc",
      "ruleFixId": "F-88248r1203378_fix",
      "ruleCheckSystem": "C-88343r1203580_chk",
      "ruleCheckContent": "Verify a time zone is configured on the device, as shown in the example below:\n\n- show log log-id <log id>\nshow log log-id 101\n\n498 2025/11/10 18:35:48.230 UTC MINOR: USER #2011 management admin\n\"User from 10.2.0.2: NFS-Sr-2s#  configure log syslog 1\"\n\nIf the Nokia router does not record time stamps for audit records that can be mapped to UTC or GMT, this is a finding.",
      "createdAt": "2026-07-11T12:27:49.737Z",
      "updatedAt": "2026-07-11T12:27:49.737Z"
    },
    {
      "id": 40744,
      "benchmarkId": 686,
      "groupId": "V-283779",
      "title": "SRG-APP-000375-NDM-000300",
      "description": "<GroupDescription></GroupDescription>",
      "ruleId": "SV-283779r1203583_rule",
      "ruleWeight": "10.0",
      "ruleSeverity": "medium",
      "ruleVersion": "NOKI-ND-000660",
      "ruleTitle": "The Nokia router must record time stamps for audit records that meet a granularity of one second for a minimum degree of precision.",
      "ruleVulnDiscussion": "Without sufficient granularity of time stamps, it is not possible to adequately determine the chronological order of records. Time stamps generated by the application include date and time. Granularity of time measurements refers to the degree of synchronization between information system clocks and reference clocks.",
      "ruleFalsePositives": "",
      "ruleFalseNegatives": "",
      "ruleDocumentable": "false",
      "ruleMitigations": "",
      "ruleIdent": "CCI-001889",
      "ruleIdents": [
        "CCI-001889"
      ],
      "ruleFixText": "Configure the Nokia router to record time stamps for audit records that meet a granularity of one second for a minimum degree of precision.\n\nConfigure the syslog for millisecond granularity using the command below:\n\n- configure log syslog timestamp-format millisecond\n\nOther log files use millisecond granularity by default.",
      "ruleFixId": "F-88249r1203381_fix",
      "ruleCheckSystem": "C-88344r1203582_chk",
      "ruleCheckContent": "Determine if the Nokia router records time stamps for audit records that meet a granularity of one second for a minimum degree of precision. This requirement may be verified by demonstration or configuration. \n\nVerify that \"TIMESTAMP Format\" is set to \"millisecond\":\n\n- show log log-id <log id>\nshow log log-id 101\n\n498 2025/11/10 18:35:48.230 UTC MINOR: USER #2011 management admin\n\"User from 10.2.0.2: NFS-Sr-2s#  configure log syslog 1\"\n\nIf the Nokia router does not record time stamps for audit records that meet a granularity of one second for a minimum degree of precision, this is a finding.",
      "createdAt": "2026-07-11T12:27:49.737Z",
      "updatedAt": "2026-07-11T12:27:49.737Z"
    },
    {
      "id": 40745,
      "benchmarkId": 686,
      "groupId": "V-283780",
      "title": "SRG-APP-000395-NDM-000310",
      "description": "<GroupDescription></GroupDescription>",
      "ruleId": "SV-283780r1203385_rule",
      "ruleWeight": "10.0",
      "ruleSeverity": "medium",
      "ruleVersion": "NOKI-ND-000700",
      "ruleTitle": "The Nokia router must be configured to authenticate Simple Network Management Protocol (SNMP) messages using a Federal Information Processing Standard (FIPS)-validated Keyed-Hash message authentication code.",
      "ruleVulnDiscussion": "Without authenticating devices, unidentified or unknown devices may be introduced, facilitating malicious activity. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk.\n\nA local connection is any connection with a device communicating without the use of a network. A network connection is any connection with a device that communicates through a network (e.g., local area or wide area network or the internet). A remote connection is any connection with a device communicating through an external network (e.g., the internet).\n\nBecause of the challenges of applying this requirement on a large scale, organizations are encouraged to apply the requirement only to the limited number (and type) of devices that truly need to support this capability.",
      "ruleFalsePositives": "",
      "ruleFalseNegatives": "",
      "ruleDocumentable": "false",
      "ruleMitigations": "",
      "ruleIdent": "CCI-001967",
      "ruleIdents": [
        "CCI-001967"
      ],
      "ruleFixText": "Configure the Nokia router to authenticate SNMP messages using authentication with FIPS-compliant algorithms, as shown in the example below:\n\n- configure system security user <user name> snmp authentication hmac-sha2-256  <authentication key>",
      "ruleFixId": "F-88250r1203384_fix",
      "ruleCheckSystem": "C-88345r1203383_chk",
      "ruleCheckContent": "Review the Nokia router configuration to verify it authenticates SNMP messages using authentication with FIPS-compliant algorithms, as shown in the example below:\n\n- show system security user <user name> detail| match \"auth proto\"\n \nauth protocol      : hmac-sha2-256\n\nIf the Nokia router is not configured to authenticate SNMP messages using authentication with FIPS-validated algorithms, this is a finding.",
      "createdAt": "2026-07-11T12:27:49.737Z",
      "updatedAt": "2026-07-11T12:27:49.737Z"
    },
    {
      "id": 40746,
      "benchmarkId": 686,
      "groupId": "V-283781",
      "title": "SRG-APP-000395-NDM-000347",
      "description": "<GroupDescription></GroupDescription>",
      "ruleId": "SV-283781r1203388_rule",
      "ruleWeight": "10.0",
      "ruleSeverity": "medium",
      "ruleVersion": "NOKI-ND-000710",
      "ruleTitle": "The Nokia router must be configured to authenticate Network Time Protocol (NTP) sources using authentication with a Federal Information Processing Standard (FIPS)-compliant algorithm.",
