| V-256898 | | Automation Controller must implement cryptography mechanisms to protect the integrity of information. | Encryption is critical for protection of remote access sessions. If encryption is not being used for integrity, malicious users may gain the ability t... |
| V-256896 | | Automation Controller must limit the number of concurrent sessions to an organization-defined number for all accounts and/or account types. | Application management includes the ability to control the number of sessions that utilize an application by all accounts and/or account types. Limiti... |
| V-256897 | | Automation Controller must use encryption strength in accordance with the categorization of the management data during remote access management sessions. | Remote management access is accomplished by leveraging common communication protocols and establishing a remote connection to the application server v... |
| V-256899 | | The Automation Controller management interface must display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system. | Automation Controller is required to display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system management inte... |
| V-256900 | | Automation Controller must use external log providers that can collect user activity logs in independent, protected repositories to prevent modification or repudiation. | Automation Controller must be configured to use external logging to compile log records from multiple components within the server. The events occurri... |
| V-256901 | | Automation Controller must allocate log record storage capacity and shut down by default upon log failure (unless availability is an overriding concern). | It is critical that when a system is at risk of failing to process logs, it detects and takes action to mitigate the failure. Log processing failures ... |
| V-256902 | | Automation Controller must be configured to fail over to another system in the event of log subsystem failure. | Automation Controller hosts must be capable of failing over to another Automation Controller host which can handle application and logging functions u... |
| V-256903 | | Automation Controller's log files must be accessible by explicitly defined privilege. | A failure of the confidentiality of Automation Controller log files would enable an attacker to identify key information about the system that they mi... |
| V-256904 | | Automation Controller must be capable of reverting to the last known good configuration in the event of failed installations and upgrades. | Any changes to the components of Automation Controller can have significant effects on the overall security of the system. In order to ensure a promp... |
| V-256905 | | Automation Controller must be configured to use an enterprise user management system. | Unauthenticated application servers render the organization subject to exploitation. Therefore, application servers must be uniquely identified and au... |
| V-256906 | | Automation Controller must be configured to authenticate users individually, prior to using a group authenticator. | Default superuser accounts, such as "root", are considered group authenticators. In the case of Automation Controller this is the "admin" account.... |
| V-256907 | | Automation Controller must utilize encryption when using LDAP for authentication. | To avoid access with malicious intent, passwords will need to be protected at all times. This includes transmission where passwords must be encrypted ... |
| V-256908 | | Automation Controller must use cryptographic mechanisms to protect the integrity of log tools. | Protecting the integrity of the tools used for logging purposes is a critical step in ensuring the integrity of log data. Log data includes all inform... |
| V-256909 | | Automation Controller must compare internal application server clocks at least every 24 hours with an authoritative time source. | When conducting forensic analysis and investigating system events, it is critical that timestamps accurately reflect the time of application events. I... |
| V-256910 | | Automation Controller must only allow the use of DOD PKI-established certificate authorities for verification of the establishment of protected sessions. | An untrusted source may leave the system vulnerable to issues such as unauthorized access, reduced data integrity, loss of confidentiality, etc. Sati... |
| V-256911 | | Automation Controller must install security-relevant software updates within the time period directed by an authoritative source (e.g. IAVM, CTOs, DTMs, and STIGs). | Security relevant software updates must be installed within the timeframes directed by an authoritative source in order to maintain the integrity and ... |