NETCOM/9th SIGNAL COMMAND (ARMY)
LANDWARNET NETOPS ARCHITECTURE (LNA)
ANTI-VIRUS MANAGEMENT SYSTEM COMPLIANCE CHECKLIST #1
Vendor's Certification of Product Meeting LNA Product Requirements

CHECKLIST TO BE COMPLETED BY VENDOR
Name:
Title:
Name:
Version:
Signature:

Enterprise NetOps Planning Division, ESTA-OSC I-ENPD, 2133 Cushing St., Ft. Huachuca, AZ 85613-7070, Compliance.Team@conus.army.mil, 6/25/2011

Checklist columns: FUNCTIONAL REQUIREMENTS (Function, System Description, Justification, Priority); PRODUCT COMPLIANCE (Met √ / Not Met √, Description, Comments); SUPPORTING DOCUMENTATION TO INCLUDE (URL, name of source document and page number). The compliance and supporting-documentation columns are left blank for the vendor to complete; the functional requirements are listed below.

Function: Add, Delete and Register Agents
Priority: 1
System Description: The system shall add and delete agents to/from managed clients/assets. Whenever a new agent is added, the manager triggers inventory data collection for the affected asset/agent. Whenever an agent is removed, the pertinent data is removed from the manager.
Justification: This is needed in order to perform basic management functions on agent managed assets and services.

Function: Analyze Events by Multiple Criteria
Priority: 2
System Description: The system shall enable administrators to analyze system events by multiple criteria. It shall enable them to analyze events relating to two or more administrator designated criteria, to include (but not limited to) specific times, assets (hardware, software, Agents), Command, Control, Communications, Computers, and Information Management/Information Technology (C4IM/IT) services, users, administrators, threat signatures, behavioral profiles, asset/threat type, management system transactions/jobs, Capacity, Availability, Performance (CAP) data, business impact, data source, and/or configuration items.
Justification: This is essential to support root cause analyses, troubleshooting, and in order to assess progress in improving support/services, all necessary to operate, maintain and defend the LandWarNet. It also reduces the amount of time administrators will spend in isolating the underpinning cause of an outage.

Function: Analyze Events by Time
Priority: 2
System Description: The system shall analyze system events by time. It shall enable administrators to extract and report event data by reception time, report generation time, or a specific time window. It shall enable administrators to schedule these queries (to implement recurring time-based event analysis/reports).
Justification: This helps administrators associate related events during trouble-shooting, fine tune rules/profiles for alarms/Intrusion Prevention System (IPS)/firewalls, and reduce administrator workload (e.g., produce reports to support shift-changes).

Function: Assign Privileges to Administrative Groups
Priority: 2
System Description: The system shall provide the ability to assign privileges (read, write, execute, access to, restrictions from) to administrative groups. Administrative groups are composed of administrative accounts used to manage the platform.
Justification: This is needed for administrators to quickly and securely add and remove access permissions to management platforms.

Function: Collect Agent Configuration Data
Priority: 2
System Description: The system shall obtain information from managed agents about their client's configuration and status. The reported data includes agent identification, addresses, and the agent/client computing platform's operational status data. The system enables administrators to schedule these data collections. The reported information is stored in the Manager.
Justification: This is required to reduce administrative workloads and network traffic burdens (during peak operational periods), while providing the data needed to operate, manage and defend the LandWarNet remotely.

Function: Collect Agent Inventory
Priority: 2
System Description: The system shall provide the capability to query agents to obtain information about their operational software version. The manager shall include the capability to identify software changes that have occurred within an agent, based on previously collected data. The manager shall support the definition of a schedule for the collection of information from agents. This information is stored in the Software Repository.
Justification: This reduces administrator workloads, facilitates network optimization, and increases the probability and speed of detecting illicit changes and incomplete/failed updates to agents; all combine to improve LandWarNet security, availability and reliability.

Function: Collect Software/Firmware Inventory and Configuration Data
Priority: 1
System Description: The system shall query managed components, agents, or sensors and obtain information about the operational software/firmware inventory on the managed asset(s). This information is stored in the Software Repository.
Justification: This is necessary in order to baseline, manage, and defend the underlying software existing within the LandWarNet.

Function: Configure Communication Resources
Priority: 1
System Description: The system shall have configurable communication parameters. These parameters can be set between component-to-management consoles, manager-to-agent and manager-to-management consoles; client-to-server, client-to-client, Virtual Private Network (VPN) Device-to-remote user, and server-to-server components. This includes configuring ports and Internet Protocol (IP) addresses.
Justification: This is needed to securely configure communication channels between agents and management platforms, ensuring secure transfer of data between the two elements.

Function: Customize Knowledge Base
Priority: 3
System Description: The system should enable administrators to customize its digital document knowledge bases for its managed clients/agents/applications, and supported customers, organizations, or services. This enables administrators to add Army specific documents (approval to operate, tailored Standard Operating Procedure (SOP)/Tactics, Techniques, and Procedures (TTPs), Army-refined Frequently Asked Questions (FAQs), IPS Policy/Behavior-Based Rule Implementation Instructions, Field Manuals (FMs)/Behavior-Based Rules, etc.) to standard Enterprise documents and links within the knowledge base.
Justification: N/A

Function: Define Access Privileges
Priority: 2
System Description: The system shall enable designated administrators to define, and subsequently enforce, access privileges for other administrators, users and assets to the management platform, its data and any managed assets.
Justification: This is critical for securing LandWarNet resources and preventing unauthorized users from making changes that could lead to false alarms, failure of vital system functions, and corruption of data used to operate, manage and defend the LandWarNet.

Function: Delete Infected Files
Priority: 2
System Description: The system shall enable administrators to either remotely or locally delete infected files from systems.
Justification: This is necessary to delete files containing malicious code in order to defend the LandWarNet; infected files will then be replaced with uncorrupted versions by Systems Management, the Secure Configuration Remediation (SCR) Management System Manager, or other means.

Function: Detect and Report Login Credential Changes
Priority: 2
System Description: The system shall identify when users/administrators have changed, or attempted to change, their login credentials (user name, password, domain) and report this change.
Justification: This is needed to track user activity and identify those types of activities that may indicate unauthorized changes to accounts.

Function: Detect Hardware Configuration Changes
Priority: 3
System Description: The system shall track the configuration changes made to managed platforms. Configuration changes to hardware may include such things as a hard drive being partitioned differently, a NIC card having a different configuration, or an EPROM being updated.
Justification: This provides administrators with the ability to quickly identify changes to assets in the LandWarNet and analyze whether they were authorized changes, thus validating authorized changes. It also enables management systems to tailor software/signature updates to meet the reconfigured device's needs.

Function: Detect Software/Firmware Changes
Priority: 2
System Description: The system shall identify software/firmware changes that have occurred within a device, agent, or sensor, based on the previous collection of software configuration and version data.
Justification: This is needed to ensure authorized changes are effected and that unauthorized changes are identified.

Function: Detect Threats
Priority: 1
System Description: The system shall detect, recognize, and classify viral, spyware and adware threats, to include any unauthorized and/or hostile programs that can compromise the security of the system.
Justification: This is needed for automatic detection and subsequent detailed reporting of known (Common Vulnerabilities and Exploitations and customized) threats that are a critical part of the LandWarNet's defenses; it helps focus manual troubleshooting and remediation efforts, while simultaneously reducing human error. When coupled to prevention/blocking features, this can substantially reduce administrative workloads and mission disruption by preventing further attacks.

Function: Display Available Diagnostic Routines
Priority: 3
System Description: The system should present a list of available diagnostic routines that can be executed on either the management platform or managed asset.
Justification: N/A

Function: Display Change History
Priority: 1
System Description: The system shall display information regarding historical changes to the system and its managed objects or applications.
Justification: This is needed to enable administrators to verify authorized changes and identify unauthorized changes to the management system and any managed devices and applications.
Function: Display Events
Priority: 1
System Description: The system shall display dynamic near-real-time events based on alarm severity, time, hierarchical importance, client groups, etc. The system shall support drill down capabilities to display the underlying events behind larger alarms/incidents.
Justification: This is needed for the operation, maintenance, and defense of the Global Information Grid (GIG) and LandWarNet.

Function: Display Help
Priority: 3
System Description: The system should provide the ability to view help files specific to the application or management system.
Justification: N/A

Function: Display Knowledge Base Information
Priority: 3
System Description: The system should display requested information from a particular knowledge base, in response to administrator queries. It should support information retrieval and display from authorized (administratively-linked) external knowledge bases (e.g., a vendor maintained knowledge base). This facilitates rapid trouble-shooting and insightful decision making, particularly by less experienced administrators.
Justification: N/A

Function: Display Logging Information
Priority: 2
System Description: The system shall present logging information received from an asset or agent/sensor.
Justification: Enables administrators to view activity logs to identify unauthorized events per Army Regulation (AR) 25-2.

Function: Display Results of Diagnostics
Priority: 2
System Description: The system shall present results of diagnostic routines executed on a network device.
Justification: This is needed to facilitate trouble shooting.

Function: Distribute Configuration
Priority: 2
System Description: The system shall distribute configuration information to managed components/assets.
Justification: This is needed to set/change the configuration of an asset. It also supports rollbacks to an authorized current baseline following an unauthorized change/information attack.
Function: Distribute Current Software/Firmware Version
Priority: 2
System Description: The system shall distribute current baseline software releases from the Current Software Versions (i.e., management software, applications, patches, etc.) area within the Software Repository.
Justification: This is needed to ensure current versions of software and patches can be installed. It also supports rapid rollbacks to an authorized current software/firmware baseline following an unauthorized change/information attack.

Function: Distribute Historic Software/Firmware Version
Priority: 3
System Description: The system should distribute a previous version of software (i.e., applications, patches, etc.) from the Historical Software Information area within the Software Repository.
Justification: This is critical to support rollbacks of software, signatures, profiles and/or processing rules following a faulty update or implementation of a flawed rule/process.

Function: Distribute New Software/Firmware
Priority: 2
System Description: The system shall distribute new software releases (i.e., applications, patches, etc.) from the New Software Versions staging area within the Software Repository. Once installed and verified, the system changes the new release's status to current baseline status, and the previous current baseline software to historical baseline status.
Justification: This is needed to ensure that those systems will not be compromised. Remediation of systems on the LandWarNet contributes to security in depth. Retaining prior baseline data as described enables rollbacks in the event of a faulty update.

Function: Distribute Software/Firmware Based on Profiles
Priority: 3
System Description: The system should distribute software (i.e., applications, patches, agents, etc.) based on client profiles and managed/defended IT assets and network segments. The system is essential for the correct software installation, configuration and maintenance of network operations devices and their managed/defended networks and information technology assets.
Justification: N/A
Function: Encrypt Data Exchanges
Priority: 1
System Description: The system shall provide secure (encrypted) data exchange between a manager and clients. Certain types of data being exchanged require encryption (e.g., logon credentials). The system shall provide the capability to encrypt data transferred between the system and assets using Secure Socket Layer (SSL) and Transport Layer Security (TLS) that is Federal Information Processing Standards (FIPS) Publication 140-2 compliant.
Justification: Secures Network Operations (NetOps) management data used to control management platforms on the LandWarNet.

Function: Filter Events
Priority: 2
System Description: The system shall filter or limit the events being generated from the managed asset. Examples of filter criteria are event name, type, identification number, source, and type of event (i.e., security, system, application).
Justification: This is needed to filter the events generated from the managed assets that the console will receive, to prevent more events arriving than can be processed. An overload could cause the console to lock up, and could also result in loss of pertinent event data.

Function: Forward Infected Files
Priority: 2
System Description: The system shall forward infected files to the appropriate repository, central console/manager, or designated expert administrator's email account.
Justification: This is essential for rapid, follow-on forensics analysis, behavior policy/signature development (giving protection until security patches are provided), and/or to identify which file needs to be replaced from the baseline set (recovery). This also enables the appropriate Program Manager/vendor to develop security patches for systems (e.g., Army Battle Command Systems) attacked by custom threats not found on the internet.

Function: Manage Administrator Accounts
Priority: 2
System Description: The system shall provide the ability to manage (add, modify, verify, delete) accounts that are used to administrate the system. This also includes the ability to add and remove users from groups.
Justification: This is needed to ensure that access to management systems is controlled and secure.
Function: Manage Agent/Client Configuration Settings
Priority: 2
System Description: The system shall manage agent/client related configuration settings, to include 'auto-install' new definitions, files to exclude, reporting criteria, reporting times, etc.
Justification: This is needed to be able to manage any LandWarNet asset.

Function: Manage Anti-Virus Client Profiles
Priority: 2
System Description: The system shall manage (create, modify, delete, and archive) anti-virus client application and configuration profiles for different types of administrators and platforms. Profiles define what baseline anti-virus client application, virus/threat definition, and configuration settings are assigned to administratively defined platform and/or user types. This data is stored in the Anti-Virus Client Profile Repository.
Justification: This is needed to greatly reduce the amount of time spent administering platforms and thus increase the time spent identifying potential security threats on the LandWarNet.

Function: Manage Behavior Blocking Rules
Priority: 3
System Description: The system should enable administrators to manage (create, modify, and delete) behavior blocking rules. It should provide a means to measure/monitor activities during initial implementation to determine normal rates and sequence patterns (heuristics) for employing specific ports, protocols, services, and/or executable files (behaviors) within the protected network/computing host. It should support generating, adjusting, and deleting rules used to block malicious/unauthorized behaviors, using the generated heuristics data. [Behavior blocking stops malicious or unauthorized types of behavior, even if a specific threat signature has not been matched.]
Justification: N/A
Function: Manage Component Grouping
Priority: 2
System Description: The system shall allow administrators to define groups of assets. Groups may be created using different characteristics, including hierarchical, organizational, geographical, or functional (e.g., Email Servers). Also, the system shall enable administrators to assign specific assets/components to defined groups.
Justification: This is needed to enable the administrators to perform common operations upon them (loading patches, signatures, profiles, access control lists, etc.), speeding implementation of security measures during an attack, reducing the chances of error, and reducing overall administrator workloads.

Function: Manage Configuration Profiles
Priority: 2
System Description: The system shall manage (create, modify, archive, and delete) sets of configuration profiles for specific classes of devices, agents/clients, and applications. A configuration profile contains all the configuration information about a specific asset. It shall support both the current configuration profile of a managed asset as well as a baseline configuration profile.
Justification: This speeds asset configuration (during installation/updates), reduces administrator burdens, and reduces human error by establishing standard configuration sets to apply for specific assets. It also provides a means to assess compliance to an approved Enterprise configuration standard for common systems/devices (e.g., an Active Directory (AD) server should have specific agents, signatures and profiles loaded at any given time).

Function: Manage Event Filter Criteria
Priority: 2
System Description: The system shall enable administrators to create, modify, archive, and delete filtering criteria used to control what events are generated (sent) or permitted (accepted) from each managed element/asset. It shall support different filters for sending events, receiving/processing events, and alerts/notifications arising from events. The system shall support temporary filters, enabling administrators to select default/administrator defined filters from a pick list to adjust and activate. The supported filtering criteria shall address standards/protocol based variables/thresholds (e.g., Simple Network Management Protocol (SNMP), computer input multiplexer) as well as system unique ones (e.g., vendor provided SNMP, manual input buffer extensions).
Justification: This is needed for the effective application of the filter to the asset. Event filtering prevents the console from receiving more events than can be processed. An overload could cause the console to lock up, and could also result in loss of pertinent event data.

Function: Manage Groups
Priority: 1
System Description: The system shall manage (create, modify, delete) User Groups, with user roles and privileges. It shall support User Group creation, data entry/modification, and deletion by authorized system users. This includes the ability to remove multiple groups/super groups (groups that contain other groups) within a single action.
Justification: The system is critical to the operations and security of this Network Operations system and the LandWarNet. User accounts and their associated User Group(s) will be used throughout the Enterprise to control privilege-based access to various resources/assets and services, track trouble calls/service requests, provide alerts/notifications, and to maintain audit/transaction logs (In Accordance With (IAW) AR 25-1 and AR 25-2).

Function: Obtain Software/Firmware Updates from Authoritative Source
Priority: 2
System Description: The system shall obtain software/firmware updates (i.e., software/firmware patches, signature/profile updates, rules updates) from a specified location in either an on-demand or scheduled fashion.
Justification: Updates to assets in the LandWarNet are required in order to prevent compromise of the assets.

Function: Perform Local Authentication
Priority: 1
System Description: The system shall authenticate users, administrators, and assets from data stored locally within the management application or device.
Justification: This is needed for the authentication of users to access and resources on the LandWarNet and is required by AR 25-1 and AR 25-2.

Function: Perform Operations on Multiple Assets
Priority: 2
System Description: The system shall permit administrators to interact with multiple managed assets on a single screen. It allows them to select and perform operations on individual assets, and groups of assets (Hardware, Software, Agents), from administratively defined (pick) lists of available assets/asset groups and operations. The system shall enable the administrator to define and save groups of assets for future pick list displays (to perform future operations upon).
Justification: This is needed to save the administrators considerable time and enable central management and maintenance of large networks, enhancing overall reliability and security.

Function: Perform Remote Authentication
Priority: 1
System Description: The system shall authenticate users, administrators, and assets from a remote authentication service on the network.
Justification: This is the core function for the authentication of users to access and resources on the LandWarNet and is required by AR 25-1 and AR 25-2.

Function: Provide Ability to Drill-Down
Priority: 2
System Description: The system shall provide in-depth detailed information about any monitored asset, service, or function depicted on the GUI. This enables the user to drill-down on any graphical representation (e.g., icon) to obtain specific relevant detailed information regarding its status.
Justification: This enables rapid trouble-shooting or identification of key information necessary for operations, maintenance or defense actions.

Function: Provide Access/Control Web
Priority: 3
System Description: The system should provide all functions needed to enable web application interfaces and access controls. For example, it should enable an expert administrator to securely log onto and operate a management console from another computer (with web browsers) anywhere on the LandWarNet.
Justification: N/A

Function: Provide Administrator Audit Log
Priority: 2
System Description: The system shall provide administrator audit log information, to include the administrator's identification, time stamp, the specific activity/transaction performed, changes in permissions, and any other specified data of interest related to administrator transactions on the system.
Justification: This is required in accordance with Department of Defense Instruction (DoDI) 8500.2, AR 25-1 and AR 25-2.

Function: Provide Behavior Blocking
Priority: 2
System Description: The system shall provide behavior blocking based on heuristic rules and pattern matching (e.g., block an executable from accessing other executables, ports, protocols, and/or services that it is not cleared/historically known to access/leverage).
Justification: This is needed in order to identify and block/prevent malicious activity not previously defined in signatures or profiles. Behavior blocking analyzes the actions and activities of executed software looking for suspicious/malicious type behavior, even if a specific threat signature has not been matched.

Function: Provide Configuration Management Data Base/Service Support Integration
Priority: 1
System Description: This system shall integrate with an external Configuration Management Data Base/Service Support (CMDB/SS) system, which includes components such as: Service Desk, Incident Management, Problem Management, Change Management, Configuration Management, Asset Management, Project Management, etc. This includes enabling the user to access the manual Work Flow Report (Trouble Ticket) features of the CMDB/SS.
Justification: This is required to provide critical NetOps inventory and configuration item data, health/welfare status information/events, and other administrative information necessary to monitor and manage the health, welfare, and operational status of the LandWarNet.
Function: Provide Command Line Interface
Priority: 2
System Description: The system shall use a command line interface for system or account administration locally and remotely.
Justification: This is needed to enable administrators to execute changes on large groups of configuration items via a single command.

Function: Provide Command Line Interface and Application Program Interface Security
Priority: 3
System Description: The system should provide security mechanisms for Command Line Interface (CLI) and Application Program Interface access to the system. The system should enforce security for command line input that is functionally identical to Graphical User Interface access restrictions and controls, and security for Advanced Programming Interfaces that is functionally identical to graphical user interface access restrictions and controls.
Justification: N/A

Function: Provide Communication Ports Security
Priority: 1
System Description: The system shall provide the capability to designate a limited set of ports for communication between management platforms and managed components.
Justification: This is necessary to configure management platforms to communicate across routers and switches (considering port restrictions that may be applied to network devices) within the LandWarNet.

Function: Provide Configuration Change Reports
Priority: 3
System Description: The system should produce reports on a managed client's configuration changes based on inventory scans.
Justification: N/A

Function: Provide Definable Report Filters
Priority: 3
System Description: The system should provide filters that can be created and modified. Filters provide a way to produce reports that provide data on a specific attribute(s).
Justification: N/A

Function: Provide Device and Media Configuration Information Repository
Priority: 2
System Description: The system shall store all configuration information about devices and media that is generated by the management system or its sub-systems/agents, to include any unique communications/encryption settings. This also includes new/staged, current, and multiple copies of historical configuration data.
Justification: This is needed to maintain and defend LandWarNet systems via their configurations. It supports restoring and reconstitution of vital assets and applications.

Function: Provide Event Aggregation
Priority: 3
System Description: The system should aggregate/fuse similar events into a single event record/report. [Aggregation/Fusion is the combination of data from multiple sources into a single location/report.]
Justification: N/A

Function: Provide Event Correlation
Priority: 2
System Description: The system shall correlate events. [Correlation is the establishment of relationships between events from various sources. The combination of these events will provide increased information about possible events.]
Justification: This is needed to enable administrators to rapidly discern new computer network attacks, installation of a bad lot of components, or other related failures/transactions requiring immediate attention to ensure the LandWarNet continues to operate.

Function: Provide Event Escalation
Priority: 2
System Description: The system shall raise the priority or severity of an event based on predefined rules established within the system.
Justification: This ensures rapid responses to events that can disrupt the LandWarNet if not addressed quickly.

Function: Provide Event Log Reports
Priority: 2
System Description: The system shall produce reports containing event and associated user activity logs.
Justification: This is needed to meet AR requirements for reporting on potential security breaches.

Function: Provide Event Reduction
Priority: 3
System Description: The system should reduce the number of events generated. [Reduction of events is the process of removing duplicate and repetitive events.] It should have the ability to automatically adjust the combined timestamp information, provide/update any event duration time entries, and note the number of times the event has been reported.
Justification: N/A

Function: Provide Frequently Asked Questions Feature
Priority: 3
System Description: The system should support a FAQ capability, providing searchable, quick solutions for common problems for both administrators and customers/users.
Justification: N/A

Function: Provide Graphical Interface
Priority: 2
System Description: The system shall provide a GUI enabling users and/or administrators to access and operate the system from their terminal or via a web-accessible interface. The system functionality should be the same whether the operator accesses the system via the terminal or at the server/system's native interface.
Justification: This is needed to simplify the use of the management system.

Function: Provide Help Feature
Priority: 3
System Description: The system should provide help functionality. This can be an on-line functionality or provided locally on the platform. It should provide a search and index capability.
Justification: N/A

Function: Provide Hostile Application Treatment
Priority: 2
System Description: The system should provide the ability to quarantine or delete hostile applications (root kits, key loggers, trojan agents, malware, spyware). This is an application and includes all files, executables, and associated services.
Justification: This is needed in order to identify and remove unauthorized and potentially hostile applications intended to compromise LandWarNet assets.

Function: Provide Import Digital Documents For Knowledge Bases
Priority: 3
System Description: The system should import vendor supplied Digital Documentation Knowledge Base information.
Justification: N/A

Function: Provide Knowledge Base
Priority: 3
System Description: The system should provide a knowledge base. Knowledge bases are searchable (via queries) repositories of information about a specific topic or product. The knowledge base should contain at a minimum: frequently asked questions, trouble-shooting wizards, and Uniform Resource Locators (URLs) for additional help/information.
Justification: N/A

Function: Provide Knowledge Base Repository
Priority: 3
System Description: The system should store NetOps Knowledge Base information. This includes all information stored in the Knowledge Base used primarily by administrators in the operations and maintenance of systems and services.
Justification: This is essential for the basic operation of the NetOps Systems Knowledge Base management capabilities.

Function: Provide Multiple Component Access Controls
Priority: 2
System Description: The system shall restrict the administrator's ability to perform operations to only those assets/asset groups they are authorized to manage.
Justification: This is needed to enable automated administrative access controls, enhancing overall reliability and security.

Function: Provide Operational Reports
Priority: 2
System Description: The system shall provide operational NetOps reports, to include those on component and aggregated asset/system utilization (or usage); failed components/assets; configuration settings for all/designated components/assets; and asset/device/storage information.
Justification: This is needed to allow the element manager to combine and summarize device/storage information, Job Status, Job Volume, Device Utilization, media verification, job failures, job schedules, and report alerts.

Function: Provide Predefined Display Formats
Priority: 2
System Description: The system shall display predefined formats/displays to make the system usable immediately after the initial installation.
Justification: This is needed for basic operation of the system out of the box, reducing configuration and implementation time.

Function: Provide Predefined Reporting Filters
Priority: 3
System Description: The system should display filters to reduce displayed data based on relevancy and provide predefined display filters to support analysis of reported data.
Justification: N/A

Function: Provide Quarantined Files Repository
Priority: 2
System Description: The system shall provide safe, queriable storage of quarantined files at the client and/or manager, based upon administratively-defined rules. It shall ensure that the quarantined files are not able to infect other files or propagate themselves any further.
Justification: This is necessary to prevent the spread of malicious files across the LandWarNet, by enabling administrators and authorized Program Managers/vendors to analyze suspect/malicious files in order to update threat signature/behavior profiles, host/network filters, and eventually develop new security patches for the attacked system/application/files (to include those for Government-off-the-Shelf (GOTS)/Battle Command Systems).

Function: Provide Remote Administration
Priority: 2
System Description: The system shall provide secure, IP-based remote administration of the manager and its managed assets.
Justification: This is required to secure the LandWarNet and operate large networks.

Function: Provide Scanning Based on Protocol
Priority: 2
System Description: This system shall enable virus scanning of network traffic. It includes the capability to scan traffic transferred on the following protocols: HyperText Transfer Protocol (HTTP), File Transfer Protocol, Point of Presence 3, and Simple Mail Transfer Protocol (SMTP).
Justification: This is essential for the identification of viruses on systems and thus the operation of all general-purpose platforms on the LandWarNet.

Function: Provide Security Event Repository
Priority: 2
System Description: The system shall provide timely storage for security event information relating to the management console and any managed assets/services. This includes expired passwords, user lock outs, numerous faulty log on attempts, transaction logs of changes to system permissions, unauthorized transactions (e.g., user/administrator access escalations), and similar alarms/alerts. It shall record all reported event information, with time-stamp data, as textual data in a database. It shall support queries. It shall capture and store all security events/logs reported by managed agents/sensors.
Justification: This data is essential for the basic operation of this system's management console, which is used to defend the LandWarNet. The ability to query its data is essential for forensic analyses on computer network attacks and other security incidents.

Function: Provide Security Information Management System Integration
Priority: 2
System Description: This system shall integrate with the external Security Information Management System (SIMS). This includes data received from managed assets as well as events generated on the security management platform itself (i.e., a user unsuccessfully tried to log onto the management platform more than three times).
Justification: This is needed for the SIMS to get data from systems. The Security Information Management System depends upon this data in order to do its analysis of security related information.

Function: Provide Single Component Access
Priority: 2
System Description: The system shall enable administrators to interact with a single monitored asset or service on a single screen. This includes enabling them to view and manipulate the asset/service's status, type, capacity, utilization, allocation, and location.
Justification: This is needed to facilitate defensive actions, maintenance, and operational management of core components and services underpinning the entire LandWarNet.

Function: Provide Software Inventory Repository
Priority: 2
System Description: The system shall store software inventory data collected and analyzed by the management system. This includes historic, current, and staged inventory data.
Justification: This is needed to support baseline determinations and data restoral operations.

Function: Provide Software Repository
System Description: The system shall provide a repository for storage of software or firmware, by version.
Justification: This repository is essential for the operation of the
It shall store the current version of profiles; and store multiple management system and in order to install, restore, and historical versions. It shall stage new versions within the repository for trouble-shoot faulty software/firmware versions. It also subsequent distribution/installation. Once a new version is deployed, it provides a baseline of authorized software that may be used 1 becomes the current version and the old current version becomes a during forensic analysis to identify unauthorized changes historical version. It shall enable administrators to control the number and/or arising from a computer network attack. age of historical versions retained. Provide Software/Firmware Distribution The system should verify a software/firmware distribution was successful. N/A Verification 3 Enterprise NetOps Planning Division ESTA-OSC I-ENPD 2133 Cushing St. Ft. Huachuca, AZ 85613-7070 Compliance.Team@conus.army.mil 7 6/25/2011 FUNCTIONAL REQUIREMENTS PRODUCT COMPLIANCE MET SUPPORTING DOCUMENTATION TO INCLUDE: NOT-MET PR RI FUNCTION SYSTEM DESCRIPTION JUSTIFICATION DESCRIPTION COMMENTS IO URL, NAME OF SOURCE DOCUMENT AND RI RI √ √ PAGE NUMBER TY Y Provide Standard and Predefined Reports The system should predefined/standard reports and views. The system N/A should also provide graphics within text reports (e.g., Trending Reports may contain pie charts, bar charts, line charts and other standard graphics). The system should publish reports in Hyper Text Markup Language (HTML), eXtensible Markup Language (XML), Sequential Query Language (SQL), American Standard Code for Information Interchange (ASCII), Joint 3 Photographic Experts Group (JPEG) and other standard languages/formats; be able to print and email all generated reports. 
The system should be able to provide displays and reports on all on the following: a) audit reports that detail modifications and upgrades to the system, b) identifying all major problems (per pre-defined service level agreement/service support program, per period), c) resolution time for incidents/problems, d) closed incidents/problems, e) problems that result in the highest percentage of resource utilization, f) first contact to closure for incidents or problems, g) first call closure for incidents or problems, h) open incidents or problems, i) incidents or problems that violate Service Level Agreement (SLA)/service support program, Service Level Indicators, j) closed incidents and problems, k) resolved incidents and problems, l) escalated incidents and problems, m) based on each individual support staff for the number of incidents or problems that they turned over to other support staff during a shift change, n) based on department/group for the number of incidents or problems that are turned over to other support staff during a shift change, o) trends by agent/support staff for number of incidents and problems opened per day, week, and month, p) trends by agent/support staff for number of incidents and problems resolved per day, week, and month q) trends by agent/support staff for number of incidents and problems escalated per day, week, and month, r) trends by agent/support staff on the average time taken for incidents and problems to move from open to resolved status, s) trends by agent/support staff on the average time spent talking to customers/ users regarding an incident or problem, 3 t) trends by agent/support staff on percent of first contact to resolution regarding incidents and problems, u) trends (daily, weekly, monthly) by agent/support staff on percent of first call resolution regarding incidents and problems, v) trends (daily, weekly, monthly) by agent/support staff on the average first contact to resolution regarding incidents and problems, w) 
trends (daily, weekly, monthly) by agent/support staff on the average first call to resolution regarding incidents and problems, x) trends by group/department for number of incidents and problems opened per day, week, and month, y) trends by group/department for number of incidents and problems resolved per day, week, and month, Enterprise NetOps Planning Division ESTA-OSC I-ENPD 2133 Cushing St. Ft. Huachuca, AZ 85613-7070 Compliance.Team@conus.army.mil 8 6/25/2011 FUNCTIONAL REQUIREMENTS PRODUCT COMPLIANCE MET SUPPORTING DOCUMENTATION TO INCLUDE: NOT-MET PR RI FUNCTION SYSTEM DESCRIPTION JUSTIFICATION DESCRIPTION COMMENTS IO URL, NAME OF SOURCE DOCUMENT AND RI RI √ √ PAGE NUMBER TY Y z) trends by group/department for number of incidents and problems escalated per day, week, and month, aa) trends by group/department on the average time taken for incidents and problems to move from open to resolved status, bb) trends by group/department on the average time spent talking to customers/ users regarding an incident or problem, cc) trends by group/department on percent of first contact to resolution regarding incidents and problems, dd) trends by group/department on percent of first call to resolution regarding incidents and problems, ee) trends by group/department on the average first contact to resolution regarding incidents and problems, ff) trends (daily, weekly, monthly) by group on the average first call to resolution regarding incidents and problems, gg) Incident/Problem rollups by LandWarNet C4IM/IT service or product, hh) Users that access a specific asset, ii) users that own a specific asset, jj) operational assets which have exceeded their life-cycle (to identify equipment that needs to be replaced), kk) minimum, maximum, and averages for all time and numeric based reports, ll) number of users that access a defined service, mm) customers and their associated users, nn) specify the concentration and distribution of vendors and their related products within the 
enterprise (allows the organization to more clearly understand the impact of issues related to specific products or vendors), oo) life-cycle plans (projections) for an asset, pp) service or product defect status, qq) service or product enhancement request/Request For Change reports. Provide Synchronous Event Polling The system should collect event logs based on synchronous polling. N/A 3 Provide System Documentation The system should support documentation for a specific technology/ N/A capabilities. This includes system design, implementation and user guides. 3 Provide Threat Categorization The system shall categorize threats with sufficient detail to automatically This is needed to classify and subsequently correlate separate them from each other for further action. It shall be capable of identified threats reducing the amount of time administrators matching them to the appropriate Common Vulnerabilities and Exploitations spend in addressing LandWarNet threats. 2 identifier. Provide Threat Detection The system shall detect viral and non-viral threats. It shall recognize viruses This is needed to enable follow-on automatic corrective to include, trojan horses/back doors, zombies, key loggers, spyware, actions and enables administrators to focus upon more trackware, adware, and other unauthorized and/or hostile programs that can complex infections and general maintenance. 1 compromise the security of the system(s). Provide Threat Scans The system shall scan for virus threats. It shall be able to scan incoming This is essential for the identification of viruses on systems files from email, downloads, external storage, floppy drives, etc. It shall be and thus the operation of all GP platforms on the able to scan system memory and stored files, including system files. It shall LandWarNet. enable administrators/users to select specific files, or groups of files to scan. 2 It shall enable scheduling the aforementioned scans. 
It shall be able to recognize authorized applications as NON-threats. Enterprise NetOps Planning Division ESTA-OSC I-ENPD 2133 Cushing St. Ft. Huachuca, AZ 85613-7070 Compliance.Team@conus.army.mil 9 6/25/2011 FUNCTIONAL REQUIREMENTS PRODUCT COMPLIANCE MET SUPPORTING DOCUMENTATION TO INCLUDE: NOT-MET PR RI FUNCTION SYSTEM DESCRIPTION JUSTIFICATION DESCRIPTION COMMENTS IO URL, NAME OF SOURCE DOCUMENT AND RI RI √ √ PAGE NUMBER TY Y Provide Threat Signatures Repository The system shall store standard and custom threat definitions/signatures (for This data is essential for the proper functioning of anti- viruses, worms, back doors, spyware, malicious adware, etc.). It shall be virus/spyware/mal-ware components/systems/applications, able to store new, current and multiple historical versions of these used to identify known threats for subsequent defensive signatures. It shall support pick-lists (e.g., for Threat Profile creation) and blocking/repair/quarantine action prior to their attacking the system queries of this data. LandWarNet. Storing custom signatures enable administrators to use Commercial-off-the-Shelf (COTS) 1 systems to defend Army Battle Command systems and other unique Department of Defense (DoD)/GOTS systems. Provide Threat Signatures to Clients The system shall update virus threat signatures to clients/agents and This is needed in order to update the clients with new threat subordinate managers. definitions thus helping to increase the security posture of the 1 assets residing on the LandWarNet. Provide User Account Repository The system shall store user and administrator account information for the This is needed to control access to the management system management system. and to support addressing for notification messages/alerts. 
2 Provide User Activity Log The system shall create and manage the User Activity (Audit) Log, recording This is required per Army Regulatory requirements and all user transactions, and changes to permissions on the system in provides a means to verify NetOps staff actions, conduct roll- accordance with AR 25-2. backs, and conduct post-mortems/After-Action-Reviews 1 (AAR) to improve NetOps procedures. Provide User Defined Display Filters The system shall enable administrators to define filtering criteria to view a This is needed to enable administrators to quickly view all subset of the available information. data based upon specific criteria, facilitating analyses, trouble- 2 shooting, work scheduling, etc. Provide User Defined Display Formats The system should allow users to create, add, modify, or delete display N/A formats. 3 Provide User Defined Report Format The system should allow for defined presentation formats to view available N/A information. It should enable the customization of the fields in a report template or system-provided default report. The system should provide report creation tools and support ability to customize reports. The system 3 should enable the user to define output report formats in XML, HTTP, ASCII, SQL, and American JPEG. Provide User Log Data Repository The system shall store User Activity Log data collected for analyses by the This is needed to trace user logon activity and to meet AR 25- management system. 1 and AR 25-2 requirements (punitive requirement). 1 Provide Web Accessible Display The system shall interact with devices via a web based interface. The This is needed to support Army requirements to provide web functionality shall be equivalent to the capability provided by non-web based accessible interface. 2 user interfaces. Quarantine Infected Files The system shall quarantine infected files. 
Quarantined files reside on the This is needed to be able to secure the LandWarNet from infected client or the manager's internal repository and are kept there until an infected filed until such time as they can be deleted or 2 administrator removes or cleans them. cleaned. Receive Events from Log Files (Passive) The system shall receive events from log files or logging systems. (Passive This is needed in order for the management platform to listening). This includes log files created by agents residing on managed receive health, status, and security posture of managed 2 client assets. systems in the LandWarNet. Receive Events in Standard Protocols The system shall receive events via industry standard protocols (Storage This is needed to reduce the amount of time spent integrating Management Initiative - Specifications, SNMP v2/3, common information products. 2 model, XML, User Datagram Protocol, etc.) Repair Infected Files The system shall repair infected files. Once repaired the files should still be This is needed to remove viruses from files while leaving the readable and accessible. file intact. 2 Report Inactive Administrator Accounts The system shall detect and report inactive administrator accounts. Inactive This is needed for enforcing secure access controls over the administrators are those who have not accessed a specific system for a NetOps systems used to secure, operate, and manage the predefined amount of time. Inactive administrators shall be flagged for LandWarNet and its supported Army and Business systems. administrative attention and possible action (i.e., account suspension, 2 deletion, etc.). The system shall provide alert and report mechanisms to system administrators to act on flagged files. Enterprise NetOps Planning Division ESTA-OSC I-ENPD 2133 Cushing St. Ft. 
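The "Provide Event Reduction" requirement above asks the manager to drop duplicate and repetitive events while keeping the combined timestamps, a duration entry, and the number of times the event was reported. The following is an added example of that reduction step and is not code from the LNA checklist or from any vendor product; the pipe-separated log format, the asset names and the sample lines are constructed for the example, and the 10-minute merge window is an assumed tunable rather than a value the checklist specifies.

```python
"""Event reduction for an anti-virus management console.

Added example (not part of the LNA checklist): collapses duplicate and
repetitive events into one record that carries the combined timestamp
information, the duration of the repeated condition, and how many times
it was reported.  The log format and sample lines below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple


@dataclass
class Event:
    time: datetime
    source: str      # reporting asset/agent (constructed host names below)
    kind: str        # event type
    message: str


@dataclass
class ReducedEvent:
    source: str
    kind: str
    message: str
    first_seen: datetime   # combined timestamp information: first report
    last_seen: datetime    # most recent report of the same condition
    count: int = 1         # number of times the event was reported

    @property
    def duration(self) -> timedelta:
        """How long the repeated condition has been reported."""
        return self.last_seen - self.first_seen


# Constructed sample log: ISO time | source | event kind | message
SAMPLE_LOG = """\
2011-06-25T10:00:00|ws-0142|SIGNATURE_UPDATE_FAILED|update server unreachable
2011-06-25T10:05:00|ws-0142|SIGNATURE_UPDATE_FAILED|update server unreachable
2011-06-25T10:09:30|ws-0142|SIGNATURE_UPDATE_FAILED|update server unreachable
2011-06-25T10:07:00|ws-0077|SCAN_COMPLETE|scheduled scan finished
2011-06-25T11:30:00|ws-0142|SIGNATURE_UPDATE_FAILED|update server unreachable
"""


def parse_log(text: str) -> List[Event]:
    """Parse pipe-separated lines.  Malformed lines are skipped rather than
    allowed to abort the whole collection run."""
    events: List[Event] = []
    for line in text.splitlines():
        parts = line.split("|", 3)
        if len(parts) != 4:
            continue
        ts, source, kind, message = parts
        try:
            events.append(Event(datetime.fromisoformat(ts), source, kind, message))
        except ValueError:
            continue
    return events


def reduce_events(events: Iterable[Event],
                  window: timedelta = timedelta(minutes=10)) -> List[ReducedEvent]:
    """Merge repeats of the same (source, kind, message) that arrive within
    `window` of the previous report.  A repeat after a longer gap starts a
    new reduced event, so a condition that recurs hours later is not hidden
    inside an old record.  `window` is an assumed tunable."""
    open_groups: Dict[Tuple[str, str, str], ReducedEvent] = {}
    reduced: List[ReducedEvent] = []
    for ev in sorted(events, key=lambda e: e.time):   # process in time order
        key = (ev.source, ev.kind, ev.message)
        current = open_groups.get(key)
        if current is not None and ev.time - current.last_seen <= window:
            current.count += 1
            current.last_seen = ev.time     # updates the duration entry
        else:
            current = ReducedEvent(ev.source, ev.kind, ev.message, ev.time, ev.time)
            reduced.append(current)
            open_groups[key] = current
    return reduced


def summarize(reduced: Iterable[ReducedEvent]) -> List[str]:
    """One console line per reduced event, with repeat count and duration."""
    return [f"{r.first_seen:%Y-%m-%d %H:%M:%S} {r.source} {r.kind} "
            f"x{r.count} over {int(r.duration.total_seconds())}s: {r.message}"
            for r in reduced]


if __name__ == "__main__":
    raw = parse_log(SAMPLE_LOG)
    reduced = reduce_events(raw)
    for line in summarize(reduced):
        print(line)
    print(f"{len(raw)} raw events -> {len(reduced)} after reduction")
```

On the sample input the three update failures between 10:00 and 10:09:30 collapse into one record with a count of 3 and a 570-second duration, the scan completion on the other host stays separate, and the failure at 11:30 starts a fresh record because it falls outside the merge window; keeping the gap rule is what stops a long-running or recurring condition from being buried under a single stale count.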
Function: Reset Administrator Account Parameters
Priority: 2
System Description: The system shall establish the capabilities expected from a Manager to reset Administrator Account/Group parameters of an application. A reset is the ability to lock or unlock, make active or disable, or change any of the settings of an account.
Justification: This is to provide the ability to lock and unlock administrative accounts, allowing for the securing of the LandWarNet.

Function: Schedule Event Collection
Priority: 3
System Description: The system should schedule the collection (polling) of agents/clients for event logs.
Justification: N/A

Function: Schedule Scans
Priority: 2
System Description: The system shall enable administrators to schedule partial and full scans on protected/managed general purpose computing platforms. It shall support scheduling partial scans of specific files, folders, systems, and/or asset groups - as well as full scans of designated assets/asset groups.
Justification: This is needed to enable administrators to support the LandWarNet's defense-in-depth by enforcing periodic scans, while conducting them at non-peak hours for minimal disruption to the scanned devices, services, and users. Partial scans enable tailoring the scans for specific threats/vulnerabilities - or recurring problem users/applications - speeding overall scan times and speeding corrective actions.

Function: Schedule Software/Firmware Distribution
Priority: 3
System Description: The system should allow an administrator to define a schedule for the distribution of software (i.e., applications, patches, signatures, remediations) to managed assets (e.g., sensors, agents, applications, devices, etc.).
Justification: N/A

Function: Schedule Software/Firmware Inventory Collection
Priority: 3
System Description: The system should define a schedule for the collection of software/firmware inventory information from devices, agents, adapters, or sensors.
Justification: N/A

Function: Schedule Synchronization With Authoritative Source
Priority: 3
System Description: The system should schedule synchronization of the manager's software and files with an authoritative source.
Justification: N/A

Function: Schedule the Production of Reports
Priority: 3
System Description: The system should support the ability to schedule the production of reports. Scheduling will allow for monthly, daily, and hourly configuration such that reports can be run automatically.
Justification: N/A

Function: Send Incident/Problem Data
Priority: 1
System Description: The system shall transmit Incident and Problem data. The system shall, upon triggering of operational or security related problems, send or transmit the data (time of event, Internet Protocol address, category of event, etc.) needed to create a WFR.
Justification: This is necessary for ensuring that assets in the LandWarNet are operating optimally.

Function: Support Multiple Concurrent Administrators
Priority: 2
System Description: The system shall support multiple administrators performing management operations concurrently.
Justification: This is needed to support the ability for multiple administrators to perform operations concurrently, reducing the Total Cost of Ownership (TCO).

Function: Synchronize Signatures with Authoritative Source
Priority: 1
System Description: The system shall synchronize the manager's virus/threat definitions/signatures with an authoritative source such as the anti-virus vendor or Department of Defense (DoD) server.
Justification: This is needed to identify intrusions. Updating them is necessary in order to ensure assets on the LandWarNet are secure.

Function: Track Logon Attempts
Priority: 1
System Description: The system shall detect and log user logon attempts (successful or otherwise). The system shall provide alerts/reports to system administrators to act on multiple failed attempts.
Justification: This is needed for enforcing AR 25-1 and AR 25-2 security regulations and enforcing secure access controls over the systems used to secure, operate, and manage the LandWarNet and its supported Army and Business systems. It also supports post-mortems on IT outages/attacks.

Function: Verify Agent Account Data
Priority: 2
System Description: The system shall manage agents to verify user account data, to include which permissions, assets, services, and applications the user is authorized to activate/possess. User account data may be modified and pushed back to the platform if necessary using the Manage Agent User Accounts system function.
Justification: This is a core functionality of the Backup and Recovery system and is needed by administrators to ensure proper usage of the system.

10/28/2009

NETCOM/9TH SIGNAL COMMAND (ARMY) LANDWARNET NETOPS ARCHITECTURE (LNA) COMPLIANCE CHECKLIST #2
ANTI-VIRUS MANAGEMENT SYSTEM PRODUCT COMPLIANCE: INTERACTION WITH OTHER LNA CAPABILITIES
TO BE COMPLETED BY VENDOR
Vendor columns (left blank in the form): COMPLIANCE YES/NO; SUPPORTING DOCUMENTATION TO INCLUDE: URL, SOURCE DOCUMENT NAME AND PAGE NUMBERS; DESCRIPTION/COMMENTS.

From: Anti-Virus Management System External Support Site
To: Anti-Virus Management System
Data Flow Text Description: Contains Update data sent from the External Source to the Anti-virus Management System.
Data Element Definition: Update: This generic data exchange is used to send an update to a LandWarNet Network Operations Architecture (LNA) management system from its respective external authoritative support site. For example, the Anti-Virus system receiving an updated list of virus signatures or the Internet Protocol (IP) Network Management system requesting an update to the known device catalog.

From: Anti-Virus Management System
To: Anti-Virus Management System External Support Site
Data Flow Text Description: Request for the data, files, updates etc. from an external authoritative source that are necessary to update the Anti-Virus Management System.
Data Element Definition: Request Update: This generic data exchange is used to request an update from an LNA management system to its respective external authoritative support site. For example, the Anti-Virus system requesting an updated list of virus signatures or the IP Network Management system requesting an update to the known device catalog.

From: Anti-Virus Management System
To: Configuration Management Database/Service Support
Data Flow Text Description: Contains Anti-Virus Event Reporting, Inventory and configuration data that is passed from the Anti-Virus Management System to the Configuration Management Database/Service Support System.
Data Element Definitions:
- Address: Address that this protocol end point represents, for example, 22.214.171.124 or FE:ED:FE:ED:00:11. The address format, such as IP, Internetwork Packet Exchange, or Ethernet, depends on the Protocol Type value. It can be further refined in subclasses.
- Alerting Managed Element: Name of the alerting computer as known by the management system.
- Configuration: Contains all the information on how an asset (CI) is presently configured (e.g., parameter settings, ports & protocols enabled, filters set, version of IOS/firmware, etc.).
- Description: Textual description of the instance.
- Event Time: Date and time of the event or occurrence within the LandWarNet.
- Host Name: Contains alphanumeric data reflecting the name of the LandWarNet Asset.
- Inventory: Contains the full descriptive inventory of managed assets - to include all known/discoverable metadata about the asset.
- Submitter: Unique account identifier of the user that created the instance. This attribute is automatically populated and can be an actual individual or a system that auto-generated the instance.
- System Type: Type of computer system. If the computer is Windows-based, this attribute must have a value. Values are: X86-based Personal Computer (PC); Millions of Instructions Per Second (MIPS)-based PC; Alpha-based PC; Power PC; SH-x PC; StrongARM PC; 64-bit Intel PC; 64-bit Alpha PC; Unknown (default); X86-Nec98 PC.

From: Anti-Virus Management System
To: Network Access Control
Data Flow Text Description: Contains messages from the Anti-Virus Management System about the latest scans being conducted by that system. This will enable the Network Access Control to verify how recently the latest virus-scan was run on the endpoints.
Data Element Definition: Last Scan Date: Attribute used by applications to specify the last date and time the instance was scanned.

From: Anti-Virus Management System
To: Security Information Management System
Data Flow Text Description: Contains Security related data sent from the Anti-Virus Management System to the SIMS.
Data Element Definition: Security Event Data: This is a report of one or more security events detected by a managed object or NetOps management system. It includes all pertinent data about the event and/or a consolidation of multiple events.
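Two Checklist #1 requirements above, "Track Logon Attempts" (alert on multiple failed attempts) and "Report Inactive Administrator Accounts" (flag accounts that have not accessed the system for a predefined time), work from the same logon audit trail, so one added example serves both. It is not code from the LNA checklist or any vendor product: the audit line format, the administrator account names, the addresses, the 3-failures-in-15-minutes threshold and the 30-day idle limit are all constructed or assumed for the example (the checklist's own SIMS text uses "more than three times" as its illustration, so the threshold is a parameter).

```python
"""Logon tracking and inactive-administrator reporting for a management console.

Added example (not part of the LNA checklist): reads a constructed logon
audit trail, raises an alert when an account accumulates repeated failed
logons inside a short window, and reports administrator accounts with no
successful logon within a defined period.  Account names, addresses, the
log format and the thresholds are constructed/assumed for the example.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Optional, Set


@dataclass
class LogonEvent:
    time: datetime
    account: str
    success: bool
    source: str   # address the logon came from


@dataclass
class FailedLogonAlert:
    account: str
    count: int
    first_seen: datetime
    last_seen: datetime
    sources: Set[str] = field(default_factory=set)


# Constructed sample audit trail: ISO time | account | SUCCESS/FAILURE | source
SAMPLE_LOG = """\
2011-05-10T08:00:00|adm.jones|SUCCESS|10.0.0.5
2011-06-20T09:12:00|adm.smith|SUCCESS|10.0.0.8
2011-06-24T22:01:00|adm.smith|FAILURE|10.0.0.9
2011-06-24T22:01:30|adm.smith|FAILURE|10.0.0.9
2011-06-24T22:02:10|adm.smith|FAILURE|10.0.0.9
2011-06-24T22:03:00|adm.smith|SUCCESS|10.0.0.9
2011-06-25T07:45:00|adm.jones|FAILURE|10.0.0.5
"""
ADMIN_ACCOUNTS = {"adm.jones", "adm.smith", "adm.lee"}   # constructed account repository
NOW = datetime(2011, 6, 25, 12, 0, 0)                     # evaluation time for the report


def parse_logon_log(text: str) -> List[LogonEvent]:
    """Parse pipe-separated audit lines, skipping malformed ones, in time order."""
    events: List[LogonEvent] = []
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) != 4:
            continue
        ts, account, result, source = parts
        events.append(LogonEvent(datetime.fromisoformat(ts), account,
                                 result == "SUCCESS", source))
    return sorted(events, key=lambda e: e.time)


def failed_logon_alerts(events: Iterable[LogonEvent], threshold: int = 3,
                        window: timedelta = timedelta(minutes=15)) -> List[FailedLogonAlert]:
    """Alert when an account reaches `threshold` failed logons within `window`.
    A successful logon ends the current failure streak, and once an alert fires
    the streak is cleared so one burst yields one alert rather than one per
    extra failure.  Both parameters are assumed tunables."""
    failures: Dict[str, Deque[LogonEvent]] = defaultdict(deque)
    alerts: List[FailedLogonAlert] = []
    for ev in events:
        streak = failures[ev.account]
        if ev.success:
            streak.clear()
            continue
        streak.append(ev)
        while streak and ev.time - streak[0].time > window:
            streak.popleft()             # drop failures that fell out of the window
        if len(streak) >= threshold:
            alerts.append(FailedLogonAlert(ev.account, len(streak), streak[0].time,
                                           ev.time, {f.source for f in streak}))
            streak.clear()
    return alerts


def inactive_admin_accounts(admins: Set[str], events: Iterable[LogonEvent],
                            now: datetime, max_idle: timedelta = timedelta(days=30)
                            ) -> Dict[str, Optional[datetime]]:
    """Return administrator accounts with no successful logon within `max_idle`,
    mapped to their last successful logon.  An account that never logged on is
    reported with None: an unused privileged account still needs attention."""
    last_success: Dict[str, datetime] = {}
    for ev in events:
        if ev.success and ev.account in admins:
            last_success[ev.account] = max(ev.time, last_success.get(ev.account, ev.time))
    return {a: last_success.get(a) for a in admins
            if a not in last_success or now - last_success[a] > max_idle}


if __name__ == "__main__":
    events = parse_logon_log(SAMPLE_LOG)
    for a in failed_logon_alerts(events):
        print(f"ALERT {a.account}: {a.count} failed logons "
              f"{a.first_seen:%H:%M:%S}-{a.last_seen:%H:%M:%S} from {sorted(a.sources)}")
    for account, last in sorted(inactive_admin_accounts(ADMIN_ACCOUNTS, events, NOW).items()):
        print(f"INACTIVE {account}: last successful logon {last or 'never'}")
```

On the sample trail the three failures for adm.smith within about a minute produce a single alert (and the later success resets the streak), adm.jones is flagged as inactive because the last successful logon is 46 days old, and adm.lee is flagged with no logon at all; the inactive report takes the account list from the repository rather than from the log so that accounts with no activity whatsoever are not silently missed.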
NETCOM/9th SIGNAL COMMAND (ARMY) LANDWARNET NETOPS ARCHITECTURE (LNA) ANTI-VIRUS MANAGEMENT SYSTEM
TO BE COMPLETED BY ARMY REQUIRING ACTIVITY

ARMY PROPONENT
ORGANIZATION:
DATE:
POINT OF CONTACT:
PHONE:
E-MAIL:

VENDOR
COMPANY NAME:
POINT OF CONTACT:
PHONE:
E-MAIL:

PRODUCT COMPLIANCE CHECKLIST SUBMITTED TO NETCOM
NAME:
VERSION:
DATE REQUEST SUBMITTED:
INTENDED USE OF THIS PRODUCT:

DOES THIS PRODUCT (VERSION) HAVE A CERTIFICATE OF NETWORTHINESS (CoN)?
YES: CoN DATE:
NO:

TARGETED ECHELON(S) FOR IMPLEMENTATION OF THIS PRODUCT (Please Check (√)):
( ) Army Area Processing Center (APC)
( ) Army CIO G-6
( ) Army Computer Emergency Response Team (ACERT) Tactical Operations Center (TOC)
( ) Army Global Network Operations and Security Center (Army-GNOSC) TOC
( ) Army Operations Center - Pentagon
( ) Army Service Component Commands
( ) Army Strategic Command (ARSTRAT)
( ) Battalion (II) S-6
( ) Battalion (II) Signal Company
( ) Battalion Command Assistance Team (BCAT)
( ) Brigade (X) Combat Team (BCT)
( ) Brigade (X) S-6
( ) Brigade (X) Signal Company
( ) Communications-Electronics Research Development & Engineering Center (CERDEC)
( ) Company Signal Support
( ) Corps (XXX) G-6
( ) Corps (XXX) Signal Company
( ) Department of the Army (DA)
( ) Division (XXX) G-6
( ) Division (XX) Signal Company
( ) Expeditionary Signal Battalion (ESB) BATCON
( ) Installation, Garrison, Post, Camp, Station NEC (formerly DOIM)
( ) NETCOM / 9th Signal Command (Army)
( ) NSC Operations Center (OC)
( ) Regional Computer Emergency Response Team (RCERT)
( ) Regional Hub Node
( ) Signal Command (Theater) HQ and CIO
( ) Theater Network Operations (NetOps) Center (TNC) - DISA
( ) Theater Network Operations (NetOps) Control Center (TNCC)
( ) Theater Network Operations and Security Center (TNOSC)
( ) Theater Tactical Signal Brigade (TTSB)
( ) U.S. Army National Guard NOSC
( ) U.S. Strategic Command (STRATCOM)
( ) Other (Please Identify):

NOTE:
a) Completed LNA Compliance Checklists and supporting documentation are to be e-mailed to the NETCOM 9th Signal Command, LNA Compliance Team at the following: firstname.lastname@example.org
b) These LNA Checklists and supporting documentation will be utilized by the LNA Compliance Team in their assessment of this NetOps product's compliance with the Army LNA, prior to a CoN being granted by NETCOM/9th Signal Command.