      "ruleVulnDiscussion": "If NTP is not authenticated, an attacker can introduce a rogue NTP server. This rogue server can be used to send incorrect time information to network devices, which will make log timestamps inaccurate and affect scheduled actions. NTP authentication is used to prevent such tampering by authenticating the time source.",
      "ruleFalsePositives": "",
      "ruleFalseNegatives": "",
      "ruleDocumentable": "false",
      "ruleMitigations": "",
      "ruleIdent": "CCI-001967",
      "ruleIdents": [
        "CCI-001967"
      ],
      "ruleFixText": "Configure the Nokia router to authenticate NTP sources using authentication that is cryptographically based.\n\nConfigure NTP for authentication with MD-5, as shown in the example below:\n\n- configure system time ntp server <NTP server ip address> authentication-key <key id> key <key> type message-digest",
      "ruleFixId": "F-88251r1203387_fix",
      "ruleCheckSystem": "C-88346r1203386_chk",
      "ruleCheckContent": "Review the Nokia router configuration to determine if the Nokia router authenticates NTP endpoints before establishing a local, remote, or network connection using authentication that is cryptographically based.\n\nUsing the command below, verify NTP server \"Admin status\" and \"Oper status\" are listed and \"Auth Check\" is enabled.\n\n- show system ntp detail\n\nNTP Status\n\nConfigured         : Yes                Stratum              : 3\nAdmin Status       : up                 Oper Status          : up\nServer Enabled     : No                 Server Authenticate  : No\nClock Source       : 10.1.0.158\nAuth Check         : Yes\nAuth Keychain      : test\nAuth Errors        : 0                  Auth Errors Ignored  : 0\nAuth Key Id Errors : 0                  Auth Key Type Errors : 0\nCurrent Date & Time: 2025/11/12 02:19:32 UTC\n\nNOTE: Nokia router is limited to MD-5 for NTP authentication and incurs a permanent finding as it is not FIPS compliant. MD-5 partially reduces the risk but cannot fully mitigate it. \n\nIf the Nokia router does not authenticate NTP sources using authentication that is cryptographically based, this is a finding.",
      "createdAt": "2026-07-11T12:27:49.737Z",
      "updatedAt": "2026-07-11T12:27:49.737Z"
    },
    {
      "id": 40747,
      "benchmarkId": 686,
      "groupId": "V-283782",
      "title": "SRG-APP-000411-NDM-000330",
      "description": "<GroupDescription></GroupDescription>",
      "ruleId": "SV-283782r1223371_rule",
      "ruleWeight": "10.0",
      "ruleSeverity": "high",
      "ruleVersion": "NOKI-ND-000740",
      "ruleTitle": "The Nokia router must use Federal Information Processing Standard (FIPS)-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of nonlocal maintenance and diagnostic communications.",
      "ruleVulnDiscussion": "Unapproved mechanisms used for authentication to the cryptographic module are not verified and therefore cannot be relied on to provide confidentiality or integrity, and DoW data may be compromised.\n\nNonlocal maintenance and diagnostic activities are activities conducted by individuals communicating through an external network (e.g., the internet) or internal network. \n\nCurrently, HMAC is the only FIPS-approved algorithm for generating and verifying message/data authentication codes in accordance with FIPS 198-1. Products that are FIPS 140-2 validated will have an HMAC that meets the specification; however, the option must be configured for use as the only message authentication code used for authentication to cryptographic modules.\n\nSeparate requirements for configuring applications and protocols used by each application (e.g., Simple Network Management Protocol [SNMP] v3, Secure Shell [SSH] v2, Network Time Protocol [NTP], HyperText Transfer Protocol Secure [HTTPS], and other protocols and applications that require server/client authentication) are required to implement this requirement. Where SSH is used, the SSHv2 protocol suite is required because it includes layer 7 protocols such as Secure Copy (SCP) and Secure File Transfer Protocol (SFTP), which can be used for secure file transfers.\n\nSatisfies: SRG-APP-000411-NDM-000330, SRG-APP-000412-NDM-000331",
      "ruleFalsePositives": "",
      "ruleFalseNegatives": "",
      "ruleDocumentable": "false",
      "ruleMitigations": "",
      "ruleIdent": "CCI-002890",
      "ruleIdents": [
        "CCI-002890",
        "CCI-003123"
      ],
      "ruleFixText": "Configure the Nokia router to use FIPS-validated HMAC to protect the integrity of nonlocal maintenance and diagnostic communications.\n\nWhen in FIPS mode, the non-FIPS algorithms are removed. To remove any of SSH ciphers, use the command below:\n\n- configure system security ssh\n\nUse the command below to view all ciphers available for \"client-cipher-list\", \"server-cipher-list\", \"client-mac-list\", and \"server-mac-list\":\n\n- info detail\n\nRemove any unwanted cipher from any of the lists above using the command below. For example, to remove cipher id 190 from server-cipher-list, use the following:\n \n- server-cipher-list no cipher 190",
      "ruleFixId": "F-88252r1203584_fix",
      "ruleCheckSystem": "C-88347r1203389_chk",
