| V-279166 | | The ALG providing user authentication intermediary services must uniquely identify and authenticate nonorganizational users (or processes acting on behalf of nonorganizational users). | Before continuing, the site must follow the configuration steps for adding Common Access Card (CAC) and LDAPS authentication realms and the SSH Consol... |
| V-279167 | | The Edge SWG must implement multifactor authentication for remote access to nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access. | For remote access to nonprivileged accounts, one factor of multifactor authentication must be provided by a device separate from the information syste... |
| V-279168 | | The Edge SWG must deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). | Ensure a Web Access Policy (under SYME-00-002500) has been created for allow rules or all proxy access will be denied. A deny-all, permit-by-exceptio... |
| V-279175 | | The Edge SWG must display the standard mandatory DOD-approved notice and consent banner before granting access to the network. | Display of a standardized and approved use notification before granting access to the network ensures privacy and security notification verbiage used ... |
| V-279176 | | The Edge SWG must limit the number of concurrent sessions to an organization-defined number for all accounts and/or account types. | Network element management includes the ability to control the number of users and user sessions that utilize a network element. Limiting the number o... |
| V-279177 | | The Edge SWG must ensure inbound and outbound traffic is monitored for compliance with remote access security policies. | Automated monitoring of remote access traffic allows organizations to detect cyberattacks and ensure ongoing compliance with remote access policies by... |
| V-279178 | | The Edge SWG must be configured to comply with the required TLS settings in NIST SP 800-52. | NIST SP 800-52 provides guidance on using the most secure version and configuration of the TLS/SSL protocol. Using older unauthorized versions or inco... |
| V-279180 | | The Edge SWG must be configured to remove or disable unrelated or unneeded application proxy services. | Unrelated or unneeded proxy services increase the attack vector and add excessive complexity to the securing of the ALG. Multiple application proxies ... |
| V-279187 | | In the event of a system failure of the ALG function, the Edge SWG must save diagnostic information, log system messages, and load the most current security policies, rules, and signatures when restarted. | Failure in a secure state can address safety or security in accordance with the mission needs of the organization. Failure to a secure state helps pre... |
| V-279194 | | The Edge SWG must generate error messages that provide the information necessary for corrective actions without revealing information that could be exploited by adversaries. | Providing too much information in error messages risks compromising the data and security of the application and system. Organizations carefully cons... |
| V-279203 | | The Edge SWG must control remote access methods. | Remote access devices, such as those providing remote access to network devices and information systems, lack automated control capabilities, increase... |
| V-279216 | | The Edge SWG providing user authentication intermediary services must require users to reauthenticate when organization-defined circumstances or situations require reauthentication. | Without reauthentication, users may access resources or perform tasks for which they do not have authorization. In addition to the reauthentication r... |
| V-279217 | | The Edge SWG using PKI-based user authentication must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network. | Without configuring a local cache of revocation data, there is the potential to allow access to users who are no longer authorized (users with revoked... |
| V-279219 | | The Edge must implement load balancing to limit the effects of known and unknown types of denial-of-service (DoS) attacks. | If the network does not provide safeguards against DoS attacks, network resources will be unavailable to users. Load balancing provides service redund... |
| V-279222 | | The Edge SWG must fail securely in the event of an operational failure. | If a boundary protection device fails in an unsecure manner (open), information external to the boundary protection device may enter, or the device ma... |