| V-251779 | | The NSX-T Manager must be configured to enforce the limit of three consecutive invalid logon attempts, after which time it must block any login attempt for 15 minutes. | By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, ... |
| V-251780 | | The NSX-T Manager must enforce a minimum 15-character password length. | Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password ... |
| V-251782 | | The NSX-T Manager must be configured to synchronize internal information system clocks using redundant authoritative time sources. | The loss of connectivity to a particular authoritative time source will result in the loss of time synchronization (free-run mode) and increasingly in... |
| V-251783 | | The NSX-T Manager must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC). | If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis.
Time stamps generate... |
| V-251784 | | The NSX-T Manager must prohibit the use of cached authenticators after an organization-defined time period. | Some authentication implementations can be configured to use cached authenticators.
If cached authentication information is out-of-date, the validity... |
| V-251785 | | The NSX-T Manager must be configured to protect against known types of denial-of-service (DoS) attacks by employing organization-defined security safeguards. | DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or m... |
| V-251786 | | The NSX-T Manager must generate audit records when successful/unsuccessful attempts to delete administrator privileges occur. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-251787 | | The NSX-T Manager must be configured to send logs to a central log server. | Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
Offloading is a common process in information sy... |
| V-251788 | | The NSX-T Manager must generate log records for the info level to capture the DoD-required auditable events. | Auditing and logging are key components of any security architecture. Logging the actions of specific events provides a means to investigate an attack... |
| V-251790 | | The NSX-T Manager must be configured to conduct backups on an organizationally defined schedule. | System-level information includes default and customized settings and security attributes, including ACLs that relate to the network device configurat... |
| V-251791 | | The NSX-T Manager must support organizational requirements to conduct backups of information system documentation, including security-related documentation, when changes occur or weekly, whichever is sooner. | Information system backup is a critical step in maintaining data assurance and availability. Information system and security-related documentation con... |
| V-251792 | | The NSX-T Manager must obtain its public key certificates from an approved DoD certificate authority. | For user certificates, each organization obtains certificates from an approved, shared service provider, as required by OMB policy. For Federal agenci... |
| V-251795 | | The NSX-T Manager must not provide environment information to third parties. | Providing technical details about an environment's infrastructure to third parties could unknowingly expose sensitive information to bad actors if int... |
| V-251797 | | The NSX-T Manager must disable unused local accounts. | Prior to NSX-T 3.1 and earlier, there are three local accounts: root, admin, and audit. These local accounts could not be disabled and no additional a... |
| V-251798 | | The NSX-T Manager must disable TLS 1.1 and enable TLS 1.2. | TLS 1.0 and 1.1 are deprecated protocols with well-published shortcomings and vulnerabilities. TLS 1.2 must be enabled on all interfaces and TLS 1.1 a... |
| V-251799 | | The NSX-T Manager must disable SNMP v2. | SNMPv3 supports commercial-grade security, including authentication, authorization, access control, and privacy. Previous versions of the protocol con... |
| V-251800 | | The NSX-T Manager must enable the global FIPS compliance mode for load balancers. | If unsecured protocols (lacking cryptographic mechanisms) are used for load balancing, the contents of those sessions will be susceptible to eavesdrop... |
| V-251796 | | The NSX-T Manager must disable SSH. | The NSX-T shell provides temporary access to commands essential for server maintenance. Intended primarily for use in break-fix scenarios, the NSX-T s... |
| V-251778 | | NSX-T Manager must restrict the use of configuration, administration, and the execution of privileged commands to authorized personnel based on organization-defined roles. | To mitigate the risk of unauthorized access, privileged access must not automatically give an entity access to an asset or security boundary. Authoriz... |
| V-251781 | | The NSX-T Manager must terminate the device management session at the end of the session or after 10 minutes of inactivity. | Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management se... |
| V-251789 | | The NSX-T Manager must integrate with either VMware Identity Manager (vIDM) or VMware Workspace ONE Access. | Centralized management of authentication settings increases the security of remote and nonlocal access methods. This control is particularly important... |
| V-251793 | | The NSX-T Manager must be configured to send log data to a central log server for the purpose of forwarding alerts to the administrators and the Information System Security Officer (ISSO). | The aggregation of log data kept on a syslog server can be used to detect attacks and trigger an alert to the appropriate security personnel. The stor... |
| V-251794 | | The NSX-T Manager must be running a release that is currently supported by the vendor. | Network devices running an unsupported operating system lack current security fixes required to mitigate the risks associated with recent vulnerabilit... |