      "ruleCheckContent": "Verify the Nokia router uses FIPS-validated HMAC to protect the integrity of nonlocal maintenance and diagnostic communications.\n\nSSH server list example:\n\n- show system security ssh server-lists\n\nSSH Server configurable algorithm lists\n\nSSHv2 Cipher List   : aes256-ctr\n                      aes192-ctr\n                      aes128-ctr\n                      aes128-cbc\n                      aes192-cbc\n                      aes256-cbc\n\nSSHv2 MAC List      : hmac-sha2-512\n                      hmac-sha2-256\n\nSSHv2 KEX List      : ecdh-sha2-nistp521\n                      ecdh-sha2-nistp384\n                      ecdh-sha2-nistp256\n                      diffie-hellman-group16-sha512\n                      diffie-hellman-group14-sha256\n\nSSHv2 Host Key List : ecdsa-sha2-nistp521\n                      ecdsa-sha2-nistp256\n                      rsa-sha2-512\n                      rsa-sha2-256\n\nSSH client list example:\n\n- show system security ssh client-lists\n\nIf the Nokia router does not use FIPS-validated HMAC to protect the integrity of nonlocal maintenance and diagnostic communications, this is a finding.",
      "createdAt": "2026-07-11T12:27:49.737Z",
      "updatedAt": "2026-07-11T12:27:49.737Z"
    },
    {
      "id": 40748,
      "benchmarkId": 686,
      "groupId": "V-283783",
      "title": "SRG-APP-000435-NDM-000315",
      "description": "<GroupDescription></GroupDescription>",
      "ruleId": "SV-283783r1223372_rule",
      "ruleWeight": "10.0",
      "ruleSeverity": "medium",
      "ruleVersion": "NOKI-ND-000760",
      "ruleTitle": "The Nokia router must be configured to protect against known types of denial-of-service (DoS) attacks by employing organization-defined security safeguards.",
      "ruleVulnDiscussion": "DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity.\n\nThis requirement addresses the configuration of network devices to mitigate the impact of DoS attacks that have occurred or are ongoing on device availability. For each network device, known and potential DoS attacks must be identified and solutions for each type implemented. A variety of technologies exist to limit or, in some cases, eliminate the effects of DoS attacks (e.g., limiting processes or restricting the number of sessions the device opens at one time). Employing increased capacity and bandwidth, combined with service redundancy, may reduce the susceptibility to some DoS attacks.\n\nThe security safeguards cannot be defined at the DoW level because they vary according to the capabilities of the individual network devices and the security controls applied on the adjacent networks (for example, firewalls performing packet filtering to block DoS attacks).",
      "ruleFalsePositives": "",
      "ruleFalseNegatives": "",
      "ruleDocumentable": "false",
      "ruleMitigations": "",
      "ruleIdent": "CCI-002385",
      "ruleIdents": [
        "CCI-002385"
      ],
      "ruleFixText": "Configure the Nokia router to protect against or limit the effects of all known types of DoS attacks by employing organization-defined security safeguards.\n\nConfigure Distributed CPU Protection to rate limit various core/peering protocols, Link, ESM, interface protocols, and any other unspecified control traffic, as shown in the example below: \n\n- configure system security dist-cpu-protection policy <policy name> create \n- static-policer <name> create\n- rate packets <ppi| ma> within <seconds>\nOR\n- rate kbps <kbps | max> bytes mbs <size>\n- exceed-action discard\n- back\n- protocol <protocol name or all-unspecified> create\n\nApply the policy to each interface:\n\n- configure router inter <interface name> dist-cpu-protection <policy name>",
      "ruleFixId": "F-88253r1203393_fix",
      "ruleCheckSystem": "C-88348r1203392_chk",
      "ruleCheckContent": "Determine if the Nokia router protects against or limits the effects of all known types of DoS attacks by employing organization-defined security safeguards.\n\nVerify Distributed CPU Protection is configured for each interface, as shown in the example below:\n\n- show router interface detail | match OperDCpuProtPlcy\nOperDCpuProtPlcy : test\nOperDCpuProtPlcy : ssh\n\nIf the Nokia router does not protect against or limit the effects of all known types of DoS attacks by employing organization-defined security safeguards, this is a finding.",
      "createdAt": "2026-07-11T12:27:49.737Z",
      "updatedAt": "2026-07-11T12:27:49.737Z"
    },
    {
      "id": 40749,
      "benchmarkId": 686,
      "groupId": "V-283784",
      "title": "SRG-APP-000515-NDM-000325",
      "description": "<GroupDescription></GroupDescription>",
      "ruleId": "SV-283784r1203397_rule",
      "ruleWeight": "10.0",
      "ruleSeverity": "medium",
      "ruleVersion": "NOKI-ND-000850",
      "ruleTitle": "The Nokia router must off-load audit records onto a different system or media than the system being audited.",
      "ruleVulnDiscussion": "Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n\nOff-loading is a common process in information systems with limited audit storage capacity.",
      "ruleFalsePositives": "",
      "ruleFalseNegatives": "",
      "ruleDocumentable": "false",
      "ruleMitigations": "",
      "ruleIdent": "CCI-001851",
      "ruleIdents": [
        "CCI-001851"
      ],
      "ruleFixText": "Configure the Nokia router to off-load audit records onto a different system or media than the system being audited.\n\nOne option for off-loading audit records onto a different system is syslog. Configure syslog and the log file to be off-loaded to a syslog server as shown below:\n\n- configure log syslog <syslog id>\n- address <syslog server ip address>\n- level <messages with severity level equal or higher to be reported- recommend warning>\n- prefix <prefix message that will show up for each log entry>\n\nConfigure the log file that will be off-loaded to syslog server:\n\n- configure log log-id <log id>\n- from <select any combination of: main change security or debug>\n- to syslog <syslog id>",
      "ruleFixId": "F-88254r1203396_fix",
