DIACAP_Scorecard_SAAR_Template
PDI      VMSID     CAT  Requirement / Vulnerability   Status   Finding Notes
                        Section
(Status and Finding Notes are left blank in this template.)

DTAG008  V0019910  I    The antivirus signature file age exceeds 7 days.
                        Section: McAfee Local Client, McAfee Managed Client, Symantec Managed Client, Symantec Local Client
DTAM001  V0006453  I    The McAfee VirusScan Control Panel parameters are not configured as required.
                        Section: McAfee Local Client, McAfee Managed Client
DTAM002  V0006467  II   The McAfee VirusScan on access scan parameter for Boot sectors is incorrect.
                        Section: McAfee Local Client, McAfee Managed Client
DTAM003  V0006468  II   The McAfee VirusScan on access scan parameter for floppy disks is incorrect.
                        Section: McAfee Local Client, McAfee Managed Client
DTAM004  V0006469  II   The McAfee VirusScan message dialog parameters are not configured as required.
                        Section: McAfee Local Client, McAfee Managed Client
DTAM005  V0006470  II   The McAfee VirusScan remove messages parameters are not configured as required.
                        Section: McAfee Local Client, McAfee Managed Client
DTAM006  V0006471  II   The McAfee VirusScan Clean Infected file parameter is not configured as required.
                        Section: McAfee Local Client, McAfee Managed Client
DTAM007  V0006472  II   The McAfee VirusScan delete infected file parameter is not configured as required.
                        Section: McAfee Local Client, McAfee Managed Client
DTAM008  V0006473  II   The McAfee VirusScan quarantine parameter is not configured as required.
                        Section: McAfee Local Client
DTAM009  V0006474  II   The McAfee VirusScan Control Panel log parameter is not configured as required.
                        Section: McAfee Local Client, McAfee Managed Client
DTAM010  V0006475  II   The McAfee VirusScan limit log size parameter is not configured as required.
                        Section: McAfee Local Client, McAfee Managed Client
DTAM011  V0006476  II   The McAfee VirusScan log session parameter is not configured as required.
                        Section: McAfee Local Client, McAfee Managed Client
DTAM012  V0006478  II   The McAfee VirusScan log summary parameter is not configured as required.
                        Section: McAfee Local Client, McAfee Managed Client
DTAM013  V0006583  II   The McAfee VirusScan log encrypted files parameter is not configured as required.
                        Section: McAfee Local Client, McAfee Managed Client
DTAM014  V0006584  II   The McAfee VirusScan log user name parameter is not configured as required.
                        Section: McAfee Local Client
DTAM016  V0006585  II   The McAfee VirusScan autoupdate parameters are not configured as required.
                        Section: McAfee Local Client, McAfee Managed Client
DTAM021  V0006586  II   The McAfee VirusScan Exchange scanner is not enabled.
                        Section: McAfee Local Client, McAfee Managed Client
DTAM022  V0006587  II   The McAfee VirusScan find unknown programs email parameter is not configured as required.
                        Section: McAfee Local Client, McAfee Managed Client
DTAM023  V0006588  II   The McAfee VirusScan find unknown macro virus email parameter is not configured as required.
                        Section: McAfee Local Client, McAfee Managed Client
DTAM026  V0006589  II   The McAfee VirusScan scan inside archives email parameter is not configured as required.
                        Section: McAfee Local Client, McAfee Managed Client
DTAM027  V0006590  II   The McAfee VirusScan decode MIME email parameter is not configured as required.
                        Section: McAfee Local Client, McAfee Managed Client
DTAM028  V0006591  II   The McAfee VirusScan scan e-mail message body email parameter is not configured as required.
                        Section: McAfee Local Client, McAfee Managed Client
DTAM029  V0006592  II   The McAfee VirusScan allowed actions email parameter is not configured as required.
                        Section: McAfee Local Client, McAfee Managed Client
DTAM030  V0006593  II   The McAfee VirusScan action prompt email parameter is not configured as required.
                        Section: McAfee Local Client, McAfee Managed Client
DTAM033  V0006594  II   The McAfee VirusScan return reply email parameter is not configured as required.
                        Section: McAfee Local Client, McAfee Managed Client
DTAM034  V0006595  II   The McAfee VirusScan prompt message email parameter is not configured as required.
                        Section: McAfee Local Client, McAfee Managed Client
DTAM035  V0006596  II   The McAfee VirusScan log to file email parameter is not configured as required.
                        Section: McAfee Local Client, McAfee Managed Client
DTAM036  V0006597  II   The McAfee VirusScan limit log size email parameter is not configured as required.
                        Section: McAfee Local Client, McAfee Managed Client
DTAM037  V0006598  II   The McAfee VirusScan log content email parameter is not configured as required.
                        Section: McAfee Local Client, McAfee Managed Client
DTAM038  V0014651  II   The McAfee VirusScan detects unwanted programs email parameter is not configured as required.
                        Section: McAfee Local Client, McAfee Managed Client
DTAM039  V0014652  II   The McAfee VirusScan unwanted programs action email parameter is not configured as required.
                        Section: McAfee Local Client, McAfee Managed Client
DTAM045  V0006599  II   The McAfee VirusScan fixed disk and running processes are not configured as required.
                        Section: McAfee Local Client, McAfee Managed Client
DTAM046  V0006600  II   The McAfee VirusScan include subfolders parameter is not configured as required.
                        Section: McAfee Local Client, McAfee Managed Client
DTAM047  V0006601  II   The McAfee VirusScan include boot sectors parameter is not configured as required.
                        Section: McAfee Local Client, McAfee Managed Client
DTAM048  V0006602  II   The McAfee VirusScan scan all files parameter is not configured as required.
                        Section: McAfee Local Client, McAfee Managed Client
DTAM050  V0006604  II   The McAfee VirusScan exclusions parameter is not configured as required.
                        Section: McAfee Local Client, McAfee Managed Client
DTAM052  V0006611  II   The McAfee VirusScan scan archives parameter is not configured as required.
                        Section: McAfee Local Client, McAfee Managed Client
DTAM053  V0006612  II   The McAfee VirusScan decode MIME encoded files parameter is not configured as required.
                        Section: McAfee Local Client, McAfee Managed Client
DTAM054  V0006614  II   The McAfee VirusScan find unknown programs parameter is not configured as required.
                        Section: McAfee Local Client, McAfee Managed Client
DTAM055  V0006615  II   The McAfee VirusScan find unknown macro viruses parameter is not configured as required.
                        Section: McAfee Local Client, McAfee Managed Client
DTAM056  V0006616  II   The McAfee VirusScan action for Virus parameter is not configured as required.
                        Section: McAfee Local Client, McAfee Managed Client
DTAM057  V0006617  II   The McAfee VirusScan secondary action for virus parameter is not configured as required.
                        Section: McAfee Local Client, McAfee Managed Client
DTAM058  V0014654  II   The McAfee VirusScan check for unwanted programs parameter is not configured as required.
                        Section: McAfee Local Client, McAfee Managed Client
DTAM059  V0006618  II   The McAfee VirusScan log to file parameter is not configured as required.
                        Section: McAfee Local Client, McAfee Managed Client
DTAM060  V0006620  II   The McAfee VirusScan log file limit parameter is not configured as required.
                        Section: McAfee Local Client, McAfee Managed Client
DTAM061  V0006621  II   The McAfee VirusScan log session settings parameter is not configured as required.
                        Section: McAfee Local Client, McAfee Managed Client
DTAM062  V0006624  II   The McAfee VirusScan log session summary parameter is not configured as required.
                        Section: McAfee Local Client, McAfee Managed Client
DTAM063  V0006625  II   The McAfee VirusScan failure on encrypted files parameter is not configured as required.
                        Section: McAfee Local Client, McAfee Managed Client
DTAM064  V0006626  II   The McAfee VirusScan log user name is not configured as required.
                        Section: McAfee Local Client
DTAM070  V0006627  II   The McAfee VirusScan schedule is not configured as required.
                        Section: McAfee Local Client, McAfee Managed Client
DTAM090  V0014618  II   The McAfee VirusScan on access scan parameter for script scan is incorrect.
                        Section: McAfee Local Client, McAfee Managed Client
DTAM091  V0014619  II   The McAfee VirusScan on access scan parameter for connection blocking is incorrect.
                        Section: McAfee Local Client, McAfee Managed Client
DTAM092  V0014620  II   The McAfee VirusScan on access scan parameter for connection blocking time is incorrect.
                        Section: McAfee Local Client, McAfee Managed Client
DTAM093  V0014621  II   The McAfee VirusScan on access scan parameter for blocking unwanted programs is incorrect.
                        Section: McAfee Local Client, McAfee Managed Client
DTAM100  V0014622  II   The McAfee VirusScan scan default values for processes are not configured as required.
                        Section: McAfee Local Client, McAfee Managed Client
DTAM101  V0014623  II   The McAfee VirusScan scan when writing to disk is not configured as required.
                        Section: McAfee Local Client, McAfee Managed Client
DTAM102  V0014624  II   The McAfee VirusScan scan when reading parameter is not configured as required.
                        Section: McAfee Local Client, McAfee Managed Client
DTAM103  V0014625  II   The McAfee VirusScan scan all files parameter is not configured as required.
                        Section: McAfee Local Client, McAfee Managed Client
DTAM104  V0014626  II   The McAfee VirusScan heuristics program viruses parameter is not configured as required.
                        Section: McAfee Local Client, McAfee Managed Client
DTAM105  V0014627  II   The McAfee VirusScan heuristics macro viruses parameter is not configured as required.
                        Section: McAfee Local Client, McAfee Managed Client
DTAM106  V0014628  II   The McAfee VirusScan scan inside archives parameter is not configured as required.
                        Section: McAfee Local Client, McAfee Managed Client
DTAM107  V0014629  II   The McAfee VirusScan scan MIME files parameter is not configured as required.
                        Section: McAfee Local Client, McAfee Managed Client
DTAM110  V0014630  II   The McAfee VirusScan process primary action parameter is not configured as required.
                        Section: McAfee Local Client, McAfee Managed Client
DTAM111  V0014631  II   The McAfee VirusScan process secondary action parameter is not configured as required.
                        Section: McAfee Local Client, McAfee Managed Client
DTAM112  V0014633  II   The McAfee VirusScan log user name parameter is not configured as required.
                        Section: McAfee Local Client
DTAM130  V0014657  II   The McAfee VirusScan buffer overflow protection is not configured as required.
                        Section: McAfee Local Client, McAfee Managed Client
DTAM131  V0014658  II   The McAfee VirusScan buffer overflow protection mode is not configured as required.
                        Section: McAfee Local Client, McAfee Managed Client
DTAM132  V0014659  II   The McAfee VirusScan buffer overflow message parameter is not configured as required.
                        Section: McAfee Local Client, McAfee Managed Client
DTAM133  V0014660  II   The McAfee VirusScan buffer overflow log parameter is not configured as required.
                        Section: McAfee Local Client, McAfee Managed Client
DTAM134  V0014661  II   The McAfee VirusScan log size limitation parameters are not configured as required.
                        Section: McAfee Local Client, McAfee Managed Client
DTAM135  V0014662  II   The McAfee VirusScan detection of Spyware is not configured as required.
                        Section: McAfee Local Client, McAfee Managed Client
DTAM136  V0014663  II   The McAfee VirusScan detection of Adware is not configured as required.
                        Section: McAfee Local Client, McAfee Managed Client
DTAS002  V0006359  II   The Symantec Antivirus is not configured to restart for configuration changes.
                        Section: Symantec Managed Client, Symantec Local Client
DTAS003  V0006360  I    The Symantec Antivirus autoprotect parameter is incorrect.
                        Section: Symantec Managed Client, Symantec Local Client
DTAS004  V0006361  II   The Symantec Antivirus auto protect-All Files configuration is incorrect.
                        Section: Symantec Managed Client, Symantec Local Client
DTAS006  V0006362  II   The Symantec Antivirus display message parameter is incorrect.
                        Section: Symantec Managed Client, Symantec Local Client
DTAS007  V0006363  II   The Symantec Antivirus exclude files configuration is incorrect.
                        Section: Symantec Managed Client, Symantec Local Client
DTAS012  V0006368  II   The Symantec Antivirus autoprotect read parameter is incorrect.
                        Section: Symantec Managed Client, Symantec Local Client
DTAS013  V0006369  II   The Symantec Antivirus AutoProtect parameter for backup options is incorrect.
                        Section: Symantec Managed Client, Symantec Local Client
DTAS014  V0006370  II   The Symantec Antivirus AutoProtect parameter for autoenabler is incorrect.
                        Section: Symantec Managed Client, Symantec Local Client
DTAS015  V0006371  II   The Symantec Antivirus AutoProtect parameter for floppies is incorrect.
                        Section: Symantec Managed Client, Symantec Local Client
DTAS016  V0006372  II   The Symantec Antivirus AutoProtect parameter for Boot virus is incorrect.
                        Section: Symantec Managed Client, Symantec Local Client
DTAS017  V0006374  II   The Symantec Antivirus AutoProtect parameter for check floppy at shutdown is incorrect.
                        Section: Symantec Managed Client, Symantec Local Client
DTAS020  V0006375  II   The Symantec Antivirus email parameter for Boot sectors is incorrect.
                        Section: Symantec Managed Client, Symantec Local Client
DTAS021  V0006376  II   The Symantec Antivirus email client parameter for all files is incorrect.
                        Section: Symantec Managed Client, Symantec Local Client
DTAS029  V0006383  II   The Symantec Antivirus email client parameter for compressed files is incorrect.
                        Section: Symantec Managed Client, Symantec Local Client
DTAS030  V0006384  II   The Symantec AntiVirus CE History Options parameters are not configured as required.
                        Section: Symantec Managed Client, Symantec Local Client
DTAS031  V0006385  II   The Symantec Antivirus is not scheduled to autoupdate.
                        Section: Symantec Managed Client, Symantec Local Client
DTAS032  V0006386  II   There is no Symantec Antivirus Scheduled Scans or Startup Scans task configured to scan local drive(s) at least weekly.
                        Section: Symantec Managed Client, Symantec Local Client
DTAS037  V0006387  II   The Symantec Antivirus weekly scan parameter for all files is incorrect.
                        Section: Symantec Managed Client, Symantec Local Client
DTAS040  V0006388  II   The Symantec Antivirus weekly scan parameter for memory enabled is incorrect.
                        Section: Symantec Managed Client, Symantec Local Client
DTAS041  V0006389  II   The Symantec Antivirus weekly scan parameter for messages is incorrect.
                        Section: Symantec Managed Client, Symantec Local Client
DTAS042  V0006390  II   The Symantec Antivirus weekly scan parameter for exclude files is incorrect.
                        Section: Symantec Managed Client, Symantec Local Client
DTAS047  V0006395  II   The Symantec Antivirus weekly scan parameter for compressed files is incorrect.
                        Section: Symantec Managed Client, Symantec Local Client
DTAS048  V0006396  II   The Symantec Antivirus weekly scan parameter for backup files is incorrect.
                        Section: Symantec Managed Client, Symantec Local Client
DTAS050  V0006397  II   The Symantec Antivirus weekly scan parameter for scan lock is incorrect.
                        Section: Symantec Managed Client, Symantec Local Client
DTAS060  V0014477  II   The Symantec Antivirus autoprotect parameter for Block Security Risks is incorrect.
                        Section: Symantec Managed Client, Symantec Local Client
DTAS061  V0014481  II   The Symantec Antivirus autoprotect parameter for scan for security risks is incorrect.
                        Section: Symantec Managed Client, Symantec Local Client
DTAS062  V0014482  II   The Symantec Antivirus autoprotect parameter for Delete Infected Files on Creation is incorrect.
                        Section: Symantec Managed Client, Symantec Local Client
DTAS063  V0014591  II   The Symantec AntiVirus Auto-Protect parameter for Threat Tracer is incorrect.
                        Section: Symantec Managed Client, Symantec Local Client
DTAS064  V0014592  II   The Symantec Antivirus autoprotect parameter for Bloodhound technology is incorrect.
                        Section: Symantec Managed Client, Symantec Local Client
DTAS065  V0014593  II   The Symantec Antivirus autoprotect parameter for Heuristics Level is incorrect.
                        Section: Symantec Managed Client, Symantec Local Client
DTAS066  V0014594  II   The Symantec Antivirus autoprotect parameter for macro virus first action is incorrect.
                        Section: Symantec Managed Client, Symantec Local Client
DTAS067  V0014595  II   The Symantec Antivirus autoprotect parameter for macro virus second action is incorrect.
                        Section: Symantec Managed Client, Symantec Local Client
DTAS068  V0014596  II   The Symantec Antivirus autoprotect parameter for non-macro first action virus is incorrect.
                        Section: Symantec Managed Client, Symantec Local Client
DTAS069  V0014597  II   The Symantec Antivirus autoprotect parameter for check non-macro second action is incorrect.
                        Section: Symantec Managed Client, Symantec Local Client
DTAS070  V0014598  II   The Symantec Antivirus autoprotect parameter for Security Risks first action is incorrect.
                        Section: Symantec Managed Client, Symantec Local Client
DTAS071  V0014600  II   The Symantec Antivirus autoprotect parameter for Security Risks Second Action is incorrect.
                        Section: Symantec Managed Client, Symantec Local Client
DTAS080  V0014601  II   The Symantec Antivirus email client for notification into the email is incorrect.
                        Section: Symantec Managed Client, Symantec Local Client
DTAS081  V0014602  II   The Symantec Antivirus autoprotect email parameter for macro virus first action is incorrect.
                        Section: Symantec Managed Client, Symantec Local Client
DTAS082  V0014603  II   The Symantec Antivirus autoprotect email parameter for macro virus second action is incorrect.
                        Section: Symantec Managed Client, Symantec Local Client
DTAS083  V0014604  II   The Symantec Antivirus autoprotect email parameter for non-macro first action virus is incorrect.
                        Section: Symantec Managed Client, Symantec Local Client
DTAS084  V0014605  II   The Symantec Antivirus autoprotect email parameter for check non-macro second action is incorrect.
                        Section: Symantec Managed Client, Symantec Local Client
DTAS085  V0014606  II   The Symantec Antivirus autoprotect email parameter for Security Risks first action is incorrect.
                        Section: Symantec Managed Client, Symantec Local Client
DTAS086  V0014607  II   The Symantec Antivirus Auto-Protect parameter for Email Security Risks Second Action is incorrect.
                        Section: Symantec Managed Client, Symantec Local Client
DTAS091  V0014609  II   The Symantec Antivirus weekly scan parameter for scanning load points is incorrect.
                        Section: Symantec Managed Client, Symantec Local Client
DTAS092  V0014610  II   The Symantec Antivirus weekly scan parameter for well knowns before others is incorrect.
                        Section: Symantec Managed Client, Symantec Local Client
DTAS093  V0014611  II   The Symantec Antivirus weekly scan parameter for macro virus first action is incorrect.
                        Section: Symantec Managed Client, Symantec Local Client
DTAS094  V0014612  II   The Symantec Antivirus weekly scan parameter for macro virus second action is incorrect.
                        Section: Symantec Managed Client, Symantec Local Client
DTAS095  V0014613  II   The Symantec Antivirus weekly scan parameter for non-macro first action virus is incorrect.
                        Section: Symantec Managed Client, Symantec Local Client
DTAS096  V0014615  II   The Symantec Antivirus Auto-Protect parameter for check non-macro second action is incorrect.
                        Section: Symantec Managed Client, Symantec Local Client
DTAS097  V0014616  II   The Symantec Antivirus weekly scan parameter for Security Risks first action is incorrect.
                        Section: Symantec Managed Client, Symantec Local Client
DTAS098  V0014617  II   The Symantec Antivirus weekly scan parameter for Security Risks second action is incorrect.
                        Section: Symantec Managed Client, Symantec Local Client
DTSG001  V0014678  I    AntiSpyware software is not installed or not configured for on access and on demand detection.
                        Section: Spyware
DTSG002  V0014679  I    The Antispyware software is not at a vendor supported level.
                        Section: Spyware
DTSG003  V0014680  II   A migration plan does not exist for Antispyware software that is scheduled to go out of support by the vendor.
                        Section: Spyware
DTSG004  V0014682  II   The Antispyware software does not have the latest maintenance rollup of software update applied.
                        Section: Spyware
DTSG005  V0014684  II   The Antispyware software is not configured to download updates from a trusted source.
                        Section: Spyware
DTSG006  V0014700  II   The Antispyware definition/signature files are not automatically set to be updated at least weekly.
                        Section: Spyware
DTSG007  V0014701  I    The Antispyware signature files are older than 7 days.
                        Section: Spyware
DTSG008  V0014702  II   Beta or non-production Antispyware definitions/signature files are being used on a production machine.
                        Section: Spyware
DTSG009  V0014704  I    The Antispyware software does not start on-access protection automatically when the machine is booted.
                        Section: Spyware
DTSG010  V0014706  II   The Antispyware software is not configured to perform a scan of local hard drives at least weekly.
                        Section: Spyware
DTSG011  V0014708  II   The Antispyware scheduled scan is not configured to scan memory and drives (with an in-depth scan option).
                        Section: Spyware
DTSG012  V0014709  II   The Antispyware, when running in on access mode, is not configured to inform the user (or report to a central monitoring console) when malicious activity or spyware is found.
                        Section: Spyware
DTSG013  V0014710  II   The Antispyware, when running in a scheduled scan, is not configured to inform the user (or report to a central monitoring console) when malicious activity or spyware is found.
                        Section: Spyware
DTSG014  V0014711  II   The Antispyware, when running in on-demand mode, is not configured to inform the user (or report to a central monitoring console) when malicious activity or spyware is found.
                        Section: Spyware
DTSG015  V0014712  III  The Antispyware software is not configured to maintain logs for at least 30 days.
                        Section: Spyware
DTSG016  V0014713  III  The Antispyware software is not configured to maintain logs for at least 30 days.
                        Section: Spyware
DTSG017  V0014714  III  The Antispyware software is included in the incident response procedures both for the user and the site.
                        Section: Spyware
   ____ Checklist _V_R_ (<date>)                                            <Test> - TN <Ticket Number>
PDI      VMSID     CAT  Requirement / Vulnerability   Status   Finding Notes

APP2010  V0006197  II   The Program Manager will ensure an SSP is established to describe the technical, administrative, and procedural IA program and policies governing the DoD information system, and identifying all IA personnel and specific IA requirements and objectives.
APP2020  V0016773  II   The Program Manager will provide an Application Configuration Guide to the application hosting providers to include a list of all potential hosting enclaves and connection rules and requirements.
APP2040  V0006145  II   If the application contains classified data, the Program Manager will ensure a Security Classification Guide exists containing data elements and their classification.
APP2050  V0016775  II   The Program Manager will ensure the system has been assigned specific MAC and confidentiality levels.
APP2060  V0016776  II   The Program Manager will ensure the development team follows a set of coding standards.
APP2070  V0006170  III  The Program Manager and designer will ensure any IA, or IA enabled, products used by the application are NIAP approved or in the NIAP approval process.




   Legend:
   R or RAE = Required Ancillary Equipment
   NF = Not a Finding
   NA = Not Applicable                                                                 25 of 1257
APP2080 V0016777 II   The Program Manager will ensure COTS IA and IA enabled products comply with NSA endorsed robustness protection profiles.
APP2090 V0016778 II   The Program Manager will document and obtain DAA risk acceptance for all open source, public domain, shareware, freeware, and other software products/libraries with no warranty and no source code review capability, but are required for mission accomplishment.
APP2100 V0006169 II   The Program Manager and designer will ensure the application design complies with the DoD Ports and Protocols guidance.
APP2110 V0016779 II   The Program Manager and designer will ensure the application is registered with the DoD Ports and Protocols Database.
APP2120 V0016780 II   The Program Manager will ensure all levels of program management, designers, developers, and testers receive the appropriate security training pertaining to their job function.
APP2130 V0016781 II   The Program Manager will ensure a vulnerability management process is in place to include ensuring a mechanism is in place to notify users, and users are provided with a means of obtaining security updates for the application.
APP2135 V0021519 I    The Program Manager will ensure all products are supported by the vendor or the development team.
APP2140 V0016782 II   The Program Manager will ensure a security incident response process for the application is established that defines reportable incidents and outlines a standard operating procedure for incident response to include Information Operations Condition (INFOCON).
APP2150 V0016783 II   The Program Manager will ensure procedures are implemented to assure physical handling and storage of information is in accordance with the data's sensitivity.
APP2160 V0006198 II   The Program Manager and IAO will ensure development systems, build systems, test systems, and all components comply with all appropriate DoD STIGs, NSA guides, and all applicable DoD policies. The Test Manager will ensure both client and server machines are STIG compliant.
APP3010 V0007013 II   The designer will create and update the Design Document for each release of the application.
APP3020 V0006148 II   The designer will ensure threat models are documented and reviewed for each application release and updated as required by design and functionality changes or new threats are discovered.
APP3050 V0006149 II   The designer will ensure the application does not contain source code that is never invoked during operation, except for software components and libraries from approved third-party products.
APP3060 V0006150 II   The Designer will ensure the application does not store configuration and control files in the same directory as user data.
APP3070 V0016784 II   The designer will ensure the user interface services are physically or logically separated from data storage and management services.
APP3080 V0006157 II   The designer will ensure the application does not contain invalid URL or path references.
APP3100 V0006163 II   The Designer will ensure the application removes temporary storage of files and cookies when the application is terminated.
APP3110 V0016786 II   The designer will ensure the application installs with unnecessary functionality disabled by default.
APP3120 V0006166 II   The designer will ensure the application is not subject to error handling vulnerabilities.
APP3130 V0016787 I    The designer will ensure the application follows the secure failure design principle.
APP3140 V0006167 II   The designer will ensure application initialization, shutdown, and aborts are designed to keep the application in a secure state.
APP3150 V0006137 II   The designer will ensure the application uses the Federal Information Processing Standard (FIPS) 140-2, validated cryptographic modules and random number generator if the application implements encryption, key exchange, digital signature, and hash functionality.
APP3170 V0016788 II   The designer will ensure the application uses encryption to implement key exchange and authenticate endpoints prior to establishing a communication channel for key exchange.
APP3180 V0016789 II   The designer will ensure private keys are accessible only to administrative users.
APP3190 V0016790 II   The designer will ensure the application does not connect to a database using administrative credentials or other privileged database accounts.
APP3200 V0016791 III  The designer will ensure transaction based applications implement transaction rollback and transaction journaling.
APP3210 V0006135 II   The designer will ensure the appropriate cryptography is used to protect stored DoD information if required by the information owner.
APP3220 V0016792 II   The designer will ensure sensitive data held in memory is cryptographically protected when not in use, if required by the information owner, and classified data held in memory is always cryptographically protected when not in use.
APP3230 V0016793 II   The designer will ensure the application properly clears or overwrites all memory blocks used to process sensitive data, if required by the information owner, and clears or overwrites all memory blocks used for classified data.
APP3240 V0006142 II   The designer will ensure all access authorizations to data are revoked prior to initial assignment, allocation or reallocation to an unused state.
APP3250 V0006136 I    The designer will ensure data transmitted through a commercial or wireless network is protected using an appropriate form of cryptography.
APP3260 V0016794 II   The designer will ensure the application uses mechanisms assuring the integrity of all transmitted information (including labels and security parameters).
APP3270 V0006146 I    The designer will ensure the application has the capability to mark sensitive/classified output when required.
APP3280 V0006127 II   The designer will ensure applications requiring user authentication are PK-enabled and are designed and implemented to support hardware tokens (e.g., CAC for NIPRNet).
APP3290 V0006128 II   The designer and IAO will ensure PK-enabled applications are designed and implemented to use approved credentials authorized under the DoD PKI program.
APP3300 V0006168 II   The designer will ensure applications requiring server authentication are PK-enabled.
APP3305 V0006129 I    The designer will ensure the application using PKI validates certificates for expiration, confirms origin is from a DoD authorized CA, and verifies the certificate has not been revoked by CRL or OCSP, and CRL cache (if used) is updated at least daily.
APP3310 V0016795 I    The designer will ensure the application does not display account passwords as clear text.
APP3320 V0006130 II   The designer will ensure the application has the capability to require account passwords that conform to DoD policy.
APP3330 V0016796 I    The designer will ensure the application transmits account passwords in an approved encrypted format.
APP3340 V0016797 I    The designer will ensure the application stores account passwords in an approved encrypted format.
APP3350 V0006156 I    The designer will ensure the application does not contain embedded authentication data.
APP3360 V0016798 II   The designer will ensure the application protects access to authentication data by restricting access to authorized users and services.
APP3370 V0016799 II   The designer will ensure the application installs with unnecessary accounts disabled, or deleted, by default.
APP3380 V0006131 II   The designer will ensure the application prevents the creation of duplicate accounts.
APP3390 V0016800 I    The designer will ensure users' accounts are locked after three consecutive unsuccessful logon attempts within one hour.
APP3400 V0016801 II   The designer will ensure locked users' accounts can only be unlocked by the application administrator.
APP3405 V0016785 I    The designer will ensure the application supports detection and/or prevention of communication session hijacking.
APP3410 V0006144 II   The designer will ensure the application provides a capability to limit the number of logon sessions per user and per application.
APP3415 V0016802 II   The designer will ensure the application provides a capability to automatically terminate a session and log out after a system defined session idle time limit is exceeded.
APP3420 V0006155 II   The designer will ensure the application provides a capability to terminate a session and log out.
APP3430 V0006153 I    The designer will ensure the application removes authentication credentials on client computers after a session terminates.
APP3440 V0006152 II   The designer will ensure the application is capable of displaying a customizable click-through banner at logon which prevents further activity on the information system unless and until the user executes a positive action to manifest agreement by clicking on a box indicating "OK."
APP3450 V0016803 II   The designer and IAO will ensure application resources are protected with permission sets which allow only an application administrator to modify application resource configuration files.
APP3460 V0016804 I    The designer will ensure the application does not rely solely on a resource name to control access to a resource.
APP3470 V0006154 II   The designer will ensure the application is organized by functionality and roles to support the assignment of specific roles to specific application functions.
APP3480 V0006141 I    The designer will ensure access control mechanisms exist to ensure data is accessed and changed only by authorized personnel.
APP3500 V0006143 II   The designer will ensure the application executes with no more privileges than necessary for proper operation.
APP3510 V0006164 I    The designer will ensure the application validates all input.
APP3530 V0016806 II   The designer will ensure the web application assigns the character set on all web pages.
APP3540 V0016807 I    The designer will ensure the application is not vulnerable to SQL Injection, uses prepared or parameterized statements, does not use concatenation or replacement to build SQL queries, and does not directly access the tables in a database.
APP3550 V0016808 I    The designer will ensure the application is not vulnerable to integer arithmetic issues.
APP3560 V0016809 I    The designer will ensure the application does not contain format string vulnerabilities.
APP3570 V0016810 I    The designer will ensure the application does not allow command injection.
APP3580 V0016811 I    The designer will ensure the application does not have cross site scripting (XSS) vulnerabilities.
APP3585 V0021500 II   The designer will ensure the application does not have CSRF vulnerabilities.
APP3590 V0006165 I    The designer will ensure the application does not have buffer overflows, use functions known to be vulnerable to buffer overflows, and does not use signed values for memory allocation where permitted by the programming language.
APP3600 V0016812 II   The designer will ensure the application has no canonical representation vulnerabilities.
APP3610 V0016813 I    The designer will ensure the application does not use hidden fields to control user access privileges or as a part of a security mechanism.
APP3620 V0016814 II   The designer will ensure the application does not disclose unnecessary information to users.
APP3630 V0016815 II   The designer will ensure the application is not vulnerable to race conditions.
APP3640 V0016816 II   The designer will ensure the application supports the creation of transaction logs for access and changes to the data.
APP3650 V0006139 III  The designer will ensure the application has a capability to notify an administrator when audit logs are nearing capacity as specified in the system documentation.
APP3660 V0016817 III  The designer will ensure the application has a capability to notify the user of important login information.
APP3670 V0016818 II   The designer will ensure the application has a capability to display the user's time and date of the last change in data content.
APP3680 V0006138 II   The designer will ensure the application design includes audits on all access to need-to-know information and key application events.
APP3690 V0006140 II   The designer and IAO will ensure the audit trail is readable only by the application and auditors and protected against modification and deletion by unauthorized individuals.
APP3700 V0006159 II   The designer will ensure unsigned Category 1A mobile code is not used in the application in accordance with DoD policy.
APP3710 V0006161 II   The designer will ensure signed Category 1A and Category 2 mobile code signature is validated before executing.
APP3720 V0006160 II   The designer will ensure unsigned Category 2 mobile code executing in a constrained environment has no access to local system and network resources.
APP3730 V0006162 II   The designer will ensure uncategorized or emerging mobile code is not used in applications.
APP3740 V0006158 II   The designer will ensure the application only embeds mobile code in e-mail which does not execute automatically when the user opens the e-mail body or attachment.
APP3750 V0016819 II   The designer will ensure development of new mobile code includes measures to mitigate the risks identified.
APP3760 V0019689 II   The designer will ensure web services are designed and implemented to recognize and react to the attack patterns associated with application-level DoS attacks.
APP3770 V0019690 II   The designer will ensure the web service design includes redundancy of critical functions.
APP3780 V0019691 II   The designer will ensure web service design of critical functions is implemented using different algorithms to prevent similar attacks from forming a complete application level DoS.
APP3790 V0019692 II   The designer will ensure web services are designed to prioritize requests to increase availability of the system.
APP3800 V0019693 II   The designer will ensure execution flow diagrams are created and used to mitigate deadlock and recursion issues.
APP3810 V0021498 I    The designer will ensure the application is not vulnerable to XML Injection.
APP3820 V0019695 I    The designer will ensure web services provide a mechanism for detecting resubmitted SOAP messages.
APP3830 V0019696 II   The designer and IAO will ensure digital signatures exist on UDDI registry entries to verify the publisher.
   ____ Checklist _V_R_ (<date>)                                     <Test> - TN <Ticket Number>
  PDI    VMSID CAT          Requirement             Vulnerability   Status   Finding Notes
APP3840 V0019697 II The designer and IAO will
                    ensure UDDI versions are
                    used supporting digital
                    signatures of registry entries.

APP3850 V0019698     II   The designer and IAO will
                          ensure UDDI publishing is
                          restricted to authenticated
                          users.
APP3860 V0019701     II   The designer will ensure
                          SOAP messages requiring
                          integrity sign the following
                          message elements: Message
                          ID, Service Request,
                          Timestamp, and SAML
                          Assertion (when optionally
                          included in the message).

APP3870 V0019702      I   The designer will ensure
                          when using WS-Security,
                          messages use timestamps
                          with creation and expiration
                          times.
APP3880 V0019703      I   The designer will ensure
                          validity periods are verified
                          on all messages using WS-
                          Security or SAML assertions.

APP3890 V0019704     II   The designer shall ensure
                          each unique asserting party
                          provides unique assertion ID
                          references for each SAML
                          assertion.
APP3900 V0019705     II   The designer shall ensure
                          assertions are encrypted, or
                          given equivalent
                          confidentiality protection,
                          when assertion data is
                          passed through an
                          intermediary and
                          confidentiality of the
                          assertion data is required.




APP3910 V0022028 I The designer shall use the
                   <NotBefore> and
                   <NotOnOrAfter> when using
                   the <SubjectConfirmation>
                   element in a SAML assertion.


APP3920 V0022029      I   The designer shall use both
                          the <NotBefore> and
                          <NotOnOrAfter> elements or
                          <OneTimeUse> element
                          when using the
                          <Conditions> element in a
                          SAML assertion.
APP3930 V0022032     II   The designer shall ensure if
                          a OneTimeUse element is
                          used in an assertion, there is
                          only one used in the
                          Conditions element portion
                          of an assertion.
APP3940 V0022030     II   The designer will ensure the
                          asserting party uses FIPS
                          approved random numbers
                          in the generation of
                          SessionIndex in the SAML
                          element AuthnStatement.

APP3950 V0022031     II   The designer shall ensure
                          messages are encrypted
                          when the SessionIndex is
                          tied to privacy data.
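The WS-Security and SAML items above (APP3820 and APP3870 through APP3930) describe checks a message receiver must perform. The following Python is an added example and is not part of this checklist or of any DoD tool: it enforces those checks on a constructed SOAP envelope and a constructed SAML 2.0 assertion. The namespace URIs are the OASIS ones; the sample messages, the fixed receiver clock NOW, the replay cache as a plain set, and the five-minute skew tolerance are assumptions.

```python
# Added example: receiver-side checks for APP3820 and APP3870-APP3930.
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SKEW = timedelta(minutes=5)  # assumed tolerance for clock drift between the parties
NOW = datetime(2024, 5, 1, 12, 1, tzinfo=timezone.utc)  # assumed receiver clock for the samples
LATER = NOW + timedelta(minutes=30)  # a receiver clock 30 minutes on, to exercise the expiry path


def parse_utc(value):
    """Parse an xs:dateTime. SAML and WS-Security require UTC, so a naive value is rejected."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError("timestamp without time zone: " + value)
    return dt.astimezone(timezone.utc)


def window_findings(label, start, end, now):
    """APP3880: both ends of the validity period must be present, ordered, and cover `now`."""
    if start is None or end is None:
        return [f"{label}: both start and end of the validity period are required"]
    t0, t1 = parse_utc(start), parse_utc(end)
    out = []
    if t1 <= t0:
        out.append(f"{label}: period ends before it starts")
    if now + SKEW < t0:
        out.append(f"{label}: not yet valid")
    if now - SKEW >= t1:
        out.append(f"{label}: expired")
    return out


def check_wss_timestamp(envelope_xml, now):
    """APP3870/APP3880: wsu:Timestamp must carry Created and Expires and be current."""
    root = ET.fromstring(envelope_xml)
    ts = root.find("soap:Header/wsse:Security/wsu:Timestamp", NS)
    if ts is None:
        return ["WS-Security: no wsu:Timestamp in the Security header"]
    created = ts.findtext("wsu:Created", default=None, namespaces=NS)
    expires = ts.findtext("wsu:Expires", default=None, namespaces=NS)
    return window_findings("WS-Security Timestamp", created, expires, now)


def check_saml_assertion(assertion_xml, now, seen_ids):
    """APP3820/APP3890/APP3910/APP3920/APP3930 on one saml:Assertion; returns findings."""
    a = ET.fromstring(assertion_xml)
    out = []
    # Resubmission / replay: the (issuer, ID) pair must be new to this relying party.
    key = (a.findtext("saml:Issuer", default="", namespaces=NS), a.get("ID", ""))
    if not key[1]:
        out.append("Assertion: missing ID attribute")
    elif key in seen_ids:
        out.append(f"Assertion {key[1]}: already seen (resubmitted)")
    else:
        seen_ids.add(key)
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        out.append("Conditions: element missing")
    else:
        if len(cond.findall("saml:OneTimeUse", NS)) > 1:
            out.append("Conditions: more than one OneTimeUse element")
        nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb is not None or na is not None:
            out += window_findings("Conditions", nb, na, now)  # a half-specified window is reported
        elif cond.find("saml:OneTimeUse", NS) is None:
            out.append("Conditions: need both NotBefore and NotOnOrAfter, or OneTimeUse")
    for scd in a.findall("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS):
        out += window_findings("SubjectConfirmationData", scd.get("NotBefore"), scd.get("NotOnOrAfter"), now)
    return out


# Constructed sample messages (not captured from any real service).
WSS_OK = f"""<soap:Envelope xmlns:soap="{NS['soap']}"><soap:Header>
<wsse:Security xmlns:wsse="{NS['wsse']}" xmlns:wsu="{NS['wsu']}"><wsu:Timestamp>
<wsu:Created>2024-05-01T12:00:00Z</wsu:Created><wsu:Expires>2024-05-01T12:05:00Z</wsu:Expires>
</wsu:Timestamp></wsse:Security></soap:Header><soap:Body/></soap:Envelope>"""
WSS_NO_EXPIRES = WSS_OK.replace("<wsu:Expires>2024-05-01T12:05:00Z</wsu:Expires>", "")
SAML_OK = f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
<saml:Issuer>https://idp.example.com</saml:Issuer><saml:Subject><saml:NameID>alice</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData
 NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z"/></saml:SubjectConfirmation></saml:Subject>
<saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z"><saml:OneTimeUse/></saml:Conditions>
</saml:Assertion>"""
SAML_BAD = f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_a2" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
<saml:Issuer>https://idp.example.com</saml:Issuer><saml:Subject><saml:NameID>bob</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData
 NotOnOrAfter="2024-05-01T12:05:00Z"/></saml:SubjectConfirmation></saml:Subject>
<saml:Conditions NotBefore="2024-05-01T12:00:00Z"><saml:OneTimeUse/><saml:OneTimeUse/></saml:Conditions>
</saml:Assertion>"""
```

Two caveats a reviewer would raise: the replay cache must persist at least as long as the longest accepted validity window, or a resubmitted assertion becomes "new" again after a restart; and these checks only mean anything after the signature over the Timestamp and Assertion (APP3860) has been verified, since an unsigned window is attacker-controlled. The standard-library parser used here does not expand external entities, which is the parser behaviour APP3810 expects.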
APP3960 V0019706     II   The designer will ensure the
                          application is compliant with
                          all DoD IT Standards
                          Registry (DISR) IPv6 profiles.

APP3970 V0019707     II   The designer will ensure
                          supporting application
                          services and interfaces have
                          been designed, or upgraded
                          for, IPv6 transport.




APP3980 V0019708 II The designer will ensure the
                    application is compliant with
                    IPv6 multicast addressing
                    and features IPv6 network
                    configuration options as
                    defined in RFC 4038.
APP3990 V0019709 II The designer will ensure the
                    application is compliant with
                    the IPv6 addressing scheme
                    as defined in RFC 1884.

APP4010 V0016820     III   The Release Manager will
                           ensure the access privileges
                           to the configuration
                           management (CM)
                           repository are reviewed
                           every 3 months.
APP4030 V0016822     II    The Release Manager will
                           develop an SCM plan
                           describing the configuration
                           control and change
                           management process of
                           objects developed and the
                           roles and responsibilities of
                           the organization.

APP4040 V0016823     II    The Release Manager will
                           establish a Configuration
                           Control Board (CCB), that
                           meets at least every release
                           cycle, for managing the CM
                           process.
APP5010 V0016824     III   The Test Manager will
                           ensure at least one tester is
                           designated to test for
                           security flaws in addition to
                           functional testing.
APP5030 V0006147     II    The Test Manager will
                           ensure the application does
                           not modify data files outside
                           the scope of the application.




APP5040 V0016825 II The Test Manager will
                    ensure the changes to the
                    application are assessed for
                    IA and accreditation impact
                    prior to implementation.

APP5050 V0016826     II    The Test Manager will
                           ensure test plans and
                           procedures are created and
                           executed prior to each
                           release of the application or
                           updates to system patches.

APP5060 V0016827     II    The Test Manager will
                           ensure test procedures are
                           created and at least annually
                           executed to ensure system
                           initialization, shutdown, and
                           aborts are configured to
                           ensure the system remains
                           in a secure state.

APP5070 V0016828     III   The Test Manager will
                           ensure code coverage
                           statistics are maintained for
                           each release of the
                           application.
APP5080 V0016829     II    The Test Manager will
                           ensure a code review is
                           performed before the
                           application is released.
APP5090 V0016830     II    The Test Manager will
                           ensure flaws found during a
                           code review are tracked in a
                           defect tracking system.
APP5100 V0016831     III   The Test Manager will
                           ensure fuzz testing is
                           included in the test plans
                           and procedures and
                           performed for each
                           application release based on
                           application exposure.




APP5110 V0016832 II The Test Manager will
                    ensure security flaws are
                    fixed or addressed in the
                    project plan.
APP6010 V0016833 II The IAO will ensure if an
                    application is designated
                    critical, the application is not
                    hosted on a general purpose
                    machine.
APP6020 V0016834 II The IAO shall ensure if a
                    DoD STIG or NSA guide is
                    not available, a third-party
                    product will be configured by
                    the following, in descending
                    order as available: (1)
                    commercially accepted
                    practices, (2) independent
                    testing results, or (3) vendor
                    literature.

APP6030 V0006151      II    The IAO will ensure
                            unnecessary services are
                            disabled or removed.
APP6040 V0016835      II    The IAO will ensure at least
                            one application administrator
                            has registered to receive
                            update notifications, or
                            security alerts, when
                            automated alerts are
                            available.

APP6050 V0016836      II    The IAO will ensure the
                            system and installed
                            applications have current
                            patches, security updates,
                            and configuration settings.
APP6060 V0016837       I    The IAO will ensure the
                            application is
                            decommissioned when
                            maintenance or support is
                            no longer available.
APP6070 V0016838      III   Procedures are not in place
                            to notify users when an
                            application is
                            decommissioned.

APP6080 V0016839  II The IAO will ensure
                     protections against DoS
                     attacks are implemented.
APP6090 V0016840 III The IAO will ensure the
                     system alerts an
                     administrator when low
                     resource conditions are
                     encountered.
APP6100 V0006174  II The IAO will ensure
                     production database exports
                     have database
                     administration credentials
                     and sensitive data removed
                     before releasing the export.
APP6110 V0016841 III The IAO will review audit
                     trails periodically based on
                     system documentation
                     recommendations or
                     immediately upon system
                     security events.
APP6120 V0016842  II The IAO will report all
                     suspected violations of IA
                     policies in accordance with
                     DoD information system IA
                     procedures.
APP6130 V0016843 III The IAO will ensure, for
                     classified systems,
                     application audit trails are
                     continuously and
                     automatically monitored, and
                     alerts are provided
                     immediately when unusual
                     or inappropriate activity is
                     detected.
APP6140 V0006173  II The IAO will ensure
                     application audit trails are
                     retained for at least 1 year
                     for applications without
                     SAMI data, and 5 years for
                     applications including SAMI
                     data.




APP6160 V0006171 II The IAO will ensure recovery
                    procedures and technical
                    system features exist so
                    recovery is performed in a
                    secure and verifiable
                    manner. The IAO will
                    document circumstances
                    inhibiting a trusted recovery.

APP6170 V0016844     II   The IAO will ensure backup
                          copies of the application
                          software are stored in a fire-
                          rated container and not
                          collocated with operational
                          software.

APP6180 V0016845     II   The IAO will ensure
                          procedures are in place to
                          assure the appropriate
                          physical and technical
                          protection of the backup and
                          restoration of the application.

APP6190 V0006172     II   The IAO will ensure data
                          backup is performed at
                          required intervals in
                          accordance with DoD policy.

APP6200 V0016846     II   The IAO will ensure a
                          disaster recovery plan exists
                          in accordance with DoD
                          policy based on the Mission
                          Assurance Category (MAC).

APP6210 V0016847     II   The IAO will ensure an
                          account management
                          process is implemented,
                          verifying only authorized
                          users can gain access to the
                          application, and individual
                          accounts designated as
                          inactive, suspended, or
                          terminated are promptly
                          removed.


APP6220 V0016848   I The IAO will ensure
                     passwords generated for
                     users are not predictable
                     and comply with the
                     organization's password
                     policy.
APP6230 V0016849  II The IAO will ensure the
                     application's users do not
                     use shared accounts.
APP6240 V0006132 III The IAO will ensure user
                     accounts that are authorized
                     to access the application but
                     have not authenticated within
                     the past 90 days are disabled.

APP6250 V0006133     II   The IAO will ensure
                          unnecessary built-in
                          application accounts are
                          disabled.
APP6260 V0006134      I   The IAO will ensure default
                          passwords are changed.
APP6270 V0016850     II   The IAO will ensure
                          connections between DoD
                          enclaves and the Internet or
                          other public or commercial
                          wide area networks require a
                          DMZ.
APP6280 V0019687      I   The IAO will ensure web
                          servers are on logically
                          separate network segments
                          from the application and
                          database servers if it is a
                          tiered application.




APP6290 V0019688  I The designer and the IAO
                    will ensure physical
                    operating system separation
                    and physical application
                    separation is employed
                    between servers of different
                    data types in the web tier of
                    Increment 1/Phase 1
                    deployment of the DoD DMZ
                    for Internet-facing
                    applications.
APP6300 V0019694 II The IAO will ensure an XML
                    firewall is deployed to
                    protect web services.
APP6310 V0019699 II The IAO will ensure web
                    service inquiries to UDDI
                    provide read-only access to
                    the registry to anonymous
                    users.
APP6320 V0019700 II The IAO will ensure that, if the
                    UDDI registry contains
                    sensitive information, read
                    access to the UDDI registry is
                    granted only to authenticated
                    users.




Application Services Checklist V1R1.1 (21 Sep 06)                       <Test> - TN <Ticket Number>


  PDI    VMSID CAT           Requirement                    Vulnerability   Status   Finding Notes
APS0110 V0006199 II Application server does not
                    utilize a Public Key
                    Infrastructure (PKI).
APS0130 V0006200  I The application server or a
                    served application does not
                    verify the following when
                    presented with a PKI
                    certificate: (1) revoked
                    certificate, (2) invalid
                    certificate, (3) improperly
                    signed certificate.
                    Application Server/
                    Application Name(s):

APS0140 V0006202       II   Passwords are not
                            encrypted at logon.
                            Passwords are not required
                            to meet complexity
                            requirements. Passwords
                            are not changeable by the
                            user. Accounts are not
                            protected by lockout on
                            failed logon attempts.

APS0210 V0006203       II   The following default
                            usernames and passwords
                            have not been modified from
                            their default values:
APS0320 V0006205       II   Sensitive data is not
                            encrypted with NIST-
                            validated or NSA-approved
                            cryptography.
APS0350 V0006208       II   The application server is not
                            configured to encrypt
                            sensitive data in transit.




APS0410 V0006209 II Auditing is not enabled for
                    the application server.
                    Auditing is not configured to
                    include logon events.
                    Auditing is not configured to
                    include attempts to access
                    security files. Auditing is not
                    configured to include actions
                    taken in response to failed l

APS0510 V0006210       II   The application server
                            administrator role has been
                            assigned to unauthorized
                            personnel.
APS0530 V0006212       II   If session time limits are
                            enforced by applications or
                            other means external to the
                            application server, this
                            check is NA. If the
                            applications depend on the
                            application server to
                            enforce session time limits
                            and it is not configured to
                            a limit of 24 hours or less,
                            this is a finding.

APS0540 V0012304       II   The application server
                            serves data of different
                            classification levels to
                            different audiences. The
                            application server does not
                            provide protection through
                            separation to applications
                            serving data of different
                            sensitivity to different
                            audiences.




APS0560 V0012322 II External interfaces are
                    defined on the application
                    server that are not identified
                    in the functional architecture
                    for the application. Protection
                    mechanisms configured for
                    the interface are not
                    sufficient for the data being
                    exchanged.

APS0570 V0012308       II   Hyperlinks are not approved
                            prior to incorporation in the
                            application server content.

APS0590 V0012310       II   The web page does not
                            identify content obtained
                            from remote systems.
APS0615 V0012312       II   Application server software
                            and data are not located in
                            separate directories.
APS0630 V0012323       I    The application server
                            software is not a supported
                            version.
APS0640 V0012313       II   A migration plan to upgrade
                            from an unsupported version
                            does not exist.

APS0670 V0012316       II   A baseline of the application
                            server software directories
                            and files is not maintained.

APS0720 V0012319       II   A public WebLogic Platform
                            server is not installed in a
                            DMZ.
APS0730 V0006220       II   Application services are
                            not addressed in a disaster
                            recovery plan.
APS0740 V0006221       II   The application server
                            software and data is not
                            included in the site or
                            system backup strategy.


ASG0520 V0006211 II The application server
                    process runs with privileges
                    not necessary for proper
                    operation.
ASG0540 V0006213 II A classification guide does
                    not exist for the application.
ASG0550 V0006214 II The application does not
                    mark printed and displayed
                    output with appropriate
                    classification labels.
ASG0750 V0006222 II A process does not exist to
                    ensure application server log
                    files are retained for at least
                    one year.
ASG0760 V0006223 II Application server does not
                    have an assigned IAO or
                    IAM.
ASJ0120 V0006201 II Application server utilizes
                    unapproved DOD PKI
                    certificates.
ASJ0330 V0006206 II Java file permissions are not
                    adequately restrictive.
ASJ0840 V0011810 II Java cryptography is
                    inadequate because it uses a
                    poor entropy source.
AST0310 V0006204 II Sensitive application data is
                    not adequately protected at
                    rest.
AST0340 V0006207 II OS level file permissions are
                    not adequately restrictive.

AST0560 V0006215       I    Application Security
                            Manager is not turned on.
AST0580 V0006216       II   Shutdown restriction's
                            default password has not
                            been changed.
AST0610 V0006217       II   Application server default
                            content has not been
                            removed.
AST0710 V0006218       I    Application server may be
                            controlled from outside the
                            enclave.

AST0720 V0006219 II Java socket permissions are
                    inadequate.
AST0820 V0006225 II Admin and Manager Web
                    Applications are not
                    adequately restrictive.
AST0830 V0011828 II Application server's directory
                    listing is enabled.




  PDI    VMSID     CAT           Requirement              Vulnerability   Status   Finding Notes

DTBF003 V0017988    I    Installed version of Firefox
                         unsupported.
DTBF010 V0015982    II   The Firefox SSLV2
                         parameter is configured to
                         allow use of SSL 2.0.
DTBF020 V0015767    II   Firefox is configured to allow
                         use of SSL 3.0.
DTBF030 V0015983    II   Firefox is not configured to
                         allow use of TLS 1.0.
DTBF050 V0015768    II   FireFox is not configured to
                         ask which certificate to
                         present to a web site when a
                         certificate is required.
DTBF100 V0015770    II   Firefox automatically
                         executes or downloads
                         MIME types which are not
                         authorized for auto-download.

DTBF105 V0015771    II   Network shell protocol is
                         enabled in FireFox.
DTBF110 V0015772    II   Firefox not configured to
                         prompt user before
                         download and opening for
                         required file types.
DTBF120 V0015773    II   FireFox plug-in for ActiveX
                         controls is installed.
DTBF130 V0015989    II   Firefox is not configured to
                         provide warnings when a
                         user switches from a secure
                         (SSL-enabled) to a non-
                         secure page.
DTBF140 V0015774    II   Firefox formfill assistance
                         option is disabled.
DTBF150 V0015775    II   Firefox is configured to
                         autofill passwords.
DTBF160 V0015776    II   FireFox is configured to use
                         a password store with or
                         without a master password.

DTBF170 V0015777    II   Firefox does not clear
                         cookies upon closing.
DTBF180 V0015778    II   FireFox is not configured to
                         block pop-up windows.
DTBF181 V0015779    II   FireFox is configured to
                         allow JavaScript to move or
                         resize windows.
DTBF182 V0015985    II   Firefox is configured to allow
                         JavaScript to raise or lower
                         windows.
DTBF183 V0015986    II   Firefox is configured to allow
                         JavaScript to disable or
                         replace context menus.
DTBF184 V0015987      II   Firefox is configured to allow
                           JavaScript to hide or change
                           the status bar.
DTBF185 V0015988      II   Firefox is configured to allow
                           JavaScript to change the
                           status bar text.
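The Firefox items DTBF010 through DTBF185 above are all preference settings. The following Python is an added example, not part of this checklist or of any DISA tool: it parses a prefs.js or user.js file, compares each preference with the value the item requires, and emits mozilla.cfg lockPref() lines that would enforce the required value. The mapping from PDI to preference name and value is an assumption for the Firefox releases current when this checklist was written (later releases replaced the three SSL/TLS booleans with security.tls.version.min and security.tls.version.max); the sample prefs.js is constructed. A preference that is absent is reported for manual verification rather than assumed compliant, because the built-in default differs between releases.

```python
# Added example: audit a Firefox prefs.js/user.js against DTBF010-DTBF185.
import re

# prefs.js lines look like: user_pref("name", value);  mozilla.cfg uses pref()/lockPref().
PREF_RE = re.compile(r'^\s*(?:user_pref|pref|lockPref)\("([^"]+)",\s*(.+?)\);\s*$')


def parse_prefs(text):
    """Return {name: value} from prefs.js-style lines; values become bool, int or str."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines and malformed entries are ignored
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = raw  # unknown literal forms are kept verbatim
    return prefs


# (PDI, preference, required value); the mapping is an assumption, see the lead-in.
POLICY = [
    ("DTBF010", "security.enable_ssl2", False),
    ("DTBF020", "security.enable_ssl3", False),
    ("DTBF030", "security.enable_tls", True),
    ("DTBF050", "security.default_personal_cert", "Ask Every Time"),
    ("DTBF130", "security.warn_leaving_secure", True),
    ("DTBF140", "browser.formfill.enable", False),
    ("DTBF150", "signon.autofillForms", False),
    ("DTBF160", "signon.rememberSignons", False),
    ("DTBF170", "network.cookie.lifetimePolicy", 2),  # 2 = keep cookies for the session only
    ("DTBF180", "dom.disable_open_during_load", True),
    ("DTBF181", "dom.disable_window_move_resize", True),
    ("DTBF182", "dom.disable_window_flip", True),
    ("DTBF183", "dom.event.contextmenu.enabled", False),
    ("DTBF184", "dom.disable_window_open_feature.status", True),
    ("DTBF185", "dom.disable_window_status_change", True),
]


def audit(prefs):
    """Return (PDI, preference, status, detail) for every item that is open or unverified."""
    findings = []
    for pdi, name, required in POLICY:
        if name not in prefs:
            findings.append((pdi, name, "not set", f"verify that the build default is {required!r}"))
        elif prefs[name] != required:
            findings.append((pdi, name, "open", f"is {prefs[name]!r}, required {required!r}"))
    return findings


def lockpref_fix(findings):
    """mozilla.cfg lockPref() lines that would remediate each finding (assumed remediation path)."""
    required = {name: req for _, name, req in POLICY}

    def lit(v):
        if isinstance(v, bool):  # bool before int: bool is an int subclass
            return "true" if v else "false"
        return str(v) if isinstance(v, int) else f'"{v}"'

    return [f'lockPref("{name}", {lit(required[name])});' for _, name, _, _ in findings]


# Constructed sample prefs.js: SSL 2.0 left on, certificate selection automatic,
# cookies kept past the session, most hardening prefs never set.
SAMPLE_PREFS = """// Mozilla User Preferences (constructed sample)
user_pref("security.enable_ssl2", true);
user_pref("security.enable_ssl3", false);
user_pref("security.enable_tls", true);
user_pref("security.default_personal_cert", "Select Automatically");
user_pref("signon.rememberSignons", false);
user_pref("network.cookie.lifetimePolicy", 0);
user_pref("dom.disable_open_during_load", true);
"""
```

Reading prefs.js only tells you what the profile has persisted; a value a user can still change in about:config is not a durable control, which is why the remediation output is lockPref() rather than user_pref().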
DTBG003 V0006227      I    The installed version of IE is
                           unsupported.

DTBG007 V0006317      II   IE is not capable of using
                           128-bit encryption.
DTBG010 V0006318      II   The DOD Root Certificate is
                           not installed.
DTBI001   V0006228    II   The IE home page is not set
                           to blank, a local file, or a
                           trusted site.
DTBI002   V0006229    II   IE Local zone security
                           parameter is set incorrectly.

DTBI003   V0006230    II   The IE Trusted sites zone
                           security parameter is set
                           incorrectly.
DTBI004   V0006231    II   The IE Internet zone security
                           parameter is set incorrectly.

DTBI005   V0006232    II   The IE Restricted sites zone
                           security parameter is set
                           incorrectly.
DTBI006   V0006233    II   The IE Local zone includes
                           parameter is not set correctly.

DTBI007   V0006234    II   The IE third party cookies
                           parameter is not set correctly.

DTBI010   V0017296    II   Prevent performance of First
                           Run Customize settings is
                           not enabled.
DTBI011   V0007006    II   The IE search parameter is
                           not set correctly.
DTBI012   V0006236    II   The IE signature checking
                           parameter is not set correctly.

DTBI013   V0006237    II   The IE save encrypted
                           pages to disk parameter is
                           not set correctly.
DTBI014   V0006238    II   The IE SSL/TLS parameter
                           is not set correctly.
DTBI015   V0006239    II   The IE warning of invalid
                           certificates parameter is not
                           set correctly
DTBI016   V0006240    II   The IE changing zones
                           parameter is not set correctly.
  PDI      VMSID     CAT           Requirement               Vulnerability   Status   Finding Notes

DTBI017   V0006241    II   The IE form redirect
                           parameter is not set correctly.

DTBI021   V0006242    II   Users can change the
                           advanced settings in IE.
DTBI022   V0006243    II   The Download signed
                           ActiveX controls property is
                           not set properly for the
                           Internet Zone.
DTBI023   V0006244    II   The Download unsigned
                           ActiveX controls property is
                           not set properly for the
                           Internet Zone.
DTBI024   V0006245    II   The Initialize and script
                           ActiveX controls not marked
                           as safe property is not set
                           properly for the Internet
                           Zone.
DTBI025   V0016879    II   The Download signed
                           ActiveX controls property is
                           not set properly for the
                           Lockdown Zone.
DTBI026   V0006246    II   The Script ActiveX controls
                           marked safe for scripting
                           property is not set properly
                           for the Internet Zone.
DTBI030   V0006248    II   The Font download control is
                           not set properly for the
                           Internet Zone.
DTBI031   V0006249    II   The Java Permissions is not
                           set properly for the Internet
                           Zone.
DTBI032   V0006250    II   The Access data sources
                           across domains is not set
                           properly for the Internet
                           Zone.
DTBI034   V0006251    II   The Display mixed content is
                           not set properly for the
                           Internet Zone.
DTBI035   V0006252    II   The Don't prompt for client
                           certificate selection when no
                           certificate or only one
                           certificate exists is not set
                           properly for the Internet
                           Zone.
DTBI036   V0006253    II   The Allow Drag and drop or
                           copy and paste files is not
                           set properly for the Internet
                           Zone.
DTBI037   V0006254    II   The Installation of desktop
                           items is not set properly for
                           the Internet Zone.
  PDI      VMSID     CAT           Requirement              Vulnerability   Status   Finding Notes

DTBI038   V0006255    II   The Launching programs
                           and files in IFRAME are not
                           set properly for the Internet
                           Zone.
DTBI039   V0006256    II   The Navigate sub-frames
                           across different domains is
                           not set properly for the
                           Internet Zone.
DTBI040   V0006257    II   The Software channel
                           permissions is not set
                           properly for the Internet
                           Zone.
DTBI041   V0006258    II   The Submit non-encrypted
                           form data is not set properly
                           for the Internet Zone.

DTBI042   V0006259    II   The Userdata persistence is
                           not set properly for the
                           Internet Zone.
DTBI044   V0006260    II   The Allow paste operations
                           via script is not set properly
                           for the Internet Zone.

DTBI045   V0006261    II   The Scripting of Java applets
                           is not set properly for the
                           Internet Zone.
DTBI046   V0006262    II   The user Authentication -
                           Logon is not set properly for
                           the Internet Zone.
DTBI052   V0006263    II   The Download signed
                           ActiveX controls property is
                           not set properly for the Local
                           Zone.
DTBI053   V0006264    II   The Download unsigned
                           ActiveX controls property is
                           not set properly for the Local
                           Zone.
DTBI054   V0006265    II   The Initialize and script
                           ActiveX controls not marked
                           as safe property is not set
                           properly for the Local Zone.

DTBI056   V0006266    II   The Script ActiveX controls
                           marked safe for scripting
                           property is not set properly
                           for the Local Zone.
DTBI061   V0006267    II   The Java Permissions is not
                           set properly for the Local
                           Zone.
DTBI062   V0006268    II   The Access data sources
                           across domains is not set
                           properly for the Local Zone.
  PDI      VMSID     CAT           Requirement              Vulnerability   Status   Finding Notes

DTBI065   V0006271    II   The Don't prompt for client
                           certificate selection when no
                           certificate or only one
                           certificate exists is not set
                           properly for the Local Zone.
DTBI067   V0006272    II   The Installation of desktop
                           items is not set properly for
                           the Local Zone.
DTBI068   V0006273    II   The Launching programs
                           and files in IFRAME is not
                           set properly for the Local
                           Zone.
DTBI070   V0006274    II   The Software channel
                           permissions is not set
                           properly for the Local Zone.
DTBI074   V0006275    II   The Allow paste operations
                           via script is not set properly
                           for the Local Zone.
DTBI076   V0006276    II   The User Authentication -
                           Logon is not set properly for
                           the Local Zone.
DTBI082   V0006277    II   The Download signed
                           ActiveX controls property is
                           not set properly for the
                           Trusted Sites Zone.
DTBI083   V0006278    II   The Download unsigned
                           ActiveX controls property is
                           not set properly for the
                           Trusted Sites Zone.
DTBI084   V0006279    II   The Initialize and script
                           ActiveX controls not marked
                           as safe property is not set
                           properly for the Trusted Sites
                           Zone.
DTBI086   V0006280    II   The ActiveX controls marked
                           safe for scripting property is
                           not set properly for the
                           Trusted Sites Zone.
DTBI091   V0006281    II   The Java Permissions is not
                           set properly for the Trusted
                           Sites Zone.
DTBI092   V0006282    II   The Access data sources
                           across domains is not set
                           properly for the Trusted Sites
                           Zone.
DTBI095   V0006283    II   The Don't prompt for client
                           certificate selection when no
                           certificate or only one
                           certificate exists is not set
                           properly for the Trusted Sites
                           Zone.
  PDI      VMSID     CAT           Requirement              Vulnerability   Status   Finding Notes

DTBI097   V0006284    II   The Installation of desktop
                           items is not set properly for
                           the Trusted Sites Zone.
DTBI098   V0006285    II   The Launching programs
                           and files in IFRAME is not
                           set properly for the Trusted
                           Sites Zone.
DTBI100   V0006286    II   The Software channel
                           permissions is not set
                           properly for the Trusted Sites
                           Zone.
DTBI1010 V0022687     II   Internet Explorer Processes
                           Restrict ActiveX Install
                           (Explorer) property is
                           properly set.
DTBI1020 V0022688     II   Internet Explorer Processes
                           Restrict ActiveX Install
                           (IExplorer) property is
                           properly set.
DTBI104   V0006287    II   The Allow paste operations
                           via script is not set properly
                           for the Trusted Sites Zone.

DTBI106   V0006288    II   The User Authentication -
                           Logon is not set properly for
                           the Trusted Sites Zone.
DTBI112   V0006289    II   The Download signed
                           ActiveX controls property is
                           not set properly for the
                           Restricted Sites Zone.
DTBI113   V0006290    II   The Download unsigned
                           ActiveX controls property is
                           not set properly for the
                           Restricted Sites Zone.
DTBI114   V0006291    II   The Initialize and script
                           ActiveX controls not marked
                           as safe property is not set
                           properly for the Restricted
                           Sites Zone.
DTBI115   V0006292    II   Run ActiveX controls and
                           plug-ins property is not set
                           properly for the Restricted
                           Sites Zone.
DTBI116   V0006293    II   The Script ActiveX controls
                           marked safe for scripting
                           property is not set properly
                           for the Restricted Sites Zone.

DTBI119   V0006294    II   The File download control is
                           not set properly for the
                           Restricted Sites Zone.
  PDI      VMSID     CAT           Requirement              Vulnerability   Status   Finding Notes

DTBI120   V0006295    II   The Font download control is
                           not set properly for the
                           Restricted Sites Zone.
DTBI121   V0007007    II   The Java Permissions is not
                           set properly for the
                           Restricted Sites Zone.
DTBI122   V0006297    II   The Access data sources
                           across domains is not set
                           properly for the Restricted
                           Sites Zone.
DTBI123   V0006298    II   The Allow META REFRESH
                           is not set properly for the
                           Restricted Sites Zone.

DTBI124   V0006299    II   The Display mixed content is
                           not set properly for the
                           Restricted Sites Zone.
DTBI125   V0006300    II   The Don't prompt for client
                           certificate selection when no
                           certificate or only one
                           certificate exists is not set
                           properly for the Restricted
                           Sites Zone.
DTBI126   V0006301    II   The Drag and drop or copy
                           and paste files is not set
                           properly for the Restricted
                           Sites Zone.
DTBI127   V0006302    II   The Installation of desktop
                           items is not set properly for
                           the Restricted Sites Zone.

DTBI128   V0006303    II   The Launching programs
                           and files in IFRAME is not
                           set properly for the
                           Restricted Sites Zone.
DTBI129   V0006304    II   The Navigate windows and
                           frames across different
                           domains are not set properly
                           for the Restricted Sites Zone.

DTBI130   V0006305    II   The Software channel
                           permissions is not set
                           properly for the Restricted
                           Sites Zone.
DTBI131   V0006306    II   The Submit non-encrypted
                           form data is not set properly
                           for the Restricted Sites Zone.

DTBI132   V0006307    II   The Userdata persistence is
                           not set properly for the
                           Restricted Sites Zone.
  PDI      VMSID     CAT           Requirement              Vulnerability   Status   Finding Notes

DTBI133   V0006308    II   The Active scripting is not
                           set properly for the
                           Restricted Sites Zone.
DTBI134   V0006309    II   The Allow paste operations
                           via script is not set properly
                           for the Restricted Sites Zone.

DTBI135   V0006310    II   The Scripting of Java applets
                           is not set properly for the
                           Restricted Sites Zone.

DTBI136   V0006311    II   The User Authentication -
                           Logon is not set properly for
                           the Restricted Sites Zone.

DTBI137   V0003433   III   Internet Explorer is
                           configured to notify users
                           when programs are modified
                           through the software
                           distribution channel.

DTBI140   V0006319    II   The Error Reporting tool for
                           IE is installed or enabled.
DTBI150   V0006312    II   The Microsoft Java VM is
                           installed.
DTBI151   V0006313    II   The Cipher setting for DES
                           56/56 is not set properly.
DTBI152   V0006314    II   The Cipher setting for Null is
                           not set properly.
DTBI153   V0006315    II   The Cipher setting for Triple
                           DES is not set properly.

DTBI160   V0006316    II   The Hash setting for SHA is
                           not set properly.
DTBI300   V0021887    II   Disable Configuring History -
                           History setting is not set to
                           40 days.
DTBI305   V0015490    II   Automatic configuration of
                           Internet Explorer is not
                           disabled.
DTBI310   V0015491    II   Showing the splash screen
                           is not disabled.
DTBI315   V0015492    II   Prevent participation in the
                           Customer Experience
                           Improvement Program is not
                           disabled.
DTBI316   V0003431    II   Internet Explorer is
                           configured to allow
                           Automatic Install of
                           components.
DTBI317   V0003432    II   Internet Explorer is
                           configured to automatically
                           check for updates.
  PDI      VMSID     CAT           Requirement                Vulnerability   Status   Finding Notes

DTBI318   V0003429    II   Internet Explorer is
                           configured to allow users to
                           add/delete sites.
DTBI319   V0003428    II   Internet Explorer is
                           configured to allow users to
                           change policies.
DTBI320   V0003427    II   Internet Explorer is not
                           configured to require
                           consistent security zone
                           settings to all users.
DTBI325   V0015494    II   Turn off the Security Settings
                           Check feature is not disabled.

DTBI330   V0015495    II   Turn off Managing Phishing
                           filter is not disabled.
DTBI340   V0015497    II   Allow active content from
                           CDs to run on user
                           machines is not disabled.
DTBI350   V0015499    II   Allow software to run or
                           install even if the signature is
                           invalid is not disabled.
DTBI355   V0015500    II   Allow third-party browser
                           extensions are not disabled.

DTBI360   V0015501    II   Automatically check for
                           Internet Explorer updates
                           are not disabled.
DTBI365   V0015502    II   Check for server certificate
                           revocation is not enabled.
DTBI367   V0003430   III   Internet Explorer is not
                           configured to disable making
                           Proxy Settings Per Machine.

DTBI370   V0015503    II   Check for signatures on
                           downloaded programs is not
                           enabled.
DTBI375   V0015504    II   Intranet Sites: Include all
                           network paths (UNCs) are
                           disabled.
DTBI385   V0015507    II   Allow script-initiated windows
                           without size or position
                           constraints for Internet Zone
                           is not disabled.

DTBI390   V0015508    II   Allow script-initiated windows
                           without size or position
                           constraints for Restricted
                           Sites Zone is not disabled.

DTBI395   V0015509    II   Allow Scriptlets are not
                           disabled.
  PDI      VMSID     CAT           Requirement               Vulnerability   Status   Finding Notes

DTBI415   V0015513    II   Automatic prompting for file
                           downloads is not enabled.

DTBI425   V0015515    II   Java permissions for my
                           computer are not disabled.
DTBI430   V0015516    II   Java permissions for my
                           computer group policy are
                           not disabled.
DTBI435   V0015517    II   Java permissions for group
                           policy for Local Intranet Zone
                           are not disabled.
DTBI440   V0015518    II   Java permissions for group
                           policy for Trusted Sites Zone
                           are not disabled.
DTBI445   V0015519    II   Java permissions for group
                           policy for Internet Zone are
                           not disabled.
DTBI450   V0015520    II   Java permissions for group
                           policy for Restricted Sites
                           Zone are not disabled.
DTBI455   V0015521    II   Loose XAML files for Internet
                           Zone are not disabled.

DTBI460   V0015522    II   Loose XAML files for
                           Restricted Sites Zone are
                           not disabled.
DTBI465   V0015523    II   Open files based on content,
                           not file extension for Internet
                           Zone is not disabled.

DTBI470   V0015524    II   Open files based on content,
                           not file extension for
                           Restricted Sites Zone is not
                           disabled.
DTBI475   V0015525    II   Turn Off First-Run Opt-In for
                           Internet Zone is not disabled.

DTBI480   V0015526    II   Turn Off First-Run Opt-In for
                           Restricted Sites Zone is not
                           disabled.
DTBI485   V0015527    II   Turn on Protected Mode
                           Internet Zone is not enabled.

DTBI490   V0015528    II   Turn on Protected Mode for
                           Restricted Sites Zone is not
                           enabled.
DTBI495   V0015529    II   Use Pop-up Blocker for
                           Internet Zone is not enabled.

DTBI500   V0015530    II   Use Pop-up Blocker for
                           Restricted Sites Zone is not
                           enabled.
  PDI      VMSID     CAT           Requirement              Vulnerability   Status   Finding Notes

DTBI515   V0015533    II   Web sites in less privileged
                           Web content zones can
                           navigate into Internet Zone is
                           not disabled.

DTBI520   V0015534    II   Web sites in less privileged
                           Web content zones can
                           navigate into Restricted
                           Sites Zone is not disabled.

DTBI575   V0015545    II   Allow binary and script
                           behaviors are not disabled.
DTBI580   V0015546    II   Automatic prompting for file
                           downloads is not enabled.

DTBI590   V0015548    II   Internet Explorer Processes
                           for MIME handling is not
                           enabled. (Reserved)

DTBI592   V0015565    II   Internet Explorer Processes
                           for MIME handling is not
                           enabled. (Explorer)

DTBI594   V0015566    II   Internet Explorer Processes
                           for MIME handling is not
                           enabled. (IExplore)

DTBI595   V0015549    II   Internet Explorer Processes
                           for MIME sniffing is not
                           enabled. (Reserved)

DTBI596   V0015603    II   Internet Explorer Processes
                           for MIME sniffing is not
                           enabled. (Explorer)

DTBI597   V0015604    II   Internet Explorer Processes
                           for MIME sniffing is not
                           enabled. (IExplore)

DTBI599   V0015568    II   Internet Explorer Processes
                           for MK protocol is not
                           enabled. (Reserved)
DTBI600   V0015550    II   Internet Explorer Processes
                           for MK protocol is not
                           enabled. (Explorer)
DTBI605   V0015551    II   Internet Explorer Processes
                           for MK protocol is not
                           enabled. (IExplore)
DTBI610   V0015552    II   Internet Explorer Processes
                           for Zone Elevation is not
                           enabled. (Reserved)
  PDI      VMSID     CAT           Requirement            Vulnerability   Status   Finding Notes

DTBI612   V0015569    II   Internet Explorer Processes
                           for Zone Elevation is not
                           enabled. (Explorer)

DTBI614   V0015570    II   Internet Explorer Processes
                           for Zone Elevation is not
                           enabled. (IExplore)

DTBI630   V0015556    II   Internet Explorer Processes
                           for Download prompt is not
                           enabled. (Reserved)

DTBI635   V0015557    II   Internet Explorer Processes
                           for Download prompt is not
                           enabled. (Explorer)

DTBI640   V0015558    II   Internet Explorer Processes
                           for Download prompt is not
                           enabled. (IExplore)

DTBI645   V0015559    II   Internet Explorer Processes
                           for restricting pop-up
                           windows is not enabled.
                           (Reserved)
DTBI647   V0015571    II   Internet Explorer Processes
                           for restricting pop-up
                           windows is not enabled.
                           (Explorer)
DTBI649   V0015572    II   Internet Explorer Processes
                           for restricting pop-up
                           windows is not enabled.
                           (IExplorer)
DTBI650   V0015560    II   Run .NET Framework-reliant
                           components not signed with
                           Authenticode are not
                           disabled.
DTBI655   V0015561    II   Run .NET Framework-reliant
                           components signed with
                           Authenticode are not
                           disabled.
DTBI670   V0015562    II   Scripting of Java applets is
                           not disabled.
DTBI675   V0015563    II   Turn off changing the URL to
                           be displayed for checking
                           updates to Internet Explorer
                           and Internet Tools is not
                           disabled.

DTBI680   V0015564    II   Turn off configuring the
                           update check interval is not
                           disabled.
DTBI685   V0015573    II   Configure Outlook Express
                           is not disabled.
  PDI      VMSID     CAT           Requirement             Vulnerability   Status   Finding Notes

DTBI690   V0015574    II   Disable AutoComplete for
                           forms is not enabled.
DTBI695   V0015575    II   Disable external branding of
                           Internet Explorer is not
                           enabled.
DTBI697   V0014245   III   Internet Explorer - Do not
                           allow users to enable or
                           disable add-ons.
DTBI705   V0015577    II   Disable the Reset Web
                           Settings feature is not
                           enabled.
DTBI715   V0015579    II   Turn off Crash Detection is
                           not enabled.
DTBI720   V0015580    II   Turn off page transitions is
                           not enabled.
DTBI725   V0015581    II   Turn on the auto-complete
                           feature for user names and
                           passwords on forms are not
                           disabled.
DTBI730   V0015582    II   Turn on the Internet
                           Connection Wizard Auto
                           Detect is not disabled.
DTBI740   V0022108    II   Turn off Managing
                           SmartScreen Filter property
                           is not properly set.
DTBI750   V0022147   III   Include updated Web site
                           lists from Microsoft is
                           disabled.
DTBI760   V0022148    II   Delete Browsing History on
                           exit is disabled.
DTBI770   V0022149    II   Prevent Deleting Web sites
                           that the User has Visited is
                           enabled.
DTBI780   V0022150    II   Turn off InPrivate Browsing
                           is enabled.
DTBI800   V0022152    II   Allow scripting of Internet
                           Explorer web browser
                           control property is set
                           (Internet Zone).
DTBI810   V0022153    II   Include local directory path
                           when uploading files to a
                           server property is properly
                           set.
DTBI820   V0022154    II   Launching programs and
                           unsafe files property is
                           properly set (Internet Zone).
DTBI830   V0022155    II   Only allow approved
                           domains to use ActiveX
                           controls without prompt
                           property is properly set
                           (Internet Zone).
  PDI      VMSID     CAT           Requirement              Vulnerability   Status   Finding Notes

DTBI840   V0022156    II   Turn on Cross-Site Scripting
                           (XSS) Filter property is
                           properly set (Internet Zone).

DTBI850   V0022157    II   Allow scripting of Internet
                           Explorer web browser
                           control property is properly
                           configured (Restricted Sites
                           Zone).
DTBI860   V0022158    II   Include local directory path
                           when uploading files to a
                           server is properly set
                           (Restricted Sites Zone).
DTBI870   V0022159    II   Launching programs and
                           unsafe files property is
                           properly set (Restricted Sites
                           Zone).
DTBI880   V0022160    II   Only allow approved
                           domains to use ActiveX
                           controls without prompt
                           property is properly set
                           (Restricted Sites Zone).
DTBI890   V0022161    II   Turn on Cross-Site Scripting
                           (XSS) Filter property is
                           properly set (Restricted Sites
                           Zone).
DTBI900   V0022171    II   Internet Explorer Processes
                           Restrict ActiveX Install
                           (Reserved) property is
                           properly set.
DTBI910   V0022634    II   Allow status bar updates via
                           script (Internet Zone)
                           property is properly set.
DTBI920   V0022635    II   Run .NET Framework-reliant
                           components not signed with
                           Authenticode (Internet Zone)
                           property is properly set.

DTBI930   V0022636    II   Run .NET Framework-reliant
                           components signed with
                           Authenticode (Internet Zone)
                           property is properly set.

DTBI940   V0022637    II   Allow Scriptlets (Restricted
                           Sites Zone) property is
                           properly set.
DTBI950   V0022638    II   Allow status bar updates via
                           script (Restricted Sites Zone)
                           property is properly set.
[Applicable-browser column for the DTBI rows above (values: Firefox; IE6; IE7; IE8), extracted separately from the table; the row-to-browser alignment was lost in extraction.]
    PDI      VMSID CAT            Requirement                 Vulnerability   Status   Finding Notes
BTS-IAP-100    V0014344   II    The IAP ingress and egress filters bound to all interfaces are not the most current as directed by JTF-GNO.
BTS-IAP-110    V0014345   II    JTF-GNO instructions on implementing exceptions to the IAP filters are not followed.
BTS-IPv6-100   V0014352   II    IPv6 is enabled on unauthorized interfaces.
BTS-IPv6-110   V0014357   II    IPv6 traffic is tunneled using a method other than IPv4 or GRE encapsulation.
BTS-IPv6-120   V0014359   II    IPv6 is enabled on unauthorized 6to4 and 6to4 relay router interfaces.
BTS-IPv6-130   V0014360   II    6to4 router is accepting native IPv6 packets without access to a 6to4 relay router.
BTS-IPv6-140   V0014361   II    6to4 relay router accepts IPv6 packets from the IPv6 network with a destination prefix other than 2002::/16.
BTS-IPv6-150   V0014362   II    6to4 router is configured to accept tunneled IPv6 traffic from undocumented sources.
BTS-IPv6-160   V0014363   II    6to4 relay router is configured to accept tunneled IPv6 traffic from undocumented sources.
BTS-IPv6-170   V0014364   II    6PE router at the backbone edge is not configured to tunnel all IPv6 traffic using MPLS encapsulation.
BTS-IPv6-180   V0014365   II    IPv6 is enabled on unauthorized 6PE router interfaces.
BTS-IPv6-190   V0014366   II    CE-facing interfaces on the 6PE router accept MPLS traffic.
BTS-MCAST-010  V0012652   II    Protocol Independent Multicast (PIM) is not disabled on all interfaces that are not required to support multicast routing.
BTS-MCAST-015  V0014342   III   PIM neighbor filter is not bound to interfaces that have PIM enabled.
BTS-MCAST-020  V0012653   III   The PIM router's receive path or interface filter does not validate the source address for all traffic destined to the "all PIM routers" address (224.0.0.13).
BTS-MCAST-030  V0012654   III   Customer-facing interfaces on the PIM router do not block inbound and outbound administratively-scoped multicast traffic.
BTS-MCAST-035  V0014343   III   Customer-facing interfaces do not block inbound and outbound Auto-RP discovery and announcement messages.
BTS-MCAST-040  V0012655   III   PIM router accepts BSR messages.
BTS-MCAST-050  V0012656   III   RP router is not configured to limit the multicast forwarding cache to ensure that its resources are not saturated managing an overwhelming number of PIM and MSDP SA entries.
BTS-MCAST-060  V0012657   III   The RP router peering with customer PIM-SM routers has not been configured with a PIM import policy to block join and registration messages for reserved, Martian, single-source multicast (SSM), and any other undesirable multicast groups, as well as any Bogon source addresses.
BTS-MCAST-070  V0012659   II    The Multicast Source Discovery Protocol (MSDP) router's receive path or interface filter is not configured to accept MSDP packets only from known MSDP peers.
BTS-MCAST-080  V0012660   I     MSDP packets received by an MSDP router are not authenticated using MD5 passwords.
BTS-MCAST-090  V0012383   II    MD5 passwords used for MSDP sessions with each peering customer network are not unique.
BTS-MCAST-100  V0012661   III   The MSDP router peering with customer MSDP routers has not been configured with an import policy to block source-active (SA) multicast advertisements for reserved, Martian, single-source multicast (SSM), and any other undesirable multicast groups, as well as any SA messages with Bogon source addresses.
BTS-MCAST-110  V0012662   III   An export policy has not been configured on the MSDP router to avoid global visibility of multicast (S,G) states local to the IP core.
BTS-MCAST-120  V0012663   III   The MSDP cache table is not configured to limit the SA count globally, as well as on a per-peer and a per-source basis.
BTS-MCAST-130  V0012388   II    Each VPN customer is not assigned a unique Default-MDT to keep its multicast data and control traffic separate from global as well as other customers' multicast traffic.
BTS-MCAST-140  V0012389   II    Each VPN customer is not assigned a unique pool of Data-MDTs to keep its multicast data traffic separate from global as well as other customers' multicast traffic.
BTS-MCAST-150  V0012392   III   Group addresses assigned for both the Default-MDT and Data-MDTs are not from the Administratively Scoped IP Multicast range defined in RFC 2365.
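Several of the BTS-IPv6 and BTS-MCAST rows above describe a concrete device configuration state rather than a process, which means an assessor can check them against an exported configuration instead of by inspection. The script below is an added example, not part of the DIACAP scorecard or any DISA tool: it tests a constructed configuration for BTS-IPv6-140 (the 6to4 relay's native-IPv6 side admits only destinations inside 2002::/16), BTS-MCAST-015 and -040 (neighbor filter on every PIM interface, no BSR acceptance on customer-facing interfaces) and BTS-MCAST-080/090/120 (MD5 password on every MSDP peer, no password shared between peers, a per-peer SA limit). The command syntax is Cisco IOS, which is an assumption since the scorecard is vendor-neutral; the configuration, interface names, ACL names and peer addresses are constructed for the example, and which interfaces are "native IPv6" or "customer-facing" is an input the assessor takes from the design documentation.

```python
"""Audit an exported router configuration for a few of the BTS-IPv6 / BTS-MCAST
checks (BTS-IPv6-140, BTS-MCAST-015/040/080/090/120).

Added example, not part of the DIACAP scorecard. Command syntax is Cisco IOS
(an assumption; the scorecard is vendor-neutral). The configuration, interface
names, ACL names and peer addresses below are constructed for the example.
"""
import re

CONSTRUCTED_CONFIG = """
ipv6 access-list SIXTO4-IN
 permit ipv6 any 2002::/16
 deny ipv6 any any log
!
ip access-list standard PIM-NEIGHBORS
 permit 10.1.1.0 0.0.0.255
!
interface GigabitEthernet0/0
 description native IPv6 side of the 6to4 relay
 ipv6 address 2001:db8:1::1/64
 ipv6 traffic-filter SIXTO4-IN in
!
interface GigabitEthernet0/1
 description customer-facing PIM interface
 ip address 10.1.1.1 255.255.255.0
 ip pim sparse-mode
 ip pim neighbor-filter PIM-NEIGHBORS
 ip pim bsr-border
!
interface GigabitEthernet0/2
 description second PIM interface, neighbor filter forgotten
 ip address 10.2.2.1 255.255.255.0
 ip pim sparse-mode
!
ip msdp peer 192.0.2.10 connect-source Loopback0
ip msdp password peer 192.0.2.10 s3cr3t-one
ip msdp sa-limit 192.0.2.10 500
ip msdp peer 192.0.2.20 connect-source Loopback0
ip msdp password peer 192.0.2.20 s3cr3t-one
"""


def interfaces(cfg):
    """Map each 'interface X' block to its indented lines (whitespace stripped)."""
    return {m.group(1): [l.strip() for l in m.group(2).splitlines()]
            for m in re.finditer(r"^interface (\S+)\n((?: .*\n?)*)", cfg, re.M)}


def acl_entries(cfg, kind, name):
    """Entries of 'ipv6 access-list NAME' (kind='ipv6') or 'ip access-list standard|extended NAME' (kind='ip')."""
    m = re.search(rf"^{kind} access-list (?:\w+ )?{re.escape(name)}\n((?: .*\n?)*)", cfg, re.M)
    return [l.strip() for l in m.group(1).splitlines()] if m else []


def check_6to4_relay_filter(cfg, native_ifaces):
    """BTS-IPv6-140: each native-IPv6 interface of the relay needs an inbound
    traffic-filter whose permit entries all name 2002::/16 as the destination
    and which ends in an explicit deny."""
    findings, ifs = [], interfaces(cfg)
    for name in native_ifaces:
        lines = ifs.get(name, [])
        tf = [l.split()[2] for l in lines if l.startswith("ipv6 traffic-filter ") and l.endswith(" in")]
        if not tf:
            findings.append(f"{name}: no inbound IPv6 traffic-filter (BTS-IPv6-140)")
            continue
        entries = acl_entries(cfg, "ipv6", tf[0])
        permits_ok = all(re.match(r"permit \S+ \S+ 2002::/16(\s|$)", e)
                         for e in entries if e.startswith("permit"))
        if not entries or not permits_ok or not entries[-1].startswith("deny"):
            findings.append(f"{name}: filter {tf[0]} admits destinations outside 2002::/16 (BTS-IPv6-140)")
    return findings


def check_pim_interfaces(cfg, customer_facing):
    """BTS-MCAST-015: every PIM-enabled interface needs a neighbor filter.
    BTS-MCAST-040: customer-facing PIM interfaces must not accept BSR messages."""
    findings = []
    for name, lines in interfaces(cfg).items():
        if not any(l.startswith("ip pim sparse") or l.startswith("ip pim dense") for l in lines):
            continue
        if not any(l.startswith("ip pim neighbor-filter ") for l in lines):
            findings.append(f"{name}: PIM enabled without ip pim neighbor-filter (BTS-MCAST-015)")
        if name in customer_facing and "ip pim bsr-border" not in lines:
            findings.append(f"{name}: customer-facing PIM interface without ip pim bsr-border (BTS-MCAST-040)")
    return findings


def check_msdp_peers(cfg):
    """BTS-MCAST-080/090/120: every MSDP peer needs an MD5 password, passwords
    must not be shared between peers, and each peer needs an SA limit."""
    peers = re.findall(r"^ip msdp peer (\S+)", cfg, re.M)
    passwords = dict(re.findall(r"^ip msdp password peer (\S+) (?:\d+ )?(\S+)", cfg, re.M))
    limited = set(re.findall(r"^ip msdp sa-limit (\S+) \d+", cfg, re.M))
    findings = []
    for p in peers:
        if p not in passwords:
            findings.append(f"MSDP peer {p}: no MD5 password (BTS-MCAST-080)")
        if p not in limited:
            findings.append(f"MSDP peer {p}: no per-peer SA limit (BTS-MCAST-120)")
    first_user = {}  # password -> first peer seen with it
    for p, pw in passwords.items():
        if pw in first_user:
            findings.append(f"MSDP peers {first_user[pw]} and {p} share an MD5 password (BTS-MCAST-090)")
        first_user.setdefault(pw, p)
    return findings


if __name__ == "__main__":
    for f in (check_6to4_relay_filter(CONSTRUCTED_CONFIG, ["GigabitEthernet0/0"])
              + check_pim_interfaces(CONSTRUCTED_CONFIG, {"GigabitEthernet0/1"})
              + check_msdp_peers(CONSTRUCTED_CONFIG)):
        print("FINDING:", f)
```

On the constructed configuration the 6to4 filter passes, GigabitEthernet0/2 is reported for the missing neighbor filter, and the second MSDP peer is reported twice: once for the missing SA limit and once because it reuses the first peer's password. The checks are deliberately literal (a permit that names anything but 2002::/16 as destination fails the filter check) because the scorecard rows are phrased as hard requirements, not heuristics.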
BTS-MGMT-010   V0012394   I     All network devices are not located in a secure room with limited access.
BTS-MGMT-030   V0012674   II    Login warning banner is not configured on the network device.
BTS-MGMT-040   V0012675   I     Access to the network component does not require an account identifier and password.
BTS-MGMT-050   V0012676   I     Default and backdoor accounts have not been removed.
BTS-MGMT-060   V0012677   II    Expired or unauthorized accounts are not removed from the device.
BTS-MGMT-070   V0012678   II    Each system administrator is not assigned an individual account and password for the purpose of administrative access. CAVEAT: If documented in the SSAA, group accounts can be used for network management workstations located in a controlled access area.
BTS-MGMT-075   V0012679   II    Accounts are not assigned the lowest privilege level that allows system administrators and engineers to perform their duties.
BTS-MGMT-080   V0012396   III   A formal process for granting, creating, deleting, and distributing accounts is not implemented, or the process does not include an authorization form and a registration authority to ensure that only authorized users gain management access to network devices.
BTS-MGMT-085   V0012398   III   A log is not maintained that records the creation, deletion, and distribution of all accounts.
BTS-MGMT-090   V0012680   II    More than one emergency account is configured, or the account does not default to the lowest authorization level.
BTS-MGMT-095   V0012399   III   The emergency account log is not reviewed periodically to ensure emergency accounts are changed at regular intervals and are not compromised in any way.
BTS-MGMT-096   V0012699   II    Usernames and passwords of all emergency accounts are not stored in a sealed envelope kept in a safe or on a file server attached to the classified network.
BTS-MGMT-100   V0012681   I     The network device is not password protected.
BTS-MGMT-105   V0012401   I     Passwords are not set up and maintained in accordance with DODI 8500.2 IAIA-1 and IAIA-2.
BTS-MGMT-110   V0012682   I     Default manufacturer passwords are not removed or changed on the device.
BTS-MGMT-120   V0012402   II    Passwords are not encrypted both for storage and for transmission.
BTS-MGMT-130   V0012683   II    An authentication server is not being used to authenticate all users prior to acquiring administrative access to the device.
BTS-MGMT-135   V0012698   II    The authentication server is not compliant with the security requirements specified in the appropriate operating system STIG.
BTS-MGMT-140   V0012684   II    Two-factor authentication is not used to authenticate all users prior to acquiring administrative access to the device.
BTS-MGMT-145   V0012685   III   Two or more authentication servers are not configured to support user authentication for administrative access to the device.
BTS-MGMT-150   V0014374   III   The key configured on the authentication server used for communication with clients is not unique.
BTS-MGMT-160   V0012405   I     Keys are not set up and maintained in accordance with DODI 8500.2 IAIA-1 and IAIA-2.
BTS-MGMT-165   V0012406   II    A key management policy is not implemented to include key generation, distribution, storage, usage, lifetime duration, and destruction of all keys used for encryption within the backbone infrastructure.
BTS-MGMT-170   V0012408   II    Key lifetime exceeds 180 days for Type 3 encryptors or 30 days for Type 1 encryptors.
BTS-MGMT-175   V0012686   I     Key chains are used and no key within the chain is configured with an infinite lifetime, or the infinite-lifetime key is not changed 7 days after the rotating keys have expired and have been redefined.
BTS-MGMT-190   V0012411   II    All backbone network components were not IAVM compliant prior to connecting the component to the backbone network.
BTS-MGMT-200   V0012412   III   IAVM notices are not responded to within the specified time period.
BTS-MGMT-210   V0012747   I     Unsupported network components are being used within the backbone network infrastructure.
BTS-MGMT-220   V0012687   II    Software or firmware versions are not upgraded on all network components as directed by the PMO.
BTS-MGMT-230   V0012754   III   Documented procedures are not used for upgrading or deploying new approved software.
BTS-MGMT-240   V0012418   III   Testing procedures for new or upgraded hardware or software are not maintained.
BTS-MGMT-250   V0012419   III   Baseline configurations for all network components are not maintained with incremental backups.
BTS-MGMT-260   V0012420   III   File servers used for network element configuration management are not located on the out-of-band network or are not restricted to authorized personnel. Caveat: File servers used for classified network element configuration management are not required to be accessed via an out-of-band network.
BTS-MGMT-270   V0012421   II    OSS LAN is not configured IAW the Network Infrastructure STIG.
BTS-MGMT-280   V0012422   II    OSS servers and workstations are not configured IAW the appropriate OS STIG.
BTS-MGMT-290   V0012423   I     The OOBM network (DCN) is not configured IAW the Network Infrastructure STIG.
BTS-MGMT-300   V0012424   II    Dial-up connections for managing network elements do not use FIPS 140-2 compliant encryption to protect information in transit.
BTS-MGMT-310   V0012688   II    Management dial-up connections are not authenticated using two-factor authentication.
BTS-MGMT-320   V0012691   III   Communication server is not configured to use CHAP authentication of authorized users prior to allowing the PPP connection.
BTS-MGMT-325   V0014375   III   Communication server is not configured to use CHAP authentication or to enable callback to authorized phone numbers prior to allowing the PPP connection.
BTS-MGMT-330   V0012692   II    The network element is not configured to time out an idle user session at 15 minutes or less.
BTS-MGMT-340   V0012693   II    In-band management connection to the device is not encrypted using FIPS 140-2 compliant cryptography.
BTS-MGMT-350   V0012694   II    OOBM interfaces, or a console port connected to a terminal access server, are not used to connect to the DCN. CAVEAT: If OOBM interfaces are not available for a layer-3 device, this finding can be downgraded to a Category III if the device is configured, using interface filters and route policies, to ensure management traffic and route advertisements do not leak from the management network into the transit network and vice versa.
BTS-MGMT-355   V0014376   II    A modem is connected to the network component.
BTS-MGMT-360   V0012425   III   Optical link used for the Optical Supervisory Channel (OSC) exceeds 20 spans, or there is not a DCN connection at the near and far end OTS terminals.
BTS-MGMT-370   V0012695   I     SNMP Version 3 Security Model (both SHA packet authentication and DES encryption of the PDU) is not used across the entire network infrastructure. CAVEAT: If Version 1 or Version 2 is being used with all of the appropriate patches to mitigate the known security vulnerabilities, this finding can be downgraded to a Category II. If Version 1 or Version 2 is being used with all of the appropriate patches and the PMO has developed a migration plan to implement the Version 3 Security Model, this finding can be downgraded to a Category III.
BTS-MGMT-380   V0012696   I     SNMP community strings or usernames are not changed from the default values, or they match other password values.
BTS-MGMT-390   V0012697   II    Different community names or usernames are not used for read-only access and read-write access, or write access was enabled without approval by the IAO.
BTS-MGMT-400   V0012426   III   There is no standard operating procedure (SOP) for managing SNMP community strings and usernames that covers the following: community string and username expiration period; community string and username creation complying with the password requirements outlined in Section 5.2.3, Passwords; and SNMP community string and username distribution, including determination of membership.
BTS-MGMT-410   V0012664   III   A centralized syslog server is not deployed and configured to store all syslog messages for a minimum of 30 days and then store them offline for one year.
BTS-MGMT-420   V0012665   III   The syslog server is not configured to collect syslog messages from levels 0 through 6 at a minimum.
BTS-MGMT-430   V0012666   III   The syslog server is not configured to accept messages only from authorized devices and administrative access only from trusted management workstations, by restricting access via source IP address and destination port.
BTS-MGMT-440   V0014377   III   The syslog server is connected to a network that is not the management network.
BTS-MGMT-450   V0014378   II    The syslog server is not configured IAW the respective OS STIG.
BTS-MGMT-460   V0014379   III   An HIDS is not implemented on the syslog server to provide access control for the syslog data as well as the necessary protection against unauthorized user and service access.
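Of the BTS-MGMT rows above, those that describe a device setting (banner, authentication server, idle timeout, SNMP model and community strings, syslog destination and trap level) can be verified from the exported configuration before the assessor looks at process evidence. The script below is an added example, not part of the DIACAP scorecard or any DISA tool, and checks a constructed configuration for BTS-MGMT-030, -130, -145, -330, -370, -380, -390, -410 and -420. Command syntax is Cisco IOS (an assumption; the scorecard is vendor-neutral), and the configuration, addresses, community strings and credentials are constructed for the example. Two IOS defaults the checks rely on are noted in the code: with no `exec-timeout` a line times out after 10 minutes, and with no `logging trap` the device sends severities up to informational (6).

```python
"""Audit an exported router configuration for the device-management checks
BTS-MGMT-030, -130, -145, -330, -370, -380, -390, -410 and -420.

Added example, not part of the DIACAP scorecard. Command syntax is Cisco IOS
(an assumption; the scorecard is vendor-neutral). The configuration, addresses,
community strings and credentials below are constructed for the example.
"""
import re

CONSTRUCTED_CONFIG = """
aaa new-model
aaa authentication login default group tacacs+ local
tacacs-server host 10.0.0.5
tacacs-server host 10.0.0.6
banner login ^C
Unauthorized access to this device is prohibited.
^C
snmp-server community public RO
snmp-server community backbone-rw RW
snmp-server group NMS-GROUP v3 priv
snmp-server user nmsuser NMS-GROUP v3 auth sha Auth-Pass-1 priv des Priv-Pass-1
logging host 10.0.0.9
logging trap informational
line con 0
 exec-timeout 5 0
line vty 0 4
 exec-timeout 30 0
 transport input ssh
"""

# IOS syslog severity keywords; list index == numeric severity.
SEVERITIES = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging"]


def check_snmp(cfg):
    """BTS-MGMT-370/380/390: SNMPv3 with SHA authentication and PDU encryption,
    no default community strings, distinct read-only and read-write names."""
    findings = []
    communities = re.findall(r"^snmp-server community (\S+) (RO|RW)", cfg, re.M)
    for name, mode in communities:
        if name.lower() in {"public", "private"}:
            findings.append(f"default community string '{name}' ({mode}) still configured (BTS-MGMT-380)")
    ro = {n for n, m in communities if m == "RO"}
    rw = {n for n, m in communities if m == "RW"}
    if ro & rw:
        findings.append(f"community string(s) {sorted(ro & rw)} used for both RO and RW (BTS-MGMT-390)")
    v3 = re.findall(r"^snmp-server user \S+ \S+ v3 auth (\S+) \S+ priv (\S+)", cfg, re.M)
    if not v3:
        findings.append("no SNMPv3 user with authentication and privacy (BTS-MGMT-370)")
    for auth, priv in v3:
        # The scorecard names SHA and DES; accepting 3DES/AES for privacy is this example's assumption.
        if auth.lower() != "sha" or priv.lower() not in {"des", "3des", "aes"}:
            findings.append(f"SNMPv3 user uses auth {auth} / priv {priv}, not SHA with PDU encryption (BTS-MGMT-370)")
    return findings


def check_exec_timeout(cfg, max_minutes=15):
    """BTS-MGMT-330: every line (con, aux, vty) must drop idle sessions at 15 minutes
    or less. IOS defaults to 10 minutes when exec-timeout is absent (treated as
    compliant here); 'exec-timeout 0 0' disables the timer."""
    findings = []
    for m in re.finditer(r"^line (.+)\n((?: .*\n?)*)", cfg, re.M):
        t = re.search(r"^ exec-timeout (\d+)(?: (\d+))?", m.group(2), re.M)
        if not t:
            continue
        secs = int(t.group(1)) * 60 + int(t.group(2) or 0)
        if secs == 0:
            findings.append(f"line {m.group(1)}: idle timeout disabled (BTS-MGMT-330)")
        elif secs > max_minutes * 60:
            findings.append(f"line {m.group(1)}: exec-timeout {t.group(1)} min exceeds {max_minutes} (BTS-MGMT-330)")
    return findings


def check_syslog(cfg):
    """BTS-MGMT-410/420: a remote syslog host is configured and the trap level
    includes severities 0 through 6. IOS sends up to informational (6) when no
    'logging trap' line is present."""
    findings = []
    if not re.search(r"^logging (?:host )?\d+\.\d+\.\d+\.\d+", cfg, re.M):
        findings.append("no remote syslog host configured (BTS-MGMT-410)")
    m = re.search(r"^logging trap (\S+)", cfg, re.M)
    level = 6
    if m:
        level = SEVERITIES.index(m.group(1)) if m.group(1) in SEVERITIES else int(m.group(1))
    if level < 6:
        findings.append(f"logging trap level {level} drops severities {level + 1}-6 (BTS-MGMT-420)")
    return findings


def check_banner_and_aaa(cfg):
    """BTS-MGMT-030: a login warning banner. BTS-MGMT-130/145: logins authenticated
    by an external server, with at least two servers configured."""
    findings = []
    if not re.search(r"^banner (?:login|motd) ", cfg, re.M):
        findings.append("no login warning banner (BTS-MGMT-030)")
    if not re.search(r"^aaa authentication login \S+ group (?:tacacs\+|radius)", cfg, re.M):
        findings.append("logins are not authenticated by a TACACS+/RADIUS server (BTS-MGMT-130)")
    servers = set(re.findall(r"^(?:tacacs|radius)-server host (\S+)", cfg, re.M))
    if len(servers) < 2:
        findings.append(f"only {len(servers)} authentication server(s) configured (BTS-MGMT-145)")
    return findings


def audit(cfg):
    return check_snmp(cfg) + check_exec_timeout(cfg) + check_syslog(cfg) + check_banner_and_aaa(cfg)


if __name__ == "__main__":
    for f in audit(CONSTRUCTED_CONFIG):
        print("FINDING:", f)
```

On the constructed configuration the audit reports exactly two findings: the `public` read-only community (BTS-MGMT-380) and the 30-minute idle timeout on the vty lines (BTS-MGMT-330). The SNMPv3 user, the two TACACS+ servers, the banner and the informational trap level all pass. Note that a device's running configuration does not display `snmp-server user` lines; on real equipment that check would be made against `show snmp user` output rather than the saved config.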
BTS-MGMT-510   V0012427   II    A COOP is not developed or is not maintained, or the COOP is not being exercised periodically to provide continuous operational services of the backbone network. At a minimum, the COOP must be exercised semi-annually for MAC I networks and annually for MAC II and III networks.
BTS-MGMT-520   V0012428   II    The COOP plan does not include the identification, procurement, inventory, storage, and deployment of all critical spare parts, specifically those parts that can service single points of failure.
BTS-MGMT-530   V0012430   II    The COOP plan does not establish procedures for a smooth transition of mission essential backbone network functions, to include management, operation, and monitoring.
BTS-MPLS-010   V0012638   I     Not all CE-facing interfaces on a PE router providing MPLS VPN services are bound to a VRF.
BTS-MPLS-020   V0012639   II    A CE-facing interface on a PE router providing MPLS VPN services is configured to accept MPLS traffic.
BTS-MPLS-030   V0012640   III   A route policy has not been implemented to ensure routes contained within any VRF used for PE-CE links are not advertised to any customer networks.
BTS-MPLS-040   V0012431   I     A unique RD is not assigned for each VPN.
BTS-MPLS-050   V0012641   I     Incorrect RDs are configured for some VRFs.
BTS-MPLS-060   V0012642   I     VRFs are not bound to the proper CE-facing interface.
BTS-MPLS-070   V0012643   I     Incorrect RT is configured for a VRF.
BTS-MPLS-080   V0012432   II    Junior engineers who are not trained in the design of MPLS VPN networks are authorized to configure VRF information, including RT and RD and their associated import and export route policies.
BTS-MPLS-085   V0014338   II    PE-ASBR-facing interfaces are not bound to a VRF for a VRF-to-VRF implementation on the PE-ASBR router.
BTS-MPLS-086   V0014339   III   PE-ASBR-facing interfaces on a PE-ASBR are configured to accept MPLS traffic for a VRF-to-VRF implementation.
BTS-MPLS-087   V0014340   II    PE-ASBR-facing interfaces for a VRF-to-VRF implementation are not bound to the correct VPN.
BTS-MPLS-090   V0012644   III   Route-target filtering is not configured to import and export only those route advertisements with RTs that represent the inter-AS VPNs provisioned by the AS.
BTS-MPLS-100   V0012645   III   The PE-ASBR leaks IPv4 routes to the adjacent AS across the MP-eBGP connection.
BTS-MPLS-110   V0014341   II    Multi-hop eBGP redistribution of labeled VPN-IPv4 routes between source and destination ASes is used to implement inter-AS VPN connectivity.
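The BTS-MPLS-010 through -070 rows are all statements about a PE router's VRF configuration compared with what was provisioned for each customer: the RD and RT each VPN was assigned, and which CE-facing interfaces belong to it. That comparison is mechanical once the provisioning record is in machine-readable form, so the script below (an added example, not part of the DIACAP scorecard or any DISA tool) parses a constructed PE configuration and checks it against a constructed provisioning record for duplicate RDs (-040), RDs and RTs that differ from provisioning (-050, -070), CE-facing interfaces not bound to the right VRF or to any VRF (-010, -060), and CE-facing interfaces that still accept MPLS traffic (-020). Command syntax is Cisco IOS (an assumption; the scorecard is vendor-neutral); the VPN names, RD/RT values, interface names and the provisioning record are all constructed for the example.

```python
"""Compare a PE router's VRF configuration against the provisioning record
(BTS-MPLS-010, -020, -040, -050, -060, -070).

Added example, not part of the DIACAP scorecard. Configuration syntax is Cisco
IOS (an assumption); the configuration, VPN names, RDs/RTs, interface names and
the provisioning record below are constructed for the example.
"""
import re

CONSTRUCTED_CONFIG = """
ip vrf CUST-A
 rd 65000:100
 route-target export 65000:100
 route-target import 65000:100
!
ip vrf CUST-B
 rd 65000:100
 route-target export 65000:200
 route-target import 65000:200
!
interface GigabitEthernet0/0
 description core-facing
 ip address 10.0.0.1 255.255.255.252
 mpls ip
!
interface GigabitEthernet0/1
 description CE-facing, CUST-A
 ip vrf forwarding CUST-A
 ip address 192.168.1.1 255.255.255.252
!
interface GigabitEthernet0/2
 description CE-facing, CUST-B (mpls ip left enabled by mistake)
 ip vrf forwarding CUST-B
 ip address 192.168.2.1 255.255.255.252
 mpls ip
!
interface GigabitEthernet0/3
 description CE-facing, CUST-C (VRF never applied)
 ip address 192.168.3.1 255.255.255.252
"""

# Constructed provisioning record: the RD, RT and CE-facing interfaces each VPN should have.
PROVISIONED = {
    "CUST-A": {"rd": "65000:100", "rt": "65000:100", "ce_interfaces": ["GigabitEthernet0/1"]},
    "CUST-B": {"rd": "65000:200", "rt": "65000:200", "ce_interfaces": ["GigabitEthernet0/2"]},
    "CUST-C": {"rd": "65000:300", "rt": "65000:300", "ce_interfaces": ["GigabitEthernet0/3"]},
}


def vrfs(cfg):
    """Map each 'ip vrf NAME' / 'vrf definition NAME' block to its RD and route targets."""
    out = {}
    for m in re.finditer(r"^(?:ip vrf|vrf definition) (\S+)\n((?: .*\n?)*)", cfg, re.M):
        body = m.group(2)
        rd = re.search(r"^ rd (\S+)", body, re.M)
        out[m.group(1)] = {
            "rd": rd.group(1) if rd else None,
            "export": set(re.findall(r"^ route-target (?:export|both) (\S+)", body, re.M)),
            "import": set(re.findall(r"^ route-target (?:import|both) (\S+)", body, re.M)),
        }
    return out


def interface_blocks(cfg):
    """Map each 'interface X' block to its raw indented body."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"^interface (\S+)\n((?: .*\n?)*)", cfg, re.M)}


def audit_pe(cfg, provisioned):
    findings, cfg_vrfs, ifaces = [], vrfs(cfg), interface_blocks(cfg)
    # BTS-MPLS-040: an RD must not be reused by two VRFs on the PE.
    first = {}
    for name, v in cfg_vrfs.items():
        if v["rd"] in first:
            findings.append(f"RD {v['rd']} reused by {first[v['rd']]} and {name} (BTS-MPLS-040)")
        first.setdefault(v["rd"], name)
    for vpn, spec in provisioned.items():
        v = cfg_vrfs.get(vpn)
        if v is None:
            findings.append(f"VRF {vpn} is not configured (BTS-MPLS-060)")
        else:
            if v["rd"] != spec["rd"]:
                findings.append(f"VRF {vpn}: RD {v['rd']} differs from provisioned {spec['rd']} (BTS-MPLS-050)")
            if v["export"] != {spec["rt"]} or v["import"] != {spec["rt"]}:
                findings.append(f"VRF {vpn}: RTs {sorted(v['export'] | v['import'])} differ from provisioned {spec['rt']} (BTS-MPLS-070)")
        for iface in spec["ce_interfaces"]:
            body = ifaces.get(iface, "")
            bound = re.search(r"^ (?:ip )?vrf forwarding (\S+)", body, re.M)
            if bound is None:
                findings.append(f"{iface}: CE-facing interface not bound to any VRF (BTS-MPLS-010)")
            elif bound.group(1) != vpn:
                findings.append(f"{iface}: bound to VRF {bound.group(1)}, expected {vpn} (BTS-MPLS-060)")
            if re.search(r"^ mpls ip\b", body, re.M):
                findings.append(f"{iface}: CE-facing interface accepts MPLS traffic (BTS-MPLS-020)")
    return findings


if __name__ == "__main__":
    for f in audit_pe(CONSTRUCTED_CONFIG, PROVISIONED):
        print("FINDING:", f)
```

On the constructed input the audit reports five findings: the RD shared by CUST-A and CUST-B, CUST-B's RD differing from provisioning, `mpls ip` on CUST-B's CE-facing interface, the missing CUST-C VRF, and the CE-facing interface for CUST-C left in the global table. The RT check compares the configured import and export sets against the single provisioned RT, so a VRF that imports an extra RT (a cross-VPN leak) is reported under BTS-MPLS-070 as well.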
BTS-MSPP-010   V0012670   III   The MSPP does not log system events, circuit provisioning, user actions, and configuration changes.
BTS-MSPP-020   V0012433   II    A daily review of the MSPP audit data is not conducted by the system administrator or qualified personnel to determine if attempted attacks or inappropriate activity has occurred.
BTS-MSPP-030   V0012434   III   The MSPP audit logs are not backed up on a weekly basis or are not retained for at least one year.
BTS-MSPP-040   V0012671   III   The MSPP is not configured to synchronize its clock with a trusted stratum-1 SNTP server.
BTS-MSPP-050   V0012672   II    Unused MSPP interfaces are not set to out of service when not providing service.
BTS-OPTI-010   V0012435   I     SONET components are not installed in controlled areas that restrict access to only authorized personnel.
BTS-OPTI-020   V0012436   II    A semi-annual security analysis of a sample (20% or more) of the SONET components is not conducted and documented.
BTS-OPTI-030   V0012667   II    SONET payload scrambling is not enabled using a self-synchronous scrambler (1 + x^43) applied to all backbone-facing PoS interfaces of all PE routers as well as all P router and ADM PoS interfaces.
BTS-OPTI-040   V0012437   II    An attack detection method such as Wideband Power Detection, Optical Spectral Analysis, Pilot Tone, or Optical Time Domain Reflectometry is not used globally to detect and locate attacks.
BTS-OPTI-050   V0012438   II    Optical monitoring is not implemented at all service delivery nodes.
BTS-OPTI-060   V0012439   III   Additional monitoring points are not installed at regular intervals within the spans of the service delivery nodes.
BTS-OPTI-070   V0012441   I     OTDR scans are not performed on all new fiber spans before they are placed in production, or maintenance scans are not performed every six months.
BTS-OPTI-   V0012668 II OSPF is being used by
080                     ODXCs to determine the
                        optimum path for
                        dynamically provisioning a
                        circuit as well as for in-band
                        management routing without
                        MD5 authentication of the
                        link-state advertisements.

BTS-OPTI-   V0012669    II    LDP is being used on the
090                           control plane by ODXCs to
                              establish a circuit with
                              dynamic provisioning without
                              MD5 authentication.
BTS-OPTI-   V0012442    II    MD5 keys used for routing
100                           protocol authentication are
                              not changed every 180 days.

BTS-OPTI-   V0012443    I     The ITF and OTN facilities
110                           used for ULH connections are
                              not secured because 1) the
                              facility is not in a
                              government-controlled area
                              that allows access to only
                              authorized personnel using 2-
                              factor authentication, or 2)
                              access to the facility is not
                              monitored and limited to
                              essential and authorized
                              personnel, or 3) a visitor log
                              is not maintained.
BTS-OPTI-   V0012444    III   Diverse routes into and out
120                           of ITF and OTN facilities are
                              not engineered to reduce
                              risk of breaks to both fiber
                              segments residing in same
                              bundle, conduit, or right-of-
                              way.
BTS-OPTI-   V0012445    III   ULH connections are not
130                           created using carrier grade
                              transmission equipment
                              placed at Government
                              owned locations in order to
                              minimize the placement of
                              optical equipment in
                              commercial facilities.
BTS-OPTI-   V0012446 II Secured storage cabinets with
140                     locking doors that require 2-
                        factor authentication for
                        access are not used at ITFs to
                        house the fiber optic
                        equipment.

BTS-OPTI-   V0012447   III   Locking cabinet doors used
150                          at the ITFs are not equipped
                             with alarm sensors that
                             activate when doors are
                             opened or they do not report
                             to the GNSC or TNC within
                             its operating area via OOB in-
                             network circuits.

BTS-OPTI-   V0012448    I    Traffic traversing OCONUS
160                          DISN Core segments is not
                             bulk encrypted using NIST
                             certified Type III encryptors.

BTS-OPTI-   V0012449    I    SONET/SDH bulk encryptors
170                          are not deployed using Path
                             level encryption with Path
                             headers passed in the clear
                             wherever leased bandwidth
                             from commercial carriers is
                             used for transport.


BTS-OPTI-   V0012450    I    SONET/SDH bulk encryptors
180                          are not deployed using Line
                             level encryption with both
                             Section and Line overhead
                             encrypted wherever dark
                             fiber is used for transport.

BTS-OPTI-   V0012451    II   A COMSEC custodian is not
190                          assigned to manage the
                             SONET/SDH bulk encryption
                             devices and keys.

BTS-QoS-    V0012647    II   QoS policies are not
010                          configured on the PE router
                             to ensure all customer traffic
                             receives forwarding
                             treatment as specified in the
                             SLA.
BTS-QoS-   V0012648 III Traffic that is not in
030                     compliance with the
                        approved DSCP
                        classification is not placed
                        into the Scavenger class.
BTS-QoS-   V0012649 III Traffic not in compliance
040                     with the customer's SLA is
                        not placed into the
                        Scavenger class.
BTS-QoS-   V0012650 III QoS policing is not
050                     configured to validate the
                        use of classes reserved for
                        premium traffic and either
                        mark down or rate limit traffic
                        according to customer
                        projections and SLAs prior to
                        entering the core.

BTS-QoS-   V0012651    III   QoS policing has not been
060                          configured on the PE router
                             to mark down out-of-profile
                             traffic into the Scavenger
                             class.
BTS-QoS-   V0012727    II    QoS policies are not
070                          configured to ensure the
                             necessary congestion
                             management is
                             implemented. This will
                             include classifying all traffic
                             and defining queues with
                             appropriate service levels to
                             accommodate the different
                             traffic classes.
BTS-RAS-   V0014346    III   AAA server is not used to
100                          authenticate the subscriber's
                             LNS prior to establishing an
                             L2TP tunnel with the LNS.

BTS-RAS-   V0014347     I    AAA server configuration
110                          does not correctly map
                             domain names to the
                             appropriate VPN.
BTS-RAS-   V0014349    II    The AAA server does not
120                          proxy the challenge
                             response message to the
                             appropriate VPN's AAA
                             server to authenticate the
                             user.
BTS-RAS-   V0014350 III The RAS, NAS, or LAC
130                     device is not configured to
                        use CHAP authentication to
                        provide a challenge query to
                        the client prior to initiating
                        the L2TP connection to
                        validate the domain name
                        and user.
BTS-RAS-   V0014351 II AAA server is not used to
140                     validate the client's domain
                        name, username, and
                        password to the PPP
                        authentication challenge
                        prior to initiating the L2TP
                        connection.
BTS-RTR-   V0012559 II Neighbor authentication with
010                     MD5, SHA-1, or IPSec is not
                        implemented for all routing
                        protocols with all peer
                        routers within the same
                        autonomous system as well
                        as between autonomous
                        systems.
BTS-RTR-   V0014770 II MPLS signaling protocols
015                     deployed to build LSP
                        tunnels are not using a
                        secure hashing algorithm
                        such as MD5 or SHA-1 for
                        neighbor or message
                        authentication.
BTS-RTR-   V0012646 II The eBGP router does not
020                     have a unique key for each
                        eBGP neighbor that it peers
                        with.
BTS-RTR-   V0012452 II MD5 keys used for routing
030                     protocol authentication are
                        not changed every 180 days.

BTS-RTR-   V0012560    I   Key chains are being used
040                        but no key with an infinite
                           lifetime exists within the
                           chain, or the infinite-lifetime
                           key is not changed within
                           seven days after the rotating
                           keys expire and are
                           redefined.
BTS-RTR-   V0012561 II The eBGP router is not
050                    configured to reject inbound
                       route advertisements for any
                       Bogon prefixes and any
                       prefixes belonging to the IP
                       core.

BTS-RTR-   V0014316   II   The eBGP router is not
055                        configured to reject inbound
                           route advertisements for
                           any IPv6 prefixes unless the
                           prefixes are received from a
                           customer network and 6PE
                           is implemented to transport
                           those prefixes across the
                           backbone using MP-iBGP.


BTS-RTR-   V0012562   II   The eBGP router is not
060                        configured to reject inbound
                           route advertisements from a
                           CE router for prefixes that
                           are not allocated to that
                           customer.

BTS-RTR-   V0012563   II   BGP is not configured to
070                        filter outbound route
                           advertisements for prefixes
                           that are not allocated to or
                           belong to any GIG IP
                           customers.
BTS-RTR-   V0014317   II   The eBGP router is not
075                        configured to reject
                           outbound route
                           advertisements for any
                           IPv6 prefixes unless the
                           prefixes are for a customer
                           network supported by a 6PE
                           deployment.
BTS-RTR-   V0012564   II   BGP is not configured to
080                        filter outbound route
                           advertisements belonging to
                           the IP core.
BTS-RTR-   V0012565   II   The eBGP router is not
100                        configured to reject inbound
                           route advertisements with an
                           originating AS that does not
                           belong to the specific
                           customer.
BTS-RTR-   V0012566 III ASBR is not configured to
110                     deny updates received from
                        eBGP peers that do not list
                        their AS number as the first
                        AS in the AS_PATH attribute.

BTS-RTR-   V0012567   III   Graded damping algorithms
120                         are not used to penalize
                            longer prefixes (> /20) more
                            than shorter prefixes.

BTS-RTR-   V0012568    II   BGP is not configured to use
130                         the maximum prefixes
                            feature to protect against
                            route table flooding and
                            prefix de-aggregation
                            attacks.
BTS-RTR-   V0012569   III   BGP is not configured to limit
140                         the prefix length on any route
                            advertisement to /24, or to
                            the longest prefix allocated
                            to the customer.
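The inbound eBGP checks in BTS-RTR-050 through BTS-RTR-140 are usually expressed as prefix-lists, AS-path filters and per-neighbor maximum-prefix settings. The following is an added example, not part of the checklist or any vendor's implementation, that applies the same rules to one received advertisement in Python so the order and effect of each check can be seen on constructed input. The bogon list is abbreviated, the "IP core" block is a documentation prefix standing in for real infrastructure space, and the reading of BTS-RTR-140 (a prefix longer than /24 is only accepted when it is exactly one of the customer's allocated blocks) is an interpretation made here.

```python
import ipaddress
from dataclasses import dataclass

# Constructed for this example (not from the checklist): an abbreviated bogon
# list and one block standing in for the IP core infrastructure address space.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16", "224.0.0.0/3")]
CORE = [ipaddress.ip_network("203.0.113.0/24")]


@dataclass
class CustomerPeer:
    asns: frozenset     # AS numbers belonging to this customer (RTR-100 / RTR-110)
    allocated: list     # ip_network objects allocated to the customer (RTR-060 / RTR-140)
    max_prefixes: int   # maximum-prefix limit for the session (RTR-130)
    accepted: int = 0   # prefixes accepted so far on this session


def make_peer(asns, prefixes, max_prefixes):
    """Build a CustomerPeer from AS numbers and prefix strings."""
    return CustomerPeer(frozenset(asns), [ipaddress.ip_network(p) for p in prefixes], max_prefixes)


def _overlaps_any(net, blocks):
    # overlaps() is only meaningful within one address family
    return any(b.version == net.version and net.overlaps(b) for b in blocks)


def evaluate(prefix, as_path, peer, via_6pe=False):
    """Apply the inbound eBGP rules to one advertisement and return (accepted, reason).

    as_path is the received AS_PATH as a tuple, leftmost entry first, i.e. the
    directly connected peer's AS comes first and the origin AS last.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    if not as_path or as_path[0] not in peer.asns:
        return False, "RTR-110: first AS in AS_PATH is not the peer's AS"
    if as_path[-1] not in peer.asns:
        return False, "RTR-100: origin AS does not belong to the customer"
    if net.version == 6 and not via_6pe:
        return False, "RTR-055: IPv6 prefix not carried over 6PE"
    if _overlaps_any(net, BOGONS):
        return False, "RTR-050: bogon prefix"
    if _overlaps_any(net, CORE):
        return False, "RTR-050: prefix belongs to the IP core"
    if not any(a.version == net.version and net.subnet_of(a) for a in peer.allocated):
        return False, "RTR-060: prefix not allocated to this customer"
    if net.version == 4 and net.prefixlen > 24 and net not in peer.allocated:
        return False, "RTR-140: longer than /24 and not an allocated block"
    if peer.accepted >= peer.max_prefixes:
        return False, "RTR-130: maximum-prefix limit reached, session would be torn down"
    peer.accepted += 1
    return True, "accepted"


if __name__ == "__main__":
    # constructed customer: AS 64500, one IPv4 and one IPv6 allocation, limit of 3 prefixes
    cust = make_peer([64500], ["198.51.100.0/24", "2001:db8::/32"], 3)
    for adv in [("198.51.100.0/24", (64500,)), ("198.51.100.128/25", (64500,)),
                ("10.0.0.0/8", (64500,)), ("198.51.100.0/24", (64501, 64500))]:
        print(adv[0], evaluate(adv[0], adv[1], cust))
```

A real router applies the maximum-prefix limit by tearing down or warning on the session rather than dropping the one excess prefix; the counter here only shows where that threshold falls in the evaluation order.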

BTS-RTR-   V0012570   III   BGP is not configured to use
150                         Generalized TTL Security
                            Mechanism (GTSM) to
                            mitigate risks associated
                            with a control plane DoS
                            attack.
BTS-RTR-   V0014318   III   Routers with RSVP-TE
152                         enabled do not have
                            message pacing configured
                            to adjust maximum burst and
                            maximum number of RSVP
                            messages to an output
                            queue based on the link
                            speed and input queue size
                            of adjacent core routers.


BTS-RTR-   V0012571   III   The router's loopback
155                         address is not used as the
                            router ID for OSPF, IS-IS,
                            iBGP, LDP, and MPLS-TE
                            configurations.
BTS-RTR-   V0012573    II   URPF strict mode is not
160                         enabled on all customer-
                            facing interfaces.
BTS-RTR-   V0012574 II A filter is not implemented to
170                    block inbound packets with
                       source Bogon address
                       prefixes.
BTS-RTR-   V0012575  I A filter is not implemented to
180                    block inbound packets
                       destined to the IP core
                       infrastructure address space.

BTS-RTR-   V0012576    I     A receive-path filter or
190                          ingress filter bound to all
                             interfaces is not
                             implemented to restrict all
                             traffic destined to the router.

BTS-RTR-   V0014319    III   A receive-path filter is not
195                          implemented to restrict all
                             traffic destined to the router.

BTS-RTR-   V0012579    II    Management plane traffic
200                          destined for the router is not
                             restricted to only authorized
                             network management
                             stations.
BTS-RTR-   V0012580    II    BGP connections are not
210                          restricted to known IP
                             addresses of BGP routers
                             from the same or trusted AS.

BTS-RTR-   V0012581    III   NTP traffic is not restricted
220                          to only authorized NTP
                             servers.
BTS-RTR-   V0012582    II    The router's receive path
230                          filter does not drop all
                             fragmented ICMP packets.
BTS-RTR-   V0012583    II    The maximum wait interval
240                          for establishing a TCP
                             connection request to the
                             router is not set to ten
                             seconds or less, or a method
                             to rate-limit TCP SYN traffic
                             destined to the router has
                             not been implemented.

BTS-RTR-   V0012586    II    CEF is not enabled on the
250                          Cisco router.
BTS-RTR-   V0012585    II    IPv4 packets with Option
260                          Type = 131 or 137 (Loose and
                             Strict Source Route) are not
                             blocked or IP source routing
                             is not disabled.
BTS-RTR-   V0014320 II IPv6 packets that include a
265                     Routing Header with Routing
                        Type 0 are not blocked or IP
                        source routing is not
                        disabled.
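BTS-RTR-260 and BTS-RTR-265 name the exact bits a receive-path filter has to look at: IPv4 option types 131 (LSRR) and 137 (SSRR), and an IPv6 Routing Header whose Routing Type field is 0. The block below is an added example, not part of the checklist, that walks the IPv4 option list and the IPv6 extension-header chain to make that decision on constructed packets. Header layouts follow RFC 791 and RFC 2460; addresses are documentation space; the `should_drop`, `build_ipv4` and `build_ipv6` names are this example's own.

```python
import ipaddress
import struct

LSRR, SSRR = 131, 137                           # IPv4 Loose / Strict Source and Record Route
IPV6_EXT = {0, 43, 44, 51, 60}                  # hop-by-hop, routing, fragment, AH, dest-opts
ROUTING_HDR, FRAGMENT_HDR, AH_HDR = 43, 44, 51


def ipv4_source_routed(pkt):
    """True if the IPv4 header carries an LSRR or SSRR option (RTR-260)."""
    ihl = (pkt[0] & 0x0F) * 4
    i = 20
    while i < ihl:
        opt = pkt[i]
        if opt == 0:                            # End of Option List
            break
        if opt == 1:                            # No-Operation: single byte, no length
            i += 1
            continue
        if opt in (LSRR, SSRR):
            return True
        i += pkt[i + 1]                         # every other option is TLV; skip by length
    return False


def ipv6_has_rh0(pkt):
    """True if the extension-header chain holds a Routing Header of type 0 (RTR-265)."""
    nxt, off = pkt[6], 40
    while nxt in IPV6_EXT and off + 4 <= len(pkt):
        if nxt == ROUTING_HDR and pkt[off + 2] == 0:
            return True
        if nxt == FRAGMENT_HDR:
            size = 8                            # fixed length, no length field
        elif nxt == AH_HDR:
            size = (pkt[off + 1] + 2) * 4       # AH length is in 32-bit words minus 2
        else:
            size = (pkt[off + 1] + 1) * 8       # 8-octet units, not counting the first
        nxt, off = pkt[off], off + size
    return False


def should_drop(pkt):
    """Receive-path decision for one packet: (drop, reason)."""
    version = pkt[0] >> 4
    if version == 4 and ipv4_source_routed(pkt):
        return True, "RTR-260: IPv4 source-route option (131/137)"
    if version == 6 and ipv6_has_rh0(pkt):
        return True, "RTR-265: IPv6 Routing Header type 0"
    return False, "pass"


# --- constructed packets for the example (documentation addresses) -----------
def build_ipv4(options=b""):
    options += b"\x00" * ((-len(options)) % 4)  # pad the option list to 32 bits
    ihl = 5 + len(options) // 4
    return struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(options), 0, 0, 64, 6, 0,
                       ipaddress.IPv4Address("198.51.100.10").packed,
                       ipaddress.IPv4Address("203.0.113.1").packed) + options


def build_ipv6(ext_headers, next_header=6):
    """ext_headers: list of (protocol number, raw header bytes), already chained."""
    first = ext_headers[0][0] if ext_headers else next_header
    payload = b"".join(raw for _, raw in ext_headers)
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), first, 64,
                       ipaddress.IPv6Address("2001:db8::10").packed,
                       ipaddress.IPv6Address("2001:db8::1").packed) + payload


HOP = ipaddress.IPv4Address("192.0.2.99").packed
LSRR_PKT = build_ipv4(bytes([LSRR, 7, 4]) + HOP)                   # one hop, pointer = 4
TS_PKT = build_ipv4(b"\x01" + bytes([68, 8, 5, 0]) + b"\x00" * 4)  # NOP + timestamp option
VIA = ipaddress.IPv6Address("2001:db8::99").packed
RH0 = bytes([6, 2, 0, 1]) + b"\x00" * 4 + VIA                      # next=TCP, len=2, type 0
RH2 = bytes([6, 2, 2, 1]) + b"\x00" * 4 + VIA                      # same, type 2 (allowed)
HBH = bytes([ROUTING_HDR, 0, 1, 4]) + b"\x00" * 4                  # hop-by-hop with PadN
RH0_PKT = build_ipv6([(0, HBH), (ROUTING_HDR, RH0)])
RH2_PKT = build_ipv6([(0, HBH), (ROUTING_HDR, RH2)])

if __name__ == "__main__":
    for name, p in [("lsrr", LSRR_PKT), ("timestamp", TS_PKT), ("rh0", RH0_PKT), ("rh2", RH2_PKT)]:
        print(name, should_drop(p))
```

The timestamp-option and type-2 routing-header packets are included because a filter that simply drops "any IPv4 options" or "any routing header" would also break legitimate traffic; the checklist items call for the two specific codes.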
BTS-RTR-   V0012587 III IP directed broadcast is not
270                     disabled on all router
                        interfaces.
BTS-RTR-   V0012589 II IP redirects are not disabled
280                     on all router interfaces.
BTS-RTR-   V0012590 II ICMP mask replies are not
290                     disabled on all router
                        interfaces.
BTS-RTR-   V0012591 II ICMP unreachables are not
300                     disabled on all customer-
                        facing interfaces.
                        Note: This requirement does
                        not force the router to block
                        ICMP Destination
                        Unreachable messages type
                        3, code 4 ("Fragmentation
                        Needed and Don't Fragment
                        was Set") and, therefore, will
                        not disrupt Path MTU
                        Discovery as specified in
                        RFC 1191.
                        Black-hole filtering enables
                        traffic destined for a
                        particular IP address to be
                        forwarded to a pseudo-
                        interface where it is
                        discarded. The pseudo-
                        interface is named Null0. The
                        interface is always up but
                        can never forward or receive
                        traffic. Hence, when a route
                        is pointed to the Null0
                        interface, traffic sent to that
                        destination is dropped.

BTS-RTR-   V0012592    III   Inactive interfaces are not
310                          disabled. CAVEAT: Inactive
                             physical interfaces or
                             subinterfaces that are
                             preconfigured for planned
                             access circuits that will soon
                             become active are permitted,
                             provided that a description is
                             defined for each interface.
BTS-RTR-   V0014321 III There is no filter that denies
315                     all traffic applied to all
                        inactive interfaces.
BTS-RTR-   V0012593 III Two or more authentication
320                     servers are not defined for
                        the purpose of granting
                        administrative access.
BTS-RTR-   V0012594 III The router is not configured
330                     to use AAA tiered
                        authorization groups for
                        management authentication.

BTS-RTR-   V0014322    III   Passwords are configured
340                          on line interfaces (VTY,
                             console, auxiliary, and
                             asynchronous lines).
BTS-RTR-   V0012601    II    Individual accounts with
350                          username and password are
                             not being used to access the
                             router.
BTS-RTR-   V0012602    II    Accounts are not assigned
360                          the lowest privilege level that
                             allows them to perform their
                             duties.
BTS-RTR-   V0012609     I    Passwords are not stored
370                          as MD5 or SHA-1 hashes.
BTS-RTR-   V0012606    II    Inactive accounts exist on
380                          the authentication server or
                             router.
BTS-RTR-   V0012607    II    More than one local
390                          emergency account is
                             configured on the router, or
                             the emergency account is
                             not at the lowest privilege
                             level.
BTS-RTR-   V0012453    II    There are no procedures to
395                          securely control the creation,
                             storage, deletion, and
                             distribution of local
                             emergency user accounts.
BTS-RTR-   V0012454    III   A log is not being maintained
400                          to record the creation,
                             change, deletion, and
                             release of all emergency
                             accounts.
BTS-RTR-   V0012455 III The emergency account log
405                     is not being reviewed
                        periodically to ensure
                        emergency accounts are
                        changed at regular intervals
                        and are not compromised in
                        any way.
BTS-RTR-   V0012610 III A password is not required
410                     to gain access to the router's
                        diagnostics port.
BTS-RTR-   V0012615 III CDP is not disabled on all
420                     external interfaces on all
                        Cisco PE and ASBR routers.

BTS-RTR-   V0012616    III   The router is not configured
430                          to send periodic TCP
                             keepalive messages to
                             connection end points if
                             telnet is being used for
                             administrative access.
BTS-RTR-   V0014323    II    Logging is not enabled on
440                          the router.
BTS-RTR-   V0012618    III   The router is not configured
450                          to log severity levels 0
                             through 6 events and send
                             all log data to a syslog server.

BTS-RTR-   V0014324    III   Router is not configured to
460                          send all log data to a syslog
                             server.
BTS-RTR-   V0012617    III   The router is not configured
470                          to log all denied packets.
BTS-RTR-   V0014325    III   The router is not configured
480                          to log all denied packets.
BTS-RTR-   V0014326    III   Configuration changes that
485                          identify the time, the
                             command, and the
                             administrator that executed
                             the command are not logged.

BTS-RTR-   V0012619    III   Two or more NTP servers
490                          are not defined on the router
                             to synchronize its time.

BTS-RTR-   V0012620    II    The router is configured to
500                          function as an NTP server.
BTS-RTR-               II    The router is not configured
510                          to use MD5 to authenticate
                             the time source.
BTS-RTR-   V0012622 III The router is not configured
520                     to use its loopback address
                        as the source address when
                        originating TACACS+ or
                        RADIUS traffic.

BTS-RTR-   V0014327   III   The router is not configured
521                         to use its loopback address
                            as the source address when
                            originating syslog traffic.

BTS-RTR-   V0014328   III   The router is not configured
522                         to use its loopback address
                            as the source address when
                            originating NTP traffic.

BTS-RTR-   V0014329   III   The router is not configured
523                         to use its loopback address
                            as the source address when
                            originating SNMP traffic.

BTS-RTR-   V0014330   III   The router is not configured
524                         to use its loopback address
                            as the source address when
                            originating NetFlow traffic.

BTS-RTR-   V0014331   III   The router is not configured
525                         to use its loopback address
                            as the source address when
                            originating TFTP or FTP
                            traffic.
BTS-RTR-   V0014332   III   The router is not configured
526                         to use its loopback address
                            as the source address when
                            originating SSH traffic.

BTS-RTR-   V0014333   III   The router is not configured
527                         to use its loopback address
                            as the source address when
                            originating MSDP traffic.

BTS-RTR-   V0014334   III   The router is not configured
528                         to use its loopback address
                            as the source address for
                            iBGP peering sessions.

BTS-RTR-   V0014335   III   The router is not configured
529                         to use its loopback address
                            as the source address for
                            LDP peering sessions.
BTS-RTR-   V0012623 II The latest operating system
530                     as directed by the PMO is
                        not implemented on the
                        router.
BTS-RTR-   V0012730 II The latest operating system
530                     as directed by the PMO is
                        not implemented on the
                        router.
BTS-RTR-   V0012624 III Finger service is not
540                     disabled.
BTS-RTR-   V0012625 III TCP and UDP small servers
550                     are not disabled.
BTS-RTR-   V0012626 III PAD services are not
560                     disabled.
BTS-RTR-   V0012627 III Identification support is not
570                     disabled.
BTS-RTR-   V0012628 II BSD r-command services
580                     are not disabled.
BTS-RTR-   V0012629 II FTP server is enabled.
590
BTS-RTR-   V0014336    II    TFTP server is not disabled.
595
BTS-RTR-   V0012630    III   DHCP server is enabled.
600
BTS-RTR-   V0012631    II    HTTP server is enabled.
610
BTS-RTR-   V0012632    III   Bootp server is enabled.
620
BTS-RTR-   V0012634    II    Configuration auto-loading is
630                          not disabled.
BTS-RTR-   V0012635    III   The router is configured as a
640                          client resolver and DNS
                             servers are not defined.
BTS-RTR-   V0012636    II    Proxy ARP is not disabled.
650
BTS-RTR-   V0012637    II    Gratuitous ARP is not
660                          disabled.
BTS-RTR-   V0014337    II    URPF strict mode is not
900                          enabled on CE routers' PE-
                             facing interfaces.
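Most of the BTS-RTR items from 250 onward, together with the NTP, AAA-server and loopback-source items, can be checked mechanically against a saved configuration. The block below is an added example, not part of the checklist or of any vendor tooling: it parses an IOS-style configuration into global lines and indented sections and reports a (PDI, detail) finding for each item it cannot satisfy. The command syntax, the sample configuration, the mapping from PDI to command, and the convention that a customer-facing interface is recognised by the word "customer" in its description are all assumptions made for this example. The sample deliberately fails three items (one NTP server, no authentication servers, a VTY line password) so the output is not empty.

```python
# Constructed IOS-style configuration for the example (not from the checklist).
SAMPLE_CONFIG = """\
ip cef
no ip source-route
no ip gratuitous-arps
no service finger
no service tcp-small-servers
no service udp-small-servers
no service pad
no ip http server
ip tacacs source-interface Loopback0
logging source-interface Loopback0
ntp authenticate
ntp source Loopback0
ntp server 192.0.2.10 key 1
!
interface GigabitEthernet0/1
 description customer A access circuit
 ip address 198.51.100.1 255.255.255.252
 ip verify unicast source reachable-via rx
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip directed-broadcast
!
interface GigabitEthernet0/2
 description core link to p1
 no ip redirects
 no ip proxy-arp
 no ip directed-broadcast
!
line vty 0 4
 password 7 0123456789ABCDEF
 login authentication default
"""

# (PDI, exact global line that must be present); the mapping is this example's own.
GLOBAL_REQUIRED = [
    ("BTS-RTR-250", "ip cef"), ("BTS-RTR-260", "no ip source-route"),
    ("BTS-RTR-540", "no service finger"), ("BTS-RTR-550", "no service tcp-small-servers"),
    ("BTS-RTR-550", "no service udp-small-servers"), ("BTS-RTR-560", "no service pad"),
    ("BTS-RTR-610", "no ip http server"), ("BTS-RTR-660", "no ip gratuitous-arps"),
    ("BTS-RTR-510", "ntp authenticate"), ("BTS-RTR-520", "ip tacacs source-interface Loopback0"),
    ("BTS-RTR-521", "logging source-interface Loopback0"), ("BTS-RTR-522", "ntp source Loopback0"),
]
IFACE_REQUIRED = [("BTS-RTR-280", "no ip redirects"), ("BTS-RTR-270", "no ip directed-broadcast"),
                  ("BTS-RTR-650", "no ip proxy-arp")]
CUSTOMER_REQUIRED = [("BTS-RTR-300", "no ip unreachables"),
                     ("BTS-RTR-160", "ip verify unicast source reachable-via rx")]


def parse(config):
    """Split an IOS-style config into top-level lines and {section header: [child lines]}."""
    top, sections, current = [], {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None
            continue
        if line[0] == " ":                       # indented: belongs to the open section
            if current is not None:
                sections[current].append(line.strip())
        else:
            top.append(line)
            current = line
            sections[current] = []
    return top, sections


def audit(config):
    """Return sorted (PDI, detail) findings; an empty list means every check passed."""
    top, sections = parse(config)
    findings = [(pdi, f"missing '{cmd}'") for pdi, cmd in GLOBAL_REQUIRED if cmd not in top]
    for name, body in sections.items():
        if name.startswith("interface ") and "Loopback" not in name:
            customer = any(l.startswith("description") and "customer" in l.lower() for l in body)
            for pdi, cmd in IFACE_REQUIRED + (CUSTOMER_REQUIRED if customer else []):
                if cmd not in body:
                    findings.append((pdi, f"{name}: missing '{cmd}'"))
        elif name.startswith("line ") and any(l.startswith("password") for l in body):
            findings.append(("BTS-RTR-340", f"{name}: line password configured"))
    ntp = [l for l in top if l.startswith("ntp server ")]
    if len(ntp) < 2:
        findings.append(("BTS-RTR-490", f"{len(ntp)} NTP server(s) defined, two required"))
    if any(l.startswith("ntp master") for l in top):
        findings.append(("BTS-RTR-500", "router is configured as an NTP server"))
    findings += [("BTS-RTR-510", f"time source without key: '{l}'") for l in ntp if " key " not in l]
    aaa = [l for l in top if l.startswith(("tacacs-server host", "tacacs server", "radius server"))]
    if len(aaa) < 2:
        findings.append(("BTS-RTR-320", f"{len(aaa)} authentication server(s) defined, two required"))
    return sorted(findings)


if __name__ == "__main__":
    for pdi, detail in audit(SAMPLE_CONFIG):
        print(pdi, detail)
```

Items that cannot be read from the configuration text (who reviews the emergency-account log, whether the PMO-directed OS version is loaded) still need the manual check; the script only narrows the list.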
BTS-SDN-   V0012456  I The facility used to house
010                    SDN equipment is not
                       secured 1) because the
                       facility is not in a
                       government-controlled area
                       that allows access to only
                       authorized personnel using 2-
                       factor authentication, or 2)
                       access to the facility is not
                       monitored and limited to
                       essential and authorized
                       personnel, or 3) a visitor log
                       is not maintained.
BTS-SDN-   V0012457 II A connection approval
020                    process to be used when
                       provisioning GIG services to
                       DoD customers is not
                       implemented or enforced.
   ____ Checklist _V_R_ (<date>)                                  <Test> - TN <Ticket Number>
DG0001 V0005658  I Vendor supported software
                   is evaluated and patched
                   against newly found
                   vulnerabilities.
DG0002 V0004758 II An upgrade/migration plan
                   should be developed to
                   address an unsupported
                   DBMS software version.
DG0003 V0005659 II The latest security patches
                   should be installed.
DG0005 V0006756 II Only necessary privileges to
                   the host system should be
                   granted to DBA OS accounts.

DG0007 V0006767     II    The database should be
                          secured in accordance with
                          DoD, vendor and/or
                          commercially accepted
                          practices where applicable.
DG0009 V0015608     II    Access to DBMS software
                          files and directories should
                          not be granted to
                          unauthorized users.
DG0010 V0002420     III   Database executable and
                          configuration files should be
                          monitored for unauthorized
                          modifications.
DG0011 V0003726     III   Configuration management
                          procedures should be
                          defined and implemented for
                          database software
                          modifications.
DG0012 V0004754     II    Database software
                          directories including DBMS
                          configuration files are stored
                          in dedicated directories
                          separate from the host OS
                          and other applications.

DG0013 V0015126     II    Database backup
                          procedures should be
                          defined, documented and
                          implemented.




   Legend:
   R or RAE = Required Ancillary Equipment
   NF = Not a Finding
   NA = Not Applicable                                                      133 of 1257
DG0014 V0015609  II Default demonstration and
                    sample database objects
                    and applications should be
                    removed.
DG0016 V0003728 III Unused database
                    components, database
                    application software and
                    database objects should be
                    removed from the DBMS
                    system.
DG0017 V0003803  II A production DBMS
                    installation should not
                    coexist on the same DBMS
                    host with other, non-
                    production DBMS
                    installations.
DG0019 V0003805 III Application software should
                    be owned by a Software
                    Application account.

DG0020 V0015129     II   Backup and recovery
                         procedures should be
                         developed, documented,
                         implemented and
                         periodically tested.
DG0021 V0003806     II   A baseline of database
                         application software should
                         be documented and
                         maintained.
DG0025 V0015610     II   DBMS should use NIST
                         FIPS 140-2 validated
                         cryptography.
DG0029 V0005685     II   Required auditing
                         parameters for database
                         auditing should be set.
DG0030 V0002507     II   Audit trail data should be
                         retained for one year.
DG0031 V0015133     II   Transaction logs should be
                         periodically reviewed for
                         unauthorized modification of
                         data. Users should be
                         notified of time and date of
                         the last change in data
                         content.


DG0032 V0005686 II Audit records should be
                   restricted to authorized
                   individuals.
DG0040 V0002422 II The DBMS software
                   installation account should
                   be restricted to authorized
                   users.
DG0041 V0015110 II Use of the DBMS installation
                   account should be logged.

DG0042 V0015111     II    Use of the DBMS software
                          installation account should
                          be restricted to DBMS
                          software installation,
                          upgrade and maintenance
                          actions.
DG0050 V0002423     II    Database software,
                          applications and
                          configuration files should be
                          monitored to discover
                          unauthorized changes.
DG0051 V0003808     II    Database job/batch queues
                          should be reviewed regularly
                          to detect unauthorized
                          database job submissions.

DG0052 V0003807     II    All applications that access
                          the database should be
                          logged in the DBMS audit
                          trail where available.

DG0053 V0003809     II    A single database
                          connection configuration file
                          should not be used to
                          configure all database
                          clients.
DG0054 V0015611     III   The audit logs should be
                          periodically monitored to
                          discover DBMS access
                          using unauthorized
                          applications.
DG0064 V0015120     II    DBMS backup and
                          restoration files should be
                          protected from unauthorized
                          access.

DG0065 V0003810 II DBMS authentication should
                   require use of a DoD PKI
                   certificate.
DG0066 V0003811 II Procedures for establishing
                   temporary passwords that
                   meet DoD password
                   requirements for new
                   accounts should be defined,
                   documented and
                   implemented.
DG0067 V0003812  I Database account
                   passwords should be stored
                   in encoded or encrypted
                   format whether stored in
                   database objects, external
                   host files, environment
                   variables or any other
                   storage locations.
DG0068 V0003813 II DBMS tools or applications
                   that echo or require a
                   password entry in clear text
                   should be protected from
                   password display.

DG0069 V0015140     II   Procedures and restrictions
                         for import of production data
                         to development databases
                         should be documented,
                         implemented and followed.

DG0072 V0015612     II   Database password
                         changes by users should be
                         limited to one change within
                         24 hours where supported
                         by the DBMS.
DG0076 V0003819     II   Sensitive information from
                         production database exports
                         should be modified after
                         import to a development
                         database.




DG0077 V0003820  II Production databases
                    should be protected from
                    unauthorized access by
                    developers on shared
                    production/development host
                    systems.
DG0078 V0015613  II Each database user,
                    application or process
                    should have an individually
                    assigned account.
DG0083 V0015102  II Automated notification of
                    suspicious activity detected
                    in the audit trail should be
                    implemented.
DG0084 V0015614 III The DBMS should be
                    configured to clear residual
                    data from memory, data
                    objects and files, and other
                    storage locations.
DG0085 V0015615  II The DBA role should not be
                    assigned excessive or
                    unauthorized privileges.
DG0088 V0015112 III The DBMS should be
                    periodically tested for
                    vulnerability management
                    and IA compliance.
DG0090 V0015131  II Sensitive information stored
                    in the database should be
                    protected by encryption.

DG0092 V0015132     II    Database data files
                          containing sensitive
                          information should be
                          encrypted.
DG0093 V0003825     II    Remote administrative
                          connections to the database
                          should be encrypted.

DG0095 V0003827     II    Audit trail data should be
                          reviewed daily or more
                          frequently.
DG0096 V0015138     III   The DBMS IA policies and
                          procedures should be
                          reviewed annually or more
                          frequently.

DG0097 V0015139 II Plans and procedures for
                   testing DBMS installations,
                   upgrades, and patches
                   should be defined and
                   followed prior to production
                   implementation.

DG0098 V0015617     II    Access to external objects
                          should be disabled if not
                          required and authorized.
DG0099 V0015618     II    Access to external DBMS
                          executables should be
                          disabled or restricted.
DG0101 V0015620     II    OS accounts used to
                          execute external procedures
                          should be assigned
                          minimum privileges.

DG0102 V0015141     II    DBMS processes or
                          services should run under
                          custom, dedicated OS
                          accounts.
DG0103 V0015621     II    The DBMS listener should
                          restrict database access by
                          network address.
DG0104 V0015622     III   DBMS service identification
                          should be unique and clearly
                          identify the service.

DG0107 V0015144     II    Sensitive data stored in the
                          database should be
                          identified in the System
                          Security Plan and AIS
                          Functional Architecture
                          documentation.
DG0108 V0015145     III   The DBMS restoration
                          priority should be assigned.
DG0109 V0015146     II    The DBMS should not be
                          operated without
                          authorization on a host
                          system supporting other
                          application services.




DG0110 V0015179 II The DBMS should not share
                   a host supporting an
                   independent security service.

DG0111 V0015147     II   The DBMS data files,
                         transaction logs and audit
                         files should be stored in
                         dedicated directories or disk
                         partitions separate from
                         software or other application
                         files.
DG0112 V0015623     II   DBMS system data files
                         should be stored in
                         dedicated disk directories.
DG0113 V0015624     II   DBMS data files should be
                         dedicated to support
                         individual applications.
DG0114 V0015119     II   DBMS files critical for DBMS
                         recovery should be stored
                         on RAID or other high-
                         availability storage devices.

DG0115 V0015625     II   Recovery procedures and
                         technical system features
                         exist to ensure that recovery
                         is done in a secure and
                         verifiable manner.

DG0116 V0015626     II   Database privileged role
                         assignments should be
                         restricted to IAO-authorized
                         DBMS accounts.

DG0118 V0015127     II   The IAM should review
                         changes to DBA role
                         assignments.
DG0123 V0015631     II   Access to DBMS system
                         tables and other
                         configuration or metadata
                         should be restricted to DBAs.

DG0124 V0015632     II   Use of DBA accounts should
                         be restricted to
                         administrative activities.


DG0126 V0015633 II Password reuse should be
                   prevented where supported
                   by the DBMS.
DG0128 V0015635  I DBMS default accounts
                   should be assigned custom
                   passwords.
DG0129 V0015636  I Passwords should be
                   encrypted when transmitted
                   across the network.

DG0130 V0015637     II    DBMS passwords should not
                          be stored in compiled,
                          encoded or encrypted batch
                          jobs or compiled, encoded or
                          encrypted application source
                          code.
DG0131 V0015638     III   DBMS default account
                          names should be changed.
DG0134 V0015640     II    Concurrent connections to
                          the DBMS should be limited
                          and controlled.
DG0140 V0015643     II    Access to DBMS security
                          should be audited.
DG0141 V0015644     II    Attempts to bypass access
                          controls should be audited.

DG0142 V0015645     II    Changes to configuration
                          options should be audited.
DG0145 V0015646     II    Audit records should contain
                          required information.

DG0146 V0015647     II    Audit records should include
                          the reason for blacklisting or
                          disabling DBMS connections
                          or accounts.

DG0151 V0015648     II    Access to the DBMS should
                          be restricted to static, default
                          network ports.

DG0152 V0015148     II    DBMS network
                          communications should
                          comply with PPS usage
                          restrictions.


DG0153 V0015149 III DBA role assignments
                    should be assigned and
                    authorized by the IAO.
DG0154 V0015150 III The DBMS requires a
                    System Security Plan
                    containing all required
                    information.
DG0155 V0015649  II The DBMS should have
                    configured all applicable
                    settings to use trusted files,
                    functions, features, or other
                    components during startup,
                    shutdown, aborts, or other
                    unplanned interruptions.

DG0156 V0015650     III   The IAO for the DBMS
                          should be assigned and
                          authorized by the IAM.
DG0157 V0015651      II   Remote DBMS
                          administration should be
                          documented and authorized
                          or disabled.
DG0158 V0015652      II   DBMS remote administration
                          should be audited.

DG0159 V0015118      II   Remote administrative
                          access to the database
                          should be monitored by the
                          IAO or IAM.
DG0160 V0015653     III   The DBMS should limit failed
                          logins within a specified time
                          period.
DG0161 V0015103      II   An automated tool that
                          monitors audit data and
                          immediately reports
                          suspicious activity should be
                          employed for the DBMS.
DG0167 V0015104      I    Sensitive data served by the
                          DBMS should be protected
                          by encryption when
                          transmitted across the
                          network.
DG0170 V0015655      II   DBMS transaction journaling
                          should be enabled.


DG0171 V0015656 II The DBMS should not have
                   a connection defined to
                   access or be accessed by a
                   DBMS at a different
                   classification level.
DG0175 V0015116 II The DBMS host platform
                   and other dependent
                   applications should be
                   configured in compliance
                   with applicable STIG
                   requirements.
DG0176 V0015117 II The DBMS audit logs should
                   be included in backup
                   operations.
DG0179 V0015658 II The DBMS warning banner
                   should meet DoD policy
                   requirements.
DG0186 V0015122 II The database should not be
                   directly accessible from
                   public or unauthorized
                   networks.
DG0187 V0015121 II DBMS software libraries
                   should be periodically
                   backed up.
DG0190 V0015154 II Credentials stored and used
                   by the DBMS to access
                   remote databases or
                   applications should be
                   authorized and restricted to
                   authorized users.
DG0192 V0015660 II Remote database or other
                   external access should use
                   fully-qualified names.
DG0194 V0015108 II Privileges assigned to
                   developers on shared
                   production and development
                   DBMS hosts and the DBMS
                   should be monitored every
                   three months or more
                   frequently for unauthorized
                   changes.




DG0195 V0015109 II DBMS production
                   application and data
                   directories should be
                   protected from developers
                   on shared
                   production/development
                   DBMS host systems.
DG0198 V0015662 II Remote administration of the
                   DBMS should be restricted
                   to known, dedicated and
                   encrypted network
                   addresses and ports.




 PDI    VMSID     CAT           Requirement             Vulnerability   Status   Finding Notes

DG0001 V0005658    I    Vendor supported software
                        is evaluated and patched
                        against newly found
                        vulnerabilities.


DG0002 V0004758    II   An upgrade/migration plan
                        should be developed to
                        address an unsupported
                        DBMS software version.
DG0003 V0005659    II   The latest security patches
                        should be installed.




DG0004 V0005683    II   Application object owner
                        accounts should be disabled
                        when not performing
                        installation or maintenance
                        actions.
DG0005 V0006756    II   Only necessary privileges to
                        the host system should be
                        granted to DBA OS accounts.



DG0007 V0006767    II   The database should be
                        secured in accordance with
                        DoD, vendor and
                        commercially accepted
                        practices where applicable.

DG0008 V0015607    II   Application objects should
                        be owned by accounts
                        authorized for ownership.
DG0009 V0015608    II   Access to DBMS software
                        files and directories should
                        not be granted to
                        unauthorized users.


DG0010 V0002420   III   Database executable and
                        configuration files should be
                        monitored for unauthorized
                        modifications.

DG0011 V0003726   III   Configuration management
                        procedures should be
                        defined and implemented for
                        database software
                        modifications.

DG0012 V0004754    II   Database data files should
                        not be stored in the same
                        logical storage partition as
                        database application
                        software.

DG0013 V0015126    II   Database backup
                        procedures should be
                        defined, documented and
                        implemented.


DG0014 V0015609    II   Default demonstration and
                        sample database objects
                        and applications should be
                        removed.
DG0015 V0003727   III   Database applications
                        should be restricted from
                        using static DDL statements
                        to modify the application
                        schema.
DG0016 V0003728   III   Unused database
                        components, database
                        application software and
                        database objects should be
                        removed from the DBMS
                        system.
DG0017 V0003803    II   System resources and
                        database identifiers should
                        be clearly separated and
                        defined.


DG0019 V0003805   III   Application software should
                        be owned by a Software
                        Application account.



DG0020 V0015129    II   Backup and recovery
                        procedures should be
                        developed, documented,
                        implemented and
                        periodically tested.

DG0021 V0003806    II   A baseline of database
                        application software should
                        be documented and
                        maintained.


DG0025 V0015610    II   DBMS should use NIST
                        FIPS 140-2 validated
                        cryptography.



DG0029 V0005685    II   Required auditing
                        parameters for database
                        auditing should be set.
DG0030 V0002507    II   Audit trail data should be
                        retained for one year.
DG0031 V0015133    II   Transaction logs should be
                        periodically reviewed for
                        unauthorized modification of
                        data. Users should be
                        notified of time and date of
                        the last change in data
                        content.
DG0032 V0005686    II   Audit records should be
                        restricted to authorized
                        individuals.
DG0040 V0002422    II   The DBMS software
                        installation account should
                        be restricted to authorized
                        users.


DG0041 V0015110    II   Use of the DBMS installation
                        account should be logged.




DG0042 V0015111    II   Use of the DBMS software
                        installation account should
                        be restricted to DBMS
                        software installation,
                        upgrade and maintenance
                        actions.
DG0050 V0002423    II   Database software,
                        applications and
                        configuration files should be
                        monitored to discover
                        unauthorized changes.

DG0051 V0003808    II   Database job/batch queues
                        should be reviewed regularly
                        to detect unauthorized
                        database job submissions.


DG0052 V0003807    II   All applications that access
                        the database should be
                        logged in the DBMS audit
                        trail where available.


DG0053 V0003809    II   A single database
                        connection configuration file
                        should not be used to
                        configure all database clients.


DG0054 V0015611   III   The audit logs should be
                        periodically monitored to
                        discover DBMS access
                        using unauthorized
                        applications.

DG0060 V0002424    II   All database non-interactive,
                        n-tier connection, and
                        shared accounts that exist
                        should be documented and
                        approved by the IAO.

DG0063 V0015107    II   DBMS privileges to restore
                        database data or other
                        DBMS configurations,
                        features or objects should be
                        restricted to authorized
                        DBMS accounts.
DG0064 V0015120    II   DBMS backup and
                        restoration files should be
                        protected from unauthorized
                        access.


DG0065 V0003810    II   DBMS authentication should
                        require use of a DoD PKI
                        certificate.
DG0066 V0003811    II   Procedures for establishing
                        temporary passwords that
                        meet DoD password
                        requirements for new
                        accounts should be defined,
                        documented and
                        implemented.

DG0067 V0003812    I    Database passwords used
                        by batch and job processes
                        should be stored in
                        encrypted format.


DG0068 V0003813    II   DBMS tools or applications
                        that echo or require a
                        password entry in clear text
                        should be protected from
                        password display.

DG0069 V0015140    II   Procedures and restrictions
                        for import of production data
                        to development databases
                        should be documented,
                        implemented and followed.

DG0070 V0002508    II   Unauthorized user accounts
                        should not exist.
DG0071 V0003815    II   New passwords should be
                        required to differ from old
                        passwords by more than four
                        characters.
DG0073 V0003817    II   Database accounts should
                        not specify account lock
                        times less than the site-
                        approved minimum.
DG0074 V0015130    II   Unapproved inactive or
                        expired database accounts
                        should not be found on the
                        database.
DG0075 V0003818    II   Unauthorized database links
                        should not be defined and
                        active.
DG0076 V0003819    II   Sensitive information from
                        production database exports
                        should be modified after
                        import to a development
                        database.
DG0077 V0003820    II   Production databases should
                        be protected from
                        unauthorized access by
                        developers on shared
                        production/development host
                        systems.
DG0078 V0015613    II   Each database user,
                        application or process
                        should have an individually
                        assigned account.
DG0079 V0015152    II   DBMS login accounts
                        require passwords to meet
                        complexity requirements.

DG0080 V0003821    II   Application user privilege
                        assignment should be
                        reviewed monthly or more
                        frequently to ensure
                        compliance with least
                        privilege and documented
                        policy.
DG0083 V0015102    II   Automated notification of
                        suspicious activity detected
                        in the audit trail should be
                        implemented.


DG0085 V0015615    II   The DBA role should not be
                        assigned excessive or
                        unauthorized privileges.
DG0086 V0015106    II   DBA roles should be
                        periodically monitored to
                        detect assignment of
                        unauthorized or excess
                        privileges.

DG0087 V0015616   III   Sensitive data should be
                        labeled.
DG0088 V0015112   III   The DBMS should be
                        periodically tested for
                        vulnerability management
                        and IA compliance.


DG0089 V0015114   III   Developers should not be
                        assigned excessive
                        privileges on production
                        databases.
DG0090 V0015131    II   Sensitive information stored
                        in the database should be
                        protected by encryption.



DG0091 V0003823   III   Custom and GOTS
                        application source code
                        stored in the database
                        should be protected with
                        encryption or encoding.
DG0092 V0015132    II   Database data files
                        containing sensitive
                        information should be
                        encrypted.

DG0093 V0003825    II   Remote administrative
                        connections to the database
                        should be encrypted.



DG0095 V0003827    II   Audit trail data should be
                        reviewed daily or more
                        frequently.



DG0096 V0015138   III   The DBMS IA policies and
                        procedures should be
                        reviewed annually or more
                        frequently.


DG0097 V0015139    II   Plans and procedures for
                        testing DBMS installations,
                        upgrades, and patches
                        should be defined and
                        followed prior to production
                        implementation.

DG0098 V0015617    II   Access to external objects
                        should be disabled if not
                        required and authorized.
DG0099 V0015618    II   Access to external DBMS
                        executables should be
                        disabled or restricted.



DG0100 V0015619    II   Replication accounts should
                        not be granted DBA
                        privileges.
DG0101 V0015620    II   OS accounts used to
                        execute external procedures
                        should be assigned
                        minimum privileges.


DG0102 V0015141    II   DBMS processes or services
                        should run under custom,
                        dedicated OS accounts.

DG0103 V0015621    II   The DBMS listener should
                        restrict database access by
                        network address.



DG0104 V0015622   III   DBMS service identification
                        should be unique and clearly
                        identify the service.



DG0105 V0015128    II   DBMS application user roles
                        should not be assigned
                        unauthorized privileges.

DG0106 V0015143    II   Database data encryption
                        controls should be
                        configured in accordance
                        with application
                        requirements.

DG0107 V0015144    II   Sensitive data is stored in
                        the database and should be
                        identified in the System
                        Security Plan and AIS
                        Functional Architecture
                        documentation.
DG0108 V0015145   III   The DBMS restoration
                        priority should be assigned.




DG0109 V0015146    II   The DBMS should not be
                        operated without
                        authorization on a host
                        system supporting other
                        application services.

DG0110 V0015179    II   The DBMS should not share
                        a host supporting an
                        independent security service.



DG0111 V0015147    II   The DBMS data files,
                        transaction logs and audit
                        files should be stored in
                        dedicated directories or disk
                        partitions separate from
                        software or other application
                        files.

DG0112 V0015623    II   DBMS system data files
                        should be stored in
                        dedicated disk directories.
DG0113 V0015624    II   DBMS data files should be
                        dedicated to support
                        individual applications.
DG0115 V0015625    II   Recovery procedures and
                        technical system features
                        exist to ensure that recovery
                        is done in a secure and
                        verifiable manner.

DG0116 V0015626    II   Database privileged role
                        assignments should be
                        restricted to IAO-authorized
                        DBMS accounts.

DG0117 V0015627    II   Administrative privileges
                        should be assigned to
                        database accounts via
                        database roles.
DG0118 V0015127    II   The IAM should review
                        changes to DBA role
                        assignments.



DG0119 V0015628    II   DBMS application users
                        should not be granted
                        administrative privileges to
                        the DBMS.
DG0120 V0015105    II   Unauthorized access to
                        external database objects
                        should be removed from
                        application user roles.


DG0121 V0015629    II   Application user privileges
                        should be restricted to
                        assignment using application
                        user roles.
DG0122 V0015630    II   Access to sensitive data
                        should be restricted to
                        authorized users identified
                        by the Information Owner.
DG0123 V0015631    II   Access to DBMS system
                        tables and other
                        configuration or metadata
                        should be restricted to DBAs.

DG0124 V0015632    II   Use of DBA accounts should
                        be restricted to
                        administrative activities.

DG0125 V0015153    II   DBMS account passwords
                        should be set to expire every
                        60 days or more frequently.

DG0126 V0015633    II   Password reuse should be
                        prevented where supported
                        by the DBMS.
DG0127 V0015634    II   DBMS account passwords
                        should not be set to easily
                        guessed words or values.
DG0128 V0015635    I    DBMS default accounts
                        should be assigned custom
                        passwords.
DG0129 V0015636    I    Passwords should be
                        encrypted when transmitted
                        across the network.



DG0130 V0015637    II   DBMS passwords used by
                        batch jobs or executables
                        should not be stored in the
                        job or executable files.
DG0133 V0015639    II   Unlimited account lock times
                        should be specified for
                        locked accounts.
DG0135 V0015641    II   Users should be alerted
                        upon login of previous
                        successful connections or
                        unsuccessful attempts to
                        access their account.
DG0138 V0015642    II   Access grants to sensitive
                        data should be restricted to
                        authorized user roles.
DG0140 V0015643    II   Access to DBMS security
                        should be audited.




DG0141 V0015644    II   Attempts to bypass access
                        controls should be audited.

DG0142 V0015645    II   Changes to configuration
                        options should be audited.
DG0145 V0015646    II   Audit records should contain
                        required information.

DG0146 V0015647    II   Audit records should include
                        the reason for blacklisting or
                        disabling DBMS connections
                        or accounts.

DG0152 V0015148    II   DBMS network
                        communications should
                        comply with PPS usage
                        restrictions.


DG0153 V0015149   III   DBA role assignments
                        should be assigned and
                        authorized by the IAO.
DG0154 V0015150   III   The DBMS requires a
                        System Security Plan
                        containing all required
                        information.


DG0155 V0015649    II   The DBMS should verify
                        trustworthiness of data and
                        configuration files at startup.



DG0157 V0015651    II   Remote DBMS
                        administration should be
                        documented and authorized
                        or disabled.


DG0158 V0015652    II   DBMS remote administration
                        should be audited.




DG0159 V0015118    II   Remote administrative
                        access to the database
                        should be monitored by the
                        IAO or IAM.


DG0161 V0015103    II   An automated tool that
                        monitors audit data and
                        immediately reports
                        suspicious activity should be
                        employed for the DBMS.

DG0165 V0015654    II   DBMS symmetric keys
                        should be protected in
                        accordance with NSA or
                        NIST-approved key
                        management technology or
                        processes.

DG0166 V0015142    II   Asymmetric keys should use
                        DoD PKI Certificates and be
                        protected in accordance with
                        NIST (unclassified data) or
                        NSA (classified data)
                        approved key management
                        and processes.

DG0167 V0015104    I    Sensitive data served by the
                        DBMS should be protected
                        by encryption when
                        transmitted across the
                        network.

DG0171 V0015656    II   The DBMS should not have
                        a connection defined to
                        access or be accessed by a
                        DBMS at a different
                        classification level.

DG0172 V0015657    II   Changes to DBMS security
                        labels should be audited.

DG0175 V0015116    II   The DBMS host platform
                        and other dependent
                        applications should be
                        configured in compliance
                        with applicable STIG
                        requirements.
DG0176 V0015117    II   The DBMS audit logs should
                        be included in backup
                        operations.



DG0179 V0015658    II   The DBMS warning banner
                        should meet DoD policy
                        requirements.



DG0186 V0015122    II   The database should not be
                        directly accessible from
                        public or unauthorized
                        networks.


DG0187 V0015121    II   DBMS software libraries
                        should be periodically
                        backed up.

DG0190 V0015154    II   Credentials stored and used
                        by the DBMS to access
                        remote databases or
                        applications should be
                        authorized and restricted to
                        authorized users.
DG0191 V0015659    II   Credentials used to access
                        remote databases should be
                        protected by encryption and
                        restricted to authorized users.


DG0192 V0015660    II   Remote database or other
                        external access should use
                        fully-qualified names.
DG0194 V0015108    II   Privileges assigned to
                        developers on shared
                        production and development
                        DBMS hosts and the DBMS
                        should be monitored every
                        three months or more
                        frequently for unauthorized
                        changes.
DG0195 V0015109    II   DBMS production application
                        and data directories should
                        be protected from
                        developers on shared
                        production/development
                        DBMS host systems.

DG0198 V0015662    II   Remote administration of the
                        DBMS should be restricted
                        to known, dedicated and
                        encrypted network
                        addresses and ports.

DO0120 V0003842    II   The Oracle software
                        installation account should
                        not be granted excessive
                        host system privileges.


DO0140 V0002511    II   Access to the Oracle SYS
                        and SYSTEM accounts
                        should be restricted to
                        authorized DBAs.
DO0145 V0003845   III   OS DBA group membership
                        should be restricted to
                        authorized accounts.

DO0155 V0003846    II   Only authorized system
                        accounts should have the
                        SYSTEM tablespace
                        specified as the default
                        tablespace.
DO0157 V0003847   III   Database application user
                        accounts should be denied
                        storage usage for object
                        creation within the database.

DO0190 V0002515    II   The audit table should be
                        owned by SYS or SYSTEM.

DO0210 V0002516    II   Access to default accounts
                        used to support replication
                        should be restricted to
                        authorized DBAs.

DO0220 V0002517    II   Oracle instance names
                        should not contain Oracle
                        version numbers.
DO0221 V0003848   III   The Oracle SID should not
                        be the default SID.
DO0231 V0003849    II   Application owner accounts
                        should have a dedicated
                        application tablespace.

DO0233 V0015747    II   The directory assigned to the
                        DIAGNOSTIC_DEST
                        parameter should be
                        protected from unauthorized
                        access.
DO0234 V0003850    II   The directory assigned to the
                        AUDIT_FILE_DEST
                        parameter should be
                        protected from unauthorized
                        access.
DO0235 V0003851    II   The directory assigned to the
                        USER_DUMP_DEST
                        parameter should be
                        protected from unauthorized
                        access.
DO0236 V0003852    II   The directory assigned to the
                        BACKGROUND_DUMP_DEST
                        parameter should be
                        protected from unauthorized
                        access.

DO0237 V0003853    II   The directory assigned to the
                        CORE_DUMP_DEST
                        parameter should be
                        protected from unauthorized
                        access.

DO0238 V0003854    II   The directories assigned to
                        the LOG_ARCHIVE_DEST*
                        parameters should be
                        protected from unauthorized
                        access.

DO0240 V0002519   III   The Oracle OS_ROLES
                        parameter should be set to
                        FALSE.
DO0243 V0003857    II   The Oracle
                        _TRACE_FILES_PUBLIC
                        parameter if present should
                        be set to FALSE.
DO0250 V0002520    II   Fixed user and public
                        database links should be
                        authorized for use.
DO0260 V0002521    II   A minimum of two Oracle
                        control files should be
                        defined and configured to be
                        stored on separate, archived
                        physical disks or archived
                        partitions on a RAID device.

DO0270 V0002522    II   A minimum of two Oracle
                        redo log groups/files should
                        be defined and configured to
                        be stored on separate,
                        archived physical disks or
                        archived directories on a
                        RAID device.

DO0286 V0003862    II   The Oracle
                        INBOUND_CONNECT_TIMEOUT and
                        SQLNET.INBOUND_CONNECT_TIMEOUT
                        parameters should be set to a
                        value greater than 0.
DO0287 V0003863    II   The Oracle
                        SQLNET.EXPIRE_TIME
                        parameter should be set to a
                        value greater than 0.


DO0320 V0003437    II   Application role permissions
                        should not be assigned to
                        the Oracle PUBLIC role.

DO0340 V0003438    II   Oracle application
                        administration roles should
                        be disabled if not required
                        and authorized.

DO0350 V0003439    II   Oracle system privileges
                        should not be directly
                        assigned to unauthorized
                        accounts.
DO0360 V0003440    II   Connections by mid-tier web
                        and application systems to
                        the Oracle DBMS should be
                        protected, encrypted and
                        authenticated according to
                        database, web, application,
                        enclave and network
                        requirements.

DO0420 V0003865   III   The XDB Protocol server
                        should be uninstalled if not
                        required and authorized for
                        use.
DO0430 V0003866   III   The Oracle Management
                        Agent should be uninstalled
                        if not required and
                        authorized or is installed on
                        a database accessible from
                        the Internet.

DO3440 V0002527    II   The DBA role should not be
                        granted to unauthorized user
                        accounts.
DO3447 V0002531   III   The Oracle
                        OS_AUTHENT_PREFIX
                        parameter should be
                        changed from the default
                        value of OPS$.
DO3451 V0002533    II   The Oracle WITH GRANT
                        OPTION privilege should not
                        be granted to non-DBA or
                        non-Application
                        administrator user accounts.

DO3475 V0002539    II   Execute permission should
                        be revoked from PUBLIC for
                        restricted Oracle packages.

DO3536 V0002552    II   The IDLE_TIME profile
                        parameter should be set for
                        Oracle profiles IAW DoD
                        policy.
DO3538 V0002554    I    The Oracle
                        REMOTE_OS_AUTHENT
                        parameter should be set to
                        FALSE.

DO3539 V0002555    I    The Oracle
                        REMOTE_OS_ROLES
                        parameter should be set to
                        FALSE.
DO3540 V0002556    II   The Oracle
                        SQL92_SECURITY
                        parameter should be set to
                        TRUE.
DO3546 V0002558    II   The Oracle
                        REMOTE_LOGIN_PASSWORDFILE
                        parameter should be set to
                        EXCLUSIVE or NONE.
DO3609 V0002561    II   System privileges granted
                        using the WITH ADMIN
                        OPTION should not be
                        granted to unauthorized user
                        accounts.
DO3610 V0002562    II   Required object auditing
                        should be configured.
DO3612 V0002564    II   System Privileges should not
                        be granted to PUBLIC.
DO3622 V0002574    II   Oracle roles granted using
                        the WITH ADMIN OPTION
                        should not be granted to
                        unauthorized accounts.
DO3630 V0002608    I    The Oracle Listener should
                        be configured to require
                        administration authentication.



DO3685 V0002586   III   The Oracle
                        O7_DICTIONARY_ACCESSIBILITY
                        parameter should be set to
                        FALSE.
DO3686 V0002587    I    Oracle accounts should not
                        have permission to view the
                        table SYS.LINK$, which
                        contains unencrypted
                        database link passwords.
DO3689 V0002589    II   Object permissions granted
                        to PUBLIC should be
                        restricted.
DO3696 V0002593    II   The Oracle
                        RESOURCE_LIMIT
                        parameter should be set to
                        TRUE.
DO3847 V0002607    II   Oracle passwords should not
                        be stored unencrypted in the
                        spoolmain.log file.

DO5037 V0002612    II   Oracle SQLNet and listener
                        log files should not be
                        accessible to unauthorized
                        users.


DO6740 V0003497    II   The Oracle Listener
                        ADMIN_RESTRICTIONS
                        parameter if present should
                        be set to ON.


DO6746 V0016031   III   The Oracle listener.ora file
                        should specify IP addresses
                        rather than host names to
                        identify hosts.


DO6747 V0016032    II   Remote administration
                        should be disabled for the
                        Oracle connection manager.



DO6748 V0016033    II   Case sensitivity for
                        passwords should be
                        enabled.
DO6749 V0016035    II   The Oracle
                        SEC_MAX_FAILED_LOGIN_ATTEMPTS
                        parameter should be set to an
                        IAO-approved value between 1
                        and 3.
DO6750 V0016053    II   The Oracle
                        SEC_PROTOCOL_ERROR_FURTHER_ACTION
                        parameter should be set to a
                        value of DELAY or DROP.
DO6751 V0016057    II   The SQLNet
                        SQLNET.ALLOWED_LOGON_VERSION
                        parameter should be set to a
                        value of 10 or higher.
DO6752 V0016054    II   The Oracle
                        SEC_PROTOCOL_ERROR_TRACE_ACTION
                        parameter should not be set to
                        NONE.

DO6753 V0016055    II   Oracle Application Express
                        or Oracle HTML DB should
                        not be installed on a
                        production database.

DO6754 V0016056    II   Oracle Configuration
                        Manager should not remain
                        installed on a production
                        system.
      Section

Section column (detached from the rows above by extraction; the per-row
assignment is not recoverable). Values used: Oracle 9i Installation,
Oracle 10g Installation, Oracle 11g Installation, Oracle 9i DB,
Oracle 11g DB.
Installation




Oracle 9i DB,
Oracle 11g DB


Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation


Oracle 9i DB,
Oracle 11g DB

Oracle 9i DB,
Oracle 11g DB



Oracle 9i DB,
Oracle 11g DB




Oracle 9i DB,
Oracle 11g DB


Oracle 9i DB,
Oracle 11g DB


Oracle 9i DB,
Oracle 11g DB
      Section

Oracle 9i DB,
Oracle 11g DB


Oracle 9i DB,
Oracle 11g DB


Oracle 9i DB,
Oracle 11g DB



Oracle 9i DB,
Oracle 11g DB



Oracle 9i DB,
Oracle 11g DB
Oracle 9i DB,
Oracle 11g DB
Oracle 9i DB,
Oracle 11g DB


Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation

Oracle 9i DB,
Oracle 11g DB


Oracle 9i DB




Oracle 9i DB,
Oracle 11g DB

Oracle 9i DB,
Oracle 11g DB


Oracle 9i
Installation
      Section

Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation

Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation

Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation

Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation

Oracle 11g
Installation

Oracle 11g
Installation




Oracle 11g
Installation



Oracle 10g
Installation, Oracle
11g Installation


Oracle 11g
Installation



Oracle 10g
Installation, Oracle
11g Installation
      Section

Oracle 10g
Installation, Oracle
11g Installation
   ____ Checklist _V_R_ (<date>)                                          <Test> - TN <Ticket Number>
  PDI   VMSID CAT         Requirement                   Vulnerability   Status   Finding Notes      Section
DG0001 V0005658     I    Vendor supported software                                                SQL7
                         is evaluated and patched                                                 Installation,
                         against newly found                                                      SQL8 2000
                         vulnerabilities.                                                         Installation,
                                                                                                  SQL9 2005
                                                                                                  Installation


DG0002 V0004758     II   An upgrade/migration plan                                                SQL7
                         should be developed to                                                   Installation,
                         address an unsupported                                                   SQL8 2000
                         DBMS software version.                                                   Installation,
                                                                                                  SQL9 2005
                                                                                                  Installation


DG0003 V0005659     II   The latest security patches                                              SQL7
                         should be installed.                                                     Installation,
                                                                                                  SQL8 2000
                                                                                                  Installation,
                                                                                                  SQL9 2005
                                                                                                  Installation


DG0004 V0005683     II   Application object owner                                                 SQL7
                         accounts should be disabled                                              Database,
                         when not performing                                                      SQL8 2000
                         installation or maintenance                                              Database,
                         actions.                                                                 SQL9 2005
                                                                                                  Database


DG0005 V0006756     II   Only necessary privileges to                                             SQL7
                         the host system should be                                                Installation,
                         granted to DBA OS accounts.                                              SQL8 2000
                                                                                                  Installation,
                                                                                                  SQL9 2005
                                                                                                  Installation




   Legend:
   R or RAE = Required Ancillary Equipment
   NF = Not a Finding
   NA = Not Applicable                                                              182 of 1257
   ____ Checklist _V_R_ (<date>)                                            <Test> - TN <Ticket Number>
  PDI   VMSID CAT          Requirement                    Vulnerability   Status   Finding Notes      Section
DG0007 V0006767     II    The database should be                                                    SQL7
                          secured in accordance with                                                Installation,
                          DoD, vendor and/or                                                        SQL8 2000
                          commercially accepted                                                     Installation,
                          practices where applicable.                                               SQL9 2005
                                                                                                    Installation


DG0008 V0015607     II    Application objects should                                                SQL7
                          be owned by accounts                                                      Database,
                          authorized for ownership.                                                 SQL8 2000
                                                                                                    Database,
                                                                                                    SQL9 2005
                                                                                                    Database


DG0009 V0015608     II    Access to DBMS software                                                   SQL7
                          files and directories should                                              Installation,
                          not be granted to                                                         SQL8 2000
                          unauthorized users.                                                       Installation,
                                                                                                    SQL9 2005
                                                                                                    Installation


DG0010 V0002420     III   Database executable and                                                   SQL7
                          configuration files should be                                             Installation,
                          monitored for unauthorized                                                SQL8 2000
                          modifications.                                                            Installation,
                                                                                                    SQL9 2005
                                                                                                    Installation


DG0011 V0003726     III   Configuration management                                                  SQL7
                          procedures should be                                                      Installation,
                          defined and implemented for                                               SQL8 2000
                          database software                                                         Installation,
                          modifications.                                                            SQL9 2005
                                                                                                    Installation


DG0012 V0004754     II    Database software                                                       SQL7
                          directories including DBMS                                              Installation,
                          configuration files are stored                                          SQL8 2000
                          in dedicated directories                                                Installation,
                          separate from the host OS                                               SQL9 2005
                          and other applications.                                                 Installation


DG0013 V0015126     II    Database backup                                                         SQL7
                          procedures should be                                                    Installation,
                          defined, documented and                                                 SQL8 2000
                          implemented.                                                            Installation,
                                                                                                  SQL9 2005
                                                                                                  Installation


DG0014 V0015609     II    Default demonstration and                                               SQL7
                          sample database objects                                                 Installation,
                          and applications should be                                              SQL8 2000
                          removed.                                                                Installation,
                                                                                                  SQL9 2005
                                                                                                  Installation


DG0015 V0003727     III   Database applications                                                   SQL7
                          should be restricted from                                               Database,
                          using static DDL statements                                             SQL8 2000
                          to modify the application                                               Database,
                          schema.                                                                 SQL9 2005
                                                                                                  Database


DG0016 V0003728     III   Unused database                                                         SQL7
                          components, database                                                    Installation,
                          application software and                                                SQL8 2000
                          database objects should be                                              Installation,
                          removed from the DBMS                                                   SQL9 2005
                          system.                                                                 Installation


DG0017 V0003803     II    A production DBMS                                                       SQL7
                          installation should not                                                 Installation,
                          coexist on the same DBMS                                                SQL8 2000
                          host with other, non-                                                   Installation,
                          production DBMS                                                         SQL9 2005
                          installations.                                                          Installation


DG0019 V0003805     III   Application software should                                             SQL7
                          be owned by a Software                                                  Installation,
                          Application account.                                                    SQL8 2000
                                                                                                  Installation,
                                                                                                  SQL9 2005
                                                                                                  Installation


DG0020 V0015129     II    Backup and recovery                                                     SQL7
                          procedures should be                                                    Installation,
                          developed, documented,                                                  SQL8 2000
                          implemented and                                                         Installation,
                          periodically tested.                                                    SQL9 2005
                                                                                                  Installation


DG0021 V0003806     II    A baseline of database                                                  SQL7
                          application software should                                             Installation,
                          be documented and                                                       SQL8 2000
                          maintained.                                                             Installation,
                                                                                                  SQL9 2005
                                                                                                  Installation


DG0025 V0015610     II    DBMS should use NIST                                                    SQL7
                          FIPS 140-2 validated                                                    Installation,
                          cryptography.                                                           SQL8 2000
                                                                                                  Installation,
                                                                                                  SQL9 2005
                                                                                                  Installation


DG0029 V0005685     II   Required auditing                                                        SQL8 2000
                         parameters for database                                                  Installation,
                         auditing should be set.                                                  SQL9 2005
                                                                                                  Installation


DG0030 V0002507     II   Audit trail data should be                                               SQL7
                         retained for one year.                                                   Installation,
                                                                                                  SQL8 2000
                                                                                                  Installation,
                                                                                                  SQL9 2005
                                                                                                  Installation


DG0031 V0015133     II   Transaction logs should be                                               SQL7
                         periodically reviewed for                                                Installation,
                         unauthorized modification of                                             SQL8 2000
                         data. Users should be                                                    Installation,
                         notified of time and date of                                             SQL9 2005
                         the last change in data                                                  Installation
                         content.

DG0032 V0005686     II   Audit records should be                                                  SQL7
                         restricted to authorized                                                 Installation,
                         individuals.                                                             SQL8 2000
                                                                                                  Installation,
                                                                                                  SQL9 2005
                                                                                                  Installation


DG0040 V0002422     II   The DBMS software                                                        SQL7
                         installation account should                                              Installation,
                         be restricted to authorized                                              SQL8 2000
                         users.                                                                   Installation,
                                                                                                  SQL9 2005
                                                                                                  Installation


DG0041 V0015110     II   Use of the DBMS installation                                              SQL7
                         account should be logged.                                                 Installation,
                                                                                                   SQL8 2000
                                                                                                   Installation,
                                                                                                   SQL9 2005
                                                                                                   Installation


DG0042 V0015111     II   Use of the DBMS software                                                  SQL7
                         installation account should                                               Installation,
                         be restricted to DBMS                                                     SQL8 2000
                         software installation,                                                    Installation,
                         upgrade and maintenance                                                   SQL9 2005
                         actions.                                                                  Installation


DG0050 V0002423     II   Database software,                                                        SQL7
                         applications and                                                          Installation,
                         configuration files should be                                             SQL8 2000
                         monitored to discover                                                     Installation,
                         unauthorized changes.                                                     SQL9 2005
                                                                                                   Installation


DG0051 V0003808     II   Database job/batch queues                                                 SQL7
                         should be reviewed regularly                                              Installation,
                         to detect unauthorized                                                    SQL8 2000
                         database job submissions.                                                 Installation,
                                                                                                   SQL9 2005
                                                                                                   Installation


DG0052 V0003807     II   All applications that access                                              SQL7
                         the database should be                                                    Installation,
                         logged in the DBMS audit                                                  SQL8 2000
                         trail where available.                                                    Installation,
                                                                                                   SQL9 2005
                                                                                                   Installation


DG0054 V0015611     III  The audit logs should be                                                  SQL7
                         periodically monitored to                                                 Installation,
                         discover DBMS access                                                      SQL8 2000
                         using unauthorized                                                        Installation,
                         applications.                                                             SQL9 2005
                                                                                                   Installation


DG0060 V0002424     II   All database non-interactive,                                             SQL7
                         n-tier connection, and                                                    Installation,
                         shared accounts that exist                                                SQL8 2000
                         should be documented and                                                  Installation,
                         approved by the IAO.                                                      SQL9 2005
                                                                                                   Installation


DG0063 V0015107     II   DBMS privileges to restore                                                SQL7
                         database data or other                                                    Installation,
                         DBMS configurations,                                                      SQL8 2000
                         features or objects should be                                             Installation,
                         restricted to authorized                                                  SQL9 2005
                         DBMS accounts.                                                            Installation


DG0064 V0015120     II   DBMS backup and                                                           SQL7
                         restoration files should be                                               Installation,
                         protected from unauthorized                                               SQL8 2000
                         access.                                                                   Installation,
                                                                                                   SQL9 2005
                                                                                                   Installation


DG0065 V0003810     II   DBMS authentication should                                                SQL7
                         require use of a DoD PKI                                                  Installation,
                         certificate.                                                              SQL8 2000
                                                                                                   Installation,
                                                                                                   SQL9 2005
                                                                                                   Installation


DG0066 V0003811     II   Procedures for establishing                                               SQL7
                         temporary passwords that                                                  Installation,
                         meet DoD password                                                         SQL8 2000
                         requirements for new                                                      Installation,
                         accounts should be defined,                                               SQL9 2005
                         documented and                                                            Installation
                         implemented.

DG0067 V0003812     I    Database account                                                          SQL7
                         passwords should be stored                                                Installation,
                         in encoded or encrypted                                                   SQL8 2000
                         format whether stored in                                                  Installation,
                         database objects, external                                                SQL9 2005
                         host files, environment                                                   Installation
                         variables or any other
                         storage locations.
DG0068 | V0003813 | II | DBMS tools or applications that echo or require a password entry in clear text should be protected from password display. | | | | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0069 | V0015140 | II | Procedures and restrictions for import of production data to development databases should be documented, implemented and followed. | | | | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0070 | V0002508 | II | Unauthorized user accounts should not exist. | | | | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation




   Legend:
   R or RAE = Required Ancillary Equipment
   NF = Not a Finding
   NA = Not Applicable                                                               189 of 1257
   ____ Checklist _V_R_ (<date>)                                          <Test> - TN <Ticket Number>
PDI | VMSID | CAT | Requirement | Vulnerability | Status | Finding Notes | Section
DG0071 | V0003815 | II | New passwords should be required to differ from old passwords by more than four characters. | | | | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0072 | V0015612 | II | Database password changes by users should be limited to one change within 24 hours where supported by the DBMS. | | | | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0073 | V0003817 | II | Database accounts should not specify account lock times less than the site-approved minimum. | | | | SQL7 Database, SQL8 2000 Database, SQL9 2005 Database
DG0074 | V0015130 | II | Unapproved inactive or expired database accounts should not be found on the database. | | | | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0075 | V0003818 | II | Unauthorized database links should not be defined and active. | | | | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation




DG0076 | V0003819 | II | Sensitive information from production database exports should be modified after import to a development database. | | | | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0077 | V0003820 | II | Production databases should be protected from unauthorized access by developers on shared production/development host systems. | | | | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0078 | V0015613 | II | Each database user, application or process should have an individually assigned account. | | | | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0079 | V0015152 | II | DBMS login accounts require passwords to meet complexity requirements. | | | | SQL8 2000 Installation, SQL9 2005 Installation
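An added audit query for DG0070, DG0074 and DG0079 (example code written for this page; it is not part of the DIACAP template and not a DISA-provided script). It assumes a SQL Server 2005 instance, because the catalog views sys.server_principals and sys.sql_logins and the LOGINPROPERTY function do not exist on SQL Server 7 or 2000 (there, master..syslogins is the equivalent), and it assumes the auditor connects with sysadmin rights. The IAO's list of authorized accounts is assumed to be kept outside the DBMS; the first result set is reconciled against it by hand. The login name in the remediation line is a placeholder.

```sql
-- Added example for DG0070 / DG0074 / DG0079 (not part of the DIACAP template).
-- Assumes SQL Server 2005 catalog views; run on the instance under review.

-- 1. Inventory of every login on the instance (DG0070: reconcile against the IAO's
--    authorized-account list; anything not on it is a finding).
SELECT sp.name,
       sp.type_desc,          -- SQL_LOGIN, WINDOWS_LOGIN or WINDOWS_GROUP
       sp.is_disabled,
       sp.create_date,
       sp.modify_date
FROM sys.server_principals AS sp
WHERE sp.type IN ('S', 'U', 'G')    -- logins and Windows groups, not roles or certificates
  AND sp.name NOT LIKE '##%'        -- internal certificate-mapped logins (##MS_...##)
ORDER BY sp.type_desc, sp.name;

-- 2. Disabled, locked-out or password-expired SQL logins (DG0074: unapproved
--    inactive or expired accounts should be removed, not left in place).
SELECT sl.name,
       sl.is_disabled,
       LOGINPROPERTY(sl.name, 'IsLocked')            AS is_locked,
       LOGINPROPERTY(sl.name, 'IsExpired')           AS is_expired,
       LOGINPROPERTY(sl.name, 'PasswordLastSetTime') AS password_last_set
FROM sys.sql_logins AS sl
WHERE sl.is_disabled = 1
   OR LOGINPROPERTY(sl.name, 'IsLocked')  = 1
   OR LOGINPROPERTY(sl.name, 'IsExpired') = 1;

-- 3. SQL logins that do not enforce the host's Windows password policy (DG0079).
--    CHECK_POLICY delegates complexity, lockout and history to the Windows policy
--    of the host; CHECK_EXPIRATION adds password ageing and requires CHECK_POLICY.
SELECT sl.name,
       sl.is_policy_checked,
       sl.is_expiration_checked
FROM sys.sql_logins AS sl
WHERE sl.is_policy_checked = 0
   OR sl.is_expiration_checked = 0;

-- Remediation for a DG0079 finding, once the account is confirmed as authorized
-- ([app_login] is a placeholder name):
-- ALTER LOGIN [app_login] WITH CHECK_POLICY = ON, CHECK_EXPIRATION = ON;
```

Query 3 only covers SQL-authenticated logins; Windows logins get their complexity rules from the domain or local account policy. CHECK_POLICY also enforces whatever the host's Windows policy says, so a weak host policy makes the flag meaningless: record the host policy in the finding notes alongside this output.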


DG0080 | V0003821 | II | Application user privilege assignment should be reviewed monthly or more frequently to ensure compliance with least privilege and documented policy. | | | | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation




DG0083 | V0015102 | II | Automated notification of suspicious activity detected in the audit trail should be implemented. | | | | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0084 | V0015614 | III | The DBMS should be configured to clear residual data from memory, data objects and files, and other storage locations. | | | | SQL9 2005 Installation
DG0085 | V0015615 | II | The DBA role should not be assigned excessive or unauthorized privileges. | | | | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0086 | V0015106 | II | DBA roles should be periodically monitored to detect assignment of unauthorized or excess privileges. | | | | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
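An added example for DG0085 and DG0086 (written for this page; not part of the DIACAP template or any DISA script). It lists who holds each fixed server role, catches the explicit server permissions that a role-only review misses, and keeps a snapshot so the periodic review in DG0086 reports only what changed. The same listing is the evidence for DG0100 (replication accounts in sysadmin), DG0116 and DG0118 further down. It assumes SQL Server 2005 catalog views and an audit database owned by the DBAs; the table name dbo.server_role_snapshot is chosen for this example.

```sql
-- Added example for DG0085 / DG0086 (not part of the DIACAP template).
-- Assumes SQL Server 2005 catalog views and a DBA-owned audit database in which
-- dbo.server_role_snapshot (a name chosen for this example) may be created.

-- 1. Who holds each fixed server role. sysadmin is unrestricted, so every member
--    that is not an IAO-approved DBA account (including replication or service
--    accounts, cf. DG0100) is a DG0085 finding.
SELECT r.name        AS server_role,
       m.name        AS member,
       m.type_desc   AS member_type,
       m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
ORDER BY CASE r.name WHEN 'sysadmin' THEN 0 WHEN 'securityadmin' THEN 1 ELSE 2 END,
         r.name, m.name;

-- 2. Equivalent rights granted as explicit permissions rather than role membership.
--    CONTROL SERVER is functionally sysadmin; ALTER ANY LOGIN lets the grantee reset
--    any login's password. A review that only looks at roles misses both.
SELECT p.name, p.type_desc, sp.permission_name, sp.state_desc
FROM sys.server_permissions AS sp
JOIN sys.server_principals  AS p ON p.principal_id = sp.grantee_principal_id
WHERE sp.permission_name IN ('CONTROL SERVER', 'ALTER ANY LOGIN', 'ALTER ANY LINKED SERVER')
  AND sp.state IN ('G', 'W');   -- GRANT, or GRANT WITH GRANT OPTION

-- 3. Periodic monitoring (DG0086): diff the current membership against the last
--    snapshot, then refresh the snapshot. Rows returned are grants made since the
--    previous review and must each be traced to an approved change.
IF OBJECT_ID('dbo.server_role_snapshot') IS NULL
    CREATE TABLE dbo.server_role_snapshot
    (
        server_role sysname  NOT NULL,
        member      sysname  NOT NULL,
        captured    datetime NOT NULL DEFAULT GETDATE()
    );

SELECT r.name AS server_role, m.name AS member
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
EXCEPT
SELECT server_role, member FROM dbo.server_role_snapshot;

DELETE FROM dbo.server_role_snapshot;
INSERT INTO dbo.server_role_snapshot (server_role, member)
SELECT r.name, m.name
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id;
```

Reversing the two sides of the EXCEPT reports memberships removed since the last snapshot, which is worth keeping as well, since a revocation is also a change the IAM should have seen (DG0118). Windows group members of sysadmin appear only as the group name; expand the group in Active Directory before signing off the list.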


DG0087 | V0015616 | III | Sensitive data should be labeled. | | | | SQL9 2005 Installation
DG0088 | V0015112 | III | The DBMS should be periodically tested for vulnerability management and IA compliance. | | | | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation




DG0089 | V0015114 | III | Developers should not be assigned excessive privileges on production databases. | | | | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0090 | V0015131 | II | Sensitive information stored in the database should be protected by encryption. | | | | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0091 | V0003823 | III | Custom and GOTS application source code stored in the database should be protected with encryption or encoding. | | | | SQL7 Database, SQL8 2000 Database, SQL9 2005 Database
DG0092 | V0015132 | II | Database data files containing sensitive information should be encrypted. | | | | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0093 | V0003825 | II | Remote administrative connections to the database should be encrypted. | | | | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
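An added check for DG0093 (example code written for this page, not part of the DIACAP template). It shows which administrative sessions are currently on the instance without encryption, which is the evidence the finding notes need. It assumes SQL Server 2005, whose sys.dm_exec_sessions and sys.dm_exec_connections DMVs expose the transport and the negotiated encryption state, and an auditor with VIEW SERVER STATE.

```sql
-- Added example for DG0093 (not part of the DIACAP template).
-- Assumes SQL Server 2005 DMVs (sys.dm_exec_sessions, sys.dm_exec_connections)
-- and VIEW SERVER STATE permission for the auditor.

-- 1. Administrative sessions that arrived over the network without encryption.
--    Each row is a DG0093 finding; host_name and program_name identify the DBA
--    workstation or tool that has to be fixed.
SELECT s.session_id,
       s.login_name,
       s.host_name,
       s.program_name,
       c.net_transport,        -- TCP, Named pipe, ...; Shared memory is local only
       c.client_net_address,
       c.encrypt_option        -- 'TRUE' only when the session negotiated SSL/TLS
FROM sys.dm_exec_sessions    AS s
JOIN sys.dm_exec_connections AS c ON c.session_id = s.session_id
WHERE s.is_user_process = 1
  AND c.net_transport <> 'Shared memory'                -- local sessions never leave the host
  AND IS_SRVROLEMEMBER('sysadmin', s.login_name) = 1    -- administrative logins only
  AND c.encrypt_option = 'FALSE';

-- 2. The same population summarised, to show what share of administrative traffic
--    is encrypted at all (useful as the "Finding Notes" evidence).
SELECT c.encrypt_option, c.net_transport, COUNT(*) AS sessions
FROM sys.dm_exec_sessions    AS s
JOIN sys.dm_exec_connections AS c ON c.session_id = s.session_id
WHERE s.is_user_process = 1
  AND IS_SRVROLEMEMBER('sysadmin', s.login_name) = 1
GROUP BY c.encrypt_option, c.net_transport;
```

This is a point-in-time sample, not a control. To make encryption mandatory, set Force Encryption for the instance in SQL Server Configuration Manager (a registry setting, not an sp_configure option, and it needs a server certificate issued to the host name), or require Encrypt=yes in the DBA tools' connection strings; with a self-signed certificate the session is confidential but the client has not authenticated the server. Where administrative access is granted through a Windows group rather than individual logins, IS_SRVROLEMEMBER may return NULL for the group members, so drop that filter and pick the administrative logins out of login_name by hand.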




DG0095 | V0003827 | II | Audit trail data should be reviewed daily or more frequently. | | | | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0096 | V0015138 | III | The DBMS IA policies and procedures should be reviewed annually or more frequently. | | | | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0097 | V0015139 | II | Plans and procedures for testing DBMS installations, upgrades, and patches should be defined and followed prior to production implementation. | | | | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0098 | V0015617 | II | Access to external objects should be disabled if not required and authorized. | | | | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0099 | V0015618 | II | Access to external DBMS executables should be disabled or restricted. | | | | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
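An added check for DG0098 and DG0099 (example code written for this page, not part of the DIACAP template). On SQL Server the "external objects and executables" these two checks refer to are the surface-area features that let T-SQL reach the operating system or outside data providers: xp_cmdshell, the OLE Automation procedures, ad hoc distributed queries and the like. The example assumes SQL Server 2005 (sys.configurations and the sp_configure option names it ships with); on SQL Server 7 and 2000 the features cannot be switched off, so only the third query applies there. The sp_configure statements are remediation and are meant to be run one at a time after a finding has been confirmed, not as part of the audit pass.

```sql
-- Added example for DG0098 / DG0099 (not part of the DIACAP template).
-- Assumes SQL Server 2005 (sys.configurations and the sp_configure option names
-- it ships with). On SQL Server 7 / 2000 these features are always present and the
-- check is instead who holds EXECUTE on the extended procedures (query 3).

-- 1. Surface-area options that let T-SQL reach the OS or external providers.
--    Any value_in_use = 1 that the IAO has not documented and authorized is a finding.
SELECT name, value_in_use, value AS configured_value, is_dynamic
FROM sys.configurations
WHERE name IN ('xp_cmdshell',                -- OS commands as the service account (DG0099)
               'Ole Automation Procedures',  -- sp_OACreate etc.: COM objects from T-SQL
               'Ad Hoc Distributed Queries', -- OPENROWSET / OPENDATASOURCE (DG0098)
               'clr enabled',                -- user-loaded .NET assemblies
               'remote access',              -- remote server RPC
               'SMO and DMO XPs',
               'Agent XPs',
               'Database Mail XPs',
               'SQL Mail XPs',
               'Web Assistant Procedures')
ORDER BY name;

-- 2. Remediation for the common findings. Advanced options must be exposed first;
--    RECONFIGURE applies each change.
EXEC sp_configure 'show advanced options', 1;      RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;                RECONFIGURE;
EXEC sp_configure 'Ole Automation Procedures', 0;  RECONFIGURE;
EXEC sp_configure 'Ad Hoc Distributed Queries', 0; RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;      RECONFIGURE;

-- 3. Who can execute the dangerous extended procedures directly (DG0099). Disabling
--    xp_cmdshell is only a default: a principal with EXECUTE on it plus ALTER SETTINGS
--    can turn it back on, so the grants matter even while the option is off.
SELECT dp.name AS grantee, dp.type_desc, o.name AS extended_proc,
       p.permission_name, p.state_desc
FROM master.sys.database_permissions AS p
JOIN master.sys.all_objects          AS o  ON o.object_id = p.major_id
JOIN master.sys.database_principals  AS dp ON dp.principal_id = p.grantee_principal_id
WHERE p.class = 1                                 -- object-level permission
  AND o.name IN ('xp_cmdshell', 'xp_regread', 'xp_regwrite', 'xp_fileexist',
                 'xp_dirtree', 'sp_OACreate', 'xp_servicecontrol')
ORDER BY o.name, dp.name;
```

Members of sysadmin can run every one of these regardless of the grants in query 3, which is why this check and the DBA-role checks (DG0085, DG0086) have to be read together: restricting xp_cmdshell is only meaningful once the sysadmin list is itself under control.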




DG0100 | V0015619 | II | Replication accounts should not be granted DBA privileges. | | | | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0101 | V0015620 | II | OS accounts used to execute external procedures should be assigned minimum privileges. | | | | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0102 | V0015141 | II | DBMS processes or services should run under custom, dedicated OS accounts. | | | | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0104 | V0015622 | III | DBMS service identification should be unique and clearly identify the service. | | | | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0105 | V0015128 | II | DBMS application user roles should not be assigned unauthorized privileges. | | | | SQL7 Database, SQL8 2000 Database, SQL9 2005 Database




DG0106 | V0015143 | II | Database data encryption controls should be configured in accordance with application requirements. | | | | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0107 | V0015144 | II | Sensitive data is stored in the database and should be identified in the System Security Plan and AIS Functional Architecture documentation. | | | | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0108 | V0015145 | III | The DBMS restoration priority should be assigned. | | | | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0109 | V0015146 | II | The DBMS should not be operated without authorization on a host system supporting other application services. | | | | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0110 | V0015179 | II | The DBMS should not share a host supporting an independent security service. | | | | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation




DG0111 | V0015147 | II | The DBMS data files, transaction logs and audit files should be stored in dedicated directories or disk partitions separate from software or other application files. | | | | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0114 | V0015119 | II | DBMS files critical for DBMS recovery should be stored on RAID or other high-availability storage devices. | | | | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0115 | V0015625 | II | Recovery procedures and technical system features exist to ensure that recovery is done in a secure and verifiable manner. | | | | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0116 | V0015626 | II | Database privileged role assignments should be restricted to IAO-authorized DBMS accounts. | | | | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0117 | V0015627 | II | Administrative privileges should be assigned to database accounts via database roles. | | | | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation




DG0118 | V0015127 | II | The IAM should review changes to DBA role assignments. | | | | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0119 | V0015628 | II | DBMS application users should not be granted administrative privileges to the DBMS. | | | | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0120 | V0015105 | II | Unauthorized access to external database objects should be removed from application user roles. | | | | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0121 | V0015629 | II | Application user privileges should be restricted to assignment using application user roles. | | | | SQL7 Database, SQL8 2000 Database, SQL9 2005 Database
DG0122 | V0015630 | II | Access to sensitive data should be restricted to authorized users identified by the Information Owner. | | | | SQL7 Database, SQL8 2000 Database, SQL9 2005 Database




   Legend:
   R or RAE = Required Ancillary Equipment
   NF = Not a Finding
   NA = Not Applicable                                                              198 of 1257
   ____ Checklist _V_R_ (<date>)                                   <Test> - TN <Ticket Number>
DG0123  V0015631  II   Access to DBMS system tables and other configuration or metadata should be restricted to DBAs.
                       Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0124  V0015632  II   Use of DBA accounts should be restricted to administrative activities.
                       Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0125  V0015153  II   DBMS account passwords should be set to expire every 60 days or more frequently.
                       Section: SQL9 2005 Installation

DG0127  V0015634  II   DBMS account passwords should not be set to easily guessed words or values.
                       Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0128  V0015635  I    DBMS default accounts should be assigned custom passwords.
                       Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0129  V0015636  I    Passwords should be encrypted when transmitted across the network.
                       Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation




DG0130  V0015637  II   DBMS passwords should not be stored in compiled, encoded or encrypted batch jobs or in compiled, encoded or encrypted application source code.
                       Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0131  V0015638  III  DBMS default account names should be changed.
                       Section: SQL9 2005 Installation

DG0133  V0015639  II   Unlimited account lock times should be specified for locked accounts.
                       Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0138  V0015642  II   Access grants to sensitive data should be restricted to authorized user roles.
                       Section: SQL7 Database, SQL8 2000 Database, SQL9 2005 Database

DG0140  V0015643  II   Access to DBMS security should be audited.
                       Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0141  V0015644  II   Attempts to bypass access controls should be audited.
                       Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
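The password and default-account items on this and the previous page (DG0125, DG0127, DG0128, DG0131, DG0133) can be checked from T-SQL on SQL Server 2005, the only platform on this page that has sys.sql_logins and ALTER LOGIN. The script below is an added example; it is not part of this checklist or of the STIG check procedures. It assumes the reviewer holds CONTROL SERVER (without it password_hash reads as NULL), and the login name svc_dba_admin and the password placeholder are hypothetical.

```sql
-- Added example, not from the checklist. Target: SQL Server 2005 (SQL9).
-- Assumes CONTROL SERVER (sysadmin): without it password_hash reads as NULL.
USE master;
GO

-- 1. Policy enforcement and weak-password probes for every SQL login
--    (DG0125, DG0127, DG0133). CHECK_POLICY / CHECK_EXPIRATION delegate to
--    the Windows password policy of the host, so the 60-day maximum age and
--    the lockout duration are set in local or domain security policy, not in
--    SQL Server; this query only shows whether that delegation is switched on.
SELECT  name,
        is_policy_checked,
        is_expiration_checked,
        is_disabled,
        CASE WHEN password_hash IS NULL               THEN 'hash not visible: need CONTROL SERVER'
             WHEN PWDCOMPARE('', password_hash) = 1   THEN 'FINDING: blank password'
             WHEN PWDCOMPARE(name, password_hash) = 1 THEN 'FINDING: password equals login name'
             ELSE 'ok' END AS weak_password_check
FROM    sys.sql_logins
ORDER BY name;
-- Extend the probe to a wordlist by calling PWDCOMPARE once per candidate;
-- it never reveals the password, only whether the candidate matches.

-- 2. The sa login (DG0128, DG0131). It is always principal_id 1, so look it
--    up by id rather than by name; a renamed sa still shows here.
SELECT  name,
        is_disabled,
        CASE WHEN name = 'sa' THEN 'FINDING: default name still in use'
             ELSE 'renamed' END AS dg0131,
        CASE WHEN PWDCOMPARE('', password_hash) = 1 THEN 'FINDING: blank password'
             ELSE 'custom password set' END AS dg0128
FROM    sys.sql_logins
WHERE   principal_id = 1;

-- 3. Remediation for the default account. Order matters: password and policy
--    options are applied while the login is still called sa, then it is
--    renamed and disabled under its new name. The new name and the password
--    placeholder are hypothetical; generate the real value at run time.
ALTER LOGIN sa WITH PASSWORD = N'<generated-at-run-time>';
ALTER LOGIN sa WITH CHECK_POLICY = ON, CHECK_EXPIRATION = ON;
ALTER LOGIN sa WITH NAME = [svc_dba_admin];
ALTER LOGIN [svc_dba_admin] DISABLE;
```

Step 3 is a change, not a check; run it only after the finding is confirmed and the new password is recorded in the approved credential store, since an instance whose only sysadmin login is sa becomes unreachable if the rename is done with no other sysadmin principal in place.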




DG0142  V0015645  II   Changes to configuration options should be audited.
                       Section: SQL9 2005 Installation

DG0145  V0015646  II   Audit records should contain required information.
                       Section: SQL8 2000 Installation, SQL9 2005 Installation

DG0151  V0015648  II   Access to the DBMS should be restricted to static, default network ports.
                       Section: SQL9 2005 Installation

DG0152  V0015148  II   DBMS network communications should comply with DoD Ports, Protocols, and Services (PPS) usage restrictions.
                       Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0153  V0015149  III  DBA role assignments should be made and authorized by the IAO.
                       Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0154  V0015150  III  The DBMS requires a System Security Plan containing all required information.
                       Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0155  V0015649  II   The DBMS should have all applicable settings configured to use trusted files, functions, features, or other components during startup, shutdown, aborts, or other unplanned interruptions.
                       Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation


DG0157  V0015651  II   Remote DBMS administration should be documented and authorized, or disabled.
                       Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0158  V0015652  II   DBMS remote administration should be audited.
                       Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0159  V0015118  II   Remote administrative access to the database should be monitored by the IAO or IAM.
                       Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0161  V0015103  II   An automated tool that monitors audit data and immediately reports suspicious activity should be employed for the DBMS.
                       Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0165  V0015654  II   DBMS symmetric keys should be protected in accordance with NSA- or NIST-approved key management technology or processes.
                       Section: SQL9 2005 Database
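For DG0165 on SQL Server 2005, the catalog views record which mechanism protects each symmetric key, so a reviewer can see whether the key material chains to the database master key (and from there to the service master key) or depends on a password that then has to live somewhere in application code. The script below is an added example, not checklist or STIG material; the database name is hypothetical, and the algorithm test in the first query is the reviewer's own judgement of what counts as NIST-approved rather than something this page settles.

```sql
-- Added example, not from the checklist. Target: SQL Server 2005 (SQL9).
-- Needs VIEW DEFINITION on the keys in the database under review.
USE [AppDB];   -- hypothetical database name, replace
GO

-- 1. Symmetric keys, their algorithm, and every mechanism that protects the
--    key material. A key listed only as ENCRYPTION BY PASSWORD is opened
--    with a password the application must hold (see DG0130); a key protected
--    by a certificate or asymmetric key chains to the database master key.
--    The database master key itself appears as ##MS_DatabaseMasterKey##.
SELECT  sk.name,
        sk.algorithm_desc,
        sk.key_length,
        sk.create_date,
        ke.crypt_type_desc,
        CASE WHEN sk.algorithm_desc LIKE 'AES%' OR sk.algorithm_desc = 'TRIPLE_DES'
             THEN 'ok'
             ELSE 'REVIEW: algorithm not on the reviewer''s approved list' END AS algorithm_check
FROM    sys.symmetric_keys sk
JOIN    sys.key_encryptions ke ON ke.key_id = sk.symmetric_key_id
WHERE   sk.name <> '##MS_DatabaseMasterKey##'
ORDER BY sk.name, ke.crypt_type_desc;

-- 2. Is a copy of the database master key encrypted by the service master
--    key? If so the server opens it automatically, which is convenient but
--    means any sysadmin can reach every key beneath it without a password.
SELECT  name, is_master_key_encrypted_by_server
FROM    sys.databases
WHERE   database_id = DB_ID();

-- 3. Certificates and asymmetric keys that sit above the symmetric keys:
--    expiry, issuer (a self-signed certificate has issuer_name = subject)
--    and how their private keys are protected.
SELECT  name, subject, issuer_name, expiry_date, pvt_key_encryption_type_desc
FROM    sys.certificates
ORDER BY expiry_date;

SELECT  name, algorithm_desc, key_length, pvt_key_encryption_type_desc
FROM    sys.asymmetric_keys
ORDER BY name;
```

The output is evidence for the Finding Notes column rather than a pass/fail verdict: the finding for DG0165 is about the key-management process, and this inventory tells the reviewer which keys that process has to account for and where the chain of protection ends.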




DG0166  V0015142  II   Asymmetric keys should use DoD PKI certificates and be protected in accordance with NIST-approved (unclassified data) or NSA-approved (classified data) key management technology and processes.
                       Section: SQL9 2005 Database

DG0167  V0015104  I    Sensitive data served by the DBMS should be protected by encryption when transmitted across the network.
                       Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0171  V0015656  II   The DBMS should not have a connection defined to access, or be accessed by, a DBMS at a different classification level.
                       Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0172  V0015657  II   Changes to DBMS security labels should be audited.
                       Section: SQL9 2005 Database

DG0175  V0015116  II   The DBMS host platform and other dependent applications should be configured in compliance with applicable STIG requirements.
                       Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0176  V0015117  II   The DBMS audit logs should be included in backup operations.
                       Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
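DG0151 (static port) and DG0157 (remote administration) on the previous pages and DG0167 (encryption in transit) above all come down to listener settings that SQL Server 2005 keeps in the instance's registry hive and in sys.configurations. The script below is an added example, not checklist or STIG material; it assumes sysadmin, because xp_instance_regread and sp_configure require it, and the remediation at the end assumes that remote use of the dedicated administrator connection has not been authorized.

```sql
-- Added example, not from the checklist. Target: SQL Server 2005 (SQL9).
-- Assumes sysadmin. xp_instance_regread resolves the instance-specific
-- registry path, so the same paths work for default and named instances.

-- 1. Static vs dynamic TCP port (DG0151). A non-empty TcpDynamicPorts value
--    means the instance picks a port at start-up and clients depend on the
--    SQL Browser service (UDP 1434) to find it. The default static port is 1433.
DECLARE @TcpPort nvarchar(32), @TcpDynamicPorts nvarchar(32);
EXEC master.dbo.xp_instance_regread
     N'HKEY_LOCAL_MACHINE',
     N'SOFTWARE\Microsoft\MSSQLServer\MSSQLServer\SuperSocketNetLib\Tcp\IPAll',
     N'TcpPort', @TcpPort OUTPUT;
EXEC master.dbo.xp_instance_regread
     N'HKEY_LOCAL_MACHINE',
     N'SOFTWARE\Microsoft\MSSQLServer\MSSQLServer\SuperSocketNetLib\Tcp\IPAll',
     N'TcpDynamicPorts', @TcpDynamicPorts OUTPUT;
SELECT  @TcpPort AS TcpPort,
        @TcpDynamicPorts AS TcpDynamicPorts,
        CASE WHEN ISNULL(@TcpDynamicPorts, '') <> '' THEN 'FINDING: dynamic port in use'
             ELSE 'static' END AS dg0151;

-- 2. Encryption in transit (DG0167). ForceEncryption = 1 makes the server
--    refuse sessions that do not negotiate SSL/TLS; the DMV shows what the
--    live connections actually negotiated, so a 0 here with rows below is
--    the finding even if the application claims it encrypts.
DECLARE @ForceEncryption int;
EXEC master.dbo.xp_instance_regread
     N'HKEY_LOCAL_MACHINE',
     N'SOFTWARE\Microsoft\MSSQLServer\MSSQLServer\SuperSocketNetLib',
     N'ForceEncryption', @ForceEncryption OUTPUT;
SELECT  @ForceEncryption AS ForceEncryption;

SELECT  session_id, net_transport, encrypt_option, auth_scheme,
        client_net_address, local_tcp_port
FROM    sys.dm_exec_connections
WHERE   encrypt_option = 'FALSE'      -- every row is a session in the clear
  AND   net_transport <> 'Shared memory';

-- 3. Remote administration paths (DG0157). 'remote admin connections'
--    opens the dedicated administrator connection to the network; 'remote
--    access' allows remote stored-procedure calls from linked servers.
SELECT  name, value_in_use
FROM    sys.configurations
WHERE   name IN ('remote admin connections', 'remote access');

-- Remediation when remote DAC use is not documented and authorized:
EXEC sp_configure 'remote admin connections', 0;
RECONFIGURE;
```

The port and ForceEncryption values are read back from the registry, not changed here: both are set through SQL Server Configuration Manager and only take effect after the service restarts, so a reviewer should check the running value in the DMV as well as the stored one.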




DG0179  V0015658  II   The DBMS warning banner should meet DoD policy requirements.
                       Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0186  V0015122  II   The database should not be directly accessible from public or unauthorized networks.
                       Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0187  V0015121  II   DBMS software libraries should be periodically backed up.
                       Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0190  V0015154  II   Credentials stored and used by the DBMS to access remote databases or applications should be authorized and restricted to authorized users.
                       Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0194  V0015108  II   Privileges assigned to developers on shared production and development DBMS hosts and the DBMS should be monitored every three months or more frequently for unauthorized changes.
                       Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation




DG0195  V0015109  II   DBMS production application and data directories should be protected from developers on shared production/development DBMS host systems.
                       Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0198  V0015662  II   Remote administration of the DBMS should be restricted to known, dedicated and encrypted network addresses and ports.
                       Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DM0510  V0002426  II   C2 Audit mode should be enabled, or custom audit traces defined.
                       Section: SQL8 2000 Installation, SQL9 2005 Installation

DM0530  V0002427  II   Fixed server roles should have only authorized users or groups assigned as members.
                       Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DM0531  V0015151  II   Fixed database roles should have only authorized users or groups as members.
                       Section: SQL7 Database, SQL8 2000 Database, SQL9 2005 Database

DM0660  V0002436  II   The MS SQL Server instance name should not include a SQL Server or other software version number.
                       Section: SQL8 2000 Installation, SQL9 2005 Installation
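DM0530 and DM0531 above, and DG0118, DG0119 and DG0153 on earlier pages, are all answered by the same evidence: who is in which fixed role, compared against the list the IAO has authorized. The script below is an added example for SQL Server 2005, not part of this checklist or of the STIG check procedures. It assumes VIEW ANY DEFINITION (or sysadmin) at server level and VIEW DEFINITION in each database, it uses the undocumented sp_MSforeachdb to walk every database, and the authorized-DBA list in the last query is a hypothetical placeholder.

```sql
-- Added example, not from the checklist. Target: SQL Server 2005 (SQL9).
-- Assumes VIEW ANY DEFINITION at server level (sysadmin has it) and
-- VIEW DEFINITION in each database.

-- 1. Fixed server role membership (DM0530). type 'R' = server role; the
--    sysadmin, securityadmin and serveradmin rows are the ones to compare
--    line by line against the IAO's authorized list (DG0118, DG0153).
SELECT  r.name      AS server_role,
        m.name      AS member,
        m.type_desc AS member_type,
        m.is_disabled
FROM    sys.server_role_members rm
JOIN    sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN    sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE   r.type = 'R'
ORDER BY r.name, m.name;
-- A WINDOWS_GROUP member hides the real membership; expand it with
--   EXEC xp_logininfo N'DOMAIN\group', N'members';   (group name hypothetical)

-- 2. Fixed database role membership in every database (DM0531).
--    sp_MSforeachdb is undocumented but shipped with 2005; '?' is replaced
--    by each database name. An offline database makes its USE fail, so
--    bring it online or exclude it before running this in a review.
EXEC sp_MSforeachdb N'
USE [?];
SELECT  DB_NAME()   AS database_name,
        r.name      AS database_role,
        m.name      AS member,
        m.type_desc AS member_type,
        sp.name     AS mapped_login
FROM    sys.database_role_members drm
JOIN    sys.database_principals r  ON r.principal_id = drm.role_principal_id
JOIN    sys.database_principals m  ON m.principal_id = drm.member_principal_id
LEFT JOIN sys.server_principals sp ON sp.sid = m.sid
WHERE   r.is_fixed_role = 1
  AND   m.name <> N''dbo''
ORDER BY r.name, m.name;';

-- 3. Logins holding an administrative server role that are not on the
--    authorized DBA list (DG0119). Anything returned here is a finding
--    unless the IAO's documentation covers it; the two names in the list
--    are hypothetical placeholders for that documented list.
SELECT  m.name AS member, r.name AS server_role
FROM    sys.server_role_members rm
JOIN    sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN    sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE   r.type = 'R'
  AND   m.name NOT IN (N'sa', N'DOMAIN\SQL_DBAs')
ORDER BY m.name;
```

Query 2 shows mapped_login as NULL for a database user with no matching server login, which is worth noting in the Finding Notes: an orphaned user in db_owner is a dormant privilege that a re-created login of the same SID would inherit.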




DM0900  V0003335  II   SQL Mail, SQL Mail Extended Stored Procedures (XPs) and Database Mail XPs should be enabled only where required.
                       Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DM0901  V0003336  II   SQL Server Agent email notification, if enabled, should be documented and approved by the IAO.
                       Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DM0919  V0015170  II   SQL Server services should be assigned least privileges on the SQL Server Windows host.
                       Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DM0920  V0003832  II   A Windows OS DBA group should exist.
                       Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DM0921  V0003833  II   The Windows OS DBA group should contain only authorized users.
                       Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
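DM0900 above and DM0510 on the previous page, together with DG0140 and DG0141 earlier in the checklist, are instance-level settings: two sp_configure options and one registry value. The script below is an added example, not checklist or STIG material; it assumes sysadmin and SQL Server 2005, and the remediation step assumes the IAO has not documented a requirement for SQL Mail or Database Mail.

```sql
-- Added example, not from the checklist. Target: SQL Server 2005 (SQL9).
-- sp_configure changes need ALTER SETTINGS (sysadmin or serveradmin).
-- C2 audit mode and the login audit level take effect only after the
-- service restarts, so record both the stored and the running state.

-- 1. Current values. The mail XPs are advanced options, so expose them first.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
SELECT  name, value, value_in_use
FROM    sys.configurations
WHERE   name IN ('c2 audit mode', 'SQL Mail XPs', 'Database Mail XPs');

-- 2. Login auditing (DG0140, DG0141). AuditLevel is a registry value, not an
--    sp_configure option: 0 = none, 1 = successful logins, 2 = failed logins,
--    3 = both. Failed-login auditing is the minimum, since a failed login is
--    the footprint of an attempt to bypass access control.
DECLARE @AuditLevel int;
EXEC master.dbo.xp_instance_regread
     N'HKEY_LOCAL_MACHINE',
     N'SOFTWARE\Microsoft\MSSQLServer\MSSQLServer',
     N'AuditLevel', @AuditLevel OUTPUT;
SELECT  @AuditLevel AS AuditLevel,
        CASE WHEN @AuditLevel IN (2, 3) THEN 'ok'
             ELSE 'FINDING: failed logins not audited' END AS dg0141;

-- 3. Remediation: disable the mail XPs unless the IAO has documented a need
--    for them (DM0900), audit both successful and failed logins, and turn
--    on C2 auditing (DM0510). C2 writes trace files to the default data
--    directory and stops the instance when that volume fills, so size the
--    volume, or define a custom audit trace instead, before enabling it.
EXEC sp_configure 'SQL Mail XPs', 0;
EXEC sp_configure 'Database Mail XPs', 0;
EXEC sp_configure 'c2 audit mode', 1;
RECONFIGURE;
EXEC master.dbo.xp_instance_regwrite
     N'HKEY_LOCAL_MACHINE',
     N'SOFTWARE\Microsoft\MSSQLServer\MSSQLServer',
     N'AuditLevel', REG_DWORD, 3;
```

The value and value_in_use columns in step 1 differ when a change has been made but RECONFIGURE or the restart has not happened yet; a scorecard entry should quote value_in_use, since that is what the running instance enforces.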




DM0924  V0003835  II   The SQL Server service should use a least-privileged local or domain user account.
                       Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DM0927  V0003838  II   SQL Server registry keys should be properly secured.
                       Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DM0928  V0015169  II   The SQL Server services should not be assigned excessive user rights.
                       Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DM0929  V0015134  II   The Integration Services service account should not be assigned excess host system privileges.
                       Section: SQL9 2005 Installation

DM0933  V0015155  II   The SQL Server Agent service account should not be assigned excess user rights.
                       Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation


DM1709 V0002451     II   The guest user account                                            SQL7
                         should be disabled.                                               Database,
                                                                                           SQL8 2000
                                                                                           Database,
                                                                                           SQL9 2005
                                                                                           Database




DM1715 | V0002457 | II | Object permission assignments should be authorized. | | | | SQL7 Database, SQL8 2000 Database, SQL9 2005 Database
DM1749 | V0002458 | II | Permissions on system tables should be restricted to authorized accounts. | | | | SQL7 Database, SQL8 2000 Database, SQL9 2005 Database
DM1757 | V0002460 | II | Direct access to system table updates should be disabled. | | | | SQL7 Installation, SQL8 2000 Installation
DM1758 | V0002461 | I | Extended stored procedure xp_cmdshell should be restricted to authorized accounts. | | | | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DM1760 | V0002463 | II | DDL permissions should be granted only to authorized accounts. | | | | SQL7 Database, SQL8 2000 Database, SQL9 2005 Database
DM1761 | V0002464 | II | Execute stored procedures at startup, if enabled, should have a custom audit trace defined. | | | | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation




DM2095 | V0002472 | II | OLE Automation extended stored procedures should be restricted to sysadmin access. | | | | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DM2119 | V0002473 | II | Registry extended stored procedures should be restricted to sysadmin access. | | | | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DM2142 | V0002485 | II | Remote access should be disabled if not authorized. | | | | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DM3566 | V0002487 | II | SQL Server authentication mode should be set to Windows authentication mode or Mixed mode. | | | | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DM3763 | V0002488 | II | SQL Server Agent CmdExec or ActiveScripting jobs should be restricted to sysadmins. | | | | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation




DM3930 | V0015137 | II | Error log retention should be set to meet log retention policy. | | | | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DM5144 | V0002498 | II | Permissions using the WITH GRANT OPTION should be granted only to DBA or application administrator accounts. | | | | SQL7 Database, SQL8 2000 Database, SQL9 2005 Database
DM5267 | V0002500 | II | Trace Rollover should be enabled for audit traces that have a maximum trace file size. | | | | SQL8 2000 Installation, SQL9 2005 Installation
DM6015 | V0015124 | II | The Named Pipes network protocol should be documented and approved if enabled. | | | | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DM6030 | V0015176 | II | SQL Server event forwarding, if enabled, should be operational. | | | | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DM6045 | V0015125 | II | Only authorized users should be assigned permissions to SQL Server Agent proxies. | | | | SQL9 2005 Installation




DM6065 | V0015113 | II | SQL Server replication agents should be run under separate and dedicated OS accounts. | | | | SQL9 2005 Installation
DM6070 | V0015178 | II | Replication databases should have authorized db_owner role members. The replication monitor role should have authorized members. | | | | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DM6075 | V0015182 | II | Replication snapshot folders should be protected from unauthorized access. | | | | SQL9 2005 Installation
DM6085 | V0015183 | II | The Analysis Services ad hoc data mining queries configuration option should be disabled if not required. | | | | SQL9 2005 Installation
DM6086 | V0015184 | II | Analysis Services Anonymous Connections should be disabled. | | | | SQL9 2005 Installation
DM6087 | V0015204 | II | Analysis Services Links to Objects should be disabled if not required. | | | | SQL9 2005 Installation
DM6088 | V0015186 | II | Analysis Services Links From Objects should be disabled if not required. | | | | SQL9 2005 Installation
DM6099 | V0015181 | II | Analysis Services user-defined COM functions should be disabled if not required. | | | | SQL9 2005 Installation
DM6101 | V0015188 | I | Analysis Services Required Protection Level should be set to 1. | | | | SQL9 2005 Installation
DM6103 | V0015190 | II | Analysis Services Security Package List should be disabled if not required. | | | | SQL9 2005 Installation
DM6108 | V0015193 | II | The Analysis Services server role should be restricted to authorized users. | | | | SQL9 2005 Installation




DM6109 | V0015194 | II | Only authorized accounts should be assigned to one or more Analysis Services database roles. | | | | SQL9 2005 Installation
DM6120 | V0015199 | III | Reporting Services Web service requests and HTTP access should be disabled if not required. | | | | SQL9 2005 Installation
DM6121 | V0015205 | III | Reporting Services scheduled events and report delivery should be disabled if not required. | | | | SQL9 2005 Installation
DM6122 | V0015203 | II | Reporting Services Windows Integrated Security should be disabled. | | | | SQL9 2005 Installation
DM6123 | V0015202 | III | Use of Common Language Runtime objects should be disabled if not required. | | | | SQL9 2005 Installation
DM6126 | V0015206 | II | Only authorized XML Web Service endpoints should be configured on the server. | | | | SQL9 2005 Installation
DM6128 | V0015165 | II | Only authorized service broker endpoints should be configured on the server. | | | | SQL9 2005 Installation
DM6130 | V0015198 | II | The Web Assistant procedures configuration option should be disabled if not required. | | | | SQL9 2005 Installation
DM6140 | V0015197 | II | Dedicated accounts should be designated for SQL Server Agent proxies. | | | | SQL9 2005 Installation
DM6145 | V0015196 | II | Only authorized SQL Server proxies should be assigned access to subsystems. | | | | SQL9 2005 Installation
DM6150 | V0015201 | II | Cross database ownership chaining, if required, should be documented and authorized by the IAO. | | | | SQL9 2005 Installation
DM6155 | V0015187 | II | Linked server providers should not allow ad hoc access. | | | | SQL9 2005 Installation


DM6160 | V0015166 | II | Database Engine Ad Hoc distributed queries should be disabled. | | | | SQL9 2005 Installation
DM6175 | V0015159 | II | The Database Master Key encryption password should meet DoD password complexity requirements. | | | | SQL9 2005 Database
DM6179 | V0015161 | II | The Database Master Key should be encrypted by the Service Master Key where required. | | | | SQL9 2005 Database
DM6180 | V0015162 | II | Database Master Key passwords should not be stored in credentials within the database. | | | | SQL9 2005 Database
DM6183 | V0015168 | II | Symmetric keys should use a master key, certificate, or asymmetric key to encrypt the key. | | | | SQL9 2005 Database
DM6184 | V0015164 | II | Asymmetric keys should be derived from DoD PKI certificates. | | | | SQL9 2005 Database
DM6185 | V0015185 | II | Asymmetric private key encryption should use an authorized encryption type. | | | | SQL9 2005 Database
DM6188 | V0015177 | II | The Service Master Key should be backed up, stored offline and off site. | | | | SQL9 2005 Database
DM6189 | V0015167 | II | The data directory should specify a dedicated disk partition and restricted access. | | | | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DM6193 | V0015180 | II | Only authorized users should be granted access to Analysis Services data sources. | | | | SQL9 2005 Installation
DM6195 | V0015173 | II | Database TRUSTWORTHY status should be authorized and documented or set to off. | | | | SQL9 2005 Installation


DM6196 | V0015172 | II | Object permissions should not be assigned to PUBLIC or GUEST. | | | | SQL7 Database, SQL8 2000 Database, SQL9 2005 Database
DM6197 | V0015171 | II | Predefined roles should not be assigned to GUEST. | | | | SQL7 Database, SQL8 2000 Database
DM6198 | V0015210 | II | The Agent XPs option should be set to disabled if not required. | | | | SQL9 2005 Installation
DM6199 | V0015211 | II | The SMO and DMO SPs option should be set to disabled if not required. | | | | SQL9 2005 Installation




DNS0100 | V0013032 | II | A name server is not protected by equivalent or better physical access controls than the clients it supports. | | | |
DNS0110 | V0013034 | II | The DNS log archival requirements do not meet or exceed the log archival requirements of the operating system on which the DNS software resides. | | | |
DNS0115 | V0013035 | II | DNS logs are not reviewed daily, or a real-time log analysis or network management tool is not employed to immediately alert an administrator of critical DNS system messages. | | | |
DNS0120 | V0013036 | III | A list of personnel authorized to administer each zone and name server is not maintained. | | | |
DNS0125 | V0013314 | II | A zone or name server does not have a backup administrator. | | | |
DNS0130 | V0013037 | III | A patch and DNS software upgrade log, including the identity of the administrator and the date and time each patch or upgrade was implemented, is not maintained. | | | |
DNS0135 | V0013038 | II | Operating procedures do not require that DNS configuration, keys, zones, and resource record data are backed up on any day on which there are changes. | | | |
DNS0140 | V0013039 | II | Configuration change logs and justification for changes are not maintained. | | | |




DNS0145 | V0013040 | II | Written procedures for the replacement of cryptographic keys used to secure DNS transactions do not exist. | | | |
DNS0150 | V0013041 | II | The IAO has not established written procedures for the process of updating zone records, who is authorized to submit and approve update requests, how the DNS administrator verifies the identity of the person from whom he/she received the request, and how the DNS administrator documents any changes made. | | | |
DNS0160 | V0013050 | III | The DNS architecture is not documented to include specific roles for each DNS server, the security controls in place, and what networks are able to query each server. | | | |
DNS0170 | V0013313 | II | The underlying operating system of the DNS server is not in compliance with the appropriate OS STIG. | | | |
DNS0175 | V0013051 | I | The DNS server software is either installed on or enabled on an operating system that is no longer supported by the vendor. | | | |
DNS0185 | V0013053 | III | The contents of zones are not reviewed at least annually. | | | |
DNS0190 | V0013052 | III | The SA has not subscribed to ISC's mailing list "bind announce" for updates on vulnerabilities and software notifications. | | | |




DNS0200 V0013042 I   An authoritative master name server does not have at least one and preferably two or more active slave servers for each of its zones. The slave server does not reside on a separate host.
DNS0205 V0013043 I   Name servers authoritative for a zone are not located on separate network segments if the host records described in the zone are themselves located across more than one network segment.
DNS0210 V0013044 II  A zone includes hosts located in more than one building or site, yet at least one of the authoritative name servers supporting the zone is not as geographically and topologically distributed as the most remote host.
DNS0215 V0013045 III Private IP space is used within an Enclave without the use of split DNS to prevent private IPs from leaking into the public DNS system.




   Legend:
   R or RAE = Required Ancillary Equipment
   NF = Not a Finding
   NA = Not Applicable                                                       217 of 1257
    ____ Checklist _V_R_ (<date>)                                      <Test> - TN <Ticket Number>
  PDI    VMSID CAT              Requirement           Vulnerability   Status   Finding Notes Section
DNS0220 V0013046 III The DNS database administrator has not documented the owner of each zone (or group of related records) and the date the zone was created, last modified, or verified. This documentation will preferably reside in the zone file itself through comments, but if this is not feasible, the DNS database administrator will maintain a separate database for this purpose.
DNS0400 V0013047 II  The name server software on production name servers is not BIND, Windows 2000 or later DNS, or alternatives with equivalent security functionality, configured in a manner to satisfy the general security requirements listed in the STIG. The only currently approved alternative is CISCO CSS DNS.
DNS0402 V0014763 I   The name server software on production name servers is not BIND, Windows 2000 or later DNS, or alternatives with equivalent vendor support, configured in a manner to satisfy the general security requirements listed in the STIG. The only currently approved alternative is CISCO CSS DNS.




   Legend:
   R or RAE = Required Ancillary Equipment
   NF = Not a Finding
   NA = Not Applicable                                                           218 of 1257
   ____ Checklist _V_R_ (<date>)                                     <Test> - TN <Ticket Number>
  PDI    VMSID CAT            Requirement           Vulnerability   Status   Finding Notes Section
DNS0405 V0013048 II  Hosts outside an enclave can directly query or request a zone transfer from a name server that resides on the internal network (i.e., not in a DMZ).
EN540   V0004027 II  Servers do not employ Host Based Intrusion Detection (HIDS).
DNS0225 V0004467 III Record owners will validate their zones no less than annually. The DNS database administrator will remove all zone records that have not been validated in over a year.
DNS0230 V0004468 III Resource records for a host are included in a zone file although the host's fully qualified domain name resides in another zone. The exception is a glue record or CNAME record supporting a system migration.
DNS0235 V0004469 III Zone-spanning CNAME records that point to a zone with lesser security are active for more than six months.
DNS0240 V0004470 I   The DNS database administrator has not ensured each NS record in a zone file points to an active name server authoritative for the domain specified in that record.




   Legend:
   R or RAE = Required Ancillary Equipment
   NF = Not a Finding
   NA = Not Applicable                                                         219 of 1257
   ____ Checklist _V_R_ (<date>)                                          <Test> - TN <Ticket Number>
  PDI    VMSID CAT           Requirement                 Vulnerability   Status   Finding Notes Section
DNS0415 V0004473 II  DNS software does not run on dedicated (running only those services required for DNS) hardware. The only currently accepted exception to this requirement is Windows 2000/2003 DNS, which must run on a domain controller that is integrated with Active Directory services.
DNS0420 V0004475 II  Permissions on files containing DNS encryption keys are inadequate.
DNS0425 V0004476 II  Users and/or processes other than the DNS software account and/or the DNS database administrator have edit/write access to the zone database files.
DNS0430 V0004477 II  Users or processes other than the DNS software administrator and the DNS software account have read access to the DNS software configuration files and/or users other than the DNS software administrator have write access to these files.
DNS0435 V0004478 II  The name server's IP address is NOT statically defined and configured locally on the server. The name server has a DHCP address.
DNS0440 V0004479 II  An integrity checking tool is not installed or not monitoring for modifications to the root.hints and named.conf files.




   Legend:
   R or RAE = Required Ancillary Equipment
   NF = Not a Finding
   NA = Not Applicable                                                              220 of 1257
   ____ Checklist _V_R_ (<date>)                                         <Test> - TN <Ticket Number>
  PDI    VMSID CAT            Requirement               Vulnerability   Status   Finding Notes Section
DNS0450 V0004481 I   Dynamic updates are not cryptographically authenticated.
DNS0455 V0004482 I   The DNS software administrator will configure each master/slave server supporting a zone to cryptographically authenticate zone transfers.
DNS0460 V0004483 II  A zone master server does not limit zone transfers to a list of active slave name servers authoritative for that zone.
DNS0470 V0004485 II  A name server is not configured to only accept notifications of zone changes from a host authoritative for that zone.
DNS0475 V0004486 II  Recursion is not prohibited on an authoritative name server.
DNS0480 V0004487 II  A caching name server does not restrict recursive queries to only the IP addresses and IP address ranges of known supported clients.
DNS0482 V0012774 II  The forwarding configuration of DNS servers allows the forwarding of queries to servers controlled by organizations outside of the U.S. Government.
DNS0485 V0004488 I   The DNS software does not log, at a minimum, success and failure of starting and stopping of the name server service daemon, zone transfers, zone update notifications, and dynamic updates.




   Legend:
   R or RAE = Required Ancillary Equipment
   NF = Not a Finding
   NA = Not Applicable                                                             221 of 1257
   ____ Checklist _V_R_ (<date>)                                    <Test> - TN <Ticket Number>
  PDI    VMSID CAT          Requirement            Vulnerability   Status   Finding Notes Section
DNS0490 V0004489 II  The DNS software administrator has not configured the DNS software to send all log data to either the system logging facility (e.g., UNIX syslog or Windows Application Event Log) or an alternative logging facility with security configuration equivalent to or more restrictive than the system logging facility.
DNS0495 V0004490 III Entries in the name server logs do not contain timestamps and severity information.
DNS0500 V0004491 I   Valid root name servers do not appear in the local root zone file. G and H root servers, at a minimum, do not appear in the local root zone files.
DNS0505 V0004492 III The DNS software administrator has not removed the root hints file on an authoritative name server in order for it to resolve only those records for which it is authoritative, and ensure that all other queries are refused.
DNS4600 V0014756 III The DNS administrator will ensure non-routable IPv6 link-local scope addresses are not configured in any zone. Such addresses begin with the prefixes "FE8", "FE9", "FEA", or "FEB".
DNS4610 V0014757 III AAAA addresses are configured on a host that is not IPv6 aware.




   Legend:
   R or RAE = Required Ancillary Equipment
   NF = Not a Finding
   NA = Not Applicable                                                        222 of 1257
   ____ Checklist _V_R_ (<date>)                                          <Test> - TN <Ticket Number>
  PDI    VMSID CAT            Requirement                Vulnerability   Status   Finding Notes Section
DNS0250 V0012440 III A new TSIG key is not generated and utilized for each type of transaction. (STIG has "new" and VMS has "unique")
DNS0445 V0004480 II  A cryptographic key used to secure DNS transactions has been utilized on a name server for more than one year.
DNS0705 V0004493 III The DNS software administrator has not utilized at least 160-bit HMAC-SHA1 keys if available.
DNS0710 V0004494 II  A TSIG key is not in its own dedicated file.
DNS0715 V0004511 II  A BIND name server is not configured to accept control messages only when the control messages are cryptographically authenticated and sent from an explicitly defined list of DNS administrator workstations.
DNS0720 V0004495 II  A unique TSIG key is not utilized for communication between name servers sharing zone information.
DNS4620 V0014758 II  The DNS software administrator will ensure the named.conf options statement does not include the option "listen-on-v6 { any; };" when an IPv6 interface is not configured and enabled.
DNS4640 V0014759 III The DNS administrator, when implementing DNSSEC, will create and maintain separate key-pairs for key signing and zone signing.

DNS4650 V0014760 III The DNSSEC algorithm for digital signatures is not RSASHA1.
DNS4660 V0014761 III The DNSSEC key signing key is not at least 2048 bits.
DNS4670 V0014762 III The DNSSEC key signing key does not have a minimum roll over period of one year.
DNS4680 V0014764 III The DNSSEC zone signing key size is not at least 1024 bits.
DNS4690 V0014765 III The DNSSEC zone signing key minimum roll over period is not at least 60 days.
DNS4700 V0014766 I   The DNSSEC private key file is not owned by the DNS administrator or its permissions are not set to a minimum of 600.
DNS4710 V0014767 II  DNSSEC is not enabled for signing files between name servers with DNSSEC capabilities.
DNS4440 V0003617 III BIND is not configured to run as a dedicated non-privileged user account. BIND is running as a root user.
DNS4445 V0012967 III The SA has not configured BIND in a chroot(ed) directory structure.
DNS4450 V0003618 II  A UNIX or UNIX-based name server is running unnecessary daemon/services and/or is configured to start an unnecessary daemon, service, or program upon boot up.




   Legend:
   R or RAE = Required Ancillary Equipment
   NF = Not a Finding
   NA = Not Applicable                                                              224 of 1257
   ____ Checklist _V_R_ (<date>)                                            <Test> - TN <Ticket Number>
  PDI    VMSID CAT            Requirement                  Vulnerability   Status   Finding Notes Section
DNS4460 V0003619 III It is possible to obtain a command shell by logging on to the DNS user account.
DNS4470 V0003620 II  Permissions on critical UNIX name server files are not as restrictive as required.
DNS4480 V0012966 II  Inadequate file permissions on BIND name servers.
DNS4720 V0024996 I   DNS is using a statically configured source port.
DNS4730 V0024997 II  BIND recursive servers disable query randomization.
DNS4530 V0003621 II  ISC BIND is not configured to run as a dedicated non-privileged service user account.
DNS4540 V0003622 III The ISC BIND service user is a member of a group other than Everyone and Authenticated Users.
DNS4550 V0003623 III The ISC BIND service does not have the appropriate user rights required for the proper configuration and security of ISC BIND.
DNS4570 V0003624 II  The appropriate encryption software is not correctly installed and configured on Windows ISC BIND name servers and it is required that in-band remote management be performed from hosts outside the enclave in which the name server resides.
DNS4590 V0003626 II  The ownership and permissions on all Windows ISC BIND name servers are not as restrictive as required.




   Legend:
   R or RAE = Required Ancillary Equipment
   NF = Not a Finding
   NA = Not Applicable                                                                225 of 1257
   ____ Checklist _V_R_ (<date>)                                           <Test> - TN <Ticket Number>
  PDI    VMSID CAT           Requirement                  Vulnerability   Status   Finding Notes Section
DNS0260 V0012479 II  Computer accounts for DHCP servers are members of the DNSUpdateProxy group.
DNS0805 V0004501 I   The DHCP server service is not disabled on any Windows 2000/2003 DNS server that supports dynamic updates.
DNS0810 V0004502 I   Zone transfers are not prohibited or a VPN solution is not implemented that requires cryptographic authentication of communicating devices and is used exclusively by name servers authoritative for the zone.
DNS0815 V0004503 II  Forwarders on an authoritative Windows 2000/2003 DNS server are not disabled.
DNS0825 V0004505 I   WINS lookups are not prohibited on a Windows 2000/2003 DNS server.
DNS4580 V0003625 II  Shares other than the default administrative shares are enabled on a name server.
DNS4630 V0014768 II  The IPv6 protocol is installed and the server is only configured to respond to IPv4 A records.
DNS0900 V0004506 III The shared secret in the APP session(s) was not a randomly generated 32 character text string.




   Legend:
   R or RAE = Required Ancillary Equipment
   NF = Not a Finding
   NA = Not Applicable                                                               226 of 1257
   ____ Checklist _V_R_ (<date>)                                           <Test> - TN <Ticket Number>
  PDI    VMSID CAT            Requirement                 Vulnerability   Status   Finding Notes Section
DNS0905 V0004507 II  The Cisco CSS DNS is utilized to host the organization's authoritative records and DISA Computing Services does not support that host in its csd.disa.mil domain and associated high-availability server infrastructure.
DNS0910 V0004508 III Zones are delegated with the CSS DNS.
DNS0915 V0004512 I   CSS DNS does not cryptographically authenticate APP sessions.
DNS0920 V0004509 III The CSS DNS does not transmit APP session data over an out-of-band network if one is available.
DNS0925 V0004510 II  Forwarders are not disabled on the CSS DNS.
DNS0225 V0004467 III DNS database administrators with the assistance of record owners will validate the zone records annually. The DNS database administrator will remove all zone records that are not validated each year.
DNS0235 V0004469 III Zone-spanning CNAME records that point to a zone with lesser security are active for more than six months.




   Legend:
   R or RAE = Required Ancillary Equipment
   NF = Not a Finding
   NA = Not Applicable                                                               227 of 1257
   ____ Checklist _V_R_ (<date>)                                            <Test> - TN <Ticket Number>
   PDI    VMSID CAT          Requirement                    Vulnerability   Status   Finding Notes
APPNET0001 V0007022 II  The File IO permission allows an application to access system files directly.
APPNET0003 V0007023 II  The Isolated Storage permission is used to allow applications to store temporary data to a local user data store.
APPNET0004 V0007024 II  The User Interface Permission for windowing controls access to user interface windows.
APPNET0005 V0007025 II  The User Interface Permission for clipboard controls application access to clipboards used by the user or other applications.
APPNET0006 V0007026 II  The Reflection permission controls an application's discovery of other system resources and applications.
APPNET0007 V0007027 II  The Printing permission controls application access to system printing resources.
APPNET0008 V0007028 II  The DNS permission controls application access to DNS resources available to the host system.
APPNET0009 V0007029 II  The Socket Access permission controls application access to network ports defined on the host system.
APPNET0010 V0007030 II  The Web Access permission controls application access to HTTP requests to designated URLs or the configuration of HTTP settings.




   Legend:
   R or RAE = Required Ancillary Equipment
   NF = Not a Finding
   NA = Not Applicable                                                                228 of 1257
   ____ Checklist _V_R_ (<date>)                                            <Test> - TN <Ticket Number>
   PDI    VMSID CAT          Requirement                    Vulnerability   Status   Finding Notes
APPNET0011 V0007031 II  The Message Queue permission controls application access to communications across the network.
APPNET0012 V0007033 II  The Service Controller permission controls application access to the control of Windows services.
APPNET0013 V0007034 II  The Database permissions control application access to databases defined on the host system.
APPNET0014 V0007035 II  The Security permission Extend Infrastructure controls application access to message processing.
APPNET0015 V0007037 II  The Security permission Enable Remoting Configuration defines the communication channels available to an application.
APPNET0016 V0007038 II  The Security permission Enable Serialization Formatter controls access to serialized data. Serialized data is data formatted into a series of bits for storing or transmitting.
APPNET0017 V0007039 II  The Security permission Enable Thread Control is used to control application access to abort, suspend, or resume its threads.
APPNET0018 V0007040 II  The Security permission Allow Principal Control controls application access to Windows user information.




   Legend:
   R or RAE = Required Ancillary Equipment
   NF = Not a Finding
   NA = Not Applicable                                                                229 of 1257
   ____ Checklist _V_R_ (<date>)                                             <Test> - TN <Ticket Number>
   PDI    VMSID CAT           Requirement                    Vulnerability   Status   Finding Notes
APPNET0019 V0007041 II  The Security permission Enable Assembly Execution allows applications to execute.
APPNET0020 V0007042 II  The Security permission Skip Verification controls the execution of code that is verified as being type safe.
APPNET0021 V0007043 II  The Security permission Allow Calls to Unmanaged Assemblies controls application access to applications not managed by the .Net Framework.
APPNET0022 V0007044 II  The Security permission Allow Policy Control controls application access to its current security policy configuration.
APPNET0023 V0007045 II  The Security permission Allow Domain Policy Control defines application access to its own application domain security policy.
APPNET0024 V0007046 II  The Security permission Allow Evidence Control is used to control an application's access to supply or modify evidence used to determine access to system resources.
APPNET0025 V0007048 II  The Security permission Assert any Permission that Has Been Granted controls application access to permissions assigned to any code in the assembly that called it.




   Legend:
   R or RAE = Required Ancillary Equipment
   NF = Not a Finding
   NA = Not Applicable                                                                 230 of 1257
   ____ Checklist _V_R_ (<date>)                                  <Test> - TN <Ticket Number>
   PDI    VMSID CAT          Requirement          Vulnerability   Status   Finding Notes
APPNET0026 V0007049 II  The Performance Counter permission controls application access to system performance monitoring resources.
APPNET0027 V0007051 II  The Environment Variables permission controls application access to system environment variables and to other system resource names.
APPNET0028 V0007052 II  The Event Log permission controls application access to event log resources defined on the system.
APPNET0029 V0007053 II  The Registry permission controls application access to the Windows registry.
APPNET0030 V0007054 II  The Directory Services permission controls application access to the system Directory Service resources.
APPNET0031 V0007055 II  The Strong Name Membership Condition establishes the requirement for all code defined in the group to be configured with a Strong Name. Strong Name verification should not be omitted in a production environment.
APPNET0032 V0007056 II  The First Match Code Group is used to control the depth to which a branch of the code group tree is traversed when assigning membership to assemblies.
APPNET0033 V0007057 II   The File Code Groups and Net Code Groups are used to establish directory access and web site connections respectively by the application.
APPNET0035 V0007058 II   The Level Final Code Group Attribute prevents permission sets farther down in the Code Group hierarchy from being applied to the assembly.
APPNET0041 V0007059 II   The Zone Membership Condition determines policy level based on the URL zone of the application origin.
APPNET0045 V0007060 I    The use of the CAS policy can be enabled or disabled on the system.
APPNET0046 V0007061 II   The Windows system may be configured to allow use of certificates that are designated as being for test use.
APPNET0047 V0007062 II   The Windows system may be configured to check the application for use of expired certificates.
APPNET0048 V0007063 II   The Publisher Member Condition requires member code to be certified using certificates originating from a trusted source.
APPNET0049 V0007064 II   This checks the setting that determines whether certificates are checked for revocation status.
APPNET0050 V0007065 II   The settings reviewed in this check determine the handling of certificates with differing unknown statuses due to temporary unavailability of a certificate verification service. For example, certificate verification that is dependent on real-time access to a certificate status server could be unavailable due to a break in network communications.
APPNET0051 V0007066 II   This Windows setting determines whether the system requires certificates to be time stamped to verify the certificate is current.
APPNET0052 V0007067 II   The Strong Name Membership condition requires that member assemblies be defined with Strong Names.
APPNET0054 V0007068 III  The use of duplicate code group names within a level of the CAS policy can lead to mis-assignment of permissions.
APPNET0055 V0007069 II   CAS Policy and CAS Policy Configuration files are required for a complete system baseline and disaster recovery event.
APPNET0060 V0007070 II   The typefilterlevel="Full" attribute allows unfiltered code to access system resources.
APPNET0061 V0018395 II   Verify the installed .Net Frameworks are still supported by Microsoft.
   DoD Defense Red Switch Network Checklist (28 Mar 06)                      <Test> - TN <Ticket Number>
   PDI    VMSID CAT            Requirement                   Vulnerability   Status   Finding Notes
DRSN1001   V0004661 III  An IAO must be appointed in writing.
DRSN1002   V0004669 III  There must be a separation of duties between the Special Security Officer (SSO) and the Information Assurance Officer.
DRSN1003   V0004681 III  DRSN Collateral switch nodes must be located in an approved TS exclusion area.
DRSN1004            II   A facility housing DRSN end terminals or instruments must be certified and approved for operations at the highest classification of the instrument.
DRSN1005            III  No policy and/or procedure is defined and enforced that provides for inspection of unattended facilities upon entry and/or there is no procedure for providing granular documentation of the inspection and/or there are no defined reporting procedures for detected incidents.
DRSN1006            III  No means of detection or reporting of physical tampering has been provided for equipment cabinets and/or devices.
DRSN1007            III  The IAO must conduct and/or document self-inspections of the DRSN components at least semi-annually for security risks.
DRSN1008            II   Facilities housing DRSN switches and/or peripheral and OAM&P/NM systems have NO access controls or they are improperly used.
DRSN1009            II   There is no personnel security program defined, documented, and/or enforced.
DRSN1010            II   Personnel working on and in areas housing DRSN switches as well as peripheral and OAM&P/NM systems must possess a current security clearance appropriate to the area.
DRSN1011            II   Personnel physical access to facilities housing DRSN switches, peripheral, and OAM&P/NM systems must be properly controlled.
DRSN1012   V0004615 II   A non-disclosure agreement (NDA) required for access to classified information must be on file.
DRSN1014            II   All personnel supporting a DRSN switch must be briefed (or “read on”) regarding the security requirements relating to all missions supported by the switch.
DRSN1015   V0004660 III  Personnel accessing the DRSN must possess the appropriate need-to-know.
DRSN1016   V0004677 II   Visit Authorization Letters must be on file for contractor personnel.
DRSN1017            II   Contractor personnel performing hardware or software installation or maintenance must possess a verified individual clearance and need-to-know or are not escorted.
DRSN1018            II   Cleaning crews must be properly cleared for the area(s) to be cleaned and/or perform janitorial services during normal working hours.
DRSN1019   V0004676 II   Users must have their status and affiliation displayed as part of their e-mail address.
DRSN1020            II   Temporary Foreign/Local National personnel must be properly supervised or escorted.
DRSN1021            II   Foreign/Local National personnel hired by a base/post/camp/station for the purpose of operating or performing OAM&P / NM functions on DRSN switches and subsystems must be properly cleared.
DRSN1022            II   Foreign/Local National personnel must not have duties or access privileges that exceed those allowed by DoDI 8500.2 E3.4.8.
DRSN1023   V0004616 I    Foreign National access to DRSN must be approved in writing by the DoD Component Head IAW DoD, DOS, and DCI policies.
DRSN1024            I    DRSN terminals accessible by properly cleared non-U.S. citizens, authorized for unsupervised access, must be assigned “foreign-access” SALs.
DRSN1025            II   Allied or foreign national personnel authorized for unsupervised access to network terminals must be authorized in writing by the commander who is responsible for the network terminals.
DRSN1026   V0004668 III  Site personnel must receive the proper security training.
DRSN1027            II   Site personnel must receive the proper security training and/or be familiar with the documents located in the security library.
DRSN1028   V0004675 II   Authorized personnel must be assigned an appropriate ADP Access Level.
DRSN1029   V0004618 II   Personnel with IA responsibilities must be trained and certified.
DRSN1030            III  The IAO must maintain an up-to-date IA policy and information library.
DRSN1031            II   Users of classified communications systems must verify the clearance and need-to-know of the distant parties with whom they communicate.
DRSN1032            II   Personnel authorized uncontrolled access to the physical area in which classified communications systems are located must ensure only authorized persons access the equipment.
DRSN1033            I    Foreign nationals who are authorized for unsupervised access to classified communications systems located in U.S.-controlled areas must be properly cleared.
DRSN1035            II   A DRSN Approved Products List (APL) must be implemented/maintained and/or must test systems for IO and IA.
DRSN1036            II   A DRSN system in operation must be listed on the DRSN APL or in the process of being tested.
DRSN1037            III  All applicable STIGs and deployment limitations must be applied to installed systems.
DRSN1038            III  A DRSN system must be implemented as APL listed using the configuration that was approved and for the approved purpose.
DRSN1039            III  DSN/DRSN APL, NIAP CCEVS, and/or FIPS CMVP listing must be considered for products being considered for procurement, installation, or upgrade and connection to the DISN.
DRSN1040            I    Interfaces to DRSN RED switch must be properly approved by OSD, JS, and/or DRSN PMO as appropriate in accordance with CJCSI 6215.01B.
DRSN1041            III  Ongoing “compliance with all applicable STIGs and checklists” requirements and validation measures must be included in RFPs, specifications, and contracts for procured or leased systems or services.
DRSN1042            III  Support for C&A requirements must be included in RFPs, specifications, and contracts for procured systems.
DRSN1043            III  Vendor testing and approval of STIG or checklist or IAVM required security patches and other configuration changes must be included in RFPs, specifications, and contracts for support of procured systems.
DRSN1044            III  Commercially contracted (leased or procured) systems and services must comply with all applicable STIGs.
DRSN1045   V0004674 I    The local switch site must be accredited.
DRSN1046   V0004665 III  A formal system security baseline must exist.
DRSN1047            II   Security related SOPs must be established and followed.
DRSN1048   V0004666 II   A site specific SSAA must exist.
DRSN1049            II   Deviations from program directed or published standard system baseline security configurations must be approved.
DRSN1051            II   PMO must maintain overall site/system/network documentation and topology diagrams and must include all site level documentation.
DRSN1052            II   IAVM notices must be responded to within the time period specified within the notice.
DRSN1053            II   IAVMs must be addressed using RTS system vendor approved or provided patches.
DRSN1054            II   DRSN assets must be registered in a VMS and/or DISA owned assets are not registered in the DISA VMS.
DRSN1055            III  DRSN SAs must be registered in the DISA or similar VMS as the assets for which they are responsible are.
DRSN1056            III  Systems/devices must be IAVM compliant before connection to the network.
DRSN1057            II   The PMO has no or has a deficient configuration management process.
DRSN1058            II   DRSN IAO must be involved in the configuration management process and/or does not ensure adherence to the security requirements of the STIG(s).
DRSN1059            III  The NOCs and IAOs must be aware of the configuration management process and/or must adhere to the documented process.
DRSN1060            II   Testing procedures for all new or upgraded hardware and software have not been created and/or are not maintained.
DRSN1061            II   Site staff does not verify and/or record the identity of individuals installing or modifying a device or software.
DRSN1063            II   Public domain software products are in use.
DRSN1064            II   A standard software or OS release version must be tested and designated for use on all similar systems.
DRSN1065            II   All similar devices are NOT deployed or upgraded to the most current tested and certified software versions as directed by the PMO.
DRSN1066            II   The latest software loads and patches are NOT applied to all systems to take advantage of security enhancements.
DRSN1067            II   Installed maintenance and/or security patches are not tested and/or approved.
DRSN1068            II   System software has been upgraded to a major new software version that has NOT been tested, certified, and placed on the DSN/DRSN APL before installation.
DRSN1069            II   Baseline configurations for all similar systems and devices in the network are not tested, certified, identified, documented, and/or maintained by the PMO.
DRSN1070            III  The appropriate current / standard PMO approved baseline configuration is not used on all systems and devices.
DRSN1071            III  The current and previous device configurations are not “backed up” and/or are not stored in a secured location that is not collocated with the system/device.
DRSN1072            III  A network-addressing plan that addresses logical address grouping to enhance routing and flexibility has not been developed, documented, maintained, and/or enforced by the PMO.
DRSN1073            III  The current approved network addressing plan is not implemented.
DRSN1074            III  A naming convention for all network devices has not been developed, documented, maintained, and/or enforced.
DRSN1075            III  Network devices are not named in accordance with the documented and approved naming convention.
DRSN1076            III  The DNS names of network devices are not coordinated with the device names.
DRSN1077            II   No procedures are in place and/or followed that ensure the integrity of master copies of all operational software, operational backup files, audit information and current hardware/firmware configuration data.
DRSN1078            II   System configurations and data for all devices are not backed up at a minimum on a weekly basis and/or backups are not properly stored.
DRSN1079            III  A COOP/Disaster recovery plan has not been developed, documented, tested, periodically exercised, and/or maintained.
DRSN1080            III  No software upgrade/deployment procedure has been defined and/or it does not include testing and validation of the upgrade.
DRSN1081            III  Upgrade procedures are not referenced in change management documentation.
DRSN1082            II   Up-to-date back-up media is not available prior to software or configuration modification.
DRSN1083            III  Current operating and saved configurations are NOT synchronized locally within one hour of configuration changes.
DRSN1084            II   Configurations are not backed up to a different local system, or offline, one hour following software or configuration modification.
DRSN1085            I    DRSN links and trunks are NOT encrypted using NSA-approved cryptographic interface configurations approved by the PMO.
DRSN1086            I    Unencrypted DRSN lines, links, and trunks (i.e., those carrying classified red signals) are NOT protected by a PDS or SDS.
DRSN1088            I    Distribution System(s) (PDSs) are NOT inspected and/or certified as required, initially, periodically, and when modified, by the appropriate designated Certified TEMPEST Technical Authority (CTTA).
DRSN1089            I    COMSEC keying material is not properly handled or stored IAW NSTISSI 4010 and/or DoD component directives.
DRSN1090   V0004672 I    COMSEC material is not being stored in a GSA approved container.
DRSN1091            II   COMSEC Keying Material is not changed in accordance with the approved schedule.
DRSN1092            II   COMSEC Keying Materials are not properly managed.
DRSN1094            II   Encryption software used to protect sensitive information (not classified) is not Federal Information Processing Standard (FIPS) 140-2 validated.
DRSN1095   V0004680 I    Instruments located in local commanders' quarters operate at SCI level and are not limited to TS or Secret.
DRSN1096            I    DRSN information is not properly classified and/or handled IAW established policies.
DRSN1097   V0004683 II   Documents associated with DRSN switches are not properly classified and/or class marked (labeled).
DRSN1098   V0004685 II   Systems, devices, terminals, and/or storage devices are not properly marked with the highest security level of the information being stored, displayed, or processed.
DRSN1099            I    DRSN information is not properly classified and/or handled IAW established policies.
DRSN1101            II   No SOP exists or is followed that ensures all suspected or actual security compromises are properly reported to all appropriate authorities, investigated, and repaired IAW DRSN and national security policy.
DRSN2001            III  A DoD Voice/Video/RTS system or device is NOT configured in substantial compliance with all applicable STIGs or the appropriate STIGs have not been applied to the fullest extent possible.




DRSN2002              II Critical systems,
                         subsystems, and/or
                         components share the
                         general use data network.
DRSN2003              II Critical DRSN/RTS
                         servers/devices are not
                         dedicated to their main
                         purpose and contain
                         applications not required for
                         the critical operations.
DRSN2004             III Unused device connections
                         or physical ports on
                         backbone communications
                         devices such as routers,
                         ATM switches, and other
                         network elements, are not
                         disabled or removed.

DRSN2005              III   Unused network access
                            device connections or
                            physical ports are not
                            appropriately secured from
                            unauthorized use
DRSN2006              II    An unclassified speaker
                            system is improperly
                            designed/implemented such
                            that speakers located in
                            classified areas can pick up
                            classified conversations and
                            transmit them out of the
                            classified area.
DRSN2007              II    Voice/Video/RTS devices
                            located in SCIFs do not
                            prevent on-hook audio pick-
                            up and/or do not have a
                            speakerphone feature
                            disabled or are not
                            implemented in accordance
                            with DCID 6/9 or TSG
                            Standard 2.




DRSN2008             II A classified speaker system
                        is improperly
                        designed/implemented such
                        that speakers located in
                        classified areas can pick up
                        classified conversations and
                        transmit them, or broadcast
                        the carried classified
                        information out of the
                        classified area.
DRSN2009             II No policy for speakerphones
                        on classified systems

DRSN2010              II   A policy is NOT in place
                           and/or enforced regarding
                           the placement and use of
                           speakerphones connected to
                           secure telephone systems
                           (e.g., the DRSN) that are
                           located in SCIFs.
DRSN2011              I    A policy is NOT in place
                           and/or enforced regarding
                           the placement and use of
                           speakerphones connected to
                           secure telephone systems
                           (e.g., the DRSN) that are
                           located in SCIFs.
DRSN2101              II   The out-of-band or direct
                           connection method for
                           system device management
                           is not used.
DRSN2102              II   An OOB management
                           network is not dedicated to
                           device management.
DRSN2104              II   System management access
                           (in-band or OOB) does not
                           enforce DoD policy for role
                           based access, two-factor
                           authentication, encrypted
                           sessions, and/or auditing.




DRSN2105             II Network management traffic
                        and/or session login is NOT
                        encrypted, or is not using
                        FIPS 140-2 validated crypto
                        modules.
DRSN2106             II The use of in-band
                        management is NOT limited
                        to emergency situations,
                        and/or is not approved and
                        documented on a case by
                        case basis.
DRSN2107             II The use of in-band
                        management is NOT
                        restricted to a limited
                        number of authorized IP
                        addresses (10 or less).
DRSN2108             II Idle connections DO NOT
                        disconnect in 15 min.
DRSN2109             II The component is not
                        configured to be unavailable
                        for 60 seconds after 3
                        consecutive failed logon
                        attempts.
DRSN2110             II A Management network
                        DOES NOT comply with the
                        Enclave and/or Network
                        Infrastructure STIGs.

DRSN2111              I    Access to systems or
                           devices and/or management
                           networks is granted to non-
                           government employees or
                           contractors that is not
                           controlled or monitored.

DRSN2112              II   OOB management routers
                           and terminal servers DO
                           NOT limit the source of any
                           management connection to
                           authorized source addresses.




DRSN2113             II OOB management routers
                        and terminal servers DO
                        NOT maintain separation
                        between the management
                        and production networks.
DRSN2115              I Unapproved modems are
                        used against policy for
                        management of DRSN
                        switches, assets, and/or
                        communications devices.
DRSN2116             II Modems do not comply with
                        the requirements for user
                        authentication and access to
                        connected devices,
                        management access, and
                        encryption.
DRSN2117             II Modem authentication does
                        not use a separate
                        authentication server located
                        within the extended enclave
                        and/or encryption is not used.

DRSN2118              II   Modems are not physically
                           protected to prevent
                           unauthorized device
                           changes.
DRSN2119              II   A detailed listing of all
                           modems is not being
                           maintained.
DRSN2120              II   Unauthorized modems are
                           installed.
DRSN2121              II   Modem phone lines are not
                           restricted and configured to
                           their mission required
                           purpose (i.e. inward/outward
                           dial only).
DRSN2122              II   Modem phone lines are not
                           restricted to single-line
                           operation
DRSN2123              II   The option of Automatic
                           Number Identification (ANI)
                           is available but not being
                           used.
DRSN2125              I    SSH version 1, or version 1
                           compatibility mode is used

DRSN2126              II A vulnerable version of SSH
                         is in use
DRSN2127               I SNMP V1 or V2 has been
                         enabled on the network
                         infrastructure. SNMP V3 has
                         been enabled on the
                         network infrastructure
                         without the V3 User-based
                         Security Model
                         authentication and privacy.
DRSN2128              II A standard operating
                         procedure for SNMP
                         community string
                         management is not established
                         and/or maintained
DRSN2129             III Both privileged and non-
                         privileged SNMP modes are
                         used on all SNMP devices,
                         but different community
                         names are not used for read-
                         only access and read-write
                         access.
DRSN2130              II NM servers and/or NM
                         systems do not restrict
                         access to them from
                         authorized IP addresses
DRSN2131               I SNMP community strings
                         are not changed from the
                         default values.
DRSN2133              II The finger service is not
                         disabled
DRSN2134               I HTTP, and/or TELNET, is
                         not disabled or secured
DRSN2136              II TFTP usage is not justified
                         and/or documented
DRSN2138              II FTP username and
                         password are NOT
                         configured
DRSN2139              II Encryption protocols are
                         used to transmit traffic
                         directly to a host, but a
                         host-based intrusion
                         detection (HID) system is
                         not in use.


DRSN2140              II VPN traffic bypasses the
                         Network IDS
DRSN2150              II FTP user IDs do not expire
                         and/or passwords are not
                         changed every 90 days.
DRSN2151               I FTP or Telnet is used with a
                         userid (UID)/password that
                         has administrative or root
                         privileges.
DRSN2152             III “Anonymous” FTP is used
                         within the enclave.
DRSN2153               I Remote control software is
                         used to allow access to
                         systems, servers, or network
                         devices from non-DoD non-
                         secure networks outside the
                         enclave.
DRSN2154               I Unrestricted remote control
                         access to DoD systems,
                         servers, or network devices
                         is permitted or is in use.
DRSN2155              II Remote control software is
                         not properly secured and/or
</gr_replreplace>
<gr_replace lines="11186" cat="clarify" orig="does not use the strongest">
                         do not use the strongest
                         is not DAA approved
DRSN2157              II A properly worded Login
                         Banner is not used on all
                         management access ports
                         and/or OAM&P/NM
                         workstations.
DRSN2201               I Administrative/management
                         ports on a device or system
                         does not use the strongest
                         password method available
                         on the device

DRSN2202              II   Access to all management
                           system workstations and
                           administrative / management
                           ports is NOT remotely
                           authenticated




DRSN2204              III Strong two-factor
                          authentication is NOT used
                          to access all management
                          system workstations and
                          administrative / management
                          ports on all devices or
                          systems.
DRSN2205               I Default accounts/passwords,
                          and manufacturer backdoor
                          accounts have not been
                          removed or changed prior to
                          connection to the network.


DRSN2207 V0004658      II    Switch personnel are not
                             assigned individual userids
                             and passwords.
DRSN2208          II-III-IV Shared user/SA accounts
                            are used and not
                            documented.
DRSN2209               III Passwords must meet
                             complexity requirements.
DRSN2210                II The option to use passwords
                             that are randomly generated
                             by the DSN/DRSN
                             component is available but
                             not being used.

DRSN2211               II   Users/SAs are not required
                            to change their password
                            during their first session
                            logon or following a reset.
DRSN2212 V0004663      II   Passwords are not changed
                            every 90 days, after
                            departure of personnel, and
                            after suspected compromise.

DRSN2213               II   Users/SA are permitted to
                            change their passwords at
                            an interval of less than 24
                            hours without ISSO/IAO
                            intervention.




DRSN2214              III Password reuse/history is
                          not set to 8 or greater of the
                          previous passwords used.

DRSN2215               III   User/SA accounts are not
                             disabled after 35 days of
                             inactivity.
DRSN2216               II    A user's/SA's account is not
                             automatically disabled after
                             three notifications of
                             password expiration.
DRSN2217                I    User/SA passwords can be
                             retrieved and viewed in clear
                             text by another user/SA.

DRSN2218                I    Users'/SAs' passwords are
                             displayed in the clear when
                             logging into the
                             system/device.
DRSN2219               II    Passwords are viewable in
                             the clear in configuration
                             files viewable online or in
                             offline storage
DRSN2220                I    Password lists are not
                             encrypted when stored on
                             management workstations or
                             systems that manage device
                             login for a SA (single sign-on
                             systems etc) or on the
                             system/device itself

DRSN2221               II    All system administrative
                             and maintenance user
                             accounts are not
                             documented and/or stored in
                             a secure or controlled
                             manner (e.g., in a safe).
DRSN2222 V0004662      II    The ISSO/IAO has not
                             recorded the passwords of
                             high level users (ADMIN)
                             used on DSN/DRSN
                             components and stored
                             them in a secure or
                             controlled manner.


DRSN2223             II User names and passwords
                        must be encrypted when
                        logging into system devices
                        remotely across a network.

DRSN2225              II    Un-needed device
                            management accounts have
                            not been removed or
                            disabled.
DRSN2226              II    More than 2 emergency
                            accounts are configured on
                            a device.
DRSN2227              II    Local emergency usernames
                            and passwords are not
                            stored in a locked container
                            (safe) at the NOC or access
                            to the container is not
                            controlled and/or logged.

DRSN2228              II    Local emergency accounts
                            are used to access devices
                            under non emergency
                            conditions.
DRSN2229              II    Local emergency
                            management accounts are
                            not changed and
                            documented following use.
DRSN2230              II    A device is capable of
                            encrypting the local
                            emergency password,
                            however this feature is not
                            being used.
DRSN2231              II    Role-based DAC is not
                            employed or available.
DRSN2232              II    System administrative and
                            maintenance users are
                            assigned accounts with
                            privileges that are not
                            commensurate with their
                            assigned responsibilities.
DRSN2233              III   Unauthorized SAs have the
                            ability to access stored
                            configuration files




DRSN2234           III The option to restrict user
                       access based on duty hours
                       is available but is not being
                       utilized.
DRSN2235 V0004664   II An audit trail is not being
                       maintained for all access
                       requests to DRSN RED
                       switch operating information,
                       control functions, and
                       software.
DRSN2236            II System auditing does not
                       capture all events that are
                       required to be recorded
DRSN2237            II System auditing does not
                       capture all information
                       required to be recorded for
                       each event
DRSN2238           III A centralized audit server is
                       not used to collect audit
                       records from system and
                       network devices
DRSN2239           III The audit collection server is
                       not restricted by IP address
                       and can accept/poll devices
                       that are not within its scope.

DRSN2240               II   Audit data files and
                            directories are readable by
                            personnel NOT authorized
                            by the IAO.
DRSN2241               II   Audit logs are not
                            stored/archived per policy
                            (i.e., 90 days online and 9
                            months offline for a total of
                            12 months).
DRSN2242               II   Audit logs are not reviewed
                            daily or completely
DRSN2350               I    RED/BLACK isolation is not
                            maintained between red and
                            black switch nodes or their
                            management systems




DRSN2351 V0004682 I RED and BLACK distribution
                    systems do not maintain
                    required separation/isolation.

DRSN2352               I    RED switch network
                            originated audio is not
                            encrypted on an unclassified
                            network before the crypto
                            equipment enters secure
                            mode.
DRSN2353               I    The RED/BLACK mgmt.
                            LAN is not properly protected

DRSN2354               II   BLACK switch
                            implementations are not
                            approved in writing by the
                            local commander.
DRSN2358               I    DRSN consoles and/or
                            terminals do not maintain
                            RED/BLACK isolation.
DRSN2359 V0004684      I    There is no fail-safe design
                            of the red/black interface in
                            place to preclude switching
                            from operating in both black
                            and red modes
                            simultaneously.
DRSN2360               I    DRSN Console operator
                            intervention not implemented
                            per policy.
DRSN2361 V0004670      I    Switch subscriber terminals
                            are configured for automatic
                            answering.
DRSN2362               II   Interfaces configured for
                            auto-answer are not
                            approved by the appropriate
                            DAA and the DRSN PMO
                            and/or are not certified for IO
                            and IA under DoDI 8100.3.

DRSN2363               II   Speaker(s) or
                            speakerphone(s) are not
                            approved by all parties as
                            required.




DRSN2364           I External device(s) used with
                      a DRSN RED switch user
                      instrument is not configured
                      to operate at the security
                      level of its associated
                      terminal, and/or is not
                      approved by the appropriate
                      DAA.
DRSN2365 V0004678  I DRSN phones are enabled
                      when not under the
                      immediate control of cleared
                      personnel.
DRSN2366           I RED Switch must permit
                      instrument disablement
                      when appropriately cleared
                      personnel do not man them.

DRSN2367               I    Each DRSN Terminal does
                            not have a unique enable code.

DRSN2368 V0004673      I    DRSN terminal enable
                            codes are not changed
                            every 90 days, or when
                            there is a suspected
                            compromise, or when an
                            instrument and/or
                            Subscriber Directory
                            Number (SDN) is reassigned
                            to another user.
DRSN2369               I    Enable codes are not treated
                            as classified SECRET

DRSN2370 V0004673      I    Subscriber terminals do not
                            have labels affixed showing
                            highest security level
                            authorized for the instrument.

DRSN2372               II   Push-To-Talk (PTT) handsets
                            have been removed without
                            DAA approval and/or there is
                            no procedure for maintaining
                            the secure integrity of the
                            instrument.




DRSN2373            I    Participants of ongoing conferences established through DRSN RED Switches are NOT informed of a change in the classification, SCI character, or foreign access of the conference.
DRSN2375            II   Recording equipment is not approved by the DRSN PMO and/or, as applicable, by the DAA/INSCI if installed in a SCIF.
DRSN2376            II   No SOP for the handling of call or conference recordings exists and/or it is not followed to ensure their proper handling, storage, dissemination, and/or destruction.
DRSN2377            II   Recordings of calls and/or conferences are not handled per the SOP that details their proper handling, storage, dissemination, and/or destruction.
DRSN2383            I    A “Barge in Tone” and visual indication is not provided to all parties in a call when the security level of the call is downgraded or upgraded during normal calls or during call forwarding, call transfer, and when adding or deleting conferees to/from a conference call.
DRSN2384            I    DRSN RED switch terminals must display the proper classification level or SAL of the terminals with which they communicate.

  Legend:
  R or RAE = Required Ancillary Equipment
  NF = Not a Finding
  NA = Not Applicable                                                            258 of 1257
DRSN2385            I    A DRSN Terminal does not properly display the self-authenticating security level of the call or conference in progress, and/or does not properly display the identity data of the distant terminal or identify the network and/or equipment type associated with the distant party and/or when a conference call is in progress.
DRSN2371            I    Manual Override of Security Features is permitted and/or is not audited.
DRSN2386            II   A DRSN RED telephone that is enabled for Flash, Flash-Override, and Flash-Override-Override precedence is not documented as having Joint Staff approval.
DRSN2387            II   Documentation on SAL assignments for the DRSN switch and its access lines is not maintained and/or available for inspection.
DRSN2388            II   The approved and documented SAL assignments are not those implemented on the switch.
DRSN2389            II   A cryptographic interface that is in addition to the primary trunk interface has not been reported to the DRSN PMO and/or identified on the configuration listing of the accreditation package, and/or the documentation is not available for inspection.

DRSN2390            II   Insufficient quantity of cryptographic interfaces (STU-III/R, STE-R, etc.) per SAL, or SALs improperly assigned.
DRSN2400            II   A VoIP/VoSIP security architecture is missing or inadequate and/or does not comply with all applicable STIGs.
DRSN2401            II   WAN-based VoIP/VoSIP service core equipment is not in a dedicated enclave that can be protected.
DRSN2402            II   WAN-based VoIP/VoSIP service delivery is not redundant in core equipment or delivery circuits.
DRSN2403            II   A WAN-based VoIP/VoSIP service provider’s customer’s VoIP/VoSIP enclave is not properly implemented or protected.
DRSN2404            II   The WAN-based VoIP/VoSIP implementation does not utilize out-of-band management methods or networks.
DRSN2405            II   The VoIP/VoSIP implementation is not substantially compliant with all applicable OS and application STIGs.
DRSN2406            II   The VoIP/VoSIP implementation has not been tested and certified in compliance with DoDI 8100.3 requirements, and has not been placed on the DRSN APL.

DRSN2407            II   Inter-enclave VoIP/VoSIP communications are used as the primary C2 communications system.

   ____ Checklist _V_R_ (<date>)                                              <Test> - TN <Ticket Number>
   PDI     VMSID CAT            Requirement                   Vulnerability   Status   Finding Notes Section
DS00.0100  V0008527  III  There is no policy to ensure that changes to the directory schema are subject to a configuration management process.     AD, Generic
DS00.0110  V0008550  II   For a directory service used by e-mail components (server or client), the contractor abbreviation (ctr) or country code (for foreign nationals) is not maintained for the *DoD* e-mail address and display name attributes.     AD, Generic
DS00.0120  V0008316  I    Directory service data files do not have proper access permissions.     AD, Generic
DS00.0130  V0002370  I    Directory service data objects do not have proper access permissions.     AD, Generic
DS00.0140  V0004243  II   Directory service data objects do not have proper audit settings.     AD, Generic
DS00.0150  V0008322  II   A time synchronization tool is not implemented on the directory server.     AD, Generic
DS00.0151  V0008324  III  The time synchronization tool does not log changes to the time source.     AD, Generic
DS00.0160  V0002369  II   Directory data is not backed up on a daily or weekly basis.     AD, Generic

DS00.1100            III  Note: At this time there is a Common Criteria Protection Profile for directory products titled “US Government Directory Protection Profile For Medium Robustness Environments”. However, there are no products that have been evaluated for conformance to this Protection Profile. Therefore this check is not currently active.     Generic
DS00.1120  V0008530  III  Appropriate documentation is not maintained for each cross-directory authentication configuration.     AD, Generic
DS00.1130  V0014834  II   An encryption, signing, or other cryptographic algorithm used in a directory server application is not FIPS 140-2 validated.     Generic
DS00.1140  V0008522  II   A directory service implementation that spans enclave boundaries does not use a VPN to protect directory network traffic.     AD, Generic
DS00.1150  V0008320  II   Directory program or configuration files do not have proper access permissions.     AD, Generic
DS00.1155  V0014775  II   Directory server software files are not monitored for unauthorized modifications.     Generic
DS00.1160  V0014836  I    A non-vendor-supported directory server product release is in use.     Generic

DS00.1165  V0014776  II   A migration plan has not been developed to remove or upgrade a directory server product for which vendor security patch support is soon being or already has been dropped.     Generic
DS00.1170  V0014779  III  The directory server product is not documented in the CCB and C&A software inventory, or the inventory backup copy is not subject to adequate physical protections.     Generic
DS00.1180  V0008326  II   A directory server supporting (directly or indirectly) system access or resource authorization is not running on a machine dedicated to that function. The same host is running an application such as a database server, e-mail server, e-mail client, web server, or DHCP server.     AD, Generic
DS00.1190  V0008317  II   The directory server data files are located on the same logical partition as data files owned by users.     AD, Generic
DS00.2100  V0014838  II   The directory server is not configured for, or is not capable of, supporting version 3 of the LDAP protocol.     AD, Generic
DS00.2110  V0014813  II   Passwords used with or stored in the directory do not adhere to complexity requirements for length or composition according to the parameters of the DoD policy currently in effect.     Generic

DS00.2115  V0014814  II   Passwords used with or stored in the directory do not expire, or a history of previously used passwords is not kept according to the parameters of the DoD policy currently in effect.     Generic
DS00.2120  V0014815  I    Factory-set, default, or standard passwords are defined in the directory.     Generic
DS00.2121  V0014805  III  Factory-set, default, or standard accounts or groups that could be renamed or removed are defined in the directory.     Generic
DS00.2130  V0014816  I    Passwords stored in the directory are not encrypted.     Generic
DS00.2140  V0014820  I    PKI certificates used in a directory service are not issued by the DoD PKI or an approved External Certificate Authority (ECA).     AD, Generic
DS00.3130  V0014798  I    Directory data (outside the root DSE) of a non-public directory can be read through anonymous access.     AD, Generic
DS00.3131  V0014797  III  The root DSE of a non-public directory can be read through anonymous access.     Generic
DS00.3140  V0014799  I    Update access to the directory schema is not restricted to appropriate accounts.     Generic
DS00.3150  V0014807  III  The number of accounts is excessive, or documentation does not exist for the accounts that are assigned proxy authorization permission.     Generic
DS00.3170  V0014800  III  Tools are not installed to support reviewing audit data from a directory server.     Generic

DS00.3175  V0014790  III  Audit data from a directory server is not backed up at least weekly on external media or on a system other than where the server executes.     Generic
DS00.3180  V0014791  III  Audit data from a directory server is not retained for at least one year.     Generic
DS00.3185  V0014804  II   Directory server audit data files do not have proper access permissions.     Generic
DS00.3190  V0014810  II   The number of accounts is excessive, or documentation does not exist for the accounts that are members of locally defined privileged groups in the directory.     Generic
DS00.3200  V0008549  II   Accounts from another directory are members of privileged groups, and the other directory is not under the control of the same organization or subject to the same security policies.     AD, Generic
DS00.3210  V0008344  I    An account used to execute the directory server or a directory service process is a member of a privileged group on the OS or is assigned administrative privileges, and the level of privilege assigned exceeds what is needed.     Generic
DS00.3220  V0014808  II   An account used for a directory server or process application is not dedicated to that function.     Generic

DS00.3230  V0008553  II   Replication is not enabled to occur at least daily for a directory service in which identification, authentication, or authorization data is replicated.     AD, Generic
DS00.3240  V0014839  II   Available options of the directory server are not configured to enforce the referential integrity of identification, authentication, and authorization data.     Generic
DS00.3250  V0014812  II   Accounts are not locked out after multiple, consecutive, unsuccessful logon (bind) attempts according to the parameters of the DoD policy currently in effect.     Generic
DS00.3260  V0008327  II   OS services that are critical for the directory server are not configured for automatic startup.     AD, Generic
DS00.3270  V0014780  III  There is no policy to ensure that code that is not vendor-provided and is used in a directory server implementation that updates identification, authentication, or authorization data is subject to a configuration management process.     AD, Generic
DS00.3280  V0014782  II   A directory service implementation that transfers replication data over wireless or non-DoD networks does not use encryption to protect the network traffic.     Generic

DS00.3281  V0014783  II   A directory service implementation at a classified confidentiality level that transfers replication data through a network cleared to a lower level than the data, or that includes SAMI data, does not use separate, NSA-approved cryptography.     AD, Generic
DS00.3290  V0014828  II   Directory administration sessions over a network are not encrypted.     Generic
DS00.3300  V0014824  II   A replication implementation does not include authentication of the source *and* target directory servers (mutual authentication).     Generic
DS00.3310  V0014809  II   An account used for directory replication is not dedicated to that function.     Generic
DS00.3320  V0014826  I    The password of the replication account is not encrypted in transit.     Generic
DS00.3330  V0014822  II   Directory administration does not include authentication of the target directory server *and* administration client (mutual authentication).     Generic
DS00.3340  V0014823  II   Directory updates performed under proxy credentials do not include authentication of the target directory server *and* proxy client (mutual authentication).     Generic
DS00.3350  V0014794  III  A directory server that utilizes PKI certificates does not perform certificate validation that includes CRL or OCSP checking.     Generic

DS00.3360  V0014830  III  A directory service implementation does not use data signing or other methods to ensure the integrity of directory administration and replication traffic over a network.     Generic
DS00.3370  V0014831  III  The directory server does not have a default to terminate LDAP network connections that have been inactive five (5) minutes or more.     AD, Generic
DS00.3375  V0014795  III  Accounts are defined with inactivity timeout values higher than five (5) minutes, and the accounts are not listed in local documentation.     Generic
DS00.4100  V0014785  III  Privileged remote access to a directory server is not implemented through a managed access control point and with increased session security mechanisms.     Generic
DS00.4110  V0014786  III  Sessions for privileged remote access to a directory server are not logged, or the logs are not reviewed at least weekly.     Generic
DS00.4120  V0014787  III  Non-privileged remote access to a directory server is not implemented through a managed access control point.     Generic
DS00.4130  V0014788  II   Remote access to a directory server is not encrypted.     Generic
DS00.4140  V0008523  II   The VPN used to protect directory network traffic does not support visibility to an IDS.     AD, Generic

DS00.6110  V0014789  III  Code used in a directory service implementation that is not vendor-provided is not backed up periodically.     AD, Generic
DS00.6120  V0008525  III  Disaster recovery plans do not include sufficient directory service architecture information, such as hierarchy and replication structure.     AD, Generic
DS00.6130  V0014793  III  Disaster recovery plans do not include identification of software products used in directory server operations.     Generic
DS00.6140  V0008524  II   Only one directory server supports a directory service.     AD, Generic
DS00.7100  V0008526  III  Cross-directory authentication configurations have not been evaluated with respect to possible INFOCON procedures.     AD, Generic
DS00.7110  V0014777  II   Security-related patches for directory server products are not applied, or the application status is not documented.     Generic
DS05.0100            III  Note: At this time there is no Common Criteria Protection Profile for directory synchronization products. Therefore this check is not currently active.     Generic
DS05.0110            III  Note: At this time there is no Common Criteria Protection Profile for directory synchronization products. Therefore this check is not currently active.     Generic

   Legend:
   R or RAE = Required Ancillary Equipment
   NF = Not a Finding
   NA = Not Applicable                                                                  270 of 1257
   ____ Checklist _V_R_ (<date>)                                              <Test> - TN <Ticket Number>
PDI | VMSID | CAT | Requirement | Vulnerability | Status | Finding Notes | Section
DS05.0120 | V0011782 | II | An encryption, signing, or other cryptographic algorithm used in a directory synchronization application is not FIPS 140-2 validated. | | | | Generic
DS05.0130 | V0011760 | II | A synchronization implementation that spans enclave boundaries and uses LDAP or HTTP protocol does not use a VPN to protect the network traffic. | | | | Generic
DS05.0140 | V0011761 | II | A synchronization implementation that spans enclave boundaries and uses LDAPS or HTTPS protocol does not use a DoDI 8551.1-compliant solution to protect the network traffic. | | | | Generic
DS05.0150 | V0011787 | II | Directory synchronization program or configuration files do not have proper access permissions. | | | | Generic
DS05.0155 | V0014772 | II | Synchronization application software files are not monitored for unauthorized modifications. | | | | Generic
DS05.0160 | V0011784 | I | A non-vendor supported directory synchronization product is in use. | | | | Generic
DS05.0170 | V0011762 | II | A migration plan has not been developed to remove or upgrade a synchronization product for which vendor security patch support is soon being or already has been dropped. | | | | Generic
DS05.0180 | V0011763 | III | A synchronization product used in routine, scheduled operations is not documented in the CCB and C&A software inventory or the inventory backup copy is not subject to adequate physical protections. | | | | Generic
DS05.0190 | V0011785 | II | Public domain software is used to perform directory synchronization operations. | | | | Generic
DS05.0200 | V0011786 | III | The source code for a directory synchronization application is located in the same directory as data that is input to or output from the application. | | | | Generic
DS05.0210 | V0011764 | I | A password used in the execution of a synchronization implementation is embedded in a script or stored in an unencrypted file. | | | | Generic
DS05.0220 | V0011783 | II | PKI certificates used in a directory synchronization application are not issued by the DoD PKI or an approved External Certificate Authority (ECA). | | | | Generic
DS05.0230 | V0011788 | I | Directory synchronization data files do not have proper access permissions. | | | | Generic
DS05.0240 | V0011789 | II | A directory synchronization data file that contains a substantial aggregate of the directory data for an entire geographic command is not encrypted. | | | | Generic
DS05.0250 | V0011790 | II | A directory synchronization application is not configured to collect audit data. | | | | Generic
DS05.0260 | V0011791 | III | Tools are not installed to support reviewing audit data from a directory synchronization application. | | | | Generic
DS05.0270 | V0011765 | III | Audit data from a synchronization implementation is not backed up at least weekly on external media or on a system other than where the implementation executes. | | | | Generic
DS05.0280 | V0011766 | III | Audit data from a synchronization implementation is not retained for at least one year. | | | | Generic
DS05.0290 | V0011792 | II | Directory synchronization audit data files do not have proper access permissions. | | | | Generic
DS05.0320 | V0011767 | III | There is no policy to ensure that code that is not vendor-provided and is used in a synchronization implementation that updates security principal accounts is subject to a configuration management process. | | | | Generic
DS05.0330 | V0011769 | II | A synchronization implementation that transfers data over wireless or non-DoD networks does not use encryption to protect the network traffic. | | | | Generic
DS05.0331 | V0014773 | II | A synchronization implementation at a classified confidentiality level, that transfers data through a network cleared to a lower level than the synchronization data or transfers SAMI data, does not use separate, NSA-approved cryptography. | | | | Generic
DS05.0340 | V0011771 | II | A synchronization implementation that transfers a substantial aggregate of the directory data for an entire geographic command does not use encryption to protect the network traffic. | | | | Generic
DS05.0350 | V0011772 | III | A synchronization product that utilizes PKI certificates does not perform certificate validation that includes CRL or OCSP checking. | | | | Generic
DS05.0360 | V0011770 | III | A synchronization implementation does not use data signing or other methods to ensure the integrity of directory data network traffic. | | | | Generic
DS05.0370 | V0011773 | II | A synchronization implementation does not perform authentication of the synchronization client *and* target directory server (mutual authentication). | | | | Generic
DS05.0380 | V0011774 | II | Privileged remote access to a synchronization implementation is not implemented through a managed access control point and with increased session security mechanisms. | | | | Generic
DS05.0390 | V0011775 | II | Sessions for privileged remote access to a synchronization implementation are not logged or the logs are not reviewed at least weekly. | | | | Generic
DS05.0400 | V0011776 | III | Non-privileged remote access to a synchronization implementation is not implemented through a managed access control point. | | | | Generic
DS05.0410 | V0011777 | II | Remote access to a synchronization implementation is not encrypted. | | | | Generic
DS05.0420 | V0011778 | II | Physical access to a host used in routine, scheduled synchronization operations is not restricted to authorized personnel. | | | | Generic
DS05.0430 | V0011779 | II | Production data from routine, scheduled synchronization operations is not backed up periodically. | | | | Generic
DS05.0440 | V0011768 | III | Code used in a synchronization implementation that is not vendor-provided is not backed up periodically. | | | | Generic
DS05.0450 | V0011780 | III | Disaster recovery plans do not include identification of products used in routine, scheduled synchronization operations. | | | | Generic
DS05.0460 | V0011781 | II | Security related patches for synchronization products are not applied or the application status is not documented. | | | | Generic
DS10.0150 | V0008303 | II | The Directory Services Restore Mode (DSRM) password does not meet complexity standards. | | | | AD
DS10.0151 | V0008310 | II | There is no policy to ensure that the DSRM password is changed often enough. | | | | AD
DS10.0160 | V0008551 | III | An AD domain that has no Windows NT domain controllers is at a domain functional level that allows the addition of new Windows NT domain controllers. | | | | AD
DS10.0170 | V0008533 | II | An external, forest, or realm AD trust relationship is defined where access requirements do not support the need. | | | | AD
DS10.0180 | V0008534 | I | An external, forest, or realm AD trust relationship is defined between systems at different classification levels. | | | | AD
DS10.0181 | V0008536 | I | An external, forest, or realm AD trust relationship is defined between a DoD system and a non-DoD system without explicit approval of the DAA and appropriate documentation of the external network connection(s). | | | | AD
DS10.0190 | V0008538 | II | An outgoing external or forest trust is configured without SID filtering. | | | | AD
DS10.0200 | V0008540 | II | An outgoing forest trust is configured without Selective Authentication. | | | | AD
DS10.0210 | V0012780 | I | The Synchronize Directory Service Data user right has been assigned to an account. | | | | AD
DS10.0220 | V0008547 | II | The Pre-Windows 2000 Compatible Access group includes the Everyone or Anonymous Logon groups. | | | | AD
DS10.0230 | V0008555 | II | The dsHeuristics option is not configured to prevent anonymous access to AD. | | | | AD
DS10.0240 | V0008548 | II | The number of accounts is excessive or documentation does not exist for the accounts that are members of the Domain Admins, Enterprise Admins, Schema Admins, Group Policy Creator Owners, or Incoming Forest Trust Builders groups. | | | | AD
DS10.0260 | V0008521 | II | The number of accounts is excessive or documentation does not exist for the accounts that have been delegated AD object ownership or update permissions and are *not* members of Windows built-in administrative groups. | | | | AD
DS10.0295 | V0008557 | II | The domain controller holding the forest authoritative time source is not configured to use a DoD-authorized external time source. | | | | AD
DS10.0310 | V0008313 | II | Physical access to the AD forest root FSMO domain controllers is not restricted to specifically authorized personnel. | | | | AD
DS10.0320 | V0008311 | II | The offline copy of the DSRM password is not subject to adequate physical protections. | | | | AD
DS10.9100 | V0012778 | III | The AD domain and forest in which the domain controller resides have not been reviewed for vulnerabilities. | | | | AD
PDI | VMSID | CAT | Requirement | Vulnerability | Status | Finding Notes
DSN01.01 | V0007921 | III | The IAO does not conduct and document self-inspections of the DSN components at least semi-annually for security risks. | Denial of Service (DoS), loss of confidentiality, and unauthorized access may occur if self-inspections of the DSN components are not conducted. | |
DSN01.02 | V0007922 | III | The site's telephone switch is not frequently monitored for changing calling patterns and system uses for possible security concerns. | Theft of services, misuse of services, degradation of services provided by the system, and unauthorized access may occur if effective monitoring procedures are not in place, conducted, and audited. | |
DSN01.03 | V0007923 | II | The ISSO/IAO does not ensure that administration and maintenance personnel have proper access to the facilities, functions, commands, and calling privileges required to perform their job. | The inability to properly maintain and troubleshoot the system may result if this requirement is not met. | |
DSN02.01 | V0007924 | III | DSN systems are not registered in the DISA VMS. | The DoD voice system may not be protected as required and may be vulnerable to attack or loss of availability due to a multitude of OS and application vulnerabilities. | |
DSN02.02 | V0007925 | III | System Administrators (SAs) responsible for DSN information systems are not registered with the DISA VMS. | The DoD voice system may not be protected as required and may be vulnerable to attack or loss of availability due to a multitude of OS and application vulnerabilities. | |
DSN02.03 | V0007926 | II | The ISSO/IAO and ISSM/IAM, in coordination with the SA, will be responsible for ensuring that all IAVM notices are responded to within the specified time period. | The telecommunication system may be left vulnerable to issues outlined within respective IAVAs. | |
DSN02.04 | V0008338 | II | IAVMs are not addressed using RTS system vendor approved or provided patches. | Patches that have not been approved can break features or disable the system entirely. | |
DSN02.05 | V0008339 | III | DoD voice/video/RTS information system assets and vulnerabilities are not tracked and managed using any vulnerability management system as required by DoD policy. | Vulnerabilities that are not tracked and managed under some sort of management system may allow for repeat and untreated vulnerabilities, resulting in severe system degradation. | |
DSN03.01 | V0008340 | III | A DoD Voice/Video/RTS system or device is NOT configured in compliance with all applicable STIGs or the appropriate STIGs have not been applied to the fullest extent possible. | A DoS, loss of confidentiality, and unauthorized access, to name a few examples, may occur if the STIG requirements are not met to the fullest extent possible. | |
DSN03.02 | V0008341 | III | The purchase / maintenance contract, or specification, for the Voice/Video/RTS system under review does not contain verbiage requiring compliance and validation measures for all applicable STIGs. | Denial of Service (DoS), loss of confidentiality, and unauthorized access may occur if STIG guidance is not adhered to. | |
DSN03.03 | V0008342 | III | The DAA, IAM, IAO, or SA for the system DOES NOT enforce contract requirements for STIG compliance and validation. | The possibility to certify and accredit the system, operate it legally, or connect it to another DoD system may be the result. | |
DSN03.04 | V0008345 | II | A Voice/Video/RTS system is in operation but is not listed on the DSN APL nor is it in the process of being tested. | The possibility to certify and accredit the system, operate it legally, or connect it to another DoD system may be the result. | |
DSN03.05 | V0008346 | III | A Voice/Video/RTS system or device is NOT installed according to the deployment restrictions and/or mitigations contained in the IA test report, Certifying Authority's recommendation and/or DSAWG approval documentation. | The possibility to certify and accredit the system, operate it legally, or connect it to another DoD system may be the result. | |
DSN03.06 | V0008347 | III | A Voice/Video/RTS system or device is NOT installed in the same configuration and being used for the same purpose that was tested for prior to DSAWG approval and DSN APL listing. | The possibility to certify and accredit the system, operate it legally, or connect it to another DoD system may be the result. | |
DSN03.07 | V0008348 | III | The requirement of DSN APL listing is not being considered during the procurement, installation, connection, or upgrade to the site's Voice/Video/RTS infrastructure. | The possibility to certify and accredit the system, operate it legally, or connect it to another DoD system may be the result. | |
DSN04.01 | V0007930 | II | Switch administration, ADIMSS, or other Network Management terminals are not located on a dedicated LAN. | A system not on a dedicated LAN may be exposed to unnecessary IP network vulnerabilities. | |
DSN04.02 | V0007931 | II | Network Management routers located at switch sites are not configured to provide IP and packet level filtering/protection. | Denial of Service (DoS), degradation of service, loss of confidentiality, and unauthorized access may occur. | |
DSN04.03 V0007932     II    Administration terminals are    Denial of Service
                            used for other day-to-day       (DoS), degradation
                            functions (e.g., email, web     of service, loss of
                            browsing, etc.).                confidentiality, and
                                                            unauthorized
                                                            access may occur.


DSN04.04 V0007933     II    Switch Administration           Denial of Service
                            terminals do not connect        (DoS), degradation
                            directly to the switch          of service, loss of
                            administration port or          confidentiality, and
                            connect via a controlled,       unauthorized
                            dedicated, out of band          access may occur.
                            network used for switch
                            administration support.
DSN04.05 V0007934     III   Attendant console ports are     This type of access
                            available to unauthorized       to unauthorized
                            users by not allowing any       users or
                            instrument other than the       subscribers can
                            Attendant console to            result in disruption
                            connect to the Attendant        of call processing,
                            console port.                   calls monitored, or
                                                            unauthorized class
                                                            of service.


DSN04.06 V0007935     III   The ISSO/IAO has not            The inability to
                            established Standard            effectively maintain
                            Operating Procedures.           the network or
                                                            voice service while
                                                            applying security
                                                            policy and
                                                            vulnerability
                                                            mitigation may
                                                            exist.

DSN04.07 V0008545     II    OAM&P / NM and CTI              Denial of Service
                            networks are NOT dedicated      (DoS), degradation
                            to the system that they serve   of service, loss of
                            in accordance with their        confidentiality, and
                            separate DSN APL                unauthorized
                            certifications.                 access may occur.




DSN04.08 V0008544     II    An OAM&P / NM and CTI           Protection from
                            network/LAN is connected to     external sources is
                            the local general use (base)    forgone, resulting in
                            LAN without appropriate         Denial of Service
                            boundary protection.            (DoS), degradation
                                                            of service, loss of
                                                            confidentiality, and
                                                            unauthorized
                                                            access.

DSN04.09 V0008542     II   An OAM&P / NM and CTI          Denial of Service
                           network/LAN is connected to    (DoS), degradation
                           the local general use (base)   of service, loss of
                           LAN without appropriate        confidentiality, and
                           boundary protection.           unauthorized
                                                          access may occur.


DSN04.10 V0008541     II   An OAM&P / NM or CTI           Denial of Service
                           network DOES NOT comply        (DoS), degradation
                           with the Enclave and/or        of service, loss of
                           Network Infrastructure         confidentiality, and
                           STIGs.                         unauthorized
                                                          access may occur.


DSN05.01 V0007936     II   Applicable security            The inability to
                           packages have not been         properly secure the
                           installed on the system.       system, leaving it
                                                          vulnerable to
                                                          attack.




DSN06.01 V0007937 II The IAO DOES NOT ensure                Unauthorized
                     that all temporary                     access and
                     Foreign/Local National                 disclosure of
                     personnel given access to              official or classified
                     DSN switches and                       information may
                     subsystems for the purpose             result if this
                     of installation and                    requirement is not
                     maintenance, are controlled            met.
                     and provided direct
                     supervision and oversight
                     (e.g., escort) by a
                     knowledgeable and
                     appropriately cleared U.S.
                     citizen.
DSN06.02 V0008519 II Foreign/Local National                 Unauthorized
                     personnel hired by a                   access and
                     base/post/camp/station for             disclosure of
                     the purpose of operating or            official or classified
                     performing OAM&P / NM                  information may
                     functions on DSN switches              result if this
                     and subsystems have not                requirement is not
                     been vetted through the                met.
                     normal process for providing
                     SA clearance as dictated by
                     the local Status of Forces
                     Agreement (SOFA).

DSN06.03 V0008520     II    Foreign/Local National          Unauthorized
                            personnel have duties or        access and
                            access privileges that          disclosure of
                            exceed those allowed by         official or classified
                            DODI 8500.2 E3.4.8.             information may
                                                            result if this
                                                            requirement is not
                                                            met.

DSN06.04 V0007940     III   The option to restrict user     Unauthorized
                            access based on duty hours      access to the
                            is available but is not being   system outside of
                            utilized.                       duty hours
                                                            provides the
                                                            opportunity for
                                                            misuse or system
                                                            abuse.


DSN06.05 V0008558 II System administrative and              Denial of Service
                     maintenance users are                  (DoS), degradation
                     assigned accounts with                 of service, loss of
                     privileges that are not                confidentiality, and
                     commensurate with their                unauthorized
                     assigned responsibilities.             access may occur.


DSN06.06 V0008556     III   All system administrative       Denial of Service
                            and maintenance user            (DoS), degradation
                            accounts are not                of service, loss of
                            documented.                     confidentiality, and
                                                            unauthorized
                                                            access may occur.


DSN06.07 V0008554     III   The available option of         Denial of Service
                            Command classes or              (DoS), degradation
                            command screening is NOT        of service, loss of
                            being used to limit system      confidentiality, and
                            privileges                      unauthorized
                                                            access may occur.


DSN07.01 V0007941     III   The Direct Inward System        If this feature is not
                            Access feature and/or           controlled, risk of
                            access to Voice Mail is not     unauthorized
                            controlled by either class of   access to the DSN
                            service, special                could result in call
                            authorization code, or PIN.     fraud and abuse.


DSN07.02 V0007942     III   Direct Inward System            If the special
                            Access and Voice Mail           access code is not
                            access codes are not            changed
                            changed semi-annually.          periodically, the
                                                            service is more
                                                            likely to be
                                                            compromised, thus
                                                            degrading system
                                                            access security.




DSN07.03 V0007943     III   Personal Identification         If the PIN is not
                            Numbers (PINs) assigned to      changed
                            special subscribers used to     periodically, the
                            control Direct Inward System    service is more
                            Access and Voice Mail           likely to be
                            services are not being          compromised, thus
                            controlled like passwords       degrading system
                            and deactivated when no         access security.
                            longer required.
DSN07.04 V0007944     III   Privilege authorization,        This can lead to
                            Direct Inward System            call fraud and
                            Access and/or Voice Mail        abuse, and access
                            special authorization codes     control to the
                            or individually assigned        system may be lost.
                            PINs are not changed when
                            compromised.

DSN08.01 V0007945     III   Equipment, cabling, and        The result could be
                            terminations that provide      Denial of Service
                            emergency life safety          (DoS) to the
                            services such as 911 (or       system.
                            European 112) services
                            and/or emergency
                            evacuation paging systems
                            are NOT clearly identified
                            and marked.
DSN08.02 V0008537     III   There is no system installed    Reduced
                            that can provide emergency      awareness by site
                            life safety or security         personnel of
                            announcements.                  potentially life-
                                                            threatening
                                                            situations or
                                                            security breaches
                                                            if a security
                                                            announcement
                                                            system is not
                                                            installed.




DSN08.03 V0008539 II A policy is NOT in place             The unauthorized
                     and/or NOT enforced                  access to
                     regarding the use of                 classified
                     unclassified telephone/RTS           information for
                     instruments located in areas         which the recipient
                     or rooms where classified            does not either
                     meetings, conversations, or          have the proper
                     work normally occur.                 clearance or need-
                                                          to-know may be
                                                          the result.
DSN08.04 V0008543     II    Voice/Video/RTS devices         Unauthorized
                            located in SCIFs do not         access to
                            prevent on-hook audio           classified
                            pick-up and/or do not have      information for
                            the speakerphone feature        which the recipient
                            disabled, or are not            has neither the
                            implemented in accordance       proper clearance
                            with DCID 6/9 or TSG            nor need-to-know
                            Standard 2.                     may be the result.
DSN09.01 V0007946     III   SS7 links are not clearly       The potential for
                            identified and routed           inadvertent Denial
                            separately from termination     of Service (DoS) or
                            point to termination point.     degradation of
                                                            service may be the
                                                            result.
DSN09.02 V0007947     III   The SS7 termination blocks      The potential for
                            are not clearly identified at   inadvertent Denial
                            the MDF.                        of Service (DoS) or
                                                            degradation of
                                                            service may be the
                                                            result.
DSN09.03 V0007948     III   Power cabling that serves       The potential for
                            SS7 equipment is not            inadvertent Denial
                            diversely routed to separate    of Service (DoS) or
                            Power Distribution Frames       degradation of
                            (PDF) and identified.           service may be the
                                                            result.
DSN09.04 V0007949     III   Power cabling that serves       The potential for
                            SS7 equipment is not clearly    inadvertent Denial
                            identified at both the          of Service (DoS) or
                            termination point and at the    degradation of
                            fusing position.                service may be the
                                                            result.


DSN09.05 V0007950     II    Links within the SS7            The potential for
                            network are not encrypted.      inadvertent Denial
                                                            of Service (DoS),
                                                            degradation of
                                                            service, and
                                                            unauthorized
                                                            access may be the
                                                            result.
DSN10.02 V0007952     II    A DoD VoIP system, device,      The potential for
                            or network is NOT               inadvertent Denial
                            configured in compliance        of Service (DoS),
                            with all applicable STIGs, or   degradation of
                            the appropriate STIGs have      service, and
                            not been applied to the         unauthorized
                            fullest extent possible.        access may be the
                                                            result.
DSN11.01 V0007953     II    Transport circuits are not      The potential for
                            encrypted.                      inadvertent Denial
                                                            of Service (DoS),
                                                            man-in-the-middle,
                                                            degradation of
                                                            service, and
                                                            unauthorized
                                                            access may be the
                                                            result.

DSN11.02 V0007954     III   Physical access to           Physical access to
                            commercial Add/Drop          systems by
                            Multiplexers (ADMs) is not   unauthorized
                            restricted.                  personnel leaves
                                                         the system
                                                         components
                                                         vulnerable to a
                                                         multitude of
                                                         attacks and
                                                         accidental de-
                                                         activation or
                                                         disconnection.




DSN12.01 V0007955     III   The ISSO/IAO does not           Site personnel
                            maintain a library of security  cannot easily
                            documentation.                  access security-
                                                            related information
                                                            or stay aware of
                                                            policy and
                                                            vulnerabilities,
                                                            leaving a security
                                                            awareness
                                                            deficiency.
DSN13.01 V0007956     II   Users are not required to     Default passwords
                           change their password         used over the long-
                           during their first session.   term may allow for
                                                         unauthorized
                                                         system and
                                                         network access, or
                                                         subject to
                                                         disclosure through
                                                         password cracking
                                                         tools.

DSN13.02 V0007957      I   Default passwords and user    Default passwords
                           names have not been           used over the long-
                           changed.                      term may allow for
                                                         unauthorized
                                                         system and
                                                         network access, or
                                                         subject to
                                                         disclosure through
                                                         password cracking
                                                         tools.

DSN13.03 V0007958     II   Shared user accounts are      The potential for
                           used and not documented       inadvertent Denial
                           by the ISSO/IAO.              of Service (DoS),
                                                         degradation of
                                                         service, and
                                                         unauthorized
                                                         access may be the
                                                         result.




DSN13.04 V0007959 III The option to disable user          The potential for
                      accounts after 30 days of           inadvertent Denial
                      inactivity is not being used.       of Service (DoS),
                                                          degradation of
                                                          service, and
                                                          unauthorized
                                                          access may be the
                                                          result.
DSN13.05 V0007960      I    Management access points      Unprotected
                            (i.e.                         account provides
                            administrative/maintenance    access to anyone
                            ports, system access, etc.)   who knows the
                            are not protected by          user account name.
                            requiring a valid username
                            and a valid password for
                            access.
DSN13.06 V0007961     III   Passwords do not meet           If passwords do not
                            complexity requirements.        meet the DoD
                                                            complexity
                                                            requirement, or no
                                                            password is set at
                                                            all, the system
                                                            may be open to DoS,
                                                            degradation of
                                                            service, loss of
                                                            confidentiality, and
                                                            unauthorized
                                                            access.
DSN13.07 V0007962     II    Maximum password age          Passwords that do
                            does not meet minimum         not change, or
                            requirements.                 remain the same
                                                          for an extended
                                                          period of time, are
                                                          more subject to
                                                          password cracking
                                                          tools.
DSN13.08 V0007963     II    Users are permitted to          Permitting
                            change their passwords at       passwords to be
                            an interval of less than 24     changed in
                            hours without ISSO/IAO          immediate
                            intervention.                   succession within
                                                            24 hours allows
                                                            users to cycle
                                                            through their
                                                            password history.

DSN13.09 V0007964     III   The password reuse (history)    Passwords that do
                            limit is not set to 8 or        not change, or
                            greater.                        remain the same
                                                            for an extended
                                                            period of time, are
                                                            more subject to
                                                            password cracking
                                                            tools and potential
                                                            compromise of the
                                                            system.
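The DSN13.01, DSN13.04, DSN13.07, DSN13.08 and DSN13.09 rows describe settings an assessor reads off a component and compares with fixed thresholds; the following is an added example (not part of the checklist or any vendor's tooling) that does that comparison for a constructed set of settings and then simulates the history-cycling weakness DSN13.08 warns about, showing how a 24-hour minimum age turns "defeat the history in one sitting" into "wait nine days". The checklist does not state the maximum-age limit for DSN13.07, so the 60-day figure is an assumption; the sample settings, the `PasswordSettings` fields and the `PasswordStore` model are likewise constructed for illustration.

```python
"""Added example: audit a DSN component's password settings against the
DSN13 rows above and simulate the history-cycling weakness behind DSN13.08.
All sample settings are constructed for this example."""
from dataclasses import dataclass
from typing import List, Optional

# Values taken from the checklist rows: DSN13.04 (30 idle days), DSN13.08
# (24-hour minimum age) and DSN13.09 (history of 8 or greater).
INACTIVITY_DAYS = 30
MIN_AGE_HOURS = 24
HISTORY_DEPTH = 8
# The page says only "maximum password age does not meet minimum
# requirements"; 60 days is an assumed limit used for illustration.
MAX_AGE_LIMIT_DAYS = 60


@dataclass
class PasswordSettings:
    change_on_first_login: bool
    inactivity_disable_days: Optional[int]  # None: option not used (DSN13.04)
    max_age_days: Optional[int]             # None: passwords never expire
    min_age_hours: int                      # 0: users may change immediately
    history_depth: int                      # number of old passwords remembered


def audit(s: PasswordSettings) -> List[str]:
    """Return the PDI identifiers that would be open findings for `s`."""
    findings = []
    if not s.change_on_first_login:
        findings.append("DSN13.01")
    if s.inactivity_disable_days is None or s.inactivity_disable_days > INACTIVITY_DAYS:
        findings.append("DSN13.04")
    if s.max_age_days is None or s.max_age_days > MAX_AGE_LIMIT_DAYS:
        findings.append("DSN13.07")
    if s.min_age_hours < MIN_AGE_HOURS:
        findings.append("DSN13.08")
    if s.history_depth < HISTORY_DEPTH:
        findings.append("DSN13.09")
    return findings


class PasswordStore:
    """Minimal model of a component enforcing minimum age and history."""

    def __init__(self, history_depth: int, min_age_hours: int):
        self.depth = history_depth
        self.min_age = min_age_hours
        self.history: List[str] = []      # oldest first; last entry is current
        self.last_change: Optional[int] = None

    def change(self, new_password: str, now_hours: int) -> Optional[str]:
        """Apply a change; return None on success or the rejection reason."""
        if self.last_change is not None and now_hours - self.last_change < self.min_age:
            return "minimum age not reached"
        if new_password in self.history[-self.depth:]:
            return "password found in history"
        self.history.append(new_password)
        self.last_change = now_hours
        return None


ORIGINAL = "Original-Pa55word!"  # constructed value


def earliest_reuse_hours(history_depth: int, min_age_hours: int,
                         horizon_hours: int = 24 * 365) -> Optional[int]:
    """Hours a user needs to get back to ORIGINAL by burning through throwaway
    passwords; 0 means the history check can be defeated in one sitting."""
    store = PasswordStore(history_depth, min_age_hours)
    store.change(ORIGINAL, 0)
    counter = 0
    for now in range(horizon_hours + 1):
        while True:
            if store.change(ORIGINAL, now) is None:
                return now
            counter += 1
            if store.change(f"throwaway-{counter}", now) is not None:
                break  # minimum age blocks further changes this hour
    return None


# Constructed sample configurations.
WEAK = PasswordSettings(change_on_first_login=False, inactivity_disable_days=None,
                        max_age_days=None, min_age_hours=0, history_depth=3)
COMPLIANT = PasswordSettings(change_on_first_login=True, inactivity_disable_days=30,
                             max_age_days=60, min_age_hours=24, history_depth=8)

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("compliant", COMPLIANT)):
        print(f"{name}: findings {audit(cfg) or 'none'}")
    for depth, age in ((8, 0), (8, 24)):
        print(f"history {depth}, min age {age}h: original reusable after "
              f"{earliest_reuse_hours(depth, age)} hours")
```

With a history of 8 and no minimum age the original password is back in use at hour 0; with the 24-hour minimum age the same history needs 216 hours (nine days) of deliberate changes, which is the point of pairing DSN13.08 with DSN13.09 rather than relying on either alone.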

DSN13.10 V0007966     II    User passwords can be         Passwords in the
                            retrieved and viewed in clear clear will be
                            text by another user.         compromised,
                                                          resulting in the
                                                          potential for
                                                          malicious system
                                                          and network
                                                          activity.
DSN13.11 V0007967     II    User passwords are            Passwords in the
                            displayed in the clear when clear will be
                            logging into the system.      compromised,
                                                          resulting in the
                                                          potential for
                                                          malicious system
                                                          and network
                                                          activity.
DSN13.12 V0007968     III   The option to use passwords User defined
                            that are randomly generated passwords have
                            by the DSN component is       the potential to be
                            available but not being used. guessed.


DSN13.13 V0007969     II    The system is not configured    Systems that do
                            to disable a user's account     not prompt users
                            after three notifications of    for a password
                            password expiration.            change, or lock
                                                            users out after
                                                            three failed
                                                            attempts, are
                                                            vulnerable to
                                                            password cracking.




DSN13.14 V0007965     II    The ISSO/IAO has not            Without a securely
                            recorded the passwords of       stored record, a
                            high level users (ADMIN)        lost administrator
                            used on DSN components          password requires
                            and stored them in a secure     time-consuming
                            or controlled manner.           password recovery
                                                            techniques and may
                                                            deny administrator
                                                            access.

DSN13.15 V0007970     II    Crash-restart vulnerabilities   System integrity,
                            are present on the DSN          DoS, loss of
                            system component.               confidentiality, and
                                                            system
                                                            compromise may
                                                            result if no
                                                            measure is in place
                                                            to move the system
                                                            away from default
                                                            settings after a
                                                            crash and restart.

DSN13.16 V0008560     II   Access to all management        Loss of
                           system workstations and         management
                           administrative / management     control, system
                           ports is NOT remotely           abuse, Denial of
                           authenticated                   Service (DoS),
                                                           degradation of
                                                           service, system
                                                           compromise, and
                                                           unauthorized
                                                           access may occur.

DSN13.17 V0008559     II   Strong two-factor               Loss of
                           authentication is NOT used      management
                           to access all management        control and system
                           system workstations and         abuse may occur if
                           administrative / management     two-factor
                           ports on all devices or         authentication is
                           systems                         not used
                                                           throughout the
                                                           system.

DSN14.01 | V0007971 | II | The DSN system component is not installed in a controlled space with visitor access controls applied. | Loss of management control, system abuse, Denial of Service (DoS), degradation of service, system compromise, and unauthorized access may occur. | |
DSN14.02 | V0007972 | II | Documented procedures do not exist that will prepare for a suspected compromise of a DSN component. | Denial of Service (DoS) due to the inability to quickly recover from the compromise. | |
DSN15.01 | V0007973 | II | Audit records are NOT stored in an unalterable file and can be accessed by individuals not authorized to analyze switch access activity. | The inability to take administrative action or prosecute for inappropriate actions or system abuse may be the result. | |


DSN15.02 | V0007974 | II | Audit records do not record the identity of each person and terminal device having access to switch software or databases. | By not recording security events the auditing process is degraded, and unauthorized system activity may go unreported. | |
DSN15.03 | V0007975 | II | Audit records do not record the time of the access. | By not recording relevant security events the auditing process is degraded, and unauthorized system activity may go unreported. | |

DSN15.04 | V0007976 | II | The auditing records do not record activities that may change, bypass, or negate safeguards built into the software. | By not recording relevant security events the auditing process is degraded, and unauthorized system activity may go unreported. | |
DSN15.05 | V0007977 | II | Audit record archive and storage do not meet minimum requirements. | By not archiving relevant security events the auditing process is degraded, and unauthorized system activity may go unreported. | |
DSN15.06 | V0007978 | II | Audit records are not being reviewed by the ISSO/IAO weekly. | By not archiving relevant security events the auditing process is degraded, and unauthorized system activity may go unreported. | |
DSN15.07 | V0008546 | II | The auditing process DOES NOT record security relevant actions such as the changing of security levels or categories of information. | By not recording relevant security events the auditing process is degraded, and unauthorized system activity may go unreported. | |

DSN16.01 | V0007979 | II | An Information Systems Security Officer/Information Assurance Officer (ISSO/IAO) is not designated for each telecommunications switching system or DSN Site. | No, or inadequate, oversight of and concern for security issues relating to the telecommunications switching system or DSN site will result if this requirement is not met. | |
DSN16.02 | V0007980 | II | Site personnel have not received the proper security training and/or are not familiar with the documents located in the security library. | The system may be left vulnerable due to ignorance of policy, procedures, and threats to the system. | |
DSN16.03 | V0007981 | III | The ISSO/IAO does not maintain a DSN Personnel Security Certification letter on file for each person involved in DSN A/NM duties. | Denial of Service (DoS), and unauthorized access to network or voice system resources or the services they contain may result if this requirement is not met. | |
DSN16.04 | V0007982 | II | System administrators are NOT appropriately cleared. | If physical and administrative access to systems is not confirmed and controlled, this may result in unauthorized access or compromise. | |

DSN17.01 | V0007983 | II | Site staff does not verify and record the identity of individuals installing or modifying a device or software. | Denial of Service (DoS), and unauthorized access to network or voice system resources or the services they contain may result if this requirement is not met. | |
DSN17.02 | V0007984 | II | System images are not being backed up on a weekly basis to the local system and a copy is not being stored on a removable storage device and/or is not being stored off site. | Denial of Service (DoS), or degradation of service may occur if systems operations cannot be restored quickly. | |
DSN17.03 | V0007985 | II | Site staff does not ensure backup media is available and up to date prior to software modification. | Denial of Service (DoS), or degradation of service may occur if systems operations cannot be restored quickly. | |
DSN17.04 | V0008531 | II | The latest software loads and patches are NOT applied to all systems to take advantage of security enhancements. | Denial of Service (DoS), degradation of service, loss of confidentiality, and unauthorized access may occur. | |

DSN17.05 | V0008532 | II | Maintenance and security patches are NOT approved by the local DAA prior to installation in the system. | Denial of Service (DoS), degradation of service, loss of confidentiality, and unauthorized access may occur if system operations are not restored quickly, or are based on untested code. | |
DSN17.06 | V0008535 | II | Major software version upgrades have NOT been tested, certified, and placed on the DSN APL before installation. | Denial of Service (DoS), degradation of service, loss of confidentiality, and unauthorized access may occur if system operations are not restored quickly, or are based on untested code. | |
DSN18.01 | V0007986 | II | Modems are not physically protected to prevent unauthorized device changes. | Failure to control physical access to modems could result in modem settings being changed to allow unauthorized access to DSN system components. | |
DSN18.02 | V0007987 | II | A detailed listing of all modems is not being maintained. | The potential for non-approved modems may be present if a listing is not maintained. | |

DSN18.03 | V0007988 | II | Unauthorized modems are installed. | Denial of Service (DoS), degradation of service, loss of confidentiality, and unauthorized access may occur. | |
DSN18.04 | V0007989 | II | Modem phone lines are not restricted and configured to their mission required purpose (i.e. inward/outward dial only). | An attacker may use special features to forward modem or voice calls to destinations that cause toll fraud, or forward the number to itself causing a denial of service. | |
DSN18.05 | V0007990 | II | Modem phone lines are not restricted to single-line operation. | By restricting modem phone lines to single-line operation, the risk of unauthorized access is limited by preventing the added functions of a multi-line from being used by an unauthorized person to gain access. | |
DSN18.06 | V0007991 | III | The option of Automatic Number Identification (ANI) is available but not being used. | Without number logs, auditing for unauthorized accesses and toll fraud becomes increasingly difficult. | |

DSN18.07 | V0007992 | II | Authentication is not required for every session requested. | Without authentication, unauthorized access or sessions may be granted. | |
DSN18.08 | V0007993 | III | The option to use the callback feature for remote access is not being used. | Security authentication may be degraded, and remote unmanned sites could be abused. | |
DSN18.09 | V0007994 | III | FIPS 140-2 validated link encryption mechanisms are not being used to provide end-to-end security of all data streams entering the remote access port of a telephone switch. | Denial of Service (DoS), degradation of service, loss of confidentiality, and unauthorized access may occur. | |
DSN18.10 | V0007995 | III | The option to use two-factor authentication when accessing remote access ports is not being used. | Unauthorized persons may be able to access DSN components. | |
DSN18.11 | V0007996 | II | Administrative/maintenance ports are not being controlled by deactivating or physically disconnecting remote access devices when not in use. | Denial of Service (DoS), degradation of service, loss of confidentiality, and unauthorized access may occur. | |
DSN18.12 | V0007997 | II | Idle connections DO NOT disconnect in 15 min. | Critical and sensitive system areas may not be protected from exposure to unauthorized personnel with physical access to an unattended administration or maintenance terminal. | |

DSN18.13 | V0007998 | II | The DSN component is not configured to be unavailable for 60 seconds after 3 consecutive failed logon attempts. | If the time that the port is unavailable is substantially greater than 60 seconds, DoS could result by maliciously attempting logins on all ports. | |
DSN18.14 | V0007999 | II | Serial management/maintenance ports are not configured to force out or drop any interrupted user session. | A management port may be available with an active session that might allow unauthorized use by someone other than the authenticated user. | |
DSN18.15 | V0008518 | II | An OOB Management DOES NOT comply with the Enclave and/or Network Infrastructure STIGs. | Denial of Service (DoS), degradation of service, loss of confidentiality, and unauthorized access may occur. | |
DSN18.16 | V0008517 | II | OOB management networks are NOT dedicated to management of like or associated systems. | Unauthorized access to the managed systems or to the sensitive management traffic may result if the requirement is not met. | |

DSN18.17 | V0008516 | II | Network management/maintenance ports are not configured to force out or drop any user session that is interrupted for more than 15 seconds. | A management or maintenance port may be available with an active session that might allow unauthorized use by someone other than the authenticated user. | |
DSN19.01 | V0008000 | II | A properly worded Login Banner is not used on all system/device management access ports and/or OAM&P/NM workstations. | Having no banner forgoes the possibility of giving any possible intruders who may want to access the system a definitive warning that certain activities are illegal, while simultaneously advising the authorized and legitimate users of their obligations relating to acceptable use of the computerized or networked environment. | |
DSN20.01 | V0008515 | I | A SMU component is not installed in a controlled space with visitor access controls applied. | Physical access to systems by unauthorized personnel leaves the system components vulnerable to a multitude of attacks and accidental deactivation or disconnection. | |

DSN20.02 | V0008514 | III | The SMU ADIMSS connection is NOT dedicated to the ADIMSS network. | Denial of Service (DoS), degradation of service, loss of confidentiality, and unauthorized access may occur. | |
DSN20.03 | V0008513 | II | The ADIMSS server connected to the SMU is NOT dedicated to ADIMSS functions. | Denial of Service (DoS), degradation of service, loss of confidentiality, and unauthorized access to the ADIMSS network may occur. | |
DSN20.04 | V0008512 | II | The SMU management port or management workstations are improperly connected to a network that is not dedicated to management of the SMU. | Denial of Service (DoS), degradation of service, loss of confidentiality, and unauthorized access may occur. | |

EN005 | V0016162 | II | PKI usage and implementation is not compliant with DoD Instruction 8520.02, Public Key Infrastructure (PKI) and Public Key (PK) Enabling, 1 April 2004. | | |
EN010 | V0003914 | II | Enclave assets and/or systems that support enclave protection are not registered with an IAVM tracking mechanism (e.g., Vulnerability Management System (VMS) and AVTR). | | |
EN020 | V0003915 | III | System Administrators (SAs) are not responsible for critical assets or are not registered with a vulnerability management tracking system and therefore are not aware of critical patch releases or vulnerabilities. | | |
EN030 | V0003916 | II | IAVM notices are not responded to within the specified period of time. | | |
EN040 | V0003917 | II | Security related patches have not been applied to all systems. | | |
EN041 | V0004712 | II | A documented security patch management process is not in place or cannot be validated. | | |
EN042 | V0004713 | III | Workstations do not use an automated patch distribution process from a trusted site or secure source (i.e., tools such as Windows Update Services (WUS), scripts, Tivoli, etc.) to distribute and apply security related patches. | | |




EN043        V0007572  III  Patch testing is not performed, prior to deployment, in a nonproduction environment.
EN050        V0003920  II   INFOCON procedures are not followed in accordance with Strategic Command Directive SD 527-1, 27 January 2006.
EN070        V0014264  III  Supplemental SA INFOCON procedures are not available as required.
EN080        V0003922  III  IA or IA enabled products do not meet the minimum EAL and robustness level requirements as established by the Designated Approving Authority (DAA).
EN090        V0003923  III  The acquisition of IA or IA-enabled products does not meet the requirements as set forth by NSTISSP 11 and the DODI 8500.2.
EN100        V0003924  III  Enclave assets are not assigned a Mission Assurance Category (MAC) or not assigned the correct MAC.
EN270        V0004001  II   Low assurance/risky (red port) PPS traffic is allowed through a virtual private network (VPN) without addressing the risk to the other enclaves and is not approved by the DAA.
EN280        V0014265  III  Exceptions to the minimum Enclave requirements have not been approved by the appropriate authority.

EN290        V0014266  II   An external intrusion detection system (IDS) is not present at the enclave perimeter as directed by the Computer Network Defense Service Provider (CNDSP).
EN300        V0004004  II   The external NID is not under the operational control of the CNDSP and is not located outside of a local firewall.
EN360        V0004010  III  Permitted IPs and ports, protocols and services are not documented.
EN430        V0004016  II   The DNS server and architecture are not configured in accordance with the DNS STIG.
EN440        V0004017  I    Privileged level user remote access is not encrypted.
EN460        V0004019  III  Content security checking is not employed for email, ftp, or http data.
EN465        V0014276  II   A policy and procedure is not in place to monitor all virus alerts (to include desktop clients) and/or reporting of any malicious activity to appropriate personnel is not being accomplished.
EN480        V0004021  II   A policy is not in place to ensure a DMZ is established within the Enclave Security Architecture to host any remotely or publicly accessible system.
EN540        V0004027  II   Servers do not employ Host Based Intrusion Detection (HIDS).

EN550        V0004122  III  The SA is not responding to initial real time HIDS alarms and does not perform analysis of reports.
EN560        V0004123  II   Significant events are not reported to the site's Computer Network Defense Service Provider (CNDSP) and/or auditing requirements are not met in accordance with the DoDI 8500.2.
EN610        V0004128  III  Local policies have not been developed to ensure information posted to the Internet/Intranet is reviewed by a duly appointed PAO or authorized content reviewer for sensitive information.
EN620        V0004129  II   The web servers are not configured in accordance with the Web Server STIG.
EN670        V0004134  I    Classified or sensitive information is transmitted over unapproved communications systems or non-DOD systems.
EN680        V0004135  I    Anonymous mail redirection/relay is not blocked.
EN690        V0014278  II   Email systems are not configured to block attachments IAW the NSA guide to Email Security in the Wake of Recent Malicious Code Incidents.
EN710        V0004138  III  DOD policy on mobile code is not being followed.
EN730        V0004139  II   The Database Management System (DBMS) is not secured in accordance with the Database STIG.

EN735        V0004756  II   Wireless Local Area Networks (LANs) and/or devices are not secured in accordance with the Wireless STIG.
EN795        V0014305  II   Annual assessments are not being performed in accordance with DoD 8500.2.
EN800        V0014283  III  The site does not coordinate access for the SIPRNet PMO to perform random assessments within the Enclave.
EN805        V0004755  II   The application infrastructure is not in compliance with the Application Security and Development and Application Services STIGs.
EN890        V0015748  I    FTP and/or telnet from outside the enclave into the enclave is permitted, without applying the appropriate security requirements.
EN900        V0015749  II   FTP user IDs do not expire and/or passwords are not changed every 90 days.
EN910        V0015750  I    FTP or Telnet is used with a userid (UID)/password that has administrative or root privileges.
EN920        V0015751  III  An anonymous FTP connection within the enclave is established.
ENCTO-0712   V0016161  II   The site is not in compliance with the JTF-GNO issued CTO-07-12, Deployment of the Host Based Security System.
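Two of the enclave items above, EN360 (permitted IPs, ports, protocols and services are not documented) and EN890 (FTP and/or telnet from outside the enclave is permitted), can be checked from the boundary device's ruleset rather than from interviews. The script below is an added example for this scorecard, not part of the template or of any DISA tool: it parses iptables-save style INPUT rules, reconciles every ACCEPT against the site's documented PPS list for EN360, and flags FTP or Telnet permitted inbound from outside the enclave's own address space for EN890. The rule lines, the documented PPS set, the enclave address ranges and the "Open"/"NF" status strings are constructed assumptions for the example; the page itself specifies none of them.

```python
"""Reconcile permitted ingress PPS against the documented list (EN360) and flag
cleartext FTP/Telnet ingress from outside the enclave (EN890).

Added example: the rules, documented PPS set and enclave ranges below are
constructed sample data, not taken from any site, STIG or DISA tool.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed `iptables-save` style INPUT rules for an enclave boundary host.
SAMPLE_RULES = """\
-A INPUT -s 10.20.0.0/16 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -s 192.0.2.0/24 -p tcp -m tcp --dport 23 -j ACCEPT
-A INPUT -p udp -m udp --dport 161 -j DROP
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
"""

# Constructed documented PPS list: (protocol, port) pairs the site has registered.
DOCUMENTED_PPS = {("tcp", 22), ("tcp", 443), ("tcp", 80), ("udp", 500)}

# Constructed enclave address space (assumption); any other source, or an
# unrestricted source, is treated as outside the enclave.
ENCLAVE_NETS = [ipaddress.ip_network("10.20.0.0/16"), ipaddress.ip_network("172.16.0.0/12")]

# Services EN890 is concerned with: cleartext credentials on ingress.
CLEARTEXT_INGRESS = {("tcp", 21): "FTP", ("tcp", 23): "Telnet"}

RULE_RE = re.compile(
    r"-A\s+(?P<chain>\S+)"           # chain name
    r"(?:\s+-s\s+(?P<src>\S+))?"      # optional source CIDR
    r"\s+-p\s+(?P<proto>\w+)"         # protocol
    r".*?--dport\s+(?P<port>\d+)"     # destination port
    r".*?-j\s+(?P<target>\w+)"        # target (ACCEPT, DROP, ...)
)


@dataclass(frozen=True)
class Permit:
    proto: str
    port: int
    src: str  # source CIDR, or "any" when the rule carries no -s match


def parse_permits(rules: str) -> list[Permit]:
    """Return the ACCEPT rules on the INPUT chain; other chains and targets are ignored."""
    permits = []
    for line in rules.splitlines():
        m = RULE_RE.search(line)
        if m and m["chain"] == "INPUT" and m["target"] == "ACCEPT":
            permits.append(Permit(m["proto"].lower(), int(m["port"]), m["src"] or "any"))
    return permits


def is_external_source(src: str) -> bool:
    """True when the rule's source can lie outside the enclave's own address space."""
    if src == "any":
        return True
    net = ipaddress.ip_network(src, strict=False)
    return not any(net.subnet_of(enclave) for enclave in ENCLAVE_NETS)


def assess(rules: str, documented: set[tuple[str, int]]) -> dict[str, list[str]]:
    """Map PDI -> finding notes; an empty list means Not a Finding for that PDI."""
    findings: dict[str, list[str]] = {"EN360": [], "EN890": []}
    for p in parse_permits(rules):
        key = (p.proto, p.port)
        if key not in documented:
            findings["EN360"].append(f"{p.proto}/{p.port} from {p.src} permitted but not on the documented PPS list")
        if key in CLEARTEXT_INGRESS and is_external_source(p.src):
            findings["EN890"].append(f"{CLEARTEXT_INGRESS[key]} ({p.proto}/{p.port}) permitted inbound from {p.src}")
    return findings


def status(findings: dict[str, list[str]]) -> dict[str, str]:
    """Scorecard Status column: 'Open' when notes exist, otherwise NF (Not a Finding)."""
    return {pdi: ("Open" if notes else "NF") for pdi, notes in findings.items()}


if __name__ == "__main__":
    result = assess(SAMPLE_RULES, DOCUMENTED_PPS)
    for pdi, state in status(result).items():
        print(f"{pdi}  {state}")
        for note in result[pdi]:
            print(f"    {note}")
```

On the sample rules the script reports EN360 as Open with three undocumented permits (tcp/21, tcp/23 and tcp/8080) and EN890 as Open for the FTP and Telnet rules; the Telnet rule is caught even though it is source-restricted, because 192.0.2.0/24 is not inside the enclave ranges. A source-restricted FTP permit from an enclave-internal range with tcp/21 on the documented list clears both items, which is the distinction between EN890 and the separate anonymous-FTP item EN920.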




ENCTO-0715   V0011939  II   The site is not in compliance with JTF-GNO Communications Tasking Order 07-15, PKI Implementation Phase 2.
ENCTO-08005  V0004145  II   Scanning, remediation, and reporting of vulnerabilities are not maintained in accordance with JTF CTO 08-005.
ENCTO-08008A V0016160  II   The site is not in compliance with JTF-GNO issued CTO-08-008A, which requires the use of the standardized DoD Warning Banner and user agreement. Compliance has not been reported as outlined in CTO 08-008A.
ENTD100      V0003918  II   Test and development systems are not connected to an isolated network separated from production systems.
ENTD110      V0003919  II   Out of band access is not utilized to access a test and development enclave remotely.
ENTD120      V0014306  II   Development is performed on platforms that are not STIG compliant and/or within a non-STIG compliant infrastructure.
ENTD130      V0014307  II   Network infrastructure devices, such as routers, switches, firewalls, etc., that support the Test/Development enclave, are not STIG compliant.

ENTD140      V0014308  II   Documentation which details the description and function of each system, the zone the system resides in, the SA of the system, applications, OS, and hardware of the system is incomplete or missing.
ENTD150      V0014309  II   Systems in test and development zones are connected to a DoD production network without security controls, as required by the appropriate STIGs. A Connection Approval Process (CAP) has not been used prior to connection to a DoD network.
ENTD160      V0014310  II   Test and development systems are not physically disconnected or blocked at the firewall from external networks during the installation of an operating system.
ENTD170      V0014311  II   Development is performed in a Zone D test enclave.
ENTD180      V0014312  I    Zone D systems have direct connectivity to a DoD network.
ENTD190      V0014371  I    Zone D systems contain production or "live" DoD data or privacy act information and are connected to an external network.
ENTD200      V0014372  I    DoD client workstations/laptops, used for DoD official business, interact or connect (to include remote access) to a Zone D system or network.

ENTD210      V0014373  I    Zone C systems have external connectivity to a network other than that of an additional testing facility with the same security requirements (e.g. Zone C to Zone C).
ENTD220      V0014472  II   Zone C systems are not tightly restricted and/or controlled via network resources to avoid T&D systems traffic or data from entering the DoD network.
ENTD230      V0014380  II   Zone B network connections (all incoming/outgoing traffic) are not strictly controlled via network infrastructure devices to include the establishment of a VPN, VLAN or TACLANE.
ENTD240      V0014381  II   A Network Infrastructure STIG compliant DMZ has not been established for the downloading of applicable software for a Zone B environment.
ENTD250      V0014434  II   External to internal (ingress) network initiated connections are permitted for Zone B environments.
ENTD260      V0014457  II   Zone B egress traffic is not restricted via source and destination filtering as well as ports, protocols and services. Zone B traffic is not restricted to facilitate system testing.
ENTD270      V0014458  II   Systems residing in a Zone A test/development environment are not STIG compliant. POA&Ms are not in place to address any open findings for systems.

ENTD280      V0014459  II   Zone A systems are not separated/isolated from production assets via network infrastructure devices, e.g., VLANs, separate subnets.
ENTD290      V0014460  II   Zone A systems do not comply with the requirements in the DoD PPS Assurance Category Assignments List (CAL) for PPS utilization.
ENTD300      V0014461  II   Zone A systems do not utilize a Connection Approval Process to include assessment and scanning for security baselines, and final ATC.
ENTD310      V0014464  II   The IAO will ensure, if remote access is required to a non STIG compliant system in Zone B, dedicated clients (non-production) are utilized to access Zone B systems from a VPN or dialup connection. No connectivity will occur from a production STIG compliant client (e.g., STIG'd Government Furnished Equipment) to a non-STIG'd system in Zone B.
ENTD320      V0014465  II   Non-STIG'd systems connect or communicate with STIG compliant production systems via a remote access solution.
ENTD330      V0014466  I    Virtual machine guest operating systems (OS) which are used to access a T&D zone communicate with the host OS or a production OS.

ENTD340      V0014467  I    In a virtual machine remote access solution, T&D client traffic is not restricted such that all network traffic can only flow to and from the T&D zone.
ENTD350      V0014468  II   Non-production "guests" communicate with DoD networks via the LAN.

7.035            V0003765  I    IAVM Alert 2002-A-0003, Apache Web Server Chunk Handling Vulnerability, has not been applied.
1999-0001        V0005749  I    Mountd Remote Buffer Overflow Vulnerability
1999-0003        V0005751  I    Remote FTP Vulnerability
1999-A-0006      V0005753  I    Statd and Automountd Vulnerabilities
2000-A-0001      V0005777  I    Cross-Site Scripting Vulnerability
2000-A-0003      V0005778  I    Gauntlet Firewall for Unix and WebShield Cyberdaemon Buffer Overflow Vulnerability
2000-B-0001      V0005780  I    Bind NXT Buffer Overflow
2000-B-0002      V0005781  I    Netscape Navigator Improperly Validates SSL Sessions
2000-B-0003      V0005782  I    Multiple Buffer Overflows in Kerberos Authenticated Services
2000-B-0004      V0005783  I    Washington University FTP Daemon (wu-ftpd) Site Exec Vulnerability and setproctitle() Vulnerability
2000-B-0005      V0005784  I    Input Validation Problem in rpc.statd
2000-T-0006      V0005791  II   Frame Domain Verification, Unauthorized Cookie Access and Malformed Component Attribute Vulnerabilities
2000-T-0015      V0005798  II   BMC Best/1 Version 6.3 Performance Management System Vulnerability
2001-A-0001      V0005799  I    Multiple Vulnerabilities in BIND
2001-A-0007      V0005803  I    iPlanet Web Servers Expose Sensitive Data via Buffer Overflow
2001-A-0009      V0005804  I    Gauntlet Firewall for Unix and WebShield CSMAP and smap/smapd Buffer Overflow Vulnerability
2001-A-0011      V0005805  I    Format String Vulnerability in CDE ToolTalk
2001-A-0013      V0005807  I    SSH CRC32 Remote Integer Overflow Vulnerability
2001-B-0003      V0005811  I    Encoding Intrusion Detection System Bypass Vulnerability
2001-B-0004      V0005812  I    WU-FTPd Remote Code Execution Vulnerability
2001-T-0004      V0005816  II   MySQLd Vulnerability
2001-T-0005      V0005817  II   Input Validation Problems in LPRng
2001-T-0008      V0005820  II   Buffer Overflow in telnetd
2001-T-0009      V0005821  II   Symantec Norton Antivirus LiveUpdate Host Verification Vulnerability
2001-T-0015      V0005825  II   Multiple Vulnerabilities in lpd Daemon
2001-T-0017      V0005826  II   OpenSSH UseLogin Multiple Vulnerabilities
2001-T-0018      V0005827  II   Short Password Vulnerability in SSH Communications Security
2002-A-0003      V0005830  I    Apache Web Server Chunk Handling Vulnerability
2002-A-SNMP-003  V0005837  I    Multiple Simple Network Management Protocol Vulnerabilities in Servers and Applications
2002-A-SNMP-004  V0005838  I    Multiple Simple Network Management Protocol Vulnerabilities in Perimeter Devices
2002-A-SNMP-005  V0005839  I    Multiple Simple Network Management Protocol Vulnerabilities in Enclave Devices
2002-A-SNMP-006  V0005840  I    Multiple Simple Network Management Protocol Vulnerabilities in Servers and Applications
2002-B-0003      V0005842  I    Multiple Vulnerabilities in PHP
2002-B-SNMP-002  V0005847  I    Multiple Simple Network Management Protocol Vulnerabilities in Servers and Applications
2002-T-0004      V0005851  II   Kerberos Telnet Protocol Vulnerability
2002-T-0005      V0005852  II   Multiple Vulnerabilities in Oracle Database Server
2002-T-0006      V0005853  II   Multiple Vulnerabilities in Oracle9i Application Server
2002-T-0015      V0005862  II   Integer Overflow Vulnerability in SunRPC derived XDR Libraries
2002-T-0016      V0005863  II   Multiple Vendor kadmind Remote Buffer Overflow Vulnerability
2002-T-SNMP-003  V0005867  II   Multiple Simple Network Management Protocol Vulnerabilities in Servers and Applications
2003-A-0006      V0005873  I    Multiple Vulnerabilities in Multiple Versions of Oracle Database Server
2003-A-0015      V0005908  I    Multiple Vulnerabilities in OpenSSL
2003-B-0001      V0005877  I    Multiple Buffer Overflow Vulnerabilities in Various DNS Resolver Libraries
2003-B-0003      V0005879  I    Sendmail Memory Corruption Vulnerability
2003-B-0005      V0005906  I    Sendmail Prescan Variant Remote Buffer Overrun Vulnerability
2003-T-0004      V0005883  II   Multiple Vulnerabilities in Oracle 9i Application Server
2003-T-0007      V0005886  II   Sun RPC XDR Library Integer Overflow Vulnerability
2003-T-0015      V0005896  II   Multiple Vendor PDF Hyperlinks Arbitrary Command Execution Vulnerability
2003-T-0018      V0005900  II   Real Networks Helix Universal Server Vulnerability
2003-T-0020      V0005904  II   OpenSSH Buffer Mismanagement and Multiple Portable OpenSSH PAM Vulnerabilities
2003-T-0024      V0005916  II   RSync Daemon Mode Undisclosed Remote Heap Overflow Vulnerability
2004-A-0002      V0005923  I    Multiple Vulnerabilities in Check Point Firewall
2004-A-0004      V0005929  I    ISS Internet Security Systems ICQ Parsing Buffer Overflow Vulnerability
2004-B-0003      V0005921  I    Cisco Voice Product Vulnerabilities on IBM Servers
2004-B-0007      V0005946  I    HP Web Jetadmin Multiple Vulnerabilities
2004-B-0009      V0005954  I    Oracle E-Business Suite Multiple SQL Injection Vulnerability
2004-T-0002      V0005924  II   Oracle 9i Application/Database Server Denial Of Service Vulnerability
2004-T-0003      V0005925  II   Apache-SSL Client Certificate Forging Vulnerability
2004-T-0005      V0005928  II   Oracle9i Lite Mobile Server Multiple Vulnerabilities
2004-T-0008      V0005934  II   TCPDump ISAKMP Decoding Routines Multiple Remote Buffer Overflow
2004-T-0011      V0005940  II   Oracle Application Server Web Cache HTTP Request Method Heap Overrun Vulnerability
2004-T-0018      V0005955  II   Multiple Vulnerabilities in ISC DHCP 3
2004-T-0022      V0005964  II   Check Point VPN-1, ASN.1 Buffer Overflow Vulnerability
2004-T-0038      V0005988  II   Sun Java System Web And Application Servers Remote Denial Of Service Vulnerability
2005-A-0014      V0006033  I    Multiple Vulnerabilities in Oracle E-Business and Application Suite
2005-A-0019      V0011666  I    Multiple Vulnerabilities in Oracle E-Business and Applications Suite
2005-A-0034      V0011700  I    Multiple Vulnerabilities in Oracle E-Business and Applications Suite
2005-A-0037      V0011703  I    VERITAS NetBackup Java User-Interface Remote Format String Vulnerability
2005-A-0041      V0011709  I    VERITAS NetBackup Volume Manager Daemon Buffer Overflow Vulnerability
2005-B-0007      V0006015  I    Symantec UPX Parsing Engine Remote Heap Overflow Vulnerability
2005-B-0008      V0006016  I    Trend Micro VSAPI ARJ Handling Heap Overflow Vulnerability
2005-T-0007      V0006018  II   Multiple Vulnerabilities in Computer Associates Products
2005-T-0010      V0006021  II   Multiple Vulnerabilities in Sybase Software
2005-T-0013      V0011646  II   Computer Associates BrightStor ARCserve Backup UniversalAgent Remote Buffer Overflow
2005-T-0031      V0011680  II   Multiple Vulnerabilities in Computer Associates Message Queuing (CAM/CAFT)
2005-T-0035      V0011684  II   Check Point SecurePlatform NGX Firewall Rules Bypass Vulnerability
2005-T-0038      V0011687  II   Sun Java System Application Server Web Application JAR Disclosure
2006-A-0007      V0011723  I    Multiple Vulnerabilities in Oracle E-Business Suite and Applications
2006-A-0008      V0011724  I    Computer Associates (CA) iTechnology iGateway Service Vulnerability
2006-A-0011      V0011732  I    Oracle E-Business Suite Unspecified Vulnerability
2006-A-0013      V0011737  I    Sendmail Asynchronous Signal Handling Remote Code Execution Vulnerability
2006-A-0020      V0011748  I    Multiple Vulnerabilities in Oracle E-Business Suite and Applications
2006-A-0023      V0011756  I    Multiple Vulnerabilities in Macromedia Flash
2006-A-0032      V0012321  I    Multiple Vulnerabilities in Oracle E-Business Suite and Applications
2006-A-0050      V0012899  I    Multiple Vulnerabilities in Oracle E-Business Suite and Applications
2006-T-0002      V0011726  I    Multiple Vulnerabilities within BEA WebLogic Software
2006-T-0008   V0011750   II   HP Color LaserJet 2500/4600 Toolbox Directory Traversal Vulnerability
2006-T-0013   V0011805   I    RealVNC Remote Authentication Bypass Vulnerability
2006-T-0016   V0012055   II   Sun ONE and Sun Java System Application Server Cross-Site Scripting Vulnerability
2007-A-0010   V0013583   I    Multiple Vulnerabilities in Oracle E-Business Suite and Applications
2007-A-0013   V0013605   I    Trend Micro Antivirus UPX Compressed PE File Buffer Overflow Vulnerability
2007-A-0025   V0013996   I    Multiple Vulnerabilities in Oracle E-Business Suite and Applications
2007-A-0038   V0014480   I    Symantec AntiVirus Malformed CAB and RAR Compression Remote Vulnerabilities
2007-B-0012   V0014462   I    RPC Remote Code Execution Vulnerabilities in MIT Kerberos
2007-B-0018   V0014587   I    Multiple Vulnerabilities in Oracle E-Business Suite
2007-B-0035   V0015376   II   Multiple RealPlayer Remote Code Execution Vulnerabilities
2007-T-0025   V0014383   I    Multiple Vulnerabilities in MIT Kerberos
2007-T-0033   V0014842   I    Hewlett-Packard Openview Multiple Remote Buffer Overflow Vulnerabilities
2007-T-0037   V0015097   I    MIT Kerberos Administration Daemon Remote Code Execution Vulnerabilities
2008-A-0011   V0015746   II   SQL Injection in Cisco Unified Communications Manager Vulnerability
2008-A-0020   V0015966   I    Multiple Vulnerabilities in Oracle E-Business Suite
2008-A-0032   V0016019   I    Cisco Unified Communications Manager Denial of Service Vulnerabilities
2008-A-0034   V0016023   I    IBM Lotus Sametime Multiplexer Buffer Overflow Vulnerability
2008-A-0038   V0016039   I    Multiple Security Vulnerabilities in Sun Java ASP
2008-A-0045   V0016170   I    DNS Protocol Cache Poisoning Vulnerability
2008-A-0049   V0016172   II   Multiple Vulnerabilities in Oracle E-Business Suite
2008-A-0052   V0016319   I    Multiple Vulnerabilities in the Oracle WebLogic Server component in BEA Product Suite
2008-A-0053   V0016523   II   Multiple RealPlayer Remote Code Execution Vulnerabilities
2008-A-0075   V0017786   I    Multiple Vulnerabilities in Oracle E-Business Suite
2008-B-0017   V0015753   II   Multiple Apache HTTP Server Vulnerabilities
2008-B-0020   V0015755   I    Multiple Symantec Decomposer Denial of Service Vulnerabilities
2008-B-0024   V0015780   I    Multiple MIT Kerberos Vulnerabilities
2008-B-0041   V0015994   I    Sun Java System Directory Server Remote Unauthorized Access Vulnerability
2008-B-0043   V0016022   I    Multiple CA ARCserve Backup Remote Vulnerabilities
2008-B-0045   V0016025   II   Multiple Sun Java System Application Server and Web Server Vulnerabilities
2008-B-0064   V0017414   I    Multiple Vulnerabilities in Openwsman (VMWare)
2008-B-0073   V0017742   I    Multiple HP OpenView Network Node Manager Vulnerabilities
2008-B-0078   V0017874   I    Multiple Vulnerabilities in VMware
2008-T-0003   V0015665   II   Sun Java Web Proxy Server and Sun Java Web Server Multiple Cross-Site Scripting Vulnerabilities
2008-T-0010   V0015935   II   CA BrightStor ARCserve Backup ListCtrl ActiveX Control Buffer Overflow Vulnerability
2008-T-0017   V0015995   II   CA Products DSM gui_cm_ctrls ActiveX Control Code Execution
2008-T-0026   V0016046   I    SNMP Remote Authentication Bypass Vulnerability
2008-T-0046   V0017144   II   Red Hat OpenSSH Vulnerability
2008-T-0048   V0017352   II   Apache mod_proxy_ftp Cross-Site Scripting Vulnerability
2008-T-0049   V0017350   I    Multiple Vulnerabilities in RedHat Fedora Directory Server
2008-T-0050   V0017465   I    Denial of Service Vulnerabilities in Cisco Unified Communications Manager
2008-T-0052   V0017542   III  MySQL Command-Line Client HTML Injection Vulnerability
2008-T-0054   V0017737   I    Cisco Unity Remote Administration Authentication Bypass Vulnerability
2008-T-0063   V0017904   II   Multiple Vulnerabilities in Symantec Backup Exec
2008-T-0064   V0017917   I    Bzip2 Remote Denial-of-Service Vulnerability
2009-A-0006   V0018000   II   Vulnerability in Oracle Collaboration Suite
2009-A-0009   V0018005   I    Multiple Oracle/BEA Weblogic Security Vulnerabilities
2009-A-0023   V0018613   I    Multiple Vulnerabilities in OpenSSL
2009-A-0057   V0019765   II   Multiple Vulnerabilities in Oracle Enterprise Manager
2009-A-0060   V0019802   I    ISC BIND Denial of Service Vulnerability
2009-A-0089   V0021637   I    Snort Remote Denial Of Service Vulnerability
2009-B-0006   V0018295   I    Multiple Vulnerabilities in VMware
2009-B-0015   V0018638   I    Multiple Vulnerabilities in VMware
2009-B-0016   V0018766   I    VMware Hosted Products Code Execution Vulnerability
2009-B-0017   V0018751   I    Multiple MIT Kerberos Vulnerabilities
2009-B-0021   V0019297   I    Multiple Vulnerabilities in VMware Products
2009-B-0026   V0019438   II   Multiple Vulnerabilities in Apache Tomcat
2009-B-0034   V0019859   I    Multiple Apache HTTP Server Vulnerabilities
2009-B-0051   V0021686   I    Multiple Vulnerabilities in Apache
2009-T-0024   V0018983   I    Multiple Vulnerabilities in Linux Kernel
2009-T-0050   V0021503   I    Multiple Vulnerabilities in Wireshark
2009-T-0051   V0021537   I    PHP 5.2.10 Denial of Service Vulnerability
ESX0010       V0015783   II   ESX Server is not configured in accordance with the UNIX STIG.
ESX0020       V0015784   II   An NFS Server is running on the ESX Server host.
ESX0030       V0015785   II   VMotion virtual switches are not configured with a dedicated physical network adapter.
ESX0040       V0015786   II   There is no dedicated VLAN or network segment configured for virtual disk file transfers.
ESX0050       V0015787   II   Permissions on the configuration and virtual disk files are incorrect.
ESX0055       V0016881   II   Permissions on the virtual disk files are incorrect.
ESX0060       V0015788   II   iSCSI VLAN or network segment is not configured for iSCSI traffic.
ESX0070       V0015789   II   CHAP authentication is not configured for iSCSI traffic.
ESX0080       V0015790   II   iSCSI storage equipment is not configured with the latest patches and updates.
ESX0090       V0015791   II   iSCSI passwords are not compliant with DoD policy.
ESX0100       V0015792   II   Static discoveries are not configured for hardware iSCSI initiators.
ESX0110       V0015793   II   USB drives automatically load when inserted into the ESX Server host.
ESX0120       V0015801   III  The ESX Server does not meet the minimum requirement of two network adapters.
ESX0130       V0015802   II   The service console and virtual machines are not on dedicated VLANs or network segments.
ESX0140       V0015803   III  Notify Switches feature is not enabled to allow for notifications to be sent to physical switches.
ESX0150       V0015804   II   The ESX Server external physical switch ports are configured to VLAN 1.
ESX0160       V0015805   II   Permissions have been changed on the /usr/sbin/esx* utilities.
ESX0170       V0015806   II   Virtual machines are connected to public virtual switches and are not documented.
ESX0180       V0015807   II   Virtual switch port group is configured to VLAN 1.
ESX0190       V0015808   II   Virtual switch port group is configured to VLAN 1001 to 1024.
ESX0200       V0015809   II   Virtual switch port group is configured to VLAN 4095.
ESX0210       V0015810   II   Port groups are not configured with a network label.
ESX0220       V0015811   II   Unused port groups have not been removed.
ESX0230       V0015812   II   Virtual switches are not labeled.
ESX0240       V0015813   II   Virtual switch labels begin with a number.
ESX0250       V0015815   I    The MAC Address Change Policy is set to "Accept" for virtual switches.
ESX0260       V0015817   I    Forged Transmits are set to "Accept" on virtual switches.
ESX0270       V0015818   I    Promiscuous Mode is set to "Accept" on virtual switches.
ESX0280       V0015819   I    Promiscuous mode is enabled for virtual switches during the ESX Server boot process.
ESX0290       V0015820   II   External physical switch ports configured for EST mode are configured with spanning-tree enabled.
ESX0300       V0015821   II   The non-negotiate option is not configured for trunk links between external physical switches and virtual switches in VST mode.
ESX0310       V0015822   II   Undocumented VLANs are configured on ESX Server in VST mode.
ESX0320       V0015824   II   ESX Server firewall is not configured to High Security.
ESX0330       V0015825   II   A third party firewall is configured on ESX Server.
ESX0340       V0015826   II   IP tables or internal router/firewall is not configured to restrict IP addresses to services.
ESX0350       V0015827   III  ESX Server required services are not documented.
ESX0360       V0015828   II   ESX Server service console administrators are not documented.
ESX0370       V0015829   II   Hash signatures for the /etc files are not stored offline.
ESX0380       V0015833   II   Hash signatures for the /etc files are not reviewed monthly.
ESX0390       V0015835   II   The setuid and setgid flags have been disabled.
ESX0400       V0015836   II   ESX Server is not authenticating the time source with a hashing algorithm.
ESX0410       V0015840   II   ESX Server does not record log files.
ESX0420       V0015841   II   ESX Server log files are not reviewed daily.
ESX0430       V0015842   II   Log file permissions have not been configured to restrict unauthorized users.
ESX0440       V0015843   III  ESX Server does not send logs to a syslog server.
ESX0450       V0015844   II   Auditing is not configured on the ESX Server.
ESX0460       V0015845   III  The IAO/SA does not subscribe to vendor security patches and update notifications.
ESX0470       V0015846   II   The ESX Server software version is not at the latest release.
ESX0480       V0015847   II   ESX Server updates are not tested.
ESX0490       V0015848   II   VMware tools are not used to update the ESX Server.
ESX0500       V0015849   I    ESX Server software version is not supported.
ESX0510       V0015850   I    VMware and third party applications are not supported.
ESX0520       V0015851   III  There are no procedures for the backup and recovery of the ESX Server, management servers, and virtual machines.
ESX0530       V0015852   II   The ESX Servers and management servers are not backed up in accordance with the MAC level of the servers.
ESX0540       V0015853   II   Disaster recovery plan does not include ESX Servers, VirtualCenter servers, virtual machines, and necessary peripherals associated with the system.
ESX0550       V0015854   II   Backups are not located in separate logical partitions from production data.
ESX0560       V0015855   II   VI client sessions to the ESX Server are unencrypted.
ESX0570       V0015856   II   VI Web Access sessions to the ESX Server are unencrypted.
ESX0580       V0015857   II   VirtualCenter communications to the ESX Server are unencrypted.
ESX0590       V0015858   II   SNMP write mode is enabled on ESX Server.
ESX0600       V0015859   II   VirtualCenter server is hosting other applications such as database servers, e-mail servers or clients, DHCP servers, web servers, etc.
ESX0610       V0015860   II   Patches and security updates are not current on the VirtualCenter Server.
ESX0650       V0015864   II   VirtualCenter virtual machine is not configured in an ESX Server cluster with High Availability enabled.
ESX0660       V0015865   II   VirtualCenter virtual machine does not have a CPU reservation.
ESX0670       V0015866   II   VirtualCenter virtual machine does not have a memory reservation.
ESX0680       V0015867   III  VirtualCenter virtual machine CPU alarm is not configured.
ESX0690       V0015868   III  VirtualCenter virtual machine memory alarm is not configured.
ESX0700       V0015869   II   Unauthorized users have access to the VirtualCenter virtual machine.
ESX0710       V0015870   II   No dedicated VirtualCenter administrator created within the Windows Administrator Group on the Windows Server for managing the VirtualCenter environment.
ESX0720       V0015871   II   No logon warning banner is configured for VirtualCenter users.
ESX0725       V0017020   II   VirtualCenter is not using DoD approved certificates.
ESX0730       V0015872   II   VI Client sessions with VirtualCenter are unencrypted.
ESX0740       V0015873   II   VI Web Access sessions with VirtualCenter are unencrypted.
ESX0750       V0015874   I    VirtualCenter vpxuser has been modified.
ESX0760       V0015875   III  Users assigned to VirtualCenter groups are not documented.
ESX0770       V0015876   III  Users in the VirtualCenter Server Windows Administrators group are not documented.
ESX0780       V0015877   II   VirtualCenter Server groups are not reviewed monthly.
ESX0790       V0015878   II   No documented configuration management process exists for VirtualCenter changes.
ESX0800       V0015879   II   There is no VirtualCenter baseline configuration document for users, groups, permissions, and roles.
ESX0810       V0015880   II   VirtualCenter does not log user, group, permission or role changes.
ESX0820       V0015881   II   VirtualCenter logs are reviewed daily.
ESX0828       V0016851   III  ESX administrators have not received proper training to administer the ESX Server.
ESX0860       V0015882   II   There is no up-to-date documentation of the virtualization infrastructure.
ESX0863       V0015973   II   ESX Server is not properly registered in VMS.
ESX0866       V0015974   II   ESX Server assets are not configured with the correct posture in VMS.
ESX0869       V0015975   II   VirtualCenter Server assets are not properly registered in VMS.
ESX0872       V0015984   II   VirtualCenter Server assets are not configured with the correct posture in VMS.
ESX0880       V0015884   II   ISO images are not restricted to authorized users.
ESX0890       V0015885   II   ISO images do not have hash checksums.
ESX0900       V0015886   II   ISO images are not verified for integrity when moved across the network.
ESX0910       V0015887   III  Master templates are not stored on a separate partition.
ESX0920       V0015888   II   Master templates are not restricted to authorized users only.
ESX0930       V0015889   III  The VMware-converter utility is not used for VMDK imports or exports.
ESX0940       V0015890   II   Nonpersistent disk mode is set for virtual machines.
ESX0950       V0015891   III  No policy exists to assign virtual machines to personnel.
ESX0960       V0015892   III  VI Console is used to administer virtual machines.
ESX0970       V0015893   II   Clipboard capabilities (copy and paste) are enabled for virtual machines.
ESX0980       V0015894   II   VMware Tools drag and drop capabilities are enabled for virtual machines.
ESX0990       V0015895   II   The VMware Tools setinfo variable is enabled for virtual machines.
ESX1000       V0015896   III  Configuration tools are enabled for virtual machines.
ESX1010       V0015897   II   Virtual machines are not time synchronized with the ESX Server or an authoritative time server.
ESX1020       V0015898   III  The IAO/SA does not document and approve virtual machine renames.
ESX1030       V0015899   II   Test and development virtual machines are not logically separated from production virtual machines.
ESX1040       V0015900   III  No policy exists to restrict copying and sharing virtual machines over networks and removable media.
ESX1050       V0015901   II   Virtual machine moves are not logged from one physical server to another.
ESX1060       V0015902   II   Virtual machines moved to removable media are not documented.
ESX1070       V0015903   II   Virtual machines are removed from the site without approval documentation.
ESX1080       V0015904   II   Production virtual machines are not located in a controlled access area.
ESX1090       V0015905   III  Virtual machine rollbacks are performed when the virtual machine is connected to the network.
ESX1100       V0015906   II   Virtual machine OS log files are not saved before rollback.
ESX1110       V0015907   II   Virtual machine log files do not have a size limit.
ESX1120       V0015908   II   ESX Server is not configured to maintain a specific number of log files via log rotation.
ESX1130       V0015909   II   Virtual machine log files are not maintained for 1 year.
ESX1140       V0015913   II   Virtual machines are not backed up in accordance with the MAC level.
ESX1150       V0015972   II   Virtual machines are not registered in VMS.
ESX1160       V0015919   III  Virtual machine requirements are not documented before creating a virtual machine.
ESX1170       V0015921   II   Unused hardware is enabled in virtual machines.
ESX1180       V0015924   II   Guest OS selection does not match installed OS.
ESX1190       V0015926   I    Guest operating system is not supported by ESX Server.
ESX1200       V0015931   II   Anti-virus software and signatures are out of date for "off" and "suspended" virtual machines.
ESX1210       V0015932   II   OS patches and updates are out of date on "off" and "suspended" virtual machines.
ESX1220       V0017043   II   Virtual machines are not configured with the correct posture in VMS.
GEN000020     V0000756   II   The UNIX host is bootable in single user mode without a password.
GEN000040     V0000757   II   The UNIX host is not configured to require a password when booted to single-user mode and is not documented.
GEN000060     V0000758   II   The UNIX host cannot be configured to require a password when booted to single-user mode and is not located in a controlled access area.
GEN000260     V0000759   II   A shared account is not justified and documented by the IAO.
GEN000280     V0000760   II   A shared (i.e., default, application, or utility) account is logged into directly.
GEN003320     V0000986   II   Default system accounts (with the exception of root) are listed in the at.allow file or excluded from the cron.deny file if cron.allow does not exist.
GEN003680     V0000972   III  Network services required for operations have not been documented by the IAO.
GEN003700     V0012005   II   All inetd/xinetd services are disabled and inetd (xinetd for Linux) is not disabled.
GEN003820     V0004687   I    A system has a vulnerable trust relationship through rsh or remsh.
GEN003840     V0004688   I    A system has the rexec service active.
GEN003860     V0004701   III  A system has the finger service active.
GEN003865     V0012049   II   Network Analysis tools are enabled.
GEN003960     V0004369   II   The traceroute command owner is NOT root.
GEN003980     V0004370   II   The traceroute command group owner is not sys, bin, or root.
GEN004000     V0004371   II   Traceroute file permissions are less restrictive than 700.
GEN004020     V0004372   III  The browser is NOT capable of 128-bit encryption.
GEN004040     V0004373   II   A browser SmartUpdate, or software update feature, is enabled.
GEN004060     V0004374   II   The browser has unencrypted secure content caching enabled.
GEN004100     V0004376   III  The browser is configured to allow active scripting.
GEN004120     V0004377   II   The browser is not configured to give a warning when form data is redirected.
GEN004160     V0004379   II   The browser gives no warning before viewing remote data with a security certificate that does not match the remote address.
GEN004180     V0004380   II   The browser home page is not configured for a blank page or a locally generated page.
GEN004200     V0004381   II   The browser is NOT configured for Secure Socket Layer (SSL) v2 and SSL v3.
GEN004220     V0004382   I    An SA browses the WEB as root.
GEN004240     V0001038   II   The browser is not a supported version.
GEN004260     V0001039   III  The browser does not issue a warning prior to accepting a cookie from a remote site.
GEN004280     V0001041   III  A browser does not issue a warning when submitting non-encrypted form data.
GEN004300     V0001042   III  The browser does not issue a warning prior to viewing a document with both secure and non-secure content.
GEN004320     V0001043   III  The browser does not issue a warning prior to leaving an encrypted or secure site.
GEN004540 V0012006 II The sendmail help command
                       is not disabled.
GEN004560 V0004384 III The O Smtp greeting in
                       sendmail.cf, or equivalent,
                       has not been changed to
                       mask the version.
GEN004580 V0004385  I .forward files were found.
GEN004600 V0004689  I A sendmail server has an
                       out-of-date version of
                       sendmail active.
GEN004620 V0004690  I A UNIX sendmail server has
                       the debug feature active.

GEN004640 V0004691     I    A UNIX sendmail server has
                            a uudecode alias active.

GEN004660 V0004692    III   A sendmail server has the
                            EXPN feature active.
GEN004680 V0004693    III   A sendmail server has the
                            VRFY feature active.
GEN004700 V0004694    III   A UNIX sendmail server has
                            the wizard backdoor active.

GEN004720 V0012007     II   FTP or telnet within an
                            enclave is not behind the
                            premise router and protected
                            by a firewall and router
                            access control lists.
GEN004760 V0012008     I    FTP or telnet from outside
                            the enclave into the enclave
                            is enabled and not within
                            requirements.
GEN004780 V0012009     I    FTP or telnet
                            userids/passwords have
                            administrative or root
                            privileges.
GEN004800 V0012010     II   An AORL is not used to
                            document the use of
                            unencrypted FTP or telnet or
                            the risk is not accepted as
                            part of the accreditation
                            package.
GEN004840 V0004702     II   A system allows anonymous
                            FTP access.
GEN005020 V0004388     I    An anonymous ftp account
                            does not implement STIG
                            security guidance.
GEN005040 V0012011     II   An FTP user's umask is not
                            077.
GEN005060 V0012013     I    FSP is enabled.
GEN005140 V0004695  I TFTP is active and it is not
                      justified and documented
                      with the IAO.
GEN005180 V0012014 II .Xauthority files are more
                      permissive than 600.
GEN005200 V0004697  I A system is exporting X
                      displays to the world.
GEN005220 V0012016 II Authorized X clients are not
                      listed in the X*.hosts (or
                      equivalent) file(s) if the
                      .Xauthority utility is not used.

GEN005240 V0012017      II   Access to the X-terminal
                             host is not limited to
                             authorized X clients.
GEN005260 V0012018      II   The X Window System
                             connections are not required
                             and the connections are not
                             disabled.

GEN005280 V0004696      II   A UNIX system has the
                             UUCP service active.
GEN005360 V0012019      II   The snmpd.conf file is not
                             owned by root and group
                             owned by sys or the
                             application.
GEN005380 V0004392      II   An snmp server runs more
                             than network management
                             and DBMS software and
                             there is no IAO justifying
                             documentation.
GEN005400 V0004393      II   Either /etc/syslog.conf is not
                             owned by root or is more
                             permissive than 640.
GEN005420 V0004394      II   The /etc/syslog.conf group
                             owner is NOT root, bin, or
                             sys.
GEN005440 V0012020      II   Local hosts are used as
                             loghosts for systems outside
                             the local network.
GEN005460 V0004395      II   A system is using a remote
                             log host not justified and
                             documented with the IAO.

GEN005480 V0012021      II   The syslog daemon accepts
                             remote messages and is not
                             an IAO documented loghost.

GEN005500 V0004295       I   SSH, or a similar utility, is
                             running and SSHv1 protocol
                             is used.
GEN005540 V0012022 II Encrypted communications
                      are not configured for IP
                      filtering and logon warning
                      banners.
GEN005560 V0004397 II The system is not a router
                      but has no default gateway
                      defined.
GEN005580 V0004398 II A system used for routing
                      also uses other applications
                      and/or utilities.
GEN005600 V0012023 II IP forwarding is not disabled.

GEN005620 V0004703     III   A Lotus Domino 5.0.5 Web
                             Application was found
                             vulnerable to the .nsf, .box,
                             and .ns4 directory traversal
                             exploit.
GEN005640 V0004706     III   A system running Squid
                             Web Proxy Cache server
                             was found vulnerable to the
                             authentication header
                             forwarding exploit.
GEN005660 V0004707     II    A system running Squid
                             Web Proxy Cache was
                             found vulnerable to the
                             MSNT auth helper buffer
                             overflow exploit.
GEN005680 V0004709     III   The SA will ensure the Squid
                             Proxy Cache server is not a
                             vulnerable version.
GEN005700 V0004708     III   An iPlanet Web Server was
                             found with the search engine
                             NS-query-pat file viewing
                             vulnerability.
GEN006000 V0012024     II    A public instant messaging
                             client is installed.
GEN006040 V0012025     II    A peer-to-peer file-sharing
                             application is installed and
                             not authorized and
                             documented with the DAA.
GEN006060 V0004321     II    Samba is running and is not
                             being used.
GEN006080 V0001026     II    The Samba Web
                             Administration tool is not
                             used with ssh port
                             forwarding.
GEN006100 V0001027     II    The /etc/smb.conf file is not
                             owned by root.
GEN006120 V0001056     II    The /etc/smb.conf file does
                             not have a group owner of
                             root.
GEN006140 V0001028 II The /etc/smb.conf file is
                      more permissive than 644.
GEN006160 V0001029 II The smbpasswd file is not
                      owned by root.
GEN006180 V0001058 II The /etc/smbpasswd file
                      does not have a group
                      owner of root.
GEN006200 V0001059 II The /etc/smbpasswd file has
                      permissions more
                      permissive than 600.
GEN006220 V0001030 II The smb.conf file is not
                      configured correctly.
GEN006240 V0001023 II A Linux Internet Network
                      News server is not
                      authorized and documented
                      by the IAO.
GEN006260 V0004273 II A Linux /etc/news/hosts.nntp
                      is more permissive than 600.

GEN006280 V0004274    II   A Linux
                           /etc/news/hosts.nntp.nolimit
                           is more permissive than 600.

GEN006300 V0004275    II   A Linux
                           /etc/news/nnrp.access is
                           more permissive than 600.
GEN006320 V0004276    II   Linux /etc/news/passwd.nntp
                           is more permissive than 600.

GEN006340 V0004277    II   Linux files in /etc/news are
                           not owned by root or news.
GEN006360 V0004278    II   Linux /etc/news files group
                           owner is not root or news.
GEN006380 V0004399     I   NIS/NIS+ is implemented
                           under UDP.
GEN006420 V0012026    II   NIS maps are not protected
                           through hard-to-guess
                           domain names.
GEN006560 V0012028    II   The system vulnerability
                           assessment tool, host-based
                           intrusion detection tool, and
                           file system integrity baseline
                           tool does not notify the SA
                           and the IAO of a security
                           breach or a suspected
                           security breach.

GEN006620 V0012030    II   The access control program
                           is not configured to grant
                           and deny system access to
                           specific hosts.
GEN006640 V0012765 II An approved DOD virus
                      scan program is not used
                      and/or updated.
IAVA0010  V0001002  I A TCP_WRAPPERS Trojan
                      exists on the system.

IAVA0020   V0001006   II    There are Internet Message
                            Access Protocol (IMAP) or
                            Post Office Protocol (POP)
                            vulnerabilities.

IAVA0025   V0001007   II    A vulnerability exists in mime-
                            aware mail and news clients.

IAVA0150   V0007520   II    There are multiple
                            vulnerabilities in Sybase
                            Software.
IAVA0295   V0003612   III   There are multiple SSH
                            vulnerabilities.
IAVA0380   V0004547   II    A vulnerable version of the
                            H.323 Protocol is in use.
IAVA0510   V0004699   I     A BSD system has the FTP
                            RNFR command
                            vulnerability.
LNX00060   V0004246   II    A Linux system Password
                            Configuration Table has the
                            User Password set to ON.
LNX00080   V0004247   I     A Linux system is using a
                            boot diskette as the boot
                            loader.
LNX00100   V0004248   I     A Linux system has not been
                            configured with GRUB as the
                            default boot loader and the
                            boot loader in use has not
                            been authorized, justified,
                            and documented with the
                            IAO.
LNX00120   V0004255   I     The Linux /boot partition is
                            on removable media and is
                            not stored in a secure
                            container.
LNX00140   V0004249   I     The Linux boot-loader does
                            not use an MD5 encrypted
                            password.
LNX00160   V0004250   II    Linux /boot/grub/grub.conf is
                            more permissive than 600.

LNX00180   V0004252   I     A Linux system authorized to
                            use LILO does not have a
                            global password in
                            /etc/lilo.conf.
LNX00200   V0012036 I The LILO Boot Loader
                      password is not encrypted.
LNX00220   V0004253 I A Linux /etc/lilo.conf file is
                      more permissive than 600.
LNX00260   V0004256 I A site SOP does not restrict
                      the use of Kickstart to
                      isolated development LANs.

LNX00300   V0004262    II   A Linux system does not
                            have the rpc.ugidd daemon
                            disabled.
LNX00320   V0004268    I    A Linux system has special
                            privilege accounts, such as
                            shutdown and halt.
LNX00340   V0004269    II   A Linux system has
                            unnecessary accounts.
LNX00360   V0001021    II   A Linux X server does not
                            have the correct options
                            enabled.
LNX00380   V0001022    II   A Linux X server has one of
                            the following options
                            enabled: -ac, -core (except
                            for debugging purposes), or
                            -nolock.
LNX00400   V0001025    II   The /etc/login.access file is
                            not owned by root.
LNX00420   V0001054    II   The /etc/login.access file
                            does not have a privileged
                            group owner.
LNX00440   V0001055    II   The /etc/login.access
                            permissions are more
                            permissive than 640.
LNX00480   V0004334    II   Linux /etc/sysctl.conf is not
                            owned by root.
LNX00500   V0004335    II   Linux /etc/sysctl.conf group
                            owner is not root.
LNX00520   V0004336    II   Linux /etc/sysctl.conf file is
                            more permissive than 600.

LNX00540   V0012037    I    The insecure option is set.
LNX00560   V0004339    I    A Linux NFS Server has the
                            insecure file locking option.

LNX00580   V0004342    I    The Linux x86 CTRL-ALT-
                            DELETE key sequence has
                            not been disabled.
LNX00600   V0004346    II   Linux PAM grants sole
                            access to admin privileges to
                            the first user who logs into
                            the console.
LNX00620   V0012038 II The /etc/securetty file is not
                       group owned by root, sys, or
                       bin.
LNX00640   V0012039 II The /etc/securetty file is not
                       owned by root.
LNX00660   V0012040 II The /etc/securetty file is
                       more permissive than 640.
LNX00680   V0012041 II A vulnerable RealPlayer
                       version is installed.
SOL00040   V0004353 II /etc/security/audit_user has
                       a different auditing level for
                       specific users.
SOL00060   V0004352 II /etc/security/audit_user is
                       not owned by root.
SOL00080   V0004351 II The /etc/security/audit_user
                       group is not root, sys, or bin.


SOL00100   V0004245    II    /etc/security/audit_user is
                             more permissive than 640.
SOL00400   V0004300    II    An NFS server does not
                             have logging implemented.
USB00.001.00 V0006764   III   There is no document
                              instructing users that USB
                              devices be powered off for at
                              least 60 seconds prior to
                              being connected to an IS.

USB01.001.00 V0006765   II    MP3 players, camcorders, or
                              digital cameras are being
                              attached to ISs without prior
                              DAA approval.
USB01.002.00 V0006766   II    USB devices are attached to
                              a DoD IS without prior IAO
                              approval.
USB01.003.00 V0006768   II    Disguised jump drives are
                              not banned from locations
                              containing DOD ISs.
USB01.004.00 V0006769   II    Notices are not prominently
                              displayed informing
                              everyone of the ban of
                              disguised jump drives.
USB01.005.00 V0006770   II    Persistent memory USB
                              devices are not treated as
                              removable media and
                              contrary to DODD 5200.1-R;
                              the devices are not secured,
                              transported, and sanitized in
                              a manner appropriate for the
                              classification level of the
                              data they contain.

USB01.006.00 V0006771   II    Persistent memory USB
                              devices are not labeled in
                              accordance with the
                              classification level of the
                              data they contain.
USB01.007.00 V0006772   II    Sensitive data stored on a
                              USB device with persistent
                              memory, that the data owner
                              requires encryption, is not
                              encrypted using NIST-
                              certified cryptography.
USB01.008.00 V0006773   II    USB devices with persistent
                              memory are not formatted in
                              a manner to allow the
                              application of Access
                              Controls to files or data
                              stored on the device.
USB01.009.00 V0006774   II    There is no section within
                              the SFUG, or equivalent
                              documentation, describing
                              the correct usage and
                              handling of USB
                              technologies.
USB01.010.00 V0006775   III   The USB usage section of
                              the SFUG, or equivalent
                              document, does not contain
                              a discussion of the devices
                              that contain persistent non-
                              removable memory.
Section (ESX Server / Virtual Center / ESX Policy / Virtual Machine): only the Section column of the ESX scorecard rows survives in this copy; the PDI, VMSID, CAT, Requirement, Vulnerability, Status and Finding Notes columns for these rows are absent.
  PDI     VMSID CAT            Requirement                  Vulnerability   Status   Finding Notes
EMG0-056 V0018865 III The E-mail Administrator
                      role is not assigned and
                      authorized by the IAO.
EMG0-075 V0018877 II E-mail Administrator Groups
                      do not ensure least privilege.

EMG0-090 V0018885     III   E-mail acceptable use policy
                            is not documented in the
                            System Security Plan or
                            does not require annual user
                            review.
EMG0-092 V0018886     III   E-mail Acceptable Use
                            Policy does not contain
                            required elements.
EMG1-002 V0018681     III   Unneeded OMA E-mail Web
                            Virtual Directory is not
                            removed.
EMG1-004 V0018682     III   Unneeded Active Sync E-
                            mail Web Virtual Directory is
                            not removed.
EMG1-007 V0018759      II   Default web site allows
                            anonymous access.
EMG1-012 V0018683     III   Unneeded "Public" E-mail
                            Virtual Directory is not
                            removed.
EMG1-103 V0018786      I    Public Folder access does
                            not require secure channels
                            and encryption.
EMG1-105 V0018787      I    Outlook Web Access (OWA)
                            does not require secure
                            channels and encryption.

EMG1-110 V0018733      II   E-mail web applications are
                            operating on non-standard
                            ports.
EMG2-005 V0018666      II   E-mail Server Global
                            Sending or Receiving
                            message size is set to
                            Unlimited.
EMG2-006 V0018671     III   The Global Recipient Count
                            limit is set to "Unlimited".

EMG2-010 V0018667     III   Sending or Receiving
                            message size is not set to
                            Unlimited on the SMTP
                            virtual server.
EMG2-013 V0018661 II Mailbox server is not
                     protected by E-mail Edge
                     Transport role (E-mail
                     Secure Gateway) performing
                     Global Accept/Deny list
                     filtering.
EMG2-015 V0018663 II The Mailbox server is not
                     protected by an Edge
                     Transport Server Role (E-
                     mail Secure Gateway)
                     performing 'Block List'
                     filtering.
EMG2-017 V0018664 II Mailbox server is not
                     protected by an Edge
                     Transport Server role (E-
                     mail Secure Gateway)
                     performing Block List
                     exception filtering at the
                     perimeter.
EMG2-021 V0018675 II The E-Mail server is not
                     protected by having
                     connections from "Sender
                     Filter" sources dropped by
                     the Edge Transport Server
                     role (E-Mail Secure
                     Gateway) at the perimeter.
EMG2-024 V0018673 II The Mailbox server is not
                     protected by having filtered
                     messages archived by the
                     Edge Transport Role server
                     (E-mail Secure Gateway) at
                     the perimeter.
EMG2-026 V0018674 II The Mailbox server is not
                     protected by having blank
                     sender messages filtered by
                     the Edge Transport Role
                     server (E-mail Secure
                     Gateway) at the perimeter.
EMG2-029 V0018662 II Mailbox Server is not
                     protected by an Edge
                     Transport Server (E-mail
                     Secure Gateway) performing
                     SPAM evaluation.

EMG2-030 V0018721    II   E-mail servers are not
                          protected by an Edge
                          Transport Server role (E-
                          mail Secure Gateway)
                          removing disallowed
                          message attachments at the
                          network perimeter.
EMG2-031 V0018672 II The Exchange E-mail
                     Services environment is not
                     protected by an Edge
                     Transport Server (E-Mail
                     Secure Gateway) performing
                     Non-existent recipient
                     filtering at the perimeter.

EMG2-038 V0018818    II   E-mail Services are not
                          protected by having an Edge
                          Transport Server (E-mail
                          Secure Gateway) performing
                          outbound message signing
                          at the perimeter.

EMG2-043 V0018665    II   Mailbox Server is not
                          protected by an Edge
                          Transport Server (E-mail
                          Secure Gateway) performing
                          Sender Authentication at the
                          perimeter.

EMG2-046 V0018660    II   Automated Response
                          Messages are Enabled.
EMG2-105 V0018734    II   E-mail SMTP services are
                          using Non-PPSM compliant
                          ports.
EMG2-107 V0018670    II   Message Recipient Count
                          Limit is not limited on the
                          SMTP virtual server.
EMG2-109 V0018735    II   SMTP Virtual Server is not
                          bound to the PPSM
                          Standard Port.
EMG2-111 V0018780    II   Exchange Server is not
                          protected by an Edge
                          Transport Server (E-mail
                          Secure Gateway) that
                          performs Anonymous
                          Connections interaction with
                          Internet-based E-mail
                          servers.
EMG2-114 V0018690   III   Maximum outbound
                          connection timeout limit is
                          not at 10 minutes or less.
EMG2-117 V0018693   III   Maximum Inbound
                          Connection Timeout Limit is
                          not 10 or less.
EMG2-120 V0018691   III   Outbound Connection Limit
                          per Domain Count is not 100
                          or less.
EMG2-123 V0018687 III The Outbound Delivery Retry
                      Values are not at the
                      Defaults, or do not have
                      alternate values documented
                      in the System Security Plan.

EMG2-124 V0018770     II   SMTP Virtual Server
                           Auditing is not active.
EMG2-125 V0018692    III   Inbound Connection Count
                           Limit is not set to "Unlimited".

EMG2-126 V0018689    III   SMTP Maximum outbound
                           connections are not at 1000,
                           or an alternate value is not
                           documented in System
                           Security Plan.
EMG2-129 V0018668    III   The SMTP Virtual Server
                           Session Size is not set to
                           "Unlimited".
EMG2-130 V0018688    III   SMTP Maximum Hop Count
                           is not 30.
EMG2-131 V0018701     II   Smart-Host is specified at
                           the Virtual Server level.
EMG2-133 V0018762     I    One or more SMTP Virtual
                           Servers do not have a Valid
                           Certificate.
EMG2-136 V0018643    III   E-mail user mailboxes do
                           not have Storage Quota
                           Limitations.
EMG2-139 V0018644    III   E-mail Public Folders do not
                           have Storage Quota
                           Limitations.
EMG2-143 V0018704    III   The SMTP Virtual Server is
                           configured to perform DNS
                           lookups for anonymous E-
                           mails.
EMG2-144 V0018782     II   SMTP Virtual Servers do not
                           Require Secure Channels
                           and Encryption.
EMG2-146 V0018700     II   SMTP virtual Server does
                           not Restrict Relay Access.
EMG2-148 V0018702    III   The SMTP Virtual Server
                           performs reverse DNS
                           lookups for anonymous
                           message delivery.
EMG2-149 V0018669    III   The SMTP Virtual Server
                           Message Count Limit is not
                           20.
EMG2-250 V0018694     II   SMTP Connection
                           Restrictions do not use the
                           "Deny All" strategy.
  PDI     VMSID CAT         Requirement                    Vulnerability   Status   Finding Notes
EMG2-251 V0018696 II ExAdmin Virtual Directory is
                     not Configured for Integrated
                     Windows Authentication.

EMG2-255 V0018805     II   Scripts are Permitted to
                           Execute in the ExAdmin
                           Virtual Server.
EMG2-256 V0018760     I    OWA does not require only
                           Integrated Windows
                           Authentication.
EMG2-259 V0018803     II   Scripts are permitted to
                           execute in the OWA Virtual
                           Server.
EMG2-263 V0018806     II   Users do not have correct
                           permissions in the OWA
                           Virtual Server.
EMG2-266 V0018719     II   Users do not have correct
                           permissions in the Public
                           Virtual Server.
EMG2-269 V0018807     II   ExAdmin does not have
                           correct permissions in the
                           ExAdmin Virtual Server.
EMG2-271 V0018745     I    OWA Virtual Server has
                           Forms-Based Authentication
                           enabled.
EMG2-272 V0018695    III   SMTP Sender, Recipient, or
                           Connection Filters are not
                           engaged.
EMG2-275 V0018804     II   Scripts are permitted to
                           execute in the Public Folder
                           web server.
EMG2-303 V0018812    III   Exchange application
                           memory is not zeroed out
                           after message deletion.
EMG2-305 V0018788    III   ExAdmin is configured for
                           Secure Channels and
                           Encryption.
EMG2-307 V0018725    III   Mailbox Stores Restore
                           Overwrite is enabled.
EMG2-311 V0018726    III   Public Folder Stores Restore
                           Overwrite is enabled.

EMG2-313 V0018641     II   User mailboxes are hosted
                           on non-Mailbox Server role.
EMG2-317 V0018727    III   E-mail message copies are
                           not archived.
EMG2-318 V0018646    III   Mailbox Stores "Do Not
                           Mount at Startup" is enabled.
  PDI     VMSID CAT          Requirement                   Vulnerability   Status   Finding Notes
EMG2-320 V0018655 II Public Folder Stores "Do not
                     Mount at Startup" is enabled.

EMG2-323 V0018642     I    E-mail Server does not
                           require S/MIME capable
                           clients.
EMG2-327 V0018744     I    E-mail Public Folders do not
                           require S/MIME capable
                           clients.
EMG2-333 V0018705    III   E-mail Server "Circular
                           Logging" is not set
                           appropriately.
EMG2-340 V0018723     II   Mailboxes and messages
                           are not retained until
                           backups are complete.
EMG2-344 V0018724     II   Public Folder stores and
                           documents are not retained
                           until backups are complete.

EMG2-507 V0018645    III   Public Folders Store storage
                           quota limits are overridden.

EMG2-511 V0018658    III   Public Folder "Send on
                           Behalf of" feature is in use.
EMG2-710 V0018686     II   Message size restrictions
                           are specified on routing
                           group connectors.
EMG2-713 V0018685    III   Connectors are not clearly
                           named as to direction or
                           purpose.
EMG2-718 V0019198     II   Message size restriction is
                           specified at the SMTP
                           connector level. .
EMG2-721 V0018698     II   The SMTP connectors do
                           not specify use of a "Smart
                           Host".
EMG2-730 V0018697     II   Routing Group is not
                           selected as the SMTP
                           connector scope.
EMG2-736 V0018699     I    SMTP connectors allow
                           unauthenticated relay.
EMG2-743 V0018784     I    SMTP Connectors perform
                           outbound anonymous
                           connections.
EMG2-803 V0018703     II   Virtual Server default
                           outbound security is not
                           anonymous and TLS.
EMG2-806 V0018715     II   SMTP Queue Monitor is not
                           configured with a threshold
                           and alert.
  PDI     VMSID CAT          Requirement                    Vulnerability   Status   Finding Notes
EMG2-807 V0018713 II CPU Monitoring Notifications
                     are not configured with
                     threshold and action.

EMG2-810 V0018707    II    E-mail "Subject Line" logging
                           is enabled during production
                           operations.
EMG2-811 V0018706    II    E-mail Diagnostic Logging is
                           enabled during production
                           operations.
EMG2-813 V0018714    II    Virtual memory monitoring
                           notifications are not
                           configured with threshold
                           and action.
EMG2-815 V0018716    II    Windows 2003 Services
                           Monitoring Notifications are
                           not configured with
                           thresholds and actions.
EMG2-817 V0018717    II    Exchange Core Services
                           Monitors are not configured
                           with threshold and actions.
EMG2-825 V0018710    II    SMTP Virtual Server Audit
                           Records are not directed to a
                           separate partition.
EMG2-831 V0018711    II    Exchange sends fatal errors
                           to Microsoft.
EMG2-833 V0018767    II    The "Disable Server
                           Monitoring" feature is
                           enabled.
EMG2-835 V0018712    II    Disk Space Monitoring is not
                           Configured with Threshold
                           and Action.
EMG2-840 V0018763    III   Audit Records do not contain
                           all required fields.
EMG2-863 V0019186    II    Mailbox access control
                           mechanisms are not audited
                           for changes.
EMG3-005 V0018881    III   The E-mail backup and
                           recovery strategy is not
                           documented or is not tested
                           on an INFOCON compliant
                           frequency.
EMG3-006 V0018880    II    Audit logs are not included in
                           backups.

EMG3-007 V0018883    II    E-mail backups do not meet
                           schedule or storage
                           requirements.
EMG3-009 V0018882    II    E-mail backup and recovery
                           data is not protected.
  PDI     VMSID CAT            Requirement                    Vulnerability   Status   Finding Notes
EMG3-010 V0018884 II E-mail critical software
                     copies are not stored offsite
                     in a fire rated container.

EMG3-015 V0018857     II    Annual procedural reviews
                            are not conducted at the site.

EMG3-020 V0018858     II    Exchange with Outlook Web
                            Access is not deployed as
                            Front-end/Back-end
                            Architecture.
EMG3-028 V0018868     III   E-mail software installation
                            account usage is not logged.

EMG3-037 V0018869     III   E-mail audit trails are not
                            reviewed daily.

EMG3-045 V0018864     II    E-Mail Configuration
                            Management (CM)
                            procedures are not
                            implemented.
EMG3-050 V0018867     II    E-mail Services are not
                            documented in System
                            Security Plan.
EMG3-058 V0018741     II    E-mail software is not
                            monitored for change on
                            INFOCON frequency
                            schedule.
EMG3-071 V0018879     II    E-mail audit records are not
                            retained for 1 year.

EMG3-079 V0018878     II    Automated audit reporting
                            tools are not available.

EMG3-106 V0019546     I     E-mail services and servers
                            are not protected by routing
                            all SMTP traffic through an
                            Edge Transport Server.

EMG3-108 V0019548     I     E-mail web services are not
                            protected by having an
                            application proxy server
                            outside the enclave.
EMG3-115 V0018731     II    E-mail application installation
                            is sharing a partition with
                            another application.

EMG3-116 V0018792     II    SMTP service banner
                            response reveals
                            configuration details.
  PDI     VMSID CAT            Requirement                  Vulnerability   Status   Finding Notes
EMG3-119 V0018795 II E-mail Services accounts
                     are not restricted to named
                     services.
EMG3-121 V0018801 II Services permissions do not
                     reflect least privilege.
EMG3-145 V0018796 II E-Mail service accounts are
                     not operating at least
                     privilege.
EMG3-150 V0018819 II E-Mail audit trails are not
                     protected against
                     unauthorized access.
EMG3-801 V0018676 II E-Mail server has unneeded
                     processes or services active.

EMG3-802 V0018742     II   Security support data or
                           process is sharing a
                           directory or partition with
                           Exchange.
EMG3-805 V0018743     II   Exchange software baseline
                           copy does not exist.

EMG3-817 V0018684     II   VRFY command is resident
                           on Exchange 2003 server.

EMG3-823 V0018732     II   Audit data is sharing
                           directories or partitions with
                           the E-mail application.
EMG3-824 V0018802     II   Exchange application
                           permissions are not at
                           vendor recommended
                           settings.
EMG3-828 V0018799     II   E-mail restore permissions
                           are not restricted to E-mail
                           administrators.
EMG3-829 V0018820     I    E-mail servers do not have E-
                           mail aware virus protection.

Section column for the rows above: Email Services Policy 2003 / Exchange Server 2003
   ____ Checklist _V_R_ (<date>)                                            <Test> - TN <Ticket Number>
 PDI    VMSID CAT           Requirement                  Vulnerability   Status   Finding Notes     Section
H20100 V0014282 II A static IP address does not                                                   McAfee
                   exist for the ePO server.                                                      ePO Server

H20120 V0014483     II   **The ePO server is not                                                  McAfee
                         located in a protected                                                   ePO Server
                         Enclave Security Services
                         DMZ or screened subnet.
H20140 V0014484     II   The ePO server's                                                         McAfee
                         management workstations,                                                 ePO Server
                         outside the enclave, do not
                         use encrypted VPNs for
                         access.
H20160 V0014485     II   VPN traffic into the ePO is                                              McAfee
                         not visible to a network                                                 ePO Server
                         intrusion detection system.
H20200 V0014486     I    The ePO server perimeter                                                 McAfee
                         protection is not in deny by                                             ePO Server
                         default with allowable
                         exceptions.
H20220 V0014487     II   **The distributed repository                                             McAfee
                         is not in a protected enclave                                            ePO
                         non-public DMZ.                                                          Distributed
                                                                                                  Repository
H20180 V0014488     II   The ePO server is not being                                              McAfee
                         protected by a local Network                                             ePO Server
                         IDS.
H20260 V0014489     II   The site has not registered                                              McAfee
                         the HBSS server within the                                               ePO Server
                         Ports and Protocols
                         database.
H30100 V0014491    III   The HBSS is not under                                                    McAfee
                         direct control of a site CCB.                                            ePO Server
H30140 V0014493     II   The ePO server does not                                                  McAfee
                         have at least two entries for                                            ePO Server
                         DoD controlled source
                         repositories.
H30160 V0014494    III   A non-DoD controlled DNS                                                 McAfee
                         server is used for resolution                                            ePO Server
                         for the ePO server.

H36960 V0014495     II   The ePO server firewall                                                  McAfee
                         rules are inadequate.                                                    ePO Server




   Legend:
   R or RAE = Required Ancillary Equipment
   NF = Not a Finding
   NA = Not Applicable                                                                383 of 1257
    ____ Checklist _V_R_ (<date>)                                       <Test> - TN <Ticket Number>
 PDI    VMSID CAT           Requirement              Vulnerability   Status   Finding Notes     Section
H30200 V0014496 II HBSS is operating on                                                       McAfee
                   different classification levels                                            ePO Server
                   or across mixed DoD and
                   Non-DoD systems or
                   networks.
H30220 V0014497  I **The ePO server is shared                                                 McAfee
                   with other applications.                                                   ePO Server
H30240 V0014498 II **The ePO is not using the                                                 McAfee
                   correct port assignments.                                                  ePO Server
H30260 V0014499 II The ePO software                                                           McAfee
                   directories are not                                                        ePO Server
                   adequately protected from
                   unauthorized modification.
H30280 V0014500 II HBSS does not have the                                                     McAfee
                   current security patches                                                   Policy
                   installed.                                                                 Auditor,
                                                                                              McAfee
                                                                                              System
                                                                                              Compliance
                                                                                              Profiler,
                                                                                              McAfee
                                                                                              Infocon
                                                                                              Asset
                                                                                              Tracking,
                                                                                              McAfee
                                                                                              ePO Agent,
                                                                                              McAfee
                                                                                              ePO
                                                                                              Server,
                                                                                              McAfee
                                                                                              Host
                                                                                              Intrusion
                                                                                              Protection
                                                                                              Module,
                                                                                              McAfee
                                                                                              Rogue
                                                                                              System
                                                                                              Sensor

H30300 V0014501      I   **The ePO server is using                                            McAfee
                         the default keys.                                                    ePO Server
H30400 V0014502     II   The ePO server has agents                                            McAfee
                         using the default keys.                                              ePO Server




   Legend:
   R or RAE = Required Ancillary Equipment
   NF = Not a Finding
   NA = Not Applicable                                                            384 of 1257
    ____ Checklist _V_R_ (<date>)                                     <Test> - TN <Ticket Number>
 PDI    VMSID CAT           Requirement            Vulnerability   Status   Finding Notes     Section
H30500 V0014503 II The ePO server does not                                                  McAfee
                   have a scheduled task to                                                 ePO Server
                   pull updates daily.
H30540 V0014504 II The ePO server does not                                                  McAfee
                   have a scheduled task to                                                 ePO Server
                   replicate changes to
                   repositories daily.
H30560 V0014505 II The ePO server does not                                                  McAfee
                   have a scheduled task to do                                              ePO Server
                   complete repository updates
                   at least weekly.
H30580 V0014506 II The ePO server does not                                                  McAfee
                   have a scheduled task to                                                 ePO Server
                   identify Inactive Agents daily.

H30640 V0014507      I    The ePO server is part of a                                       McAfee
                          domain.                                                           ePO Server
H30620 V0014508     II    The ePO server is managed                                         McAfee
                          remotely by an unauthorized                                       ePO Server
                          machine.
H30700 V0014509     II    The ePO server is not being                                       McAfee
                          regularly checked for file                                        ePO Server
                          integrity.
H31100 V0014510      I    The ePO SQL database                                              McAfee
                          installation is shared with                                       ePO Server
                          other applications.
H31120 V0014511     III   The SQL database                                                  McAfee
                          installation partition is not                                     ePO Server
                          separated from the other
                          parts of the application.
H50110 V0014512     II    The SQL Database reviewer                                         McAfee
                          account is not configured as                                      ePO Server
                          least privilege.

H33100 V0014513     II    The workstation used for                                          McAfee
                          remote access is not                                              ePO
                          dedicated to HBSS.                                                Remote
                                                                                            Console
H33120 V0014514      I    The workstation used for                                          McAfee
                          remote access is not                                              ePO
                          blocked from other                                                Remote
                          connections..                                                     Console




   Legend:
   R or RAE = Required Ancillary Equipment
   NF = Not a Finding
   NA = Not Applicable                                                          385 of 1257
   ____ Checklist _V_R_ (<date>)                                           <Test> - TN <Ticket Number>
 PDI    VMSID CAT          Requirement                  Vulnerability   Status   Finding Notes     Section
H33130 V0014515 II The workstation used for                                                      McAfee
                   remote access is not                                                          ePO
                   protected both logically and                                                  Remote
                   physically by a DoD enclave                                                   Console

H33140 V0014516     II   The ePO server's                                                        McAfee
                         management workstation                                                  ePO
                         outside the enclave does not                                            Remote
                         use VPNs for access.                                                    Console
H33150 V0014517     I    The ePO server's remote                                                 McAfee
                         console machine is a part of                                            ePO
                         a domain                                                                Remote
                                                                                                 Console
H33160 V0014518     II   The ePO server's remote                                                 McAfee
                     console machine does not have a static IP address.  [Section: ePO Remote Console]
H34100 V0014519 II   Rogue System Detection is not in place.  [Section: McAfee ePO Server]
H35100 V0014520 II   The ePO agent is not configured for Agent Wakeup.  [Section: McAfee ePO Agent]
H35120 V0014521 II   The ePO agent is not configured correctly for the policy enforcement interval.  [Section: McAfee ePO Agent]
H35140 V0014522 I    The ePO agent to server communication is not enabled.  [Section: McAfee ePO Agent]
H35160 V0014523 II   The ePO agent to server communication interval is too long.  [Section: McAfee ePO Agent]
H35180 V0014524 II   The ePO agent policy age parameter is set to an interval that is too long.  [Section: McAfee ePO Agent]
H35200 V0014525 II   The ePO agent property type is set incorrectly.  [Section: McAfee ePO Agent]
H35220 V0014526 II   The ePO agent is not configured to upload events immediately.  [Section: McAfee ePO Agent]
H35300 V0014527 II   The ePO agent is not configured for logging.
H35320 V0014528 I    The ePO agent is configured to allow remote access to logs.  [Section: McAfee ePO Agent]


   Legend:
   R or RAE = Required Ancillary Equipment
   NF = Not a Finding
   NA = Not Applicable                                                               386 of 1257
   ____ Checklist _V_R_ (<date>)                                            <Test> - TN <Ticket Number>
 PDI    VMSID CAT          Requirement                   Vulnerability   Status   Finding Notes     Section
H35400 V0014529 II   The ePO agent is not configured to use ePO repositories.  [Section: McAfee ePO Agent]
H35420 V0014530 II   The ePO agent is not configured to use multiple ePO repositories.  [Section: McAfee ePO Agent]
H35440 V0014531 II   The ePO agent is not configured to use DoD controlled ePO repositories.  [Section: McAfee ePO Agent]
H36100 V0014532 II   The HIPS parameter that controls the 'add and remove' programs option is enabled.  [Section: McAfee Host Intrusion Protection Module]
H36140 V0014533 I    The HIPS Admin password for the User Interface has not been changed from the default.  [Section: McAfee Host Intrusion Protection Module]
H36120 V0014534 I    The HIPS Admin password for the User Interface is not known or not protected.  [Section: McAfee Host Intrusion Protection Module]
H36160 V0014535 II   The HIPS User Interface Admin password does not meet password complexity requirements.  [Section: McAfee Host Intrusion Protection Module]
H36180 V0014536 II   The HIPS Admin password for the User Interface time based password is enabled.  [Section: McAfee Host Intrusion Protection Module]
H36200 V0014537 II   The HIPS User Interface parameter for disabling features from the tray is incorrect.  [Section: McAfee Host Intrusion Protection Module]
H36220 V0014538 II   The ePO Server's HIPS Trusted Network address list allows unacceptable networks.  [Section: McAfee ePO Server]
H36260 V0014540 II   The HIPS Trusted Network address list allows unacceptable networks.  [Section: McAfee Host Intrusion Protection Module]
H36280 V0014541 II   The HIPS Trusted Network address list includes the local subnet automatically.  [Section: McAfee Host Intrusion Protection Module]
H36300 V0014542 II   The HIPS trusted application list has not been reviewed against the machine's expected baseline.  [Section: McAfee Host Intrusion Protection Module]
H36400 V0014543 I    The HIPS policy has not enabled Host IPS.  [Section: McAfee Host Intrusion Protection Module]
H36420 V0014544 I    The HIPS policy has not enabled Network IPS.  [Section: McAfee Host Intrusion Protection Module]
H36440 V0014545 I    The HIPS policy has not enabled the automatic blocking of network intruders.  [Section: McAfee Host Intrusion Protection Module]
H36410 V0014546 II   The HIPS policy allows the retention of existing client rules.  [Section: McAfee Host Intrusion Protection Module]
H36500 V0014547 I    The HIPS policy for High Severity is not set properly.  [Section: McAfee Host Intrusion Protection Module]
H36510 V0014548 II   The HIPS policy for Medium Severity is not set properly.  [Section: McAfee ePO Server]
H36640 V0014552 II   The HIPS policy does not contain an appropriate rules hierarchy.  [Section: McAfee Host Intrusion Protection Module]
H36660 V0014553 II   The HIPS policy does not include the signature for protection of the ePO registry.  [Section: McAfee Host Intrusion Protection Module]
H36661 V0014554 II   The HIPS policy does not include the signature for protection of the ePO Server KeyStore.  [Section: McAfee ePO Server]
H36662 V0014555 II   The HIPS policy does not include the signature for protection of the INFOCON registry key.  [Section: McAfee Host Intrusion Protection Module]
H36663 V0014556 II   The HIPS policy does not include the signature for protection of Server.ini.  [Section: McAfee ePO Remote Console]
H36663 V0014556 II   The HIPS policy does not include the signature for protection of Server.ini.  [Section: McAfee ePO Server]
H36664 V0014557 II   The HIPS policy does not include the signature for protection of HIPs preferences.  [Section: McAfee Host Intrusion Protection Module]
H36900 V0014560 II   The HIPS for the ePO server does not have the firewall installed and enabled.  [Section: McAfee ePO Server]
H36920 V0014561 II   The HIPS for the ePO server does not have the firewall set for regular protection.  [Section: McAfee ePO Server]
H36940 V0014562 II   The HIPS for the ePO server has the firewall set to retain client rules.  [Section: McAfee ePO Server]
H37100 V0014563 II   The Assets Module Baseline has not been installed on all clients.  [Section: McAfee ePO Agent]
H38100 V0014565 II   The distributed repository is not a super agent repository.  [Section: McAfee ePO Distributed Repository]
H40100 V0014566 I    Default operating system passwords exist on the HBSS Server.  [Section: McAfee ePO Server]
H40120 V0014567 I    Default passwords exist within the HBSS application.  [Section: McAfee ePO Server]
H40140 V0014568 II   The ePO does not have users assigned in appropriate roles.  [Section: McAfee ePO Server]
H40160 V0014569 II   The ePO users are granted access without proper procedures and/or verification of need to know.  [Section: McAfee ePO Server]
H40180 V0014570 II   The ePO does not have a comprehensive account management process.  [Section: McAfee ePO Server]
H40220 V0014571 II   The account used for vulnerability scanning on the ePO server does not meet creation and deletion requirements.  [Section: McAfee ePO Server]
H50100 V0014572 II   SA account is being used within the application.  [Section: McAfee ePO Server]
H50120 V0014573 II   **A plan for grouping of machines for updates and alerts is not in place.  [Section: McAfee ePO Server]
H50240 V0014574 II   Procedures do not exist or are not followed to mark classified or sensitive data.  [Section: McAfee ePO Server]
H60100 V0014575 II   HBSS Audit Logs are not being retained for at least one year.  [Section: McAfee ePO Server]
H60120 V0014577 II   HBSS audit log reviews are not performed at least weekly.  [Section: McAfee ePO Server]
H60140 V0014578 II   The HBSS audit data is not backed up at least weekly to a different system or media.  [Section: McAfee ePO Server]
H60160 V0014579 II   The HBSS audit data is not being properly protected from unauthorized access.  [Section: McAfee ePO Server]
H60180 V0014580 II   The Remote Admin access of ePO is not being reviewed.  [Section: McAfee ePO Server]
H80100 V0014581 II   The disaster recovery plan does not include HBSS.  [Section: McAfee ePO Server]
H80120 V0014582 II   The ePO Data Backup Frequency or content is inadequate.  [Section: McAfee ePO Server]
H90120 V0014583 II   The ePO server is not registered in VMS.  [Section: McAfee ePO Server]
H90140 V0014584 II   The ePO does not have the correct attributes within VMS.  [Section: McAfee ePO Server]
H90160 V0014585 II   HBSS has not been incorporated into the site's incident response plan.  [Section: McAfee ePO Server]
H20280 V0014843 II   The site is not using a proxy for http/https traffic.  [Section: McAfee ePO Server]
H40200 V0014868 II   The account management process does not enforce password complexity.  [Section: McAfee ePO Server]
H31160 V0014939 II   The SQL Database is not configured as least privilege or unauthorized users have access to data.  [Section: McAfee ePO Server]
H35000 V0015346 II   The site does not scan hosts before installation of the HBSS client.  [Section: McAfee ePO Server]
H80200 V0015354 II   Offline copies of the HBSS database are not encrypted.  [Section: McAfee ePO Server]
H90200 V0015357 II   The HBSS SA or Analyst has not completed training.  [Section: McAfee ePO Server]
H90300 V0015358 II   The site does not incorporate the installation of HBSS agents on new hosts prior to network connection.  [Section: McAfee ePO Server]
H36000 V0015363 II   HIPS module is not deployed.  [Section: McAfee ePO Agent]
H30290 V0017880 II   HBSS application does not have a DoD Certificate installed.  [Section: McAfee ePO Server]
H30120 V0017882 II   The HBSS is not using the approved WSUS configuration for Microsoft patches.  [Section: McAfee ePO Server]
H34120 V0017883 II   The Rogue system detector is performing OS fingerprinting.  [Section: McAfee Rogue System Sensor]
H35110 V0017884 II   The ePO agent is not configured to only accept connections from the ePO server.  [Section: McAfee ePO Agent]
H30720 V0017885 II   The ePO server does not have MyAverts disabled.  [Section: McAfee ePO Server]
H30740 V0017886 II   The ePO server does not have the correct warning banner.  [Section: McAfee ePO Server]
H30760 V0017887 II   The ePO server does have the user timeout parameter set properly.  [Section: McAfee ePO Server]
H30780 V0017888 II   The HBSS console is using tabbed browsing.  [Section: McAfee ePO Remote Console]
H30780 V0017888 II   The HBSS console is using tabbed browsing.  [Section: McAfee ePO Server]
H30800 V0017889 II   The HBSS has vendor site supplied data dashboards in use.  [Section: McAfee ePO Server]
H30820 V0017890 II   The HBSS dashboard refresh rate is not set properly.  [Section: McAfee ePO Server]
H35500 V0017891 II   The ePO component is not in enforcement mode.  [Section: McAfee Infocon Asset Tracking, McAfee ePO Agent, McAfee Host Intrusion Protection Module, McAfee Rogue System Sensor]
H36110 V0017892 II   The HIPS error reporting feature is enabled.  [Section: McAfee Host Intrusion Protection Module]
H36210 V0017893 II   The HIPS IPS Engines are not active.  [Section: McAfee Host Intrusion Protection Module]
H36665 V0017894 II   The HIPS policy does not include the signature for protection of ePO Server Agent Keystore.  [Section: McAfee ePO Server]
H36666 V0017895 II   The HIPS policy does not include the signature for protection of Protect Product Folders.  [Section: McAfee ePO Server]
H41100 V0017896 II   EPO application accounts are not using Windows authentication.  [Section: McAfee ePO Server]
H41110 V0017897 II   EPO accounts are set up with shared Windows accounts.  [Section: McAfee ePO Server]
H50260 V0017898 II   Application Report Header is not configured correctly.  [Section: McAfee ePO Server]
H62100 V0017899 II   HBSS Event Logs are not being retained for at least one year.  [Section: McAfee ePO Server]

   Legend:
   R or RAE = Required Ancillary Equipment
   NF = Not a Finding
   NA = Not Applicable                                                                393 of 1257
   ____ Checklist _V_R_ (<date>)                                    <Test> - TN <Ticket Number>
 PDI    VMSID CAT           Requirement          Vulnerability   Status   Finding Notes     Section
H39200 V0019885 II   Policy Auditor has not been installed.  [Section: McAfee ePO Agent]
 GR-815        CAT      Requirement          Vulnerability          Status   Finding Notes   Systems Affected   Components Affected

R3-6[4]        Low      Requirement: A process (e.g., an NSC, service, or application) that is invoked by a user, shall be associated with the identifier (e.g., userID) of that user. When the invoked process invokes another process, the invoked process shall be associated with the identifier of the invoking process. Autonomous processes (i.e., processes running without user invocation, such as print spoolers, database management servers, translation process monitors, etc.) shall be associated with a system defined unique identification code (e.g., system ownership).
                        Vulnerability: An administrator will not be able to distinguish between entities that are accessing the system. The system will not provide enough information to facilitate after incident audits, or investigations.


R3-17[42]     Medium   The access point shall perform the entire user authentication procedure
                       even if the user-ID that is entered is not valid.
R3-18[43]     Medium   The error feedback generated by the access point after the user
                       authentication procedure shall provide no information other than
                       “invalid,” i.e., it shall not reveal which part of the user-entered
                       information (user-ID and/or authenticator) is incorrect.





R3-25[13]     Medium   Access points that provide a login service shall not prevent a user from
                       choosing (e.g., unknowingly) a password that is already associated with
                       another user-ID. (Otherwise, an existing password may be divulged.)

R3-26[14]             High The NE/FS/NS shall store
                           passwords in a one-way
                           encrypted form.
R3-30[18]     Medium   Requirement: The NE/FS/NS shall provide a mechanism for a password to be
                       user changeable. This mechanism shall require re-authentication of user
                       identity.
                       Vulnerability: The system is vulnerable to unauthorized access and
                       masquerading. At the time that the password is issued, both the user and
                       the issuing authority know the user name and password. The issuing
                       authority could masquerade as the user and perform malicious acts on the
                       system.
R3-61[236]    Medium   An SS7 Signaling Transfer Point (STP) shall provide gateway screening
                       capabilities for operations and services functions and for all types of
                       messages.





R3-62[237]    Medium   An NGN Signaling Gateway (SGW) shall provide gateway screening
                       capabilities for operations and services functions and for all types of
                       messages.
CR3-65[240]   Medium   NE/FS/NSs that support remote network management applications and/or
                       critical network services shall provide data integrity services to
                       enable the access point to determine if all received messages/operations
                       requests have been modified since being sent from an authorized entity.
CR3-69[244]           Low NE/FS/NSs that support
                           remote network
                           management applications
                           and/or critical network
                           services shall provide
                           support for message replay
                           detection services to enable
                           the NSC to detect message
                           replay attacks.
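CR3-65 and CR3-69 above ask for two distinct services on management traffic: an integrity check that detects any modification of a received operations request, and replay detection so a captured, valid request cannot be resubmitted. The Python below is an added example, not code from this checklist or from any NE vendor. It assumes a frame layout of an 8-byte sequence counter followed by the payload, authenticated with HMAC-SHA256 under a pre-shared key, and a 64-frame sliding window; the key and the sample commands are constructed for the example.

```python
"""Integrity-protected, replay-detected management messages, as CR3-65 and
CR3-69 describe.  Added illustration, not code from this checklist or any
NE vendor; the frame layout, key, window size and sample commands are
assumptions."""
import hashlib
import hmac
import struct

TAG_LEN = 32    # HMAC-SHA256 tag length in bytes
WINDOW = 64     # how far behind the highest accepted sequence a late frame may be


def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: frame = 8-byte big-endian sequence || payload || HMAC(key, seq||payload)."""
    body = struct.pack(">Q", seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Receiver:
    """Access point side: verify integrity first, then check for replay."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._highest = -1       # highest sequence accepted so far
        self._seen = set()       # sequences accepted inside the current window

    def accept(self, frame: bytes):
        """Return (status, payload); status is 'ok', 'malformed', 'bad_mac'
        or 'replay', and payload is None unless status is 'ok'."""
        if len(frame) < 8 + TAG_LEN:
            return ("malformed", None)
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        # CR3-65: any change to the sequence or payload invalidates the tag;
        # compare_digest keeps the comparison time independent of where the
        # first mismatching byte is.
        if not hmac.compare_digest(tag, expected):
            return ("bad_mac", None)
        seq = struct.unpack(">Q", body[:8])[0]
        # CR3-69: replay detection runs only on authenticated frames, so a
        # forger cannot advance the window with made-up sequence numbers.
        # A frame at or below the window floor, or already accepted, is a replay.
        if seq <= self._highest - WINDOW or seq in self._seen:
            return ("replay", None)
        self._seen.add(seq)
        if seq > self._highest:
            self._highest = seq
            self._seen = {s for s in self._seen if s > seq - WINDOW}
        return ("ok", body[8:])
```

The order of the two checks matters: the MAC is verified before the sequence number is trusted, so the replay window is only ever moved by frames that came from the key holder. Frames that arrive out of order but inside the window are still accepted once, which is what keeps a lossy or multipath management network usable.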





R3-87[55]     Low      Requirement: If the NE/FS/NS belongs to class A, the following shall be
                       displayed upon successful access to the NE/FS/NS: 1. The date and time
                       (and location identifier, when available) of the user's last successful
                       access to the NE/FS/NS. 2. The number of unsuccessful attempts by that
                       user-ID to gain system access to the NE/FS/NS (e.g., mis-typed password)
                       since the last successful access by that user-ID.
                       Vulnerability: The system is vulnerable to unauthorized access. An
                       adversary could access the system using compromised credentials without
                       the user knowing that his account has been compromised. The system is
                       also vulnerable to an adversary guessing account information in an
                       attempt to gain access.

R3-119[83]    Medium   Requirement: The security log and its control mechanisms shall survive
                       system restarts (e.g., via reloading).
                       Vulnerability: The system may be vulnerable to an attacker performing
                       undetectable malicious acts.





R3-127[101]   Low      The NE/FS/NS shall have the capability to protect data integrity by
                       performing integrity checks and/or data update such as: 1. Proper rule
                       checking on data update. 2. Adequate alert messages (e.g., “Do you really
                       mean it?”) in response to potentially damaging commands before executing
                       them, so that involuntary human errors may be reduced. 3. Proper handling
                       of duplicate/multiple inputs. 4. Checking return status. 5. Checking
                       intermediate results. 6. Checking inputs for reasonable values.

R3-129[97]    Low      Requirement: The NE/FS/NS shall provide mechanisms to monitor NE/FS/NS
                       resources and their availability (e.g., overflow indication, lost
                       messages, buffer queues).
                       Vulnerability: If the system has a problem that affects the secure
                       operation of the system, it could go unnoticed and eventually cause a
                       denial of service.

R3-130[98]             Low The NE/FS/NS shall provide
                           mechanisms to detect
                           communication errors
                           (relevant to the NE/FS/NS)
                           above a specifiable
                           threshold.





R3-145[112]   Low      Requirement: Display all users currently logged on, where the word user
                       is used in a broad sense as elsewhere in this document.
                       Vulnerability: The system may be vulnerable to unauthorized use since an
                       administrator would not be able to verify who was using the system.

R3-156[123]   Medium/  Requirement: The following security parameters shall not be hard-coded
              Low      (i.e., they shall be specifiable/assignable and adjustable by an
                       appropriate administrator using operations-related messages):
                       1. Password Aging Interval, i.e., the length of time the password will
                       remain valid after being updated. 2. The interval (or equivalent) during
                       which an expired password of a user shall be denied being selected again
                       as a new password by the same user (to prevent “password flipping”).
                       3. The events that may trigger alarms (e.g., failed login attempts), the
                       levels of alarms (e.g., critical, major, minor), the type of notification
                       (e.g., beep and/or message), and the routing of the alarm (e.g., specific
                       port). 4. The duration of channel lock-out, which occurs when the
                       threshold on the number of incorrect logins is exceeded. 5. A customized
                       advisory
                       Vulnerability: The system will not be able to adjust to future, more
                       stringent requirements.




CR3-158[125]  Low      Requirement: For an NE/FS/NS that is required to provide a notification
                       to users requiring them to change their passwords, the mechanism to
                       accomplish this shall not be hard-coded (i.e., it shall be
                       specifiable/assignable and adjustable by an appropriate administrator
                       using operations-related messages). The following are examples of
                       alternative ways to accomplish this: * Adjusting the “early warning
                       period” (i.e., how early shall the user be notified before the password
                       expiration). * Adjusting the “grace period” (i.e., the period over which
                       an expired password is still accepted by the NE/FS/NS). * Adjusting the
                       subsequent number of logins that will be allowed after password
                       expiration.
                       Vulnerability: The system is vulnerable to password guessing and password
                       hacking scripts.


R3-167[134]            Low When an NE/FS/NS needs
                           to be restarted, default user-
                           IDs and passwords,
                           previously modified by an
                           administrator, shall not
                           revert back to the vendor-
                           delivered default user-IDs
                           and passwords.
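R3-17, R3-18, R3-26, R3-30 and R3-87 above together describe one login mechanism for an access point: run the entire authentication procedure even when the user-ID is unknown, answer any failure with nothing more than "invalid", keep passwords only as one-way hashes, re-authenticate the user before accepting a password change, and on success report the last successful access and the failed attempts since then. The Python below is an added example, not code from this checklist or from any NE vendor. The AccessPoint class, the in-memory record layout, the PBKDF2-SHA256 parameters and the sample account are assumptions; the "dummy hash" used to satisfy R3-17 (verifying an unknown user-ID against a random secret so the work done is the same as for a real one) is a common technique chosen for the example, not one the checklist prescribes.

```python
"""Uniform authentication, one-way password storage, re-authenticated
password change and last-access reporting (GR-815 R3-17, R3-18, R3-26,
R3-30, R3-87).  Added illustration, not code from the checklist; the
class, store layout and parameters are assumptions."""
import hashlib
import hmac
import os
import time

_ITERATIONS = 100_000     # PBKDF2 work factor; assumed value, raise for production
_INVALID = "invalid"      # the only failure text ever returned (R3-18)


def _hash(password: str, salt: bytes) -> bytes:
    """One-way, salted derivation of the stored verifier (R3-26)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


class AccessPoint:
    def __init__(self) -> None:
        # user-id -> record; a password exists only as salt + hash, never plaintext
        self._users = {}
        # A verifier for a random secret.  Unknown user-IDs are checked against
        # it so the full procedure, and its cost, runs for every attempt (R3-17).
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = _hash(os.urandom(16).hex(), self._dummy_salt)

    def add_user(self, user_id: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[user_id] = {"salt": salt, "hash": _hash(password, salt),
                                "last_success": None, "failed_since_success": 0}

    def _verify(self, user_id: str, password: str) -> bool:
        rec = self._users.get(user_id)
        salt = rec["salt"] if rec else self._dummy_salt
        expected = rec["hash"] if rec else self._dummy_hash
        ok = hmac.compare_digest(_hash(password, salt), expected)
        return ok and rec is not None        # hash work is done before this decision

    def login(self, user_id: str, password: str, now=None) -> dict:
        """Any failure returns {"ok": False, "error": "invalid"}, whether the
        user-ID or the password was wrong.  Success returns the R3-87 display
        data: previous last_success (None on first login) and the number of
        failed attempts since it."""
        now = time.time() if now is None else now
        if not self._verify(user_id, password):
            rec = self._users.get(user_id)
            if rec:
                rec["failed_since_success"] += 1
            return {"ok": False, "error": _INVALID}
        rec = self._users[user_id]
        report = {"ok": True, "last_success": rec["last_success"],
                  "failed_since_success": rec["failed_since_success"]}
        rec["last_success"] = now
        rec["failed_since_success"] = 0
        return report

    def change_password(self, user_id: str, current: str, new: str) -> dict:
        """R3-30: the change mechanism re-authenticates with the current password."""
        if not self._verify(user_id, current):
            return {"ok": False, "error": _INVALID}
        salt = os.urandom(16)
        rec = self._users[user_id]
        rec["salt"], rec["hash"] = salt, _hash(new, salt)
        return {"ok": True}

    def stored_record(self, user_id: str) -> dict:
        """What an administrator (or a database dump) can see for a user."""
        return dict(self._users[user_id])
```

The point a reviewer checks is that the unknown-user path and the wrong-password path are indistinguishable to the caller: same return value, and the same PBKDF2 computation on both. A per-user lockout (as IM0210 later in this checklist requires) would be layered on top of `login`, keyed on the record's failure counter.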




  PDI   VMSID CAT            Requirement           Vulnerability   Status   Finding Notes
IM0010 V0015437 III No policy prohibiting peer-to-
                    peer applications or software
                    exists
IM0020 V0015398   I Peer-to-peer applications
                    are used for instant
                    messaging
IM0030 V0015436   I Publicly hosted instant
                    messaging applications are
                    being used for instant
                    messaging.
IM0040 V0015401   I Instant messaging servers
                    are not located behind a
                    firewall
IM0050 V0015402  II Instant messaging clients
                    connect to unapproved
                    instant messaging servers.
IM0060 V0015403  II Instant messaging gateway
                    servers are not located in
                    the DMZ.
IM0070 V0015404   I Instant messaging system
                    communicates or interacts
                    with public servers.
IM0080 V0015405  II Instant messaging traffic is
                    not encrypted
IM0090 V0015438  II Instant messaging clients
                    are not using DoD certificate
                    authority.
IM0100 V0015439  II Instant messaging services
                    not required are enabled.
                    Required services will be
                    documented with the IAO/SA.

IM0110 V0015440    III   There is no topology
                         diagram of the instant
                         messaging system.
IM0130 V0015441    III   Instant messaging username
                         policy does not exist.

IM0140 V0015442    III   Instant messaging
                         usernames are not in
                         accordance with the
                         username policy.
IM0150 V0015443     II   Instant messaging system is
                         not linked to a directory
                         service.

IM0160 V0015444 III There are no documented
                    procedures for adding and
                    deleting instant messaging
                    users.
IM0170 V0015445  II User passwords are not in
                    accordance with DoD
                    password policy.
IM0180 V0015446  II System administrator
                    passwords are not in
                    accordance with DoD
                    password policy.
IM0190 V0015406  II Instant messaging system
                    stored passwords are not
                    encrypted.
IM0200 V0015447  II Anonymous and guest users
                    are enabled.
IM0210 V0015448  II The unsuccessful logon attempt
                    limit is not configured to three,
                    with an account lockout of 15
                    minutes or until the account is
                    unlocked.
IM0220 V0015449  II Instant messaging system
                    does not log user events.
IM0230 V0015450  II Instant messaging system
                    does not log system events.

IM0240 V0015451    II    Instant messaging system
                         does not log virtual meeting
                         entries and exits.
IM0250 V0015452    II    Instant messaging system
                         does not log virtual meeting
                         tools.
IM0310 V0015453    II    Instant messaging system
                         logs are not stored offline for
                         a year.
IM0320 V0015454    III   No centralized syslog server
                         is deployed for the instant
                         messaging system.
IM0330 V0015455    II    Instant messaging system
                         logs are not restricted to
                         authorized users only. These
                         authorized users will be
                         documented.




IM0340 V0015735  II Instant messaging system
                    logs are not reviewed.
IM0350 V0015457  II No warning banner
                    configured on instant
                    messaging system.
IM0360 V0015458  II Instant messaging servers
                    are not configured according
                    to the operating system
                    STIG.
IM0370 V0015459  II Instant messaging system
                    databases are not
                    configured according to the
                    Database STIG.
IM0380 V0015396 III The IAO/SA does not
                    subscribe to instant
                    messaging system patches
                    or update notices.
IM0390 V0015461  II Instant messaging servers
                    and clients are not
                    configured with the latest
                    patches and updates.
IM0400 V0015462  II Remote administration to
                    instant messaging servers is
                    not restricted to authorized
                    IP addresses.
IM0410 V0015463  II Remote administration traffic
                    is not encrypted.
IM0420 V0015464  II Instant messaging servers
                    do not have antivirus or Host
                    Based IDS.
IM0430 V0015407  II Instant messaging servers
                    are not located in a
                    controlled access area.
IM0440 V0015408  II Instant messaging system is
                    not configured in accordance
                    with the PPS CAL. The
                    ports, protocols, and
                    services for the instant
                    messaging system are not
                    documented with the IAO/SA.

IM0450 V0015465    III   The instant messaging
                         system is not registered in
                         the Ports and Protocols
                         Registration system.

IM0460 V0015466 II The instant messaging
                   system is not registered in
                   VMS.
IM0470 V0015467 II Instant messaging system is
                   not configured according to the
                   product-specific checklist.
IM0500 V0015468  I No antivirus software is
                   installed on instant
                   messaging client computers.

IM0510 V0015469    II    IM community
                         announcements are not
                         restricted to authorized
                         users only.
IM0520 V0015470    III   No policy prohibiting IM file
                         sharing exists.
IM0530 V0015471    II    IM file sharing is enabled.
IM0560 V0015472    II    IM server ports are open
                         that are not required for
                         operation. Ports that are
                         required for operation are
                         not documented with the
                         IAO/SA.
IM0570 V0015473    II    Unapproved IM client
                         software is used on the IM
                         network. Approved IM client
                         software is not documented
                         with the IAO/SA.

IM0580 V0015474    II    Common IM domain names
                         are not blocked at enclave
                         perimeter.
IM0590 V0015475    III   No IM user policy exists
                         outlining the acceptable
                         behavior and consequences
                         for violation of the policy.

IM0600 V0015476    III   No IM instruction presented
                         to all users outlining known
                         IM risks and possible ways
                         to mitigate these risks.

IM0700 V0015477    II    Virtual spaces or rooms are
                         not restricted to authorized
                         users.

IM0710 V0015478 II Virtual spaces and rooms
                   are not labeled according to
                   the classification assignment
                   (unclassified, FOUO,
                   classified).
IM0720 V0015479 II Virtual meeting data is not
                   labeled in accordance with the
                   classification of the virtual
                   space or room (unclassified,
                   FOUO, or classified).

IM0730 V0015480    II    Virtual meeting tools are not
                         disabled when not required for
                         the virtual meeting.
IM0740 V0015481    II    Uninvited users are able to
                         participate in virtual
                         meetings.
IM0750 V0015482    II    Virtual meetings do not
                         require passwords.
IM0800 V0015483    III   Virtual meeting application
                         sharing tools are not
                         restricted to authorized
                         users.




     PDI      VMSID    CAT          Requirement           Vulnerability   Status   Finding Notes      Section
5.3.5.3.1               I The system shall support                                                 System
                           dual IPv4 and IPv6 stacks                                               Requirements
                           as described in RFC 4213.
                           NOTE: The tunnel
                           requirements are only
                           associated with appliances
                           that provide IP routing
                           functions (e.g., routers). The
                           primary intent of these
                           requirements is to (1)
                           require dual stacks on all UC
                           appliances and (2) allow
                           dual stacks and tunneling on
                           routers.
5.3.5.3.1.1             I If the system supports                                                   System
                           routing functions, the system                                           Requirements
                           shall support the manual
                           tunnel requirements as
                           described in RFC 4213.

5.3.5.3.2                II   The system shall support the                                         System
                              IPv6 format as described in                                          Requirements
                              RFC 2460 and updated by
                              RFC 5095.
5.3.5.3.3               III   The system shall support the                                         System
                              transmission of IPv6 packets                                         Requirements
                              over Ethernet networks
                              using the frame format
                              defined in RFC 2464. NOTE:
                              This requirement does not
                              mandate that the remaining
                              sections of RFC 2464 have
                              to be implemented.


5.3.5.3.1.4              I    The system shall support                                             MTU
                              Path Maximum
                              Transmission Unit (MTU)
                              Discovery (RFC 1981).




5.3.5.3.1.5              II The system shall support a                                             MTU
                            minimum MTU of 1280 bytes
                            (RFC 2460 and updated by
                            RFC 5095). NOTE:
                            Guidance on MTU
                            requirements and settings
                            can be found in UCR 2008,
                            Section 5.3.3.10.1.2 Layer 2-
                            Data Link Layer.
5.3.5.3.1.6              II If Path MTU Discovery is                                               MTU
                            used and a “Packet Too Big”
                            message is received
                            requesting a next-hop MTU
                            that is less than the IPv6
                            minimum link MTU, the
                            system shall ignore the
                            request for the smaller MTU
                            and shall include a fragment
                            header in the packet. NOTE:
                            This is to mitigate an attack
                            where the path MTU is
                            adequate, but the Packet
                            Too Big messages are used
                            to make the packet so small
                            it is inefficient.

5.3.5.3.2.7              II   The system shall not use the                                         Flow Label
                              Flow Label field as
                              described in RFC 2460.
5.3.5.3.2.7.1            II   The system shall be capable                                          Flow Label
                              of setting the Flow Label
                              field to zero when originating
                              a packet.
5.3.5.3.2.7.2            II   The system shall not modify                                          Flow Label
                              the Flow Label field when
                              forwarding packets.
5.3.5.3.2.7.3            II   The system shall be capable                                          Flow Label
                              of ignoring the Flow Label
                              field when receiving packets.
5.3.5.3.3.8 (CAT II, Address)
    The system shall support the IPv6 Addressing Architecture as described in RFC 4291. NOTE: The use of “IPv4 Mapped” addresses “on-the-wire” is discouraged due to security risks raised by inherent ambiguities.

5.3.5.3.4.10 (CAT II, DHCP)
    If Dynamic Host Configuration Protocol (DHCP) is supported within an IPv6 system, it shall be implemented in accordance with the DHCP for IPv6 (DHCPv6) as described in RFC 3315. NOTE 1: UCR 2008, Section 5.4, Information Assurance, requires that the voice or video DHCP servers are not to be located on the same physical appliance as the voice or video LAN switches and routers in accordance with the Security Technical Implementation Guides (STIGs). Also, the VoIP STIG requires (in VoIP 0082) separate DHCP servers for (1) the phone system in the phone VLAN(s) and (2) the data devices (PCs) in the data VLAN(s). NOTE 2: There is no requirement that separate DHCP servers be used for IPv4 and for IPv6.
5.3.5.3.4.10.1 (CAT II, DHCP)
    If the system is a DHCPv6 client, the system shall discard any messages that contain options that are not allowed, which are specified in Section 15 of RFC 3315.

5.3.5.3.4.10.2 (CAT II, DHCP)
    The system shall support DHCPv6 as described in RFC 3315. NOTE: The following subtended requirements are predicated upon an implementation of DHCPv6 for the end instrument. It is not expected that other UC appliances will use DHCPv6.

5.3.5.3.4.10.2.1 (CAT II, DHCP)
    If the system is a DHCPv6 client, and the first Retransmission Timeout has elapsed since the client sent the Solicit message and the client has received an Advertise message(s), but the Advertise message(s) does not have a preference value of 255, the client shall continue with a client-initiated message exchange by sending a Request message.
5.3.5.3.4.10.2.2 (CAT II, DHCP)
    If the system is a DHCPv6 client and the DHCPv6 message exchange fails, it shall restart the reconfiguration process after receiving user input, system restart, attachment to a new link, a system configurable timer, or a user defined external event occurs. NOTE: The intent is to ensure that the DHCP client continues to restart the configuration process periodically until it succeeds.

5.3.5.3.4.10.2.3 (CAT II, DHCP)
    If the system is a DHCPv6 client and it sends an Information-Request message, it shall include a Client Identifier option to allow it to be authenticated to the DHCPv6 server.

5.3.5.3.4.10.2.4 (CAT II, DHCP)
    If the system is a DHCPv6 client, it shall perform duplicate address detection upon receipt of an address from the DHCPv6 server prior to transmitting packets using that address for itself.

5.3.5.3.4.10.2.5 (CAT II, DHCP)
    If the system is a DHCPv6 client, it shall log all reconfigure events.
5.3.5.3.4.10.3 (CAT II, DHCP)
    If the system supports DHCPv6 and uses authentication, it shall discard unauthenticated DHCPv6 messages from UC systems and log the event. NOTE: This requirement assumes authentication is used as described in RFC 3118 (and extended in RFC 3315) but does not require authentication.

5.3.5.3.5.11 (CAT II, Neighbor Discovery)
    The system shall support Neighbor Discovery for IPv6 as described in RFC 2461 and RFC 4861 (FY2010).

5.3.5.3.5.11.1 (CAT II, Neighbor Discovery)
    The system shall not set the override flag bit in the neighbor advertisement message for solicited advertisements for anycast addresses or solicited proxy advertisements.

5.3.5.3.5.11.2 (CAT II, Neighbor Discovery)
    The system shall set the override flag bit in the neighbor advertisement message to “1” if the message is not an anycast address or a unicast address for which the system is providing proxy service.

5.3.5.3.5.11.3 (CAT II, Neighbor Discovery)
    If a valid neighbor advertisement is received by the system and the system neighbor cache does not contain the target's entry, the advertisement shall be silently discarded.
5.3.5.3.5.11.4 (CAT II, Neighbor Discovery)
    If a valid neighbor advertisement is received by the system and the system neighbor cache entry is in the INCOMPLETE state when the advertisement is received and the link layer has addresses and no target link-layer option is included, the system shall silently discard the received advertisement.

5.3.5.3.5.11.5 (CAT II, Neighbor Discovery)
    If address resolution fails on a neighboring address, the entry shall be deleted from the system's neighbor cache.

5.3.5.3.5.1.11.6 (CAT II, Redirect Messages)
    The system shall support the ability to configure the system to ignore redirect messages.

5.3.5.3.5.1.11.7 (CAT II, Redirect Messages)
    The system shall only accept redirect messages from the same router as is currently being used for that destination. NOTE: The intent of this requirement is that if a node is sending its packets destined for location A to router X, that it can only accept a redirect message from router X for packets destined for location A to be sent to router Z.

5.3.5.3.5.1.11.7.1 (CAT II, Redirect Messages)
    If redirect messages are allowed, the system shall update its destination cache in accordance with the validated redirect message.
5.3.5.3.5.1.11.7.2 (CAT II, Redirect Messages)
    If the valid redirect message is allowed and no entry exists in the destination cache, the system shall create an entry.

5.3.5.3.5.2.11.8 (CAT II, Router Advertisements)
    If the system sends router advertisements, the system shall inspect valid router advertisements sent by other routers and verify that the routers are advertising consistent information on a link and shall log any inconsistent router advertisements.

5.3.5.3.5.2.11.8.1 (CAT II, Router Advertisements)
    The system shall prefer routers that are reachable over routers whose reachability is suspect or unknown.

5.3.5.3.5.2.11.9 (CAT II, Router Advertisements)
    If the system sends router advertisements, the system shall include the MTU value in the router advertisement message for all links in accordance with RFC 2461 and RFC 4861 (FY2010).

5.3.5.3.6.12 (CAT II, Stateless Address Autoconfiguration and Manual Address Assignment)
    If the system supports stateless IP address autoconfiguration, the system shall support IPv6 Stateless Address Auto-Configuration (SLAAC) for interfaces supporting UC functions in accordance with RFC 2462 and RFC 4862 (FY2010).
5.3.5.3.6.12.1 (CAT II, Stateless Address Autoconfiguration and Manual Address Assignment)
    The system shall have a configurable parameter that allows the “managed address configuration” flag and the “other stateful configuration” flag to always be set and not perform stateless autoconfiguration. NOTE: The objective of this requirement is to prevent a system from using stateless auto configuration.

5.3.5.3.6.12.2 (CAT II, Stateless Address Autoconfiguration and Manual Address Assignment)
    The system shall support manual assignment of IPv6 addresses.

5.3.5.3.6.12.3 (CAT II, Stateless Address Autoconfiguration and Manual Address Assignment)
    The system shall support stateful autoconfiguration (i.e., ManagedFlag=TRUE). NOTE: This requirement is associated with the earlier requirement for the EI to support DHCPv6.

5.3.5.3.6.12.3.1 (CAT II, Stateless Address Autoconfiguration and Manual Address Assignment)
    If the system sends router advertisements, the system shall default to using the “managed address configuration” flag and the “other stateful flag” set to TRUE in their router advertisements when stateful autoconfiguration is implemented.
5.3.5.3.6.12.4 (CAT II, Stateless Address Autoconfiguration and Manual Address Assignment)
    If the system supports a subtended appliance behind it, the system shall ensure that the IP address assignment process of the subtended appliance is transparent to the UC components of the system and does not cause the system to attempt to change its IP address. NOTE: An example is a PC that is connected to the LAN through the hub or switch interface on a phone. The address assignment process of the PC should be transparent to the EI and should not cause the phone to attempt to change its IP address.

5.3.5.3.6.12.5 (CAT II, Stateless Address Autoconfiguration and Manual Address Assignment)
    If the system supports IPv6 SLAAC, the system shall have a configurable parameter that allows the function to be enabled and disabled.

5.3.5.3.6.12.6 (CAT II, Stateless Address Autoconfiguration and Manual Address Assignment)
    If the system supports SLAAC and security constraints prohibit the use of hardware identifiers as part of interface addresses generated using SLAAC, IPsec capable systems shall support privacy extensions for stateless address autoconfiguration as defined in RFC 4941 - Privacy Extensions for Stateless Address Autoconfiguration in IPv6.
5.3.5.3.6.12.7 (CAT II, Stateless Address Autoconfiguration and Manual Address Assignment)
    If the system supports stateless IP address autoconfiguration, the system shall support a configurable parameter to enable or disable manual configuration of the site-local and Global addresses (i.e., disable the “Creation of Global and Site-Local Addresses” as described in Section 5.5 of RFC 2462).

5.3.5.3.6.12.8 (CAT II, Stateless Address Autoconfiguration and Manual Address Assignment)
    All IPv6 nodes shall support link-local address configuration, and the Duplicate Address Detection (DAD) shall not be disabled in accordance with RFC 2462 and RFC 4862 (FY2010).

5.3.5.3.7.14 (CAT II, Internet Control Message Protocol (ICMP))
    The system shall support the Internet Control Message Protocol for IPv6 (ICMPv6) as described in RFC 4443.

5.3.5.3.7.14.1 (CAT II, Internet Control Message Protocol (ICMP))
    The system shall have a configurable rate limiting parameter for rate limiting the forwarding of ICMP messages.

5.3.5.3.7.14.2 (CAT II, Internet Control Message Protocol (ICMP))
    The system shall support the capability to enable or disable the ability of the system to generate a Destination Unreachable message in response to a packet that cannot be delivered to its destination for reasons other than congestion.
5.3.5.3.7.14.3 (CAT II, Internet Control Message Protocol (ICMP))
    The system shall support the enabling or disabling of the ability to send an Echo Reply message in response to an Echo Request message sent to an IPv6 multicast/anycast address. NOTE: The number of responses may be traffic conditioned to limit the effect of a denial of service attack.

5.3.5.3.7.14.4 (CAT II, Internet Control Message Protocol (ICMP))
    The system shall validate ICMPv6 messages, using the information contained in the payload, prior to acting on them.

5.3.5.3.8.15 (CAT II, Routing Functions)
    If the system supports routing functions, the system shall support the Open Shortest Path First (OSPF) for IPv6 as described in RFC 2740.

5.3.5.3.8.15.1 (CAT II, Routing Functions)
    If the system supports routing functions, the system shall support securing OSPF with Internet Protocol Security (IPSec) as described for other IPSec instances in UCR 2008, Section 5.4, Information Assurance.

5.3.5.3.8.15.2 (CAT II, Routing Functions)
    If the system supports routing functions, the system shall support router-to-router integrity using the IP Authentication Header with HMAC-SHA1-128 as described in RFC 4302.
5.3.5.3.8.16             II If the system acts as a CE                                                 Routing
                            router, the system shall                                                   Functions
                            support the use of Border
                            Gateway Protocol (BGP) as
                            described in RFC 1772 and
                            4271
5.3.5.3.8.16.            II If the system acts as a                                                    Routing
1                           customer edge router, the                                                  Functions
                            system shall support the use
                            of BGP-4 multiprotocol
                            extensions for IPv6 Inter-
                            Domain routing (RFC 2545).
                            NOTE: The requirement to
                            support BGP-4 is in UCR
                            2008, Section 5.3.3, Wide
                            Area Network General
                            System Requirements.

5.3.5.3.8.17             II   If the system acts as a CE                                               Routing
                              router, the system shall                                                 Functions
                              support multiprotocol
                              extensions for BGP-4 RFC
                              2858 and RFC 4760
                              (FY2010). NOTE: The
                              requirement to support BGP-
                              4 is in UCR 2008, Section
                              5.3.3, Wide Area Network
                              General System
                              Requirements.
5.3.5.3.8.18             II   If the system acts as a CE                                               Routing
                              router, the system shall                                                 Functions
                              support the Generic Routing
                              Encapsulation (GRE) as
                              described in RFC 2784.

5.3.5.3.8.19             II   If the system acts as a CE                                               Routing
                              router, the system shall                                                 Functions
                              support the Generic Packet
                              Tunneling in IPv6
                              Specification as described in
                              RFC 2473. NOTE: Tunneling
                              is provided for data
                              applications and is not
                              needed as part of the VVoIP
                              architecture.

    Legend:
    R or RAE = Required Ancillary Equipment
    NF = Not a Finding
    NA = Not Applicable                                                                419 of 1257
    ____ Checklist _V_R_ (<date>)                                             <Test> - TN <Ticket Number>
     PDI       VMSID   CAT          Requirement               Vulnerability   Status   Finding Notes      Section
5.3.5.3.8.20            II If the system supports                                                      Routing
                           routing functions, the system                                               Functions
                           shall support the Multicast
                           Listener Discovery (MLD)
                           process as described in
                           RFC 2710 and extended in
                           RFC 3810. NOTE: The FY
                           2008 VVoIP design does not
                           utilize multicast, but routers
                           supporting VVoIP also
                           support data applications
                           that may utilize multicast. A
                           softphone will have non-
                           routing functions that require
                           MLDv2.


5.3.5.3.8.21             II   The system shall support                                                 Routing
                              MLD as described in RFC                                                  Functions
                              2710. NOTE: This
                              requirement was added in
                              order to ensure that
                              Neighbor Discovery
                              multicast requirements are
                              met. Routers are not
                              included in this requirement
                              since they have to meet
                              RFC 2710 in the preceding
                              requirement.
5.3.5.3.9.22             II   If the system uses IPSec,                                                IP Security
                              the system shall support the
                              Security Architecture for the
                              IP RFC 2401 and RFC 4301
                              (FY2010). In FY2008, RFC
                              2401 (and its related RFCs)
                              is the Threshold requirement
                              as described in UCR 2008,
                              Section 5.4, Information
                              Assurance. In addition, the
                              interfaces required to use
                              IPSec are defined in UCR
                              2008, Section 5.4,
                              Information Assurance.



    Legend:
    R or RAE = Required Ancillary Equipment
    NF = Not a Finding
    NA = Not Applicable                                                                420 of 1257
    ____ Checklist _V_R_ (<date>)                                            <Test> - TN <Ticket Number>
     PDI        VMSID   CAT         Requirement              Vulnerability   Status   Finding Notes       Section
5.3.5.3.9.22.            II If RFC 4301 is supported,                                                 IP Security
1                           the system shall support
                            binding of a security
                            association (SA) with a
                            particular context.
5.3.5.3.9.22.            II If RFC 4301 is supported,                                                 IP Security
2                           the system shall be capable
                            of disabling the BYPASS
                            IPSec processing choice.
                            NOTE: The intent of this
                            requirement is to ensure that
                            no packets are transmitted
                            unless they are protected by
                            IPSec.

5.3.5.3.9.22.            II   If RFC 4301 is supported,                                               IP Security
3                             the system shall not support
                              the mixing of IPv4 and IPv6
                              in a security association.

5.3.5.3.9.22.            II   If RFC 4301 is supported,                                               IP Security
4                             the system‟s security
                              association database (SAD)
                              cache shall have a method
                              to uniquely identify a SAD
                              entry. NOTE: The concern is
                              that a single SAD entry will
                              be associated with multiple
                              security associations. RFC
                              4301, Section 4.4.2,
                              describes a scenario where
                              this could occur.




    Legend:
    R or RAE = Required Ancillary Equipment
    NF = Not a Finding
    NA = Not Applicable                                                               421 of 1257
    ____ Checklist _V_R_ (<date>)                                              <Test> - TN <Ticket Number>
     PDI        VMSID   CAT         Requirement                Vulnerability   Status   Finding Notes       Section
5.3.5.3.9.22.            II If RFC 4301 is supported,                                                   IP Security
5                           the system shall be capable
                            of correlating the
                            Differentiated Services Code
                            Point (DSCP) for a VVoIP
                            stream to the security
                            association in accordance
                            with UCR 2008, Section
                            5.3.2, Assured Services
                            Requirements and Section
                            5.3.3, Network Infrastructure
                            End-to-End Performance
                            Requirements, plain text
                            DSCP plan. For a more
                            detailed description of the
                            requirement, please see
                            Section 4-1 of RFC 4301 -
                            Security Architecture for the
                            Internet Protocol.


5.3.5.3.9.22.            II   If RFC 4301 is supported,                                                 IP Security
6                             the system shall implement
                              IPSec to operate with both
                              integrity and confidentiality.

5.3.5.3.9.22.            II   If RFC 4301 is supported,                                                 IP Security
7                             the system shall be capable
                              of enabling and disabling the
                              ability of the system to send
                              an ICMP message informing
                              the sender that an outbound
                              packet was discarded.

5.3.5.3.9.22.            II   If an ICMP outbound packet                                                IP Security
7.1                           message is allowed, the
                              system shall be capable of
                              rate limiting the transmission
                              of ICMP responses




    Legend:
    R or RAE = Required Ancillary Equipment
    NF = Not a Finding
    NA = Not Applicable                                                                 422 of 1257
    ____ Checklist _V_R_ (<date>)                                          <Test> - TN <Ticket Number>
     PDI        VMSID   CAT          Requirement           Vulnerability   Status   Finding Notes       Section
5.3.5.3.9.22.            II If RFC 4301 is supported,                                               IP Security
8                           the system shall be capable
                            of enabling or disabling the
                            propagation of the Explicit
                            Congestion Notification
                            (ECN) bits.
5.3.5.3.9.22.            II If RFC 4301 is supported,                                               IP Security
9                           the system‟s Security Policy
                            Database (SPD) shall have
                            a nominal, final entry that
                            discards anything
                            unmatched.
5.3.5.3.9.22.            II If RFC 4301 is supported,                                               IP Security
10                          and the system receives a
                            packet that does not match
                            any SPD cache entries and
                            the system determines it
                            should be discarded, the
                            system shall log the event
                            and include the date/time,
                            Security Parameter Index
                            (SPI) if available, IPSec
                            protocol if available, source
                            and destination of the
                            packet, and any other
                            selector values of the packet.


5.3.5.3.9.22.            II   If RFC 4301 is supported,                                             IP Security
11                            the system should include a
                              management control to allow
                              an administrator to enable or
                              disable the ability of the
                              system to send an Internet
                              Key Exchange (IKE)
                              notification of an
                              INVALID_SELECTORS.

5.3.5.3.9.22.            II   If RFC 4301 is supported,                                             IP Security
12                            the system shall support the
                              Encapsulating Security
                              Payload (ESP) Protocol in
                              accordance with RFC 4303.




    Legend:
    R or RAE = Required Ancillary Equipment
    NF = Not a Finding
    NA = Not Applicable                                                             423 of 1257
    ____ Checklist _V_R_ (<date>)                                              <Test> - TN <Ticket Number>
     PDI        VMSID   CAT         Requirement                Vulnerability   Status   Finding Notes       Section
5.3.5.3.9.22.            II If RFC 4303 is supported,                                                   IP Security
12.1                        the system shall be capable
                            of enabling anti-replay.

5.3.5.3.9.22.            II   If RFC 4303 is supported,                                                 IP Security
12.2                          the system shall check as its
                              first check after a packet has
                              been matched to its SA
                              whether the packet contains
                              a Sequence Number that
                              does not duplicate the
                              Sequence Number of any
                              other packet received during
                              the life of the sec.

5.3.5.3.9.22.            II   If RFC 4301 is supported,                                                 IP Security
13                            the system shall support the
                              cryptographic algorithms as
                              defined in RFC 4308 for
                              Suite Virtual Private Network
                              (VPN)-B.
5.3.5.3.9.22.            II   If RFC 4301 is supported,                                                 IP Security
13.1                          the system shall support the
                              use of AES-CBC with 128-
                              bits keys for encryption.

5.3.5.3.9.22.            II   If RFC 4301 is supported,                                                 IP Security
13.2                          the system shall support the
                              use of HMAC-SHA1-96 for
                              (Threshold) and AES-XCBC-
                              MAC-96 (FY2010).
5.3.5.3.9.22.            II   If RFC 4301 is supported,                                                 IP Security
14                            the system shall support IKE
                              Version 1 (IKEv1)
                              (Threshold) as defined in
                              RFC 2409, and IKE Version
                              2 (IKEv2) (FY2010) as
                              defined in RFC 4306. NOTE:
                              Internet Key Exchange
                              version 1 (IKEv1)
                              requirements are found in
                              UCR 2008, Section 5.4,
                              Information Assurance.




    Legend:
    R or RAE = Required Ancillary Equipment
    NF = Not a Finding
    NA = Not Applicable                                                                 424 of 1257
    ____ Checklist _V_R_ (<date>)                                             <Test> - TN <Ticket Number>
     PDI        VMSID   CAT          Requirement              Vulnerability   Status   Finding Notes       Section
5.3.5.3.9.22.            II If the system supports                                                     IP Security
14.1                        IKEv2, it shall be capable of
                            configuring the maximum
                            User Datagram Protocol
                            (UDP) message size.

5.3.5.3.9.22.            II   If IKEv2 is supported, the                                               IP Security
14.2                          system shall support the use
                              of the ID_IPv6_ADDR and
                              ID_IPV4_ADDR
                              Identification Type.
5.3.5.3.9.22.            II   If the system supports                                                   IP Security
14.3                          IKEv2, the system shall be
                              capable of ignoring
                              subsequent SA setup
                              response messages after
                              the receipt of a valid
                              response.
5.3.5.3.9.22.            II   If the system supports                                                   IP Security
14.4                          IKEv2, the system shall be
                              capable of sending a Delete
                              payload to the other end of
                              the security association.

5.3.5.3.9.22.            II   If the system supports                                                   IP Security
14.5                          IKEv2, the system shall
                              reject initial IKE messages
                              unless they contain a Notify
                              payload of type COOKIE.

5.3.5.3.9.22.            II   If the system supports                                                   IP Security
14.6                          IKEv2, the system shall
                              close a SA instead of
                              rekeying when its lifetime
                              expires if there has been no
                              traffic since the last rekey.

5.3.5.3.9.22.            II   If the system supports                                                   IP Security
14.7                          IKEv2, the system shall not
                              use the Extensible
                              Authentication Protocol
                              (EAP) method for IKE
                              authentication.




    Legend:
    R or RAE = Required Ancillary Equipment
    NF = Not a Finding
    NA = Not Applicable                                                                425 of 1257
    ____ Checklist _V_R_ (<date>)                                             <Test> - TN <Ticket Number>
     PDI        VMSID   CAT          Requirement              Vulnerability   Status   Finding Notes       Section
5.3.5.3.9.22.            II If the system supports                                                     IP Security
14.8                        IKEv2, the system shall limit
                            the frequency to which it
                            responds to messages on
                            UDP port 500 or 4500 when
                            outside the context of a
                            security association known
                            to it.
5.3.5.3.9.22.            II If the system supports                                                     IP Security
14.9                        IKEv2, the system shall not
                            support temporary IP
                            addresses or respond to
                            such requests.
5.3.5.3.9.22.            II If the system supports                                                     IP Security
14.10                       IKEv2, the system shall
                            support the IKEv2
                            cryptographic algorithms
                            defined in RFC 4307.
5.3.5.3.9.22.            II If the system supports                                                     IP Security
14.11                       IKEv2, the system shall
                            support the VPN-B Suite as
                            defined in RFC 4308 and
                            RFC 4869 (FY2010).
5.3.5.3.9.22.            II If RFC 4301 is supported,                                                  IP Security
15                          the system shall support
                            extensions to the Internet IP
                            Security Domain of
                            Interpretation for the Internet
                            Security Association and
                            Key Management Protocol
                            (ISAKMP) as defined in RFC
                            2407.

5.3.5.3.9.22.            II   If RFC 4301 is supported,                                                IP Security
16                            the system shall support the
                              ISAKMP as defined in RFC
                              2408.
5.3.5.3.9.22.            II   If the system supports the                                               IP Security
17                            IPsec Authentication Header
                              Mode, the system shall
                              support the IP Authentication
                              Header (AH) as defined in
                              RFC 4302.




    Legend:
    R or RAE = Required Ancillary Equipment
    NF = Not a Finding
    NA = Not Applicable                                                                426 of 1257
    ____ Checklist _V_R_ (<date>)                                             <Test> - TN <Ticket Number>
     PDI        VMSID   CAT         Requirement               Vulnerability   Status   Finding Notes       Section
5.3.5.3.9.22.            II If RFC 4301 is supported,                                                  IP Security
18                          the system shall support
                            manual keying of IPSec.
5.3.5.3.9.22.            II If RFC 4301 is supported,                                                  IP Security
19                          the system shall support the
                            ESP and AH cryptographic
                            algorithm implementation
                            requirements as defined in
                            RFC 4305 and RFC 4835
                            (FY2010).

5.3.5.3.9.22.            II   If RFC 4301 is supported,                                                IP Security
21                            the system shall support the
                              IKEv1 security algorithms as
                              defined in RFC 4109.

5.3.5.3.10.2             II   The system shall comply                                                  Network
3                             with the Management                                                      Management
                              Information Base (MIB) for
                              IPv6 textual conventions and
                              general group as defined in
                              RFC 4293. NOTE: The
                              requirements to support
                              SNMPv3 are found in UCR
                              2008, Section 5.3.2.17.3.1.5,
                              SNMP Version 2 and
                              Version 3 Format Alarm
                              messages, and UCR 2008,
                              Section 5.4, Information
                              Assurance.

5.3.5.3.10.2             II   If the system performs                                                   Network
3.1                           routing functions, the system                                            Management
                              shall support the SNMP
                              management framework as
                              described in RFC 3411.

5.3.5.3.10.2             II   If the system performs                                                   Network
3.2                           routing functions, the system                                            Management
                              shall support SNMP
                              message processing and
                              dispatching as described in
                              RFC 3412.




    Legend:
    R or RAE = Required Ancillary Equipment
    NF = Not a Finding
    NA = Not Applicable                                                                427 of 1257
    ____ Checklist _V_R_ (<date>)                                        <Test> - TN <Ticket Number>
     PDI       VMSID   CAT          Requirement          Vulnerability   Status   Finding Notes      Section
5.3.5.3.10.2            II If the system performs                                                 Network
3.3                        routing functions, the system                                          Management
                           shall support the SNMP
                           applications as described in
                           RFC 3413.
5.3.5.3.10.2            II The system shall support the                                           Network
4                          ICMPv6 MIBs as defined in                                              Management
                           RFC 4293.
5.3.5.3.10.2            II The system shall support the                                           Network
5                          Transmission Control                                                   Management
                           Protocol (TCP) MIBs as
                           defined in RFC 4022.
5.3.5.3.10.2            II The system shall support the                                           Network
6                          UDP MIBs as defined in                                                 Management
                           RFC 4113.
5.3.5.3.10.2            II If the system performs                                                 Network
7                          routing functions, the system                                          Management
                           shall support IP tunnel MIBs
                           as described in RFC 4087.

5.3.5.3.10.2             II   If the system performs                                              Network
8                             routing functions, the system                                       Management
                              shall support the IP
                              Forwarding MIB as defined
                              in RFC 4292.
5.3.5.3.10.2             II   If the system supports                                              Network
9                             mobile users, the system                                            Management
                              shall support the Mobile IP
                              Management MIBs as
                              described in RFC 4295.
5.3.5.3.10.3             II   If the system supports                                              Network
1                             SNMP and IPsec, the                                                 Management
                              system shall support the
                              IPsec security policy
                              database as described in
                              RFC 4807.
5.3.5.3.10.3             II   If the system uses Uniform                                          Network
2                             Resource Identifiers (URIs),                                        Management
                              the system shall use the URI
                              syntax described in RFC
                              3986.




    Legend:
    R or RAE = Required Ancillary Equipment
    NF = Not a Finding
    NA = Not Applicable                                                           428 of 1257
    ____ Checklist _V_R_ (<date>)                                        <Test> - TN <Ticket Number>
     PDI       VMSID   CAT          Requirement          Vulnerability   Status   Finding Notes      Section
5.3.5.3.10.3            II If the system uses the                                                 Network
3                          Domain Name System                                                     Management
                           (DNS), the system shall
                           conform to RFC 3596 for
                           DNS queries. NOTE: DNS is
                           primarily used for NM
                           applications.
5.3.5.3.12.3            II The system shall forward                                               IP Version
7                          packets using the same IP                                              Negotiation
                           version as the version in the
                           received packet.NOTE: If
                           the packet was received as
                           an IPv6 packet, the
                           appliance will forward it as
                           an IPv6 packet. If the packet
                           was received as an IPv4
                           packet, the appliance will
                           forward the packet as an
                           IPv4 packet. This
                           requirement is primarily
                           associated with the signaling
                           packets to ensure that
                           translation does not occur.
                           REMINDER: This
                           requirement may be waived
                           from FY2008 to FY2012 in
                           order to support IPv4 or IPv6
                           only EIs.

5.3.5.3.12.3             II   The system shall use the                                            IP Version
8                             Alternative Network Address                                         Negotiation
                              Types (ANAT) semantics for
                              the Session Description
                              Protocol (SDP) in
                              accordance with RFC 4091
                              when establishing media
                              streams from dual stacked
                              appliances for AS-SIP
                              signaled sessions.
5.3.5.3.12.3             II   The system shall place the                                          IP Version
8.2                           SDP-ANAT option-tag in a                                            Negotiation
                              required header field when
                              using ANAT semantics in
                              accordance with RFC 4092.


    Legend:
    R or RAE = Required Ancillary Equipment
    NF = Not a Finding
    NA = Not Applicable                                                           429 of 1257
    ____ Checklist _V_R_ (<date>)                                         <Test> - TN <Ticket Number>
     PDI       VMSID   CAT         Requirement            Vulnerability   Status   Finding Notes       Section
5.3.5.3.12.38.3    II   Dual stacked systems shall include the IPv4 and IPv6 addresses within the SDP of the SIP INVITE message when the INVITE contains the SDP.  [Section: IP Version Negotiation]
5.3.5.3.13.45      II   The system shall be able to provide topology hiding (e.g., NAT) for IPv6 packets in the manner described in UCR 2008 Section 5.4, Information Assurance.  [Section: AS-SIP IPv6 Unique Requirements]
5.3.5.3.13.46      II   The system shall support default address selection for IPv6 as defined in RFC 3484 (except for Section 2.1).  [Section: AS-SIP IPv6 Unique Requirements]
5.3.5.3.13.47      II   If the system supports Remote Authentication Dial In User Service (RADIUS) authentication, the system shall support RADIUS in the manner defined in RFC 3162.  [Section: Miscellaneous Requirements]
5.3.5.3.14.48      II   If the system supports Mobile IP version 6 (MIPv6), the system shall provide mobility support as defined in RFC 3775.  [Section: Miscellaneous Requirements]
5.3.5.3.14.48.1    II   If the system acts as a home agent, the system shall provide mobility support as defined in RFC 3775.  [Section: Miscellaneous Requirements]
5.3.5.3.14.49      II   If the system supports Mobile IP version 6 (MIPv6), the system shall provide a secure manner to signal between mobile nodes and home agents in the manner described in RFC 3776 and RFC 4877 (FY2010).  [Section: Miscellaneous Requirements]




5.3.5.3.14.51      II   If the system supports network mobility (NEMO), the system shall support the function as defined in RFC 3963.  [Section: Miscellaneous Requirements]
5.3.5.3.14.52      II   The systems shall support Differentiated Services as described in RFC 2474 and RFC 5072 (FY 2010) for a voice and video stream to the security association in accordance with UCR 2008, Section 5.3.2, Assured Services Requirements and UCR 2008, Section 5.3.3, Network Infrastructure End-to-End Performance Requirements, plain text DSCP plan.  [Section: Miscellaneous Requirements]
5.3.5.3.14.53      II   If the system acts as an IPv6 tunnel broker, the system shall support the function in the manner defined in RFC 3053.  [Section: Miscellaneous Requirements]
5.3.5.3.14.54      II   If the system supports roaming (as defined within RFC 4282), the system shall support this function as described by RFC 4282.  [Section: Miscellaneous Requirements]
5.3.5.3.14.55      II   If the system supports the Point-to-Point Protocol (PPP), the system shall support PPP as described in RFC 2472.  [Section: Miscellaneous Requirements]




   PDI       VMSID     CAT   Requirement                                    Vulnerability   Status   Finding Notes   Section
ISA0-056  V0021620  III  ISA Server Administrator role must be assigned or authorized by the IAO.  [Section: ISA 2006 OWA Proxy]
ISA2-001  V0021629  II   The ISA server must not be deployed on a Single Network Adapter Template.  [Section: ISA 2006 Server]
ISA2-007  V0021653  II   The ISA Servers must have appropriate web filters enabled.  [Section: ISA 2006 Server]
ISA2-010  V0021651  II   The ISA Server must have UDP fragment blocking disabled.  [Section: ISA 2006 Server]
ISA2-013  V0021652  II   ISA server must have SYN Flood and DoS attack prevention enabled plus associated logging.  [Section: ISA 2006 Server]
ISA2-023  V0021648  II   The ISA System Policy must restrict Active Directory traffic to specific Domain Controllers.  [Section: ISA 2006 Server]
ISA2-025  V0021640  II   Non-Microsoft authentication traffic from the ISA server must not be allowed.  [Section: ISA 2006 Server]
ISA2-026  V0021670  II   Certificate Revocation Checking must be performed and use specific configurations.  [Section: ISA 2006 Server]
ISA2-027  V0021641  II   Remote Management traffic to the ISA server must be disabled.  [Section: ISA 2006 Server]
ISA2-028  V0021642  II   PING to the ISA server must be disabled.  [Section: ISA 2006 Server]
ISA2-029  V0021643  II   Remote MS Monitoring traffic to the ISA server must be disabled.  [Section: ISA 2006 Server]
ISA2-030  V0021644  II   SMTP traffic from the ISA server must be disabled.  [Section: ISA 2006 Server]
ISA2-031  V0021635  II   Error Reporting to Microsoft must be disabled.  [Section: ISA 2006 Server]
ISA2-032  V0021639  II   DHCP traffic from the ISA server must not be allowed.  [Section: ISA 2006 Server]
ISA2-035  V0021664  II   The ISA server must have a valid DoD SSL certificate for OWA.  [Section: ISA 2006 Server]
ISA2-038  V0021634  III  Unneeded ISA Server application filters must be disabled.  [Section: ISA 2006 Server]
ISA2-040  V0021676  II   Unneeded VPN services must be disabled.  [Section: ISA 2006 Server]
ISA2-041  V0021675  II   Unneeded Cache services must be disabled.  [Section: ISA 2006 Server]
ISA2-042  V0021677  II   ISA services must be restricted to specific service accounts.  [Section: ISA 2006 Server]
ISA2-056  V0021647  II   ISA Server must have a specific domain scope defined.  [Section: ISA 2006 Server]
ISA2-135  V0021671  II   The OWA Web Listener must require only SSL connections.  [Section: ISA 2006 Server]
ISA2-171  V0021654  II   OWA Web Listener must require only Client Certificate Authentication.  [Section: ISA 2006 Server]
ISA2-175  V0021649  II   OWA Listeners in the DoD must trust only DoD Root Certificate Authorities.  [Section: ISA 2006 Server]
ISA2-204  V0021632  II   ISA Rule must use IP addresses for applications.  [Section: ISA 2006 Server]
ISA2-220  V0021650  II   The OWA firewall rule must be restricted to authenticated users.  [Section: ISA 2006 Server]
ISA2-241  V0021646  II   The OWA firewall rule must require Kerberos Constrained Delegation (KCD) to enable CAC authentication.  [Section: ISA 2006 Server]
ISA2-247  V0021655  II   ISA Server must restrict each firewall rule to one published application such as OWA.  [Section: ISA 2006 Server]
ISA2-833  V0021645  II   ISA Server's Microsoft Customer Experience Improvement Program Participation must be disabled.  [Section: ISA 2006 Server]
ISA2-855  V0021656  II   Failsafe shutdown must be configured for low disk space condition.  [Section: ISA 2006 Server]
ISA2-882  V0021680  II   The ISA Server must be monitored for Invalid Certificate Usage.  [Section: ISA 2006 Server]
ISA2-884  V0021666  III  The ISA Server must be monitored for Certificates nearing their expiration date.  [Section: ISA 2006 Server]
ISA2-886  V0021665  II   The ISA Server must be monitored for failed Kerberos Credential Delegation.  [Section: ISA 2006 Server]
ISA2-890  V0021631  II   ISA firewall rules must have logging enabled.  [Section: ISA 2006 Server]
ISA2-892  V0021669  II   The ISA Server must be monitored for Log Storage Failure.  [Section: ISA 2006 Server]
ISA2-894  V0021668  II   The ISA Server must be monitored for Logging failure.  [Section: ISA 2006 Server]
ISA2-896  V0021667  II   The ISA Server must be monitored for Available Free Disk Space.  [Section: ISA 2006 Server]
ISA3-002  V0021618  II   ISA-Unique security requirements, such as Interface Model, server role, and protected assets, must be documented.  [Section: ISA 2006 OWA Proxy]
ISA3-005  V0021626  II   The ISA Backup and Recovery strategy must be documented and must be tested according to the INFOCON schedule.  [Section: ISA 2006 OWA Proxy]
ISA3-006  V0021625  II   Audit Logs must be included in Backups.  [Section: ISA 2006 OWA Proxy]
ISA3-007  V0021622  II   ISA Recovery Data must be restricted to Administrators and Backup/Recovery processes.  [Section: ISA 2006 OWA Proxy]
ISA3-009  V0021672  II   Access to ISA configuration data must be restricted to the ISA Server Administrator role.  [Section: ISA 2006 Server]
ISA3-010  V0021627  II   Software Critical Copies for ISA Services must be backed up and available for restore action.  [Section: ISA 2006 OWA Proxy]
ISA3-015  V0021617  II   Procedural Reviews for ISA Services must be done annually.  [Section: ISA 2006 OWA Proxy]
ISA3-041  V0021679  I    The ISA Server must utilize file-and-web Antivirus software.  [Section: ISA 2006 Server]
ISA3-045  V0021619  II   Configuration Management (CM) procedures must be implemented for ISA services.  [Section: ISA 2006 OWA Proxy]
ISA3-050  V0021621  II   ISA services must be documented in the System Security Plan.  [Section: ISA 2006 OWA Proxy]
ISA3-058  V0021662  II   The ISA software must be monitored for change compliant with INFOCON frequency.  [Section: ISA 2006 Server]
ISA3-071  V0021624  II   ISA audit records must be retained for at least one year.  [Section: ISA 2006 OWA Proxy]
ISA3-079  V0021623  II   Automated tools must be available for review and reporting on ISA Services audit records.  [Section: ISA 2006 OWA Proxy]
ISA3-108  V0021661  II   ISA services must be configured to use PPSM-compliant ports and protocols.  [Section: ISA 2006 Server]
ISA3-112  V0021674  II   The ISA External interface must have only the TCP/IP protocol installed.  [Section: ISA 2006 Server]
ISA3-150  V0021678  II   ISA audit trails must be protected against unauthorized access.  [Section: ISA 2006 Server]
ISA3-169  V0021673  II   ISA Server interfaces must not have the IPv6 protocol installed.  [Section: ISA 2006 Server]
ISA3-815  V0021658  II   The ISA Application must be installed on a dedicated partition separate from Security functions or other applications.  [Section: ISA 2006 Server]
ISA3-821  V0021660  II   The ISA logs or audit data must be on a separate partition from the ISA application.  [Section: ISA 2006 Server]
ISA3-825  V0021659  II   The ISA Configuration Storage Server must be installed on a separate computer.  [Section: ISA 2006 Server]
ISA3-858  V0021663  II   The ISA software baseline must exist to be used for scan comparisons.  [Section: ISA 2006 Server]
   PDI       VMSID     CAT   Requirement                                    Vulnerability   Status   Finding Notes

NET0090   V0008046   II   The IAO/NSO will maintain a current drawing of the site's network topology that includes all external and internal links, subnets, and all network equipment.
NET0130   V0008047   II   The IAO/NSO will ensure that all external connections are validated and approved by the CAP and DAA, SNAP or CAO requirements have been met, and MOA and MOU are established between enclaves, prior to connections.
NET0135   V0008048   II   The IAO/NSO will review all connection requirements on a semi-annual basis to ensure the need remains current, as well as evaluate all undocumented network connections discovered during inspections.
NET0140   V0008049   III  The IAO/NSO will ensure the connection between the CSU/DSU and the local exchange carrier's (LEC) data service jack (i.e., demarc) is in a secured environment.
NET0141   V0008050   III  The IAO/NSO will ensure the network management modems connected to all Channel Service Units (CSUs)/Data Service Units (DSUs) are disabled or disconnected when not in use.
NET0160   V0008051   I    The IAM will ensure that written approval is obtained from the GIG Waiver Panel or the Office of the DoD Chief Information Officer (DoD CIO) prior to establishing an ISP connection.
NET0162   V0004622   I    The IAO/NSO will ensure premise router interfaces that connect to an AG (i.e., ISP) are configured with an ingress ACL that only permits packets with destination addresses within the site's address space.
NET0164   V0004623   I    The IAO/NSO will ensure the premise router does not have a routing protocol session with a peer router belonging to an AS (Autonomous System) of the AG service provider. A static route is the only acceptable route to an AG.
NET0166   V0004624   III  The IAO/NSO will ensure the AG network service provider IP addresses are not redistributed into or advertised to the NIPRNet or any router belonging to any other Autonomous System (AS), i.e., to another AG device in another AS.
NET0167   V0014632   II   The IAO/NSO will ensure the route to the AG network adheres to the PPS CAL boundary 13 and 14 policies and is in compliance with all perimeter filtering defined in the perimeter and router sections of the Network STIG.
NET0168   V0014634   II   If the site has a non-DoD external connection (Approved Gateway), the IAO/NSO will ensure that the external NIDS is located between the site's Approved Gateway (Service Delivery Router) and the premise router.
NET0170   V0008052   II   The IAO/NSO will ensure that no backdoor connections exist between the site's secured private network and the Internet, NIPRNet, SIPRNet, or other external networks unless approved by the DAA.
NET0180   V0002990   II   The IAO/NSO will ensure all public address ranges used on the NIPRNet are properly registered with the .MIL Network Information Center (NIC).
NET0185   V0003157   II   The IAO/NSO will ensure that all addresses used within the site's SIPRNet infrastructure are authorized .smil.mil or .sgov.gov addresses that have been registered and assigned to the activity. RFC 1918 addresses are not permitted.
NET0190   V0003005   III  The IAO/NSO will ensure that workstation clients' real IPv4 addresses are not revealed to the public by implementing NAT on the firewall or the router.
NET0198   V0008099   III  The IAO/NSO will ensure that the DHCP server is configured to log hostnames or MAC addresses for all clients, and all logs are stored online for 30 days and offline for one year.
NET0199   V0008100   III  The IAO/NSO will ensure that any DHCP server used within SIPRNet infrastructure is configured with a lease duration time of 30 days or more.
NET0210   V0008054   II   The IAO/NSO will ensure that all network devices (i.e., IDS, routers, RAS, NAS, firewalls, etc.) are located in a secure room with limited access.
NET0230   V0003012   I    The IAO/NSO will ensure all communications devices are password protected.
NET0240   V0003143   I    The IAO/NSO will ensure all default manufacturer passwords are changed.
NET0260   V0008055   II   The IAO/NSO will ensure all passwords are created and maintained in accordance with the rules outlined in DODI 8500.2, IAIA-1, and IAIA-2 (http://www.dtic.mil/whs/directives/corres/html/85002.htm).
NET0270   V0008056   II   The IAO/NSO will record the locally configured passwords used on communications devices and store them in a secured manner.
NET0340   V0003013   II   An approved DoD login banner is not used on the device.
NET0345   V0008065   II   The IAO will ensure only firewalls that have been evaluated and validated against NIAP existing profiles are placed in the network infrastructure.
NET0346   V0014638   II   The IAO/NSO will ensure that DMZ Architecture is implemented, providing boundary protection for classified and sensitive architectures that interconnect enclaves.
NET0347   V0014639   III  The IAO will ensure the Accreditation documentation (e.g., SSAA) will be updated to reflect the installation or modification of the site's firewall.
NET0348   V0014640   II   The IAO will ensure publicly accessible servers (i.e., web servers) are placed in an enclave DMZ.
NET0351   V0008066   II   The IAO/NSO will ensure, when protecting the boundaries of a network, the firewall is placed between the private network and the perimeter router and the DMZ.
NET0355   V0014641   II   The IAO/NSO will ensure, when protecting the boundaries of a network, the firewall and IDS are separate components or the physical integrated device has separate hardware components (i.e., CPU, memory, etc.) for the firewall and IDS.
NET0365   V0014642   I    The IAO will ensure the enclave is protected by providing a firewall that provides full packet awareness as provided by application-level gateways, hybrid firewalls, or a non application-level firewall solution using an application-proxy gateway.
NET0366   V0014643   II   The SA will configure the firewall for the minimum content and protocol inspection requirements.
NET0369   V0011796   I    The IAO will ensure the Enclave perimeter is protected via a deny-by-default policy implemented at the perimeter router or at the firewall. This does not negate the firewall requirement.
NET0375   V0003156   II   The IAO/NSO will ensure that the firewall is configured to protect the network against denial of service attacks such as Ping of Death, TCP SYN floods, etc.
NET0377   V0003054   II   The FA will ensure the firewall will not utilize any services or capabilities other than firewall software (e.g., DNS servers, e-mail client servers, ftp servers, web servers, etc.), and if these services are part of the standard firewall suite, they will be either uninstalled or disabled.
NET0379   V0004619   II   The FA will ensure that if the firewall product operates on an OS platform, the host must be STIG compliant prior to the installation of the firewall product.
NET0380   V0014644   II   The IAO will ensure the firewall shall reject requests for access or services where the source address received by the firewall specifies a loopback address.
NET0384   V0008067   III  The FA will subscribe to the vendor's vulnerability mailing list to be made aware of required upgrades and patches.
NET0386   V0014646   III  The firewall or IDS will immediately alert the administrators by displaying a message at the remote administrative console, generate an alarm or alert, and page or send an electronic message if the audit trail reaches 75% or more of storage capacity.
NET0388   V0014647   III  The FA will have a procedure in place to dump logs to a syslog server when they reach 75% capacity.
NET0390   V0003176   II   The IAO/NSO will ensure the IDS or firewall is configured to alert the administrator of a potential attack or system failure.
NET0391   V0014648   II   The IAO/NSO will ensure the firewall provides critical alert message levels to the FA regardless of whether an administrator is logged in.
NET0392   V0014649   II   The IAO/NSO will ensure the message is displayed at the remote console if an administrator is already logged in, or when an administrator logs in if the alarm message has not been acknowledged.
NET0395   V0014653   III  The IAO/NSO will ensure the alarm message identifying the potential security violation makes accessible the audit record contents associated with the event(s).
NET0396   V0014655   III  The IAO/NSO will ensure an alert will remain written on the consoles until acknowledged by an administrator.
NET0398   V0014656   III  The IAO/NSO will ensure an acknowledgement message identifying a reference to the potential security violation is logged and contains a notice that it has been acknowledged, the time of the acknowledgement, and the user identifier that acknowledged the alarm, at the remote administrator session that received the alarm.
NET0400   V0003034    II   The router administrator will
                           ensure neighbor
                           authentication with IPSec AH
                           or MD5 signatures is
                           implemented for interior
                           routing protocols with all
                           peer routers within the same
                           or between Autonomous
                           Systems (AS).




NET0408   V0014665    II   The router administrator will
                           ensure neighbor
                           authentication with MD5 or
                           IPSec is implemented for all
                           BGP routing protocols with
                           all peer routers within the
                           same or between
                           autonomous systems (AS).




NET0410   V0003035    II   The router administrator will
                           restrict BGP connections to
                           known IP addresses of
                           neighbor routers from
                           trusted Autonomous
                           Systems.
NET0412   V0014666    II   If multiple eBGP peers are
                           defined in the network, the
                           IAO will ensure all eBGP
                           neighbor authentications are
                           configured with unique
                           passwords when TCP MD5
                           Signature option is
                           implemented.


NET0420   V0008058    II   The IAO/NSO will ensure a
                           key management policy has
                           been implemented to include
                           key generation, distribution,
                           storage, usage, lifetime
                           duration, and destruction of
                           all keys used for encryption.

NET0422   V0014667   III   The IAO/NSO will ensure a
                           rotating key does not have a
                           duration exceeding 180 days.




NET0425   V0007009    I    The IAO/NSO will ensure the
                           lifetime of a MD5 Key
                           expiration is set to never
                           expire. The lifetime of the
                           MD5 key will be configured
                           as infinite for route
                           authentication, if supported
                           by the current approved
                           router software version.
                           Note: Only Enhanced Interior
                           Gateway Routing Protocol
                           (EIGRP), and Routing
                           Information Protocol (RIP)
                           Version 2 use key chains.
NET0430   V0014720    II   The IAO/NSO will ensure
                           two authentication servers
                           are deployed to provide
                           authentication for
                           administrative access to all
                           network devices.
NET0431   V0014721   III   The IAO/NSO will ensure all
                           AAA authentication services
                           are configured to use two-
                           factor authentication during
                           normal operation.

NET0432   V0014722   III   The IAO/NSO will ensure the
                           device is configured to use
                           AAA tiered authorization
                           groups for management
                           authentication.

NET0433   V0015432    II   The IAO/NSO will ensure an
                           authentication method list is
                           applied to all interfaces via
                           an explicit definition or by
                           use of default key word.




NET0434   V0015433    II   The IAO/NSO will ensure the
                           AAA authentication method
                           implements user
                           authentication.
NET0435   V0017906    II   The AAA servers are not
                           connected to the
                           management network.
NET0436   V0017843    II   The AAA server is not
                           compliant with respective OS
                           STIG.
NET0437   V0017844   III   The AAA server is not
                           configured with a unique key
                           to be used for
                           communication (i.e.
                           RADIUS, TACACS+) with
                           any client requesting
                           authentication services.
NET0438   V0017845    II   An HIDS has not been
                           implemented on the AAA
                           server.
NET0440   V0003966    II   The IAO/NSO will ensure
                           when an authentication
                           server is used for
                           administrative access to the
                           device, only one account or
                           console account is defined
                           locally for use in an
                           emergency (i.e.,
                           authentication server or
                           connection to the device is
                           down).




NET0441   V0015434    I    The IAO/NSO will ensure the
                           emergency account defaults
                           to the lowest authorization
                           level and the password is in
                           a locked safe.




NET0445   V0014723    II   To ensure the proper
                           authorized network
                           administrator is the only one
                           who can access the device,
                           the IAO/NSO will ensure
                           device management is
                           restricted by two-factor
                           authentication (e.g.,
                           SecurID, DoD PKI, or
                           alternate token logon).
NET0460   V0003056    I    The IAO/NSO will ensure
                           each user accessing the
                           device locally has their own
                           account with username and
                           password.
NET0465   V0003057    II   The IAO/NSO will ensure all
                           user accounts are assigned
                           the lowest privilege level that
                           allows them to perform their
                           duties.
NET0470   V0003058    II   The IAO/NSO will
                           immediately have accounts
                           removed from the
                           authentication server or
                           device, which are no longer
                           required.




NET0580   V0004583   III   The router administrator will
                           ensure a password is
                           required to gain access to
                           the router's diagnostics port.
NET0600   V0003062    I    The administrator will ensure
                           passwords are not viewable
                           when displaying the
                           configuration.




NET0700   V0003160    II   The administrator will
                           implement a current
                           supported operating system
                           with all IAVMs addressed.
NET0710   V0003077   III   The router administrator will
                           ensure CDP is disabled on
                           all active external interfaces
                           on Cisco premise routers.

NET0720   V0003078   III   The router administrator will
                           ensure TCP & UDP small
                           servers are disabled.




NET0722   V0005614   III   The router administrator will
                           ensure PAD services are
                           disabled unless approved by
                           the DAA.




NET0724   V0005615   III   The router administrator will
                           ensure TCP Keep-Alives for
                           Telnet Session are enabled.




NET0726   V0005616   III   The router administrator will
                           ensure identification support
                           is not enabled.




NET0728   V0005617   III   The router administrator will
                           ensure DHCP Services are
                           disabled on premise routers.
NET0730   V0003079   III   The router administrator will
                           ensure Finger is disabled.




NET0740   V0003085    II   The router administrator will
                           ensure HTTP servers are
                           disabled.




NET0742   V0014668    II   The router administrator will
                           ensure FTP server is
                           disabled.
NET0744   V0014669    II   The router administrator will
                           ensure BSD r command
                           services are disabled.




NET0750   V0003086   III   The router administrator will
                           ensure Bootp server is
                           disabled.




NET0760   V0003080    II   The administrator will ensure
                           configuration auto-loading is
                           disabled.
NET0770   V0003081    II   The router administrator will
                           ensure IP source routing is
                           disabled.




NET0780   V0003082    II   The router administrator will
                           ensure IP Proxy ARP is
                           disabled on all external
                           interfaces.
NET0781   V0005618    II   The router administrator will
                           ensure Gratuitous ARP is
                           disabled.




NET0790   V0003083   III   The router administrator will
                           ensure IP directed broadcast
                           is disabled on all router
                           interfaces.




NET0800   V0003084    II   The router administrator will
                           ensure ICMP unreachable
                           notifications, mask replies,
                           and redirects are disabled on
                           all external interfaces of the
                           premise router.
NET0809   V0017853   III   The NTP server is not
                           configured to restrict
                           received messages to only
                           authorized clients and peers
                           determined by their IP
                           address.
NET0810   V0017860   III   Two NTP servers have not
                           been deployed in the
                           management network.
NET0812   V0023747   III   The IAO/NSO will ensure all
                           managed network elements
                           are configured to use two or
                           more NTP servers to
                           synchronize time.
NET0813   V0014671    II   The IAO will ensure all NTP-
                           enabled devices
                           authenticate received NTP
                           messages.




NET0814   V0017905    II   The NTP server is
                           connected to a network other
                           than the management
                           network.
NET0815   V0017848   III   The NTP server is not
                           compliant with the OS STIG.
NET0816   V0017849   III   An HIDS has not been
                           implemented on the NTP
                           server.
NET0817   V0017850   III   Two independent sources of
                           time reference are not being
                           utilized.
NET0819   V0017852   III   The NTP server is not
                           configured with a symmetric
                           key that is unique from any
                           key configured on any other
                           NTP server.
NET0820   V0003020   III   The IAO/NSO will ensure
                           that the DNS servers are
                           defined if the router is
                           configured as a client
                           resolver.




NET0890   V0003021    II   The router administrator will
                           restrict SNMP access to the
                           router from only authorized
                           internal IP addresses.
NET0892   V0003022    II   The router administrator will
                           ensure SNMP is blocked at
                           all external interfaces. SNMP
                           Access is permitted for
                           enterprise mapping
                           capabilities as directed by
                           USSTRATCOM CTO 08-002.



NET0894   V0003969    II   The administrator will ensure
                           SNMP is only enabled in the
                           read mode. Write mode is
                           permitted if SNMPv3 with
                           authentication is
                           implemented, or if approved
                           and documented by the IAO.
NET0897   V0014672   III   The router administrator will
                           ensure the router's loopback
                           address is used as the
                           source address when
                           originating TACACS+ or
                           RADIUS traffic.




NET0898   V0014673   III   The router administrator will
                           ensure the router's loopback
                           address is used as the
                           source address when
                           originating syslog traffic.
NET0899   V0014674   III   The router administrator will
                           ensure the router's loopback
                           address is used as the
                           source address when
                           originating NTP traffic.




NET0900   V0014675   III   The router administrator will
                           ensure the router's loopback
                           address is used as the
                           source address when
                           originating SNMP traffic.
NET0901   V0014676   III   The router administrator will
                           ensure the router's loopback
                           address is used as the
                           source address when
                           originating NetFlow traffic.




NET0902   V0014677   III   The router administrator will
                           ensure the router's loopback
                           address is used as the
                           source address when
                           originating TFTP or FTP
                           traffic.
NET0903   V0014681   III   The router administrator will
                           ensure the router's loopback
                           address is used as the
                           source address for iBGP
                           peering sessions.




NET0910   V0005731    II   The SA will utilize ingress
                           and egress ACLs to restrict
                           traffic destined to the
                           enclave perimeter in
                           accordance with the
                           guidelines contained in DoD
                           Instruction 8551.1 for all
                           ports and protocols required
                           for operational commitments.



NET0911   V0003026    II   The System Administrator
                           can permit inbound ICMP
                           messages Echo Reply (type
                           0), ICMP Destination
                           Unreachable fragmentation
                           needed (type 3 - code 4),
                           Source Quench (type 4),
                           Time Exceeded (type 11),
                           and Parameter Problem
                           (type 12). All other inbound
                           ICMP messages are
                           prohibited. The following
                           exception: All ICMP
                           messages must be denied
                           from external AG addresses.
NET0912   V0003027    II   The System Administrator
                           can permit outbound ICMP
                           messages Packet-too-Big
                           (type 3, code 4), Source
                           Quench (type 4), Echo
                           Request (type 8), and Time
                           Exceeded (type 11). All other
                           outbound ICMP messages
                           are prohibited. The following
                           exception: All ICMP
                           messages must be denied to
                           external AG addresses.

NET0918   V0003028   III   The router administrator will
                           block all inbound traceroutes
                           to prevent network discovery
                           by unauthorized users.




NET0920   V0003968    II   The router administrator will
                           bind the ingress ACL filtering
                           packets entering the network
                           to the external interface on
                           an inbound direction.




NET0921   V0014688    II   The router administrator will
                           bind the egress ACL filtering
                           packets leaving the network
                           to the internal interface on
                           an inbound direction.




NET0923   V0014689    I    The router administrator will
                           restrict the premise router
                           from accepting any inbound
                           IP packets with a local host
                           loopback address
                           (127.0.0.0/8).
NET0924   V0014690    I    The router administrator will
                           restrict the premise router
                           from accepting any inbound
                           IP packets with a link-local
                           IP address range
                           (169.254.0.0/16).




NET0926   V0014691    I    The router administrator will
                           restrict the premise router
                           from accepting any inbound
                           IP packets having a source
                           field from BOGON, Martian
                           IP addresses.




NET0927   V0014692    I    The router administrator will
                           restrict the premise router
                           from accepting any inbound
                           IP packets having a source
                           field from RFC1918 IP
                           addresses.




NET0928   V0005607    II   The Router Administrator will
                           have a procedure in place to
                           check for changes and
                           modify the BOGON/Martian
                           list on a monthly basis.
NET0940   V0003024    I    The router administrator will
                           restrict the premise router
                           from accepting any inbound
                           IP packets with a source
                           address that contain an IP
                           address from the internal
                           network, any local host loop
                           loopback address (127.0.0.0/8),
                           the link-local IP address
                           range (169.254.0.0/16),
                           IANA unallocated addresses
                           or any reserved private
                           addresses in the source field.


NET0949   V0005645    II   The router administrator will
                           enable CEF to improve
                           router stability during a SYN
                           flood attack to the network.




NET0950   V0003164    I    The router administrator will
                           restrict the router from
                           accepting any outbound IP
                           packet that contains an
                           illegitimate address in the
                           source address field by
                           enabling Unicast Reverse
                           Path Forwarding (uRPF)
                           Strict mode or via egress
                           ACL.
NET0960   V0003165    II   The IAO/NSO will implement
                           TCP intercept features
                           provided by the router or
                           implement a filter to rate limit
                           TCP SYN to protect servers
                           from any TCP SYN flood
                           attacks from an outside
                           network.
NET0965   V0005646    II   The router administrator will
                           set the maximum wait
                           interval for establishing a
                           TCP connection request to
                           the router to 10 seconds or
                           less, or implement a feature
                           to rate-limit TCP SYN traffic
                           destined to the router.




NET0966   V0019188    II   Control plane protection is
                           not enabled.
NET0985   V0017815    II   IGP instances configured on
                           the OOBM gateway router
                           do not peer only with their
                           appropriate routing domain.




NET0986   V0017816    II   The routes from the two IGP
                           domains are redistributed to
                           each other.
NET0987   V0017817    II   Traffic from the managed
                           network is able to access the
                           OOBM gateway router.




NET0988   V0017818    II   Traffic from the managed
                           network will leak into the
                           management network via the
                           gateway router interface
                           connected to the OOBM
                           backbone.
NET0989   V0017819    II   Management network traffic
                           is leaking into the managed
                           network.




NET0990   V0017820    II   The OOBM access switch is
                           not physically connected to
                           the managed network
                           element OOBM interface.

NET0991   V0017821    II   Managed NE OOBM
                           interface is not configured
                           with an OOBM network
                           address.
NET0992   V0017822    II   The management interface
                           is not configured with both
                           an ingress and egress ACL.




NET0993   V0017823   III   The management interface
                           is not configured as passive
                           for the IGP instance for the
                           managed network.
NET0994   V0017824    II   The management interface
                           is an access switchport and
                           has not been assigned to a
                           separate management
                           VLAN.




NET0995   V0017825   III   An address has not been
                           configured for the
                           management VLAN from
                           space belonging to the
                           OOBM network assigned to
                           that site.




NET0996   V0017826    II   The access switchport
                           connecting to the OOBM
                           access switch is not the only
                           port with membership to the
                           management VLAN.




NET0997   V0017827   III   The management VLAN is
                           not pruned from any VLAN
                           trunk links belonging to the
                           managed network's
                           infrastructure.




NET0998   V0017772    II   A separate management
                           subnet has not been
                           implemented.
NET0999   V0017858    II   Not all management network
                           elements are configured with
                           an IP address from the
                           management address block.
NET1000   V0017829    II   The gateway router for the
                           managed network is not
                           configured with an ACL or
                           filter on the egress interface
                           to block all outbound
                           management traffic.




NET1001   V0017830    II   A firewall located behind the
                           premise router must be
                           configured to block all
                           outbound management
                           traffic.
NET1002   V0017901    II   The management station or
                           server is not connected to
                           the management VLAN.
NET1003   V0017832    II   The management VLAN is
                           not configured with an IP
                           address from the
                           management network
                           address block.




NET1004   V0017833    II   The IAO will ensure that only
                           authorized management
                           traffic is forwarded by the
                           multi-layer switch from the
                           production or managed
                           VLANs to the management
                           VLAN.
NET1005   V0017834    II   An inbound ACL is not
                           configured for the
                           management network sub-
                           interface of the trunk link to
                           block non-management
                           traffic.




NET1006   V0017835    II   Traffic entering the tunnels is
                           not restricted to only the
                           authorized management
                           packets based on
                           destination address.
NET1007   V0017836   III   Management traffic is not
                           classified and marked at the
                           nearest upstream MLS or
                           router when management
                           traffic must traverse several
                           nodes to reach the
                           management network.




NET1008   V0017837   III   The core router within the
                           managed network has not
                           been configured to provide
                           preferred treatment for
                           management traffic that
                           must traverse several nodes
                           to reach the management
                           network.

NET1020   V0003000   III   The IAO/NSO will ensure all
                           attempts to any port,
                           protocol, or service that is
                           denied are logged.




NET1021   V0004584   III   The IAO/NSO will configure
                           all devices to log severity
                           levels 0 through 6 and send
                           log data to a syslog server.




NET1022   V0023749    II   The IAO will ensure the
                           syslog server is only
                           connected to the
                           management network.
NET1023   V0023750    II   The IAO will ensure the
                           syslog servers are
                           configured IAW the
                           appropriate OS STIG.

NET1025   V0008060   III   The IAO/NSO will ensure a
                           centralized syslog server is
                           deployed and configured by
                           the syslog administrator to
                           store all syslog messages for
                           a minimum of 30 days online
                           and then stored offline for
                           one year.
NET1027   V0003031   III   The syslog administrator will
                           configure the syslog server to
                           collect syslog messages
                           from levels 0 through 6.

NET1030   V0003072   III   The administrator will ensure
                           that the running and startup
                           configurations are
                           synchronized after changes
                           have been made and
                           implemented.




NET1040   V0008061   III   The IAO will ensure all
                           current and previous router
                           and switch configurations
                           are stored in a secured
                           location. Storage can take
                           place on a classified
                           network, an OOB network, or
                           offline. The configurations
                           can only be accessed by the
                           server or network
                           administrator.

NET1050   V0003074   III   The IAO/NSO will ensure
                           that on the system where the
                           configuration files are stored,
                           the router administrator uses
                           the local operating system's
                           security mechanisms for
                           restricting access to the files
                           (i.e., password restricted file
                           access). The IAO/NSO will
                           ensure only authorized
                           router administrators are
                           given access to the stored
                           configuration files.




NET1060   V0008062    I    The router administrator will
                           not store unencrypted router
                           passwords in an offline
                           configuration file.
NET1070   V0008063    II   The IAO/NSO will authorize
                           and maintain justification for
                           all TFTP implementations.

NET1071   V0005644    II   If TFTP implementation is
                           used, the router
                           administrator will ensure the
                           TFTP server resides on a
                           controlled managed LAN
                           subnet, and access is
                           restricted to authorized
                           devices within the local
                           enclave.

NET1110   V0008064    II   The IAO/NSO will ensure all
                           changes and updates are
                           documented in a manner
                           suitable for review and audit.

NET1111   V0014718    II   The IAO/NSO will ensure
                           request forms are used to
                           aid in recording the audit trail.

NET1113   V0014719    II   The IAO/NSO will ensure
                           current paper or electronic
                           copies of configurations are
                           maintained in a secure
                           location.
NET1114   V0015430    II   The IAO/NSO will ensure
                           only authorized personnel,
                           with proper verifiable
                           credentials, are allowed to
                           request changes to routing
                           tables or service parameters.

NET1280   V0008068   III   The IAO/NSO will ensure
                           there is a review on a daily
                           basis, of the firewall log data
                           by the firewall administrator
                           (FA), or other qualified
                           personnel, to determine if
                           attacks or inappropriate
                           activity has occurred.

NET1281   V0014726   III   The IAO will ensure a HIDS
                           is implemented on the syslog
                           servers.
NET1284   V0008070   III   The IAO/NSO will ensure the
                           firewall configuration data
                           are backed up weekly and
                           whenever configuration
                           changes occur.
NET1286   V0008071   III   The IAO/NSO will ensure the
                           audit data is backed up
                           weekly.
NET1287   V0014727   III   The IAO/NSO will ensure the
                           audit logs are protected from
                           deletion.
NET1288   V0014728   III   The IAO/NSO will ensure the
                           audit trail events are
                           stamped with accurate date
                           and time.

NET1289   V0014729   III   The IAO/NSO will ensure the
                           audit trail events include
                           source IP, destination IP,
                           port, protocol used and
                           action taken.

NET1299   V0014730   III   The IAO will ensure the
                           firewall provides the ability to
                           perform searches and
                           sorting of audit data based
                           on source address,
                           destination address, date,
                           time, protocol, port, and
                           ingress interface.
NET1300   V0003178   III   The IAO/NSO will ensure
                           administrator logons,
                           changes to the administrator
                           group, and account lockouts
                           are logged.

NET1328   V0008075   III   The IAO/NSO will ensure
                           that the data from the
                           external NIDS is restricted to
                           CNDSP personnel only.
NET1340   V0008076    II   The IAO/NSO will establish
                           policies outlining procedures
                           to notify JTF GNO when
                           suspicious activity is
                           observed.
NET1342   V0008077    II   The IAO/NSO will ensure
                           that authorized reviewers of
                           Network IDS data are
                           identified in writing by the
                           site's IAM.
NET1344   V0008273    II   The IAO/NSO will ensure
                           that any unauthorized traffic
                           is logged for further
                           investigation.
NET1352   V0018576    II   The Network administrator
                           will implement additional
                           intrusion protection that
                           detects both specific attacks
                           on mail and traffic types
                           (protocols) that should not
                           be seen on the segments
                           containing mail servers at
                           the regional enclave mail
                           perimeter.

NET1432   V0014734    II   The IAO/NSO will ensure if
                           Sticky MAC Port Security is
                           implemented, the running
                           and startup configuration
                           files are identical.

NET1433   V0014735    II   The IAO will ensure that if
                           Sticky MAC Port Security is
                           implemented, a policy is in
                           place that prohibits
                           connection to the switchport
                           unless it has been approved.

NET1440   V0014736    II   The IAO/NSO will ensure
                           VMPS is not used to
                           provide port authentication
                           or dynamic VLAN
                           assignment.
NET1615   V0017840    II   The communications server
                           is not configured to use PPP
                           encapsulation and PPP
                           authentication CHAP for the
                           async or AUX port used for
                           dial in.
NET1616   V0017841   III   The communications server
                           is not configured to require
                           AAA authentication for PPP
                           connections using a RADIUS
                           or TACACS+ authentication
                           server in conjunction with 2-
                           factor authentication.

NET1617   V0017842   III   The communications server
                           is not configured to accept a
                           callback request or in a
                           secured mode so that it will
                           not callback an unauthorized
                           user.
NET1621   V0014715    II   The IAO will properly register
                           all network components in
                           an asset management
                           tracking system such as
                           VMS.
NET1622   V0014716    II   The IAO/NSO will ensure an
                           OOB management network
                           is in place for MAC I systems
                           or 24x7 personnel have
                           immediate console access
                           (direct connection method)
                           for communication device
                           management.

NET1623   V0004582    I    The IAO will ensure that all
                           OOB management
                           connections to the device
                           require authentication.

NET1624   V0003967    II   The system administrator will
                           ensure the console port is
                           configured to time out after
                           10 minutes or less of
                           inactivity.




NET1628   V0008059    II   The IAO/NSO will ensure
                           modems are not connected
                           to the console port.

NET1629   V0007011   III   The system administrator will
                           ensure that the device
                           auxiliary port is disabled if a
                           secured modem providing
                           encryption and
                           authentication is not
                           connected.

NET1636   V0003175    I    The IAO will ensure that all
                           in-band management
                           connections to the device
                           require authentication.

NET1637   V0005611    II   The system administrator will
                           ensure that the device only
                           allows in-band management
                           sessions from authorized IP
                           addresses from the internal
                           network.

NET1638   V0003069    II   The system administrator will
                           ensure in-band management
                           access to the device is
                           secured using FIPS 140-2,
                           approved encryption or hash
                           algorithms such as AES,
                           3DES, SSH, or TLS / SSL.

NET1639   V0003014    II   The system administrator will
                           ensure the timeout for in-
                           band management access is
                           set for no longer than 10
                           minutes.

NET1640   V0003070   III   The system administrator will
                           configure the ACL that is
                           bound to the in-band
                           interface to log permitted
                           and denied access attempts.

NET1645   V0005612    II   The system administrator will
                           ensure SSH timeout value is
                           set to 60 seconds or less,
                           causing incomplete SSH
                           connections to shut down
                           after 60 seconds or less.

NET1646   V0005613    II   The system administrator will
                           ensure the maximum
                           number of unsuccessful
                           SSH login attempts is set to
                           three, locking access to the
                           network device.

NET1647   V0014717    II   The system administrator will
                           ensure SSH version 2 is
                           implemented.

NET1660   V0003196    I    The IAO will ensure that if
                           SNMP is implemented, the
                           device is configured to use
                           SNMP Version 3 Security
                           Model with FIPS 140-2,
                           compliant cryptography (i.e.,
                           SHA authentication and AES
                           encryption).

NET1665   V0003210    I    The IAO/NSO will ensure
                           that all SNMP community
                           strings are changed from the
                           default values.




NET1670   V0008092   III   The IAO/NSO will establish
                           and maintain a standard
                           operating procedure
                           managing SNMP community
                           strings and usernames to
                           include the following:
                           - Community string and
                             username expiration period
                           - SNMP community string and
                             username distribution
                             including determination of
                             membership

NET1675   V0003043    II   The IAO/NSO will ensure
                           that if both privileged and
                           non-privileged modes are
                           used on all devices, different
                           community names will be
                           used for read-only access
                           and read-write access.

NET1710   V0003046   III   The IAO/NSO will ensure
                           that security alarms are set
                           up within the managed
                           network's framework. At a
                           minimum, these will include
                           the following:
                           - Integrity Violation: Indicates
                             that network contents or
                             objects have been illegally
                             modified, deleted, or added.
                           - Operational Violation:
                             Indicates that a desired
                             object or service could not
                             be used.
                           - Physical Violation: Indicates
                             that a physical part of the
                             network (such as a cable)
                             has been damaged or
                             modified without
                             authorization.
                           - Security Mechanism
                             Violation: Indicates that the
                             network's security system
                             has been compromised or
                             breached.
                           - Time Domain Violation:
                             Indicates that an event has
                             happened outside its allowed
                             or typical time slot.

NET1720   V0003047   III   The IAO/NSO will ensure
                           that alarms are categorized
                           by severity using the
                           following guidelines:
                           - Critical and major alarms are
                             given when a condition that
                             affects service has arisen.
                             For a critical alarm, steps
                             must be taken immediately in
                             order to restore the service
                             that has been lost completely.
                           - A major alarm indicates that
                             steps must be taken as soon
                             as possible because the
                             affected service has
                             degraded drastically and is in
                             danger of being lost
                             completely.
                           - A minor alarm indicates a
                             problem that does not yet
                             affect service, but may do so
                             if the problem is not corrected.
                           - A warning alarm is used to
                             signal a potential problem
                             that may affect service.
                           - An indeterminate alarm is one
                             that requires human
                             intervention to decide its
                             severity.



NET1730   V0008093    II   The IAO/NSO will ensure
                           that the management
                           workstation is located in a
                           secure environment.
NET1731   V0017854    II   The SNMP manager is not
                           compliant with the OS STIG.
NET1732   V0017855   III   An HIDS has not been
                           implemented on the SNMP
                           manager.
NET1733   V0017856    II   The SNMP manager is not
                           connected to only the
                           management network.
NET1734   V0017857   III   SNMP messages are stored
                           for a minimum of 30 days
                           and then archived.
NET1740   V0008094    II   The IAO/NSO will ensure
                           that only those accounts
                           necessary for the operation
                           of the system and for access
                           logging are maintained.

NET1750   V0003050   III   The IAO/NSO will ensure a
                           record is maintained of all
                           logons and transactions
                           processed by the
                           management station. NOTE:
                           Include time logged in and
                           out, devices that were
                           accessed and modified, and
                           other activities performed.

NET1760   V0003051    I    The IAO/NSO will ensure
                           access to the NMS is
                           restricted to authorized users
                           with individual userids and
                           passwords.
NET1762   V0004613    II   The IAO/NSO will ensure
                           that all in-band sessions to
                           the NMS are secured using
                           FIPS 140-2, approved
                           encryption or hash
                           algorithms such as AES,
                           3DES, SSH, or SSL.
NET1770   V0003052    II   The IAO/NSO will ensure
                           connections to the NMS are
                           restricted by IP address to
                           only the authorized devices
                           being monitored.

NET1780   V0003184    II   The IAO/NSO will ensure all
                           accounts are assigned the
                           lowest possible level of
                           access/rights necessary to
                           perform their jobs.

NET1800   V0003008    II   The IAO will ensure IPSec
                           VPNs are established as
                           tunnel type VPNs when
                           transporting management
                           traffic across an IP backbone
                           network.




NET1807   V0017754    II   Management traffic is not
                           restricted to only the
                           authorized management
                           packets based on
                           destination and source IP
                           address.

NET1808   V0017814    II   Gateway configuration at the
                           remote VPN end-point is not
                           a mirror of the local
                           gateway.




NET1815   V0012101    II   The IAM will ensure REL
                           LAN environments are
                           documented in the SSAA.
NET1816   V0012102    II   The IAM will ensure annual
                           reviews are performed on
                           REL LAN environments.
NET1820   V0008275    II   The IAM will require the
                           customer to provide a Host
                           Based IDS capability for any
                           gateway-to-host VPN
                           established that bypasses
                           the site's current IDS
                           capability.
NET1826   V0014741    I    Leasing of point-to-point
                           circuits that extend classified
                           backside connectivity to any
                           non-DoD, foreign or
                           contractor facility is
                           prohibited unless the
                           termination is government
                           operated in the contractor or
                           foreign government facility.

NET1827   V0014742    II   The IAO/NSO will have all
                           C2 and non-C2 exceptions
                           of SIPRNet use documented
                           in the enclave's accreditation
                           package and an Interim
                           Authority to
                           Connect/Authority to
                           Connect (IATC/ATC)
                           amending the connection
                           approval received, prior to
                           implementation.

NET1830   V0014744    II   The IAM will ensure the
                           controls over the type of data
                           to be moved are described in
                           classification guidance,
                           Executive Orders, or other
                           issuances pertaining to
                           controls over categories of
                           information.
NET1832   V0014745    II   The IAM will ensure the VPN
                           tunnel demarcation is
                           located in facilities
                           authorized to process
                           classified US government
                           information, classified at the
                           Secret Level (for SIPRNet).

NET1930   V0015266    II   The IAO/NSO will ensure the
                           internal router's egress
                           interface is the only interface
                           accepting native IPv6 traffic.




NET1931   V0015269    II   The IAO/NSO will ensure the
                           internal router's ingress
                           interfaces do not allow
                           native IPv6 traffic.

NET1934   V0015272    II   The IAO/NSO will ensure the
                           internal router's ingress
                           interfaces do not allow native
                           IPv6 NLRI exchanges.




NET1935   V0015275    II   The IAO/NSO will ensure
                           there is only one IPv6 to
                           IPv4 tunnel between the
                           interfaces of the internal
                           router's ingress interface and
                           the perimeter router's egress
                           interface.




NET1940   V0015282    II   The IAO/NSO will ensure the
                           perimeter router does not
                           route native IPv6 traffic
                           during MO2.

NET1942     V0015283    II   The IAO/NSO will ensure an
                             access list is applied on all
                             interfaces not supporting
                             IPv6 that blocks native IPv6
                             traffic when IPv6 is used in
                             an enclave environment.




NET1945     V0015285    II   The IAO/NSO will ensure
                             tunnels used for IPv6
                             transition are filtered by
                             protocol 41 and the
                             endpoints are explicitly
                             defined on the permit filter.




NET1970     V0025037    I    The IAO will ensure that the
                             router or firewall software
                             has been upgraded to
                             mitigate the risk of DNS
                             cache poisoning attack
                             caused by a flawed PAT
                             implementation using a
                             predictable source port
                             allocation method for DNS
                             query traffic.


NET-IDPS-001 V0018489   II   The Network IDPS
                             administrator will ensure all
                             Network IDPS systems are
                             installed and operational in
                             stealth mode (no IP address
                             on the interface with data flow).

NET-IDPS-002 V0018484   II   The IAO/NSO will ensure the
                             IDPS consoles,
                             management and database
                             servers reside in the
                             management network.
NET-IDPS-003 V0003179   II   The IAO/NSO will ensure the
                             sensor's monitoring
                             application or mechanism
                             retrieves events from the
                             sensor before the queue
                             becomes full.
NET-IDPS-004 V0018501   II   The IAO/NSO will ensure
                             notifications are sent to the
                             syslog server or central
                             controller when threshold
                             limits exceed the sensor's
                             capacity.
NET-IDPS-005 V0018502   II   The Network IDPS
                             administrator will review
                             whitelists and blacklists
                             regularly and validate all
                             entries to ensure that they
                             are still accurate and
                             necessary.
NET-IDPS-006 V0018508   II   The Network administrator
                             will implement signatures
                             that detect specific attacks
                             and protocols that should not
                             be seen on the segments
                             containing web servers.

NET-IDPS-007 V0018509   II   The Network administrator
                             will implement signatures
                             that detect both specific
                             attacks on public service
                             servers and traffic types
                             (protocols) that should not
                             be seen on the segments
                             containing ftp servers.
NET-IDPS-008 V0018513   II   The Network IDPS
                             administrator will ensure IP
                             hijacking signatures have
                             been implemented with the
                             common default signatures.
NET-IDPS-009 V0018512   II   The Network IDPS
                             administrator will tune the
                             sensor to alarm if
                             unexpected protocols for
                             network management enter
                             the subnet.

NET-IDPS-010     V0019233   II    The IDPS device positioned to protect servers in Server Farms and DMZs must provide protection from DDOS SYN Floods by dropping half-open TCP sessions.
NET-IDPS-011     V0019246   II    The Network IDPS administrator will ensure the IDPS is protecting the enclave from malware and unexpected traffic by using TCP Reset signatures.
NET-IDPS-012     V0019250   II    The IDPS administrator will ensure the LAND DoS signature has been implemented to protect the enclave.
NET-IDPS-013     V0019256   II    The IDPS Administrator will ensure Atomic Signatures are implemented to protect the enclave.
NET-IDPS-016     V0018490   II    The IAO will ensure an IDPS sensor is monitoring DMZ segments housing all public servers.
NET-IDPS-017     V0018491   II    The IAO will ensure an IDPS sensor is monitoring VPN concentrators to monitor unencrypted VPN traffic and behind all tunnel endpoints to monitor all traffic (IPv4 and IPv6) entering the enclave.
NET-IDPS-018     V0018492   II    The IAO will ensure an IDPS sensor is monitoring Server Farms segments containing databases, private backend servers, and personnel data.
NET-IDPS-019     V0018493   II    The IAO will ensure an IDPS sensor is monitoring segments that house network security management servers (Network Management segments or OOB networks).

NET-IDPS-020     V0018494   II    The IAO will ensure an IDPS sensor is monitoring WAN junction points between the Regional enclave and the local enclave networks as well as between tenant network enclaves. A MOU or MOA may be required to achieve the policy.
NET-IDPS-021     V0008272   II    The IAO will ensure an IDS is installed and operational behind the firewall that monitors all traffic entering and leaving the enclave or all traffic not being monitored by other positioned sensors.
NET-IDPS-022     V0014732   II    The IAO will ensure IDPS components that have been evaluated and validated against NIAP existing profiles are placed in the network infrastructure.
NET-IDPS-023     V0018495   II    The IAO/NSO will ensure the Regional Enclave has developed a hierarchical structure that allows the local enclave (base, camp, post, station) sensor data to be exported to the regional enclave management network segment.
NET-IDPS-024     V0018496   II    The IAO/NSO will ensure the sensor traffic in transit will be protected at all times via an OOB network or an authenticated tunnel between site locations.
NET-IDPS-025     V0018497   II    The SA will ensure IDPS communication traffic from the sensor to the management and database servers traverses a separate VLAN logically separating IDPS traffic from all other enclave traffic.

NET-IDPS-026     V0018503   III   The Network IDPS administrator will review and ensure thresholds and alert settings are adjusted periodically to compensate for changes in the environment.
NET-IDPS-027     V0018504   III   The Network IDPS administrator will ensure that any products collecting baselines for anomaly-based detection have their baselines rebuilt periodically to support accurate detection. Readiness is required for INFOCON levels; additional information can be found in Strategic Command Directive (SD) 527-1.
NET-IDPS-028     V0018505   II    The Network IDPS administrator located at a regional enterprise enclave will establish an automated update for enterprise sensor update deployments to Base, Camp, Post and Station local networks.
NET-IDPS-029     V0018506   II    The Network IDPS administrator will ensure if an SFTP server is used to provide updates to the sensors, the server is configured to allow read-only access to the files within the directory on which the signature packs are placed.
NET-IDPS-030     V0018507   II    The Network IDPS administrator will ensure if an automated scheduler is used to provide updates to the sensors, an account is defined that only the sensors will use.

NET-IDPS-031     V0018510   III   The Network IDPS administrator will back up configuration settings before applying software or signature updates to ensure that existing settings are not inadvertently lost.
NET-IDPS-032     V0018511   III   The Network IDPS administrator will compare and verify IDPS update's file checksums provided by the vendor with checksums computed from downloaded files. If removable media (CD) is used for updates, its content will be verified.
NET-IDPS-033     V0008078   II    The IAO/NSO will establish weekly data backup procedures for the Network IDS.
NET-IDPS-035     V0008080   III   The Network IDS administrator will subscribe to the vendor's vulnerability mailing list. The Network IDS administrator will update the Network IDS when software is provided by Field Security Operations for the RealSecure distribution, and for all other Network IDS software distributions when a security-related update is provided by the vendor.
NET-IDPS-036     V0015424   III   The IDS administrator will update the Network IDS when updates are provided by the vendor.
NET-IDPS-037     V0008072   II    The IAO will ensure an external IDPS is installed and implemented so that all external connections can be monitored.
NET-IDPS-038     V0008073   II    The IAO will ensure the accredited CNDSP is continuously monitoring any reported unauthorized or suspicious traffic from the IDPS.

NET-IPV6-001     V0018585   II    The IAO will ensure IPv6 is disabled by default on all network interfaces and nodes.
NET-IPV6-002     V0008053   II    The IAO/NSO will ensure that IPv6 implemented on any DOD network that transports production or operations traffic is approved by the DAA.
NET-IPV6-003     V0014636   III   The IAO/NSO will ensure that a devised, hard-to-guess IPv6 scheme is implemented throughout the infrastructure.
NET-IPV6-004     V0014637   II    The IAO/NSO will ensure that all external interfaces on Premise, AG, Backdoor and Tunnel end-points have Router Advertisements suppressed.
NET-IPV6-005     V0018589   II    The IAO will ensure firewalls deployed in an IPv6 enclave meet the requirements defined by DITO and NSA milestone objective 3 guidance.
NET-IPV6-006     V0014683   II    The system administrator will ensure the undetermined transport packet is blocked at the perimeter in an IPv6 enclave by the firewall or router.
NET-IPV6-008     V0018610   II    The IAO/NSO will ensure IPv6 6bone address space is blocked on the ingress and egress filter (3FFE::/16).

NET-IPV6-009     V0018618   II    The IAO/NSO will ensure the IPv6 router advertisement interval is not set at an unsafe interval.
NET-IPV6-010     V0014686   II    The system administrator can permit inbound ICMPv6 messages Packet-too-big (type 2), Time Exceeded (type 3), Parameter Problem (type 4), Echo Reply (type 129), Network Discovery (type 135-136), Router. Remaining ICMPv6 messages must be blocked inbound.
NET-IPV6-011     V0014687   II    The system administrator can permit outbound ICMPv6 messages Packet-too-big (type 2), Echo Request (type 128), Network Discovery (type 135-136), Router Discovery (type 133-134).

NET-IPV6-015     V0014664   II    The IAO/NSO will ensure neighbor authentication is implemented between OSPFv3 peer routers within the same or between autonomous systems (AS) using IPSec.
NET-IPV6-016     V0014670   II    The router administrator will ensure ICMPv6 unreachable notifications and redirects are disabled on all external interfaces of the premise router.
NET-IPV6-017     V0014685   II    The system administrator will ensure routing header extension types 0, 1, and 3-255 are rejected in an IPv6 enclave by the firewall or router.
NET-IPV6-022     V0018599   II    The IAO/NSO will ensure IPv6 Link-Local Unicast source addresses with a prefix of FE80::/10 are dropped at the enclave perimeter by the ingress and egress filters. Note: This consists of all addresses that begin with FE8, FE9, FEA and FEB.

NET-IPV6-024     V0018608   II    The IAO/NSO will ensure IPv6 6-to-4 addresses with a prefix of 2002::/16 are dropped at the enclave perimeter by the ingress and egress filters.
NET-IPV6-025     V0014693   II    The IAO/NSO will ensure IPv6 Site Local Unicast addresses are not defined in the enclave (FEC0::/10). Note that this consists of all addresses that begin with FEC, FED, FEE and FEF.
NET-IPV6-026     V0014694   I     The IAO/NSO will ensure IPv6 Site Local Unicast addresses are blocked on the ingress inbound filter (FEC0::/10). Note that this consists of all addresses that begin with FEC, FED, FEE and FEF.

NET-IPV6-027     V0014695   I     The router administrator will restrict the premise router from accepting any inbound IP packets with a local host loopback address (0:0:0:0:0:0:0:1 or ::1/128).
NET-IPV6-028     V0014696   I     The router administrator will restrict the premise router from accepting any IP packets from the unspecified address (0:0:0:0:0:0:0:0 or ::/128).
NET-IPV6-029     V0014697   II    The IAO/NSO will ensure that IPv6 well-known Multicast addresses are blocked on the ingress and egress inbound filters (FF00::/16).
NET-IPV6-030     V0014698   II    The IAO/NSO will ensure IPv6 addresses with embedded IPv4-compatible IPv6 addresses are blocked on the ingress and egress filters (0::/96).
NET-IPV6-031     V0014699   II    The IAO/NSO will ensure that IPv6 addresses with embedded IPv4-mapped IPv6 addresses are blocked on the ingress and egress filters (0::FFFF/96).

NET-IPV6-032     V0014703   II    The IAO/NSO will ensure IPv6 Unique Local Unicast Addresses are blocked on the ingress and egress filter (FC00::/7). Note that this consists of all addresses that begin with FC or FD.
NET-IPV6-033     V0014705   II    The router administrator will enable CEF to improve router stability during a SYN flood attack in an IPv6 enclave.
NET-IPV6-034     V0014707   II    The router administrator will restrict the router from accepting any outbound IP packet that contains an illegitimate address in the source address field via egress ACL or by enabling Unicast Reverse Path Forwarding in an IPv6 enclave.
NET-IPV6-035     V0018815   II    The IAO will ensure the IPv6 Jumbo Payload hop-by-hop header is blocked.
NET-IPV6-036     V0015207   II    The IAO/NSO will ensure the customer edge interface facing the core's provider edge does not allow native IPv6 traffic during MO2.

NET-IPV6-037     V0015233   II    The IAO/NSO will ensure the customer edge interface facing the core's provider edge does not allow native IPv6 network layer reachability information (NLRI) during MO2.
NET-IPV6-038     V0015237   II    The IAO/NSO will ensure in a dual stack environment the enclave perimeter device does not support IPv6 in IPv4 GRE or VPN tunnels between enclave internal devices.
NET-IPV6-039     V0018632   II    The IAO/NSO will ensure if DHCPv6 is not being used in the enclave it will be disabled.
NET-IPV6-044     V0015250   II    Split Domain IPv6 interface must not have IPv4 in IPv6 tunnel traffic.

NET-IPV6-045     V0015253   II    The IAO/NSO will ensure interfaces supporting IPv4 in Split Domain Architecture do not have any IPv4 in IPv6 tunnel traffic between the interfaces.
NET-IPV6-046     V0015261   II    The IAO/NSO will ensure the enclave boundary does not have any other IPv6 Transition Mechanisms implemented when supporting Split Domain.
NET-IPV6-047     V0015296   II    The IAO/NSO will ensure interfaces supporting IPv4 in NAT-PT Architecture do not receive IPv6 traffic.

NET-IPV6-048     V0015295   II    The IAO/NSO will ensure in NAT-PT architecture there is no tunneled IPv4 in IPv6 traffic.
NET-IPV6-050     V0015239   I     The IAO/NSO will ensure in a dual stack environment the enclave IPv6 security policy mirrors the IPv4 security policy.
NET-IPV6-051     V0015278   II    The IAO/NSO will ensure the tunnel between the internal router's ingress interface and the perimeter router's egress interface is accessible to an IDS device capable of analyzing IPv6 in IPv4 traffic.
NET-IPV6-052     V0015280   I     The IAO/NSO will ensure the tunnel between the internal router's ingress interface and the perimeter router's egress interface is accessible to a firewall device capable of inspecting and filtering IPv6 in IPv4 traffic.
NET-IPV6-053     V0015290   I     The IAO/NSO will ensure AG does not have Tunnel Broker solutions implemented for IPv6 transition.
NET-IPV6-054     V0015291   I     The IAO/NSO will ensure if TCP-UDP Relay is implemented in the enclave it will not cross the enclave boundary.
NET-IPV6-055     V0015292   I     The IAO/NSO will ensure Bump-in-the-Stack (BIS) does not cross the enclave boundary.
NET-IPV6-056     V0015298   I     The IAO/NSO will ensure SOCKS-Based Gateway does not cross the enclave boundary.

NET-IPV6-057     V0015299   II    The IAO/NSO will ensure the enclave boundary does not have any other IPv6 Transition Mechanisms implemented when supporting NAT-PT.
NET-IPV6-058     V0015487   II    The IAO/NSO will ensure perimeter devices do not run routing protocols capable of advertising IPv6 NLRI during MO2.
NET-MCAST-010    V0019189   III   Administrative scoped multicast traffic is not blocked at the administrative or site boundary.
NET-NAC-001      V0018555   II    The production VLAN assigned from the AAA server contains IP segments not intended for untrusted resources.
NET-NAC-004      V0018558   II    The IAO/NSO will ensure the network access control policy contains all non-authenticated network access requests in an Unauthorized VLAN with limited access.
NET-NAC-007      V0018561   III   The IAO/NSO will ensure the network access control solution supports wired, wireless and remote access NARs (clients).

NET-NAC-008      V0018562   III   The network access control solution will not use the DHCP mechanism to separate authenticated and non-authenticated network access requests, due to known weaknesses that allow rogue devices with self-configured IP addresses to bypass the authentication process.
NET-NAC-009      V0005626   I     The IAO/NSO will ensure all host-facing access switchports and wireless endpoints are secured by NAC authentication.
NET-NAC-010      V0007542   II    The IAO will ensure that 802.1x is implemented using a secure EAP such as EAP-TLS, EAP-TTLS or PEAP.
NET-NAC-011      V0004608   II    The IAO/NSO will ensure if 802.1X Port Authentication is implemented, all access ports do not start in the authorized state.
NET-NAC-012      V0005624   II    The IAO/NSO will ensure if 802.1x Port Authentication is implemented, re-authentication must occur every 60 minutes.
NET-NAC-017      V0018573   II    The IAO/NSO will ensure the VPN concentrator is connected to the network access control gateway's untrusted interface.

NET-NAC-030      V0018567   II    The IAO/NSO will ensure wall jacks are secured with MAC address definitions on switch ports, or Manual Authentication by the SA is used, on all access ports whose clients cannot have authentication software loaded (for example, printers).
NET-NAC-031      V0018566   II    The IAO/NSO will ensure only a single device network interface card (NIC) with a registered MAC address is allowed to connect to a single switch port.
NET-NAC-032      V0018565   III   The IAO will ensure that all switchports configured using MAC port security will shut down upon receiving a frame with a different layer 2 source address than what has been configured or learned for port security.
NET-SRVFRM-001   V0019187   II    Servers do not employ Host Based Intrusion Detection (HIDS).
NET-SRVFRM-002   V0018518   II    The IAO will ensure there is automated vulnerability scanning on all server farm components.
NET-SRVFRM-003   V0018522   II    The IAO will ensure the Server Farm VLAN interfaces are protected by severely restricting the actions of hosts outside the server farm by firewall filters.

NET-SRVFRM-004   V0018523   II    The IAO will ensure the Server Farm infrastructure is secured by ACLs on VLAN interfaces that restrict data originating from one server farm segment destined to another server farm segment.
NET-SRVFRM-005   V0018525   II    The IAO will ensure the Server Farm VLANs are protected by severely restricting the actions the hosts can perform on the servers by firewall content filtering.
NET-SRVFRM-006   V0023731   II    The IAO will ensure that the server farm is protected by a reverse proxy that only allows connections from authorized hosts requesting authorized services.
NET-TUNL-001     V0018633   II    The IAO will ensure outdated IPv6 tunneling schemes are blocked to avoid importing IPv6 packets and IP-in-IP tunnels are disabled by default.
NET-TUNL-002     V0018640   I     The IAO will ensure the firewall content filtering performs tunneled Inner IP packet inspection at the