DIACAP Scorecard and SAR Template - DISA's

									   ____ Checklist _V_R_ (<date>)                                              <Test> - TN <Ticket Number>
  PDI      VMSID    CAT          Requirement                 Vulnerability   Status   Finding Notes Section
AC31.010   CAT II    Before granting access to non-public information systems (e.g., Privacy Act, FOUO, classified), the IAM will ensure all personnel are properly identified according to applicable DoD policy (as required for level of access and information sensitivity).

AC31.020   CAT II    The Security Manager and IAM will ensure authorized users are trained to exercise care in the protection of their identity credentials (e.g., CAC, visitor badges).

AC31.030   CAT III   The IAM will ensure DoD-approved PKI is used to authenticate logical access to Information Technology systems and applications that access the Department's computer networks. If certificate-based authentication is not used, a documented migration plan is required. The DoDI 8520.2 policy provides for exceptions for systems that have communities not eligible to be issued PKI (e.g., dependants, retirees).




   Legend:
   R or RAE = Required Ancillary Equipment
   NF = Not a Finding
   NA = Not Applicable                                                                   1 of 1286
AC31.035   CAT III   The Security Manager and IAM will ensure compliance with the following out-processing requirements: - A program exists to ensure personnel out-process through the security section (Traditional Security Checklist). NOTE: Includes turning in of all access badges, classified or sensitive information, and signing of SF 312 acknowledging debriefing. Also, revoking and reporting of electronic credentials in accordance with DoD policy for the DoD CAC and DoD-approved PKI, and disabling of system accounts. User's CAC is not captured unless the person is leaving DoD.




AC31.045   CAT II    The Security Manager will ensure badges and credentials for Foreign Nationals comply with the following: - Ensure foreign visit requests are processed through DIA and then referred to the DISA Security Division (MPS6) (Traditional Security Checklist). - A contact officer is appointed to control the activities of foreign visitors, FLO, and exchange personnel (Traditional Security Checklist). - Foreign nationals assigned to the command are issued badges or passes that clearly identify them as foreign nationals. Proper guidelines are being followed when the badges or passes are issued (Traditional Security Checklist).

AC31.050   CAT I     The Security Manager will ensure authorized personnel validate the identity of any person prior to issuing an authentication token (such as an unescorted visitor's badge, a CAC or local identity credential) to that person.

AC32.010   CAT I     For information systems processing sensitive information, the IAO will authenticate identity credentials using multi-factor authentication prior to allowing access.




AC33.010   CAT II    Before granting access to sensitive, restricted information, the IAM will ensure users have a demonstrated need-to-know as determined by the data owner. Access is granted in accordance with clearance levels, IT level and DoD 5200.2-R.

AC33.015   CAT III   The IAO or Security Manager, in coordination with the data owner, will document rules for who is authorized to access the system. Access rules allow the system or attendant to determine who or why access is needed (e.g., allow all DoD employees; all members of a specific community of interest; all entities that are assigned to a specific role; or by physical or logical access control list).

AC33.020   CAT II    When applicable, ensure mechanisms are in place to allow appropriate users to access information that has been cleared for release to the represented foreign nation, coalition, or international organization in accordance with related policy (e.g., DoDD 5230.11, DoDD 5230.20, DoDI 5230.27).




AC33.025   CAT I     The Security Manager or IAM will ensure a program exists to ensure personnel out-process through the security section (Traditional Security Checklist). NOTE: This includes that mechanisms are in place to verify individuals are still authorized access to information systems and permissions have not been revoked. A rules-based process will be established for determining how personnel are authorized, for linking personal certificate information to authorization(s), and for removing authorizations when access is no longer needed.

AC34.010   CAT III   The IAM will ensure newly purchased information systems intended for use as or integration into access control solutions which protect DoD information assets are evaluated using the required evaluation processes.




AC34.015   CAT II    The IAO will ensure the Enclave architecture and components are in compliance with the Enclave and the Network Infrastructure STIGs. NOTE: Comply with this requirement by conducting self-assessments or Security Readiness Reviews using the applicable STIG security checklists that apply to the various technologies used as part of the Enclave architecture.

AC44.010   CAT I     The IAO will ensure an NSA-approved, Type 1 device is used to protect remote access to classified networks.

AC44.015   CAT I     The IAO will ensure remote administration of network devices, servers, and applications is protected by NIST FIPS 140-2 validated cryptography to implement encryption for communication.

AC44.020   CAT I     Remote access to NIPRNet and SIPRNet resources must be approved by the DAA and must comply with NSA and DoD policies and guidelines.

AC44.025   CAT I     The IAO/NSO will ensure an NSA-approved remote access security solution (such as a HARA solution) is used for remote access to a classified network.




AC44.030   CAT II    The IAO will ensure remote access configuration and user training are compliant with the Secure Remote Computing STIG.

AC34.020   CAT III   The IAO/NSO will ensure disabled ports are placed in an unused VLAN.

AC34.025   CAT I     The IAO/NSO will ensure either MAC security (with profiling) or 802.1X port authentication is used on all network access ports and configured in accordance with the Network Infrastructure STIG.

AC34.030   CAT III   The IAO/NSO will ensure if logical Port Security is implemented using MAC filtering, then the MAC addresses are statically configured on all access ports.

AC34.035   CAT II    The IAO/NSO will ensure directory authentication services (e.g., Active Directory) use PKI or encrypted passwords for administrative access on production systems.

AC34.040   CAT II    The IAO/NSO will ensure when utilizing 802.1X, a secure EAP method (e.g., EAP-TLS or EAP-TTLS) resides on the authentication server and within the operating system or application software on the client devices.

AC34.041   CAT III   The IAO/NSO will ensure 802.1X port security violations are sent to an audit log.

AC34.045   CAT I     The IAO/NSO will ensure if 802.1X Port Authentication is implemented, all access ports start in the unauthorized state.

AC34.050   CAT II    The IAO/NSO will ensure if 802.1X Port Authentication is implemented, re-authentication occurs every 60 minutes.

AC34.051   CAT II    The IAO/NSO will ensure if Port Authentication is implemented, all access ports are configured in single-host mode.
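As an added illustration (not part of the DISA checklist), the following Python audit parses an IOS-style switch configuration and reports findings against the port-security items AC34.020, AC34.025, AC34.030, AC34.045, AC34.050 and AC34.051. The command syntax follows Cisco IOS conventions, the sample running-config is constructed, and VLAN 999 is an assumed site convention for the "unused" VLAN.

```python
import re

REAUTH_SECONDS = 60 * 60  # AC34.050: re-authentication every 60 minutes
UNUSED_VLANS = {999}      # assumed site convention for the "unused" VLAN (AC34.020)
MAC_RE = r"(?:[0-9a-fA-F]{4}\.){2}[0-9a-fA-F]{4}"  # IOS dotted MAC form, e.g. 0011.2233.4455

class Port:
    """One 'interface ...' block: its name plus its indented config lines, stripped."""
    def __init__(self, name):
        self.name, self.lines = name, []
    def has(self, prefix):
        return any(l.startswith(prefix) for l in self.lines)
    def value(self, pattern):
        """First capture group of the first config line matching pattern, else None."""
        for l in self.lines:
            if m := re.match(pattern, l):
                return m.group(1)
        return None

def parse_interfaces(config):
    ports, current = [], None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = Port(raw.split(None, 1)[1].strip())
            ports.append(current)
        elif current is not None and raw.startswith(" "):
            current.lines.append(raw.strip())
        else:
            current = None  # "!" or a global command ends the interface block
    return [p for p in ports if p.has("switchport mode access")]  # access ports only

def audit_port(p):
    """Return (PDI, reason) findings for one access port; an empty list means compliant."""
    findings = []
    if p.has("shutdown"):
        # AC34.020: a disabled port must be parked in an unused VLAN
        vlan = p.value(r"switchport access vlan (\d+)")
        if vlan is None or int(vlan) not in UNUSED_VLANS:
            findings.append(("AC34.020", "disabled port not in an unused VLAN"))
        return findings  # the remaining checks apply to active ports only
    ctl = p.value(r"(?:authentication|dot1x) port-control (\S+)")
    uses_mac_security = p.has("switchport port-security")
    if ctl is None and not uses_mac_security:
        # AC34.025: every access port needs 802.1X or MAC port security
        findings.append(("AC34.025", "neither 802.1X nor MAC port security configured"))
    if ctl is not None:
        # AC34.045: port starts unauthorized, i.e. port-control auto (never force-authorized)
        if ctl != "auto":
            findings.append(("AC34.045", f"port-control {ctl}, expected auto"))
        # AC34.050: periodic re-authentication with a 60-minute timer
        timer = p.value(r"authentication timer reauthenticate (\d+)")
        if not p.has("authentication periodic") or timer is None or int(timer) != REAUTH_SECONDS:
            findings.append(("AC34.050", f"reauth timer {timer or 'unset'}, expected {REAUTH_SECONDS}"))
        # AC34.051: single-host mode only (multi-host, multi-auth, multi-domain are findings)
        mode = p.value(r"authentication host-mode (\S+)")
        if mode not in (None, "single-host"):
            findings.append(("AC34.051", f"host-mode {mode}, expected single-host"))
    if uses_mac_security:
        # AC34.030: MAC filtering must use statically configured addresses, not sticky learning
        static = [l for l in p.lines if re.fullmatch(f"switchport port-security mac-address {MAC_RE}", l)]
        if p.has("switchport port-security mac-address sticky") or not static:
            findings.append(("AC34.030", "port-security MAC addresses not statically configured"))
    return findings

def audit_config(config):
    """Map each access port name to its findings list."""
    return {p.name: audit_port(p) for p in parse_interfaces(config)}

# Constructed sample running-config in IOS-style syntax; not taken from any real device.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 authentication port-control auto
 authentication host-mode single-host
 authentication periodic
 authentication timer reauthenticate 3600
!
interface GigabitEthernet1/0/2
 switchport mode access
 authentication port-control force-authorized
 authentication host-mode multi-host
 authentication periodic
 authentication timer reauthenticate 28800
 switchport port-security
 switchport port-security mac-address sticky
interface GigabitEthernet1/0/3
 switchport mode access
 switchport access vlan 10
 shutdown
interface GigabitEthernet1/0/4
 switchport mode access
 switchport access vlan 20
 switchport port-security
 switchport port-security mac-address 0011.2233.4455
"""

if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name, "NF" if not findings else findings)
```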
AC34.031   CAT III   The IAO/NSO will ensure if NAC is implemented it is in accordance with the minimum standards set below.

AC34.055   CAT II    The IAO/NSO will ensure communication for privileged access (i.e., administrative access) to network devices is secured using products with a FIPS 140-2 validated cryptographic module and configured in accordance with the Network Infrastructure STIG.

AC34.060   CAT II    For sensitive but unclassified information systems, the remote user will use a FIPS 140-2 validated cryptographic module configured to use a NIST approved encryption algorithm to encrypt sensitive government files, folders and/or storage devices on remote or mobile client devices.



AC34.065   CAT II    For sensitive but unclassified information systems, the IAM will ensure a FIPS 140-2 validated cryptographic module configured to use a NIST approved file encryption algorithm is used to protect DoD sensitive data in transit over non-DoD networks or when transmitted wirelessly.

AC34.066   CAT I     For classified information systems, the IAM will ensure use of an NSA-approved, Type 1 device to implement cryptographic services.

AC34.067   CAT II    The IAM will ensure cryptographic-based security systems are implemented in accordance with the vendor-specified security policies required to ensure the cryptographic module, as implemented by the site or organization, satisfies the security requirements of the FIPS or NSA standard/requirements (i.e., configuration of operating system, physical security, or other security rules).

AC34.070   CAT II    The IAM will ensure certificates are used for authentication IAW DoDI 8520.2, PKI and Public Key (PK) Enabling.




AC34.075   CAT I     The IAM will ensure use of DoD-approved PKI digital certificates to authenticate requests for access to government information not approved for public release. For unclassified sensitive assets, the PKI certificate will be considered necessary but insufficient to provide authorized access.

AC34.080   CAT II    The IAM will ensure implementation of certificate-based logon to the NIPRNet using DoD-approved PKI as required by DoD policy. DoD-approved PKI will be required for SIPRNet when implemented in the future.

AC34.085   CAT I     The IAM will ensure a DoD-approved PKI certificate is used for logon to DoD Enclaves, networks, servers, desktops, laptops, and other network-capable client devices. If PKI logon cannot be used, then a DoD-compliant ID/password combination may be used and a migration plan implemented IAW JTF-GNO exception reporting requirements. NOTE: The PKI certificate is necessary but insufficient for access. Access must also require an active account and authorization.




AC34.090   CAT I     The IAM will ensure PKI is required for the exchange of FOUO information with vendors and contractors; the DoD will only accept PKI certificates obtained from a DoD-approved internal or external certificate authority.

AC34.095   CAT I     The IAM will ensure DoD contractors who are not eligible for a DoD-approved PKI get and use digital certificates issued by approved external PKIs when interacting with DoD PK-Enabled information systems or accessing DoD restricted information and logical assets.

AC34.100   CAT III   The IAM will ensure SAs are trained on administration and implementation of PKI and PKE. At a minimum, this training will include: PKI awareness training; how to configure systems for certificate-based logon; how to configure systems for digital signature; how to configure systems for email encryption; how to configure systems for Web server certificates. DoD-approved PKI will be used for email and web services in accordance with the following.




AC34.105   CAT II    The IAM will require certificate-based client authentication to restricted access (not public) DoD web servers using certificates issued by DoD-approved PKI certificate authorities.

AC34.110   CAT II    The IAO will ensure browsers, including those that support software tokens, support the use of DoD-approved PKI, a High Assurance Remote Access (HARA) solution (as appropriate for the classification level), or an NSA-certified solution for storing the user's certificates.

AC34.115   CAT II    The IAO will ensure DoD e-mail systems support sending and receiving e-mail signed by DoD-approved certificates. E-mail containing DoD sensitive or restricted information is signed using DoD-approved certificates.

AC34.140   CAT II    The IAM will ensure new Commercial-off-the-Shelf (COTS) software to be used in information systems that require PK-Enabling has passed interoperability testing performed by a DoD-approved PKI Program Management Office (PMO)-approved testing facility prior to procurement.




AC34.168   CAT III   The DAA will ensure ID and password access for system and network access is used only where use of DoD PKI is not technologically feasible, cost prohibitive, or is deemed unwarranted. Exceptions to the PKI policy must be documented; DAA approved; and coordinated with the service/agency PKI PMO as well as the DoD PKI PMO.

AC34.170   CAT II    The IAM will ensure where passwords are used for access to DoD restricted assets (i.e., networks, workstations, or applications), at a minimum, passwords are created and changed in accordance with current DoD policy. Users must be trained on this requirement and, if possible, an automated procedure must be in place to enforce these rules.

AC34.175   CAT I     The IAO will ensure default installation passwords are removed from installed devices used for production such as communications, databases, applications, or operating systems.

AC34.180   CAT II    The IAO will ensure individual users and system, application, and database administrators use individually assigned accounts rather than group or shared accounts or authenticators.

AC34.181   CAT II    The IAO will ensure group or shared authenticators for application or network access are used only in conjunction with an individual authenticator. Any use of group authenticators not based on the DoD-approved PKI has been explicitly approved by the DAA.

AC34.185   CAT II    The IAO will ensure shared/group PINs and passwords are used only in accordance with the DoDI 8500.2. Auditing procedures are implemented in conjunction with these methods to support nonrepudiation and accountability.

AC34.189   CAT II    For information systems with DoD sensitive information that are not currently capable of connection to NIPRNet (cannot use PKI authentication), the IAM will ensure, at a minimum, users are authenticated to their CAC, DBIDS, or other DoD-issued identification card prior to issuance of a non-CAC hardware token for use to login to DoD sensitive information assets.




AC34.190   CAT II    The DAA must document and certify that the system is incapable of connecting to the NIPRNet; ensure the system is compliant with all applicable STIGs; document coordination with the service/agency PKI PMO; and document a plan for migration and mitigation of residual risk.

AC34.160   CAT I     The IAM will ensure if the hardware token is used as an identity credential to support access to classified assets, it is combined with, at a minimum, a PIN and/or a biometric verification.

AC34.205   CAT II    The IAO will ensure the information system (network device, desktop, laptop, handheld, etc.) is configured to lock the device when the session is left unattended.

AC34.210   CAT II    The IAO will ensure users are trained on the proper handling and security procedures for DoD-issued hardware tokens used to enable access to sensitive information.




AC34.215             II   For authentication to NIPRNet and NIPRNet-connected systems where DoD-approved PKI issued on an alternative (non-CAC) hardware token is required, the IAM will ensure use of a DoD-approved hardware token. Use of alternative hardware tokens is limited to particular categories of uses approved by the DoD PKI PMO and documented in the service/agency Certificate Practice Statement (CPS) and addendum.

AC35.025            III   The Security Manager will ensure all physical security controls, including security marking, handling, and facility procedures required for the protection of information systems and associated hardware devices, comply with the requirements of the DISA Traditional Security Checklist.

AC35.010             II   The Security Manager will ensure attended access control (e.g., guards and video surveillance systems) is implemented in compliance with the policies of DoD 5200.1-R.

AC35.053             II   When using locally issued badges, the Security Manager will comply with applicable DoD policies governing identity cards and with policies in the Identification Credentials section of this STIG.

AC35.055              I   The IAM or Security Manager will ensure DoD personnel and contractors are positively authenticated before granting access to DoD protected assets or prior to issuance of any locally issued or supplementary authentication credential used to support access control.

AC35.056             II   The Security Manager will ensure supplementary badges, memory cards, and smart cards issued to individuals without a completed National Agency Check with Inquiries (NACI) are electronically distinguishable from those credentials revealing a completed NACI (IAW Draft DoD 5200.8-R).

AC35.060             II   The Security Manager will use badges, memory cards, and smart cards (something you have) to protect unclassified, non-sensitive assets. This requirement includes use of the CAC when used only as a badge without requiring authentication by PIN or biometric.

AC35.065             II   The Security Manager will ensure audit logs of badge, memory card, and smart card issuance, revocation, and collection are maintained.




AC35.010             II   The Security Manager will ensure, at a minimum, PINs and combinations are created and changed in accordance with the DoDI 8500.2. Users are trained on this requirement and, if possible, an automated procedure is in place to enforce these rules. (This is not applicable for PKI PINs.)

AC35.015              I   The IAO will ensure default installation PINs or combinations are changed when installing devices used for production, such as GSA-approved safes or combination locks.

AC35.020             II   The Security Manager and IAO will ensure shared/group PINs and combinations are used only in accordance with the DoDI 8500.2. Auditing procedures are implemented in conjunction with these methods to support accountability.

AC35.025            III   The Security Manager will ensure all physical security controls for the protection of information systems and associated hardware devices comply with the DISA Traditional Security Checklist.




BIO1010              II   The IAO will ensure individuals are assigned in writing to the following administrative roles: Enrollment Administrator (enroll or re-enroll users); Security Administrator (modify the security configuration); and Audit Administrator (review and manage audit logs).

BIO1020              II   The IAO will ensure the following functions are restricted to authorized Administrators:
                          - Creation or modification of authentication and authorization rules
                          - Creation, installation, modification or revocation of cryptographic keys
                          - Startup and shutdown of the biometric service

BIO1030              II   The IAO will ensure only authorized Enrollment Administrators are permitted to create user biometric templates.

BIO1040             III   The IAO will ensure only authorized Audit Administrators can clear the audit log or modify any of its entries.

BIO1050              II   The IAO will ensure all Administrators authenticate to the biometric system to perform administrative functions and that this authentication includes a factor outside of the biometric verification the system supports for ordinary users.




BIO3010              II   The IAO will ensure the enrollment process is conducted by an authorized Enrollment Administrator who will, at a minimum, check that:
                          - The enrollee has submitted a completed SAAR DD Form 2875 or similar access authorization form used to authorize access to the system for which the biometric system supports authentication.
                          - The enrollee is in possession of valid DoD photo identification.
                          - The photo on this identification matches the physical characteristics of the enrollee.

BIO3020               I   The IAO will ensure users cannot self-enroll biometric information (i.e., enroll outside of the presence of an authorized Enrollment Administrator).

BIO3030             III   The IAO will ensure Enrollment Administrators receive appropriate training that covers, at a minimum:
                          - The user identification and authorization requirements
                          - Use of the biometric software and capture device to obtain an acceptable user template
                          - How to identify when a template is unacceptable and needs to be recreated

BIO3040              II   Enrollment Administrators will re-create templates when there is an indication that a template has not been properly captured.

BIO3050             III   The Security Administrator will configure the system to search for matches between the enrolled template and previously existing templates and reject enrollment when a match is discovered. If this process cannot be automated, the Enrollment Administrator will enforce this requirement manually.

BIO4010              II   The Security Administrator will configure the biometric system to encrypt all biometric data resident on non-volatile memory or storage media.

BIO4015              II   The Security Administrator will ensure biometric templates are protected by operating system permissions.

BIO4020              II   The Security Administrator will ensure no user ID has access to the files other than those required for running the biometric application software.

BIO5010              II   The Biometric Security Administrator will set the FAR to be no greater than 1 in 100,000.

BIO5030              II   The Security Administrator will configure the biometric system to prohibit the identical biometric sample from being used in consecutive authentication attempts.




BIO5040              II   The Security Administrator will configure the biometric system to lock out for 15 minutes any user upon the third unsuccessful authentication attempt within a 15-minute period.

BIO5050              II   The Security Administrator will configure the biometric system to not reveal to a user any information related to how close the live sample he or she supplies is to the corresponding biometric template.

BIO6020              II   The IAO will establish adequate identification and authentication procedures that must be followed whenever the biometric system is unavailable.

BIO6010              II   The IAO will ensure biometric technology is not the sole means of access control (i.e., it is one component of a two- or three-factor authentication solution or it is accompanied by an automated fallback verification system).

BIO6030              II   The IAO will establish adequate written identification and authentication procedures for users that are unable to present the required live biometric sample.




BIO6040             III   The IAO will designate personnel who have the authority to override false rejections and ensure they receive proper training in how to implement the fallback protocol and verify a user’s identity.

BIO6050              II   The IAO will ensure any override of the biometric system is accompanied by a photo ID check of the user and documentation of the following:
                          - The name of the user who was granted entry with the override
                          - The time the override occurred
                          - The reason for the false rejection

BIO6060              II   The Biometric Security Administrator will set the FRR to be no greater than 5 in 100.

BIO2009              II   The Security Administrator will configure the biometric system to encrypt and digitally sign all biometric reference data (using DoD-approved PKI) before it is transmitted from one physical device to another.

BIO2010              II   The Security Administrator will configure the biometric system to use NIST FIPS 140-2 validated cryptography to implement encryption for communications (data in transit) transmitted from one physical device to another.




BIO4010              II   The Security Administrator will configure the biometric system to encrypt and digitally sign all biometric reference data resident on non-volatile memory or storage media (data at rest).

BIO2020              II   The Security Administrator will ensure only the process running biometric software is able to read relevant private or shared secret keys (with the exception of key supersession events, during which the Security Administrator may temporarily have the ability to replace the key [e.g., to modify the key file]).

BIO7010              II   The IAO will ensure the file permissions and storage scheme for biometric audit logs are no less secure than the scheme for the system audit logs of the operating system on which the biometric software resides. (The current requirement for audit log retention is 30 days online and one year offline.)

BIO7020              II   The Security Administrator will configure the biometric system to audit the following transactions:
                          - All “exact match” verification transactions
                          - All failed identification or authentication attempts
                          - All start and stop events for the biometric service




BIO7030              II   The IAO will ensure the physical connections between the following biometric system components are adequately secured:
                          - The connection between the capture device and the comparator
                          - The connection between the comparator and the portal
                          Adequate security depends upon what is being protected and the risk environment, but it, at a minimum, involves ensuring that no wiring is exposed to unauthenticated users and there is no means of opening the capture device with the use of common tools such as a screwdriver. Requirements for protection of the physical distribution system are found in DoDD 5200. Also see the previous section for discussion of a physical intrusion detection system.



AC42.010            III   The Security Manager will ensure a risk analysis is conducted and documented for the systems and the facility to be protected.




AC42.015            III   The Security Manager will ensure unresolved or unmitigated risks (residual risks) are identified, documented, and accepted by the DAA. System changes that are needed to mitigate these residual risks must be documented.

AC42.020            III   The Security Manager will ensure a security plan is prepared and signed by the commander/director or other appropriately authorized senior management official.




  PDI    VMSID     CAT           Requirement              Vulnerability   Status   Finding Notes

DTAG008 V0019910    I    The antivirus signature file age exceeds 7 days.

DTAM001 V0006453    I    The McAfee VirusScan Control Panel parameters are not configured as required.
DTAM002 V0006467    II   The McAfee VirusScan on access scan parameter for Boot sectors is incorrect.
DTAM003 V0006468    II   The McAfee VirusScan on access scan parameter for floppy disks is incorrect.
DTAM004 V0006469    II   The McAfee VirusScan message dialog parameters are not configured as required.
DTAM005 V0006470    II   The McAfee VirusScan remove messages parameters are not configured as required.
DTAM006 V0006471    II   The McAfee VirusScan Clean Infected file parameter is not configured as required.
DTAM007 V0006472    II   The McAfee VirusScan delete infected file parameter is not configured as required.
DTAM008 V0006473    II   The McAfee VirusScan quarantine parameter is not configured as required.
DTAM009 V0006474    II   The McAfee VirusScan Control Panel log parameter is not configured as required.
DTAM010 V0006475    II   The McAfee VirusScan limit log size parameter is not configured as required.
DTAM011 V0006476    II   The McAfee VirusScan log session parameter is not configured as required.
DTAM012 V0006478    II   The McAfee VirusScan log summary parameter is not configured as required.
DTAM013 V0006583    II   The McAfee VirusScan log encrypted files parameter is not configured as required.
DTAM014 V0006584    II   The McAfee VirusScan log user name parameter is not configured as required.
DTAM016 V0006585    II   The McAfee VirusScan autoupdate parameters are not configured as required.
DTAM021 V0006586    II   The McAfee VirusScan Exchange scanner is not enabled.
DTAM022 V0006587    II   The McAfee VirusScan find unknown programs email parameter is not configured as required.
DTAM023 V0006588    II   The McAfee VirusScan find unknown macro virus email parameter is not configured as required.
DTAM026 V0006589    II   The McAfee VirusScan scan inside archives email parameter is not configured as required.
DTAM027 V0006590    II   The McAfee VirusScan decode MIME email parameter is not configured as required.
DTAM028 V0006591    II   The McAfee VirusScan scan e-mail message body email parameter is not configured as required.
DTAM029 V0006592    II   The McAfee VirusScan allowed actions email parameter is not configured as required.
DTAM030 V0006593    II   The McAfee VirusScan action prompt email parameter is not configured as required.
DTAM033 V0006594    II   The McAfee VirusScan return reply email parameter is not configured as required.
DTAM034 V0006595    II   The McAfee VirusScan prompt message email parameter is not configured as required.
DTAM035 V0006596    II   The McAfee VirusScan log to file email parameter is not configured as required.
DTAM036 V0006597    II   The McAfee VirusScan limit log size email parameter is not configured as required.
DTAM037 V0006598    II   The McAfee VirusScan log content email parameter is not configured as required.
DTAM038 V0014651    II   The McAfee VirusScan detects unwanted programs email parameter is not configured as required.
DTAM039 V0014652    II   The McAfee VirusScan unwanted programs action email parameter is not configured as required.
DTAM045 V0006599    II   The McAfee VirusScan fixed disk and running processes are not configured as required.
DTAM046 V0006600    II   The McAfee VirusScan include subfolders parameter is not configured as required.
DTAM047 V0006601    II   The McAfee VirusScan include boot sectors parameter is not configured as required.
DTAM048 V0006602    II   The McAfee VirusScan scan all files parameter is not configured as required.
DTAM050 V0006604    II   The McAfee VirusScan exclusions parameter is not configured as required.
DTAM052 V0006611    II   The McAfee VirusScan scan archives parameter is not configured as required.
DTAM053 V0006612    II   The McAfee VirusScan decode MIME encoded files parameter is not configured as required.
DTAM054 V0006614    II   The McAfee VirusScan find unknown programs parameter is not configured as required.
DTAM055 V0006615    II   The McAfee VirusScan find unknown macro viruses parameter is not configured as required.
DTAM056 V0006616    II   The McAfee VirusScan action for Virus parameter is not configured as required.
DTAM057 V0006617    II   The McAfee VirusScan
                         secondary action for virus
                         parameter is not configured
                         as required.
DTAM058 V0014654    II   The McAfee VirusScan
                         check for unwanted
                         programs parameter is not
                         configured as required.
DTAM059 V0006618    II   The McAfee VirusScan log
                         to file parameter is not
                         configured as required.
DTAM060 V0006620    II   The McAfee VirusScan log
                         file limit parameter is not
                         configured as required.
DTAM061 V0006621    II   The McAfee VirusScan log
                         session settings parameter
                         is not configured as required.

DTAM062 V0006624    II   The McAfee VirusScan log
                         session summary parameter
                         is not configured as required.

DTAM063 V0006625    II   The McAfee VirusScan
                         failure on encrypted files
                         parameter is not configured
                         as required.
DTAM064 V0006626    II   The McAfee VirusScan log
                         user name is not configured
                         as required.
DTAM070 V0006627    II   The McAfee VirusScan
                         schedule is not configured
                         as required.
DTAM090 V0014618    II   The McAfee VirusScan on
                         access scan parameter for
                         script scan is incorrect.
DTAM091 V0014619    II   The McAfee VirusScan on
                         access scan parameter for
                         connection blocking is
                         incorrect.
DTAM092 V0014620    II   The McAfee VirusScan on
                         access scan parameter for
                         connection blocking time is
                         incorrect.
DTAM093 V0014621    II   The McAfee VirusScan on
                         access scan parameter for
                         blocking unwanted programs
                         is incorrect.
DTAM100 V0014622    II   The McAfee VirusScan scan
                         default values for processes
                         are not configured as
                         required.
DTAM101 V0014623    II   The McAfee VirusScan scan
                         when writing to disk is not
                         configured as required.

DTAM102 V0014624    II   The McAfee VirusScan scan
                         when reading parameter is
                         not configured as required.

DTAM103 V0014625    II   The McAfee VirusScan scan
                         all files parameter is not
                         configured as required.
DTAM104 V0014626    II   The McAfee VirusScan
                         heuristics program viruses
                         parameter is not configured
                         as required.
DTAM105 V0014627    II   The McAfee VirusScan
                         heuristics macro viruses
                         parameter is not configured
                         as required.
DTAM106 V0014628    II   The McAfee VirusScan scan
                         inside archives parameter is
                         not configured as required.

DTAM107 V0014629    II   The McAfee VirusScan scan
                         MIME files parameter is not
                         configured as required.

DTAM110 V0014630    II   The McAfee VirusScan
                         process primary action
                         parameter is not configured
                         as required.
DTAM111 V0014631    II   The McAfee VirusScan
                         process secondary action
                         parameter is not configured
                         as required.
DTAM112 V0014633    II   The McAfee VirusScan log
                         user name parameter is not
                         configured as required.
DTAM130 V0014657    II   The McAfee VirusScan
                         buffer overflow protection is
                         not configured as required.
DTAM131 V0014658    II   The McAfee VirusScan
                         buffer overflow protection
                         mode is not configured as
                         required.
DTAM132 V0014659    II   The McAfee VirusScan
                         buffer overflow message
                         parameter is not configured
                         as required.
DTAM133 V0014660    II   The McAfee VirusScan
                         buffer overflow log
                         parameter is not configured
                         as required.
DTAM134 V0014661    II   The McAfee VirusScan log
                         size limitation parameters
                         are not configured as
                         required.
DTAM135 V0014662    II   The McAfee VirusScan
                         detection of Spyware is not
                         configured as required.
DTAM136 V0014663    II   The McAfee VirusScan
                         detection of Adware is not
                         configured as required.
DTAS002 V0006359    II   The Symantec Antivirus is
                         not configured to restart for
                         configuration changes.


DTAS003 V0006360    I    The Symantec Antivirus
                         autoprotect parameter is
                         incorrect.


DTAS004 V0006361    II   The Symantec Antivirus auto
                         protect-All Files configuration
                         is incorrect.


DTAS006 V0006362    II   The Symantec Antivirus
                         display message parameter
                         is incorrect.


DTAS007 V0006363    II   The Symantec Antivirus
                         exclude files configuration is
                         incorrect.


DTAS012 V0006368    II   The Symantec Antivirus
                         autoprotect read parameter
                         is incorrect.


DTAS013 V0006369    II   The Symantec Antivirus
                         AutoProtect parameter for
                         backup options is incorrect.


DTAS014 V0006370    II   The Symantec Antivirus
                         AutoProtect parameter for
                         autoenabler is incorrect.
DTAS015 V0006371    II   The Symantec Antivirus
                         AutoProtect parameter for
                         floppies is incorrect.


DTAS016 V0006372    II   The Symantec Antivirus
                         AutoProtect parameter for
                         Boot virus is incorrect.


DTAS017 V0006374    II   The Symantec Antivirus
                         AutoProtect parameter for
                         check floppy at shutdown is
                         incorrect.

DTAS020 V0006375    II   The Symantec Antivirus
                         email parameter for Boot
                         sectors is incorrect.


DTAS021 V0006376    II   The Symantec Antivirus
                         email client parameter for all
                         files is incorrect.


DTAS029 V0006383    II   The Symantec Antivirus
                         email client parameter for
                         compressed files is incorrect.


DTAS030 V0006384    II   The Symantec AntiVirus CE
                         History Options parameters
                         are not configured as
                         required.

DTAS031 V0006385    II   The Symantec Antivirus is
                         not scheduled to autoupdate.



DTAS032 V0006386    II   There is no Symantec
                         Antivirus Scheduled Scans
                         or Startup Scans task
                         configured to scan local
                         drive(s) at least weekly.
DTAS037 V0006387    II   The Symantec Antivirus
                         weekly scan parameter for
                         all files is incorrect.
DTAS040 V0006388    II   The Symantec Antivirus
                         weekly scan parameter for
                         memory enabled is incorrect.


DTAS041 V0006389    II   The Symantec Antivirus
                         weekly scan parameter for
                         messages is incorrect.


DTAS042 V0006390    II   The Symantec Antivirus
                         weekly scan parameter for
                         exclude files is incorrect.


DTAS047 V0006395    II   The Symantec Antivirus
                         weekly scan parameter for
                         compressed files is incorrect.


DTAS048 V0006396    II   The Symantec Antivirus
                         weekly scan parameter for
                         backup files is incorrect.


DTAS050 V0006397    II   The Symantec Antivirus
                         weekly scan parameter for
                         scan lock is incorrect.


DTAS060 V0014477    II   The Symantec Antivirus
                         autoprotect parameter for
                         Block Security Risks is
                         incorrect.

DTAS061 V0014481    II   The Symantec Antivirus
                         autoprotect parameter for
                         scan for security risks is
                         incorrect.

DTAS062 V0014482    II   The Symantec Antivirus
                         autoprotect parameter for
                         Delete Infected Files on
                         Creation is incorrect.

DTAS063 V0014591    II   The Symantec AntiVirus
                         Auto-Protect parameter for
                         Threat Tracer is incorrect.
DTAS064 V0014592    II   The Symantec Antivirus
                         autoprotect parameter for
                         Bloodhound technology is
                         incorrect.

DTAS065 V0014593    II   The Symantec Antivirus
                         autoprotect parameter for
                         Heuristics Level is incorrect.


DTAS066 V0014594    II   The Symantec Antivirus
                         autoprotect parameter for
                         macro virus first action is
                         incorrect.

DTAS067 V0014595    II   The Symantec Antivirus
                         autoprotect parameter for
                         macro virus second action is
                         incorrect.

DTAS068 V0014596    II   The Symantec Antivirus
                         autoprotect parameter for
                         non-macro first action virus
                         is incorrect.

DTAS069 V0014597    II   The Symantec Antivirus
                         autoprotect parameter for
                         check non-macro second
                         action is incorrect.

DTAS070 V0014598    II   The Symantec Antivirus
                         autoprotect parameter for
                         Security Risks first action is
                         incorrect.

DTAS071 V0014600    II   The Symantec Antivirus
                         autoprotect parameter for
                         Security Risks Second
                         Action is incorrect.

DTAS080 V0014601    II   The Symantec Antivirus
                         email client for notification
                         into the email is incorrect.


DTAS081 V0014602    II   The Symantec Antivirus
                         autoprotect email parameter
                         for macro virus first action is
                         incorrect.
DTAS082 V0014603    II   The Symantec Antivirus
                         autoprotect email parameter
                         for macro virus second
                         action is incorrect.

DTAS083 V0014604    II   The Symantec Antivirus
                         autoprotect email parameter
                         for non-macro first action
                         virus is incorrect.

DTAS084 V0014605    II   The Symantec Antivirus
                         autoprotect email parameter
                         for check non-macro second
                         action is incorrect.

DTAS085 V0014606    II   The Symantec Antivirus
                         autoprotect email parameter
                         for Security Risks first action
                         is incorrect.

DTAS086 V0014607    II   The Symantec Antivirus
                         Auto-Protect parameter for
                         Email Security Risks Second
                         Action is incorrect.

DTAS091 V0014609    II   The Symantec Antivirus
                         weekly scan parameter for
                         scanning load points is
                         incorrect.

DTAS092 V0014610    II   The Symantec Antivirus
                         weekly scan parameter for
                         well knowns before others is
                         incorrect.

DTAS093 V0014611    II   The Symantec Antivirus
                         weekly scan parameter for
                         macro virus first action is
                         incorrect.

DTAS094 V0014612    II   The Symantec Antivirus
                         weekly scan parameter for
                         macro virus second action is
                         incorrect.

DTAS095 V0014613    II   The Symantec Antivirus
                         weekly scan parameter for
                         non-macro first action virus
                         is incorrect.
DTAS096 V0014615    II   The Symantec Antivirus
                         Auto-Protect parameter for
                         check non-macro second
                         action is incorrect.

DTAS097 V0014616    II   The Symantec Antivirus
                         weekly scan parameter for
                         Security Risks first action is
                         incorrect.

DTAS098 V0014617    II   The Symantec Antivirus
                         weekly scan parameter for
                         Security Risks second action
                         is incorrect.

DTSG001 V0014678    I    AntiSpyware software is not
                         installed or not configured for
                         on access and on demand
                         detection.
DTSG002 V0014679    I    The Antispyware software is
                         not at a vendor supported
                         level.
DTSG003 V0014680    II   A migration plan does not
                         exist for Antispyware
                         software that is scheduled to
                         go out of support by the
                         vendor.
DTSG004 V0014682    II   The Antispyware software
                         does not have the latest
                         maintenance rollup of
                         software update applied.
DTSG005 V0014684    II   The Antispyware software is
                         not configured to download
                         updates from a trusted
                         source.
DTSG006 V0014700    II   The Antispyware
                         definition/signature files are
                         not automatically set to be
                         updated at least weekly.
DTSG007 V0014701    I    The Antispyware signature
                         files are older than 7 days.
DTSG008 V0014702    II   Beta or non-production
                         Antispyware
                         definitions/signature files are
                         being used on a production
                         machine.
DTSG009 V0014704    I    The Antispyware software
                         does not start on-access
                         protection automatically
                         when the machine is booted.
DTSG010 V0014706    II   The Antispyware software is
                         not configured to perform a
                         scan of local hard drives at
                         least weekly.
DTSG011 V0014708    II   The Antispyware scheduled
                         scan is not configured to
                         scan memory and drives
                         (with an in-depth scan option).

DTSG012 V0014709    II   The Antispyware, when
                         running in on access mode,
                         is not configured to inform
                         the user (or report to a
                         central monitoring console)
                         when malicious activity or
                         spyware is found.

DTSG013 V0014710    II   The Antispyware, when
                         running in a scheduled scan,
                         is not configured to inform
                         the user (or report to a
                         central monitoring console)
                         when malicious activity or
                         spyware is found.
DTSG014 V0014711    II   The Antispyware, when
                         running in on-demand mode,
                         is not configured to inform
                         the user (or report to a
                         central monitoring console)
                         when malicious activity or
                         spyware is found.
DTSG015 V0014712   III   The Antispyware software is
                         not configured to maintain
                         logs for at least 30 days.

DTSG016 V0014713   III   The Antispyware software is
                         not configured to maintain
                         logs for at least 30 days.

DTSG017 V0014714   III   The Antispyware software is
                         included in the incident
                         response procedures both
                         for the user and the site.
    Section column (spilled from the table during extraction and not
    alignable to individual rows): the McAfee VirusScan (DTAM) rows are
    assigned to the McAfee Local Client and McAfee Managed Client
    sections, with a few assigned to McAfee Local Client only; the
    Symantec Antivirus (DTAS) rows to the Symantec Managed Client and
    Symantec Local Client sections; and the Antispyware (DTSG) rows to
    the Spyware section.
APP2010 V0006197 II The Program Manager will
                    ensure an SSP is
                    established to describe the
                    technical, administrative,
                    and procedural IA program
                    and policies governing the
                    DoD information system,
                    and identifying all IA
                    personnel and specific IA
                    requirements and objectives.

APP2020 V0016773     II    The Program Manager will
                           provide an Application
                           Configuration Guide to the
                           application hosting providers
                           to include a list of all
                           potential hosting enclaves
                           and connection rules and
                           requirements.
APP2040 V0006145     II    If the application contains
                           classified data, the Program
                           Manager will ensure a
                           Security Classification Guide
                           exists containing data
                           elements and their
                           classification.
APP2050 V0016775     II    The Program Manager will
                           ensure the system has been
                           assigned specific MAC and
                           confidentiality levels.

APP2060 V0016776     II    The Program Manager will
                           ensure the development
                           team follows a set of coding
                           standards.
APP2070 V0006170     III   The Program Manager and
                           designer will ensure any IA,
                           or IA enabled, products used
                           by the application are NIAP
                           approved or in the NIAP
                           approval process.




   Legend:
   R or RAE = Required Ancillary Equipment
   NF = Not a Finding
   NA = Not Applicable
APP2080 V0016777 II The Program Manager will
                    ensure COTS IA and IA
                    enabled products comply
                    with NIAP/NSA endorsed
                    protection profiles.
APP2090 V0016778 II The Program Manager will
                    document and obtain DAA
                    risk acceptance for all open
                    source, public domain,
                    shareware, freeware, and
                    other software
                    products/libraries with no
                    warranty and no source
                    code review capability, but
                    are required for mission
                    accomplishment.

APP2100 V0006169     II   The Program Manager and
                          designer will ensure the
                          application design complies
                          with the DoD Ports and
                          Protocols guidance.

APP2110 V0016779     II   The Program Manager and
                          designer will ensure the
                          application is registered with
                          the DoD Ports and Protocols
                          Database.
APP2120 V0016780     II   The Program Manager will
                          ensure all levels of program
                          management, designers,
                          developers, and testers
                          receive the appropriate
                          security training pertaining to
                          their job function.
APP2130 V0016781     II   The Program Manager will
                          ensure a vulnerability
                          management process is in
                          place to include ensuring a
                          mechanism is in place to
                          notify users, and users are
                          provided with a means of
                          obtaining security updates
                          for the application.


APP2135  V0021519  I    The Program Manager will ensure all products are supported by the vendor or the development team.
APP2140  V0016782  II   The Program Manager will ensure a security incident response process for the application is established that defines reportable incidents and outlines a standard operating procedure for incident response to include Information Operations Condition (INFOCON).
APP2150  V0016783  II   The Program Manager will ensure procedures are implemented to assure physical handling and storage of information is in accordance with the data’s sensitivity.
APP2160  V0006198  II   The Program Manager and IAO will ensure development systems, build systems, test systems, and all components comply with all appropriate DoD STIGs, NSA guides, and all applicable DoD policies. The Test Manager will ensure both client and server machines are STIG compliant.
APP3010  V0007013  II   The designer will create and update the Design Document for each release of the application.
APP3020  V0006148  II   The designer will ensure threat models are documented and reviewed for each application release and updated as required by design and functionality changes or new threats are discovered.
APP3050  V0006149  II   The designer will ensure the application does not contain source code that is never invoked during operation, except for software components and libraries from approved third-party products.
APP3060  V0006150  II   The designer will ensure the application does not store configuration and control files in the same directory as user data.
APP3070  V0016784  II   The designer will ensure the user interface services are physically or logically separated from data storage and management services.
APP3080  V0006157  II   The designer will ensure the application does not contain invalid URL or path references.
APP3100  V0006163  II   The designer will ensure the application removes temporary storage of files and cookies when the application is terminated.
APP3110  V0016786  II   The designer will ensure the application installs with unnecessary functionality disabled by default.
APP3120  V0006166  II   The designer will ensure the application is not subject to error handling vulnerabilities.
APP3130  V0016787  I    The designer will ensure the application follows the secure failure design principle.
APP3140  V0006167  II   The designer will ensure application initialization, shutdown, and aborts are designed to keep the application in a secure state.
APP3150  V0006137  II   The designer will ensure the application uses Federal Information Processing Standard (FIPS) 140-2 validated cryptographic modules and random number generator if the application implements encryption, key exchange, digital signature, and hash functionality.
APP3170  V0016788  II   The designer will ensure the application uses encryption to implement key exchange and authenticate endpoints prior to establishing a communication channel for key exchange.
APP3180  V0016789  II   The designer will ensure private keys are accessible only to administrative users.
APP3190  V0016790  II   The designer will ensure the application does not connect to a database using administrative credentials or other privileged database accounts.
APP3200  V0016791  III  The designer will ensure transaction based applications implement transaction rollback and transaction journaling.
APP3210  V0006135  II   The designer will ensure the appropriate cryptography is used to protect stored DoD information if required by the information owner.
APP3220  V0016792  II   The designer will ensure sensitive data held in memory is cryptographically protected when not in use, if required by the information owner, and classified data held in memory is always cryptographically protected when not in use.
APP3230  V0016793  II   The designer will ensure the application properly clears or overwrites all memory blocks used to process sensitive data, if required by the information owner, and clears or overwrites all memory blocks used for classified data.
APP3240  V0006142  II   The designer will ensure all access authorizations to data are revoked prior to initial assignment, allocation or reallocation to an unused state.
APP3250  V0006136  I    The designer will ensure data transmitted through a commercial or wireless network is protected using an appropriate form of cryptography.
APP3260  V0016794  II   The designer will ensure the application uses mechanisms assuring the integrity of all transmitted information (including labels and security parameters).
APP3270  V0006146  I    The designer will ensure the application has the capability to mark sensitive/classified output when required.
APP3280  V0006127  II   The designer will ensure applications requiring user authentication are PK-enabled and are designed and implemented to support hardware tokens (e.g., CAC for NIPRNet).
APP3290  V0006128  II   The designer and IAO will ensure PK-enabled applications are designed and implemented to use approved credentials authorized under the DoD PKI program.
APP3300  V0006168  II   The designer will ensure applications requiring server authentication are PK-enabled.
APP3305  V0006129  I    The designer will ensure the application using PKI validates certificates for expiration, confirms origin is from a DoD authorized CA, and verifies the certificate has not been revoked by CRL or OCSP, and CRL cache (if used) is updated at least daily.
APP3310  V0016795  I    The designer will ensure the application does not display account passwords as clear text.
APP3320  V0006130  II   The designer will ensure the application has the capability to require account passwords that conform to DoD policy.
APP3330  V0016796  I    The designer will ensure the application transmits account passwords in an approved encrypted format.
APP3340  V0016797  I    The designer will ensure the application stores account passwords in an approved encrypted format.
APP3350  V0006156  I    The designer will ensure the application does not contain embedded authentication data.
APP3360  V0016798  II   The designer will ensure the application protects access to authentication data by restricting access to authorized users and services.
APP3370  V0016799  II   The designer will ensure the application installs with unnecessary accounts disabled, or deleted, by default.
APP3380  V0006131  II   The designer will ensure the application prevents the creation of duplicate accounts.
APP3390  V0016800  I    The designer will ensure users’ accounts are locked after three consecutive unsuccessful logon attempts within one hour.
APP3400  V0016801  II   The designer will ensure locked users’ accounts can only be unlocked by the application administrator.
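An added Python illustration of how APP3340, APP3350, APP3380, APP3390 and APP3400 fit together in one authentication store; this is example code written for this page, not part of the checklist or of any DISA material. Passwords are kept as salted PBKDF2-HMAC-SHA256 verifiers with the parameters stored alongside, no credential is embedded in the source, the third consecutive failure inside a trailing one-hour window locks the account, and only the application administrator can clear the lock. The iteration count, the role name application_administrator and the sample account are assumptions for the example; the current time is passed in as a parameter so the one-hour window can be exercised directly.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# APP3390: three consecutive unsuccessful logon attempts within one hour.
LOCKOUT_THRESHOLD = 3
LOCKOUT_WINDOW_SECONDS = 3600
# Assumed work factor for the example; raise it for production hardware.
PBKDF2_ITERATIONS = 100_000
# Assumed role name; a real application maps this to its own role model (APP3400).
ADMIN_ROLE = "application_administrator"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """APP3340: store a salted, iterated one-way verifier, never the password.

    Record format: pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>, so the
    parameters travel with the record and can be raised on the next rotation.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: never accept
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(digest, expected)


# Verified against for unknown usernames so the response time is the same as for
# a real account with a wrong password (an attacker cannot enumerate accounts).
_DUMMY_RECORD = hash_password("not-a-real-password")


@dataclass
class Account:
    username: str
    password_hash: str
    failures: List[float] = field(default_factory=list)  # times of the current failure run
    locked: bool = False


class AuthStore:
    """Accounts are created at runtime; nothing is embedded in the code (APP3350)."""

    def __init__(self) -> None:
        self._accounts: Dict[str, Account] = {}

    def create(self, username: str, password: str) -> None:
        if username in self._accounts:  # APP3380: no duplicate accounts
            raise ValueError("duplicate account")
        self._accounts[username] = Account(username, hash_password(password))

    def login(self, username: str, password: str, now: float) -> str:
        """Return "ok", "denied" or "locked". `now` is seconds since the epoch."""
        acct = self._accounts.get(username)
        if acct is None:
            verify_password(password, _DUMMY_RECORD)  # burn the same time, then deny
            return "denied"
        if acct.locked:
            return "locked"
        if verify_password(password, acct.password_hash):
            acct.failures.clear()  # a success ends the consecutive-failure run
            return "ok"
        # Keep only the failures that still fall inside the trailing one-hour window.
        acct.failures = [t for t in acct.failures if now - t < LOCKOUT_WINDOW_SECONDS]
        acct.failures.append(now)
        if len(acct.failures) >= LOCKOUT_THRESHOLD:
            acct.locked = True
            return "locked"
        return "denied"

    def unlock(self, actor_role: str, username: str) -> bool:
        """APP3400: only the application administrator may clear a lock."""
        if actor_role != ADMIN_ROLE or username not in self._accounts:
            return False
        acct = self._accounts[username]
        acct.locked = False
        acct.failures.clear()
        return True
```

The lockout state lives in memory here; a real application persists it so that a restart cannot clear a lock, and logs both the lock and the administrator's unlock as key application events (APP3680).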




APP3405  V0016785  I    The designer will ensure the application supports detection and/or prevention of communication session hijacking.
APP3410  V0006144  II   The designer will ensure the application provides a capability to limit the number of logon sessions per user and per application.
APP3415  V0016802  II   The designer will ensure the application provides a capability to automatically terminate a session and log out after a system defined session idle time limit is exceeded.
APP3420  V0006155  II   The designer will ensure the application provides a capability to terminate a session and log out.
APP3430  V0006153  I    The designer will ensure the application removes authentication credentials on client computers after a session terminates.
APP3440  V0006152  II   The designer will ensure the application is capable of displaying a customizable click-through banner at logon which prevents further activity on the information system unless and until the user executes a positive action to manifest agreement by clicking on a box indicating "OK".
APP3450  V0016803  II   The designer and IAO will ensure application resources are protected with permission sets which allow only an application administrator to modify application resource configuration files.
APP3460  V0016804  I    The designer will ensure the application does not rely solely on a resource name to control access to a resource.
APP3470  V0006154  II   The designer will ensure the application is organized by functionality and roles to support the assignment of specific roles to specific application functions.
APP3480  V0006141  I    The designer will ensure access control mechanisms exist to ensure data is accessed and changed only by authorized personnel.
APP3500  V0006143  II   The designer will ensure the application executes with no more privileges than necessary for proper operation.
APP3510  V0006164  I    The designer will ensure the application validates all input.
APP3530  V0016806  II   The designer will ensure the web application assigns the character set on all web pages.
APP3540  V0016807  I    The designer will ensure the application is not vulnerable to SQL Injection, uses prepared or parameterized statements, does not use concatenation or replacement to build SQL queries, and does not directly access the tables in a database.
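The four clauses of APP3540 side by side, as an added Python/sqlite3 example written for this page (not code from the checklist): the forbidden concatenated query, the parameterized form, a view that keeps application reads off the underlying table, and an allow-list for the one place where a caller-chosen identifier cannot be bound as a parameter. The schema, rows and payload are constructed for the example.

```python
import sqlite3
from typing import List, Tuple

# Identifiers (table and column names) cannot be bound as parameters, so the only
# safe way to accept one from a caller is to map it through an allow-list.
ALLOWED_SORT_COLUMNS = {"username", "role"}


def build_db() -> sqlite3.Connection:
    """Constructed in-memory sample schema and rows; not a real system."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (
            id INTEGER PRIMARY KEY,
            username TEXT UNIQUE NOT NULL,
            role TEXT NOT NULL,
            password_hash TEXT NOT NULL
        );
        INSERT INTO users (username, role, password_hash) VALUES
            ('alice', 'user',  'hash-a'),
            ('bob',   'admin', 'hash-b');
        -- Application code reads through this view instead of the table, so the
        -- verifier column is never reachable from any query the application issues.
        CREATE VIEW user_directory AS SELECT id, username, role FROM users;
        """
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[Tuple]:
    """The pattern APP3540 forbids: caller input is concatenated into the statement.

    A value such as  x' OR '1'='1  turns the WHERE clause into a tautology, and
    because the table is read directly every row comes back.
    """
    sql = "SELECT id, username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> List[Tuple]:
    """The compliant form: the value is bound to a placeholder and the read goes
    through the view. The same payload is simply a username that does not exist."""
    return conn.execute(
        "SELECT id, username, role FROM user_directory WHERE username = ?", (username,)
    ).fetchall()


def list_users_sorted(conn: sqlite3.Connection, sort_by: str) -> List[Tuple]:
    """Caller-chosen ORDER BY column, accepted only if it is on the allow-list."""
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    # Safe to interpolate: sort_by is now one of our own constants, not the caller's text.
    return conn.execute(f"SELECT username FROM user_directory ORDER BY {sort_by}").fetchall()
```

The allow-list is what distinguishes this from the "replacement" the requirement forbids: the caller's text is compared against fixed strings and discarded, and only the matching constant ever reaches the statement.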

APP3550  V0016808  I    The designer will ensure the application is not vulnerable to integer arithmetic issues.
APP3560  V0016809  I    The designer will ensure the application does not contain format string vulnerabilities.
APP3570  V0016810  I    The designer will ensure the application does not allow command injection.
APP3580  V0016811  I    The designer will ensure the application does not have cross site scripting (XSS) vulnerabilities.
APP3585  V0021500  II   The designer will ensure the application does not have CSRF vulnerabilities.
APP3590  V0006165  I    The designer will ensure the application does not have buffer overflows, use functions known to be vulnerable to buffer overflows, and does not use signed values for memory allocation where permitted by the programming language.
APP3600  V0016812  II   The designer will ensure the application has no canonical representation vulnerabilities.
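An added Python example for APP3600, not from the checklist, showing what "canonical representation" means in practice for a file name taken from a request: the string is percent-decoded and NFKC-normalized until it stops changing, then resolved to a real path, and the containment check runs on the resolved path rather than on the text the client sent. The base directory, the decode-round limit and the sample inputs are assumptions for the example.

```python
import os
import unicodedata
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 5  # assumed bound; legitimate names settle in one or two rounds


def canonical_path(base_dir: str, user_path: str) -> str:
    """Return the absolute, resolved path the request really refers to, or raise ValueError.

    The access decision is made on the resolved path, never on the client's string.
    Decoding and Unicode normalization repeat until the value reaches a fixed point,
    so double-encoded (%252e) and look-alike (fullwidth dot) forms collapse to the
    same ".." before the check instead of after it.
    """
    decoded = user_path
    for _ in range(MAX_DECODE_ROUNDS):
        step = unicodedata.normalize("NFKC", unquote(decoded))
        if step == decoded:
            break
        decoded = step
    else:
        raise ValueError("input did not settle under decoding")
    if "\x00" in decoded:
        raise ValueError("embedded NUL")  # would truncate the name in a C-level API
    base = os.path.realpath(base_dir)
    # join() discards base when decoded is absolute, so "/etc/passwd" lands outside base
    # and is rejected by the containment test below rather than silently remapped.
    resolved = os.path.realpath(os.path.join(base, decoded))
    if os.path.commonpath([base, resolved]) != base:
        raise ValueError("path escapes the base directory")
    return resolved


def is_safe_path(base_dir: str, user_path: str) -> bool:
    """Boolean form of canonical_path for callers that only need the decision."""
    try:
        canonical_path(base_dir, user_path)
        return True
    except ValueError:
        return False
```

Without the fixed-point loop a single unquote() pass turns %252e%252e into %2e%2e, which a string check passes and a downstream decoder then turns back into "..". Because realpath() also follows symbolic links, the check holds even when a link inside the base directory points outside it.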




APP3610  V0016813  I    The designer will ensure the application does not use hidden fields to control user access privileges or as a part of a security mechanism.
APP3620  V0016814  II   The designer will ensure the application does not disclose unnecessary information to users.
APP3630  V0016815  II   The designer will ensure the application is not vulnerable to race conditions.
APP3640  V0016816  II   The designer will ensure the application supports the creation of transaction logs for access and changes to the data.
APP3650  V0006139  III  The designer will ensure the application has a capability to notify an administrator when audit logs are nearing capacity as specified in the system documentation.
APP3660  V0016817  III  The designer will ensure the application has a capability to notify the user of important login information.
APP3670  V0016818  II   The designer will ensure the application has a capability to display the user’s time and date of the last change in data content.
APP3680  V0006138  II   The designer will ensure the application design includes audits on all access to need-to-know information and key application events.
APP3690  V0006140  II   The designer and IAO will ensure the audit trail is readable only by the application and auditors and protected against modification and deletion by unauthorized individuals.
APP3700  V0006159  II   The designer will ensure unsigned Category 1A mobile code is not used in the application in accordance with DoD policy.
APP3710  V0006161  II   The designer will ensure signed Category 1A and Category 2 mobile code signature is validated before executing.
APP3720  V0006160  II   The designer will ensure unsigned Category 2 mobile code executing in a constrained environment has no access to local system and network resources.
APP3730  V0006162  II   The designer will ensure uncategorized or emerging mobile code is not used in applications.
APP3740  V0006158  II   The designer will ensure the application only embeds mobile code in e-mail which does not execute automatically when the user opens the e-mail body or attachment.
APP3750  V0016819  II   The designer will ensure development of new mobile code includes measures to mitigate the risks identified.
APP3760  V0019689  II   The designer will ensure web services are designed and implemented to recognize and react to the attack patterns associated with application-level DoS attacks.
APP3770  V0019690  II   The designer will ensure the web service design includes redundancy of critical functions.
APP3780  V0019691  II   The designer will ensure web service design of critical functions is implemented using different algorithms to prevent similar attacks from forming a complete application level DoS.
APP3790  V0019692  II   The designer will ensure web services are designed to prioritize requests to increase availability of the system.
APP3800  V0019693  II   The designer will ensure execution flow diagrams are created and used to mitigate deadlock and recursion issues.
APP3810  V0021498  I    The designer will ensure the application is not vulnerable to XML Injection.
APP3820  V0019695  I    The designer will ensure web services provide a mechanism for detecting resubmitted SOAP messages.
APP3830  V0019696  II   The designer and IAO will ensure digital signatures exist on UDDI registry entries to verify the publisher.
APP3840  V0019697  II   The designer and IAO will ensure UDDI versions are used supporting digital signatures of registry entries.
APP3850  V0019698  II   The designer and IAO will ensure UDDI publishing is restricted to authenticated users.
APP3860  V0019701  II   The designer will ensure SOAP messages requiring integrity sign the following message elements: Message ID, Service Request, Timestamp, and SAML Assertion (optionally included in messages).
APP3870  V0019702  I    The designer will ensure when using WS-Security, messages use timestamps with creation and expiration times.
APP3880  V0019703  I    The designer will ensure validity periods are verified on all messages using WS-Security or SAML assertions.
APP3890  V0019704  II   The designer shall ensure each unique asserting party provides unique assertion ID references for each SAML assertion.
APP3900  V0019705  II   The designer shall ensure encrypted assertions, or equivalent confidentiality protections, when assertion data is passed through an intermediary, and confidentiality of the assertion data is required to pass through the intermediary.
APP3910  V0022028  I    The designer shall use <NotBefore> and <NotOnOrAfter> when using the <SubjectConfirmation> element in a SAML assertion.
APP3920  V0022029  I    The designer shall use both the <NotBefore> and <NotOnOrAfter> elements or the <OneTimeUse> element when using the <Conditions> element in a SAML assertion.
APP3930  V0022032  II   The designer shall ensure if a OneTimeUse element is used in an assertion, there is only one used in the Conditions element portion of an assertion.
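APP3880, APP3890 and APP3910 through APP3930 describe what a relying party checks on a SAML 2.0 assertion before trusting it. The following is an added Python example written for this page, not code from the checklist or from any SAML library: it requires NotBefore and NotOnOrAfter on Conditions (or a single OneTimeUse) and on SubjectConfirmationData, enforces the validity windows with a small clock-skew allowance, rejects a second OneTimeUse, and refuses an assertion ID it has already accepted from the same issuer. The sample assertion, its issuer, subject and IDs, and the 60-second skew are constructed for the example; signature verification is assumed to have succeeded before this code runs.

```python
from datetime import datetime, timedelta, timezone
from typing import Set, Tuple
import xml.etree.ElementTree as ET

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
CLOCK_SKEW = timedelta(seconds=60)  # assumed tolerance for drift between the two parties

# Constructed sample assertion; issuer, subject and identifiers are invented for the example.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_7c1f2e9a" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotBefore="2024-05-01T12:00:00Z"
          NotOnOrAfter="2024-05-01T12:05:00Z" Recipient="https://sp.example.com/acs"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
    <saml:OneTimeUse/>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-05-01T12:00:00Z" SessionIndex="_4d5e6f"/>
</saml:Assertion>
"""


def at(hour: int, minute: int, second: int = 0) -> datetime:
    """Clock time on 2024-05-01 UTC, the day the sample assertion was issued."""
    return datetime(2024, 5, 1, hour, minute, second, tzinfo=timezone.utc)


def parse_saml_time(value: str) -> datetime:
    """xs:dateTime as SAML writes it: UTC with a trailing Z."""
    if not value.endswith("Z"):
        raise ValueError(f"timestamp must be UTC: {value!r}")
    return datetime.fromisoformat(value[:-1]).replace(tzinfo=timezone.utc)


def check_window(el: ET.Element, now: datetime, what: str) -> None:
    """Require NotBefore and NotOnOrAfter on `el` and verify `now` lies between them."""
    not_before, not_on_or_after = el.get("NotBefore"), el.get("NotOnOrAfter")
    if not_before is None or not_on_or_after is None:
        raise ValueError(f"{what}: NotBefore and NotOnOrAfter are both required")
    if now + CLOCK_SKEW < parse_saml_time(not_before):
        raise ValueError(f"{what}: not yet valid")
    if now - CLOCK_SKEW >= parse_saml_time(not_on_or_after):
        raise ValueError(f"{what}: expired")


class AssertionValidator:
    """Validity, OneTimeUse and ID-reuse checks a relying party applies after the
    signature has been verified."""

    def __init__(self) -> None:
        self._seen: Set[Tuple[str, str]] = set()  # (issuer, assertion ID) pairs accepted so far

    def validate(self, xml_text: str, now: datetime) -> str:
        """Return the SessionIndex of an acceptable assertion, or raise ValueError."""
        root = ET.fromstring(xml_text)
        if root.tag != SAML + "Assertion":
            raise ValueError("not a SAML 2.0 Assertion")
        issuer, assertion_id = root.findtext(SAML + "Issuer"), root.get("ID")
        if not issuer or not assertion_id:
            raise ValueError("Issuer and ID are required")
        if (issuer, assertion_id) in self._seen:
            raise ValueError("assertion ID already used by this asserting party")  # APP3890

        conditions = root.find(SAML + "Conditions")
        if conditions is None:
            raise ValueError("Conditions element missing")
        one_time_use = conditions.findall(SAML + "OneTimeUse")
        if len(one_time_use) > 1:
            raise ValueError("more than one OneTimeUse in Conditions")  # APP3930
        has_window = conditions.get("NotBefore") is not None and conditions.get("NotOnOrAfter") is not None
        if not has_window and not one_time_use:
            raise ValueError("Conditions needs NotBefore/NotOnOrAfter or OneTimeUse")  # APP3920
        if has_window:
            check_window(conditions, now, "Conditions")  # APP3880

        for confirmation in root.iter(SAML + "SubjectConfirmation"):
            data = confirmation.find(SAML + "SubjectConfirmationData")
            if data is None:
                raise ValueError("SubjectConfirmation without SubjectConfirmationData")
            check_window(data, now, "SubjectConfirmationData")  # APP3910

        authn = root.find(SAML + "AuthnStatement")
        session_index = authn.get("SessionIndex") if authn is not None else None
        if not session_index:
            raise ValueError("AuthnStatement/SessionIndex missing")

        self._seen.add((issuer, assertion_id))  # remembered so a replay is refused
        return session_index


def is_acceptable(validator: AssertionValidator, xml_text: str, now: datetime) -> bool:
    """Boolean form of validate() for callers that only need the decision."""
    try:
        validator.validate(xml_text, now)
        return True
    except (ValueError, ET.ParseError):
        return False
```

The stdlib ElementTree parser is used here on constructed input; assertions arriving from the network should go through a hardened XML parser first (the same concern as APP3810). The seen-ID set must be persisted and kept at least as long as the longest NotOnOrAfter the relying party will accept, otherwise a restart reopens the replay window.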
APP3940  V0022030  II   The designer will ensure the asserting party uses FIPS approved random numbers in the generation of SessionIndex in the SAML element AuthnStatement.
APP3950  V0022031  II   The designer shall ensure messages are encrypted when the SessionIndex is tied to privacy data.
APP3960  V0019706  II   The designer will ensure the application is compliant with all DoD IT Standards Registry (DISR) IPv6 profiles.
APP3970  V0019707  II   The designer will ensure supporting application services and interfaces have been designed, or upgraded for, IPv6 transport.
APP3980  V0019708  II   The designer will ensure the application is compliant with IPv6 multicast addressing and features IPv6 network configuration options as defined in RFC 4038.
APP3990  V0019709  II   The designer will ensure the application is compliant with the IPv6 addressing scheme as defined in RFC 1884.
APP4010  V0016820  III  The Release Manager will ensure the access privileges to the configuration management (CM) repository are reviewed every 3 months.
APP4030  V0016822  II   The Release Manager will develop an SCM plan describing the configuration control and change management process of objects developed and the roles and responsibilities of the organization.
APP4040  V0016823  II   The Release Manager will establish a Configuration Control Board (CCB), that meets at least every release cycle, for managing the CM process.
APP5010  V0016824  III  The Test Manager will ensure at least one tester is designated to test for security flaws in addition to functional testing.
APP5030  V0006147  II   The Test Manager will ensure the application does not modify data files outside the scope of the application.
   Legend:
   R or RAE = Required Ancillary Equipment
   NF = Not a Finding
   NA = Not Applicable                                                                 67 of 1286
APP5040 V0016825 II The Test Manager will ensure the changes to the application are assessed for IA and accreditation impact prior to implementation.
APP5050 V0016826 II The Test Manager will ensure test plans and procedures are created and executed prior to each release of the application or updates to system patches.
APP5060 V0016827 II The Test Manager will ensure test procedures are created and at least annually executed to ensure system initialization, shutdown, and aborts are configured to ensure the system remains in a secure state.
APP5070 V0016828 III The Test Manager will ensure code coverage statistics are maintained for each release of the application.
APP5080 V0016829 II The Test Manager will ensure a code review is performed before the application is released.
APP5090 V0016830 II The Test Manager will ensure flaws found during a code review are tracked in a defect tracking system.
APP5100 V0016831 III The Test Manager will ensure fuzz testing is included in the test plans and procedures and performed for each application release based on application exposure.

APP5110 V0016832 II The Test Manager will ensure security flaws are fixed or addressed in the project plan.
APP6010 V0016833 II The IAO will ensure if an application is designated critical, the application is not hosted on a general purpose machine.
APP6020 V0016834 II The IAO shall ensure if a DoD STIG or NSA guide is not available, a third-party product will be configured by the following in descending order as available: (1) commercially accepted practices, (2) independent testing results, or (3) vendor literature.
APP6030 V0006151 II The IAO will ensure unnecessary services are disabled or removed.
APP6040 V0016835 II The IAO will ensure at least one application administrator has registered to receive update notifications, or security alerts, when automated alerts are available.
APP6050 V0016836 II The IAO will ensure the system and installed applications have current patches, security updates, and configuration settings.
APP6060 V0016837 I The IAO will ensure the application is decommissioned when maintenance or support is no longer available.
APP6070 V0016838 III Procedures are not in place to notify users when an application is decommissioned.

APP6080 V0016839 II The IAO will ensure protections against DoS attacks are implemented.
APP6090 V0016840 III The IAO will ensure the system alerts an administrator when low resource conditions are encountered.
APP6100 V0006174 II The IAO will ensure production database exports have database administration credentials and sensitive data removed before releasing the export.
APP6110 V0016841 III The IAO will review audit trails periodically based on system documentation recommendations or immediately upon system security events.
APP6120 V0016842 II The IAO will report all suspected violations of IA policies in accordance with DoD information system IA procedures.
APP6130 V0016843 III The IAO will ensure, for classified systems, application audit trails are continuously and automatically monitored, and alerts are provided immediately when unusual or inappropriate activity is detected.
APP6140 V0006173 II The IAO will ensure application audit trails are retained for at least 1 year for applications without SAMI data, and 5 years for applications including SAMI data.

APP6160 V0006171 II The IAO will ensure recovery procedures and technical system features exist so recovery is performed in a secure and verifiable manner. The IAO will document circumstances inhibiting a trusted recovery.
APP6170 V0016844 II The IAO will ensure back-up copies of the application software are stored in a fire-rated container and not collocated with operational software.
APP6180 V0016845 II The IAO will ensure procedures are in place to assure the appropriate physical and technical protection of the backup and restoration of the application.
APP6190 V0006172 II The IAO will ensure data backup is performed at required intervals in accordance with DoD policy.
APP6200 V0016846 II The IAO will ensure a disaster recovery plan exists in accordance with DoD policy based on the Mission Assurance Category (MAC).
APP6210 V0016847 II The IAO will ensure an account management process is implemented, verifying only authorized users can gain access to the application, and individual accounts designated as inactive, suspended, or terminated are promptly removed.

APP6220 V0016848 I The IAO will ensure passwords generated for users are not predictable and comply with the organization's password policy.
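The generator side of APP6220, as an added example in Go; it is not code from the checklist or from any DISA tool. Every character is drawn from the operating system CSPRNG through crypto/rand, and rand.Int gives a uniform index into the character set, so no character is favoured the way a plain modulo over a random byte would favour the low end of the set. The policy the result is checked against (15 characters minimum, at least one character from each of four classes) is an assumption for the example; the checklist states no specific policy.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
	"unicode"
)

// Assumed policy for the example; the checklist does not state one.
const (
	minLength = 15
	lower     = "abcdefghijklmnopqrstuvwxyz"
	upper     = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
	digits    = "0123456789"
	symbols   = "!@#$%^&*()-_=+[]{};:,.?/"
)

// pickChar returns one byte of set chosen uniformly at random from the
// CSPRNG. rand.Int draws a value in [0, len(set)) without modulo bias.
func pickChar(set string) (byte, error) {
	n, err := rand.Int(rand.Reader, big.NewInt(int64(len(set))))
	if err != nil {
		return 0, err
	}
	return set[n.Int64()], nil
}

// MeetsPolicy reports whether pw satisfies the assumed policy: minimum
// length and one character from each class. Anything that is not a
// letter or digit counts as a symbol.
func MeetsPolicy(pw string) bool {
	if len(pw) < minLength {
		return false
	}
	var hasLower, hasUpper, hasDigit, hasSymbol bool
	for _, r := range pw {
		switch {
		case unicode.IsLower(r):
			hasLower = true
		case unicode.IsUpper(r):
			hasUpper = true
		case unicode.IsDigit(r):
			hasDigit = true
		default:
			hasSymbol = true
		}
	}
	return hasLower && hasUpper && hasDigit && hasSymbol
}

// GeneratePassword returns a password of the requested length that passes
// MeetsPolicy. It generates uniformly and rejects non-compliant results
// rather than forcing one character of each class into fixed positions,
// which would give an attacker who knows the generator a head start.
func GeneratePassword(length int) (string, error) {
	if length < minLength {
		return "", errors.New("requested length is below the policy minimum")
	}
	all := lower + upper + digits + symbols
	for attempt := 0; attempt < 100; attempt++ {
		buf := make([]byte, length)
		for i := range buf {
			c, err := pickChar(all)
			if err != nil {
				return "", err
			}
			buf[i] = c
		}
		if pw := string(buf); MeetsPolicy(pw) {
			return pw, nil
		}
	}
	return "", errors.New("could not satisfy the policy; check the character sets")
}

func main() {
	pw, err := GeneratePassword(20)
	if err != nil {
		panic(err)
	}
	fmt.Println(pw)
}
```

The same MeetsPolicy check can be applied to passwords chosen by users; the generate-and-reject loop exits almost immediately at these lengths because a random 15-character string fails the class requirement only rarely.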
APP6230 V0016849 II The IAO will ensure the application's users do not use shared accounts.
APP6240 V0006132 III The IAO will ensure all user accounts are disabled which are authorized to have access to the application but have not authenticated within the past 30 days.
APP6250 V0006133 II The IAO will ensure unnecessary built-in application accounts are disabled.
APP6260 V0006134 I The IAO will ensure default passwords are changed.
APP6270 V0016850 II The IAO will ensure connections between DoD enclaves and the Internet or other public or commercial wide area networks require a DMZ.
APP6280 V0019687 I The IAO will ensure web servers are on logically separate network segments from the application and database servers if it is a tiered application.

APP6290 V0019688 I The designer and the IAO will ensure physical operating system separation and physical application separation is employed between servers of different data types in the web tier of Increment 1/Phase 1 deployment of the DoD DMZ for Internet-facing applications.
APP6300 V0019694 II The IAO will ensure an XML firewall is deployed to protect web services.
APP6310 V0019699 II The IAO will ensure web service inquiries to UDDI provide read-only access to the registry to anonymous users.
APP6320 V0019700 II The IAO will ensure that, if the UDDI registry contains sensitive information, read access to the UDDI registry is granted only to authenticated users.

Application Services Checklist V1R1.1 (21 Sep 06)                       <Test> - TN <Ticket Number>


  PDI    VMSID CAT           Requirement                    Vulnerability   Status   Finding Notes
APS0110 V0006199 II Application server does not utilize a Public Key Infrastructure (PKI).
APS0130 V0006200 I The application server or a served application does not verify the following when presented with a PKI certificate: 1. Revoked certificate 2. Invalid certificate 3. Improperly signed certificate. Application Server/Application Name(s):
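The three checks APS0130 lists, as an added example in Go using only the standard library; this is not code from the checklist or from any application server. It builds an in-memory CA, a CRL issued by that CA, and four client certificates: one good, one expired, one revoked, and one issued by a second CA of the same name that is not in the trust store (a well-formed signature that does not chain to a trusted root). Names, serial numbers and the fixed clock are constructed for the example. The CRL is trusted only after its own signature is checked against the CA, and a CRL past its NextUpdate causes rejection rather than an accept, since at that point revocation status is unknown.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// issue signs tmpl for pub with signer's key; parent == tmpl gives a self-signed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

// CheckClientCert applies the three APS0130 checks: chain correctly signed by
// a trusted root, within its validity period at now, and not on the CA's CRL.
func CheckClientCert(leaf, ca *x509.Certificate, crlDER []byte, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("chain validation failed: %w", err) // expired, or not signed by a trusted CA
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	// The CRL counts only if the CA signed it and it is still current; past
	// NextUpdate the revocation status is unknown, so fail closed.
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return fmt.Errorf("CRL not signed by issuer: %w", err)
	}
	if now.After(crl.NextUpdate) {
		return errors.New("CRL is past NextUpdate; revocation status unknown")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return errors.New("certificate is revoked")
		}
	}
	return nil
}

// BuildScenario returns a constructed CA, its CRL, the client certificates
// keyed good/expired/revoked/rogue, and the fixed clock they were built for.
func BuildScenario() (*x509.Certificate, []byte, map[string]*x509.Certificate, time.Time) {
	now := time.Date(2024, 1, 15, 12, 0, 0, 0, time.UTC) // fixed clock for the example
	year := 365 * 24 * time.Hour
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Issuing CA"}, // hypothetical name
		NotBefore: now.Add(-24 * time.Hour), NotAfter: now.Add(10 * year),
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, BasicConstraintsValid: true, IsCA: true,
	}
	caKey := newKey()
	ca := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	// A second CA with the same name but its own key: certificates it issues
	// carry a well-formed signature that does not chain to the trusted root.
	rogueKey := newKey()
	rogueCA := issue(caTmpl, caTmpl, &rogueKey.PublicKey, rogueKey)
	leaf := func(serial int64, notAfter time.Time) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: "client.example"}, // hypothetical
			NotBefore: now.Add(-time.Hour), NotAfter: notAfter,
			KeyUsage:    x509.KeyUsageDigitalSignature,
			ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		}
	}
	userKey := newKey()
	crlDER := must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now.Add(-time.Hour), NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(12), RevocationTime: now.Add(-time.Hour)}},
	}, ca, caKey))
	certs := map[string]*x509.Certificate{
		"good":    issue(leaf(10, now.Add(year)), ca, &userKey.PublicKey, caKey),
		"expired": issue(leaf(11, now.Add(-time.Minute)), ca, &userKey.PublicKey, caKey),
		"revoked": issue(leaf(12, now.Add(year)), ca, &userKey.PublicKey, caKey),
		"rogue":   issue(leaf(13, now.Add(year)), rogueCA, &userKey.PublicKey, rogueKey),
	}
	return ca, crlDER, certs, now
}

func main() {
	ca, crl, certs, now := BuildScenario()
	for _, name := range []string{"good", "expired", "revoked", "rogue"} {
		fmt.Printf("%-8s %v\n", name, CheckClientCert(certs[name], ca, crl, now))
	}
}
```

In a deployed server the CA, the CRL and the clock come from the trust store, the CRL distribution point and the system time; the split into CheckClientCert and BuildScenario keeps the verification logic testable against each of the three failure cases on its own.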

APS0140 V0006202 II Passwords are not encrypted at logon. Passwords are not required to meet complexity requirements. Passwords are not changeable by the user. Accounts are not protected by lockout on failed logon attempts.
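The lockout-on-failed-logon control from APS0140, as an added example in Go that is not the application server's own code. The thresholds (three failures within 15 minutes lock the account for 30 minutes) are assumed values for illustration; the checklist states none. The caller passes the clock in so the behaviour is deterministic, failures older than the window stop counting, and a correct password presented during the lockout period is still refused, since otherwise the lockout adds nothing against an online guessing attack.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// Assumed thresholds for the example; the checklist states no numbers.
const (
	maxFailures   = 3
	failureWindow = 15 * time.Minute
	lockoutPeriod = 30 * time.Minute
)

type accountState struct {
	failures    int       // failures counted in the current window
	windowStart time.Time // when the current window opened
	lockedUntil time.Time // zero when not locked
}

// Lockout tracks failed logons per account. Callers pass the clock in,
// which keeps the logic deterministic and testable.
type Lockout struct {
	mu       sync.Mutex
	accounts map[string]*accountState
}

func NewLockout() *Lockout { return &Lockout{accounts: make(map[string]*accountState)} }

// IsLocked reports whether logons for user must be refused at now.
func (l *Lockout) IsLocked(user string, now time.Time) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	st, ok := l.accounts[user]
	return ok && now.Before(st.lockedUntil)
}

// RecordFailure counts one failed logon and reports whether the account is
// now locked. Failures older than failureWindow no longer count.
func (l *Lockout) RecordFailure(user string, now time.Time) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	st, ok := l.accounts[user]
	if !ok {
		st = &accountState{}
		l.accounts[user] = st
	}
	if now.Before(st.lockedUntil) {
		return true
	}
	if st.failures == 0 || now.Sub(st.windowStart) > failureWindow {
		st.failures, st.windowStart = 0, now
	}
	st.failures++
	if st.failures >= maxFailures {
		st.lockedUntil = now.Add(lockoutPeriod)
		st.failures = 0
		return true
	}
	return false
}

// RecordSuccess clears the failure counter. It leaves an active lockout in
// place; only the passage of time ends a lockout.
func (l *Lockout) RecordSuccess(user string) {
	l.mu.Lock()
	defer l.mu.Unlock()
	if st, ok := l.accounts[user]; ok {
		st.failures = 0
	}
}

// Attempt is what a logon handler calls. passwordOK is the credential check
// the caller already performed; a correct password is still refused while
// the account is locked, otherwise the lockout gives no protection.
func (l *Lockout) Attempt(user string, passwordOK bool, now time.Time) bool {
	if l.IsLocked(user, now) {
		return false
	}
	if passwordOK {
		l.RecordSuccess(user)
		return true
	}
	l.RecordFailure(user, now)
	return false
}

func main() {
	l := NewLockout()
	t0 := time.Date(2024, 1, 1, 9, 0, 0, 0, time.UTC)
	for i := 0; i < 3; i++ {
		fmt.Println("wrong password accepted?", l.Attempt("alice", false, t0.Add(time.Duration(i)*time.Minute)))
	}
	fmt.Println("right password during lockout accepted?", l.Attempt("alice", true, t0.Add(10*time.Minute)))
	fmt.Println("right password after lockout accepted?", l.Attempt("alice", true, t0.Add(40*time.Minute)))
}
```

The state here lives in memory, which is enough for one server; behind a load balancer it has to live in a shared store or an attacker simply spreads guesses across instances.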

APS0210 V0006203 II The following default usernames and passwords have not been modified from their default values:
APS0320 V0006205 II Sensitive data is not encrypted with NIST-validated or NSA-approved cryptography.
APS0350 V0006208 II The application server is not configured to encrypt sensitive data in transit.

APS0410 V0006209 II Auditing is not enabled for the application server. Auditing is not configured to include logon events. Auditing is not configured to include attempts to access security files. Auditing is not configured to include actions taken in response to failed l
APS0510 V0006210 II The application server administrator role has been assigned to unauthorized personnel.
APS0530 V0006212 II If session time limits are enforced by applications or other means external to the application server, then this check is NA. If the applications are dependent on the application server to employ session time limits and this is not configured to a limit of 24 hours or less.
APS0540 V0012304 II The application server serves data of different classification levels to different audiences. The application server does not provide protection through separation to applications serving data of different sensitivity to different audiences.

APS0560 V0012322 II External interfaces are defined on the application server that are not identified in the functional architecture for the application. Protection mechanisms configured for the interface are not sufficient for the data being exchanged.
APS0570 V0012308 II Hyperlinks are not approved prior to incorporation in the application server content.
APS0590 V0012310 II The web page does not identify content obtained from remote systems.
APS0615 V0012312 II Application server software and data are not located in separate directories.
APS0630 V0012323 I The application server software is not a supported version.
APS0640 V0012313 II A migration plan to upgrade from an unsupported version does not exist.
APS0670 V0012316 II A baseline of the application server software directories and files is not maintained.
APS0720 V0012319 II A public WebLogic Platform server is not installed in a DMZ.
APS0730 V0006220 II The application services are not addressed in a disaster recovery plan.
APS0740 V0006221 II The application server software and data are not included in the site or system backup strategy.

ASG0520 V0006211 II The application server process runs with privileges not necessary for proper operation.
ASG0540 V0006213 II A classification guide does not exist for the application.
ASG0550 V0006214 II The application does not mark printed and displayed output with appropriate classification labels.
ASG0750 V0006222 II A process does not exist to ensure application server log files are retained for at least one year.
ASG0760 V0006223 II Application server does not have an assigned IAO or IAM.
ASJ0120 V0006201 II Application server utilizes unapproved DOD PKI certificates.
ASJ0330 V0006206 II Java file permissions are not adequately restrictive.
ASJ0840 V0011810 II Java cryptography is inadequate, implementing poor entropy.
AST0310 V0006204 II Sensitive application data is not adequately protected at rest.
AST0340 V0006207 II OS level file permissions are not adequately restrictive.
AST0560 V0006215 I Application Security Manager is not turned on.
AST0580 V0006216 II Shutdown restriction's default password has not been changed.
AST0610 V0006217 II Application server default content has not been removed.
AST0710 V0006218 I Application server may be controlled from outside the enclave.

AST0720 V0006219 II Java socket permissions are inadequate.
AST0820 V0006225 II Admin and Manager Web Applications are not adequately restrictive.
AST0830 V0011828 II Application server's directory listing is enabled.
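What AST0830 flags, shown in Go's standard http.FileServer, which renders an HTML listing of any directory that has no index.html, beside a hardened wrapper that refuses such requests. This is an added example, not code from the checklist or from any application server; the document root (public/index.html and uploads/report.txt, the latter with no index file) is constructed in a temporary directory for the example. Probe issues the request in memory so the comparison runs without a listening socket.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"os"
	"path"
	"path/filepath"
	"strings"
)

// VulnerableHandler is the stock configuration: http.FileServer renders an
// HTML listing for any directory that has no index.html.
func VulnerableHandler(root string) http.Handler {
	return http.FileServer(http.Dir(root))
}

// NoListingHandler serves the same files but answers 404 for a directory
// that has no index.html, so a probe learns neither the listing nor whether
// the directory exists. Files and index pages are still served.
func NoListingHandler(root string) http.Handler {
	fs := http.FileServer(http.Dir(root))
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		clean := path.Clean("/" + r.URL.Path) // collapses ".." so it cannot escape root
		target := filepath.Join(root, filepath.FromSlash(clean))
		if info, err := os.Stat(target); err == nil && info.IsDir() {
			if _, err := os.Stat(filepath.Join(target, "index.html")); err != nil {
				http.NotFound(w, r)
				return
			}
		}
		fs.ServeHTTP(w, r)
	})
}

// Probe sends an in-memory GET and reports the status code and whether the
// body is a FileServer directory listing (a <pre> block of links).
func Probe(h http.Handler, urlPath string) (status int, listing bool) {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, urlPath, nil))
	body := rec.Body.String()
	return rec.Code, strings.Contains(body, "<pre>") && strings.Contains(body, "<a href=")
}

// BuildSiteRoot writes a constructed document root to a temporary directory:
// public/index.html (has an index) and uploads/report.txt (no index).
func BuildSiteRoot() (string, error) {
	root, err := os.MkdirTemp("", "site")
	if err != nil {
		return "", err
	}
	files := map[string]string{
		"public/index.html":  "<h1>welcome</h1>",
		"uploads/report.txt": "internal report (constructed sample)",
	}
	for rel, content := range files {
		p := filepath.Join(root, filepath.FromSlash(rel))
		if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
			return "", err
		}
		if err := os.WriteFile(p, []byte(content), 0o644); err != nil {
			return "", err
		}
	}
	return root, nil
}

func main() {
	root, err := BuildSiteRoot()
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	for _, h := range []struct {
		name string
		h    http.Handler
	}{{"default", VulnerableHandler(root)}, {"hardened", NoListingHandler(root)}} {
		code, listing := Probe(h.h, "/uploads/")
		fmt.Printf("%-8s GET /uploads/ -> %d listing=%v\n", h.name, code, listing)
	}
}
```

Returning 404 rather than 403 is deliberate: a 403 confirms that the directory exists, which is exactly the reconnaissance value a listing check is meant to deny.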




  PDI      VMSID     CAT           Requirement               Vulnerability   Status   Finding Notes

DTBG003 V0006227 I The installed version of IE is unsupported.
DTBG007 V0006317 II IE is not capable of using 128-bit encryption.
DTBG010 V0006318 II The DOD Root Certificate is not installed.
DTBI001 V0006228 II The IE home page is not set to blank, a local file, or a trusted site.
DTBI002 V0006229 II IE Local zone security parameter is set incorrectly.
DTBI003 V0006230 II The IE Trusted sites zone security parameter is set incorrectly.
DTBI004 V0006231 II The IE Internet zone security parameter is set incorrectly.
DTBI005 V0006232 II The IE Restricted sites zone security parameter is set incorrectly.
DTBI006 V0006233 II The IE Local zone includes parameter is not set correctly.
DTBI007 V0006234 II The IE third party cookies parameter is not set correctly.
DTBI010 V0017296 II Prevent performance of First Run Customize settings is not enabled.
DTBI011 V0007006 II The IE search parameter is not set correctly.
DTBI012 V0006236 II The IE signature checking parameter is not set correctly.
DTBI013 V0006237 II The IE save encrypted pages to disk parameter is not set correctly.
DTBI014 V0006238 II The IE SSL/TLS parameter is not set correctly.
DTBI015 V0006239 II The IE warning of invalid certificates parameter is not set correctly.
DTBI016 V0006240 II The IE changing zones parameter is not set correctly.
DTBI017 V0006241 II The IE form redirect parameter is not set correctly.
DTBI021 V0006242 II Users can change the advanced settings in IE.
DTBI022 V0006243 II The Download signed ActiveX controls property is not set properly for the Internet Zone.
DTBI023 V0006244 II The Download unsigned ActiveX controls property is not set properly for the Internet Zone.
DTBI024 V0006245 II The Initialize and script ActiveX controls not marked as safe property is not set properly for the Internet Zone.
DTBI025 V0016879 II The Download signed ActiveX controls property is not set properly for the Lockdown Zone.
DTBI026 V0006246 II The Script ActiveX controls marked safe for scripting property is not set properly for the Internet Zone.
DTBI030 V0006248 II The Font download control is not set properly for the Internet Zone.
DTBI031 V0006249 II The Java Permissions is not set properly for the Internet Zone.
DTBI032 V0006250 II The Access data sources across domains is not set properly for the Internet Zone.
DTBI034 V0006251 II The Display mixed content is not set properly for the Internet Zone.
DTBI035 V0006252 II The Don't prompt for client certificate selection when no certificate or only one certificate exists is not set properly for the Internet Zone.
DTBI036 V0006253 II The Allow Drag and drop or copy and paste files is not set properly for the Internet Zone.
DTBI037 V0006254 II The Installation of desktop items is not set properly for the Internet Zone.
DTBI038 V0006255 II The Launching programs and files in IFRAME is not set properly for the Internet Zone.
DTBI039 V0006256 II The Navigate windows and frames across different domains is not set properly for the Internet Zone.
DTBI040 V0006257 II The Software channel permissions is not set properly for the Internet Zone.
DTBI041 V0006258 II The Submit non-encrypted form data is not set properly for the Internet Zone.
DTBI042 V0006259 II The Userdata persistence is not set properly for the Internet Zone.
DTBI044 V0006260 II The Allow paste operations via script is not set properly for the Internet Zone.
DTBI045 V0006261 II The Scripting of Java applets is not set properly for the Internet Zone.
DTBI046 V0006262 II The User Authentication - Logon is not set properly for the Internet Zone.
DTBI052 V0006263 II The Download signed ActiveX controls property is not set properly for the Local Zone.
DTBI053 V0006264 II The Download unsigned ActiveX controls property is not set properly for the Local Zone.
DTBI054 V0006265 II The Initialize and script ActiveX controls not marked as safe property is not set properly for the Local Zone.
DTBI056 V0006266 II The Script ActiveX controls marked safe for scripting property is not set properly for the Local Zone.
DTBI061 V0006267 II The Java Permissions is not set properly for the Local Zone.
DTBI062 V0006268 II The Access data sources across domains is not set properly for the Local Zone.
DTBI065 V0006271 II The Don't prompt for client certificate selection when no certificate or only one certificate exists is not set properly for the Local Zone.
DTBI067 V0006272 II The Installation of desktop items is not set properly for the Local Zone.
DTBI068 V0006273 II The Launching programs and files in IFRAME is not set properly for the Local Zone.
DTBI070 V0006274 II The Software channel permissions is not set properly for the Local Zone.
DTBI074 V0006275 II The Allow paste operations via script is not set properly for the Local Zone.
DTBI076 V0006276 II The User Authentication - Logon is not set properly for the Local Zone.
DTBI082 V0006277 II The Download signed ActiveX controls property is not set properly for the Trusted Sites Zone.
DTBI083 V0006278 II The Download unsigned ActiveX controls property is not set properly for the Trusted Sites Zone.
DTBI084 V0006279 II The Initialize and script ActiveX controls not marked as safe property is not set properly for the Trusted Sites Zone.
DTBI086 V0006280 II The ActiveX controls marked safe for scripting property is not set properly for the Trusted Sites Zone.
DTBI091 V0006281 II The Java Permissions is not set properly for the Trusted Sites Zone.
DTBI092 V0006282 II The Access data sources across domains is not set properly for the Trusted Sites Zone.
DTBI095 V0006283 II The Don't prompt for client certificate selection when no certificate or only one certificate exists is not set properly for the Trusted Sites Zone.
DTBI097 V0006284 II The Installation of desktop items is not set properly for the Trusted Sites Zone.
DTBI098 V0006285 II The Launching programs and files in IFRAME is not set properly for the Trusted Sites Zone.

DTBI100   V0006286    II   The Software channel
                           permissions is not set
                           properly for the Trusted Sites
                           Zone.
DTBI1010 V0022687     II   Internet Explorer Processes
                           Restrict ActiveX Install
                           (Explorer) property is
                           properly set.
DTBI1020 V0022688     II   Internet Explorer Processes
                           Restrict ActiveX Install
                           (IExplore) property is
                           properly set.
DTBI104   V0006287    II   The Allow paste operations
                           via script is not set properly
                           for the Trusted Sites Zone.

DTBI106   V0006288    II   The User Authentication -
                           Logon is not set properly for
                           the Trusted Sites Zone.
DTBI112   V0006289    II   The Download signed
                           ActiveX controls property is
                           not set properly for the
                           Restricted Sites Zone.
DTBI113   V0006290    II   The Download unsigned
                           ActiveX controls property is
                           not set properly for the
                           Restricted Sites Zone.
DTBI114   V0006291    II   The Initialize and script
                           ActiveX controls not marked
                           as safe property is not set
                           properly for the Restricted
                           Sites Zone.
DTBI115   V0006292    II   Run ActiveX controls and
                           plug-ins property is not set
                           properly for the Restricted
                           Sites Zone.
DTBI116   V0006293    II   The Script ActiveX controls
                           marked safe for scripting
                           property is not set properly
                           for the Restricted Sites Zone.

DTBI119   V0006294    II   The File download control is
                           not set properly for the
                           Restricted Sites Zone.
DTBI120   V0006295    II   The Font download control is
                           not set properly for the
                           Restricted Sites Zone.
DTBI121   V0007007    II   The Java Permissions is not
                           set properly for the
                           Restricted Sites Zone.

DTBI122   V0006297    II   The Access data sources
                           across domains is not set
                           properly for the Restricted
                           Sites Zone.
DTBI123   V0006298    II   The Allow META REFRESH
                           is not set properly for the
                           Restricted Sites Zone.

DTBI124   V0006299    II   The Display mixed content is
                           not set properly for the
                           Restricted Sites Zone.
DTBI125   V0006300    II   The Don’t prompt for client
                           certificate selection when no
                           certificate or only one
                           certificate exists is not set
                           properly for the Restricted
                           Sites Zone.
DTBI126   V0006301    II   The Drag and drop or copy
                           and paste files is not set
                           properly for the Restricted
                           Sites Zone.
DTBI127   V0006302    II   The Installation of desktop
                           items is not set properly for
                           the Restricted Sites Zone.

DTBI128   V0006303    II   The Launching programs
                           and files in IFRAME is not
                           set properly for the
                           Restricted Sites Zone.
DTBI129   V0006304    II   The Navigate windows and
                           frames across different
                           domains is not set properly
                           for the Restricted Sites Zone.

DTBI130   V0006305    II   The Software channel
                           permissions is not set
                           properly for the Restricted
                           Sites Zone.
DTBI131   V0006306    II   The Submit non-encrypted
                           form data is not set properly
                           for the Restricted Sites Zone.

DTBI132   V0006307    II   The Userdata persistence is
                           not set properly for the
                           Restricted Sites Zone.
DTBI133   V0006308    II   The Active scripting is not
                           set properly for the
                           Restricted Sites Zone.
DTBI134   V0006309    II   The Allow paste operations
                           via script is not set properly
                           for the Restricted Sites Zone.

DTBI135   V0006310    II   The Scripting of Java applets
                           is not set properly for the
                           Restricted Sites Zone.

DTBI136   V0006311    II   The User Authentication
                           Logon is not set properly for
                           the Restricted Sites Zone.

DTBI137   V0003433   III   Internet Explorer is
                           configured to notify users
                           when programs are modified
                           through the software
                           distribution channel.

DTBI140   V0006319    II   The Error Reporting tool for
                           IE is installed or enabled.
DTBI150   V0006312    II   The Microsoft Java VM is
                           installed.
DTBI151   V0006313    II   The Cipher setting for DES
                           56/56 is not set properly.
DTBI152   V0006314    II   The Cipher setting for Null is
                           not set properly.
DTBI153   V0006315    II   The Cipher setting for Triple
                           DES is not set properly.

DTBI160   V0006316    II   The Hash setting for SHA is
                           not set properly.
DTBI300   V0021887    II   Disable Configuring History -
                           History setting is not set to
                           40 days.
DTBI305   V0015490    II   Automatic configuration of
                           Internet Explorer is not
                           disabled.
DTBI315   V0015492    II   Prevent participation in the
                           Customer Experience
                           Improvement Program is not
                           disabled.
DTBI316   V0003431    II   Internet Explorer is
                           configured to allow
                           Automatic Install of
                           components.
DTBI317   V0003432    II   Internet Explorer is
                           configured to automatically
                           check for updates.
DTBI318   V0003429    II   Internet Explorer is
                           configured to allow users to
                           add/delete sites.
DTBI319   V0003428    II   Internet Explorer is
                           configured to allow users to
                           change policies.

DTBI320   V0003427    II   Internet Explorer is not
                           configured to require
                           consistent security zone
                           settings to all users.
DTBI325   V0015494    II   Turn off the Security Settings
                           Check feature is not disabled.

DTBI330   V0015495    II   Turn off Managing Phishing
                           filter is not disabled.
DTBI340   V0015497    II   Allow active content from
                           CDs to run on user
                           machines is not disabled.
DTBI350   V0015499    II   Allow software to run or
                           install even if the signature is
                           invalid is not disabled.
DTBI355   V0015500    II   Allow third-party browser
                           extensions is not disabled.

DTBI365   V0015502    II   Check for server certificate
                           revocation is not enabled.
DTBI367   V0003430   III   Internet Explorer is not
                           configured to disable making
                           Proxy Settings Per Machine.

DTBI370   V0015503    II   Check for signatures on
                           downloaded programs is not
                           enabled.
DTBI375   V0015504    II   Intranet Sites: Include all
                           network paths (UNCs) is
                           disabled.
DTBI385   V0015507    II   Allow script-initiated windows
                           without size or position
                           constraints for Internet Zone
                           is not disabled.

DTBI390   V0015508    II   Allow script-initiated windows
                           without size or position
                           constraints for Restricted
                           Sites Zone is not disabled.

DTBI395   V0015509    II   Allow Scriptlets is not
                           disabled.
DTBI415   V0015513    II   Automatic prompting for file
                           downloads is not enabled.

DTBI425   V0015515    II   Java permissions for my
                           computer are not disabled.
DTBI430   V0015516    II   Java permissions for my
                           computer group policy are
                           not disabled.
DTBI435   V0015517    II   Java permissions for group
                           policy for Local Intranet Zone
                           are not disabled.

DTBI440   V0015518    II   Java permissions for group
                           policy for Trusted Sites Zone
                           are not disabled.
DTBI445   V0015519    II   Java permissions for group
                           policy for Internet Zone are
                           not disabled.
DTBI450   V0015520    II   Java permissions for group
                           policy for Restricted Sites
                           Zone are not disabled.
DTBI455   V0015521    II   Loose XAML files for Internet
                           Zone are not disabled.

DTBI460   V0015522    II   Loose XAML files for
                           Restricted Sites Zone are
                           not disabled.
DTBI465   V0015523    II   Open files based on content,
                           not file extension for Internet
                           Zone is not disabled.

DTBI470   V0015524    II   Open files based on content,
                           not file extension for
                           Restricted Sites Zone is not
                           disabled.
DTBI475   V0015525    II   Turn Off First-Run Opt-In for
                           Internet Zone is not disabled.

DTBI480   V0015526    II   Turn Off First-Run Opt-In for
                           Restricted Sites Zone is not
                           disabled.
DTBI485   V0015527    II   Turn on Protected Mode
                           Internet Zone is not enabled.

DTBI490   V0015528    II   Turn on Protected Mode for
                           Restricted Sites Zone is not
                           enabled.
DTBI495   V0015529    II   Use Pop-up Blocker for
                           Internet Zone is not enabled.

DTBI500   V0015530    II   Use Pop-up Blocker for
                           Restricted Sites Zone is not
                           enabled.
DTBI515   V0015533    II   Web sites in less privileged
                           Web content zones can
                           navigate into Internet Zone is
                           not disabled.

DTBI520   V0015534    II   Web sites in less privileged
                           Web content zones can
                           navigate into Restricted
                           Sites Zone is not disabled.

DTBI575   V0015545    II   Allow binary and script
                           behaviors is not disabled.

DTBI580   V0015546    II   Automatic prompting for file
                           downloads is not enabled.

DTBI590   V0015548    II   Internet Explorer Processes
                           for MIME handling is not
                           enabled. (Reserved)

DTBI592   V0015565    II   Internet Explorer Processes
                           for MIME handling is not
                           enabled. (Explorer)

DTBI594   V0015566    II   Internet Explorer Processes
                           for MIME handling is not
                           enabled. (IExplore)

DTBI595   V0015549    II   Internet Explorer Processes
                           for MIME sniffing is not
                           enabled. (Reserved)

DTBI596   V0015603    II   Internet Explorer Processes
                           for MIME sniffing is not
                           enabled. (Explorer)

DTBI597   V0015604    II   Internet Explorer Processes
                           for MIME sniffing is not
                           enabled. (IExplore)

DTBI599   V0015568    II   Internet Explorer Processes
                           for MK protocol is not
                           enabled. (Reserved)
DTBI600   V0015550    II   Internet Explorer Processes
                           for MK protocol is not
                           enabled. (Explorer)
DTBI605   V0015551    II   Internet Explorer Processes
                           for MK protocol is not
                           enabled. (IExplore)
DTBI610   V0015552    II   Internet Explorer Processes
                           for Zone Elevation is not
                           enabled. (Reserved)

DTBI612   V0015569    II   Internet Explorer Processes
                           for Zone Elevation is not
                           enabled. (Explorer)

DTBI614   V0015570    II   Internet Explorer Processes
                           for Zone Elevation is not
                           enabled. (IExplore)

DTBI630   V0015556    II   Internet Explorer Processes
                           for Download prompt is not
                           enabled. (Reserved)

DTBI635   V0015557    II   Internet Explorer Processes
                           for Download prompt is not
                           enabled. (Explorer)

DTBI640   V0015558    II   Internet Explorer Processes
                           for Download prompt is not
                           enabled. (IExplore)

DTBI645   V0015559    II   Internet Explorer Processes
                           for restricting pop-up
                           windows is not enabled.
                           (Reserved)
DTBI647   V0015571    II   Internet Explorer Processes
                           for restricting pop-up
                           windows is not enabled.
                           (Explorer)
DTBI649   V0015572    II   Internet Explorer Processes
                           for restricting pop-up
                           windows is not enabled.
                           (IExplore)
DTBI650   V0015560    II   Run .NET Framework-reliant
                           components not signed with
                           Authenticode is not
                           disabled.
DTBI655   V0015561    II   Run .NET Framework-reliant
                           components signed with
                           Authenticode is not
                           disabled.
DTBI670   V0015562    II   Scripting of Java applets is
                           not disabled.
DTBI675   V0015563    II   Turn off changing the URL to
                           be displayed for checking
                           updates to Internet Explorer
                           and Internet Tools is not
                           disabled.

DTBI680   V0015564    II   Turn off configuring the
                           update check interval is not
                           disabled.
DTBI690   V0015574    II   Disable AutoComplete for
                           forms is not enabled.
DTBI695   V0015575    II   Disable external branding of
                           Internet Explorer is not
                           enabled.
DTBI697   V0014245   III   Internet Explorer - Do not
                           allow users to enable or
                           disable add-ons.
DTBI705   V0015577    II   Disable the Reset Web
                           Settings feature is not
                           enabled.
DTBI715   V0015579    II   Turn off Crash Detection is
                           not enabled.

DTBI720   V0015580    II   Turn off page transitions is
                           not enabled.
DTBI725   V0015581    II   Turn on the auto-complete
                           feature for user names and
                           passwords on forms is not
                           disabled.
DTBI730   V0015582    II   Turn on the Internet
                           Connection Wizard Auto
                           Detect is not disabled.
DTBI740   V0022108    II   Turn off Managing
                           SmartScreen Filter property
                           is not properly set.
DTBI750   V0022147   III   Include updated Web site
                           lists from Microsoft is
                           disabled.
DTBI760   V0022148    II   Delete Browsing History on
                           exit is disabled.
DTBI770   V0022149    II   Prevent Deleting Web sites
                           that the User has Visited is
                           enabled.
DTBI780   V0022150    II   Turn off InPrivate Browsing
                           is enabled.
DTBI800   V0022152    II   Allow scripting of Internet
                           Explorer web browser
                           control property is set
                           (Internet Zone).
DTBI810   V0022153    II   Include local directory path
                           when uploading files to a
                           server property is properly
                           set.
DTBI820   V0022154    II   Launching programs and
                           unsafe files property is
                           properly set (Internet Zone).
DTBI830   V0022155    II   Only allow approved
                           domains to use ActiveX
                           controls without prompt
                           property is properly set
                           (Internet Zone).
DTBI840   V0022156    II   Turn on Cross-Site Scripting
                           (XSS) Filter property is
                           properly set (Internet Zone).

DTBI850   V0022157    II   Allow scripting of Internet
                           Explorer web browser
                           control property is properly
                           configured (Restricted Sites
                           Zone).
DTBI860   V0022158    II   Include local directory path
                           when uploading files to a
                           server is properly set
                           (Restricted Sites Zone).

DTBI870   V0022159    II   Launching programs and
                           unsafe files property is
                           properly set (Restricted Sites
                           Zone).
DTBI880   V0022160    II   Only allow approved
                           domains to use ActiveX
                           controls without prompt
                           property is properly set
                           (Restricted Sites Zone).
DTBI890   V0022161    II   Turn on Cross-Site Scripting
                           (XSS) Filter property is
                           properly set (Restricted Sites
                           Zone).
DTBI900   V0022171    II   Internet Explorer Processes
                           Restrict ActiveX Install
                           (Reserved) property is
                           properly set.
DTBI910   V0022634    II   Allow status bar updates via
                           script (Internet Zone)
                           property is properly set.
DTBI920   V0022635    II   Run .NET Framework-reliant
                           components not signed with
                           Authenticode (Internet Zone)
                           property is properly set.

DTBI930   V0022636    II   Run .NET Framework-reliant
                           components signed with
                           Authenticode (Internet Zone)
                           property is properly set.

DTBI940   V0022637    II   Allow Scriptlets (Restricted
                           Sites Zone) property is
                           properly set.
DTBI950   V0022638    II   Allow status bar updates via
                           script (Restricted Sites Zone)
                           property is properly set.
Section (Internet Explorer versions each check applies to). This column was
detached from its rows during extraction and is re-associated here by page and
row order, with the checklist PDI given for each value. Where the original reads
"IE8, IE7, IE6" the value is written IE8/IE7/IE6.

  Rows that precede DTBI074 (earlier in the table), in extracted page order:
    IE6, IE6, IE7/IE6, IE6, IE6, IE6, IE6, IE6, IE6, IE6, IE8/IE7, IE6, IE6,
    IE6, IE6, IE6, IE6, IE6, IE6
    IE8/IE7/IE6, IE8/IE7/IE6, IE8/IE7/IE6, IE8/IE7/IE6, IE6, IE8/IE7/IE6,
    IE8/IE7/IE6, IE8/IE7/IE6, IE6, IE6, IE8/IE7/IE6, IE8/IE7/IE6, IE8/IE7/IE6
    IE8/IE7/IE6, IE8/IE7/IE6, IE6, IE8/IE7/IE6, IE8/IE7/IE6, IE6, IE8/IE7/IE6,
    IE6, IE6, IE6, IE6, IE8/IE7/IE6, IE6, IE6
    IE6, IE6, IE6

  PDI        Section
  DTBI074    IE6
  DTBI076    IE6
  DTBI082    IE6
  DTBI083    IE6
  DTBI084    IE6
  DTBI086    IE6
  DTBI091    IE8/IE7/IE6
  DTBI092    IE6
  DTBI095    IE6
  DTBI097    IE6
  DTBI098    IE6
  DTBI100    IE6
  DTBI1010   IE8
  DTBI1020   IE8
  DTBI104    IE6
  DTBI106    IE6
  DTBI112    IE8/IE7/IE6
  DTBI113    IE8/IE7/IE6
  DTBI114    IE8/IE7/IE6
  DTBI115    IE8/IE7/IE6
  DTBI116    IE8/IE7/IE6
  DTBI119    IE8/IE7/IE6
  DTBI120    IE8/IE7/IE6
  DTBI121    IE8/IE7/IE6
  DTBI122    IE8/IE7/IE6
  DTBI123    IE8/IE7/IE6
  DTBI124    IE6
  DTBI125    IE6
  DTBI126    IE8/IE7/IE6
  DTBI127    IE8/IE7/IE6
  DTBI128    IE8/IE7/IE6
  DTBI129    IE8/IE7/IE6
  DTBI130    IE8/IE7/IE6
  DTBI131    IE6
  DTBI132    IE8/IE7/IE6
  DTBI133    IE8/IE7/IE6
  DTBI134    IE8/IE7/IE6
  DTBI135    IE6
  DTBI136    IE8/IE7/IE6
  DTBI137    IE6
  DTBI140    IE6
  DTBI150    IE6
  DTBI151    IE6
  DTBI152    IE6
  DTBI153    IE6
  DTBI160    IE6
  DTBI300    IE8/IE7
  DTBI305    IE8/IE7
  DTBI315    IE7
  DTBI316    IE6
  DTBI317    IE6
  DTBI318    IE8/IE7/IE6
  DTBI319    IE8/IE7/IE6
  DTBI320    IE8/IE7/IE6
  DTBI325    IE8/IE7
  DTBI330    IE7
  DTBI340    IE8/IE7
  DTBI350    IE8/IE7
  DTBI355    IE8/IE7
  DTBI365    IE8/IE7
  DTBI367    IE8/IE7/IE6
  DTBI370    IE8/IE7
  DTBI375    IE8/IE7
  DTBI385    IE8/IE7
  DTBI390    IE8/IE7
  DTBI395    IE8/IE7
  DTBI415    IE8/IE7
  DTBI425    IE8/IE7
  DTBI430    IE8/IE7
  DTBI435    IE8/IE7
  DTBI440    IE8/IE7
  DTBI445    IE8/IE7
  DTBI450    IE8/IE7
  DTBI455    IE8/IE7
  DTBI460    IE8/IE7
  DTBI465    IE8/IE7
  DTBI470    IE8/IE7
  DTBI475    IE8/IE7
  DTBI480    IE8/IE7
  DTBI485    IE8/IE7
  DTBI490    IE8/IE7
  DTBI495    IE8/IE7
  DTBI500    IE8/IE7
  DTBI515    IE8/IE7
  DTBI520    IE8/IE7
  DTBI575    IE8/IE7
  DTBI580    IE8/IE7
  DTBI590    IE8/IE7
  DTBI592    IE8/IE7
  DTBI594    IE8/IE7
  DTBI595    IE8/IE7
  DTBI596    IE8/IE7
  DTBI597    IE8/IE7
  DTBI599    IE8/IE7
  DTBI600    IE8/IE7
  DTBI605    IE8/IE7
  DTBI610    IE8/IE7
  DTBI612    IE8/IE7
  DTBI614    IE8/IE7
  DTBI630    IE8/IE7
  DTBI635    IE8/IE7
  DTBI640    IE8/IE7
  DTBI645    IE8/IE7
  DTBI647    IE8/IE7
  DTBI649    IE8/IE7
  DTBI650    IE8/IE7
  DTBI655    IE8/IE7
  DTBI670    IE8/IE7
  DTBI675    IE8/IE7
  DTBI680    IE8/IE7
  DTBI690    IE8/IE7
  DTBI695    IE8/IE7
  DTBI697    IE8/IE7
  DTBI705    IE8/IE7
  DTBI715    IE8/IE7
  DTBI720    IE8/IE7
  DTBI725    IE8/IE7
  DTBI730    IE7
  DTBI740    IE8
  DTBI750    IE8
  DTBI760    IE8
  DTBI770    IE8
  DTBI780    IE8
  DTBI800    IE8
  DTBI810    IE8
  DTBI820    IE8
  DTBI830    IE8
  DTBI840    IE8
  DTBI850    IE8
  DTBI860    IE8
  DTBI870    IE8
  DTBI880    IE8
  DTBI890    IE8
  DTBI900    IE8
  DTBI910    IE8
  DTBI920    IE8
  DTBI930    IE8
  DTBI940    IE8
  DTBI950    IE8
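The Restricted Sites Zone rows above (DTBI112 to DTBI135) and the Internet Explorer Processes rows (DTBI590 to DTBI649, plus DTBI900, DTBI1010 and DTBI1020) are all verified the same way: read the per-zone action values under Internet Settings\Zones\4 and the FeatureControl entries for the three process names that the checklist lists as (Reserved), (Explorer) and (IExplore), and compare them with the required settings. The script below is an added example of that check run offline against a registry export (for instance a `reg export` of the two keys collected from a host); it is not code from DISA or from the checklist. The value IDs, key paths, expected values (Disable = 3 for the listed actions, Java permissions = 0) and the sample export are assumptions to be confirmed against the STIG before a mismatch is recorded as a finding.

```python
"""Offline audit of Internet Explorer zone and FeatureControl settings from a
registry export, for the Restricted Sites Zone rows (DTBI112 to DTBI135) and the
"Internet Explorer Processes" rows (DTBI590 to DTBI649, DTBI900, DTBI1010 and
DTBI1020). Added example, not DISA's code; see the assumptions in comments."""
import re

ZONES_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"
FEATURE_KEY = r"Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"
DISABLE = 3  # zone action values: 0 = Enable, 1 = Prompt, 3 = Disable
# Restricted Sites Zone (zone 4): value name -> (PDI, expected). Assumed from the
# IE zone registry layout; confirm the expected values against the STIG itself.
RESTRICTED_ZONE_EXPECTED = {
    "1001": ("DTBI112", DISABLE),  # Download signed ActiveX controls
    "1004": ("DTBI113", DISABLE),  # Download unsigned ActiveX controls
    "1201": ("DTBI114", DISABLE),  # Initialize and script ActiveX not marked as safe
    "1200": ("DTBI115", DISABLE),  # Run ActiveX controls and plug-ins
    "1405": ("DTBI116", DISABLE),  # Script ActiveX controls marked safe for scripting
    "1803": ("DTBI119", DISABLE),  # File download
    "1604": ("DTBI120", DISABLE),  # Font download
    "1C00": ("DTBI121", 0),        # Java permissions: 0 = Disable Java
    "1406": ("DTBI122", DISABLE),  # Access data sources across domains
    "1608": ("DTBI123", DISABLE),  # Allow META REFRESH
    "1609": ("DTBI124", DISABLE),  # Display mixed content
    "1A04": ("DTBI125", DISABLE),  # Don't prompt for client certificate selection
    "1802": ("DTBI126", DISABLE),  # Drag and drop or copy and paste files
    "1800": ("DTBI127", DISABLE),  # Installation of desktop items
    "1804": ("DTBI128", DISABLE),  # Launching programs and files in IFRAME
    "1607": ("DTBI129", DISABLE),  # Navigate windows and frames across domains
    "1601": ("DTBI131", DISABLE),  # Submit non-encrypted form data
    "1606": ("DTBI132", DISABLE),  # Userdata persistence
    "1400": ("DTBI133", DISABLE),  # Active scripting
    "1407": ("DTBI134", DISABLE),  # Allow paste operations via script
    "1402": ("DTBI135", DISABLE),  # Scripting of Java applets
}
# "Internet Explorer Processes": each feature must be 1 for all three process entries.
FEATURES = {
    "FEATURE_MIME_HANDLING": "DTBI590-594",
    "FEATURE_MIME_SNIFFING": "DTBI595-597",
    "FEATURE_DISABLE_MK_PROTOCOL": "DTBI599-605",
    "FEATURE_ZONE_ELEVATION": "DTBI610-614",
    "FEATURE_RESTRICT_FILEDOWNLOAD": "DTBI630-640",
    "FEATURE_WINDOW_RESTRICTIONS": "DTBI645-649",
    "FEATURE_RESTRICT_ACTIVEXINSTALL": "DTBI900/1010/1020",
}
PROCESS_VALUES = ("(Reserved)", "explorer.exe", "iexplore.exe")
_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9A-Fa-f]{8})|"(.*)")$')


def parse_reg_export(text):
    """Parse the .reg subset regedit writes for these keys ([key] headers, dword and
    string values) into {key: {name: value}}. Real exports are UTF-16 with a BOM."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, dword, string = m.groups()
            current[name] = int(dword, 16) if dword is not None else string
    return keys


def audit(keys, zone_key="HKEY_CURRENT_USER\\" + ZONES_KEY + "\\4"):
    """Return [(pdi, location, expected, actual)] for each setting that is absent or
    differs from the expected value; an absent value leaves IE on its built-in default."""
    findings = []
    zone = {name.upper(): value for name, value in keys.get(zone_key, {}).items()}
    for value_id, (pdi, expected) in RESTRICTED_ZONE_EXPECTED.items():
        actual = zone.get(value_id)
        if actual != expected:
            findings.append((pdi, "Zones\\4\\" + value_id, expected, actual))
    for feature, pdi in FEATURES.items():
        fkey = keys.get("HKEY_LOCAL_MACHINE\\" + FEATURE_KEY + "\\" + feature, {})
        for proc in PROCESS_VALUES:
            actual = fkey.get(proc)
            if actual != 1:
                findings.append((pdi, feature + "\\" + proc, 1, actual))
    return findings


def sample_export():
    """Constructed .reg text, not from a real host: zone 4 compliant except for
    Active scripting and Java, and FEATURE_ZONE_ELEVATION missing explorer.exe."""
    zone = {name: expected for name, (_, expected) in RESTRICTED_ZONE_EXPECTED.items()}
    zone["1400"] = 0        # drift: Active scripting enabled
    zone["1C00"] = 0x10000  # drift: Java at "High safety" instead of disabled
    lines = ["Windows Registry Editor Version 5.00", "",
             "[HKEY_CURRENT_USER\\" + ZONES_KEY + "\\4]", '"DisplayName"="Restricted sites"']
    lines += ['"%s"=dword:%08x' % (name, value) for name, value in zone.items()]
    for feature in FEATURES:
        lines += ["", "[HKEY_LOCAL_MACHINE\\" + FEATURE_KEY + "\\" + feature + "]"]
        procs = PROCESS_VALUES if feature != "FEATURE_ZONE_ELEVATION" else ("(Reserved)", "iexplore.exe")
        lines += ['"%s"=dword:00000001' % proc for proc in procs]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for pdi, where, expected, actual in audit(parse_reg_export(sample_export())):
        print("%s: %s expected %r, found %r" % (pdi, where, expected, actual))
```

When the zone settings are delivered by Group Policy, the enforced copies live under Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 rather than under the user key, so export that key and pass it as zone_key; a user-level value that disagrees with it is not the effective one. A value missing from the export is reported because the export cannot show the built-in default Internet Explorer then applies to that action.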
    PDI      VMSID CAT            Requirement                 Vulnerability   Status   Finding Notes
BTS-IAP-100    V0014344    II   The IAP ingress and egress
                                filters bound to all interfaces
                                are not the most current as
                                directed by JTF-GNO.

BTS-IAP-110    V0014345    II   JTF-GNO instructions on
                                implementing exceptions to
                                the IAP filters are not
                                followed.
BTS-IPv6-100   V0014352    II   IPv6 is enabled on
                                unauthorized interfaces.
BTS-IPv6-110   V0014357    II   IPv6 traffic is tunneled using
                                a method other than IPv4 or
                                GRE encapsulation.
BTS-IPv6-120   V0014359    II   IPv6 is enabled on
                                unauthorized 6to4 and 6to4
                                relay router interfaces.
BTS-IPv6-130   V0014360    II   6to4 router is accepting
                                native IPv6 packets without
                                access to a 6to4 relay router.

BTS-IPv6-140   V0014361    II   6to4 relay router accepts
                                IPv6 packets from the IPv6
                                network with a destination
                                prefix other than 2002::/16.
BTS-IPv6-150   V0014362    II   6to4 router is configured to
                                accept tunneled IPv6 traffic
                                from undocumented sources.

BTS-IPv6-160   V0014363    II   6to4 relay router is
                                configured to accept
                                tunneled IPv6 traffic from
                                undocumented sources.
BTS-IPv6-170   V0014364    II   6PE router at the backbone
                                edge is not configured to
                                tunnel all IPv6 traffic using
                                MPLS encapsulation.

BTS-IPv6-180   V0014365    II   IPv6 is enabled on
                                unauthorized 6PE router
                                interfaces.
BTS-IPv6-190   V0014366    II   CE-facing interfaces on the
                                6PE router accept MPLS
                                traffic.
BTS-MCAST-010  V0012652    II   Protocol Independent
                                Multicast (PIM) is not
                                disabled on all interfaces
                                that are not required to
                                support multicast routing.
BTS-MCAST-015  V0014342   III   PIM neighbor filter is not
                                bound to interfaces that have
                                PIM enabled.
BTS-MCAST-020  V0012653   III   The PIM router’s receive
                                path or interface filter does
                                not validate the source
                                address for all traffic
                                destined to the “all PIM
                                routers” address
                                (224.0.0.13).
BTS-MCAST-030  V0012654   III   Customer-facing interfaces
                                on the PIM router do not
                                block inbound and outbound
                                administratively scoped
                                multicast traffic.
BTS-MCAST-035  V0014343   III   Customer-facing interfaces
                                do not block inbound and
                                outbound Auto-RP discovery
                                and announcement
                                messages.
BTS-MCAST-040  V0012655   III   PIM router accepts BSR
                                messages.
BTS-MCAST-050  V0012656   III   RP router is not configured
                                to limit the multicast
                                forwarding cache to ensure
                                that its resources are not
                                saturated managing an
                                overwhelming number of
                                PIM and MSDP SA entries.
BTS-MCAST-060  V0012657   III   The RP router peering with
                                customer PIM-SM routers
                                has not been configured with
                                a PIM import policy to block
                                join and registration
                                messages for reserved,
                                Martian, source-specific
                                multicast (SSM), and any
                                other undesirable multicast
                                groups as well as any Bogon
                                source addresses.
BTS-MCAST-070  V0012659    II   The Multicast Source
                                Discovery Protocol (MSDP)
                                router's receive path or
                                interface filter is not
                                configured to only accept
                                MSDP packets from known
                                MSDP peers.
BTS-MCAST-080  V0012660     I   MSDP packets received by
                                an MSDP router are not
                                authenticated using MD5
                                passwords.
BTS-MCAST-090  V0012383    II   MD5 passwords used for
                                MSDP sessions with each
                                peering customer network
                                are not unique.
BTS-MCAST-100  V0012661   III   The MSDP router peering
                                with customer MSDP routers
                                has not been configured with
                                an import policy to block
                                source-active (SA) multicast
                                advertisements for reserved,
                                Martian, source-specific
                                multicast (SSM), and any
                                other undesirable multicast
                                groups as well as any SA
                                messages with Bogon
                                source addresses.

BTS-MCAST-110  V0012662   III   An export policy has not
                                been configured on the
                                MSDP router to avoid global
                                visibility of multicast (S,G)
                                states local to the IP core.

BTS-MCAST-120  V0012663   III   The MSDP cache table is
                                not configured to limit the SA
                                count globally, as well as on
                                a per-peer and a per-source
                                basis.
BTS-MCAST-130  V0012388    II   Each VPN customer is not
                                assigned a unique Default-
                                MDT to keep its multicast
                                data and control traffic
                                separate from global as well
                                as other customers’
                                multicast traffic.
BTS-MCAST-140  V0012389    II   Each VPN customer is not
                                assigned a unique pool of
                                Data-MDTs to keep its
                                multicast data traffic
                                separate from global as well
                                as other customers’
                                multicast traffic.
BTS-MCAST-150  V0012392   III   Group addresses assigned to
                                the Default-MDT and Data-MDTs
                                are not from the
                                Administratively Scoped IP
                                Multicast range defined in
                                RFC 2365.
BTS-MGMT-010   V0012394     I   All network devices are not
                                located in a secure room
                                with limited access.
    PDI    VMSID CAT           Requirement                    Vulnerability   Status   Finding Notes
BTS-MGMT- V0012674 II Login warning banner is not
030                   configured on the network
                      device.
BTS-MGMT- V0012675  I Access to the network
040                   component does not require
                      an account identifier and
                      password.
BTS-MGMT- V0012676  I Default and backdoor
050                   accounts have not been
                      removed.
BTS-MGMT- V0012677 II Expired or unauthorized
060                   accounts are not removed
                      from device.
BTS-MGMT- V0012678 II Each system administrator is
070                   not assigned an individual
                      account and password for
                      the purpose of administrative
                      access. CAVEAT: If
                      documented in the SSAA,
                      group accounts can be used
                      for network management
                      workstations located in a
                      controlled access area.

BTS-MGMT- V0012679     II   Accounts are not assigned
075                         the lowest privilege level that
                            allows system administrators
                            and engineers to perform
                            their duties.

BTS-MGMT- V0012396    III   A formal process for
080                         granting, creating, deleting,
                            and distributing accounts is
                            not implemented or the
                            process does not include an
                            authorization form and a
                            registration authority to
                            ensure that only authorized
                            users are gaining
                            management access to
                            network devices.
BTS-MGMT- V0012398    III   A log is not maintained that
085                         records the creation,
                            deletion, and distribution of
                            all accounts.
BTS-MGMT- V0012680     II   More than one emergency
090                         account is configured or the
                            account does not default to
                            the lowest authorization level.
BTS-MGMT- V0012399 III The emergency account log
095                    is not reviewed periodically
                       to ensure emergency
                       accounts are changed at
                       regular intervals and are not
                       compromised in any way.

BTS-MGMT- V0012699      II   Usernames and passwords of
096                          all emergency accounts are
                             not stored in a sealed
                             envelope kept in a safe or on
                             file server attached to the
                             classified network.
BTS-MGMT- V0012681      I    The network device is not
100                          password protected.
BTS-MGMT- V0012401      I    Passwords are not set up
105                          and maintained in
                             accordance with DODI
                             8500.2 IAIA-1 and IAIA-2.
BTS-MGMT- V0012682      I    Default manufacturer
110                          passwords are not removed
                             or changed from the device.

BTS-MGMT- V0012402      II   Passwords are not
120                          encrypted both for storage
                             and for transmission.
BTS-MGMT- V0012683      II   An authentication server is
130                          not being used to
                             authenticate all users prior to
                             acquiring administrative
                             access to the device.
BTS-MGMT- V0012698      II   The authentication server is
135                          not compliant with the
                             security requirements
                             specified in the appropriate
                             operating system STIG.
BTS-MGMT- V0012684      II   Two-factor authentication is
140                          not used to authenticate all
                             users prior to acquiring
                             administrative access to the
                             device.
BTS-MGMT- V0012685     III   Two or more authentication
145                          servers are not configured to
                             support user authentication
                             for administrative access to
                             the device.

BTS-MGMT- V0014374     III   The key configured on the
150                          authentication server used
                             for communication with
                             clients is not unique.
BTS-MGMT- V0012405  I Keys are not set up and
160                   maintained in accordance
                      with DODI 8500.2 IAIA-1 and
                      IAIA-2.
BTS-MGMT- V0012406 II A key management policy is
165                   not implemented to include
                      key generation, distribution,
                      storage, usage, lifetime
                      duration, and destruction of
                      all keys used for encryption
                      within the backbone
                      infrastructure.
BTS-MGMT- V0012408 II Key lifetime exceeds 180
170                   days for Type 3 encryptors
                      or 30 days for Type 1
                      encryptors.
BTS-MGMT- V0012686  I Key chains are used and no
175                   key within the chain is
                      configured with an infinite
                      lifetime, or the infinite-
                      lifetime key is not changed 7
                      days after the rotating keys
                      have expired and have been
                      redefined.

BTS-MGMT- V0012411      II   All backbone network
190                          components were not IAVM
                             compliant prior to connecting
                             the component to the
                             backbone network.
BTS-MGMT- V0012412     III   IAVM notices are not
200                          responded to within the
                             specified time period.
BTS-MGMT- V0012747      I    Unsupported network
210                          components are being used
                             within the backbone network
                             infrastructure.
BTS-MGMT- V0012687      II   Software or firmware
220                          versions are not upgraded
                             on all network components
                             as directed by the PMO.
BTS-MGMT- V0012754     III   Documented procedures are
230                          not used for upgrading or
                             deploying new approved
                             software.
BTS-MGMT- V0012418     III   Testing procedures for new
240                          or upgraded hardware or
                             software are not maintained.
BTS-MGMT- V0012419 III Baseline configurations for
250                    all network components are
                       not maintained with
                       incremental backups.
BTS-MGMT- V0012420 III File servers used for network
260                    element configuration
                       management are not located
                       on the out-of-band network
                       or are not restricted to
                       authorized personnel.
                       Caveat: File servers used for
                       classified network element
                       configuration management
                       are not required to be
                       accessed via an out-of-band
                       network.

BTS-MGMT- V0012421     II    OSS LAN is not configured
270                          IAW the Network
                             Infrastructure STIG.
BTS-MGMT- V0012422     II    OSS servers and
280                          workstations are not
                             configured IAW the
                             appropriate OS STIG.
BTS-MGMT- V0012423     I     The OOBM network (DCN)
290                          is not configured IAW the
                             Network Infrastructure
                             STIG.
BTS-MGMT- V0012424     II    Dial-up connections for
300                          managing network elements
                             do not use FIPS 140-2
                             compliant encryption to
                             protect information in transit.

BTS-MGMT- V0012688     II    Management dial-up
310                          connections are not
                             authenticated using two-
                             factor authentication.
BTS-MGMT- V0012691     III   Communication server is not
320                          configured to use CHAP to
                             authenticate authorized users
                             prior to allowing the PPP
                             connection.

BTS-MGMT- V0014375     III   Communication server is not
325                          configured to use CHAP
                             authentication or to enable
                             callback to authorized phone
                             numbers prior to allowing the
                             PPP connection.
BTS-MGMT- V0012692 II The network element is not
330                   configured to time out an idle
                      user session after 15 minutes
                      or less.
BTS-MGMT- V0012693 II In-band management
340                   connection to the device is
                      not encrypted using FIPS
                      140-2 compliant
                      cryptography.
BTS-MGMT- V0012694 II An OOBM interface or a
350                   console port connected to a
                      terminal access server is not
                      used to connect to the DCN.
                      CAVEAT: If OOBM
                      interfaces are not available
                      for a layer-3 device, this
                      finding can be downgraded
                      to a Category III if the device
                      is configured to ensure
                      management traffic and
                      route advertisements do
                      not leak from the
                      management network into
                      the transit network and vice
                      versa using interface filters
                      and route policies.

BTS-MGMT- V0014376      II   A modem is connected to
355                          the network component.
BTS-MGMT- V0012425     III   Optical link used for the
360                          Optical Supervisory Channel
                             (OSC) exceeds 20 spans or
                             there is not a DCN
                             connection at the near and
                             far end OTS terminals.
BTS-MGMT- V0012695 I SNMP Version 3 Security
370                  Model (both SHA packet
                     authentication and DES
                     encryption of the PDU) is not
                     used across the entire
                     network infrastructure.
                     CAVEAT: If Version 1 or
                     Version 2 is being used with
                     all of the appropriate patches
                     to mitigate the known
                     security vulnerabilities, this
                     finding can be downgraded
                     to a Category II. If Version 1
                     or Version 2 is being used
                     with all of the appropriate
                     patches and the PMO has
                     developed a migration plan
                     to implement the Version 3
                     Security Model, this finding
                     can be downgraded to a
                     Category III.

BTS-MGMT- V0012696     I     SNMP community strings
380                          are not changed from the
                             default values and
                             usernames do not match any
                             other password values.
BTS-MGMT- V0012697     II    Different community names
390                          or usernames are not used
                             for read-only access and
                             read-write access, or write
                             access was enabled without
                             approval by the IAO.

BTS-MGMT- V0012426     III   There is no standard
400                          operating procedure (SOP)
                             for managing SNMP
                             community strings and
                             usernames to include the
                             following:
                             - Community string and
                               username expiration period.
                             - Community string and
                               username creation will
                               comply with the password
                               requirements outlined in
                               Section 5.2.3 Passwords.
                             - SNMP community string and
                               username distribution
                               including determination of
                               membership.
BTS-MGMT- V0012664 III A centralized syslog server is
410                    not deployed and configured
                       to store all syslog messages
                       for a minimum of 30 days
                       and then stored offline for
                       one year.

BTS-MGMT- V0012665     III   The syslog server is not
420                          configured to collect syslog
                             messages from levels 0
                             through 6 at a minimum.

BTS-MGMT- V0012666     III   The syslog server is not
430                          configured to accept
                             messages from only
                             authorized devices and
                             administrative access from
                             trusted management
                             workstations by restricting
                             access via source IP
                             address and destination port.

BTS-MGMT- V0014377     III   The syslog server is
440                          connected to a network that
                             is not the management
                             network.
BTS-MGMT- V0014378      II   The syslog server is not
450                          configured IAW the
                             respective OS STIG.
BTS-MGMT- V0014379     III   An HIDS is not implemented
460                          on the syslog server to
                             provide access control for
                             the syslog data as well as
                             provide the necessary
                             protection against
                             unauthorized user and
                             service access.
BTS-MGMT- V0012427      II   A COOP is not developed or
510                          is not maintained or the
                             COOP is not being exercised
                             periodically to provide
                             continuous operational
                             services of the backbone
                             network. At a minimum, the
                             COOP must be exercised
                             semi-annually for MAC I
                             networks and annually for
                             MAC II and III networks.
BTS-MGMT- V0012428 II The COOP plan does not
520                   include the identification,
                      procurement, inventory,
                      storage, and deployment for
                      all critical spare parts,
                      specifically those parts
                      that can service single points
                      of failure.
BTS-MGMT- V0012430 II The COOP plan does not
530                   establish procedures for a
                      smooth transition of mission
                      essential backbone network
                      functions to include
                      management, operation, and
                      monitoring.

BTS-MPLS- V0012638     I     Not all CE-facing interfaces
010                          on a PE router providing
                             MPLS VPN services are
                             bound to a VRF.
BTS-MPLS- V0012639     II    A CE-facing interface on a PE
020                          router providing MPLS VPN
                             services is configured to
                             accept MPLS traffic.

BTS-MPLS- V0012640     III   A route policy has not been
030                          implemented to ensure
                             routes contained within any
                             VRF used for PE-CE links
                             are not advertised to any
                             customer networks.

BTS-MPLS-   V0012431   I     A unique RD is not assigned
040                          for each VPN.
BTS-MPLS-   V0012641   I     Incorrect RDs are configured
050                          for some VRFs.
BTS-MPLS-   V0012642   I     VRFs are not bound to the
060                          proper CE-facing interface.
BTS-MPLS-   V0012643   I     An incorrect RT is configured
070                          for a VRF.
BTS-MPLS-   V0012432   II    Junior engineers who are not
080                          trained in the design of
                             MPLS VPN networks are
                             authorized to configure VRF
                             information including RT and
                             RD and their associated
                             import and export route
                             policies.
BTS-MPLS- V0014338 II PE-ASBR-facing interfaces
085                   are not bound to a VRF for a
                      VRF-to-VRF implementation
                      on the PE-ASBR router.

BTS-MPLS- V0014339    III   PE-ASBR-facing interfaces
086                         on a PE-ASBR are
                            configured to accept MPLS
                            traffic for a VRF-to-VRF
                            implementation.
BTS-MPLS- V0014340    II    PE-ASBR-facing interfaces
087                         for a VRF-to-VRF
                            implementation are not
                            bound to the correct VPN.
BTS-MPLS- V0012644    III   Route-target filtering is not
090                         configured to only import and
                            export those route
                            advertisements with RTs that
                            represent the inter-AS VPNs
                            provisioned by the AS.

BTS-MPLS- V0012645    III   The PE-ASBR leaks IPv4
100                         routes to the adjacent AS
                            across the MP-eBGP
                            connection.
BTS-MPLS- V0014341    II    Multi-hop eBGP
110                         redistribution of labeled VPN-
                            IPv4 routes between source
                            and destination ASes is used
                            to implement inter-AS VPN
                            connectivity.
BTS-MSPP- V0012670    III   The MSPP does not log
010                         system events, circuit
                            provisioning, user actions,
                            and configuration changes.
BTS-MSPP- V0012433    II    A daily review of the MSPP
020                         audit data is not conducted
                            by the system administrator
                            or qualified personnel to
                            determine if attempted
                            attacks or inappropriate
                            activity has occurred.

BTS-MSPP- V0012434    III   The MSPP audit logs are not
030                         backed up on a weekly basis
                            or are not retained for at
                            least one year.
BTS-MSPP- V0012671    III   The MSPP is not configured
040                         to synchronize its clock with
                            a trusted stratum-1 SNTP
                            server.
BTS-MSPP- V0012672 II Unused MSPP interfaces are
050                   not set to out of service
                      when not providing service.
BTS-OPTI- V0012435  I SONET components are not
010                   installed in controlled areas
                      that restrict access to only
                      authorized personnel.

BTS-OPTI-   V0012436   II    A semi-annual security
020                          analysis of a sample (20% or
                             more) of the SONET
                             components is not
                             conducted and documented.

BTS-OPTI-   V0012667   II    SONET payload scrambling
030                          is not enabled using a self-
                             synchronous scrambler (1 +
                             X^43) applied to all backbone
                             facing PoS interfaces of all
                             PE routers as well as all P
                             router and ADM PoS
                             interfaces.

BTS-OPTI-   V0012437   II    An attack detection method
040                          such as Wideband Power
                             Detection, Optical Spectral
                             Analysis, Pilot Tone, or
                             Optical Time Domain
                             Reflectometry is not used
                             globally to detect and locate
                             attacks.
BTS-OPTI-   V0012438   II    Optical monitoring is not
050                          implemented at all service
                             delivery nodes.
BTS-OPTI-   V0012439   III   Additional monitoring points
060                          are not installed at regular
                             intervals within the spans of
                             the service delivery nodes.

BTS-OPTI-   V0012441   I     OTDR scans are not
070                          performed on all new fiber
                             spans before being placed in
                             production. Maintenance
                             scans are not performed
                             every six months.
BTS-OPTI-   V0012668 II OSPF is being used by
080                     ODXCs to determine the
                        optimum path for
                        dynamically provisioning a
                        circuit as well as for in-band
                        management routing without
                        MD5 authentication of the
                        link-state advertisements.

BTS-OPTI-   V0012669    II    LDP is being used on the
090                           control plane by ODXCs to
                              establish a circuit with
                              dynamic provisioning without
                              MD5 authentication.
BTS-OPTI-   V0012442    II    MD5 keys used for routing
100                           protocol authentication are
                              not changed every 180 days.

BTS-OPTI-   V0012443    I     The ITF and OTN facilities
110                           used for ULH connections are
                              not secured because 1) the
                              facility is not in a
                              government-controlled area
                              that allows access to only
                              authorized personnel using 2-
                              factor authentication, or 2)
                              access to the facility is not
                              monitored and limited to
                              essential and authorized
                              personnel, or 3) a visitor log
                              is not maintained.
BTS-OPTI-   V0012444    III   Diverse routes into and out
120                           of ITF and OTN facilities are
                              not engineered to reduce
                              risk of breaks to both fiber
                              segments residing in same
                              bundle, conduit, or right-of-
                              way.
BTS-OPTI-   V0012445    III   ULH connections are not
130                           created using carrier grade
                              transmission equipment
                              placed at Government
                              owned locations in order to
                              minimize the placement of
                              optical equipment in
                              commercial facilities.
BTS-OPTI-   V0012446 II Secured storage cabinets
140                     requiring 2-factor
                        authentication for access and
                        having locking cabinet doors
                        are not used at ITFs to house
                        the fiber optic equipment.

BTS-OPTI-   V0012447   III   Locking cabinet doors used
150                          at the ITFs are not equipped
                             with alarm sensors that
                             activate when doors are
                             opened or they do not report
                             to the GNSC or TNC within
                             its operating area via OOB in-
                             network circuits.

BTS-OPTI-   V0012448    I    Traffic traversing OCONUS
160                          DISN Core segments is not
                             bulk encrypted using NIST
                             certified Type III encryptors.

BTS-OPTI-   V0012449    I    SONET/SDH bulk encryptors
170                          are not deployed using Path
                             level encryption with Path
                             headers passed in the clear
                             wherever leased bandwidth
                             from commercial carriers is
                             used for transport.


BTS-OPTI-   V0012450    I    SONET/SDH bulk encryptors
180                          are not deployed using Line
                             level encryption with both
                             Section and Line overhead
                             encrypted wherever dark
                             fiber is used for transport.

BTS-OPTI-   V0012451    II   A COMSEC custodian is not
190                          assigned to manage the
                             SONET/SDH bulk encryption
                             devices and keys.

BTS-QoS-    V0012647    II   QoS policies are not
010                          configured on the PE router
                             to ensure all customer traffic
                             receives forwarding
                             treatment as specified in the
                             SLA.
BTS-QoS-   V0012648 III Traffic that is not in
030                     compliance with the
                        approved DSCP
                        classification is not placed
                        into the Scavenger class.
BTS-QoS-   V0012649 III Traffic not in compliance
040                     with the customer’s SLA is
                        not placed into the
                        Scavenger class.
BTS-QoS-   V0012650 III QoS policing is not
050                     configured to validate the
                        use of classes reserved for
                        premium traffic and either
                        mark down or rate limit traffic
                        according to customer
                        projections and SLAs prior to
                        entering the core.

BTS-QoS-   V0012651    III   QoS policing has not been
060                          configured on PE router that
                             will mark down out-of-profile
                             traffic into the Scavenger
                             class.
BTS-QoS-   V0012727    II    QoS policies are not
070                          configured to ensure the
                             necessary congestion
                             management is
                             implemented. This will
                             include classifying all traffic
                             and defining queues with
                             appropriate service levels to
                             accommodate the different
                             traffic classes.
BTS-RAS-   V0014346    III   AAA server is not used to
100                          authenticate the subscriber’s
                             LNS prior to establishing an
                             L2TP tunnel with the LNS.

BTS-RAS-   V0014347     I    AAA server configuration
110                          does not correctly map
                             domain names to the
                             appropriate VPN.
BTS-RAS-   V0014349    II    The AAA server does not
120                          proxy the challenge
                             response message to the
                             appropriate VPN’s AAA
                             server to authenticate the
                             user.
BTS-RAS-   V0014350 III The RAS, NAS, or LAC
130                     device is not configured to
                        use CHAP authentication to
                        provide a challenge query to
                        the client prior to initiating
                        the L2TP connection to
                        validate the domain name
                        and user.
BTS-RAS-   V0014351 II AAA server is not used to
140                     validate the client’s domain
                        name, username, and
                        password to the PPP
                        authentication challenge
                        prior to initiating the L2TP
                        connection.
BTS-RTR-   V0012559 II Neighbor authentication with
010                     MD5, SHA-1, or IPSec is not
                        implemented for all routing
                        protocols with all peer
                        routers within the same
                        autonomous system as well
                        as between autonomous
                        systems.
BTS-RTR-   V0014770 II MPLS signaling protocols
015                     deployed to build LSP
                        tunnels are not using a
                        secured hashing algorithm
                        such as MD5 or SHA-1 for
                        neighbor or message
                        authentication.
BTS-RTR-   V0012646 II The eBGP router does not
020                     have a unique key for each
                        eBGP neighbor that it peers
                        with.
BTS-RTR-   V0012452 II MD5 keys used for routing
030                     protocol authentication are
                        not changed every 180 days.

BTS-RTR-   V0012560    I   Key chains are being used
040                        and there is no infinite key
                           exists within the chain. The
                           lifetime key is not changed
                           seven days after the rotating
                           keys expire and are
                           redefined.
BTS-RTR-050  V0012561  II   The eBGP router is not configured to reject inbound route advertisements for any Bogon prefixes and any prefixes belonging to the IP core.
BTS-RTR-055  V0014316  II   The eBGP router is not configured to reject inbound route advertisements for any IPv6 prefixes unless the prefixes are received from a customer network and 6PE is implemented to transport those prefixes across the backbone using MP-iBGP.
BTS-RTR-060  V0012562  II   The eBGP router is not configured to reject inbound route advertisements from a CE router for prefixes that are not allocated to that customer.
BTS-RTR-070  V0012563  II   BGP is not configured to filter outbound route advertisements for prefixes that are not allocated to or belong to any GIG IP customers.
BTS-RTR-075  V0014317  II   The eBGP router is not configured to reject outbound route advertisements for any IPv6 prefixes unless the prefixes are for a customer network supported by a 6PE deployment.
BTS-RTR-080  V0012564  II   BGP is not configured to filter outbound route advertisements belonging to the IP core.
BTS-RTR-100  V0012565  II   The eBGP router is not configured to reject inbound route advertisements with an originating AS that does not belong to the specific customer.
BTS-RTR-110  V0012566  III  ASBR is not configured to deny updates received from eBGP peers that do not list their AS number as the first AS in the AS_PATH attribute.
BTS-RTR-120  V0012567  III  Graded damping algorithms are not used to penalize longer prefixes (> /20) more than shorter prefixes.
BTS-RTR-130  V0012568  II   BGP is not configured to use the maximum prefixes feature to protect against route table flooding and prefix de-aggregation attacks.
BTS-RTR-140  V0012569  III  BGP is not configured to limit the prefix size on any route advertisement to /24 or the least significant prefixes issued to the customer.
BTS-RTR-150  V0012570  III  BGP is not configured to use Generalized TTL Security Mechanism (GTSM) to mitigate risks associated with a control plane DoS attack.
BTS-RTR-152  V0014318  III  Routers with RSVP-TE enabled do not have message pacing configured to adjust maximum burst and maximum number of RSVP messages to an output queue based on the link speed and input queue size of adjacent core routers.
BTS-RTR-155  V0012571  III  The router’s loopback address is not used as the router ID for OSPF, IS-IS, iBGP, LDP, and MPLS-TE configurations.
BTS-RTR-160  V0012573  II   URPF strict mode is not enabled on all customer-facing interfaces.
BTS-RTR-170  V0012574  II   A filter is not implemented to block inbound packets with source Bogon address prefixes.
BTS-RTR-180  V0012575  I    A filter is not implemented to block inbound packets destined to the IP core infrastructure address space.
BTS-RTR-190  V0012576  I    A receive-path filter or ingress filter bound to all interfaces is not implemented to restrict all traffic destined to the router.
BTS-RTR-195  V0014319  III  A receive-path filter is not implemented to restrict all traffic destined to the router.
BTS-RTR-200  V0012579  II   Management plane traffic destined for the router is not restricted to only authorized network management stations.
BTS-RTR-210  V0012580  II   BGP connections are not restricted to known IP addresses of BGP routers from the same or trusted AS.
BTS-RTR-220  V0012581  III  NTP traffic is not restricted to only authorized NTP servers.
BTS-RTR-230  V0012582  II   The router’s receive path filter does not drop all fragmented ICMP packets.
BTS-RTR-240  V0012583  II   The maximum wait interval for establishing a TCP connection request to the router is not set to ten seconds or less, or a method to rate-limit TCP SYN traffic destined to the router has not been implemented.
BTS-RTR-250  V0012586  II   CEF is not enabled on the Cisco router.
BTS-RTR-260  V0012585  II   IPv4 packets with Option Type = 131 or 137 are not blocked or IP source routing is not disabled.
BTS-RTR-265  V0014320  II   IPv6 packets that include a Routing Header with Routing Type 0 are not blocked or IP source routing is not disabled.
BTS-RTR-270  V0012587  III  IP directed broadcast is not disabled on all router interfaces.
BTS-RTR-280  V0012589  II   IP redirects are not disabled on all router interfaces.
BTS-RTR-290  V0012590  II   ICMP mask replies are not disabled on all router interfaces.
BTS-RTR-300  V0012591  II   ICMP unreachables are not disabled on all customer-facing interfaces.
                            Note: This requirement does not force the router to block ICMP Destination Unreachable messages type 3, code 4, meaning “Fragmentation Needed and Don't Fragment was Set”, and therefore will not disrupt Path MTU Discovery as specified in RFC 1191. Black-hole filtering enables traffic destined for a particular IP address to be forwarded to a pseudo-interface where it is discarded. The address of the pseudo-interface is called Null0. The interface is always live but can never forward or receive traffic. Hence, when a route is pointed to the Null0 interface, traffic sent to that destination is dropped.
BTS-RTR-310  V0012592  III  Inactive interfaces are not disabled. CAVEAT: Inactive physical interfaces or subinterfaces that are preconfigured for planned access circuits that will soon become active are permitted, provided that a description is defined for each interface.
BTS-RTR-315  V0014321  III  There is no filter that denies all traffic applied to all inactive interfaces.
BTS-RTR-320  V0012593  III  Two or more authentication servers are not defined for the purpose of granting administrative access.
BTS-RTR-330  V0012594  III  The router is not configured to use AAA tiered authorization groups for management authentication.
BTS-RTR-340  V0014322  III  Passwords are configured on line interfaces (VTY, console, auxiliary, and asynchronous lines).
BTS-RTR-350  V0012601  II   Individual accounts with username and password are not being used to access the router.
BTS-RTR-360  V0012602  II   Accounts are not assigned the lowest privilege level that allows them to perform their duties.
BTS-RTR-370  V0012609  I    Passwords are not encrypted using the MD5 or SHA-1 hash algorithm.
BTS-RTR-380  V0012606  II   Inactive accounts exist on the authentication server or router.
BTS-RTR-390  V0012607  II   More than one local emergency account is configured on the router, or the emergency account is not at the lowest privilege level.
BTS-RTR-395  V0012453  II   There are no procedures to securely control the creation, storage, deletion, and distribution of local emergency user accounts.
BTS-RTR-400  V0012454  III  A log is not being maintained to record the creation, change, deletion, and release of all emergency accounts.
BTS-RTR-405  V0012455  III  The emergency account log is not being reviewed periodically to ensure emergency accounts are changed at regular intervals and are not compromised in any way.
BTS-RTR-410  V0012610  III  A password is not required to gain access to the router's diagnostics port.
BTS-RTR-420  V0012615  III  CDP is not disabled on all external interfaces on all Cisco PE and ASBR routers.
BTS-RTR-430  V0012616  III  The router is not configured to send periodic TCP keepalive messages to connection end points if telnet is being used for administrative access.
BTS-RTR-440  V0014323  II   Logging is not enabled on the router.
BTS-RTR-450  V0012618  III  The router is not configured to log severity levels 0 through 6 events and send all log data to a syslog server.
BTS-RTR-460  V0014324  III  Router is not configured to send all log data to a syslog server.
BTS-RTR-470  V0012617  III  The router is not configured to log all denied packets.
BTS-RTR-480  V0014325  III  The router is not configured to log all denied packets.
BTS-RTR-485  V0014326  III  Configuration changes that identify the time, the command, and the administrator that executed the command are not logged.
BTS-RTR-490  V0012619  III  Two or more NTP servers are not defined on the router to synchronize its time.
BTS-RTR-500  V0012620  II   The router is configured to function as an NTP server.
BTS-RTR-510            II   The router is not configured to use MD5 to authenticate the time source.
BTS-RTR-520  V0012622  III  The router is not configured to use its loopback address as the source address when originating TACACS+ or RADIUS traffic.
BTS-RTR-521  V0014327  III  The router is not configured to use its loopback address as the source address when originating syslog traffic.
BTS-RTR-522  V0014328  III  The router is not configured to use its loopback address as the source address when originating NTP traffic.
BTS-RTR-523  V0014329  III  The router is not configured to use its loopback address as the source address when originating SNMP traffic.
BTS-RTR-524  V0014330  III  The router is not configured to use its loopback address as the source address when originating NetFlow traffic.
BTS-RTR-525  V0014331  III  The router is not configured to use its loopback address as the source address when originating TFTP or FTP traffic.
BTS-RTR-526  V0014332  III  The router is not configured to use its loopback address as the source address when originating SSH traffic.
BTS-RTR-527  V0014333  III  The router is not configured to use its loopback address as the source address when originating MSDP traffic.
BTS-RTR-528  V0014334  III  The router is not configured to use its loopback address as the source address for iBGP peering sessions.
BTS-RTR-529  V0014335  III  The router is not configured to use its loopback address as the source address for LDP peering sessions.
BTS-RTR-530  V0012623  II   The latest operating system as directed by the PMO is not implemented on the router.
BTS-RTR-530  V0012730  II   The latest operating system as directed by the PMO is not implemented on the router.
BTS-RTR-540  V0012624  III  Finger service is not disabled.
BTS-RTR-550  V0012625  III  TCP and UDP small servers are not disabled.
BTS-RTR-560  V0012626  III  PAD services are not disabled.
BTS-RTR-570  V0012627  III  Identification support is not disabled.
BTS-RTR-580  V0012628  II   BSD r-command services are not disabled.
BTS-RTR-590  V0012629  II   FTP server is enabled.
BTS-RTR-595  V0014336  II   TFTP server is not disabled.
BTS-RTR-600  V0012630  III  DHCP server is enabled.
BTS-RTR-610  V0012631  II   HTTP server is enabled.
BTS-RTR-620  V0012632  III  Bootp server is enabled.
BTS-RTR-630  V0012634  II   Configuration auto-loading is not disabled.
BTS-RTR-640  V0012635  III  The router is configured as a client resolver and DNS servers are not defined.
BTS-RTR-650  V0012636  II   Proxy ARP is not disabled.
BTS-RTR-660  V0012637  II   Gratuitous ARP is not disabled.
BTS-RTR-900  V0014337  II   URPF strict mode is not enabled on CE routers’ PE-facing interfaces.
BTS-SDN-010  V0012456  I    The facility used to house SDN equipment is not secured 1) because the facility is not in a government-controlled area that allows access to only authorized personnel using 2-factor authentication, or 2) access to the facility is not monitored and limited to essential and authorized personnel, or 3) a visitor log is not maintained.
BTS-SDN-020  V0012457  II   A connection approval process to be used when provisioning GIG services to DoD customers is not implemented or enforced.
   ____ Checklist _V_R_ (<date>)                                  <Test> - TN <Ticket Number>
  PDI   VMSID CAT          Requirement          Vulnerability   Status   Finding Notes
DG0001  V0005658  I    Vendor supported software is evaluated and patched against newly found vulnerabilities.
DG0002  V0004758  II   An upgrade/migration plan should be developed to address an unsupported DBMS software version.
DG0003  V0005659  II   The latest security patches should be installed.
DG0005  V0006756  II   Only necessary privileges to the host system should be granted to DBA OS accounts.
DG0007  V0006767  II   The database should be secured in accordance with DoD, vendor and/or commercially accepted practices where applicable.
DG0009  V0015608  II   Access to DBMS software files and directories should not be granted to unauthorized users.
DG0010  V0002420  III  Database executable and configuration files should be monitored for unauthorized modifications.
DG0011  V0003726  III  Configuration management procedures should be defined and implemented for database software modifications.
DG0012  V0004754  II   Database software directories including DBMS configuration files are stored in dedicated directories separate from the host OS and other applications.
DG0013  V0015126  II   Database backup procedures should be defined, documented and implemented.

   Legend:
   R or RAE = Required Ancillary Equipment
   NF = Not a Finding
   NA = Not Applicable                                                      157 of 1286
DG0014  V0015609  II   Default demonstration and sample database objects and applications should be removed.
DG0016  V0003728  III  Unused database components, database application software and database objects should be removed from the DBMS system.
DG0017  V0003803  II   A production DBMS installation should not coexist on the same DBMS host with other, non-production DBMS installations.
DG0019  V0003805  III  Application software should be owned by a Software Application account.
DG0020  V0015129  II   Backup and recovery procedures should be developed, documented, implemented and periodically tested.
DG0021  V0003806  II   A baseline of database application software should be documented and maintained.
DG0025  V0015610  II   DBMS should use NIST FIPS 140-2 validated cryptography.
DG0029  V0005685  II   Required auditing parameters for database auditing should be set.
DG0030  V0002507  II   Audit trail data should be retained for one year.
DG0031  V0015133  II   Transaction logs should be periodically reviewed for unauthorized modification of data. Users should be notified of time and date of the last change in data content.


DG0032  V0005686  II   Audit records should be restricted to authorized individuals.
DG0040  V0002422  II   The DBMS software installation account should be restricted to authorized users.
DG0041  V0015110  II   Use of the DBMS installation account should be logged.
DG0042  V0015111  II   Use of the DBMS software installation account should be restricted to DBMS software installation, upgrade and maintenance actions.
DG0050  V0002423  II   Database software, applications and configuration files should be monitored to discover unauthorized changes.
DG0051  V0003808  II   Database job/batch queues should be reviewed regularly to detect unauthorized database job submissions.
DG0052  V0003807  II   All applications that access the database should be logged in the DBMS audit trail where available.
DG0053  V0003809  II   A single database connection configuration file should not be used to configure all database clients.
DG0054  V0015611  III  The audit logs should be periodically monitored to discover DBMS access using unauthorized applications.
DG0064  V0015120  II   DBMS backup and restoration files should be protected from unauthorized access.

DG0065  V0003810  II   DBMS authentication should require use of a DoD PKI certificate.
DG0066  V0003811  II   Procedures for establishing temporary passwords that meet DoD password requirements for new accounts should be defined, documented and implemented.
DG0067  V0003812  I    Database account passwords should be stored in encoded or encrypted format whether stored in database objects, external host files, environment variables or any other storage locations.
DG0068  V0003813  II   DBMS tools or applications that echo or require a password entry in clear text should be protected from password display.
DG0069  V0015140  II   Procedures and restrictions for import of production data to development databases should be documented, implemented and followed.
DG0072  V0015612  II   Database password changes by users should be limited to one change within 24 hours where supported by the DBMS.
DG0076  V0003819  II   Sensitive information from production database exports should be modified after import to a development database.




DG0077  V0003820  II   Production databases should be protected from unauthorized access by developers on shared production/development host systems.
DG0078  V0015613  II   Each database user, application or process should have an individually assigned account.
DG0083  V0015102  II   Automated notification of suspicious activity detected in the audit trail should be implemented.
DG0084  V0015614  III  The DBMS should be configured to clear residual data from memory, data objects and files, and other storage locations.
DG0085  V0015615  II   The DBA role should not be assigned excessive or unauthorized privileges.
DG0088  V0015112  III  The DBMS should be periodically tested for vulnerability management and IA compliance.
DG0090  V0015131  II   Sensitive information stored in the database should be protected by encryption.
DG0092  V0015132  II   Database data files containing sensitive information should be encrypted.
DG0093  V0003825  II   Remote administrative connections to the database should be encrypted.
DG0095  V0003827  II   Audit trail data should be reviewed daily or more frequently.
DG0096  V0015138  III  The DBMS IA policies and procedures should be reviewed annually or more frequently.

DG0097  V0015139  II   Plans and procedures for testing DBMS installations, upgrades, and patches should be defined and followed prior to production implementation.
DG0098  V0015617  II   Access to external objects should be disabled if not required and authorized.
DG0099  V0015618  II   Access to external DBMS executables should be disabled or restricted.
DG0101  V0015620  II   OS accounts used to execute external procedures should be assigned minimum privileges.
DG0102  V0015141  II   DBMS processes or services should run under custom, dedicated OS accounts.
DG0103  V0015621  II   The DBMS listener should restrict database access by network address.
DG0104  V0015622  III  DBMS service identification should be unique and clearly identify the service.
DG0107  V0015144  II   Sensitive data is stored in the database and should be identified in the System Security Plan and AIS Functional Architecture documentation.
DG0108  V0015145  III  The DBMS restoration priority should be assigned.
DG0109  V0015146  II   The DBMS should not be operated without authorization on a host system supporting other application services.




DG0110  V0015179  II   The DBMS should not share a host supporting an independent security service.
DG0111  V0015147  II   The DBMS data files, transaction logs and audit files should be stored in dedicated directories or disk partitions separate from software or other application files.
DG0112  V0015623  II   DBMS system data files should be stored in dedicated disk directories.
DG0113  V0015624  II   DBMS data files should be dedicated to support individual applications.
DG0114  V0015119  II   DBMS files critical for DBMS recovery should be stored on RAID or other high-availability storage devices.
DG0115  V0015625  II   Recovery procedures and technical system features exist to ensure that recovery is done in a secure and verifiable manner.
DG0116  V0015626  II   Database privileged role assignments should be restricted to IAO-authorized DBMS accounts.
DG0118  V0015127  II   The IAM should review changes to DBA role assignments.
DG0123  V0015631  II   Access to DBMS system tables and other configuration or metadata should be restricted to DBAs.
DG0124  V0015632  II   Use of DBA accounts should be restricted to administrative activities.

DG0126  V0015633  II   Password reuse should be prevented where supported by the DBMS.
DG0128  V0015635  I    DBMS default accounts should be assigned custom passwords.
DG0129  V0015636  I    Passwords should be encrypted when transmitted across the network.
DG0130  V0015637  II   DBMS passwords should not be stored in compiled, encoded or encrypted batch jobs or compiled, encoded or encrypted application source code.
DG0131  V0015638  III  DBMS default account names should be changed.
DG0134  V0015640  II   Concurrent connections to the DBMS should be limited and controlled.
DG0140  V0015643  II   Access to DBMS security should be audited.
DG0141  V0015644  II   Attempts to bypass access controls should be audited.
DG0142  V0015645  II   Changes to configuration options should be audited.
DG0145  V0015646  II   Audit records should contain required information.
DG0146  V0015647  II   Audit records should include the reason for blacklisting or disabling DBMS connections or accounts.
DG0151  V0015648  II   Access to the DBMS should be restricted to static, default network ports.
DG0152  V0015148  II   DBMS network communications should comply with PPS usage restrictions.

DG0153  V0015149  III  DBA role assignments should be assigned and authorized by the IAO.
DG0154  V0015150  III  The DBMS requires a System Security Plan containing all required information.
DG0155  V0015649  II   The DBMS should have configured all applicable settings to use trusted files, functions, features, or other components during startup, shutdown, aborts, or other unplanned interruptions.
DG0156  V0015650  III  The IAO for the DBMS should be assigned and authorized by the IAM.
DG0157  V0015651  II   Remote DBMS administration should be documented and authorized or disabled.
DG0158  V0015652  II   DBMS remote administration should be audited.
DG0159  V0015118  II   Remote administrative access to the database should be monitored by the IAO or IAM.
DG0160  V0015653  III  The DBMS should limit failed logins within a specified time period.
DG0161  V0015103  II   An automated tool that monitors audit data and immediately reports suspicious activity should be employed for the DBMS.
DG0167  V0015104  I    Sensitive data served by the DBMS should be protected by encryption when transmitted across the network.
DG0170  V0015655  II   DBMS transaction journaling should be enabled.


DG0171  V0015656  II   The DBMS should not have a connection defined to access or be accessed by a DBMS at a different classification level.
DG0175  V0015116  II   The DBMS host platform and other dependent applications should be configured in compliance with applicable STIG requirements.
DG0176  V0015117  II   The DBMS audit logs should be included in backup operations.
DG0179  V0015658  II   The DBMS warning banner should meet DoD policy requirements.
DG0186  V0015122  II   The database should not be directly accessible from public or unauthorized networks.
DG0187  V0015121  II   DBMS software libraries should be periodically backed up.
DG0190  V0015154  II   Credentials stored and used by the DBMS to access remote databases or applications should be authorized and restricted to authorized users.
DG0192  V0015660  II   Remote database or other external access should use fully-qualified names.
DG0194  V0015108  II   Privileges assigned to developers on shared production and development DBMS hosts and the DBMS should be monitored every three months or more frequently for unauthorized changes.

DG0195  V0015109  II   DBMS production application and data directories should be protected from developers on shared production/development DBMS host systems.
DG0198  V0015662  II   Remote administration of the DBMS should be restricted to known, dedicated and encrypted network addresses and ports.


PDI     VMSID     CAT  Requirement                                                      Vulnerability   Status   Finding Notes
DG0001  V0005658  I    Vendor supported software is evaluated and patched against newly found vulnerabilities.
DG0002  V0004758  II   An upgrade/migration plan should be developed to address an unsupported DBMS software version.
DG0003  V0005659  II   The latest security patches should be installed.
DG0004  V0005683  II   Application object owner accounts should be disabled when not performing installation or maintenance actions.
DG0005  V0006756  II   Only necessary privileges to the host system should be granted to DBA OS accounts.
DG0007  V0006767  II   The database should be secured in accordance with DoD, vendor and commercially accepted practices where applicable.
DG0008  V0015607  II   Application objects should be owned by accounts authorized for ownership.
DG0009  V0015608  II   Access to DBMS software files and directories should not be granted to unauthorized users.
DG0010  V0002420  III  Database executable and configuration files should be monitored for unauthorized modifications.
DG0011  V0003726  III  Configuration management procedures should be defined and implemented for database software modifications.
DG0012  V0004754  II   Database data files should not be stored in the same logical storage partition as database application software.
DG0013  V0015126  II   Database backup procedures should be defined, documented and implemented.
DG0014  V0015609  II   Default demonstration and sample database objects and applications should be removed.
DG0015  V0003727  III  Database applications should be restricted from using static DDL statements to modify the application schema.
DG0016  V0003728  III  Unused database components, database application software and database objects should be removed from the DBMS system.
DG0017  V0003803  II   System resources and database identifiers should be clearly separated and defined.
DG0019  V0003805  III  Application software should be owned by a Software Application account.
DG0020  V0015129  II   Backup and recovery procedures should be developed, documented, implemented and periodically tested.
DG0021  V0003806  II   A baseline of database application software should be documented and maintained.
DG0025  V0015610  II   The DBMS should use NIST FIPS 140-2 validated cryptography.
DG0029  V0005685  II   Required auditing parameters for database auditing should be set.
DG0030  V0002507  II   Audit trail data should be retained for one year.
DG0031  V0015133  II   Transaction logs should be periodically reviewed for unauthorized modification of data. Users should be notified of the time and date of the last change in data content.
DG0032  V0005686  II   Audit records should be restricted to authorized individuals.
DG0040  V0002422  II   The DBMS software installation account should be restricted to authorized users.
DG0041  V0015110  II   Use of the DBMS installation account should be logged.
DG0042  V0015111  II   Use of the DBMS software installation account should be restricted to DBMS software installation, upgrade and maintenance actions.
DG0050  V0002423  II   Database software, applications and configuration files should be monitored to discover unauthorized changes.
DG0051  V0003808  II   Database job/batch queues should be reviewed regularly to detect unauthorized database job submissions.
DG0052  V0003807  II   All applications that access the database should be logged in the DBMS audit trail where available.
DG0053  V0003809  II   A single database connection configuration file should not be used to configure all database clients.
DG0054  V0015611  III  The audit logs should be periodically monitored to discover DBMS access using unauthorized applications.
DG0060  V0002424  II   All database non-interactive, n-tier connection, and shared accounts that exist should be documented and approved by the IAO.
DG0063  V0015107  II   DBMS privileges to restore database data or other DBMS configurations, features or objects should be restricted to authorized DBMS accounts.
DG0064  V0015120  II   DBMS backup and restoration files should be protected from unauthorized access.
DG0065  V0003810  II   DBMS authentication should require use of a DoD PKI certificate.
DG0066  V0003811  II   Procedures for establishing temporary passwords that meet DoD password requirements for new accounts should be defined, documented and implemented.
DG0067  V0003812  I    Database passwords used by batch and job processes should be stored in encrypted format.
DG0068  V0003813  II   DBMS tools or applications that echo or require a password entry in clear text should be protected from password display.
DG0069  V0015140  II   Procedures and restrictions for import of production data to development databases should be documented, implemented and followed.
DG0070  V0002508  II   Unauthorized user accounts should not exist.
DG0071  V0003815  II   New passwords should be required to differ from old passwords by more than four characters.
DG0073  V0003817  II   Database accounts should not specify account lock times less than the site-approved minimum.
DG0074  V0015130  II   Unapproved inactive or expired database accounts should not be found on the database.
DG0075  V0003818  II   Unauthorized database links should not be defined and active.
DG0076  V0003819  II   Sensitive information from production database exports should be modified after import to a development database.
DG0077  V0003820  II   Production databases should be protected from unauthorized access by developers on shared production/development host systems.
DG0078  V0015613  II   Each database user, application or process should have an individually assigned account.
DG0079  V0015152  II   DBMS login accounts require passwords to meet complexity requirements.
DG0080  V0003821  II   Application user privilege assignment should be reviewed monthly or more frequently to ensure compliance with least privilege and documented policy.
DG0083  V0015102  II   Automated notification of suspicious activity detected in the audit trail should be implemented.
DG0085  V0015615  II   The DBA role should not be assigned excessive or unauthorized privileges.
DG0086  V0015106  II   DBA roles should be periodically monitored to detect assignment of unauthorized or excess privileges.
DG0087  V0015616  III  Sensitive data should be labeled.
DG0088  V0015112  III  The DBMS should be periodically tested for vulnerability management and IA compliance.
DG0089  V0015114  III  Developers should not be assigned excessive privileges on production databases.
DG0090  V0015131  II   Sensitive information stored in the database should be protected by encryption.
DG0091  V0003823  III  Custom and GOTS application source code stored in the database should be protected with encryption or encoding.
DG0092  V0015132  II   Database data files containing sensitive information should be encrypted.
DG0093  V0003825  II   Remote administrative connections to the database should be encrypted.
DG0095  V0003827  II   Audit trail data should be reviewed daily or more frequently.
DG0096  V0015138  III  The DBMS IA policies and procedures should be reviewed annually or more frequently.
DG0097  V0015139  II   Plans and procedures for testing DBMS installations, upgrades, and patches should be defined and followed prior to production implementation.
DG0098  V0015617  II   Access to external objects should be disabled if not required and authorized.
DG0099  V0015618  II   Access to external DBMS executables should be disabled or restricted.
DG0100  V0015619  II   Replication accounts should not be granted DBA privileges.
DG0101  V0015620  II   OS accounts used to execute external procedures should be assigned minimum privileges.
DG0102  V0015141  II   DBMS processes or services should run under custom, dedicated OS accounts.
DG0103  V0015621  II   The DBMS listener should restrict database access by network address.
DG0104  V0015622  III  DBMS service identification should be unique and clearly identify the service.
DG0105  V0015128  II   DBMS application user roles should not be assigned unauthorized privileges.
DG0106  V0015143  II   Database data encryption controls should be configured in accordance with application requirements.
DG0107  V0015144  II   Sensitive data stored in the database should be identified in the System Security Plan and AIS Functional Architecture documentation.
DG0108  V0015145  III  The DBMS restoration priority should be assigned.
DG0109  V0015146  II   The DBMS should not be operated without authorization on a host system supporting other application services.
DG0110  V0015179  II   The DBMS should not share a host supporting an independent security service.
DG0111  V0015147  II   The DBMS data files, transaction logs and audit files should be stored in dedicated directories or disk partitions separate from software or other application files.
DG0112  V0015623  II   DBMS system data files should be stored in dedicated disk directories.
DG0113  V0015624  II   DBMS data files should be dedicated to support individual applications.
DG0115  V0015625  II   Recovery procedures and technical system features exist to ensure that recovery is done in a secure and verifiable manner.
DG0116  V0015626  II   Database privileged role assignments should be restricted to IAO-authorized DBMS accounts.
DG0117  V0015627  II   Administrative privileges should be assigned to database accounts via database roles.
DG0118  V0015127  II   The IAM should review changes to DBA role assignments.
DG0119  V0015628  II   DBMS application users should not be granted administrative privileges to the DBMS.
DG0120  V0015105  II   Unauthorized access to external database objects should be removed from application user roles.
DG0121  V0015629  II   Application user privileges should be restricted to assignment using application user roles.
DG0122  V0015630  II   Access to sensitive data should be restricted to authorized users identified by the Information Owner.
DG0123  V0015631  II   Access to DBMS system tables and other configuration or metadata should be restricted to DBAs.
DG0124  V0015632  II   Use of DBA accounts should be restricted to administrative activities.
DG0125  V0015153  II   DBMS account passwords should be set to expire every 60 days or more frequently.
DG0126  V0015633  II   Password reuse should be prevented where supported by the DBMS.
DG0127  V0015634  II   DBMS account passwords should not be set to easily guessed words or values.
DG0128  V0015635  I    DBMS default accounts should be assigned custom passwords.
DG0129  V0015636  I    Passwords should be encrypted when transmitted across the network.
DG0130  V0015637  II   DBMS passwords used by batch jobs or executables should not be stored in the job or executable files.
DG0133  V0015639  II   Unlimited account lock times should be specified for locked accounts.
DG0135  V0015641  II   Users should be alerted upon login of previous successful connections or unsuccessful attempts to access their account.
DG0138  V0015642  II   Access grants to sensitive data should be restricted to authorized user roles.
DG0140  V0015643  II   Access to DBMS security should be audited.
DG0141  V0015644  II   Attempts to bypass access controls should be audited.
DG0142  V0015645  II   Changes to configuration options should be audited.
DG0145  V0015646  II   Audit records should contain required information.
DG0146  V0015647  II   Audit records should include the reason for blacklisting or disabling DBMS connections or accounts.
DG0152  V0015148  II   DBMS network communications should comply with PPS usage restrictions.
DG0153  V0015149  III  DBA role assignments should be assigned and authorized by the IAO.
DG0154  V0015150  III  The DBMS requires a System Security Plan containing all required information.
DG0155  V0015649  II   The DBMS should verify trustworthiness of data and configuration files at startup.
DG0157  V0015651  II   Remote DBMS administration should be documented and authorized or disabled.
DG0158  V0015652  II   DBMS remote administration should be audited.
DG0159  V0015118  II   Remote administrative access to the database should be monitored by the IAO or IAM.
DG0161  V0015103  II   An automated tool that monitors audit data and immediately reports suspicious activity should be employed for the DBMS.
DG0165  V0015654  II   DBMS symmetric keys should be protected in accordance with NSA or NIST-approved key management technology or processes.
 PDI    VMSID     CAT          Requirement             Vulnerability   Status   Finding Notes

DG0166 V0015142    II   Asymmetric keys should use
                        DoD PKI Certificates and be
                        protected in accordance with
                        NIST (unclassified data) or
                        NSA (classified data)
                        approved key management
                        and processes.

DG0167 V0015104    I    Sensitive data served by the
                        DBMS should be protected
                        by encryption when
                        transmitted across the
                        network.

DG0171 V0015656    II   The DBMS should not have
                        a connection defined to
                        access or be accessed by a
                        DBMS at a different
                        classification level.

DG0172 V0015657    II   Changes to DBMS security
                        labels should be audited.

DG0175 V0015116    II   The DBMS host platform
                        and other dependent
                        applications should be
                        configured in compliance
                        with applicable STIG
                        requirements.
DG0176 V0015117    II   The DBMS audit logs should
                        be included in backup
                        operations.



DG0179 V0015658    II   The DBMS warning banner
                        should meet DoD policy
                        requirements.



DG0186 V0015122    II   The database should not be
                        directly accessible from
                        public or unauthorized
                        networks.


DG0187 V0015121    II   DBMS software libraries
                        should be periodically
                        backed up.
 PDI    VMSID     CAT           Requirement               Vulnerability   Status   Finding Notes

DG0190 V0015154    II   Credentials stored and used
                        by the DBMS to access
                        remote databases or
                        applications should be
                        authorized and restricted to
                        authorized users.
DG0191 V0015659    II   Credentials used to access
                        remote databases should be
                        protected by encryption and
                        restricted to authorized users.


DG0192 V0015660    II   Remote database or other
                        external access should use
                        fully-qualified names.
DG0194 V0015108    II   Privileges assigned to
                        developers on shared
                        production and development
                        DBMS hosts and the DBMS
                        should be monitored every
                        three months or more
                        frequently for unauthorized
                        changes.
DG0195 V0015109    II   DBMS production application
                        and data directories should
                        be protected from
                        developers on shared
                        production/development
                        DBMS host systems.

DG0198 V0015662    II   Remote administration of the
                        DBMS should be restricted
                        to known, dedicated and
                        encrypted network
                        addresses and ports.

DO0120 V0003842    II   The Oracle software
                        installation account should
                        not be granted excessive
                        host system privileges.


DO0140 V0002511    II   Access to the Oracle SYS
                        and SYSTEM accounts
                        should be restricted to
                        authorized DBAs.
DO0145 V0003845   III   OS DBA group membership
                        should be restricted to
                        authorized accounts.
 PDI    VMSID     CAT           Requirement             Vulnerability   Status   Finding Notes

DO0155 V0003846    II   Only authorized system
                        accounts should have the
                        SYSTEM tablespace
                        specified as the default
                        tablespace.
DO0157 V0003847   III   Database application user
                        accounts should be denied
                        storage usage for object
                        creation within the database.

DO0190 V0002515    II   The audit table should be
                        owned by SYS or SYSTEM.

DO0210 V0002516    II   Access to default accounts
                        used to support replication
                        should be restricted to
                        authorized DBAs.

DO0220 V0002517    II   Oracle instance names
                        should not contain Oracle
                        version numbers.
DO0221 V0003848   III   The Oracle SID should not
                        be the default SID.
DO0231 V0003849    II   Application owner accounts
                        should have a dedicated
                        application tablespace.

DO0233 V0015747    II   The directory assigned to the
                        DIAGNOSTIC_DEST
                        parameter should be
                        protected from unauthorized
                        access.
DO0234 V0003850    II   The directory assigned to the
                        AUDIT_FILE_DEST
                        parameter should be
                        protected from unauthorized
                        access.
DO0235 V0003851    II   The directory assigned to the
                        USER_DUMP_DEST
                        parameter should be
                        protected from unauthorized
                        access.
DO0236 V0003852    II   The directory assigned to the
                        BACKGROUND_DUMP_DE
                        ST parameter should be
                        protected from unauthorized
                        access.

DO0237 V0003853    II   The directory assigned to the
                        CORE_DUMP_DEST
                        parameter should be
                        protected from unauthorized
                        access.
 PDI    VMSID     CAT           Requirement            Vulnerability   Status   Finding Notes

DO0238 V0003854    II   The directories assigned to
                        the LOG_ARCHIVE_DEST*
                        parameters should be
                        protected from unauthorized
                        access.

DO0240 V0002519   III   The Oracle OS_ROLES
                        parameter should be set to
                        FALSE.
DO0243 V0003857    II   The Oracle
                        _TRACE_FILES_PUBLIC
                        parameter if present should
                        be set to FALSE.
DO0250 V0002520    II   Fixed user and public
                        database links should be
                        authorized for use.
DO0260 V0002521    II   A minimum of two Oracle
                        control files should be
                        defined and configured to be
                        stored on separate, archived
                        physical disks or archived
                        partitions on a RAID device.

DO0270 V0002522    II   A minimum of two Oracle
                        redo log groups/files should
                        be defined and configured to
                        be stored on separate,
                        archived physical disks or
                        archived directories on a
                        RAID device.

DO0286 V0003862    II   The Oracle
                        INBOUND_CONNECT_TIME
                        OUT and
                        SQLNET.INBOUND_CONNE
                        CT_TIMEOUT parameters
                        should be set to a value
                        greater than 0.
DO0287 V0003863    II   The Oracle
                        SQLNET.EXPIRE_TIME
                        parameter should be set to a
                        value greater than 0.


DO0320 V0003437    II   Application role permissions
                        should not be assigned to
                        the Oracle PUBLIC role.

DO0340 V0003438    II   Oracle application
                        administration roles should
                        be disabled if not required
                        and authorized.
 PDI    VMSID     CAT           Requirement             Vulnerability   Status   Finding Notes

DO0350 V0003439    II   Oracle system privileges
                        should not be directly
                        assigned to unauthorized
                        accounts.
DO0360 V0003440    II   Connections by mid-tier web
                        and application systems to
                        the Oracle DBMS should be
                        protected, encrypted and
                        authenticated according to
                        database, web, application,
                        enclave and network
                        requirements.

DO0420 V0003865   III   The XDB Protocol server
                        should be uninstalled if not
                        required and authorized for
                        use.
DO0430 V0003866   III   The Oracle Management
                        Agent should be uninstalled
                        if not required and
                        authorized or is installed on
                        a database accessible from
                        the Internet.

DO3440 V0002527    II   The DBA role should not be
                        granted to unauthorized user
                        accounts.
DO3447 V0002531   III   The Oracle
                        OS_AUTHENT_PREFIX
                        parameter should be
                        changed from the default
                        value of OPS$.
DO3451 V0002533    II   The Oracle WITH GRANT
                        OPTION privilege should not
                        be granted to non-DBA or
                        non-Application
                        administrator user accounts.

DO3475 V0002539    II   Execute permission should
                        be revoked from PUBLIC for
                        restricted Oracle packages.

DO3536 V0002552    II   The IDLE_TIME profile
                        parameter should be set for
                        Oracle profiles IAW DoD
                        policy.
DO3538 V0002554    I    The Oracle
                        REMOTE_OS_AUTHENT
                        parameter should be set to
                        FALSE.
 PDI    VMSID     CAT           Requirement              Vulnerability   Status   Finding Notes

DO3539 V0002555    I    The Oracle
                        REMOTE_OS_ROLES
                        parameter should be set to
                        FALSE.
DO3540 V0002556    II   The Oracle
                        SQL92_SECURITY
                        parameter should be set to
                        TRUE.
DO3546 V0002558    II   The Oracle
                        REMOTE_LOGIN_PASSWO
                        RDFILE parameter should
                        be set to EXCLUSIVE or
                        NONE.
DO3609 V0002561    II   System privileges granted
                        using the WITH ADMIN
                        OPTION should not be
                        granted to unauthorized user
                        accounts.
DO3610 V0002562    II   Required object auditing
                        should be configured.
DO3612 V0002564    II   System Privileges should not
                        be granted to PUBLIC.
DO3622 V0002574    II   Oracle roles granted using
                        the WITH ADMIN OPTION
                        should not be granted to
                        unauthorized accounts.
DO3630 V0002608    I    The Oracle Listener should
                        be configured to require
                        administration authentication.



DO3685 V0002586   III   The Oracle
                        O7_DICTIONARY_ACCESSI
                        BILITY parameter should be
                        set to FALSE.
DO3686 V0002587    I    Oracle accounts should not
                        have permission to view the
                        table SYS.LINK$ which
                        contain unencrypted
                        database link passwords.
DO3689 V0002589    II   Object permissions granted
                        to PUBLIC should be
                        restricted.
DO3696 V0002593    II   The Oracle
                        RESOURCE_LIMIT
                        parameter should be set to
                        TRUE.
DO3847 V0002607    II   Oracle passwords should not
                        be stored unencrypted in the
                        spoolmain.log file.
 PDI    VMSID     CAT           Requirement            Vulnerability   Status   Finding Notes

DO5037 V0002612    II   Oracle SQLNet and listener
                        log files should not be
                        accessible to unauthorized
                        users.


DO6740 V0003497    II   The Oracle Listener
                        ADMIN_RESTRICTIONS
                        parameter if present should
                        be set to ON.


DO6746 V0016031   III   The Oracle listener.ora file
                        should specify IP addresses
                        rather than host names to
                        identify hosts.


DO6747 V0016032    II   Remote administration
                        should be disabled for the
                        Oracle connection manager.



DO6748 V0016033    II   Case sensitivity for
                        passwords should be
                        enabled.
DO6749 V0016035    II   The Oracle
                        SEC_MAX_FAILED_LOGIN_
                        ATTEMPTS parameter
                        should be set to an IAO-
                        approved value between 1
                        and 3.
DO6750 V0016053    II   The Oracle
                        SEC_PROTOCOL_ERROR_
                        FURTHER_ACTION
                        parameter should be set to a
                        value of DELAY or DROP.
DO6751 V0016057    II   The SQLNet
                        SQLNET.ALLOWED_LOGO
                        N_VERSION parameter
                        should be set to a value of
                        10 or higher.
DO6752 V0016054    II   The Oracle
                        SEC_PROTOCOL_ERROR_
                        TRACE_ACTION parameter
                        should not be set to NONE.

DO6753 V0016055    II   Oracle Application Express
                        or Oracle HTML DB should
                        not be installed on a
                        production database.
 PDI    VMSID     CAT          Requirement          Vulnerability   Status   Finding Notes

DO6754 V0016056    II   Oracle Configuration
                        Manager should not remain
                        installed on a production
                        system.
      Section

Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation

Oracle 9i
Installation, Oracle
10g Installation

Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation

Oracle 9i DB,
Oracle 11g DB



Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation

Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation

Oracle 9i DB,
Oracle 11g DB

Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation

Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
      Section

Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation

Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation

Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation

Oracle 9i DB,
Oracle 11g DB


Oracle 9i DB,
Oracle 11g DB



Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation

Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation

Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation

Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
      Section

Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation

Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation

Oracle 9i DB,
Oracle 11g DB

Oracle 9i DB,
Oracle 11g DB
Oracle 9i DB,
Oracle 11g DB




Oracle 9i DB,
Oracle 11g DB

Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation

Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation

Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation

Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
      Section

Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation

Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation

Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation

Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation

Oracle 9i DB,
Oracle 11g DB




Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation

Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation

Oracle 11g DB


Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
      Section

Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation

Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation

Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation

Oracle 9i DB,
Oracle 11g DB
Oracle 9i DB,
Oracle 11g DB


Oracle 9i DB,
Oracle 11g DB


Oracle 9i DB,
Oracle 11g DB


Oracle 9i DB,
Oracle 11g DB

Oracle 9i DB,
Oracle 11g DB



Oracle 9i DB,
Oracle 11g DB




Oracle 9i DB,
Oracle 11g DB


Oracle 9i DB,
Oracle 11g DB
      Section

Oracle 9i DB,
Oracle 11g DB




Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation

Oracle 9i DB,
Oracle 11g DB

Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation

Oracle 9i DB,
Oracle 11g DB
Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation

Oracle 9i DB,
Oracle 11g DB


Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation

Oracle 9i DB,
Oracle 11g DB



Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
      Section

Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation

Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation

Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation

Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation


Oracle 9i DB,
Oracle 11g DB

Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation

Oracle 9i DB,
Oracle 11g DB

Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation

Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
      Section

Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation

Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation

Oracle 9i DB,
Oracle 11g DB


Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation

Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation

Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation

Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation

Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation

Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
      Section

Oracle 9i DB,
Oracle 11g DB

Oracle 9i DB,
Oracle 11g DB

Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation

Oracle 9i DB,
Oracle 11g DB



Oracle 9i DB,
Oracle 11g DB


Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation

Oracle 9i DB,
Oracle 11g DB


Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation

Oracle 9i DB,
Oracle 11g DB


Oracle 9i DB,
Oracle 11g DB


Oracle 9i DB,
Oracle 11g DB



Oracle 9i DB,
Oracle 11g DB
      Section

Oracle 9i DB,
Oracle 11g DB


Oracle 9i DB,
Oracle 11g DB

Oracle 9i DB,
Oracle 11g DB

Oracle 9i DB,
Oracle 11g DB

Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation

Oracle 9i DB,
Oracle 11g DB


Oracle 9i DB,
Oracle 11g DB

Oracle 9i DB,
Oracle 11g DB



Oracle 9i DB,
Oracle 11g DB

Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation

Oracle 9i DB,
Oracle 11g DB

Oracle 9i DB,
Oracle 11g DB
Oracle 9i DB,
Oracle 11g DB

Oracle 9i DB,
Oracle 11g DB
      Section

Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation

Oracle 9i DB,
Oracle 11g DB

Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation

Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation

Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation

Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation

Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation

Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation

Oracle 9i DB,
Oracle 11g DB
      Section

Oracle 9i DB,
Oracle 11g DB




Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation

Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation

Oracle 9i DB,
Oracle 11g DB

Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation

Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation

Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation

Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation

Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
      Section

Oracle 9i DB,
Oracle 11g DB




Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation

Oracle 9i DB,
Oracle 11g DB

Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation



Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation


Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation

Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation

Oracle 9i DB,
Oracle 11g DB


Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
     Section

Oracle 9i DB,
Oracle 11g DB



Oracle 9i DB,
Oracle 11g DB



Oracle 9i DB,
Oracle 11g DB

Oracle 9i DB,
Oracle 11g DB



Oracle 9i DB,
Oracle 11g DB

Oracle 9i DB,
Oracle 11g DB
Oracle 9i DB,
Oracle 11g DB


Oracle 11g DB




Oracle 9i DB,
Oracle 11g DB



Oracle 9i DB




Oracle 9i DB




Oracle 9i DB
      Section

Oracle 9i DB,
Oracle 11g DB




Oracle 9i DB,
Oracle 11g DB

Oracle 9i DB,
Oracle 11g DB


Oracle 9i DB,
Oracle 11g DB

Oracle 9i DB,
Oracle 11g DB




Oracle 9i DB,
Oracle 11g DB




Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation


Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation

Oracle 9i DB,
Oracle 11g DB


Oracle 9i DB,
Oracle 11g DB
      Section

Oracle 9i DB,
Oracle 11g DB


Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation




Oracle 9i DB,
Oracle 11g DB


Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation


Oracle 9i DB,
Oracle 11g DB

Oracle 9i DB,
Oracle 11g DB



Oracle 9i DB,
Oracle 11g DB




Oracle 9i DB,
Oracle 11g DB


Oracle 9i DB,
Oracle 11g DB


Oracle 9i DB,
Oracle 11g DB
      Section

Oracle 9i DB,
Oracle 11g DB


Oracle 9i DB,
Oracle 11g DB


Oracle 9i DB,
Oracle 11g DB



Oracle 9i DB,
Oracle 11g DB



Oracle 9i DB,
Oracle 11g DB
Oracle 9i DB,
Oracle 11g DB
Oracle 9i DB,
Oracle 11g DB


Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation

Oracle 9i DB,
Oracle 11g DB


Oracle 9i DB




Oracle 9i DB,
Oracle 11g DB

Oracle 9i DB,
Oracle 11g DB


Oracle 9i
Installation
      Section

Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation

Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation

Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation

Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation

Oracle 11g
Installation

Oracle 11g
Installation




Oracle 11g
Installation



Oracle 10g
Installation, Oracle
11g Installation


Oracle 11g
Installation



Oracle 10g
Installation, Oracle
11g Installation
      Section

Oracle 10g
Installation, Oracle
11g Installation
   ____ Checklist _V_R_ (<date>)                                          <Test> - TN <Ticket Number>
  PDI   VMSID CAT         Requirement                   Vulnerability   Status   Finding Notes      Section
DG0001 V0005658     I    Vendor supported software                                               SQL7
                         is evaluated and patched                                                Installation,
                         against newly found                                                     SQL8 2000
                         vulnerabilities.                                                        Installation,
                                                                                                 SQL9 2005
                                                                                                 Installation


DG0002 V0004758     II   An upgrade/migration plan                                                SQL7
                         should be developed to                                                   Installation,
                         address an unsupported                                                   SQL8 2000
                         DBMS software version.                                                   Installation,
                                                                                                  SQL9 2005
                                                                                                  Installation


DG0003 V0005659     II   The latest security patches                                              SQL7
                         should be installed.                                                     Installation,
                                                                                                  SQL8 2000
                                                                                                  Installation,
                                                                                                  SQL9 2005
                                                                                                  Installation


DG0004 V0005683     II   Application object owner                                                 SQL7
                         accounts should be disabled                                              Database,
                         when not performing                                                      SQL8 2000
                         installation or maintenance                                              Database,
                         actions.                                                                 SQL9 2005
                                                                                                  Database


DG0005 V0006756     II   Only necessary privileges to                                             SQL7
                         the host system should be                                                Installation,
                         granted to DBA OS accounts.                                              SQL8 2000
                                                                                                  Installation,
                                                                                                  SQL9 2005
                                                                                                  Installation




   Legend:
   R or RAE = Required Ancillary Equipment
   NF = Not a Finding
   NA = Not Applicable                                                              206 of 1286
DG0007 V0006767     II   The database should be                                                  SQL7
                         secured in accordance with                                              Installation,
                         DoD, vendor and/or                                                      SQL8 2000
                         commercially accepted                                                   Installation,
                         practices where applicable.                                             SQL9 2005
                                                                                                 Installation


DG0008 V0015607     II    Application objects should                                                SQL7
                          be owned by accounts                                                      Database,
                          authorized for ownership.                                                 SQL8 2000
                                                                                                    Database,
                                                                                                    SQL9 2005
                                                                                                    Database


DG0009  V0015608  II   Access to DBMS software files and directories should not be granted to unauthorized users.  Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0010  V0002420  III  Database executable and configuration files should be monitored for unauthorized modifications.  Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0011  V0003726  III  Configuration management procedures should be defined and implemented for database software modifications.  Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation




   Legend:
   R or RAE = Required Ancillary Equipment
   NF = Not a Finding
   NA = Not Applicable                                                                207 of 1286
DG0012  V0004754  II   Database software directories including DBMS configuration files are stored in dedicated directories separate from the host OS and other applications.  Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0013  V0015126  II   Database backup procedures should be defined, documented and implemented.  Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0014  V0015609  II   Default demonstration and sample database objects and applications should be removed.  Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0015  V0003727  III  Database applications should be restricted from using static DDL statements to modify the application schema.  Section: SQL7 Database, SQL8 2000 Database, SQL9 2005 Database

DG0016  V0003728  III  Unused database components, database application software and database objects should be removed from the DBMS system.  Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
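Worked check for DG0014 and DG0016 on SQL Server 2005, added as an example and not part of the DISA checklist. It looks for the sample databases that ship with or are commonly installed alongside SQL Server 7/2000/2005 and for optional engine components that are switched on. Which of those are authorized at a given site is a documentation question the query cannot answer; it only produces the list to compare against the documentation.

```sql
-- Added example for DG0014 and DG0016 (SQL Server 2005). The database and
-- option names are the standard ones; nothing here is a site-specific value.

-- 1. Sample and demonstration databases (pubs/Northwind ship with 7.0 and 2000,
--    AdventureWorks is the 2005 sample).
SELECT  name, create_date
FROM    sys.databases
WHERE   name IN ('pubs', 'Northwind', 'AdventureWorks', 'AdventureWorksDW');
-- Remediation after confirming nothing references them:
-- DROP DATABASE Northwind;

-- 2. Optional components that should be off unless documented as required.
--    sys.configurations lists advanced options even when 'show advanced options'
--    is 0, so no sp_configure toggling is needed to read them.
SELECT  name, CAST(value_in_use AS int) AS value_in_use
FROM    sys.configurations
WHERE   name IN ('xp_cmdshell',
                 'Ole Automation Procedures',
                 'SQL Mail XPs',
                 'Database Mail XPs',
                 'Web Assistant Procedures',
                 'Ad Hoc Distributed Queries',
                 'clr enabled',
                 'remote access',
                 'cross db ownership chaining')
  AND   CAST(value_in_use AS int) <> 0;
-- Remediation, for example:
-- EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
-- EXEC sp_configure 'xp_cmdshell', 0;           RECONFIGURE;

-- 3. Engine-level components installed with the instance.
SELECT  SERVERPROPERTY('IsFullTextInstalled')      AS fulltext_installed,
        SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;
```

Rows returned by the second query are findings unless the component appears in the system's documented configuration; the remediation lines are commented out because each needs that documentation check first.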




DG0017  V0003803  II   A production DBMS installation should not coexist on the same DBMS host with other, non-production DBMS installations.  Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0019  V0003805  III  Application software should be owned by a Software Application account.  Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0020  V0015129  II   Backup and recovery procedures should be developed, documented, implemented and periodically tested.  Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0021  V0003806  II   A baseline of database application software should be documented and maintained.  Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0025  V0015610  II   The DBMS should use NIST FIPS 140-2 validated cryptography.  Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation




DG0029  V0005685  II   Required auditing parameters for database auditing should be set.  Section: SQL8 2000 Installation, SQL9 2005 Installation

DG0030  V0002507  II   Audit trail data should be retained for one year.  Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
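Worked check for DG0029 and DG0030 on SQL Server 2005, added as an example and not part of the DISA checklist. It reads the three places the instance keeps its audit configuration: the login-audit level in the instance's registry hive, the server-wide C2 and default-trace switches, and the trace definitions that say where audit files land and whether they roll over. The one-year retention in DG0030 is then a question about those files, which the query locates but cannot assess.

```sql
-- Added example for DG0029 and DG0030 (SQL Server 2005; the AuditLevel key also
-- exists on SQL Server 2000). Everything shown is whatever the instance reports.

-- 1. Login auditing level, kept in the instance's registry hive:
--    0 = none, 1 = successful logins, 2 = failed logins, 3 = both.
DECLARE @audit_level int;
EXEC master.dbo.xp_instance_regread
     N'HKEY_LOCAL_MACHINE',
     N'Software\Microsoft\MSSQLServer\MSSQLServer',
     N'AuditLevel',
     @audit_level OUTPUT;
SELECT  @audit_level AS login_audit_level,
        CASE @audit_level
             WHEN 0 THEN 'None: finding'
             WHEN 1 THEN 'Successful logins only: failed attempts are not recorded'
             WHEN 2 THEN 'Failed logins only'
             WHEN 3 THEN 'Successful and failed logins'
        END AS meaning;

-- 2. Server-wide audit switches. C2 audit mode writes every security-relevant
--    event to a trace file; the default trace captures DDL and configuration changes.
SELECT  name, CAST(value_in_use AS int) AS value_in_use
FROM    sys.configurations
WHERE   name IN ('c2 audit mode', 'default trace enabled');

-- 3. Active traces: file location, size cap and rollover behaviour decide whether
--    a year of audit data (DG0030) can be kept at all. path is NULL for a rowset
--    trace (a Profiler session), which leaves nothing on disk.
SELECT  id, path, max_size, max_files, is_rollover, is_shutdown, is_default,
        start_time, last_event_time, event_count
FROM    sys.traces;
```

A login-audit level below 2 is the usual DG0029 finding. For DG0030 the reviewer takes the path column to the host and checks that rolled-over trace files are archived rather than overwritten, since max_files bounds what stays in place.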


DG0031  V0015133  II   Transaction logs should be periodically reviewed for unauthorized modification of data. Users should be notified of time and date of the last change in data content.  Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0032  V0005686  II   Audit records should be restricted to authorized individuals.  Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0040  V0002422  II   The DBMS software installation account should be restricted to authorized users.  Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation




DG0041  V0015110  II   Use of the DBMS installation account should be logged.  Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0042  V0015111  II   Use of the DBMS software installation account should be restricted to DBMS software installation, upgrade and maintenance actions.  Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0050  V0002423  II   Database software, applications and configuration files should be monitored to discover unauthorized changes.  Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0051  V0003808  II   Database job/batch queues should be reviewed regularly to detect unauthorized database job submissions.  Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
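Worked review for DG0051 on SQL Server 2005, added as an example and not part of the DISA checklist. On SQL Server the job queue is SQL Server Agent, so the review is over msdb: every job step with its owner, subsystem and proxy, flagging steps that leave T-SQL or reach the operating system, plus jobs changed since the previous review. The review date and the approved owner names are assumptions.

```sql
-- Added example for DG0051 (SQL Server 2005 / SQL Server Agent). The review
-- date and approved owners are assumptions; replace them with the site's values.

-- 1. Every job step with its owner, subsystem and (2005) proxy account. Steps
--    that leave T-SQL (CmdExec, ActiveScripting) or call xp_cmdshell / sp_OA*
--    run under the Agent service or proxy credentials and need explicit approval.
SELECT  j.name                   AS job_name,
        SUSER_SNAME(j.owner_sid) AS owner_login,
        j.enabled,
        j.date_created,
        j.date_modified,
        s.step_id,
        s.subsystem,
        px.name                  AS proxy_name,
        LEFT(s.command, 200)     AS command_preview,
        CASE WHEN s.subsystem IN ('CmdExec', 'ActiveScripting')
               OR s.command LIKE '%xp_cmdshell%'
               OR s.command LIKE '%sp_OA%'
             THEN 'REVIEW' ELSE '' END AS flag
FROM    msdb.dbo.sysjobs AS j
JOIN    msdb.dbo.sysjobsteps AS s   ON s.job_id   = j.job_id
LEFT JOIN msdb.dbo.sysproxies AS px ON px.proxy_id = s.proxy_id
ORDER BY j.name, s.step_id;

-- 2. Jobs added or changed since the last review, and jobs whose owner is not a
--    documented account (a job still owned by a departed DBA's login is common).
SELECT  name, SUSER_SNAME(owner_sid) AS owner_login, enabled, date_created, date_modified
FROM    msdb.dbo.sysjobs
WHERE   date_modified >= '20080101'                                   -- assumed previous review date
   OR   SUSER_SNAME(owner_sid) IS NULL                                -- owner login no longer exists
   OR   SUSER_SNAME(owner_sid) NOT IN ('sa', 'DOMAIN\svc_sqlagent');  -- assumed approved owners
```

Rows flagged REVIEW in the first query and every row of the second are compared against the documented job list; anything absent from it is the unauthorized submission DG0051 is looking for.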


DG0052  V0003807  II   All applications that access the database should be logged in the DBMS audit trail where available.  Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation




DG0054  V0015611  III  The audit logs should be periodically monitored to discover DBMS access using unauthorized applications.  Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0060  V0002424  II   All database non-interactive, n-tier connection, and shared accounts that exist should be documented and approved by the IAO.  Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0063  V0015107  II   DBMS privileges to restore database data or other DBMS configurations, features or objects should be restricted to authorized DBMS accounts.  Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0064  V0015120  II   DBMS backup and restoration files should be protected from unauthorized access.  Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0065  V0003810  II   DBMS authentication should require use of a DoD PKI certificate.  Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation




DG0066  V0003811  II   Procedures for establishing temporary passwords that meet DoD password requirements for new accounts should be defined, documented and implemented.  Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0067  V0003812  I    Database account passwords should be stored in encoded or encrypted format whether stored in database objects, external host files, environment variables or any other storage locations.  Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0068  V0003813  II   DBMS tools or applications that echo or require a password entry in clear text should be protected from password display.  Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0069  V0015140  II   Procedures and restrictions for import of production data to development databases should be documented, implemented and followed.  Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0070  V0002508  II   Unauthorized user accounts should not exist.  Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation




DG0071  V0003815  II   New passwords should be required to differ from old passwords by more than four characters.  Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0072  V0015612  II   Database password changes by users should be limited to one change within 24 hours where supported by the DBMS.  Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0073  V0003817  II   Database accounts should not specify account lock times less than the site-approved minimum.  Section: SQL7 Database, SQL8 2000 Database, SQL9 2005 Database

DG0074  V0015130  II   Unapproved inactive or expired database accounts should not be found on the database.  Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0075  V0003818  II   Unauthorized database links should not be defined and active.  Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
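Worked check for DG0075 on SQL Server 2005, added as an example and not part of the DISA checklist. SQL Server's form of a database link is the linked server, and the security-relevant part is the login mapping: a mapping that applies to all local logins and connects as one fixed remote login lets any local user act with that remote identity. The server name in the remediation line is a placeholder.

```sql
-- Added example for DG0075 (SQL Server 2005). Nothing here is a site value
-- except the placeholder server name in the commented remediation.

SELECT  sv.name                               AS linked_server,
        sv.product,
        sv.provider,
        sv.data_source,
        sv.is_remote_login_enabled,
        sv.is_rpc_out_enabled,                -- permits EXEC against the remote server
        sv.is_data_access_enabled,
        sv.modify_date,
        ISNULL(lp.name, '<all local logins>') AS local_login,   -- local_principal_id 0 = everyone
        ll.uses_self_credential,              -- 1 = caller's own identity is passed through
        ll.remote_name                        AS remote_login,
        CASE WHEN ll.local_principal_id = 0 AND ll.uses_self_credential = 0
             THEN 'REVIEW: every local login connects as a fixed remote login'
             ELSE '' END                      AS flag
FROM    sys.servers AS sv
LEFT JOIN sys.linked_logins     AS ll ON ll.server_id    = sv.server_id
LEFT JOIN sys.server_principals AS lp ON lp.principal_id = ll.local_principal_id
WHERE   sv.is_linked = 1
ORDER BY sv.name, local_login;

-- Remediation for a link that is not documented and approved:
-- EXEC master.dbo.sp_dropserver @server = 'UNAPPROVED_LINK', @droplogins = 'droplogins';
```

Every row is compared against the documented list of approved links; the flag column calls out the mapping pattern that most often turns an approved link into a finding.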




DG0076  V0003819  II   Sensitive information from production database exports should be modified after import to a development database.  Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0077  V0003820  II   Production databases should be protected from unauthorized access by developers on shared production/development host systems.  Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0078  V0015613  II   Each database user, application or process should have an individually assigned account.  Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0079  V0015152  II   DBMS login accounts require passwords to meet complexity requirements.  Section: SQL8 2000 Installation, SQL9 2005 Installation
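Worked account review covering DG0060, DG0070, DG0074, DG0078 and DG0079 on SQL Server 2005, added as an example and not part of the DISA checklist. It inventories every login, then reports the ones that fail a check: not on the IAO-approved list, SQL login without Windows password policy or expiration enforcement, a generic name that may be shared, or an expired login still present. The approved list is constructed for illustration. SQL Server 2005 keeps no last-login timestamp, so the "inactive" half of DG0074 has to come from the login audit trail (DG0029), not from the catalog.

```sql
-- Added example for DG0060/DG0070/DG0074/DG0078/DG0079 (SQL Server 2005).
-- The approved-login list below is constructed; replace it with the IAO's list.

-- 1. Inventory: every login with its type, status and, for SQL logins, whether
--    the Windows password policy (complexity, lockout) and expiration apply.
SELECT  p.name,
        p.type_desc,                                  -- SQL_LOGIN, WINDOWS_LOGIN, WINDOWS_GROUP
        p.is_disabled,
        p.create_date,
        p.modify_date,
        l.is_policy_checked,                          -- NULL for Windows logins (policy lives in AD)
        l.is_expiration_checked,
        LOGINPROPERTY(p.name, 'IsLocked')            AS is_locked,
        LOGINPROPERTY(p.name, 'IsExpired')           AS is_expired,
        LOGINPROPERTY(p.name, 'DaysUntilExpiration') AS days_until_expiration
FROM    sys.server_principals AS p
LEFT JOIN sys.sql_logins AS l ON l.principal_id = p.principal_id
WHERE   p.type IN ('S', 'U', 'G')
  AND   p.name NOT LIKE '##%'                         -- certificate-mapped internal logins
ORDER BY p.type_desc, p.name;

-- 2. Findings against the approved list (constructed; 2005 has no multi-row
--    VALUES, hence UNION ALL). Service and n-tier accounts (DG0060) belong on
--    the list only if the IAO has documented them.
DECLARE @approved TABLE (name sysname PRIMARY KEY);
INSERT INTO @approved (name)
SELECT 'sa'                 UNION ALL
SELECT 'DOMAIN\DBA_Group'   UNION ALL   -- assumed Windows group for DBAs
SELECT 'DOMAIN\svc_appsrv'  UNION ALL   -- assumed n-tier service account (DG0060)
SELECT 'app_login';                     -- assumed SQL login used by the application

SELECT  p.name, p.type_desc, p.is_disabled,
        CASE
          WHEN a.name IS NULL              THEN 'not on approved list (DG0070)'
          WHEN l.is_policy_checked = 0     THEN 'password policy not enforced (DG0079)'
          WHEN l.is_expiration_checked = 0 THEN 'password expiration not enforced (DG0079)'
          WHEN p.name LIKE '%shared%' OR p.name LIKE '%temp%' OR p.name LIKE '%test%'
                                           THEN 'generic name, verify individual assignment (DG0078)'
          WHEN CAST(LOGINPROPERTY(p.name, 'IsExpired') AS int) = 1
                                           THEN 'expired login still present (DG0074)'
        END AS finding
FROM    sys.server_principals AS p
LEFT JOIN sys.sql_logins AS l ON l.principal_id = p.principal_id
LEFT JOIN @approved       AS a ON a.name = p.name
WHERE   p.type IN ('S', 'U', 'G')
  AND   p.name NOT LIKE '##%'
  AND ( a.name IS NULL
     OR l.is_policy_checked = 0
     OR l.is_expiration_checked = 0
     OR p.name LIKE '%shared%' OR p.name LIKE '%temp%' OR p.name LIKE '%test%'
     OR CAST(LOGINPROPERTY(p.name, 'IsExpired') AS int) = 1 )
ORDER BY p.name;

-- 3. A Windows group is one login hiding many people; expand it so DG0078 can be
--    verified (the group must be resolvable from the server).
-- EXEC master.dbo.xp_logininfo 'DOMAIN\DBA_Group', 'members';
```

Disabled logins still appear in both result sets on purpose: DG0074 asks that unapproved inactive accounts not exist, and a disabled login that is not on the approved list is still a finding until it is dropped.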


DG0080  V0003821  II   Application user privilege assignment should be reviewed monthly or more frequently to ensure compliance with least privilege and documented policy.  Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation




DG0083  V0015102  II   Automated notification of suspicious activity detected in the audit trail should be implemented.  Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0084  V0015614  III  The DBMS should be configured to clear residual data from memory, data objects and files, and other storage locations.  Section: SQL9 2005 Installation

DG0085  V0015615  II   The DBA role should not be assigned excessive or unauthorized privileges.  Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0086  V0015106  II   DBA roles should be periodically monitored to detect assignment of unauthorized or excess privileges.  Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation


DG0087 V0015616     III   Sensitive data should be                                                 SQL9 2005
                          labeled.                                                                 Installation

DG0088 V0015112     III   The DBMS should be                                                       SQL7
                          periodically tested for                                                  Installation,
                          vulnerability management                                                 SQL8 2000
                          and IA compliance.                                                       Installation,
                                                                                                   SQL9 2005
                                                                                                   Installation

DG0089  V0015114  III  Developers should not be assigned excessive privileges on production databases.  Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0090  V0015131  II   Sensitive information stored in the database should be protected by encryption.  Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0091  V0003823  III  Custom and GOTS application source code stored in the database should be protected with encryption or encoding.  Section: SQL7 Database, SQL8 2000 Database, SQL9 2005 Database

DG0092  V0015132  II   Database data files containing sensitive information should be encrypted.  Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0093  V0003825  II   Remote administrative connections to the database should be encrypted.  Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0095  V0003827  II   Audit trail data should be reviewed daily or more frequently.  Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0096  V0015138  III  The DBMS IA policies and procedures should be reviewed annually or more frequently.  Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0097  V0015139  II   Plans and procedures for testing DBMS installations, upgrades, and patches should be defined and followed prior to production implementation.  Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0098  V0015617  II   Access to external objects should be disabled if not required and authorized.  Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0099  V0015618  II   Access to external DBMS executables should be disabled or restricted.  Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0100  V0015619  II   Replication accounts should not be granted DBA privileges.  Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0101  V0015620  II   OS accounts used to execute external procedures should be assigned minimum privileges.  Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0102  V0015141  II   DBMS processes or services should run under custom, dedicated OS accounts.  Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0104  V0015622  III  DBMS service identification should be unique and clearly identify the service.  Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0105  V0015128  II   DBMS application user roles should not be assigned unauthorized privileges.  Section: SQL7 Database, SQL8 2000 Database, SQL9 2005 Database

DG0106  V0015143  II   Database data encryption controls should be configured in accordance with application requirements.  Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0107  V0015144  II   Sensitive data stored in the database should be identified in the System Security Plan and AIS Functional Architecture documentation.  Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0108  V0015145  III  The DBMS restoration priority should be assigned.  Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0109  V0015146  II   The DBMS should not be operated without authorization on a host system supporting other application services.  Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0110  V0015179  II   The DBMS should not share a host supporting an independent security service.  Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0111  V0015147  II   The DBMS data files, transaction logs and audit files should be stored in dedicated directories or disk partitions separate from software or other application files.  Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0114  V0015119  II   DBMS files critical for DBMS recovery should be stored on RAID or other high-availability storage devices.  Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0115  V0015625  II   Recovery procedures and technical system features exist to ensure that recovery is done in a secure and verifiable manner.  Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0116  V0015626  II   Database privileged role assignments should be restricted to IAO-authorized DBMS accounts.  Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0117  V0015627  II   Administrative privileges should be assigned to database accounts via database roles.  Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0118  V0015127  II   The IAM should review changes to DBA role assignments.  Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0119  V0015628  II   DBMS application users should not be granted administrative privileges to the DBMS.  Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0120  V0015105  II   Unauthorized access to external database objects should be removed from application user roles.  Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0121  V0015629  II   Application user privileges should be restricted to assignment using application user roles.  Section: SQL7 Database, SQL8 2000 Database, SQL9 2005 Database

DG0122  V0015630  II   Access to sensitive data should be restricted to authorized users identified by the Information Owner.  Section: SQL7 Database, SQL8 2000 Database, SQL9 2005 Database

DG0123  V0015631  II   Access to DBMS system tables and other configuration or metadata should be restricted to DBAs.  Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0124  V0015632  II   Use of DBA accounts should be restricted to administrative activities.  Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0125  V0015153  II   DBMS account passwords should be set to expire every 60 days or more frequently.  Section: SQL9 2005 Installation

DG0127  V0015634  II   DBMS account passwords should not be set to easily guessed words or values.  Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0128  V0015635  I    DBMS default accounts should be assigned custom passwords.  Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0129  V0015636  I    Passwords should be encrypted when transmitted across the network.  Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0130  V0015637  II   DBMS passwords should not be stored in compiled, encoded or encrypted batch jobs or compiled, encoded or encrypted application source code.  Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0131  V0015638  III  DBMS default account names should be changed.  Section: SQL9 2005 Installation

DG0133  V0015639  II   Unlimited account lock times should be specified for locked accounts.  Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0138  V0015642  II   Access grants to sensitive data should be restricted to authorized user roles.  Section: SQL7 Database, SQL8 2000 Database, SQL9 2005 Database

DG0140  V0015643  II   Access to DBMS security should be audited.  Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0141  V0015644  II   Attempts to bypass access controls should be audited.  Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DG0142 V0015645 II Changes to configuration                                                            SQL9 2005
                   options should be audited.                                                          Installation

DG0145 V0015646     II    Audit records should contain                                                 SQL8 2000
                          required information.                                                        Installation,
                                                                                                       SQL9 2005
                                                                                                       Installation


DG0151 V0015648     II    Access to the DBMS should                                                    SQL9 2005
                          be restricted to static, default                                             Installation
                          network ports.

DG0152 V0015148     II    DBMS network                                                                 SQL7
                          communications should                                                        Installation,
                          comply with PPS usage                                                        SQL8 2000
                          restrictions.                                                                Installation,
                                                                                                       SQL9 2005
                                                                                                       Installation


DG0153 V0015149     III   DBA role assignments                                                         SQL7
                          should be assigned and                                                       Installation,
                          authorized by the IAO.                                                       SQL8 2000
                                                                                                       Installation,
                                                                                                       SQL9 2005
                                                                                                       Installation


DG0154 V0015150     III   The DBMS requires a                                                          SQL7
                          System Security Plan                                                         Installation,
                          containing all required                                                      SQL8 2000
                          information.                                                                 Installation,
                                                                                                       SQL9 2005
                                                                                                       Installation


DG0155 V0015649     II    The DBMS should have                                                         SQL7
                          configured all applicable                                                    Installation,
                          settings to use trusted files,                                               SQL8 2000
                          functions, features, or other                                                Installation,
                          components during startup,                                                   SQL9 2005
                          shutdown, aborts, or other                                                   Installation
                          unplanned interruptions.


DG0157 V0015651 II Remote DBMS                                                                     SQL7
                   administration should be                                                        Installation,
                   documented and authorized                                                       SQL8 2000
                   or disabled.                                                                    Installation,
                                                                                                   SQL9 2005
                                                                                                   Installation


DG0158 V0015652     II   DBMS remote administration                                                SQL7
                         should be audited.                                                        Installation,
                                                                                                   SQL8 2000
                                                                                                   Installation,
                                                                                                   SQL9 2005
                                                                                                   Installation


DG0159 V0015118     II   Remote administrative                                                     SQL7
                         access to the database                                                    Installation,
                         should be monitored by the                                                SQL8 2000
                         IAO or IAM.                                                               Installation,
                                                                                                   SQL9 2005
                                                                                                   Installation


DG0161 V0015103     II   An automated tool that                                                    SQL7
                         monitors audit data and                                                   Installation,
                         immediately reports                                                       SQL8 2000
                         suspicious activity should be                                             Installation,
                         employed for the DBMS.                                                    SQL9 2005
                                                                                                   Installation


DG0165 V0015654     II   DBMS symmetric keys                                                       SQL9 2005
                         should be protected in                                                    Database
                         accordance with NSA or
                         NIST-approved key
                         management technology or
                         processes.




DG0166 V0015142 II Asymmetric keys should use                                                     SQL9 2005
                   DoD PKI Certificates and be                                                    Database
                   protected in accordance with
                   NIST (unclassified data) or
                   NSA (classified data)
                   approved key management
                   and processes.

DG0167 V0015104     I    Sensitive data served by the                                             SQL7
                         DBMS should be protected                                                 Installation,
                         by encryption when                                                       SQL8 2000
                         transmitted across the                                                   Installation,
                         network.                                                                 SQL9 2005
                                                                                                  Installation


DG0171 V0015656     II   The DBMS should not have                                                 SQL7
                         a connection defined to                                                  Installation,
                         access or be accessed by a                                               SQL8 2000
                         DBMS at a different                                                      Installation,
                         classification level.                                                    SQL9 2005
                                                                                                  Installation


DG0172 V0015657     II   Changes to DBMS security                                                 SQL9 2005
                         labels should be audited.                                                Database

DG0175 V0015116     II   The DBMS host platform                                                   SQL7
                         and other dependent                                                      Installation,
                         applications should be                                                   SQL8 2000
                         configured in compliance                                                 Installation,
                         with applicable STIG                                                     SQL9 2005
                         requirements.                                                            Installation


DG0176 V0015117     II   The DBMS audit logs should                                               SQL7
                         be included in backup                                                    Installation,
                         operations.                                                              SQL8 2000
                                                                                                  Installation,
                                                                                                  SQL9 2005
                                                                                                  Installation




DG0179 V0015658 II The DBMS warning banner                                                        SQL7
                   should meet DoD policy                                                         Installation,
                   requirements.                                                                  SQL8 2000
                                                                                                  Installation,
                                                                                                  SQL9 2005
                                                                                                  Installation


DG0186 V0015122     II   The database should not be                                               SQL7
                         directly accessible from                                                 Installation,
                         public or unauthorized                                                   SQL8 2000
                         networks.                                                                Installation,
                                                                                                  SQL9 2005
                                                                                                  Installation


DG0187 V0015121     II   DBMS software libraries                                                  SQL7
                         should be periodically                                                   Installation,
                         backed up.                                                               SQL8 2000
                                                                                                  Installation,
                                                                                                  SQL9 2005
                                                                                                  Installation


DG0190 V0015154     II   Credentials stored and used                                              SQL7
                         by the DBMS to access                                                    Installation,
                         remote databases or                                                      SQL8 2000
                         applications should be                                                   Installation,
                         authorized and restricted to                                             SQL9 2005
                         authorized users.                                                        Installation


DG0194 V0015108     II   Privileges assigned to                                                   SQL7
                         developers on shared                                                     Installation,
                         production and development                                               SQL8 2000
                         DBMS hosts and the DBMS                                                  Installation,
                         should be monitored every                                                SQL9 2005
                         three months or more                                                     Installation
                         frequently for unauthorized
                         changes.




DG0195 V0015109 II DBMS production                                                                SQL7
                   application and data                                                           Installation,
                   directories should be                                                          SQL8 2000
                   protected from developers                                                      Installation,
                   on shared                                                                      SQL9 2005
                   production/development                                                         Installation
                   DBMS host systems.

DG0198 V0015662     II   Remote administration of the                                             SQL7
                         DBMS should be restricted                                                Installation,
                         to known, dedicated and                                                  SQL8 2000
                         encrypted network                                                        Installation,
                         addresses and ports.                                                     SQL9 2005
                                                                                                  Installation


DM0510 V0002426     II   C2 Audit mode should be                                                  SQL8 2000
                         enabled or custom audit                                                  Installation,
                         traces defined.                                                          SQL9 2005
                                                                                                  Installation


DM0530 V0002427     II   Fixed Server roles should                                                SQL7
                         have only authorized users                                               Installation,
                         or groups assigned as                                                    SQL8 2000
                         members.                                                                 Installation,
                                                                                                  SQL9 2005
                                                                                                  Installation


DM0531 V0015151     II   Fixed Database roles should                                              SQL7
                         have only authorized users                                               Database,
                         or groups as members.                                                    SQL8 2000
                                                                                                  Database,
                                                                                                  SQL9 2005
                                                                                                  Database


DM0660 V0002436     II   MS SQL Server Instance                                                   SQL8 2000
                          name should not include a                                                 SQL8 2000
                         SQL Server or other                                                      SQL9 2005
                         software version number.                                                 Installation




DM0900 V0003335 II SQL Mail, SQL Mail                                                   SQL7
                   Extended Stored Procedures                                           Installation,
                   (XPs) and Database Mail                                              SQL8 2000
                   XPs are required and                                                 Installation,
                   enabled.                                                             SQL9 2005
                                                                                        Installation


DM0901 V0003336     II   SQL Server Agent email                                         SQL7
                         notification usage if enabled                                  Installation,
                         should be documented and                                       SQL8 2000
                         approved by the IAO.                                           Installation,
                                                                                        SQL9 2005
                                                                                        Installation


DM0919 V0015170     II   SQL Server services should                                     SQL7
                         be assigned least privileges                                   Installation,
                         on the SQL Server Windows                                      SQL8 2000
                         host.                                                          Installation,
                                                                                        SQL9 2005
                                                                                        Installation


DM0920 V0003832     II   A Windows OS DBA group                                         SQL7
                         should exist.                                                  Installation,
                                                                                        SQL8 2000
                                                                                        Installation,
                                                                                        SQL9 2005
                                                                                        Installation


DM0921 V0003833     II   Windows OS DBA group                                           SQL7
                         should contain only                                            Installation,
                         authorized users.                                              SQL8 2000
                                                                                        Installation,
                                                                                        SQL9 2005
                                                                                        Installation




DM0924 V0003835 II The SQL Server service                                                  SQL7
                   should use a least-privileged                                           Installation,
                   local or domain user account.                                           SQL8 2000
                                                                                           Installation,
                                                                                           SQL9 2005
                                                                                           Installation


DM0927 V0003838     II   SQL Server registry keys                                          SQL7
                         should be properly secured.                                       Installation,
                                                                                           SQL8 2000
                                                                                           Installation,
                                                                                           SQL9 2005
                                                                                           Installation


DM0928 V0015169     II   The SQL Server services                                           SQL7
                         should not be assigned                                            Installation,
                         excessive user rights.                                            SQL8 2000
                                                                                           Installation,
                                                                                           SQL9 2005
                                                                                           Installation


DM0929 V0015134     II   The Integration Services                                          SQL9 2005
                         service account should not                                        Installation
                         be assigned excess host
                          system privileges.

DM0933 V0015155     II   The SQL Server Agent                                              SQL7
                         service account should not                                        Installation,
                         be assigned excess user                                           SQL8 2000
                         rights.                                                           Installation,
                                                                                           SQL9 2005
                                                                                           Installation


DM1709 V0002451     II   The guest user account                                            SQL7
                         should be disabled.                                               Database,
                                                                                           SQL8 2000
                                                                                           Database,
                                                                                           SQL9 2005
                                                                                           Database




DM1715 V0002457 II Object permission                                                                SQL7
                   assignments should be                                                            Database,
                   authorized.                                                                      SQL8 2000
                                                                                                    Database,
                                                                                                    SQL9 2005
                                                                                                    Database


DM1749 V0002458     II   Permissions on system                                                      SQL7
                         tables should be restricted to                                             Database,
                         authorized accounts.                                                       SQL8 2000
                                                                                                    Database,
                                                                                                    SQL9 2005
                                                                                                    Database


DM1757 V0002460     II   Direct access to system                                                    SQL7
                         table updates should be                                                    Installation,
                         disabled.                                                                  SQL8 2000
                                                                                                    Installation

DM1758 V0002461     I    Extended stored procedure                                                  SQL7
                         xp_cmdshell should be                                                      Installation,
                         restricted to authorized                                                   SQL8 2000
                         accounts.                                                                  Installation,
                                                                                                    SQL9 2005
                                                                                                    Installation


DM1760 V0002463     II   DDL permissions should be                                                  SQL7
                         granted only to authorized                                                 Database,
                         accounts.                                                                  SQL8 2000
                                                                                                    Database,
                                                                                                    SQL9 2005
                                                                                                    Database


DM1761 V0002464     II   Execute stored procedures                                                  SQL7
                         at startup, if enabled, should                                             Installation,
                         have a custom audit trace                                                  SQL8 2000
                         defined.                                                                   Installation,
                                                                                                    SQL9 2005
                                                                                                    Installation




DM2095 V0002472 II OLE Automation extended                                                       SQL7
                   stored procedures should be                                                   Installation,
                   restricted to sysadmin                                                        SQL8 2000
                   access.                                                                       Installation,
                                                                                                 SQL9 2005
                                                                                                 Installation


DM2119 V0002473  II   Registry extended stored procedures should be restricted to sysadmin access.
                      Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DM2142 V0002485  II   Remote access should be disabled if not authorized.
                      Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DM3566 V0002487  II   SQL Server authentication mode should be set to Windows authentication mode or
                      Mixed mode.
                      Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DM3763 V0002488  II   SQL Server Agent CmdExec or ActiveScripting jobs should be restricted to sysadmins.
                      Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation




   Legend:
   R or RAE = Required Ancillary Equipment
   NF = Not a Finding
   NA = Not Applicable                                                             233 of 1286
DM3930 V0015137  II   Error log retention should be set to meet log retention policy.
                      Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DM5144 V0002498  II   Permissions using the WITH GRANT OPTION should be granted only to DBA or
                      application administrator accounts.
                      Section: SQL7 Database, SQL8 2000 Database, SQL9 2005 Database

DM5267 V0002500  II   Trace Rollover should be enabled for audit traces that have a maximum trace
                      file size.
                      Section: SQL8 2000 Installation, SQL9 2005 Installation

DM6015 V0015124  II   The Named Pipes network protocol should be documented and approved if enabled.
                      Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DM6030 V0015176  II   SQL Server event forwarding, if enabled, should be operational.
                      Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DM6045 V0015125  II   Only authorized users should be assigned permissions to SQL Server Agent proxies.
                      Section: SQL9 2005 Installation




DM6065 V0015113  II   SQL Server replication agents should be run under separate and dedicated OS
                      accounts.
                      Section: SQL9 2005 Installation

DM6070 V0015178  II   Replication databases should have authorized db_owner role members. The
                      replication monitor role should have authorized members.
                      Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DM6075 V0015182  II   Replication snapshot folders should be protected from unauthorized access.
                      Section: SQL9 2005 Installation

DM6085 V0015183  II   The Analysis Services ad hoc data mining queries configuration option should be
                      disabled if not required.
                      Section: SQL9 2005 Installation

DM6086 V0015184  II   Analysis Services Anonymous Connections should be disabled.
                      Section: SQL9 2005 Installation

DM6087 V0015204  II   Analysis Services Links to Objects should be disabled if not required.
                      Section: SQL9 2005 Installation

DM6088 V0015186  II   Analysis Services Links From Objects should be disabled if not required.
                      Section: SQL9 2005 Installation

DM6099 V0015181  II   Analysis Services user-defined COM functions should be disabled if not required.
                      Section: SQL9 2005 Installation

DM6101 V0015188  I    Analysis Services Required Protection Level should be set to 1.
                      Section: SQL9 2005 Installation

DM6103 V0015190  II   Analysis Services Security Package List should be disabled if not required.
                      Section: SQL9 2005 Installation

DM6108 V0015193  II   The Analysis Services server role should be restricted to authorized users.
                      Section: SQL9 2005 Installation




DM6109 V0015194  II   Only authorized accounts should be assigned to one or more Analysis Services
                      database roles.
                      Section: SQL9 2005 Installation

DM6120 V0015199  III  Reporting Services Web service requests and HTTP access should be disabled if
                      not required.
                      Section: SQL9 2005 Installation

DM6121 V0015205  III  Reporting Services scheduled events and report delivery should be disabled if
                      not required.
                      Section: SQL9 2005 Installation

DM6122 V0015203  II   Reporting Services Windows Integrated Security should be disabled.
                      Section: SQL9 2005 Installation

DM6123 V0015202  III  Use of Common Language Runtime (CLR) objects should be disabled if not required.
                      Section: SQL9 2005 Installation

DM6126 V0015206  II   Only authorized XML Web Service endpoints should be configured on the server.
                      Section: SQL9 2005 Installation

DM6128 V0015165  II   Only authorized service broker endpoints should be configured on the server.
                      Section: SQL9 2005 Installation

DM6130 V0015198  II   The Web Assistant procedures configuration option should be disabled if not
                      required.
                      Section: SQL9 2005 Installation

DM6140 V0015197  II   Dedicated accounts should be designated for SQL Server Agent proxies.
                      Section: SQL9 2005 Installation

DM6145 V0015196  II   Only authorized SQL Server proxies should be assigned access to subsystems.
                      Section: SQL9 2005 Installation

DM6150 V0015201  II   Cross database ownership chaining, if required, should be documented and
                      authorized by the IAO.
                      Section: SQL9 2005 Installation

DM6155 V0015187  II   Linked server providers should not allow ad hoc access.
                      Section: SQL9 2005 Installation


DM6160 V0015166  II   Database Engine Ad Hoc distributed queries should be disabled.
                      Section: SQL9 2005 Installation

DM6175 V0015159  II   The Database Master Key encryption password should meet DoD password complexity
                      requirements.
                      Section: SQL9 2005 Database

DM6179 V0015161  II   The Database Master Key should be encrypted by the Service Master Key where
                      required.
                      Section: SQL9 2005 Database

DM6180 V0015162  II   Database Master Key passwords should not be stored in credentials within the
                      database.
                      Section: SQL9 2005 Database

DM6183 V0015168  II   Symmetric keys should use a master key, certificate, or asymmetric key to encrypt
                      the key.
                      Section: SQL9 2005 Database

DM6184 V0015164  II   Asymmetric keys should be derived from DoD PKI certificates.
                      Section: SQL9 2005 Database

DM6185 V0015185  II   Asymmetric private key encryption should use an authorized encryption type.
                      Section: SQL9 2005 Database

DM6188 V0015177  II   The Service Master Key should be backed up, stored offline and off site.
                      Section: SQL9 2005 Database

DM6189 V0015167  II   The data directory should specify a dedicated disk partition and restricted
                      access.
                      Section: SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation

DM6193 V0015180  II   Only authorized users should be granted access to Analysis Services data sources.
                      Section: SQL9 2005 Installation

DM6195 V0015173  II   Database TRUSTWORTHY status should be authorized and documented or set to off.
                      Section: SQL9 2005 Installation


DM6196 V0015172  II   Object permissions should not be assigned to PUBLIC or GUEST.
                      Section: SQL7 Database, SQL8 2000 Database, SQL9 2005 Database

DM6197 V0015171  II   Predefined roles should not be assigned to GUEST.
                      Section: SQL7 Database, SQL8 2000 Database

DM6198 V0015210  II   The Agent XPs option should be set to disabled if not required.
                      Section: SQL9 2005 Installation

DM6199 V0015211  II   The SMO and DMO XPs option should be set to disabled if not required.
                      Section: SQL9 2005 Installation
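Many of the SQL Server rows above (DM2119, DM2142, DM3930, DM5144, DM6045, DM6123, DM6126, DM6128, DM6130, DM6140, DM6145, DM6150, DM6160, DM6195, DM6196, DM6198, DM6199) can be evidenced from a query window rather than by clicking through Management Studio. The T-SQL below is an added audit script written for this page, not a check procedure from the DISA checklist or from Microsoft; it targets SQL Server 2005 (the SQL9 2005 rows), assumes it is run by a sysadmin login, and only reads state. Object, proxy and database names in its output are whatever the audited instance contains; nothing in it refers to a real environment.

```sql
-- Added audit script for the SQL9 2005 rows of the checklist (not DISA's own
-- check text). Read-only; run as sysadmin. Instance-level checks first.
USE master;
GO

-- DM2142, DM6123, DM6130, DM6150, DM6160, DM6198, DM6199: instance options.
-- sys.configurations lists advanced options without touching
-- "show advanced options". Every row should be 0 unless the Finding Notes
-- record the authorization.
SELECT name, value_in_use,
       CASE WHEN value_in_use = 0 THEN 'NF' ELSE 'REVIEW' END AS status
FROM   sys.configurations
WHERE  name IN ('remote access',                  -- DM2142
                'clr enabled',                    -- DM6123
                'Web Assistant Procedures',       -- DM6130
                'cross db ownership chaining',    -- DM6150 (instance-wide)
                'Ad Hoc Distributed Queries',     -- DM6160
                'Agent XPs',                      -- DM6198
                'SMO and DMO XPs')                -- DM6199
ORDER BY name;

-- DM6150 (per database) and DM6195. msdb is TRUSTWORTHY by default; any other
-- database with either flag set needs IAO documentation.
SELECT name, is_db_chaining_on, is_trustworthy_on
FROM   sys.databases
WHERE  is_db_chaining_on = 1
   OR (is_trustworthy_on = 1 AND name <> 'msdb');

-- DM6126, DM6128: every SOAP (XML Web Service) and Service Broker endpoint
-- must appear on the authorized list kept with the checklist.
SELECT name, protocol_desc, type_desc, state_desc
FROM   sys.endpoints
WHERE  type_desc IN ('SOAP', 'SERVICE_BROKER');

-- DM2119: registry extended stored procedures. sysadmin needs no explicit
-- grant, so every grantee returned here is a candidate finding.
SELECT OBJECT_NAME(p.major_id) AS xp_name, dp.name AS grantee, p.state_desc
FROM   sys.database_permissions p
JOIN   sys.database_principals dp ON dp.principal_id = p.grantee_principal_id
WHERE  p.class = 1                                -- object permission
  AND  OBJECT_NAME(p.major_id) LIKE 'xp[_]reg%'   -- xp_regread, xp_regwrite, ...
  AND  p.state IN ('G', 'W');                     -- GRANT / GRANT WITH GRANT OPTION

-- DM3930: number of error logs retained (6 if the value is absent). Compare
-- with the site's retention policy; xp_instance_regread reports an error
-- rather than a row when the value has never been set.
EXEC master.dbo.xp_instance_regread N'HKEY_LOCAL_MACHINE',
     N'Software\Microsoft\MSSQLServer\MSSQLServer', N'NumErrorLogs';

-- DM6045, DM6140, DM6145: Agent proxies, who may use them, and which
-- subsystems each one is allowed to run. Both procedures list everything
-- when called without parameters.
EXEC msdb.dbo.sp_enum_login_for_proxy;       -- proxy -> authorized logins/roles
EXEC msdb.dbo.sp_enum_proxy_for_subsystem;   -- subsystem -> proxies
GO

-- Per-database checks: run the block below in each user database
-- (USE <database>; first).

-- DM6196: object or column permissions held by PUBLIC or GUEST on user objects.
SELECT dp.name AS grantee, OBJECT_NAME(p.major_id) AS object_name,
       p.permission_name, p.state_desc
FROM   sys.database_permissions p
JOIN   sys.database_principals dp ON dp.principal_id = p.grantee_principal_id
WHERE  dp.name IN ('public', 'guest')
  AND  p.class = 1
  AND  p.state IN ('G', 'W')
  AND  OBJECTPROPERTY(p.major_id, 'IsMSShipped') = 0;   -- skip system objects

-- DM5144: anything held WITH GRANT OPTION (state 'W') must belong to a DBA or
-- application administrator account.
SELECT dp.name AS grantee, p.class_desc, p.permission_name,
       CASE p.class WHEN 1 THEN OBJECT_NAME(p.major_id) ELSE '' END AS object_name
FROM   sys.database_permissions p
JOIN   sys.database_principals dp ON dp.principal_id = p.grantee_principal_id
WHERE  p.state = 'W';
GO
```

A non-empty result is not automatically a finding: DM6150 and DM6195 explicitly allow the setting when it is documented and IAO-authorized, so the reviewer records the authorization in the Finding Notes column and marks the row NF. Rows in the output with no matching authorization are the findings.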




  PDI    VMSID     CAT           Requirement              Vulnerability   Status   Finding Notes

DNS0100 V0013032  II   A name server is not protected by equivalent or better physical access controls
                       than the clients it supports.

DNS0110 V0013034  II   The DNS log archival requirements do not meet or exceed the log archival
                       requirements of the operating system on which the DNS software resides.

DNS0115 V0013035  II   DNS logs are not reviewed daily, or a real-time log analysis or network
                       management tool is not employed to immediately alert an administrator of
                       critical DNS system messages.

DNS0120 V0013036  III  A list of personnel authorized to administer each zone and name server is not
                       maintained.

DNS0125 V0013314  II   A zone or name server does not have a backup administrator.

DNS0130 V0013037  III  A patch and DNS software upgrade log, to include the identity of the
                       administrator and the date and time each patch or upgrade was implemented, is
                       not maintained.

DNS0135 V0013038  II   Operating procedures do not require that DNS configuration, keys, zones, and
                       resource record data are backed up on any day on which there are changes.

DNS0140 V0013039  II   Configuration change logs and justification for changes are not maintained.

DNS0145 V0013040  II   Written procedures for the replacement of cryptographic keys used to secure DNS
                       transactions do not exist.
DNS0150 V0013041  II   The IAO has not established written procedures for the process of updating zone
                       records, who is authorized to submit and approve update requests, how the DNS
                       administrator verifies the identity of the person from whom he/she received the
                       request, and how the DNS administrator documents any changes made.

DNS0160 V0013050  III  The DNS architecture is not documented to include specific roles for each DNS
                       server, the security controls in place, and what networks are able to query
                       each server.

DNS0170 V0013313  II   The underlying operating system of the DNS server is not in compliance with the
                       appropriate OS STIG.

DNS0175 V0013051  I    The DNS server software is either installed on or enabled on an operating
                       system that is no longer supported by the vendor.

DNS0185 V0013053  III  The contents of zones are not reviewed at least annually.

DNS0190 V0013052  III  The SA has not subscribed to ISC's mailing list "bind-announce" for updates on
                       vulnerabilities and software notifications.

DNS0200 V0013042  I    An authoritative master name server does not have at least one and preferably
                       two or more active slave servers for each of its zones. The slave server does
                       not reside on a separate host.

DNS0205 V0013043  I    Name servers authoritative for a zone are not located on separate network
                       segments if the host records described in the zone are themselves located
                       across more than one network segment.
DNS0210 V0013044  II   A zone includes hosts located in more than one building or site, yet at least
                       one of the authoritative name servers supporting the zone is not as
                       geographically and topologically distributed as the most remote host.

DNS0215 V0013045  III  Private IP space is used within an Enclave without the use of split DNS to
                       prevent private IPs from leaking into the public DNS system.

DNS0220 V0013046  III  The DNS database administrator has not documented the owner of each zone (or
                       group of related records) and the date the zone was created, last modified, or
                       verified. This documentation will preferably reside in the zone file itself
                       through comments, but if this is not feasible, the DNS database administrator
                       will maintain a separate database for this purpose.

DNS0225 V0004467  III  Record owners will validate their zones no less than annually. The DNS database
                       administrator will remove all zone records that have not been validated in
                       over a year.

DNS0230 V0004468  III  A zone file includes resource records for a host whose fully qualified domain
                       name resides in another zone. The exception is a glue record or CNAME record
                       supporting a system migration.

DNS0235 V0004469  III  Zone-spanning CNAME records that point to a zone with lesser security are active
                       for more than six months.
DNS0240 V0004470  I    The DNS database administrator has not ensured each NS record in a zone file
                       points to an active name server authoritative for the domain specified in that
                       record.

DNS0250 V0012440  III  A unique TSIG key is not generated and utilized for each type of transaction.

DNS0260 V0012479  II   Computer accounts for DHCP servers are members of the DNSUpdateProxy group.

DNS0400 V0013047  II   The name server software on production name servers is not BIND, Windows 2000
                       or later DNS, or alternatives with equivalent security functionality and
                       support, configured in a manner to satisfy the general security requirements
                       listed in the STIG. The only currently approved alternative is CISCO CSS DNS.

DNS0402 V0014763  I    The name server software on production name servers is not BIND, Windows 2003
                       or later DNS, or alternatives with equivalent vendor support, configured in a
                       manner to satisfy the general security requirements listed in the STIG. The
                       only currently approved alternative is CISCO CSS DNS.

DNS0405 V0013048  II   Hosts outside an enclave can directly query or request a zone transfer from a
                       name server that resides on the internal network (i.e., not in a DMZ).
DNS0415 V0004473  II   DNS software does not run on dedicated (running only those services required
                       for DNS) hardware. The only currently accepted exception to this requirement is
                       Windows 2000/2003 DNS, which must run on a domain controller that is integrated
                       with Active Directory services.

DNS0420 V0004475  II   Permissions on files containing DNS encryption keys are inadequate.

DNS0425 V0004476  II   Users and/or processes other than the DNS software Process ID (PID) and/or the
                       DNS database administrator have edit/write access to the zone database files.

DNS0430 V0004477  II   Users or processes other than the DNS software administrator and the DNS
                       software PID have read access to the DNS software configuration files, and/or
                       users other than the DNS software administrator have write access to these
                       files.

DNS0435 V0004478  II   The name server's IP address is NOT statically defined and configured locally on
                       the server. The name server has a DHCP address.

DNS0440 V0004479  II   An integrity checking tool is not installed or not monitoring for modifications
                       to the root.hints and named.conf files.

DNS0445 V0004480  II   A cryptographic key used to secure DNS transactions has been utilized on a name
                       server for more than one year.

DNS0450 V0004481  I    Dynamic updates are not cryptographically authenticated.
DNS0455 V0004482  I    The DNS software administrator will configure each master/slave server
                       supporting a zone to cryptographically authenticate zone transfers.

DNS0460 V0004483  II   A zone master server does not limit zone transfers to a list of active slave
                       name servers authoritative for that zone.

DNS0470 V0004485  II   A name server is not configured to only accept notifications of zone changes
                       from a host authoritative for that zone.

DNS0475 V0004486  II   Recursion is not prohibited on an authoritative name server.

DNS0480 V0004487  II   A caching name server does not restrict recursive queries to only the IP
                       addresses and IP address ranges of known supported clients.

DNS0482 V0012774  II   The forwarding configuration of DNS servers allows the forwarding of queries to
                       servers controlled by organizations outside of the U.S. Government.

DNS0485 V0004488  I    The DNS software does not log, at a minimum, success and failure of starting
                       and stopping of the name server service daemon, zone transfers, zone update
                       notifications, and dynamic updates.

DNS0490 V0004489  II   The DNS software administrator has not configured the DNS software to send all
                       log data to either the system logging facility (e.g., UNIX syslog or Windows
                       Application Event Log) or an alternative logging facility with security
                       configuration equivalent to or more restrictive than the system logging
                       facility.

DNS0495 V0004490   III   Entries in the name server
                         logs do not contain
                         timestamps and severity
                         information.
DNS0500 V0004491    I    Valid root name servers do
                         not appear in the local root
                         zone file. G and H root
                         servers, at a minimum, do
                         not appear in the local root
                         zone files.
DNS0505 V0004492   III   The DNS software
                         administrator has not
                         removed the root hints file on
                         an authoritative name server
                         in order for it to resolve only
                         those records for which it is
                         authoritative, and ensure
                         that all other queries are
                         refused.
DNS0705 V0004493   III   The DNS software
                         administrator has not utilized
                         at least 160 bit HMAC-SHA1
                         keys if available.

DNS0710 V0004494    II   A TSIG key is not in its own
                         dedicated file.
DNS0715 V0004511    II   A BIND name server is not
                         configured to accept control
                         messages only when the
                         control messages are
                         cryptographically
                         authenticated and sent from
                         an explicitly defined list of
                         DNS administrator
                         workstations.

DNS0720 V0004495    II   A unique TSIG key is not
                         utilized for communication
                         between name servers
                         sharing zone information.
DNS0805 V0004501    I    The DHCP server service is
                         not disabled on any
                         Windows 2000/2003 DNS
                         server that supports dynamic
                         updates.

DNS0810 V0004502    I    Zone transfers are not
                         prohibited or a VPN solution
                         is not implemented that
                         requires cryptographic
                         authentication of
                         communicating devices and
                         is used exclusively by name
                         servers authoritative for the
                         zone.

DNS0815 V0004503    II   Forwarders on an
                         authoritative Windows
                         2000/2003 DNS server are
                         not disabled.
DNS0825 V0004505    I    WINS lookups are not
                         prohibited on a Windows
                         2000 DNS server.
DNS0900 V0004506   III   The shared secret in the
                         APP session(s) was not a
                         randomly generated 32
                         character text string.
DNS0905 V0004507    II   The Cisco CSS DNS is
                         utilized to host the
                         organization's authoritative
                         records and DISA
                         Computing Services does
                         not support that host in its
                         csd.disa.mil domain and
                         associated high-availability
                         server infrastructure.
DNS0910 V0004508   III   Zones are delegated with the
                         CSS DNS.
DNS0915 V0004512    I    CSS DNS does not
                         cryptographically
                         authenticate APP sessions.

DNS0920 V0004509   III   The CSS DNS does not
                         transmit APP session data
                         over an out-of-band network
                         if one is available.
DNS0925 V0004510    II   Forwarders are not disabled
                         on the CSS DNS.
DNS4440 V0003617   III   BIND is not configured to run
                         as a dedicated non-
                         privileged user account.
                         BIND is running as a root
                         user.
DNS4445 V0012967   III   The SA has not configured
                         BIND in a chroot(ed)
                         directory structure.

DNS4450 V0003618    II   A UNIX or UNIX-based
                         name server is running
                         unnecessary
                         daemon/services and/or is
                         configured to start an
                         unnecessary daemon,
                         service, or program upon
                         boot up.
DNS4460 V0003619   III   It is possible to obtain a
                         command shell by logging
                         on to the DNS user account.

DNS4470 V0003620    II   Permissions on critical UNIX
                         name server files are not as
                         restrictive as required.

DNS4480 V0012966    II   Inadequate file permissions
                         on BIND name servers.
DNS4530 V0003621    II   ISC BIND is not configured
                         to run as a dedicated non-
                         privileged service user
                         account.
DNS4540 V0003622   III   The ISC BIND service user
                         is a member of a group other
                         than Everyone and
                         Authenticated Users.
DNS4550 V0003623   III   The ISC BIND service does
                         not have the appropriate
                         user rights required for the
                         proper configuration and
                         security of ISC BIND.
DNS4570 V0003624    II   The appropriate encryption
                         software is not correctly
                         installed and configured on
                         Windows ISC BIND name
                         servers and it is required that
                         in-band remote management
                         be performed from hosts
                         outside the enclave in which
                         the name server resides.

DNS4580 V0003625    II   Shares other than the default
                         administrative shares are
                         enabled on a name server.

DNS4590 V0003626    II   The ownership and
                         permissions on all Windows
                         ISC BIND name servers are
                         not as restrictive as required.

DNS4600 V0014756   III   The DNS administrator will
                         ensure non-routable IPv6
                         link-local scope addresses
                         are not configured in any
                         zone. Such addresses begin
                         with the prefixes "FE8",
                         "FE9", "FEA", or "FEB".

DNS4610 V0014757   III   AAAA addresses are
                         configured on a host that is
                         not IPv6 aware.

DNS4620 V0014758    II   The DNS software
                         administrator will ensure the
                         named.conf options
                         statement does not include
                         the option "listen-on-v6 { any;
                         };" when an IPv6 interface is
                         not configured and enabled.

DNS4630 V0014768    II   The IPv6 protocol is installed
                         and the server is only
                         configured to respond to
                         IPv4 A records.
DNS4640 V0014759   III   The DNS administrator,
                         when implementing
                         DNSSEC, will create and
                         maintain separate key-pairs
                         for key signing and zone
                         signing.
DNS4650 V0014760   III   The DNSSEC algorithm for
                         digital signatures is not
                         RSASHA1.
DNS4660 V0014761   III   The DNSSEC key signing
                         key is not at least 2048 bits.

DNS4670 V0014762   III   The DNSSEC key signing
                         key does not have a
                         minimum roll over period of
                         one year.
DNS4680 V0014764   III   The DNSSEC zone signing
                         key size is not at least 1024
                         bits.
DNS4690 V0014765   III   The DNSSEC zone signing
                         key minimum roll over period
                         is not at least 60 days.

DNS4700 V0014766    I    The DNSSEC private key file
                         is not owned by the DNS
                         administrator or the
                         permissions are not set to a
                         minimum of 600.

DNS4710 V0014767    II   DNSSEC is not enabled for
                         signing files between name
                         servers with DNSSEC
                         capabilities.
DNS4720 V0024996    I    The DNS server will not use
                         a statically configured source
                         port for all DNS query traffic.

DNS4730 V0024997    II   All DNS caching resolvers
                         (A/K/A "recursive name
                         servers") will have port and
                         Query ID randomization
                         enabled for all DNS
                         query packets/frames.
EN540   V0004027    II   Servers do not employ Host
                         Based Intrusion Detection
                         (HIDS).
    Section (column of the DNS checklist table, spilled out of its rows during
    extraction; the values are in row order and are re-associated with rows below
    by matching the per-page row counts)

    Rows on the preceding DNS checklist pages (rows not reproduced here), 36 rows:
      DNS Policy x8
      DNS Policy x8
      DNS Policy x3; BIND DNS, Cisco CSS DNS, Windows DNS; BIND DNS, Windows DNS; BIND DNS, Cisco CSS DNS, Windows DNS
      BIND DNS, Windows DNS; BIND DNS; Windows DNS; DNS Policy x3
      BIND DNS, Windows DNS x8

    Rows above:
      DNS0455, DNS0460, DNS0470, DNS0475, DNS0480, DNS0482, DNS0485, DNS0490: BIND DNS, Windows DNS
      DNS0495, DNS0500, DNS0505: BIND DNS, Windows DNS
      DNS0705, DNS0710, DNS0715, DNS0720: BIND DNS
      DNS0805: Windows DNS
      DNS0810, DNS0815, DNS0825: Windows DNS
      DNS0900, DNS0905, DNS0910, DNS0915, DNS0920, DNS0925: Cisco CSS DNS
      DNS4440, DNS4445: BIND DNS
      DNS4450, DNS4460, DNS4470, DNS4480, DNS4530, DNS4540, DNS4550, DNS4570: BIND DNS
      DNS4580: Windows DNS
      DNS4590: BIND DNS
      DNS4600, DNS4610: BIND DNS, Cisco CSS DNS, Windows DNS
      DNS4620: BIND DNS
      DNS4630: Windows DNS
      DNS4640, DNS4650, DNS4660, DNS4670, DNS4680, DNS4690, DNS4700: BIND DNS
      DNS4710, DNS4720, DNS4730: BIND DNS
      EN540: DNS Policy
   ____ Checklist _V_R_ (<date>)                                            <Test> - TN <Ticket Number>
   PDI    VMSID CAT          Requirement                    Vulnerability   Status   Finding Notes
APPNET0001 V0007022  II   The File IO permission
                          allows an application to
                          access system files directly.
APPNET0003 V0007023  II   The Isolated Storage
                          permission is used to allow
                          applications to store
                          temporary data to a local
                          user data store.
APPNET0004 V0007024  II   The User Interface
                          Permission for windowing
                          controls access to user
                          interface windows.
APPNET0005 V0007025  II   The User Interface
                          Permission for clipboard
                          controls application access
                          to clipboards used by the
                          user or other applications.
APPNET0006 V0007026  II   The Reflection permission
                          controls an application's
                          discovery of other system
                          resources and applications.
APPNET0007 V0007027  II   The Printing permission
                          controls application access
                          to system printing resources.
APPNET0008 V0007028  II   The DNS permission
                          controls application access
                          to DNS resources available
                          to the host system.
APPNET0009 V0007029  II   The Socket Access
                          permission controls
                          application access to
                          network ports defined on the
                          host system.
APPNET0010 V0007030  II   The Web Access permission
                          controls application access
                          to HTTP requests to
                          designated URLs or the
                          configuration of HTTP
                          settings.




   Legend:
   R or RAE = Required Ancillary Equipment
   NF = Not a Finding
   NA = Not Applicable
   261 of 1286
APPNET0011 V0007031  II   The Message Queue
                          permission controls
                          application access to
                          communications across the
                          network.
APPNET0012 V0007033  II   The Service Controller
                          permission controls
                          application access to the
                          control of Windows services.
APPNET0013 V0007034  II   The Database permissions
                          control application access to
                          databases defined on the
                          host system.
APPNET0014 V0007035  II   The Security permission
                          Extend Infrastructure
                          controls application access
                          to message processing.
APPNET0015 V0007037  II   The Security permission
                          Enable Remoting
                          Configuration defines the
                          communication channels
                          available to an application.
APPNET0016 V0007038  II   The Security permission
                          Enable Serialization
                          Formatter controls access to
                          serialized data. Serialized
                          data is data formatted into a
                          series of bits for storing or
                          transmitting.
APPNET0017 V0007039  II   The Security permission
                          Enable Thread Control is
                          used to control application
                          access to abort, suspend, or
                          resume its threads.
APPNET0018 V0007040  II   The Security permission
                          Allow Principal Control
                          controls application access
                          to Windows user information.




   262 of 1286
APPNET0019 V0007041  II   The Security permission
                          Enable Assembly Execution
                          allows applications to
                          execute.
APPNET0020 V0007042  II   The Security permission
                          Skip Verification controls the
                          execution of code that is
                          verified as being type safe.
APPNET0021 V0007043  II   The Security permission
                          Allow Calls to Unmanaged
                          Assemblies controls
                          application access to
                          applications not managed by
                          the .Net Framework.
APPNET0022 V0007044  II   The Security permission
                          Allow Policy Control controls
                          application access to the
                          current security policy
                          configuration.
APPNET0023 V0007045  II   The Security permission
                          Allow Domain Policy Control
                          defines application access
                          to its own application
                          domain security policy.
APPNET0024 V0007046  II   The Security permission
                          Allow Evidence Control is
                          used to control an
                          application's access to
                          supply or modify evidence
                          used to determine access to
                          system resources.
APPNET0025 V0007048  II   The Security permission
                          Assert any Permission that
                          Has Been Granted controls
                          application access to
                          permissions assigned to any
                          code in the assembly that
                          called it.




   263 of 1286
APPNET0026 V0007049  II   The Performance Counter
                          permission controls
                          application access to system
                          performance monitoring
                          resources.
APPNET0027 V0007051  II   The Environment Variables
                          permission controls
                          application access to system
                          environment variables and to
                          other system resource
                          names.
APPNET0028 V0007052  II   The Event Log permission
                          controls application access
                          to event log resources
                          defined on the system.
APPNET0029 V0007053  II   The Registry permission
                          controls application access
                          to the Windows registry.
APPNET0030 V0007054  II   The Directory Services
                          permission controls
                          application access to the
                          system Directory Service
                          resources.
APPNET0031 V0007055  II   The Strong Name
                          Membership Condition
                          establishes the requirement
                          for all code defined in the
                          group to be configured with
                          a Strong Name. Strong
                          Name verification should not
                          be omitted in a production
                          environment.
APPNET0032 V0007056  II   The First Match Code Group
                          is used to control the depth
                          to which a branch of the
                          code group tree is traversed
                          when assigning membership
                          to assemblies.




   264 of 1286
APPNET0033 V0007057  II   The File Code Groups and
                          Net Code Groups are used
                          to establish directory access
                          and web site connections
                          respectively by the
                          application.
APPNET0035 V0007058  II   The Level Final Code Group
                          Attribute prevents
                          permission sets farther down
                          in the Code Group hierarchy
                          from being applied to the
                          assembly.
APPNET0041 V0007059  II   The Zone Membership
                          Condition determines policy
                          level based on the URL zone
                          of the application origin.
APPNET0045 V0007060  I    The use of the CAS policy
                          can be enabled or disabled
                          on the system.
APPNET0046 V0007061  II   The Windows system may
                          be configured to allow use of
                          certificates that are
                          designated as being for test
                          use.
APPNET0047 V0007062  II   The Windows system may
                          be configured to check the
                          application for use of expired
                          certificates.
APPNET0048 V0007063  II   The Publisher Member
                          Condition requires member
                          code to be certified using
                          certificates originating from a
                          trusted source.
APPNET0049 V0007064  II   This checks the setting that
                          determines whether
                          certificates are checked for
                          revocation status.




   265 of 1286
APPNET0050 V0007065  II   The settings reviewed in this
                          check determine the
                          handling of certificates with
                          differing unknown statuses
                          due to temporary
                          unavailability of a certificate
                          verification service. For
                          example, certificate
                          verification that is dependent
                          on real-time access to a
                          certificate status server
                          could be unavailable due to
                          a break in network
                          communications.
APPNET0051 V0007066  II   This Windows setting
                          determines whether the
                          system requires certificates
                          to be time stamped to verify
                          the certificate is current.
APPNET0052 V0007067  II   The Strong Name
                          Membership condition
                          requires that member
                          assemblies be defined with
                          Strong Names.
APPNET0054 V0007068  III  The use of duplicate code
                          group names within a level
                          of the CAS policy can lead to
                          mis-assignment of
                          permissions.
APPNET0055 V0007069  II   CAS Policy and CAS Policy
                          Configuration files are
                          required for a complete
                          system baseline and
                          disaster recovery event.
APPNET0060 V0007070  II   The typefilterlevel="Full"
                          attribute allows unfiltered
                          code to access system
                          resources.
APPNET0061 V0018395  II   Verify the installed .Net
                          Frameworks are still
                          supported by Microsoft.




   266 of 1286
   DoD Defense Red Switch Network Checklist (28 Mar 06)                      <Test> - TN <Ticket Number>
   PDI    VMSID CAT            Requirement                   Vulnerability   Status   Finding Notes
DRSN1001 V0004661 III An IAO must be appointed in
                      writing.
DRSN1002 V0004669 III There must be a separation
                      of duties between the
                      Special Security Officer
                      (SSO) and the Information
                      Assurance Officer.

DRSN1003 V0004681      III   DRSN Collateral switch
                             nodes must be located in an
                             approved TS exclusion area.

DRSN1004               II    A facility housing DRSN end
                             terminals or instruments
                             must be certified and
                             approved for operations at
                             the highest classification of
                             the instrument.

DRSN1005               III   No policy and/or procedure
                             is defined and enforced that
                             provides for inspection of
                             unattended facilities upon
                             entry and/or there is no
                             procedure for providing
                             granular documentation of
                             the inspection and/or there
                             is no defined reporting
                             procedures for detected
                             incidents.
DRSN1006               III   No means of detection or
                             reporting of physical
                             tampering has been
                             provided for equipment
                             cabinets and/or devices.
DRSN1007               III   The IAO must conduct
                             and/or document self-
                             inspections of the DRSN
                             components at least semi-
                             annually for security risks.




   267 of 1286
DRSN1008              II Facilities housing DRSN
                         switches and/or peripheral
                         and OAM&P/NM systems
                         have NO access controls or
                         they are improperly used.

DRSN1009               II    There is no personnel
                             security program defined,
                             documented, and/or enforced.

DRSN1010               II    Personnel working on and in
                             areas housing DRSN
                             switches as well as
                             peripheral and OAM&P/NM
                             systems must possess a
                             current security clearance
                             appropriate to the area.
DRSN1011               II    Personnel physical access
                             to facilities housing DRSN
                             switches, peripheral, and
                             OAM&P/NM systems must
                             be properly controlled.
DRSN1012 V0004615      II    A non-disclosure agreement
                             (NDA) required for access to
                             classified information must
                             be on file.
DRSN1014               II    All personnel supporting a
                             DRSN switch must be
                             briefed (or “read on”)
                             regarding the security
                             requirements relating to all
                             missions supported by the
                             switch.
DRSN1015 V0004660      III   Personnel accessing the
                             DRSN must possess the
                             appropriate need-to-know.
DRSN1016 V0004677      II    Visit Authorization Letters
                             must be on file for contractor
                             personnel.




   268 of 1286
DRSN1017              II Contractor personnel
                         performing hardware or
                         software installation or
                         maintenance must possess
                         a verified individual
                         clearance and need-to-know
                         or are not escorted.

DRSN1018               II   Cleaning crews must be
                            properly cleared for the
                            area(s) to be cleaned and/or
                            perform janitorial services
                            during normal working hours.

DRSN1019 V0004676      II   Users must have their status
                            and affiliation displayed as
                            part of their e-mail address.

DRSN1020               II   Temporary Foreign/Local
                            National personnel must be
                            properly supervised or
                            escorted.
DRSN1021               II   Foreign/Local National
                            personnel hired by a
                            base/post/camp/station for
                            the purpose of operating or
                            performing OAM&P / NM
                            functions on DRSN switches
                            and subsystems must be
                            properly cleared.
DRSN1022               II   Foreign/Local National
                            personnel must not have
                            duties or access privileges
                            that exceed those allowed
                            by DoDI 8500.2 E3.4.8.
DRSN1023 V0004616      I    Foreign National access to
                            DRSN must be approved in
                            writing by the DoD
                            Component Head IAW DoD,
                            DOS, and DCI policies.




DRSN1024               I     DRSN terminals accessible by properly cleared non-U.S. citizens, authorized for unsupervised access, must be assigned “foreign-access” SALs.
DRSN1025               II    Allied or foreign national personnel authorized for unsupervised access to network terminals must be authorized in writing by the commander who is responsible for the network terminals.
DRSN1026 V0004668      III   Site personnel must receive the proper security training.
DRSN1027               II    Site personnel must receive the proper security training and/or be familiar with the documents located in the security library.
DRSN1028 V0004675      II    Authorized personnel must be assigned an appropriate ADP Access Level.
DRSN1029 V0004618      II    Personnel with IA responsibilities must be trained and certified.
DRSN1030               III   The IAO must maintain an up-to-date IA policy and information library.
DRSN1031               II    Users of classified communications systems must verify the clearance and need-to-know of the distant parties with whom they communicate.




DRSN1032               II    Personnel authorized uncontrolled access to the physical area in which classified communications systems are located must ensure only authorized persons access the equipment.
DRSN1033               I     Foreign nationals who are authorized for unsupervised access to classified communications systems located in U.S.-controlled areas must be properly cleared.
DRSN1035               II    A DRSN Approved Products List (APL) must be implemented/maintained and/or must test systems for IO and IA.
DRSN1036               II    A DRSN system in operation must be listed on the DRSN APL or in the process of being tested.
DRSN1037               III   All applicable STIGs and deployment limitations must be applied to installed systems.
DRSN1038               III   A DRSN system must be implemented as APL listed, using the configuration that was approved and for the approved purpose.
DRSN1039               III   DSN/DRSN APL, NIAP CCEVS, and/or FIPS CMVP listing must be considered for products being considered for procurement, installation, or upgrade and connection to the DISN.




DRSN1040               I     Interfaces to the DRSN RED switch must be properly approved by OSD, JS, and/or the DRSN PMO, as appropriate, in accordance with CJCSI 6215.01B.
DRSN1041               III   Ongoing “compliance with all applicable STIGs and checklists” requirements and validation measures must be included in RFPs, specifications, and contracts for procured or leased systems or services.
DRSN1042               III   Support for C&A requirements must be included in RFPs, specifications, and contracts for procured systems.
DRSN1043               III   Vendor testing and approval of STIG, checklist, or IAVM required security patches and other configuration changes must be included in RFPs, specifications, and contracts for support of procured systems.
DRSN1044               III   Commercially contracted (leased or procured) systems and services must comply with all applicable STIGs.
DRSN1045 V0004674      I     The local switch site must be accredited.
DRSN1046 V0004665      III   A formal system security baseline must exist.
DRSN1047               II    Security related SOPs must be established and followed.
DRSN1048 V0004666      II    A site specific SSAA must exist.


DRSN1049               II    Deviations from program directed or published standard system baseline security configurations must be approved.
DRSN1051               II    PMO must maintain overall site/system/network documentation and topology diagrams and must include all site level documentation.
DRSN1052               II    IAVM notices must be responded to within the time period specified within the notice.
DRSN1053               II    IAVMs must be addressed using RTS system vendor approved or provided patches.
DRSN1054               II    DRSN assets must be registered in a VMS and/or DISA owned assets are not registered in the DISA VMS.
DRSN1055               III   DRSN SAs must be registered in the DISA or similar VMS as the assets for which they are responsible are.
DRSN1056               III   Systems/devices must be IAVM compliant before connection to the network.
DRSN1057               II    The PMO has no or has a deficient configuration management process.
DRSN1058               II    DRSN IAO must be involved in the configuration management process and/or does not ensure adherence to the security requirements of the STIG(s).




DRSN1059               III   The NOCs and IAOs must be aware of the configuration management process and/or must adhere to the documented process.
DRSN1060               II    Testing procedures for all new or upgraded hardware and software have not been created and/or are not maintained.
DRSN1061               II    Site staff does not verify and/or record the identity of individuals installing or modifying a device or software.
DRSN1063               II    Public domain software products are in use.
DRSN1064               II    A standard software or OS release version must be tested and designated for use on all similar systems.
DRSN1065               II    All similar devices are NOT deployed or upgraded to the most current tested and certified software versions as directed by the PMO.
DRSN1066               II    The latest software loads and patches are NOT applied to all systems to take advantage of security enhancements.
DRSN1067               II    Installed maintenance and/or security patches are not tested and/or approved.
DRSN1068               II    System software has been upgraded to a major new software version that has NOT been tested, certified, and placed on the DSN/DRSN APL before installation.


DRSN1069               II    Baseline configurations for all similar systems and devices in the network are not tested, certified, identified, documented, and/or maintained by the PMO.
DRSN1070               III   The appropriate current / standard PMO approved baseline configuration is not used on all systems and devices.
DRSN1071               III   The current and previous device configurations are not “backed up” and/or are not stored in a secured location that is not collocated with the system/device.
DRSN1072               III   A network-addressing plan that addresses logical address grouping to enhance routing and flexibility has not been developed, documented, maintained, and/or enforced by the PMO.
DRSN1073               III   The current approved network addressing plan is not implemented.
DRSN1074               III   A naming convention for all network devices has not been developed, documented, maintained, and/or enforced.
DRSN1075               III   Network devices are not named in accordance with the documented and approved naming convention.
DRSN1076               III   The DNS names of network devices are not coordinated with the device names.




DRSN1077               II    No procedures are in place and/or followed that ensure the integrity of master copies of all operational software, operational backup files, audit information, and current hardware/firmware configuration data.
DRSN1078               II    System configurations and data for all devices are not backed up at a minimum on a weekly basis and/or backups are not properly stored.
DRSN1079               III   A COOP/Disaster recovery plan has not been developed, documented, tested, periodically exercised, and/or maintained.
DRSN1080               III   No software upgrade/deployment procedure has been defined and/or it does not include testing and validation of the upgrade.
DRSN1081               III   Upgrade procedures are not referenced in change management documentation.
DRSN1082               II    Up-to-date back-up media is not available prior to software or configuration modification.
DRSN1083               III   Current operating and saved configurations are NOT synchronized locally within one hour of configuration changes.




DRSN1084               II    Configurations are not backed up to a different local system, or offline, one hour following software or configuration modification.
DRSN1085               I     DRSN links and trunks are NOT encrypted using NSA-approved cryptographic interface configurations approved by the PMO.
DRSN1086               I     Unencrypted DRSN lines, links, and trunks (i.e., those carrying classified red signals) are NOT protected by a PDS or SDS.
DRSN1088               I     Distribution System(s) (PDSs) are NOT inspected and/or certified as required, initially, periodically, and when modified, by the appropriate designated Certified TEMPEST Technical Authority (CTTA).
DRSN1089               I     COMSEC keying material is not properly handled or stored IAW NSTISSI 4010 and/or DoD component directives.
DRSN1090 V0004672      I     COMSEC material is not being stored in a GSA approved container.
DRSN1091               II    COMSEC Keying Material is not changed in accordance with the approved schedule.
DRSN1092               II    COMSEC Keying Materials are not properly managed.
DRSN1094               II    Encryption software used to protect sensitive information (not classified) is not Federal Information Processing Standard (FIPS) 140-2 validated.

DRSN1095 V0004680      I     Instruments located in local commanders quarters operate at SCI level and are not limited to TS or Secret.
DRSN1096               I     DRSN information is not properly classified and/or handled IAW established policies.
DRSN1097 V0004683      II    Documents associated with DRSN switches are not properly classified and/or class marked (labeled).
DRSN1098 V0004685      II    Systems, devices, terminals, and/or storage devices are not properly marked with the highest security level of the information being stored, displayed, or processed.
DRSN1099               I     DRSN information is not properly classified and/or handled IAW established policies.
DRSN1101               II    No SOP exists or is followed that ensures all suspected or actual security compromises are properly reported to all appropriate authorities, investigated, and repaired IAW DRSN and national security policy.
DRSN2001               III   A DoD Voice/Video/RTS system or device is NOT configured in substantial compliance with all applicable STIGs or the appropriate STIGs have not been applied to the fullest extent possible.




DRSN2002               II    Critical systems, subsystems, and/or components share the general use data network.
DRSN2003               II    Critical DRSN/RTS servers/devices are not dedicated to their main purpose and contain applications not required for the critical operations.
DRSN2004               III   Unused device connections or physical ports on backbone communications devices, such as routers, ATM switches, and other network elements, are not disabled or removed.
DRSN2005               III   Unused network access device connections or physical ports are not appropriately secured from unauthorized use.
DRSN2006               II    An unclassified speaker system is improperly designed/implemented such that speakers located in classified areas can pick up classified conversations and transmit them out of the classified area.
DRSN2007               II    Voice/Video/RTS devices located in SCIFs do not prevent on-hook audio pick-up and/or do not have a speakerphone feature disabled or are not implemented in accordance with DCID 6/9 or TSG Standard 2.




DRSN2008               II    A classified speaker system is improperly designed/implemented such that speakers located in classified areas can pick up classified conversations and transmit them, or broadcast the carried classified information, out of the classified area.
DRSN2009               II    No policy for speakerphones on classified systems.
DRSN2010               II    A policy is NOT in place and/or enforced regarding the placement and use of speakerphones connected to secure telephone systems (e.g., the DRSN) that are located in SCIFs.
DRSN2011               I     A policy is NOT in place and/or enforced regarding the placement and use of speakerphones connected to secure telephone systems (e.g., the DRSN) that are located in SCIFs.
DRSN2101               II    The out-of-band or direct connection method for system device management is not used.
DRSN2102               II    An OOB management network is not dedicated to device management.
DRSN2104               II    System management access (in-band or OOB) does not enforce DoD policy for role based access, two-factor authentication, encrypted sessions, and/or auditing.




DRSN2105               II    Network management traffic and/or session login is NOT encrypted, or is not using FIPS 140-2 validated crypto modules.
DRSN2106               II    The use of in-band management is NOT limited to emergency situations, and/or is not approved and documented on a case by case basis.
DRSN2107               II    The use of in-band management is NOT restricted to a limited number of authorized IP addresses (10 or less).
DRSN2108               II    Idle connections DO NOT disconnect in 15 min.
DRSN2109               II    The component is not configured to be unavailable for 60 seconds after 3 consecutive failed logon attempts.
DRSN2110               II    A Management network DOES NOT comply with the Enclave and/or Network Infrastructure STIGs.
DRSN2111               I     Access to systems or devices and/or management networks is granted to non-government employees or contractors and is not controlled or monitored.
DRSN2112               II    OOB management routers and terminal servers DO NOT limit the source of any management connection to authorized source addresses.




DRSN2113               II    OOB management routers and terminal servers DO NOT maintain separation between the management and production networks.
DRSN2115               I     Unapproved modems are used against policy for management of DRSN switches, assets, and/or communications devices.
DRSN2116               II    Modems do not comply with the requirements for user authentication and access to connected devices, management access, and encryption.
DRSN2117               II    Modem authentication does not use a separate authentication server located within the extended enclave and/or encryption is not used.
DRSN2118               II    Modems are not physically protected to prevent unauthorized device changes.
DRSN2119               II    A detailed listing of all modems is not being maintained.
DRSN2120               II    Unauthorized modems are installed.
DRSN2121               II    Modem phone lines are not restricted and configured to their mission required purpose (i.e., inward/outward dial only).
DRSN2122               II    Modem phone lines are not restricted to single-line operation.
DRSN2123               II    The option of Automatic Number Identification (ANI) is available but not being used.
DRSN2125               I     SSH version 1, or version 1 compatibility mode, is used.

DRSN2126               II    A vulnerable version of SSH is in use.
DRSN2127               I     SNMP V1 or V2 has been enabled on the network infrastructure. SNMP V3 has been enabled on the network infrastructure without the V3 User-based Security Model authentication and privacy.
DRSN2128               II    A standard operating procedure for SNMP community string management is not established and/or maintained.
DRSN2129               III   Both privileged and non-privileged SNMP modes are used on all SNMP devices, but different community names are not used for read-only access and read-write access.
DRSN2130               II    NM servers and/or NM systems do not restrict access to them from authorized IP addresses.
DRSN2131               I     SNMP community strings are not changed from the default values.
DRSN2133               II    The finger service is not disabled.
DRSN2134               I     HTTP and/or TELNET is not disabled or secured.
DRSN2136               II    TFTP usage is not justified and/or documented.
DRSN2138               II    FTP username and password are NOT configured.
DRSN2139               II    Encryption protocols are used to transmit traffic directly to a host, but a host based intrusion detection (HID) system is not in use.


DRSN2140           II   VPN traffic bypasses the Network IDS.
DRSN2150           II   FTP user IDs do not expire and/or passwords are not changed every 90 days.
DRSN2151            I   FTP or Telnet is used with a userid (UID)/password that has administrative or root privileges.
DRSN2152          III   “Anonymous” FTP is used within the enclave.
DRSN2153            I   Remote control software is used to allow access to systems, servers, or network devices from non-DoD, non-secure networks outside the enclave.
DRSN2154            I   Unrestricted remote control access to DoD systems, servers, or network devices is permitted or is in use.
DRSN2155           II   Remote control software is not properly secured and/or is not DAA approved.
DRSN2157           II   A properly worded Login Banner is not used on all management access ports and/or OAM&P/NM workstations.
DRSN2201            I   Administrative/management ports on a device or system do not use the strongest password method available on the device.
DRSN2202           II   Access to all management system workstations and administrative/management ports is NOT remotely authenticated.

DRSN2204          III   Strong two-factor authentication is NOT used to access all management system workstations and administrative/management ports on all devices or systems.
DRSN2205            I   Default accounts/passwords and manufacturer backdoor accounts have not been removed or changed prior to connection to the network.
DRSN2207 V0004658  II   Switch personnel are not assigned individual userids and passwords.
DRSN2208    II-III-IV   Shared user/SA accounts are used and not documented.
DRSN2209          III   Passwords must meet complexity requirements.
DRSN2210           II   The option to use passwords that are randomly generated by the DSN/DRSN component is available but not being used.
DRSN2211           II   Users/SAs are not required to change their password during their first session logon or following a reset.
DRSN2212 V0004663  II   Passwords are not changed every 90 days, after departure of personnel, and after suspected compromise.
DRSN2213           II   Users/SAs are permitted to change their passwords at an interval of less than 24 hours without ISSO/IAO intervention.

DRSN2214          III   Password reuse/history is not set to 8 or greater of the previous passwords used.
DRSN2215          III   User/SA accounts are not disabled after 35 days of inactivity.
DRSN2216           II   A user's/SA's account is not automatically disabled after three notifications of password expiration.
DRSN2217            I   User/SA passwords can be retrieved and viewed in clear text by another user/SA.
DRSN2218            I   Users'/SAs' passwords are displayed in the clear when logging into the system/device.
DRSN2219           II   Passwords are viewable in the clear in configuration files viewable online or in offline storage.
DRSN2220            I   Password lists are not encrypted when stored on management workstations or systems that manage device login for an SA (single sign-on systems, etc.) or on the system/device itself.
DRSN2221           II   All system administrative and maintenance user accounts are not documented and/or stored in a secure or controlled manner (e.g., in a safe).
DRSN2222 V0004662  II   The ISSO/IAO has not recorded the passwords of high-level users (ADMIN) used on DSN/DRSN components and stored them in a secure or controlled manner.

DRSN2223           II   User names and passwords must be encrypted when logging into system devices remotely across a network.
DRSN2225           II   Unneeded device management accounts have not been removed or disabled.
DRSN2226           II   More than 2 emergency accounts are configured on a device.
DRSN2227           II   Local emergency usernames and passwords are not stored in a locked container (safe) at the NOC or access to the container is not controlled and/or logged.
DRSN2228           II   Local emergency accounts are used to access devices under non-emergency conditions.
DRSN2229           II   Local emergency management accounts are not changed and documented following use.
DRSN2230           II   A device is capable of encrypting the local emergency password; however, this feature is not being used.
DRSN2231           II   Role-based DAC is not employed or available.
DRSN2232           II   System administrative and maintenance users are assigned accounts with privileges that are not commensurate with their assigned responsibilities.
DRSN2233          III   Unauthorized SAs have the ability to access stored configuration files.

DRSN2234          III   The option to restrict user access based on duty hours is available but is not being utilized.
DRSN2235 V0004664  II   An audit trail is not being maintained for all access requests to DRSN RED switch operating information, control functions, and software.
DRSN2236           II   System auditing does not capture all events that are required to be recorded.
DRSN2237           II   System auditing does not capture all information required to be recorded for each event.
DRSN2238          III   A centralized audit server is not used to collect audit records from system and network devices.
DRSN2239          III   The audit collection server is not restricted by IP address and can accept/poll devices that are not within its scope.
DRSN2240           II   Audit data files and directories are readable by personnel NOT authorized by the IAO.
DRSN2241           II   Audit logs are not stored/archived per policy (i.e., 90 days online and 9 months offline for a total of 12 months).
DRSN2242           II   Audit logs are not reviewed daily or completely.
DRSN2350            I   RED/BLACK isolation is not maintained between red and black switch nodes or their management systems.

DRSN2351 V0004682   I   RED and BLACK distribution systems do not maintain required separation/isolation.
DRSN2352            I   RED switch network originated audio is not encrypted on an unclassified network before the crypto equipment enters secure mode.
DRSN2353            I   The RED/BLACK mgmt. LAN is not properly protected.
DRSN2354           II   BLACK switch implementations are not approved in writing by the local commander.
DRSN2358            I   DRSN consoles and/or terminals do not maintain RED/BLACK isolation.
DRSN2359 V0004684   I   There is no fail-safe design of the red/black interface in place to preclude switching from operating in both black and red modes simultaneously.
DRSN2360            I   DRSN Console operator intervention is not implemented per policy.
DRSN2361 V0004670   I   Switch subscriber terminals are configured for automatic answering.
DRSN2362           II   Interfaces configured for auto-answer are not approved by the appropriate DAA and the DRSN PMO and/or are not certified for IO and IA under DoDI 8100.3.
DRSN2363           II   Speaker(s) or speakerphone(s) are not approved by all parties as required.

DRSN2364            I   External device(s) used with a DRSN RED switch user instrument are not configured to operate at the security level of the associated terminal, and/or are not approved by the appropriate DAA.
DRSN2365 V0004678   I   DRSN phones are enabled when not under the immediate control of cleared personnel.
DRSN2366            I   RED Switch must permit instrument disablement when appropriately cleared personnel do not man them.
DRSN2367            I   Each DRSN Terminal does not have a unique enable code.
DRSN2368 V0004673   I   DRSN terminal enable codes are not changed every 90 days, or when there is a suspected compromise, or when an instrument and/or Subscriber Directory Number (SDN) is reassigned to another user.
DRSN2369            I   Enable codes are not treated as classified SECRET.
DRSN2370 V0004673   I   Subscriber terminals do not have labels affixed showing the highest security level authorized for the instrument.
DRSN2372           II   Push-To-Talk (PTT) handsets have been removed without DAA approval and/or there is no procedure for maintaining the secure integrity of the instrument.

DRSN2373            I   Participants of ongoing conferences established through DRSN RED Switches are NOT informed of a change in the classification, SCI character, or foreign access of the conference.
DRSN2375           II   Recording equipment is not approved by the DRSN PMO and/or, as applicable, by the DAA/INSCI if installed in a SCIF.
DRSN2376           II   No SOP for the handling of call or conference recordings exists and/or it is not followed to ensure their proper handling, storage, dissemination, and/or destruction.
DRSN2377           II   Recordings of calls and/or conferences are not handled per the SOP that details their proper handling, storage, dissemination, and/or destruction.
DRSN2383            I   A “Barge in Tone” and visual indication is not provided to all parties in a call when the security level of the call is downgraded or upgraded during normal calls or during call forwarding, call transfer, and when adding or deleting conferees to/from a conference call.
DRSN2384            I   DRSN RED switch Terminals must display the proper classification level or SAL of terminals with which they communicate.

DRSN2385            I   A DRSN Terminal does not properly display the self-authenticating security level of the call or conference in progress, and/or does not properly display the identity data of the distant terminal or identify the network and/or equipment type associated with the distant party and/or when a conference call is in progress.
DRSN2371            I   Manual Override of Security Features is permitted and/or is not audited.
DRSN2386           II   A DRSN RED telephone that is enabled for Flash, Flash-Override, and Flash-Override-Override precedence is not documented as having Joint Staff approval.
DRSN2387           II   Documentation on SAL assignments for the DRSN switch and its access lines is not maintained and/or available for inspection.
DRSN2388           II   The approved and documented SAL assignments are not those implemented on the switch.
DRSN2389           II   A cryptographic interface that is in addition to the primary trunk interface has not been reported to the DRSN PMO and/or identified on the configuration listing of the accreditation package, and/or the documentation is not available for inspection.

DRSN2390           II   Insufficient quantity of cryptographic interfaces (STU-III/R, STE-R, etc.) per SAL, or SALs improperly assigned.
DRSN2400           II   A VoIP/VoSIP security architecture is missing or is inadequate and/or does not comply with all applicable STIGs.
DRSN2401           II   WAN-based VoIP/VoSIP service core equipment is not in a dedicated enclave that can be protected.
DRSN2402           II   WAN-based VoIP/VoSIP service delivery is not redundant in core equipment or delivery circuits.
DRSN2403           II   A WAN-based VoIP/VoSIP service provider’s customer’s VoIP/VoSIP enclave is not properly implemented or protected.
DRSN2404           II   WAN-based VoIP/VoSIP implementation does not utilize out-of-band management methods or networks.
DRSN2405           II   VoIP/VoSIP implementation is not substantially compliant with all applicable OS and application STIGs.
DRSN2406           II   The VoIP/VoSIP implementation has not been tested and certified in compliance with DoDI 8100.3 requirements, and not placed on the DRSN APL.

DRSN2407           II   Inter-enclave VoIP/VoSIP communications are used as the primary C2 communications system.

   ____ Checklist _V_R_ (<date>)                                              <Test> - TN <Ticket Number>
   PDI     VMSID CAT            Requirement                   Vulnerability   Status   Finding Notes Section
DS00.0100 V0008527 III   There is no policy to ensure that changes to the directory schema are subject to a configuration management process.   (Section: AD, Generic)
DS00.0110 V0008550  II   For a directory service used by e-mail components (server or client), the contractor abbreviation (ctr) or country code (for foreign nationals) is not maintained for the *DoD* e-mail address and display name attributes.   (Section: AD, Generic)
DS00.0120 V0008316   I   Directory service data files do not have proper access permissions.   (Section: AD, Generic)
DS00.0130 V0002370   I   Directory service data objects do not have proper access permissions.   (Section: AD, Generic)
DS00.0140 V0004243  II   Directory service data objects do not have proper audit settings.   (Section: AD, Generic)
DS00.0150 V0008322  II   A time synchronization tool is not implemented on the directory server.   (Section: AD, Generic)
DS00.0151 V0008324 III   The time synchronization tool does not log changes to the time source.   (Section: AD, Generic)
DS00.0160 V0002369  II   Directory data is not backed up on a daily or weekly basis.   (Section: AD, Generic)

DS00.1100          III   Note: At this time there is a Common Criteria Protection Profile for directory products titled “US Government Directory Protection Profile For Medium Robustness Environments”. However, there are no products that have been evaluated for conformance to this Protection Profile. Therefore this check is not currently active.   (Section: Generic)
DS00.1120 V0008530 III   Appropriate documentation is not maintained for each cross-directory authentication configuration.   (Section: AD, Generic)
DS00.1130 V0014834  II   An encryption, signing, or other cryptographic algorithm used in a directory server application is not FIPS 140-2 validated.   (Section: Generic)
DS00.1140 V0008522  II   A directory service implementation that spans enclave boundaries does not use a VPN to protect directory network traffic.   (Section: AD, Generic)
DS00.1150 V0008320  II   Directory program or configuration files do not have proper access permissions.   (Section: AD, Generic)
DS00.1155 V0014775  II   Directory server software files are not monitored for unauthorized modifications.   (Section: Generic)
DS00.1160 V0014836   I   A non-vendor-supported directory server product release is in use.   (Section: Generic)

DS00.1165  V0014776  II   A migration plan has not been developed to remove or upgrade a directory server product for which vendor security patch support is soon being or already has been dropped.  [Generic]
DS00.1170  V0014779  III  The directory server product is not documented in the CCB and C&A software inventory or the inventory backup copy is not subject to adequate physical protections.  [Generic]
DS00.1180  V0008326  II   A directory server supporting (directly or indirectly) system access or resource authorization is not running on a machine dedicated to that function. The same host is running an application such as a database server, e-mail server, e-mail client, web server, or DHCP server.  [AD, Generic]
DS00.1190  V0008317  II   The directory server data files are located on the same logical partition as data files owned by users.  [AD, Generic]
DS00.2100  V0014838  II   The directory server is not configured or is not capable of supporting version 3 of the LDAP protocol.  [AD, Generic]
DS00.2110  V0014813  II   Passwords used with or stored in the directory do not adhere to complexity requirements for length or composition according to the parameters of the DoD policy currently in effect.  [Generic]

DS00.2115  V0014814  II   Passwords used with or stored in the directory do not expire, or a history of previously used passwords is not kept according to the parameters of the DoD policy currently in effect.  [Generic]
DS00.2120  V0014815  I    Factory set, default, or standard passwords are defined in the directory.  [Generic]
DS00.2121  V0014805  III  Factory set, default, or standard accounts or groups that could be renamed or removed are defined in the directory.  [Generic]
DS00.2130  V0014816  I    Passwords stored in the directory are not encrypted.  [Generic]
DS00.2140  V0014820  I    PKI certificates used in a directory service are not issued by the DoD PKI or an approved External Certificate Authority (ECA).  [AD, Generic]
DS00.3130  V0014798  I    Directory data (outside the root DSE) of a non-public directory can be read through anonymous access.  [AD, Generic]
DS00.3131  V0014797  III  The root DSE of a non-public directory can be read through anonymous access.  [Generic]
DS00.3140  V0014799  I    Update access to the directory schema is not restricted to appropriate accounts.  [Generic]
DS00.3150  V0014807  III  The number of accounts is excessive or documentation does not exist for the accounts that are assigned proxy authorization permission.  [Generic]
DS00.3170  V0014800  III  Tools are not installed to support reviewing audit data from a directory server.  [Generic]

DS00.3175  V0014790  III  Audit data from a directory server is not backed up at least weekly on external media or on a system other than where the server executes.  [Generic]
DS00.3180  V0014791  III  Audit data from a directory server is not retained for at least one year.  [Generic]
DS00.3185  V0014804  II   Directory server audit data files do not have proper access permissions.  [Generic]
DS00.3190  V0014810  II   The number of accounts is excessive or documentation does not exist for the accounts that are members of locally defined privileged groups in the directory.  [Generic]
DS00.3200  V0008549  II   Accounts from another directory are members of privileged groups and the other directory is not under the control of the same organization or subject to the same security policies.  [AD, Generic]
DS00.3210  V0008344  I    An account used to execute the directory server or a directory service process is a member of a privileged group on the OS or is assigned administrative privileges and the level of privilege assigned exceeds what is needed.  [Generic]
DS00.3220  V0014808  II   An account used for a directory server or process application is not dedicated to that function.  [Generic]

DS00.3230  V0008553  II   Replication is not enabled to occur at least daily for a directory service in which identification, authentication, or authorization data is replicated.  [AD, Generic]
DS00.3240  V0014839  II   Available options of the directory server are not configured to enforce the referential integrity of identification, authentication, and authorization data.  [Generic]
DS00.3250  V0014812  II   Accounts are not locked out after multiple, consecutive, unsuccessful logon (bind) attempts according to the parameters of the DoD policy currently in effect.  [Generic]
DS00.3260  V0008327  II   OS services that are critical for the directory server are not configured for automatic startup.  [AD, Generic]
DS00.3270  V0014780  III  There is no policy to ensure that code that is not vendor-provided and is used in a directory server implementation that updates identification, authentication, or authorization data is subject to a configuration management process.  [AD, Generic]
DS00.3280  V0014782  II   A directory service implementation that transfers replication data over wireless or non-DoD networks does not use encryption to protect the network traffic.  [Generic]

DS00.3281  V0014783  II   A directory service implementation at a classified confidentiality level, that transfers replication data through a network cleared to a lower level than the data or includes SAMI data, does not use separate, NSA-approved cryptography.  [AD, Generic]
DS00.3290  V0014828  II   Directory administration sessions over a network are not encrypted.  [Generic]
DS00.3300  V0014824  II   A replication implementation does not include authentication of the source *and* target directory servers (mutual authentication).  [Generic]
DS00.3310  V0014809  II   An account used for directory replication is not dedicated to that function.  [Generic]
DS00.3320  V0014826  I    The password of the replication account is not encrypted in transit.  [Generic]
DS00.3330  V0014822  II   Directory administration does not include authentication of the target directory server *and* administration client (mutual authentication).  [Generic]
DS00.3340  V0014823  II   Directory updates performed under proxy credentials do not include authentication of the target directory server *and* proxy client (mutual authentication).  [Generic]
DS00.3350  V0014794  III  A directory server that utilizes PKI certificates does not perform certificate validation that includes CRL or OCSP checking.  [Generic]

DS00.3360  V0014830  III  A directory service implementation does not use data signing or other methods to ensure the integrity of directory administration and replication traffic over a network.  [Generic]
DS00.3370  V0014831  III  The directory server does not have a default to terminate LDAP network connections that have been inactive five (5) minutes or more.  [AD, Generic]
DS00.3375  V0014795  III  Accounts are defined with inactivity timeout values higher than five (5) minutes and the accounts are not listed in local documentation.  [Generic]
DS00.4100  V0014785  III  Privileged remote access to a directory server is not implemented through a managed access control point and with increased session security mechanisms.  [Generic]
DS00.4110  V0014786  III  Sessions for privileged remote access to a directory server are not logged or the logs are not reviewed at least weekly.  [Generic]
DS00.4120  V0014787  III  Non-privileged remote access to a directory server is not implemented through a managed access control point.  [Generic]
DS00.4130  V0014788  II   Remote access to a directory server is not encrypted.  [Generic]
DS00.4140  V0008523  II   The VPN used to protect directory network traffic does not support visibility to an IDS.  [AD, Generic]

DS00.6110  V0014789  III  Code used in a directory service implementation that is not vendor-provided is not backed up periodically.  [AD, Generic]
DS00.6120  V0008525  III  Disaster recovery plans do not include sufficient directory service architecture information such as hierarchy and replication structure.  [AD, Generic]
DS00.6130  V0014793  III  Disaster recovery plans do not include identification of software products used in directory server operations.  [Generic]
DS00.6140  V0008524  II   Only one directory server supports a directory service.  [AD, Generic]
DS00.7100  V0008526  III  Cross-directory authentication configurations have not been evaluated with respect to possible INFOCON procedures.  [AD, Generic]
DS00.7110  V0014777  II   Security related patches for directory server products are not applied or the application status is not documented.  [Generic]
DS05.0100  (no VMSID)  III  Note: At this time there is no Common Criteria Protection Profile for directory synchronization products. Therefore this check is not currently active.  [Generic]
DS05.0110  (no VMSID)  III  Note: At this time there is no Common Criteria Protection Profile for directory synchronization products. Therefore this check is not currently active.  [Generic]

DS05.0120  V0011782  II   An encryption, signing, or other cryptographic algorithm used in a directory synchronization application is not FIPS 140-2 validated.  [Generic]
DS05.0130  V0011760  II   A synchronization implementation that spans enclave boundaries and uses LDAP or HTTP protocol does not use a VPN to protect the network traffic.  [Generic]
DS05.0140  V0011761  II   A synchronization implementation that spans enclave boundaries and uses LDAPS or HTTPS protocol does not use a DoDI 8551.1-compliant solution to protect the network traffic.  [Generic]
DS05.0150  V0011787  II   Directory synchronization program or configuration files do not have proper access permissions.  [Generic]
DS05.0155  V0014772  II   Synchronization application software files are not monitored for unauthorized modifications.  [Generic]
DS05.0160  V0011784  I    A non-vendor supported directory synchronization product is in use.  [Generic]
DS05.0170  V0011762  II   A migration plan has not been developed to remove or upgrade a synchronization product for which vendor security patch support is soon being or already has been dropped.  [Generic]

DS05.0180  V0011763  III  A synchronization product used in routine, scheduled operations is not documented in the CCB and C&A software inventory or the inventory backup copy is not subject to adequate physical protections.  [Generic]
DS05.0190  V0011785  II   Public domain software is used to perform directory synchronization operations.  [Generic]
DS05.0200  V0011786  III  The source code for a directory synchronization application is located in the same directory as data that is input to or output from the application.  [Generic]
DS05.0210  V0011764  I    A password used in the execution of a synchronization implementation is embedded in a script or stored in an unencrypted file.  [Generic]
DS05.0220  V0011783  II   PKI certificates used in a directory synchronization application are not issued by the DoD PKI or an approved External Certificate Authority (ECA).  [Generic]
DS05.0230  V0011788  I    Directory synchronization data files do not have proper access permissions.  [Generic]
DS05.0240  V0011789  II   A directory synchronization data file that contains a substantial aggregate of the directory data for an entire geographic command is not encrypted.  [Generic]
DS05.0250  V0011790  II   A directory synchronization application is not configured to collect audit data.  [Generic]

DS05.0260  V0011791  III  Tools are not installed to support reviewing audit data from a directory synchronization application.  [Generic]
DS05.0270  V0011765  III  Audit data from a synchronization implementation is not backed up at least weekly on external media or on a system other than where the implementation executes.  [Generic]
DS05.0280  V0011766  III  Audit data from a synchronization implementation is not retained for at least one year.  [Generic]
DS05.0290  V0011792  II   Directory synchronization audit data files do not have proper access permissions.  [Generic]
DS05.0320  V0011767  III  There is no policy to ensure that code that is not vendor-provided and is used in a synchronization implementation that updates security principal accounts is subject to a configuration management process.  [Generic]
DS05.0330  V0011769  II   A synchronization implementation that transfers data over wireless or non-DoD networks does not use encryption to protect the network traffic.  [Generic]
DS05.0331  V0014773  II   A synchronization implementation at a classified confidentiality level, that transfers data through a network cleared to a lower level than the synchronization data or transfers SAMI data, does not use separate, NSA-approved cryptography.  [Generic]

DS05.0340  V0011771  II   A synchronization implementation that transfers a substantial aggregate of the directory data for an entire geographic command does not use encryption to protect the network traffic.  [Generic]
DS05.0350  V0011772  III  A synchronization product that utilizes PKI certificates does not perform certificate validation that includes CRL or OCSP checking.  [Generic]
DS05.0360  V0011770  III  A synchronization implementation does not use data signing or other methods to ensure the integrity of directory data network traffic.  [Generic]
DS05.0370  V0011773  II   A synchronization implementation does not perform authentication of the synchronization client *and* target directory server (mutual authentication).  [Generic]
DS05.0380  V0011774  II   Privileged remote access to a synchronization implementation is not implemented through a managed access control point and with increased session security mechanisms.  [Generic]
DS05.0390  V0011775  II   Sessions for privileged remote access to a synchronization implementation are not logged or the logs are not reviewed at least weekly.  [Generic]

DS05.0400  V0011776  III  Non-privileged remote access to a synchronization implementation is not implemented through a managed access control point.  [Generic]
DS05.0410  V0011777  II   Remote access to a synchronization implementation is not encrypted.  [Generic]
DS05.0420  V0011778  II   Physical access to a host used in routine, scheduled synchronization operations is not restricted to authorized personnel.  [Generic]
DS05.0430  V0011779  II   Production data from routine, scheduled synchronization operations is not backed up periodically.  [Generic]
DS05.0440  V0011768  III  Code used in a synchronization implementation that is not vendor-provided is not backed up periodically.  [Generic]
DS05.0450  V0011780  III  Disaster recovery plans do not include identification of products used in routine, scheduled synchronization operations.  [Generic]
DS05.0460  V0011781  II   Security related patches for synchronization products are not applied or the application status is not documented.  [Generic]

DS10.0150 V0008303     II    The Directory Services                                                   AD
                             Restore Mode (DSRM)
                             password does not meet
                             complexity standards.
DS10.0151 V0008310     II    There is no policy to ensure                                             AD
                             that the DSRM password is
                             changed often enough.




DS10.0160 V0008551 III An AD domain that has no                                                       AD
                       Windows NT domain
                       controllers is at a domain
                       functional level that allows
                       the addition of new Windows
                       NT domain controllers.

DS10.0170 V0008533     II   An external, forest, or realm                                              AD
                            AD trust relationship is
                            defined where access
                            requirements do not support
                            the need.
DS10.0180 V0008534     I    An external, forest, or realm                                              AD
                            AD trust relationship is
                            defined between systems at
                            different classification levels.

DS10.0181 V0008536     I    An external, forest, or realm                                              AD
                            AD trust relationship is
                            defined between a DoD
                            system and a non-DoD
                            system without explicit
                            approval of the DAA and
                            appropriate documentation
                            of the external network
                            connection(s).
DS10.0190 V0008538     II   An outgoing external or                                                    AD
                            forest trust is configured
                            without SID filtering.
DS10.0200 V0008540     II   An outgoing forest trust is                                                AD
                            configured without Selective
                            Authentication.
DS10.0210 V0012780     I    The Synchronize Directory                                                  AD
                            Service Data user right has
                            been assigned to an account.

DS10.0220 V0008547     II   The Pre-Windows 2000                                                       AD
                            Compatible Access group
                            includes the Everyone or
                            Anonymous Logon groups.
DS10.0230 V0008555     II   The dsHeuristics option is                                                 AD
                            not configured to prevent
                            anonymous access to AD.




DS10.0240 V0008548 II The number of accounts is                                                     AD
                      excessive or documentation
                      does not exist for the
                      accounts that are members
                      of the Domain Admins,
                      Enterprise Admins, Schema
                      Admins, Group Policy
                      Creator Owners, or
                      Incoming Forest Trust
                      Builders groups.

DS10.0260 V0008521     II    The number of accounts is                                               AD
                             excessive or documentation
                             does not exist for the
                             accounts that have been
                             delegated AD object
                             ownership or update
                             permissions and are *not*
                             members of Windows built-
                             in administrative groups.
DS10.0295 V0008557     II    The domain controller                                                   AD
                             holding the forest
                             authoritative time source is
                             not configured to use a DoD-
                             authorized external time
                             source.
DS10.0310 V0008313     II    Physical access to the AD                                               AD
                             forest root FSMO domain
                             controllers is not restricted
                             to specifically authorized
                             personnel.
DS10.0320 V0008311     II    The offline copy of the                                                 AD
                             DSRM password is not
                             subject to adequate physical
                             protections.
DS10.9100 V0012778     III   The AD domain and forest in                                             AD
                             which the domain controller
                             resides have not been
                             reviewed for vulnerabilities.




DSN01.01 V0007921 III The IAO does not conduct
                      and document self-
                      inspections of the DSN
                      components at least semi-
                      annually for security risks.
DSN01.02 V0007922 III The site's telephone switch is
                      not frequently monitored for
                      changing calling patterns
                      and system uses for
                      possible security concerns.

DSN01.03 V0007923     II    The ISSO/IAO does not
                            ensure that administration
                            and maintenance personnel
                            have proper access to the
                            facilities, functions,
                            commands, and calling
                            privileges required to
                            perform their job.
DSN02.01 V0007924     III   DSN systems are not
                            registered in the DISA VMS.
DSN02.02 V0007925     III   System Administrators (SAs)
                            responsible for DSN
                            information systems are not
                            registered with the DISA
                            VMS.
DSN02.03 V0007926     II    The ISSO/IAO and
                            ISSM/IAM, in coordination
                            with the SA, will be
                            responsible for ensuring that
                            all IAVM notices are
                            responded to within the
                            specified time period.
DSN02.04 V0008338     II    IAVMs are not addressed
                            using RTS system vendor
                            approved or provided
                            patches.
DSN02.05 V0008339     III   DoD voice/video/RTS
                            information system assets
                            and vulnerabilities are not
                            tracked and managed using
                            any vulnerability
                            management system as
                            required by DoD policy.


DSN03.01 V0008340 III A DoD Voice/Video/RTS
                      system or device is NOT
                      configured in compliance
                      with all applicable STIGs or
                      the appropriate STIGs have
                      not been applied to the
                      fullest extent possible.
DSN03.02 V0008341 III The purchase / maintenance
                      contract, or specification, for
                      the Voice/Video/RTS system
                      under review does not
                      contain verbiage requiring
                      compliance and validation
                      measures for all applicable
                      STIGs.

DSN03.03 V0008342     III   The DAA, IAM, IAO, or SA
                            for the system DOES NOT
                            enforce contract
                            requirements for STIG
                            compliance and validation.
DSN03.04 V0008345      II   A Voice/Video/RTS system
                            is in operation but is not
                            listed on the DSN APL nor is
                            it in the process of being
                            tested.
DSN03.05 V0008346     III   A Voice/Video/RTS system
                            or device is NOT installed
                            according to the deployment
                            restrictions and/or
                            mitigations contained in the
                            IA test report, Certifying
                            Authority's recommendation
                            and/or DSAWG approval
                            documentation.


DSN03.06 V0008347     III   A Voice/Video/RTS system
                            or device is NOT installed in
                            the same configuration and
                            being used for the same
                            purpose that was tested for
                            prior to DSAWG approval
                            and DSN APL listing.


DSN03.07 V0008348 III The requirement of DSN
                      APL listing is not being
                      considered during the
                      procurement, installation,
                      connection, or upgrade to
                      the site's Voice/Video/RTS
                      infrastructure.
DSN04.01 V0007930  II Switch administration,
                      ADIMSS, or other Network
                      Management terminals are
                      not located on a dedicated
                      LAN.
DSN04.02 V0007931  II Network Management
                      routers located at switch
                      sites are not configured to
                      provide IP and packet level
                      filtering/protection.
DSN04.03 V0007932  II Administration terminals are
                      used for other day-to-day
                      functions (i.e., email, web
                      browsing, etc.).
DSN04.04 V0007933  II Switch Administration
                      terminals do not connect
                      directly to the switch
                      administration port or
                      connect via a controlled,
                      dedicated, out of band
                      network used for switch
                      administration support.
DSN04.05 V0007934 III Attendant console ports are
                      available to unauthorized
                      users because instruments
                      other than the Attendant
                      console are allowed to
                      connect to the Attendant
                      console port.
DSN04.06 V0007935 III The ISSO/IAO has not
                      established Standard
                      Operating Procedures.




DSN04.07 V0008545 II OAM&P / NM and CTI
                     networks are NOT dedicated
                     to the system that they serve
                     in accordance with their
                     separate DSN APL
                     certifications.

DSN04.08 V0008544     II   An OAM&P / NM and CTI
                           network/LAN is connected to
                           the local general use (base)
                           LAN without appropriate
                           boundary protection.

DSN04.09 V0008542     II   An OAM&P / NM and CTI
                           network/LAN is connected to
                           the local general use (base)
                           LAN without appropriate
                           boundary protection.

DSN04.10 V0008541     II   An OAM&P / NM or CTI
                           network DOES NOT comply
                           with the Enclave and/or
                           Network Infrastructure
                           STIGs.
DSN05.01 V0007936     II   Applicable security
                           packages have not been
                           installed on the system.
DSN06.01 V0007937     II   The IAO DOES NOT ensure
                           that all temporary
                           Foreign/Local National
                           personnel given access to
                           DSN switches and
                           subsystems for the purpose
                           of installation and
                           maintenance, are controlled
                           and provided direct
                           supervision and oversight
                           (e.g., escort) by a
                           knowledgeable and
                           appropriately cleared U.S.
                           citizen.




DSN06.02 V0008519 II Foreign/Local National
                     personnel hired by a
                     base/post/camp/station for
                     the purpose of operating or
                     performing OAM&P / NM
                     functions on DSN switches
                     and subsystems have not
                     been vetted through the
                     normal process for providing
                     SA clearance as dictated by
                     the local Status of Forces
                     Agreement (SOFA).

DSN06.03 V0008520     II    Foreign/Local National
                            personnel have duties or
                            access privileges that
                            exceed those allowed by
                            DODI 8500.2 E3.4.8.
DSN06.04 V0007940     III   The option to restrict user
                            access based on duty hours
                            is available but is not being
                            utilized.
DSN06.05 V0008558     II    System administrative and
                            maintenance users are
                            assigned accounts with
                            privileges that are not
                            commensurate with their
                            assigned responsibilities.
DSN06.06 V0008556     III   All system administrative
                            and maintenance user
                            accounts are not
                            documented.
DSN06.07 V0008554     III   The available option of
                            Command classes or
                            command screening is NOT
                            being used to limit system
                            privileges.
DSN07.01 V0007941     III   The Direct Inward System
                            Access feature and/or
                            access to Voice Mail is not
                            controlled by either class of
                            service, special
                            authorization code, or PIN.




DSN07.02 V0007942 III Direct Inward System
                      Access and Voice Mail
                      access codes are not
                      changed semi-annually.
DSN07.03 V0007943 III Personal Identification
                      Numbers (PIN) assigned to
                      special subscribers used to
                      control Direct Inward System
                      Access and Voice Mail
                      services are not being
                      controlled like passwords
                      and deactivated when no
                      longer required.
DSN07.04 V0007944 III Privilege authorization,
                      Direct Inward System
                      Access and/or Voice Mail
                      special authorization codes
                      or individually assigned
                      PINs are not changed when
                      compromised.

DSN08.01 V0007945     III   Equipment, cabling, and
                            terminations that provide
                            emergency life safety
                            services such as 911 (or
                            European 112) services
                            and/or emergency
                            evacuation paging systems
                            are NOT clearly identified
                            and marked.
DSN08.02 V0008537     III   There is no system installed
                            that can provide emergency
                            life safety or security
                            announcements.
DSN08.03 V0008539     II    A policy is NOT in place
                            and/or NOT enforced
                            regarding the use of
                            unclassified telephone/RTS
                            instruments located in areas
                            or rooms where classified
                            meetings, conversations, or
                            work normally occur.




DSN08.04 V0008543  II Voice/Video/RTS devices
                       located in SCIFs do not
                       prevent on-hook audio pick-
                       up and/or do not have a
                       speakerphone feature
                       disabled or are not
                       implemented in accordance
                       with DCID 6/9 or TSG
                       Standard 2.
DSN09.01 V0007946 III SS7 links are not clearly
                       identified and routed
                       separately from termination
                       point to termination point.
DSN09.02 V0007947 III  The SS7 termination blocks
                       are not clearly identified at
                       the MDF.
DSN09.03 V0007948 III Power cabling that serves
                       SS7 equipment is not
                       diversely routed to separate
                       Power Distribution Frames
                       (PDF) and identified.

DSN09.04 V0007949     III   Power cabling that serves
                            SS7 equipment is not clearly
                            identified at both the
                            termination point and at the
                            fusing position.
DSN09.05 V0007950      II   Links within the SS7 network
                            are not encrypted.
DSN10.02 V0007952      II   A DoD VoIP system, device,
                            or network is NOT
                            configured in compliance
                            with all applicable STIGs or
                            the appropriate STIGs have
                            not been applied to the
                            fullest extent possible.
DSN11.01 V0007953      II   Transport circuits are not
                            encrypted.
DSN11.02 V0007954     III   Physical access to
                            commercial Add/Drop
                            Multiplexers (ADMs) is not
                            restricted.
DSN12.01 V0007955     III   The ISSO/IAO does not
                            maintain a library of security
                            documentation.

DSN13.01 V0007956  II Users are not required to
                      change their password
                      during their first session.
DSN13.02 V0007957   I Default passwords and user
                      names have not been
                      changed.
DSN13.03 V0007958  II Shared user accounts are
                      used and not documented
                      by the ISSO/IAO.
DSN13.04 V0007959 III The option to disable user
                      accounts after 30 days of
                      inactivity is not being used.
DSN13.05 V0007960   I Management access points
                      (i.e.
                      administrative/maintenance
                      ports, system access, etc.)
                      are not protected by
                      requiring a valid username
                      and a valid password for
                      access.
DSN13.06 V0007961 III Passwords do not meet
                      complexity requirements.
DSN13.07 V0007962  II Maximum password age
                      does not meet minimum
                      requirements.
DSN13.08 V0007963  II Users are permitted to
                      change their passwords at
                      an interval of less than 24
                      hours without ISSO/IAO
                      intervention.
DSN13.09 V0007964 III Password reuse is not set to
                      8 or greater.
DSN13.10 V0007966  II User passwords can be
                      retrieved and viewed in clear
                      text by another user.
DSN13.11 V0007967  II User passwords are
                      displayed in the clear when
                      logging into the system.
DSN13.12 V0007968 III The option to use passwords
                      that are randomly generated
                      by the DSN component is
                      available but not being used.




DSN13.13 V0007969 II The system is not configured
                     to disable a user's account
                     after three notifications of
                     password expiration.

DSN13.14 V0007965     II   The ISSO/IAO has not
                           recorded the passwords of
                           high level users (ADMIN)
                           used on DSN components
                           and stored them in a secure
                           or controlled manner.

DSN13.15 V0007970     II   Crash-restart vulnerabilities
                           are present on the DSN
                           system component.
DSN13.16 V0008560     II   Access to all management
                           system workstations and
                           administrative / management
                           ports is NOT remotely
                           authenticated.
DSN13.17 V0008559     II   Strong two-factor
                           authentication is NOT used
                           to access all management
                           system workstations and
                           administrative / management
                           ports on all devices or
                           systems.
DSN14.01 V0007971     II   The DSN system component
                           is not installed in a
                           controlled space with visitor
                           access controls applied.

DSN14.02 V0007972     II   Documented procedures do
                           not exist that will prepare for
                           a suspected compromise of
                           a DSN component.

DSN15.01 V0007973     II   Audit records are NOT
                           stored in an unalterable file
                           and can be accessed by
                           individuals not authorized to
                           analyze switch access
                           activity.




DSN15.02 V0007974 II Audit records do not record
                     the identity of each person
                     and terminal device having
                     access to switch software or
                     databases.
DSN15.03 V0007975 II Audit records do not record
                     the time of the access.
DSN15.04 V0007976 II The auditing records do not
                     record activities that may
                     change, bypass, or negate
                     safeguards built into the
                     software.
DSN15.05 V0007977 II Audit record archive and
                     storage do not meet
                     minimum requirements.
DSN15.06 V0007978 II Audit records are not being
                     reviewed by the ISSO/IAO
                     weekly.
DSN15.07 V0008546 II The auditing process DOES
                     NOT record security relevant
                     actions such as the
                     changing of security levels
                     or categories of information.

DSN16.01 V0007979     II    An Information Systems
                            Security Officer/Information
                            Assurance Officer
                            (ISSO/IAO) is not
                            designated for each
                            telecommunications
                            switching system or DSN
                            Site.
DSN16.02 V0007980     II    Site personnel have not
                            received the proper security
                            training and/or are not
                            familiar with the documents
                            located in the security library.

DSN16.03 V0007981     III   The ISSO/IAO does not
                            maintain a DSN Personnel
                            Security Certification letter
                            on file for each person
                            involved in DSN A/NM duties.




DSN16.04 V0007982 II System administrators are
                     NOT appropriately cleared.
DSN17.01 V0007983 II Site staff does not verify and
                     record the identity of
                     individuals installing or
                     modifying a device or
                     software.
DSN17.02 V0007984 II System images are not
                     being backed up on a
                     weekly basis to the local
                     system and a copy is not
                     being stored on a removable
                     storage device and/or is not
                     being stored off site.

DSN17.03 V0007985     II   Site staff does not ensure
                           backup media is available
                           and up to date prior to
                           software modification.
DSN17.04 V0008531     II   The latest software loads
                           and patches are NOT
                           applied to all systems to
                           take advantage of security
                           enhancements.
DSN17.05 V0008532     II   Maintenance and security
                           patches are NOT approved
                           by the local DAA prior to
                           installation in the system.
DSN17.06 V0008535     II   Major software version
                           upgrades have NOT been
                           tested, certified, and placed
                           on the DSN APL before
                           installation.
DSN18.01 V0007986     II   Modems are not physically
                           protected to prevent
                           unauthorized device
                           changes.
DSN18.02 V0007987     II   A detailed listing of all
                           modems is not being
                           maintained.
DSN18.03 V0007988     II   Unauthorized modems are
                           installed.




DSN18.04 V0007989  II Modem phone lines are not
                      restricted and configured to
                      their mission required
                      purpose (i.e. inward/outward
                      dial only).
DSN18.05 V0007990  II Modem phone lines are not
                      restricted to single-line
                      operation.
DSN18.06 V0007991 III The option of Automatic
                      Number Identification (ANI)
                      is available but not being
                      used.
DSN18.07 V0007992  II Authentication is not
                      required for every session
                      requested.
DSN18.08 V0007993 III The option to use the
                      callback feature for remote
                      access is not being used.
DSN18.09 V0007994 III FIPS 140-2, validated Link
                      encryption mechanisms are
                      not being used to provide
                      end-to-end security of all
                      data streams entering the
                      remote access port of a
                      telephone switch.
DSN18.10 V0007995 III The option to use two-factor
                      authentication when
                      accessing remote access
                      ports is not being used.
DSN18.11 V0007996  II Administrative/maintenance
                      ports are not being
                      controlled by deactivating or
                      physically disconnecting
                      remote access devices
                      when not in use.
DSN18.12 V0007997  II Idle connections DO NOT
                      disconnect in 15 min.
DSN18.13 V0007998  II The DSN component is not
                      configured to be unavailable
                      for 60 seconds after 3
                      consecutive failed logon
                      attempts.




DSN18.14 V0007999 III Serial
                      management/maintenance
                      ports are not configured to
                      force out or drop any
                      interrupted user session.
DSN18.15 V0008518  II An OOB Management
                      DOES NOT comply with the
                      Enclave and/or Network
                      Infrastructure STIGs.

DSN18.16 V0008517     II    OOB management networks
                            are NOT dedicated to
                            management of like or
                            associated systems.
DSN18.17 V0008516     II    Network
                            management/maintenance
                            ports are not configured to
                            force out or drop any user
                            session that is interrupted
                            for more than 15 seconds.
DSN19.01 V0008000     II    A properly worded Login
                            Banner is not used on all
                            system/device management
                            access ports and/or
                            OAM&P/NM workstations.

DSN20.01 V0008515      I    A SMU component is not
                            installed in a controlled
                            space with visitor access
                            controls applied.
DSN20.02 V0008514     III   The SMU ADIMSS
                            connection is NOT dedicated
                            to the ADIMSS network.

DSN20.03 V0008513     II    The ADIMSS server
                            connected to the SMU is
                            NOT dedicated to ADIMSS
                            functions.
DSN20.04 V0008512     II    The SMU management port
                            or management workstations
                            are improperly connected to a
                            network that is not dedicated
                            to management of the SMU.




  PDI           VMSID     CAT   Requirement                                                                   Vulnerability   Status   Finding Notes   Section
EN005         V0016162  II    PKI usage and implementation is not compliant with DoD Instruction 8520.02, Public Key Infrastructure (PKI) and Public Key (PK) Enabling, 1 April 2004.   Section: General Business LAN Enclave
EN010         V0003914  II    Enclave assets and/or systems that support enclave protection are not registered with an IAVM tracking mechanism (e.g., Vulnerability Management System (VMS) and AVTR).   Section: General Business LAN Enclave
EN020         V0003915  III   System Administrators (SAs) are not responsible for critical assets or are not registered with a vulnerability management tracking system and therefore are not aware of critical patch releases or vulnerabilities.   Section: General Business LAN Enclave
EN030         V0003916  II    IAVM notices are not responded to within the specified period of time.   Section: General Business LAN Enclave
EN040         V0003917  II    Security related patches have not been applied to all systems.   Section: General Business LAN Enclave
EN041         V0004712  II    A documented security patch management process is not in place or cannot be validated.   Section: General Business LAN Enclave
EN042         V0004713  III   Workstations do not use an automated patch distribution process from a trusted site or secure source (i.e., tools such as Windows Update Services (WUS), scripts, Tivoli, etc.) to distribute and apply security related patches.   Section: General Business LAN Enclave
EN043         V0007572  III   Patch testing is not performed, prior to deployment, in a non-production environment.   Section: General Business LAN Enclave
EN050         V0003920  II    INFOCON procedures are not followed in accordance with Strategic Command Directive SD 527-1, 27 January 2006.   Section: General Business LAN Enclave
EN070         V0014264  III   Supplemental SA INFOCON procedures are not available as required.   Section: General Business LAN Enclave
EN080         V0003922  III   IA or IA enabled products do not meet the minimum EAL and robustness level requirements as established by the Designated Approving Authority (DAA).   Section: General Business LAN Enclave
EN090         V0003923  III   The acquisition of IA or IA-enabled products does not meet the requirements as set forth by NSTISSP 11 and the DODI 8500.2.   Section: General Business LAN Enclave
EN100         V0003924  III   Enclave assets are not assigned a Mission Assurance Category (MAC) or not assigned the correct MAC.   Section: General Business LAN Enclave
EN270         V0004001  II    Low assurance/risky (red port) PPS traffic is allowed through a virtual private network (VPN) without addressing the risk to the other enclaves and is not approved by the DAA.   Section: General Business LAN Enclave
EN280         V0014265  III   Exceptions to the minimum Enclave requirements have not been approved by the appropriate authority.   Section: General Business LAN Enclave
EN290         V0014266  II    An external intrusion detection system (IDS) is not present at the enclave perimeter as directed by the Computer Network Defense Service Provider (CNDSP).   Section: General Business LAN Enclave
EN300         V0004004  II    The external NID is not under the operational control of the CNDSP and is not located outside of a local firewall.   Section: General Business LAN Enclave
EN360         V0004010  III   Permitted IPs and ports, protocols and services are not documented.   Section: General Business LAN Enclave
EN430         V0004016  II    The DNS server and architecture are not configured in accordance with the DNS STIG.   Section: General Business LAN Enclave
EN440         V0004017  I     Privileged level user remote access is not encrypted.   Section: General Business LAN Enclave
EN460         V0004019  III   Content security checking is not employed for email, ftp, or http data.   Section: General Business LAN Enclave
EN465         V0014276  II    A policy and procedure is not in place to monitor all virus alerts (to include desktop clients) and/or reporting any malicious activity to appropriate personnel is not being accomplished.   Section: General Business LAN Enclave
EN480         V0004021  II    A policy is not in place to ensure a DMZ is established within the Enclave Security Architecture to host any remotely or publicly accessible system.   Section: General Business LAN Enclave
EN520         V0004025  III   Major new device configuration or operating systems changes are installed without security guidance.   Section: General Business LAN Enclave
EN540         V0004027  II    Servers do not employ Host Based Intrusion Detection (HIDS).   Section: General Business LAN Enclave
EN550         V0004122  III   The SA is not responding to initial real time HIDS alarms and does not perform analysis of reports.   Section: General Business LAN Enclave
EN560         V0004123  II    Significant events are not reported to the site's Computer Network Defense Service Provider (CNDSP) and/or auditing requirements are not met in accordance with the DoDI 8500.2.   Section: General Business LAN Enclave
EN610         V0004128  III   Local policies have not been developed to ensure information posted to the Internet/Intranet is reviewed by a duly appointed PAO or authorized content reviewer for sensitive information.   Section: General Business LAN Enclave
EN620         V0004129  II    The web servers are not configured in accordance with the Web Server STIG.   Section: General Business LAN Enclave
EN670         V0004134  I     Classified or sensitive information is transmitted over unapproved communications systems or non-DOD systems.   Section: General Business LAN Enclave
EN710         V0004138  III   DOD policy on mobile code is not being followed.   Section: General Business LAN Enclave
EN730         V0004139  II    The Database Management System (DBMS) is not secured in accordance with the Database STIG.   Section: General Business LAN Enclave
EN735         V0004756  II    Wireless Local Area Networks (LANs) and/or devices are not secured in accordance with the Wireless STIG.   Section: General Business LAN Enclave
EN795         V0014305  II    Annual assessments are not being performed in accordance with DoD 8500.2 IA Control DCAR1.   Section: General Business LAN Enclave
EN800         V0014283  III   The site does not coordinate access for the Classified Connection Approval Office (CCAO) to perform random assessments within the Enclave.   Section: General Business LAN Enclave
EN805         V0004755  II    The application infrastructure is not in compliance with the Application Security and Development and Application Services STIGs.   Section: General Business LAN Enclave
EN890         V0015748  I     FTP and/or telnet from outside the enclave into the enclave is permitted, without applying the appropriate security requirements.   Section: General Business LAN Enclave
EN900         V0015749  II    FTP user IDs do not expire and/or passwords are not changed every 90 days.   Section: General Business LAN Enclave
EN910         V0015750  I     FTP or Telnet is used with a userid (UID)/password that has administrative or root privileges.   Section: General Business LAN Enclave
EN920         V0015751  III   An anonymous FTP connection within the enclave is established.   Section: General Business LAN Enclave
ENCTO-0712    V0016161  II    The site is not in compliance with the JTF-GNO issued CTO-07-12, Deployment of the Host Based Security System.   Section: General Business LAN Enclave
ENCTO-0715    V0011939  II    The site is not in compliance with JTF-GNO Communications Tasking Order 07-15, PKI Implementation Phase 2.   Section: General Business LAN Enclave
ENCTO-08005   V0004145  II    Scanning, remediation, and reporting of vulnerabilities are not maintained in accordance with JTF CTO 08-005.   Section: General Business LAN Enclave
ENCTO-08008A  V0016160  II    The site is not in compliance with JTF-GNO issued CTO-08-008A which requires the use of the standardized DoD Warning Banner and user agreement. Compliance has not been reported as outlined in CTO 08-008A.   Section: General Business LAN Enclave
ENDC130       V0012060  II    The architecture must not leak RFC 1918 address space onto the public Internet or NIPRNet and this must be tested and documented on a continual basis.   Section: General Business LAN Enclave
ENDC150       V0012062  II    Devices in the production network must allow for failover to other production network sites in accordance with DoD IA control backup and redundancy requirements dependent on Mission Assurance Category.   Section: General Business LAN Enclave
ENDC200       V0012295  II    An access control solution must be in place for access to the management network and to isolate and/or disconnect any privileged level access client that is not compliant with security requirements.   Section: General Business LAN Enclave
ENDC220       V0012307  II    The management and production networks must be separate and distinct from any other network.   Section: General Business LAN Enclave
ENDC230       V0012311  III   A DMZ must be utilized to access production hosts for non-administrative purposes. For sites/networks that have a DMZ, all external access to production assets will traverse a DMZ. There will be no direct access from external devices.   Section: General Business LAN Enclave
ENDC310       V0019225  II    SA system or host access for management purposes or performance of any privileged level function must be performed via a management network.   Section: General Business LAN Enclave
ENDC370       V0019205  I     Changes to the configuration of any network element that manages the network must be documented and approved by the Information Assurance Manager.   Section: General Business LAN Enclave
ENDC400       V0019275  II    The private, encrypted, management network must be utilized to administer and manage devices in the infrastructure.   Section: General Business LAN Enclave
ENDC410       V0019253  II    A client must use a policy enforcement client/agent on their computer to access the management network.   Section: General Business LAN Enclave
ENDC460       V0019254  II    Access Control Lists (ACL) must be employed to separate security domains, based on the sensitivity and classification of the data, within the production networks.   Section: General Business LAN Enclave
ENDC480       V0019255  II    A system/application that has the capability to tier separate, must be separated.   Section: General Business LAN Enclave
ENDC570       V0019223  II    Publicly accessible systems currently residing in the production computing environment will be moved to the DoD DMZ.   Section: General Business LAN Enclave
ENDC710       V0019212  I     Logical segregation must be employed to protect production traffic, via a DMZ or Community of Interest (COI) network. There will be no direct connections from the NIPRNet or other networks to production assets.   Section: General Business LAN Enclave
ENDC730       V0019277  II    Split tunneling will not be configured on VPN client connections entering an out-of-band or management network.   Section: General Business LAN Enclave
ENDC740       V0019279  II    There is not a Memorandum of Understanding (MOU) or Service Level Agreement (SLA) in place to identify the security requirements (by IA control) to be shared across accreditation boundaries.   Section: General Business LAN Enclave
ENTD100       V0003918  II    Test and development systems are not connected to an isolated network separated from production systems.   Section: Test Enclave - Zone A, Test Enclave - Zone B, Test Enclave - Zone C, Test Enclave - Zone D
ENTD110       V0003919  II    Out of band access is not utilized to access a test and development enclave remotely.   Section: Test Enclave - Zone A, Test Enclave - Zone B, Test Enclave - Zone C, Test Enclave - Zone D
ENTD120       V0014306  II    Development is performed on platforms that are not STIG compliant and/or within a non-STIG compliant infrastructure.   Section: Test Enclave - Zone A, Test Enclave - Zone B, Test Enclave - Zone C, Test Enclave - Zone D
ENTD130       V0014307  II    Network infrastructure devices, such as routers, switches, firewalls, etc., that support the Test/Development enclave are not STIG compliant.   Section: Test Enclave - Zone A, Test Enclave - Zone B, Test Enclave - Zone C, Test Enclave - Zone D
ENTD140       V0014308  II    Documentation which details the description and function of each system, the zone the system resides in, the SA of the system, applications, OS, and hardware of the system is incomplete or missing.   Section: Test Enclave - Zone A, Test Enclave - Zone B, Test Enclave - Zone C, Test Enclave - Zone D
ENTD150       V0014309  II    Systems in test and development zones are connected to a DoD production network without security controls, as required by the appropriate STIGs. A Connection Approval Process (CAP) has not been used prior to connection to a DoD network.   Section: Test Enclave - Zone A, Test Enclave - Zone B, Test Enclave - Zone C, Test Enclave - Zone D
ENTD160       V0014310  II    Test and development systems are not physically disconnected or blocked at the firewall from external networks during the installation of an operating system.   Section: Test Enclave - Zone A, Test Enclave - Zone B, Test Enclave - Zone C, Test Enclave - Zone D
ENTD170       V0014311  II    Development is performed in a Zone D test enclave.   Section: Test Enclave - Zone D
ENTD180       V0014312  I     Zone D systems have direct connectivity to a DoD network.   Section: Test Enclave - Zone D
ENTD190       V0014371  I     Zone D systems contain production or "live" DoD data or privacy act information and are connected to an external network.   Section: Test Enclave - Zone D
ENTD200       V0014372  I     DoD client workstations/laptops, used for DoD official business, interact or connect (to include remote access) to a Zone D system or network.   Section: Test Enclave - Zone D
ENTD210       V0014373  I     Zone C systems have external connectivity to a network other than that of an additional testing facility with the same security requirements (e.g. Zone C to Zone C).   Section: Test Enclave - Zone C
ENTD220       V0014472  II    Zone C systems are not tightly restricted and/or controlled via network resources to avoid T&D systems traffic or data from entering the DoD network.   Section: Test Enclave - Zone C
ENTD230       V0014380  II    Zone B network connections (all incoming/outgoing traffic) are not strictly controlled via network infrastructure devices to include the establishment of a VPN, VLAN or TACLANE.   Section: Test Enclave - Zone B
ENTD240       V0014381  II    A Network Infrastructure STIG compliant DMZ has not been established for the downloading of applicable software for a Zone B environment.   Section: Test Enclave - Zone B
ENTD250       V0014434  II    External to internal (ingress) network initiated connections are permitted for Zone B environments.   Section: Test Enclave - Zone B
ENTD260       V0014457  II    Zone B egress traffic is not restricted via source and destination filtering as well as ports, protocols and services. Zone B traffic is not restricted to facilitate system testing.   Section: Test Enclave - Zone B
ENTD270       V0014458  II    Systems residing in a Zone A test/development environment are not STIG compliant. POA&Ms are not in place to address any open findings for systems.   Section: Test Enclave - Zone A
ENTD280       V0014459  II    Zone A systems are not separated/isolated from production assets via network infrastructure devices, e.g., VLANs, separate subnets.   Section: Test Enclave - Zone A
ENTD290       V0014460  II    Zone A systems do not comply with the requirements in the DoD PPS Assurance Category Assignments List (CAL) for PPS utilization.   Section: Test Enclave - Zone A
ENTD300       V0014461  II    Zone A systems do not utilize a Connection Approval Process to include assessment and scanning for security baselines, and final ATC.   Section: Test Enclave - Zone A
ENTD310       V0014464  II    The IAO will ensure, if remote access is required to a non STIG compliant system in Zone B, dedicated clients (non-production) are utilized to access Zone B systems from a VPN or dialup connection. No connectivity will occur from a production STIG compliant client (e.g., STIG'd Government Furnished Equipment) to a non-STIG'd system in Zone B.   Section: Test Enclave - Zone B
ENTD320       V0014465  II    Non-STIG'd systems connect or communicate with STIG compliant production systems via a remote access solution.   Section: Test Enclave - Zone B, Test Enclave - Zone D
ENTD330       V0014466  I     Virtual machine guest operating systems (OS) which are used to access a T&D zone communicate with the host OS or a production OS.   Section: Test Enclave - Zone A, Test Enclave - Zone B, Test Enclave - Zone C, Test Enclave - Zone D
ENTD340       V0014467  I     In a virtual machine remote access solution, T&D client traffic is not restricted such that all network traffic can only flow to and from the T&D zone.   Section: Test Enclave - Zone A, Test Enclave - Zone B, Test Enclave - Zone C, Test Enclave - Zone D
ENTD350       V0014468  II    Non-production "guests" communicate with DoD networks via the LAN.   Section: Test Enclave - Zone A, Test Enclave - Zone B, Test Enclave - Zone C, Test Enclave - Zone D
    PDI      VMSID CAT         Requirement                   Vulnerability   Status   Finding Notes
7.035            V0003765  I    IAVM Alert 2002-A-0003, Apache Web Server Chunk Handling Vulnerability, has not been applied.
1999-0001        V0005749  I    Mountd Remote Buffer Overflow Vulnerability
1999-0003        V0005751  I    Remote FTP Vulnerability
1999-A-0006      V0005753  I    Statd and Automountd Vulnerabilities
2000-A-0001      V0005777  I    Cross-Site Scripting Vulnerability
2000-A-0003      V0005778  I    Gauntlet Firewall for Unix and WebShield Cyberdaemon Buffer Overflow Vulnerability
2000-B-0001      V0005780  I    Bind NXT Buffer Overflow
2000-B-0002      V0005781  I    Netscape Navigator Improperly Validates SSL Sessions
2000-B-0003      V0005782  I    Multiple Buffer Overflows in Kerberos Authenticated Services
2000-B-0004      V0005783  I    Washington University FTP Daemon (wu-ftpd) Site Exec Vulnerability and setproctitle() Vulnerability
2000-B-0005      V0005784  I    Input Validation Problem in rpc.statd
2000-T-0006      V0005791  II   Frame Domain Verification, Unauthorized Cookie Access and Malformed Component Attribute Vulnerabilities
2000-T-0015      V0005798  II   BMC Best/1 Version 6.3 Performance Management System Vulnerability
2001-A-0001      V0005799  I    Multiple Vulnerabilities in BIND
2001-A-0007      V0005803  I    iPlanet Web Servers Expose Sensitive Data via Buffer Overflow
2001-A-0009      V0005804  I    Gauntlet Firewall for Unix and WebShield CSMAP and smap/smapd Buffer Overflow Vulnerability
2001-A-0011      V0005805  I    Format String Vulnerability in CDE ToolTalk
2001-A-0013      V0005807  I    SSH CRC32 Remote Integer Overflow Vulnerability
2001-B-0003      V0005811  I    Encoding Intrusion Detection System Bypass Vulnerability
2001-B-0004      V0005812  I    WU-FTPd Remote Code Execution Vulnerability
2001-T-0004      V0005816  II   MySQLd Vulnerability
2001-T-0005      V0005817  II   Input Validation Problems in LPRng
2001-T-0008      V0005820  II   Buffer Overflow in telnetd
2001-T-0009      V0005821  II   Symantec Norton Antivirus LiveUpdate Host Verification Vulnerability
2001-T-0015      V0005825  II   Multiple Vulnerabilities in lpd Daemon
2001-T-0017      V0005826  II   OpenSSH UseLogin Multiple Vulnerabilities
2001-T-0018      V0005827  II   Short Password Vulnerability in SSH Communications Security
2002-A-0003      V0005830  I    Apache Web Server Chunk Handling Vulnerability
2002-A-SNMP-003  V0005837  I    Multiple Simple Network Management Protocol Vulnerabilities in Servers and Applications
2002-A-SNMP-004  V0005838  I    Multiple Simple Network Management Protocol Vulnerabilities in Perimeter Devices
2002-A-SNMP-005  V0005839  I    Multiple Simple Network Management Protocol Vulnerabilities in Enclave Devices
2002-A-SNMP-006  V0005840  I    Multiple Simple Network Management Protocol Vulnerabilities in Servers and Applications
2002-B-0003      V0005842  I    Multiple Vulnerabilities in PHP
2002-B-SNMP-002  V0005847  I    Multiple Simple Network Management Protocol Vulnerabilities in Servers and Applications
2002-T-0004      V0005851  II   Kerberos Telnet Protocol Vulnerability
2002-T-0005      V0005852  II   Multiple Vulnerabilities in Oracle Database Server
2002-T-0006      V0005853  II   Multiple Vulnerabilities in Oracle9i Application Server
2002-T-0015      V0005862  II   Integer Overflow Vulnerability in SunRPC derived XDR Libraries
2002-T-0016      V0005863  II   Multiple Vendor kadmind Remote Buffer Overflow Vulnerability
2002-T-SNMP-003  V0005867  II   Multiple Simple Network Management Protocol Vulnerabilities in Servers and Applications
2003-A-0006      V0005873  I    Multiple Vulnerabilities in Multiple Versions of Oracle Database Server
2003-A-0015      V0005908  I    Multiple Vulnerabilities in OpenSSL
2003-B-0001      V0005877  I    Multiple Buffer Overflow Vulnerabilities in Various DNS Resolver Libraries
2003-B-0003      V0005879  I    Sendmail Memory Corruption Vulnerability
2003-B-0005      V0005906  I    Sendmail Prescan Variant Remote Buffer Overrun Vulnerability
2003-T-0004      V0005883  II   Multiple Vulnerabilities in Oracle 9i Application Server
2003-T-0007      V0005886  II   Sun RPC XDR Library Integer Overflow Vulnerability
2003-T-0015      V0005896  II   Multiple Vendor PDF Hyperlinks Arbitrary Command Execution Vulnerability
2003-T-0018      V0005900  II   Real Networks Helix Universal Server Vulnerability
2003-T-0020      V0005904  II   OpenSSH Buffer Mismanagement and Multiple Portable OpenSSH PAM Vulnerabilities
2003-T-0024      V0005916  II   RSync Daemon Mode Undisclosed Remote Heap Overflow Vulnerability
2004-A-0002      V0005923  I    Multiple Vulnerabilities in Check Point Firewall
2004-A-0004      V0005929  I    ISS Internet Security Systems ICQ Parsing Buffer Overflow Vulnerability
2004-B-0003      V0005921  I    Cisco Voice Product Vulnerabilities on IBM Servers
2004-B-0007      V0005946  I    HP Web Jetadmin Multiple Vulnerabilities
2004-B-0009      V0005954  I    Oracle E-Business Suite Multiple SQL Injection Vulnerability
2004-T-0002      V0005924  II   Oracle 9i Application/Database Server Denial Of Service Vulnerability
2004-T-0003      V0005925  II   Apache-SSL Client Certificate Forging Vulnerability
2004-T-0005      V0005928  II   Oracle9i Lite Mobile Server Multiple Vulnerabilities
2004-T-0008      V0005934  II   TCPDump ISAKMP Decoding Routines Multiple Remote Buffer Overflow
2004-T-0011      V0005940  II   Oracle Application Server Web Cache HTTP Request Method Heap Overrun Vulnerability
2004-T-0018      V0005955  II   Multiple Vulnerabilities in ISC DHCP 3
2004-T-0022      V0005964  II   Check Point VPN-1, ASN.1 Buffer Overflow Vulnerability
2004-T-0038      V0005988  II   Sun Java System Web And Application Servers Remote Denial Of Service Vulnerability
2005-A-0014      V0006033  I    Multiple Vulnerabilities in Oracle E-Business and Application Suite
2005-A-0019      V0011666  I    Multiple Vulnerabilities in Oracle E-Business and Applications Suite
2005-A-0034      V0011700  I    Multiple Vulnerabilities in Oracle E-Business and Applications Suite
2005-A-0037      V0011703  I    VERITAS NetBackup Java User-Interface Remote Format String Vulnerability
2005-A-0041      V0011709  I    VERITAS NetBackup Volume Manager Daemon Buffer Overflow Vulnerability
2005-B-0007      V0006015  I    Symantec UPX Parsing Engine Remote Heap Overflow Vulnerability
2005-B-0008      V0006016  I    Trend Micro VSAPI ARJ Handling Heap Overflow Vulnerability
2005-T-0007      V0006018  II   Multiple Vulnerabilities in Computer Associates Products
2005-T-0010      V0006021  II   Multiple Vulnerabilities in Sybase Software
2005-T-0013      V0011646  II   Computer Associates BrightStor ARCserve Backup UniversalAgent Remote Buffer Overflow
2005-T-0031      V0011680  II   Multiple Vulnerabilities in Computer Associates Message Queuing (CAM/CAFT)
2005-T-0035      V0011684  II   Check Point SecurePlatform NGX Firewall Rules Bypass Vulnerability
2005-T-0038      V0011687  II   Sun Java System Application Server Web Application JAR Disclosure
2006-A-0007      V0011723  I    Multiple Vulnerabilities in Oracle E-Business Suite and Applications
2006-A-0008      V0011724  I    Computer Associates (CA) iTechnology iGateway Service Vulnerability
2006-A-0011      V0011732  I    Oracle E-Business Suite Unspecified Vulnerability
2006-A-0013      V0011737  I    Sendmail Asynchronous Signal Handling Remote Code Execution Vulnerability
2006-A-0020      V0011748  I    Multiple Vulnerabilities in Oracle E-Business Suite and Applications
2006-A-0023      V0011756  I    Multiple Vulnerabilities in Macromedia Flash
2006-A-0032      V0012321  I    Multiple Vulnerabilities in Oracle E-Business Suite and Applications
2006-A-0050      V0012899  I    Multiple Vulnerabilities in Oracle E-Business Suite and Applications
2006-T-0002      V0011726  I    Multiple Vulnerabilities within BEA WebLogic Software
2006-T-0008      V0011750  II   HP Color LaserJet 2500/4600 Toolbox Directory Traversal Vulnerability
2006-T-0013      V0011805  I    RealVNC Remote Authentication Bypass Vulnerability
2006-T-0016      V0012055  II   Sun ONE and Sun Java System Application Server Cross-Site Scripting Vulnerability
2007-A-0010      V0013583  I    Multiple Vulnerabilities in Oracle E-Business Suite and Applications
2007-A-0013      V0013605  I    Trend Micro Antivirus UPX Compressed PE File Buffer Overflow Vulnerability
2007-A-0025      V0013996  I    Multiple Vulnerabilities in Oracle E-Business Suite and Applications
2007-A-0038      V0014480  I    Symantec AntiVirus Malformed CAB and RAR Compression Remote Vulnerabilities
2007-B-0012      V0014462  I    RPC Remote Code Execution Vulnerabilities in MIT Kerberos
2007-B-0018      V0014587  I    Multiple Vulnerabilities in Oracle E-Business Suite
2007-B-0035      V0015376  II   Multiple RealPlayer Remote Code Execution Vulnerabilities
2007-T-0025      V0014383  I    Multiple Vulnerabilities in MIT Kerberos
2007-T-0033      V0014842  I    Hewlett-Packard Openview Multiple Remote Buffer Overflow Vulnerabilities
2007-T-0037      V0015097  I    MIT Kerberos Administration Daemon Remote Code Execution Vulnerabilities
2008-A-0011      V0015746  II   SQL Injection in Cisco Unified Communications Manager Vulnerability
2008-A-0020      V0015966  I    Multiple Vulnerabilities in Oracle E-Business Suite
2008-A-0032      V0016019  I    Cisco Unified Communications Manager Denial of Service Vulnerabilities
2008-A-0034      V0016023  I    IBM Lotus Sametime Multiplexer Buffer Overflow Vulnerability
2008-A-0038      V0016039  I    Multiple Security Vulnerabilities in Sun Java ASP
2008-A-0045      V0016170  I    DNS Protocol Cache Poisoning Vulnerability
2008-A-0049      V0016172  II   Multiple Vulnerabilities in Oracle E-Business Suite
2008-A-0052      V0016319  I    Multiple Vulnerabilities in the Oracle WebLogic Server component in BEA Product Suite
2008-A-0053      V0016523  II   Multiple RealPlayer Remote Code Execution Vulnerabilities
2008-A-0075      V0017786  I    Multiple Vulnerabilities in Oracle E-Business Suite
2008-B-0017      V0015753  II   Multiple Apache HTTP Server Vulnerabilities
2008-B-0020      V0015755  I    Multiple Symantec Decomposer Denial of Service Vulnerabilities
2008-B-0024      V0015780  I    Multiple MIT Kerberos Vulnerabilities
2008-B-0041      V0015994  I    Sun Java System Directory Server Remote Unauthorized Access Vulnerability
2008-B-0043      V0016022  I    Multiple CA ARCserve Backup Remote Vulnerabilities
2008-B-0045      V0016025  II   Multiple Sun Java System Application Server and Web Server Vulnerabilities
2008-B-0064      V0017414  I    Multiple Vulnerabilities in Openwsman (VMWare)
2008-B-0073      V0017742  I    Multiple HP OpenView Network Node Manager Vulnerabilities
2008-B-0078      V0017874  I    Multiple Vulnerabilities in VMware
2008-T-0003      V0015665  II   Sun Java Web Proxy Server and Sun Java Web Server Multiple Cross-Site Scripting Vulnerabilities
2008-T-0010      V0015935  II   CA BrightStor ARCserve Backup ListCtrl ActiveX Control Buffer Overflow Vulnerability
2008-T-0017      V0015995  II   CA Products DSM gui_cm_ctrls ActiveX Control Code Execution
2008-T-0026      V0016046  I    SNMP Remote Authentication Bypass Vulnerability
2008-T-0046      V0017144  II   Red Hat OpenSSH Vulnerability
2008-T-0048      V0017352  II   Apache mod_proxy_ftp Cross-Site Scripting Vulnerability
2008-T-0049      V0017350  I    Multiple Vulnerabilities in RedHat Fedora Directory Server
2008-T-0050      V0017465  I    Denial of Service Vulnerabilities in Cisco Unified Communications Manager
2008-T-0052      V0017542  III  MySQL Command-Line Client HTML Injection Vulnerability
2008-T-0054      V0017737  I    Cisco Unity Remote Administration Authentication Bypass Vulnerability
2008-T-0063      V0017904  II   Multiple Vulnerabilities in Symantec Backup Exec
2008-T-0064      V0017917  I    Bzip2 Remote Denial-of-Service Vulnerability
2009-A-0006      V0018000  II   Vulnerability in Oracle Collaboration Suite
2009-A-0009      V0018005  I    Multiple Oracle/BEA Weblogic Security Vulnerabilities
2009-A-0023      V0018613  I    Multiple Vulnerabilities in OpenSSL
2009-A-0057      V0019765  II   Multiple Vulnerabilities in Oracle Enterprise Manager
2009-A-0060      V0019802  I    ISC BIND Denial of Service Vulnerability
2009-A-0089      V0021637  I    Snort Remote Denial Of Service Vulnerability
2009-B-0006      V0018295  I    Multiple Vulnerabilities in VMware
2009-B-0015      V0018638  I    Multiple Vulnerabilities in VMware
2009-B-0016      V0018766  I    VMware Hosted Products Code Execution Vulnerability
2009-B-0017      V0018751  I    Multiple MIT Kerberos Vulnerabilities
2009-B-0021      V0019297  I    Multiple Vulnerabilities in VMware Products
2009-B-0026      V0019438  II   Multiple Vulnerabilities in Apache Tomcat
2009-B-0034      V0019859  I    Multiple Apache HTTP Server Vulnerabilities
2009-B-0051      V0021686  I    Multiple Vulnerabilities in Apache
2009-T-0024      V0018983  I    Multiple Vulnerabilities in Linux Kernel
2009-T-0050      V0021503  I    Multiple Vulnerabilities in Wireshark
2009-T-0051      V0021537  I    PHP 5.2.10 Denial of Service Vulnerability
ESX0010          V0015783  II   ESX Server is not configured in accordance with the UNIX STIG.
ESX0020          V0015784  II   An NFS Server is running on the ESX Server host.
ESX0030          V0015785  II   VMotion virtual switches are not configured with a dedicated physical network adapter.
ESX0040          V0015786  II   There is no dedicated VLAN or network segment configured for virtual disk file transfers.
ESX0050          V0015787  II   Permissions on the configuration and virtual disk files are incorrect.
ESX0055          V0016881  II   Permissions on the virtual disk files are incorrect.
ESX0060          V0015788  II   ISCSI VLAN or network segment is not configured for iSCSI traffic.
ESX0070          V0015789  II   CHAP authentication is not configured for iSCSI traffic.
ESX0080          V0015790  II   ISCSI storage equipment is not configured with the latest patches and updates.
ESX0090          V0015791  II   ISCSI passwords are not compliant with DoD policy.
ESX0100          V0015792  II   Static discoveries are not configured for hardware iSCSI initiators.
ESX0110          V0015793  II   USB drives automatically load when inserted into the ESX Server host.
ESX0120          V0015801  III  The ESX Server does not meet the minimum requirement of two network adapters.
ESX0130          V0015802  II   The service console and virtual machines are not on dedicated VLANs or network segments.
ESX0140          V0015803  III  Notify Switches feature is not enabled to allow for notifications to be sent to physical switches.
ESX0150          V0015804  II   The ESX Server external physical switch ports are configured to VLAN 1.
ESX0160          V0015805  II   Permissions have been changed on the /usr/sbin/esx* utilities.
ESX0170          V0015806  II   Virtual machines are connected to public virtual switches and are not documented.
ESX0180          V0015807  II   Virtual switch port group is configured to VLAN 1.
ESX0190          V0015808  II   Virtual switch port group is configured to VLAN 1001 to 1024.
ESX0200          V0015809  II   Virtual switch port group is configured to VLAN 4095.
ESX0210          V0015810  II   Port groups are not configured with a network label.
ESX0220          V0015811  II   Unused port groups have not been removed.
ESX0230          V0015812  II   Virtual switches are not labeled.
ESX0240          V0015813  II   Virtual switch labels begin with a number.
ESX0250          V0015815  I    The MAC Address Change Policy is set to "Accept" for virtual switches.
ESX0260          V0015817  I    Forged Transmits are set to "Accept" on virtual switches.
ESX0270          V0015818  I    Promiscuous Mode is set to "Accept" on virtual switches.
ESX0280          V0015819  I    Promiscuous mode is enabled for virtual switches during the ESX Server boot process.
ESX0290          V0015820  II   External physical switch ports configured for EST mode are configured with spanning-tree enabled.
ESX0300          V0015821  II   The non-negotiate option is not configured for trunk links between external physical switches and virtual switches in VST mode.
ESX0310          V0015822  II   Undocumented VLANs are configured on ESX Server in VST mode.
ESX0320          V0015824  II   ESX Server firewall is not configured to High Security.
ESX0330          V0015825  II   A third party firewall is configured on ESX Server.
ESX0340          V0015826  II   IP tables or internal router/firewall is not configured to restrict IP addresses to services.
ESX0350          V0015827  III  ESX Server required services are not documented.
ESX0360          V0015828  II   ESX Server service console administrators are not documented.
ESX0370          V0015829  II   Hash signatures for the /etc files are not stored offline.
ESX0380          V0015833  II   Hash signatures for the /etc files are not reviewed monthly.
ESX0390          V0015835  II   The setuid and setgid flags have been disabled.
ESX0400          V0015836  II   ESX Server is not authenticating the time source with a hashing algorithm.
ESX0410          V0015840  II   ESX Server does not record log files.
ESX0420          V0015841  II   ESX Server log files are not reviewed daily.
ESX0430          V0015842  II   Log file permissions have not been configured to restrict unauthorized users.
ESX0440          V0015843  III  ESX Server does not send logs to a syslog server.
ESX0450          V0015844  II   Auditing is not configured on the ESX Server.
ESX0460          V0015845  III  The IAO/SA does not subscribe to vendor security patches and update notifications.
ESX0470          V0015846  II   The ESX Server software version is not at the latest release.
ESX0480          V0015847  II   ESX Server updates are not tested.
ESX0490          V0015848  II   VMware tools are not used to update the ESX Server.
ESX0500          V0015849  I    ESX Server software version is not supported.
ESX0510          V0015850  I    VMware and third party applications are not supported.
ESX0520          V0015851  III  There are no procedures for the backup and recovery of the ESX Server, management servers, and virtual machines.
ESX0530          V0015852  II   The ESX Servers and management servers are not backed up in accordance with the MAC level of the servers.
ESX0540          V0015853  II   Disaster recovery plan does not include ESX Servers, VirtualCenter servers, virtual machines, and necessary peripherals associated with the system.
ESX0550          V0015854  II   Backups are not located in separate logical partitions from production data.
ESX0560          V0015855  II   VI client sessions to the ESX Server are unencrypted.
ESX0570          V0015856  II   VI Web Access sessions to the ESX Server are unencrypted.
ESX0580          V0015857  II   VirtualCenter communications to the ESX Server are unencrypted.
ESX0590          V0015858  II   SNMP write mode is enabled on ESX Server.
ESX0600          V0015859  II   VirtualCenter server is hosting other applications such as database servers, e-mail servers or clients, dhcp servers, web servers, etc.
ESX0610          V0015860  II   Patches and security updates are not current on the VirtualCenter Server.
ESX0650          V0015864  II   VirtualCenter virtual machine is not configured in an ESX Server cluster with High Availability enabled.
ESX0660          V0015865  II   VirtualCenter virtual machine does not have a CPU reservation.
ESX0670          V0015866  II   VirtualCenter virtual machine does not have a memory reservation.
ESX0680          V0015867  III  VirtualCenter virtual machine CPU alarm is not configured.
ESX0690          V0015868  III  VirtualCenter virtual machine memory alarm is not configured.
ESX0700          V0015869  II   Unauthorized users have access to the VirtualCenter virtual machine.
ESX0710          V0015870  II   No dedicated VirtualCenter administrator created within the Windows Administrator Group on the Windows Server for managing the VirtualCenter environment.
ESX0720          V0015871  II   No logon warning banner is configured for VirtualCenter users.
ESX0725          V0017020  II   VirtualCenter is not using DoD approved certificates.
ESX0730          V0015872  II   VI Client sessions with VirtualCenter are unencrypted.
ESX0740          V0015873  II   VI Web Access sessions with VirtualCenter are unencrypted.
ESX0750          V0015874  I    VirtualCenter vpxuser has been modified.
ESX0760      V0015875  III  Users assigned to VirtualCenter groups are not documented.
ESX0770      V0015876  III  Users in the VirtualCenter Server Windows Administrators group are not documented.
ESX0780      V0015877  II   VirtualCenter Server groups are not reviewed monthly.
ESX0790      V0015878  II   No documented configuration management process exists for VirtualCenter changes.
ESX0800      V0015879  II   There is no VirtualCenter baseline configuration document for users, groups, permissions, and roles.
ESX0810      V0015880  II   VirtualCenter does not log user, group, permission or role changes.
ESX0820      V0015881  II   VirtualCenter logs are not reviewed daily.
ESX0828      V0016851  III  ESX administrators have not received proper training to administer the ESX Server.
ESX0860      V0015882  II   There is no up-to-date documentation of the virtualization infrastructure.
ESX0863      V0015973  II   ESX Server is not properly registered in VMS.
ESX0866      V0015974  II   ESX Server assets are not configured with the correct posture in VMS.
ESX0869      V0015975  II   VirtualCenter Server assets are not properly registered in VMS.
ESX0872      V0015984  II   VirtualCenter Server assets are not configured with the correct posture in VMS.
ESX0880      V0015884  II   ISO images are not restricted to authorized users.
ESX0890      V0015885  II   ISO images do not have hash checksums.
ESX0900      V0015886  II   ISO images are not verified for integrity when moved across the network.
ESX0910      V0015887  III  Master templates are not stored on a separate partition.
ESX0920      V0015888  II   Master templates are not restricted to authorized users only.
ESX0930      V0015889  III  The VMware-converter utility is not used for VMDK imports or exports.
ESX0940      V0015890  II   Nonpersistent disk mode is set for virtual machines.
ESX0950      V0015891  III  No policy exists to assign virtual machines to personnel.
ESX0960      V0015892  III  VI Console is used to administer virtual machines.
ESX0970      V0015893  II   Clipboard capabilities (copy and paste) are enabled for virtual machines.
ESX0980      V0015894  II   VMware Tools drag and drop capabilities are enabled for virtual machines.
ESX0990      V0015895  II   The VMware Tools setinfo variable is enabled for virtual machines.
ESX1000      V0015896  III  Configuration tools are enabled for virtual machines.
ESX1010      V0015897  II   Virtual machines are not time synchronized with the ESX Server or an authoritative time server.
ESX1020      V0015898  III  The IAO/SA does not document and approve virtual machine renames.
ESX1030      V0015899  II   Test and development virtual machines are not logically separated from production virtual machines.
ESX1040      V0015900  III  No policy exists to restrict copying and sharing virtual machines over networks and removable media.
ESX1050      V0015901  II   Virtual machine moves are not logged from one physical server to another.
ESX1060      V0015902  II   Virtual machines moved to removable media are not documented.
ESX1070      V0015903  II   Virtual machines are removed from the site without approval documentation.
ESX1080      V0015904  II   Production virtual machines are not located in a controlled access area.
ESX1090      V0015905  III  Virtual machine rollbacks are performed while the virtual machine is connected to the network.
ESX1100      V0015906  II   Virtual machine OS log files are not saved before rollback.
ESX1110      V0015907  II   Virtual machine log files do not have a size limit.
ESX1120      V0015908  II   ESX Server is not configured to maintain a specific number of log files via log rotation.
ESX1130      V0015909  II   Virtual machine log files are not maintained for 1 year.
ESX1140      V0015913  II   Virtual machines are not backed up in accordance with the MAC level.
ESX1150      V0015972  II   Virtual machines are not registered in VMS.
ESX1160      V0015919  III  Virtual machine requirements are not documented before creating a virtual machine.
ESX1170      V0015921  II   Unused hardware is enabled in virtual machines.
ESX1180      V0015924  II   Guest OS selection does not match installed OS.
ESX1190      V0015926  I    Guest operating system is not supported by ESX Server.
ESX1200      V0015931  II   Anti-virus software and signatures are out of date for "off" and "suspended" virtual machines.
ESX1210      V0015932  II   OS patches and updates are out of date on "off" and "suspended" virtual machines.
ESX1220      V0017043  II   Virtual machines are not configured with the correct posture in VMS.
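The VM-level items ESX0970, ESX0980, ESX0990, ESX1110 and ESX1120 are all decided by a handful of settings in each virtual machine's .vmx file, so they can be scored mechanically. The script below is an added example; it is not part of this checklist or of VMware's tooling. It assumes the option names from VMware's ESX 3.x hardening guidance (isolation.tools.copy.disable, isolation.tools.paste.disable, isolation.tools.dnd.disable, isolation.tools.setinfo.disable, log.rotateSize, log.keepOld); which option answers which PDI is the example's own reading of the items, and the .vmx contents it audits when run without arguments are constructed samples.

```shell
#!/bin/sh
# Added example (not from the checklist or VMware): audit a .vmx file for
# ESX0970/ESX0980/ESX0990 (VMware Tools isolation settings) and
# ESX1110/ESX1120 (log size limit and number of kept logs).
# Assumed option names, taken from VMware's ESX 3.x hardening guidance:
#   isolation.tools.copy.disable, isolation.tools.paste.disable,
#   isolation.tools.dnd.disable, isolation.tools.setinfo.disable,
#   log.rotateSize, log.keepOld
# The option-to-PDI mapping is this example's own.

# vmx_get FILE KEY: print KEY's value (key match is case-insensitive,
# quotes and surrounding whitespace stripped); prints nothing if absent.
vmx_get() {
    awk -F= -v key="$2" '
        NF >= 2 {
            k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (tolower(k) == tolower(key)) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[ \t"]+|[ \t"]+$/, "", v)
                val = v
            }
        }
        END { if (val != "") print val }' "$1"
}

# audit_vmx FILE: print one line per open finding; return the finding count.
audit_vmx() {
    vmx=$1; findings=0
    # Isolation settings that must be TRUE (ESX0970 covers copy and paste).
    for pair in "ESX0970:isolation.tools.copy.disable" \
                "ESX0970:isolation.tools.paste.disable" \
                "ESX0980:isolation.tools.dnd.disable" \
                "ESX0990:isolation.tools.setinfo.disable"; do
        pdi=${pair%%:*}; key=${pair#*:}
        val=$(vmx_get "$vmx" "$key")
        if [ "$(printf '%s' "$val" | tr '[:upper:]' '[:lower:]')" != "true" ]; then
            echo "$pdi OPEN  $key = ${val:-<unset>} (expected TRUE)"
            findings=$((findings + 1))
        fi
    done
    # ESX1110: a log size limit; ESX1120: a fixed number of kept logs.
    # Both must be present and a positive integer.
    for pair in "ESX1110:log.rotateSize" "ESX1120:log.keepOld"; do
        pdi=${pair%%:*}; key=${pair#*:}
        val=$(vmx_get "$vmx" "$key")
        case $val in
            ''|*[!0-9]*|0)
                echo "$pdi OPEN  $key = ${val:-<unset>} (expected a positive integer)"
                findings=$((findings + 1)) ;;
        esac
    done
    if [ "$findings" -eq 0 ]; then echo "no open findings in $vmx"; fi
    return "$findings"
}

# demo: audit two constructed .vmx files (not real VMs): one with the
# defaults of an unhardened VM, one hardened.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' 'displayName = "web01"' \
        'isolation.tools.copy.disable = "FALSE"' > "$dir/weak.vmx"
    printf '%s\n' 'displayName = "web01"' \
        'isolation.tools.copy.disable = "TRUE"' \
        'isolation.tools.paste.disable = "TRUE"' \
        'isolation.tools.dnd.disable = "TRUE"' \
        'isolation.tools.setinfo.disable = "TRUE"' \
        'log.rotateSize = "100000"' \
        'log.keepOld = "10"' > "$dir/hardened.vmx"
    for f in "$dir/weak.vmx" "$dir/hardened.vmx"; do
        n=0; audit_vmx "$f" || n=$?
        echo "$f: $n open finding(s)"
    done
    rm -rf "$dir"
}

# With arguments, audit the given .vmx files; without, run the demo.
if [ "$#" -gt 0 ]; then
    for f in "$@"; do audit_vmx "$f"; done
else
    demo
fi
```

Run it with one or more .vmx paths (on ESX 3.x they typically live under /vmfs/volumes/ inside each VM's directory); with no arguments it audits the two constructed files. The exit status of audit_vmx is the number of open findings, so the function drops into a loop over every registered VM. Note that ESX1130 (retention for one year) cannot be read from the .vmx and needs the log archive checked separately.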
GEN000020    V0000756  II   The UNIX host is bootable in single user mode without a password.
GEN000040    V0000757  II   The UNIX host is not configured to require a password when booted to single-user mode and is not documented.
GEN000060    V0000758  II   The UNIX host cannot be configured to require a password when booted to single-user mode and is not located in a controlled access area.
GEN000260    V0000759  II   A shared account is not justified and documented by the IAO.
GEN000280    V0000760  II   A shared (i.e., default, application, or utility) account is logged into directly.
GEN003320    V0000986  II   Default system accounts (with the exception of root) are listed in the at.allow file or excluded from the cron.deny file if cron.allow does not exist.
GEN003680    V0000972  III  Network services required for operations have not been documented by the IAO.
GEN003700    V0012005  II   All inetd/xinetd services are disabled and inetd (xinetd for Linux) is not disabled.
GEN003820    V0004687  I    A system has a vulnerable trust relationship through rsh or remsh.
GEN003840    V0004688  I    A system has the rexec service active.
GEN003860    V0004701  III  A system has the finger service active.
GEN003865    V0012049  II   Network Analysis tools are enabled.
GEN003960    V0004369  II   The traceroute command owner is NOT root.
GEN003980    V0004370  II   The traceroute command group owner is not sys, bin, or root.
GEN004000    V0004371  II   Traceroute file permissions are less restrictive than 700.
GEN004020    V0004372  III  The browser is NOT capable of 128-bit encryption.
GEN004040    V0004373  II   A browser SmartUpdate, or software update feature, is enabled.
GEN004060    V0004374  II   The browser has unencrypted secure content caching enabled.
GEN004100    V0004376  III  The browser is configured to allow active scripting.
GEN004120    V0004377  II   The browser is not configured to give a warning when form data is redirected.
GEN004160    V0004379  II   The browser gives no warning before viewing remote data with a security certificate that does not match the remote address.
GEN004180    V0004380  II   The browser home page is not configured for a blank page or a locally generated page.
GEN004200    V0004381  II   The browser is NOT configured for Secure Socket Layer (SSL) v2 and SSL v3.
GEN004220    V0004382  I    An SA browses the WEB as root.
GEN004240    V0001038  II   The browser is not a supported version.
GEN004260    V0001039  III  The browser does not issue a warning prior to accepting a cookie from a remote site.
GEN004280    V0001041  III  A browser does not issue a warning when submitting non-encrypted form data.
GEN004300    V0001042  III  The browser does not issue a warning prior to viewing a document with both secure and non-secure content.
GEN004320    V0001043  III  The browser does not issue a warning prior to leaving an encrypted or secure site.
GEN004540    V0012006  II   The sendmail help command is not disabled.
GEN004560    V0004384  III  The O Smtp greeting in sendmail.cf, or equivalent, has not been changed to mask the version.
GEN004580    V0004385  I    .forward files were found.
GEN004600    V0004689  I    A sendmail server has an out-of-date version of sendmail active.
GEN004620    V0004690  I    A UNIX sendmail server has the debug feature active.
GEN004640    V0004691  I    A UNIX sendmail server has a uudecode alias active.
GEN004660    V0004692  III  A sendmail server has the EXPN feature active.
GEN004680    V0004693  III  A sendmail server has the VRFY feature active.
GEN004700    V0004694  III  A UNIX sendmail server has the wizard backdoor active.
GEN004720    V0012007  II   FTP or telnet within an enclave is not behind the premise router and protected by a firewall and router access control lists.
GEN004760    V0012008  I    FTP or telnet from outside the enclave into the enclave is enabled and not within requirements.
GEN004780    V0012009  I    FTP or telnet userids/passwords have administrative or root privileges.
GEN004800    V0012010  II   An AORL is not used to document the use of unencrypted FTP or telnet or the risk is not accepted as part of the accreditation package.
GEN004840    V0004702  II   A system allows anonymous FTP access.
GEN005020    V0004388  I    An anonymous ftp account does not implement STIG security guidance.
GEN005040    V0012011  II   An FTP user's umask is not 077.
GEN005060    V0012013  I    FSP is enabled.
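Of the sendmail items above, GEN004540, GEN004560, GEN004640, GEN004660 and GEN004680 can be decided from sendmail.cf and the aliases file alone. The script below is an added example and is not part of the checklist or of sendmail. It assumes V8 long-form option lines (O PrivacyOptions=..., O SmtpGreetingMessage=..., O HelpFile=...) and their single-letter equivalents Op, Oe and OH; that HELP counts as disabled when no readable HelpFile is configured; and that the greeting still exposes the version while it contains the $v or $Z macros. The configurations it audits when run without arguments are constructed samples. The debug, wizard and out-of-date-version items need a live SMTP session or a version lookup and are not covered.

```shell
#!/bin/sh
# Added example (not from the checklist or from sendmail): score a
# sendmail.cf and an aliases file against GEN004540 (HELP), GEN004560
# (greeting masks the version), GEN004640 (uudecode alias), GEN004660
# (EXPN) and GEN004680 (VRFY).
# Assumptions: V8 long-form options ("O PrivacyOptions=...",
# "O SmtpGreetingMessage=...", "O HelpFile=...") or their single-letter
# forms Op / Oe / OH; HELP counts as disabled when no readable HelpFile is
# configured; the greeting counts as unmasked when it contains $v or $Z.

# cf_option CF LONGNAME LETTER: print the option value (last setting wins).
cf_option() {
    awk -v lname="$2" -v letter="$3" '
        /^O[ \t]+/ {
            line = substr($0, 2); sub(/^[ \t]+/, "", line)
            eq = index(line, "=")
            if (eq > 0 && substr(line, 1, eq - 1) == lname) val = substr(line, eq + 1)
            next
        }
        substr($0, 1, 1) == "O" && substr($0, 2, 1) == letter { val = substr($0, 3) }
        END { print val }' "$1"
}

# has_uudecode_alias ALIASES: true if an uncommented alias is named decode
# or uudecode, or pipes into uudecode.
has_uudecode_alias() {
    [ -r "$1" ] || return 1
    awk '!/^[ \t]*#/ && (tolower($1) ~ /^(decode|uudecode):$/ || tolower($0) ~ /uudecode/) { found = 1 }
         END { exit !found }' "$1"
}

# audit_sendmail CF ALIASES: print one line per open finding; return the count.
audit_sendmail() {
    cf=$1; aliases=$2; n=0
    privacy=$(cf_option "$cf" PrivacyOptions p | tr -d ' \t' | tr '[:upper:]' '[:lower:]')
    case ",$privacy," in
        *,goaway,*|*,noexpn,*) ;;
        *) echo "GEN004660 OPEN  EXPN allowed (PrivacyOptions=${privacy:-<unset>})"; n=$((n + 1)) ;;
    esac
    case ",$privacy," in
        *,goaway,*|*,novrfy,*) ;;
        *) echo "GEN004680 OPEN  VRFY allowed (PrivacyOptions=${privacy:-<unset>})"; n=$((n + 1)) ;;
    esac
    greeting=$(cf_option "$cf" SmtpGreetingMessage e)
    case $greeting in
        *'$v'*|*'$Z'*)
            echo "GEN004560 OPEN  greeting exposes the version: $greeting"; n=$((n + 1)) ;;
    esac
    helpfile=$(cf_option "$cf" HelpFile H)
    if [ -n "$helpfile" ] && [ -r "$helpfile" ]; then
        echo "GEN004540 OPEN  HELP enabled through $helpfile"; n=$((n + 1))
    fi
    if has_uudecode_alias "$aliases"; then
        echo "GEN004640 OPEN  uudecode alias present in $aliases"; n=$((n + 1))
    fi
    if [ "$n" -eq 0 ]; then echo "no open findings in $cf / $aliases"; fi
    return "$n"
}

# demo: constructed (not real) default-looking and hardened configurations.
demo() {
    dir=$(mktemp -d)
    : > "$dir/helpfile"
    printf '%s\n' 'O PrivacyOptions=authwarnings' \
        'O SmtpGreetingMessage=$j Sendmail $v/$Z; $b' \
        "O HelpFile=$dir/helpfile" > "$dir/weak.cf"
    printf '%s\n' 'postmaster: root' 'decode: "|/usr/bin/uudecode"' > "$dir/weak.aliases"
    printf '%s\n' 'O PrivacyOptions=authwarnings,goaway' \
        'O SmtpGreetingMessage=$j; $b' > "$dir/hard.cf"
    printf '%s\n' 'postmaster: root' > "$dir/hard.aliases"
    for p in weak hard; do
        n=0; audit_sendmail "$dir/$p.cf" "$dir/$p.aliases" || n=$?
        echo "$p: $n open finding(s)"
    done
    rm -rf "$dir"
}

# With two arguments (sendmail.cf, aliases) audit those; otherwise run the demo.
if [ "$#" -eq 2 ]; then audit_sendmail "$1" "$2"; else demo; fi
```

goaway is accepted for both EXPN and VRFY because sendmail defines it as the union of the individual restrictions; the checks are case-insensitive and tolerate spaces after the commas, which is how many hand-edited sendmail.cf files are written.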
GEN005140    V0004695  I    TFTP is active and it is not justified and documented with the IAO.
GEN005180    V0012014  II   .Xauthority files are more permissive than 600.
GEN005200    V0004697  I    A system is exporting X displays to the world.
GEN005220    V0012016  II   Authorized X clients are not listed in the X*.hosts (or equivalent) file(s) if the .Xauthority utility is not used.
GEN005240    V0012017  II   Access to the X-terminal host is not limited to authorized X clients.
GEN005260    V0012018  II   The X Window System connections are not required and the connections are not disabled.
GEN005280    V0004696  II   A UNIX system has the UUCP service active.
GEN005360    V0012019  II   The snmpd.conf file is not owned by root and group owned by sys or the application.
GEN005380    V0004392  II   An snmp server runs more than network management and DBMS software and there is no IAO justifying documentation.
GEN005400    V0004393  II   Either /etc/syslog.conf is not owned by root or is more permissive than 640.
GEN005420    V0004394  II   The /etc/syslog.conf group owner is NOT root, bin, or sys.
GEN005440    V0012020  II   Local hosts are used as loghosts for systems outside the local network.
GEN005460    V0004395  II   A system is using a remote log host not justified and documented with the IAO.
GEN005480    V0012021  II   The syslog daemon accepts remote messages and is not an IAO documented loghost.
GEN005500    V0004295  I    SSH, or a similar utility, is running and SSHv1 protocol is used.
GEN005540    V0012022  II   Encrypted communications are not configured for IP filtering and logon warning banners.
GEN005560    V0004397  II   The system is not a router but has no default gateway defined.
GEN005580    V0004398  II   A system used for routing also uses other applications and/or utilities.
GEN005600    V0012023  II   IP forwarding is not disabled.
GEN005620    V0004703  III  A Lotus Domino 5.0.5 Web Application was found vulnerable to the .nsf, .box, and .ns4 directory traversal exploit.
GEN005640    V0004706  III  A system running Squid Web Proxy Cache server was found vulnerable to the authentication header forwarding exploit.
GEN005660    V0004707  II   A system running Squid Web Proxy Cache was found vulnerable to the MSNT auth helper buffer overflow exploit.
GEN005680    V0004709  III  The SA will ensure the Squid Proxy Cache server is not a vulnerable version.
GEN005700    V0004708  III  An iPlanet Web Server was found with the search engine NS-query-pat file viewing vulnerability.
GEN006000    V0012024  II   A public instant messaging client is installed.
GEN006040    V0012025  II   A peer-to-peer file-sharing application is installed and not authorized and documented with the DAA.
GEN006060    V0004321  II   Samba is running and is not being used.
GEN006080    V0001026  II   The Samba Web Administration tool is not used with ssh port forwarding.
GEN006100    V0001027  II   The /etc/smb.conf file is not owned by root.
GEN006120    V0001056  II   The /etc/smb.conf file does not have a group owner of root.
GEN006140    V0001028  II   The /etc/smb.conf file is more permissive than 644.
GEN006160    V0001029  II   The smbpasswd file is not owned by root.
GEN006180    V0001058  II   The /etc/smbpasswd file does not have a group owner of root.
GEN006200    V0001059  II   The /etc/smbpasswd file has permissions more permissive than 600.
GEN006220    V0001030  II   The smb.conf file is not configured correctly.
GEN006240    V0001023  II   A Linux Internet Network News server is not authorized and documented by the IAO.
GEN006260    V0004273  II   A Linux /etc/news/hosts.nntp is more permissive than 600.
GEN006280    V0004274  II   A Linux /etc/news/hosts.nntp.nolimit is more permissive than 600.
GEN006300    V0004275  II   A Linux /etc/news/nnrp.access is more permissive than 600.
GEN006320    V0004276  II   Linux /etc/news/passwd.nntp is more permissive than 600.
GEN006340    V0004277  II   Linux files in /etc/news are not owned by root or news.
GEN006360    V0004278  II   Linux /etc/news files group owner is not root or news.
GEN006380    V0004399  I    NIS/NIS+ is implemented under UDP.
GEN006420    V0012026  II   NIS maps are not protected through hard-to-guess domain names.
GEN006560    V0012028  II   The system vulnerability assessment tool, host-based intrusion detection tool, and file system integrity baseline tool do not notify the SA and the IAO of a security breach or a suspected security breach.
GEN006620    V0012030  II   The access control program is not configured to grant and deny system access to specific hosts.
GEN006640    V0012765  II   An approved DOD virus scan program is not used and/or updated.
IAVA0010     V0001002  I    A TCP_WRAPPERS Trojan exists on the system.
IAVA0020     V0001006  II   There are Internet Message Access Protocol (IMAP) or Post Office Protocol (POP) vulnerabilities.
IAVA0025     V0001007  II   A vulnerability exists in MIME-aware mail and news clients.
IAVA0150     V0007520  II   There are multiple vulnerabilities in Sybase Software.
IAVA0295     V0003612  III  There are multiple SSH vulnerabilities.
IAVA0380     V0004547  II   A vulnerable version of the H.323 Protocol is in use.
IAVA0510     V0004699  I    A BSD system has the FTP RNFR command vulnerability.
LNX00060     V0004246  II   A Linux system Password Configuration Table has the User Password set to ON.
LNX00080     V0004247  I    A Linux system is using a boot diskette as the boot loader.
LNX00100     V0004248  I    A Linux system has not been configured with GRUB as the default boot loader and the boot loader in use has not been authorized, justified, and documented with the IAO.
LNX00120     V0004255  I    The Linux /boot partition is on removable media and is not stored in a secure container.
LNX00140     V0004249  I    The Linux boot-loader does not use an MD5-hashed password.
LNX00160     V0004250  II   Linux /boot/grub/grub.conf is more permissive than 600.
LNX00180     V0004252  I    A Linux system authorized to use LILO does not have a global password in /etc/lilo.conf.
LNX00200     V0012036  I    The LILO Boot Loader password is not encrypted.
LNX00220     V0004253  I    A Linux /etc/lilo.conf file is more permissive than 600.
LNX00260     V0004256  I    A site SOP does not restrict the use of Kickstart to isolated development LANs.
LNX00300     V0004262  II   A Linux system does not have the rpc.ugidd daemon disabled.
LNX00320     V0004268  I    A Linux system has special privilege accounts, such as shutdown and halt.
LNX00340     V0004269  II   A Linux system has unnecessary accounts.
LNX00360     V0001021  II   A Linux X server does not have the correct options enabled.
LNX00380     V0001022  II   A Linux X server has one of the following options enabled: -ac, -core (except for debugging purposes), or -nolock.
LNX00400     V0001025  II   The /etc/login.access file is not owned by root.
LNX00420     V0001054  II   The /etc/login.access file does not have a privileged group owner.
LNX00440     V0001055  II   The /etc/login.access permissions are more permissive than 640.
LNX00480     V0004334  II   Linux /etc/sysctl.conf is not owned by root.
LNX00500     V0004335  II   Linux /etc/sysctl.conf group owner is not root.
LNX00520     V0004336  II   Linux /etc/sysctl.conf file is more permissive than 600.
LNX00540     V0012037  I    The insecure option is set.
LNX00560     V0004339  I    A Linux NFS Server has the insecure file locking option.
LNX00580     V0004342  I    The Linux x86 CTRL-ALT-DELETE key sequence has not been disabled.
LNX00600     V0004346  II   Linux PAM grants sole access to admin privileges to the first user who logs into the console.
LNX00620     V0012038  II   The /etc/securetty file is not group owned by root, sys, or bin.
LNX00640     V0012039  II   The /etc/securetty file is not owned by root.
LNX00660     V0012040  II   The /etc/securetty file is more permissive than 640.
LNX00680     V0012041  II   A vulnerable RealPlayer version is installed.
SOL00040     V0004353  II   /etc/security/audit_user has a different auditing level for specific users.
SOL00060     V0004352  II   /etc/security/audit_user is not owned by root.
SOL00080     V0004351  II   The /etc/security/audit_user group is not root, sys, or bin.
SOL00100     V0004245  II   /etc/security/audit_user is more permissive than 640.
SOL00400     V0004300  II   An NFS server does not have logging implemented.
USB00.001.00 V0006764  III  There is no document instructing users that USB devices be powered off for at least 60 seconds prior to being connected to an IS.
USB01.001.00 V0006765  II   MP3 players, camcorders, or digital cameras are being attached to ISs without prior DAA approval.
USB01.002.00 V0006766  II   USB devices are attached to a DoD IS without prior IAO approval.
USB01.003.00 V0006768  II   Disguised jump drives are not banned from locations containing DOD ISs.
USB01.004.00 V0006769  II   Notices are not prominently displayed informing everyone of the ban of disguised jump drives.
USB01.005.00 V0006770  II   Persistent memory USB devices are not treated as removable media and, contrary to DODD 5200.1-R, the devices are not secured, transported, and sanitized in a manner appropriate for the classification level of the data they contain.
USB01.006.00 V0006771  II   Persistent memory USB devices are not labeled in accordance with the classification level of the data they contain.
USB01.007.00 V0006772  II   Sensitive data stored on a USB device with persistent memory, for which the data owner requires encryption, is not encrypted using NIST-certified cryptography.
USB01.008.00 V0006773  II   USB devices with persistent memory are not formatted in a manner that allows the application of access controls to files or data stored on the device.
USB01.009.00 V0006774  II   There is no section within the SFUG, or equivalent documentation, describing the correct usage and handling of USB technologies.
USB01.010.00 V0006775  III  The USB usage section of the SFUG, or equivalent document, does not contain a discussion of the devices that contain persistent non-removable memory.
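Many of the UNIX items above (traceroute, /etc/syslog.conf, smb.conf, smbpasswd, the /etc/news files, grub.conf, lilo.conf, login.access, sysctl.conf, securetty and audit_user) reduce to the same three checks on one file: no permission bit beyond a maximum mode, an allowed owner, and an allowed group. The script below is an added example and is not part of the checklist. It assumes a stat that accepts -c (GNU or BusyBox), locates traceroute with command -v, and reads "privileged group owner" for login.access (LNX00420) as root, bin or sys; the grouping of PDIs per path is the example's own. The per-user .Xauthority item (GEN005180) is left out.

```shell
#!/bin/sh
# Added example (not from the checklist): check the file ownership and
# permission items above. Uses stat -c (GNU/BusyBox). Paths are the ones
# the checklist names; traceroute is located with command -v. Taking
# root, bin or sys as the "privileged group" for login.access (LNX00420)
# and the PDI ranges on each line are this example's assumptions.

# in_list NAME LIST: true if NAME is one of the '|'-separated names in LIST.
in_list() {
    case "|$2|" in *"|$1|"*) return 0 ;; esac
    return 1
}

# check_file PDI PATH MAXMODE OWNERS GROUPS
#   Finding if PATH carries any permission bit outside MAXMODE (octal;
#   setuid/setgid/sticky count), or its owner/group is outside the lists.
#   Returns 0 compliant, 1 finding, 2 not present.
check_file() {
    pdi=$1; path=$2; max=$3; owners=$4; groups=$5; rc=0
    if [ ! -e "$path" ]; then
        echo "$pdi N/A   $path not present"
        return 2
    fi
    set -- $(stat -c '%a %U %G' "$path")
    mode=$1; owner=$2; group=$3
    # Bits present in mode but not allowed by max (the 0 prefix forces octal).
    if [ $(( 0$mode & ~0$max )) -ne 0 ]; then
        echo "$pdi OPEN  $path mode $mode is more permissive than $max"; rc=1
    fi
    if ! in_list "$owner" "$owners"; then
        echo "$pdi OPEN  $path owner $owner not in $owners"; rc=1
    fi
    if ! in_list "$group" "$groups"; then
        echo "$pdi OPEN  $path group $group not in $groups"; rc=1
    fi
    return $rc
}

# audit_unix_files: run the checklist's file items; return the open count.
audit_unix_files() {
    open=0
    tr_path=$(command -v traceroute 2>/dev/null || echo /usr/sbin/traceroute)
    while read -r pdi path max owners groups; do
        [ -n "$pdi" ] || continue
        rc=0; check_file "$pdi" "$path" "$max" "$owners" "$groups" || rc=$?
        if [ "$rc" -eq 1 ]; then open=$((open + 1)); fi
    done <<EOF
GEN003960-4000 $tr_path 700 root root|sys|bin
GEN005400-5420 /etc/syslog.conf 640 root root|bin|sys
GEN006100-6140 /etc/smb.conf 644 root root
GEN006160-6200 /etc/smbpasswd 600 root root
GEN006260/6340 /etc/news/hosts.nntp 600 root|news root|news
GEN006280/6340 /etc/news/hosts.nntp.nolimit 600 root|news root|news
GEN006300/6340 /etc/news/nnrp.access 600 root|news root|news
GEN006320/6340 /etc/news/passwd.nntp 600 root|news root|news
LNX00160 /boot/grub/grub.conf 600 root root
LNX00220 /etc/lilo.conf 600 root root
LNX00400-440 /etc/login.access 640 root root|bin|sys
LNX00480-520 /etc/sysctl.conf 600 root root
LNX00620-660 /etc/securetty 640 root root|sys|bin
SOL00060-100 /etc/security/audit_user 640 root root|sys|bin
EOF
    echo "$open open finding(s)"
    return "$open"
}

# Run the audit; the exit status is the number of open findings.
audit_unix_files
```

The mode test is a bit mask, so a setuid traceroute (4755) fails the 700 check just as a world-readable one does. Files that do not exist are reported N/A rather than as findings, which keeps Solaris-only or Samba-only paths from skewing the count on hosts where they do not apply; an absent file that the site is required to have (for example lilo.conf on an authorized LILO host) still needs a manual look.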
  PDI     VMSID     CAT           Requirement              Vulnerability   Status   Finding Notes

EMG0-056 V0018865   III   The E-mail Administrator
                          role is not assigned and
                          authorized by the IAO.
EMG0-075 V0018877    II   E-mail Administrator Groups
                          do not ensure least privilege.

EMG0-090 V0018885   III   E-mail acceptable use policy
                          is not documented in the
                          System Security Plan or
                          does not require annual user
                          review.
EMG0-092 V0018886   III   E-mail Acceptable Use
                          Policy does not contain
                          required elements.
EMG1-002 V0018681   III   Unneeded OMA E-mail Web
                          Virtual Directory is not
                          removed.
EMG1-004 V0018682   III   Unneeded Active Sync E-
                          mail Web Virtual Directory is
                          not removed.
EMG1-007 V0018759    II   Default web site allows
                          anonymous access.
EMG1-012 V0018683   III   Unneeded "Public" E-mail
                          Virtual Directory is not
                          removed.
EMG1-103 V0018786    I    Public Folder access does
                          not require secure channels
                          and encryption.
EMG1-105 V0018787    I    Outlook Web Access (OWA)
                          does not require secure
                          channels and encryption.

EMG1-110 V0018733    II   E-mail web applications are
                          operating on non-standard
                          ports.
EMG2-005 V0018666    II   E-mail Server Global
                          Sending or Receiving
                          message size is set to
                          Unlimited.
EMG2-006 V0018671   III   The Global Recipient Count
                          limit is set to “Unlimited”.

EMG2-010 V0018667   III   Sending or Receiving
                          message size is not set to
                          Unlimited on the SMTP
                          virtual server.
EMG2-013 V0018661    II   Mailbox server is not
                          protected by E-mail Edge
                          Transport role (E-mail
                          Secure Gateway) performing
                          Global Accept/Deny list
                          filtering.
EMG2-015 V0018663    II   The Mailbox server is not
                          protected by an Edge
                          Transport Server Role (E-
                          mail Secure Gateway)
                          performing 'Block List'
                          filtering.
EMG2-017 V0018664    II   Mailbox server is not
                          protected by an Edge
                          Transport Server role (E-
                          mail Secure Gateway)
                          performing Block List
                          exception filtering at the
                          perimeter.
EMG2-021 V0018675    II   The E-Mail server is not
                          protected by having
                          connections from “Sender
                          Filter” sources dropped by
                          the Edge Transport Server
                          role (E-Mail Secure
                          Gateway) at the perimeter.
EMG2-024 V0018673    II   The Mailbox server is not
                          protected by having filtered
                          messages archived by the
                          Edge Transport Role server
                          (E-mail Secure Gateway) at
                          the perimeter.
EMG2-026 V0018674    II   The Mailbox server is not
                          protected by having blank
                          sender messages filtered by
                          the Edge Transport Role
                          server (E-mail Secure
                          Gateway) at the perimeter.
EMG2-029 V0018662    II   Mailbox Server is not
                          protected by an Edge
                          Transport Server (E-mail
                          Secure Gateway) performing
                          SPAM evaluation.

EMG2-030 V0018721    II   E-mail servers are not
                          protected by an Edge
                          Transport Server role (E-
                          mail Secure Gateway)
                          removing disallowed
                          message attachments at the
                          network perimeter.
EMG2-031 V0018672    II   The Exchange E-mail
                          Services environment is not
                          protected by an Edge
                          Transport Server (E-Mail
                          Secure Gateway) performing
                          Non-existent recipient
                          filtering at the perimeter.
EMG2-038 V0018818    II   E-mail Services are not
                          protected by having an Edge
                          Transport Server (E-mail
                          Secure Gateway) performing
                          outbound message signing
                          at the perimeter.

EMG2-043 V0018665    II   Mailbox Server is not
                          protected by an Edge
                          Transport Server (E-mail
                          Secure Gateway) performing
                          Sender Authentication at the
                          perimeter.

EMG2-046 V0018660    II   Automated Response
                          Messages are Enabled.
EMG2-105 V0018734    II   E-mail SMTP services are
                          using Non-PPSM compliant
                          ports.
EMG2-107 V0018670    II   Message Recipient Count
                          Limit is not limited on the
                          SMTP virtual server.
EMG2-109 V0018735    II   SMTP Virtual Server is not
                          bound to the PPSM
                          Standard Port.
EMG2-111 V0018780    II   Exchange Server is not
                          protected by an Edge
                          Transport Server (E-mail
                          Secure Gateway) that
                          performs Anonymous
                          Connections interaction with
                          Internet-based E-mail
                          servers.
EMG2-114 V0018690   III   Maximum outbound
                          connection timeout limit is
                          not at 10 minutes or less.
EMG2-117 V0018693   III   Maximum Inbound
                          Connection Timeout Limit is
                          not 10 or less.
EMG2-120 V0018691   III   Outbound Connection Limit
                          per Domain Count is not 100
                          or less.
EMG2-123 V0018687   III   The Outbound Delivery Retry
                          Values are not at the
                          Defaults, or do not have
                          alternate values documented
                          in the System Security Plan.

EMG2-124 V0018770    II   SMTP Virtual Server
                          Auditing is not active.
EMG2-125 V0018692   III   Inbound Connection Count
                          Limit is not set to "Unlimited".
EMG2-126 V0018689   III   SMTP Maximum outbound
                          connections are not at 1000,
                          or an alternate value is not
                          documented in System
                          Security Plan.
EMG2-129 V0018668   III   The SMTP Virtual Server
                          Session Size is not set to
                          "Unlimited".
EMG2-130 V0018688   III   SMTP Maximum Hop Count
                          is not 30.
EMG2-131 V0018701    II   “Smart-Host” is specified at
                          the Virtual Server level.
EMG2-133 V0018762    I    One or more SMTP Virtual
                          Servers do not have a Valid
                          Certificate.
EMG2-136 V0018643   III   E-mail user mailboxes do
                          not have Storage Quota
                          Limitations.
EMG2-139 V0018644   III   E-mail Public Folders do not
                          have Storage Quota
                          Limitations.
EMG2-143 V0018704   III   The SMTP Virtual Server is
                          configured to perform DNS
                          lookups for anonymous E-
                          mails.
EMG2-144 V0018782    II   SMTP Virtual Servers do not
                          Require Secure Channels
                          and Encryption.
EMG2-146 V0018700    II   SMTP virtual Server does
                          not Restrict Relay Access.
EMG2-148 V0018702   III   The SMTP Virtual Server
                          performs reverse DNS
                          lookups for anonymous
                          message delivery.
EMG2-149 V0018669   III   The SMTP Virtual Server
                          Message Count Limit is not
                          20.
EMG2-250 V0018694    II   SMTP Connection
                          Restrictions do not use the
                          "Deny All" strategy.
EMG2-251 V0018696    II   ExAdmin Virtual Directory is
                          not Configured for Integrated
                          Windows Authentication.

EMG2-255 V0018805    II   Scripts are Permitted to
                          Execute in the ExAdmin
                          Virtual Server.
EMG2-256 V0018760    I    OWA does not require only
                          Integrated Windows
                          Authentication.
EMG2-259 V0018803    II   Scripts are permitted to
                          execute in the OWA Virtual
                          Server.
EMG2-263 V0018806    II   Users do not have correct
                          permissions in the OWA
                          Virtual Server.
EMG2-266 V0018719    II   Users do not have correct
                          permissions in the Public
                          Virtual Server.
EMG2-269 V0018807    II   ExAdmin does not have
                          correct permissions in the
                          ExAdmin Virtual Server.
EMG2-271 V0018745    I    OWA Virtual Server has
                          Forms-Based Authentication
                          enabled.
EMG2-272 V0018695   III   SMTP Sender, Recipient, or
                          Connection Filters are not
                          engaged.
EMG2-275 V0018804    II   Scripts are permitted to
                          execute in the Public Folder
                          web server.
EMG2-303 V0018812   III   Exchange application
                          memory is not zeroed out
                          after message deletion.
EMG2-305 V0018788   III   ExAdmin is configured for
                          Secure Channels and
                          Encryption.
EMG2-307 V0018725   III   Mailbox Stores Restore
                          Overwrite is enabled.
EMG2-311 V0018726   III   Public Folder Stores Restore
                          Overwrite is enabled.

EMG2-313 V0018641    II   User mailboxes are hosted
                          on non-Mailbox Server role.
EMG2-317 V0018727   III   E-mail message copies are
                          not archived.
EMG2-318 V0018646   III   Mailbox Stores "Do Not
                          Mount at Startup" is enabled.

EMG2-320 V0018655    II   Public Folder Stores "Do not
                          Mount at Startup" is enabled.

EMG2-323 V0018642    I    E-mail Server does not
                          require S/MIME capable
                          clients.
EMG2-327 V0018744    I    E-mail Public Folders do not
                          require S/MIME capable
                          clients.
EMG2-333 V0018705   III   E-mail Server "Circular
                          Logging" is not set
                          appropriately.
EMG2-340 V0018723    II   Mailboxes and messages
                          are not retained until
                          backups are complete.
EMG2-344 V0018724    II   Public Folder stores and
                          documents are not retained
                          until backups are complete.

EMG2-507 V0018645   III   Public Folders Store storage
                          quota limits are overridden.

EMG2-511 V0018658   III   Public Folder “Send on
                          Behalf of” feature is in use.
EMG2-710 V0018686    II   Message size restrictions
                          are specified on routing
                          group connectors.
EMG2-713 V0018685   III   Connectors are not clearly
                          named as to direction or
                          purpose.
EMG2-718 V0019198    II   Message size restriction is
                          specified at the SMTP
                          connector level.
EMG2-721 V0018698    II   The SMTP connectors do
                          not specify use of a “Smart
                          Host”.
EMG2-730 V0018697    II   Routing Group is not
                          selected as the SMTP
                          connector scope.
EMG2-736 V0018699    I    SMTP connectors allow
                          unauthenticated relay.
EMG2-743 V0018784    I    SMTP Connectors perform
                          outbound anonymous
                          connections.
EMG2-803 V0018703    II   Virtual Server default
                          outbound security is not
                          anonymous and TLS.
EMG2-806 V0018715    II   SMTP Queue Monitor is not
                          configured with a threshold
                          and alert.
EMG2-807 V0018713    II   CPU Monitoring Notifications
                          are not configured with
                          threshold and action.

EMG2-810 V0018707    II   E-mail “Subject Line” logging
                          is enabled during production
                          operations.
EMG2-811 V0018706    II   E-mail Diagnostic Logging is
                          enabled during production
                          operations.
EMG2-813 V0018714    II   Virtual memory monitoring
                          notifications are not
                          configured with threshold
                          and action.
EMG2-815 V0018716    II   Windows 2003 Services
                          Monitoring Notifications are
                          not configured with
                          thresholds and actions.
EMG2-817 V0018717    II   Exchange Core Services
                          Monitors are not configured
                          with threshold and actions.
EMG2-825 V0018710    II   SMTP Virtual Server Audit
                          Records are not directed to a
                          separate partition.
EMG2-831 V0018711    II   Exchange sends fatal errors
                          to Microsoft.
EMG2-833 V0018767    II   The “Disable Server
                          Monitoring” feature is
                          enabled.
EMG2-835 V0018712    II   Disk Space Monitoring is not
                          Configured with Threshold
                          and Action.
EMG2-840 V0018763   III   Audit Records do not contain
                          all required fields.
EMG2-863 V0019186    II   Mailbox access control
                          mechanisms are not audited
                          for changes.
EMG3-005 V0018881   III   The E-mail backup and
                          recovery strategy is not
                          documented or is not tested
                          on an INFOCON compliant
                          frequency.
EMG3-006 V0018880    II   Audit logs are not included in
                          backups.
EMG3-007 V0018883    II   E-mail backups do not meet
                          schedule or storage
                          requirements.
EMG3-009 V0018882    II   E-mail backup and recovery
                          data is not protected.

EMG3-010 V0018884    II   E-mail critical software
                          copies are not stored offsite
                          in a fire rated container.

EMG3-015 V0018857    II   Annual procedural reviews
                          are not conducted at the site.

EMG3-020 V0018858    II   Exchange with Outlook Web
                          Access is not deployed as
                          Front-end/Back-end
                          Architecture.
EMG3-028 V0018868   III   E-mail software installation
                          account usage is not logged.

EMG3-037 V0018869   III   E-mail audit trails are not
                          reviewed daily.
EMG3-045 V0018864    II   E-Mail Configuration
                          Management (CM)
                          procedures are not
                          implemented.
EMG3-050 V0018867    II   E-mail Services are not
                          documented in System
                          Security Plan.
EMG3-058 V0018741    II   E-mail software is not
                          monitored for change on
                          INFOCON frequency
                          schedule.
EMG3-071 V0018879    II   E-mail audit records are not
                          retained for 1 year.
EMG3-079 V0018878    II   Automated audit reporting
                          tools are not available.
EMG3-106 V0019546    I    E-mail services and servers
                          are not protected by routing
                          all SMTP traffic through an
                          Edge Transport Server.

EMG3-108 V0019548    I    E-mail web services are not
                          protected by having an
                          application proxy server
                          outside the enclave.
EMG3-115 V0018731    II   E-mail application installation
                          is sharing a partition with
                          another application.

EMG3-116 V0018792    II   SMTP service banner
                          response reveals
                          configuration details.
EMG3-119 V0018795    II   E-mail Services accounts
                          are not restricted to named
                          services.
EMG3-121 V0018801    II   Services permissions do not
                          reflect least privilege.
EMG3-145 V0018796    II   E-Mail service accounts are
                          not operating at least
                          privilege.
EMG3-150 V0018819    II   E-Mail audit trails are not
                          protected against
                          unauthorized access.
EMG3-801 V0018676    II   E-Mail server has unneeded
                          processes or services active.

EMG3-802 V0018742    II   Security support data or
                          process is sharing a
                          directory or partition with
                          Exchange.
EMG3-805 V0018743    II   Exchange software baseline
                          copy does not exist.

EMG3-817 V0018684    II   VRFY command is resident
                          on Exchange 2003 server.
EMG3-823 V0018732    II   Audit data is sharing
                          directories or partitions with
                          the E-mail application.
EMG3-824 V0018802    II   Exchange application
                          permissions are not at
                          vendor recommended
                          settings.
EMG3-828 V0018799    II   E-mail restore permissions
                          are not restricted to E-mail
                          administrators.
EMG3-829 V0018820    I    E-mail servers do not have E-
                          mail aware virus protection.
 PDI    VMSID     CAT           Requirement              Vulnerability   Status   Finding Notes

H20100 V0014282    II   (U) A static IP address exists
                        for the ePO server.

H20120 V0014483    II   (U) The ePO server is
                        located in a protected
                        Enclave Security Services
                        DMZ or screened subnet.

H20140 V0014484    II   (U//FOUO) The ePO server's
                        management workstations,
                        outside the enclave, use
                        NIST certified encrypted
                        VPNs for access and the
                        traffic is logged.

H20160 V0014485    II   (U) VPN traffic into the ePO
                        is visible to a network
                        intrusion detection system.

H20180 V0014488    II   (U) The ePO server is being
                        protected by a local network
                        IDS.

H20200 V0014486    I    (U) The ePO server
                        perimeter protection is in
                        deny by default with
                        allowable exceptions.

H20260 V0014489    II   (U) The site has registered
                        the HBSS server within the
                        Ports and Protocols
                        database.

H20280 V0014843    II   (U) The site is using a proxy
                        for http/https traffic.
H30100 V0014491   III   (U) The HBSS is under
                        direct control of a site CCB.

H30120 V0017882    II   (U) HBSS is using the
                        approved WSUS HBSS site
                        for Microsoft patches.

H30140 V0014493    II   (U) The ePO server uses
                        only the DoD-controlled
                        source repository.

H30160 V0014494   III   (U) A DoD-controlled DNS
                        server is used for resolution
                        for the ePO server.

H30200 V0014496    II   (U) HBSS is not operating on
                        different classification levels
                        or across mixed DoD and
                        non-DoD systems or
                        networks.

H30220 V0014497    I    (U) The ePO server is
                        dedicated to HBSS.

H30240 V0014498    II   (U) The ePO is using the
                        correct port assignments.

H30241 V0024170    II   (U) Agent-to-server
                        communication port is set
                        correctly.
H30242 V0024171    II   (U) Agent-to-server
                        communication secure port
                        is set correctly.
H30243 V0024172    II   (U) Agent wake-up
                        communication port is set
                        correctly.
H30244 V0024173    II   (U) Agent broadcast port is
                        set correctly.

H30245 V0024174    II   (U) Console-to-application
                        server communication port is
                        set correctly.
H30246 V0024175    II   (U) Client-to-server
                        authenticated
                        communication port is set
                        correctly.
H30247 V0024024    II   (U//FOUO) Port used for
                        Console-to-Server
                        communication is set
                        correctly.


H30250 V0025504    II   (U//FOUO) The notification
                        connector is set to the
                        loopback adapter.



H30260 V0014499    II   (U) The ePO software
                        directories are adequately
                        protected from unauthorized
                        modification.


H30280 V0014500    II   (U) HBSS has the current
                        security patches installed.




H30290 V0017880    II   (U) HBSS application has a
                        DoD certificate installed.




H30300 V0014501    I    (U) The ePO server is not
                        using the default keys.

H30400 V0014502    II   (U) The ePO server has all
                        clients using non-default
                        keys.



H30500 V0014503    II   (U) The ePO server has a
                        scheduled task to pull
                        updates daily from the
                        authorized source repository.


H30540 V0014504    II   (U) The ePO server has a
                        scheduled task to replicate
                        changes to distributed
                        repositories daily.
H30560 V0014505    II   (U) The ePO server does not
                        have a scheduled task to do
                        complete repository updates
                        at least weekly.
H30580 V0014506    II   (U) The ePO server has a
                        scheduled task to identify
                        Inactive Agents daily.
H30620 V0014508    II   (U//FOUO) Only a dedicated
                        machine can be used to
                        manage the ePO server.



H30640 V0014507    I    (U//FOUO) The ePO server
                        cannot be part of a domain.




H30700 V0014509    II   (U) The ePO server is
                        regularly checked for file
                        integrity.



H30720 V0017885    II   (U) The ePO server has
                        MyAverts disabled.




H30740 V0017886    II   (U) The ePO server displays
                        the correct warning banner.

H30760 V0017887    II   (U) The ePO server has user
                        timeout parameter set
                        properly.



H30780 V0017888    II   (U//FOUO) The HBSS
                        console tabbed browsing is
                        disabled.




H30800 V0017889    II   (U//FOUO) HBSS does not
                        have vendor site supplied
                        data dashboards in use.



H30820 V0017890    II   (U//FOUO) The HBSS
                        dashboard refresh rate is set
                        properly.



H31100 V0014510    I    (U//FOUO) The ePO SQL
                        database installation is
                        dedicated to HBSS.



H31120 V0014511   III   (U//FOUO) The SQL
                        database installation partition
                        is separated from the other
                        parts of the application.


H31160 V0014939    II   (U) The SQL database is
                        configured as least privilege
                        or only authorized users
                        have access to data.


H33100 V0014513    II   (U//FOUO) The workstation
                        used for administrative
                        access is dedicated to HBSS.

H33120 V0014514    I    (U//FOUO) The workstation
                        used for remote access is
                        blocked from other
                        connections.

H33130 V0014515    II   (U//FOUO) The workstation
                        used for remote access is
                        protected both logically and
                        physically by a DoD enclave.

H33140 V0014516    II   (U//FOUO) The ePO server's
                        management workstation
                        outside the enclave uses
                        VPNs for access and logs
                        VPN traffic.

H33150 V0014517    I    (U//FOUO) The ePO server's
                        remote console machine
                        cannot be part of a domain.

H33160 V0014518    II   (U//FOUO) The ePO server's
                        remote console machine
                        must have a static IP
                        address.
H34100 V0014519    II   (U) Rogue System Detection
                        is in place.

H35000 V0015346    II   (U//FOUO) The site scans
                        hosts before installation of
                        the HBSS client.
H35100 V0014520    II   (U//FOUO) The ePO agent
                        is configured for Agent
                        Wakeup.
H35110 V0017884    II   (U//FOUO) The ePO agent
                        is configured to only accept
                        connections from the ePO
                        server.
H35120 V0014521    II   (U//FOUO) The ePO agent
                        is configured correctly for the
                        policy enforcement interval.

H35140 V0014522    I    (U//FOUO) The ePO agent
                        to server communication is
                        enabled.
H35160 V0014523    II   (U//FOUO) The ePO agent
                        to server communication
                        interval is set correctly.
H35180 V0014524    II   (U//FOUO) The ePO agent
                        policy age parameter interval
                        is set correctly.
H35200 V0014525    II   (U//FOUO) The ePO agent
                        property type is set correctly.

H35220 V0014526    II   (U//FOUO) The ePO agent
                        is configured to upload
                        events immediately.
H35300 V0014527    II   (U//FOUO) The ePO agent
                        is configured for logging.

H35320 V0014528    I    (U//FOUO) The ePO agent
                        is configured to disallow
                        remote access to logs.
H35400 V0014529    II   (U//FOUO) The ePO agent
                        is configured to use ePO
                        repositories.
H35420 V0014530    II   (U//FOUO) The ePO agent
                        is configured to use multiple
                        ePO repositories.
H35440 V0014531    II   (U) The ePO agent is
                        configured to use DoD-
                        controlled ePO repositories.
H35500 V0017891    II   (U) The ePO component is
                        not in enforcement mode.



H36000 V0015363    II   (U//FOUO) The HIPS
                        module is deployed.
H36100 V0014532    II   (U//FOUO) The HIPS
                        parameter that controls the
                        'add and remove programs'
                        option is disabled.
H36110 V0017892    II   (U) The HIPS error reporting
                        feature is disabled.

H36120 V0014534    I    (U) The Host Intrusion
                        Prevention System (HIPS)
                        Admin password for the
                        User Interface (UI) is known
                        and protected.
H36140 V0014533    I    (U) The Host Intrusion
                        Prevention System (HIPS)
                        Admin password for the
                        User Interface (UI) has been
                        changed from the default.

H36160 V0014535    II   (U//FOUO) The HIPS User
                        Interface Admin password
                        meets password complexity
                        requirements.
H36180 V0014536    II   (U//FOUO) The HIPS Admin
                        password for the User
                        Interface (UI) time-based
                        password is disabled.

H36200 V0014537    II   (U//FOUO) The HIPS User
                        Interface (UI) parameter for
                        disabling features from the
                        tray is set correctly.
H36210 V0017893    II   (U//FOUO) The HIPS IPS
                        engines are active.

H36220 V0014538    II   (U//FOUO) The ePO
                        Server's HIPS Trusted
                        Network address list allows
                        only acceptable networks.


H36260 V0014540    II   (U//FOUO) The HIPS
                        Trusted Network address list
                        allows only acceptable
                        networks.
H36280 V0014541    II   (U//FOUO) The HIPS
                        Trusted Network address list
                        does not include the local
                        subnet automatically.
H36300 V0014542    II   (U//FOUO) The HIPS trusted
                        application list is reviewed
                        against the machine's
                        expected baseline.

H36400 V0014543    I    (U//FOUO) The HIPS policy
                        has enabled Host IPS.

H36410 V0014546    II   (U//FOUO) The HIPS policy
                        disallows the retention of
                        existing client rules.

H36420 V0014544    I    (U//FOUO) The HIPS policy
                        enables Network IPS.

H36440 V0014545    I    (U//FOUO) The HIPS policy
                        enables the automatic
                        blocking of network intruders.

H36500 V0014547    I    (U//FOUO) The HIPS policy
                        for High Severity is set
                        correctly.
H36510 V0014548    II   (U//FOUO) The HIPS policy
                        for Medium Severity is set
                        properly.



H36640 V0014552    II   (U//FOUO) The HIPS policy
                        implements an appropriate
                        rules hierarchy.
H36660 V0014553    II   (U//FOUO) The HIPS policy
                        includes the signature for
                        protection of the ePO
                        registry.

H36661 V0014554    II   (U//FOUO) The HIPS policy
                        includes the signature for
                        protection of the ePO Server
                        KeyStore.


H36662 V0014555    II   (U//FOUO) The HIPS policy
                        includes the signature for
                        protection of the INFOCON
                        registry key.
H36663 V0014556    II   (U//FOUO) The HIPS policy
                        includes the signature for
                        protection of Server.ini.




H36664 V0014557    II   (U//FOUO) The HIPS policy
                        includes the signature for
                        protection of HIPS
                        preferences.
H36665 V0017894    II   (U//FOUO) The HIPS policy
                        includes the signature for
                        protection of ePO Server
                        Agent Keystore.


H36666 V0017895    II   (U//FOUO) The HIPS policy
                        includes the signature for
                        protection of Protect Product
                        Folders.


H36900 V0014560    II   (U) The HIPS for the ePO
                        server has the firewall
                        installed and enabled.



H36920 V0014561    II   (U//FOUO) The HIPS for the
                        ePO server has the firewall
                        set for regular protection.



H36940 V0014562    II   (U//FOUO) The HIPS for the
                        ePO server has the firewall
                        set not to retain client rules.

H36960 V0014495    II   (U//FOUO) The ePO server
                        firewall rules are set
                        correctly.




H37100 V0014563    II   (U//FOUO) The Assets
                        Module Baseline has been
                        installed.
H37500 V0024305    II   (U) The ePO server, if
                        hosting Symantec AV, will
                        only use the DoD-controlled
                        SEPM server, when
                        available.

H38100 V0014565    II   (U) The distributed
                        repository is a Super Agent
                        Repository.
H39200 V0019885    II   (U//FOUO) Policy Auditor
                        has been installed.
H40100 V0014566    I    (U) Default operating system
                        passwords do not exist on
                        the HBSS server.



H40120 V0014567    I    (U) Default passwords do
                        not exist within the HBSS
                        application.



H40140 V0014568    II   (U) The ePO has users
                        assigned in appropriate roles.




H40160 V0014569    II   (U) The ePO users are
                        granted access with proper
                        procedures and/or
                        verification of need to know.


H40180 V0014570    II   (U//FOUO) The ePO has a
                        comprehensive account
                        management process.

H40200 V0014868    II   (U//FOUO) The account
                        management process
                        enforces password
                        complexity.


H40220 V0014571    II   (U//FOUO) The account
                        used for vulnerability
                        scanning on the ePO server
                        meets creation and deletion
                        requirements.

H40300 V0024169    I    (U//FOUO) Credentials
                        cannot be stored outside
                        HBSS.


H41110 V0017897    II   (U) ePO accounts are not
                        configured with shared
                        Windows accounts.



H42100 V0024011    II   (U) HBSS Client
                        Authentication Module is
                        enabled.



H42110 V0024012    II   (U) HBSS Client
                        Authentication is set to
                        current version.



H42120 V0024013    II   (U) Limit number of non-PK
                        enabled accounts.




H42130 V0024014    II   (U) Remove all user
                        certificates after import.

H42155 V0024017    II   (U) Certificate Authority
                        folder populated for
                        Intermediate CAs.



H42180 V0024020    II   (U) Permissions on the CRL
                        directory must be set
                        correctly.



H42185 V0024021    II   (U) CRL directory content is
                        complete.




H42190 V0024022    II   (U) Local CRL checking is
                        enabled.




H42195 V0024023    II   (U) OCSP Responder URL
                        configured.




H42200 V0024161    II   (U) The HBSS keystore
                        permissions are set correctly.




H50100 V0014572    II   (U) SA account is not used
                        within the application.




H50110 V0014512    II   (U) The SQL database
                        connection account is
                        configured as least privilege.

H50120 V0014573    II   (U//FOUO) A plan for
                        grouping of machines for
                        updates and alerts is in
                        place.


H50240 V0014574    II   (U) Procedures exist and are
                        followed to mark classified or
                        sensitive data.



H50260 V0017898    II   (U) Application Report
                        Header is configured
                        correctly.



H51100 V0024162    II   (U//FOUO) SSL in use for
                        SQL Server.




H51110 V0024165    II   (U//FOUO) A DoD certificate
                        is used for encryption.




H51200 V0024307    II   (U) The Site ePO server has
                        the account used by the
                        Rollup server to pull data
                        from the Site ePO configured
                        with read-only access to the
                        ePO data.

H51210 V0024308    II   (U) The staging server has
                        the account used by the
                        Rollup server to pull data
                        from the staging server
                        configured with read-only
                        access to the ePO data.

H51220 V0024309    II   (U) The staging server has a
                        separate account for each
                        site ePO that is being
                        serviced.

H51230 V0024310    II   (U) The Rollup server will
                        have a separate account for
                        each staging server or Site
                        ePO that it is servicing.

H51240 V0024311    II   (U) The staging server
                        accounts used for site ePOs
                        to push data to the staging
                        server have write access
                        only in the database for the
                        ePO's site.
H52000 V0024167    II   (U) ePO Rollup server does
                        not control clients.

H60100 V0014575    II   (U) HBSS Audit Logs are
                        retained for at least one year.




H60120 V0014577    II   (U) HBSS audit log reviews
                        are performed at least
                        weekly.



H60140 V0014578    II   (U) HBSS audit data is
                        backed up at least weekly to
                        a different system or media.



H60160 V0014579    II   (U) The HBSS audit data is
                        properly protected from
                        unauthorized access.



H60180 V0014580    II   (U) The Remote Admin
                        access of ePO is reviewed.




H62100 V0017899    II   (U) HBSS Event Logs are
                        being retained for at least
                        one year.

H80100 V0014581    II   (U) The disaster recovery
                        plan includes HBSS.




H80120 V0014582    II   (U) The ePO Data Backup
                        Frequency or content is
                        complete.



H80200 V0015354    II   (U//FOUO) Offline copies of
                        the HBSS database are
                        encrypted.



H80300 V0024306    II   (U) Sensitive data is not
                        included in e-mail
                        notifications.



H90120 V0014583    II   (U//FOUO) The ePO server
                        is registered in VMS.




H90140 V0014584    II   (U//FOUO) The ePO has the
                        correct attributes within VMS.




H90160 V0014585    II   (U//FOUO) HBSS is
                        incorporated into the site's
                        incident response plan.



H90200 V0015357    II   (U//FOUO) The HBSS SAs
                        or Analysts have completed
                        training.



H90300 V0015358    II   (U//FOUO) The site
                        incorporates the installation
                        of HBSS agents on new
                        hosts prior to network
                        connection.
     Section
     (Component(s) each requirement applies to. The values of this column were
     separated from their rows in extraction and are listed here without row
     assignment: McAfee ePO 4.0 Site; McAfee ePO 4.0 Rollup; McAfee ePO 4.5
     Rollup; McAfee ePO 4.5 Site; McAfee Agent; McAfee HIPS; McAfee Rogue
     Sensor; McAfee Policy Auditor; McAfee Asset Module; McAfee Distributed
     Repository; Remote Console; Staging Server.)
    ____ Checklist _V_R_ (<date>)                                            <Test> - TN <Ticket Number>
  GR-815              CAT           Requirement               Vulnerability       Status   Finding Notes Systems Components
                                                                                                         Affected  Affected

R3-6[4]                Low A process (e.g., an NSC,         An administrator
                           service, or application) that    will not be able to
                           is invoked by a user, shall      distinguish
                           be associated with the           between entities
                           identifier (e.g., userID) of     that are
                           that user. When the invoked      accessing the
                           process invokes another          system. The
                           process, the invoked             system will not
                           process shall be associated      provide enough
                           with the identifier of the       information to
                           invoking process.                facilitate after
                           Autonomous processes (i.e.,      incident audits, or
                           processes running without        investigations.
                           user invocation, such as
                           print spoolers, database
                           management servers,
                           translation process monitors,
                           etc.) shall be associated with
                           a system defined unique
                           identification code (e.g.,
                           system ownership).


R3-17[42]             Medium The access point shall
                             perform the entire user
                             authentication procedure
                             even if the user-ID that is
                             entered is not valid.
R3-18[43]             Medium The error feedback
                             generated by the access
                             point after the user
                             authentication procedure
                             shall provide no information
                             other than “invalid,” i.e., it
                             shall not reveal which part of
                             the user-entered information
                             (user-ID and/or
                             authenticator) is incorrect.




   Legend:
   R or RAE = Required Ancillary Equipment
   NF = Not a Finding
   NA = Not Applicable                                                                 444 of 1286

R3-25[13]  CAT: Medium
    Requirement: Access points that provide a login service shall not prevent a user from choosing (e.g., unknowingly) a password that is already associated with another user-ID. (Otherwise, an existing password may be divulged.)

R3-26[14]  CAT: High
    Requirement: The NE/FS/NS shall store passwords in a one-way encrypted form.

R3-30[18]  CAT: Medium
    Requirement: The NE/FS/NS shall provide a mechanism for a password to be user changeable. This mechanism shall require re-authentication of user identity.
    Vulnerability: The system is vulnerable to unauthorized access and masquerading. At the time that the password is issued, both the user and the issuing authority know the user name and password. The issuing authority could masquerade as the user and perform malicious acts on the system.
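The login behaviour called for by R3-17, R3-18, R3-25, R3-26 and R3-30 above, as an added Python example that is not part of the checklist and not code from any GR-815 equipment: the credential store, the user names, the PBKDF2 work factor and the dummy-record technique for unknown user-IDs are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor (constructed value)


def _hash_password(password: str, salt: bytes) -> bytes:
    # One-way, salted hash: the password itself is never stored (R3-26).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_record(password: str) -> tuple:
    salt = os.urandom(16)
    return (salt, _hash_password(password, salt))


# Constructed credential store: user-ID -> (salt, hash).
USERS = {"alice": make_record("correct horse battery")}

# Dummy record used for unknown user-IDs so that the full hashing work is
# performed whether or not the user exists (R3-17); its password is random.
_DUMMY = make_record(os.urandom(16).hex())


def authenticate(user_id: str, password: str) -> str:
    """Run the whole procedure and answer only "ok" or "invalid" (R3-18)."""
    salt, stored = USERS.get(user_id, _DUMMY)
    candidate = _hash_password(password, salt)
    match = hmac.compare_digest(candidate, stored)  # constant-time compare
    known = user_id in USERS
    # No early return and no distinct messages: the caller cannot tell
    # whether the user-ID or the authenticator was the wrong part.
    return "ok" if (match and known) else "invalid"


def change_password(user_id: str, current: str, new: str) -> str:
    """A password change requires re-authentication of the user (R3-30)."""
    if authenticate(user_id, current) != "ok":
        return "invalid"
    # R3-25: deliberately no check against other users' passwords, since
    # such a check would reveal that the password is already in use.
    USERS[user_id] = make_record(new)
    return "changed"


if __name__ == "__main__":
    print(authenticate("alice", "wrong"), authenticate("nobody", "wrong"))
    print(change_password("alice", "correct horse battery", "new pass"))
    print(authenticate("alice", "new pass"))
```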
R3-61[236]  CAT: Medium
    Requirement: An SS7 Signaling Transfer Point (STP) shall provide gateway screening capabilities for operations and services functions and for all types of messages.





R3-62[237]  CAT: Medium
    Requirement: An NGN Signaling Gateway (SGW) shall provide gateway screening capabilities for operations and services functions and for all types of messages.

CR3-65[240]  CAT: Medium
    Requirement: NE/FS/NSs that support remote network management applications and/or critical network services shall provide data integrity services to enable the access point to determine if all received messages/operations requests have been modified since being sent from an authorized entity.

CR3-69[244]  CAT: Low
    Requirement: NE/FS/NSs that support remote network management applications and/or critical network services shall provide support for message replay detection services to enable the NSC to detect message replay attacks.
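The data integrity and replay detection services required by CR3-65 and CR3-69, as an added Python example that is not part of the checklist and not code from any GR-815 equipment: the pre-shared key, the JSON message format and the strictly increasing sequence-number rule are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Constructed pre-shared key for the management channel (assumption: the
# NSC and the access point were provisioned with it out of band).
KEY = b"constructed-example-key"


def protect(seq: int, request: dict) -> bytes:
    """NSC side: attach a sequence number and an HMAC tag to a request."""
    body = json.dumps({"seq": seq, "request": request}, sort_keys=True).encode()
    tag = hmac.new(KEY, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag


class AccessPoint:
    """Verifies message integrity (CR3-65) and detects replays (CR3-69)."""

    def __init__(self):
        self.last_seq = -1  # highest sequence number accepted so far

    def accept(self, wire: bytes) -> str:
        # The hex tag contains no "|", so rpartition always splits correctly.
        body, _, tag = wire.rpartition(b"|")
        expected = hmac.new(KEY, body, hashlib.sha256).hexdigest().encode()
        # Tag check first: any change to body or tag since sending fails here.
        if not hmac.compare_digest(tag, expected):
            return "rejected: integrity"
        msg = json.loads(body)
        # A sequence number at or below the last accepted one is a replay
        # (strictly increasing rule: reordered messages are dropped as well).
        if msg["seq"] <= self.last_seq:
            return "rejected: replay"
        self.last_seq = msg["seq"]
        return "accepted"


if __name__ == "__main__":
    ap = AccessPoint()
    m1 = protect(1, {"op": "set", "param": "log-level", "value": "debug"})
    print(ap.accept(m1), "/", ap.accept(m1))  # accepted / rejected: replay
    m2 = protect(2, {"op": "set", "param": "log-level", "value": "info"})
    print(ap.accept(m2.replace(b'"info"', b'"off"')))  # rejected: integrity
    print(ap.accept(m2))  # accepted
```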