      "ruleCheckSystem": "C-88349r1203395_chk",
      "ruleCheckContent": "Check the Nokia router configuration to determine if the device off-loads audit records onto a different system or media than the system being audited.\n\nOne option for off-loading audit records onto a different system is syslog. Verify syslog has been configured using the command below:\n\n- show log syslog\n\nIf the device does not off-load audit records onto a different system or media, this is a finding.",
      "createdAt": "2026-07-11T12:27:49.737Z",
      "updatedAt": "2026-07-11T12:27:49.737Z"
    },
    {
      "id": 40751,
      "benchmarkId": 686,
      "groupId": "V-283786",
      "title": "SRG-APP-000516-NDM-000340",
      "description": "<GroupDescription></GroupDescription>",
      "ruleId": "SV-283786r1203403_rule",
      "ruleWeight": "10.0",
      "ruleSeverity": "medium",
      "ruleVersion": "NOKI-ND-000900",
      "ruleTitle": "The Nokia router must be configured to conduct backups of system-level information contained in the information system when changes occur.",
      "ruleVulnDiscussion": "System-level information includes default and customized settings and security attributes, including Access Control Lists (ACLs) that relate to the network device configuration and software required for the execution and operation of the device. Information system backup is a critical step in ensuring system integrity and availability. If the system fails and there is no backup of the system-level information, a denial-of-service condition is possible for all who use this critical network component.\n\nThis control requires the network device to support the organizational central backup process for system-level information associated with the network device. This function may be provided by the network device itself; however, the preferred best practice is a centralized backup rather than each network device performing discrete backups.\n\nSatisfies: SRG-APP-000516-NDM-000340, SRG-APP-000516-NDM-000341",
      "ruleFalsePositives": "",
      "ruleFalseNegatives": "",
      "ruleDocumentable": "false",
      "ruleMitigations": "",
      "ruleIdent": "CCI-000366",
      "ruleIdents": [
        "CCI-000366",
        "CCI-000537",
        "CCI-000539"
      ],
      "ruleFixText": "Manual backups can be initiated using the command below:\n\n- admin save",
      "ruleFixId": "F-88256r1203402_fix",
      "ruleCheckSystem": "C-88351r1203401_chk",
      "ruleCheckContent": "Verify with the site that system-level backups are done when changes occur (or weekly, whichever is shorter).\n\nThese can be via a centralized management system with scheduled backups or manually initiated backups. \n\nIf the router is not being maintained by approved backup methods, this is a finding.\n\nIf the router does not back up information system documentation, including security-related documentation, when changes occur or weekly, whichever is sooner, this is a finding.",
      "createdAt": "2026-07-11T12:27:49.737Z",
      "updatedAt": "2026-07-11T12:27:49.737Z"
    },
    {
      "id": 40752,
      "benchmarkId": 686,
      "groupId": "V-283787",
      "title": "SRG-APP-000516-NDM-000344",
      "description": "<GroupDescription></GroupDescription>",
      "ruleId": "SV-283787r1203406_rule",
      "ruleWeight": "10.0",
      "ruleSeverity": "medium",
      "ruleVersion": "NOKI-ND-000920",
      "ruleTitle": "The Nokia router must obtain its public key certificates from an appropriate certificate policy through an approved service provider.",
      "ruleVulnDiscussion": "The aggregation of log data kept on a syslog server can be used to detect attacks and trigger an alert to the appropriate security personnel. The stored log data can be used to detect weaknesses in security that enable the network Information Assurance team to find and address these weaknesses before breaches can occur. Reviewing these logs, whether before or after a security breach, is important in showing whether someone is an internal employee or outside threat.",
      "ruleFalsePositives": "",
      "ruleFalseNegatives": "",
      "ruleDocumentable": "false",
      "ruleMitigations": "",
      "ruleIdent": "CCI-000366",
      "ruleIdents": [
        "CCI-000366",
        "CCI-001159"
      ],
      "ruleFixText": "Configure the Nokia router to obtain its public key certificates from an appropriate certificate policy through an approved service provider.\n\nGenerate a key pair using the command below:\n\n- admin certificate gen-keypair\n\nGenerate a PKCS#10 certificate signing request with the key generated in the previous step (optionally an FQDN or IP address can be specified):\n\n- admin certificate gen-local-cert-req keypair <url-string> subject-dn <subject-dn> file <url-string>\n\nImport the key file:\n\n- admin certificate import type z,type> input <url-string> output <file name> format <format> \n\nImport the resulting certificate:\n\n- admin certificate import",
      "ruleFixId": "F-88257r1203405_fix",
      "ruleCheckSystem": "C-88352r1203404_chk",
