| V-281366 | | TCMax must initiate a session lock after a 15-minute period of inactivity. | A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information syst... |
| V-281367 | | TCMax must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period. | By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, ... |
| V-281368 | | TCMax must protect audit information from any type of unauthorized read access. | If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity i... |
| V-281369 | | TCMax must be configured to prohibit or restrict using organization-defined functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL) and vulnerability assessments. | Authenticity protection provides protection against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions. ... |
| V-281370 | | TCMax must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). | To ensure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and... |
| V-281371 | | TCMax must enforce a minimum 15-character password length. | The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexit... |
| V-281372 | | TCMax must enforce password complexity by requiring that at least one uppercase letter, one lowercase letter, one number, and one special character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-281373 | | TCMax must require the change of at least eight of the total number of characters when passwords are changed. | If the application allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increa... |
| V-281374 | | TCMax must enforce 24 hours/1 day as the minimum password lifetime. | Enforcing a minimum password lifetime helps prevent repeated password changes to defeat the password reuse or history enforcement requirement. Restri... |
| V-281375 | | TCMax must enforce a 60-day maximum password lifetime restriction. | Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed at specific intervals. One method of minimizi... |
| V-281377 | | TCMax must accept personal identity verification (PIV) credentials. | Using PIV credentials facilitates standardization and reduces the risk of unauthorized access. DOD has mandated using the common access card (CAC) to... |
| V-281378 | | TCMax must install security-relevant software updates within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs). | Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovere... |
| V-281379 | | For password-based authentication, TCMax must require immediate selection of a new password upon account recovery. | Password-based authentication applies to passwords regardless of whether they are used in single-factor or multifactor authentication. Long passwords ... |
| V-281380 | | TCMax must enforce a role-based access control (RBAC) policy over defined subjects and objects. | RBAC enables users to control, at both broad and granular levels, what administrators and end users can do. RBAC also enables users to more closely al... |
| V-281382 | | TCMax must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). | To ensure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and... |
| V-281376 | | TCMax must protect the confidentiality and integrity of transmitted information. | Without protection of the transmitted information, confidentiality and integrity may be compromised since unprotected communications can be intercepte... |
| V-281381 | | TCMax must be running a version supported by the vendor. | Running the current version ensures any product updates have been addressed and tested by the vendor.... |