PDI     | VMSID    | CAT | Requirement | Section | Vulnerability | Status | Finding Notes
(The Vulnerability, Status and Finding Notes columns are blank in this checklist.)

DTAG008 | V0019910 | I   | The antivirus signature file age exceeds 7 days. | McAfee Local Client, McAfee Managed Client, Symantec Managed Client, Symantec Local Client
DTAM001 | V0006453 | I   | The McAfee VirusScan Control Panel parameters are not configured as required. | McAfee Local Client, McAfee Managed Client
DTAM002 | V0006467 | II  | The McAfee VirusScan on access scan parameter for Boot sectors is incorrect. | McAfee Local Client, McAfee Managed Client
DTAM003 | V0006468 | II  | The McAfee VirusScan on access scan parameter for floppy disks is incorrect. | McAfee Local Client, McAfee Managed Client
DTAM004 | V0006469 | II  | The McAfee VirusScan message dialog parameters are not configured as required. | McAfee Local Client, McAfee Managed Client
DTAM005 | V0006470 | II  | The McAfee VirusScan remove messages parameters are not configured as required. | McAfee Local Client, McAfee Managed Client
DTAM006 | V0006471 | II  | The McAfee VirusScan Clean Infected file parameter is not configured as required. | McAfee Local Client, McAfee Managed Client
DTAM007 | V0006472 | II  | The McAfee VirusScan delete infected file parameter is not configured as required. | McAfee Local Client, McAfee Managed Client
DTAM008 | V0006473 | II  | The McAfee VirusScan quarantine parameter is not configured as required. | McAfee Local Client
DTAM009 | V0006474 | II  | The McAfee VirusScan Control Panel log parameter is not configured as required. | McAfee Local Client, McAfee Managed Client
DTAM010 | V0006475 | II  | The McAfee VirusScan limit log size parameter is not configured as required. | McAfee Local Client, McAfee Managed Client
DTAM011 | V0006476 | II  | The McAfee VirusScan log session parameter is not configured as required. | McAfee Local Client, McAfee Managed Client
DTAM012 | V0006478 | II  | The McAfee VirusScan log summary parameter is not configured as required. | McAfee Local Client, McAfee Managed Client
DTAM013 | V0006583 | II  | The McAfee VirusScan log encrypted files parameter is not configured as required. | McAfee Local Client, McAfee Managed Client
DTAM014 | V0006584 | II  | The McAfee VirusScan log user name parameter is not configured as required. | McAfee Local Client
DTAM016 | V0006585 | II  | The McAfee VirusScan autoupdate parameters are not configured as required. | McAfee Local Client, McAfee Managed Client
DTAM021 | V0006586 | II  | The McAfee VirusScan Exchange scanner is not enabled. | McAfee Local Client, McAfee Managed Client
DTAM022 | V0006587 | II  | The McAfee VirusScan find unknown programs email parameter is not configured as required. | McAfee Local Client, McAfee Managed Client
DTAM023 | V0006588 | II  | The McAfee VirusScan find unknown macro virus email parameter is not configured as required. | McAfee Local Client, McAfee Managed Client
DTAM026 | V0006589 | II  | The McAfee VirusScan scan inside archives email parameter is not configured as required. | McAfee Local Client, McAfee Managed Client
DTAM027 | V0006590 | II  | The McAfee VirusScan decode MIME email parameter is not configured as required. | McAfee Local Client, McAfee Managed Client
DTAM028 | V0006591 | II  | The McAfee VirusScan scan e-mail message body email parameter is not configured as required. | McAfee Local Client, McAfee Managed Client
DTAM029 | V0006592 | II  | The McAfee VirusScan allowed actions email parameter is not configured as required. | McAfee Local Client, McAfee Managed Client
DTAM030 | V0006593 | II  | The McAfee VirusScan action prompt email parameter is not configured as required. | McAfee Local Client, McAfee Managed Client
DTAM033 | V0006594 | II  | The McAfee VirusScan return reply email parameter is not configured as required. | McAfee Local Client, McAfee Managed Client
DTAM034 | V0006595 | II  | The McAfee VirusScan prompt message email parameter is not configured as required. | McAfee Local Client, McAfee Managed Client
DTAM035 | V0006596 | II  | The McAfee VirusScan log to file email parameter is not configured as required. | McAfee Local Client, McAfee Managed Client
DTAM036 | V0006597 | II  | The McAfee VirusScan limit log size email parameter is not configured as required. | McAfee Local Client, McAfee Managed Client
DTAM037 | V0006598 | II  | The McAfee VirusScan log content email parameter is not configured as required. | McAfee Local Client, McAfee Managed Client
DTAM038 | V0014651 | II  | The McAfee VirusScan detects unwanted programs email parameter is not configured as required. | McAfee Local Client, McAfee Managed Client
DTAM039 | V0014652 | II  | The McAfee VirusScan unwanted programs action email parameter is not configured as required. | McAfee Local Client, McAfee Managed Client
DTAM045 | V0006599 | II  | The McAfee VirusScan fixed disk and running processes are not configured as required. | McAfee Local Client, McAfee Managed Client
DTAM046 | V0006600 | II  | The McAfee VirusScan include subfolders parameter is not configured as required. | McAfee Local Client, McAfee Managed Client
DTAM047 | V0006601 | II  | The McAfee VirusScan include boot sectors parameter is not configured as required. | McAfee Local Client, McAfee Managed Client
DTAM048 | V0006602 | II  | The McAfee VirusScan scan all files parameter is not configured as required. | McAfee Local Client, McAfee Managed Client
DTAM050 | V0006604 | II  | The McAfee VirusScan exclusions parameter is not configured as required. | McAfee Local Client, McAfee Managed Client
DTAM052 | V0006611 | II  | The McAfee VirusScan scan archives parameter is not configured as required. | McAfee Local Client, McAfee Managed Client
DTAM053 | V0006612 | II  | The McAfee VirusScan decode MIME encoded files parameter is not configured as required. | McAfee Local Client, McAfee Managed Client
DTAM054 | V0006614 | II  | The McAfee VirusScan find unknown programs parameter is not configured as required. | McAfee Local Client, McAfee Managed Client
DTAM055 | V0006615 | II  | The McAfee VirusScan find unknown macro viruses parameter is not configured as required. | McAfee Local Client, McAfee Managed Client
DTAM056 | V0006616 | II  | The McAfee VirusScan action for Virus parameter is not configured as required. | McAfee Local Client, McAfee Managed Client
DTAM057 | V0006617 | II  | The McAfee VirusScan secondary action for virus parameter is not configured as required. | McAfee Local Client, McAfee Managed Client
DTAM058 | V0014654 | II  | The McAfee VirusScan check for unwanted programs parameter is not configured as required. | McAfee Local Client, McAfee Managed Client
DTAM059 | V0006618 | II  | The McAfee VirusScan log to file parameter is not configured as required. | McAfee Local Client, McAfee Managed Client
DTAM060 | V0006620 | II  | The McAfee VirusScan log file limit parameter is not configured as required. | McAfee Local Client, McAfee Managed Client
DTAM061 | V0006621 | II  | The McAfee VirusScan log session settings parameter is not configured as required. | McAfee Local Client, McAfee Managed Client
DTAM062 | V0006624 | II  | The McAfee VirusScan log session summary parameter is not configured as required. | McAfee Local Client, McAfee Managed Client
DTAM063 | V0006625 | II  | The McAfee VirusScan failure on encrypted files parameter is not configured as required. | McAfee Local Client, McAfee Managed Client
DTAM064 | V0006626 | II  | The McAfee VirusScan log user name is not configured as required. | McAfee Local Client
DTAM070 | V0006627 | II  | The McAfee VirusScan schedule is not configured as required. | McAfee Local Client, McAfee Managed Client
DTAM090 | V0014618 | II  | The McAfee VirusScan on access scan parameter for script scan is incorrect. | McAfee Local Client, McAfee Managed Client
DTAM091 | V0014619 | II  | The McAfee VirusScan on access scan parameter for connection blocking is incorrect. | McAfee Local Client, McAfee Managed Client
DTAM092 | V0014620 | II  | The McAfee VirusScan on access scan parameter for connection blocking time is incorrect. | McAfee Local Client, McAfee Managed Client
DTAM093 | V0014621 | II  | The McAfee VirusScan on access scan parameter for blocking unwanted programs is incorrect. | McAfee Local Client, McAfee Managed Client
DTAM100 | V0014622 | II  | The McAfee VirusScan scan default values for processes are not configured as required. | McAfee Local Client, McAfee Managed Client
DTAM101 | V0014623 | II  | The McAfee VirusScan scan when writing to disk is not configured as required. | McAfee Local Client, McAfee Managed Client
DTAM102 | V0014624 | II  | The McAfee VirusScan scan when reading parameter is not configured as required. | McAfee Local Client, McAfee Managed Client
DTAM103 | V0014625 | II  | The McAfee VirusScan scan all files parameter is not configured as required. | McAfee Local Client, McAfee Managed Client
DTAM104 | V0014626 | II  | The McAfee VirusScan heuristics program viruses parameter is not configured as required. | McAfee Local Client, McAfee Managed Client
DTAM105 | V0014627 | II  | The McAfee VirusScan heuristics macro viruses parameter is not configured as required. | McAfee Local Client, McAfee Managed Client
DTAM106 | V0014628 | II  | The McAfee VirusScan scan inside archives parameter is not configured as required. | McAfee Local Client, McAfee Managed Client
DTAM107 | V0014629 | II  | The McAfee VirusScan scan MIME files parameter is not configured as required. | McAfee Local Client, McAfee Managed Client
DTAM110 | V0014630 | II  | The McAfee VirusScan process primary action parameter is not configured as required. | McAfee Local Client, McAfee Managed Client
DTAM111 | V0014631 | II  | The McAfee VirusScan process secondary action parameter is not configured as required. | McAfee Local Client, McAfee Managed Client
DTAM112 | V0014633 | II  | The McAfee VirusScan log user name parameter is not configured as required. | McAfee Local Client
DTAM130 | V0014657 | II  | The McAfee VirusScan buffer overflow protection is not configured as required. | McAfee Local Client, McAfee Managed Client
DTAM131 | V0014658 | II  | The McAfee VirusScan buffer overflow protection mode is not configured as required. | McAfee Local Client, McAfee Managed Client
DTAM132 | V0014659 | II  | The McAfee VirusScan buffer overflow message parameter is not configured as required. | McAfee Local Client, McAfee Managed Client
DTAM133 | V0014660 | II  | The McAfee VirusScan buffer overflow log parameter is not configured as required. | McAfee Local Client, McAfee Managed Client
DTAM134 | V0014661 | II  | The McAfee VirusScan log size limitation parameters are not configured as required. | McAfee Local Client, McAfee Managed Client
DTAM135 | V0014662 | II  | The McAfee VirusScan detection of Spyware is not configured as required. | McAfee Local Client, McAfee Managed Client
DTAM136 | V0014663 | II  | The McAfee VirusScan detection of Adware is not configured as required. | McAfee Local Client, McAfee Managed Client
DTAS002 | V0006359 | II  | The Symantec Antivirus is not configured to restart for configuration changes. | Symantec Managed Client, Symantec Local Client
DTAS003 | V0006360 | I   | The Symantec Antivirus autoprotect parameter is incorrect. | Symantec Managed Client, Symantec Local Client
DTAS004 | V0006361 | II  | The Symantec Antivirus auto protect-All Files configuration is incorrect. | Symantec Managed Client, Symantec Local Client
DTAS006 | V0006362 | II  | The Symantec Antivirus display message parameter is incorrect. | Symantec Managed Client, Symantec Local Client
DTAS007 | V0006363 | II  | The Symantec Antivirus exclude files configuration is incorrect. | Symantec Managed Client, Symantec Local Client
DTAS012 | V0006368 | II  | The Symantec Antivirus autoprotect read parameter is incorrect. | Symantec Managed Client, Symantec Local Client
DTAS013 | V0006369 | II  | The Symantec Antivirus AutoProtect parameter for backup options is incorrect. | Symantec Managed Client, Symantec Local Client
DTAS014 | V0006370 | II  | The Symantec Antivirus AutoProtect parameter for autoenabler is incorrect. | Symantec Managed Client, Symantec Local Client
DTAS015 | V0006371 | II  | The Symantec Antivirus AutoProtect parameter for floppies is incorrect. | Symantec Managed Client, Symantec Local Client
DTAS016 | V0006372 | II  | The Symantec Antivirus AutoProtect parameter for Boot virus is incorrect. | Symantec Managed Client, Symantec Local Client
DTAS017 | V0006374 | II  | The Symantec Antivirus AutoProtect parameter for check floppy at shutdown is incorrect. | Symantec Managed Client, Symantec Local Client
DTAS020 | V0006375 | II  | The Symantec Antivirus email parameter for Boot sectors is incorrect. | Symantec Managed Client, Symantec Local Client
DTAS021 | V0006376 | II  | The Symantec Antivirus email client parameter for all files is incorrect. | Symantec Managed Client, Symantec Local Client
DTAS029 | V0006383 | II  | The Symantec Antivirus email client parameter for compressed files is incorrect. | Symantec Managed Client, Symantec Local Client
DTAS030 | V0006384 | II  | The Symantec AntiVirus CE History Options parameters are not configured as required. | Symantec Managed Client, Symantec Local Client
DTAS031 | V0006385 | II  | The Symantec Antivirus is not scheduled to autoupdate. | Symantec Managed Client, Symantec Local Client
DTAS032 | V0006386 | II  | There is no Symantec Antivirus Scheduled Scans or Startup Scans task configured to scan local drive(s) at least weekly. | Symantec Managed Client, Symantec Local Client
DTAS037 | V0006387 | II  | The Symantec Antivirus weekly scan parameter for all files is incorrect. | Symantec Managed Client, Symantec Local Client
DTAS040 | V0006388 | II  | The Symantec Antivirus weekly scan parameter for memory enabled is incorrect. | Symantec Managed Client, Symantec Local Client
DTAS041 | V0006389 | II  | The Symantec Antivirus weekly scan parameter for messages is incorrect. | Symantec Managed Client, Symantec Local Client
DTAS042 | V0006390 | II  | The Symantec Antivirus weekly scan parameter for exclude files is incorrect. | Symantec Managed Client, Symantec Local Client
DTAS047 | V0006395 | II  | The Symantec Antivirus weekly scan parameter for compressed files is incorrect. | Symantec Managed Client, Symantec Local Client
DTAS048 | V0006396 | II  | The Symantec Antivirus weekly scan parameter for backup files is incorrect. | Symantec Managed Client, Symantec Local Client
DTAS050 | V0006397 | II  | The Symantec Antivirus weekly scan parameter for scan lock is incorrect. | Symantec Managed Client, Symantec Local Client
DTAS060 | V0014477 | II  | The Symantec Antivirus autoprotect parameter for Block Security Risks is incorrect. | Symantec Managed Client, Symantec Local Client
DTAS061 | V0014481 | II  | The Symantec Antivirus autoprotect parameter for scan for security risks is incorrect. | Symantec Managed Client, Symantec Local Client
DTAS062 | V0014482 | II  | The Symantec Antivirus autoprotect parameter for Delete Infected Files on Creation is incorrect. | Symantec Managed Client, Symantec Local Client
DTAS063 | V0014591 | II  | The Symantec AntiVirus Auto-Protect parameter for Threat Tracer is incorrect. | Symantec Managed Client, Symantec Local Client
DTAS064 | V0014592 | II  | The Symantec Antivirus autoprotect parameter for Bloodhound technology is incorrect. | Symantec Managed Client, Symantec Local Client
DTAS065 | V0014593 | II  | The Symantec Antivirus autoprotect parameter for Heuristics Level is incorrect. | Symantec Managed Client, Symantec Local Client
DTAS066 | V0014594 | II  | The Symantec Antivirus autoprotect parameter for macro virus first action is incorrect. | Symantec Managed Client, Symantec Local Client
DTAS067 | V0014595 | II  | The Symantec Antivirus autoprotect parameter for macro virus second action is incorrect. | Symantec Managed Client, Symantec Local Client
DTAS068 | V0014596 | II  | The Symantec Antivirus autoprotect parameter for non-macro first action virus is incorrect. | Symantec Managed Client, Symantec Local Client
DTAS069 | V0014597 | II  | The Symantec Antivirus autoprotect parameter for check non-macro second action is incorrect. | Symantec Managed Client, Symantec Local Client
DTAS070 | V0014598 | II  | The Symantec Antivirus autoprotect parameter for Security Risks first action is incorrect. | Symantec Managed Client, Symantec Local Client
DTAS071 | V0014600 | II  | The Symantec Antivirus autoprotect parameter for Security Risks Second Action is incorrect. | Symantec Managed Client, Symantec Local Client
DTAS080 | V0014601 | II  | The Symantec Antivirus email client for notification into the email is incorrect. | Symantec Managed Client, Symantec Local Client
DTAS081 | V0014602 | II  | The Symantec Antivirus autoprotect email parameter for macro virus first action is incorrect. | Symantec Managed Client, Symantec Local Client
DTAS082 | V0014603 | II  | The Symantec Antivirus autoprotect email parameter for macro virus second action is incorrect. | Symantec Managed Client, Symantec Local Client
DTAS083 | V0014604 | II  | The Symantec Antivirus autoprotect email parameter for non-macro first action virus is incorrect. | Symantec Managed Client, Symantec Local Client
DTAS084 | V0014605 | II  | The Symantec Antivirus autoprotect email parameter for check non-macro second action is incorrect. | Symantec Managed Client, Symantec Local Client
DTAS085 | V0014606 | II  | The Symantec Antivirus autoprotect email parameter for Security Risks first action is incorrect. | Symantec Managed Client, Symantec Local Client
DTAS086 | V0014607 | II  | The Symantec Antivirus Auto-Protect parameter for Email Security Risks Second Action is incorrect. | Symantec Managed Client, Symantec Local Client
DTAS091 | V0014609 | II  | The Symantec Antivirus weekly scan parameter for scanning load points is incorrect. | Symantec Managed Client, Symantec Local Client
DTAS092 | V0014610 | II  | The Symantec Antivirus weekly scan parameter for well knowns before others is incorrect. | Symantec Managed Client, Symantec Local Client
DTAS093 | V0014611 | II  | The Symantec Antivirus weekly scan parameter for macro virus first action is incorrect. | Symantec Managed Client, Symantec Local Client
DTAS094 | V0014612 | II  | The Symantec Antivirus weekly scan parameter for macro virus second action is incorrect. | Symantec Managed Client, Symantec Local Client
DTAS095 | V0014613 | II  | The Symantec Antivirus weekly scan parameter for non-macro first action virus is incorrect. | Symantec Managed Client, Symantec Local Client
DTAS096 | V0014615 | II  | The Symantec Antivirus Auto-Protect parameter for check non-macro second action is incorrect. | Symantec Managed Client, Symantec Local Client
DTAS097 | V0014616 | II  | The Symantec Antivirus weekly scan parameter for Security Risks first action is incorrect. | Symantec Managed Client, Symantec Local Client
DTAS098 | V0014617 | II  | The Symantec Antivirus weekly scan parameter for Security Risks second action is incorrect. | Symantec Managed Client, Symantec Local Client
DTSG001 | V0014678 | I   | AntiSpyware software is not installed or not configured for on access and on demand detection. | Spyware
DTSG002 | V0014679 | I   | The Antispyware software is not at a vendor supported level. | Spyware
DTSG003 | V0014680 | II  | A migration plan does not exist for Antispyware software that is scheduled to go out of vendor support. | Spyware
DTSG004 | V0014682 | II  | The Antispyware software does not have the latest maintenance rollup of software update applied. | Spyware
DTSG005 | V0014684 | II  | The Antispyware software is not configured to download updates from a trusted source. | Spyware
DTSG006 | V0014700 | II  | The Antispyware definition/signature files are not automatically set to be updated at least weekly. | Spyware
DTSG007 | V0014701 | I   | The Antispyware signature files are older than 7 days. | Spyware
DTSG008 | V0014702 | II  | Beta or non-production Antispyware definitions/signature files are being used on a production machine. | Spyware
DTSG009 | V0014704 | I   | The Antispyware software does not start on-access protection automatically when the machine is booted. | Spyware
DTSG010 | V0014706 | II  | The Antispyware software is not configured to perform a scan of local hard drives at least weekly. | Spyware
DTSG011 | V0014708 | II  | The Antispyware scheduled scan is not configured to scan memory and drives (with an in-depth scan option). | Spyware
DTSG012 | V0014709 | II  | The Antispyware, when running in on access mode, is not configured to inform the user (or report to a central monitoring console) when malicious activity or spyware is found. | Spyware
DTSG013 | V0014710 | II  | The Antispyware, when running in a scheduled scan, is not configured to inform the user (or report to a central monitoring console) when malicious activity or spyware is found. | Spyware
DTSG014 | V0014711 | II  | The Antispyware, when running in on-demand mode, is not configured to inform the user (or report to a central monitoring console) when malicious activity or spyware is found. | Spyware
DTSG015 | V0014712 | III | The Antispyware software is not configured to maintain logs for at least 30 days. | Spyware
DTSG016 | V0014713 | III | The Antispyware software is not configured to maintain logs for at least 30 days. | Spyware
DTSG017 | V0014714 | III | The Antispyware software is included in the incident response procedures both for the user and the site. | Spyware
   ____ Checklist _V_R_ (<date>)                                  <Test> - TN <Ticket Number>
PDI     | VMSID    | CAT | Requirement | Vulnerability | Status | Finding Notes
(The Vulnerability, Status and Finding Notes columns are blank in this checklist.)

APP2010 | V0006197 | II  | The Program Manager will ensure an SSP is established to describe the technical, administrative, and procedural IA program and policies governing the DoD information system, and identifying all IA personnel and specific IA requirements and objectives.
APP2020 | V0016773 | II  | The Program Manager will provide an Application Configuration Guide to the application hosting providers to include a list of all potential hosting enclaves and connection rules and requirements.
APP2040 | V0006145 | II  | If the application contains classified data, the Program Manager will ensure a Security Classification Guide exists containing data elements and their classification.
APP2050 | V0016775 | II  | The Program Manager will ensure the system has been assigned specific MAC and confidentiality levels.
APP2060 | V0016776 | II  | The Program Manager will ensure the development team follows a set of coding standards.
APP2070 | V0006170 | III | The Program Manager and designer will ensure any IA, or IA enabled, products used by the application are NIAP approved or in the NIAP approval process.

   Legend:
   R or RAE = Required Ancillary Equipment
   NF = Not a Finding
   NA = Not Applicable                                                       23 of 1220
APP2080  V0016777  II   The Program Manager will ensure COTS IA and IA enabled products comply with NSA endorsed robustness protection profiles.
APP2090  V0016778  II   The Program Manager will document and obtain DAA risk acceptance for all open source, public domain, shareware, freeware, and other software products/libraries with no warranty and no source code review capability, but are required for mission accomplishment.
APP2100  V0006169  II   The Program Manager and designer will ensure the application design complies with the DoD Ports and Protocols guidance.
APP2110  V0016779  II   The Program Manager and designer will ensure the application is registered with the DoD Ports and Protocols Database.
APP2120  V0016780  II   The Program Manager will ensure all levels of program management, designers, developers, and testers receive the appropriate security training pertaining to their job function.
APP2130  V0016781  II   The Program Manager will ensure a vulnerability management process is in place to include ensuring a mechanism is in place to notify users, and users are provided with a means of obtaining security updates for the application.

APP2135  V0021519  I    The Program Manager will ensure all products are supported by the vendor or the development team.
APP2140  V0016782  II   The Program Manager will ensure a security incident response process for the application is established that defines reportable incidents and outlines a standard operating procedure for incident response to include Information Operations Condition (INFOCON).
APP2150  V0016783  II   The Program Manager will ensure procedures are implemented to assure physical handling and storage of information is in accordance with the data's sensitivity.
APP2160  V0006198  II   The Program Manager and IAO will ensure development systems, build systems, test systems, and all components comply with all appropriate DoD STIGS, NSA guides, and all applicable DoD policies. The Test Manager will ensure both client and server machines are STIG compliant.
APP3010  V0007013  II   The designer will create and update the Design Document for each release of the application.

APP3020  V0006148  II   The designer will ensure threat models are documented and reviewed for each application release and updated as required by design and functionality changes or new threats are discovered.
APP3050  V0006149  II   The designer will ensure the application does not contain source code that is never invoked during operation, except for software components and libraries from approved third-party products.
APP3060  V0006150  II   The Designer will ensure the application does not store configuration and control files in the same directory as user data.
APP3070  V0016784  II   The designer will ensure the user interface services are physically or logically separated from data storage and management services.
APP3080  V0006157  II   The designer will ensure the application does not contain invalid URL or path references.
APP3100  V0006163  II   The Designer will ensure the application removes temporary storage of files and cookies when the application is terminated.
APP3110  V0016786  II   The designer will ensure the application installs with unnecessary functionality disabled by default.
APP3120  V0006166  II   The designer will ensure the application is not subject to error handling vulnerabilities.

APP3130  V0016787  I    The designer will ensure the application follows the secure failure design principle.
APP3140  V0006167  II   The designer will ensure application initialization, shutdown, and aborts are designed to keep the application in a secure state.
APP3150  V0006137  II   The designer will ensure the application uses the Federal Information Processing Standard (FIPS) 140-2, validated cryptographic modules and random number generator if the application implements encryption, key exchange, digital signature, and hash functionality.
APP3170  V0016788  II   The designer will ensure the application uses encryption to implement key exchange and authenticate endpoints prior to establishing a communication channel for key exchange.
APP3180  V0016789  II   The designer will ensure private keys are accessible only to administrative users.
APP3190  V0016790  II   The designer will ensure the application does not connect to a database using administrative credentials or other privileged database accounts.
APP3200  V0016791  III  The designer will ensure transaction based applications implement transaction rollback and transaction journaling.

APP3210  V0006135  II   The designer will ensure the appropriate cryptography is used to protect stored DoD information if required by the information owner.
APP3220  V0016792  II   The designer will ensure sensitive data held in memory is cryptographically protected when not in use, if required by the information owner, and classified data held in memory is always cryptographically protected when not in use.
APP3230  V0016793  II   The designer will ensure the application properly clears or overwrites all memory blocks used to process sensitive data, if required by the information owner, and clears or overwrites all memory blocks used for classified data.
APP3240  V0006142  II   The designer will ensure all access authorizations to data are revoked prior to initial assignment, allocation or reallocation to an unused state.
APP3250  V0006136  I    The designer will ensure data transmitted through a commercial or wireless network is protected using an appropriate form of cryptography.
APP3260  V0016794  II   The designer will ensure the application uses mechanisms assuring the integrity of all transmitted information (including labels and security parameters).

APP3270  V0006146  I    The designer will ensure the application has the capability to mark sensitive/classified output when required.
APP3280  V0006127  II   The designer will ensure applications requiring user authentication are PK-enabled and are designed and implemented to support hardware tokens (e.g., CAC for NIPRNet).
APP3290  V0006128  II   The designer and IAO will ensure PK-enabled applications are designed and implemented to use approved credentials authorized under the DoD PKI program.
APP3300  V0006168  II   The designer will ensure applications requiring server authentication are PK-enabled.
APP3305  V0006129  I    The designer will ensure the application using PKI validates certificates for expiration, confirms origin is from a DoD authorized CA, and verifies the certificate has not been revoked by CRL or OCSP, and CRL cache (if used) is updated at least daily.
APP3310  V0016795  I    The designer will ensure the application does not display account passwords as clear text.
APP3320  V0006130  II   The designer will ensure the application has the capability to require account passwords that conform to DoD policy.

APP3330  V0016796  I    The designer will ensure the application transmits account passwords in an approved encrypted format.
APP3340  V0016797  I    The designer will ensure the application stores account passwords in an approved encrypted format.
APP3350  V0006156  I    The designer will ensure the application does not contain embedded authentication data.
APP3360  V0016798  II   The designer will ensure the application protects access to authentication data by restricting access to authorized users and services.
APP3370  V0016799  II   The designer will ensure the application installs with unnecessary accounts disabled, or deleted, by default.
APP3380  V0006131  II   The designer will ensure the application prevents the creation of duplicate accounts.
APP3390  V0016800  I    The designer will ensure users' accounts are locked after three consecutive unsuccessful logon attempts within one hour.
APP3400  V0016801  II   The designer will ensure locked users' accounts can only be unlocked by the application administrator.
APP3405  V0016785  I    The designer will ensure the application supports detection and/or prevention of communication session hijacking.

APP3410  V0006144  II   The designer will ensure the application provides a capability to limit the number of logon sessions per user and per application.
APP3415  V0016802  II   The designer will ensure the application provides a capability to automatically terminate a session and log out after a system defined session idle time limit is exceeded.
APP3420  V0006155  II   The designer will ensure the application provides a capability to terminate a session and log out.
APP3430  V0006153  I    The designer will ensure the application removes authentication credentials on client computers after a session terminates.
APP3440  V0006152  II   The designer will ensure the application is capable of displaying a customizable click-through banner at logon which prevents further activity on the information system unless and until the user executes a positive action to manifest agreement by clicking on a box indicating "OK."
APP3450  V0016803  II   The designer and IAO will ensure application resources are protected with permission sets which allow only an application administrator to modify application resource configuration files.

APP3460  V0016804  I    The designer will ensure the application does not rely solely on a resource name to control access to a resource.
APP3470  V0006154  II   The designer will ensure the application is organized by functionality and roles to support the assignment of specific roles to specific application functions.
APP3480  V0006141  I    The designer will ensure access control mechanisms exist to ensure data is accessed and changed only by authorized personnel.
APP3500  V0006143  II   The designer will ensure the application executes with no more privileges than necessary for proper operation.
APP3510  V0006164  I    The designer will ensure the application validates all input.
APP3530  V0016806  II   The designer will ensure the web application assigns the character set on all web pages.
APP3540  V0016807  I    The designer will ensure the application is not vulnerable to SQL Injection, uses prepared or parameterized statements, does not use concatenation or replacement to build SQL queries, and does not directly access the tables in a database.
APP3550  V0016808  I    The designer will ensure the application is not vulnerable to integer arithmetic issues.

APP3560  V0016809  I    The designer will ensure the application does not contain format string vulnerabilities.
APP3570  V0016810  I    The designer will ensure the application does not allow command injection.
APP3580  V0016811  I    The designer will ensure the application does not have cross site scripting (XSS) vulnerabilities.
APP3585  V0021500  II   The designer will ensure the application does not have CSRF vulnerabilities.
APP3590  V0006165  I    The designer will ensure the application does not have buffer overflows, use functions known to be vulnerable to buffer overflows, and does not use signed values for memory allocation where permitted by the programming language.
APP3600  V0016812  II   The designer will ensure the application has no canonical representation vulnerabilities.
APP3610  V0016813  I    The designer will ensure the application does not use hidden fields to control user access privileges or as a part of a security mechanism.
APP3620  V0016814  II   The designer will ensure the application does not disclose unnecessary information to users.
APP3630  V0016815  II   The designer will ensure the application is not vulnerable to race conditions.

APP3640  V0016816  II   The designer will ensure the application supports the creation of transaction logs for access and changes to the data.
APP3650  V0006139  III  The designer will ensure the application has a capability to notify an administrator when audit logs are nearing capacity as specified in the system documentation.
APP3660  V0016817  III  The designer will ensure the application has a capability to notify the user of important login information.
APP3670  V0016818  II   The designer will ensure the application has a capability to display the user's time and date of the last change in data content.
APP3680  V0006138  II   The designer will ensure the application design includes audits on all access to need-to-know information and key application events.
APP3690  V0006140  II   The designer and IAO will ensure the audit trail is readable only by the application and auditors and protected against modification and deletion by unauthorized individuals.
APP3700  V0006159  II   The designer will ensure unsigned Category 1A mobile code is not used in the application in accordance with DoD policy.
APP3710  V0006161  II   The designer will ensure signed Category 1A and Category 2 mobile code signature is validated before executing.

APP3720  V0006160  II   The designer will ensure unsigned Category 2 mobile code executing in a constrained environment has no access to local system and network resources.
APP3730  V0006162  II   The designer will ensure uncategorized or emerging mobile code is not used in applications.
APP3740  V0006158  II   The designer will ensure the application only embeds mobile code in e-mail which does not execute automatically when the user opens the e-mail body or attachment.
APP3750  V0016819  II   The designer will ensure development of new mobile code includes measures to mitigate the risks identified.
APP3760  V0019689  II   The designer will ensure web services are designed and implemented to recognize and react to the attack patterns associated with application-level DoS attacks.
APP3770  V0019690  II   The designer will ensure the web service design includes redundancy of critical functions.
APP3780  V0019691  II   The designer will ensure web service design of critical functions is implemented using different algorithms to prevent similar attacks from forming a complete application level DoS.

APP3790  V0019692  II   The designer will ensure web services are designed to prioritize requests to increase availability of the system.
APP3800  V0019693  II   The designer will ensure execution flow diagrams are created and used to mitigate deadlock and recursion issues.
APP3810  V0021498  I    The designer will ensure the application is not vulnerable to XML Injection.
APP3820  V0019695  I    The designer will ensure web services provide a mechanism for detecting resubmitted SOAP messages.
APP3830  V0019696  II   The designer and IAO will ensure digital signatures exist on UDDI registry entries to verify the publisher.
APP3840  V0019697  II   The designer and IAO will ensure UDDI versions are used supporting digital signatures of registry entries.
APP3850  V0019698  II   The designer and IAO will ensure UDDI publishing is restricted to authenticated users.
APP3860  V0019701  II   The designer will ensure SOAP messages requiring integrity sign the following message elements: Message ID, Service Request, Timestamp, and SAML Assertion (optionally included in messages).
APP3870  V0019702  I    The designer will ensure when using WS-Security, messages use timestamps with creation and expiration times.

APP3880  V0019703  I    The designer will ensure validity periods are verified on all messages using WS-Security or SAML assertions.
APP3890  V0019704  II   The designer shall ensure each unique asserting party provides unique assertion ID references for each SAML assertion.
APP3900  V0019705  II   The designer shall ensure encrypted assertions, or equivalent confidentiality protections, when assertion data is passed through an intermediary, and confidentiality of the assertion data is required to pass through the intermediary.
APP3910  V0022028  I    The designer shall use the <NotBefore> and <NotOnOrAfter> when using the <SubjectConfirmation> element in a SAML assertion.
APP3920  V0022029  I    The designer shall use both the <NotBefore> and <NotOnOrAfter> elements or <OneTimeUse> element when using the <Conditions> element in a SAML assertion.
APP3930  V0022032  II   The designer shall ensure if a OneTimeUse element is used in an assertion, there is only one used in the Conditions element portion of an assertion.




APP3940 V0022030 II   The designer will ensure the asserting party uses FIPS approved random numbers in the generation of SessionIndex in the SAML element AuthnStatement.
APP3950 V0022031 II   The designer shall ensure messages are encrypted when the SessionIndex is tied to privacy data.
APP3960 V0019706 II   The designer will ensure the application is compliant with all DoD IT Standards Registry (DISR) IPv6 profiles.
APP3970 V0019707 II   The designer will ensure supporting application services and interfaces have been designed, or upgraded for, IPv6 transport.
APP3980 V0019708 II   The designer will ensure the application is compliant with IPv6 multicast addressing and features IPv6 network configuration options as defined in RFC 4038.
APP3990 V0019709 II   The designer will ensure the application is compliant with the IPv6 addressing scheme as defined in RFC 1884.
APP4010 V0016820 III  The Release Manager will ensure the access privileges to the configuration management (CM) repository are reviewed every 3 months.

APP4030 V0016822 II   The Release Manager will develop an SCM plan describing the configuration control and change management process of objects developed and the roles and responsibilities of the organization.
APP4040 V0016823 II   The Release Manager will establish a Configuration Control Board (CCB), that meets at least every release cycle, for managing the CM process.
APP5010 V0016824 III  The Test Manager will ensure at least one tester is designated to test for security flaws in addition to functional testing.
APP5030 V0006147 II   The Test Manager will ensure the application does not modify data files outside the scope of the application.
APP5040 V0016825 II   The Test Manager will ensure the changes to the application are assessed for IA and accreditation impact prior to implementation.
APP5050 V0016826 II   The Test Manager will ensure test plans and procedures are created and executed prior to each release of the application or updates to system patches.

APP5060 V0016827 II   The Test Manager will ensure test procedures are created and at least annually executed to ensure system initialization, shutdown, and aborts are configured to ensure the system remains in a secure state.
APP5070 V0016828 III  The Test Manager will ensure code coverage statistics are maintained for each release of the application.
APP5080 V0016829 II   The Test Manager will ensure a code review is performed before the application is released.
APP5090 V0016830 II   The Test Manager will ensure flaws found during a code review are tracked in a defect tracking system.
APP5100 V0016831 III  The Test Manager will ensure fuzz testing is included in the test plans and procedures and performed for each application release based on application exposure.
APP5110 V0016832 II   The Test Manager will ensure security flaws are fixed or addressed in the project plan.
APP6010 V0016833 II   The IAO will ensure if an application is designated critical, the application is not hosted on a general purpose machine.

APP6020 V0016834 II   The IAO shall ensure if a DoD STIG or NSA guide is not available, a third-party product will be configured by the following in descending order as available: (1) commercially accepted practices, (2) independent testing results, or (3) vendor literature.
APP6030 V0006151 II   The IAO will ensure unnecessary services are disabled or removed.
APP6040 V0016835 II   The IAO will ensure at least one application administrator has registered to receive update notifications, or security alerts, when automated alerts are available.
APP6050 V0016836 II   The IAO will ensure the system and installed applications have current patches, security updates, and configuration settings.
APP6060 V0016837 I    The IAO will ensure the application is decommissioned when maintenance or support is no longer available.
APP6070 V0016838 III  Procedures are not in place to notify users when an application is decommissioned.
APP6080 V0016839 II   The IAO will ensure protections against DoS attacks are implemented.
APP6090 V0016840 III  The IAO will ensure the system alerts an administrator when low resource conditions are encountered.

APP6100 V0006174 II   The IAO will ensure production database exports have database administration credentials and sensitive data removed before releasing the export.
APP6110 V0016841 III  The IAO will review audit trails periodically based on system documentation recommendations or immediately upon system security events.
APP6120 V0016842 II   The IAO will report all suspected violations of IA policies in accordance with DoD information system IA procedures.
APP6130 V0016843 III  The IAO will ensure, for classified systems, application audit trails are continuously and automatically monitored, and alerts are provided immediately when unusual or inappropriate activity is detected.
APP6140 V0006173 II   The IAO will ensure application audit trails are retained for at least 1 year for applications without SAMI data, and 5 years for applications including SAMI data.
APP6160 V0006171 II   The IAO will ensure recovery procedures and technical system features exist so recovery is performed in a secure and verifiable manner. The IAO will document circumstances inhibiting a trusted recovery.

APP6170 V0016844 II   The IAO will ensure back-up copies of the application software are stored in a fire-rated container and not collocated with operational software.
APP6180 V0016845 II   The IAO will ensure procedures are in place to assure the appropriate physical and technical protection of the backup and restoration of the application.
APP6190 V0006172 II   The IAO will ensure data backup is performed at required intervals in accordance with DoD policy.
APP6200 V0016846 II   The IAO will ensure a disaster recovery plan exists in accordance with DoD policy based on the Mission Assurance Category (MAC).
APP6210 V0016847 II   The IAO will ensure an account management process is implemented, verifying only authorized users can gain access to the application, and individual accounts designated as inactive, suspended, or terminated are promptly removed.
APP6220 V0016848 I    The IAO will ensure passwords generated for users are not predictable and comply with the organization's password policy.
APP6230 V0016849 II   The IAO will ensure the application's users do not use shared accounts.

APP6240 V0006132 III  The IAO will ensure all user accounts are disabled which are authorized to have access to the application but have not authenticated within the past 90 days.
APP6250 V0006133 II   The IAO will ensure unnecessary built-in application accounts are disabled.
APP6260 V0006134 I    The IAO will ensure default passwords are changed.
APP6270 V0016850 II   The IAO will ensure connections between DoD enclaves and the Internet or other public or commercial wide area networks require a DMZ.
APP6280 V0019687 I    The IAO will ensure web servers are on logically separate network segments from the application and database servers if it is a tiered application.
APP6290 V0019688 I    The designer and the IAO will ensure physical operating system separation and physical application separation is employed between servers of different data types in the web tier of Increment 1/Phase 1 deployment of the DoD DMZ for Internet-facing applications.
APP6300 V0019694 II   The IAO will ensure an XML firewall is deployed to protect web services.
APP6310 V0019699 II   The IAO will ensure web service inquiries to UDDI provide read-only access to the registry to anonymous users.

APP6320 V0019700 II   The IAO will ensure, if the UDDI registry contains sensitive information, read access to the UDDI registry is granted only to authenticated users.

Application Services Checklist V1R1.1 (21 Sep 06)                         <Test> - TN <Ticket Number>


  PDI    VMSID CAT           Requirement                      Vulnerability   Status   Finding Notes
APS0110 V0006199 II   Application server does not utilize a Public Key Infrastructure (PKI).
APS0130 V0006200 I    The application server or a served application does not verify the following when presented with a PKI certificate: 1. Revoked certificate 2. Invalid certificate 3. Improperly signed certificate. Application Server/Application Name(s):
APS0140 V0006202 II   Passwords are not encrypted at logon. Passwords are not required to meet complexity requirements. Passwords are not changeable by the user. Accounts are not protected by lockout on failed logon attempts.
APS0210 V0006203 II   The following default usernames and passwords have not been modified from their default values:
APS0320 V0006205 II   Sensitive data is not encrypted with NIST-validated or NSA-approved cryptography.
APS0350 V0006208 II   The application server is not configured to encrypt sensitive data in transit.
APS0410 V0006209 II   Auditing is not enabled for the application server. Auditing is not configured to include logon events. Auditing is not configured to include attempts to access security files. Auditing is not configured to include actions taken in response to failed l

APS0510 V0006210 II   The application server administrator role has been assigned to unauthorized personnel.
APS0530 V0006212 II   If session time limits are enforced by applications or other means external to the application server, then this check is NA. If the applications are dependent on the application server to employ session time limits and this is not configured to a limit of 24 hours or less.
APS0540 V0012304 II   The application server serves data of different classification levels to different audiences. The application server does not provide protection through separation to applications serving data of different sensitivity to different audiences.
APS0560 V0012322 II   External interfaces are defined on the application server that are not identified in the functional architecture for the application. Protection mechanisms configured for the interface are not sufficient for the data being exchanged.
APS0570 V0012308 II   Hyperlinks are not approved prior to incorporation in the application server content.
APS0590 V0012310 II   The web page does not identify content obtained from remote systems.
APS0615 V0012312 II   Application server software and data are not located in separate directories.
APS0630 V0012323 I    The application server software is not a supported version.
APS0640 V0012313 II   A migration plan to upgrade from an unsupported version does not exist.
APS0670 V0012316 II   A baseline of the application server software directories and files is not maintained.
APS0720 V0012319 II   A public WebLogic Platform server is not installed in a DMZ.
APS0730 V0006220 II   The application services are not addressed in a disaster recovery plan.
APS0740 V0006221 II   The application server software and data are not included in the site or system backup strategy.
ASG0520 V0006211 II   The application server process runs with privileges not necessary for proper operation.
ASG0540 V0006213 II   A classification guide does not exist for the application.
ASG0550 V0006214 II   The application does not mark printed and displayed output with appropriate classification labels.
ASG0750 V0006222 II   A process does not exist to ensure application server log files are retained for at least one year.
ASG0760 V0006223 II   Application server does not have an assigned IAO or IAM.
ASJ0120 V0006201 II   Application server utilizes unapproved DOD PKI certificates.
ASJ0330 V0006206 II   Java file permissions are not adequately restrictive.

ASJ0840 V0011810 II   Java cryptography is inadequate, implementing poor entropy.
AST0310 V0006204 II   Sensitive application data is not adequately protected at rest.
AST0340 V0006207 II   OS level file permissions are not adequately restrictive.
AST0560 V0006215 I    Application Security Manager is not turned on.
AST0580 V0006216 II   Shutdown restriction's default password has not been changed.
AST0610 V0006217 II   Application server default content has not been removed.
AST0710 V0006218 I    Application server may be controlled from outside the enclave.
AST0720 V0006219 II   Java socket permissions are inadequate.
AST0820 V0006225 II   Admin and Manager Web Applications are not adequately restrictive.
AST0830 V0011828 II   Application server's directory listing is enabled.

  PDI    VMSID     CAT           Requirement              Vulnerability   Status   Finding Notes

DTBF003 V0017988 I    The installed version of Firefox is unsupported.
DTBF010 V0015982 II   The Firefox SSLV2 parameter is configured to allow use of SSL 2.0.
DTBF020 V0015767 II   Firefox is configured to allow use of SSL 3.0.
DTBF030 V0015983 II   Firefox is not configured to allow use of TLS 1.0.
DTBF050 V0015768 II   Firefox is not configured to ask which certificate to present to a web site when a certificate is required.
DTBF100 V0015770 II   Firefox automatically executes or downloads MIME types which are not authorized for auto-download.
DTBF105 V0015771 II   Network shell protocol is enabled in Firefox.
DTBF110 V0015772 II   Firefox is not configured to prompt the user before downloading and opening required file types.
DTBF120 V0015773 II   Firefox plug-in for ActiveX controls is installed.
DTBF130 V0015989 II   Firefox is not configured to provide warnings when a user switches from a secure (SSL-enabled) to a non-secure page.
DTBF140 V0015774 II   Firefox formfill assistance option is disabled.
DTBF150 V0015775 II   Firefox is configured to autofill passwords.
DTBF160 V0015776 II   Firefox is configured to use a password store with or without a master password.
DTBF170 V0015777 II   Firefox does not clear cookies upon closing.
DTBF180 V0015778 II   Firefox is not configured to block pop-up windows.
DTBF181 V0015779 II   Firefox is configured to allow JavaScript to move or resize windows.
DTBF182 V0015985 II   Firefox is configured to allow JavaScript to raise or lower windows.
DTBF183 V0015986 II   Firefox is configured to allow JavaScript to disable or replace context menus.

DTBF184 V0015987 II   Firefox is configured to allow JavaScript to hide or change the status bar.
DTBF185 V0015988 II   Firefox is configured to allow JavaScript to change the status bar text.
DTBG003 V0006227 I    The installed version of IE is unsupported.
DTBG007 V0006317 II   IE is not capable of using 128-bit encryption.
DTBG010 V0006318 II   The DOD Root Certificate is not installed.
DTBI001 V0006228 II   The IE home page is not set to blank, a local file, or a trusted site.
DTBI002 V0006229 II   The IE Local zone security parameter is set incorrectly.
DTBI003 V0006230 II   The IE Trusted sites zone security parameter is set incorrectly.
DTBI004 V0006231 II   The IE Internet zone security parameter is set incorrectly.
DTBI005 V0006232 II   The IE Restricted sites zone security parameter is set incorrectly.
DTBI006 V0006233 II   The IE Local zone includes parameter is not set correctly.
DTBI007 V0006234 II   The IE third party cookies parameter is not set correctly.
DTBI010 V0017296 II   Prevent performance of First Run Customize settings is not enabled.
DTBI011 V0007006 II   The IE search parameter is not set correctly.
DTBI012 V0006236 II   The IE signature checking parameter is not set correctly.
DTBI013 V0006237 II   The IE save encrypted pages to disk parameter is not set correctly.
DTBI014 V0006238 II   The IE SSL/TLS parameter is not set correctly.
DTBI015 V0006239 II   The IE warning of invalid certificates parameter is not set correctly.
DTBI016 V0006240 II   The IE changing zones parameter is not set correctly.

DTBI017 V0006241 II   The IE form redirect parameter is not set correctly.
DTBI021 V0006242 II   Users can change the advanced settings in IE.
DTBI022 V0006243 II   The Download signed ActiveX controls property is not set properly for the Internet Zone.
DTBI023 V0006244 II   The Download unsigned ActiveX controls property is not set properly for the Internet Zone.
DTBI024 V0006245 II   The Initialize and script ActiveX controls not marked as safe property is not set properly for the Internet Zone.
DTBI025 V0016879 II   The Download signed ActiveX controls property is not set properly for the Lockdown Zone.
DTBI026 V0006246 II   The Script ActiveX controls marked safe for scripting property is not set properly for the Internet Zone.
DTBI030 V0006248 II   The Font download control is not set properly for the Internet Zone.
DTBI031 V0006249 II   The Java Permissions is not set properly for the Internet Zone.
DTBI032 V0006250 II   The Access data sources across domains is not set properly for the Internet Zone.
DTBI034 V0006251 II   The Display mixed content is not set properly for the Internet Zone.
DTBI035 V0006252 II   The Don't prompt for client certificate selection when no certificate or only one certificate exists is not set properly for the Internet Zone.
DTBI036 V0006253 II   The Allow Drag and drop or copy and paste files is not set properly for the Internet
                           Zone.
DTBI037   V0006254    II   The Installation of desktop
                           items is not set properly for
                           the Internet Zone.
DTBI038   V0006255    II   The Launching programs and
                           files in IFRAME is not set
                           properly for the Internet
                           Zone.
DTBI039   V0006256    II   The Navigate sub-frames
                           across different domains is
                           not set properly for the
                           Internet Zone.
DTBI040   V0006257    II   The Software channel
                           permissions is not set
                           properly for the Internet
                           Zone.
DTBI041   V0006258    II   The Submit non-encrypted
                           form data is not set properly
                           for the Internet Zone.

DTBI042   V0006259    II   The Userdata persistence is
                           not set properly for the
                           Internet Zone.
DTBI044   V0006260    II   The Allow paste operations
                           via script is not set properly
                           for the Internet Zone.
DTBI045   V0006261    II   The Scripting of Java applets
                           is not set properly for the
                           Internet Zone.
DTBI046   V0006262    II   The user Authentication -
                           Logon is not set properly for
                           the Internet Zone.
DTBI052   V0006263    II   The Download signed
                           ActiveX controls property is
                           not set properly for the Local
                           Zone.
DTBI053   V0006264    II   The Download unsigned
                           ActiveX controls property is
                           not set properly for the Local
                           Zone.
DTBI054   V0006265    II   The Initialize and script
                           ActiveX controls not marked
                           as safe property is not set
                           properly for the Local Zone.
DTBI056   V0006266    II   The Script ActiveX controls
                           marked safe for scripting
                           property is not set properly
                           for the Local Zone.
DTBI061   V0006267    II   The Java Permissions is not
                           set properly for the Local
                           Zone.
DTBI062   V0006268    II   The Access data sources
                           across domains is not set
                           properly for the Local Zone.
DTBI065   V0006271    II   The Don't prompt for client
                           certificate selection when no
                           certificate or only one
                           certificate exists is not set
                           properly for the Local Zone.
DTBI067   V0006272    II   The Installation of desktop
                           items is not set properly for
                           the Local Zone.
DTBI068   V0006273    II   The Launching programs and
                           files in IFRAME is not set
                           properly for the Local Zone.

DTBI070   V0006274    II   The Software channel
                           permissions is not set
                           properly for the Local Zone.
DTBI074   V0006275    II   The Allow paste operations
                           via script is not set properly
                           for the Local Zone.
DTBI076   V0006276    II   The User Authentication -
                           Logon is not set properly for
                           the Local Zone.
DTBI082   V0006277    II   The Download signed
                           ActiveX controls property is
                           not set properly for the
                           Trusted Sites Zone.
DTBI083   V0006278    II   The Download unsigned
                           ActiveX controls property is
                           not set properly for the
                           Trusted Sites Zone.
DTBI084   V0006279    II   The Initialize and script
                           ActiveX controls not marked
                           as safe property is not set
                           properly for the Trusted Sites
                           Zone.
DTBI086   V0006280    II   The ActiveX controls marked
                           safe for scripting property is
                           not set properly for the
                           Trusted Sites Zone.
DTBI091   V0006281    II   The Java Permissions is not
                           set properly for the Trusted
                           Sites Zone.
DTBI092   V0006282    II   The Access data sources
                           across domains is not set
                           properly for the Trusted Sites
                           Zone.
DTBI095   V0006283    II   The Don't prompt for client
                           certificate selection when no
                           certificate or only one
                           certificate exists is not set
                           properly for the Trusted Sites
                           Zone.
DTBI097   V0006284    II   The Installation of desktop
                           items is not set properly for
                           the Trusted Sites Zone.
DTBI098   V0006285    II   The Launching programs and
                           files in IFRAME is not set
                           properly for the Trusted Sites
                           Zone.
DTBI100   V0006286    II   The Software channel
                           permissions is not set
                           properly for the Trusted Sites
                           Zone.
DTBI1010  V0022687    II   Internet Explorer Processes
                           Restrict ActiveX Install
                           (Explorer) property is properly
                           set.
DTBI1020  V0022688    II   Internet Explorer Processes
                           Restrict ActiveX Install
                           (IExplorer) property is
                           properly set.
DTBI104   V0006287    II   The Allow paste operations
                           via script is not set properly
                           for the Trusted Sites Zone.
DTBI106   V0006288    II   The User Authentication -
                           Logon is not set properly for
                           the Trusted Sites Zone.
DTBI112   V0006289    II   The Download signed
                           ActiveX controls property is
                           not set properly for the
                           Restricted Sites Zone.
DTBI113   V0006290    II   The Download unsigned
                           ActiveX controls property is
                           not set properly for the
                           Restricted Sites Zone.
DTBI114   V0006291    II   The Initialize and script
                           ActiveX controls not marked
                           as safe property is not set
                           properly for the Restricted
                           Sites Zone.
DTBI115   V0006292    II   Run ActiveX controls and
                           plug-ins property is not set
                           properly for the Restricted
                           Sites Zone.
DTBI116   V0006293    II   The Script ActiveX controls
                           marked safe for scripting
                           property is not set properly
                           for the Restricted Sites Zone.

DTBI119   V0006294    II   The File download control is
                           not set properly for the
                           Restricted Sites Zone.
DTBI120   V0006295    II   The Font download control is
                           not set properly for the
                           Restricted Sites Zone.
DTBI121   V0007007    II   The Java Permissions is not
                           set properly for the Restricted
                           Sites Zone.
DTBI122   V0006297    II   The Access data sources
                           across domains is not set
                           properly for the Restricted
                           Sites Zone.
DTBI123   V0006298    II   The Allow META REFRESH
                           is not set properly for the
                           Restricted Sites Zone.

DTBI124   V0006299    II   The Display mixed content is
                           not set properly for the
                           Restricted Sites Zone.
DTBI125   V0006300    II   The Don't prompt for client
                           certificate selection when no
                           certificate or only one
                           certificate exists is not set
                           properly for the Restricted
                           Sites Zone.
DTBI126   V0006301    II   The Drag and drop or copy
                           and paste files is not set
                           properly for the Restricted
                           Sites Zone.
DTBI127   V0006302    II   The Installation of desktop
                           items is not set properly for
                           the Restricted Sites Zone.
DTBI128   V0006303    II   The Launching programs and
                           files in IFRAME is not set
                           properly for the Restricted
                           Sites Zone.
DTBI129   V0006304    II   The Navigate windows and
                           frames across different
                           domains is not set properly
                           for the Restricted Sites Zone.

DTBI130   V0006305    II   The Software channel
                           permissions is not set
                           properly for the Restricted
                           Sites Zone.
DTBI131   V0006306    II   The Submit non-encrypted
                           form data is not set properly
                           for the Restricted Sites Zone.

DTBI132   V0006307    II   The Userdata persistence is
                           not set properly for the
                           Restricted Sites Zone.
DTBI133   V0006308    II   The Active scripting is not set
                           properly for the Restricted
                           Sites Zone.
DTBI134   V0006309    II   The Allow paste operations
                           via script is not set properly
                           for the Restricted Sites Zone.

DTBI135   V0006310    II   The Scripting of Java applets
                           is not set properly for the
                           Restricted Sites Zone.

DTBI136   V0006311    II   The User Authentication -
                           Logon is not set properly for
                           the Restricted Sites Zone.
DTBI137   V0003433   III   Internet Explorer is
                           configured to notify users
                           when programs are modified
                           through the software
                           distribution channel.

DTBI140   V0006319    II   The Error Reporting tool for
                           IE is installed or enabled.
DTBI150   V0006312    II   The Microsoft Java VM is
                           installed.
DTBI151   V0006313    II   The Cipher setting for DES
                           56/56 is not set properly.
DTBI152   V0006314    II   The Cipher setting for Null is
                           not set properly.
DTBI153   V0006315    II   The Cipher setting for Triple
                           DES is not set properly.
DTBI160   V0006316    II   The Hash setting for SHA is
                           not set properly.
DTBI300   V0021887    II   Disable Configuring History -
                           History setting is not set to 40
                           days.
DTBI305   V0015490    II   Automatic configuration of
                           Internet Explorer is not
                           disabled.
DTBI310   V0015491    II   Showing the splash screen is
                           not disabled.
DTBI315   V0015492    II   Prevent participation in the
                           Customer Experience
                           Improvement Program is not
                           disabled.
DTBI316   V0003431    II   Internet Explorer is
                           configured to allow Automatic
                           Install of components.

DTBI317   V0003432    II   Internet Explorer is
                           configured to automatically
                           check for updates.
DTBI318   V0003429    II   Internet Explorer is
                           configured to allow users to
                           add/delete sites.
DTBI319   V0003428    II   Internet Explorer is
                           configured to allow users to
                           change policies.
DTBI320   V0003427    II   Internet Explorer is not
                           configured to require
                           consistent security zone
                           settings to all users.
DTBI325   V0015494    II   Turn off the Security Settings
                           Check feature is not disabled.

DTBI330   V0015495    II   Turn off Managing Phishing
                           filter is not disabled.
DTBI340   V0015497    II   Allow active content from
                           CDs to run on user machines
                           is not disabled.
DTBI350   V0015499    II   Allow software to run or
                           install even if the signature is
                           invalid is not disabled.
DTBI355   V0015500    II   Allow third-party browser
                           extensions is not disabled.

DTBI360   V0015501    II   Automatically check for
                           Internet Explorer updates is
                           not disabled.
DTBI365   V0015502    II   Check for server certificate
                           revocation is not enabled.
DTBI367   V0003430   III   Internet Explorer is not
                           configured to disable making
                           Proxy Settings Per Machine.

DTBI370   V0015503    II   Check for signatures on
                           downloaded programs is not
                           enabled.
DTBI375   V0015504    II   Intranet Sites: Include all
                           network paths (UNCs) is
                           disabled.
DTBI385   V0015507    II   Allow script-initiated windows
                           without size or position
                           constraints for Internet Zone
                           is not disabled.

DTBI390   V0015508    II   Allow script-initiated windows
                           without size or position
                           constraints for Restricted
                           Sites Zone is not disabled.

DTBI395   V0015509    II   Allow Scriptlets is not
                           disabled.
DTBI415   V0015513    II   Automatic prompting for file
                           downloads is not enabled.
DTBI425   V0015515    II   Java permissions for my
                           computer are not disabled.
DTBI430   V0015516    II   Java permissions for my
                           computer group policy are
                           not disabled.
DTBI435   V0015517    II   Java permissions for group
                           policy for Local Intranet Zone
                           are not disabled.
DTBI440   V0015518    II   Java permissions for group
                           policy for Trusted Sites Zone
                           are not disabled.
DTBI445   V0015519    II   Java permissions for group
                           policy for Internet Zone are
                           not disabled.
DTBI450   V0015520    II   Java permissions for group
                           policy for Restricted Sites
                           Zone are not disabled.
DTBI455   V0015521    II   Loose XAML files for Internet
                           Zone are not disabled.

DTBI460   V0015522    II   Loose XAML files for
                           Restricted Sites Zone are not
                           disabled.
DTBI465   V0015523    II   Open files based on content,
                           not file extension for Internet
                           Zone is not disabled.

DTBI470   V0015524    II   Open files based on content,
                           not file extension for
                           Restricted Sites Zone is not
                           disabled.
DTBI475   V0015525    II   Turn Off First-Run Opt-In for
                           Internet Zone is not disabled.

DTBI480   V0015526    II   Turn Off First-Run Opt-In for
                           Restricted Sites Zone is not
                           disabled.
DTBI485   V0015527    II   Turn on Protected Mode
                           Internet Zone is not enabled.

DTBI490   V0015528    II   Turn on Protected Mode for
                           Restricted Sites Zone is not
                           enabled.
DTBI495   V0015529    II   Use Pop-up Blocker for
                           Internet Zone is not enabled.

DTBI500   V0015530    II   Use Pop-up Blocker for
                           Restricted Sites Zone is not
                           enabled.
DTBI515   V0015533    II   Web sites in less privileged
                           Web content zones can
                           navigate into Internet Zone is
                           not disabled.
DTBI520   V0015534    II   Web sites in less privileged
                           Web content zones can
                           navigate into Restricted Sites
                           Zone is not disabled.
DTBI575   V0015545    II   Allow binary and script
                           behaviors is not disabled.
DTBI580   V0015546    II   Automatic prompting for file
                           downloads is not enabled.
DTBI590   V0015548    II   Internet Explorer Processes
                           for MIME handling is not
                           enabled. (Reserved)
DTBI592   V0015565    II   Internet Explorer Processes
                           for MIME handling is not
                           enabled. (Explorer)
DTBI594   V0015566    II   Internet Explorer Processes
                           for MIME handling is not
                           enabled. (IExplore)
DTBI595   V0015549    II   Internet Explorer Processes
                           for MIME sniffing is not
                           enabled. (Reserved)
DTBI596   V0015603    II   Internet Explorer Processes
                           for MIME sniffing is not
                           enabled. (Explorer)
DTBI597   V0015604    II   Internet Explorer Processes
                           for MIME sniffing is not
                           enabled. (IExplore)
DTBI599   V0015568    II   Internet Explorer Processes
                           for MK protocol is not
                           enabled. (Reserved)
DTBI600   V0015550    II   Internet Explorer Processes
                           for MK protocol is not
                           enabled. (Explorer)
DTBI605   V0015551    II   Internet Explorer Processes
                           for MK protocol is not
                           enabled. (IExplore)
DTBI610   V0015552    II   Internet Explorer Processes
                           for Zone Elevation is not
                           enabled. (Reserved)
DTBI612   V0015569    II   Internet Explorer Processes
                           for Zone Elevation is not
                           enabled. (Explorer)
DTBI614   V0015570    II   Internet Explorer Processes
                           for Zone Elevation is not
                           enabled. (IExplore)
DTBI630   V0015556    II   Internet Explorer Processes
                           for Download prompt is not
                           enabled. (Reserved)
DTBI635   V0015557    II   Internet Explorer Processes
                           for Download prompt is not
                           enabled. (Explorer)
DTBI640   V0015558    II   Internet Explorer Processes
                           for Download prompt is not
                           enabled. (IExplore)
DTBI645   V0015559    II   Internet Explorer Processes
                           for restricting pop-up
                           windows is not enabled.
                           (Reserved)
DTBI647   V0015571    II   Internet Explorer Processes
                           for restricting pop-up
                           windows is not enabled.
                           (Explorer)
DTBI649   V0015572    II   Internet Explorer Processes
                           for restricting pop-up
                           windows is not enabled.
                           (IExplorer)
DTBI650   V0015560    II   Run .NET Framework-reliant
                           components not signed with
                           Authenticode is not
                           disabled.
DTBI655   V0015561    II   Run .NET Framework-reliant
                           components signed with
                           Authenticode is not
                           disabled.
DTBI670   V0015562    II   Scripting of Java applets is
                           not disabled.
DTBI675   V0015563    II   Turn off changing the URL to
                           be displayed for checking
                           updates to Internet Explorer
                           and Internet Tools is not
                           disabled.

DTBI680   V0015564    II   Turn off configuring the
                           update check interval is not
                           disabled.
DTBI685   V0015573    II   Configure Outlook Express is
                           not disabled.
DTBI690   V0015574    II   Disable AutoComplete for
                           forms is not enabled.
DTBI695   V0015575    II   Disable external branding of
                           Internet Explorer is not
                           enabled.
DTBI697   V0014245   III   Internet Explorer - Do not
                           allow users to enable or
                           disable add-ons.
DTBI705   V0015577    II   Disable the Reset Web
                           Settings feature is not
                           enabled.
DTBI715   V0015579    II   Turn off Crash Detection is
                           not enabled.
DTBI720   V0015580    II   Turn off page transitions is
                           not enabled.
DTBI725   V0015581    II   Turn on the auto-complete
                           feature for user names and
                           passwords on forms is not
                           disabled.
DTBI730   V0015582    II   Turn on the Internet
                           Connection Wizard Auto
                           Detect is not disabled.
DTBI740   V0022108    II   Turn off Managing
                           SmartScreen Filter property
                           is not properly set.
DTBI750   V0022147   III   Include updated Web site
                           lists from Microsoft is
                           disabled.
DTBI760   V0022148    II   Delete Browsing History on
                           exit is disabled.
DTBI770   V0022149    II   Prevent Deleting Web sites
                           that the User has Visited is
                           enabled.
DTBI780   V0022150    II   Turn off InPrivate Browsing is
                           enabled.
DTBI800   V0022152    II   Allow scripting of Internet
                           Explorer web browser control
                           property is set (Internet
                           Zone).
DTBI810   V0022153    II   Include local directory path
                           when uploading files to a
                           server property is properly
                           set.
DTBI820   V0022154    II   Launching programs and
                           unsafe files property is
                           properly set (Internet Zone).
DTBI830   V0022155    II   Only allow approved domains
                           to use ActiveX controls
                           without prompt property is
                           properly set (Internet Zone).

DTBI840   V0022156    II   Turn on Cross-Site Scripting
                           (XSS) Filter property is
                           properly set (Internet Zone).

DTBI850   V0022157    II   Allow scripting of Internet
                           Explorer web browser control
                           property is properly
                           configured (Restricted Sites
                           Zone).
DTBI860   V0022158    II   Include local directory path
                           when uploading files to a
                           server is properly set
                           (Restricted Sites Zone).
DTBI870   V0022159    II   Launching programs and
                           unsafe files property is
                           properly set (Restricted Sites
                           Zone).
DTBI880   V0022160    II   Only allow approved domains
                           to use ActiveX controls
                           without prompt property is
                           properly set (Restricted Sites
                           Zone).
DTBI890   V0022161    II   Turn on Cross-Site Scripting
                           (XSS) Filter property is
                           properly set (Restricted Sites
                           Zone).
DTBI900   V0022171    II   Internet Explorer Processes
                           Restrict ActiveX Install
                           (Reserved) property is
                           properly set.
DTBI910   V0022634    II   Allow status bar updates via
                           script (Internet Zone)
                           property is properly set.
DTBI920   V0022635    II   Run .NET Framework-reliant
                           components not signed with
                           Authenticode (Internet Zone)
                           property is properly set.

DTBI930   V0022636    II   Run .NET Framework-reliant
                           components signed with
                           Authenticode (Internet Zone)
                           property is properly set.

DTBI940   V0022637    II   Allow Scriptlets (Restricted
                           Sites Zone) property is
                           properly set.
DTBI950   V0022638    II   Allow status bar updates via
                           script (Restricted Sites Zone)
                           property is properly set.
[Section column: applicable browser per row, one of Firefox, IE6, IE7, IE8 (some rows list several, e.g. IE8, IE7, IE6); the per-row values could not be matched back to the rows above.]
PDI            VMSID     CAT   Requirement   Vulnerability   Status   Finding Notes
BTS-IAP-100    V0014344  II    The IAP ingress and egress filters bound to all interfaces are not the most current as directed by JTF-GNO.
BTS-IAP-110    V0014345  II    JTF-GNO instructions on implementing exceptions to the IAP filters are not followed.
BTS-IPv6-100   V0014352  II    IPv6 is enabled on unauthorized interfaces.
BTS-IPv6-110   V0014357  II    IPv6 traffic is tunneled using a method other than IPv4 or GRE encapsulation.
BTS-IPv6-120   V0014359  II    IPv6 is enabled on unauthorized 6to4 and 6to4 relay router interfaces.
BTS-IPv6-130   V0014360  II    6to4 router is accepting native IPv6 packets without access to a 6to4 relay router.
BTS-IPv6-140   V0014361  II    6to4 relay router accepts IPv6 packets from the IPv6 network with a destination prefix other than 2002::/16.
BTS-IPv6-150   V0014362  II    6to4 router is configured to accept tunneled IPv6 traffic from undocumented sources.
BTS-IPv6-160   V0014363  II    6to4 relay router is configured to accept tunneled IPv6 traffic from undocumented sources.
BTS-IPv6-170   V0014364  II    6PE router at the backbone edge is not configured to tunnel all IPv6 traffic using MPLS encapsulation.
BTS-IPv6-180   V0014365  II    IPv6 is enabled on unauthorized 6PE router interfaces.
BTS-IPv6-190   V0014366  II    CE-facing interfaces on the 6PE router accept MPLS traffic.
BTS-MCAST-010  V0012652  II    Protocol Independent Multicast (PIM) is not disabled on all interfaces that are not required to support multicast routing.
BTS-MCAST-015  V0014342  III   PIM neighbor filter is not bound to interfaces that have PIM enabled.
BTS-MCAST-020  V0012653  III   The PIM router's receive path or interface filter does not validate the source address for all traffic destined to the "all PIM routers" address (224.0.0.13).
BTS-MCAST-030  V0012654  III   Customer-facing interfaces on the PIM router do not block inbound and outbound administratively-scoped multicast traffic.
BTS-MCAST-035  V0014343  III   Customer-facing interfaces do not block inbound and outbound Auto-RP discovery and announcement messages.
BTS-MCAST-040  V0012655  III   PIM router accepts BSR messages.
BTS-MCAST-050  V0012656  III   RP router is not configured to limit the multicast forwarding cache to ensure that its resources are not saturated managing an overwhelming number of PIM and MSDP SA entries.
BTS-MCAST-060  V0012657  III   The RP router peering with customer PIM-SM routers has not been configured with a PIM import policy to block join and registration messages for reserved, Martian, single-source multicast (SSM), and any other undesirable multicast groups, as well as any Bogon source addresses.
BTS-MCAST-070  V0012659  II    The Multicast Source Discovery Protocol (MSDP) router's receive path or interface filter is not configured to only accept MSDP packets from known MSDP peers.
BTS-MCAST-080  V0012660  I     MSDP packets received by an MSDP router are not authenticated using MD5 passwords.
BTS-MCAST-090  V0012383  II    MD5 passwords used for MSDP sessions with each peering customer network are not unique.
BTS-MCAST-100  V0012661  III   The MSDP router peering with customer MSDP routers has not been configured with an import policy to block source-active (SA) multicast advertisements for reserved, Martian, single-source multicast (SSM), and any other undesirable multicast groups, as well as any SA messages with Bogon source addresses.
BTS-MCAST-110  V0012662  III   An export policy has not been configured on the MSDP router to avoid global visibility of multicast (S,G) states local to the IP core.
BTS-MCAST-120  V0012663  III   The MSDP cache table is not configured to limit the SA count globally, as well as on a per-peer and a per-source basis.
BTS-MCAST-130  V0012388  II    Each VPN customer is not assigned a unique Default-MDT to keep its multicast data and control traffic separate from global as well as other customers' multicast traffic.
BTS-MCAST-140  V0012389  II    Each VPN customer is not assigned a unique pool of Data-MDTs to keep its multicast data traffic separate from global as well as other customers' multicast traffic.
BTS-MCAST-150  V0012392  III   Group addresses assigned for both the Default-MDT and Data-MDTs are not from the Administratively Scoped IP Multicast range as defined in RFC 2365.
BTS-MGMT-010   V0012394  I     All network devices are not located in a secure room with limited access.
BTS-MGMT-030   V0012674  II    Login warning banner is not configured on the network device.
BTS-MGMT-040   V0012675  I     Access to the network component does not require an account identifier and password.
BTS-MGMT-050   V0012676  I     Default and backdoor accounts have not been removed.
BTS-MGMT-060   V0012677  II    Expired or unauthorized accounts are not removed from the device.
BTS-MGMT-070   V0012678  II    Each system administrator is not assigned an individual account and password for the purpose of administrative access. CAVEAT: If documented in the SSAA, group accounts can be used for network management workstations located in a controlled access area.
BTS-MGMT-075   V0012679  II    Accounts are not assigned the lowest privilege level that allows system administrators and engineers to perform their duties.
BTS-MGMT-080   V0012396  III   A formal process for granting, creating, deleting, and distributing accounts is not implemented, or the process does not include an authorization form and a registration authority to ensure that only authorized users are gaining management access to network devices.
BTS-MGMT-085   V0012398  III   A log is not maintained that records the creation, deletion, and distribution of all accounts.
BTS-MGMT-090   V0012680  II    More than one emergency account is configured, or the account does not default to the lowest authorization level.
BTS-MGMT-095   V0012399  III   The emergency account log is not reviewed periodically to ensure emergency accounts are changed at regular intervals and are not compromised in any way.
BTS-MGMT-096   V0012699  II    Usernames and passwords of all emergency accounts are not stored in a sealed envelope kept in a safe or on a file server attached to the classified network.
BTS-MGMT-100   V0012681  I     The network device is not password protected.
BTS-MGMT-105   V0012401  I     Passwords are not set up and maintained in accordance with DODI 8500.2 IAIA-1 and IAIA-2.
BTS-MGMT-110   V0012682  I     Default manufacturer passwords are not removed from or changed on the device.
BTS-MGMT-120   V0012402  II    Passwords are not encrypted both for storage and for transmission.
BTS-MGMT-130   V0012683  II    An authentication server is not being used to authenticate all users prior to acquiring administrative access to the device.
BTS-MGMT-135   V0012698  II    The authentication server is not compliant with the security requirements specified in the appropriate operating system STIG.
BTS-MGMT-140   V0012684  II    Two-factor authentication is not used to authenticate all users prior to acquiring administrative access to the device.
BTS-MGMT-145   V0012685  III   Two or more authentication servers are not configured to support user authentication for administrative access to the device.
BTS-MGMT-150   V0014374  III   The key configured on the authentication server used for communication with clients is not unique.
BTS-MGMT-160   V0012405  I     Keys are not set up and maintained in accordance with DODI 8500.2 IAIA-1 and IAIA-2.
BTS-MGMT-165   V0012406  II    A key management policy is not implemented to include key generation, distribution, storage, usage, lifetime duration, and destruction of all keys used for encryption within the backbone infrastructure.
BTS-MGMT-170   V0012408  II    Key lifetime exceeds 180 days for Type 3 encryptors or 30 days for Type 1 encryptors.
BTS-MGMT-175   V0012686  I     Key chains are used and no key within the chain is configured with an infinite lifetime, or the infinite-lifetime key is not changed 7 days after the rotating keys have expired and have been redefined.
BTS-MGMT-190   V0012411  II    All backbone network components were not IAVM compliant prior to connecting the component to the backbone network.
BTS-MGMT-200   V0012412  III   IAVM notices are not responded to within the specified time period.
BTS-MGMT-210   V0012747  I     Unsupported network components are being used within the backbone network infrastructure.
BTS-MGMT-220   V0012687  II    Software or firmware versions are not upgraded on all network components as directed by the PMO.
BTS-MGMT-230   V0012754  III   Documented procedures are not used for upgrading or deploying new approved software.
BTS-MGMT-240   V0012418  III   Testing procedures for new or upgraded hardware or software are not maintained.
BTS-MGMT-250   V0012419  III   Baseline configurations for all network components are not maintained with incremental backups.
BTS-MGMT-260   V0012420  III   File servers used for network element configuration management are not located on the out-of-band network or are not restricted to authorized personnel. Caveat: File servers used for classified network element configuration management are not required to be accessed via an out-of-band network.
BTS-MGMT-270   V0012421  II    OSS LAN is not configured IAW the Network Infrastructure STIG.
BTS-MGMT-280   V0012422  II    OSS servers and workstations are not configured IAW the appropriate OS STIG.
BTS-MGMT-290   V0012423  I     The OOBM network (DCN) is not configured IAW the Network Infrastructure STIG.
BTS-MGMT-300   V0012424  II    Dial-up connections for managing network elements do not use FIPS 140-2 compliant encryption to protect information in transit.
BTS-MGMT-310   V0012688  II    Management dial-up connections are not authenticated using two-factor authentication.
BTS-MGMT-320   V0012691  III   Communication server is not configured to use CHAP authentication to authenticate authorized users prior to allowing the PPP connection.
BTS-MGMT-325   V0014375  III   Communication server is not configured to use CHAP authentication or to enable callback to authorized phone numbers prior to allowing the PPP connection.
BTS-MGMT-330   V0012692  II    The network element is not configured to time out an idle user session after 15 minutes or less.
BTS-MGMT-340   V0012693  II    In-band management connection to the device is not encrypted using FIPS 140-2 compliant cryptography.
BTS-MGMT-350   V0012694  II    OOBM interfaces or a console port connected to a terminal access server are not used to connect to the DCN. CAVEAT: If OOBM interfaces are not available for a layer-3 device, this finding can be downgraded to a Category III if the device is configured, using interface filters and route policies, to ensure management traffic and route advertisements do not leak from the management network into the transit network and vice versa.
BTS-MGMT-355   V0014376  II    A modem is connected to the network component.
BTS-MGMT-360   V0012425  III   Optical link used for the Optical Supervisory Channel (OSC) exceeds 20 spans, or there is not a DCN connection at the near and far end OTS terminals.
BTS-MGMT-370   V0012695  I     SNMP Version 3 Security Model (both SHA packet authentication and DES encryption of the PDU) is not used across the entire network infrastructure. CAVEAT: If Version 1 or Version 2 is being used with all of the appropriate patches to mitigate the known security vulnerabilities, this finding can be downgraded to a Category II. If Version 1 or Version 2 is being used with all of the appropriate patches and the PMO has developed a migration plan to implement the Version 3 Security Model, this finding can be downgraded to a Category III.
BTS-MGMT-380   V0012696  I     SNMP community strings are not changed from the default values and usernames do not match any other password values.
BTS-MGMT-390   V0012697  II    Different community names or usernames are not used for read-only access and read-write access. Write access was enabled without approval by the IAO.
BTS-MGMT-400   V0012426  III   There is no standard operating procedure (SOP) for managing SNMP community strings and usernames to include the following: - Community string and username expiration period. - Community string and username creation will comply with the password requirements outlined in Section 5.2.3 Passwords. - SNMP community string and username distribution, including determination of membership.
BTS-MGMT-410   V0012664  III   A centralized syslog server is not deployed and configured to store all syslog messages for a minimum of 30 days and then stored offline for one year.
BTS-MGMT-420   V0012665  III   The syslog server is not configured to collect syslog messages from levels 0 through 6 at a minimum.
BTS-MGMT-430   V0012666  III   The syslog server is not configured to accept messages from only authorized devices and administrative access from trusted management workstations by restricting access via source IP address and destination port.
BTS-MGMT-440   V0014377  III   The syslog server is connected to a network that is not the management network.
BTS-MGMT-450   V0014378  II    The syslog server is not configured IAW the respective OS STIG.
BTS-MGMT-460   V0014379  III   An HIDS is not implemented on the syslog server to provide access control for the syslog data as well as provide the necessary protection against unauthorized user and service access.
BTS-MGMT-510   V0012427  II    A COOP is not developed or is not maintained, or the COOP is not being exercised periodically to provide continuous operational services of the backbone network. At a minimum, the COOP must be exercised semi-annually for MAC I networks and annually for MAC II and III networks.
BTS-MGMT-520   V0012428  II    The COOP plan does not include the identification, procurement, inventory, storage, and deployment for all critical spare parts, specifically those parts that can service single points of failure.
BTS-MGMT-530   V0012430  II    The COOP plan does not establish procedures for a smooth transition of mission essential backbone network functions to include management, operation, and monitoring.
BTS-MPLS-010   V0012638  I     Not all CE-facing interfaces on a PE router providing MPLS VPN services are bound to a VRF.
BTS-MPLS-020   V0012639  II    CE-facing interface on a PE router providing MPLS VPN services is configured to accept MPLS traffic.
BTS-MPLS-030   V0012640  III   A route policy has not been implemented to ensure routes contained within any VRF used for PE-CE links are not advertised to any customer networks.
BTS-MPLS-040   V0012431  I     A unique RD is not assigned for each VPN.
BTS-MPLS-050   V0012641  I     Incorrect RDs are configured for some VRFs.
BTS-MPLS-060   V0012642  I     VRFs are not bound to the proper CE-facing interface.
BTS-MPLS-070   V0012643  I     Incorrect RT is configured for VRF.
BTS-MPLS-080   V0012432  II    Junior engineers who are not trained in the design of MPLS VPN networks are authorized to configure VRF information, including RT and RD and their associated import and export route policies.
BTS-MPLS-085   V0014338  II    PE-ASBR-facing interfaces are not bound to a VRF for a VRF-to-VRF implementation on the PE-ASBR router.
BTS-MPLS-086   V0014339  III   PE-ASBR-facing interfaces on a PE-ASBR are configured to accept MPLS traffic for a VRF-to-VRF implementation.
BTS-MPLS-087   V0014340  II    PE-ASBR-facing interfaces for a VRF-to-VRF implementation are not bound to the correct VPN.
BTS-MPLS-090   V0012644  III   Route-target filtering is not configured to only import and export those route advertisements with RTs that represent the inter-AS VPNs provisioned by the AS.
BTS-MPLS-100   V0012645  III   The PE-ASBR leaks IPv4 routes to the adjacent AS across the MP-eBGP connection.
BTS-MPLS-110   V0014341  II    Multi-hop eBGP redistribution of labeled VPN-IPv4 routes between source and destination ASes is used to implement inter-AS VPN connectivity.
BTS-MSPP-010   V0012670  III   The MSPP does not log system events, circuit provisioning, user actions, and configuration changes.
BTS-MSPP-020   V0012433  II    A daily review of the MSPP audit data is not conducted by the system administrator or qualified personnel to determine if attempted attacks or inappropriate activity has occurred.
BTS-MSPP-030   V0012434  III   The MSPP audit logs are not backed up on a weekly basis or are not retained for at least one year.
BTS-MSPP-040   V0012671  III   The MSPP is not configured to synchronize its clock with a trusted stratum-1 SNTP server.
BTS-MSPP-050   V0012672  II    Unused MSPP interfaces are not set to out of service when not providing service.
BTS-OPTI-010   V0012435  I     SONET components are not installed in controlled areas that restrict access to only authorized personnel.
BTS-OPTI-020   V0012436  II    A semi-annual security analysis of a sample (20% or more) of the SONET components is not conducted and documented.
BTS-OPTI-030   V0012667  II    SONET payload scrambling is not enabled using a self-synchronous scrambler (1 + X^43) applied to all backbone-facing PoS interfaces of all PE routers as well as all P router and ADM PoS interfaces.
BTS-OPTI-040   V0012437  II    An attack detection method such as Wideband Power Detection, Optical Spectral Analysis, Pilot Tone, or Optical Time Domain Reflectometry is not used globally to detect and locate attacks.
BTS-OPTI-050   V0012438  II    Optical monitoring is not implemented at all service delivery nodes.
BTS-OPTI-060   V0012439  III   Additional monitoring points are not installed at regular intervals within the spans of the service delivery nodes.
BTS-OPTI-070   V0012441  I     OTDR scans are not performed on all new fiber spans before being placed in production. Maintenance scans are not performed every six months.
BTS-OPTI-080   V0012668  II    OSPF is being used by ODXCs to determine the optimum path for dynamically provisioning a circuit, as well as for in-band management routing, without MD5 authentication of the link-state advertisements.
    PDI      VMSID CAT          Requirement                     Vulnerability   Status   Finding Notes
BTS-OPTI-   V0012669 II LDP is being used on the
090                     control plane by ODXCs to
                        establish a circuit with
                        dynamic provisioning without
                        MD5 authentication.
BTS-OPTI-   V0012442 II MD5 keys used for routing
100                     protocol authentication are
                        not changed every 180 days.

BTS-OPTI-   V0012443    I    The ITF and OTN facilities
110                          used for ULH connections are
                             not secured because 1) the
                             facility is not in a government-
                             controlled area that allows
                             access to only authorized
                             personnel using 2-factor
                             authentication, or 2) access
                             to the facility is not monitored
                             and limited to essential and
                             authorized personnel, or 3) a
                             visitor log is not maintained.

BTS-OPTI-   V0012444   III   Diverse routes into and out of
120                          ITF and OTN facilities are not
                             engineered to reduce risk of
                             breaks to both fiber
                             segments residing in same
                             bundle, conduit, or right-of-
                             way.
BTS-OPTI-   V0012445   III   ULH connections are not
130                          created using carrier grade
                             transmission equipment
                             placed at Government owned
                             locations in order to minimize
                             the placement of optical
                             equipment in commercial
                             facilities.
BTS-OPTI-   V0012446   II    Secured storage cabinets
140                          requiring 2-factor
                             authentication for access are
                             not used at ITFs to house the
                             fiber optic equipment and
                             have locking cabinet doors.
BTS-OPTI-   V0012447 III Locking cabinet doors used
150                      at the ITFs are not equipped
                         with alarm sensors that
                         activate when doors are
                         opened or they do not report
                         to the GNSC or TNC within
                         its operating area via OOB in-
                         network circuits.

BTS-OPTI-   V0012448    I     Traffic traversing OCONUS
160                           DISN Core segments is not
                              bulk encrypted using NIST
                              certified Type III encryptors.
BTS-OPTI-   V0012449    I     SONET/SDH bulk encryptors
170                           are not deployed using Path
                              level encryption with Path
                              headers passed in the clear
                              wherever leased bandwidth
                              from commercial carriers is
                              used for transport.

BTS-OPTI-   V0012450    I     SONET/SDH bulk encryptors
180                           are not deployed using Line
                              level encryption with both
                              Section and Line overhead
                              encrypted wherever dark
                              fiber is used for transport.

BTS-OPTI-   V0012451    II    A COMSEC custodian is not
190                           assigned to manage the
                              SONET/SDH bulk encryption
                              devices and keys.

BTS-QoS-    V0012647    II    QoS policies are not
010                           configured on the PE router
                              to ensure all customer traffic
                              receives forwarding treatment
                              as specified in the SLA.

BTS-QoS-    V0012648    III   Traffic that is not in
030                           compliance with the
                              approved DSCP classification
                              is not placed into the
                              Scavenger class.
BTS-QoS-    V0012649    III   Traffic not in compliance with
040                           the customer's SLA is not
                              placed into the Scavenger
                              class.
BTS-QoS-   V0012650 III QoS policing is not
050                     configured to validate the
                        use of classes reserved for
                        premium traffic and either
                        mark down or rate limit traffic
                        according to customer
                        projections and SLAs prior to
                        entering the core.

BTS-QoS-   V0012651    III   QoS policing has not been
060                          configured on the PE router
                             to mark down out-of-profile
                             traffic into the Scavenger
                             class.
BTS-QoS-   V0012727    II    QoS policies are not
070                          configured to ensure the
                             necessary congestion
                             management is implemented.
                             This will include classifying all
                             traffic and defining queues
                             with appropriate service
                             levels to accommodate the
                             different traffic classes.

BTS-RAS-   V0014346    III   AAA server is not used to
100                          authenticate the subscriber's
                             LNS prior to establishing an
                             L2TP tunnel with the LNS.

BTS-RAS-   V0014347     I    AAA server configuration
110                          does not correctly map
                             domain names to the
                             appropriate VPN.
BTS-RAS-   V0014349    II    The AAA server does not
120                          proxy the challenge response
                             message to the appropriate
                             VPN's AAA server to
                             authenticate the user.

BTS-RAS-   V0014350    III   The RAS, NAS, or LAC
130                          device is not configured to
                             use CHAP authentication to
                             provide a challenge query to
                             the client prior to initiating the
                             L2TP connection to validate
                             the domain name and user.
BTS-RAS-   V0014351 II AAA server is not used to
140                    validate the client's domain
                       name, username, and
                       password to the PPP
                       authentication challenge prior
                       to initiating the L2TP
                       connection.
BTS-RTR-   V0012559 II Neighbor authentication with
010                    MD5, SHA-1, or IPSec is not
                       implemented for all routing
                       protocols with all peer routers
                       within the same autonomous
                       system as well as between
                       autonomous systems.

BTS-RTR-   V0014770    II   MPLS signaling protocols
015                         deployed to build LSP tunnels
                            are not using a secure
                            hashing algorithm such as
                            MD5 or SHA-1 for neighbor or
                            message authentication.

BTS-RTR-   V0012646    II   The eBGP router does not
020                         have a unique key for each
                            eBGP neighbor that it peers
                            with.
BTS-RTR-   V0012452    II   MD5 keys used for routing
030                         protocol authentication are
                            not changed every 180 days.

BTS-RTR-   V0012560    I    Key chains are being used
040                         and no infinite key exists
                            within the chain. The infinite
                            key is not changed seven
                            days after the rotating keys
                            expire and are redefined.
BTS-RTR-   V0012561    II   The eBGP router is not
050                         configured to reject inbound
                            route advertisements for any
                            Bogon prefixes and any
                            prefixes belonging to the IP
                            core.
BTS-RTR-   V0014316 II The eBGP router is not
055                    configured to reject inbound
                       route advertisements for any
                       IPv6 prefixes unless the
                       prefixes are received from a
                       customer network and 6PE is
                       implemented to transport
                       those prefixes across the
                       backbone using MP-iBGP.

BTS-RTR-   V0012562   II    The eBGP router is not
060                         configured to reject inbound
                            route advertisements from a
                            CE router for prefixes that
                            are not allocated to that
                            customer.
BTS-RTR-   V0012563   II    BGP is not configured to filter
070                         outbound route
                            advertisements for prefixes
                            that are not allocated to or
                            belong to any GIG IP
                            customers.
BTS-RTR-   V0014317   II    The eBGP router is not
075                         configured to reject outbound
                            route advertisements for any
                            IPv6 prefixes unless the
                            prefixes are for a customer
                            network supported by a 6PE
                            deployment.

BTS-RTR-   V0012564   II    BGP is not configured to filter
080                         outbound route
                            advertisements belonging to
                            the IP core.
BTS-RTR-   V0012565   II    The eBGP router is not
100                         configured to reject inbound
                            route advertisements with an
                            originating AS that does not
                            belong to the specific
                            customer.
BTS-RTR-   V0012566   III   ASBR is not configured to
110                         deny updates received from
                            eBGP peers that do not list
                            their AS number as the first
                            AS in the AS_PATH attribute.

BTS-RTR-   V0012567   III   Graded damping algorithms
120                         are not used to penalize
                            longer prefixes (> /20) more
                            than shorter prefixes.
BTS-RTR-   V0012568 II BGP is not configured to use
130                    the maximum prefixes
                       feature to protect against
                       route table flooding and prefix
                       de-aggregation attacks.

BTS-RTR-   V0012569    III   BGP is not configured to limit
140                          the prefix size on any route
                             advertisement to /24 or the
                             least significant prefixes
                             issued to the customer.

BTS-RTR-   V0012570    III   BGP is not configured to use
150                          Generalized TTL Security
                             Mechanism (GTSM) to
                             mitigate risks associated with
                             a control plane DoS attack.

BTS-RTR-   V0014318    III   Routers with RSVP-TE
152                          enabled do not have
                             message pacing configured
                             to adjust maximum burst and
                             maximum number of RSVP
                             messages to an output queue
                             based on the link speed and
                             input queue size of adjacent
                             core routers.

BTS-RTR-   V0012571    III   The router's loopback
155                          address is not used as the
                             router ID for OSPF, IS-IS,
                             iBGP, LDP, and MPLS-TE
                             configurations.
BTS-RTR-   V0012573    II    URPF strict mode is not
160                          enabled on all customer-
                             facing interfaces.
BTS-RTR-   V0012574    II    A filter is not implemented to
170                          block inbound packets with
                             source Bogon address
                             prefixes.
BTS-RTR-   V0012575    I     A filter is not implemented to
180                          block inbound packets
                             destined to the IP core
                             infrastructure address space.

BTS-RTR-   V0012576    I     A receive-path filter or
190                          ingress filter bound to all
                             interfaces is not implemented
                             to restrict all traffic destined
                             to the router.
BTS-RTR-   V0014319 III A receive-path filter is not
195                     implemented to restrict all
                        traffic destined to the router.

BTS-RTR-   V0012579     II   Management plane traffic
200                          destined for the router is not
                             restricted to only authorized
                             network management
                             stations.
BTS-RTR-   V0012580     II   BGP connections are not
210                          restricted to known IP
                             addresses of BGP routers
                             from the same or trusted AS.

BTS-RTR-   V0012581    III   NTP traffic is not restricted to
220                          only authorized NTP servers.

BTS-RTR-   V0012582     II   The router's receive path
230                          filter does not drop all
                             fragmented ICMP packets.
BTS-RTR-   V0012583     II   The maximum wait interval
240                          for establishing a TCP
                             connection request to the
                             router is not set to ten
                             seconds or less, or a method
                             to rate limit TCP SYN traffic
                             destined to the router has not
                             been implemented.

BTS-RTR-   V0012586     II   CEF is not enabled on the
250                          Cisco router.
BTS-RTR-   V0012585     II   IPv4 packets with Option
260                          Type = 131 or 137 are not
                             blocked or IP source routing
                             is not disabled.
BTS-RTR-   V0014320     II   IPv6 packets that include a
265                          Routing Header with Routing
                             Type 0 are not blocked or IP
                             source routing is not
                             disabled.
BTS-RTR-   V0012587    III   IP directed broadcast is not
270                          disabled on all router
                             interfaces.
BTS-RTR-   V0012589     II   IP redirects are not disabled
280                          on all router interfaces.
BTS-RTR-   V0012590     II   ICMP mask replies are not
290                          disabled on all router
                             interfaces.
BTS-RTR-   V0012591 II ICMP unreachables are not
300                    disabled on all customer-
                       facing interfaces.
                       Note: This requirement does
                       not force the router to block
                       ICMP Destination
                       Unreachable messages type
                       3, code 4 meaning
                       "Fragmentation Needed and
                       Don't Fragment was Set"
                       and, therefore, will not disrupt
                       Path MTU Discovery as
                       specified in RFC 1191. Black-
                       hole filtering enables traffic
                       destined for a particular IP
                       address to be forwarded to
                       a pseudo-interface where it
                       is discarded. The address of
                       the pseudo-interface is called
                       Null0. The interface is always
                       live but can never forward or
                       receive traffic. Hence, when a
                       route is pointed to the Null0
                       interface, traffic sent to that
                       destination is dropped.


BTS-RTR-   V0012592    III   Inactive interfaces are not
310                          disabled. CAVEAT: Inactive
                             physical interfaces or
                             subinterfaces that are
                             preconfigured for planned
                             access circuits that will soon
                             become active are permitted,
                             provided that a description is
                             defined for each interface.

BTS-RTR-   V0014321    III   There is no filter that denies
315                          all traffic applied to all
                             inactive interfaces.
BTS-RTR-   V0012593    III   Two or more authentication
320                          servers are not defined for
                             the purpose of granting
                             administrative access.
BTS-RTR-   V0012594    III   The router is not configured
330                          to use AAA tiered
                             authorization groups for
                             management authentication.
BTS-RTR-   V0014322 III Passwords are configured on
340                     line interfaces (VTY, console,
                        auxiliary, and asynchronous
                        lines).
BTS-RTR-   V0012601 II Individual accounts with
350                     username and password are
                        not being used to access the
                        router.
BTS-RTR-   V0012602 II Accounts are not assigned
360                     the lowest privilege level that
                        allows them to perform their
                        duties.
BTS-RTR-   V0012609  I Passwords are not encrypted
370                     using MD5 or SHA-1 hash
                        algorithm.
BTS-RTR-   V0012606 II Inactive accounts exist on the
380                     authentication server or
                        router.
BTS-RTR-   V0012607 II More than one local
390                     emergency account is
                        configured on the router, or
                        the emergency account is not
                        at the lowest privilege level.

BTS-RTR-   V0012453    II    There are no procedures to
395                          securely control the creation,
                             storage, deletion, and
                             distribution of local
                             emergency user accounts.
BTS-RTR-   V0012454    III   A log is not being maintained
400                          to record the creation,
                             change, deletion, and release
                             of all emergency accounts.

BTS-RTR-   V0012455    III   The emergency account log
405                          is not being reviewed
                             periodically to ensure
                             emergency accounts are
                             changed at regular intervals
                             and are not compromised in
                             any way.
BTS-RTR-   V0012610    III   A password is not required to
410                          gain access to the router's
                             diagnostics port.
BTS-RTR-   V0012615    III   CDP is not disabled on all
420                          external interfaces on all
                             Cisco PE and ASBR routers.
BTS-RTR-   V0012616 III The router is not configured
430                     to send periodic TCP
                        keepalive messages to
                        connection end points if
                        telnet is being used for
                        administrative access.
BTS-RTR-   V0014323 II Logging is not enabled on the
440                     router.
BTS-RTR-   V0012618 III The router is not configured
450                     to log severity levels 0
                        through 6 events and send all
                        log data to a syslog server.

BTS-RTR-   V0014324    III   Router is not configured to
460                          send all log data to a syslog
                             server.
BTS-RTR-   V0012617    III   The router is not configured
470                          to log all denied packets.
BTS-RTR-   V0014325    III   The router is not configured
480                          to log all denied packets.
BTS-RTR-   V0014326    III   Configuration changes that
485                          identify the time, the
                             command, and the
                             administrator that executed
                             the command are not logged.

BTS-RTR-   V0012619    III   Two or more NTP servers
490                          are not defined on the router
                             to synchronize its time.

BTS-RTR-   V0012620    II    The router is configured to
500                          function as an NTP server.
BTS-RTR-               II    The router is not configured
510                          to use MD5 to authenticate
                             the time source.
BTS-RTR-   V0012622    III   The router is not configured
520                          to use its loopback address
                             as the source address when
                             originating TACACS+ or
                             RADIUS traffic.
BTS-RTR-   V0014327    III   The router is not configured
521                          to use its loopback address
                             as the source address when
                             originating syslog traffic.

BTS-RTR-   V0014328    III   The router is not configured
522                          to use its loopback address
                             as the source address when
                             originating NTP traffic.
BTS-RTR-   V0014329 III The router is not configured
523                     to use its loopback address
                        as the source address when
                        originating SNMP traffic.

BTS-RTR-   V0014330   III   The router is not configured
524                         to use its loopback address
                            as the source address when
                            originating NetFlow traffic.

BTS-RTR-   V0014331   III   The router is not configured
525                         to use its loopback address
                            as the source address when
                            originating TFTP or FTP
                            traffic.
BTS-RTR-   V0014332   III   The router is not configured
526                         to use its loopback address
                            as the source address when
                            originating SSH traffic.

BTS-RTR-   V0014333   III   The router is not configured
527                         to use its loopback address
                            as the source address when
                            originating MSDP traffic.

BTS-RTR-   V0014334   III   The router is not configured
528                         to use its loopback address
                            as the source address for
                            iBGP peering sessions.
BTS-RTR-   V0014335   III   The router is not configured
529                         to use its loopback address
                            as the source address for
                            LDP peering sessions.
BTS-RTR-   V0012623    II   The latest operating system
530                         as directed by the PMO is not
                            implemented on the router.

BTS-RTR-   V0012730    II   The latest operating system
530                         as directed by the PMO is not
                            implemented on the router.

BTS-RTR-   V0012624   III   Finger service is not
540                         disabled.
BTS-RTR-   V0012625   III   TCP and UDP small servers
550                         are not disabled.
BTS-RTR-   V0012626   III   PAD services are not
560                         disabled.
BTS-RTR-   V0012627   III   Identification support is not
570                         disabled.
BTS-RTR-   V0012628    II   BSD r-command services are
580                         not disabled.
BTS-RTR-   V0012629 II FTP server is enabled.
590
BTS-RTR-   V0014336   II    TFTP server is not disabled.
595
BTS-RTR-   V0012630   III   DHCP server is enabled.
600
BTS-RTR-   V0012631   II    HTTP server is enabled.
610
BTS-RTR-   V0012632   III   Bootp server is enabled.
620
BTS-RTR-   V0012634   II    Configuration auto-loading is
630                         not disabled.
BTS-RTR-   V0012635   III   The router is configured as a
640                         client resolver and DNS
                            servers are not defined.
BTS-RTR-   V0012636   II    Proxy ARP is not disabled.
650
BTS-RTR-   V0012637   II    Gratuitous ARP is not
660                         disabled.
BTS-RTR-   V0014337   II    URPF strict mode is not
900                         enabled on CE routers' PE-
                            facing interfaces.
BTS-SDN-   V0012456   I     The facility used to house
010                         SDN equipment is not
                            secured because 1) the
                            facility is not in a government-
                            controlled area that allows
                            access to only authorized
                            personnel using 2-factor
                            authentication, or 2) access
                            to the facility is not monitored
                            and limited to essential and
                            authorized personnel, or 3) a
                            visitor log is not maintained.

BTS-SDN-   V0012457   II    A connection approval
020                         process to be used when
                            provisioning GIG services to
                            DoD customers is not
                            implemented or enforced.
   ____ Checklist _V_R_ (<date>)                                  <Test> - TN <Ticket Number>
DG0001 V0005658  I Vendor supported software is
                   evaluated and patched
                   against newly found
                   vulnerabilities.
DG0002 V0004758 II An upgrade/migration plan
                   should be developed to
                   address an unsupported
                   DBMS software version.
DG0003 V0005659 II The latest security patches
                   should be installed.
DG0005 V0006756 II Only necessary privileges to
                   the host system should be
                   granted to DBA OS accounts.

DG0007 V0006767     II    The database should be
                          secured in accordance with
                          DoD, vendor and/or
                          commercially accepted
                          practices where applicable.
DG0009 V0015608     II    Access to DBMS software
                          files and directories should
                          not be granted to
                          unauthorized users.
DG0010 V0002420     III   Database executable and
                          configuration files should be
                          monitored for unauthorized
                          modifications.
DG0011 V0003726     III   Configuration management
                          procedures should be
                          defined and implemented for
                          database software
                          modifications.
DG0012 V0004754     II    Database software
                          directories including DBMS
                          configuration files are stored
                          in dedicated directories
                          separate from the host OS
                          and other applications.

DG0013 V0015126     II    Database backup procedures
                          should be defined,
                          documented and
                          implemented.




   Legend:
   R or RAE = Required Ancillary Equipment
   NF = Not a Finding
   NA = Not Applicable                                                      128 of 1220
DG0014 V0015609 II   Default demonstration and sample database objects and applications should be removed.
DG0016 V0003728 III  Unused database components, database application software and database objects should be removed from the DBMS system.
DG0017 V0003803 II   A production DBMS installation should not coexist on the same DBMS host with other, non-production DBMS installations.
DG0019 V0003805 III  Application software should be owned by a Software Application account.
DG0020 V0015129 II   Backup and recovery procedures should be developed, documented, implemented and periodically tested.
DG0021 V0003806 II   A baseline of database application software should be documented and maintained.
DG0025 V0015610 II   DBMS should use NIST FIPS 140-2 validated cryptography.
DG0029 V0005685 II   Required auditing parameters for database auditing should be set.
DG0030 V0002507 II   Audit trail data should be retained for one year.
DG0031 V0015133 II   Transaction logs should be periodically reviewed for unauthorized modification of data. Users should be notified of the time and date of the last change in data content.

DG0032 V0005686 II   Audit records should be restricted to authorized individuals.
DG0040 V0002422 II   The DBMS software installation account should be restricted to authorized users.
DG0041 V0015110 II   Use of the DBMS installation account should be logged.
DG0042 V0015111 II   Use of the DBMS software installation account should be restricted to DBMS software installation, upgrade and maintenance actions.
DG0050 V0002423 II   Database software, applications and configuration files should be monitored to discover unauthorized changes.
DG0051 V0003808 II   Database job/batch queues should be reviewed regularly to detect unauthorized database job submissions.
DG0052 V0003807 II   All applications that access the database should be logged in the DBMS audit trail where available.
DG0053 V0003809 II   A single database connection configuration file should not be used to configure all database clients.
DG0054 V0015611 III  The audit logs should be periodically monitored to discover DBMS access using unauthorized applications.
DG0064 V0015120 II   DBMS backup and restoration files should be protected from unauthorized access.

DG0065 V0003810 II   DBMS authentication should require use of a DoD PKI certificate.
DG0066 V0003811 II   Procedures for establishing temporary passwords that meet DoD password requirements for new accounts should be defined, documented and implemented.
DG0067 V0003812 I    Database account passwords should be stored in encoded or encrypted format whether stored in database objects, external host files, environment variables or any other storage locations.
DG0068 V0003813 II   DBMS tools or applications that echo or require a password entry in clear text should be protected from password display.
DG0069 V0015140 II   Procedures and restrictions for import of production data to development databases should be documented, implemented and followed.
DG0072 V0015612 II   Database password changes by users should be limited to one change within 24 hours where supported by the DBMS.
DG0076 V0003819 II   Sensitive information from production database exports should be modified after import to a development database.
DG0077 V0003820 II   Production databases should be protected from unauthorized access by developers on shared production/development host systems.

DG0078 V0015613 II   Each database user, application or process should have an individually assigned account.
DG0083 V0015102 II   Automated notification of suspicious activity detected in the audit trail should be implemented.
DG0084 V0015614 III  The DBMS should be configured to clear residual data from memory, data objects and files, and other storage locations.
DG0085 V0015615 II   The DBA role should not be assigned excessive or unauthorized privileges.
DG0088 V0015112 III  The DBMS should be periodically tested for vulnerability management and IA compliance.
DG0090 V0015131 II   Sensitive information stored in the database should be protected by encryption.
DG0092 V0015132 II   Database data files containing sensitive information should be encrypted.
DG0093 V0003825 II   Remote administrative connections to the database should be encrypted.
DG0095 V0003827 II   Audit trail data should be reviewed daily or more frequently.
DG0096 V0015138 III  The DBMS IA policies and procedures should be reviewed annually or more frequently.
DG0097 V0015139 II   Plans and procedures for testing DBMS installations, upgrades, and patches should be defined and followed prior to production implementation.

DG0098 V0015617 II   Access to external objects should be disabled if not required and authorized.
DG0099 V0015618 II   Access to external DBMS executables should be disabled or restricted.
DG0101 V0015620 II   OS accounts used to execute external procedures should be assigned minimum privileges.
DG0102 V0015141 II   DBMS processes or services should run under custom, dedicated OS accounts.
DG0103 V0015621 II   The DBMS listener should restrict database access by network address.
DG0104 V0015622 III  DBMS service identification should be unique and clearly identify the service.
DG0107 V0015144 II   Sensitive data stored in the database should be identified in the System Security Plan and AIS Functional Architecture documentation.
DG0108 V0015145 III  The DBMS restoration priority should be assigned.
DG0109 V0015146 II   The DBMS should not be operated without authorization on a host system supporting other application services.
DG0110 V0015179 II   The DBMS should not share a host supporting an independent security service.

DG0111 V0015147 II   The DBMS data files, transaction logs and audit files should be stored in dedicated directories or disk partitions separate from software or other application files.
DG0112 V0015623 II   DBMS system data files should be stored in dedicated disk directories.
DG0113 V0015624 II   DBMS data files should be dedicated to support individual applications.
DG0114 V0015119 II   DBMS files critical for DBMS recovery should be stored on RAID or other high-availability storage devices.
DG0115 V0015625 II   Recovery procedures and technical system features should exist to ensure that recovery is done in a secure and verifiable manner.
DG0116 V0015626 II   Database privileged role assignments should be restricted to IAO-authorized DBMS accounts.
DG0118 V0015127 II   The IAM should review changes to DBA role assignments.
DG0123 V0015631 II   Access to DBMS system tables and other configuration or metadata should be restricted to DBAs.
DG0124 V0015632 II   Use of DBA accounts should be restricted to administrative activities.
DG0126 V0015633 II   Password reuse should be prevented where supported by the DBMS.

DG0128 V0015635 I    DBMS default accounts should be assigned custom passwords.
DG0129 V0015636 I    Passwords should be encrypted when transmitted across the network.
DG0130 V0015637 II   DBMS passwords should not be stored in compiled, encoded or encrypted batch jobs or compiled, encoded or encrypted application source code.
DG0131 V0015638 III  DBMS default account names should be changed.
DG0134 V0015640 II   Concurrent connections to the DBMS should be limited and controlled.
DG0140 V0015643 II   Access to DBMS security should be audited.
DG0141 V0015644 II   Attempts to bypass access controls should be audited.
DG0142 V0015645 II   Changes to configuration options should be audited.
DG0145 V0015646 II   Audit records should contain required information.
DG0146 V0015647 II   Audit records should include the reason for blacklisting or disabling DBMS connections or accounts.
DG0151 V0015648 II   Access to the DBMS should be restricted to static, default network ports.
DG0152 V0015148 II   DBMS network communications should comply with PPS usage restrictions.
DG0153 V0015149 III  DBA role assignments should be assigned and authorized by the IAO.

DG0154 V0015150 III  The DBMS requires a System Security Plan containing all required information.
DG0155 V0015649 II   The DBMS should have configured all applicable settings to use trusted files, functions, features, or other components during startup, shutdown, aborts, or other unplanned interruptions.
DG0156 V0015650 III  The IAO for the DBMS should be assigned and authorized by the IAM.
DG0157 V0015651 II   Remote DBMS administration should be documented and authorized or disabled.
DG0158 V0015652 II   DBMS remote administration should be audited.
DG0159 V0015118 II   Remote administrative access to the database should be monitored by the IAO or IAM.
DG0160 V0015653 III  The DBMS should limit failed logins within a specified time period.
DG0161 V0015103 II   An automated tool that monitors audit data and immediately reports suspicious activity should be employed for the DBMS.
DG0167 V0015104 I    Sensitive data served by the DBMS should be protected by encryption when transmitted across the network.
DG0170 V0015655 II   DBMS transaction journaling should be enabled.
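
DG0083, DG0160 and DG0161 above require that failed logins be limited within a time period and that suspicious activity in the audit trail be reported automatically rather than waiting for the daily review. The script below is an added example of the detection half, not part of this checklist and not a DISA or vendor tool: it reads DBMS audit records, flags any account with five or more failed logons inside a five-minute sliding window, and marks whether a successful logon followed within that window, which separates a failed guessing attempt from a likely compromise. The record layout (timestamp, user, client address, action, result), the threshold and window values and the sample records are all constructed assumptions; a real DBMS audit trail has its own format, and the threshold and window should be set to match the site's DG0160 lockout parameters.

```python
"""Failed-logon burst detection over DBMS audit records, the monitoring half
of DG0083 / DG0160 / DG0161. The enforcement half (account lockout after N
failures) is a DBMS account or profile parameter and is not shown here.

Added example for this checklist, not DISA or vendor code. The record layout
and the sample records below are constructed for the demonstration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed sample audit trail (not real data). Out-of-order lines are
# deliberate: exported audit data is not always sorted.
SAMPLE_AUDIT = """\
2024-03-04T08:00:12Z,appuser,10.0.0.21,LOGON,FAIL
2024-03-04T09:10:05Z,SYS,10.0.0.77,LOGON,FAIL
2024-03-04T09:10:00Z,SYS,10.0.0.77,LOGON,FAIL
2024-03-04T09:10:10Z,SYS,10.0.0.77,LOGON,FAIL
2024-03-04T09:10:15Z,SYS,10.0.0.77,LOGON,FAIL
2024-03-04T09:10:20Z,SYS,10.0.0.77,LOGON,FAIL
2024-03-04T09:10:25Z,SYS,10.0.0.77,LOGON,FAIL
2024-03-04T09:10:30Z,SYS,10.0.0.77,LOGON,FAIL
2024-03-04T09:10:35Z,SYS,10.0.0.77,LOGON,FAIL
2024-03-04T09:10:40Z,SYS,10.0.0.77,LOGON,SUCCESS
2024-03-04T09:11:02Z,SYS,10.0.0.77,ALTER USER,SUCCESS
2024-03-04T10:00:41Z,appuser,10.0.0.21,LOGON,FAIL
2024-03-04T10:00:55Z,appuser,10.0.0.21,LOGON,SUCCESS
2024-03-04T12:00:03Z,sa,10.0.0.30,LOGON,FAIL
2024-03-04T12:00:09Z,sa,10.0.0.30,LOGON,FAIL
2024-03-04T12:00:14Z,sa,10.0.0.30,LOGON,FAIL
"""

Record = Dict[str, object]


def parse_records(text: str) -> List[Record]:
    """Parse the constructed CSV layout and return records in time order."""
    records: List[Record] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, ip, action, result = line.split(",")
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "ip": ip, "action": action, "result": result,
        })
    records.sort(key=lambda r: r["ts"])
    return records


def detect_logon_bursts(records: List[Record], threshold: int = 5,
                        window: timedelta = timedelta(minutes=5)) -> List[Dict[str, object]]:
    """Flag any account with >= threshold failed logons inside a sliding window.
    A successful logon for that account within `window` of the last failure is
    recorded as success_after: that turns a guessing attempt into a likely
    compromise and should be escalated, not just reported."""
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    alerts: Dict[str, Dict[str, object]] = {}
    for r in records:
        if r["action"] != "LOGON":
            continue
        user, ts = r["user"], r["ts"]
        q = recent[user]
        if r["result"] == "FAIL":
            q.append((ts, r["ip"]))
            while q and ts - q[0][0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold:
                a = alerts.setdefault(user, {
                    "user": user, "first": q[0][0], "count": 0,
                    "sources": set(), "success_after": False,
                })
                a["count"] = max(a["count"], len(q))
                a["last"] = ts
                a["sources"].update(ip for _, ip in q)
        elif user in alerts and ts - alerts[user]["last"] <= window:
            alerts[user]["success_after"] = True
    out = []
    for a in alerts.values():
        a["sources"] = sorted(a["sources"])
        out.append(a)
    return sorted(out, key=lambda a: a["first"])


if __name__ == "__main__":
    for alert in detect_logon_bursts(parse_records(SAMPLE_AUDIT)):
        print(alert)
```

On the sample data only SYS is flagged (eight failures in 35 seconds followed by a success), while the three failures against sa stay under the threshold and the appuser failures are hours apart. The window logic assumes the audit timestamps come from a synchronized clock; on a multi-node DBMS with drifting clocks the same burst can be split across windows and missed.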




DG0171 V0015656 II   The DBMS should not have a connection defined to access or be accessed by a DBMS at a different classification level.
DG0175 V0015116 II   The DBMS host platform and other dependent applications should be configured in compliance with applicable STIG requirements.
DG0176 V0015117 II   The DBMS audit logs should be included in backup operations.
DG0179 V0015658 II   The DBMS warning banner should meet DoD policy requirements.
DG0186 V0015122 II   The database should not be directly accessible from public or unauthorized networks.
DG0187 V0015121 II   DBMS software libraries should be periodically backed up.
DG0190 V0015154 II   Credentials stored and used by the DBMS to access remote databases or applications should be authorized and restricted to authorized users.
DG0192 V0015660 II   Remote database or other external access should use fully-qualified names.
DG0194 V0015108 II   Privileges assigned to developers on shared production and development DBMS hosts and the DBMS should be monitored every three months or more frequently for unauthorized changes.

DG0195 V0015109 II   DBMS production application and data directories should be protected from developers on shared production/development DBMS host systems.
DG0198 V0015662 II   Remote administration of the DBMS should be restricted to known, dedicated and encrypted network addresses and ports.

 PDI    VMSID     CAT           Requirement             Vulnerability   Status   Finding Notes

DG0001 V0005658 I    Vendor supported software is evaluated and patched against newly found vulnerabilities.
DG0002 V0004758 II   An upgrade/migration plan should be developed to address an unsupported DBMS software version.
DG0003 V0005659 II   The latest security patches should be installed.
DG0004 V0005683 II   Application object owner accounts should be disabled when not performing installation or maintenance actions.
DG0005 V0006756 II   Only necessary privileges to the host system should be granted to DBA OS accounts.
DG0007 V0006767 II   The database should be secured in accordance with DoD, vendor and commercially accepted practices where applicable.
DG0008 V0015607 II   Application objects should be owned by accounts authorized for ownership.
DG0009 V0015608 II   Access to DBMS software files and directories should not be granted to unauthorized users.
DG0010 V0002420 III  Database executable and configuration files should be monitored for unauthorized modifications.
DG0011 V0003726 III  Configuration management procedures should be defined and implemented for database software modifications.
DG0012 V0004754 II   Database data files should not be stored in the same logical storage partition as database application software.

DG0013 V0015126 II   Database backup procedures should be defined, documented and implemented.
DG0014 V0015609 II   Default demonstration and sample database objects and applications should be removed.
DG0015 V0003727 III  Database applications should be restricted from using static DDL statements to modify the application schema.
DG0016 V0003728 III  Unused database components, database application software and database objects should be removed from the DBMS system.
DG0017 V0003803 II   System resources and database identifiers should be clearly separated and defined.
DG0019 V0003805 III  Application software should be owned by a Software Application account.
DG0020 V0015129 II   Backup and recovery procedures should be developed, documented, implemented and periodically tested.
DG0021 V0003806 II   A baseline of database application software should be documented and maintained.
DG0025 V0015610 II   DBMS should use NIST FIPS 140-2 validated cryptography.
DG0029 V0005685 II   Required auditing parameters for database auditing should be set.
DG0030 V0002507 II   Audit trail data should be retained for one year.

DG0031 V0015133 II   Transaction logs should be periodically reviewed for unauthorized modification of data. Users should be notified of the time and date of the last change in data content.
DG0032 V0005686 II   Audit records should be restricted to authorized individuals.
DG0040 V0002422 II   The DBMS software installation account should be restricted to authorized users.
DG0041 V0015110 II   Use of the DBMS installation account should be logged.
DG0042 V0015111 II   Use of the DBMS software installation account should be restricted to DBMS software installation, upgrade and maintenance actions.
DG0050 V0002423 II   Database software, applications and configuration files should be monitored to discover unauthorized changes.
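
DG0010, DG0021 and DG0050 above call for a documented baseline of the DBMS software and configuration files and for monitoring them to discover unauthorized change. The script below is an added example of that check, not part of this checklist and not DISA or vendor tooling: it records a SHA-256 digest, permission bits and size for every regular file under a DBMS home, stores that manifest, and on a later run reports files added, removed or altered. A permission-only change, such as a configuration file made world-writable, is reported as modified even though its content digest is unchanged, because that is exactly the kind of change DG0009 and DG0050 are meant to catch. The directory layout, file names, file contents, manifest format and the tampering performed in demo() are all constructed assumptions.

```python
"""Baseline-and-compare integrity check for DBMS software and configuration
directories, the control behind DG0010, DG0021 and DG0050.

Added example for this checklist, not DISA or vendor code. The manifest
format, the directory layout built in demo() and the file contents are
assumptions made for the demonstration.
"""
import hashlib
import json
import os
import shutil
import stat
import tempfile
from typing import Dict, List, Tuple

# One manifest entry per regular file: (sha256 hex digest, permission bits, size)
Entry = Tuple[str, int, int]


def _sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Dict[str, Entry]:
    """Record digest, mode and size of every regular file under root.
    Keys are root-relative, '/'-separated paths so the manifest can be
    compared from another host (e.g. the one holding the read-only copy)."""
    manifest: Dict[str, Entry] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks and devices would need their own handling
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = (_sha256(full), stat.S_IMODE(st.st_mode), st.st_size)
    return manifest


def save_baseline(manifest: Dict[str, Entry], path: str) -> None:
    with open(path, "w", encoding="utf-8") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)


def load_baseline(path: str) -> Dict[str, Entry]:
    with open(path, encoding="utf-8") as f:
        return {k: tuple(v) for k, v in json.load(f).items()}


def compare(baseline: Dict[str, Entry], current: Dict[str, Entry]) -> Dict[str, List[str]]:
    """Classify differences. A permission-only change (e.g. a config file made
    world-writable) counts as 'modified' even when the content digest matches."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current)
                           if baseline[p] != current[p]),
    }


def demo() -> Dict[str, List[str]]:
    """Build a constructed sample install tree, baseline it, tamper with it
    the way an unauthorized change would, and return the comparison report."""
    root = tempfile.mkdtemp(prefix="dbms_home_")
    store = tempfile.mkdtemp(prefix="fim_store_")   # stands in for the off-host copy
    manifest_path = os.path.join(store, "baseline.json")

    def put(rel: str, data: bytes, mode: int) -> None:
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
        os.chmod(full, mode)

    try:
        # Constructed sample files; contents are placeholders, not a real install.
        put("bin/dbserver", b"\x7fELF-placeholder-server", 0o755)
        put("bin/dbctl", b"#!/bin/sh\nexec bin/dbserver \"$@\"\n", 0o755)
        put("conf/listener.conf", b"host=10.0.0.5\nport=1521\n", 0o640)
        put("conf/db.conf", b"audit_trail=db\n", 0o640)
        save_baseline(build_baseline(root), manifest_path)

        # Simulated unauthorized changes made after the baseline was taken.
        with open(os.path.join(root, "conf", "db.conf"), "ab") as f:
            f.write(b"remote_login_allowed=true\n")                  # content change
        os.chmod(os.path.join(root, "conf", "listener.conf"), 0o666)  # mode change only
        put("bin/backdoor.so", b"\x7fELF-placeholder-plugin", 0o755)  # new file
        os.remove(os.path.join(root, "bin", "dbctl"))                  # deleted file

        return compare(load_baseline(manifest_path), build_baseline(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)
        shutil.rmtree(store, ignore_errors=True)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The finding hinges on where the baseline lives: a manifest kept writable on the DBMS host can simply be re-baselined by whoever altered the files, so store it read-only or off-host, and treat the scheduled comparison run, with its output feeding the audit review required by DG0095, as the actual control.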
DG0051 V0003808 II   Database job/batch queues should be reviewed regularly to detect unauthorized database job submissions.
DG0052 V0003807 II   All applications that access the database should be logged in the DBMS audit trail where available.
DG0053 V0003809 II   A single database connection configuration file should not be used to configure all database clients.
DG0054 V0015611 III  The audit logs should be periodically monitored to discover DBMS access using unauthorized applications.

DG0060 V0002424 II   All database non-interactive, n-tier connection, and shared accounts that exist should be documented and approved by the IAO.
DG0063 V0015107 II   DBMS privileges to restore database data or other DBMS configurations, features or objects should be restricted to authorized DBMS accounts.
DG0064 V0015120 II   DBMS backup and restoration files should be protected from unauthorized access.
DG0065 V0003810 II   DBMS authentication should require use of a DoD PKI certificate.
DG0066 V0003811 II   Procedures for establishing temporary passwords that meet DoD password requirements for new accounts should be defined, documented and implemented.
DG0067 V0003812 I    Database passwords used by batch and job processes should be stored in encrypted format.
DG0068 V0003813 II   DBMS tools or applications that echo or require a password entry in clear text should be protected from password display.
DG0069 V0015140 II   Procedures and restrictions for import of production data to development databases should be documented, implemented and followed.
DG0070 V0002508 II   Unauthorized user accounts should not exist.
DG0071 V0003815 II   New passwords should be required to differ from old passwords by more than four characters.
DG0073 V0003817 II   Database accounts should not specify account lock times less than the site-approved minimum.

DG0074 V0015130 II   Unapproved inactive or expired database accounts should not be found on the database.
DG0075 V0003818 II   Unauthorized database links should not be defined and active.
DG0076 V0003819 II   Sensitive information from production database exports should be modified after import to a development database.
DG0077 V0003820 II   Production databases should be protected from unauthorized access by developers on shared production/development host systems.
DG0078 V0015613 II   Each database user, application or process should have an individually assigned account.
DG0079 V0015152 II   DBMS login accounts require passwords to meet complexity requirements.
DG0080 V0003821 II   Application user privilege assignment should be reviewed monthly or more frequently to ensure compliance with least privilege and documented policy.
DG0083 V0015102 II   Automated notification of suspicious activity detected in the audit trail should be implemented.
DG0085 V0015615 II   The DBA role should not be assigned excessive or unauthorized privileges.
DG0086 V0015106 II   DBA roles should be periodically monitored to detect assignment of unauthorized or excess privileges.
DG0087 V0015616 III  Sensitive data should be labeled.
DG0088 V0015112 III  The DBMS should be periodically tested for vulnerability management and IA compliance.

DG0089 V0015114 III  Developers should not be assigned excessive privileges on production databases.
DG0090 V0015131 II   Sensitive information stored in the database should be protected by encryption.
DG0091 V0003823 III  Custom and GOTS application source code stored in the database should be protected with encryption or encoding.
DG0092 V0015132 II   Database data files containing sensitive information should be encrypted.
DG0093 V0003825 II   Remote administrative connections to the database should be encrypted.
DG0095 V0003827 II   Audit trail data should be reviewed daily or more frequently.
DG0096 V0015138 III  The DBMS IA policies and procedures should be reviewed annually or more frequently.
DG0097 V0015139 II   Plans and procedures for testing DBMS installations, upgrades, and patches should be defined and followed prior to production implementation.
DG0098 V0015617 II   Access to external objects should be disabled if not required and authorized.
DG0099 V0015618 II   Access to external DBMS executables should be disabled or restricted.
DG0100 V0015619 II   Replication accounts should not be granted DBA privileges.
DG0101  V0015620  II    OS accounts used to execute external procedures should be assigned minimum privileges.
DG0102  V0015141  II    DBMS processes or services should run under custom, dedicated OS accounts.
DG0103  V0015621  II    The DBMS listener should restrict database access by network address.
DG0104  V0015622  III   DBMS service identification should be unique and clearly identify the service.
DG0105  V0015128  II    DBMS application user roles should not be assigned unauthorized privileges.
DG0106  V0015143  II    Database data encryption controls should be configured in accordance with application requirements.
DG0107  V0015144  II    Sensitive data stored in the database should be identified in the System Security Plan and AIS Functional Architecture documentation.
DG0108  V0015145  III   The DBMS restoration priority should be assigned.
DG0109  V0015146  II    The DBMS should not be operated without authorization on a host system supporting other application services.
DG0110  V0015179  II    The DBMS should not share a host supporting an independent security service.
DG0111  V0015147  II    The DBMS data files, transaction logs and audit files should be stored in dedicated directories or disk partitions separate from software or other application files.
DG0112  V0015623  II    DBMS system data files should be stored in dedicated disk directories.
DG0113  V0015624  II    DBMS data files should be dedicated to support individual applications.
DG0115  V0015625  II    Recovery procedures and technical system features should exist to ensure that recovery is done in a secure and verifiable manner.
DG0116  V0015626  II    Database privileged role assignments should be restricted to IAO-authorized DBMS accounts.
DG0117  V0015627  II    Administrative privileges should be assigned to database accounts via database roles.
DG0118  V0015127  II    The IAM should review changes to DBA role assignments.
DG0119  V0015628  II    DBMS application users should not be granted administrative privileges to the DBMS.
DG0120  V0015105  II    Unauthorized access to external database objects should be removed from application user roles.
DG0121  V0015629  II    Application user privileges should be restricted to assignment using application user roles.
DG0122  V0015630  II    Access to sensitive data should be restricted to authorized users identified by the Information Owner.
DG0123  V0015631  II    Access to DBMS system tables and other configuration or metadata should be restricted to DBAs.
DG0124  V0015632  II    Use of DBA accounts should be restricted to administrative activities.
DG0125  V0015153  II    DBMS account passwords should be set to expire every 60 days or more frequently.
DG0126  V0015633  II    Password reuse should be prevented where supported by the DBMS.
DG0127  V0015634  II    DBMS account passwords should not be set to easily guessed words or values.
DG0128  V0015635  I     DBMS default accounts should be assigned custom passwords.
DG0129  V0015636  I     Passwords should be encrypted when transmitted across the network.
DG0130  V0015637  II    DBMS passwords used by batch jobs or executables should not be stored in the job or executable files.
DG0133  V0015639  II    Unlimited account lock times should be specified for locked accounts.
DG0135  V0015641  II    Users should be alerted upon login of previous successful connections or unsuccessful attempts to access their account.
DG0138  V0015642  II    Access grants to sensitive data should be restricted to authorized user roles.
DG0140  V0015643  II    Access to DBMS security should be audited.
DG0141  V0015644  II    Attempts to bypass access controls should be audited.
DG0142  V0015645  II    Changes to configuration options should be audited.
DG0145  V0015646  II    Audit records should contain required information.
DG0146  V0015647  II    Audit records should include the reason for blacklisting or disabling DBMS connections or accounts.
DG0152  V0015148  II    DBMS network communications should comply with PPS usage restrictions.
DG0153  V0015149  III   DBA role assignments should be made and authorized by the IAO.
DG0154  V0015150  III   The DBMS requires a System Security Plan containing all required information.
DG0155  V0015649  II    The DBMS should verify trustworthiness of data and configuration files at startup.
DG0157  V0015651  II    Remote DBMS administration should be documented and authorized or disabled.
DG0158  V0015652  II    DBMS remote administration should be audited.
DG0159  V0015118  II    Remote administrative access to the database should be monitored by the IAO or IAM.
DG0161  V0015103  II    An automated tool that monitors audit data and immediately reports suspicious activity should be employed for the DBMS.
DG0165  V0015654  II    DBMS symmetric keys should be protected in accordance with NSA or NIST-approved key management technology or processes.
DG0166  V0015142  II    Asymmetric keys should use DoD PKI Certificates and be protected in accordance with NIST (unclassified data) or NSA (classified data) approved key management and processes.
DG0167  V0015104  I     Sensitive data served by the DBMS should be protected by encryption when transmitted across the network.
DG0171  V0015656  II    The DBMS should not have a connection defined to access or be accessed by a DBMS at a different classification level.
DG0172  V0015657  II    Changes to DBMS security labels should be audited.
DG0175  V0015116  II    The DBMS host platform and other dependent applications should be configured in compliance with applicable STIG requirements.
DG0176  V0015117  II    The DBMS audit logs should be included in backup operations.
DG0179  V0015658  II    The DBMS warning banner should meet DoD policy requirements.
DG0186  V0015122  II    The database should not be directly accessible from public or unauthorized networks.
DG0187  V0015121  II    DBMS software libraries should be periodically backed up.
DG0190  V0015154  II    Credentials stored and used by the DBMS to access remote databases or applications should be authorized and restricted to authorized users.
DG0191  V0015659  II    Credentials used to access remote databases should be protected by encryption and restricted to authorized users.
DG0192  V0015660  II    Remote database or other external access should use fully-qualified names.
DG0194  V0015108  II    Privileges assigned to developers on shared production and development DBMS hosts and the DBMS should be monitored every three months or more frequently for unauthorized changes.
DG0195  V0015109  II    DBMS production application and data directories should be protected from developers on shared production/development DBMS host systems.
DG0198  V0015662  II    Remote administration of the DBMS should be restricted to known, dedicated and encrypted network addresses and ports.
DO0120  V0003842  II    The Oracle software installation account should not be granted excessive host system privileges.
DO0140  V0002511  II    Access to the Oracle SYS and SYSTEM accounts should be restricted to authorized DBAs.
DO0145  V0003845  III   OS DBA group membership should be restricted to authorized accounts.
DO0155  V0003846  II    Only authorized system accounts should have the SYSTEM tablespace specified as the default tablespace.
DO0157  V0003847  III   Database application user accounts should be denied storage usage for object creation within the database.
DO0190  V0002515  II    The audit table should be owned by SYS or SYSTEM.
DO0210  V0002516  II    Access to default accounts used to support replication should be restricted to authorized DBAs.
DO0220  V0002517  II    Oracle instance names should not contain Oracle version numbers.
DO0221  V0003848  III   The Oracle SID should not be the default SID.
DO0231  V0003849  II    Application owner accounts should have a dedicated application tablespace.
DO0233  V0015747  II    The directory assigned to the DIAGNOSTIC_DEST parameter should be protected from unauthorized access.
DO0234  V0003850  II    The directory assigned to the AUDIT_FILE_DEST parameter should be protected from unauthorized access.
DO0235  V0003851  II    The directory assigned to the USER_DUMP_DEST parameter should be protected from unauthorized access.
DO0236  V0003852  II    The directory assigned to the BACKGROUND_DUMP_DEST parameter should be protected from unauthorized access.
DO0237  V0003853  II    The directory assigned to the CORE_DUMP_DEST parameter should be protected from unauthorized access.
DO0238  V0003854  II    The directories assigned to the LOG_ARCHIVE_DEST* parameters should be protected from unauthorized access.
DO0240  V0002519  III   The Oracle OS_ROLES parameter should be set to FALSE.
DO0243  V0003857  II    The Oracle _TRACE_FILES_PUBLIC parameter, if present, should be set to FALSE.
DO0250  V0002520  II    Fixed user and public database links should be authorized for use.
DO0260  V0002521  II    A minimum of two Oracle control files should be defined and configured to be stored on separate, archived physical disks or archived partitions on a RAID device.
DO0270  V0002522  II    A minimum of two Oracle redo log groups/files should be defined and configured to be stored on separate, archived physical disks or archived directories on a RAID device.
DO0286  V0003862  II    The Oracle INBOUND_CONNECT_TIMEOUT and SQLNET.INBOUND_CONNECT_TIMEOUT parameters should be set to a value greater than 0.
DO0287  V0003863  II    The Oracle SQLNET.EXPIRE_TIME parameter should be set to a value greater than 0.
DO0320  V0003437  II    Application role permissions should not be assigned to the Oracle PUBLIC role.
DO0340  V0003438  II    Oracle application administration roles should be disabled if not required and authorized.
DO0350  V0003439  II    Oracle system privileges should not be directly assigned to unauthorized accounts.
DO0360  V0003440  II    Connections by mid-tier web and application systems to the Oracle DBMS should be protected, encrypted and authenticated according to database, web, application, enclave and network requirements.
DO0420  V0003865  III   The XDB Protocol server should be uninstalled if not required and authorized for use.
DO0430  V0003866  III   The Oracle Management Agent should be uninstalled if it is not required and authorized, or if it is installed on a database accessible from the Internet.
DO3440  V0002527  II    The DBA role should not be granted to unauthorized user accounts.
DO3447  V0002531  III   The Oracle OS_AUTHENT_PREFIX parameter should be changed from the default value of OPS$.
DO3451  V0002533  II    The Oracle WITH GRANT OPTION privilege should not be granted to non-DBA or non-Application administrator user accounts.
DO3475  V0002539  II    Execute permission should be revoked from PUBLIC for restricted Oracle packages.
DO3536  V0002552  II    The IDLE_TIME profile parameter should be set for Oracle profiles IAW DoD policy.
DO3538  V0002554  I     The Oracle REMOTE_OS_AUTHENT parameter should be set to FALSE.
DO3539  V0002555  I     The Oracle REMOTE_OS_ROLES parameter should be set to FALSE.
DO3540  V0002556  II    The Oracle SQL92_SECURITY parameter should be set to TRUE.
DO3546  V0002558  II    The Oracle REMOTE_LOGIN_PASSWORDFILE parameter should be set to EXCLUSIVE or NONE.
DO3609  V0002561  II    System privileges granted using the WITH ADMIN OPTION should not be granted to unauthorized user accounts.
DO3610  V0002562  II    Required object auditing should be configured.
DO3612  V0002564  II    System privileges should not be granted to PUBLIC.
DO3622  V0002574  II    Oracle roles granted using the WITH ADMIN OPTION should not be granted to unauthorized accounts.
DO3630  V0002608  I     The Oracle Listener should be configured to require administration authentication.
DO3685  V0002586  III   The Oracle O7_DICTIONARY_ACCESSIBILITY parameter should be set to FALSE.
DO3686  V0002587  I     Oracle accounts should not have permission to view the table SYS.LINK$, which contains unencrypted database link passwords.
DO3689  V0002589  II    Object permissions granted to PUBLIC should be restricted.
DO3696  V0002593  II    The Oracle RESOURCE_LIMIT parameter should be set to TRUE.
DO3847  V0002607  II    Oracle passwords should not be stored unencrypted in the spoolmain.log file.
DO5037  V0002612  II    Oracle SQLNet and listener log files should not be accessible to unauthorized users.
DO6740  V0003497  II    The Oracle Listener ADMIN_RESTRICTIONS parameter, if present, should be set to ON.
DO6746  V0016031  III   The Oracle listener.ora file should specify IP addresses rather than host names to identify hosts.
DO6747  V0016032  II    Remote administration should be disabled for the Oracle connection manager.
DO6748  V0016033  II    Case sensitivity for passwords should be enabled.
DO6749  V0016035  II    The Oracle SEC_MAX_FAILED_LOGIN_ATTEMPTS parameter should be set to an IAO-approved value between 1 and 3.
DO6750  V0016053  II    The Oracle SEC_PROTOCOL_ERROR_FURTHER_ACTION parameter should be set to a value of DELAY or DROP.
DO6751  V0016057  II    The SQLNet SQLNET.ALLOWED_LOGON_VERSION parameter should be set to a value of 10 or higher.
DO6752  V0016054  II    The Oracle SEC_PROTOCOL_ERROR_TRACE_ACTION parameter should not be set to NONE.
DO6753  V0016055  II    Oracle Application Express or Oracle HTML DB should not be installed on a production database.
DO6754  V0016056  II    Oracle Configuration Manager should not remain installed on a production system.
Section: the column giving the checklist section(s) each row above belongs to. Its per-row values were split off from the rows in this copy and cannot be re-attached row by row; the values that occur are Oracle 9i Installation, Oracle 10g Installation and Oracle 11g Installation (singly or in combination), and Oracle 9i DB and Oracle 11g DB.
   ____ Checklist _V_R_ (<date>)                                 <Test> - TN <Ticket Number>
  PDI     VMSID     CAT   Requirement                                                          Vulnerability   Status   Finding Notes

  DG0001  V0005658  I     Vendor supported software is evaluated and patched against newly found vulnerabilities.
                          Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

  DG0002  V0004758  II    An upgrade/migration plan should be developed to address an unsupported DBMS software version.
                          Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

  DG0003  V0005659  II    The latest security patches should be installed.
                          Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

  DG0004  V0005683  II    Application object owner accounts should be disabled when not performing installation or maintenance actions.
                          Section: SQL7 Database, SQL8 2000 Database, SQL9 2005 Database

  DG0005  V0006756  II    Only necessary privileges to the host system should be granted to DBA OS accounts.
                          Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

  DG0007  V0006767  II    The database should be secured in accordance with DoD, vendor and/or commercially accepted practices where applicable.
                          Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

  DG0008  V0015607  II    Application objects should be owned by accounts authorized for ownership.
                          Section: SQL7 Database, SQL8 2000 Database, SQL9 2005 Database

   Legend:
   R or RAE = Required Ancillary Equipment
   NF = Not a Finding
   NA = Not Applicable                                                     173 of 1220

  DG0009  V0015608  II    Access to DBMS software files and directories should not be granted to unauthorized users.
                          Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

  DG0010  V0002420  III   Database executable and configuration files should be monitored for unauthorized modifications.
                          Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

  DG0011  V0003726  III   Configuration management procedures should be defined and implemented for database software modifications.
                          Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

  DG0012  V0004754  II    Database software directories including DBMS configuration files are stored in dedicated directories separate from the host OS and other applications.
                          Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

  DG0013  V0015126  II    Database backup procedures should be defined, documented and implemented.
                          Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

  DG0014  V0015609  II    Default demonstration and sample database objects and applications should be removed.
                          Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

  DG0015  V0003727  III   Database applications should be restricted from using static DDL statements to modify the application schema.
                          Section: SQL7 Database, SQL8 2000 Database, SQL9 2005 Database

  DG0016  V0003728  III   Unused database components, database application software and database objects should be removed from the DBMS system.
                          Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

  DG0017  V0003803  II    A production DBMS installation should not coexist on the same DBMS host with other, non-production DBMS installations.
                          Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

  DG0019  V0003805  III   Application software should be owned by a Software Application account.
                          Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

  DG0020  V0015129  II    Backup and recovery procedures should be developed, documented, implemented and periodically tested.
                          Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

  DG0021  V0003806  II    A baseline of database application software should be documented and maintained.
                          Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

  DG0025  V0015610  II    DBMS should use NIST FIPS 140-2 validated cryptography.
                          Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

  DG0029  V0005685  II    Required auditing parameters for database auditing should be set.
                          Section: SQL8 2000 Installation, SQL9 2005 Installation

  DG0030  V0002507  II    Audit trail data should be retained for one year.
                          Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

  DG0031  V0015133  II    Transaction logs should be periodically reviewed for unauthorized modification of data. Users should be notified of time and date of the last change in data content.
                          Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

  DG0032  V0005686  II    Audit records should be restricted to authorized individuals.
                          Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

  DG0040  V0002422  II    The DBMS software installation account should be restricted to authorized users.
                          Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

  DG0041  V0015110  II    Use of the DBMS installation account should be logged.
                          Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

  DG0042  V0015111  II    Use of the DBMS software installation account should be restricted to DBMS software installation, upgrade and maintenance actions.
                          Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

  DG0050  V0002423  II    Database software, applications and configuration files should be monitored to discover unauthorized changes.
                          Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

  DG0051  V0003808  II    Database job/batch queues should be reviewed regularly to detect unauthorized database job submissions.
                          Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

  DG0052  V0003807  II    All applications that access the database should be logged in the DBMS audit trail where available.
                          Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

  DG0054  V0015611  III   The audit logs should be periodically monitored to discover DBMS access using unauthorized applications.
                          Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

  DG0060  V0002424  II    All database non-interactive, n-tier connection, and shared accounts that exist should be documented and approved by the IAO.
                          Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

  DG0063  V0015107  II    DBMS privileges to restore database data or other DBMS configurations, features or objects should be restricted to authorized DBMS accounts.
                          Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

  DG0064  V0015120  II    DBMS backup and restoration files should be protected from unauthorized access.
                          Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

  DG0065  V0003810  II    DBMS authentication should require use of a DoD PKI certificate.
                          Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

  DG0066  V0003811  II    Procedures for establishing temporary passwords that meet DoD password requirements for new accounts should be defined, documented and implemented.
                          Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

  DG0067  V0003812  I     Database account passwords should be stored in encoded or encrypted format whether stored in database objects, external host files, environment variables or any other storage locations.
                          Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

  DG0068  V0003813  II    DBMS tools or applications that echo or require a password entry in clear text should be protected from password display.
                          Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

  DG0069  V0015140  II    Procedures and restrictions for import of production data to development databases should be documented, implemented and followed.
                          Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

  DG0070  V0002508  II    Unauthorized user accounts should not exist.
                          Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

  DG0071  V0003815  II    New passwords should be required to differ from old passwords by more than four characters.
                          Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

  DG0072  V0015612  II    Database password changes by users should be limited to one change within 24 hours where supported by the DBMS.
                          Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

  DG0073  V0003817  II    Database accounts should not specify account lock times less than the site-approved minimum.
                          Section: SQL7 Database, SQL8 2000 Database, SQL9 2005 Database

  DG0074  V0015130  II    Unapproved inactive or expired database accounts should not be found on the database.
                          Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

  DG0075  V0003818  II    Unauthorized database links should not be defined and active.
                          Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

  DG0076  V0003819  II    Sensitive information from production database exports should be modified after import to a development database.
                          Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

  DG0077  V0003820  II    Production databases should be protected from unauthorized access by developers on shared production/development host systems.
                          Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

  DG0078  V0015613  II    Each database user, application or process should have an individually assigned account.
                          Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

  DG0079  V0015152  II    DBMS login accounts require passwords to meet
                          Section: SQL8 2000 Installation,
                         complexity requirements.                                                  SQL9 2005
                                                                                                   Installation




   Legend:
   R or RAE = Required Ancillary Equipment
   NF = Not a Finding
   NA = Not Applicable                                                               179 of 1220
   ____ Checklist _V_R_ (<date>)                                           <Test> - TN <Ticket Number>
  PDI   VMSID CAT           Requirement                  Vulnerability   Status   Finding Notes      Section
DG0080  V0003821  II   Application user privilege assignment should be reviewed monthly or more frequently to ensure compliance with least privilege and documented policy.
                       Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0083  V0015102  II   Automated notification of suspicious activity detected in the audit trail should be implemented.
                       Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0084  V0015614  III  The DBMS should be configured to clear residual data from memory, data objects and files, and other storage locations.
                       Section: SQL9 2005 Installation
DG0085  V0015615  II   The DBA role should not be assigned excessive or unauthorized privileges.
                       Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0086  V0015106  II   DBA roles should be periodically monitored to detect assignment of unauthorized or excess privileges.
                       Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0087  V0015616  III  Sensitive data should be labeled.
                       Section: SQL9 2005 Installation
DG0088  V0015112  III  The DBMS should be periodically tested for vulnerability management and IA compliance.
                       Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0089  V0015114  III  Developers should not be assigned excessive privileges on production databases.
                       Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation


DG0090  V0015131  II   Sensitive information stored in the database should be protected by encryption.
                       Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0091  V0003823  III  Custom and GOTS application source code stored in the database should be protected with encryption or encoding.
                       Section: SQL7 Database, SQL8 2000 Database, SQL9 2005 Database
DG0092  V0015132  II   Database data files containing sensitive information should be encrypted.
                       Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0093  V0003825  II   Remote administrative connections to the database should be encrypted.
                       Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0095  V0003827  II   Audit trail data should be reviewed daily or more frequently.
                       Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0096  V0015138  III  The DBMS IA policies and procedures should be reviewed annually or more frequently.
                       Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0097  V0015139  II   Plans and procedures for testing DBMS installations, upgrades, and patches should be defined and followed prior to production implementation.
                       Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation




DG0098  V0015617  II   Access to external objects should be disabled if not required and authorized.
                       Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0099  V0015618  II   Access to external DBMS executables should be disabled or restricted.
                       Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0100  V0015619  II   Replication accounts should not be granted DBA privileges.
                       Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0101  V0015620  II   OS accounts used to execute external procedures should be assigned minimum privileges.
                       Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0102  V0015141  II   DBMS processes or services should run under custom, dedicated OS accounts.
                       Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0104  V0015622  III  DBMS service identification should be unique and clearly identify the service.
                       Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0105  V0015128  II   DBMS application user roles should not be assigned unauthorized privileges.
                       Section: SQL7 Database, SQL8 2000 Database, SQL9 2005 Database




DG0106  V0015143  II   Database data encryption controls should be configured in accordance with application requirements.
                       Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0107  V0015144  II   Sensitive data is stored in the database and should be identified in the System Security Plan and AIS Functional Architecture documentation.
                       Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0108  V0015145  III  The DBMS restoration priority should be assigned.
                       Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0109  V0015146  II   The DBMS should not be operated without authorization on a host system supporting other application services.
                       Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0110  V0015179  II   The DBMS should not share a host supporting an independent security service.
                       Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0111  V0015147  II   The DBMS data files, transaction logs and audit files should be stored in dedicated directories or disk partitions separate from software or other application files.
                       Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0114  V0015119  II   DBMS files critical for DBMS recovery should be stored on RAID or other high-availability storage devices.
                       Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation




DG0115  V0015625  II   Recovery procedures and technical system features exist to ensure that recovery is done in a secure and verifiable manner.
                       Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0116  V0015626  II   Database privileged role assignments should be restricted to IAO-authorized DBMS accounts.
                       Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0117  V0015627  II   Administrative privileges should be assigned to database accounts via database roles.
                       Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0118  V0015127  II   The IAM should review changes to DBA role assignments.
                       Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0119  V0015628  II   DBMS application users should not be granted administrative privileges to the DBMS.
                       Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0120  V0015105  II   Unauthorized access to external database objects should be removed from application user roles.
                       Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0121  V0015629  II   Application user privileges should be restricted to assignment using application user roles.
                       Section: SQL7 Database, SQL8 2000 Database, SQL9 2005 Database




DG0122  V0015630  II   Access to sensitive data should be restricted to authorized users identified by the Information Owner.
                       Section: SQL7 Database, SQL8 2000 Database, SQL9 2005 Database
DG0123  V0015631  II   Access to DBMS system tables and other configuration or metadata should be restricted to DBAs.
                       Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0124  V0015632  II   Use of DBA accounts should be restricted to administrative activities.
                       Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0125  V0015153  II   DBMS account passwords should be set to expire every 60 days or more frequently.
                       Section: SQL9 2005 Installation
DG0127  V0015634  II   DBMS account passwords should not be set to easily guessed words or values.
                       Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0128  V0015635  I    DBMS default accounts should be assigned custom passwords.
                       Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0129  V0015636  I    Passwords should be encrypted when transmitted across the network.
                       Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation




DG0130 | V0015637 | II  | DBMS passwords should not be stored in compiled, encoded or encrypted batch jobs or compiled, encoded or encrypted application source code. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0131 | V0015638 | III | DBMS default account names should be changed. | SQL9 2005 Installation
DG0133 | V0015639 | II  | Unlimited account lock times should be specified for locked accounts. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0138 | V0015642 | II  | Access grants to sensitive data should be restricted to authorized user roles. | SQL7 Database, SQL8 2000 Database, SQL9 2005 Database
DG0140 | V0015643 | II  | Access to DBMS security should be audited. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0141 | V0015644 | II  | Attempts to bypass access controls should be audited. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0142 | V0015645 | II  | Changes to configuration options should be audited. | SQL9 2005 Installation
DG0145 | V0015646 | II  | Audit records should contain required information. | SQL8 2000 Installation, SQL9 2005 Installation
DG0151 | V0015648 | II  | Access to the DBMS should be restricted to static, default network ports. | SQL9 2005 Installation
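The following T-SQL is an added example of how a reviewer can evidence DG0128, DG0131, DG0133, DG0129/DG0167 and DG0151 from the instance itself; it is not part of the checklist or of any DISA-published check procedure. It assumes SQL Server 2005 or later catalog views, a sysadmin connection, and that 1433 is the documented static port (an assumption to replace with the site's own value).

```sql
-- Added example: instance-side evidence for DG0128, DG0131, DG0133,
-- DG0129/DG0167 and DG0151. Assumes SQL Server 2005+ and sysadmin rights.

-- DG0128: the built-in administrator login is always principal_id 1,
-- whatever it has been renamed to. PWDCOMPARE() tests a candidate password
-- against the stored hash without disclosing it; blank_password = 1 means
-- the installation default (an empty password) still works.
SELECT name,
       PWDCOMPARE('', password_hash) AS blank_password,
       is_disabled
FROM   sys.sql_logins
WHERE  principal_id = 1;

-- DG0131: default account names should be changed. A row here means the
-- original administrator login is still called 'sa'.
SELECT name AS default_admin_login, is_disabled
FROM   sys.server_principals
WHERE  principal_id = 1 AND name = 'sa';

-- DG0133: SQL logins only inherit the host's account lockout policy (where
-- the unlimited lockout duration is set) when CHECK_POLICY is on. Enabled
-- logins that opted out never lock, however many failures they accumulate.
SELECT name, is_policy_checked, is_expiration_checked
FROM   sys.sql_logins
WHERE  is_policy_checked = 0 AND is_disabled = 0;

-- DG0129 / DG0167: passwords and sensitive data on the wire. Any TCP session
-- whose connection reports encrypt_option = 'FALSE' is sending cleartext.
SELECT c.session_id, s.login_name, c.client_net_address, c.encrypt_option
FROM   sys.dm_exec_connections c
JOIN   sys.dm_exec_sessions    s ON s.session_id = c.session_id
WHERE  c.net_transport = 'TCP' AND c.encrypt_option = 'FALSE';

-- DG0151: every TCP session should arrive on the documented static port.
-- Other local ports indicate dynamic port assignment or an extra listener.
-- 1433 is an assumption; substitute the port recorded in the SSP.
SELECT DISTINCT local_net_address, local_tcp_port
FROM   sys.dm_exec_connections
WHERE  net_transport = 'TCP' AND local_tcp_port <> 1433;
```

The connection checks only see sessions that exist at the moment the query runs, so run them during normal application load, or pair them with the Force Encryption setting of the network configuration, before recording NF for DG0129 or DG0167.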
DG0152 | V0015148 | II  | DBMS network communications should comply with PPS usage restrictions. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0153 | V0015149 | III | DBA roles should be assigned and authorized by the IAO. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0154 | V0015150 | III | The DBMS requires a System Security Plan containing all required information. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0155 | V0015649 | II  | The DBMS should be configured to use only trusted files, functions, features, or other components during startup, shutdown, aborts, or other unplanned interruptions. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0157 | V0015651 | II  | Remote DBMS administration should be documented and authorized, or disabled. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0158 | V0015652 | II  | DBMS remote administration should be audited. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0159 | V0015118 | II  | Remote administrative access to the database should be monitored by the IAO or IAM. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0161 | V0015103 | II  | An automated tool that monitors audit data and immediately reports suspicious activity should be employed for the DBMS. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0165 | V0015654 | II  | DBMS symmetric keys should be protected in accordance with NSA or NIST-approved key management technology or processes. | SQL9 2005 Database
DG0166 | V0015142 | II  | Asymmetric keys should use DoD PKI Certificates and be protected in accordance with NIST (unclassified data) or NSA (classified data) approved key management and processes. | SQL9 2005 Database
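As an added example (not a check procedure from the checklist or from DISA), the queries below inventory the key material that DG0165 and DG0166 are about, so the reviewer can see which algorithms protect the data, how each key is itself protected, and whether a certificate was issued by a PKI or is self-signed. They assume SQL Server 2005 or later and are run inside each database that holds encrypted data.

```sql
-- Added example: key-material inventory for DG0165 (symmetric keys) and
-- DG0166 (asymmetric keys and certificates). Run in the database under
-- review; assumes SQL Server 2005+.

-- DG0165: each symmetric key, its algorithm and length, and what protects
-- it (password, certificate, asymmetric key or another symmetric key).
-- Legacy algorithms (DES, RC2, RC4) and password-only protection are the
-- findings to look for. The database master key is listed separately.
SELECT k.name, k.algorithm_desc, k.key_length, k.create_date,
       ke.crypt_type_desc AS protected_by
FROM   sys.symmetric_keys k
LEFT JOIN sys.key_encryptions ke ON ke.key_id = k.symmetric_key_id
WHERE  k.name <> '##MS_DatabaseMasterKey##'
ORDER BY k.name;

-- DG0166: certificates. A subject equal to the issuer is self-signed, so not
-- DoD PKI issued; an expired certificate, or a private key with no
-- protection, is also a finding.
SELECT name, subject, issuer_name, start_date, expiry_date,
       pvt_key_encryption_type_desc,
       CASE WHEN subject = issuer_name THEN 'self-signed' ELSE '' END AS note
FROM   sys.certificates
ORDER BY expiry_date;

-- DG0166: asymmetric keys created directly in the database (RSA key pairs
-- not wrapped in a certificate), with their private-key protection.
SELECT name, algorithm_desc, key_length, pvt_key_encryption_type_desc
FROM   sys.asymmetric_keys
ORDER BY name;
```

Note that the catalog shows how keys are protected inside the database only; whether the backup copies and the passwords that open them are handled under an NSA or NIST-approved process has to be checked against the site's key management documentation.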

DG0167 | V0015104 | I   | Sensitive data served by the DBMS should be protected by encryption when transmitted across the network. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0171 | V0015656 | II  | The DBMS should not have a connection defined to access or be accessed by a DBMS at a different classification level. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0172 | V0015657 | II  | Changes to DBMS security labels should be audited. | SQL9 2005 Database
DG0175 | V0015116 | II  | The DBMS host platform and other dependent applications should be configured in compliance with applicable STIG requirements. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0176 | V0015117 | II  | The DBMS audit logs should be included in backup operations. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0179 | V0015658 | II  | The DBMS warning banner should meet DoD policy requirements. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0186 | V0015122 | II  | The database should not be directly accessible from public or unauthorized networks. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0187 | V0015121 | II  | DBMS software libraries should be periodically backed up. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0190 | V0015154 | II  | Credentials stored and used by the DBMS to access remote databases or applications should be authorized and restricted to authorized users. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0194 | V0015108 | II  | Privileges assigned to developers on shared production and development DBMS hosts and the DBMS should be monitored every three months or more frequently for unauthorized changes. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0195 | V0015109 | II  | DBMS production application and data directories should be protected from developers on shared production/development DBMS host systems. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
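In SQL Server the "connection defined to another DBMS" of DG0171 and the "credentials stored to access remote databases" of DG0190 are linked servers and their login mappings. The query below is an added example (not from the checklist or from DISA) of how to list both; it assumes SQL Server 2005 or later and a connection that can read the server catalog.

```sql
-- Added example: linked-server review for DG0171 (no links across
-- classification levels) and DG0190 (stored remote credentials restricted
-- to authorized users). Assumes SQL Server 2005+.

-- Every remote data source this instance is configured to reach. Each row
-- needs to be documented and at the same classification level as this
-- instance; server_id 0 is the local server and is skipped.
SELECT s.server_id, s.name, s.product, s.provider, s.data_source,
       s.is_linked, s.is_remote_login_enabled, s.is_rpc_out_enabled,
       s.is_data_access_enabled
FROM   sys.servers s
WHERE  s.server_id <> 0
ORDER BY s.name;

-- Who may use each linked server, and as whom. local_principal_id = 0 is
-- the catch-all mapping that applies to every login; combined with
-- uses_self_credential = 0 and a fixed remote_name, it hands a stored remote
-- credential to anyone who can connect to this instance at all.
SELECT s.name AS linked_server,
       CASE WHEN l.local_principal_id = 0 THEN '<all logins>' ELSE p.name END
            AS local_login,
       l.uses_self_credential,
       l.remote_name,
       CASE WHEN l.local_principal_id = 0
             AND l.uses_self_credential = 0
             AND l.remote_name IS NOT NULL
            THEN 'review: stored credential exposed to all logins'
            ELSE '' END AS note
FROM   sys.linked_logins l
JOIN   sys.servers s ON s.server_id = l.server_id
LEFT JOIN sys.server_principals p ON p.principal_id = l.local_principal_id
WHERE  s.server_id <> 0
ORDER BY s.name, local_login;
```

The remote password itself is not readable from the catalog, which is the point: the finding is about who can exercise the mapping, not what the secret is.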
DG0198 | V0015662 | II  | Remote administration of the DBMS should be restricted to known, dedicated and encrypted network addresses and ports. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DM0510 | V0002426 | II  | C2 Audit mode should be enabled or custom audit traces defined. | SQL8 2000 Installation, SQL9 2005 Installation
DM0530 | V0002427 | II  | Fixed Server roles should have only authorized users or groups assigned as members. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DM0531 | V0015151 | II  | Fixed Database roles should have only authorized users or groups as members. | SQL7 Database, SQL8 2000 Database, SQL9 2005 Database
DM0660 | V0002436 | II  | The MS SQL Server instance name should not include a SQL Server or other software version number. | SQL8 2000 Installation, SQL9 2005 Installation
DM0900 | V0003335 | II  | SQL Mail, SQL Mail Extended Stored Procedures (XPs) and Database Mail XPs should be enabled only where required. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DM0901 | V0003336 | II  | SQL Server Agent email notification, if enabled, should be documented and approved by the IAO. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DM0919 | V0015170 | II  | SQL Server services should be assigned least privileges on the SQL Server Windows host. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
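DM0510, DM0530, DM0660 and DM0900 can all be evidenced from the instance catalog. The script below is an added example and not a check procedure from the checklist or from DISA; it assumes SQL Server 2005 or later (the option names are those used by sys.configurations) and a sysadmin connection.

```sql
-- Added example: catalog evidence for DM0510 (C2 audit mode or a custom
-- audit trace), DM0530 (fixed server role membership), DM0660 (instance name
-- without a version number) and DM0900 (mail XPs enabled only if required).
-- Assumes SQL Server 2005+ and sysadmin rights.

-- DM0510: value_in_use is what the running instance honours; value alone
-- can differ until the next restart.
SELECT name, value, value_in_use
FROM   sys.configurations
WHERE  name = 'c2 audit mode';

-- DM0510: if C2 auditing is off, a custom audit trace must exist. The
-- default trace (is_default = 1) does not satisfy the requirement by itself.
SELECT id, path, status, is_rollover, max_size, start_time
FROM   sys.traces
WHERE  is_default = 0;

-- DM0900: mail extended stored procedures. value_in_use = 1 without a
-- documented, IAO-approved need is a finding.
SELECT name, value_in_use
FROM   sys.configurations
WHERE  name IN ('Database Mail XPs', 'SQL Mail XPs');

-- DM0660: the instance name should not advertise the product version.
-- NULL InstanceName is the default instance. A four-digit run such as 2000
-- or 2005 in the name is flagged for review.
SELECT SERVERPROPERTY('InstanceName')   AS instance_name,
       SERVERPROPERTY('ProductVersion') AS product_version,
       CASE WHEN CAST(SERVERPROPERTY('InstanceName') AS sysname)
                 LIKE '%[0-9][0-9][0-9][0-9]%'
            THEN 'review: name looks like a version number'
            ELSE 'ok' END AS instance_name_check;

-- DM0530: members of every fixed server role, each to be matched against
-- the IAO's authorized list. sysadmin membership is the one to scrutinize
-- first, since it implies every other role.
SELECT r.name AS server_role, m.name AS member, m.type_desc, m.is_disabled
FROM   sys.server_role_members rm
JOIN   sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN   sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE  r.type = 'R'
ORDER BY r.name, m.name;
```

Windows groups appear as single members in the last result; the reviewer still has to expand group membership on the host to know which individual accounts hold the role.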
DM0920 | V0003832 | II  | A Windows OS DBA group should exist. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DM0921 | V0003833 | II  | The Windows OS DBA group should contain only authorized users. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DM0924 | V0003835 | II  | The SQL Server service should use a least-privileged local or domain user account. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DM0927 | V0003838 | II  | SQL Server registry keys should be properly secured. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DM0928 | V0015169 | II  | The SQL Server services should not be assigned excessive user rights. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DM0929 | V0015134 | II  | The Integration Services service account should not be assigned excess host system privileges. | SQL9 2005 Installation
DM0933 | V0015155 | II  | The SQL Server Agent service account should not be assigned excess user rights. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DM1709 | V0002451 | II  | The guest user account should be disabled. | SQL7 Database, SQL8 2000 Database, SQL9 2005 Database
DM1715 | V0002457 | II  | Object permission assignments should be authorized. | SQL7 Database, SQL8 2000 Database, SQL9 2005 Database
DM1749 | V0002458 | II  | Permissions on system tables should be restricted to authorized accounts. | SQL7 Database, SQL8 2000 Database, SQL9 2005 Database
DM1757 | V0002460 | II  | Direct access to system table updates should be disabled. | SQL7 Installation, SQL8 2000 Installation
DM1758 | V0002461 | I   | The extended stored procedure xp_cmdshell should be restricted to authorized accounts. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DM1760 | V0002463 | II  | DDL permissions should be granted only to authorized accounts. | SQL7 Database, SQL8 2000 Database, SQL9 2005 Database
DM1761 | V0002464 | II  | Stored procedures configured to execute at startup, if any are enabled, should have a custom audit trace defined. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation




   Legend:
   R or RAE = Required Ancillary Equipment
   NF = Not a Finding
   NA = Not Applicable                                                                192 of 1220
   ____ Checklist _V_R_ (<date>)                                            <Test> - TN <Ticket Number>
  PDI   VMSID CAT           Requirement                   Vulnerability   Status   Finding Notes      Section
DM2095  V0002472  II   OLE Automation extended stored procedures should be restricted to sysadmin access.
                       Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DM2119  V0002473  II   Registry extended stored procedures should be restricted to sysadmin access.
                       Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DM2142  V0002485  II   Remote access should be disabled if not authorized.
                       Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DM3566  V0002487  II   SQL Server authentication mode should be set to Windows authentication mode or Mixed mode.
                       Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DM3763  V0002488  II   SQL Server Agent CmdExec or ActiveScripting jobs should be restricted to sysadmins.
                       Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DM3930  V0015137  II   Error log retention should be set to meet log retention policy.
                       Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DM5144  V0002498  II   Permissions using the WITH GRANT OPTION should be granted only to DBA or application administrator accounts.
                       Section: SQL7 Database, SQL8 2000 Database, SQL9 2005 Database
DM5267  V0002500  II   Trace Rollover should be enabled for audit traces that have a maximum trace file size.
                       Section: SQL8 2000 Installation, SQL9 2005 Installation
DM6015  V0015124  II   The Named Pipes network protocol should be documented and approved if enabled.
                       Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DM6030  V0015176  II   SQL Server event forwarding, if enabled, should be operational.
                       Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DM6045  V0015125  II   Only authorized users should be assigned permissions to SQL Server Agent proxies.
                       Section: SQL9 2005 Installation
DM6065  V0015113  II   SQL Server replication agents should be run under separate and dedicated OS accounts.
                       Section: SQL9 2005 Installation
DM6070  V0015178  II   Replication databases should have authorized db_owner role members. The replication monitor role should have authorized members.
                       Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DM6075  V0015182  II   Replication snapshot folders should be protected from unauthorized access.
                       Section: SQL9 2005 Installation
DM6085  V0015183  II   The Analysis Services ad hoc data mining queries configuration option should be disabled if not required.
                       Section: SQL9 2005 Installation
DM6086  V0015184  II   Analysis Services Anonymous Connections should be disabled.
                       Section: SQL9 2005 Installation
DM6087  V0015204  II   Analysis Services Links to Objects should be disabled if not required.
                       Section: SQL9 2005 Installation
DM6088  V0015186  II   Analysis Services Links From Objects should be disabled if not required.
                       Section: SQL9 2005 Installation
DM6099  V0015181  II   Analysis Services user-defined COM functions should be disabled if not required.
                       Section: SQL9 2005 Installation
DM6101  V0015188  I    Analysis Services Required Protection Level should be set to 1.
                       Section: SQL9 2005 Installation
DM6103  V0015190  II   Analysis Services Security Package List should be disabled if not required.
                       Section: SQL9 2005 Installation
DM6108  V0015193  II   The Analysis Services server role should be restricted to authorized users.
                       Section: SQL9 2005 Installation
DM6109  V0015194  II   Only authorized accounts should be assigned to one or more Analysis Services database roles.
                       Section: SQL9 2005 Installation
DM6120  V0015199  III  Reporting Services Web service requests and HTTP access should be disabled if not required.
                       Section: SQL9 2005 Installation
DM6121  V0015205  III  Reporting Services scheduled events and report delivery should be disabled if not required.
                       Section: SQL9 2005 Installation
DM6122  V0015203  II   Reporting Services Windows Integrated Security should be disabled.
                       Section: SQL9 2005 Installation
DM6123  V0015202  III  Use of Common Language Runtime (CLR) objects should be disabled if not required.
                       Section: SQL9 2005 Installation
DM6126  V0015206  II   Only authorized XML Web Service endpoints should be configured on the server.
                       Section: SQL9 2005 Installation
DM6128  V0015165  II   Only authorized Service Broker endpoints should be configured on the server.
                       Section: SQL9 2005 Installation
DM6130  V0015198  II   The Web Assistant procedures configuration option should be disabled if not required.
                       Section: SQL9 2005 Installation
DM6140  V0015197  II   Dedicated accounts should be designated for SQL Server Agent proxies.
                       Section: SQL9 2005 Installation
DM6145  V0015196  II   Only authorized SQL Server proxies should be assigned access to subsystems.
                       Section: SQL9 2005 Installation
DM6150  V0015201  II   Cross database ownership chaining, if required, should be documented and authorized by the IAO.
                       Section: SQL9 2005 Installation
DM6155  V0015187  II   Linked server providers should not allow ad hoc access.
                       Section: SQL9 2005 Installation
DM6160  V0015166  II   Database Engine Ad Hoc Distributed Queries should be disabled.
                       Section: SQL9 2005 Installation
DM6175  V0015159  II   The Database Master Key encryption password should meet DoD password complexity requirements.
                       Section: SQL9 2005 Database
DM6179  V0015161  II   The Database Master Key should be encrypted by the Service Master Key where required.
                       Section: SQL9 2005 Database
DM6180  V0015162  II   Database Master Key passwords should not be stored in credentials within the database.
                       Section: SQL9 2005 Database
DM6183  V0015168  II   Symmetric keys should use a master key, certificate, or asymmetric key to encrypt the key.
                       Section: SQL9 2005 Database
DM6184  V0015164  II   Asymmetric keys should be derived from DoD PKI certificates.
                       Section: SQL9 2005 Database
DM6185  V0015185  II   Asymmetric private key encryption should use an authorized encryption type.
                       Section: SQL9 2005 Database
DM6188  V0015177  II   The Service Master Key should be backed up, stored offline and off site.
                       Section: SQL9 2005 Database
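The key-hierarchy items DM6175 through DM6188 are easier to check from the catalog views than from the requirement text alone. The T-SQL below is an added worked example, not part of the checklist and not vendor guidance: it builds the hierarchy these items call for on SQL Server 2005 and then runs the review queries a checker would use. ExampleDB, ColumnProtectCert, ColumnKey, the backup path and every password are placeholders; the passwords in particular must be replaced by ones that meet the complexity policy and be escrowed outside the database.

```sql
-- Added example (not part of the checklist). Placeholders: ExampleDB, D:\keys\...,
-- the certificate and key names, and every password. Requires SQL Server 2005 or later.

-- DM6188: back up the Service Master Key (SMK), then move the file to offline, off-site
-- storage. The backup password is a placeholder; escrow it separately from the file.
USE master;
BACKUP SERVICE MASTER KEY TO FILE = 'D:\keys\smk_backup.key'
    ENCRYPTION BY PASSWORD = 'Pl@ceholder-ReplaceMe-2008!';

USE ExampleDB;

-- DM6175: the Database Master Key (DMK) password must meet the DoD complexity policy.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Pl@ceholder-ReplaceMe-2008!';

-- DM6179: a new DMK is also encrypted by the SMK, so the server can open it without the
-- password. Keep that only where the site has authorized it; otherwise drop it, after
-- which the DBA must OPEN MASTER KEY with the password before keys under it can be used.
-- ALTER MASTER KEY DROP ENCRYPTION BY SERVICE MASTER KEY;
-- ALTER MASTER KEY ADD ENCRYPTION BY SERVICE MASTER KEY;

-- DM6183: protect symmetric keys with a certificate (itself protected by the DMK),
-- never with a password hard-coded in application code.
CREATE CERTIFICATE ColumnProtectCert WITH SUBJECT = 'Column encryption';
CREATE SYMMETRIC KEY ColumnKey WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE ColumnProtectCert;

-- ---------- Review queries ----------

-- DM6179: which databases have a DMK that is encrypted by the SMK.
SELECT name, is_master_key_encrypted_by_server FROM sys.databases;

-- DM6183: every encryptor of every symmetric key in this database. The DMK itself shows
-- up as ##MS_DatabaseMasterKey##; a user key whose only encryptor is
-- ENCRYPTION BY PASSWORD is a finding.
SELECT sk.name AS key_name, sk.algorithm_desc, ke.crypt_type_desc
FROM sys.symmetric_keys sk
JOIN sys.key_encryptions ke ON ke.key_id = sk.symmetric_key_id
ORDER BY sk.name;

-- DM6184 / DM6185: asymmetric keys, their algorithm and key length, and how the private
-- key is protected (MK = database master key, PW = password, NA = no private key).
SELECT name, algorithm_desc, key_length, pvt_key_encryption_type_desc
FROM sys.asymmetric_keys;

-- DM6180: credentials are server-scoped; review each one's identity and purpose so that
-- none is being used as a hiding place for a master key password.
SELECT name, credential_identity, create_date FROM sys.credentials;
```

The two ALTER MASTER KEY statements are left commented out because which one applies is a site decision under DM6179; run exactly one of them after the authorization is documented.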

DM6189  V0015167  II   The data directory should specify a dedicated disk partition and restricted access.
                       Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DM6193  V0015180  II   Only authorized users should be granted access to Analysis Services data sources.
                       Section: SQL9 2005 Installation
DM6195  V0015173  II   Database TRUSTWORTHY status should be authorized and documented, or set to off.
                       Section: SQL9 2005 Installation
DM6196  V0015172  II   Object permissions should not be assigned to PUBLIC or GUEST.
                       Section: SQL7 Database, SQL8 2000 Database, SQL9 2005 Database
DM6197  V0015171  II   Predefined roles should not be assigned to GUEST.
                       Section: SQL7 Database, SQL8 2000 Database
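Items DM1760, DM5144, DM6195, DM6196 and DM6197 all come down to who holds what inside a database. The T-SQL below is an added worked example, not part of the checklist: the review queries a checker can run against the SQL Server 2005 catalog views, with the SQL Server 2000 procedures noted where those views do not exist, followed by the revokes that clear each finding. ExampleDB, dbo.Orders and app_user are placeholders.

```sql
-- Added example (not part of the checklist). ExampleDB, dbo.Orders and app_user are
-- placeholders. The catalog views need SQL Server 2005 or later; SQL Server 2000
-- equivalents are given in comments.
USE ExampleDB;

-- DM6196: object permissions granted to PUBLIC or GUEST on user objects.
-- class = 1 is an object or column permission; is_ms_shipped = 0 drops system objects.
SELECT dp.name AS grantee, pe.permission_name, pe.state_desc,
       SCHEMA_NAME(o.schema_id) + '.' + o.name AS object_name
FROM sys.database_permissions pe
JOIN sys.database_principals dp ON dp.principal_id = pe.grantee_principal_id
JOIN sys.objects o ON o.object_id = pe.major_id
WHERE pe.class = 1
  AND dp.name IN ('public', 'guest')
  AND o.is_ms_shipped = 0;
-- SQL Server 2000: EXEC sp_helprotect NULL, 'public';  EXEC sp_helprotect NULL, 'guest';

-- DM6197: roles that GUEST is a member of. Applies to SQL Server 7.0/2000, where
-- sp_addrolemember accepts guest; 2005 refuses to add guest to any role.
-- SQL Server 2000: EXEC sp_helpuser 'guest';
SELECT r.name AS role_name
FROM sys.database_role_members rm
JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
WHERE m.name = 'guest';

-- DM5144: permissions held WITH GRANT OPTION (state W), which let the grantee re-grant
-- them to anyone. Only DBA or application administrator accounts should appear here.
SELECT dp.name AS grantee, pe.class_desc, pe.permission_name, pe.state_desc
FROM sys.database_permissions pe
JOIN sys.database_principals dp ON dp.principal_id = pe.grantee_principal_id
WHERE pe.state = 'W';

-- DM1760: database-level DDL permissions (class 0 = the database itself) plus
-- membership of db_ddladmin, which grants the same thing by role.
SELECT dp.name AS grantee, pe.permission_name, pe.state_desc
FROM sys.database_permissions pe
JOIN sys.database_principals dp ON dp.principal_id = pe.grantee_principal_id
WHERE pe.class = 0
  AND (pe.permission_name LIKE 'CREATE %' OR pe.permission_name LIKE 'ALTER%')
UNION ALL
SELECT m.name, 'db_ddladmin member', 'ROLE'
FROM sys.database_role_members rm
JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'db_ddladmin';

-- DM6195: databases with TRUSTWORTHY on. msdb ships that way; any other database needs
-- documented authorization or the setting turned off.
SELECT name FROM sys.databases WHERE is_trustworthy_on = 1;

-- ---------- Remediation ----------
REVOKE SELECT ON dbo.Orders FROM public;
REVOKE SELECT ON dbo.Orders FROM guest;
-- Take away only the right to re-grant, keeping the permission itself; CASCADE also
-- revokes whatever app_user had already granted onward.
REVOKE GRANT OPTION FOR SELECT ON dbo.Orders FROM app_user CASCADE;
EXEC sp_droprolemember 'db_datareader', 'guest';     -- SQL Server 2000
ALTER DATABASE ExampleDB SET TRUSTWORTHY OFF;
```

Run the review section in every user database, not only the one the application owns; the PUBLIC and GUEST grants that cause findings are usually in databases nobody remembers creating.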
DM6198  V0015210  II   The Agent XPs option should be set to disabled if not required.
                       Section: SQL9 2005 Installation
DM6199  V0015211  II   The SMO and DMO XPs option should be set to disabled if not required.
                       Section: SQL9 2005 Installation
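Most of the "should be disabled if not required" items in this section (DM1758, DM2095, DM2142, DM6123, DM6130, DM6150, DM6160, DM6198 and DM6199) are sp_configure switches on SQL Server 2005, and DM2119 is an EXECUTE permission on the registry procedures. The T-SQL below is an added worked example, not part of the checklist: one review query over sys.configurations, the permission check for the registry procedures, and the remediation with the operational caveat a DBA needs before flipping each switch. On SQL Server 7.0 and 2000 the same procedures are restricted by revoking EXECUTE on them in master rather than through sp_configure. ExampleDB is a placeholder.

```sql
-- Added example (not part of the checklist). Requires SQL Server 2005 or later, where
-- these features are sp_configure options. ExampleDB is a placeholder.

-- The feature switches are advanced options; make them visible first.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;

-- ---------- Review ----------
-- value is the configured setting, value_in_use the one currently in effect.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell',                  -- DM1758
               'Ole Automation Procedures',    -- DM2095
               'remote access',                -- DM2142 (remote stored procedure calls)
               'clr enabled',                  -- DM6123
               'Web Assistant Procedures',     -- DM6130
               'cross db ownership chaining',  -- DM6150
               'Ad Hoc Distributed Queries',   -- DM6160
               'Agent XPs',                    -- DM6198
               'SMO and DMO XPs')              -- DM6199
ORDER BY name;

-- DM2119: the registry procedures have no sp_configure switch; check who may execute them.
SELECT o.name AS procedure_name, dp.name AS grantee, pe.state_desc
FROM master.sys.database_permissions pe
JOIN master.sys.all_objects o ON o.object_id = pe.major_id
JOIN master.sys.database_principals dp ON dp.principal_id = pe.grantee_principal_id
WHERE pe.permission_name = 'EXECUTE'
  AND o.name IN ('xp_regread', 'xp_regwrite', 'xp_regdeletekey', 'xp_regdeletevalue',
                 'xp_regenumvalues', 'xp_regenumkeys',
                 'xp_regaddmultistring', 'xp_regremovemultistring');

-- DM6150: even with the server-wide switch at 0, a database can chain on its own.
SELECT name FROM sys.databases WHERE is_db_chaining_on = 1;

-- ---------- Remediation ----------
EXEC sp_configure 'xp_cmdshell', 0;
EXEC sp_configure 'Ole Automation Procedures', 0;
EXEC sp_configure 'clr enabled', 0;
EXEC sp_configure 'Web Assistant Procedures', 0;
EXEC sp_configure 'cross db ownership chaining', 0;
EXEC sp_configure 'Ad Hoc Distributed Queries', 0;
EXEC sp_configure 'remote access', 0;          -- only if no linked-server RPC is authorized
EXEC sp_configure 'SMO and DMO XPs', 0;        -- only if no management tooling needs it
-- 'Agent XPs' at 0 stops SQL Server Agent from working; leave it at 1 where Agent is required.
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- Registry procedures: public commonly holds EXECUTE on xp_regread out of the box; revoke
-- it so only sysadmin members (who bypass the permission check) can call it.
USE master;
REVOKE EXECUTE ON xp_regread FROM public;

-- A database that must keep chaining needs the IAO's documented authorization (DM6150);
-- otherwise turn it off per database as well:
-- ALTER DATABASE ExampleDB SET DB_CHAINING OFF;
```

Two of these switches bite when applied blindly: 'remote access' governs remote procedure calls between linked servers, not ordinary client connections, and 'SMO and DMO XPs' is required by SQL Server Management Studio and most backup tooling, so disabling either needs a named owner who has confirmed nothing depends on it.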




DNS0100  V0013032  II   A name server is not protected by equivalent or better physical access controls than the clients it supports.
DNS0110  V0013034  II   The DNS log archival requirements do not meet or exceed the log archival requirements of the operating system on which the DNS software resides.
DNS0115  V0013035  II   DNS logs are not reviewed daily, or a real-time log analysis or network management tool is not employed to immediately alert an administrator of critical DNS system messages.
DNS0120  V0013036  III  A list of personnel authorized to administer each zone and name server is not maintained.
DNS0125  V0013314  II   A zone or name server does not have a backup administrator.
DNS0130  V0013037  III  A patch and DNS software upgrade log, including the identity of the administrator and the date and time each patch or upgrade was implemented, is not maintained.
DNS0135  V0013038  II   Operating procedures do not require that DNS configuration, keys, zones, and resource record data are backed up on any day on which there are changes.
DNS0140  V0013039  II   Configuration change logs and justification for changes are not maintained.
DNS0145  V0013040  II   Written procedures for the replacement of cryptographic keys used to secure DNS transactions do not exist.
DNS0150  V0013041  II   The IAO has not established written procedures for the process of updating zone records: who is authorized to submit and approve update requests, how the DNS administrator verifies the identity of the person from whom he/she received the request, and how the DNS administrator documents any changes made.
DNS0160  V0013050  III  The DNS architecture is not documented to include the specific role of each DNS server, the security controls in place, and which networks are able to query each server.
DNS0170  V0013313  II   The underlying operating system of the DNS server is not in compliance with the appropriate OS STIG.
DNS0175  V0013051  I    The DNS server software is installed on, or enabled on, an operating system that is no longer supported by the vendor.
DNS0185  V0013053  III  The contents of zones are not reviewed at least annually.
DNS0190  V0013052  III  The SA has not subscribed to ISC's "bind-announce" mailing list for updates on vulnerabilities and software notifications.
DNS0200  V0013042  I    An authoritative master name server does not have at least one, and preferably two or more, active slave servers for each of its zones, or the slave server does not reside on a separate host.
DNS0205  V0013043  I    Name servers authoritative for a zone are not located on separate network segments when the hosts described by the records in the zone are themselves located across more than one network segment.
DNS0210  V0013044  II   A zone includes hosts located in more than one building or site, yet at least one of the authoritative name servers supporting the zone is not as geographically and topologically distributed as the most remote host.
DNS0215  V0013045  III  Private IP space is used within an enclave without the use of split DNS to prevent private IPs from leaking into the public DNS system.
DNS0220  V0013046  III  The DNS database administrator has not documented the owner of each zone (or group of related records) and the date the zone was created, last modified, or verified. This documentation will preferably reside in the zone file itself as comments; if that is not feasible, the DNS database administrator will maintain a separate database for this purpose.
DNS0400  V0013047  II   The name server software on production name servers is not BIND, Windows 2000 or later DNS, or an alternative with equivalent security functionality, configured in a manner that satisfies the general security requirements listed in the STIG. The only currently approved alternative is Cisco CSS DNS.
DNS0402  V0014763  I    The name server software on production name servers is not BIND, Windows 2000 or later DNS, or an alternative with equivalent vendor support, configured in a manner that satisfies the general security requirements listed in the STIG. The only currently approved alternative is Cisco CSS DNS.
DNS0405  V0013048  II   Hosts outside an enclave can directly query, or request a zone transfer from, a name server that resides on the internal network (i.e., not in a DMZ).
EN540    V0004027  II   Servers do not employ Host Based Intrusion Detection (HIDS).
DNS0225  V0004467  III  Record owners will validate their zones no less than annually. The DNS database administrator will remove all zone records that have not been validated in over a year.
DNS0230  V0004468  III  A zone file includes resource records for a host whose fully qualified domain name resides in another zone. The only exceptions are a glue record or a CNAME record supporting a system migration.
DNS0235  V0004469  III  Zone-spanning CNAME records that point to a zone with lesser security are active for more than six months.
DNS0240  V0004470  I    The DNS database administrator has not ensured that each NS record in a zone file points to an active name server authoritative for the domain specified in that record.
DNS0415  V0004473  II   DNS software does not run on dedicated hardware (running only those services required for DNS). The only currently accepted exception to this requirement is Windows 2000/2003 DNS, which must run on a domain controller that is integrated with Active Directory services.
DNS0420  V0004475  II   Permissions on files containing DNS encryption keys are inadequate.
DNS0425  V0004476  II   Users and/or processes other than the DNS software account and/or the DNS database administrator have edit/write access to the zone database files.
DNS0430  V0004477  II   Users or processes other than the DNS software administrator and the DNS software account have read access to the DNS software configuration files, and/or users other than the DNS software administrator have write access to these files.
DNS0435  V0004478  II   The name server's IP address is NOT statically defined and configured locally on the server; the name server has a DHCP address.
DNS0440  V0004479  II   An integrity checking tool is not installed, or is not monitoring for modifications to the root.hints and named.conf files.
DNS0450  V0004481  I    Dynamic updates are not cryptographically authenticated.
DNS0455  V0004482  I    The DNS software administrator will configure each master/slave server supporting a zone to cryptographically authenticate zone transfers.
DNS0460  V0004483  II   A zone master server does not limit zone transfers to a list of active slave name servers authoritative for that zone.

DNS0470    V0004485  II   A name server is not configured to only accept notifications of zone changes from a host authoritative for that zone.
DNS0475    V0004486  II   Recursion is not prohibited on an authoritative name server.
DNS0480    V0004487  II   A caching name server does not restrict recursive queries to only the IP addresses and IP address ranges of known supported clients.
DNS0482    V0012774  II   The forwarding configuration of DNS servers allows the forwarding of queries to servers controlled by organizations outside of the U.S. Government.
DNS0485    V0004488  I    The DNS software does not log, at a minimum, success and failure of starting and stopping of the name server service daemon, zone transfers, zone update notifications, and dynamic updates.
DNS0490    V0004489  II   The DNS software administrator has not configured the DNS software to send all log data to either the system logging facility (e.g., UNIX syslog or Windows Application Event Log) or an alternative logging facility with security configuration equivalent to or more restrictive than the system logging facility.
DNS0495    V0004490  III  Entries in the name server logs do not contain timestamps and severity information.

DNS0500    V0004491  I    Valid root name servers do not appear in the local root zone file. G and H root servers, at a minimum, do not appear in the local root zone files.
DNS0505    V0004492  III  The DNS software administrator has not removed the root hints file on an authoritative name server so that it resolves only those records for which it is authoritative and refuses all other queries.
DNS4600    V0014756  III  The DNS administrator will ensure non-routable IPv6 link-local scope addresses are not configured in any zone. Such addresses begin with the prefixes "FE8", "FE9", "FEA", or "FEB".
DNS4610    V0014757  III  AAAA addresses are configured on a host that is not IPv6 aware.
DNS0250    V0012440  III  A new TSIG key is not generated and utilized for each type of transaction. (STIG has "new" and VMS has "unique")
DNS0445    V0004480  II   A cryptographic key used to secure DNS transactions has been utilized on a name server for more than one year.
DNS0705    V0004493  III  The DNS software administrator has not utilized at least 160-bit HMAC-SHA1 keys if available.
DNS0710    V0004494  II   A TSIG key is not in its own dedicated file.

DNS0715    V0004511  II   A BIND name server is not configured to accept control messages only when the control messages are cryptographically authenticated and sent from an explicitly defined list of DNS administrator workstations.
DNS0720    V0004495  II   A unique TSIG key is not utilized for communication between name servers sharing zone information.
DNS4620    V0014758  II   The DNS software administrator will ensure the named.conf options statement does not include the option "listen-on-v6 { any; };" when an IPv6 interface is not configured and enabled.
DNS4640    V0014759  III  The DNS administrator, when implementing DNSSEC, will create and maintain separate key-pairs for key signing and zone signing.
DNS4650    V0014760  III  The DNSSEC algorithm for digital signatures is not RSASHA1.
DNS4660    V0014761  III  The DNSSEC key signing key is not at least 2048 bits.
DNS4670    V0014762  III  The DNSSEC key signing key does not have a minimum roll over period of one year.
DNS4680    V0014764  III  The DNSSEC zone signing key size is not at least 1024 bits.
DNS4690    V0014765  III  The DNSSEC zone signing key minimum roll over period is not at least 60 days.

DNS4700    V0014766  I    The DNSSEC private key file is not owned by the DNS administrator or its permissions are not set to a minimum of 600.
DNS4710    V0014767  II   DNSSEC is not enabled for signing files between name servers with DNSSEC capabilities.
DNS4440    V0003617  III  BIND is not configured to run as a dedicated non-privileged user account. BIND is running as a root user.
DNS4445    V0012967  III  The SA has not configured BIND in a chroot(ed) directory structure.
DNS4450    V0003618  II   A UNIX or UNIX-based name server is running unnecessary daemons/services and/or is configured to start an unnecessary daemon, service, or program upon boot up.
DNS4460    V0003619  III  It is possible to obtain a command shell by logging on to the DNS user account.
DNS4470    V0003620  II   Permissions on critical UNIX name server files are not as restrictive as required.
DNS4480    V0012966  II   Inadequate file permissions on BIND name servers.
DNS4720    V0024996  I    DNS is using a statically configured source port.
DNS4730    V0024997  II   BIND recursive servers disable query randomization.
DNS4530    V0003621  II   ISC BIND is not configured to run as a dedicated non-privileged service user account.

DNS4540    V0003622  III  The ISC BIND service user is a member of a group other than Everyone and Authenticated Users.
DNS4550    V0003623  III  The ISC BIND service does not have the appropriate user rights required for the proper configuration and security of ISC BIND.
DNS4570    V0003624  II   The appropriate encryption software is not correctly installed and configured on Windows ISC BIND name servers and it is required that in-band remote management be performed from hosts outside the enclave in which the name server resides.
DNS4590    V0003626  II   The ownership and permissions on all Windows ISC BIND name servers are not as restrictive as required.
DNS0260    V0012479  II   Computer accounts for DHCP servers are members of the DNSUpdateProxy group.
DNS0805    V0004501  I    The DHCP server service is not disabled on any Windows 2000/2003 DNS server that supports dynamic updates.
DNS0810    V0004502  I    Zone transfers are not prohibited or a VPN solution is not implemented that requires cryptographic authentication of communicating devices and is used exclusively by name servers authoritative for the zone.

DNS0815    V0004503  II   Forwarders on an authoritative Windows 2000/2003 DNS server are not disabled.
DNS0825    V0004505  I    WINS lookups are not prohibited on a Windows 2000/2003 DNS server.
DNS4580    V0003625  II   Shares other than the default administrative shares are enabled on a name server.
DNS4630    V0014768  II   The IPv6 protocol is installed and the server is only configured to respond to IPv4 A records.
DNS0900    V0004506  III  The shared secret in the APP session(s) was not a randomly generated 32 character text string.
DNS0905    V0004507  II   The Cisco CSS DNS is utilized to host the organization's authoritative records and DISA Computing Services does not support that host in its csd.disa.mil domain and associated high-availability server infrastructure.
DNS0910    V0004508  III  Zones are delegated with the CSS DNS.
DNS0915    V0004512  I    CSS DNS does not cryptographically authenticate APP sessions.
DNS0920    V0004509  III  The CSS DNS does not transmit APP session data over an out-of-band network if one is available.
DNS0925    V0004510  II   Forwarders are not disabled on the CSS DNS.

DNS0225    V0004467  III  DNS database administrators, with the assistance of record owners, will validate the zone records annually. The DNS database administrator will remove all zone records that are not validated each year.
DNS0235    V0004469  III  Zone-spanning CNAME records that point to a zone with lesser security are active for more than six months.

APPNET0001  V0007022  II   The File IO permission allows an application to access system files directly.
APPNET0003  V0007023  II   The Isolated Storage permission is used to allow applications to store temporary data to a local user data store.
APPNET0004  V0007024  II   The User Interface Permission for windowing controls access to user interface windows.
APPNET0005  V0007025  II   The User Interface Permission for clipboard controls application access to clipboards used by the user or other applications.
APPNET0006  V0007026  II   The Reflection permission controls an application's discovery of other system resources and applications.
APPNET0007  V0007027  II   The Printing permission controls application access to system printing resources.
APPNET0008  V0007028  II   The DNS permission controls application access to DNS resources available to the host system.
APPNET0009  V0007029  II   The Socket Access permission controls application access to network ports defined on the host system.
APPNET0010  V0007030  II   The Web Access permission controls application access to HTTP requests to designated URLs or the configuration of HTTP settings.

APPNET0011  V0007031  II   The Message Queue permission controls application access to communications across the network.
APPNET0012  V0007033  II   The Service Controller permission controls application access to the control of Windows services.
APPNET0013  V0007034  II   The Database permissions control application access to databases defined on the host system.
APPNET0014  V0007035  II   The Security permission Extend Infrastructure controls application access to message processing.
APPNET0015  V0007037  II   The Security permission Enable Remoting Configuration defines the communication channels available to an application.
APPNET0016  V0007038  II   The Security permission Enable Serialization Formatter controls access to serialized data. Serialized data is data formatted into a series of bits for storing or transmitting.
APPNET0017  V0007039  II   The Security permission Enable Thread Control is used to control application access to abort, suspend, or resume its threads.
APPNET0018  V0007040  II   The Security permission Allow Principal control controls application access to Windows user information.
APPNET0019  V0007041  II   The Security permission Enable Assembly Execution allows applications to execute.

APPNET0020  V0007042  II   The Security permission Skip Verification controls the execution of code that is verified as being type safe.
APPNET0021  V0007043  II   The Security permission Allow Calls to Unmanaged Assemblies controls application access to applications not managed by the .Net Framework.
APPNET0022  V0007044  II   The Security permission Allow Policy Control controls application access to the current security policy configuration.
APPNET0023  V0007045  II   The Security permission Allow Domain Policy Control defines application access to its own application domain security policy.
APPNET0024  V0007046  II   The Security permission Allow Evidence Control is used to control an application's access to supply or modify evidence used to determine access to system resources.
APPNET0025  V0007048  II   The Security permission Assert any Permission that Has Been Granted controls application access to permissions assigned to any code in the assembly that called it.
APPNET0026  V0007049  II   The Performance Counter permission controls application access to system performance monitoring resources.

APPNET0027  V0007051  II   The Environment Variables permission controls application access to system environment variables and to other system resource names.
APPNET0028  V0007052  II   The Event Log permission controls application access to event log resources defined on the system.
APPNET0029  V0007053  II   The Registry permission controls application access to the Windows registry.
APPNET0030  V0007054  II   The Directory Services permission controls application access to the system Directory Service resources.
APPNET0031  V0007055  II   The Strong Name Membership Condition establishes the requirement for all code defined in the group to be configured with a Strong Name. Strong Name verification should not be omitted in a production environment.
APPNET0032  V0007056  II   The First Match Code Group is used to control the depth to which a branch of the code group tree is traversed when assigning membership to assemblies.
APPNET0033  V0007057  II   The File Code Groups and Net Code Groups are used to establish directory access and web site connections respectively by the application.
APPNET0035  V0007058  II   The Level Final Code Group Attribute prevents permission sets farther down in the Code Group hierarchy from being applied to the assembly.

APPNET0041  V0007059  II   The Zone Membership Condition determines policy level based on the URL zone of the application origin.
APPNET0045  V0007060  I    The use of the CAS policy can be enabled or disabled on the system.
APPNET0046  V0007061  II   The Windows system may be configured to allow use of certificates that are designated as being for test use.
APPNET0047  V0007062  II   The Windows system may be configured to check the application for use of expired certificates.
APPNET0048  V0007063  II   The Publisher Member Condition requires member code to be certified using certificates originating from a trusted source.
APPNET0049  V0007064  II   This checks the setting that determines whether certificates are checked for revocation status.
APPNET0050  V0007065  II   The settings reviewed in this check determine the handling of certificates with differing unknown statuses due to temporary unavailability of a certificate verification service. For example, certificate verification that is dependent on real-time access to a certificate status server could be unavailable due to a break in network communications.

APPNET0051  V0007066  II   This Windows setting determines whether the system requires certificates to be time stamped to verify the certificate is current.
APPNET0052  V0007067  II   The Strong Name Membership condition requires that member assemblies be defined with Strong Names.
APPNET0054  V0007068  III  The use of duplicate code group names within a level of the CAS policy can lead to mis-assignment of permissions.
APPNET0055  V0007069  II   CAS Policy and CAS Policy Configuration files are required for a complete system baseline and disaster recovery event.
APPNET0060  V0007070  II   The typefilterlevel="Full" attribute allows unfiltered code to access system resources.
APPNET0061  V0018395  II   Verify the installed .Net Frameworks are still supported by Microsoft.

   DoD Defense Red Switch Network Checklist (28 Mar 06)             <Test> - TN <Ticket Number>
   PDI    VMSID CAT            Requirement          Vulnerability   Status   Finding Notes
DRSN1001   V0004661  III  An IAO must be appointed in writing.
DRSN1002   V0004669  III  There must be a separation of duties between the Special Security Officer (SSO) and the Information Assurance Officer.
DRSN1003   V0004681  III  DRSN Collateral switch nodes must be located in an approved TS exclusion area.
DRSN1004             II   A facility housing DRSN end terminals or instruments must be certified and approved for operations at the highest classification of the instrument.
DRSN1005             III  No policy and/or procedure is defined and enforced that provides for inspection of unattended facilities upon entry and/or there is no procedure for providing granular documentation of the inspection and/or there are no defined reporting procedures for detected incidents.
DRSN1006             III  No means of detection or reporting of physical tampering has been provided for equipment cabinets and/or devices.
DRSN1007             III  The IAO must conduct and/or document self-inspections of the DRSN components at least semi-annually for security risks.
DRSN1008             II   Facilities housing DRSN switches and/or peripheral and OAM&P/NM systems have NO access controls or they are improperly used.

   Legend:
   R or RAE = Required Ancillary Equipment
   NF = Not a Finding
   NA = Not Applicable                                                        217 of 1220
   DoD Defense Red Switch Network Checklist (28 Mar 06)              <Test> - TN <Ticket Number>
DRSN1009              II    There is no personnel security program defined, documented, and/or enforced.
DRSN1010              II    Personnel working on and in areas housing DRSN switches as well as peripheral and OAM&P/NM systems must possess a current security clearance appropriate to the area.
DRSN1011              II    Personnel physical access to facilities housing DRSN switches, peripheral, and OAM&P/NM systems must be properly controlled.
DRSN1012   V0004615   II    A non-disclosure agreement (NDA) required for access to classified information must be on file.
DRSN1014              II    All personnel supporting a DRSN switch must be briefed (or “read on”) regarding the security requirements relating to all missions supported by the switch.
DRSN1015   V0004660   III   Personnel accessing the DRSN must possess the appropriate need-to-know.
DRSN1016   V0004677   II    Visit Authorization Letters must be on file for contractor personnel.
DRSN1017              II    Contractor personnel performing hardware or software installation or maintenance must possess a verified individual clearance and need-to-know or are not escorted.




DRSN1018              II    Cleaning crews must be properly cleared for the area(s) to be cleaned and/or perform janitorial services during normal working hours.
DRSN1019   V0004676   II    Users must have their status and affiliation displayed as part of their e-mail address.
DRSN1020              II    Temporary Foreign/Local National personnel must be properly supervised or escorted.
DRSN1021              II    Foreign/Local National personnel hired by a base/post/camp/station for the purpose of operating or performing OAM&P/NM functions on DRSN switches and subsystems must be properly cleared.
DRSN1022              II    Foreign/Local National personnel must not have duties or access privileges that exceed those allowed by DoDI 8500.2 E3.4.8.
DRSN1023   V0004616   I     Foreign National access to DRSN must be approved in writing by the DoD Component Head IAW DoD, DOS, and DCI policies.
DRSN1024              I     DRSN terminals accessible by properly cleared non-U.S. citizens, authorized for unsupervised access, must be assigned “foreign-access” SALs.




DRSN1025              II    Allied or foreign national personnel authorized for unsupervised access to network terminals must be authorized in writing by the commander who is responsible for the network terminals.
DRSN1026   V0004668   III   Site personnel must receive the proper security training.
DRSN1027              II    Site personnel must receive the proper security training and/or be familiar with the documents located in the security library.
DRSN1028   V0004675   II    Authorized personnel must be assigned an appropriate ADP Access Level.
DRSN1029   V0004618   II    Personnel with IA responsibilities must be trained and certified.
DRSN1030              III   The IAO must maintain an up-to-date IA policy and information library.
DRSN1031              II    Users of classified communications systems must verify the clearance and need-to-know of the distant parties with whom they communicate.
DRSN1032              II    Personnel authorized uncontrolled access to the physical area in which classified communications systems are located must ensure only authorized persons access the equipment.
DRSN1033              I     Foreign nationals who are authorized for unsupervised access to classified communications systems located in U.S.-controlled areas must be properly cleared.

DRSN1035              II    A DRSN Approved Products List (APL) must be implemented/maintained and/or must test systems for IO and IA.
DRSN1036              II    A DRSN system in operation must be listed on the DRSN APL or in the process of being tested.
DRSN1037              III   All applicable STIGs and deployment limitations must be applied to installed systems.
DRSN1038              III   A DRSN system must be implemented as APL listed, using the configuration that was approved and for the approved purpose.
DRSN1039              III   DSN/DRSN APL, NIAP CCEVS, and/or FIPS CMVP listing must be considered for products being considered for procurement, installation, or upgrade and connection to the DISN.
DRSN1040              I     Interfaces to the DRSN RED switch must be properly approved by OSD, JS, and/or the DRSN PMO as appropriate, in accordance with CJCSI 6215.01B.
DRSN1041              III   Ongoing “compliance with all applicable STIGs and checklists” requirements and validation measures must be included in RFPs, specifications, and contracts for procured or leased systems or services.




DRSN1042              III   Support for C&A requirements must be included in RFPs, specifications, and contracts for procured systems.
DRSN1043              III   Vendor testing and approval of STIG, checklist, or IAVM required security patches and other configuration changes must be included in RFPs, specifications, and contracts for support of procured systems.
DRSN1044              III   Commercially contracted (leased or procured) systems and services must comply with all applicable STIGs.
DRSN1045   V0004674   I     The local switch site must be accredited.
DRSN1046   V0004665   III   A formal system security baseline must exist.
DRSN1047              II    Security related SOPs must be established and followed.
DRSN1048   V0004666   II    A site specific SSAA must exist.
DRSN1049              II    Deviations from program directed or published standard system baseline security configurations must be approved.
DRSN1051              II    The PMO must maintain overall site/system/network documentation and topology diagrams and must include all site level documentation.
DRSN1052              II    IAVM notices must be responded to within the time period specified within the notice.


DRSN1053              II    IAVMs must be addressed using RTS system vendor approved or provided patches.
DRSN1054              II    DRSN assets must be registered in a VMS and/or DISA owned assets are not registered in the DISA VMS.
DRSN1055              III   DRSN SAs must be registered in the DISA or similar VMS as the assets for which they are responsible are.
DRSN1056              III   Systems/devices must be IAVM compliant before connection to the network.
DRSN1057              II    The PMO has no or has a deficient configuration management process.
DRSN1058              II    The DRSN IAO must be involved in the configuration management process and/or does not ensure adherence to the security requirements of the STIG(s).
DRSN1059              III   The NOCs and IAOs must be aware of the configuration management process and/or must adhere to the documented process.
DRSN1060              II    Testing procedures for all new or upgraded hardware and software have not been created and/or are not maintained.
DRSN1061              II    Site staff does not verify and/or record the identity of individuals installing or modifying a device or software.
DRSN1063              II    Public domain software products are in use.


DRSN1064              II    A standard software or OS release version must be tested and designated for use on all similar systems.
DRSN1065              II    All similar devices are NOT deployed or upgraded to the most current tested and certified software versions as directed by the PMO.
DRSN1066              II    The latest software loads and patches are NOT applied to all systems to take advantage of security enhancements.
DRSN1067              II    Installed maintenance and/or security patches are not tested and/or approved.
DRSN1068              II    System software has been upgraded to a major new software version that has NOT been tested, certified, and placed on the DSN/DRSN APL before installation.
DRSN1069              II    Baseline configurations for all similar systems and devices in the network are not tested, certified, identified, documented, and/or maintained by the PMO.
DRSN1070              III   The appropriate current/standard PMO approved baseline configuration is not used on all systems and devices.
DRSN1071              III   The current and previous device configurations are not “backed up” and/or are not stored in a secured location that is not collocated with the system/device.




DRSN1072              III   A network-addressing plan that addresses logical address grouping to enhance routing and flexibility has not been developed, documented, maintained, and/or enforced by the PMO.
DRSN1073              III   The current approved network addressing plan is not implemented.
DRSN1074              III   A naming convention for all network devices has not been developed, documented, maintained, and/or enforced.
DRSN1075              III   Network devices are not named in accordance with the documented and approved naming convention.
DRSN1076              III   The DNS names of network devices are not coordinated with the device names.
DRSN1077              II    No procedures are in place and/or followed that ensure the integrity of master copies of all operational software, operational backup files, audit information, and current hardware/firmware configuration data.
DRSN1078              II    System configurations and data for all devices are not backed up at a minimum on a weekly basis and/or backups are not properly stored.
DRSN1079              III   A COOP/Disaster recovery plan has not been developed, documented, tested, periodically exercised, and/or maintained.


DRSN1080              III   No software upgrade/deployment procedure has been defined and/or it does not include testing and validation of the upgrade.
DRSN1081              III   Upgrade procedures are not referenced in change management documentation.
DRSN1082              II    Up-to-date back-up media is not available prior to software or configuration modification.
DRSN1083              III   Current operating and saved configurations are NOT synchronized locally within one hour of configuration changes.
DRSN1084              II    Configurations are not backed up to a different local system, or offline, one hour following software or configuration modification.
DRSN1085              I     DRSN links and trunks are NOT encrypted using NSA-approved cryptographic interface configurations approved by the PMO.
DRSN1086              I     Unencrypted DRSN lines, links, and trunks (i.e., those carrying classified red signals) are NOT protected by a PDS or SDS.
DRSN1088              I     Distribution System(s) (PDSs) are NOT inspected and/or certified as required, initially, periodically, and when modified, by the appropriate designated Certified TEMPEST Technical Authority (CTTA).




DRSN1089              I     COMSEC keying material is not properly handled or stored IAW NSTISSI 4010 and/or DoD component directives.
DRSN1090   V0004672   I     COMSEC material is not being stored in a GSA approved container.
DRSN1091              II    COMSEC Keying Material is not changed in accordance with the approved schedule.
DRSN1092              II    COMSEC Keying Materials are not properly managed.
DRSN1094              II    Encryption software used to protect sensitive information (not classified) is not Federal Information Processing Standard (FIPS) 140-2 validated.
DRSN1095   V0004680   I     Instruments located in local commanders' quarters operate at SCI level and are not limited to TS or Secret.
DRSN1096              I     DRSN information is not properly classified and/or handled IAW established policies.
DRSN1097   V0004683   II    Documents associated with DRSN switches are not properly classified and/or class marked (labeled).
DRSN1098   V0004685   II    Systems, devices, terminals, and/or storage devices are not properly marked with the highest security level of the information being stored, displayed, or processed.
DRSN1099              I     DRSN information is not properly classified and/or handled IAW established policies.




DRSN1101              II    No SOP exists or is followed that ensures all suspected or actual security compromises are properly reported to all appropriate authorities, investigated, and repaired IAW DRSN and national security policy.
DRSN2001              III   A DoD Voice/Video/RTS system or device is NOT configured in substantial compliance with all applicable STIGs or the appropriate STIGs have not been applied to the fullest extent possible.
DRSN2002              II    Critical systems, subsystems, and/or components share the general use data network.
DRSN2003              II    Critical DRSN/RTS servers/devices are not dedicated to their main purpose and contain applications not required for the critical operations.
DRSN2004              III   Unused device connections or physical ports on backbone communications devices, such as routers, ATM switches, and other network elements, are not disabled or removed.
DRSN2005              III   Unused network access device connections or physical ports are not appropriately secured from unauthorized use.




DRSN2006              II    An unclassified speaker system is improperly designed/implemented such that speakers located in classified areas can pick up classified conversations and transmit them out of the classified area.
DRSN2007              II    Voice/Video/RTS devices located in SCIFs do not prevent on-hook audio pick-up, and/or do not have a speakerphone feature disabled, or are not implemented in accordance with DCID 6/9 or TSG Standard 2.
DRSN2008              II    A classified speaker system is improperly designed/implemented such that speakers located in classified areas can pick up classified conversations and transmit them, or broadcast the carried classified information, out of the classified area.
DRSN2009              II    No policy exists for speakerphones on classified systems.
DRSN2010              II    A policy is NOT in place and/or enforced regarding the placement and use of speakerphones connected to secure telephone systems (e.g., the DRSN) that are located in SCIFs.
DRSN2011              I     A policy is NOT in place and/or enforced regarding the placement and use of speakerphones connected to secure telephone systems (e.g., the DRSN) that are located in SCIFs.


DRSN2101              II    The out-of-band or direct connection method for system device management is not used.
DRSN2102              II    An OOB management network is not dedicated to device management.
DRSN2104              II    System management access (in-band or OOB) does not enforce DoD policy for role based access, two-factor authentication, encrypted sessions, and/or auditing.
DRSN2105              II    Network management traffic and/or session login is NOT encrypted, or is not using FIPS 140-2 validated crypto modules.
DRSN2106              II    The use of in-band management is NOT limited to emergency situations, and/or is not approved and documented on a case by case basis.
DRSN2107              II    The use of in-band management is NOT restricted to a limited number of authorized IP addresses (10 or less).
DRSN2108              II    Idle connections DO NOT disconnect in 15 min.
DRSN2109              II    The component is not configured to be unavailable for 60 seconds after 3 consecutive failed logon attempts.
DRSN2110              II    A Management network DOES NOT comply with the Enclave and/or Network Infrastructure STIGs.




DRSN2111              I     Access to systems or devices and/or management networks is granted to non-government employees or contractors, and that access is not controlled or monitored.
DRSN2112              II    OOB management routers and terminal servers DO NOT limit the source of any management connection to authorized source addresses.
DRSN2113              II    OOB management routers and terminal servers DO NOT maintain separation between the management and production networks.
DRSN2115              I     Unapproved modems are used against policy for management of DRSN switches, assets, and/or communications devices.
DRSN2116              II    Modems do not comply with the requirements for user authentication and access to connected devices, management access, and encryption.
DRSN2117              II    Modem authentication does not use a separate authentication server located within the extended enclave and/or encryption is not used.
DRSN2118              II    Modems are not physically protected to prevent unauthorized device changes.
DRSN2119              II    A detailed listing of all modems is not being maintained.
DRSN2120              II    Unauthorized modems are installed.

DRSN2121            II   Modem phone lines are not restricted and configured to their mission required purpose (i.e. inward/outward dial only).
DRSN2122            II   Modem phone lines are not restricted to single-line operation.
DRSN2123            II   The option of Automatic Number Identification (ANI) is available but not being used.
DRSN2125            I    SSH version 1, or version 1 compatibility mode, is used.
DRSN2126            II   A vulnerable version of SSH is in use.
DRSN2127            I    SNMP V1 or V2 has been enabled on the network infrastructure. SNMP V3 has been enabled on the network infrastructure without the V3 User-based Security Model authentication and privacy.
DRSN2128            II   A standard operating procedure for SNMP community string management is not established and/or maintained.
DRSN2129            III  Both privileged and non-privileged SNMP modes are used on all SNMP devices, but different community names are not used for read-only access and read-write access.
DRSN2130            II   NM servers and/or NM systems do not restrict access to them from authorized IP addresses.
DRSN2131            I    SNMP community strings are not changed from the default values.
DRSN2133            II   The finger service is not disabled.
DRSN2134            I    HTTP and/or TELNET is not disabled or secured.
DRSN2136            II   TFTP usage is not justified and/or documented.
DRSN2138            II   FTP username and password are NOT configured.
DRSN2139            II   Encryption protocols are used to transmit traffic directly to a host, but a host based intrusion detection (HID) system is not in use.
DRSN2140            II   VPN traffic bypasses the Network IDS.
DRSN2150            II   FTP user IDs do not expire and/or passwords are not changed every 90 days.
DRSN2151            I    FTP or Telnet is used with a userid (UID)/password that has administrative or root privileges.
DRSN2152            III  “Anonymous” FTP is used within the enclave.
DRSN2153            I    Remote control software is used to allow access to systems, servers, or network devices from non-DoD non-secure networks outside the enclave.
DRSN2154            I    Unrestricted remote control access to DoD systems, servers, or network devices is permitted or is in use.
DRSN2155            II   Remote control software is not properly secured and/or is not DAA approved.
DRSN2157            II   A properly worded Login Banner is not used on all management access ports and/or OAM&P/NM workstations.
DRSN2201            I    Administrative/management ports on a device or system do not use the strongest password method available on the device.
DRSN2202            II   Access to all management system workstations and administrative / management ports is NOT remotely authenticated.
DRSN2204            III  Strong two-factor authentication is NOT used to access all management system workstations and administrative / management ports on all devices or systems.
DRSN2205            I    Default accounts/passwords, and manufacturer backdoor accounts, have not been removed or changed prior to connection to the network.
DRSN2207  V0004658  II   Switch personnel are not assigned individual userids and passwords.
DRSN2208            II-III-IV  Shared user/SA accounts are used and not documented.
DRSN2209            III  Passwords must meet complexity requirements.
DRSN2210            II   The option to use passwords that are randomly generated by the DSN/DRSN component is available but not being used.
DRSN2211            II   Users/SAs are not required to change their password during their first session logon or following a reset.
DRSN2212  V0004663  II   Passwords are not changed every 90 days, after departure of personnel, and after suspected compromise.
DRSN2213            II   Users/SAs are permitted to change their passwords at an interval of less than 24 hours without ISSO/IAO intervention.
DRSN2214            III  Password reuse/history is not set to 8 or greater of the previous passwords used.
DRSN2215            III  User/SA accounts are not disabled after 35 days of inactivity.
DRSN2216            II   A user's/SA's account is not automatically disabled after three notifications of password expiration.
DRSN2217            I    User/SA passwords can be retrieved and viewed in clear text by another user/SA.
DRSN2218            I    Users'/SAs' passwords are displayed in the clear when logging into the system/device.
DRSN2219            II   Passwords are viewable in the clear in configuration files viewable online or in offline storage.
DRSN2220            I    Password lists are not encrypted when stored on management workstations or systems that manage device login for a SA (single sign-on systems, etc.) or on the system/device itself.
DRSN2221            II   All system administrative and maintenance user accounts are not documented and/or stored in a secure or controlled manner (e.g., in a safe).
DRSN2222  V0004662  II   The ISSO/IAO has not recorded the passwords of high level users (ADMIN) used on DSN/DRSN components and stored them in a secure or controlled manner.
DRSN2223            II   User names and passwords must be encrypted when logging into system devices remotely across a network.
DRSN2225            II   Un-needed device management accounts have not been removed or disabled.
DRSN2226            II   More than 2 emergency accounts are configured on a device.
DRSN2227            II   Local emergency usernames and passwords are not stored in a locked container (safe) at the NOC, or access to the container is not controlled and/or logged.
DRSN2228            II   Local emergency accounts are used to access devices under non-emergency conditions.
DRSN2229            II   Local emergency management accounts are not changed and documented following use.
DRSN2230            II   A device is capable of encrypting the local emergency password; however, this feature is not being used.
DRSN2231            II   Role Based DAC is not employed or available.
DRSN2232            II   System administrative and maintenance users are assigned accounts with privileges that are not commensurate with their assigned responsibilities.
DRSN2233            III  Unauthorized SAs have the ability to access stored configuration files.
DRSN2234            III  The option to restrict user access based on duty hours is available but is not being utilized.
DRSN2235  V0004664  II   An audit trail is not being maintained for all access requests to DRSN RED switch operating information, control functions, and software.
DRSN2236            II   System auditing does not capture all events that are required to be recorded.
DRSN2237            II   System auditing does not capture all information required to be recorded for each event.
DRSN2238            III  A centralized audit server is not used to collect audit records from system and network devices.
DRSN2239            III  The audit collection server is not restricted by IP address and can accept/poll devices that are not within its scope.
DRSN2240            II   Audit data files and directories are readable by personnel NOT authorized by the IAO.
DRSN2241            II   Audit logs are not stored/archived per policy (i.e., 90 days online and 9 months offline, for a total of 12 months).
DRSN2242            II   Audit logs are not reviewed daily or completely.
DRSN2350            I    RED/BLACK isolation is not maintained between red and black switch nodes or their management systems.
DRSN2351  V0004682  I    RED and BLACK distribution systems do not maintain required separation/isolation.
DRSN2352            I    RED switch network originated audio is not encrypted on an unclassified network before the crypto equipment enters secure mode.
DRSN2353            I    The RED/BLACK mgmt. LAN is not properly protected.
DRSN2354            II   BLACK switch implementations are not approved in writing by the local commander.
DRSN2358            I    DRSN consoles and/or terminals do not maintain RED/BLACK isolation.
DRSN2359  V0004684  I    There is no fail-safe design of the red/black interface in place to preclude switching from operating in both black and red modes simultaneously.
DRSN2360            I    DRSN Console operator intervention is not implemented per policy.
DRSN2361  V0004670  I    Switch subscriber terminals are configured for automatic answering.
DRSN2362            II   Interfaces configured for auto-answer are not approved by the appropriate DAA and the DRSN PMO and/or are not certified for IO and IA under DoDI 8100.3.
DRSN2363            II   Speaker(s) or speakerphone(s) are not approved by all parties as required.
DRSN2364            I    External device(s) used with a DRSN RED switch user instrument are not configured to operate at the security level of the associated terminal, and/or are not approved by the appropriate DAA.
DRSN2365  V0004678  I    DRSN phones are enabled when not under the immediate control of cleared personnel.
DRSN2366            I    RED Switch must permit instrument disablement for when appropriately cleared personnel do not man them.
DRSN2367            I    Each DRSN Terminal does not have a unique enable code.
DRSN2368  V0004673  I    DRSN terminal enable codes are not changed every 90 days, or when there is a suspected compromise, or when an instrument and/or Subscriber Directory Number (SDN) is reassigned to another user.
DRSN2369            I    Enable codes are not treated as classified SECRET.
DRSN2370  V0004673  I    Subscriber terminals do not have labels affixed showing the highest security level authorized for the instrument.
DRSN2372            II   Push-To-Talk (PTT) handsets have been removed without DAA approval and/or there is no procedure for maintaining the secure integrity of the instrument.
DRSN2373            I    Participants of ongoing conferences established through DRSN RED Switches are NOT informed of a change in the classification, SCI character, or foreign access of the conference.
DRSN2375            II   Recording equipment is not approved by the DRSN PMO and/or, as applicable, by the DAA/INSCI if installed in a SCIF.
DRSN2376            II   No SOP for the handling of call or conference recordings exists and/or it is not followed to ensure their proper handling, storage, dissemination, and/or destruction.
DRSN2377            II   Recordings of calls and/or conferences are not handled per the SOP that details their proper handling, storage, dissemination, and/or destruction.
DRSN2383            I    A “Barge in Tone” and visual indication is not provided to all parties in a call when the security level of the call is downgraded or upgraded during normal calls or during call forwarding, call transfer, and when adding or deleting conferees to/from a conference call.
DRSN2384            I    DRSN RED switch Terminals must display proper classification level or SAL of terminals with which they communicate.
DRSN2385            I    A DRSN Terminal does not properly display the self-authenticating security level of the call or conference in progress, and/or does not properly display the identity data of the distant terminal or identify the network and/or equipment type associated with the distant party and/or when a conference call is in progress.
DRSN2371            I    Manual Override of Security Features is permitted and/or is not audited.
DRSN2386            II   A DRSN RED telephone that is enabled for Flash, Flash-Override, and Flash-Override-Override precedence is not documented as having Joint Staff approval.
DRSN2387            II   Documentation on SAL assignments for the DRSN switch and its access lines is not maintained and/or available for inspection.
DRSN2388            II   The approved and documented SAL assignments are not those implemented on the switch.
DRSN2389            II   A cryptographic-interface that is in addition to the primary trunk interface has not been reported to the DRSN PMO and/or identified on the configuration listing of the accreditation package, and/or the documentation is not available for inspection.
DRSN2390            II   Insufficient quantity - cryptographic-interface (STU-III/R, STE-R, etc.) per SAL or SALs improperly assigned.
DRSN2400            II   A VoIP/VoSIP security architecture is missing or is inadequate and/or does not comply with all applicable STIGs.
DRSN2401            II   WAN based VoIP/VoSIP service core equipment is not in a dedicated enclave that can be protected.
DRSN2402            II   WAN based VoIP/VoSIP service delivery is not redundant in core equipment or delivery circuits.
DRSN2403            II   A WAN based VoIP/VoSIP service provider's customer's VoIP/VoSIP enclave is not properly implemented or protected.
DRSN2404            II   WAN based VoIP/VoSIP implementation does not utilize out of band management methods or networks.
DRSN2405            II   VoIP/VoSIP implementation is not substantially compliant with all applicable OS and application STIGs.
DRSN2406            II   The VoIP/VoSIP implementation has not been tested and certified in compliance with DoDI 8100.3 requirements, and not placed on the DRSN APL.
DRSN2407            II   Inter-enclave VoIP/VoSIP communications is used as the primary C2 communications system.
   ____ Checklist _V_R_ (<date>)                                              <Test> - TN <Ticket Number>
   PDI     VMSID CAT            Requirement                   Vulnerability   Status   Finding Notes Section
DS00.0100 V0008527  III  There is no policy to ensure that changes to the directory schema are subject to a configuration management process.   AD, Generic
DS00.0110 V0008550  II   For a directory service used by e-mail components (server or client), the contractor abbreviation (ctr) or country code (for foreign nationals) is not maintained for the *DoD* e-mail address and display name attributes.   AD, Generic
DS00.0120 V0008316  I    Directory service data files do not have proper access permissions.   AD, Generic
DS00.0130 V0002370  I    Directory service data objects do not have proper access permissions.   AD, Generic
DS00.0140 V0004243  II   Directory service data objects do not have proper audit settings.   AD, Generic
DS00.0150 V0008322  II   A time synchronization tool is not implemented on the directory server.   AD, Generic
DS00.0151 V0008324  III  The time synchronization tool does not log changes to the time source.   AD, Generic
DS00.0160 V0002369  II   Directory data is not backed up on a daily or weekly basis.   AD, Generic
DS00.1100  (none)    III  Note: At this time there is a Common Criteria Protection Profile for directory products titled "US Government Directory Protection Profile For Medium Robustness Environments". However, there are no products that have been evaluated for conformance to this Protection Profile. Therefore this check is not currently active.  [Generic]
DS00.1120  V0008530  III  Appropriate documentation is not maintained for each cross-directory authentication configuration.  [AD, Generic]
DS00.1130  V0014834  II   An encryption, signing, or other cryptographic algorithm used in a directory server application is not FIPS 140-2 validated.  [Generic]
DS00.1140  V0008522  II   A directory service implementation that spans enclave boundaries does not use a VPN to protect directory network traffic.  [AD, Generic]
DS00.1150  V0008320  II   Directory program or configuration files do not have proper access permissions.  [AD, Generic]
DS00.1155  V0014775  II   Directory server software files are not monitored for unauthorized modifications.  [Generic]
DS00.1160  V0014836  I    A directory server product release that is not supported by the vendor is in use.  [Generic]
DS00.1165  V0014776  II   A migration plan has not been developed to remove or upgrade a directory server product for which vendor security patch support is soon to be, or has already been, dropped.  [Generic]
DS00.1170  V0014779  III  The directory server product is not documented in the CCB and C&A software inventory, or the inventory backup copy is not subject to adequate physical protections.  [Generic]
DS00.1180  V0008326  II   A directory server supporting (directly or indirectly) system access or resource authorization is not running on a machine dedicated to that function: the same host is running an application such as a database server, e-mail server, e-mail client, web server, or DHCP server.  [AD, Generic]
DS00.1190  V0008317  II   The directory server data files are located on the same logical partition as data files owned by users.  [AD, Generic]
DS00.2100  V0014838  II   The directory server is not configured for, or is not capable of supporting, version 3 of the LDAP protocol.  [AD, Generic]
DS00.2110  V0014813  II   Passwords used with or stored in the directory do not adhere to the complexity requirements for length or composition set by the DoD policy currently in effect.  [Generic]
DS00.2115  V0014814  II   Passwords used with or stored in the directory do not expire, or a history of previously used passwords is not kept, according to the parameters of the DoD policy currently in effect.  [Generic]
DS00.2120  V0014815  I    Factory-set, default, or standard passwords are defined in the directory.  [Generic]
DS00.2121  V0014805  III  Factory-set, default, or standard accounts or groups that could be renamed or removed are defined in the directory.  [Generic]
DS00.2130  V0014816  I    Passwords stored in the directory are not encrypted.  [Generic]
DS00.2140  V0014820  I    PKI certificates used in a directory service are not issued by the DoD PKI or an approved External Certificate Authority (ECA).  [AD, Generic]
DS00.3130  V0014798  I    Directory data (outside the root DSE) of a non-public directory can be read through anonymous access.  [AD, Generic]
DS00.3131  V0014797  III  The root DSE of a non-public directory can be read through anonymous access.  [Generic]
DS00.3140  V0014799  I    Update access to the directory schema is not restricted to appropriate accounts.  [Generic]
DS00.3150  V0014807  III  The number of accounts assigned proxy authorization permission is excessive, or documentation does not exist for those accounts.  [Generic]
DS00.3170  V0014800  III  Tools are not installed to support reviewing audit data from a directory server.  [Generic]
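DS00.2100, DS00.3130 and DS00.3131 above can be verified from an audit workstation with a single anonymous LDAP session: bind with no credentials, read supportedLDAPVersion and namingContexts from the root DSE, then ask for one entry below the first naming context. The probe below is an added example, not part of the checklist or of any product; it encodes the RFC 4511 messages by hand so it needs nothing beyond the Python standard library. The host and port are whatever the auditor supplies, and SAMPLE_ROOT_DSE_ENTRY is a constructed response used only to exercise the decoder offline.

```python
"""Anonymous-access LDAP probe (DS00.2100, DS00.3130, DS00.3131).  Added example, standard
library only: host/port are the auditor's inputs, SAMPLE_ROOT_DSE_ENTRY is constructed."""
import socket

def ber_len(n: int) -> bytes:                   # short form below 128, else 0x80|count + bytes
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value
def integer(n: int, tag: int = 0x02) -> bytes:   # INTEGER, or ENUMERATED with tag 0x0A
    return tlv(tag, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True))
def octet_string(s: str, tag: int = 0x04) -> bytes:
    return tlv(tag, s.encode())
def ldap_message(msg_id: int, op: bytes) -> bytes:
    return tlv(0x30, integer(msg_id) + op)

def anonymous_bind_request(msg_id: int = 1) -> bytes:
    # BindRequest [APPLICATION 0]: version 3, empty name, empty simple ([0]) password
    return ldap_message(msg_id, tlv(0x60, integer(3) + octet_string("") + tlv(0x80, b"")))

def search_request(base: str, scope: int, attrs, msg_id: int, size_limit: int = 0) -> bytes:
    # SearchRequest [APPLICATION 3]; the filter is present(objectClass), context tag [7]
    body = (octet_string(base) + integer(scope, 0x0A) + integer(0, 0x0A)   # scope, derefAliases
            + integer(size_limit) + integer(0) + tlv(0x01, b"\x00")        # limits, typesOnly
            + octet_string("objectClass", 0x87)
            + tlv(0x30, b"".join(octet_string(a) for a in attrs)))
    return ldap_message(msg_id, tlv(0x63, body))

def decode_tlv(buf: bytes, pos: int = 0):        # -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                             # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value: bytes) -> list:              # (tag, value) pairs inside a constructed type
    out, pos = [], 0
    while pos < len(value):
        tag, inner, pos = decode_tlv(value, pos)
        out.append((tag, inner))
    return out

def parse_message(buf: bytes):                   # -> (msg_id, op_tag, op_value)
    tag, body, _ = decode_tlv(buf)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    (_, msg_id), (op_tag, op_val) = children(body)[:2]
    return int.from_bytes(msg_id, "big", signed=True), op_tag, op_val

def bind_result_code(buf: bytes) -> int:         # BindResponse [APPLICATION 1]; 0 = bind accepted
    _, op_tag, op_val = parse_message(buf)
    if op_tag != 0x61:
        raise ValueError("not a BindResponse")
    return int.from_bytes(children(op_val)[0][1], "big")

def parse_search_entry(buf: bytes) -> dict:      # SearchResultEntry [APPLICATION 4] -> {attr: [values]}
    _, op_tag, op_val = parse_message(buf)
    if op_tag != 0x64:
        raise ValueError("not a SearchResultEntry")
    (_, _dn), (_, attr_list) = children(op_val)
    return {name.decode(): [v.decode() for _, v in children(vals)]
            for (_, name), (_, vals) in (children(a) for _, a in children(attr_list))}

def recv_message(stream) -> bytes:               # one BER-framed LDAPMessage from sock.makefile("rb")
    head = stream.read(2)
    if len(head) < 2:
        raise ConnectionError("server closed the connection")
    if head[1] & 0x80:
        head += stream.read(head[1] & 0x7F)
    return head + stream.read(int.from_bytes(head[2:], "big") if head[1] & 0x80 else head[1])

def probe(host: str, port: int = 389, timeout: float = 5.0) -> dict:
    """Anonymous bind, root DSE read, then one entry below the first naming context."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        stream = sock.makefile("rb")
        def search(base, scope, attrs, msg_id, size_limit=0):
            sock.sendall(search_request(base, scope, attrs, msg_id, size_limit))
            entries = []                          # SearchResultEntry (0x64) until SearchResultDone (0x65)
            while (op := parse_message(msg := recv_message(stream))[1]) != 0x65:
                if op == 0x64:
                    entries.append(parse_search_entry(msg))
            return entries
        sock.sendall(anonymous_bind_request())
        report = {"anonymous_bind_result": bind_result_code(recv_message(stream)),
                  "root_dse": {}, "entries_readable_anonymously": False}
        if report["anonymous_bind_result"] == 0:
            root = search("", 0, ["supportedLDAPVersion", "namingContexts"], 2)
            report["root_dse"] = root[0] if root else {}
            for base in report["root_dse"].get("namingContexts", [])[:1]:  # "1.1" = no attributes
                report["entries_readable_anonymously"] = bool(search(base, 1, ["1.1"], 3, 1))
        return report

# Constructed (assumption): a permissive server's root DSE entry, for the offline demo.
_ATTRS = (tlv(0x30, octet_string("supportedLDAPVersion") + tlv(0x31, octet_string("2") + octet_string("3")))
          + tlv(0x30, octet_string("namingContexts") + tlv(0x31, octet_string("dc=example,dc=com"))))
SAMPLE_ROOT_DSE_ENTRY = ldap_message(2, tlv(0x64, octet_string("") + tlv(0x30, _ATTRS)))
```

A result of 0 for anonymous_bind_result together with a populated root_dse is the DS00.3131 condition, entries_readable_anonymously being True is the CAT I DS00.3130 condition, and a supportedLDAPVersion list without "3" is DS00.2100. Run it once against the cleartext port and once against the LDAPS port (wrap the socket with the ssl module for the latter); it does not attempt StartTLS, so a server that only accepts binds after StartTLS shows a non-zero result code (typically confidentialityRequired, 13) rather than an exposure.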
DS00.3175  V0014790  III  Audit data from a directory server is not backed up at least weekly on external media or on a system other than the one where the server executes.  [Generic]
DS00.3180  V0014791  III  Audit data from a directory server is not retained for at least one year.  [Generic]
DS00.3185  V0014804  II   Directory server audit data files do not have proper access permissions.  [Generic]
DS00.3190  V0014810  II   The number of accounts that are members of locally defined privileged groups in the directory is excessive, or documentation does not exist for those accounts.  [Generic]
DS00.3200  V0008549  II   Accounts from another directory are members of privileged groups, and the other directory is not under the control of the same organization or subject to the same security policies.  [AD, Generic]
DS00.3210  V0008344  I    An account used to execute the directory server or a directory service process is a member of a privileged group on the OS or is assigned administrative privileges, and the level of privilege assigned exceeds what is needed.  [Generic]
DS00.3220  V0014808  II   An account used for a directory server or directory service process is not dedicated to that function.  [Generic]
DS00.3230  V0008553  II   Replication is not enabled to occur at least daily for a directory service in which identification, authentication, or authorization data is replicated.  [AD, Generic]
DS00.3240  V0014839  II   Available options of the directory server are not configured to enforce the referential integrity of identification, authentication, and authorization data.  [Generic]
DS00.3250  V0014812  II   Accounts are not locked out after multiple consecutive unsuccessful logon (bind) attempts, according to the parameters of the DoD policy currently in effect.  [Generic]
DS00.3260  V0008327  II   OS services that are critical for the directory server are not configured for automatic startup.  [AD, Generic]
DS00.3270  V0014780  III  There is no policy to ensure that code that is not vendor-provided, and is used in a directory server implementation to update identification, authentication, or authorization data, is subject to a configuration management process.  [AD, Generic]
DS00.3280  V0014782  II   A directory service implementation that transfers replication data over wireless or non-DoD networks does not use encryption to protect the network traffic.  [Generic]
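DS00.3250 above asks for lockout after consecutive failed binds. The counter logic is small enough that a front end or a log-driven response script can enforce it where the product's own policy is absent or under validation; the class below is an added example, not part of the checklist or of any directory product. THRESHOLD, WINDOW and LOCKOUT are placeholder values (assumptions), not the DoD parameters in effect, and the clock is injectable so the expiry paths can be exercised offline.

```python
"""Bind lockout counter for DS00.3250 (lock after consecutive failed binds).

Added example, not part of the checklist or of any directory product: the state a
front end or log-driven response script needs.  THRESHOLD, WINDOW and LOCKOUT are
placeholders (assumptions), not the DoD parameters in effect; the clock is
injectable so the expiry behaviour can be exercised offline.
"""
import time

THRESHOLD = 3        # consecutive failures before lockout (placeholder)
WINDOW = 15 * 60     # seconds within which failures count as consecutive (placeholder)
LOCKOUT = 15 * 60    # seconds the account stays locked (placeholder)

class BindLockout:
    def __init__(self, threshold=THRESHOLD, window=WINDOW, lockout=LOCKOUT, clock=time.time):
        self.threshold, self.window, self.lockout, self.clock = threshold, window, lockout, clock
        self.failures = {}       # dn -> timestamps of the current run of failures
        self.locked_until = {}   # dn -> time the lockout expires

    def is_locked(self, dn: str) -> bool:
        """True while the lockout has not expired; expired entries are cleared."""
        until = self.locked_until.get(dn)
        if until is None:
            return False
        if self.clock() >= until:
            del self.locked_until[dn]
            return False
        return True

    def record(self, dn: str, success: bool) -> str:
        """Record one bind outcome; returns 'rejected', 'ok', 'failed' or 'locked'."""
        now = self.clock()
        if self.is_locked(dn):
            return "rejected"            # a correct password does not unlock the account early
        if success:
            self.failures.pop(dn, None)  # a success ends the run of consecutive failures
            return "ok"
        run = [t for t in self.failures.get(dn, []) if now - t <= self.window] + [now]
        if len(run) >= self.threshold:
            self.locked_until[dn] = now + self.lockout
            self.failures.pop(dn, None)
            return "locked"
        self.failures[dn] = run
        return "failed"
```

Feed record() from the bind-result audit log (one call per bind) or call it in the authentication path before credentials are checked; is_locked() is the state an administrator's unlock tool would clear.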
DS00.3281  V0014783  II   A directory service implementation at a classified confidentiality level that transfers replication data through a network cleared to a lower level than the data, or that includes SAMI data, does not use separate, NSA-approved cryptography.  [AD, Generic]
DS00.3290  V0014828  II   Directory administration sessions over a network are not encrypted.  [Generic]
DS00.3300  V0014824  II   A replication implementation does not include authentication of the source *and* target directory servers (mutual authentication).  [Generic]
DS00.3310  V0014809  II   An account used for directory replication is not dedicated to that function.  [Generic]
DS00.3320  V0014826  I    The password of the replication account is not encrypted in transit.  [Generic]
DS00.3330  V0014822  II   Directory administration does not include authentication of the target directory server *and* the administration client (mutual authentication).  [Generic]
DS00.3340  V0014823  II   Directory updates performed under proxy credentials do not include authentication of the target directory server *and* the proxy client (mutual authentication).  [Generic]
DS00.3350  V0014794  III  A directory server that utilizes PKI certificates does not perform certificate validation that includes CRL or OCSP checking.  [Generic]
DS00.3360  V0014830  III  A directory service implementation does not use data signing or other methods to ensure the integrity of directory administration and replication traffic over a network.  [Generic]
DS00.3370  V0014831  III  The directory server is not configured by default to terminate LDAP network connections that have been inactive for five (5) minutes or more.  [AD, Generic]
DS00.3375  V0014795  III  Accounts are defined with inactivity timeout values higher than five (5) minutes, and the accounts are not listed in local documentation.  [Generic]
DS00.4100  V0014785  III  Privileged remote access to a directory server is not implemented through a managed access control point and with increased session security mechanisms.  [Generic]
DS00.4110  V0014786  III  Sessions for privileged remote access to a directory server are not logged, or the logs are not reviewed at least weekly.  [Generic]
DS00.4120  V0014787  III  Non-privileged remote access to a directory server is not implemented through a managed access control point.  [Generic]
DS00.4130  V0014788  II   Remote access to a directory server is not encrypted.  [Generic]
DS00.4140  V0008523  II   The VPN used to protect directory network traffic does not support visibility to an IDS.  [AD, Generic]
DS00.6110  V0014789  III  Code used in a directory service implementation that is not vendor-provided is not backed up periodically.  [AD, Generic]
DS00.6120  V0008525  III  Disaster recovery plans do not include sufficient directory service architecture information, such as hierarchy and replication structure.  [AD, Generic]
DS00.6130  V0014793  III  Disaster recovery plans do not include identification of the software products used in directory server operations.  [Generic]
DS00.6140  V0008524  II   Only one directory server supports a directory service.  [AD, Generic]
DS00.7100  V0008526  III  Cross-directory authentication configurations have not been evaluated with respect to possible INFOCON procedures.  [AD, Generic]
DS00.7110  V0014777  II   Security-related patches for directory server products are not applied, or the application status is not documented.  [Generic]
DS05.0100  (none)    III  Note: At this time there is no Common Criteria Protection Profile for directory synchronization products. Therefore this check is not currently active.  [Generic]
DS05.0110  (none)    III  Note: At this time there is no Common Criteria Protection Profile for directory synchronization products. Therefore this check is not currently active.  [Generic]
DS05.0120  V0011782  II   An encryption, signing, or other cryptographic algorithm used in a directory synchronization application is not FIPS 140-2 validated.  [Generic]
DS05.0130  V0011760  II   A synchronization implementation that spans enclave boundaries and uses the LDAP or HTTP protocol does not use a VPN to protect the network traffic.  [Generic]
DS05.0140  V0011761  II   A synchronization implementation that spans enclave boundaries and uses the LDAPS or HTTPS protocol does not use a DoDI 8551.1-compliant solution to protect the network traffic.  [Generic]
DS05.0150  V0011787  II   Directory synchronization program or configuration files do not have proper access permissions.  [Generic]
DS05.0155  V0014772  II   Synchronization application software files are not monitored for unauthorized modifications.  [Generic]
DS05.0160  V0011784  I    A directory synchronization product that is not supported by the vendor is in use.  [Generic]
DS05.0170  V0011762  II   A migration plan has not been developed to remove or upgrade a synchronization product for which vendor security patch support is soon to be, or has already been, dropped.  [Generic]
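DS00.1155 and DS05.0155 (monitoring of software files) and DS00.1150, DS00.3185, DS05.0150, DS05.0230 and DS05.0290 (file permissions) are answered by the same evidence: a baseline of content digests and mode bits taken from a known-good install and compared on a schedule. The tool below is an added example, not part of the checklist or of any vendor product, written against the Python standard library; the install tree built by demo() is constructed for the offline walk-through and is not a real product layout.

```python
"""File integrity and permission baseline for directory server software files.

Added example for DS00.1150/DS00.1155 and DS05.0150/DS05.0155 (and the audit-file
permission items DS00.3185/DS05.0290); not part of the checklist or any vendor tool.
Standard library only.  The tree built by demo() is constructed (an assumption).
"""
import hashlib
import json
import os
import stat
import tempfile

def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root: str) -> dict:
    """{relative path: {sha256, mode, uid, gid}} for every regular file under root."""
    entries = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISREG(st.st_mode):          # symlinks and specials are not hashed
                entries[os.path.relpath(full, root)] = {
                    "sha256": sha256_file(full), "mode": stat.S_IMODE(st.st_mode),
                    "uid": st.st_uid, "gid": st.st_gid}
    return entries

def permission_findings(snap: dict, max_mode: int = 0o750) -> list:
    """Files whose mode grants any bit beyond max_mode (default: nothing for 'other', no group write)."""
    return sorted(p for p, e in snap.items() if e["mode"] & ~max_mode)

def compare(baseline: dict, current: dict) -> dict:
    """Classify the differences between two snapshots."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified, attr_changed = [], []
    for path in sorted(set(baseline) & set(current)):
        old, new = baseline[path], current[path]
        if old["sha256"] != new["sha256"]:
            modified.append(path)
        elif (old["mode"], old["uid"], old["gid"]) != (new["mode"], new["uid"], new["gid"]):
            attr_changed.append(path)
    return {"added": added, "removed": removed, "modified": modified, "attr_changed": attr_changed}

def save_baseline(snap: dict, path: str) -> None:
    """Write the baseline; keep it on another host or read-only media, not beside the binaries."""
    with open(path, "w") as f:
        json.dump(snap, f, indent=1, sort_keys=True)

def load_baseline(path: str) -> dict:
    with open(path) as f:
        return json.load(f)

def demo() -> dict:
    """Offline walk-through on a constructed install tree (assumption, not a real product layout)."""
    root, store = tempfile.mkdtemp(), tempfile.mkdtemp()   # store stands in for the separate host
    os.makedirs(os.path.join(root, "bin"))
    for rel, content, mode in (("bin/dirserver", b"original binary", 0o750),
                               ("dirserver.conf", b"allow-anonymous no\n", 0o640)):
        with open(os.path.join(root, rel), "wb") as f:
            f.write(content)
        os.chmod(os.path.join(root, rel), mode)
    baseline = snapshot(root)
    save_baseline(baseline, os.path.join(store, "baseline.json"))
    # Changes an intruder or a careless administrator might make between two runs:
    with open(os.path.join(root, "dirserver.conf"), "ab") as f:
        f.write(b"allow-anonymous yes\n")                   # configuration edited
    with open(os.path.join(root, "bin", "evil.so"), "wb") as f:
        f.write(b"dropped module")                          # file added
    os.chmod(os.path.join(root, "bin", "evil.so"), 0o644)
    os.chmod(os.path.join(root, "bin", "dirserver"), 0o755)  # now world-executable
    current = snapshot(root)
    return {"diff": compare(load_baseline(os.path.join(store, "baseline.json")), current),
            "baseline_perms": permission_findings(baseline),
            "current_perms": permission_findings(current)}
```

Keep the baseline on a host other than the monitored server, or on read-only media, and protect it as carefully as the binaries: an attacker who can alter the software can otherwise alter the baseline to match. The default max_mode of 0o750 flags any permission for 'other' and group write; for audit data files, which nothing needs to execute, 0o640 is the better limit.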
DS05.0180  V0011763  III  A synchronization product used in routine, scheduled operations is not documented in the CCB and C&A software inventory, or the inventory backup copy is not subject to adequate physical protections.  [Generic]
DS05.0190  V0011785  II   Public domain software is used to perform directory synchronization operations.  [Generic]
DS05.0200  V0011786  III  The source code for a directory synchronization application is located in the same directory as data that is input to or output from the application.  [Generic]
DS05.0210  V0011764  I    A password used in the execution of a synchronization implementation is embedded in a script or stored in an unencrypted file.  [Generic]
DS05.0220  V0011783  II   PKI certificates used in a directory synchronization application are not issued by the DoD PKI or an approved External Certificate Authority (ECA).  [Generic]
DS05.0230  V0011788  I    Directory synchronization data files do not have proper access permissions.  [Generic]
DS05.0240  V0011789  II   A directory synchronization data file that contains a substantial aggregate of the directory data for an entire geographic command is not encrypted.  [Generic]
DS05.0250  V0011790  II   A directory synchronization application is not configured to collect audit data.  [Generic]
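DS05.0210 above is ultimately found by reading the scripts, but a scan turns up the common cases quickly. The scanner below is an added example, not part of the checklist or of any product; the patterns and SAMPLE_FILES are assumptions about typical habits (a password= or bindpw assignment, a -w simple-bind argument on an ldapsearch command line, a cleartext value in a configuration file), and every hit is redacted so the report itself does not become the cleartext copy the check forbids.

```python
"""Scan synchronization scripts and config files for embedded passwords (DS05.0210).

Added example, not part of the checklist or of any product.  PATTERNS and
SAMPLE_FILES are assumptions about common habits, not a complete list; every
hit is something to review, not proof by itself.
"""
import re

# Each pattern captures the credential value so it can be redacted in the report.
PATTERNS = [
    ("assignment", re.compile(r"(?i)\b(?:pass(?:word|wd)?|bindpw|secret)\s*[=:]\s*['\"]?([^\s'\"]+)")),
    ("ldap -w flag", re.compile(r"(?:^|\s)-w\s+['\"]?([^\s'\"]+)")),
]
# Values that are variable references or placeholders, not embedded secrets.
SAFE_REFERENCES = re.compile(r"^(\$[\w:{}]+|%\w+%|<[^>]+>|\*+)$")

def redact(value: str) -> str:
    return value[:2] + "*" * max(0, len(value) - 2)

def scan_text(name: str, text: str) -> list:
    """(file, line_no, kind, redacted_value) for every embedded credential found."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith("#") or stripped.upper().startswith("REM "):
            continue                                  # comments are not executed
        for kind, pattern in PATTERNS:
            for match in pattern.finditer(line):
                value = match.group(1)
                if not SAFE_REFERENCES.match(value):  # $VAR, %VAR%, <placeholder>, *** are fine
                    hits.append((name, line_no, kind, redact(value)))
    return hits

def scan_files(files: dict) -> list:
    """Run scan_text over a {name: contents} mapping, e.g. read from a sync host."""
    return [hit for name, text in files.items() for hit in scan_text(name, text)]

# Constructed samples (assumption) of what an auditor might find on a synchronization host.
SAMPLE_FILES = {
    "sync.sh": "#!/bin/sh\n# password=notreal (comment)\n"
               "ldapsearch -x -D 'cn=sync' -w Hunter2! -b dc=example,dc=com\n",
    "sync.ps1": "$bindpw = $env:SYNC_PW\nInvoke-Sync -Password $bindpw\n",
    "sync.ini": "[target]\nuser=cn=sync\npassword: S3cretValue\n",
}
```

Values that are variable references or placeholders are skipped; a variable reference still deserves a look at where the variable is set.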
DS05.0260  V0011791  III  Tools are not installed to support reviewing audit data from a directory synchronization application.  [Generic]
DS05.0270  V0011765  III  Audit data from a synchronization implementation is not backed up at least weekly on external media or on a system other than the one where the implementation executes.  [Generic]
DS05.0280  V0011766  III  Audit data from a synchronization implementation is not retained for at least one year.  [Generic]
DS05.0290  V0011792  II   Directory synchronization audit data files do not have proper access permissions.  [Generic]
DS05.0320  V0011767  III  There is no policy to ensure that code that is not vendor-provided, and is used in a synchronization implementation to update security principal accounts, is subject to a configuration management process.  [Generic]
DS05.0330  V0011769  II   A synchronization implementation that transfers data over wireless or non-DoD networks does not use encryption to protect the network traffic.  [Generic]
DS05.0331  V0014773  II   A synchronization implementation at a classified confidentiality level that transfers data through a network cleared to a lower level than the synchronization data, or that transfers SAMI data, does not use separate, NSA-approved cryptography.  [Generic]
   ____ Checklist _V_R_ (<date>)                                    <Test> - TN <Ticket Number>
   PDI     VMSID CAT           Requirement          Vulnerability   Status   Finding Notes Section
DS05.0340 | V0011771 | II | A synchronization implementation that transfers a substantial aggregate of the directory data for an entire geographic command does not use encryption to protect the network traffic. | | | | Generic
DS05.0350 | V0011772 | III | A synchronization product that utilizes PKI certificates does not perform certificate validation that includes CRL or OCSP checking. | | | | Generic
DS05.0360 | V0011770 | III | A synchronization implementation does not use data signing or other methods to ensure the integrity of directory data network traffic. | | | | Generic
DS05.0370 | V0011773 | II | A synchronization implementation does not perform authentication of the synchronization client *and* target directory server (mutual authentication). | | | | Generic
DS05.0380 | V0011774 | II | Privileged remote access to a synchronization implementation is not implemented through a managed access control point and with increased session security mechanisms. | | | | Generic
DS05.0390 | V0011775 | II | Sessions for privileged remote access to a synchronization implementation are not logged or the logs are not reviewed at least weekly. | | | | Generic




DS05.0400 | V0011776 | III | Non-privileged remote access to a synchronization implementation is not implemented through a managed access control point. | | | | Generic
DS05.0410 | V0011777 | II | Remote access to a synchronization implementation is not encrypted. | | | | Generic
DS05.0420 | V0011778 | II | Physical access to a host used in routine, scheduled synchronization operations is not restricted to authorized personnel. | | | | Generic
DS05.0430 | V0011779 | II | Production data from routine, scheduled synchronization operations is not backed up periodically. | | | | Generic
DS05.0440 | V0011768 | III | Code used in a synchronization implementation that is not vendor-provided is not backed up periodically. | | | | Generic
DS05.0450 | V0011780 | III | Disaster recovery plans do not include identification of products used in routine, scheduled synchronization operations. | | | | Generic
DS05.0460 | V0011781 | II | Security related patches for synchronization products are not applied or the application status is not documented. | | | | Generic
DS10.0150 | V0008303 | II | The Directory Services Restore Mode (DSRM) password does not meet complexity standards. | | | | AD
DS10.0151 | V0008310 | II | There is no policy to ensure that the DSRM password is changed often enough. | | | | AD




DS10.0160 | V0008551 | III | An AD domain that has no Windows NT domain controllers is at a domain functional level that allows the addition of new Windows NT domain controllers. | | | | AD
DS10.0170 | V0008533 | II | An external, forest, or realm AD trust relationship is defined where access requirements do not support the need. | | | | AD
DS10.0180 | V0008534 | I | An external, forest, or realm AD trust relationship is defined between systems at different classification levels. | | | | AD
DS10.0181 | V0008536 | I | An external, forest, or realm AD trust relationship is defined between a DoD system and a non-DoD system without explicit approval of the DAA and appropriate documentation of the external network connection(s). | | | | AD
DS10.0190 | V0008538 | II | An outgoing external or forest trust is configured without SID filtering. | | | | AD
DS10.0200 | V0008540 | II | An outgoing forest trust is configured without Selective Authentication. | | | | AD
DS10.0210 | V0012780 | I | The Synchronize Directory Service Data user right has been assigned to an account. | | | | AD
DS10.0220 | V0008547 | II | The Pre-Windows 2000 Compatible Access group includes the Everyone or Anonymous Logon groups. | | | | AD
DS10.0230 | V0008555 | II | The dsHeuristics option is not configured to prevent anonymous access to AD. | | | | AD




DS10.0240 | V0008548 | II | The number of accounts is excessive or documentation does not exist for the accounts that are members of the Domain Admins, Enterprise Admins, Schema Admins, Group Policy Creator Owners, or Incoming Forest Trust Builders groups. | | | | AD
DS10.0260 | V0008521 | II | The number of accounts is excessive or documentation does not exist for the accounts that have been delegated AD object ownership or update permissions and are *not* members of Windows built-in administrative groups. | | | | AD
DS10.0295 | V0008557 | II | The domain controller holding the forest authoritative time source is not configured to use a DoD-authorized external time source. | | | | AD
DS10.0310 | V0008313 | II | Physical access to the AD forest root FSMO domain controllers is not restricted to specifically authorized personnel. | | | | AD
DS10.0320 | V0008311 | II | The offline copy of the DSRM password is not subject to adequate physical protections. | | | | AD
DS10.9100 | V0012778 | III | The AD domain and forest in which the domain controller resides have not been reviewed for vulnerabilities. | | | | AD




PDI | VMSID | CAT | Requirement | Vulnerability | Status | Finding Notes
DSN01.01 | V0007921 | III | The IAO does not conduct and document self-inspections of the DSN components at least semi-annually for security risks. | Denial of Service (DoS), loss of confidentiality, and unauthorized access may occur if self-inspections of the DSN components are not conducted. | |
DSN01.02 | V0007922 | III | The site's telephone switch is not frequently monitored for changing calling patterns and system uses for possible security concerns. | Theft of services, misuse of services, degradation of services provided by the system, and unauthorized access may occur if effective monitoring procedures are not in place, conducted, and audited. | |
DSN01.03 | V0007923 | II | The ISSO/IAO does not ensure that administration and maintenance personnel have proper access to the facilities, functions, commands, and calling privileges required to perform their job. | The inability to properly maintain and troubleshoot the system may result if this requirement is not met. | |
DSN02.01 | V0007924 | III | DSN systems are not registered in the DISA VMS. | The DoD voice system may not be protected as required and may be vulnerable to attack or loss of availability due to a multitude of OS and application vulnerabilities. | |




DSN02.02 | V0007925 | III | System Administrators (SAs) responsible for DSN information systems are not registered with the DISA VMS. | The DoD voice system may not be protected as required and may be vulnerable to attack or loss of availability due to a multitude of OS and application vulnerabilities. | |
DSN02.03 | V0007926 | II | The ISSO/IAO and ISSM/IAM, in coordination with the SA, will be responsible for ensuring that all IAVM notices are responded to within the specified time period. | The telecommunication system may be left vulnerable to issues outlined within respective IAVAs. | |
DSN02.04 | V0008338 | II | IAVMs are not addressed using RTS system vendor approved or provided patches. | Patches that have not been approved can break features or disable the system entirely. | |
DSN02.05 | V0008339 | III | DoD voice/video/RTS information system assets and vulnerabilities are not tracked and managed using any vulnerability management system as required by DoD policy. | Vulnerabilities that are not tracked and managed under some sort of management system may allow for repeat and untreated vulnerabilities, resulting in severe system degradation. | |
DSN03.01 | V0008340 | III | A DoD Voice/Video/RTS system or device is NOT configured in compliance with all applicable STIGs or the appropriate STIGs have not been applied to the fullest extent possible. | A DoS, loss of confidentiality, and unauthorized access, to name a few examples, may occur if the STIG requirements are not met to the fullest extent possible. | |


DSN03.02 | V0008341 | III | The purchase / maintenance contract, or specification, for the Voice/Video/RTS system under review does not contain verbiage requiring compliance and validation measures for all applicable STIGs. | Denial of Service (DoS), loss of confidentiality, and unauthorized access may occur if STIG guidance is not adhered to. | |
DSN03.03 | V0008342 | III | The DAA, IAM, IAO, or SA for the system DOES NOT enforce contract requirements for STIG compliance and validation. | The possibility to certify and accredit the system, operate it legally, or connect it to another DoD system may be the result. | |
DSN03.04 | V0008345 | II | A Voice/Video/RTS system is in operation but is not listed on the DSN APL nor is it in the process of being tested. | The possibility to certify and accredit the system, operate it legally, or connect it to another DoD system may be the result. | |
DSN03.05 | V0008346 | III | A Voice/Video/RTS system or device is NOT installed according to the deployment restrictions and/or mitigations contained in the IA test report, Certifying Authority's recommendation and/or DSAWG approval documentation. | The possibility to certify and accredit the system, operate it legally, or connect it to another DoD system may be the result. | |
DSN03.06 | V0008347 | III | A Voice/Video/RTS system or device is NOT installed in the same configuration and being used for the same purpose that was tested for prior to DSAWG approval and DSN APL listing. | The possibility to certify and accredit the system, operate it legally, or connect it to another DoD system may be the result. | |




DSN03.07 | V0008348 | III | The requirement of DSN APL listing is not being considered during the procurement, installation, connection, or upgrade to the site's Voice/Video/RTS infrastructure. | The possibility to certify and accredit the system, operate it legally, or connect it to another DoD system may be the result. | |
DSN04.01 | V0007930 | II | Switch administration, ADIMSS, or other Network Management terminals are not located on a dedicated LAN. | System not on a dedicated LAN may be exposed to unnecessary IP network vulnerabilities. | |
DSN04.02 | V0007931 | II | Network Management routers located at switch sites are not configured to provide IP and packet level filtering/protection. | Denial of Service (DoS), degradation of service, loss of confidentiality, and unauthorized access may occur. | |
DSN04.03 | V0007932 | II | Administration terminals are used for other day-to-day functions (e.g., email, web browsing, etc.). | Denial of Service (DoS), degradation of service, loss of confidentiality, and unauthorized access may occur. | |
DSN04.04 | V0007933 | II | Switch Administration terminals do not connect directly to the switch administration port or connect via a controlled, dedicated, out of band network used for switch administration support. | Denial of Service (DoS), degradation of service, loss of confidentiality, and unauthorized access may occur. | |




DSN04.05 | V0007934 | III | Attendant console ports are available to unauthorized users by not allowing any instrument other than the Attendant console to connect to the Attendant console port. | This type of access to unauthorized users or subscribers can result in disruption of call processing, calls monitored, or unauthorized class of service. | |
DSN04.06 | V0007935 | III | The ISSO/IAO has not established Standard Operating Procedures. | The inability to effectively maintain the network or voice service while applying security policy and vulnerability mitigation may exist. | |
DSN04.07 | V0008545 | II | OAM&P / NM and CTI networks are NOT dedicated to the system that they serve in accordance with their separate DSN APL certifications. | Denial of Service (DoS), degradation of service, loss of confidentiality, and unauthorized access may occur. | |
DSN04.08 | V0008544 | II | An OAM&P / NM and CTI network/LAN is connected to the local general use (base) LAN without appropriate boundary protection. | The loss of protection from external sources is forgone, resulting in Denial of Service (DoS), degradation of service, loss of confidentiality, and unauthorized access. | |
DSN04.09 | V0008542 | II | An OAM&P / NM and CTI network/LAN is connected to the local general use (base) LAN without appropriate boundary protection. | Denial of Service (DoS), degradation of service, loss of confidentiality, and unauthorized access may occur. | |




DSN04.10 | V0008541 | II | An OAM&P / NM or CTI network DOES NOT comply with the Enclave and/or Network Infrastructure STIGs. | Denial of Service (DoS), degradation of service, loss of confidentiality, and unauthorized access may occur. | |
DSN05.01 | V0007936 | II | Applicable security packages have not been installed on the system. | The inability to properly secure the system, leaving it vulnerable to attack. | |
DSN06.01 | V0007937 | II | The IAO DOES NOT ensure that all temporary Foreign/Local National personnel given access to DSN switches and subsystems for the purpose of installation and maintenance, are controlled and provided direct supervision and oversight (e.g., escort) by a knowledgeable and appropriately cleared U.S. citizen. | Unauthorized access and disclosure of official or classified information may result if this requirement is not met. | |
DSN06.02 | V0008519 | II | Foreign/Local National personnel hired by a base/post/camp/station for the purpose of operating or performing OAM&P / NM functions on DSN switches and subsystems have not been vetted through the normal process for providing SA clearance as dictated by the local Status of Forces Agreement (SOFA). | Unauthorized access and disclosure of official or classified information may result if this requirement is not met. | |




DSN06.03 | V0008520 | II | Foreign/Local National personnel have duties or access privileges that exceed those allowed by DODI 8500.2 E3.4.8. | Unauthorized access and disclosure of official or classified information may result if this requirement is not met. | |
DSN06.04 | V0007940 | III | The option to restrict user access based on duty hours is available but is not being utilized. | Unauthorized access to the system outside of duty hours provides the opportunity for misuse or system abuse. | |
DSN06.05 | V0008558 | II | System administrative and maintenance users are assigned accounts with privileges that are not commensurate with their assigned responsibilities. | Denial of Service (DoS), degradation of service, loss of confidentiality, and unauthorized access may occur. | |
DSN06.06 | V0008556 | III | All system administrative and maintenance user accounts are not documented. | Denial of Service (DoS), degradation of service, loss of confidentiality, and unauthorized access may occur. | |
DSN06.07 | V0008554 | III | The available option of Command classes or command screening is NOT being used to limit system privileges. | Denial of Service (DoS), degradation of service, loss of confidentiality, and unauthorized access may occur. | |
DSN07.01 | V0007941 | III | The Direct Inward System Access feature and/or access to Voice Mail is not controlled by either class of service, special authorization code, or PIN. | If this feature is not controlled, risk of unauthorized access to the DSN could result in call fraud and abuse. | |




   Legend:
   R or RAE = Required Ancillary Equipment
   NF = Not a Finding
   NA = Not Applicable                                                                         266 of 1220
   ____ Checklist _V_R_ (<date>)                                                <Test> - TN <Ticket Number>
  PDI     VMSID CAT            Requirement                         Vulnerability      Status     Finding Notes
DSN07.02  V0007942  CAT III
   Requirement:   Direct Inward System Access and Voice Mail access codes are not changed semi-annually.
   Vulnerability: If the special access code is not changed periodically, the service is more likely to be compromised, thus degrading system access security.

DSN07.03  V0007943  CAT III
   Requirement:   Personal Identification Numbers (PIN) assigned to special subscribers used to control Direct Inward System Access and Voice Mail services are not being controlled like passwords and deactivated when no longer required.
   Vulnerability: If the PIN is not changed periodically, the service is more likely to be compromised, thus degrading system access security.

DSN07.04  V0007944  CAT III
   Requirement:   Privilege authorization, Direct Inward System Access and/or Voice Mail special authorization codes or individually assigned PINs are not changed when compromised.
   Vulnerability: This can lead to call fraud and abuse, and access control to the system may be lost.

DSN08.01  V0007945  CAT III
   Requirement:   Equipment, cabling, and terminations that provide emergency life safety services such as 911 (or European 112) services and/or emergency evacuation paging systems are NOT clearly identified and marked.
   Vulnerability: The result could be Denial of Service (DoS) to the system.

DSN08.02  V0008537  CAT III
   Requirement:   There is no system installed that can provide emergency life safety or security announcements.
   Vulnerability: Reduced awareness by site personnel of potentially life threatening situations or security breaches if security announcements are not installed.

267 of 1220

DSN08.03  V0008539  CAT II
   Requirement:   A policy is NOT in place and/or NOT enforced regarding the use of unclassified telephone/RTS instruments located in areas or rooms where classified meetings, conversations, or work normally occur.
   Vulnerability: The unauthorized access to classified information for which the recipient does not either have the proper clearance or need-to-know may be the result.

DSN08.04  V0008543  CAT II
   Requirement:   Voice/Video/RTS devices located in SCIFs do not prevent on-hook audio pick-up and/or do not have a speakerphone feature disabled or are not implemented in accordance with DCID 6/9 or TSG Standard 2.
   Vulnerability: The unauthorized access to classified information for which the recipient does not either have the proper clearance or need-to-know may be the result.

DSN09.01  V0007946  CAT III
   Requirement:   SS7 links are not clearly identified and routed separately from termination point to termination point.
   Vulnerability: The potential for inadvertent Denial of Service (DoS) or degradation of service may be the result.

DSN09.02  V0007947  CAT III
   Requirement:   The SS7 termination blocks are not clearly identified at the MDF.
   Vulnerability: The potential for inadvertent Denial of Service (DoS) or degradation of service may be the result.

DSN09.03  V0007948  CAT III
   Requirement:   Power cabling that serves SS7 equipment is not diversely routed to separate Power Distribution Frames (PDF) and identified.
   Vulnerability: The potential for inadvertent Denial of Service (DoS) or degradation of service may be the result.

DSN09.04  V0007949  CAT III
   Requirement:   Power cabling that serves SS7 equipment is not clearly identified at both the termination point and at the fusing position.
   Vulnerability: The potential for inadvertent Denial of Service (DoS) or degradation of service may be the result.

268 of 1220

DSN09.05  V0007950  CAT II
   Requirement:   Links within the SS7 network are not encrypted.
   Vulnerability: The potential for inadvertent Denial of Service (DoS), degradation of service, and unauthorized access may be the result.

DSN10.02  V0007952  CAT II
   Requirement:   A DoD VoIP system, device, or network is NOT configured in compliance with all applicable STIGs or the appropriate STIGs have not been applied to the fullest extent possible.
   Vulnerability: The potential for inadvertent Denial of Service (DoS), degradation of service, and unauthorized access may be the result.

DSN11.01  V0007953  CAT II
   Requirement:   Transport circuits are not encrypted.
   Vulnerability: The potential for inadvertent Denial of Service (DoS), man-in-the-middle, degradation of service, and unauthorized access may be the result.

DSN11.02  V0007954  CAT III
   Requirement:   Physical access to commercial Add/Drop Multiplexers (ADMs) is not restricted.
   Vulnerability: Physical access to systems by unauthorized personnel leaves the system components vulnerable to a multitude of attacks and accidental de-activation or disconnection.

269 of 1220

DSN12.01  V0007955  CAT III
   Requirement:   The ISSO/IAO does not maintain a library of security documentation.
   Vulnerability: The inability of site personnel to easily access security related information and be aware of policy and vulnerabilities promotes security awareness deficiency.

DSN13.01  V0007956  CAT II
   Requirement:   Users are not required to change their password during their first session.
   Vulnerability: Default passwords used over the long term may allow for unauthorized system and network access, or be subject to disclosure through password cracking tools.

DSN13.02  V0007957  CAT I
   Requirement:   Default passwords and user names have not been changed.
   Vulnerability: Default passwords used over the long term may allow for unauthorized system and network access, or be subject to disclosure through password cracking tools.

DSN13.03  V0007958  CAT II
   Requirement:   Shared user accounts are used and not documented by the ISSO/IAO.
   Vulnerability: The potential for inadvertent Denial of Service (DoS), degradation of service, and unauthorized access may be the result.

270 of 1220

DSN13.04  V0007959  CAT III
   Requirement:   The option to disable user accounts after 30 days of inactivity is not being used.
   Vulnerability: The potential for inadvertent Denial of Service (DoS), degradation of service, and unauthorized access may be the result.

DSN13.05  V0007960  CAT I
   Requirement:   Management access points (i.e. administrative/maintenance ports, system access, etc.) are not protected by requiring a valid username and a valid password for access.
   Vulnerability: An unprotected account provides access to anyone who knows the user account name.

DSN13.06  V0007961  CAT III
   Requirement:   Passwords do not meet complexity requirements.
   Vulnerability: By not meeting the DoD complexity requirement, or by having no password at all, the system may be open to DoS, degradation of service, loss of confidentiality, and unauthorized access.

DSN13.07  V0007962  CAT II
   Requirement:   Maximum password age does not meet minimum requirements.
   Vulnerability: Passwords that do not change, or remain the same for an extended period of time, are more subject to password cracking tools.

DSN13.08  V0007963  CAT II
   Requirement:   Users are permitted to change their passwords at an interval of less than 24 hours without ISSO/IAO intervention.
   Vulnerability: Permitting passwords to be changed in immediate succession within 24 hours allows users to cycle through their password history.

271 of 1220

DSN13.09  V0007964  CAT III
   Requirement:   Password reuse is not set to 8 or greater.
   Vulnerability: Passwords that do not change, or remain the same for an extended period of time, are more subject to password cracking tools and potential compromise of the system.

DSN13.10  V0007966  CAT II
   Requirement:   User passwords can be retrieved and viewed in clear text by another user.
   Vulnerability: Passwords in the clear will be compromised, resulting in the potential for malicious system and network activity.

DSN13.11  V0007967  CAT II
   Requirement:   User passwords are displayed in the clear when logging into the system.
   Vulnerability: Passwords in the clear will be compromised, resulting in the potential for malicious system and network activity.

DSN13.12  V0007968  CAT III
   Requirement:   The option to use passwords that are randomly generated by the DSN component is available but not being used.
   Vulnerability: User defined passwords have the potential to be guessed.

DSN13.13  V0007969  CAT II
   Requirement:   The system is not configured to disable a user's account after three notifications of password expiration.
   Vulnerability: Systems that do not prompt users for a password change or lock users out after three failed attempts are vulnerable to password cracking.

272 of 1220

DSN13.14  V0007965  CAT II
   Requirement:   The ISSO/IAO has not recorded the passwords of high level users (ADMIN) used on DSN components and stored them in a secure or controlled manner.
   Vulnerability: This helps prevent time consuming password recovery techniques and denial of administrator access.

DSN13.15  V0007970  CAT II
   Requirement:   Crash-restart vulnerabilities are present on the DSN system component.
   Vulnerability: System integrity, DoS, loss of confidentiality, and system compromise may exist if there is not a measure in place to return the system away from the default settings.

DSN13.16  V0008560  CAT II
   Requirement:   Access to all management system workstations and administrative / management ports is NOT remotely authenticated.
   Vulnerability: Loss of management control, system abuse, Denial of Service (DoS), degradation of service, system compromise, and unauthorized access may occur.

DSN13.17  V0008559  CAT II
   Requirement:   Strong two-factor authentication is NOT used to access all management system workstations and administrative / management ports on all devices or systems.
   Vulnerability: Loss of management control and system abuse may occur if two-factor authentication is not used throughout the system.

273 of 1220

DSN14.01  V0007971  CAT II
   Requirement:   The DSN system component is not installed in a controlled space with visitor access controls applied.
   Vulnerability: Loss of management control, system abuse, Denial of Service (DoS), degradation of service, system compromise, and unauthorized access may occur.

DSN14.02  V0007972  CAT II
   Requirement:   Documented procedures do not exist that will prepare for a suspected compromise of a DSN component.
   Vulnerability: Denial of Service (DoS) due to the inability to quickly recover from the compromise.

DSN15.01  V0007973  CAT II
   Requirement:   Audit records are NOT stored in an unalterable file and can be accessed by individuals not authorized to analyze switch access activity.
   Vulnerability: The inability to take administrative action or prosecute for inappropriate actions or system abuse may be the result.

DSN15.02  V0007974  CAT II
   Requirement:   Audit records do not record the identity of each person and terminal device having access to switch software or databases.
   Vulnerability: By not recording security events the auditing process is degraded, and unauthorized system activity may go unreported.

DSN15.03  V0007975  CAT II
   Requirement:   Audit records do not record the time of the access.
   Vulnerability: By not recording relevant security events the auditing process is degraded, and unauthorized system activity may go unreported.

274 of 1220

DSN15.04  V0007976  CAT II
   Requirement:   The auditing records do not record activities that may change, bypass, or negate safeguards built into the software.
   Vulnerability: By not recording relevant security events the auditing process is degraded, and unauthorized system activity may go unreported.

DSN15.05  V0007977  CAT II
   Requirement:   Audit record archive and storage do not meet minimum requirements.
   Vulnerability: By not archiving relevant security events the auditing process is degraded, and unauthorized system activity may go unreported.

DSN15.06  V0007978  CAT II
   Requirement:   Audit records are not being reviewed by the ISSO/IAO weekly.
   Vulnerability: By not archiving relevant security events the auditing process is degraded, and unauthorized system activity may go unreported.

DSN15.07  V0008546  CAT II
   Requirement:   The auditing process DOES NOT record security relevant actions such as the changing of security levels or categories of information.
   Vulnerability: By not recording relevant security events the auditing process is degraded, and unauthorized system activity may go unreported.

275 of 1220

DSN16.01  V0007979  CAT II
   Requirement:   An Information Systems Security Officer/Information Assurance Officer (ISSO/IAO) is not designated for each telecommunications switching system or DSN Site.
   Vulnerability: No, or inadequate, oversight of and concern for security issues relating to the telecommunications switching system or DSN site will result if this requirement is not met.

DSN16.02  V0007980  CAT II
   Requirement:   Site personnel have not received the proper security training and/or are not familiar with the documents located in the security library.
   Vulnerability: The system may be left vulnerable due to ignorance of policy, procedures, and threats to the system.

DSN16.03  V0007981  CAT III
   Requirement:   The ISSO/IAO does not maintain a DSN Personnel Security Certification letter on file for each person involved in DSN A/NM duties.
   Vulnerability: Denial of Service (DoS), and unauthorized access to network or voice system resources or the services they contain may result if this requirement is not met.

DSN16.04  V0007982  CAT II
   Requirement:   System administrators are NOT appropriately cleared.
   Vulnerability: If physical and administrative access to systems is not confirmed and controlled, this may result in unauthorized access or compromise.

   Legend:
   R or RAE = Required Ancillary Equipment
   NF = Not a Finding
   NA = Not Applicable                                                                         276 of 1220
   ____ Checklist _V_R_ (<date>)                                              <Test> - TN <Ticket Number>
PDI | VMSID | CAT | Requirement | Vulnerability | Status | Finding Notes
DSN17.01 | V0007983 | II | Site staff does not verify and record the identity of individuals installing or modifying a device or software. | Denial of Service (DoS), and unauthorized access to network or voice system resources or the services they contain may result if this requirement is not met. | |
DSN17.02 | V0007984 | II | System images are not being backed up on a weekly basis to the local system and a copy is not being stored on a removable storage device and/or is not being stored off site. | Denial of Service (DoS), or degradation of service may occur if systems operations cannot be restored quickly. | |
DSN17.03 | V0007985 | II | Site staff does not ensure backup media is available and up to date prior to software modification. | Denial of Service (DoS), or degradation of service may occur if systems operations cannot be restored quickly. | |
DSN17.04 | V0008531 | II | The latest software loads and patches are NOT applied to all systems to take advantage of security enhancements. | Denial of Service (DoS), degradation of service, loss of confidentiality, and unauthorized access may occur. | |
DSN17.05 | V0008532 | II | Maintenance and security patches are NOT approved by the local DAA prior to installation in the system. | Denial of Service (DoS), degradation of service, loss of confidentiality, and unauthorized access may occur if system operations are not restored quickly, or are based off untested code. | |




DSN17.06 | V0008535 | II | Major software version upgrades have NOT been tested, certified, and placed on the DSN APL before installation. | Denial of Service (DoS), degradation of service, loss of confidentiality, and unauthorized access may occur if system operations are not restored quickly, or are based off untested code. | |
DSN18.01 | V0007986 | II | Modems are not physically protected to prevent unauthorized device changes. | Failure to control physical access to modems could result in modem settings being changed to allow unauthorized access to DSN system components. | |
DSN18.02 | V0007987 | II | A detailed listing of all modems is not being maintained. | The potential for non-approved modems may be present if a listing is not maintained. | |
DSN18.03 | V0007988 | II | Unauthorized modems are installed. | Denial of Service (DoS), degradation of service, loss of confidentiality, and unauthorized access may occur. | |
DSN18.04 | V0007989 | II | Modem phone lines are not restricted and configured to their mission required purpose (i.e. inward/outward dial only). | An attacker may use special features to forward modem or voice calls to destinations that cause toll-fraud, or forward the number to itself causing a denial of service. | |




DSN18.05 | V0007990 | II | Modem phone lines are not restricted to single-line operation. | By restricting modem phone lines to single-line operation, the risk of unauthorized access is limited by preventing the added functions of a multi-line from being used by an unauthorized person to gain access. | |
DSN18.06 | V0007991 | III | The option of Automatic Number Identification (ANI) is available but not being used. | Without number logs, auditing for unauthorized accesses and toll-fraud becomes increasingly difficult. | |
DSN18.07 | V0007992 | II | Authentication is not required for every session requested. | Without authentication, unauthorized access or sessions may be granted. | |
DSN18.08 | V0007993 | III | The option to use the "callback" feature for remote access is not being used. | Security authentication may be degraded, and remote unmanned sites could be abused. | |
DSN18.09 | V0007994 | III | FIPS 140-2 validated link encryption mechanisms are not being used to provide end-to-end security of all data streams entering the remote access port of a telephone switch. | Denial of Service (DoS), degradation of service, loss of confidentiality, and unauthorized access may occur. | |
DSN18.10 | V0007995 | III | The option to use two-factor authentication when accessing remote access ports is not being used. | Unauthorized persons may be able to access DSN components. | |


DSN18.11 | V0007996 | II | Administrative/maintenance ports are not being controlled by deactivating or physically disconnecting remote access devices when not in use. | Denial of Service (DoS), degradation of service, loss of confidentiality, and unauthorized access may occur. | |
DSN18.12 | V0007997 | II | Idle connections DO NOT disconnect in 15 min. | Critical and sensitive system areas may not be protected from exposure to unauthorized personnel with physical access to an unattended administration or maintenance terminal. | |
DSN18.13 | V0007998 | II | The DSN component is not configured to be unavailable for 60 seconds after 3 consecutive failed logon attempts. | If the time that the port is unavailable is substantially greater than 60 seconds, DoS could result by maliciously attempting logins on all ports. | |
DSN18.14 | V0007999 | II | Serial management/maintenance ports are not configured to "force out" or drop any interrupted user session. | A management port may be available with an active session that might allow unauthorized use by someone other than the authenticated user. | |
DSN18.15 | V0008518 | II | An OOB Management DOES NOT comply with the Enclave and/or Network Infrastructure STIGs. | Denial of Service (DoS), degradation of service, loss of confidentiality, and unauthorized access may occur. | |


DSN18.16 | V0008517 | II | OOB management networks are NOT dedicated to management of like or associated systems. | Unauthorized access to the managed systems or to the sensitive management traffic may result if the requirement is not met. | |
DSN18.17 | V0008516 | II | Network management/maintenance ports are not configured to "force out" or drop any user session that is interrupted for more than 15 seconds. | A management or maintenance port may be available with an active session that might allow unauthorized use by someone other than the authenticated user. | |
DSN19.01 | V0008000 | II | A properly worded Login Banner is not used on all system/device management access ports and/or OAM&P/NM workstations. | Having no banner forgoes the possibility to provide a definitive warning to any possible intruders that may want to access the system that certain activities are illegal, and simultaneously to advise the authorized and legitimate users of their obligations relating to acceptable use of the computerized or networked environment. | |




DSN20.01 | V0008515 | I | A SMU component is not installed in a controlled space with visitor access controls applied. | Physical access to systems by unauthorized personnel leaves the system components vulnerable to a multitude of attacks and accidental de-activation or disconnection. | |
DSN20.02 | V0008514 | III | The SMU ADIMSS connection is NOT dedicated to the ADIMSS network. | Denial of Service (DoS), degradation of service, loss of confidentiality, and unauthorized access may occur. | |
DSN20.03 | V0008513 | II | The ADIMSS server connected to the SMU is NOT dedicated to ADIMSS functions. | Denial of Service (DoS), degradation of service, loss of confidentiality, and unauthorized access to the ADIMSS network may occur. | |
DSN20.04 | V0008512 | II | The SMU management port or management workstations are improperly connected to a network that is not dedicated to management of the SMU. | Denial of Service (DoS), degradation of service, loss of confidentiality, and unauthorized access may occur. | |




EN005 | V0016162 | II | PKI usage and implementation is not compliant with DoD Instruction 8520.02, Public Key Infrastructure (PKI) and Public Key (PK) Enabling, 1 April 2004. | | |
EN010 | V0003914 | II | Enclave assets and/or systems that support enclave protection are not registered with an IAVM tracking mechanism (e.g., Vulnerability Management System (VMS) and AVTR). | | |
EN020 | V0003915 | III | System Administrators (SAs) are not responsible for critical assets or are not registered with a vulnerability management tracking system and therefore are not aware of critical patch releases or vulnerabilities. | | |
EN030 | V0003916 | II | IAVM notices are not responded to within the specified period of time. | | |
EN040 | V0003917 | II | Security related patches have not been applied to all systems. | | |
EN041 | V0004712 | II | A documented security patch management process is not in place or cannot be validated. | | |
EN042 | V0004713 | III | Workstations do not use an automated patch distribution process from a trusted site or secure source (i.e., tools such as Windows Update Services (WUS), scripts, Tivoli, etc.) to distribute and apply security related patches. | | |




EN043 | V0007572 | III | Patch testing is not performed, prior to deployment, in a nonproduction environment. | | |
EN050 | V0003920 | II | INFOCON procedures are not followed in accordance with Strategic Command Directive SD 527-1, 27 January 2006. | | |
EN070 | V0014264 | III | Supplemental SA INFOCON procedures are not available as required. | | |
EN080 | V0003922 | III | IA or IA enabled products do not meet the minimum EAL and robustness level requirements as established by the Designated Approving Authority (DAA). | | |
EN090 | V0003923 | III | The acquisition of IA or IA-enabled products does not meet the requirements as set forth by NSTISSP 11 and the DODI 8500.2. | | |
EN100 | V0003924 | III | Enclave assets are not assigned a Mission Assurance Category (MAC) or not assigned the correct MAC. | | |
EN270 | V0004001 | II | Low assurance/risky (red port) PPS traffic is allowed through a virtual private network (VPN) without addressing the risk to the other enclaves and is not approved by the DAA. | | |
EN280 | V0014265 | III | Exceptions to the minimum Enclave requirements have not been approved by the appropriate authority. | | |




EN290 | V0014266 | II | An external intrusion detection system (IDS) is not present at the enclave perimeter as directed by the Computer Network Defense Service Provider (CNDSP). | | |
EN300 | V0004004 | II | The external NID is not under the operational control of the CNDSP and is not located outside of a local firewall. | | |
EN360 | V0004010 | III | Permitted IPs and ports, protocols and services are not documented. | | |
EN430 | V0004016 | II | The DNS server and architecture is not configured in accordance with the DNS STIG. | | |
EN440 | V0004017 | I | Privileged level user remote access is not encrypted. | | |
EN460 | V0004019 | III | Content security checking is not employed for email, ftp, or http data. | | |
EN465 | V0014276 | II | A policy and procedure is not in place to monitor all virus alerts (to include desktop clients) and/or reporting any malicious activity to appropriate personnel is not being accomplished. | | |
EN480 | V0004021 | II | A policy is not in place to ensure a DMZ is established within the Enclave Security Architecture to host any remotely or publicly accessible system. | | |
EN540 | V0004027 | II | Servers do not employ Host Based Intrusion Detection (HIDS). | | |




EN550 | V0004122 | III | The SA is not responding to initial real time HIDS alarms and does not perform analysis of reports. | | |
EN560 | V0004123 | II | Significant events are not reported to the site's Computer Network Defense Service Provider (CNDSP) and/or auditing requirements are not met in accordance with the DoDI 8500.2. | | |
EN610 | V0004128 | III | Local policies have not been developed to ensure information posted to the Internet/Intranet is reviewed by a duly appointed PAO or authorized content reviewer for sensitive information. | | |
EN620 | V0004129 | II | The web servers are not configured in accordance with the Web Server STIG. | | |
EN670 | V0004134 | I | Classified or sensitive information is transmitted over unapproved communications systems or non-DOD systems. | | |
EN680 | V0004135 | I | Anonymous mail redirection/relay is not blocked. | | |
EN690 | V0014278 | II | Email systems are not configured to block attachments IAW the NSA guide to Email Security in the Wake of Recent Malicious Code Incidents. | | |
EN710 | V0004138 | III | DOD policy on mobile code is not being followed. | | |
EN730 | V0004139 | II | The Database Management System (DBMS) is not secured in accordance with the Database STIG. | | |




EN735 | V0004756 | II | Wireless Local Area Networks (LANs) and/or devices are not secured in accordance with the Wireless STIG. | | |
EN795 | V0014305 | II | Annual assessments are not being performed in accordance with DoD 8500.2. | | |
EN800 | V0014283 | III | The site does not coordinate access for the SIPRNet PMO to perform random assessments within the Enclave. | | |
EN805 | V0004755 | II | The application infrastructure is not in compliance with the Application Security and Development and Application Services STIGs. | | |
EN890 | V0015748 | I | FTP and/or telnet from outside the enclave into the enclave is permitted, without applying the appropriate security requirements. | | |
EN900 | V0015749 | II | FTP user IDs do not expire and/or passwords are not changed every 90 days. | | |
EN910 | V0015750 | I | FTP or Telnet is used with a userid (UID)/password that has administrative or root privileges. | | |
EN920 | V0015751 | III | An anonymous FTP connection within the enclave is established. | | |
ENCTO-0712 | V0016161 | II | The site is not in compliance with the JTF-GNO issued CTO-07-12, Deployment of the Host Based Security System. | | |




ENCTO-0715 | V0011939 | II | The site is not in compliance with JTF-GNO Communications Tasking Order 07-15, PKI Implementation Phase 2. | | |
ENCTO-08005 | V0004145 | II | Scanning, remediation, and reporting of vulnerabilities are not maintained in accordance with JTF CTO 08-005. | | |
ENCTO-08008A | V0016160 | II | The site is not in compliance with JTF-GNO issued CTO-08-008A which requires the use of the standardized DoD Warning Banner and user agreement. Compliance has not been reported as outlined in CTO 08-008A. | | |
ENTD100 | V0003918 | II | Test and development systems are not connected to an isolated network separated from production systems. | | |
ENTD110 | V0003919 | II | Out of band access is not utilized to access a test and development enclave remotely. | | |
ENTD120 | V0014306 | II | Development is performed on platforms that are not STIG compliant and/or within a non-STIG compliant infrastructure. | | |
ENTD130 | V0014307 | II | Network infrastructure devices, such as routers, switches, firewalls, etc., that support the Test/Development enclave, are not STIG compliant. | | |




ENTD140           V0014308  II   Documentation which details the description and function of each system, the zone the system resides in, the SA of the system, applications, OS, and hardware of the system is incomplete or missing.
ENTD150           V0014309  II   Systems in test and development zones are connected to a DoD production network without security controls, as required by the appropriate STIGs. A Connection Approval Process (CAP) has not been used prior to connection to a DoD network.
ENTD160           V0014310  II   Test and development systems are not physically disconnected or blocked at the firewall from external networks during the installation of an operating system.
ENTD170           V0014311  II   Development is performed in a Zone D test enclave.
ENTD180           V0014312  I    Zone D systems have direct connectivity to a DoD network.
ENTD190           V0014371  I    Zone D systems contain production or “live” DoD data or privacy act information and are connected to an external network.
ENTD200           V0014372  I    DoD client workstations/laptops, used for DoD official business, interact or connect (to include remote access) to a Zone D system or network.

ENTD210           V0014373  I    Zone C systems have external connectivity to a network other than that of an additional testing facility with the same security requirements (e.g. Zone C to Zone C).
ENTD220           V0014472  II   Zone C systems are not tightly restricted and/or controlled via network resources to prevent T&D systems traffic or data from entering the DoD network.
ENTD230           V0014380  II   Zone B network connections (all incoming/outgoing traffic) are not strictly controlled via network infrastructure devices, to include the establishment of a VPN, VLAN or TACLANE.
ENTD240           V0014381  II   A Network Infrastructure STIG compliant DMZ has not been established for the downloading of applicable software for a Zone B environment.
ENTD250           V0014434  II   External to internal (ingress) network initiated connections are permitted for Zone B environments.
ENTD260           V0014457  II   Zone B egress traffic is not restricted via source and destination filtering as well as ports, protocols and services. Zone B traffic is not restricted to facilitate system testing.
ENTD270           V0014458  II   Systems residing in a Zone A test/development environment are not STIG compliant. POA&Ms are not in place to address any open findings for systems.

ENTD280           V0014459  II   Zone A systems are not separated/isolated from production assets via network infrastructure devices, e.g., VLANs, separate subnets.
ENTD290           V0014460  II   Zone A systems do not comply with the requirements in the DoD PPS Assurance Category Assignments List (CAL) for PPS utilization.
ENTD300           V0014461  II   Zone A systems do not utilize a Connection Approval Process to include assessment and scanning for security baselines, and final ATC.
ENTD310           V0014464  II   The IAO will ensure, if remote access is required to a non STIG compliant system in Zone B, dedicated clients (non-production) are utilized to access Zone B systems from a VPN or dialup connection. No connectivity will occur from a production STIG compliant client (e.g., STIG'd Government Furnished Equipment) to a non-STIG'd system in Zone B.
ENTD320           V0014465  II   Non-STIG'd systems connect or communicate with STIG compliant production systems via a remote access solution.
ENTD330           V0014466  I    Virtual machine guest operating systems (OS) which are used to access a T&D zone communicate with the host OS or a production OS.

ENTD340           V0014467  I    In a virtual machine remote access solution, T&D client traffic is not restricted such that all network traffic can only flow to and from the T&D zone.
ENTD350           V0014468  II   Non-production “guests” communicate with DoD networks via the LAN.

7.035             V0003765  I    IAVM Alert 2002-A-0003, Apache Web Server Chunk Handling Vulnerability, has not been applied.
1999-0001         V0005749  I    Mountd Remote Buffer Overflow Vulnerability
1999-0003         V0005751  I    Remote FTP Vulnerability
1999-A-0006       V0005753  I    Statd and Automountd Vulnerabilities
2000-A-0001       V0005777  I    Cross-Site Scripting Vulnerability
2000-A-0003       V0005778  I    Gauntlet Firewall for Unix and WebShield Cyberdaemon Buffer Overflow Vulnerability
2000-B-0001       V0005780  I    Bind NXT Buffer Overflow
2000-B-0002       V0005781  I    Netscape Navigator Improperly Validates SSL Sessions
2000-B-0003       V0005782  I    Multiple Buffer Overflows in Kerberos Authenticated Services
2000-B-0004       V0005783  I    Washington University FTP Daemon (wu-ftpd) Site Exec Vulnerability and setproctitle() Vulnerability
2000-B-0005       V0005784  I    Input Validation Problem in rpc.statd
2000-T-0006       V0005791  II   Frame Domain Verification, Unauthorized Cookie Access and Malformed Component Attribute Vulnerabilities
2000-T-0015       V0005798  II   BMC Best/1 Version 6.3 Performance Management System Vulnerability
2001-A-0001       V0005799  I    Multiple Vulnerabilities in BIND
2001-A-0007       V0005803  I    iPlanet Web Servers Expose Sensitive Data via Buffer Overflow
2001-A-0009       V0005804  I    Gauntlet Firewall for Unix and WebShield CSMAP and smap/smapd Buffer Overflow Vulnerability
2001-A-0011       V0005805  I    Format String Vulnerability in CDE ToolTalk
2001-A-0013       V0005807  I    SSH CRC32 Remote Integer Overflow Vulnerability
2001-B-0003       V0005811  I    Encoding Intrusion Detection System Bypass Vulnerability
2001-B-0004       V0005812  I    WU-FTPd Remote Code Execution Vulnerability
2001-T-0004       V0005816  II   MySQLd Vulnerability
2001-T-0005       V0005817  II   Input Validation Problems in LPRng
2001-T-0008       V0005820  II   Buffer Overflow in telnetd
2001-T-0009       V0005821  II   Symantec Norton Antivirus LiveUpdate Host Verification Vulnerability
2001-T-0015       V0005825  II   Multiple Vulnerabilities in lpd Daemon
2001-T-0017       V0005826  II   OpenSSH UseLogin Multiple Vulnerabilities
2001-T-0018       V0005827  II   Short Password Vulnerability in SSH Communications Security
2002-A-0003       V0005830  I    Apache Web Server Chunk Handling Vulnerability
2002-A-SNMP-003   V0005837  I    Multiple Simple Network Management Protocol Vulnerabilities in Servers and Applications
2002-A-SNMP-004   V0005838  I    Multiple Simple Network Management Protocol Vulnerabilities in Perimeter Devices
2002-A-SNMP-005   V0005839  I    Multiple Simple Network Management Protocol Vulnerabilities in Enclave Devices
2002-A-SNMP-006   V0005840  I    Multiple Simple Network Management Protocol Vulnerabilities in Servers and Applications
2002-B-0003       V0005842  I    Multiple Vulnerabilities in PHP
2002-B-SNMP-002   V0005847  I    Multiple Simple Network Management Protocol Vulnerabilities in Servers and Applications
2002-T-0004       V0005851  II   Kerberos Telnet Protocol Vulnerability
2002-T-0005       V0005852  II   Multiple Vulnerabilities in Oracle Database Server
2002-T-0006       V0005853  II   Multiple Vulnerabilities in Oracle9i Application Server
2002-T-0015       V0005862  II   Integer Overflow Vulnerability in SunRPC derived XDR Libraries
2002-T-0016       V0005863  II   Multiple Vendor kadmind Remote Buffer Overflow Vulnerability
2002-T-SNMP-003   V0005867  II   Multiple Simple Network Management Protocol Vulnerabilities in Servers and Applications
2003-A-0006       V0005873  I    Multiple Vulnerabilities in Multiple Versions of Oracle Database Server
2003-A-0015       V0005908  I    Multiple Vulnerabilities in OpenSSL
2003-B-0001       V0005877  I    Multiple Buffer Overflow Vulnerabilities in Various DNS Resolver Libraries
2003-B-0003       V0005879  I    Sendmail Memory Corruption Vulnerability
2003-B-0005       V0005906  I    Sendmail Prescan Variant Remote Buffer Overrun Vulnerability
2003-T-0004       V0005883  II   Multiple Vulnerabilities in Oracle 9i Application Server
2003-T-0007       V0005886  II   Sun RPC XDR Library Integer Overflow Vulnerability
2003-T-0015       V0005896  II   Multiple Vendor PDF Hyperlinks Arbitrary Command Execution Vulnerability
2003-T-0018       V0005900  II   Real Networks Helix Universal Server Vulnerability
2003-T-0020       V0005904  II   OpenSSH Buffer Mismanagement and Multiple Portable OpenSSH PAM Vulnerabilities
2003-T-0024       V0005916  II   RSync Daemon Mode Undisclosed Remote Heap Overflow Vulnerability
2004-A-0002       V0005923  I    Multiple Vulnerabilities in Check Point Firewall
2004-A-0004       V0005929  I    ISS Internet Security Systems ICQ Parsing Buffer Overflow Vulnerability
2004-B-0003       V0005921  I    Cisco Voice Product Vulnerabilities on IBM Servers
2004-B-0007       V0005946  I    HP Web Jetadmin Multiple Vulnerabilities
2004-B-0009       V0005954  I    Oracle E-Business Suite Multiple SQL Injection Vulnerability
2004-T-0002       V0005924  II   Oracle 9i Application/Database Server Denial Of Service Vulnerability
2004-T-0003       V0005925  II   Apache-SSL Client Certificate Forging Vulnerability
2004-T-0005       V0005928  II   Oracle9i Lite Mobile Server Multiple Vulnerabilities
2004-T-0008       V0005934  II   TCPDump ISAKMP Decoding Routines Multiple Remote Buffer Overflow
2004-T-0011       V0005940  II   Oracle Application Server Web Cache HTTP Request Method Heap Overrun Vulnerability
2004-T-0018       V0005955  II   Multiple Vulnerabilities in ISC DHCP 3
2004-T-0022       V0005964  II   Check Point VPN-1, ASN.1 Buffer Overflow Vulnerability
2004-T-0038       V0005988  II   Sun Java System Web And Application Servers Remote Denial Of Service Vulnerability
2005-A-0014       V0006033  I    Multiple Vulnerabilities in Oracle E-Business and Application Suite
2005-A-0019       V0011666  I    Multiple Vulnerabilities in Oracle E-Business and Applications Suite
2005-A-0034       V0011700  I    Multiple Vulnerabilities in Oracle E-Business and Applications Suite
2005-A-0037       V0011703  I    VERITAS NetBackup Java User-Interface Remote Format String Vulnerability
2005-A-0041       V0011709  I    VERITAS NetBackup Volume Manager Daemon Buffer Overflow Vulnerability
2005-B-0007       V0006015  I    Symantec UPX Parsing Engine Remote Heap Overflow Vulnerability
2005-B-0008       V0006016  I    Trend Micro VSAPI ARJ Handling Heap Overflow Vulnerability
2005-T-0007       V0006018  II   Multiple Vulnerabilities in Computer Associates Products
2005-T-0010       V0006021  II   Multiple Vulnerabilities in Sybase Software
2005-T-0013       V0011646  II   Computer Associates BrightStor ARCserve Backup UniversalAgent Remote Buffer Overflow
2005-T-0031       V0011680  II   Multiple Vulnerabilities in Computer Associates Message Queuing (CAM/CAFT)
2005-T-0035       V0011684  II   Check Point SecurePlatform NGX Firewall Rules Bypass Vulnerability
2005-T-0038       V0011687  II   Sun Java System Application Server Web Application JAR Disclosure
2006-A-0007       V0011723  I    Multiple Vulnerabilities in Oracle E-Business Suite and Applications
2006-A-0008       V0011724  I    Computer Associates (CA) iTechnology iGateway Service Vulnerability
2006-A-0011       V0011732  I    Oracle E-Business Suite Unspecified Vulnerability
2006-A-0013       V0011737  I    Sendmail Asynchronous Signal Handling Remote Code Execution Vulnerability
2006-A-0020       V0011748  I    Multiple Vulnerabilities in Oracle E-Business Suite and Applications
2006-A-0023       V0011756  I    Multiple Vulnerabilities in Macromedia Flash
2006-A-0032       V0012321  I    Multiple Vulnerabilities in Oracle E-Business Suite and Applications
2006-A-0050       V0012899  I    Multiple Vulnerabilities in Oracle E-Business Suite and Applications
2006-T-0002       V0011726  I    Multiple Vulnerabilities within BEA WebLogic Software
2006-T-0008       V0011750  II   HP Color LaserJet 2500/4600 Toolbox Directory Traversal Vulnerability
2006-T-0013       V0011805  I    RealVNC Remote Authentication Bypass Vulnerability
2006-T-0016       V0012055  II   Sun ONE and Sun Java System Application Server Cross-Site Scripting Vulnerability
2007-A-0010       V0013583  I    Multiple Vulnerabilities in Oracle E-Business Suite and Applications
2007-A-0013       V0013605  I    Trend Micro Antivirus UPX Compressed PE File Buffer Overflow Vulnerability
2007-A-0025       V0013996  I    Multiple Vulnerabilities in Oracle E-Business Suite and Applications
2007-A-0038       V0014480  I    Symantec AntiVirus Malformed CAB and RAR Compression Remote Vulnerabilities
2007-B-0012       V0014462  I    RPC Remote Code Execution Vulnerabilities in MIT Kerberos
2007-B-0018       V0014587  I    Multiple Vulnerabilities in Oracle E-Business Suite
2007-B-0035       V0015376  II   Multiple RealPlayer Remote Code Execution Vulnerabilities
2007-T-0025       V0014383  I    Multiple Vulnerabilities in MIT Kerberos
2007-T-0033       V0014842  I    Hewlett-Packard Openview Multiple Remote Buffer Overflow Vulnerabilities
2007-T-0037       V0015097  I    MIT Kerberos Administration Daemon Remote Code Execution Vulnerabilities
2008-A-0011       V0015746  II   SQL Injection in Cisco Unified Communications Manager Vulnerability
2008-A-0020       V0015966  I    Multiple Vulnerabilities in Oracle E-Business Suite
2008-A-0032       V0016019  I    Cisco Unified Communications Manager Denial of Service Vulnerabilities
2008-A-0034       V0016023  I    IBM Lotus Sametime Multiplexer Buffer Overflow Vulnerability
2008-A-0038       V0016039  I    Multiple Security Vulnerabilities in Sun Java ASP
2008-A-0045       V0016170  I    DNS Protocol Cache Poisoning Vulnerability
2008-A-0049       V0016172  II   Multiple Vulnerabilities in Oracle E-Business Suite
2008-A-0052       V0016319  I    Multiple Vulnerabilities in the Oracle WebLogic Server component in BEA Product Suite
2008-A-0053       V0016523  II   Multiple RealPlayer Remote Code Execution Vulnerabilities
2008-A-0075       V0017786  I    Multiple Vulnerabilities in Oracle E-Business Suite
2008-B-0017       V0015753  II   Multiple Apache HTTP Server Vulnerabilities
2008-B-0020       V0015755  I    Multiple Symantec Decomposer Denial of Service Vulnerabilities
2008-B-0024       V0015780  I    Multiple MIT Kerberos Vulnerabilities
2008-B-0041       V0015994  I    Sun Java System Directory Server Remote Unauthorized Access Vulnerability
2008-B-0043       V0016022  I    Multiple CA ARCserve Backup Remote Vulnerabilities
2008-B-0045       V0016025  II   Multiple Sun Java System Application Server and Web Server Vulnerabilities
2008-B-0064       V0017414  I    Multiple Vulnerabilities in Openwsman (VMWare)
2008-B-0073       V0017742  I    Multiple HP OpenView Network Node Manager Vulnerabilities
2008-B-0078       V0017874  I    Multiple Vulnerabilities in VMware
2008-T-0003       V0015665  II   Sun Java Web Proxy Server and Sun Java Web Server Multiple Cross-Site Scripting Vulnerabilities
2008-T-0010       V0015935  II   CA BrightStor ARCserve Backup ListCtrl ActiveX Control Buffer Overflow Vulnerability
2008-T-0017       V0015995  II   CA Products DSM gui_cm_ctrls ActiveX Control Code Execution
2008-T-0026       V0016046  I    SNMP Remote Authentication Bypass Vulnerability
2008-T-0046       V0017144  II   Red Hat OpenSSH Vulnerability
2008-T-0048       V0017352  II   Apache mod_proxy_ftp Cross-Site Scripting Vulnerability
2008-T-0049       V0017350  I    Multiple Vulnerabilities in RedHat Fedora Directory Server
2008-T-0050       V0017465  I    Denial of Service Vulnerabilities in Cisco Unified Communications Manager
2008-T-0052       V0017542  III  MySQL Command-Line Client HTML Injection Vulnerability
2008-T-0054       V0017737  I    Cisco Unity Remote Administration Authentication Bypass Vulnerability
2008-T-0063       V0017904  II   Multiple Vulnerabilities in Symantec Backup Exec
2008-T-0064       V0017917  I    Bzip2 Remote Denial-of-Service Vulnerability
2009-A-0006       V0018000  II   Vulnerability in Oracle Collaboration Suite
2009-A-0009       V0018005  I    Multiple Oracle/BEA Weblogic Security Vulnerabilities
2009-A-0023       V0018613  I    Multiple Vulnerabilities in OpenSSL
2009-A-0057       V0019765  II   Multiple Vulnerabilities in Oracle Enterprise Manager
2009-A-0060       V0019802  I    ISC BIND Denial of Service Vulnerability
2009-A-0089       V0021637  I    Snort Remote Denial Of Service Vulnerability
2009-B-0006       V0018295  I    Multiple Vulnerabilities in VMware
2009-B-0015       V0018638  I    Multiple Vulnerabilities in VMware
2009-B-0016       V0018766  I    VMware Hosted Products Code Execution Vulnerability
2009-B-0017       V0018751  I    Multiple MIT Kerberos Vulnerabilities
2009-B-0021       V0019297  I    Multiple Vulnerabilities in VMware Products
2009-B-0026       V0019438  II   Multiple Vulnerabilities in Apache Tomcat
2009-B-0034       V0019859  I    Multiple Apache HTTP Server Vulnerabilities
2009-B-0051       V0021686  I    Multiple Vulnerabilities in Apache
2009-T-0024       V0018983  I    Multiple Vulnerabilities in Linux Kernel
2009-T-0050       V0021503  I    Multiple Vulnerabilities in Wireshark
2009-T-0051       V0021537  I    PHP 5.2.10 Denial of Service Vulnerability
ESX0010           V0015783  II   ESX Server is not configured in accordance with the UNIX STIG.
ESX0020           V0015784  II   An NFS Server is running on the ESX Server host.
ESX0030           V0015785  II   VMotion virtual switches are not configured with a dedicated physical network adapter.
ESX0040           V0015786  II   There is no dedicated VLAN or network segment configured for virtual disk file transfers.
ESX0050           V0015787  II   Permissions on the configuration and virtual disk files are incorrect.
ESX0055           V0016881  II   Permissions on the virtual disk files are incorrect.
ESX0060           V0015788  II   An iSCSI VLAN or network segment is not configured for iSCSI traffic.
ESX0070           V0015789  II   CHAP authentication is not configured for iSCSI traffic.
ESX0080           V0015790  II   iSCSI storage equipment is not configured with the latest patches and updates.
ESX0090           V0015791  II   iSCSI passwords are not compliant with DoD policy.
ESX0100           V0015792  II   Static discoveries are not configured for hardware iSCSI initiators.
ESX0110           V0015793  II   USB drives automatically load when inserted into the ESX Server host.
ESX0120           V0015801  III  The ESX Server does not meet the minimum requirement of two network adapters.
ESX0130           V0015802  II   The service console and virtual machines are not on dedicated VLANs or network segments.
ESX0140           V0015803  III  The Notify Switches feature is not enabled to allow for notifications to be sent to physical switches.
ESX0150           V0015804  II   The ESX Server external physical switch ports are configured to VLAN 1.
ESX0160           V0015805  II   Permissions have been changed on the /usr/sbin/esx* utilities.
ESX0170           V0015806  II   Virtual machines are connected to public virtual switches and are not documented.
ESX0180           V0015807  II   Virtual switch port group is configured to VLAN 1.
ESX0190           V0015808  II   Virtual switch port group is configured to VLAN 1001 to 1024.
ESX0200           V0015809  II   Virtual switch port group is configured to VLAN 4095.
ESX0210           V0015810  II   Port groups are not configured with a network label.
ESX0220           V0015811  II   Unused port groups have not been removed.
ESX0230           V0015812  II   Virtual switches are not labeled.
ESX0240           V0015813  II   Virtual switch labels begin with a number.
ESX0250           V0015815  I    The MAC Address Change Policy is set to "Accept" for virtual switches.
ESX0260           V0015817  I    Forged Transmits are set to "Accept" on virtual switches.
ESX0270           V0015818  I    Promiscuous Mode is set to "Accept" on virtual switches.
ESX0280           V0015819  I    Promiscuous mode is enabled for virtual switches during the ESX Server boot process.
ESX0290           V0015820  II   External physical switch ports configured for EST mode are configured with spanning-tree enabled.
ESX0300    V0015821  II   The non-negotiate option is not configured for trunk links between external physical switches and virtual switches in VST mode.
ESX0310    V0015822  II   Undocumented VLANs are configured on ESX Server in VST mode.
ESX0320    V0015824  II   ESX Server firewall is not configured to High Security.
ESX0330    V0015825  II   A third party firewall is configured on ESX Server.
ESX0340    V0015826  II   IP tables or internal router/firewall is not configured to restrict IP addresses to services.
ESX0350    V0015827  III  ESX Server required services are not documented.
ESX0360    V0015828  II   ESX Server service console administrators are not documented.
ESX0370    V0015829  II   Hash signatures for the /etc files are not stored offline.
ESX0380    V0015833  II   Hash signatures for the /etc files are not reviewed monthly.
ESX0390    V0015835  II   The setuid and setgid flags have been disabled.
ESX0400    V0015836  II   ESX Server is not authenticating the time source with a hashing algorithm.
ESX0410    V0015840  II   ESX Server does not record log files.
ESX0420    V0015841  II   ESX Server log files are not reviewed daily.
ESX0430    V0015842  II   Log file permissions have not been configured to restrict unauthorized users.
ESX0440    V0015843  III  ESX Server does not send logs to a syslog server.
ESX0450    V0015844  II   Auditing is not configured on the ESX Server.
ESX0460    V0015845  III  The IAO/SA does not subscribe to vendor security patches and update notifications.
ESX0470    V0015846  II   The ESX Server software version is not at the latest release.
ESX0480    V0015847  II   ESX Server updates are not tested.
ESX0490    V0015848  II   VMware tools are not used to update the ESX Server.
ESX0500    V0015849  I    ESX Server software version is not supported.
ESX0510    V0015850  I    VMware and third party applications are not supported.
ESX0520    V0015851  III  There are no procedures for the backup and recovery of the ESX Server, management servers, and virtual machines.
ESX0530    V0015852  II   The ESX Servers and management servers are not backed up in accordance with the MAC level of the servers.
ESX0540    V0015853  II   Disaster recovery plan does not include ESX Servers, VirtualCenter servers, virtual machines, and necessary peripherals associated with the system.
ESX0550    V0015854  II   Backups are not located in separate logical partitions from production data.
ESX0560    V0015855  II   VI Client sessions to the ESX Server are unencrypted.
ESX0570    V0015856  II   VI Web Access sessions to the ESX Server are unencrypted.
ESX0580    V0015857  II   VirtualCenter communications to the ESX Server are unencrypted.
ESX0590    V0015858  II   SNMP write mode is enabled on ESX Server.
ESX0600    V0015859  II   VirtualCenter server is hosting other applications such as database servers, e-mail servers or clients, DHCP servers, web servers, etc.
ESX0610    V0015860  II   Patches and security updates are not current on the VirtualCenter Server.
ESX0650    V0015864  II   VirtualCenter virtual machine is not configured in an ESX Server cluster with High Availability enabled.
ESX0660    V0015865  II   VirtualCenter virtual machine does not have a CPU reservation.
ESX0670    V0015866  II   VirtualCenter virtual machine does not have a memory reservation.
ESX0680    V0015867  III  VirtualCenter virtual machine CPU alarm is not configured.
ESX0690    V0015868  III  VirtualCenter virtual machine memory alarm is not configured.
ESX0700    V0015869  II   Unauthorized users have access to the VirtualCenter virtual machine.
ESX0710    V0015870  II   No dedicated VirtualCenter administrator is created within the Windows Administrators group on the Windows Server for managing the VirtualCenter environment.
ESX0720    V0015871  II   No logon warning banner is configured for VirtualCenter users.
ESX0725    V0017020  II   VirtualCenter is not using DoD approved certificates.
ESX0730    V0015872  II   VI Client sessions with VirtualCenter are unencrypted.
ESX0740    V0015873  II   VI Web Access sessions with VirtualCenter are unencrypted.
ESX0750    V0015874  I    VirtualCenter vpxuser has been modified.
ESX0760    V0015875  III  Users assigned to VirtualCenter groups are not documented.
ESX0770    V0015876  III  Users in the VirtualCenter Server Windows Administrators group are not documented.
ESX0780    V0015877  II   VirtualCenter Server groups are not reviewed monthly.
ESX0790    V0015878  II   No documented configuration management process exists for VirtualCenter changes.
ESX0800    V0015879  II   There is no VirtualCenter baseline configuration document for users, groups, permissions, and roles.
ESX0810    V0015880  II   VirtualCenter does not log user, group, permission or role changes.
ESX0820    V0015881  II   VirtualCenter logs are not reviewed daily.
ESX0828    V0016851  III  ESX administrators have not received proper training to administer the ESX Server.
ESX0860    V0015882  II   There is no up-to-date documentation of the virtualization infrastructure.
ESX0863    V0015973  II   ESX Server is not properly registered in VMS.
ESX0866    V0015974  II   ESX Server assets are not configured with the correct posture in VMS.
ESX0869    V0015975  II   VirtualCenter Server assets are not properly registered in VMS.
ESX0872    V0015984  II   VirtualCenter Server assets are not configured with the correct posture in VMS.
ESX0880    V0015884  II   ISO images are not restricted to authorized users.
ESX0890    V0015885  II   ISO images do not have hash checksums.
ESX0900    V0015886  II   ISO images are not verified for integrity when moved across the network.
ESX0910    V0015887  III  Master templates are not stored on a separate partition.
ESX0920    V0015888  II   Master templates are not restricted to authorized users only.
ESX0930    V0015889  III  The VMware-converter utility is not used for VMDK imports or exports.
ESX0940    V0015890  II   Nonpersistent disk mode is set for virtual machines.
ESX0950    V0015891  III  No policy exists to assign virtual machines to personnel.
ESX0960    V0015892  III  VI Console is used to administer virtual machines.
ESX0970    V0015893  II   Clipboard capabilities (copy and paste) are enabled for virtual machines.
ESX0980    V0015894  II   VMware Tools drag and drop capabilities are enabled for virtual machines.
ESX0990    V0015895  II   The VMware Tools setinfo variable is enabled for virtual machines.
ESX1000    V0015896  III  Configuration tools are enabled for virtual machines.
ESX1010    V0015897  II   Virtual machines are not time synchronized with the ESX Server or an authoritative time server.
ESX1020    V0015898  III  The IAO/SA does not document and approve virtual machine renames.
ESX1030    V0015899  II   Test and development virtual machines are not logically separated from production virtual machines.
ESX1040    V0015900  III  No policy exists to restrict copying and sharing virtual machines over networks and removable media.
ESX1050    V0015901  II   Virtual machine moves from one physical server to another are not logged.
ESX1060    V0015902  II   Virtual machines moved to removable media are not documented.
ESX1070    V0015903  II   Virtual machines are removed from the site without approval documentation.
ESX1080    V0015904  II   Production virtual machines are not located in a controlled access area.
ESX1090    V0015905  III  Virtual machine rollbacks are performed while the virtual machine is connected to the network.
ESX1100    V0015906  II   Virtual machine OS log files are not saved before rollback.
ESX1110    V0015907  II   Virtual machine log files do not have a size limit.
ESX1120    V0015908  II   ESX Server is not configured to maintain a specific number of log files via log rotation.
ESX1130    V0015909  II   Virtual machine log files are not maintained for 1 year.
ESX1140    V0015913  II   Virtual machines are not backed up in accordance with the MAC level.
ESX1150    V0015972  II   Virtual machines are not registered in VMS.
ESX1160    V0015919  III  Virtual machine requirements are not documented before creating a virtual machine.
ESX1170    V0015921  II   Unused hardware is enabled in virtual machines.
ESX1180    V0015924  II   Guest OS selection does not match the installed OS.
ESX1190    V0015926  I    Guest operating system is not supported by ESX Server.
ESX1200    V0015931  II   Anti-virus software and signatures are out of date for "off" and "suspended" virtual machines.
ESX1210    V0015932  II   OS patches and updates are out of date on "off" and "suspended" virtual machines.
ESX1220    V0017043  II   Virtual machines are not configured with the correct posture in VMS.
GEN000020  V0000756  II   The UNIX host is bootable in single user mode without a password.
GEN000040  V0000757  II   The UNIX host is not configured to require a password when booted to single-user mode and is not documented.
GEN000060  V0000758  II   The UNIX host cannot be configured to require a password when booted to single-user mode and is not located in a controlled access area.
GEN000260  V0000759  II   A shared account is not justified and documented by the IAO.
GEN000280  V0000760  II   A shared (i.e., default, application, or utility) account is logged into directly.
GEN003320  V0000986  II   Default system accounts (with the exception of root) are listed in the at.allow file or excluded from the cron.deny file if cron.allow does not exist.
GEN003680  V0000972  III  Network services required for operations have not been documented by the IAO.
GEN003700  V0012005  II   All inetd/xinetd services are disabled and inetd (xinetd for Linux) is not disabled.
GEN003820  V0004687  I    A system has a vulnerable trust relationship through rsh or remsh.
GEN003840  V0004688  I    A system has the rexec service active.
GEN003860  V0004701  III  A system has the finger service active.
GEN003865  V0012049  II   Network analysis tools are enabled.
GEN003960  V0004369  II   The traceroute command owner is NOT root.
GEN003980  V0004370  II   The traceroute command group owner is not sys, bin, or root.
GEN004000  V0004371  II   Traceroute file permissions are less restrictive than 700.
GEN004020  V0004372  III  The browser is NOT capable of 128-bit encryption.
GEN004040  V0004373  II   A browser SmartUpdate, or software update feature, is enabled.
GEN004060  V0004374  II   The browser has unencrypted secure content caching enabled.
GEN004100  V0004376  III  The browser is configured to allow active scripting.
GEN004120  V0004377  II   The browser is not configured to give a warning when form data is redirected.
GEN004160  V0004379  II   The browser gives no warning before viewing remote data with a security certificate that does not match the remote address.
GEN004180  V0004380  II   The browser home page is not configured for a blank page or a locally generated page.
GEN004200  V0004381  II   The browser is NOT configured for Secure Socket Layer (SSL) v2 and SSL v3.
GEN004220  V0004382  I    An SA browses the Web as root.
GEN004240  V0001038  II   The browser is not a supported version.
GEN004260  V0001039  III  The browser does not issue a warning prior to accepting a cookie from a remote site.
GEN004280  V0001041  III  A browser does not issue a warning when submitting non-encrypted form data.
GEN004300  V0001042  III  The browser does not issue a warning prior to viewing a document with both secure and non-secure content.
GEN004320  V0001043  III  The browser does not issue a warning prior to leaving an encrypted or secure site.
GEN004540  V0012006  II   The sendmail help command is not disabled.
GEN004560  V0004384  III  The O Smtp greeting in sendmail.cf, or equivalent, has not been changed to mask the version.
GEN004580  V0004385  I    .forward files were found.
GEN004600  V0004689  I    A sendmail server has an out-of-date version of sendmail active.
GEN004620  V0004690  I    A UNIX sendmail server has the debug feature active.
GEN004640  V0004691  I    A UNIX sendmail server has a uudecode alias active.
GEN004660  V0004692  III  A sendmail server has the EXPN feature active.
GEN004680  V0004693  III  A sendmail server has the VRFY feature active.
GEN004700  V0004694  III  A UNIX sendmail server has the wizard backdoor active.
GEN004720  V0012007  II   FTP or telnet within an enclave is not behind the premise router and protected by a firewall and router access control lists.
GEN004760  V0012008  I    FTP or telnet from outside the enclave into the enclave is enabled and not within requirements.
GEN004780  V0012009  I    FTP or telnet userids/passwords have administrative or root privileges.
GEN004800  V0012010  II   An AORL is not used to document the use of unencrypted FTP or telnet, or the risk is not accepted as part of the accreditation package.
GEN004840  V0004702  II   A system allows anonymous FTP access.
GEN005020  V0004388  I    An anonymous ftp account does not implement STIG security guidance.
GEN005040  V0012011  II   An FTP user's umask is not 077.
GEN005060  V0012013  I    FSP is enabled.
GEN005140  V0004695  I    TFTP is active and it is not justified and documented with the IAO.
GEN005180  V0012014  II   .Xauthority files are more permissive than 600.
GEN005200  V0004697  I    A system is exporting X displays to the world.
GEN005220  V0012016  II   Authorized X clients are not listed in the X*.hosts (or equivalent) file(s) if the .Xauthority utility is not used.
GEN005240  V0012017  II   Access to the X-terminal host is not limited to authorized X clients.
GEN005260  V0012018  II   The X Window System connections are not required and the connections are not disabled.
GEN005280  V0004696  II   A UNIX system has the UUCP service active.
GEN005360  V0012019  II   The snmpd.conf file is not owned by root and group owned by sys or the application.
GEN005380  V0004392  II   An snmp server runs more than network management and DBMS software and there is no IAO justifying documentation.
GEN005400  V0004393  II   Either /etc/syslog.conf is not owned by root or is more permissive than 640.
GEN005420  V0004394  II   The /etc/syslog.conf group owner is NOT root, bin, or sys.
GEN005440  V0012020  II   Local hosts are used as loghosts for systems outside the local network.
GEN005460  V0004395  II   A system is using a remote log host not justified and documented with the IAO.
GEN005480  V0012021  II   The syslog daemon accepts remote messages and is not an IAO documented loghost.
GEN005500  V0004295  I    SSH, or a similar utility, is running and the SSHv1 protocol is used.
GEN005540  V0012022  II   Encrypted communications are not configured for IP filtering and logon warning banners.
GEN005560  V0004397  II   The system is not a router but has no default gateway defined.
GEN005580  V0004398  II   A system used for routing also uses other applications and/or utilities.
GEN005600  V0012023  II   IP forwarding is not disabled.
GEN005620  V0004703  III  A Lotus Domino 5.0.5 Web Application was found vulnerable to the .nsf, .box, and .ns4 directory traversal exploit.
GEN005640  V0004706  III  A system running Squid Web Proxy Cache server was found vulnerable to the authentication header forwarding exploit.
GEN005660  V0004707  II   A system running Squid Web Proxy Cache was found vulnerable to the MSNT auth helper buffer overflow exploit.
GEN005680  V0004709  III  The SA will ensure the Squid Proxy Cache server is not a vulnerable version.
GEN005700  V0004708  III  An iPlanet Web Server was found with the search engine NS-query-pat file viewing vulnerability.
GEN006000  V0012024  II   A public instant messaging client is installed.
GEN006040  V0012025  II   A peer-to-peer file-sharing application is installed and not authorized and documented with the DAA.
GEN006060  V0004321  II   Samba is running and is not being used.
GEN006080  V0001026  II   The Samba Web Administration tool is not used with ssh port forwarding.
GEN006100  V0001027  II   The /etc/smb.conf file is not owned by root.
GEN006120  V0001056  II   The /etc/smb.conf file does not have a group owner of root.
GEN006140  V0001028  II   The /etc/smb.conf file is more permissive than 644.
GEN006160  V0001029  II   The smbpasswd file is not owned by root.
GEN006180  V0001058  II   The /etc/smbpasswd file does not have a group owner of root.
GEN006200  V0001059  II   The /etc/smbpasswd file has permissions more permissive than 600.
GEN006220  V0001030  II   The smb.conf file is not configured correctly.
GEN006240  V0001023  II   A Linux Internet Network News server is not authorized and documented by the IAO.
GEN006260  V0004273  II   A Linux /etc/news/hosts.nntp is more permissive than 600.
GEN006280  V0004274  II   A Linux /etc/news/hosts.nntp.nolimit is more permissive than 600.
GEN006300  V0004275  II   A Linux /etc/news/nnrp.access is more permissive than 600.
GEN006320  V0004276  II   Linux /etc/news/passwd.nntp is more permissive than 600.
GEN006340  V0004277  II   Linux files in /etc/news are not owned by root or news.
GEN006360  V0004278  II   Linux /etc/news files group owner is not root or news.
GEN006380  V0004399  I    NIS/NIS+ is implemented under UDP.
GEN006420  V0012026  II   NIS maps are not protected through hard-to-guess domain names.
GEN006560  V0012028  II   The system vulnerability assessment tool, host-based intrusion detection tool, and file system integrity baseline tool do not notify the SA and the IAO of a security breach or a suspected security breach.
GEN006620  V0012030  II   The access control program is not configured to grant and deny system access to specific hosts.
GEN006640  V0012765  II   An approved DoD virus scan program is not used and/or updated.
IAVA0010   V0001002  I    A TCP_WRAPPERS Trojan exists on the system.
IAVA0020   V0001006  II   There are Internet Message Access Protocol (IMAP) or Post Office Protocol (POP) vulnerabilities.
IAVA0025   V0001007  II   A vulnerability exists in MIME-aware mail and news clients.
IAVA0150   V0007520  II   There are multiple vulnerabilities in Sybase software.
IAVA0295   V0003612  III  There are multiple SSH vulnerabilities.
IAVA0380   V0004547  II   A vulnerable version of the H.323 protocol is in use.
IAVA0510   V0004699  I    A BSD system has the FTP RNFR command vulnerability.
LNX00060   V0004246  II   A Linux system Password Configuration Table has the User Password set to ON.
LNX00080   V0004247  I    A Linux system is using a boot diskette as the boot loader.
LNX00100   V0004248  I    A Linux system has not been configured with GRUB as the default boot loader and the boot loader in use has not been authorized, justified, and documented with the IAO.
LNX00120   V0004255  I    The Linux /boot partition is on removable media and is not stored in a secure container.
LNX00140   V0004249  I    The Linux boot-loader does not use an MD5 encrypted password.
LNX00160   V0004250  II   Linux /boot/grub/grub.conf is more permissive than 600.
LNX00180   V0004252  I    A Linux system authorized to use LILO does not have a global password in /etc/lilo.conf.
LNX00200   V0012036  I    The LILO boot loader password is not encrypted.
LNX00220   V0004253  I    A Linux /etc/lilo.conf file is more permissive than 600.
LNX00260   V0004256  I    A site SOP does not restrict the use of Kickstart to isolated development LANs.
LNX00300   V0004262  II   A Linux system does not have the rpc.ugidd daemon disabled.
LNX00320   V0004268  I    A Linux system has special privilege accounts, such as shutdown and halt.
LNX00340     V0004269  II   A Linux system has unnecessary accounts.
LNX00360     V0001021  II   A Linux X server does not have the correct options enabled.
LNX00380     V0001022  II   A Linux X server has one of the following options enabled: -ac, -core (except for debugging purposes), or -nolock.
LNX00400     V0001025  II   The /etc/login.access file is not owned by root.
LNX00420     V0001054  II   The /etc/login.access file does not have a privileged group owner.
LNX00440     V0001055  II   The /etc/login.access permissions are more permissive than 640.
LNX00480     V0004334  II   Linux /etc/sysctl.conf is not owned by root.
LNX00500     V0004335  II   Linux /etc/sysctl.conf group owner is not root.
LNX00520     V0004336  II   Linux /etc/sysctl.conf file is more permissive than 600.
LNX00540     V0012037  I    The insecure option is set.
LNX00560     V0004339  I    A Linux NFS server has the insecure file locking option.
LNX00580     V0004342  I    The Linux x86 CTRL-ALT-DELETE key sequence has not been disabled.
LNX00600     V0004346  II   Linux PAM grants sole access to admin privileges to the first user who logs into the console.
LNX00620     V0012038  II   The /etc/securetty file is not group owned by root, sys, or bin.
LNX00640     V0012039  II   The /etc/securetty file is not owned by root.
LNX00660     V0012040  II   The /etc/securetty file is more permissive than 640.
LNX00680     V0012041  II   A vulnerable RealPlayer version is installed.
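LNX00380, LNX00540/LNX00560 and LNX00580 cannot be settled from file metadata; the reviewer has to read /etc/exports, /etc/inittab and the X server command line. The following Python is an added example, not part of the checklist or of any DISA tool, with a small parser for each file and constructed sample inputs. Reading the LNX00540 "insecure option" as the NFS `insecure` export option is an assumption (the row does not name the service), and the inittab check applies to SysV init hosts only.

```python
"""Content checks for three of the LNX findings above. The parsers take file
text or an argv so they run over constructed samples as well as live hosts:
/etc/exports options for LNX00540 and LNX00560, the /etc/inittab ctrlaltdel
action for LNX00580, and X server options for LNX00380."""
import re
import shlex
from typing import Dict, List, Sequence, Set, Tuple, Union

# 'insecure' lets clients use non-privileged source ports (read here as the
# LNX00540 'insecure option'; an assumption, the row does not name NFS).
# 'insecure_locks' and 'no_auth_nlm' are the two spellings exportfs accepts
# for unauthenticated lock requests (LNX00560).
FLAGGED_EXPORT_OPTIONS: Dict[str, str] = {
    "insecure": "LNX00540",
    "insecure_locks": "LNX00560",
    "no_auth_nlm": "LNX00560",
}
FORBIDDEN_X_OPTIONS: Set[str] = {"-ac", "-core", "-nolock"}

_CLIENT_SPEC = re.compile(r"^([^(]*)(?:\((.*)\))?$")


def parse_exports(text: str) -> List[Tuple[str, str, Set[str]]]:
    """Return (export_path, client, options) triples from /etc/exports text.
    Each line is 'path client(opt,opt) client2(opt) ...'; a bare path with
    no client means 'everyone, default options'."""
    entries: List[Tuple[str, str, Set[str]]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *specs = line.split()
        if not specs:
            entries.append((path, "*", set()))
        for spec in specs:
            m = _CLIENT_SPEC.match(spec)
            if not m:                      # malformed spec (unbalanced parens): skip
                continue
            client = m.group(1) or "*"
            opts = {o for o in (m.group(2) or "").split(",") if o}
            entries.append((path, client, opts))
    return entries


def export_findings(text: str) -> List[str]:
    """PDI-tagged findings for every flagged option on every export."""
    findings: List[str] = []
    for path, client, opts in parse_exports(text):
        for opt in sorted(opts & FLAGGED_EXPORT_OPTIONS.keys()):
            findings.append(f"{FLAGGED_EXPORT_OPTIONS[opt]}: {path} exported to {client} with '{opt}'")
    return findings


def ctrl_alt_del_enabled(inittab_text: str) -> bool:
    """LNX00580 on SysV init: True when an active ctrlaltdel entry still
    reboots or shuts down. The usual fix replaces the process with a logger
    call or comments the line out. (systemd hosts use ctrl-alt-del.target
    instead and are not covered by this parser.)"""
    for raw in inittab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 3)        # id:runlevels:action:process
        if len(fields) == 4 and fields[2] == "ctrlaltdel":
            return bool(re.search(r"\b(shutdown|reboot|halt|init 6)\b", fields[3]))
    return False


def x_server_findings(cmdline: Union[str, Sequence[str]]) -> List[str]:
    """LNX00380: report the forbidden X server options present in a command
    line (string as seen in ps output, or an argv list). -core is tolerated
    only for debugging, so it is still reported and left to the reviewer."""
    argv = shlex.split(cmdline) if isinstance(cmdline, str) else list(cmdline)
    return [f"LNX00380: X server started with '{a}'" for a in argv if a in FORBIDDEN_X_OPTIONS]


# Constructed samples (not from any real host) so the parsers can be exercised offline.
SAMPLE_EXPORTS = """\
# /etc/exports - constructed sample
/export/home     10.0.0.0/24(rw,sync,root_squash)
/export/scratch  *(rw,insecure,insecure_locks)
/export/tools    build01(ro) build02(ro,no_auth_nlm)
"""
SAMPLE_INITTAB = """\
id:3:initdefault:
si::sysinit:/etc/rc.d/rc.sysinit
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
"""
SAMPLE_X_CMDLINE = "/usr/bin/Xorg :0 -ac -nolock -audit 4 -auth /var/run/xauth"

if __name__ == "__main__":
    for finding in export_findings(SAMPLE_EXPORTS) + x_server_findings(SAMPLE_X_CMDLINE):
        print(finding)
    print("Ctrl-Alt-Del reboot enabled:", ctrl_alt_del_enabled(SAMPLE_INITTAB))
```

On a live host feed the parsers the contents of /etc/exports and /etc/inittab and the X server line from `ps`; the sample exports above produce one LNX00540 and two LNX00560 findings, the sample inittab still reboots on Ctrl-Alt-Del, and the sample X command line is flagged for -ac and -nolock while -audit 4 passes.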
SOL00040     V0004353  II   /etc/security/audit_user has a different auditing level for specific users.
SOL00060     V0004352  II   /etc/security/audit_user is not owned by root.
SOL00080     V0004351  II   The /etc/security/audit_user group is not root, sys, or bin.
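The boot-loader rows (LNX00140 through LNX00220) and the ownership and mode rows (LNX00400 through LNX00520, LNX00620 through LNX00660, SOL00060 through SOL00100) are all stat-level checks, so one script can audit them together. The following Python is an added example, not part of the checklist or of any DISA tooling. The file paths are the conventional RHEL-era locations; the root owner for grub.conf and lilo.conf, and "root, sys, bin" as the privileged groups for login.access, are assumptions (the rows state only the mode for the first two and only "a privileged group owner" for the third); the GRUB check covers GRUB legacy syntax (`password --md5`) only.

```python
"""Audit file ownership, group ownership and permission mode for the
configuration files named in the LNX and SOL findings above (grub.conf,
lilo.conf, login.access, sysctl.conf, securetty, audit_user), and check the
GRUB legacy configuration for an MD5-hashed boot-loader password (LNX00140)."""
import grp
import os
import pwd
import re
import stat
from typing import Callable, Iterable, List, Optional, Union

Principal = Union[str, int]  # user/group name, or numeric uid/gid


def more_permissive(actual_mode: int, max_mode: int) -> bool:
    """True when actual_mode grants any bit (rwx, setuid/setgid/sticky) that
    max_mode does not; this is what 'more permissive than 640' means."""
    return (actual_mode & 0o7777) & ~max_mode != 0


def _resolve(principal: Principal, lookup: Callable[[str], int]) -> Optional[int]:
    """Map a name to a numeric id; None if the name is unknown on this host."""
    if isinstance(principal, int):
        return principal
    try:
        return lookup(principal)
    except KeyError:
        return None


def audit_file(path: str, max_mode: int,
               owners: Optional[Iterable[Principal]] = None,
               groups: Optional[Iterable[Principal]] = None) -> List[str]:
    """Return finding strings for one file. owners/groups are the permitted
    owner and group-owner sets (names or ids); None skips that check."""
    findings: List[str] = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return findings  # absent file: nothing to check (e.g. lilo.conf on a GRUB host)
    mode = stat.S_IMODE(st.st_mode)
    if more_permissive(mode, max_mode):
        findings.append(f"{path}: mode {mode:04o} is more permissive than {max_mode:04o}")
    if owners is not None:
        owners = list(owners)
        allowed = {_resolve(o, lambda n: pwd.getpwnam(n).pw_uid) for o in owners}
        if st.st_uid not in allowed:
            findings.append(f"{path}: owner uid {st.st_uid} is not one of {owners}")
    if groups is not None:
        groups = list(groups)
        allowed = {_resolve(g, lambda n: grp.getgrnam(n).gr_gid) for g in groups}
        if st.st_gid not in allowed:
            findings.append(f"{path}: group gid {st.st_gid} is not one of {groups}")
    return findings


_GRUB_PASSWORD = re.compile(r"^\s*password\b(.*)$")


def grub_password_finding(grub_conf_text: str) -> Optional[str]:
    """LNX00140 on GRUB legacy menu text: the compliant form is
    'password --md5 <hash>'. Returns a finding string, or None if compliant."""
    for line in grub_conf_text.splitlines():
        m = _GRUB_PASSWORD.match(line)
        if not m:
            continue
        if "--md5" in m.group(1).split():
            return None
        return "LNX00140: grub.conf password directive is not MD5-hashed"
    return "LNX00140: grub.conf has no boot-loader password directive"


# Expectations transcribed from the rows above; owner for grub.conf/lilo.conf
# and the privileged groups for login.access are assumptions (see lead-in).
CHECKLIST = [
    ("LNX00160", "/boot/grub/grub.conf", 0o600, ["root"], ["root"]),
    ("LNX00220", "/etc/lilo.conf", 0o600, ["root"], ["root"]),
    ("LNX00400/00420/00440", "/etc/login.access", 0o640, ["root"], ["root", "sys", "bin"]),
    ("LNX00480/00500/00520", "/etc/sysctl.conf", 0o600, ["root"], ["root"]),
    ("LNX00620/00640/00660", "/etc/securetty", 0o640, ["root"], ["root", "sys", "bin"]),
    ("SOL00060/00080/00100", "/etc/security/audit_user", 0o640, ["root"], ["root", "sys", "bin"]),
]


def run_checklist(root: str = "/") -> List[str]:
    """Audit every CHECKLIST entry under root (a mounted image path works for
    offline review). Returns all findings, each tagged with its PDI."""
    findings: List[str] = []
    for pdi, path, max_mode, owners, groups in CHECKLIST:
        full = os.path.join(root, path.lstrip("/"))
        findings += [f"{pdi}: {f}" for f in audit_file(full, max_mode, owners, groups)]
        if path.endswith("grub.conf") and os.path.exists(full):
            with open(full, encoding="utf-8", errors="replace") as fh:
                finding = grub_password_finding(fh.read())
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for line in run_checklist() or ["no findings"]:
        print(line)
```

Run it as root on the host, or point `run_checklist()` at a mounted image. "More permissive than 640" is evaluated bitwise: any permission bit set that 0o640 does not grant, including setuid, setgid and sticky, is a finding, so 0o604 is caught as well as 0o644.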
SOL00100     V0004245  II   /etc/security/audit_user is more permissive than 640.
SOL00400     V0004300  II   An NFS server does not have logging implemented.
USB00.001.00 V0006764  III  There is no document instructing users that USB devices be powered off for at least 60 seconds prior to being connected to an IS.
USB01.001.00 V0006765  II   MP3 players, camcorders, or digital cameras are being attached to ISs without prior DAA approval.
USB01.002.00 V0006766  II   USB devices are attached to a DoD IS without prior IAO approval.
USB01.003.00 V0006768  II   Disguised jump drives are not banned from locations containing DOD ISs.
USB01.004.00 V0006769  II   Notices are not prominently displayed informing everyone of the ban on disguised jump drives.
USB01.005.00 V0006770  II   Persistent memory USB devices are not treated as removable media; contrary to DODD 5200.1-R, the devices are not secured, transported, and sanitized in a manner appropriate for the classification level of the data they contain.
USB01.006.00 V0006771  II   Persistent memory USB devices are not labeled in accordance with the classification level of the data they contain.
USB01.007.00 V0006772  II   Sensitive data that the data owner requires to be encrypted is stored on a persistent memory USB device without NIST-certified cryptography.
USB01.008.00 V0006773  II   USB devices with persistent memory are not formatted in a manner that allows access controls to be applied to files or data stored on the device.
USB01.009.00 V0006774  II   There is no section within the SFUG, or equivalent documentation, describing the correct usage and handling of USB technologies.
USB01.010.00 V0006775  III  The USB usage section of the SFUG, or equivalent document, does not contain a discussion of devices that contain persistent non-removable memory.
[Section column values: ESX Server, Virtual Center, ESX Policy, Virtual Machine]
  PDI     VMSID CAT            Requirement           Vulnerability   Status   Finding Notes
EMG0-056     V0018865  III  The E-mail Administrator role is not assigned and authorized by the IAO.
EMG0-075     V0018877  II   E-mail Administrator Groups do not ensure least privilege.
EMG0-090     V0018885  III  E-mail acceptable use policy is not documented in the System Security Plan or does not require annual user review.
EMG0-092     V0018886  III  E-mail Acceptable Use Policy does not contain required elements.
EMG1-002     V0018681  III  Unneeded OMA E-mail Web Virtual Directory is not removed.
EMG1-004     V0018682  III  Unneeded ActiveSync E-mail Web Virtual Directory is not removed.
EMG1-007     V0018759  II   Default web site allows anonymous access.
EMG1-012     V0018683  III  Unneeded "Public" E-mail Virtual Directory is not removed.
EMG1-103     V0018786  I    Public Folder access does not require secure channels and encryption.
EMG1-105     V0018787  I    Outlook Web Access (OWA) does not require secure channels and encryption.
EMG1-110     V0018733  II   E-mail web applications are operating on non-standard ports.
EMG2-005     V0018666  II   E-mail Server Global Sending or Receiving message size is set to Unlimited.
EMG2-006     V0018671  III  The Global Recipient Count limit is set to "Unlimited".
EMG2-010     V0018667  III  Sending or Receiving message size is not set to Unlimited on the SMTP virtual server.
EMG2-013     V0018661  II   Mailbox server is not protected by an E-mail Edge Transport role (E-mail Secure Gateway) performing Global Accept/Deny list filtering.
EMG2-015     V0018663  II   The Mailbox server is not protected by an Edge Transport Server role (E-mail Secure Gateway) performing 'Block List' filtering.
EMG2-017     V0018664  II   Mailbox server is not protected by an Edge Transport Server role (E-mail Secure Gateway) performing Block List exception filtering at the perimeter.
EMG2-021     V0018675  II   The E-mail server is not protected by having connections from "Sender Filter" sources dropped by the Edge Transport Server role (E-mail Secure Gateway) at the perimeter.
EMG2-024     V0018673  II   The Mailbox server is not protected by having filtered messages archived by the Edge Transport role server (E-mail Secure Gateway) at the perimeter.
EMG2-026     V0018674  II   The Mailbox server is not protected by having blank sender messages filtered by the Edge Transport role server (E-mail Secure Gateway) at the perimeter.
EMG2-029     V0018662  II   Mailbox Server is not protected by an Edge Transport Server (E-mail Secure Gateway) performing SPAM evaluation.
EMG2-030     V0018721  II   E-mail servers are not protected by an Edge Transport Server role (E-mail Secure Gateway) removing disallowed message attachments at the network perimeter.
EMG2-031     V0018672  II   The Exchange E-mail Services environment is not protected by an Edge Transport Server (E-mail Secure Gateway) performing non-existent recipient filtering at the perimeter.
EMG2-038     V0018818  II   E-mail Services are not protected by having an Edge Transport Server (E-mail Secure Gateway) performing outbound message signing at the perimeter.
EMG2-043     V0018665  II   Mailbox Server is not protected by an Edge Transport Server (E-mail Secure Gateway) performing Sender Authentication at the perimeter.
EMG2-046     V0018660  II   Automated Response Messages are enabled.
EMG2-105     V0018734  II   E-mail SMTP services are using non-PPSM compliant ports.
EMG2-107     V0018670  II   Message Recipient Count Limit is not limited on the SMTP virtual server.
EMG2-109     V0018735  II   SMTP Virtual Server is not bound to the PPSM standard port.
EMG2-111     V0018780  II   Exchange Server is not protected by an Edge Transport Server (E-mail Secure Gateway) that performs Anonymous Connections interaction with Internet-based E-mail servers.
EMG2-114     V0018690  III  Maximum outbound connection timeout limit is not at 10 minutes or less.
EMG2-117     V0018693  III  Maximum inbound connection timeout limit is not 10 or less.
EMG2-120     V0018691  III  Outbound Connection Limit per Domain Count is not 100 or less.
EMG2-123     V0018687  III  The Outbound Delivery Retry values are not at the defaults, or do not have alternate values documented in the System Security Plan.
EMG2-124     V0018770  II   SMTP Virtual Server auditing is not active.
EMG2-125     V0018692  III  Inbound Connection Count Limit is not set to "Unlimited".
EMG2-126     V0018689  III  SMTP maximum outbound connections are not at 1000, or an alternate value is not documented in the System Security Plan.
EMG2-129     V0018668  III  The SMTP Virtual Server Session Size is not set to "Unlimited".
EMG2-130     V0018688  III  SMTP Maximum Hop Count is not 30.
EMG2-131     V0018701  II   Smart-Host is specified at the Virtual Server level.
EMG2-133     V0018762  I    One or more SMTP Virtual Servers do not have a valid certificate.
EMG2-136     V0018643  III  E-mail user mailboxes do not have storage quota limitations.
EMG2-139     V0018644  III  E-mail Public Folders do not have storage quota limitations.
EMG2-143     V0018704  III  The SMTP Virtual Server is configured to perform DNS lookups for anonymous E-mails.
EMG2-144     V0018782  II   SMTP Virtual Servers do not require secure channels and encryption.
EMG2-146     V0018700  II   SMTP Virtual Server does not restrict relay access.
EMG2-148     V0018702  III  The SMTP Virtual Server performs reverse DNS lookups for anonymous message delivery.
EMG2-149     V0018669  III  The SMTP Virtual Server Message Count Limit is not 20.
EMG2-250     V0018694  II   SMTP Connection Restrictions do not use the "Deny All" strategy.
EMG2-251     V0018696  II   ExAdmin Virtual Directory is not configured for Integrated Windows Authentication.
EMG2-255     V0018805  II   Scripts are permitted to execute in the ExAdmin Virtual Server.
EMG2-256     V0018760  I    OWA does not require only Integrated Windows Authentication.
EMG2-259     V0018803  II   Scripts are permitted to execute in the OWA Virtual Server.
EMG2-263     V0018806  II   Users do not have correct permissions in the OWA Virtual Server.
EMG2-266     V0018719  II   Users do not have correct permissions in the Public Virtual Server.
EMG2-269     V0018807  II   ExAdmin does not have correct permissions in the ExAdmin Virtual Server.
EMG2-271     V0018745  I    OWA Virtual Server has Forms-Based Authentication enabled.
EMG2-272     V0018695  III  SMTP Sender, Recipient, or Connection Filters are not engaged.
EMG2-275     V0018804  II   Scripts are permitted to execute in the Public Folder web server.
EMG2-303     V0018812  III  Exchange application memory is not zeroed out after message deletion.
EMG2-305     V0018788  III  ExAdmin is configured for Secure Channels and Encryption.
EMG2-307     V0018725  III  Mailbox Stores Restore Overwrite is enabled.
EMG2-311     V0018726  III  Public Folder Stores Restore Overwrite is enabled.
EMG2-313     V0018641  II   User mailboxes are hosted on a non-Mailbox Server role.
EMG2-317     V0018727  III  E-mail message copies are not archived.
EMG2-318     V0018646  III  Mailbox Stores "Do Not Mount at Startup" is enabled.
EMG2-320     V0018655  II   Public Folder Stores "Do Not Mount at Startup" is enabled.
EMG2-323     V0018642  I    E-mail Server does not require S/MIME capable clients.
EMG2-327     V0018744  I    E-mail Public Folders do not require S/MIME capable clients.
EMG2-333     V0018705  III  E-mail Server "Circular Logging" is not set appropriately.
EMG2-340     V0018723  II   Mailboxes and messages are not retained until backups are complete.
EMG2-344     V0018724  II   Public Folder stores and documents are not retained until backups are complete.
EMG2-507     V0018645  III  Public Folder Store storage quota limits are overridden.
EMG2-511     V0018658  III  Public Folder "Send on Behalf of" feature is in use.
EMG2-710     V0018686  II   Message size restrictions are specified on routing group connectors.
EMG2-713     V0018685  III  Connectors are not clearly named as to direction or purpose.
EMG2-718     V0019198  II   Message size restriction is specified at the SMTP connector level.
EMG2-721     V0018698  II   The SMTP connectors do not specify use of a "Smart Host".
EMG2-730     V0018697  II   Routing Group is not selected as the SMTP connector scope.
EMG2-736     V0018699  I    SMTP connectors allow unauthenticated relay.
EMG2-743     V0018784  I    SMTP Connectors perform outbound anonymous connections.
EMG2-803     V0018703  II   Virtual Server default outbound security is not anonymous and TLS.
EMG2-806     V0018715  II   SMTP Queue Monitor is not configured with a threshold and alert.
EMG2-807     V0018713  II   CPU Monitoring Notifications are not configured with threshold and action.
EMG2-810     V0018707  II   E-mail "Subject Line" logging is enabled during production operations.
EMG2-811     V0018706  II   E-mail Diagnostic Logging is enabled during production operations.
EMG2-813     V0018714  II   Virtual memory monitoring notifications are not configured with threshold and action.
EMG2-815     V0018716  II   Windows 2003 Services Monitoring Notifications are not configured with thresholds and actions.
EMG2-817     V0018717  II   Exchange Core Services Monitors are not configured with thresholds and actions.
EMG2-825     V0018710  II   SMTP Virtual Server Audit Records are not directed to a separate partition.
EMG2-831     V0018711  II   Exchange sends fatal errors to Microsoft.
EMG2-833     V0018767  II   The "Disable Server Monitoring" feature is enabled.
EMG2-835     V0018712  II   Disk Space Monitoring is not configured with threshold and action.
EMG2-840     V0018763  III  Audit Records do not contain all required fields.
EMG2-863     V0019186  II   Mailbox access control mechanisms are not audited for changes.
EMG3-005     V0018881  III  The E-mail backup and recovery strategy is not documented or is not tested on an INFOCON compliant frequency.
EMG3-006     V0018880  II   Audit logs are not included in backups.
EMG3-007     V0018883  II   E-mail backups do not meet schedule or storage requirements.
EMG3-009     V0018882  II   E-mail backup and recovery data is not protected.
EMG3-010     V0018884  II   E-mail critical software copies are not stored offsite in a fire rated container.
EMG3-015     V0018857  II   Annual procedural reviews are not conducted at the site.
EMG3-020     V0018858  II   Exchange with Outlook Web Access is not deployed as a Front-end/Back-end architecture.
EMG3-028     V0018868  III  E-mail software installation account usage is not logged.
EMG3-037     V0018869  III  E-mail audit trails are not reviewed daily.
EMG3-045     V0018864  II   E-mail Configuration Management (CM) procedures are not implemented.
EMG3-050     V0018867  II   E-mail Services are not documented in the System Security Plan.
EMG3-058     V0018741  II   E-mail software is not monitored for change on the INFOCON frequency schedule.
EMG3-071     V0018879  II   E-mail audit records are not retained for 1 year.
EMG3-079     V0018878  II   Automated audit reporting tools are not available.
EMG3-106     V0019546  I    E-mail services and servers are not protected by routing all SMTP traffic through an Edge Transport Server.
EMG3-108     V0019548  I    E-mail web services are not protected by having an application proxy server outside the enclave.
EMG3-115     V0018731  II   E-mail application installation is sharing a partition with another application.
EMG3-116     V0018792  II   SMTP service banner response reveals configuration details.
EMG3-119     V0018795  II   E-mail Services accounts are not restricted to named services.
EMG3-121     V0018801  II   Services permissions do not reflect least privilege.
EMG3-145     V0018796  II   E-mail service accounts are not operating at least privilege.
EMG3-150     V0018819  II   E-mail audit trails are not protected against unauthorized access.
EMG3-801     V0018676  II   E-mail server has unneeded processes or services active.
EMG3-802     V0018742  II   Security support data or process is sharing a directory or partition with Exchange.
EMG3-805     V0018743  II   Exchange software baseline copy does not exist.
EMG3-817     V0018684  II   VRFY command is resident on Exchange 2003 server.
EMG3-823     V0018732  II   Audit data is sharing directories or partitions with the E-mail application.
EMG3-824     V0018802  II   Exchange application permissions are not at vendor recommended settings.
EMG3-828     V0018799  II   E-mail restore permissions are not restricted to E-mail administrators.
EMG3-829     V0018820  I    E-mail servers do not have E-mail aware virus protection.
  Section
Email
Services
Policy 2003
Email
Services
Policy 2003
Email
Services
Policy 2003


Email
Services
Policy 2003
Exchange
Server 2003

Exchange
Server 2003

Exchange
Server 2003
Exchange
Server 2003

Exchange
Server 2003

Exchange
Server 2003


Exchange
Server 2003

Exchange
Server 2003


Exchange
Server 2003
Exchange
Server 2003


Exchange
Server 2003
  Section
Exchange
Server 2003




Exchange
Server 2003




Exchange
Server 2003




Exchange
Server 2003




Exchange
Server 2003




Exchange
Server 2003




Exchange
Server 2003
  Section
Exchange
Server 2003




Exchange
Server 2003




Exchange
Server 2003




Exchange
Server 2003
Exchange
Server 2003

Exchange
Server 2003

Exchange
Server 2003

Exchange
Server 2003




Exchange
Server 2003

Exchange
Server 2003

Exchange
Server 2003
  Section
Exchange
Server 2003




Exchange
Server 2003
Exchange
Server 2003

Exchange
Server 2003



Exchange
Server 2003

Exchange
Server 2003
Exchange
Server 2003
Exchange
Server 2003

Exchange
Server 2003

Exchange
Server 2003

Exchange
Server 2003


Exchange
Server 2003

Exchange
Server 2003
Exchange
Server 2003


Exchange
Server 2003

Exchange
Server 2003
  Section
Exchange
Server 2003


Exchange
Server 2003

Exchange
Server 2003

Exchange
Server 2003

Exchange
Server 2003

Exchange
Server 2003

Exchange
Server 2003

Exchange
Server 2003

Exchange
Server 2003

Exchange
Server 2003

Exchange
Server 2003

Exchange
Server 2003

Exchange
Server 2003
Exchange
Server 2003

Exchange
Server 2003
Exchange
Server 2003
Exchange
Server 2003
  Section
Exchange
Server 2003

Exchange
Server 2003

Exchange
Server 2003

Exchange
Server 2003

Exchange
Server 2003

Exchange
Server 2003

Exchange
Server 2003

Exchange
Server 2003
Exchange
Server 2003

Exchange
Server 2003

Exchange
Server 2003

Exchange
Server 2003

Exchange
Server 2003

Exchange
Server 2003
Exchange
Server 2003

Exchange
Server 2003

Exchange
Server 2003
  Section
Exchange
Server 2003


Exchange
Server 2003

Exchange
Server 2003

Exchange
Server 2003


Exchange
Server 2003


Exchange
Server 2003

Exchange
Server 2003

Exchange
Server 2003
Exchange
Server 2003

Exchange
Server 2003

Exchange
Server 2003
Exchange
Server 2003

Email
Services
Policy 2003


Email
Services
Policy 2003
Email
Services
Policy 2003
Email
Services
Policy 2003
  Section
Email
Services
Policy 2003
Email
Services
Policy 2003
Email
Services
Policy 2003

Email
Services
Policy 2003
Email
Services
Policy 2003
Email
Services
Policy 2003

Email
Services
Policy 2003
Exchange
Server 2003


Email
Services
Policy 2003
Email
Services
Policy 2003
Email
Services
Policy 2003

Email
Services
Policy 2003

Exchange
Server 2003


Exchange
Server 2003

Exchange
Server 2003
  Section
Exchange
Server 2003
Exchange
Server 2003

Exchange
Server 2003

Exchange
Server 2003

Exchange
Server 2003


Exchange
Server 2003

Exchange
Server 2003
Exchange
Server 2003

Exchange
Server 2003


Exchange
Server 2003

Exchange
Server 2003
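The SMTP banner row (EMG3-116) and the VRFY row (EMG3-817) can both be judged from the server's own replies on port 25. The script below is an added example for this page, not part of the checklist or of any DISA or Microsoft tooling. Every server reply embedded in it is a constructed sample, not a capture from a real host, and the EHLO name audit.example.test and the VRFY target postmaster used by the live probe are assumptions.

```python
"""Offline checks for two rows of the checklist: EMG3-116 (SMTP banner
reveals configuration details) and EMG3-817 (VRFY command resident).
Added example; the checklist specifies no tooling.  All server replies
embedded here are constructed samples, not captures from a real host."""
import re
import socket
from typing import Dict, List

# Fingerprints a greeting should not expose.  "Microsoft ESMTP MAIL Service,
# Version: x.y.z" is the stock Exchange 2003 greeting; the other names cover
# MTAs that announce themselves by product.  A bare dotted-number pattern is
# deliberately not used because it would also flag IP addresses in a hostname.
_LEAK_PATTERNS = [
    re.compile(r"Microsoft ESMTP MAIL Service", re.I),
    re.compile(r"\bVersion:?\s*\d+(\.\d+)+", re.I),
    re.compile(r"\b(Exchange|Sendmail|Postfix|Exim|qmail)\b", re.I),
]


def banner_leaks_details(greeting: str) -> bool:
    """EMG3-116: True if the 220 greeting names the product and/or its version."""
    if not greeting.startswith("220"):
        return False  # not a greeting line; nothing to judge
    return any(p.search(greeting) for p in _LEAK_PATTERNS)


def ehlo_advertises_vrfy(ehlo_lines: List[str]) -> bool:
    """True if the EHLO response lists the VRFY keyword (RFC 5321 section 4.1.1.6)."""
    return any(re.match(r"250[- ]VRFY\b", line, re.I) for line in ehlo_lines)


def vrfy_present(reply: str) -> bool:
    """EMG3-817: True if the server implements VRFY at all.
    250/251 confirm a mailbox (account enumeration is possible); 252 means
    'command accepted, will not verify'.  500/502 mean unknown or disabled,
    which is the state the checklist row requires."""
    return reply[:3] in ("250", "251", "252")


def assess(greeting: str, ehlo_lines: List[str], vrfy_reply: str) -> Dict[str, str]:
    """Map observed replies onto the two rows; 'NF' is the legend's Not a Finding."""
    vrfy = ehlo_advertises_vrfy(ehlo_lines) or vrfy_present(vrfy_reply)
    return {
        "EMG3-116": "Open" if banner_leaks_details(greeting) else "NF",
        "EMG3-817": "Open" if vrfy else "NF",
    }


def probe(host: str, port: int = 25, timeout: float = 5.0) -> Dict[str, str]:
    """Run the same checks against a live server.  Not exercised offline;
    the EHLO name and the VRFY target below are assumptions."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rwb", buffering=0)

        def read_reply() -> List[str]:
            lines = []
            while True:  # a multi-line reply continues while the 4th char is '-'
                line = f.readline().decode("utf-8", "replace").rstrip("\r\n")
                lines.append(line)
                if len(line) < 4 or line[3] != "-":
                    return lines

        def send(cmd: str) -> List[str]:
            f.write((cmd + "\r\n").encode("ascii"))
            return read_reply()

        greeting = read_reply()[0]
        ehlo = send("EHLO audit.example.test")
        vrfy = send("VRFY postmaster")[0]
        send("QUIT")
        return assess(greeting, ehlo, vrfy)


# Constructed sample sessions (illustrative, not captured from any host).
WEAK_GREETING = ("220 mail.example.test Microsoft ESMTP MAIL Service, "
                 "Version: 6.0.3790.3959 ready at Mon, 1 Jan 2007 10:00:00 -0500")
WEAK_EHLO = ["250-mail.example.test Hello [192.0.2.10]", "250-SIZE 10485760",
             "250-VRFY", "250 OK"]
WEAK_VRFY = "250 2.1.5 administrator@example.test"

HARDENED_GREETING = "220 mail.example.test ESMTP"
HARDENED_EHLO = ["250-mail.example.test Hello [192.0.2.10]", "250-SIZE 10485760",
                 "250 OK"]
HARDENED_VRFY = "502 5.3.3 Command not implemented"

if __name__ == "__main__":
    print("weak    ", assess(WEAK_GREETING, WEAK_EHLO, WEAK_VRFY))
    print("hardened", assess(HARDENED_GREETING, HARDENED_EHLO, HARDENED_VRFY))
```

Run the module directly to print the verdicts for the two constructed sessions; call probe(host) only against a server you are authorized to test. A 252 reply is treated as a finding because the command is still resident even though it declines to confirm mailboxes.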
   ____ Checklist _V_R_ (<date>)                                              <Test> - TN <Ticket Number>
PDI       VMSID     CAT  Requirement                                                                            Vulnerability   Status   Finding Notes   [Section]
H20100    V0014282  II   A static IP address does not exist for the ePO server.  [McAfee ePO Server]
H20120    V0014483  II   **The ePO server is not located in a protected Enclave Security Services DMZ or screened subnet.  [McAfee ePO Server]
H20140    V0014484  II   The ePO server's management workstations, outside the enclave, do not use encrypted VPNs for access.  [McAfee ePO Server]
H20160    V0014485  II   VPN traffic into the ePO is not visible to a network intrusion detection system.  [McAfee ePO Server]
H20200    V0014486  I    The ePO server perimeter protection is not in deny by default with allowable exceptions.  [McAfee ePO Server]
H20220    V0014487  II   **The distributed repository is not in a protected enclave non-public DMZ.  [McAfee ePO Distributed Repository]
H20180    V0014488  II   The ePO server is not being protected by a local Network IDS.  [McAfee ePO Server]
H20260    V0014489  II   The site has not registered the HBSS server within the Ports and Protocols database.  [McAfee ePO Server]
H30100    V0014491  III  The HBSS is not under direct control of a site CCB.  [McAfee ePO Server]
H30140    V0014493  II   The ePO server does not have at least two entries for DoD controlled source repositories.  [McAfee ePO Server]
H30160    V0014494  III  A non-DoD controlled DNS server is used for resolution for the ePO server.  [McAfee ePO Server]
H36960    V0014495  II   The ePO server firewall rules are inadequate.  [McAfee ePO Server]

   Legend:
   R or RAE = Required Ancillary Equipment
   NF = Not a Finding
   NA = Not Applicable                                                                  363 of 1220
H30200    V0014496  II   HBSS is operating on different classification levels or across mixed DoD and Non-DoD systems or networks.  [McAfee ePO Server]
H30220    V0014497  I    **The ePO server is shared with other applications.  [McAfee ePO Server]
H30240    V0014498  II   **The ePO is not using the correct port assignments.  [McAfee ePO Server]
H30260    V0014499  II   The ePO software directories are not adequately protected from unauthorized modification.  [McAfee ePO Server]
H30280    V0014500  II   HBSS does not have the current security patches installed.  [McAfee Policy Auditor, McAfee System Compliance Profiler, McAfee Infocon Asset Tracking, McAfee ePO Agent, McAfee ePO Server, McAfee Host Intrusion Protection Module, McAfee Rogue System Sensor]
H30300    V0014501  I    **The ePO server is using the default keys.  [McAfee ePO Server]
H30400    V0014502  II   The ePO server has agents using the default keys.  [McAfee ePO Server]
H30500    V0014503  II   The ePO server does not have a scheduled task to pull updates daily.  [McAfee ePO Server]
H30540    V0014504  II   The ePO server does not have a scheduled task to replicate changes to repositories daily.  [McAfee ePO Server]
H30560    V0014505  II   The ePO server does not have a scheduled task to do complete repository updates at least weekly.  [McAfee ePO Server]
H30580    V0014506  II   The ePO server does not have a scheduled task to identify Inactive Agents daily.  [McAfee ePO Server]
H30640    V0014507  I    The ePO server is part of a domain.  [McAfee ePO Server]
H30620    V0014508  II   The ePO server is managed remotely by an unauthorized machine.  [McAfee ePO Server]
H30700    V0014509  II   The ePO server is not being regularly checked for file integrity.  [McAfee ePO Server]
H31100    V0014510  I    The ePO SQL database installation is shared with other applications.  [McAfee ePO Server]
H31120    V0014511  III  The SQL database installation partition is not separated from the other parts of the application.  [McAfee ePO Server]
H50110    V0014512  II   The SQL Database reviewer account is not configured as least privilege.  [McAfee ePO Server]
H33100    V0014513  II   The workstation used for remote access is not dedicated to HBSS.  [McAfee ePO Remote Console]
H33120    V0014514  I    The workstation used for remote access is not blocked from other connections.  [McAfee ePO Remote Console]
H33130    V0014515  II   The workstation used for remote access is not protected both logically and physically by a DoD enclave.  [McAfee ePO Remote Console]
H33140    V0014516  II   The ePO server's management workstation outside the enclave does not use VPNs for access.  [McAfee ePO Remote Console]
H33150    V0014517  I    The ePO server's remote console machine is a part of a domain.  [McAfee ePO Remote Console]
H33160    V0014518  II   The ePO server's remote console machine does not have a static IP address.  [McAfee ePO Remote Console]
H34100    V0014519  II   Rogue System Detection is not in place.  [McAfee ePO Server]
H35100    V0014520  II   The ePO agent is not configured for Agent Wakeup.  [McAfee ePO Agent]
H35120    V0014521  II   The ePO agent is not configured correctly for the policy enforcement interval.  [McAfee ePO Agent]
H35140    V0014522  I    The ePO agent to server communication is not enabled.  [McAfee ePO Agent]
H35160    V0014523  II   The ePO agent to server communication interval is too long.  [McAfee ePO Agent]
H35180    V0014524  II   The ePO agent policy age parameter is set to an interval that is too long.  [McAfee ePO Agent]
H35200    V0014525  II   The ePO agent property type is set incorrectly.  [McAfee ePO Agent]
H35220    V0014526  II   The ePO agent is not configured to upload events immediately.  [McAfee ePO Agent]
H35300    V0014527  II   The ePO agent is not configured for logging.
H35320    V0014528  I    The ePO agent is configured to allow remote access to logs.  [McAfee ePO Agent]
H35400    V0014529  II   The ePO agent is not configured to use ePO repositories.  [McAfee ePO Agent]
H35420    V0014530  II   The ePO agent is not configured to use multiple ePO repositories.  [McAfee ePO Agent]
H35440    V0014531  II   The ePO agent is not configured to use DoD controlled ePO repositories.  [McAfee ePO Agent]
H36100    V0014532  II   The HIPS parameter that controls the 'add and remove' programs option is enabled.  [McAfee Host Intrusion Protection Module]
H36140    V0014533  I    The HIPS Admin password for the User Interface has not been changed from the default.  [McAfee Host Intrusion Protection Module]
H36120    V0014534  I    The HIPS Admin password for the User Interface is not known or not protected.  [McAfee Host Intrusion Protection Module]
H36160    V0014535  II   The HIPS User Interface Admin password does not meet password complexity requirements.  [McAfee Host Intrusion Protection Module]
H36180    V0014536  II   The HIPS Admin password for the User Interface time based password is enabled.  [McAfee Host Intrusion Protection Module]
H36200    V0014537  II   The HIPS User Interface parameter for disabling features from the tray is incorrect.  [McAfee Host Intrusion Protection Module]
H36220    V0014538  II   The ePO Server's HIPS Trusted Network address list allows unacceptable networks.  [McAfee ePO Server]
H36260    V0014540  II   The HIPS Trusted Network address list allows unacceptable networks.  [McAfee Host Intrusion Protection Module]
H36280    V0014541  II   The HIPS Trusted Network address list includes the local subnet automatically.  [McAfee Host Intrusion Protection Module]
H36300    V0014542  II   The HIPS trusted application list has not been reviewed against the machine's expected baseline.  [McAfee Host Intrusion Protection Module]
H36400    V0014543  I    The HIPS policy has not enabled Host IPS.  [McAfee Host Intrusion Protection Module]
H36420    V0014544  I    The HIPS policy has not enabled Network IPS.  [McAfee Host Intrusion Protection Module]
H36440    V0014545  I    The HIPS policy has not enabled the automatic blocking of network intruders.  [McAfee Host Intrusion Protection Module]
H36410    V0014546  II   The HIPS policy allows the retention of existing client rules.  [McAfee Host Intrusion Protection Module]
H36500    V0014547  I    The HIPS policy for High Severity is not set properly.  [McAfee Host Intrusion Protection Module]
H36510    V0014548  II   The HIPS policy for Medium Severity is not set properly.  [McAfee ePO Server]
H36640    V0014552  II   The HIPS policy does not contain an appropriate rules hierarchy.  [McAfee Host Intrusion Protection Module]
H36660    V0014553  II   The HIPS policy does not include the signature for protection of the ePO registry.  [McAfee Host Intrusion Protection Module]
H36661    V0014554  II   The HIPS policy does not include the signature for protection of the ePO Server KeyStore.  [McAfee ePO Server]
H36662    V0014555  II   The HIPS policy does not include the signature for protection of the INFOCON registry key.  [McAfee Host Intrusion Protection Module]
H36663    V0014556  II   The HIPS policy does not include the signature for protection of Server.ini.  [McAfee ePO Remote Console]
H36663    V0014556  II   The HIPS policy does not include the signature for protection of Server.ini.  [McAfee ePO Server]
H36664    V0014557  II   The HIPS policy does not include the signature for protection of HIPS preferences.  [McAfee Host Intrusion Protection Module]
H36900    V0014560  II   The HIPS for the ePO server does not have the firewall installed and enabled.  [McAfee ePO Server]
H36920    V0014561  II   The HIPS for the ePO server does not have the firewall set for regular protection.  [McAfee ePO Server]
H36940    V0014562  II   The HIPS for the ePO server has the firewall set to retain client rules.  [McAfee ePO Server]
H37100    V0014563  II   The Assets Module Baseline has not been installed on all clients.  [McAfee ePO Agent]
   Legend:
   R or RAE = Required Ancillary Equipment
   NF = Not a Finding
   NA = Not Applicable                                                                 369 of 1220
   ____ Checklist _V_R_ (<date>)                                            <Test> - TN <Ticket Number>
 PDI    VMSID CAT          Requirement                   Vulnerability   Status   Finding Notes     Section
H38100  V0014565  II  The distributed repository is not a super agent repository.  Section: McAfee ePO Distributed Repository
H40100  V0014566  I   Default operating system passwords exist on the HBSS Server.  Section: McAfee ePO Server
H40120  V0014567  I   Default passwords exist within the HBSS application.  Section: McAfee ePO Server
H40140  V0014568  II  The ePO does not have users assigned in appropriate roles.  Section: McAfee ePO Server
H40160  V0014569  II  The ePO users are granted access without proper procedures and/or verification of need to know.  Section: McAfee ePO Server
H40180  V0014570  II  The ePO does not have a comprehensive account management process.  Section: McAfee ePO Server
H40220  V0014571  II  The account used for vulnerability scanning on the ePO server does not meet creation and deletion requirements.  Section: McAfee ePO Server
H50100  V0014572  II  SA account is being used within the application.  Section: McAfee ePO Server
H50120  V0014573  II  A plan for grouping of machines for updates and alerts is not in place.  Section: McAfee ePO Server
H50240  V0014574  II  Procedures do not exist or are not followed to mark classified or sensitive data.  Section: McAfee ePO Server
H60100  V0014575  II  HBSS Audit Logs are not being retained for at least one year.  Section: McAfee ePO Server
H60120  V0014577  II  HBSS audit log reviews are not performed at least weekly.  Section: McAfee ePO Server
H60140  V0014578  II  The HBSS audit data is not backed up at least weekly to a different system or media.  Section: McAfee ePO Server
H60160  V0014579  II  The HBSS audit data is not being properly protected from unauthorized access.  Section: McAfee ePO Server
H60180  V0014580  II  The Remote Admin access of ePO is not being reviewed.  Section: McAfee ePO Server
H80100  V0014581  II  The disaster recovery plan does not include HBSS.  Section: McAfee ePO Server
H80120  V0014582  II  The ePO Data Backup Frequency or content is inadequate.  Section: McAfee ePO Server
H90120  V0014583  II  The ePO server is not registered in VMS.  Section: McAfee ePO Server
H90140  V0014584  II  The ePO does not have the correct attributes within VMS.  Section: McAfee ePO Server
H90160  V0014585  II  HBSS has not been incorporated into the site's incident response plan.  Section: McAfee ePO Server
H20280  V0014843  II  The site is not using a proxy for http/https traffic.  Section: McAfee ePO Server
H40200  V0014868  II  The account management process does not enforce password complexity.  Section: McAfee ePO Server
H31160  V0014939  II  The SQL Database is not configured as least privilege or unauthorized users have access to data.  Section: McAfee ePO Server
H35000  V0015346  II  The site does not scan hosts before installation of the HBSS client.  Section: McAfee ePO Server
H80200  V0015354  II  Offline copies of the HBSS database are not encrypted.  Section: McAfee ePO Server
H90200  V0015357  II  The HBSS SA or Analyst has not completed training.  Section: McAfee ePO Server
H90300  V0015358  II  The site does not incorporate the installation of HBSS agents on new hosts prior to network connection.  Section: McAfee ePO Server
H36000  V0015363  II  HIPS module is not deployed.  Section: McAfee ePO Agent
H30290  V0017880  II  HBSS application does not have a DoD Certificate installed.  Section: McAfee ePO Server
H30120  V0017882  II  The HBSS is not using the approved WSUS configuration for Microsoft patches.  Section: McAfee ePO Server
H34120  V0017883  II  The Rogue system detector is performing OS fingerprinting.  Section: McAfee Rogue System Sensor
H35110  V0017884  II  The ePO agent is not configured to only accept connections from the ePO server.  Section: McAfee ePO Agent
H30720  V0017885  II  The ePO server does not have MyAverts disabled.  Section: McAfee ePO Server
H30740  V0017886  II  The ePO server does not have the correct warning banner.  Section: McAfee ePO Server
H30760  V0017887  II  The ePO server does not have the user timeout parameter set properly.  Section: McAfee ePO Server
H30780  V0017888  II  The HBSS console is using tabbed browsing.  Section: McAfee ePO Remote Console
H30780  V0017888  II  The HBSS console is using tabbed browsing.  Section: McAfee ePO Server
H30800  V0017889  II  The HBSS has vendor site supplied data dashboards in use.  Section: McAfee ePO Server
H30820  V0017890  II  The HBSS dashboard refresh rate is not set properly.  Section: McAfee ePO Server
H35500  V0017891  II  The ePO component is not in enforcement mode.  Section: McAfee Infocon Asset Tracking, McAfee ePO Agent, McAfee Host Intrusion Protection Module, McAfee Rogue System Sensor
H36110  V0017892  II  The HIPS error reporting feature is enabled.  Section: McAfee Host Intrusion Protection Module
H36210  V0017893  II  The HIPS IPS Engines are not active.  Section: McAfee Host Intrusion Protection Module
H36665  V0017894  II  The HIPS policy does not include the signature for protection of ePO Server Agent Keystore.  Section: McAfee ePO Server
H36666  V0017895  II  The HIPS policy does not include the signature for protection of Protect Product Folders.  Section: McAfee ePO Server
H41100  V0017896  II  EPO application accounts are not using Windows authentication.  Section: McAfee ePO Server
H41110  V0017897  II  EPO accounts are set up with shared Windows accounts.  Section: McAfee ePO Server
H50260  V0017898  II  Application Report Header is not configured correctly.  Section: McAfee ePO Server
H62100  V0017899  II  HBSS Event Logs are not being retained for at least one year.  Section: McAfee ePO Server
H39200  V0019885  II  Policy Auditor has not been installed.  Section: McAfee ePO Agent

 GR-815        CAT      Requirement          Vulnerability      Status   Finding Notes   Systems Affected   Components Affected
R3-6[4]       Low      Requirement: A process (e.g., an NSC, service, or application) that is invoked by a user, shall be associated with the identifier (e.g., userID) of that user. When the invoked process invokes another process, the invoked process shall be associated with the identifier of the invoking process. Autonomous processes (i.e., processes running without user invocation, such as print spoolers, database management servers, translation process monitors, etc.) shall be associated with a system defined unique identification code (e.g., system ownership).  Vulnerability: An administrator will not be able to distinguish between entities that are accessing the system. The system will not provide enough information to facilitate after incident audits, or investigations.
R3-17[42]     Medium   Requirement: The access point shall perform the entire user authentication procedure even if the user-ID that is entered is not valid.
R3-18[43]     Medium   Requirement: The error feedback generated by the access point after the user authentication procedure, shall provide no information other than "invalid," i.e., it shall not reveal which part of the user-entered information (user-ID and/or authenticator) is incorrect.

R3-25[13]     Medium   Requirement: Access points that provide a login service shall not prevent a user from choosing (e.g., unknowingly) a password that is already associated with another user-ID. (Otherwise, an existing password may be divulged.)
R3-26[14]     High     Requirement: The NE/FS/NS shall store passwords in a one-way encrypted form.
R3-30[18]     Medium   Requirement: The NE/FS/NS shall provide a mechanism for a password to be user changeable. This mechanism shall require re-authentication of user identity.  Vulnerability: The system is vulnerable to unauthorized access and masquerading. At the time that the password is issued, both the user and the issuing authority know the user name and password. The issuing authority could masquerade as the user and perform malicious acts on the system.
R3-61[236]    Medium   Requirement: An SS7 Signaling Transfer Point (STP) shall provide gateway screening capabilities for operations and services functions and for all types of messages.
R3-62[237]    Medium   Requirement: An NGN Signaling Gateway (SGW) shall provide gateway screening capabilities for operations and services functions and for all types of messages.

CR3-65[240]   Medium   Requirement: NE/FS/NSs that support remote network management applications and/or critical network services shall provide data integrity services to enable the access point to determine if all received messages/operations requests have been modified since being sent from an authorized entity.
CR3-69[244]   Low      Requirement: NE/FS/NSs that support remote network management applications and/or critical network services shall provide support for message replay detection services to enable the NSC to detect message replay attacks.
R3-87[55]     Low      Requirement: If the NE/FS/NS belongs to class A, the following shall be displayed upon successful access to the NE/FS/NS: 1. The date and time (and location identifier, when available) of the user's last successful access to the NE/FS/NS. 2. The number of unsuccessful attempts by that user-ID to gain system access to the NE/FS/NS (e.g., mis-typed password) since the last successful access by that user-ID.  Vulnerability: The system is vulnerable to unauthorized access. An adversary could access the system using compromised credentials without the user knowing that his account has been compromised. The system is also vulnerable to an adversary guessing account information in an attempt to gain access.

R3-119[83]    Medium   Requirement: The security log and its control mechanisms shall survive system restarts (e.g., via reloading).  Vulnerability: The system may be vulnerable to an attacker performing undetectable malicious acts.
R3-127[101]   Low      Requirement: The NE/FS/NS shall have the capability to protect data integrity by performing integrity checks and/or data update such as: 1. Proper rule checking on data update. 2. Adequate alert messages (e.g., "Do you really mean it?") in response to potentially damaging commands before executing them, so that involuntary human errors may be reduced. 3. Proper handling of duplicate/multiple inputs. 4. Checking return status. 5. Checking intermediate results. 6. Checking inputs for reasonable values.
R3-129[97]    Low      Requirement: The NE/FS/NS shall provide mechanisms to monitor NE/FS/NS resources and their availability (e.g., overflow indication, lost messages, buffer queues).  Vulnerability: If the system has a problem that affects the secure operation of the system, it could go unnoticed and eventually cause a denial of service.
R3-130[98]    Low      Requirement: The NE/FS/NS shall provide mechanisms to detect communication errors (relevant to the NE/FS/NS) above a specifiable threshold.

R3-145[112]   Low      Requirement: Display all users currently logged on, where the word user is used in a broad sense as elsewhere in this document.  Vulnerability: The system may be vulnerable to unauthorized use since an administrator would not be able to verify who was using the system.
R3-156[123]   Medium/Low   Requirement: The following security parameters shall not be hard-coded (i.e., they shall be specifiable/assignable and adjustable by an appropriate administrator using operations-related messages): 1. Password Aging Interval, i.e., the length of time the password will remain valid after being updated. 2. The interval (or equivalent) during which an expired password of a user shall be denied being selected again as a new password by the same user (to prevent "password flipping"). 3. The events that may trigger alarms (e.g., failed login attempts), the levels of alarms (e.g., critical, major, minor), the type of notification (e.g., beep and/or message), and the routing of the alarm (e.g., specific port). 4. The duration of channel lock-out, which occurs when the threshold on the number of incorrect logins is exceeded. 5. A customized advisory warning banner that  Vulnerability: The system will not be able to adjust to future, more stringent requirements.

CR3-158[125]           Low For an NE/FS/NS that is           The system is
                           required to provide a             vulnerable to
                           notification to users requiring   password
                           them to change their              guessing and
                           passwords, the mechanism          password hacking
                           to accomplish this shall not      scripts.
                           be hard-coded (i.e., it shall
                           be specifiable/assignable and
                           adjustable by an appropriate
                           administrator using
                           operations-related
                           messages). The following are
                           examples of alternative ways
                           to accomplish this: *
                           Adjusting the "early warning
                           period" (i.e., how early shall
                           the user be notified before
                           the password expiration). *
                           Adjusting the "grace period"
                           (i.e., the period over which an
                           expired password is still
                           accepted by the NE/FS/NS).
                           * Adjusting the subsequent
                           number of logins that will be
                           allowed after password
                           expiration.

R3-167[134]            Low When an NE/FS/NS needs to
                           be restarted, default user-IDs
                           and passwords, previously
                           modified by an administrator,
                           shall not revert back to the
                           vendor-delivered default user-
                           IDs and passwords.

  PDI   VMSID CAT           Requirement            Vulnerability   Status   Finding Notes
IM0010 V0015437 III No policy prohibiting peer-to-
                    peer applications or software
                    exists
IM0020 V0015398  I Peer-to-peer applications are
                    used for instant messaging

IM0030 V0015436     I    Publicly hosted instant
                         messaging applications are
                         being used for instant
                         messaging.
IM0040 V0015401     I    Instant messaging servers
                         are not located behind a
                         firewall
IM0050 V0015402     II   Instant messaging clients
                         connect to unapproved
                         instant messaging servers.
IM0060 V0015403     II   Instant messaging gateway
                         servers are not located in the
                         DMZ.
IM0070 V0015404     I    Instant messaging system
                         communicates or interacts
                         with public servers.
IM0080 V0015405     II   Instant messaging traffic is
                         not encrypted
IM0090 V0015438     II   Instant messaging clients are
                         not using DoD certificate
                         authority.
IM0100 V0015439     II   Instant messaging services
                         not required are enabled.
                         Required services will be
                         documented with the IAO/SA.

IM0110 V0015440    III   There is no topology diagram
                         of the instant messaging
                         system.
IM0130 V0015441    III   Instant messaging username
                         policy does not exist.

IM0140 V0015442    III   Instant messaging
                         usernames are not in
                         accordance with the
                         username policy.
IM0150 V0015443     II   Instant messaging system is
                         not linked to a directory
                         service.

IM0160 V0015444 III There are no documented
                    procedures for adding and
                    deleting instant messaging
                    users.
IM0170 V0015445  II User passwords are not in
                    accordance with DoD
                    password policy.
IM0180 V0015446  II System administrator
                    passwords are not in
                    accordance with DoD
                    password policy.
IM0190 V0015406  II Instant messaging system
                    stored passwords are not
                    encrypted.
IM0200 V0015447  II Anonymous and guest users
                    are enabled.
IM0210 V0015448  II Unsuccessful logon attempts
                    are not limited to three with
                    an account lockout of 15
                    minutes or until it is
                    unlocked.
IM0220 V0015449  II Instant messaging system
                    does not log user events.
IM0230 V0015450  II Instant messaging system
                    does not log system events.

IM0240 V0015451     II    Instant messaging system
                          does not log virtual meeting
                          entries and exits.
IM0250 V0015452     II    Instant messaging system
                          does not log virtual meeting
                          tools.
IM0310 V0015453     II    Instant messaging system
                          logs are not stored offline for
                          a year.
IM0320 V0015454     III   No centralized syslog server
                          is deployed for the instant
                          messaging system.
IM0330 V0015455     II    Instant messaging system
                          logs are not restricted to
                          authorized users only. These
                          authorized users will be
                          documented.

IM0340 V0015735  II Instant messaging system
                    logs are not reviewed.
IM0350 V0015457  II No warning banner
                    configured on instant
                    messaging system.
IM0360 V0015458  II Instant messaging servers
                    are not configured according
                    to the operating system
                    STIG.
IM0370 V0015459  II Instant messaging system
                    databases are not configured
                    according to the Database
                    STIG.
IM0380 V0015396 III The IAO/SA does not
                    subscribe to instant
                    messaging system patches
                    or update notices.
IM0390 V0015461  II Instant messaging servers
                    and clients are not configured
                    with the latest patches and
                    updates.
IM0400 V0015462  II Remote administration to
                    instant messaging servers is
                    not restricted to authorized IP
                    addresses.
IM0410 V0015463  II Remote administration traffic
                    is not encrypted.
IM0420 V0015464  II Instant messaging servers do
                    not have antivirus or Host
                    Based IDS.
IM0430 V0015407  II Instant messaging servers
                    are not located in a controlled
                    access area.
IM0440 V0015408  II Instant messaging system is
                    not configured in accordance
                    with the PPS CAL. The ports,
                    protocols, and services for
                    the instant messaging
                    system are not documented
                    with the IAO/SA.

IM0450 V0015465     III   The instant messaging
                          system is not registered in
                          the Ports and Protocols
                          Registration system.

IM0460 V0015466 II The instant messaging
                   system is not registered in
                   VMS.
IM0470 V0015467 II Instant messaging system is
                   not configured according to
                   the product-specific checklist.
IM0500 V0015468  I No antivirus software is
                   installed on instant
                   messaging client computers.

IM0510 V0015469    II    IM community
                         announcements are not
                         restricted to authorized users
                         only.
IM0520 V0015470    III   No policy prohibiting IM file
                         sharing exists.
IM0530 V0015471    II    IM file sharing is enabled.
IM0560 V0015472    II    IM server ports are open that
                         are not required for
                         operation. Ports that are
                         required for operation are not
                         documented with the IAO/SA.

IM0570 V0015473    II    Unapproved IM client
                         software used on IM network.
                         Approved IM client software
                         is not documented with the
                         IAO/SA.
IM0580 V0015474    II    Common IM domain names
                         are not blocked at enclave
                         perimeter.
IM0590 V0015475    III   No IM user policy exists
                         outlining the acceptable
                         behavior and consequences
                         for violation of the policy.
IM0600 V0015476    III   No IM instruction presented
                         to all users outlining known
                         IM risks and possible ways to
                         mitigate these risks.
IM0700 V0015477    II    Virtual spaces or rooms are
                         not restricted to authorized
                         users.

IM0710 V0015478 II Virtual spaces and rooms are
                   not labeled according to the
                   classification assignment
                   (unclassified, FOUO,
                   classified).
IM0720 V0015479 II Virtual meeting data is not
                   labeled in accordance to the
                   classification of the virtual
                   space or room (unclassified,
                   FOUO, or classified).

IM0730 V0015480    II    Virtual meeting tools are not
                         disabled if not required for
                         virtual meeting.
IM0740 V0015481    II    Uninvited users are able to
                         participate in virtual
                         meetings.
IM0750 V0015482    II    Virtual meetings do not
                         require passwords.
IM0800 V0015483    III   Virtual meeting application
                         sharing tools are not
                         restricted to authorized
                         users.

     PDI      VMSID    CAT           Requirement           Vulnerability   Status   Finding Notes      Section
5.3.5.3.1                 I The system shall support                                                System
                            dual IPv4 and IPv6 stacks as                                            Requirements
                            described in RFC 4213.
                            NOTE: The tunnel
                            requirements are only
                            associated with appliances
                            that provide IP routing
                            functions (e.g., routers). The
                            primary intent of these
                            requirements is to (1) require
                            dual stacks on all UC
                            appliances and (2) allow dual
                            stacks and tunneling on
                            routers.
5.3.5.3.1.1               I If the system supports                                                  System
                            routing functions, the system                                           Requirements
                            shall support the manual
                            tunnel requirements as
                            described in RFC 4213.
5.3.5.3.2                II The system shall support the                                            System
                            IPv6 format as described in                                             Requirements
                            RFC 2460 and updated by
                            RFC 5095.
5.3.5.3.3               III The system shall support the                                            System
                            transmission of IPv6 packets                                            Requirements
                            over Ethernet networks using
                            the frame format defined in
                            RFC 2464. NOTE: This
                            requirement does not
                            mandate that the remaining
                            sections of RFC 2464 have
                            to be implemented.

5.3.5.3.1.4              I   The system shall support                                               MTU
                             Path Maximum Transmission
                             Unit (MTU) Discovery (RFC
                             1981).

5.3.5.3.1.5              II The system shall support a                                            MTU
                            minimum MTU of 1280 bytes
                            (RFC 2460 and updated by
                            RFC 5095). NOTE: Guidance
                            on MTU requirements and
                            settings can be found in UCR
                            2008, Section 5.3.3.10.1.2
                            Layer 2- Data Link Layer.

5.3.5.3.1.6              II   If Path MTU Discovery is                                            MTU
                              used and a “Packet Too Big”
                              message is received
                              requesting a next-hop MTU
                              that is less than the IPv6
                              minimum link MTU, the
                              system shall ignore the
                              request for the smaller MTU
                              and shall include a fragment
                              header in the packet. NOTE:
                              This is to mitigate an attack
                              where the path MTU is
                              adequate, but the Packet Too
                              Big messages are used to
                              make the packet so small it is
                              inefficient.
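Worked example for 5.3.5.3.1.5 and 5.3.5.3.1.6, added to this checklist and not taken from the UCR text or from any vendor's stack: how a sending host should react to ICMPv6 Packet Too Big messages so that a forged report of a tiny next-hop MTU cannot push it below the 1280-byte IPv6 minimum. The PathMtuEntry state, the message builder used to construct test input, and the zeroed (unverified) checksum are this example's own assumptions.

```python
import struct

IPV6_MIN_LINK_MTU = 1280      # RFC 2460 section 5: every IPv6 link must carry 1280-byte packets
ICMPV6_PACKET_TOO_BIG = 2     # ICMPv6 type (RFC 4443 section 3.2)


class PathMtuEntry:
    """Per-destination path MTU state kept by a sending host."""

    def __init__(self, mtu):
        self.mtu = mtu
        # When True the host sends every packet to this destination with a
        # Fragment header, as RFC 2460 section 5 requires after a sub-1280 report.
        self.add_fragment_header = False


def build_packet_too_big(next_hop_mtu, invoking_packet=b"\x00" * 8):
    """Construct (not capture) an ICMPv6 Packet Too Big message for testing.
    Layout: type(1) code(1) checksum(2) MTU(4) as-much-of-invoking-packet-as-fits.
    The checksum is left as zero; this example does not verify it."""
    return struct.pack("!BBHI", ICMPV6_PACKET_TOO_BIG, 0, 0, next_hop_mtu) + invoking_packet


def parse_packet_too_big(icmp):
    """Return the next-hop MTU advertised by a Packet Too Big message.
    Raises ValueError for anything that is not a well-formed Packet Too Big."""
    if len(icmp) < 8:
        raise ValueError("ICMPv6 message shorter than the fixed 8-byte header")
    msg_type, code, _checksum, mtu = struct.unpack("!BBHI", icmp[:8])
    if msg_type != ICMPV6_PACKET_TOO_BIG or code != 0:
        raise ValueError("not an ICMPv6 Packet Too Big (type 2, code 0) message")
    return mtu


def apply_packet_too_big(entry, icmp):
    """Update the path MTU estimate per RFC 1981 and RFC 2460 section 5.

    - reported MTU below the current estimate but >= 1280: lower the estimate;
    - reported MTU below 1280: clamp the estimate at 1280 and start sending a
      Fragment header on every packet instead of shrinking packets further
      (the UCR 5.3.5.3.1.6 mitigation against forged tiny-MTU reports);
    - reported MTU that would raise the estimate: ignore it (RFC 1981 only
      allows increases through periodic probing, never from a Packet Too Big).
    Returns a short verdict string describing what was done."""
    reported = parse_packet_too_big(icmp)
    if reported < IPV6_MIN_LINK_MTU:
        entry.mtu = IPV6_MIN_LINK_MTU
        entry.add_fragment_header = True
        return f"clamped to {IPV6_MIN_LINK_MTU}, fragment header enabled (reported {reported})"
    if reported < entry.mtu:
        entry.mtu = reported
        return f"lowered to {reported}"
    return f"ignored: reported {reported} is not below current estimate {entry.mtu}"
```

A host that instead honoured the 1000-byte report would keep shrinking packets on an adequate path, which is exactly the inefficiency the NOTE above describes; the clamp keeps the estimate at 1280 and pays only the 8-byte Fragment header per packet.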

5.3.5.3.2.7              II   The system shall not use the                                        Flow Label
                              Flow Label field as described
                              in RFC 2460.
5.3.5.3.2.7.1            II   The system shall be capable                                         Flow Label
                              of setting the Flow Label field
                              to zero when originating a
                              packet.
5.3.5.3.2.7.2            II   The system shall not modify                                         Flow Label
                              the Flow Label field when
                              forwarding packets.
5.3.5.3.2.7.3            II   The system shall be capable                                         Flow Label
                              of ignoring the Flow Label
                              field when receiving packets.

5.3.5.3.3.8              II The system shall support the                                          Address
                            IPv6 Addressing Architecture
                            as described in RFC
                            4291. NOTE: The use of
                            “IPv4 Mapped” addresses
                            “on-the-wire” is discouraged
                            due to security risks raised
                            by inherent ambiguities.

5.3.5.3.4.10             II   If Dynamic Host                                                     DHCP
                              Configuration Protocol
                              (DHCP) is supported within
                              an IPv6 system, it shall be
                              implemented in accordance
                              with the DHCP for IPv6
                              (DHCPv6) as described in
                              RFC 3315. NOTE 1: UCR
                              2008, Section 5.4,
                              Information Assurance,
                              requires that the voice or
                              video DHCP servers are not
                              to be located on the same
                              physical appliance as the
                              voice or video LAN switches
                              and routers in accordance
                              with the Security Technical
                              Implementation Guides
                              (STIGs). Also, the VoIP STIG
                              requires (in VoIP 0082)
                              separate DHCP servers for
                              (1) the phone system in the
                              phone VLAN(s) and (2) the
                              data devices (PCs) in the
                              data VLAN(s). NOTE 2:
                              There is no requirement that
                              separate DHCP servers be
                              used for IPv4 and for IPv6.

5.3.5.3.4.10.1           II   If the system is a DHCPv6                                           DHCP
                              client, the system shall
                              discard any messages that
                              contain options that are not
                              allowed, which are specified
                              in Section 15 of RFC 3315.

5.3.5.3.4.10.2           II The system shall support                                                DHCP
                            DHCPv6 as described in
                            RFC 3315. NOTE: The
                            following subtended
                            requirements are predicated
                            upon an implementation of
                            DHCPv6 for the end
                            instrument. It is not expected
                            that other UC appliances will
                            use DHCPv6.

5.3.5.3.4.10.2.1         II   If the system is a DHCPv6                                             DHCP
                              client, and the first
                              Retransmission Timeout has
                              elapsed since the client sent
                              the Solicit message and the
                              client has received an
                              Advertise message(s), but the
                              Advertise message(s) does
                              not have a preference value
                              of 255, the client shall
                              continue with a client-initiated
                              message exchange by
                              sending a Request message.
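Worked example for 5.3.5.3.4.10.1 and 5.3.5.3.4.10.2.1, added here and not part of the UCR text or of any DHCPv6 implementation: the receive-side checks of RFC 3315 section 15 that a client applies before trusting an Advertise or Reply, and the preference-255 rule for moving on to Request. The DUIDs, transaction-id and message bytes are constructed for the example. Reconfigure is discarded outright because the example does not implement RFC 3118 authentication, which is the behaviour 5.3.5.3.4.10.3 asks for whenever a message cannot be authenticated.

```python
import struct

# DHCPv6 message types (RFC 3315 section 5.3)
SOLICIT, ADVERTISE, REQUEST, CONFIRM, RENEW, REBIND, REPLY = 1, 2, 3, 4, 5, 6, 7
RELEASE, DECLINE, RECONFIGURE, INFORMATION_REQUEST, RELAY_FORW, RELAY_REPL = 8, 9, 10, 11, 12, 13
# Option codes (RFC 3315 section 24.3)
OPTION_CLIENTID, OPTION_SERVERID, OPTION_PREFERENCE = 1, 2, 7

# Message types a client must discard unconditionally (RFC 3315 section 15.1).
CLIENT_MUST_DISCARD = {REQUEST, CONFIRM, RENEW, REBIND, DECLINE, RELEASE,
                       INFORMATION_REQUEST, RELAY_FORW, RELAY_REPL}


def build_message(msg_type, transaction_id, options):
    """Construct a client/server DHCPv6 message: msg-type(1) transaction-id(3)
    followed by TLV options (code(2) len(2) value). Used here to build test input."""
    body = bytes([msg_type]) + transaction_id.to_bytes(3, "big")
    for code, value in options:
        body += struct.pack("!HH", code, len(value)) + value
    return body


def parse_message(data):
    """Split a DHCPv6 message into (msg_type, transaction_id, [(code, value), ...]).
    Raises ValueError on truncation so that malformed input can never be accepted."""
    if len(data) < 4:
        raise ValueError("shorter than the 4-byte fixed header")
    msg_type, xid = data[0], int.from_bytes(data[1:4], "big")
    options, pos = [], 4
    while pos < len(data):
        if pos + 4 > len(data):
            raise ValueError("truncated option header")
        code, length = struct.unpack("!HH", data[pos:pos + 4])
        value = data[pos + 4:pos + 4 + length]
        if len(value) != length:
            raise ValueError("option length runs past end of message")
        options.append((code, value))
        pos += 4 + length
    return msg_type, xid, options


def validate_at_client(data, my_duid, sent_xid, sent_client_id=True):
    """Receive-side checks a DHCPv6 client applies (RFC 3315 sections 15.1,
    15.3 and 15.10). Returns (accepted, reason); the caller logs the reason."""
    try:
        msg_type, xid, options = parse_message(data)
    except ValueError as exc:
        return False, f"malformed: {exc}"
    if msg_type in CLIENT_MUST_DISCARD:
        return False, f"type {msg_type} is never valid when received by a client"
    if msg_type == RECONFIGURE:
        # Section 15.11 requires a valid Authentication option; this example does
        # not implement the RFC 3118/3315 digest check, so it discards and logs.
        return False, "Reconfigure discarded: not authenticated"
    if msg_type not in (ADVERTISE, REPLY):
        return False, f"unexpected type {msg_type}"
    codes = [code for code, _ in options]
    if codes.count(OPTION_SERVERID) != 1 or codes.count(OPTION_CLIENTID) > 1:
        return False, "Server Identifier missing or identifier option duplicated"
    if xid != sent_xid:
        return False, "transaction-id does not match the message we sent"
    client_ids = [value for code, value in options if code == OPTION_CLIENTID]
    if msg_type == ADVERTISE or sent_client_id:
        if client_ids != [my_duid]:
            return False, "Client Identifier missing or does not match our DUID"
    elif client_ids:
        return False, "Client Identifier present although we sent none"
    return True, "ok"


def advertise_preference(data):
    """Preference value carried by an Advertise (0 when the option is absent)."""
    _, _, options = parse_message(data)
    prefs = [value[0] for code, value in options if code == OPTION_PREFERENCE and value]
    return prefs[0] if prefs else 0


def ready_to_request(advertise_prefs, first_rt_elapsed):
    """RFC 3315 section 17.1.2 / UCR 5.3.5.3.4.10.2.1: send Request at once on a
    preference-255 Advertise; otherwise wait until the first retransmission
    timeout has passed and at least one valid Advertise has been collected."""
    if 255 in advertise_prefs:
        return True
    return first_rt_elapsed and len(advertise_prefs) > 0
```

The transaction-id and Client Identifier checks are what stop a rogue server on the link from answering a Solicit it never saw; a client that skips them will happily take configuration from any Advertise that arrives first.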


5.3.5.3.4.10.2.2         II   If the system is a DHCPv6                                             DHCP
                              client and the DHCPv6
                              message exchange fails, it
                              shall restart the
                              reconfiguration process after
                              receiving user input, system
                              restart, attachment to a new
                              link, a system configurable
                              timer, or a user defined
                              external event occurs. NOTE:
                              The intent is to ensure that
                              the DHCP client continues to
                              restart the configuration
                              process periodically until it
                              succeeds.

5.3.5.3.4.10.2.3         II If the system is a DHCPv6                                                DHCP
                            client and it sends an
                            Information-Request
                            message, it shall include a
                            Client Identifier option to
                            allow it to be authenticated to
                            the DHCPv6 server.
5.3.5.3.4.10.2.4         II If the system is a DHCPv6                                                DHCP
                            client, it shall perform
                            duplicate address detection
                            upon receipt of an address
                            from the DHCPv6 server
                            prior to transmitting packets
                            using that address for itself.

5.3.5.3.4.10.2.5         II   If the system is a DHCPv6                                              DHCP
                              client, it shall log all
                              reconfigure events.
5.3.5.3.4.10.3           II   If the system supports                                                 DHCP
                              DHCPv6 and uses
                              authentication, it shall
                              discard unauthenticated
                              DHCPv6 messages from UC
                              systems and log the event.
                              NOTE: This requirement
                              assumes authentication is
                              used as described in RFC
                              3118 (and extended in RFC
                              3315) but does not require
                              authentication.

5.3.5.3.5.11             II   The system shall support                                               Neighbor
                              Neighbor Discovery for IPv6                                            Discovery
                              as described in RFC 2461
                              and RFC 4861 (FY2010).
5.3.5.3.5.11.1           II   The system shall not set the                                           Neighbor
                              override flag bit in the                                               Discovery
                              neighbor advertisement
                              message for solicited
                              advertisements for anycast
                              addresses or solicited proxy
                              advertisements.

5.3.5.3.5.11.2           II The system shall set the                                              Neighbor
                            override flag bit in the                                              Discovery
                            neighbor advertisement
                            message to “1” if the
                            message is not an anycast
                            address or a unicast address
                            for which the system is
                            providing proxy service.

5.3.5.3.5.11.3           II   If a valid neighbor                                                 Neighbor
                              advertisement is received by                                        Discovery
                              the system and the system
                              neighbor cache does not
                              contain the target's entry, the
                              advertisement shall be
                              silently discarded.

5.3.5.3.5.11.4           II   If a valid neighbor                                                 Neighbor
                              advertisement is received by                                        Discovery
                              the system and the system
                              neighbor cache entry is in the
                              INCOMPLETE state when
                              the advertisement is received
                              and the link layer has
                              addresses and no target link-
                              layer option is included, the
                              system shall silently discard
                              the received advertisement.


5.3.5.3.5.11.5           II   If address resolution fails on                                      Neighbor
                              a neighboring address, the                                          Discovery
                              entry shall be deleted from
                              the system's neighbor cache.
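Worked example for 5.3.5.3.5.11.1 through 5.3.5.3.5.11.5, added here and not from the UCR or from any IPv6 stack: a minimal neighbor cache that applies the RFC 4861 section 7.2.5 rules to incoming Neighbor Advertisements and chooses the Override bit for outgoing ones. IPv6 addresses are passed as plain strings and link-layer addresses as bytes; the NA is assumed to have already passed the section 7.1.2 validity checks (hop limit 255, ICMP code 0, length), which are not repeated here.

```python
from enum import Enum

# Neighbor Advertisement flag bits, high-order bits of the 32-bit field (RFC 4861 section 4.4)
ROUTER, SOLICITED, OVERRIDE = 0x80000000, 0x40000000, 0x20000000


class State(Enum):
    INCOMPLETE = "INCOMPLETE"
    REACHABLE = "REACHABLE"
    STALE = "STALE"


class Entry:
    def __init__(self, state, lladdr=None, is_router=False):
        self.state, self.lladdr, self.is_router = state, lladdr, is_router


def na_flags_for_send(solicited, is_router, target_is_anycast_or_proxied):
    """Flags for an NA this node originates (UCR 5.3.5.3.5.11.1 / 11.2): the
    Override bit is set unless the target is an anycast address or a unicast
    address we proxy for, so that the real owner's advertisement still wins."""
    flags = 0
    if is_router:
        flags |= ROUTER
    if solicited:
        flags |= SOLICITED
    if not target_is_anycast_or_proxied:
        flags |= OVERRIDE
    return flags


class NeighborCache:
    """Receive-side NA handling from RFC 4861 section 7.2.5, which UCR
    5.3.5.3.5.11.3 to 11.5 restate. Keyed by the target IPv6 address (a string)."""

    def __init__(self, link_has_addresses=True):
        self.entries = {}
        self.link_has_addresses = link_has_addresses   # False on e.g. point-to-point links
        self.log = []

    def start_resolution(self, target):
        """Called when a Neighbor Solicitation is sent for an unknown neighbor."""
        self.entries[target] = Entry(State.INCOMPLETE)

    def resolution_failed(self, target):
        """11.5: all solicitations went unanswered; drop the entry so a later
        packet restarts resolution instead of queueing behind a dead entry."""
        self.entries.pop(target, None)
        self.log.append(f"address resolution failed for {target}; entry deleted")

    def process_na(self, target, flags, tlla=None):
        """Apply an already-validated NA. tlla is the Target Link-Layer Address
        option, None if absent. Returns a verdict string for the log."""
        entry = self.entries.get(target)
        if entry is None:
            return "discarded: no neighbor cache entry for target"            # 11.3
        solicited, override, is_router = bool(flags & SOLICITED), bool(flags & OVERRIDE), bool(flags & ROUTER)
        if entry.state is State.INCOMPLETE:
            if self.link_has_addresses and tlla is None:
                return "discarded: INCOMPLETE entry and no target link-layer option"  # 11.4
            entry.lladdr, entry.is_router = tlla, is_router
            entry.state = State.REACHABLE if solicited else State.STALE
            return f"resolved: {entry.state.value}"
        # Existing, resolved entry: an unsolicited NA with Override clear may not
        # replace the cached address, which blunts simple NA spoofing.
        if not override and tlla is not None and tlla != entry.lladdr:
            if entry.state is State.REACHABLE:
                entry.state = State.STALE   # keep the old address, but probe it
                return "override clear, address differs: set STALE"
            return "override clear, address differs: ignored"
        changed = tlla is not None and tlla != entry.lladdr
        if changed:
            entry.lladdr = tlla
        if solicited:
            entry.state = State.REACHABLE
        elif changed:
            entry.state = State.STALE
        entry.is_router = is_router   # RFC 4861 also drops a router that becomes a host from the default router list
        return f"updated: {entry.state.value}"
```

Note that the 11.3 check is what makes unsolicited advertisements for addresses the node never talked to harmless: they cannot create cache state, only refresh state that a solicitation already created.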

5.3.5.3.5.1.11.6         II   The system shall support the                                        Redirect
                              ability to configure the                                            Messages
                              system to ignore redirect
                              messages.

5.3.5.3.5.1.11.7         II The system shall only accept                                             Redirect
                            redirect messages from the                                               Messages
                            same router as is currently
                            being used for that
                            destination. NOTE: The
                            intent of this requirement is
                            that if a node is sending its
                            packets destined for location
                            A to router X, that it can only
                            accept a redirect message
                            from router X for packets
                            destined for location A to be
                            sent to router Z.

5.3.5.3.5.1.11.7.1       II   If redirect messages are                                               Redirect
                              allowed, the system shall                                              Messages
                              update its destination cache
                              in accordance with the
                              validated redirect message.

5.3.5.3.5.1.11.7.2       II   If the valid redirect message                                          Redirect
                              is allowed and no entry exists                                         Messages
                              in the destination cache, the
                              system shall create an entry.
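Worked example for 5.3.5.3.5.1.11.6 through 5.3.5.3.5.1.11.7.2, added here and not from the UCR or from any IPv6 stack: a destination cache that accepts a Redirect only from the router currently used for that destination and otherwise leaves the cache untouched. The default router and all addresses are constructed inputs; the ICMPv6 checksum and minimum-length checks of RFC 4861 section 8.1 are assumed to have been done by the caller.

```python
import ipaddress


class DestinationCache:
    """Destination -> next-hop mapping (RFC 4861 section 5.2) plus the Redirect
    validation of section 8.1 that UCR 5.3.5.3.5.1.11.6 to 11.7.2 restate.
    Destinations with no entry use the configured default router."""

    def __init__(self, default_router, accept_redirects=True):
        self.default_router = ipaddress.IPv6Address(default_router)
        self.accept_redirects = accept_redirects    # 11.6: administratively ignore redirects
        self.next_hop = {}

    def current_first_hop(self, dest):
        return self.next_hop.get(ipaddress.IPv6Address(dest), self.default_router)

    def process_redirect(self, src, hop_limit, dest, target):
        """Validate one Redirect (src = IPv6 source of the ICMPv6 packet, dest =
        Destination Address field, target = Target Address field) and update the
        cache only when every check passes. Returns a verdict for the log."""
        src, dest, target = (ipaddress.IPv6Address(a) for a in (src, dest, target))
        if not self.accept_redirects:
            return "ignored: redirects disabled on this interface"
        if hop_limit != 255:
            return "rejected: hop limit is not 255, so the packet crossed a router"
        if not src.is_link_local:
            return "rejected: source is not a link-local address"
        if dest.is_multicast:
            return "rejected: destination is a multicast address"
        if src != self.current_first_hop(dest):
            # 11.7: only the router we are currently using for dest may redirect it.
            return "rejected: source is not the current first-hop router for this destination"
        if not (target.is_link_local or target == dest):
            return "rejected: target is neither a link-local router nor the destination itself"
        existed = dest in self.next_hop
        self.next_hop[dest] = target                    # 11.7.1 update / 11.7.2 create
        return f"accepted: {'updated' if existed else 'created'} entry {dest} -> {target}"
```

The first-hop check is the one that matters against an on-link attacker: once traffic for a destination has been redirected to router B, a forged Redirect claiming to come from router A no longer matches and is dropped, even though A is a legitimate router on the link.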

5.3.5.3.5.2.11.8         II   If the system sends router                                             Router
                              advertisements, the system                                             Advertisements
                              shall inspect valid router
                              advertisements sent by other
                              routers and verify that the
                              routers are advertising
                              consistent information on a
                              link and shall log any
                              inconsistent router
                              advertisements.
5.3.5.3.5.2.11.8.1       II   The system shall prefer                                                Router
                              routers that are reachable                                             Advertisements
                              over routers whose
                              reachability is suspect or
                              unknown.




    Legend:
    R or RAE = Required Ancillary Equipment
    NF = Not a Finding
    NA = Not Applicable                                                              392 of 1220
    ____ Checklist _V_R_ (<date>)                                         <Test> - TN <Ticket Number>
     PDI        VMSID   CAT          Requirement          Vulnerability   Status   Finding Notes      Section
PDI: 5.3.5.3.5.2.11.9    CAT: II    Section: Router Advertisements
Requirement: If the system sends router advertisements, the system shall include the MTU value in the router advertisement message for all links in accordance with RFC 2461 and RFC 4861 (FY2010).

PDI: 5.3.5.3.6.12    CAT: II    Section: Stateless Address Autoconfiguration and Manual Address Assignment
Requirement: If the system supports stateless IP address autoconfiguration, the system shall support IPv6 Stateless Address Auto-Configuration (SLAAC) for interfaces supporting UC functions in accordance with RFC 2462 and RFC 4862 (FY2010).

PDI: 5.3.5.3.6.12.1    CAT: II    Section: Stateless Address Autoconfiguration and Manual Address Assignment
Requirement: The system shall have a configurable parameter that allows the “managed address configuration” flag and the “other stateful configuration” flag to always be set and not perform stateless autoconfiguration. NOTE: The objective of this requirement is to prevent a system from using stateless autoconfiguration.

PDI: 5.3.5.3.6.12.2    CAT: II    Section: Stateless Address Autoconfiguration and Manual Address Assignment
Requirement: The system shall support manual assignment of IPv6 addresses.

PDI: 5.3.5.3.6.12.3    CAT: II    Section: Stateless Address Autoconfiguration and Manual Address Assignment
Requirement: The system shall support stateful autoconfiguration (i.e., ManagedFlag=TRUE). NOTE: This requirement is associated with the earlier requirement for the EI to support DHCPv6.

    Legend:
    R or RAE = Required Ancillary Equipment
    NF = Not a Finding
    NA = Not Applicable                                                            393 of 1220
    ____ Checklist _V_R_ (<date>)                                        <Test> - TN <Ticket Number>
     PDI        VMSID   CAT           Requirement        Vulnerability   Status   Finding Notes       Section
PDI: 5.3.5.3.6.12.3.1    CAT: II    Section: Stateless Address Autoconfiguration and Manual Address Assignment
Requirement: If the system sends router advertisements, the system shall default to using the “managed address configuration” flag and the “other stateful configuration” flag set to TRUE in its router advertisements when stateful autoconfiguration is implemented.
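The router advertisement items above (11.8: inspect other routers' advertisements for consistency and log disagreements; 11.9: include the MTU option; 12.3.1: default the M and O flags to set) all reduce to parsing the ICMPv6 Router Advertisement header and its options. The following Python is an added example written for this page, not text from the checklist or code from any vendor's implementation. The packets it parses are constructed inline (the ICMPv6 checksum is left zero because the IPv6 pseudo-header is not modelled), the documentation prefix 2001:db8:0:1::/64 is an assumed value, and the consistency comparison uses the fields RFC 4861, Section 6.2.7, lists.

```python
"""Parse ICMPv6 Router Advertisements (RFC 4861, Section 4.2) and apply the
checks a router on this checklist needs: consistency of other routers' RAs
(RFC 4861, Section 6.2.7), presence of the MTU option, and M/O flags set.
Added example; the packets below are constructed, not captured."""
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_PREFIX_INFORMATION = 3
OPT_MTU = 5
FLAG_MANAGED = 0x80   # M: addresses come from DHCPv6
FLAG_OTHER = 0x40     # O: other configuration (DNS etc.) comes from DHCPv6


@dataclass
class RouterAdvertisement:
    cur_hop_limit: int
    managed: bool
    other_config: bool
    router_lifetime: int
    reachable_time: int
    retrans_timer: int
    mtu: Optional[int] = None
    prefixes: List[Tuple[bytes, int]] = field(default_factory=list)  # (prefix, length)


def parse_ra(icmp: bytes) -> RouterAdvertisement:
    """Parse an RA starting at the ICMPv6 header. Malformed options raise
    rather than being guessed at, which is what 'validate before acting' means."""
    if len(icmp) < 16:
        raise ValueError("RA shorter than the 16-byte fixed header")
    msg_type, code, _csum, hop, flags, lifetime, reach, retrans = struct.unpack(
        "!BBHBBHII", icmp[:16])
    if msg_type != ICMPV6_ROUTER_ADVERTISEMENT or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = RouterAdvertisement(hop, bool(flags & FLAG_MANAGED),
                             bool(flags & FLAG_OTHER), lifetime, reach, retrans)
    off = 16
    while off < len(icmp):
        if off + 2 > len(icmp):
            raise ValueError("truncated option header")
        opt_type, opt_len = icmp[off], icmp[off + 1]
        if opt_len == 0:                       # RFC 4861 4.6: length 0 is invalid
            raise ValueError("option with length 0")
        end = off + opt_len * 8                # length is in units of 8 octets
        if end > len(icmp):
            raise ValueError("option runs past end of packet")
        body = icmp[off + 2:end]
        if opt_type == OPT_MTU and opt_len == 1:
            ra.mtu = struct.unpack("!I", body[2:6])[0]   # 2 reserved octets, then MTU
        elif opt_type == OPT_PREFIX_INFORMATION and opt_len == 4:
            ra.prefixes.append((body[14:30], body[0]))   # 16-byte prefix, prefix length
        off = end                              # unknown option types are skipped
    return ra


def is_well_formed(icmp: bytes) -> bool:
    try:
        parse_ra(icmp)
        return True
    except ValueError:
        return False


def check_consistency(local: RouterAdvertisement, other: RouterAdvertisement) -> List[str]:
    """Fields on which another router's RA disagrees with this router's own RA.
    Per RFC 4861 6.2.7 a zero hop limit, reachable time or retrans timer means
    'unspecified' and is not compared."""
    findings = []
    if other.cur_hop_limit and local.cur_hop_limit and other.cur_hop_limit != local.cur_hop_limit:
        findings.append("cur_hop_limit")
    if (other.managed, other.other_config) != (local.managed, local.other_config):
        findings.append("M/O flags")
    if other.reachable_time and local.reachable_time and other.reachable_time != local.reachable_time:
        findings.append("reachable_time")
    if other.retrans_timer and local.retrans_timer and other.retrans_timer != local.retrans_timer:
        findings.append("retrans_timer")
    if other.mtu is not None and local.mtu is not None and other.mtu != local.mtu:
        findings.append("mtu")
    if set(other.prefixes) != set(local.prefixes):
        findings.append("prefixes")
    return findings


def checklist_findings(ra: RouterAdvertisement) -> List[str]:
    """11.9: MTU option present; 12.3.1: M and O flags both set."""
    findings = []
    if ra.mtu is None:
        findings.append("11.9: MTU option missing")
    if not (ra.managed and ra.other_config):
        findings.append("12.3.1: M/O flags not both set")
    return findings


def build_ra(hop_limit: int, managed: bool, other: bool,
             mtu: Optional[int] = None, prefix: Optional[bytes] = None) -> bytes:
    """Construct a test RA (checksum left 0; this is not a captured packet)."""
    flags = (FLAG_MANAGED if managed else 0) | (FLAG_OTHER if other else 0)
    pkt = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, hop_limit, flags, 1800, 0, 0)
    if mtu is not None:
        pkt += struct.pack("!BBHI", OPT_MTU, 1, 0, mtu)
    if prefix is not None:   # prefix len 64, L+A flags, valid/preferred lifetimes, reserved, prefix
        pkt += struct.pack("!BBBBIII16s", OPT_PREFIX_INFORMATION, 4, 64, 0xC0, 2592000, 604800, 0, prefix)
    return pkt


PREFIX = bytes.fromhex("20010db8000000010000000000000000")   # 2001:db8:0:1::/64 (assumed)
OWN_RA = parse_ra(build_ra(64, True, True, mtu=1500, prefix=PREFIX))
OTHER_RA = parse_ra(build_ra(64, False, False, prefix=PREFIX))   # a second router advertising SLAAC only

if __name__ == "__main__":
    print("inconsistent fields:", check_consistency(OWN_RA, OTHER_RA))
    print("checklist findings:", checklist_findings(OTHER_RA))
```

Run against the two constructed advertisements, the consistency check reports only the M/O flag disagreement (both routers advertise the same prefix and hop limit), and the second router's RA fails 11.9 and 12.3.1; a router that logs `check_consistency` output for every RA it hears on a link meets the logging half of 11.8.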
PDI: 5.3.5.3.6.12.4    CAT: II    Section: Stateless Address Autoconfiguration and Manual Address Assignment
Requirement: If the system supports a subtended appliance behind it, the system shall ensure that the IP address assignment process of the subtended appliance is transparent to the UC components of the system and does not cause the system to attempt to change its IP address. NOTE: An example is a PC that is connected to the LAN through the hub or switch interface on a phone. The address assignment process of the PC should be transparent to the EI and should not cause the phone to attempt to change its IP address.

PDI: 5.3.5.3.6.12.5    CAT: II    Section: Stateless Address Autoconfiguration and Manual Address Assignment
Requirement: If the system supports IPv6 SLAAC, the system shall have a configurable parameter that allows the function to be enabled and disabled.

PDI: 5.3.5.3.6.12.6    CAT: II    Section: Stateless Address Autoconfiguration and Manual Address Assignment
Requirement: If the system supports SLAAC and security constraints prohibit the use of hardware identifiers as part of interface addresses generated using SLAAC, IPsec capable systems shall support privacy extensions for stateless address autoconfiguration as defined in RFC 4941 - Privacy Extensions for Stateless Address Autoconfiguration in IPv6.

PDI: 5.3.5.3.6.12.7    CAT: II    Section: Stateless Address Autoconfiguration and Manual Address Assignment
Requirement: If the system supports stateless IP address autoconfiguration, the system shall support a configurable parameter to enable or disable manual configuration of the site-local and Global addresses (i.e., disable the “Creation of Global and Site-Local Addresses” as described in Section 5.5 of RFC 2462).

PDI: 5.3.5.3.6.12.8    CAT: II    Section: Stateless Address Autoconfiguration and Manual Address Assignment
Requirement: All IPv6 nodes shall support link-local address configuration, and Duplicate Address Detection (DAD) shall not be disabled, in accordance with RFC 2462 and RFC 4862 (FY2010).

PDI: 5.3.5.3.7.14    CAT: II    Section: Internet Control Message Protocol (ICMP)
Requirement: The system shall support the Internet Control Message Protocol for IPv6 (ICMPv6) as described in RFC 4443.

PDI: 5.3.5.3.7.14.1    CAT: II    Section: Internet Control Message Protocol (ICMP)
Requirement: The system shall have a configurable rate limiting parameter for rate limiting the forwarding of ICMP messages.

PDI: 5.3.5.3.7.14.2    CAT: II    Section: Internet Control Message Protocol (ICMP)
Requirement: The system shall support the capability to enable or disable the ability of the system to generate a Destination Unreachable message in response to a packet that cannot be delivered to its destination for reasons other than congestion.

PDI: 5.3.5.3.7.14.3    CAT: II    Section: Internet Control Message Protocol (ICMP)
Requirement: The system shall support the enabling or disabling of the ability to send an Echo Reply message in response to an Echo Request message sent to an IPv6 multicast/anycast address. NOTE: The number of responses may be traffic conditioned to limit the effect of a denial of service attack.

PDI: 5.3.5.3.7.14.4    CAT: II    Section: Internet Control Message Protocol (ICMP)
Requirement: The system shall validate ICMPv6 messages, using the information contained in the payload, prior to acting on them.

PDI: 5.3.5.3.8.15    CAT: II    Section: Routing Functions
Requirement: If the system supports routing functions, the system shall support Open Shortest Path First (OSPF) for IPv6 as described in RFC 2740.

PDI: 5.3.5.3.8.15.1    CAT: II    Section: Routing Functions
Requirement: If the system supports routing functions, the system shall support securing OSPF with Internet Protocol Security (IPSec) as described for other IPSec instances in UCR 2008, Section 5.4, Information Assurance.

PDI: 5.3.5.3.8.15.2    CAT: II    Section: Routing Functions
Requirement: If the system supports routing functions, the system shall support router-to-router integrity using the IP Authentication Header with HMAC-SHA1-128 as described in RFC 4302.

PDI: 5.3.5.3.8.16    CAT: II    Section: Routing Functions
Requirement: If the system acts as a CE router, the system shall support the use of Border Gateway Protocol (BGP) as described in RFC 1772 and RFC 4271.

PDI: 5.3.5.3.8.16.1    CAT: II    Section: Routing Functions
Requirement: If the system acts as a customer edge router, the system shall support the use of BGP-4 multiprotocol extensions for IPv6 Inter-Domain routing (RFC 2545). NOTE: The requirement to support BGP-4 is in UCR 2008, Section 5.3.3, Wide Area Network General System Requirements.

PDI: 5.3.5.3.8.17    CAT: II    Section: Routing Functions
Requirement: If the system acts as a CE router, the system shall support multiprotocol extensions for BGP-4, RFC 2858 and RFC 4760 (FY2010). NOTE: The requirement to support BGP-4 is in UCR 2008, Section 5.3.3, Wide Area Network General System Requirements.

PDI: 5.3.5.3.8.18    CAT: II    Section: Routing Functions
Requirement: If the system acts as a CE router, the system shall support Generic Routing Encapsulation (GRE) as described in RFC 2784.

PDI: 5.3.5.3.8.19    CAT: II    Section: Routing Functions
Requirement: If the system acts as a CE router, the system shall support the Generic Packet Tunneling in IPv6 Specification as described in RFC 2473. NOTE: Tunneling is provided for data applications and is not needed as part of the VVoIP architecture.

PDI: 5.3.5.3.8.20    CAT: II    Section: Routing Functions
Requirement: If the system supports routing functions, the system shall support the Multicast Listener Discovery (MLD) process as described in RFC 2710 and extended in RFC 3810. NOTE: The FY 2008 VVoIP design does not utilize multicast, but routers supporting VVoIP also support data applications that may utilize multicast. A softphone will have non-routing functions that require MLDv2.

PDI: 5.3.5.3.8.21    CAT: II    Section: Routing Functions
Requirement: The system shall support MLD as described in RFC 2710. NOTE: This requirement was added in order to ensure that Neighbor Discovery multicast requirements are met. Routers are not included in this requirement since they have to meet RFC 2710 in the preceding requirement.

PDI: 5.3.5.3.9.22    CAT: II    Section: IP Security
Requirement: If the system uses IPSec, the system shall support the Security Architecture for the IP, RFC 2401 and RFC 4301 (FY2010). In FY2008, RFC 2401 (and its related RFCs) is the Threshold requirement as described in UCR 2008, Section 5.4, Information Assurance. In addition, the interfaces required to use IPSec are defined in UCR 2008, Section 5.4, Information Assurance.

PDI: 5.3.5.3.9.22.1    CAT: II    Section: IP Security
Requirement: If RFC 4301 is supported, the system shall support binding of a security association (SA) with a particular context.

PDI: 5.3.5.3.9.22.2    CAT: II    Section: IP Security
Requirement: If RFC 4301 is supported, the system shall be capable of disabling the BYPASS IPSec processing choice. NOTE: The intent of this requirement is to ensure that no packets are transmitted unless they are protected by IPSec.

PDI: 5.3.5.3.9.22.3    CAT: II    Section: IP Security
Requirement: If RFC 4301 is supported, the system shall not support the mixing of IPv4 and IPv6 in a security association.

PDI: 5.3.5.3.9.22.4    CAT: II    Section: IP Security
Requirement: If RFC 4301 is supported, the system's security association database (SAD) cache shall have a method to uniquely identify a SAD entry. NOTE: The concern is that a single SAD entry will be associated with multiple security associations. RFC 4301, Section 4.4.2, describes a scenario where this could occur.

PDI: 5.3.5.3.9.22.5    CAT: II    Section: IP Security
Requirement: If RFC 4301 is supported, the system shall be capable of correlating the Differentiated Services Code Point (DSCP) for a VVoIP stream to the security association in accordance with UCR 2008, Section 5.3.2, Assured Services Requirements, and Section 5.3.3, Network Infrastructure End-to-End Performance Requirements, plain text DSCP plan. For a more detailed description of the requirement, see Section 4.1 of RFC 4301 - Security Architecture for the Internet Protocol.

PDI: 5.3.5.3.9.22.6    CAT: II    Section: IP Security
Requirement: If RFC 4301 is supported, the system shall implement IPSec to operate with both integrity and confidentiality.

PDI: 5.3.5.3.9.22.7    CAT: II    Section: IP Security
Requirement: If RFC 4301 is supported, the system shall be capable of enabling and disabling the ability of the system to send an ICMP message informing the sender that an outbound packet was discarded.

PDI: 5.3.5.3.9.22.7.1    CAT: II    Section: IP Security
Requirement: If an ICMP outbound packet message is allowed, the system shall be capable of rate limiting the transmission of ICMP responses.

PDI: 5.3.5.3.9.22.8    CAT: II    Section: IP Security
Requirement: If RFC 4301 is supported, the system shall be capable of enabling or disabling the propagation of the Explicit Congestion Notification (ECN) bits.

PDI: 5.3.5.3.9.22.9    CAT: II    Section: IP Security
Requirement: If RFC 4301 is supported, the system's Security Policy Database (SPD) shall have a nominal, final entry that discards anything unmatched.

PDI: 5.3.5.3.9.22.10    CAT: II    Section: IP Security
Requirement: If RFC 4301 is supported, and the system receives a packet that does not match any SPD cache entries and the system determines it should be discarded, the system shall log the event and include the date/time, Security Parameter Index (SPI) if available, IPSec protocol if available, source and destination of the packet, and any other selector values of the packet.
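Requirements 22.2, 22.9 and 22.10 together describe the SPD lookup: a BYPASS action that an administrator can disable, a last entry that discards anything no other entry matched, and a log record for each such discard carrying the time, the SPI and IPsec protocol where the packet had them, the addresses, and the remaining selector values. The Python below is an added illustration of that lookup written for this page; it is not the checklist's text nor any IPsec stack's code. The policy entries, the addresses (all from the 2001:db8::/32 documentation range), the timestamp and the packets are constructed for the example.

```python
"""Minimal RFC 4301-style Security Policy Database lookup with a nominal final
DISCARD, an administrative switch that disables BYPASS, and the discard log
record the checklist requires. Added example with constructed policy and
packets; not a real IPsec implementation."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

PROTECT, BYPASS, DISCARD = "PROTECT", "BYPASS", "DISCARD"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    next_header: int                    # 6 = TCP, 17 = UDP, 58 = ICMPv6
    dst_port: Optional[int] = None
    spi: Optional[int] = None           # known only for inbound packets that carried ESP/AH
    ipsec_proto: Optional[str] = None   # "ESP" or "AH" when present


@dataclass(frozen=True)
class SpdEntry:
    name: str
    src_net: str                   # CIDR selector
    dst_net: str
    next_header: Optional[int]     # None = any protocol
    dst_port: Optional[int]        # None = any port
    action: str

    def matches(self, pkt: Packet) -> bool:
        try:
            src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        except ValueError:
            return False          # unparsable address never matches; it falls to DISCARD
        # 'in' is False across address families, so a v4 packet never matches a v6 entry (22.3).
        return (src in ipaddress.ip_network(self.src_net)
                and dst in ipaddress.ip_network(self.dst_net)
                and (self.next_header is None or self.next_header == pkt.next_header)
                and (self.dst_port is None or self.dst_port == pkt.dst_port))


class Spd:
    def __init__(self, allow_bypass: bool = True):
        self.allow_bypass = allow_bypass     # 22.2: the BYPASS choice can be disabled
        self.entries: List[SpdEntry] = []
        self.log: List[dict] = []

    def add(self, entry: SpdEntry) -> None:
        if entry.action == BYPASS and not self.allow_bypass:
            raise ValueError(f"BYPASS disabled by policy; refusing entry {entry.name!r}")
        self.entries.append(entry)

    def lookup(self, pkt: Packet, now: Optional[datetime] = None) -> str:
        """First-match lookup. Anything unmatched hits the implicit final DISCARD
        entry (22.9) and is logged with its selector values (22.10)."""
        for entry in self.entries:
            if entry.matches(pkt):
                return entry.action
        self.log.append({
            "time": (now or datetime.now(timezone.utc)).isoformat(),
            "spi": pkt.spi,
            "ipsec_protocol": pkt.ipsec_proto,
            "src": pkt.src, "dst": pkt.dst,
            "next_header": pkt.next_header, "dst_port": pkt.dst_port,
            "action": DISCARD, "reason": "no SPD entry matched",
        })
        return DISCARD


def build_example_spd(allow_bypass: bool) -> Spd:
    """Constructed policy: traffic between two example enclaves is protected; on-link
    ICMPv6 (Neighbor Discovery) is bypassed only where BYPASS is permitted at all."""
    spd = Spd(allow_bypass=allow_bypass)
    spd.add(SpdEntry("enclave-a-to-b", "2001:db8:a::/48", "2001:db8:b::/48", None, None, PROTECT))
    if allow_bypass:
        spd.add(SpdEntry("nd-bypass", "fe80::/10", "ff02::/16", 58, None, BYPASS))
    return spd


FIXED_TIME = datetime(2008, 1, 1, 12, 0, tzinfo=timezone.utc)   # constructed timestamp


def run_demo() -> dict:
    spd = build_example_spd(allow_bypass=True)
    results = {
        "protected": spd.lookup(Packet("2001:db8:a::10", "2001:db8:b::20", 17, 5060), FIXED_TIME),
        "bypassed": spd.lookup(Packet("fe80::1", "ff02::1", 58), FIXED_TIME),
        "unmatched": spd.lookup(Packet("2001:db8:a::10", "2001:db8:c::1", 6, 22), FIXED_TIME),
        "log": list(spd.log),
    }
    strict = Spd(allow_bypass=False)      # 22.2: the same BYPASS entry is refused here
    try:
        strict.add(SpdEntry("nd-bypass", "fe80::/10", "ff02::/16", 58, None, BYPASS))
        results["bypass_refused"] = False
    except ValueError:
        results["bypass_refused"] = True
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The log record is the artefact an assessor would ask to see for 22.10: an outbound packet to a destination outside any configured entry produces one DISCARD entry carrying the time, both addresses, the next header and port, and `None` for SPI and IPsec protocol because an outbound cleartext packet has neither.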

PDI: 5.3.5.3.9.22.11    CAT: II    Section: IP Security
Requirement: If RFC 4301 is supported, the system should include a management control to allow an administrator to enable or disable the ability of the system to send an Internet Key Exchange (IKE) notification of INVALID_SELECTORS.

PDI: 5.3.5.3.9.22.12    CAT: II    Section: IP Security
Requirement: If RFC 4301 is supported, the system shall support the Encapsulating Security Payload (ESP) Protocol in accordance with RFC 4303.

PDI: 5.3.5.3.9.22.12.1    CAT: II    Section: IP Security
Requirement: If RFC 4303 is supported, the system shall be capable of enabling anti-replay.

PDI: 5.3.5.3.9.22.12.2    CAT: II    Section: IP Security
Requirement: If RFC 4303 is supported, the system shall check, as its first check after a packet has been matched to its SA, whether the packet contains a Sequence Number that does not duplicate the Sequence Number of any other packet received during the life of the SA.
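Requirement 22.12.2 is the receiver side of RFC 4303, Section 3.4.3: once the SA has been found by SPI, the sequence number is tested against a sliding window before the integrity check, and the window is only advanced after the ICV verifies, so that a forged packet with a high sequence number cannot push genuine packets out of the window. The Python class below is an added example of that window written for this page, not code from the checklist or from any IPsec implementation; the 64-packet window and the sequence of received packets are assumptions for the illustration.

```python
"""RFC 4303 Section 3.4.3 anti-replay window for 32-bit ESP sequence numbers
(no Extended Sequence Numbers). Added example; the packet sequence at the
bottom is constructed, not captured from an SA."""
from typing import Callable, List

MAX_SEQ = 0xFFFFFFFF


class AntiReplayWindow:
    def __init__(self, size: int = 64):
        if size < 32:
            raise ValueError("RFC 4303 requires a window of at least 32 packets")
        self.size = size
        self.right = 0       # highest sequence number accepted on this SA (right edge)
        self.bitmap = 0      # bit i set means sequence number (right - i) was received

    def check(self, seq: int) -> bool:
        """Step 1, before ICV verification: could seq be a new packet?
        Sequence number 0 is never valid; the first packet on an SA carries 1."""
        if seq == 0 or seq > MAX_SEQ:
            return False
        if seq > self.right:
            return True                       # right of the window: new
        offset = self.right - seq
        if offset >= self.size:
            return False                      # left of the window: too old, treated as replay
        return not (self.bitmap >> offset) & 1   # inside the window: new unless already seen

    def mark(self, seq: int) -> None:
        """Step 2, only after the ICV verified: record seq and slide the window."""
        if seq > self.right:
            shift = seq - self.right
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.right = seq
        else:
            self.bitmap |= 1 << (self.right - seq)

    def rekey_needed(self) -> bool:
        """Without ESN the counter must not wrap; the sender has to rekey first."""
        return self.right == MAX_SEQ


def process(seqs: List[int], icv_ok: Callable[[int], bool] = lambda seq: True,
            size: int = 64) -> List[bool]:
    """Run received ESP packets through the window. icv_ok stands in for the
    integrity check that must pass before a packet is committed to the window."""
    win = AntiReplayWindow(size)
    accepted = []
    for seq in seqs:
        ok = win.check(seq) and icv_ok(seq)
        if ok:
            win.mark(seq)
        accepted.append(ok)
    return accepted


# Constructed sequence: 3 and 50 are replayed; 30 and 36 fall left of a window whose
# right edge is 100 (37..100 is inside); 37 arrives late but is still new.
SAMPLE = [1, 2, 3, 3, 100, 30, 50, 50, 36, 37]

if __name__ == "__main__":
    print(process(SAMPLE))
```

The two-step `check`/`mark` split is the point: a packet that passes the window test but fails the ICV is never marked, so it neither consumes a window slot nor moves the right edge, which is what keeps an attacker who cannot forge the ICV from causing legitimate traffic to be dropped as "too old".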

PDI: 5.3.5.3.9.22.13    CAT: II    Section: IP Security
Requirement: If RFC 4301 is supported, the system shall support the cryptographic algorithms defined in RFC 4308 for Suite “VPN-B”.

PDI: 5.3.5.3.9.22.13.1    CAT: II    Section: IP Security
Requirement: If RFC 4301 is supported, the system shall support the use of AES-CBC with 128-bit keys for encryption.

PDI: 5.3.5.3.9.22.13.2    CAT: II    Section: IP Security
Requirement: If RFC 4301 is supported, the system shall support the use of HMAC-SHA1-96 (Threshold) and AES-XCBC-MAC-96 (FY2010) for integrity.

PDI: 5.3.5.3.9.22.14    CAT: II    Section: IP Security
Requirement: If RFC 4301 is supported, the system shall support IKE Version 1 (IKEv1) (Threshold) as defined in RFC 2409, and IKE Version 2 (IKEv2) (FY2010) as defined in RFC 4306. NOTE: Internet Key Exchange version 1 (IKEv1) requirements are found in UCR 2008, Section 5.4, Information Assurance.

PDI: 5.3.5.3.9.22.14.1    CAT: II    Section: IP Security
Requirement: If the system supports IKEv2, it shall be capable of configuring the maximum User Datagram Protocol (UDP) message size.

PDI: 5.3.5.3.9.22.14.2    CAT: II    Section: IP Security
Requirement: If IKEv2 is supported, the system shall support the use of the ID_IPV6_ADDR and ID_IPV4_ADDR Identification Types.

PDI: 5.3.5.3.9.22.14.3    CAT: II    Section: IP Security
Requirement: If the system supports IKEv2, the system shall be capable of ignoring subsequent SA setup response messages after the receipt of a valid response.

PDI: 5.3.5.3.9.22.14.4    CAT: II    Section: IP Security
Requirement: If the system supports IKEv2, the system shall be capable of sending a Delete payload to the other end of the security association.

PDI: 5.3.5.3.9.22.14.5    CAT: II    Section: IP Security
Requirement: If the system supports IKEv2, the system shall reject initial IKE messages unless they contain a Notify payload of type COOKIE.
5.3.5.3.9.22.            II   If the system supports IKEv2,                                        IP Security
14.6                          the system shall close a SA
                              instead of rekeying when its
                              lifetime expires if there has
                              been no traffic since the last
                              rekey.

5.3.5.3.9.22.            II If the system supports IKEv2,                                          IP Security
14.7                        the system shall not use the
                            Extensible Authentication
                            Protocol (EAP) method for
                            IKE authentication.

5.3.5.3.9.22.            II   If the system supports IKEv2,                                        IP Security
14.8                          the system shall limit the
                              frequency to which it
                              responds to messages on
                              UDP port 500 or 4500 when
                              outside the context of a
                              security association known to
                              it.
5.3.5.3.9.22.            II   If the system supports IKEv2,                                        IP Security
14.9                          the system shall not support
                              temporary IP addresses or
                              respond to such requests.

5.3.5.3.9.22.            II   If the system supports IKEv2,                                        IP Security
14.10                         the system shall support the
                              IKEv2 cryptographic
                              algorithms defined in RFC
                              4307.
5.3.5.3.9.22.            II   If the system supports IKEv2,                                        IP Security
14.11                         the system shall support the
                              VPN-B Suite as defined in
                              RFC 4308 and RFC 4869
                              (FY2010).
5.3.5.3.9.22.            II   If RFC 4301 is supported, the                                        IP Security
15                            system shall support
                              extensions to the Internet IP
                              Security Domain of
                              Interpretation for the Internet
                              Security Association and Key
                              Management Protocol
                              (ISAKMP) as defined in RFC
                              2407.

5.3.5.3.9.22.            II   If RFC 4301 is supported, the                                        IP Security
16                            system shall support the
                              ISAKMP as defined in RFC
                              2408.




5.3.5.3.9.22.            II If the system supports the                                             IP Security
17                          IPsec Authentication Header
                            Mode, the system shall
                            support the IP Authentication
                            Header (AH) as defined in
                            RFC 4302.
5.3.5.3.9.22.            II If RFC 4301 is supported, the                                          IP Security
18                          system shall support manual
                            keying of IPSec.
5.3.5.3.9.22.            II If RFC 4301 is supported, the                                          IP Security
19                          system shall support the ESP
                            and AH cryptographic
                            algorithm implementation
                            requirements as defined in
                            RFC 4305 and RFC 4835
                            (FY2010).

5.3.5.3.9.22.            II   If RFC 4301 is supported, the                                        IP Security
21                            system shall support the
                              IKEv1 security algorithms as
                              defined in RFC 4109.

5.3.5.3.10.2             II   The system shall comply with                                         Network
3                             the Management Information                                           Management
                              Base (MIB) for IPv6 textual
                              conventions and general
                              group as defined in RFC
                              4293. NOTE: The
                              requirements to support
                              SNMPv3 are found in UCR
                              2008, Section 5.3.2.17.3.1.5,
                              SNMP Version 2 and Version
                              3 Format Alarm messages,
                              and UCR 2008, Section 5.4,
                              Information Assurance.

5.3.5.3.10.2             II   If the system performs                                               Network
3.1                           routing functions, the system                                        Management
                              shall support the SNMP
                              management framework as
                              described in RFC 3411.




5.3.5.3.10.2            II If the system performs                                                 Network
3.2                        routing functions, the system                                          Management
                           shall support SNMP
                           message processing and
                           dispatching as described in
                           RFC 3412.
5.3.5.3.10.2            II If the system performs                                                 Network
3.3                        routing functions, the system                                          Management
                           shall support the SNMP
                           applications as described in
                           RFC 3413.
5.3.5.3.10.2            II The system shall support the                                           Network
4                          ICMPv6 MIBs as defined in                                              Management
                           RFC 4293.
5.3.5.3.10.2            II The system shall support the                                           Network
5                          Transmission Control                                                   Management
                           Protocol (TCP) MIBs as
                           defined in RFC 4022.
5.3.5.3.10.2            II The system shall support the                                           Network
6                          UDP MIBs as defined in RFC                                             Management
                           4113.
5.3.5.3.10.2            II If the system performs                                                 Network
7                          routing functions, the system                                          Management
                           shall support IP tunnel MIBs
                           as described in RFC 4087.

5.3.5.3.10.2             II   If the system performs                                              Network
8                             routing functions, the system                                       Management
                              shall support the IP
                              Forwarding MIB as defined in
                              RFC 4292.
5.3.5.3.10.2             II   If the system supports mobile                                       Network
9                             users, the system shall                                             Management
                              support the Mobile IP
                              Management MIBs as
                              described in RFC 4295.
5.3.5.3.10.3             II   If the system supports SNMP                                         Network
1                             and IPsec, the system shall                                         Management
                              support the IPsec security
                              policy database as described
                              in RFC 4807.




5.3.5.3.10.3            II If the system uses Uniform                                              Network
2                          Resource Identifiers (URIs),                                            Management
                           the system shall use the URI
                           syntax described in RFC
                           3986.
5.3.5.3.10.3            II If the system uses the                                                  Network
3                          Domain Name System                                                      Management
                           (DNS), the system shall
                           conform to RFC 3596 for
                           DNS queries. NOTE: DNS is
                           primarily used for NM
                           applications.
5.3.5.3.12.3            II The system shall forward                                                IP Version
7                          packets using the same IP                                               Negotiation
                           version as the version in the
                           received packet. NOTE: If the
                           packet was received as an
                           IPv6 packet, the appliance
                           will forward it as an IPv6
                           packet. If the packet was
                           received as an IPv4 packet,
                           the appliance will forward the
                           packet as an IPv4 packet.
                           This requirement is primarily
                           associated with the signaling
                           packets to ensure that
                           translation does not occur.
                           REMINDER: This
                           requirement may be waived
                           from FY2008 to FY2012 in
                           order to support IPv4 or IPv6
                           only EIs.

5.3.5.3.12.3             II   The system shall use the                                             IP Version
8                             Alternative Network Address                                          Negotiation
                              Types (ANAT) semantics for
                              the Session Description
                              Protocol (SDP) in
                              accordance with RFC 4091
                              when establishing media
                              streams from dual stacked
                              appliances for AS-SIP
                              signaled sessions.




5.3.5.3.12.3            II The system shall place the                                              IP Version
8.2                        SDP-ANAT option-tag in a                                                Negotiation
                           required header field when
                           using ANAT semantics in
                           accordance with RFC 4092.
5.3.5.3.12.3            II Dual stacked systems shall                                              IP Version
8.3                        include the IPv4 and IPv6                                               Negotiation
                           addresses within the SDP of
                           the SIP INVITE message
                           when the INVITE contains
                           the SDP.
5.3.5.3.13.4            II The system shall be able to                                             AS-SIP IPv6
5                          provide topology hiding (e.g.,                                          Unique
                           NAT) for IPv6 packets in the                                            Requirements
                           manner described in UCR
                           2008 Section 5.4, Information
                           Assurance.
5.3.5.3.13.4            II The system shall support                                                AS-SIP IPv6
6                          default address selection for                                           Unique
                           IPv6 as defined in RFC 3484                                             Requirements
                           (except for Section 2.1).

5.3.5.3.13.4             II   If the system supports                                               Miscellaneous
7                             Remote Authentication Dial                                           Requirements
                              In User Service (RADIUS)
                              authentication, the system
                              shall support RADIUS in the
                              manner defined in RFC 3162.

5.3.5.3.14.4             II   If the system supports Mobile                                        Miscellaneous
8                             IP version 6 (MIPv6), the                                            Requirements
                              system shall provide mobility
                              support as defined in RFC
                              3775.
5.3.5.3.14.4             II   If the system acts as a home                                         Miscellaneous
8.1                           agent, the system shall                                              Requirements
                              provide mobility support as
                              defined in RFC 3775.




5.3.5.3.14.4            II If the system supports Mobile                                           Miscellaneous
9                          IP version 6 (MIPv6), the                                               Requirements
                           system shall provide a
                           secure manner to signal
                           between mobile nodes and
                           home agents in the manner
                           described in RFC 3776 and
                           RFC 4877 (FY2010).
5.3.5.3.14.5            II If the system supports                                                  Miscellaneous
1                          network mobility (NEMO), the                                            Requirements
                           system shall support the
                           function as defined in RFC
                           3963.
5.3.5.3.14.5            II The system shall support                                                Miscellaneous
2                          Differentiated Services as                                              Requirements
                           described in RFC 2474 and
                           RFC 5072 (FY2010) for a
                           voice and video stream to the
                           security association in
                           accordance with UCR 2008,
                           Section 5.3.2, Assured
                           Services Requirements and
                           UCR 2008, Section 5.3.3,
                           Network Infrastructure End-to-
                           End Performance
                           Requirements, plain text
                           DSCP plan.
5.3.5.3.14.5            II If the system acts as an IPv6                                           Miscellaneous
3                          tunnel broker, the system                                               Requirements
                           shall support the function in
                           the manner defined in RFC
                           3053.
5.3.5.3.14.5            II If the system supports                                                  Miscellaneous
4                          roaming (as defined within                                              Requirements
                           RFC 4282), the system shall
                           support this function as
                           described by RFC 4282.
5.3.5.3.14.5            II If the system supports the                                              Miscellaneous
5                          Point-to-Point Protocol                                                 Requirements
                           (PPP), the system shall
                           support PPP as described in
                           RFC 2472.




   PDI      VMSID    CAT   Requirement                                                                                   Vulnerability   Status   Finding Notes   Section
ISA0-056 V0021620 III   ISA Server Administrator role must be assigned or authorized by the IAO.                                                                  ISA 2006 OWA Proxy
ISA2-001 V0021629 II    The ISA server must not be deployed on a Single Network Adapter Template.                                                                 ISA 2006 Server
ISA2-007 V0021653 II    The ISA Servers must have appropriate web filters enabled.                                                                                ISA 2006 Server
ISA2-010 V0021651 II    The ISA Server must have UDP fragment blocking disabled.                                                                                  ISA 2006 Server
ISA2-013 V0021652 II    ISA server must have SYN Flood and DoS attack prevention enabled plus associated logging.                                                 ISA 2006 Server
ISA2-023 V0021648 II    The ISA System Policy must restrict Active Directory traffic to specific Domain Controllers.                                              ISA 2006 Server
ISA2-025 V0021640 II    Non-Microsoft authentication traffic from the ISA server must not be allowed.                                                             ISA 2006 Server
ISA2-026 V0021670 II    Certificate Revocation Checking must be performed and use specific configurations.                                                        ISA 2006 Server
ISA2-027 V0021641 II    Remote Management traffic to the ISA server must be disabled.                                                                             ISA 2006 Server
ISA2-028 V0021642 II    PING to the ISA server must be disabled.                                                                                                  ISA 2006 Server
ISA2-029 V0021643 II    Remote MS Monitoring traffic to the ISA server must be disabled.                                                                          ISA 2006 Server
ISA2-030 V0021644 II    SMTP traffic from the ISA server must be disabled.                                                                                        ISA 2006 Server
ISA2-031 V0021635 II    Error Reporting to Microsoft must be disabled.                                                                                            ISA 2006 Server
ISA2-032 V0021639 II    DHCP traffic from the ISA server must not be allowed.                                                                                     ISA 2006 Server
ISA2-035 V0021664 II    The ISA server must have a valid DoD SSL certificate for OWA.                                                                             ISA 2006 Server
ISA2-038 V0021634 III   Unneeded ISA Server application filters must be disabled.                                                                                 ISA 2006 Server
ISA2-040 V0021676 II    Unneeded VPN services must be disabled.                                                                                                   ISA 2006 Server
ISA2-041 V0021675 II    Unneeded Cache services must be disabled.                                                                                                 ISA 2006 Server
ISA2-042 V0021677 II    ISA services must be restricted to specific service accounts.                                                                             ISA 2006 Server
ISA2-056 V0021647 II    ISA Server must have a specific domain scope defined.                                                                                     ISA 2006 Server
ISA2-135 V0021671 II    The OWA Web Listener must require only SSL connections.                                                                                   ISA 2006 Server
ISA2-171 V0021654 II    OWA Web Listener must require only Client Certificate Authentication.                                                                     ISA 2006 Server
ISA2-175 V0021649 II    OWA Listeners in the DoD must trust only DoD Root Certificate Authorities.                                                                ISA 2006 Server
ISA2-204 V0021632 II    ISA Rule must use IP addresses for applications.                                                                                          ISA 2006 Server
ISA2-220 V0021650 II    The OWA firewall rule must be restricted to authenticated users.                                                                          ISA 2006 Server
ISA2-241 V0021646 II    The OWA firewall rule must require Kerberos Constrained Delegation (KCD) to enable CAC authentication.                                    ISA 2006 Server
ISA2-247 V0021655 II    ISA Server must restrict each firewall rule to one published application such as OWA.                                                    ISA 2006 Server
ISA2-833 V0021645 II    ISA Server's Microsoft Customer Experience Improvement Program Participation must be disabled.                                            ISA 2006 Server
ISA2-855 V0021656 II    Failsafe shutdown must be configured for low disk space condition.                                                                        ISA 2006 Server
ISA2-882 V0021680 II    The ISA Server must be monitored for Invalid Certificate Usage.                                                                           ISA 2006 Server
ISA2-884 V0021666 III   The ISA Server must be monitored for Certificates nearing their expiration date.                                                          ISA 2006 Server
ISA2-886 V0021665 II    The ISA Server must be monitored for failed Kerberos Credential Delegation.                                                               ISA 2006 Server
ISA2-890 V0021631 II    ISA firewall rules must have logging enabled.                                                                                             ISA 2006 Server
ISA2-892 V0021669 II    The ISA Server must be monitored for Log Storage Failure.                                                                                 ISA 2006 Server
ISA2-894 V0021668 II    The ISA Server must be monitored for Logging failure.                                                                                     ISA 2006 Server
ISA2-896 V0021667 II    The ISA Server must be monitored for Available Free Disk Space.                                                                           ISA 2006 Server
ISA3-002 V0021618 II    ISA-Unique security requirements, such as Interface Model, server role, and protected assets must be documented.                          ISA 2006 OWA Proxy
ISA3-005 V0021626 II    The ISA Backup and Recovery strategy must be documented and must be tested according to the INFOCON schedule.                             ISA 2006 OWA Proxy
ISA3-006 V0021625 II    Audit Logs must be included in Backups.                                                                                                   ISA 2006 OWA Proxy
ISA3-007 V0021622 II    ISA Recovery Data must be restricted to Administrators and Backup/Recovery processes.                                                     ISA 2006 OWA Proxy
ISA3-009 V0021672 II    Access to ISA configuration data must be restricted to ISA Server Administrator role.                                                     ISA 2006 Server
ISA3-010 V0021627 II    Software Critical Copies for ISA Services must be backed up and available for restore action.                                             ISA 2006 OWA Proxy
ISA3-015 V0021617 II    Procedural Reviews for ISA Services must be done annually.                                                                                ISA 2006 OWA Proxy
ISA3-041 V0021679 I     The ISA Server must utilize file-and-web Antivirus software.                                                                              ISA 2006 Server
ISA3-045 V0021619 II    Configuration Management (CM) procedures must be implemented for ISA services.                                                            ISA 2006 OWA Proxy
ISA3-050 V0021621 II    ISA services must be documented in the System Security Plan.                                                                              ISA 2006 OWA Proxy
ISA3-058 V0021662 II    The ISA software must be monitored for change compliant with INFOCON frequency.                                                           ISA 2006 Server
ISA3-071 V0021624 II    ISA audit records must be retained for at least one year.                                                                                 ISA 2006 OWA Proxy
ISA3-079 V0021623 II    Automated tools must be available for review and reporting on ISA Services audit records.                                                 ISA 2006 OWA Proxy
ISA3-108 V0021661 II    ISA services must be configured to use PPSM-compliant ports and protocols.                                                                ISA 2006 Server
ISA3-112 V0021674 II    The ISA External interface must have only TCP/IP protocol installed.                                                                      ISA 2006 Server
ISA3-150 V0021678 II    ISA audit trails must be protected against unauthorized access.                                                                           ISA 2006 Server
ISA3-169 V0021673 II    ISA Server interfaces must not have IPv6 protocol installed.                                                                              ISA 2006 Server
ISA3-815 V0021658 II    The ISA Application must be installed on a dedicated partition separate from Security functions or other applications.                   ISA 2006 Server
ISA3-821 V0021660 II    The ISA logs or audit data must be on a separate partition from the ISA application.                                                      ISA 2006 Server
ISA3-825 V0021659 II    The ISA Configuration Storage Server must be installed on a separate computer.                                                            ISA 2006 Server
ISA3-858 V0021663 II    The ISA software baseline must exist to be used for scan comparisons.                                                                     ISA 2006 Server
   PDI     VMSID     CAT           Requirement                Vulnerability   Status   Finding Notes

NET0090   V0008046    II   The IAO/NSO will maintain a
                           current drawing of the site's
                           network topology that
                           includes all external and
                           internal links, subnets, and all
                           network equipment.
NET0130   V0008047    II   The IAO/NSO will ensure that
                           all external connections are
                           validated and approved by
                           the CAP and DAA, SNAP or
                           CAO requirements have
                           been met, and MOA and
                           MOU is established between
                           enclaves, prior to
                           connections.

NET0135   V0008048    II   The IAO/NSO will review all
                           connection requirements on a
                           semi-annual basis to ensure
                           the need remains current, as
                           well as evaluate all
                           undocumented network
                           connections discovered
                           during inspections.
NET0140   V0008049   III   The IAO/NSO will ensure the
                           connection between the
                           CSU/DSU and the local
                           exchange carrier‟s (LEC)
                           data service jack (i.e.,
                           demarc) is in a secured
                           environment.
NET0141   V0008050   III   The IAO/NSO will ensure the
                           network management
                           modems connected to all
                           Channel Service Units
                           (CSUs)/Data Service Units
                           (DSUs) are disabled or
                           disconnected when not in
                           use.
NET0160   V0008051    I    The IAM will ensure that
                           written approval is obtained
                           from the GIG Waiver Panel
                           or the Office of the DoD Chief
                           Information Officer (DoD
                           CIO) prior to establishing an
                           ISP connection.
   PDI     VMSID     CAT           Requirement               Vulnerability   Status   Finding Notes

NET0162  V0004622  I    The IAO/NSO will ensure premise router interfaces that connect to an AG (i.e., ISP) are configured with an ingress ACL that only permits packets with destination addresses within the site's address space.
NET0164  V0004623  I    The IAO/NSO will ensure the premise router does not have a routing protocol session with a peer router belonging to an AS (Autonomous System) of the AG service provider. A static route is the only acceptable route to an AG.
NET0166  V0004624  III  The IAO/NSO will ensure the AG network service provider IP addresses are not redistributed into or advertised to the NIPRNet or any router belonging to any other Autonomous System (AS), i.e., to another AG device in another AS.
NET0167  V0014632  II   The IAO/NSO will ensure the route to the AG network adheres to the PPS CAL boundary 13 and 14 policies and is in compliance with all perimeter filtering defined in the perimeter and router sections of the Network STIG.
NET0168  V0014634  II   If the site has a non-DoD external connection (Approved Gateway), the IAO/NSO will ensure that the external NIDS is located between the site's Approved Gateway (Service Delivery Router) and the premise router.
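The NET0162 ingress-ACL check can be automated against the text of the ACL applied on the AG-facing interface. The following is an added example, not part of the checklist or any DISA tool: it parses a constructed Cisco-IOS-style extended ACL (only the `any`, `host A.B.C.D` and `A.B.C.D wildcard` address forms are handled) and reports every permit whose destination is not wholly inside the site's address space. The site prefix 203.0.113.0/24 and the sample ACL are assumptions. It goes one step beyond the row's wording with a second check that the ACL also denies packets whose source claims to be loopback or the site's own space before the first permit, which is what an ingress filter at this boundary is normally expected to do.

```python
"""Audit a premise-router ingress ACL for NET0162 (added example, not DISA code)."""
import ipaddress
import re

# Assumption: the address space the site is authorised to use
SITE_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample ACL as applied inbound on the AG (ISP) facing interface
SAMPLE_ACL = """
ip access-list extended INGRESS-FROM-AG
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 permit tcp any 203.0.113.0 0.0.0.255 eq 443
 permit udp any host 203.0.113.53 eq 53
 permit ip any any
"""

# An IOS address token: "any", "host A.B.C.D", or "A.B.C.D W.W.W.W" (wildcard)
TOKEN = r"(any|host \d+\.\d+\.\d+\.\d+|\d+\.\d+\.\d+\.\d+ \d+\.\d+\.\d+\.\d+)"
ENTRY = re.compile(rf"^\s*(permit|deny)\s+(\S+)\s+{TOKEN}\s+{TOKEN}", re.M)

# Sources that must never arrive from outside, in addition to the site's own space
BOGON_SOURCES = [ipaddress.ip_network("127.0.0.0/8")]


def to_network(token):
    """Convert an IOS address token into an IPv4Network."""
    if token == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if token.startswith("host "):
        return ipaddress.ip_network(token.split()[1] + "/32")
    addr, wildcard = token.split()
    # IOS wildcard masks are inverted netmasks
    mask = ipaddress.ip_address((~int(ipaddress.ip_address(wildcard))) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def audit_ingress_acl(acl_text, site_prefixes):
    """NET0162: every permit's destination must lie wholly inside the site space.

    Returns a list of finding strings; an empty list means compliant.
    """
    findings = []
    for action, proto, src, dst in ENTRY.findall(acl_text):
        if action != "permit":
            continue
        dst_net = to_network(dst)
        if not any(dst_net.subnet_of(p) for p in site_prefixes):
            findings.append(f"permit {proto} {src} -> {dst_net} is outside site space")
    return findings


def audit_spoofed_sources(acl_text, site_prefixes):
    """Beyond NET0162: loopback and the site's own prefixes must be denied as
    sources before the first permit, otherwise spoofed packets get through."""
    denied = []
    for action, _proto, src, _dst in ENTRY.findall(acl_text):
        if action == "permit":
            break  # only denies that precede the first permit count
        denied.append(to_network(src))
    return [f"no deny for source {n}" for n in BOGON_SOURCES + list(site_prefixes)
            if not any(n.subnet_of(d) for d in denied)]


if __name__ == "__main__":
    for f in audit_ingress_acl(SAMPLE_ACL, SITE_PREFIXES) + audit_spoofed_sources(SAMPLE_ACL, SITE_PREFIXES):
        print("FINDING:", f)
```

Run against the sample, the trailing `permit ip any any` is reported (it lets the router forward anything), and the missing anti-spoofing deny for 203.0.113.0/24 is reported by the second check. Feed the function the output of `show ip access-lists` or the running-config stanza from the real device.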
NET0170  V0008052  II   The IAO/NSO will ensure that no backdoor connections exist between the site's secured private network and the Internet, NIPRNet, SIPRNet, or other external networks unless approved by the DAA.
NET0180  V0002990  II   The IAO/NSO will ensure all public address ranges used on the NIPRNet are properly registered with the .MIL Network Information Center (NIC).
NET0185  V0003157  II   The IAO/NSO will ensure that all addresses used within the site's SIPRNet infrastructure are authorized .smil.mil or .sgov.gov addresses that have been registered and assigned to the activity. RFC1918 addresses are not permitted.
NET0190  V0003005  III  The IAO/NSO will ensure that workstation clients' real IPv4 addresses are not revealed to the public by implementing NAT on the firewall or the router.
NET0198  V0008099  III  The IAO/NSO will ensure that the DHCP server is configured to log hostnames or MAC addresses for all clients, and all logs are stored online for 30 days and offline for one year.
NET0199  V0008100  III  The IAO/NSO will ensure that any DHCP server used within SIPRNet infrastructure is configured with a lease duration time of 30 days or more.
NET0210  V0008054  II   The IAO/NSO will ensure that all network devices (i.e., IDS, routers, RAS, NAS, firewalls, etc.) are located in a secure room with limited access.
NET0230  V0003012  I    The IAO/NSO will ensure all communications devices are password protected.
NET0240  V0003143  I    The IAO/NSO will ensure all default manufacturer passwords are changed.
NET0260  V0008055  II   The IAO/NSO will ensure all passwords are created and maintained in accordance with the rules outlined in DODI 8500.2, IAIA-1, and IAIA-2 (http://www.dtic.mil/whs/directives/corres/html/85002.htm).
NET0270  V0008056  II   The IAO/NSO will record the locally configured passwords used on communications devices and store them in a secured manner.
NET0340  V0003013  II   An approved DoD login banner is not used on the device.
NET0345  V0008065  II   The IAO will ensure only firewalls that have been evaluated and validated against existing NIAP profiles are placed in the network infrastructure.
NET0346  V0014638  II   The IAO/NSO will ensure that a DMZ architecture is implemented, providing boundary protection for classified and sensitive architectures that interconnect enclaves.
NET0347  V0014639  III  The IAO will ensure the accreditation documentation (e.g., SSAA) is updated to reflect the installation or modification of the site's firewall.
NET0348  V0014640  II   The IAO will ensure publicly accessible servers (i.e., web servers) are placed in an enclave DMZ.
NET0351  V0008066  II   The IAO/NSO will ensure, when protecting the boundaries of a network, the firewall is placed between the private network and the perimeter router and the DMZ.
NET0355  V0014641  II   The IAO/NSO will ensure, when protecting the boundaries of a network, the firewall and IDS are separate components or the physical integrated device has separate hardware components (i.e., CPU, memory, etc.) for the firewall and IDS.
NET0365  V0014642  I    The IAO will ensure the enclave is protected by providing a firewall that provides full packet awareness as provided by application-level gateways, hybrid firewalls, or a non-application-level firewall solution using an application-proxy gateway.
NET0366  V0014643  II   The SA will configure the firewall for the minimum content and protocol inspection requirements.
NET0369  V0011796  I    The IAO will ensure the enclave perimeter is protected via a deny-by-default policy implemented at the perimeter router or at the firewall. This does not negate the firewall requirement.
NET0375  V0003156  II   The IAO/NSO will ensure that the firewall is configured to protect the network against denial of service attacks such as Ping of Death, TCP SYN floods, etc.
NET0377  V0003054  II   The FA will ensure the firewall does not run any services or capabilities other than the firewall software (e.g., DNS servers, e-mail client servers, FTP servers, web servers, etc.), and if these services are part of the standard firewall suite, they will be either uninstalled or disabled.
NET0379  V0004619  II   The FA will ensure that if the firewall product operates on an OS platform, the host is STIG compliant prior to the installation of the firewall product.
NET0380  V0014644  II   The IAO will ensure the firewall rejects requests for access or services where the source address received by the firewall specifies a loopback address.
NET0384  V0008067  III  The FA will subscribe to the vendor's vulnerability mailing list to be made aware of required upgrades and patches.
NET0386  V0014646  III  The firewall or IDS will immediately alert the administrators by displaying a message at the remote administrative console, generating an alarm or alert, and paging or sending an electronic message if the audit trail reaches 75 percent or more of storage capacity.
NET0388  V0014647  III  The FA will have a procedure in place to dump logs to a syslog server when they reach 75% capacity.
NET0390  V0003176  II   The IAO/NSO will ensure the IDS or firewall is configured to alert the administrator of a potential attack or system failure.
NET0391  V0014648  II   The IAO/NSO will ensure the firewall provides critical alert message levels to the FA regardless of whether an administrator is logged in.
NET0392  V0014649  II   The IAO/NSO will ensure the message is displayed at the remote console if an administrator is already logged in, or when an administrator logs in if the alarm message has not been acknowledged.
NET0395  V0014653  III  The IAO/NSO will ensure the alarm message identifying the potential security violation makes accessible the audit record contents associated with the event(s).
NET0396  V0014655  III  The IAO/NSO will ensure an alert remains written on the consoles until acknowledged by an administrator.
NET0398  V0014656  III  The IAO/NSO will ensure an acknowledgement message identifying a reference to the potential security violation is logged and that it contains a notice that it has been acknowledged, the time of the acknowledgement, and the user identifier that acknowledged the alarm, at the remote administrator session that received the alarm.
NET0400  V0003034  II   The router administrator will ensure neighbor authentication with IPSec AH or MD5 signatures is implemented for interior routing protocols with all peer routers within the same or between Autonomous Systems (AS).
NET0408  V0014665  II   The router administrator will ensure neighbor authentication with MD5 or IPSec is implemented for all BGP routing protocols with all peer routers within the same or between Autonomous Systems (AS).
NET0410  V0003035  II   The router administrator will restrict BGP connections to known IP addresses of neighbor routers from trusted Autonomous Systems.
NET0412  V0014666  II   If multiple eBGP peers are defined in the network, the IAO will ensure all eBGP neighbor authentications are configured with unique passwords when the TCP MD5 Signature option is implemented.
NET0420  V0008058  II   The IAO/NSO will ensure a key management policy has been implemented that covers key generation, distribution, storage, usage, lifetime duration, and destruction of all keys used for encryption.
NET0422  V0014667  III  The IAO/NSO will ensure a rotating key does not have a duration exceeding 180 days.
NET0425  V0007009  I    The IAO/NSO will ensure the MD5 key lifetime is set to never expire. The lifetime of the MD5 key will be configured as infinite for route authentication, if supported by the current approved router software version. Note: only Enhanced Interior Gateway Routing Protocol (EIGRP) and Routing Information Protocol (RIP) Version 2 use key chains.
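The routing-authentication rows NET0408, NET0412 and NET0425 can all be verified from the router configuration. The following is an added example, not part of the checklist: it scans a constructed IOS-style configuration for BGP neighbors without a password, eBGP neighbors that reuse one password, and key-chain keys whose accept or send lifetime does not end in `infinite`. The local AS number 65010, the neighbor addresses and the type-7 strings are assumptions. Note the interplay with NET0422: the key-chain lifetime is set infinite so that authentication never lapses on its own, and the 180-day rotation is carried out as a procedure by adding the new key and then removing the old one.

```python
"""Audit BGP neighbor authentication and key-chain lifetimes (added example, not DISA code)."""
import re
from collections import Counter

LOCAL_AS = 65010  # assumption: the site's own AS number

# Constructed sample configuration; addresses and AS numbers are documentation values
SAMPLE_CONFIG = """
key chain EIGRP-AUTH
 key 1
  key-string 7 0822455D0A16
  accept-lifetime 00:00:00 Jan 1 2024 infinite
  send-lifetime 00:00:00 Jan 1 2024 infinite
 key 2
  key-string 7 0822455D0A17
  accept-lifetime 00:00:00 Jan 1 2024 23:59:59 Jun 30 2024
  send-lifetime 00:00:00 Jan 1 2024 23:59:59 Jun 30 2024
router bgp 65010
 neighbor 192.0.2.1 remote-as 65010
 neighbor 192.0.2.1 password 7 104D000A0618
 neighbor 198.51.100.1 remote-as 64500
 neighbor 198.51.100.1 password 7 14141B180F0B
 neighbor 198.51.100.9 remote-as 64501
 neighbor 198.51.100.9 password 7 14141B180F0B
 neighbor 198.51.100.17 remote-as 64502
"""

NEIGHBOR_AS = re.compile(r"^\s*neighbor (\S+) remote-as (\d+)", re.M)
NEIGHBOR_PW = re.compile(r"^\s*neighbor (\S+) password(?: \d)? (\S+)", re.M)
CHAIN = re.compile(r"^key chain (\S+)\n((?: .*\n)*)", re.M)       # one key chain and its body
KEY_BLOCK = re.compile(r"^ key (\d+)\n((?:  .*\n)*)", re.M)       # one key inside a chain


def audit_bgp_auth(config, local_as):
    """NET0408: every BGP neighbor needs a password (TCP MD5 signature).
    NET0412: eBGP neighbors (remote-as != local_as) must not share one."""
    findings = []
    passwords = dict(NEIGHBOR_PW.findall(config))
    ebgp_pw = Counter()
    for peer, remote_as in NEIGHBOR_AS.findall(config):
        pw = passwords.get(peer)
        if pw is None:
            findings.append(f"neighbor {peer}: no MD5 password configured")
        elif int(remote_as) != local_as:
            ebgp_pw[pw] += 1
    for count in ebgp_pw.values():
        if count > 1:
            # the password itself is deliberately not echoed into the finding
            findings.append(f"{count} eBGP neighbors share the same password")
    return findings


def audit_key_lifetimes(config):
    """NET0425: each accept-lifetime and send-lifetime must end in 'infinite'
    so route authentication does not silently expire."""
    findings = []
    for chain, body in CHAIN.findall(config):
        for key_id, key_body in KEY_BLOCK.findall(body):
            for kind in ("accept-lifetime", "send-lifetime"):
                m = re.search(rf"^\s*{kind} (.+)$", key_body, re.M)
                if m is None or not m.group(1).strip().endswith("infinite"):
                    findings.append(f"key chain {chain} key {key_id}: {kind} is not infinite")
    return findings


if __name__ == "__main__":
    for f in audit_bgp_auth(SAMPLE_CONFIG, LOCAL_AS) + audit_key_lifetimes(SAMPLE_CONFIG):
        print("FINDING:", f)
```

On the sample the neighbor 198.51.100.17 has no password, the two eBGP peers in AS 64500 and 64501 share one, and key 2 of the EIGRP chain has finite lifetimes; the iBGP peer in the local AS is allowed to share a password with nobody else here, so it is not counted under NET0412.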
NET0430  V0014720  II   The IAO/NSO will ensure two authentication servers are deployed to provide authentication for administrative access to all network devices.
NET0431  V0014721  III  The IAO/NSO will ensure all AAA authentication services are configured to use two-factor authentication during normal operation.
NET0432  V0014722  III  The IAO/NSO will ensure the device is configured to use AAA tiered authorization groups for management authentication.
NET0433  V0015432  II   The IAO/NSO will ensure an authentication method list is applied to all interfaces via an explicit definition or by use of the default keyword.
NET0434  V0015433  II   The IAO/NSO will ensure the AAA authentication method implements user authentication.
NET0435  V0017906  II   The AAA servers are not connected to the management network.
NET0436  V0017843  II   The AAA server is not compliant with the respective OS STIG.
NET0437  V0017844  III  The AAA server is not configured with a unique key to be used for communication (i.e., RADIUS, TACACS+) with any client requesting authentication services.
NET0438  V0017845  II   An HIDS has not been implemented on the AAA server.
NET0440  V0003966  II   The IAO/NSO will ensure that when an authentication server is used for administrative access to the device, only one account or console account is defined locally for use in an emergency (i.e., the authentication server or the connection to the device is down).
NET0441  V0015434  I    The IAO/NSO will ensure the emergency account defaults to the lowest authorization level and the password is kept in a locked safe.
NET0445  V0014723  II   To ensure only the properly authorized network administrator can access the device, the IAO/NSO will ensure device management is restricted by two-factor authentication (e.g., SecurID, DoD PKI, or alternate token logon).
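Several of the AAA rows (NET0430, NET0433, NET0440 and NET0441) are checkable from the device configuration alone. The following is an added example, not part of the checklist: it counts the AAA servers, confirms every `line` stanza gets a login method list either explicitly or through a `default` list, and checks that exactly one local account exists and sits at the lowest privilege level. The configuration, server names and addresses are constructed; the two-factor rows (NET0431, NET0445) and the server-side rows (NET0435 to NET0438) need evidence from the AAA server and are not covered here.

```python
"""Audit AAA configuration for administrative access (added example, not DISA code)."""
import re

# Constructed sample configuration; addresses are documentation values
SAMPLE_CONFIG = """
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login CONSOLE group tacacs+ local
username emergency privilege 1 secret 5 $1$abcd$xxxxxxxxxxxxxxxxxxxxxx
username backupadmin privilege 15 secret 5 $1$efgh$yyyyyyyyyyyyyyyyyyyyyy
tacacs server TAC1
 address ipv4 192.0.2.10
 key 7 0822455D0A16
tacacs server TAC2
 address ipv4 192.0.2.11
 key 7 0822455D0A17
line con 0
 login authentication CONSOLE
line aux 0
line vty 0 4
 login authentication default
line vty 5 15
"""

# A "line <type> <range>" stanza and its indented body (body may be empty)
LINE_STANZA = re.compile(r"^line (\S+ [\d ]+)\n((?: .*\n)*)", re.M)
# Local accounts; the privilege level is optional and defaults to 1 on IOS
USERNAME = re.compile(r"^username (\S+)(?: privilege (\d+))?", re.M)
# Old and new style TACACS+ / RADIUS server definitions
AAA_SERVER = re.compile(r"^(?:tacacs server \S+|tacacs-server host \S+|radius server \S+)", re.M)


def audit_aaa(config):
    """Return a list of findings; an empty list means the checked rows pass."""
    findings = []

    # NET0430: two authentication servers must be defined
    n_servers = len(AAA_SERVER.findall(config))
    if n_servers < 2:
        findings.append(f"NET0430: only {n_servers} AAA server(s) defined, two required")

    # NET0433: a method list reaches every line, explicitly or via the default list
    has_default = re.search(r"^aaa authentication login default ", config, re.M) is not None
    for name, body in LINE_STANZA.findall(config):
        if not has_default and "login authentication" not in body:
            findings.append(f"NET0433: line {name}: no authentication method list applied")

    # NET0440 / NET0441: one local emergency account, at the lowest privilege level
    accounts = USERNAME.findall(config)
    if len(accounts) != 1:
        findings.append(f"NET0440: {len(accounts)} local accounts defined, only one emergency account allowed")
    for user, priv in accounts:
        if priv and int(priv) > 1:
            findings.append(f"NET0441: local account {user} has privilege {priv}, lowest level required")
    return findings


if __name__ == "__main__":
    for f in audit_aaa(SAMPLE_CONFIG):
        print("FINDING:", f)
```

On the sample, the two TACACS+ servers and the default method list pass, while the second local account `backupadmin` at privilege 15 fails both NET0440 and NET0441. Renaming the default list to something the `aux 0` and `vty 5 15` lines do not reference makes those two lines fail NET0433.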
NET0460  V0003056  I    The IAO/NSO will ensure each user accessing the device locally has their own account with username and password.
NET0465  V0003057  II   The IAO/NSO will ensure all user accounts are assigned the lowest privilege level that allows them to perform their duties.
NET0470  V0003058  II   The IAO/NSO will immediately have accounts that are no longer required removed from the authentication server or device.
NET0580  V0004583  III  The router administrator will ensure a password is required to gain access to the router's diagnostics port.
NET0600  V0003062  I    The administrator will ensure passwords are not viewable when displaying the configuration.
NET0700  V0003160  II   The administrator will implement a current supported operating system with all IAVMs addressed.
NET0710  V0003077  III  The router administrator will ensure CDP is disabled on all active external interfaces on Cisco premise routers.
NET0720  V0003078  III  The router administrator will ensure TCP and UDP small servers are disabled.
NET0722  V0005614  III  The router administrator will ensure PAD services are disabled unless approved by the DAA.
NET0724  V0005615  III  The router administrator will ensure TCP keep-alives for Telnet sessions are enabled.
NET0726  V0005616  III  The router administrator will ensure identification support is not enabled.
NET0728  V0005617  III  The router administrator will ensure DHCP services are disabled on premise routers.
NET0730  V0003079  III  The router administrator will ensure Finger is disabled.
NET0740  V0003085  II   The router administrator will ensure HTTP servers are disabled.
NET0742  V0014668  II   The router administrator will ensure the FTP server is disabled.
NET0744  V0014669  II   The router administrator will ensure BSD r-command services are disabled.
NET0750  V0003086  III  The router administrator will ensure the BOOTP server is disabled.
NET0760  V0003080  II   The administrator will ensure configuration auto-loading is disabled.
NET0770  V0003081  II   The router administrator will ensure IP source routing is disabled.
NET0780  V0003082  II   The router administrator will ensure IP Proxy ARP is disabled on all external interfaces.
NET0781  V0005618  II   The router administrator will ensure Gratuitous ARP is disabled.
NET0790  V0003083  III  The router administrator will ensure IP directed broadcast is disabled on all router interfaces.
NET0800  V0003084  II   The router administrator will ensure ICMP unreachable notifications, mask replies, and redirects are disabled on all external interfaces of the premise router.
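The service-hardening rows NET0710 through NET0800 map onto a fixed set of IOS global and interface commands, which makes them a natural target for an automated running-config audit. The following is an added example, not part of the checklist or any DISA tool: it splits a constructed IOS-style configuration into global lines and per-interface stanzas, then looks for the explicit hardening command each row calls for, applying the CDP, proxy-ARP and ICMP checks only to the interfaces the operator has marked as external. The interface names and the configuration are assumptions. The check is deliberately conservative: on platforms where the secure setting is already the default and therefore does not appear in the running-config (for example `no ip directed-broadcast` on current IOS), the absent line is still reported and must be verified by hand rather than silently passed.

```python
"""Audit router service hardening, NET0710 to NET0800 (added example, not DISA code)."""
import re

# Assumption: the interfaces that face the Approved Gateway / ISP
EXTERNAL_INTERFACES = {"GigabitEthernet0/0"}

# Constructed sample running-config
SAMPLE_CONFIG = """
no service pad
no service tcp-small-servers
no service udp-small-servers
service tcp-keepalives-in
service tcp-keepalives-out
no service config
no boot network
no ip source-route
no ip finger
no ip identd
no ip bootp server
no service dhcp
no ip http server
no ip http secure-server
no ip rcmd rcp-enable
no ip rcmd rsh-enable
ip gratuitous-arps
interface GigabitEthernet0/0
 description to-AG
 ip address 203.0.113.1 255.255.255.252
 no ip proxy-arp
 no ip redirects
 no ip unreachables
 no ip mask-reply
 no ip directed-broadcast
 no cdp enable
interface GigabitEthernet0/1
 description inside
 ip address 10.1.1.1 255.255.255.0
 no ip directed-broadcast
"""

# (PDI, global command that must be present)
GLOBAL_REQUIRED = [
    ("NET0720", "no service tcp-small-servers"), ("NET0720", "no service udp-small-servers"),
    ("NET0722", "no service pad"),
    ("NET0724", "service tcp-keepalives-in"), ("NET0724", "service tcp-keepalives-out"),
    ("NET0726", "no ip identd"), ("NET0728", "no service dhcp"), ("NET0730", "no ip finger"),
    ("NET0740", "no ip http server"), ("NET0740", "no ip http secure-server"),
    ("NET0742", "no ftp-server enable"),
    ("NET0744", "no ip rcmd rcp-enable"), ("NET0744", "no ip rcmd rsh-enable"),
    ("NET0750", "no ip bootp server"),
    ("NET0760", "no service config"), ("NET0760", "no boot network"),
    ("NET0770", "no ip source-route"), ("NET0781", "no ip gratuitous-arps"),
]
IFACE_REQUIRED_ALL = [("NET0790", "no ip directed-broadcast")]
IFACE_REQUIRED_EXTERNAL = [
    ("NET0710", "no cdp enable"), ("NET0780", "no ip proxy-arp"),
    ("NET0800", "no ip unreachables"), ("NET0800", "no ip redirects"), ("NET0800", "no ip mask-reply"),
]


def parse_config(config):
    """Split an IOS config into (set of global lines, {interface: set of lines})."""
    global_lines, interfaces, current = set(), {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line.startswith(" "):            # top-level command ends any stanza
            current = None
            m = re.match(r"interface (\S+)", line)
            if m:
                current = m.group(1)
                interfaces[current] = set()
            else:
                global_lines.add(line.strip())
        elif current is not None:               # indented line inside an interface stanza
            interfaces[current].add(line.strip())
    return global_lines, interfaces


def audit_services(config, external_interfaces):
    """Return a list of findings; an empty list means every checked row passes."""
    global_lines, interfaces = parse_config(config)
    findings = [f"{pdi}: missing '{cmd}'" for pdi, cmd in GLOBAL_REQUIRED if cmd not in global_lines]
    cdp_off_globally = "no cdp run" in global_lines      # global kill also satisfies NET0710
    for name, lines in interfaces.items():
        checks = IFACE_REQUIRED_ALL + (IFACE_REQUIRED_EXTERNAL if name in external_interfaces else [])
        for pdi, cmd in checks:
            if cmd == "no cdp enable" and cdp_off_globally:
                continue
            if cmd not in lines:
                findings.append(f"{pdi}: {name} missing '{cmd}'")
    return findings


if __name__ == "__main__":
    for f in audit_services(SAMPLE_CONFIG, EXTERNAL_INTERFACES):
        print("FINDING:", f)
```

On the sample, the FTP server line is absent and gratuitous ARP is explicitly enabled, so NET0742 and NET0781 are reported; the external interface carries every required interface command. Marking the inside interface as external too would additionally flag it for CDP, proxy ARP and the three ICMP settings.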
NET0809  V0017853  III  The NTP server is not configured to restrict received messages to only authorized clients and peers determined by their IP address.
NET0810  V0017860  III  Two NTP servers have not been deployed in the management network.
NET0812   V0023747   III   The IAO/NSO will ensure all