      "ruleCheckContent": "Determine if the Nokia router obtains public key certificates from an appropriate certificate policy through an approved service provider. \n\nUse the command below for certificate-authority profile information:\n\n- show certificate ca-profile\n\nMax Cert Chain Depth: 7 (default)\n\nCertificate Display Format: 1 ASCII\n\nCA Profile\n\nCA Profile Admin Oper Cert File CRL File\n State State \n\nCA0 up up CA1-00cert.der CA1-00crl.der\nCA1 up up CA1-01cert.der CA1-01crl.der\nCA2 up up CA1-02cert.der CA1-02crl.der\nCA3 up up CA1-03cert.der CA1-03crl.der\nCA4 up up CA1-04cert.der CA1-04crl.der\nCA5 up up rsa_sha512_1024_0cert.d* rsa_sha512_1024_0crl.der\nCA6 up up rsa_sha512_1024_1cert.d* rsa_sha512_1024_1crl.der\nCA7 up up rsa_sha512_1024_2cert.d* rsa_sha512_1024_2crl.der\nCA8 up up rsa_sha512_1024_3cert.d* rsa_sha512_1024_3crl.der\nCA9 up up rsa_sha512_1024_4cert.d* rsa_sha512_1024_4crl.der\nCA10 up up rsa_sha512_1024_5cert.d* rsa_sha512_1024_5crl.der\nCA11 up up rsa_sha384_1024_0cert.d* rsa_sha384_1024_0crl.der\nCA12 up up rsa_sha384_1024_1cert.d* rsa_sha384_1024_1crl.der\nCA13 up up rsa_sha384_1024_2cert.d* rsa_sha384_1024_2crl.der\nCA14 up up rsa_sha384_1024_3cert.d* rsa_sha384_1024_3crl.der\nCA15 up up rsa_sha384_1024_4cert.d* rsa_sha384_1024_4crl.der\nCA16 up up rsa_sha384_1024_5cert.d* rsa_sha384_1024_5crl.der\nCMPv2 up up rsaCMPv2cert.der rsaCMPv2CRL.der\n\nEntries found: 18\n\nIf the Nokia router does not obtain its public key certificates from an appropriate certificate policy through an approved service provider, this is a finding.",
      "createdAt": "2026-07-11T12:27:49.737Z",
      "updatedAt": "2026-07-11T12:27:49.737Z"
    },
    {
      "id": 40753,
      "benchmarkId": 686,
      "groupId": "V-283788",
      "title": "SRG-APP-000516-NDM-000350",
      "description": "<GroupDescription></GroupDescription>",
      "ruleId": "SV-283788r1203409_rule",
      "ruleWeight": "10.0",
      "ruleSeverity": "high",
      "ruleVersion": "NOKI-ND-000930",
      "ruleTitle": "The Nokia router must be configured to send log data to at least two central log servers for the purpose of forwarding alerts to the administrators and the information system security officer (ISSO).",
      "ruleVulnDiscussion": "The aggregation of log data kept on a syslog server can be used to detect attacks and trigger an alert to the appropriate security personnel. The stored log data can be used to detect weaknesses in security that enable the network Information Assurance team to find and address these weaknesses before breaches can occur. Reviewing these logs, whether before or after a security breach, is important in showing whether someone is an internal employee or outside threat.",
      "ruleFalsePositives": "",
      "ruleFalseNegatives": "",
      "ruleDocumentable": "false",
      "ruleMitigations": "",
      "ruleIdent": "CCI-001851",
      "ruleIdents": [
        "CCI-001851"
      ],
      "ruleFixText": "Configure the Nokia router to send log data to at least two central log servers:\n\n- configure log syslog <syslog id>\n- address <syslog server ip address>\n- level <messages with severity level equal or higher to be reported- recommend warning>\n- prefix <prefix message that will show up for each log entry>\n- timestamp-format millisecond\n\nConfigure the log file that will be off-loaded to the syslog server:\n\n- configure log log-id <log id>\n- from main change security \n- to syslog <syslog id>",
      "ruleFixId": "F-88258r1203408_fix",
      "ruleCheckSystem": "C-88353r1203407_chk",
      "ruleCheckContent": "Verify the Nokia router is configured to send log data to at least two central log servers, as shown in the example below: \n\n- show log syslog\n\nSyslog Target Hosts\n\nSyslog Name\nId Ip Address Port Sev Level\n Below Level Drop Facility Prefix\n TLS Profile\n\nSunnyvale Server\n1 10.1.1.2 514 emergency\n 0 local7 yes\nNaperville Server \n2 192.168.0.10 514 info\n 0 local7 yes\n\nIf the Nokia router is not configured to send log data to at least two central log servers, this is a finding.",
      "createdAt": "2026-07-11T12:27:49.737Z",
      "updatedAt": "2026-07-11T12:27:49.737Z"
    },
    {
      "id": 40754,
      "benchmarkId": 686,
      "groupId": "V-283789",
      "title": "SRG-APP-000516-NDM-000351",
      "description": "<GroupDescription></GroupDescription>",
      "ruleId": "SV-283789r1207744_rule",
      "ruleWeight": "10.0",
      "ruleSeverity": "high",
      "ruleVersion": "NOKI-ND-000940",
      "ruleTitle": "The Nokia router must be running an operating system release that is currently supported by the vendor.",
      "ruleVulnDiscussion": "Network devices running an unsupported operating system lack current security fixes required to mitigate the risks associated with recent vulnerabilities.\n\nSatisfies: SRG-APP-000516-NDM-000351, SRG-APP-000457-NDM-000352",
      "ruleFalsePositives": "",
      "ruleFalseNegatives": "",
      "ruleDocumentable": "false",
      "ruleMitigations": "",
      "ruleIdent": "CCI-000366",
      "ruleIdents": [
        "CCI-000366",
        "CCI-002605"
      ],
      "ruleFixText": "Upgrade the Nokia router to an operating system that is supported by the vendor.",
      "ruleFixId": "F-88259r1203411_fix",
      "ruleCheckSystem": "C-88354r1203410_chk",
      "ruleCheckContent": "Verify the Nokia router complies with this requirement. \n\nUse the command below to verify the operating system release:\n\n- show version\n\nIf the Nokia router is not running an operating system release that is currently supported by the vendor, this is a finding.",
      "createdAt": "2026-07-11T12:27:49.737Z",
      "updatedAt": "2026-07-11T12:27:49.737Z"
    },
    {
      "id": 40756,
      "benchmarkId": 686,
      "groupId": "V-283791",
      "title": "SRG-APP-000875-NDM-000280",
      "description": "<GroupDescription></GroupDescription>",
      "ruleId": "SV-283791r1203418_rule",
      "ruleWeight": "10.0",
      "ruleSeverity": "medium",
      "ruleVersion": "NOKI-ND-001000",
      "ruleTitle": "The Nokia router must be configured to implement a local cache of revocation data to support path discovery and validation for public key-based authentication.",
      "ruleVulnDiscussion": "Public key cryptography is a valid authentication mechanism for individuals, machines, and devices. For Public Key Infrastructure (PKI) solutions, status information for certification paths includes certificate revocation lists or certificate status protocol responses. \n\nFor Personal Identity Verification (PIV) cards, certificate validation involves the construction and verification of a certification path to the Common Policy Root trust anchor, which includes certificate policy processing. \n\nImplementing a local cache of revocation data to support path discovery and validation also supports system availability in situations where organizations are unable to access revocation information via the network.",
      "ruleFalsePositives": "",
      "ruleFalseNegatives": "",
      "ruleDocumentable": "false",
      "ruleMitigations": "",
      "ruleIdent": "CCI-004068",
      "ruleIdents": [
        "CCI-004068"
      ],
      "ruleFixText": "Configure the Nokia router to implement a local cache of revocation data using the command below:\n\n- configure system security pki ca-profile ocsp\n- responder-url <OCSCP responder URL>\n- transmission-profile <profile name>",
      "ruleFixId": "F-88261r1203417_fix",
      "ruleCheckSystem": "C-88356r1203416_chk",
      "ruleCheckContent": "Verify the Nokia router is configured to implement a local cache of revocation data to support path discovery and validation.\n\nUse the command below to display the current cached OCSP results:\n\n- show certificate ocsp-cache\n\nOCSP Cache information\n\nEntry                         Valid Until         Cert Status\n Issuer\n Serial#\n\nIf the Nokia router is not configured to implement a local cache of revocation data to support path discovery and validation, this is a finding.",
      "createdAt": "2026-07-11T12:27:49.737Z",
      "updatedAt": "2026-07-11T12:27:49.737Z"
    },
    {
      "id": 40757,
      "benchmarkId": 686,
      "groupId": "V-283792",
      "title": "SRG-APP-000880-NDM-000290",
      "description": "<GroupDescription></GroupDescription>",
      "ruleId": "SV-283792r1203421_rule",
      "ruleWeight": "10.0",
      "ruleSeverity": "medium",
      "ruleVersion": "NOKI-ND-001010",
      "ruleTitle": "The Nokia router must be configured to protect nonlocal maintenance sessions by separating the maintenance session from other network sessions within the system by logically separated communications paths.",
      "ruleVulnDiscussion": "Nonlocal maintenance and diagnostic activities are conducted by individuals who communicate through an external or internal network. Communications paths can be logically separated using encryption.",
      "ruleFalsePositives": "",
      "ruleFalseNegatives": "",
      "ruleDocumentable": "false",
      "ruleMitigations": "",
      "ruleIdent": "CCI-004192",
      "ruleIdents": [
        "CCI-004192"
      ],
      "ruleFixText": "Configure the out-of-band management session using the management port.\n\nAssign an IP address to the management port:\n\n- bof address <ip address>\n\nConfigure any static-routes needed:\n\n- bof static-route <ip prefix/mask> next-hop <ip address>",
      "ruleFixId": "F-88262r1203420_fix",
      "ruleCheckSystem": "C-88357r1203419_chk",
      "ruleCheckContent": "Verify the out-of-band management IP address and static-routes are configured:\n\n-  show bof\n\n    primary-image    cf3:\\TiMOS-SR-24.10.R5\n    primary-config   cf3:\\config.cfg\n    secondary-image  cf3:\\TiMOS-SR-24.3.R3\n    license-file     cf3:\\license-xma.txt\n    address          10.1.0.156/24 active\n    address          10.1.0.157/24 standby\n    static-route     0.0.0.0/1 next-hop 10.1.0.1\n    static-route     128.0.0.0/1 next-hop 10.1.0.1\n\nIf the out-of-band management IP address and static-routes are not configured, this is a finding.",
      "createdAt": "2026-07-11T12:27:49.737Z",
      "updatedAt": "2026-07-11T12:27:49.737Z"
    },
    {
      "id": 40758,
      "benchmarkId": 686,
      "groupId": "V-283793",
      "title": "SRG-APP-000910-NDM-000300",
      "description": "<GroupDescription></GroupDescription>",
      "ruleId": "SV-283793r1203590_rule",
      "ruleWeight": "10.0",
      "ruleSeverity": "medium",
      "ruleVersion": "NOKI-ND-001020",
      "ruleTitle": "The Nokia router must be configured to include only approved trust anchors in trust stores or certificate stores managed by the organization.",
      "ruleVulnDiscussion": "Public Key Infrastructure (PKI) certificates are certificates with visibility external to organizational systems and certificates related to the internal operations of systems, such as application-specific time services. In cryptographic systems with a hierarchical structure, a trust anchor is an authoritative source (i.e., a certificate authority) for which trust is assumed and not derived. A root certificate for a PKI system is an example of a trust anchor. A trust store or certificate store maintains a list of trusted root certificates.",
      "ruleFalsePositives": "",
      "ruleFalseNegatives": "",
      "ruleDocumentable": "false",
      "ruleMitigations": "",
      "ruleIdent": "CCI-004909",
      "ruleIdents": [
        "CCI-004909"
      ],
      "ruleFixText": "Configure the Nokia router to include only approved trust anchors in trust stores or certificate stores managed by the organization.\n\n Configure the TLS certification profile:\n\n- configure system security tls cert-profile <profile name> create \n- entry <id> create\n- cert <cert file name>\n- key <key file name>\n\nConfigure TLS-approved trust anchors:\n\n- configure system security tls trust-anchor-profile <name> create\n- trust-anchor <ca profile name>",
      "ruleFixId": "F-88263r1203423_fix",
      "ruleCheckSystem": "C-88358r1203589_chk",
      "ruleCheckContent": "Verify the Nokia router is configured to include only approved trust anchors in trust stores or certificate stores managed by the organization. \n\nUse the command below to view the trust anchor information for TLS:\n\n- show system security tls trust-anchor-profile\n\nIf the Nokia router is not configured to include only approved trust anchors in trust stores or certificate stores managed by the organization, this is a finding.",
      "createdAt": "2026-07-11T12:27:49.737Z",
      "updatedAt": "2026-07-11T12:27:49.737Z"
    },
    {
      "id": 40759,
      "benchmarkId": 686,
      "groupId": "V-283794",
      "title": "SRG-APP-000920-NDM-000320",
      "description": "<GroupDescription></GroupDescription>",
      "ruleId": "SV-283794r1203427_rule",
      "ruleWeight": "10.0",
      "ruleSeverity": "medium",
      "ruleVersion": "NOKI-ND-001030",
      "ruleTitle": "The Nokia router must be configured to synchronize system clocks within and between systems or system components.",
      "ruleVulnDiscussion": "Time synchronization of system clocks is essential for the correct execution of many system services, including identification and authentication processes that involve certificates and time-of-day restrictions as part of access control. Denial of service or failure to deny expired credentials may result without properly synchronized clocks within and between systems and system components. \n\nTime is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. The granularity of time measurements refers to the degree of synchronization between system clocks and reference clocks, such as clocks synchronizing within hundreds of milliseconds or tens of milliseconds. \n\nOrganizations may define different time granularities for system components. Time service can be critical to other security capabilities such as access control and identification and authentication depending on the nature of the mechanisms used to support the capabilities.",
      "ruleFalsePositives": "",
      "ruleFalseNegatives": "",
      "ruleDocumentable": "false",
      "ruleMitigations": "",
      "ruleIdent": "CCI-004922",
      "ruleIdents": [
        "CCI-004922"
      ],
      "ruleFixText": "Configure the Nokia router to synchronize system clocks within and between systems or system components.\n\nConfigure NTP server to be used for timing using the command below:\n\n- configure system time ntp server <NTP server ip address>authentication-key <key id> key <key> type message-digest",
      "ruleFixId": "F-88264r1203426_fix",
      "ruleCheckSystem": "C-88359r1203425_chk",
      "ruleCheckContent": "Verify the Nokia router is configured to synchronize system clocks within and between systems or system components.\n\nVerify NTP server is configured:\n\n- show system ntp detail\n\nNTP Status\n\nConfigured         : Yes                Stratum              : 3\nAdmin Status       : up                 Oper Status          : up\nServer Enabled     : No                 Server Authenticate  : No\nClock Source       : 10.1.0.158\nAuth Check         : Yes\nAuth Keychain      :\nAuth Errors        : 0                  Auth Errors Ignored  : 0\nAuth Key Id Errors : 0                  Auth Key Type Errors : 0\nCurrent Date & Time: 2025/12/02 13:45:31 UTC\n\nIf the Nokia router is not configured to synchronize system clocks within and between systems or system components, this is a finding.",
      "createdAt": "2026-07-11T12:27:49.737Z",
      "updatedAt": "2026-07-11T12:27:49.737Z"
    },
    {
      "id": 40760,
      "benchmarkId": 686,
      "groupId": "V-283795",
      "title": "SRG-APP-000925-NDM-000330",
      "description": "<GroupDescription></GroupDescription>",
      "ruleId": "SV-283795r1203430_rule",
      "ruleWeight": "10.0",
      "ruleSeverity": "medium",
      "ruleVersion": "NOKI-ND-001040",
      "ruleTitle": "The Nokia router must be configured to compare the internal system clocks on an organization-defined frequency with an organization-defined authoritative time source.",
      "ruleVulnDiscussion": "Synchronization of internal system clocks with an authoritative source provides uniformity of time stamps for systems with multiple system clocks and systems connected over a network.",
      "ruleFalsePositives": "",
      "ruleFalseNegatives": "",
      "ruleDocumentable": "false",
      "ruleMitigations": "",
      "ruleIdent": "CCI-004923",
      "ruleIdents": [
        "CCI-004923"
      ],
      "ruleFixText": "Configure the Nokia router to compare the internal system clocks on an organization-defined frequency with an organization-defined authoritative time source. \n\nConfigure NTP server to be used for timing using the command below:\n\n- configure system time ntp server <NTP server ip address>authentication-key <key id> key <key> type message-digest",
      "ruleFixId": "F-88265r1203429_fix",
      "ruleCheckSystem": "C-88360r1203428_chk",
      "ruleCheckContent": "Verify the Nokia router is configured to compare the internal system clocks on an organization-defined frequency with organization defined authoritative time source. \n\nVerify NTP server is configured:\n\n- show system ntp detail\n\nNTP Status\n\nConfigured         : Yes                Stratum              : 3\nAdmin Status       : up                 Oper Status          : up\nServer Enabled     : No                 Server Authenticate  : No\nClock Source       : 10.1.0.158\nAuth Check         : Yes\nAuth Keychain      :\nAuth Errors        : 0                  Auth Errors Ignored  : 0\nAuth Key Id Errors : 0                  Auth Key Type Errors : 0\nCurrent Date & Time: 2025/12/02 13:45:31 UTC\n\nIf the Nokia router is not configured to compare the internal system clocks on an organization-defined frequency with an organization-defined authoritative time source, this is a finding.",
      "createdAt": "2026-07-11T12:27:49.737Z",
      "updatedAt": "2026-07-11T12:27:49.737Z"
    },
    {
      "id": 40761,
      "benchmarkId": 686,
      "groupId": "V-283799",
      "title": "SRG-APP-000825-NDM-000180",
      "description": "<GroupDescription></GroupDescription>",
      "ruleId": "SV-283799r1203603_rule",
      "ruleWeight": "10.0",
      "ruleSeverity": "medium",
      "ruleVersion": "NOKI-ND-000970",
      "ruleTitle": "The Nokia router must be configured to implement multifactor authentication for local, network, and/or remote access to privileged and nonprivileged accounts such that the device meets organization-defined strength of mechanism requirements.",
      "ruleVulnDiscussion": "Requiring a device separate from the system to which the user is attempting to gain access for one of the factors during multifactor authentication reduces the likelihood of compromising authenticators or credentials stored on the system. \n\nAdversaries may be able to compromise such authenticators or credentials and subsequently impersonate authorized users. Implementing one of the factors on a separate device (e.g., a hardware token), provides a greater strength of mechanism and an increased level of assurance in the authentication process.\n\nSatisfies: SRG-APP-000825-NDM-000180, SRG-APP-000156-NDM-000250, SRG-APP-000820-NDM-000170",
      "ruleFalsePositives": "",
      "ruleFalseNegatives": "",
      "ruleDocumentable": "false",
      "ruleMitigations": "",
      "ruleIdent": "CCI-004047",
      "ruleIdents": [
        "CCI-004047",
        "CCI-001941",
        "CCI-004046"
      ],
      "ruleFixText": "Configure the Nokia router to enable message/response multifactor authentication for RADIUS and TACACS+. \n\nFor TACACS+, use the command shown below:\n\n- configure system security tacplus interactive-authentication \n\nFor RADIUS, use the command shown below:\n\n- configure system security radius interactive-authentication",
      "ruleFixId": "F-88269r1203602_fix",
      "ruleCheckSystem": "C-88364r1203601_chk",
      "ruleCheckContent": "Verify the Nokia router is configured for interactive authentication mode.\n\nFor TACACS+, use the example shown below:\n\n- configure system security tacplus\n\n>config>system>security>tacplus# info\n----------------------------------------------\n                interactive-authentication\n----------------------------------------------\n\nFor RADIUS, use the example shown below:\n\n- configure system security radius\n\n>config>system>security>radius# info\n----------------------------------------------\n                interactive-authentication\n----------------------------------------------\n\nIf interactive-authentication is not present in this scenario, this is a finding.",
      "createdAt": "2026-07-11T12:27:49.737Z",
      "updatedAt": "2026-07-11T12:27:49.737Z"
    }
  ],
  "profiles": [
    {
      "id": 6107,
      "benchmarkId": 686,
      "profileId": "MAC-1_Classified",
      "title": "I - Mission Critical Classified",
      "description": "<ProfileDescription></ProfileDescription>",
      "createdAt": "2026-07-11T12:27:49.879Z",
      "updatedAt": "2026-07-11T12:27:49.879Z"
    },
    {
      "id": 6108,
      "benchmarkId": 686,
      "profileId": "MAC-1_Public",
      "title": "I - Mission Critical Public",
      "description": "<ProfileDescription></ProfileDescription>",
      "createdAt": "2026-07-11T12:27:49.879Z",
      "updatedAt": "2026-07-11T12:27:49.879Z"
    },
    {
      "id": 6109,
      "benchmarkId": 686,
      "profileId": "MAC-1_Sensitive",
      "title": "I - Mission Critical Sensitive",
      "description": "<ProfileDescription></ProfileDescription>",
      "createdAt": "2026-07-11T12:27:49.879Z",
      "updatedAt": "2026-07-11T12:27:49.879Z"
    },
    {
      "id": 6110,
      "benchmarkId": 686,
      "profileId": "MAC-2_Classified",
      "title": "II - Mission Support Classified",
      "description": "<ProfileDescription></ProfileDescription>",
      "createdAt": "2026-07-11T12:27:49.879Z",
      "updatedAt": "2026-07-11T12:27:49.879Z"
    },
    {
      "id": 6111,
      "benchmarkId": 686,
      "profileId": "MAC-2_Public",
      "title": "II - Mission Support Public",
      "description": "<ProfileDescription></ProfileDescription>",
      "createdAt": "2026-07-11T12:27:49.879Z",
      "updatedAt": "2026-07-11T12:27:49.879Z"
    },
    {
      "id": 6112,
      "benchmarkId": 686,
      "profileId": "MAC-2_Sensitive",
      "title": "II - Mission Support Sensitive",
      "description": "<ProfileDescription></ProfileDescription>",
      "createdAt": "2026-07-11T12:27:49.879Z",
      "updatedAt": "2026-07-11T12:27:49.879Z"
    },
    {
      "id": 6113,
      "benchmarkId": 686,
      "profileId": "MAC-3_Classified",
      "title": "III - Administrative Classified",
      "description": "<ProfileDescription></ProfileDescription>",
      "createdAt": "2026-07-11T12:27:49.879Z",
      "updatedAt": "2026-07-11T12:27:49.879Z"
    },
    {
      "id": 6114,
      "benchmarkId": 686,
      "profileId": "MAC-3_Public",
      "title": "III - Administrative Public",
      "description": "<ProfileDescription></ProfileDescription>",
      "createdAt": "2026-07-11T12:27:49.879Z",
      "updatedAt": "2026-07-11T12:27:49.879Z"
    },
    {
      "id": 6115,
      "benchmarkId": 686,
      "profileId": "MAC-3_Sensitive",
      "title": "III - Administrative Sensitive",
      "description": "<ProfileDescription></ProfileDescription>",
      "createdAt": "2026-07-11T12:27:49.879Z",
      "updatedAt": "2026-07-11T12:27:49.879Z"
    }
  ]
}