____ Checklist _V_R_ (<date>) <Test> - TN <Ticket Number>
PDI VMSID CAT Requirement Vulnerability Status Finding Notes Section
AC31.010  II  Before granting access to non-public information systems (e.g., Privacy Act, FOUO, classified), the IAM will ensure all personnel are properly identified according to applicable DoD policy (as required for level of access and information sensitivity).
AC31.020  II  The Security Manager and IAM will ensure authorized users are trained to exercise care in the protection of their identity credentials (e.g., CAC, visitor badges).
AC31.030  III  The IAM will ensure DoD-approved PKI is used to authenticate logical access to Information Technology systems and applications that access the Department's computer networks. If certificate-based authentication is not used, a documented migration plan is required. The DoDI 8520.2 policy provides for exceptions for systems that have communities not eligible to be issued PKI (e.g., dependents, retirees).
Legend:
R or RAE = Required Ancillary Equipment
NF = Not a Finding
NA = Not Applicable 1 of 1298
AC31.035  III  The Security Manager and IAM will ensure compliance with the following out-processing requirements: A program exists to ensure personnel out-process through the security section (Traditional Security Checklist). NOTE: Includes turning in of all access badges, classified or sensitive information, and signing of SF 312 acknowledging debriefing. Also, revoking and reporting of electronic credentials in accordance with DoD policy for the DoD CAC and DoD-approved PKI, and disabling system accounts. The user's CAC is not captured unless the person is leaving DoD.
AC31.045  II  The Security Manager will ensure badges and credentials for Foreign Nationals comply with the following: Foreign visit requests are processed through DIA and then referred to the DISA Security Division (MPS6) (Traditional Security Checklist). A contact officer is appointed to control the activities of foreign visitors, FLOs, and exchange personnel (Traditional Security Checklist). Foreign nationals assigned to the command are issued badges or passes that clearly identify them as foreign nationals, and proper guidelines are followed when the badges or passes are issued (Traditional Security Checklist).
AC31.050  I  The Security Manager will ensure authorized personnel validate the identity of any person prior to issuing an authentication token (such as an unescorted visitor's badge, a CAC, or a local identity credential) to that person.
AC32.010  I  For information systems processing sensitive information, the IAO will authenticate identity credentials using multi-factor authentication prior to allowing access.
AC33.010  II  Before granting access to sensitive, restricted information, the IAM will ensure users have a demonstrated need-to-know as determined by the data owner. Access is granted in accordance with clearance levels, IT level, and DoD 5200.2-R.
AC33.015  III  The IAO or Security Manager, in coordination with the data owner, will document rules for who is authorized to access the system. Access rules allow the system or attendant to determine who needs access and why (e.g., allow all DoD employees; all members of a specific community of interest; all entities that are assigned to a specific role; or by physical or logical access control list).
AC33.020  II  When applicable, ensure mechanisms are in place to allow appropriate users to access information that has been cleared for release to the represented foreign nation, coalition, or international organization in accordance with related policy (e.g., DoDD 5230.11, DoDD 5230.20, DoDI 5230.27).
AC33.025  I  The Security Manager or IAM will ensure a program exists to ensure personnel out-process through the security section (Traditional Security Checklist). NOTE: This includes mechanisms to verify individuals are still authorized access to information systems and that permissions have not been revoked. A rules-based process will be established for determining how personnel are authorized, for linking personal certificate information to authorization(s), and for removing authorizations when access is no longer needed.
AC34.010  III  The IAM will ensure newly purchased information systems intended for use as or integration into access control solutions which protect DoD information assets are evaluated using the required evaluation processes.
AC34.015  II  The IAO will ensure the Enclave architecture and components are in compliance with the Enclave and the Network Infrastructure STIGs. NOTE: Comply with this requirement by conducting self-assessments or Security Readiness Reviews using the applicable STIG security checklists that apply to the various technologies used as part of the Enclave architecture.
AC44.010  I  The IAO will ensure an NSA-approved Type 1 device is used to protect remote access to classified networks.
AC44.015  I  The IAO will ensure remote administration of network devices, servers, and applications is protected by NIST FIPS 140-2 validated cryptography to implement encryption for communication.
AC44.020  I  Remote access to NIPRNet and SIPRNet resources must be approved by the DAA and must comply with NSA and DoD policies and guidelines.
AC44.025  I  The IAO/NSO will ensure an NSA-approved remote access security solution (such as a HARA solution) is used for remote access to a classified network.
AC44.030  II  The IAO will ensure remote access configuration and user training are compliant with the Secure Remote Computing STIG.
AC34.020  III  The IAO/NSO will ensure disabled ports are placed in an unused VLAN.
AC34.025  I  The IAO/NSO will ensure either MAC security (with profiling) or 802.1X port authentication is used on all network access ports and configured in accordance with the Network Infrastructure STIG.
AC34.030  III  The IAO/NSO will ensure that if logical port security is implemented using MAC filtering, the MAC addresses are statically configured on all access ports.
AC34.035  II  The IAO/NSO will ensure directory authentication services (e.g., Active Directory) use PKI or encrypted passwords for administrative access on production systems.
AC34.040  II  The IAO/NSO will ensure that when utilizing 802.1X, a secure EAP method (e.g., EAP-TLS or EAP-TTLS) resides on the authentication server and within the operating system or application software on the client devices.
AC34.041  III  The IAO/NSO will ensure 802.1X port security violations are sent to an audit log.
AC34.045  I  The IAO/NSO will ensure that if 802.1X port authentication is implemented, all access ports start in the unauthorized state.
AC34.050  II  The IAO/NSO will ensure that if 802.1X port authentication is implemented, re-authentication occurs every 60 minutes.
AC34.051  II  The IAO/NSO will ensure that if port authentication is implemented, all access ports are configured in single-host mode.
AC34.031  III  The IAO/NSO will ensure that if NAC is implemented, it is in accordance with the minimum standards set below.
AC34.055  II  The IAO/NSO will ensure communication for privileged access (i.e., administrative access) to network devices is secured using products with a FIPS 140-2 validated cryptographic module and configured in accordance with the Network Infrastructure STIG.
AC34.060  II  For sensitive but unclassified information systems, the remote user will use a FIPS 140-2 validated cryptographic module configured to use a NIST-approved encryption algorithm to encrypt sensitive government files, folders, and/or storage devices on remote or mobile client devices.
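The port-authentication items AC34.025, AC34.030, AC34.045, AC34.050 and AC34.051 can be checked mechanically from a switch's running configuration. The following is an added example, not part of the checklist or any DISA tooling: it parses Cisco IOS-style interface stanzas and reports which of those items each live access port fails. The command syntax (`authentication port-control`, `authentication timer reauthenticate`, `switchport port-security mac-address`, and their `dot1x` equivalents) is assumed to be Cisco IOS; the sample configuration is constructed for the example and describes no real switch.

```python
"""Added example (not from the STIG): audit Cisco IOS-style access-port
configuration against the 802.1X / port-security items AC34.025, AC34.030,
AC34.045, AC34.050 and AC34.051.

Assumptions: Cisco IOS 'authentication ...' / 'dot1x ...' / 'switchport
port-security ...' command syntax; the running-config below is constructed
for this example and describes no real switch."""
import re
from typing import Dict, List

MAX_REAUTH_SECONDS = 60 * 60   # AC34.050: re-authenticate at least every 60 minutes
STATIC_MAC = re.compile(
    r"switchport port-security mac-address ([0-9a-f]{4}\.){2}[0-9a-f]{4}(\s.*)?$")

# Constructed sample: one compliant port, one with three findings, one using
# sticky (learned, not static) MACs, and one shut-down port that is out of scope.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address 0011.2233.4455
 authentication port-control auto
 authentication host-mode single-host
 authentication periodic
 authentication timer reauthenticate 3600
 authentication violation shutdown
 dot1x pae authenticator
!
interface GigabitEthernet1/0/2
 switchport mode access
 authentication port-control force-authorized
 authentication host-mode multi-auth
 authentication periodic
 authentication timer reauthenticate 86400
 dot1x pae authenticator
!
interface GigabitEthernet1/0/3
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
!
interface GigabitEthernet1/0/24
 switchport mode access
 shutdown
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each 'interface X' stanza to its list of indented sub-commands."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            stanzas[current] = []
        elif current is not None and raw.startswith(" "):
            stanzas[current].append(raw.strip())
        else:
            current = None          # '!' or a global command ends the stanza
    return stanzas


def audit_access_port(cmds: List[str]) -> List[str]:
    """Return the STIG items an access port fails (empty list = Not a Finding)."""
    def has(prefix: str) -> bool:
        return any(c.startswith(prefix) for c in cmds)

    findings: List[str] = []
    port_security = has("switchport port-security")
    dot1x = (has("dot1x pae authenticator") or has("authentication port-control")
             or has("dot1x port-control"))

    if not (port_security or dot1x):
        findings.append("AC34.025: neither port security nor 802.1X is configured")

    # AC34.030: MAC filtering must use statically configured addresses;
    # 'sticky' or dynamically learned addresses do not satisfy it.
    if port_security and not any(STATIC_MAC.match(c) for c in cmds):
        findings.append("AC34.030: port security without a statically configured MAC address")

    if dot1x:
        # AC34.045: 'auto' keeps the port unauthorized until EAP succeeds;
        # 'force-authorized' bypasses authentication entirely.
        if not (has("authentication port-control auto") or has("dot1x port-control auto")):
            findings.append("AC34.045: port-control is not 'auto', so the port does not start unauthorized")

        # AC34.050: periodic re-authentication must be on and the timer <= 3600 s.
        # A timer value of 'server' comes from RADIUS and cannot be verified here.
        periodic = has("authentication periodic") or has("dot1x reauthentication")
        timer = None
        for c in cmds:
            m = re.match(r"(?:authentication timer reauthenticate|dot1x timeout reauth-period) (\d+)$", c)
            if m:
                timer = int(m.group(1))
        if not periodic or timer is None or timer > MAX_REAUTH_SECONDS:
            findings.append(f"AC34.050: re-authentication not enforced every "
                            f"{MAX_REAUTH_SECONDS} s (periodic={periodic}, timer={timer})")

        # AC34.051: one supplicant per port. IOS defaults to single-host when the
        # command is absent (assumed), so only an explicit other mode is a finding.
        for c in cmds:
            if c.startswith("authentication host-mode ") and not c.endswith(" single-host"):
                findings.append(f"AC34.051: host-mode is '{c.split()[-1]}', not single-host")
    return findings


def audit_config(config: str) -> Dict[str, List[str]]:
    """Audit every live access port; shut-down and non-access ports are skipped."""
    return {
        name: audit_access_port(cmds)
        for name, cmds in parse_interfaces(config).items()
        if "switchport mode access" in cmds and "shutdown" not in cmds
    }


if __name__ == "__main__":
    for port, findings in audit_config(SAMPLE_CONFIG).items():
        print(port, "NF" if not findings else "")
        for f in findings:
            print("   ", f)
```

Run against the sample, GigabitEthernet1/0/1 is Not a Finding, 1/0/2 fails AC34.045, AC34.050 and AC34.051, 1/0/3 fails AC34.030 because sticky learning is not a static assignment, and the shut-down port is ignored (AC34.020, the unused-VLAN requirement for disabled ports, is a separate check). The checker cannot see AC34.041, whether violations reach an audit log, since that depends on the global logging configuration rather than the interface stanza.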
AC34.065  II  For sensitive but unclassified information systems, the IAM will ensure a FIPS 140-2 validated cryptographic module configured to use a NIST-approved file encryption algorithm is used to protect DoD sensitive data in transit over non-DoD networks or when transmitted wirelessly.
AC34.066  I  For classified information systems, the IAM will ensure use of an NSA-approved Type 1 device to implement cryptographic services.
AC34.067  II  The IAM will ensure cryptographic-based security systems are implemented in accordance with the vendor-specified security policies required to ensure the cryptographic module, as implemented by the site or organization, satisfies the security requirements of the FIPS or NSA standard/requirements (i.e., configuration of operating system, physical security, or other security rules).
AC34.070  II  The IAM will ensure certificates are used for authentication IAW DoDI 8520.2, PKI and Public Key (PK) Enabling.
AC34.075  I  The IAM will ensure use of DoD-approved PKI digital certificates to authenticate requests for access to government information not approved for public release. For unclassified sensitive assets, the PKI certificate will be considered necessary but insufficient to provide authorized access.
AC34.080  II  The IAM will ensure implementation of certificate-based logon to the NIPRNet using DoD-approved PKI as required by DoD policy. DoD-approved PKI will be required for SIPRNet when implemented in the future.
AC34.085  I  The IAM will ensure a DoD-approved PKI certificate is used for logon to DoD Enclaves, networks, servers, desktops, laptops, and other network-capable client devices. If PKI logon cannot be used, then a DoD-compliant ID/password combination may be used and a migration plan implemented IAW JTF-GNO exception reporting requirements. NOTE: The PKI certificate is necessary but insufficient for access. Access must also require an active account and authorization.
AC34.090  I  The IAM will ensure PKI is required for the exchange of FOUO information with vendors and contractors; the DoD will only accept PKI certificates obtained from a DoD-approved internal or external certificate authority.
AC34.095  I  The IAM will ensure DoD contractors who are not eligible for a DoD-approved PKI get and use digital certificates issued by approved external PKIs when interacting with DoD PK-Enabled information systems or accessing DoD restricted information and logical assets.
AC34.100  III  The IAM will ensure SAs are trained on administration and implementation of PKI and PKE. At a minimum, this training will include: PKI awareness training; how to configure systems for certificate-based logon; how to configure systems for digital signature; how to configure systems for email encryption; how to configure systems for Web server certificates. DoD-approved PKI will be used for email and web services in accordance with the following.
AC34.105  II  The IAM will require certificate-based client authentication to restricted access (not public) DoD web servers using certificates issued by DoD-approved PKI certificate authorities.
AC34.110  II  The IAO will ensure browsers, including those that support software tokens, support the use of DoD-approved PKI, a High Assurance Remote Access (HARA) solution (as appropriate for the classification level), or an NSA-certified solution for storing the user's certificates.
AC34.115  II  The IAO will ensure DoD e-mail systems support sending and receiving e-mail signed by DoD-approved certificates. E-mail containing DoD sensitive or restricted information is signed using DoD-approved certificates.
AC34.140  II  The IAM will ensure new Commercial-off-the-Shelf (COTS) software to be used in information systems that require PK-Enabling has passed interoperability testing performed by a DoD-approved PKI Program Management Office (PMO)-approved testing facility prior to procurement.
AC34.168  III  The DAA will ensure ID and password access for system and network access is used only where use of DoD PKI is not technologically feasible, cost prohibitive, or is deemed unwarranted. Exceptions to the PKI policy must be documented, DAA approved, and coordinated with the service/agency PKI PMO as well as the DoD PKI PMO.
AC34.170  II  The IAM will ensure that where passwords are used for access to DoD restricted assets (i.e., networks, workstations, or applications), at a minimum, passwords are created and changed in accordance with current DoD policy. Users must be trained on this requirement and, if possible, an automated procedure must be in place to enforce these rules.
AC34.175  I  The IAO will ensure default installation passwords are removed from installed devices used for production such as communications, databases, applications, or operating systems.
AC34.180  II  The IAO will ensure individual users and system, application, and database administrators use individually assigned accounts rather than group or shared accounts or authenticators.
AC34.181  II  The IAO will ensure group or shared authenticators for application or network access are used only in conjunction with an individual authenticator. Any use of group authenticators not based on the DoD-approved PKI has been explicitly approved by the DAA.
AC34.185  II  The IAO will ensure shared/group PINs and passwords are used only in accordance with DoDI 8500.2. Auditing procedures are implemented in conjunction with these methods to support non-repudiation and accountability.
AC34.189  II  For information systems with DoD sensitive information that are not currently capable of connection to NIPRNet (cannot use PKI authentication), the IAM will ensure, at a minimum, users are authenticated to their CAC, DBIDS, or other DoD-issued identification card prior to issuance of a non-CAC hardware token for use to log in to DoD sensitive information assets.
AC34.190  II  The DAA must document and certify that the system is incapable of connecting to the NIPRNet; ensure the system is compliant with all applicable STIGs; document coordination with the service/agency PKI PMO; and document a plan for migration and mitigation of residual risk.
AC34.160  I  The IAM will ensure that if a hardware token is used as an identity credential to support access to classified assets, it is combined with, at a minimum, a PIN and/or a biometric verification.
AC34.205  II  The IAO will ensure the information system (network device, desktop, laptop, handheld, etc.) is configured to lock the device when the session is left unattended.
AC34.210  II  The IAO will ensure users are trained on the proper handling and security procedures for DoD-issued hardware tokens used to enable access to sensitive information.
AC34.215  II  For authentication to NIPRNet and NIPRNet-connected systems where DoD-approved PKI issued on an alternative (non-CAC) hardware token is required, the IAM will ensure use of a DoD-approved hardware token. Use of alternative hardware tokens is limited to particular categories of uses approved by the DoD PKI PMO and documented in the service/agency Certificate Practice Statement (CPS) and addendum.
AC35.025  III  The Security Manager will ensure all physical security controls, including security marking, handling, and facility procedures required for the protection of information systems and associated hardware devices, comply with the requirements of the DISA Traditional Security Checklist.
AC35.010  II  The Security Manager will ensure attended access control (e.g., guards and video surveillance systems) is implemented in compliance with the policies of DoD 5200.1-R.
AC35.053  II  When using locally issued badges, the Security Manager will comply with applicable DoD policies governing identity cards and with policies in the Identification Credentials section of this STIG.
AC35.055  I  The IAM or Security Manager will ensure DoD personnel and contractors are positively authenticated before granting access to DoD protected assets or prior to issuance of any locally issued or supplementary authentication credential used to support access control.
AC35.056  II  The Security Manager will ensure supplementary badges, memory cards, and smart cards issued to individuals without a completed National Agency Check with Inquiries (NACI) are electronically distinguishable from those credentials revealing a completed NACI (IAW Draft DoD 5200.8-R).
AC35.060  II  The Security Manager will use badges, memory cards, and smart cards (something you have) to protect unclassified, non-sensitive assets. This requirement includes use of the CAC when used only as a badge without requiring authentication by PIN or biometric.
AC35.065  II  The Security Manager will ensure audit logs are kept of badge, memory card, and smart card issuance, revocation, and collection.
AC35.010  II  The Security Manager will ensure, at a minimum, PINs and combinations are created and changed in accordance with DoDI 8500.2. Users are trained on this requirement and, if possible, an automated procedure is in place to enforce these rules. (This is not applicable for PKI PINs.)
AC35.015  I  The IAO will ensure default installation PINs or combinations are changed when installing devices used for production such as GSA-approved safes or combination locks.
AC35.020  II  The Security Manager and IAO will ensure shared/group PINs and combinations are used only in accordance with DoDI 8500.2. Auditing procedures are implemented in conjunction with these methods to support accountability.
AC35.025  III  The Security Manager will ensure all physical security controls for the protection of information systems and associated hardware devices comply with the DISA Traditional Security Checklist.
BIO1010  II  The IAO will ensure individuals are assigned in writing to the following administrative roles: Enrollment Administrator (enroll or re-enroll users); Security Administrator (modify the security configuration); and Audit Administrator (review and manage audit logs).
BIO1020  II  The IAO will ensure the following functions are restricted to authorized Administrators: creation or modification of authentication and authorization rules; creation, installation, modification, or revocation of cryptographic keys; startup and shutdown of the biometric service.
BIO1030  II  The IAO will ensure only authorized Enrollment Administrators are permitted to create user biometric templates.
BIO1040  III  The IAO will ensure only authorized Audit Administrators can clear the audit log or modify any of its entries.
BIO1050  II  The IAO will ensure all Administrators must authenticate to the biometric system to perform administrative functions, and that this authentication must include a factor outside of the biometric verification the system supports for ordinary users.
BIO3010  II  The IAO will ensure the enrollment process is conducted by an authorized Enrollment Administrator who will at a minimum check that: the enrollee has submitted a completed SAAR (DD Form 2875) or similar access authorization form used to authorize access to the system for which the biometric system supports authentication; the enrollee is in possession of valid DoD photo identification; and the photo on this identification matches the physical characteristics of the enrollee.
BIO3020  I  The IAO will ensure users cannot self-enroll biometric information (i.e., enroll outside of the presence of an authorized Enrollment Administrator).
BIO3030  III  The IAO will ensure Enrollment Administrators receive appropriate training that covers, at a minimum: the user identification and authorization requirements; use of the biometric software and capture device to obtain an acceptable user template; and how to identify when a template is unacceptable and needs to be recreated.
BIO3040  II  Enrollment Administrators will re-create templates when there is an indication that a template has not been properly captured.
BIO3050  III  The Security Administrator will configure the system to search for matches between the enrolled template and previously existing templates and reject enrollment when a match is discovered. If this process cannot be automated, the Enrollment Administrator will enforce this requirement manually.
BIO4010  II  The Security Administrator will configure the biometric system to encrypt all biometric data resident on non-volatile memory or storage media.
BIO4015  II  The Security Administrator will ensure biometric templates are protected by operating system permissions.
BIO4020  II  The Security Administrator will ensure no user ID has access to the files other than those required for running the biometric application software.
BIO5010  II  The Biometric Security Administrator will set the FAR to be no greater than 1 in 100,000.
BIO5030  II  The Security Administrator will configure the biometric system to prohibit the identical biometric sample from being used in consecutive authentication attempts.
BIO5040  II  The Security Administrator will configure the biometric system to lock out for 15 minutes any user upon the third unsuccessful authentication attempt within a 15-minute period.
BIO5050  II  The Security Administrator will configure the biometric system not to reveal to a user any information related to how close the live sample he or she supplies is to the corresponding biometric template.
BIO6020  II  The IAO will establish adequate identification and authentication procedures that must be followed whenever the biometric system is unavailable.
BIO6010  II  The IAO will ensure biometric technology is not the sole means of access control (i.e., it is one component of a two- or three-factor authentication solution, or it is accompanied by an automated fallback verification system).
BIO6030  II  The IAO will establish adequate written identification and authentication procedures for users who are unable to present the required live biometric sample.
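BIO5030, BIO5040 and BIO5050 together describe the decision logic that sits between a biometric comparator and the resource it protects: reject an identical sample presented twice in a row (a live capture is never bit-identical, so a repeat is a replay), lock the account for 15 minutes on the third failure inside a 15-minute window, and expose only accept/reject so an attacker cannot hill-climb toward the template using the score. The following is an added example of that policy layer, not code from the checklist or from any biometric vendor. The comparator, threshold, templates and live samples are constructed stand-ins; a real system would call the vendor matcher, store templates encrypted (BIO4010) and tune the threshold against the FAR/FRR limits in BIO5010 and BIO6060.

```python
"""Added example (not from the STIG): a verification gate enforcing BIO5030
(identical sample in consecutive attempts is rejected), BIO5040 (15-minute
lockout on the third failure within 15 minutes) and BIO5050 (caller learns
accept/reject only, never the match score).

The matcher, templates and live samples are constructed stand-ins."""
import hashlib
from collections import defaultdict, deque
from typing import Deque, Dict, Sequence

FAILURE_WINDOW_SECONDS = 15 * 60   # BIO5040: "within a 15 minute period"
LOCKOUT_SECONDS = 15 * 60          # BIO5040: "lock out for 15 minutes"
MAX_FAILURES = 3                   # BIO5040: "upon the third unsuccessful attempt"
MATCH_THRESHOLD = 0.90             # assumed value; tuned per site against BIO5010/BIO6060

# Constructed templates: a small feature vector per enrolled user.
TEMPLATES: Dict[str, Sequence[float]] = {
    "alice": (0.10, 0.70, 0.30),
    "bob":   (0.90, 0.20, 0.50),
}


def similarity(sample: Sequence[float], template: Sequence[float]) -> float:
    """Toy comparator (1 minus mean absolute difference); stands in for a real matcher."""
    return 1.0 - sum(abs(a - b) for a, b in zip(sample, template)) / len(template)


class BiometricGate:
    def __init__(self, templates: Dict[str, Sequence[float]]):
        self._templates = templates
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)  # recent failure times
        self._locked_until: Dict[str, float] = {}
        self._last_sample: Dict[str, str] = {}                        # hash of previous live sample

    def is_locked(self, user: str, now: float) -> bool:
        return self._locked_until.get(user, 0.0) > now

    def verify(self, user: str, sample: Sequence[float], now: float) -> bool:
        """Return only True/False (BIO5050): the score never leaves this method."""
        if self.is_locked(user, now):
            return False

        # BIO5030: an identical consecutive sample is treated as a replay and
        # counted as a failed attempt, before any matching takes place.
        digest = hashlib.sha256(repr(tuple(sample)).encode()).hexdigest()
        if self._last_sample.get(user) == digest:
            self._record_failure(user, now)
            return False
        self._last_sample[user] = digest

        template = self._templates.get(user)
        if template is None or similarity(sample, template) < MATCH_THRESHOLD:
            self._record_failure(user, now)
            return False
        self._failures[user].clear()
        return True

    def _record_failure(self, user: str, now: float) -> None:
        """Sliding-window failure counter that triggers the BIO5040 lockout."""
        window = self._failures[user]
        window.append(now)
        while window and now - window[0] > FAILURE_WINDOW_SECONDS:
            window.popleft()
        if len(window) >= MAX_FAILURES:
            self._locked_until[user] = now + LOCKOUT_SECONDS
            window.clear()


if __name__ == "__main__":
    gate = BiometricGate(TEMPLATES)
    live = (0.12, 0.68, 0.31)
    print(gate.verify("alice", live, now=0))    # True
    print(gate.verify("alice", live, now=10))   # False: identical consecutive sample
```

The lockout is checked before the replay and match logic so that a locked-out user receives the same bare rejection as a failed match; nothing in the return value distinguishes "locked", "replayed" and "no match", which is the point of BIO5050. The audit log required by BIO7020 is where those distinctions belong, not the response to the user.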
BIO6040  III  The IAO will designate personnel who have the authority to override false rejections and ensure they receive proper training in how to implement the fallback protocol and verify a user's identity.
BIO6050  II  The IAO will ensure any override of the biometric system is accompanied by a photo ID check of the user and documentation of the following: the name of the user who was granted entry with the override; the time the override occurred; and the reason for the false rejection.
BIO6060  II  The Biometric Security Administrator will set the FRR to be no greater than 5 in 100.
BIO2009  II  The Security Administrator will configure the biometric system to encrypt and digitally sign all biometric reference data (using DoD-approved PKI) before it is transmitted from one physical device to another.
BIO2010  II  The Security Administrator will configure the biometric system to use NIST FIPS 140-2 validated cryptography to implement encryption for communications (data in transit) transmitted from one physical device to another.
BIO4010  II  The Security Administrator will configure the biometric system to encrypt and digitally sign all biometric reference data resident on non-volatile memory or storage media (data at rest).
BIO2020  II  The Security Administrator will ensure only the process running the biometric software is able to read relevant private or shared secret keys (with the exception of key supersession events, during which the Security Administrator may temporarily have the ability to replace the key, e.g., to modify the key file).
BIO7010  II  The IAO will ensure the file permissions and storage scheme for biometric audit logs are no less secure than the scheme for the system audit logs of the operating system on which the biometric software resides. (The current requirement for audit log retention is 30 days online and one year offline.)
BIO7020  II  The Security Administrator will configure the biometric system to audit the following transactions: all "exact match" verification transactions; all failed identification or authentication attempts; all start and stop events for the biometric service.
BIO7030  II  The IAO will ensure the physical connections between the following biometric system components are adequately secured: the connection between the capture device and the comparator; the connection between the comparator and the portal. Adequate security depends upon what is being protected and the risk environment, but at a minimum it involves ensuring that no wiring is exposed to unauthenticated users and there is no means of opening the capture device with common tools such as a screwdriver. Requirements for protection of the physical distribution system are found in DoDD 5200. Also see the previous section for discussion of a physical intrusion detection system.
AC42.010  III  The Security Manager will ensure a risk analysis is conducted and documented for the systems and the facility to be protected.
AC42.015  III  The Security Manager will ensure unresolved or unmitigated risks (residual risks) are identified, documented, and accepted by the DAA. System changes that are needed to mitigate these residual risks must be documented.
AC42.020  III  The Security Manager will ensure a security plan is prepared and signed by the commander/director or other appropriately authorized senior management official.
PDI VMSID CAT Requirement Vulnerability Status Finding Notes
DTAG008  V0019910  I  The antivirus signature file age exceeds 7 days.
DTAM001  V0006453  I  The McAfee VirusScan Control Panel parameters are not configured as required.
DTAM002  V0006467  II  The McAfee VirusScan on-access scan parameter for boot sectors is incorrect.
DTAM003  V0006468  II  The McAfee VirusScan on-access scan parameter for floppy disks is incorrect.
DTAM004  V0006469  II  The McAfee VirusScan message dialog parameters are not configured as required.
DTAM005  V0006470  II  The McAfee VirusScan remove messages parameters are not configured as required.
DTAM006  V0006471  II  The McAfee VirusScan clean infected file parameter is not configured as required.
DTAM007  V0006472  II  The McAfee VirusScan delete infected file parameter is not configured as required.
DTAM008  V0006473  II  The McAfee VirusScan quarantine parameter is not configured as required.
DTAM009  V0006474  II  The McAfee VirusScan Control Panel log parameter is not configured as required.
DTAM010  V0006475  II  The McAfee VirusScan limit log size parameter is not configured as required.
DTAM011  V0006476  II  The McAfee VirusScan log session parameter is not configured as required.
DTAM012  V0006478  II  The McAfee VirusScan log summary parameter is not configured as required.
DTAM013  V0006583  II  The McAfee VirusScan log encrypted files parameter is not configured as required.
DTAM014  V0006584  II  The McAfee VirusScan log user name parameter is not configured as required.
DTAM016  V0006585  II  The McAfee VirusScan autoupdate parameters are not configured as required.
DTAM021  V0006586  II  The McAfee VirusScan Exchange scanner is not enabled.
DTAM022  V0006587  II  The McAfee VirusScan find unknown programs email parameter is not configured as required.
DTAM023  V0006588  II  The McAfee VirusScan find unknown macro virus email parameter is not configured as required.
DTAM026  V0006589  II  The McAfee VirusScan scan inside archives email parameter is not configured as required.
DTAM027  V0006590  II  The McAfee VirusScan decode MIME email parameter is not configured as required.
DTAM028  V0006591  II  The McAfee VirusScan scan e-mail message body email parameter is not configured as required.
DTAM029  V0006592  II  The McAfee VirusScan allowed actions email parameter is not configured as required.
DTAM030  V0006593  II  The McAfee VirusScan action prompt email parameter is not configured as required.
DTAM033  V0006594  II  The McAfee VirusScan return reply email parameter is not configured as required.
DTAM034  V0006595  II  The McAfee VirusScan prompt message email parameter is not configured as required.
DTAM035  V0006596  II  The McAfee VirusScan log to file email parameter is not configured as required.
PDI VMSID CAT Requirement Vulnerability Status Finding Notes
DTAM036 V0006597 II The McAfee VirusScan limit
log size email parameter is
not configured as required.
DTAM037 V0006598 II The McAfee VirusScan log
content email parameter is
not configured as required.
DTAM038 V0014651 II He McAfee VirusScan
detects unwanted programs
email parameter is not
configured as required.
DTAM039 V0014652 II The McAfee VirusScan
unwanted programs action
email parameter is not
configured as required.
DTAM045 V0006599 II The McAfee VirusScan fixed
disk and running processes
are not configured as
required.
DTAM046 V0006600 II The McAfee VirusScan
include subfolders
parameter is not configured
as required.
DTAM047 V0006601 II The McAfee VirusScan
include boot sectors
parameter is not configured
as required.
DTAM048 V0006602 II The McAfee VirusScan scan
all files parameter is not
configured as required.
DTAM050 V0006604 II The McAfee VirusScan
exclusions parameter is not
configured as required.
DTAM052 V0006611 II The McAfee VirusScan scan
archives parameter is not
configured as required.
DTAM053 V0006612 II The McAfee VirusScan
decode MIME encoded files
parameter is not configured
as required.
DTAM054 V0006614 II The McAfee VirusScan find
unknown programs
parameter is not configured
as required.
DTAM055 V0006615 II The McAfee VirusScan find
unknown macro viruses
parameter is not configured
as required.
DTAM056 V0006616 II The McAfee VirusScan
action for Virus parameter is
not configured as required.
PDI VMSID CAT Requirement Vulnerability Status Finding Notes
DTAM057 V0006617 II The McAfee VirusScan
secondary action for virus
parameter is not configured
as required.
DTAM058 V0014654 II The McAfee VirusScan
check for unwanted
programs parameter is not
configured as required.
DTAM059 V0006618 II The McAfee VirusScan log
to file parameter is not
configured as required.
DTAM060 V0006620 II The McAfee VirusScan log
file limit parameter is not
configured as required.
DTAM061 V0006621 II The McAfee VirusScan log
session settings parameter
is not configured as required.
DTAM062 V0006624 II The McAfee VirusScan log
session summary parameter
is not configured as required.
DTAM063 V0006625 II The McAfee VirusScan
failure on encrypted files
parameter is not configured
as required.
DTAM064 V0006626 II The McAfee VirusScan log
user name is not configured
as required.
DTAM070 V0006627 II The McAfee VirusScan
schedule is not configured
as required.
DTAM090 V0014618 II The McAfee VirusScan on
access scan parameter for
scipt scan is incorrect.
DTAM091 V0014619 II The McAfee VirusScan on
access scan parameter for
connection blocking is
incorrect.
DTAM092 V0014620 II The McAfee VirusScan on
access scan parameter for
connection blocking time is
incorrect.
DTAM093 V0014621 II The McAfee VirusScan on
access scan parameter for
blocking unwanted programs
is incorrect.
DTAM100 V0014622 II The McAfee VirusScan scan
default values for processes
are not configured as
required.
PDI VMSID CAT Requirement Vulnerability Status Finding Notes
DTAM101 V0014623 II The McAfee VirusScan scan
when writing to disk is not
configured as required.
DTAM102 V0014624 II The McAfee VirusScan scan
when reading parameter is
not configured as required.
DTAM103 V0014625 II The McAfee VirusScan scan
all files parameter is not
configured as required.
DTAM104 V0014626 II The McAfee VirusScan
heuristics program viruses
parameter is not configured
as required.
DTAM105 V0014627 II The McAfee VirusScan
heuristics macro viruses
parameter is not configured
as required.
DTAM106 V0014628 II The McAfee VirusScan scan
inside archives parameter is
not configured as required.
DTAM107 V0014629 II The McAfee VirusScan scan
MIME files parameter is not
configured as required.
DTAM110 V0014630 II The McAfee VirusScan
process primary action
parameter is not configured
as required.
DTAM111 V0014631 II The McAfee VirusScan
process secondary action
parameter is not configured
as required.
DTAM112 V0014633 II The McAfee VirusScan log
user name parameter is not
configured as required.
DTAM130 V0014657 II The McAfee VirusScan
buffer overflow protection is
not configured as required.
DTAM131 V0014658 II The McAfee VirusScan
buffer overflow protection
mode is not configured as
required.
DTAM132 V0014659 II The McAfee VirusScan
buffer overflow message
parameter is not configured
as required.
DTAM133 V0014660 II The McAfee VirusScan
buffer overflow log
parameter is not configured
as required.
PDI VMSID CAT Requirement Vulnerability Status Finding Notes
DTAM134 V0014661 II The McAfee VirusScan log
size limitation parameters
are not configured as
required.
DTAM135 V0014662 II The McAfee VirusScan
detection of Spyware is not
configured as required.
DTAM136 V0014663 II The McAfee VirusScan
detection of Adware is not
configured as required.
DTAS002 V0006359 II The Symantec Antivirus is
not configured to restart for
configuration changes.
DTAS003 V0006360 I The Symantec Antivirus
autoprotect parameter is
incorrect.
DTAS004 V0006361 II The Symantec Antivirus auto
protect-All Files configuration
is incorrect.
DTAS006 V0006362 II The Symantec Antivirus
display message parameter
is incorrect.
DTAS007 V0006363 II The Symantec Antivirus
exclude files configuration is
incorrect.
DTAS012 V0006368 II The Symantec Antivirus
autoprotect read parameter
is incorrect.
DTAS013 V0006369 II The Symantec Antivirus
AutoProtect parameter for
backup options is incorrect.
DTAS014 V0006370 II The Symantec Antivirus
AutoProtect parameter for
autoenabler is incorrect.
PDI VMSID CAT Requirement Vulnerability Status Finding Notes
DTAS015 V0006371 II The Symantec Antivirus
AutoProtect parameter for
floppies is incorrect.
DTAS016 V0006372 II The Symantec Antivirus
AutoProtect parameter for
Boot virus is incorrect.
DTAS017 V0006374 II The Symantec Antivirus
AutoProtect parameter for
check floppy at shutdown is
incorrect.
DTAS020 V0006375 II The Symantec Antivirus
email parameter for Boot
sectors is incorrect.
DTAS021 V0006376 II The Symantec Antivirus
email client parameter for all
files is incorrect.
DTAS029 V0006383 II The Symantec Antivirus
email client parameter for
compressed files is incorrect.
DTAS030 V0006384 II The Symantec AntiVirus CE
History Options parameters
are not configured as
required.
DTAS031 V0006385 II The Symantec Antivirus is
not scheduled to autoupdate.
DTAS032 V0006386 II There is no Symantec
Antivirus Scheduled Scans
or Startup Scans task
configured to scan local
drive(s) at least weekly.
DTAS037 V0006387 II The Symantec Antivirus
weekly scan parameter for
all files is incorrect.
PDI VMSID CAT Requirement Vulnerability Status Finding Notes
DTAS040 V0006388 II The Symantec Antivirus
weekly scan parameter for
memory enabled is incorrect.
DTAS041 V0006389 II The Symantec Antivirus
weekly scan parameter for
messages is incorrect.
DTAS042 V0006390 II The Symantec Antivirus
weekly scan parameter for
exclude files is incorrect.
DTAS047 V0006395 II The Symantec Antivirus
weekly scan parameter for
compressed files is incorrect.
DTAS048 V0006396 II The Symantec Antivirus
weekly scan parameter for
backup files is incorrect.
DTAS050 V0006397 II The Symantec Antivirus
weekly scan parameter for
scan lock is incorrect.
DTAS060 V0014477 II The Symantec Antivirus
autoprotect parameter for
Block Security Risks is
incorrect.
DTAS061 V0014481 II The Symantec Antivirus
autoprotect parameter for
scan for security risks is
incorrect.
DTAS062 V0014482 II The Symantec Antivirus
autoprotect parameter for
Delete Infected Files on
Creation is incorrect.
DTAS063 V0014591 II The Symantec AntiVirus
Auto-Protect parameter for
Threat Tracer is incorrect.
PDI VMSID CAT Requirement Vulnerability Status Finding Notes
DTAS064 V0014592 II The Symantec Antivirus
autoprotect parameter for
Bloodhound technology is
incorrect.
DTAS065 V0014593 II The Symantec Antivirus
autoprotect parameter for
Heuristics Level is incorrect.
DTAS066 V0014594 II The Symantec Antivirus
autoprotect parameter for
macro virus first action is
incorrect.
DTAS067 V0014595 II The Symantec Antivirus
autoprotect parameter for
macro virus second action is
incorrect.
DTAS068 V0014596 II The Symantec Antivirus
autoprotect parameter for
non-macro first action virus
is incorrect.
DTAS069 V0014597 II The Symantec Antivirus
autoprotect parameter for
check non-macro second
action is incorrect.
DTAS070 V0014598 II The Symantec Antivirus
autoprotect parameter for
Security Risks first action is
incorrect.
DTAS071 V0014600 II The Symantec Antivirus
autoprotect parameter for
Security Risks Second
Action is incorrect.
DTAS080 V0014601 II The Symantec Antivirus
email client for notification
into the email is incorrect.
DTAS081 V0014602 II The Symantec Antivirus
autoprotect email parameter
for macro virus first action is
incorrect.
PDI VMSID CAT Requirement Vulnerability Status Finding Notes
DTAS082 V0014603 II The Symantec Antivirus
autoprotect email parameter
for macro virus second
action is incorrect.
DTAS083 V0014604 II The Symantec Antivirus
autoprotect email parameter
for non-macro first action
virus is incorrect.
DTAS084 V0014605 II The Symantec Antivirus
autoprotect email parameter
for check non-macro second
action is incorrect.
DTAS085 V0014606 II The Symantec Antivirus
autoprotect email parameter
for Security Risks first action
is incorrect.
DTAS086 V0014607 II The Symantec Antivirus
Auto-Protect parameter for
Email Security Risks Second
Action is incorrect.
DTAS091 V0014609 II The Symantec Antivirus
weekly scan parameter for
scanning load points is
incorrect.
DTAS092 V0014610 II The Symantec Antivirus
weekly scan parameter for
well knowns before others is
incorrect.
DTAS093 V0014611 II The Symantec Antivirus
weekly scan parameter for
macro virus first action is
incorrect.
DTAS094 V0014612 II The Symantec Antivirus
weekly scan parameter for
macro virus second action is
incorrect.
DTAS095 V0014613 II The Symantec Antivirus
weekly scan parameter for
non-macro first action virus
is incorrect.
PDI VMSID CAT Requirement Vulnerability Status Finding Notes
DTAS096 V0014615 II The Symantec Antivirus
Auto-Protect parameter for
check non-macro second
action is incorrect.
DTAS097 V0014616 II The Symantec Antivirus
weekly scan parameter for
Security Risks first action is
incorrect.
DTAS098 V0014617 II The Symantec Antivirus
weekly scan parameter for
Security Risks second action
is incorrect.
DTSG001 V0014678 I AntiSpyware software is not
installed or not configured for
on access and on demand
detection.
DTSG002 V0014679 I The Antispyware software is
not at a vendor supported
level.
DTSG003 V0014680 II A migration plan does not
exist for Antispyware
software that is scheduled to
go non-support by the
vendor.
DTSG004 V0014682 II The Antispyware software
does not have the latest
maintenance rollup of
software update applied
DTSG005 V0014684 II The Antispyware software is
not configured to download
updates from a trusted
source.
DTSG006 V0014700 II The Antispyware
definition/signature files are
not automatically set to be
updated at least weekly.
DTSG007 V0014701 I The Antispyware signature
files are older than 7 days.
DTSG008 V0014702 II Beta or non-production
Antispyware
definitions/signature files are
being used on a production
machine.
DTSG009 V0014704 I The Antispyware software
does not start on-access
protection automatically
when the machine is booted.
PDI VMSID CAT Requirement Vulnerability Status Finding Notes
DTSG010 V0014706 II The Antispyware software is
not configured to perform a
scan of local hard drives at
least weekly.
DTSG011 V0014708 II The Antispyware scheduled
scan is not configured to
scan memory and drives
(with an indepth scan option).
DTSG012 V0014709 II The Antispyware, when
running in on access mode,
is not configured to inform
the user (or report or report
to a central monitoring
console) when malicious
activity or spyware is found.
DTSG013 V0014710 II The Antispyware, when
running in a scheduled scan,
is not configured to inform
the user (or report to a
central monitoring console)
when malicious activity or
spyware is found.
DTSG014 V0014711 II The Antispyware, when
running in on-demand mode,
is not configured to inform
the user (or report to a
central monitoring console)
when malicious activity or
spyware is found.
DTSG015 V0014712 III The Antispyware software is
not configured to maintain
logs for at least 30 days.
DTSG016 V0014713 III The Antispyware software is
not configured to maintain
logs for at least 30 days.
DTSG017 V0014714 III The Antispyware software is
included in the incident
response procedures both
for the user and the site.
Section
McAfee Local
Client, McAfee
Managed Client,
Symantec
Managed Client,
Symantec Local
Client
McAfee Local
Client, McAfee
Managed Client
McAfee Local
Client, McAfee
Managed Client
McAfee Local
Client, McAfee
Managed Client
McAfee Local
Client, McAfee
Managed Client
McAfee Local
Client, McAfee
Managed Client
McAfee Local
Client, McAfee
Managed Client
McAfee Local
Client, McAfee
Managed Client
McAfee Local
Client
McAfee Local
Client, McAfee
Managed Client
McAfee Local
Client, McAfee
Managed Client
McAfee Local
Client, McAfee
Managed Client
McAfee Local
Client, McAfee
Managed Client
Section
McAfee Local
Client, McAfee
Managed Client
McAfee Local
Client
McAfee Local
Client, McAfee
Managed Client
McAfee Local
Client, McAfee
Managed Client
McAfee Local
Client, McAfee
Managed Client
McAfee Local
Client, McAfee
Managed Client
McAfee Local
Client, McAfee
Managed Client
McAfee Local
Client, McAfee
Managed Client
McAfee Local
Client, McAfee
Managed Client
McAfee Local
Client, McAfee
Managed Client
McAfee Local
Client, McAfee
Managed Client
McAfee Local
Client, McAfee
Managed Client
McAfee Local
Client, McAfee
Managed Client
McAfee Local
Client, McAfee
Managed Client
Section
McAfee Local
Client, McAfee
Managed Client
McAfee Local
Client, McAfee
Managed Client
McAfee Local
Client, McAfee
Managed Client
McAfee Local
Client, McAfee
Managed Client
McAfee Local
Client, McAfee
Managed Client
McAfee Local
Client, McAfee
Managed Client
McAfee Local
Client, McAfee
Managed Client
McAfee Local
Client, McAfee
Managed Client
McAfee Local
Client, McAfee
Managed Client
McAfee Local
Client, McAfee
Managed Client
McAfee Local
Client, McAfee
Managed Client
McAfee Local
Client, McAfee
Managed Client
McAfee Local
Client, McAfee
Managed Client
McAfee Local
Client, McAfee
Managed Client
Section
McAfee Local
Client, McAfee
Managed Client
McAfee Local
Client, McAfee
Managed Client
McAfee Local
Client, McAfee
Managed Client
McAfee Local
Client, McAfee
Managed Client
McAfee Local
Client, McAfee
Managed Client
McAfee Local
Client, McAfee
Managed Client
McAfee Local
Client, McAfee
Managed Client
McAfee Local
Client
McAfee Local
Client, McAfee
Managed Client
McAfee Local
Client, McAfee
Managed Client
McAfee Local
Client, McAfee
Managed Client
McAfee Local
Client, McAfee
Managed Client
McAfee Local
Client, McAfee
Managed Client
McAfee Local
Client, McAfee
Managed Client
Section
McAfee Local
Client, McAfee
Managed Client
McAfee Local
Client, McAfee
Managed Client
McAfee Local
Client, McAfee
Managed Client
McAfee Local
Client, McAfee
Managed Client
McAfee Local
Client, McAfee
Managed Client
McAfee Local
Client, McAfee
Managed Client
McAfee Local
Client, McAfee
Managed Client
McAfee Local
Client, McAfee
Managed Client
McAfee Local
Client, McAfee
Managed Client
McAfee Local
Client
McAfee Local
Client, McAfee
Managed Client
McAfee Local
Client, McAfee
Managed Client
McAfee Local
Client, McAfee
Managed Client
McAfee Local
Client, McAfee
Managed Client
Section
McAfee Local
Client, McAfee
Managed Client
McAfee Local
Client, McAfee
Managed Client
McAfee Local
Client, McAfee
Managed Client
Symantec
Managed Client,
Symantec Local
Client
Symantec
Managed Client,
Symantec Local
Client
Symantec
Managed Client,
Symantec Local
Client
Symantec
Managed Client,
Symantec Local
Client
Symantec
Managed Client,
Symantec Local
Client
Symantec
Managed Client,
Symantec Local
Client
Symantec
Managed Client,
Symantec Local
Client
Symantec
Managed Client,
Symantec Local
Client
Section
Symantec
Managed Client,
Symantec Local
Client
Symantec
Managed Client,
Symantec Local
Client
Symantec
Managed Client,
Symantec Local
Client
Symantec
Managed Client,
Symantec Local
Client
Symantec
Managed Client,
Symantec Local
Client
Symantec
Managed Client,
Symantec Local
Client
Symantec
Managed Client,
Symantec Local
Client
Symantec
Managed Client,
Symantec Local
Client
Symantec
Managed Client,
Symantec Local
Client
Symantec
Managed Client,
Symantec Local
Client
Section
Symantec
Managed Client,
Symantec Local
Client
Symantec
Managed Client,
Symantec Local
Client
Symantec
Managed Client,
Symantec Local
Client
Symantec
Managed Client,
Symantec Local
Client
Symantec
Managed Client,
Symantec Local
Client
Symantec
Managed Client,
Symantec Local
Client
Symantec
Managed Client,
Symantec Local
Client
Symantec
Managed Client,
Symantec Local
Client
Symantec
Managed Client,
Symantec Local
Client
Symantec
Managed Client,
Symantec Local
Client
Section
Symantec
Managed Client,
Symantec Local
Client
Symantec
Managed Client,
Symantec Local
Client
Symantec
Managed Client,
Symantec Local
Client
Symantec
Managed Client,
Symantec Local
Client
Symantec
Managed Client,
Symantec Local
Client
Symantec
Managed Client,
Symantec Local
Client
Symantec
Managed Client,
Symantec Local
Client
Symantec
Managed Client,
Symantec Local
Client
Symantec
Managed Client,
Symantec Local
Client
Symantec
Managed Client,
Symantec Local
Client
Section
Symantec
Managed Client,
Symantec Local
Client
Symantec
Managed Client,
Symantec Local
Client
Symantec
Managed Client,
Symantec Local
Client
Symantec
Managed Client,
Symantec Local
Client
Symantec
Managed Client,
Symantec Local
Client
Symantec
Managed Client,
Symantec Local
Client
Symantec
Managed Client,
Symantec Local
Client
Symantec
Managed Client,
Symantec Local
Client
Symantec
Managed Client,
Symantec Local
Client
Symantec
Managed Client,
Symantec Local
Client
Section
Symantec
Managed Client,
Symantec Local
Client
Symantec
Managed Client,
Symantec Local
Client
Symantec
Managed Client,
Symantec Local
Client
Spyware
Spyware
Spyware
Spyware
Spyware
Spyware
Spyware
Spyware
Spyware
Section
Spyware
Spyware
Spyware
Spyware
Spyware
Spyware
Spyware
Spyware
PDI VMSID CAT Requirement Vulnerability Status Finding Notes Section
APP2010 V0006197 II The Program Manager will ensure an SSP is established to describe the technical, administrative, and procedural IA program and policies governing the DoD information system, and identifying all IA personnel and specific IA requirements and objectives.
APP2020 V0016773 II The Program Manager will provide an Application Configuration Guide to the application hosting providers to include a list of all potential hosting enclaves and connection rules and requirements.
APP2040 V0006145 II If the application contains classified data, the Program Manager will ensure a Security Classification Guide exists containing data elements and their classification.
APP2050 V0016775 II The Program Manager will ensure the system has been assigned specific MAC and confidentiality levels.
APP2060 V0016776 II The Program Manager will ensure the development team follows a set of coding standards.
APP2070 V0006170 III The Program Manager and designer will ensure any IA, or IA enabled, products used by the application are NIAP approved or in the NIAP approval process.
APP2080 V0016777 II The Program Manager will ensure COTS IA and IA enabled products comply with NIAP/NSA endorsed protection profiles.
APP2090 V0016778 II The Program Manager will document and obtain DAA risk acceptance for all open source, public domain, shareware, freeware, and other software products/libraries with no warranty and no source code review capability, but are required for mission accomplishment.
APP2100 V0006169 II The Program Manager and designer will ensure the application design complies with the DoD Ports and Protocols guidance.
APP2110 V0016779 II The Program Manager and designer will ensure the application is registered with the DoD Ports and Protocols Database.
APP2120 V0016780 II The Program Manager will ensure all levels of program management, designers, developers, and testers receive the appropriate security training pertaining to their job function.
APP2130 V0016781 II The Program Manager will ensure a vulnerability management process is in place to include ensuring a mechanism is in place to notify users, and users are provided with a means of obtaining security updates for the application.
APP2135 V0021519 I The Program Manager will ensure all products are supported by the vendor or the development team.
APP2140 V0016782 II The Program Manager will ensure a security incident response process for the application is established that defines reportable incidents and outlines a standard operating procedure for incident response to include Information Operations Condition (INFOCON).
APP2150 V0016783 II The Program Manager will ensure procedures are implemented to assure physical handling and storage of information is in accordance with the data's sensitivity.
APP2160 V0006198 II The Program Manager and IAO will ensure development systems, build systems, test systems, and all components comply with all appropriate DoD STIGS, NSA guides, and all applicable DoD policies. The Test Manager will ensure both client and server machines are STIG compliant.
APP3010 V0007013 II The designer will create and update the Design Document for each release of the application.
APP3020 V0006148 II The designer will ensure threat models are documented and reviewed for each application release and updated as required by design and functionality changes or new threats are discovered.
APP3050 V0006149 II The designer will ensure the application does not contain source code that is never invoked during operation, except for software components and libraries from approved third-party products.
APP3060 V0006150 II The Designer will ensure the application does not store configuration and control files in the same directory as user data.
APP3070 V0016784 II The designer will ensure the user interface services are physically or logically separated from data storage and management services.
APP3080 V0006157 II The designer will ensure the application does not contain invalid URL or path references.
APP3100 V0006163 II The Designer will ensure the application removes temporary storage of files and cookies when the application is terminated.
APP3110 V0016786 II The designer will ensure the application installs with unnecessary functionality disabled by default.
APP3120 V0006166 II The designer will ensure the application is not subject to error handling vulnerabilities.
APP3130 V0016787 I The designer will ensure the application follows the secure failure design principle.
APP3140 V0006167 II The designer will ensure application initialization, shutdown, and aborts are designed to keep the application in a secure state.
APP3150 V0006137 II The designer will ensure the application uses the Federal Information Processing Standard (FIPS) 140-2, validated cryptographic modules and random number generator if the application implements encryption, key exchange, digital signature, and hash functionality.
APP3170 V0016788 II The designer will ensure the application uses encryption to implement key exchange and authenticate endpoints prior to establishing a communication channel for key exchange.
APP3180 V0016789 II The designer will ensure private keys are accessible only to administrative users.
APP3190 V0016790 II The designer will ensure the application does not connect to a database using administrative credentials or other privileged database accounts.
APP3200 V0016791 III The designer will ensure transaction based applications implement transaction rollback and transaction journaling.
APP3210 V0006135 II The designer will ensure the appropriate cryptography is used to protect stored DoD information if required by the information owner.
APP3220 V0016792 II The designer will ensure sensitive data held in memory is cryptographically protected when not in use, if required by the information owner, and classified data held in memory is always cryptographically protected when not in use.
APP3230 V0016793 II The designer will ensure the application properly clears or overwrites all memory blocks used to process sensitive data, if required by the information owner, and clears or overwrites all memory blocks used for classified data.
APP3240 V0006142 II The designer will ensure all access authorizations to data are revoked prior to initial assignment, allocation or reallocation to an unused state.
APP3250 V0006136 I The designer will ensure data transmitted through a commercial or wireless network is protected using an appropriate form of cryptography.
APP3260 V0016794 II The designer will ensure the application uses mechanisms assuring the integrity of all transmitted information (including labels and security parameters).
APP3270 V0006146 I The designer will ensure the application has the capability to mark sensitive/classified output when required.
APP3280 V0006127 II The designer will ensure applications requiring user authentication are PK-enabled and are designed and implemented to support hardware tokens (e.g., CAC for NIPRNet).
APP3290 V0006128 II The designer and IAO will ensure PK-enabled applications are designed and implemented to use approved credentials authorized under the DoD PKI program.
APP3300 V0006168 II The designer will ensure applications requiring server authentication are PK-enabled.
APP3305 V0006129 I The designer will ensure the application using PKI validates certificates for expiration, confirms origin is from a DoD authorized CA, and verifies the certificate has not been revoked by CRL or OCSP, and CRL cache (if used) is updated at least daily.
APP3310 V0016795 I The designer will ensure the application does not display account passwords as clear text.
APP3320 V0006130 II The designer will ensure the application has the capability to require account passwords that conform to DoD policy.
APP3330 V0016796 I The designer will ensure the application transmits account passwords in an approved encrypted format.
APP3340 V0016797 I The designer will ensure the application stores account passwords in an approved encrypted format.
APP3350 V0006156 I The designer will ensure the application does not contain embedded authentication data.
APP3360 V0016798 II The designer will ensure the application protects access to authentication data by restricting access to authorized users and services.
APP3370 V0016799 II The designer will ensure the application installs with unnecessary accounts disabled, or deleted, by default.
APP3380 V0006131 II The designer will ensure the application prevents the creation of duplicate accounts.
APP3390 V0016800 I The designer will ensure users' accounts are locked after three consecutive unsuccessful logon attempts within one hour.
APP3400 V0016801 II The designer will ensure locked users' accounts can only be unlocked by the application administrator.
APP3405 V0016785 I The designer will ensure the application supports detection and/or prevention of communication session hijacking.
APP3410 V0006144 II The designer will ensure the application provides a capability to limit the number of logon sessions per user and per application.
APP3415 V0016802 II The designer will ensure the application provides a capability to automatically terminate a session and log out after a system defined session idle time limit is exceeded.
APP3420 V0006155 II The designer will ensure the application provides a capability to terminate a session and log out.
APP3430 V0006153 I The designer will ensure the application removes authentication credentials on client computers after a session terminates.
APP3440 V0006152 II The designer will ensure the application is capable of displaying a customizable click-through banner at logon which prevents further activity on the information system unless and until the user executes a positive action to manifest agreement by clicking on a box indicating "OK."
APP3450 V0016803 II The designer and IAO will ensure application resources are protected with permission sets which allow only an application administrator to modify application resource configuration files.
APP3460 V0016804 I The designer will ensure the application does not rely solely on a resource name to control access to a resource.
APP3470 V0006154 II The designer will ensure the application is organized by functionality and roles to support the assignment of specific roles to specific application functions.
APP3480 V0006141 I The designer will ensure access control mechanisms exist to ensure data is accessed and changed only by authorized personnel.
APP3500 V0006143 II The designer will ensure the application executes with no more privileges than necessary for proper operation.
APP3510 V0006164 I The designer will ensure the application validates all input.
APP3530 V0016806 II The designer will ensure the web application assigns the character set on all web pages.
APP3540 V0016807 I The designer will ensure the application is not vulnerable to SQL Injection, uses prepared or parameterized statements, does not use concatenation or replacement to build SQL queries, and does not directly access the tables in a database.
APP3550 V0016808 I The designer will ensure the application is not vulnerable to integer arithmetic issues.
APP3560 V0016809 I The designer will ensure the application does not contain format string vulnerabilities.
APP3570 V0016810 I The designer will ensure the application does not allow command injection.
APP3580 V0016811 I The designer will ensure the application does not have cross site scripting (XSS) vulnerabilities.
APP3585 V0021500 II The designer will ensure the application does not have CSRF vulnerabilities.
APP3590 V0006165 I The designer will ensure the application does not have buffer overflows, use functions known to be vulnerable to buffer overflows, and does not use signed values for memory allocation where permitted by the programming language.
APP3600 V0016812 II The designer will ensure the application has no canonical representation vulnerabilities.
APP3610 V0016813 I The designer will ensure the application does not use hidden fields to control user access privileges or as a part of a security mechanism.
APP3620 V0016814 II The designer will ensure the application does not disclose unnecessary information to users.
APP3630 V0016815 II The designer will ensure the application is not vulnerable to race conditions.
APP3640 V0016816 II The designer will ensure the application supports the creation of transaction logs for access and changes to the data.
APP3650 V0006139 III The designer will ensure the application has a capability to notify an administrator when audit logs are nearing capacity as specified in the system documentation.
APP3660 V0016817 III The designer will ensure the application has a capability to notify the user of important login information.
APP3670 V0016818 II The designer will ensure the application has a capability to display the user's time and date of the last change in data content.
APP3680 V0006138 II The designer will ensure the application design includes audits on all access to need-to-know information and key application events.
APP3690 V0006140 II The designer and IAO will ensure the audit trail is readable only by the application and auditors and protected against modification and deletion by unauthorized individuals.
APP3700 V0006159 II The designer will ensure unsigned Category 1A mobile code is not used in the application in accordance with DoD policy.
APP3710 V0006161 II The designer will ensure signed Category 1A and Category 2 mobile code signature is validated before executing.
APP3720 V0006160 II The designer will ensure unsigned Category 2 mobile code executing in a constrained environment has no access to local system and network resources.
APP3730 V0006162 II The designer will ensure uncategorized or emerging mobile code is not used in applications.
APP3740 V0006158 II The designer will ensure the application only embeds mobile code in e-mail which does not execute automatically when the user opens the e-mail body or attachment.
APP3750 V0016819 II The designer will ensure development of new mobile code includes measures to mitigate the risks identified.
APP3760 V0019689 II The designer will ensure web services are designed and implemented to recognize and react to the attack patterns associated with application-level DoS attacks.
APP3770 V0019690 II The designer will ensure the web service design includes redundancy of critical functions.
APP3780 V0019691 II The designer will ensure web service design of critical functions is implemented using different algorithms to prevent similar attacks from forming a complete application level DoS.
APP3790 V0019692 II The designer will ensure web services are designed to prioritize requests to increase availability of the system.
APP3800 V0019693 II The designer will ensure execution flow diagrams are created and used to mitigate deadlock and recursion issues.
APP3810 V0021498 I The designer will ensure the application is not vulnerable to XML Injection.
APP3820 V0019695 I The designer will ensure web services provide a mechanism for detecting resubmitted SOAP messages.
APP3830 V0019696 II The designer and IAO will ensure digital signatures exist on UDDI registry entries to verify the publisher.
APP3840 V0019697 II The designer and IAO will ensure UDDI versions are used supporting digital signatures of registry entries.
APP3850 V0019698 II The designer and IAO will ensure UDDI publishing is restricted to authenticated users.
APP3860 V0019701 II The designer will ensure SOAP messages requiring integrity sign the following message elements: Message ID, Service Request, Timestamp, and SAML Assertion (optionally included in messages).
APP3870 V0019702 I The designer will ensure when using WS-Security, messages use timestamps with creation and expiration times.
APP3880 V0019703 I The designer will ensure validity periods are verified on all messages using WS-Security or SAML assertions.
APP3890 V0019704 II The designer shall ensure each unique asserting party provides unique assertion ID references for each SAML assertion.
APP3900 V0019705 II The designer shall ensure encrypted assertions, or equivalent confidentiality protections, when assertion data is passed through an intermediary, and confidentiality of the assertion data is required to pass through the intermediary.
APP3910 V0022028 I The designer shall use the <NotBefore> and <NotOnOrAfter> elements when using the <SubjectConfirmation> element in a SAML assertion.
APP3920 V0022029 I The designer shall use both the <NotBefore> and <NotOnOrAfter> elements or the <OneTimeUse> element when using the <Conditions> element in a SAML assertion.
APP3930 V0022032 II The designer shall ensure if a OneTimeUse element is used in an assertion, there is only one used in the Conditions element portion of an assertion.
APP3940 V0022030 II The designer will ensure the asserting party uses FIPS approved random numbers in the generation of SessionIndex in the SAML element AuthnStatement.
APP3950 V0022031 II The designer shall ensure messages are encrypted when the SessionIndex is tied to privacy data.
APP3960 V0019706 II The designer will ensure the application is compliant with all DoD IT Standards Registry (DISR) IPv6 profiles.
APP3970 V0019707 II The designer will ensure supporting application services and interfaces have been designed, or upgraded for, IPv6 transport.
APP3980 V0019708 II The designer will ensure the application is compliant with IPv6 multicast addressing and features IPv6 network configuration options as defined in RFC 4038.
APP3990 V0019709 II The designer will ensure the application is compliant with the IPv6 addressing scheme as defined in RFC 1884.
APP4010 V0016820 III The Release Manager will ensure the access privileges to the configuration management (CM) repository are reviewed every 3 months.
APP4030 V0016822 II The Release Manager will develop an SCM plan describing the configuration control and change management process of objects developed and the roles and responsibilities of the organization.
APP4040 V0016823 II The Release Manager will establish a Configuration Control Board (CCB), that meets at least every release cycle, for managing the CM process.
APP5010 V0016824 III The Test Manager will ensure at least one tester is designated to test for security flaws in addition to functional testing.
APP5030 V0006147 II The Test Manager will ensure the application does not modify data files outside the scope of the application.
APP5040 V0016825 II The Test Manager will ensure the changes to the application are assessed for IA and accreditation impact prior to implementation.
APP5050 V0016826 II The Test Manager will ensure test plans and procedures are created and executed prior to each release of the application or updates to system patches.
APP5060 V0016827 II The Test Manager will ensure test procedures are created and at least annually executed to ensure system initialization, shutdown, and aborts are configured to ensure the system remains in a secure state.
APP5070 V0016828 III The Test Manager will ensure code coverage statistics are maintained for each release of the application.
APP5080 V0016829 II The Test Manager will ensure a code review is performed before the application is released.
APP5090 V0016830 II The Test Manager will ensure flaws found during a code review are tracked in a defect tracking system.
APP5100 V0016831 III The Test Manager will ensure fuzz testing is included in the test plans and procedures and performed for each application release based on application exposure.
APP5110 V0016832 II The Test Manager will ensure security flaws are fixed or addressed in the project plan.
APP6010 V0016833 II The IAO will ensure if an application is designated critical, the application is not hosted on a general purpose machine.
APP6020 V0016834 II The IAO shall ensure if a DoD STIG or NSA guide is not available, a third-party product will be configured by the following in descending order as available: (1) commercially accepted practices, (2) independent testing results, or (3) vendor literature.
APP6030 V0006151 II The IAO will ensure unnecessary services are disabled or removed.
APP6040 V0016835 II The IAO will ensure at least one application administrator has registered to receive update notifications, or security alerts, when automated alerts are available.
APP6050 V0016836 II The IAO will ensure the system and installed applications have current patches, security updates, and configuration settings.
APP6060 V0016837 I The IAO will ensure the application is decommissioned when maintenance or support is no longer available.
APP6070 V0016838 III Procedures are not in place to notify users when an application is decommissioned.
APP6080 V0016839 II The IAO will ensure protections against DoS attacks are implemented.
APP6090 V0016840 III The IAO will ensure the system alerts an administrator when low resource conditions are encountered.
APP6100 V0006174 II The IAO will ensure production database exports have database administration credentials and sensitive data removed before releasing the export.
APP6110 V0016841 III The IAO will review audit trails periodically based on system documentation recommendations or immediately upon system security events.
APP6120 V0016842 II The IAO will report all suspected violations of IA policies in accordance with DoD information system IA procedures.
APP6130 V0016843 III The IAO will ensure, for classified systems, application audit trails are continuously and automatically monitored, and alerts are provided immediately when unusual or inappropriate activity is detected.
APP6140 V0006173 II The IAO will ensure application audit trails are retained for at least 1 year for applications without SAMI data, and 5 years for applications including SAMI data.
APP6160 V0006171 II The IAO will ensure recovery procedures and technical system features exist so recovery is performed in a secure and verifiable manner. The IAO will document circumstances inhibiting a trusted recovery.
APP6170 V0016844 II The IAO will ensure back-up copies of the application software are stored in a fire-rated container and not collocated with operational software.
APP6180 V0016845 II The IAO will ensure procedures are in place to assure the appropriate physical and technical protection of the backup and restoration of the application.
APP6190 V0006172 II The IAO will ensure data backup is performed at required intervals in accordance with DoD policy.
APP6200 V0016846 II The IAO will ensure a disaster recovery plan exists in accordance with DoD policy based on the Mission Assurance Category (MAC).
APP6210 V0016847 II The IAO will ensure an account management process is implemented, verifying only authorized users can gain access to the application, and individual accounts designated as inactive, suspended, or terminated are promptly removed.
APP6220 V0016848 I The IAO will ensure passwords generated for users are not predictable and comply with the organization's password policy.
APP6230 V0016849 II The IAO will ensure the application's users do not use shared accounts.
APP6240 V0006132 III The IAO will ensure all user accounts are disabled which are authorized to have access to the application but have not authenticated within the past 30 days.
APP6250 V0006133 II The IAO will ensure unnecessary built-in application accounts are disabled.
APP6260 V0006134 I The IAO will ensure default passwords are changed.
APP6270 V0016850 II The IAO will ensure connections between DoD enclaves and the Internet or other public or commercial wide area networks require a DMZ.
APP6280 V0019687 I The IAO will ensure web servers are on logically separate network segments from the application and database servers if it is a tiered application.
APP6290 V0019688 I The designer and the IAO will ensure physical operating system separation and physical application separation is employed between servers of different data types in the web tier of Increment 1/Phase 1 deployment of the DoD DMZ for Internet-facing applications.
APP6300 V0019694 II The IAO will ensure an XML firewall is deployed to protect web services.
APP6310 V0019699 II The IAO will ensure web service inquiries to UDDI provide read-only access to the registry to anonymous users.
APP6320 V0019700 II The IAO will ensure, if the UDDI registry contains sensitive information, read access to the UDDI registry is granted only to authenticated users.
Application Services Checklist V1R1.1 (21 Sep 06) <Test> - TN <Ticket Number>
PDI VMSID CAT Requirement Vulnerability Status Finding Notes
APS0110 V0006199 II Application server does not utilize a Public Key Infrastructure (PKI).
APS0130 V0006200 I The application server or a served application does not verify the following when presented with a PKI certificate: 1. Revoked certificate, 2. Invalid certificate, 3. Improperly signed certificate. Application Server/ApplicationName(s):
APS0140 V0006202 II Passwords are not encrypted at logon. Passwords are not required to meet complexity requirements. Passwords are not changeable by the user. Accounts are not protected by lockout on failed logon attempts.
APS0210 V0006203 II The following default usernames and passwords have not been modified from their default values:
APS0320 V0006205 II Sensitive data is not encrypted with NIST-validated or NSA-approved cryptography.
APS0350 V0006208 II The application server is not configured to encrypt sensitive data in transit.
APS0410 V0006209 II Auditing is not enabled for the application server. Auditing is not configured to include logon events. Auditing is not configured to include attempts to access security files. Auditing is not configured to include actions taken in response to failed l
APS0510 V0006210 II The application server administrator role has been assigned to unauthorized personnel.
APS0530 V0006212 II If session time limits are enforced by applications or other means external to the application server, then this check is NA. If the applications are dependent on the application server to employ session time limits and this is not configured to a limit of 24 hours or less.
APS0540 V0012304 II The application server serves data of different classification levels to different audiences. The application server does not provide protection through separation to applications serving data of different sensitivity to different audiences.
APS0560 V0012322 II External interfaces are defined on the application server that are not identified in the functional architecture for the application. Protection mechanisms configured for the interface are not sufficient for the data being exchanged.
APS0570 V0012308 II Hyperlinks are not approved prior to incorporation in the application server content.
APS0590 V0012310 II The web page does not identify content obtained from remote systems.
APS0615 V0012312 II Application server software and data are not located in separate directories.
APS0630 V0012323 I The application server software is not a supported version.
APS0640 V0012313 II A migration plan to upgrade from an unsupported version does not exist.
APS0670 V0012316 II A baseline of the application server software directories and files is not maintained.
APS0720 V0012319 II A public WebLogic Platform server is not installed in a DMZ.
APS0730 V0006220 II The application services are not addressed in a disaster recovery plan.
APS0740 V0006221 II The application server software and data are not included in the site or system backup strategy.
ASG0520 V0006211 II The application server process runs with privileges not necessary for proper operation.
ASG0540 V0006213 II A classification guide does not exist for the application.
ASG0550 V0006214 II The application does not mark printed and displayed output with appropriate classification labels.
ASG0750 V0006222 II A process does not exist to ensure application server log files are retained for at least one year.
ASG0760 V0006223 II Application server does not have an assigned IAO or IAM.
ASJ0120 V0006201 II Application server utilizes unapproved DOD PKI certificates.
ASJ0330 V0006206 II Java file permissions are not adequately restrictive.
ASJ0840 V0011810 II Java cryptography is inadequate, implementing poor entropy.
AST0310 V0006204 II Sensitive application data is not adequately protected at rest.
AST0340 V0006207 II OS level file permissions are not adequately restrictive.
AST0560 V0006215 I Application Security Manager is not turned on.
AST0580 V0006216 II Shutdown restriction's default password has not been changed.
AST0610 V0006217 II Application server default content has not been removed.
AST0710 V0006218 I Application server may be controlled from outside the enclave.
AST0720 V0006219 II Java socket permissions are inadequate.
AST0820 V0006225 II Admin and Manager Web Applications are not adequately restrictive.
AST0830 V0011828 II Application server's directory listing is enabled.
PDI VMSID CAT Requirement Vulnerability Status Finding Notes
DTBF003 V0017988 I Installed version of Firefox unsupported.
DTBF010 V0015982 II The Firefox SSLV2 parameter is configured to allow use of SSL 2.0.
DTBF020 V0015767 II Firefox is configured to allow use of SSL 3.0.
DTBF030 V0015983 II Firefox is not configured to allow use of TLS 1.0.
DTBF050 V0015768 II Firefox is not configured to ask which certificate to present to a web site when a certificate is required.
DTBF100 V0015770 II Firefox automatically executes or downloads MIME types which are not authorized for auto-download.
DTBF105 V0015771 II Network shell protocol is enabled in Firefox.
DTBF110 V0015772 II Firefox is not configured to prompt the user before download and opening for required file types.
DTBF120 V0015773 II Firefox plug-in for ActiveX controls is installed.
DTBF130 V0015989 II Firefox is not configured to provide warnings when a user switches from a secure (SSL-enabled) to a non-secure page.
DTBF140 V0015774 II Firefox formfill assistance option is disabled.
DTBF150 V0015775 II Firefox is configured to autofill passwords.
DTBF160 V0015776 II Firefox is configured to use a password store with or without a master password.
DTBF170 V0015777 II Firefox does not clear cookies upon closing.
DTBF180 V0015778 II Firefox is not configured to block pop-up windows.
DTBF181 V0015779 II Firefox is configured to allow JavaScript to move or resize windows.
DTBF182 V0015985 II Firefox is configured to allow JavaScript to raise or lower windows.
DTBF183 V0015986 II Firefox is configured to allow JavaScript to disable or replace context menus.
DTBF184 V0015987 II Firefox is configured to allow JavaScript to hide or change the status bar.
DTBF185 V0015988 II Firefox is configured to allow JavaScript to change the status bar text.
DTBG003 V0006227 I The installed version of IE is at an unsupported version.
DTBG007 V0006317 II IE is not capable of using 128-bit encryption.
DTBG010 V0006318 II The DOD Root Certificate is not installed.
DTBI001 V0006228 II The IE home page is not set to blank, a local file, or a trusted site.
DTBI002 V0006229 II IE Local zone security parameter is set incorrectly.
DTBI003 V0006230 II The IE Trusted sites zone security parameter is set incorrectly.
DTBI004 V0006231 II The IE Internet zone security parameter is set incorrectly.
DTBI005 V0006232 II The IE Restricted sites zone security parameter is set incorrectly.
DTBI006 V0006233 II The IE Local zone includes parameter is not set correctly.
DTBI007 V0006234 II The IE third party cookies parameter is not set correctly.
DTBI010 V0017296 II Prevent performance of First Run Customize settings is not enabled.
DTBI011 V0007006 II The IE search parameter is not set correctly.
DTBI012 V0006236 II The IE signature checking parameter is not set correctly.
DTBI013 V0006237 II The IE save encrypted pages to disk parameter is not set correctly.
DTBI014 V0006238 II The IE SSL/TLS parameter is not set correctly.
DTBI015 V0006239 II The IE warning of invalid certificates parameter is not set correctly.
DTBI016 V0006240 II The IE changing zones parameter is not set correctly.
DTBI017 V0006241 II The IE form redirect parameter is not set correctly.
DTBI021 V0006242 II Users can change the advanced settings in IE.
DTBI022 V0006243 II Download signed ActiveX controls for internet zone is not disabled.
DTBI023 V0006244 II Download unsigned ActiveX controls for internet zone is not disabled.
DTBI024 V0006245 II Initialize and script ActiveX controls not marked as safe for internet zone is not disabled.
DTBI025 V0016879 II The Download signed ActiveX controls property is not set properly for the Lockdown Zone.
DTBI026 V0006246 II The Script ActiveX controls marked safe for scripting property is not set properly for the Internet Zone.
DTBI030 V0006248 II Allow font downloads for internet zone is not disabled.
DTBI031 V0006249 II Java permissions for internet zone are not disabled.
DTBI032 V0006250 II Access data sources across domains are not disabled.
DTBI034 V0006251 II The Display mixed content is not set properly for the Internet Zone.
DTBI035 V0006252 II The Don't prompt for client certificate selection when no certificate or only one certificate exists is not set properly for the Internet Zone.
DTBI036 V0006253 II The Allow drag and drop or copy and paste files for internet zone are not disabled.
DTBI037 V0006254 II Allow installation of desktop items for internet zone is not disabled.
DTBI038 V0006255 II Launching applications and files in an IFRAME for internet zone is not disabled.
DTBI039 V0006256 II Navigate sub-frames across different domains for internet zone are not disabled.
DTBI040 V0006257 II Software channel permissions for internet zone are not disabled.
DTBI041 V0006258 II The Submit non-encrypted form data is not set properly for the Internet Zone.
DTBI042 V0006259 II Userdata persistence for internet zone is not disabled.
DTBI044 V0006260 II Allow cut, copy or paste operations from the clipboard via script are not disabled for internet zone.
DTBI045 V0006261 II The Scripting of Java applets is not set properly for the Internet Zone.
DTBI046 V0006262 II Logon options for internet zone are not enabled.
DTBI052 V0006263 II The Download signed ActiveX controls property is not set properly for the Local Zone.
DTBI053 V0006264 II The Download unsigned ActiveX controls property is not set properly for the Local Zone.
DTBI054 V0006265 II The Initialize and script ActiveX controls not marked as safe property is not set properly for the Local Zone.
DTBI056 V0006266 II The Script ActiveX controls marked safe for scripting property is not set properly for the Local Zone.
DTBI061 V0006267 II Java permissions for local intranet zone are not disabled.
DTBI062 V0006268 II The Access data sources across domains is not set properly for the Local Zone.
DTBI065 V0006271 II The Don't prompt for client certificate selection when no certificate or only one certificate exists is not set properly for the Local Zone.
DTBI067 V0006272 II The Installation of desktop items is not set properly for the Local Zone.
DTBI068 V0006273 II The Launching programs and files in IFRAME is not set properly for the Local Zone.
DTBI070 V0006274 II The Software channel permissions is not set properly for the Local Zone.
DTBI074 V0006275 II The Allow paste operations via script is not set properly for the Local Zone.
DTBI076 V0006276 II The User Authentication - Logon is not set properly for the Local Zone.
DTBI082 V0006277 II The Download signed ActiveX controls property is not set properly for the Trusted Sites Zone.
DTBI083 V0006278 II The Download unsigned ActiveX controls property is not set properly for the Trusted Sites Zone.
DTBI084 V0006279 II The Initialize and script ActiveX controls not marked as safe property is not set properly for the Trusted Sites Zone.
DTBI086 V0006280 II The ActiveX controls marked safe for scripting property is not set properly for the Trusted Sites Zone.
DTBI091 V0006281 II Java permissions for trusted sites zone are not disabled.
DTBI092 V0006282 II The Access data sources across domains is not set properly for the Trusted Sites Zone.
DTBI095 V0006283 II The Don't prompt for client certificate selection when no certificate or only one certificate exists is not set properly for the Trusted Sites Zone.
DTBI097 V0006284 II The Installation of desktop items is not set properly for the Trusted Sites Zone.
DTBI098 V0006285 II The Launching programs and files in IFRAME is not set properly for the Trusted Sites Zone.
DTBI100 V0006286 II The Software channel permissions is not set properly for the Trusted Sites Zone.
DTBI1010 V0022687 II Internet Explorer Processes Restrict ActiveX Install (Explorer) property is properly set.
DTBI1020 V0022688 II Internet Explorer Processes Restrict ActiveX Install (IExplorer) property is properly set.
DTBI104 V0006287 II The Allow paste operations via script is not set properly for the Trusted Sites Zone.
DTBI106 V0006288 II The User Authentication - Logon is not set properly for the Trusted Sites Zone.
DTBI112 V0006289 II Download signed ActiveX controls for restricted sites zone is not disabled.
DTBI113 V0006290 II Download unsigned ActiveX controls for restricted sites zone is not disabled.
DTBI114 V0006291 II Initialize and script ActiveX controls not marked as safe for restricted sites zone is not disabled.
DTBI115 V0006292 II Run ActiveX controls and plugins are not disabled.
DTBI116 V0006293 II Script ActiveX controls marked safe for scripting is not disabled.
DTBI119 V0006294 II Allow file downloads are not disabled.
DTBI120 V0006295 II Allow font downloads for restricted sites zone is not disabled.
DTBI121 V0007007 II Java permissions for restricted sites zone are not disabled.
DTBI122 V0006297 II Access data sources across domains for restricted sites zone is not disabled.
DTBI123 V0006298 II Allow META REFRESH is not disabled.
DTBI124 V0006299 II The Display mixed content is not set properly for the Restricted Sites Zone.
PDI VMSID CAT Requirement Vulnerability Status Finding Notes
DTBI125 V0006300 II The Don't prompt for client certificate selection when no certificate or only one certificate exists is not set properly for the Restricted Sites Zone.
DTBI126 V0006301 II Allow drag and drop or copy and paste files for restricted sites zone are not disabled.
DTBI127 V0006302 II Allow installation of desktop items for restricted sites zone is not disabled.
DTBI128 V0006303 II Launching applications and files in an IFRAME is not disabled.
DTBI129 V0006304 II Navigate sub-frames across different domains for restricted sites zone are not disabled.
DTBI130 V0006305 II Software channel permissions for restricted sites zone are not disabled.
DTBI131 V0006306 II The Submit non-encrypted form data is not set properly for the Restricted Sites Zone.
DTBI132 V0006307 II Userdata persistence for restricted sites zone is not disabled.
DTBI133 V0006308 II Allow active scripting is not disabled.
DTBI134 V0006309 II Allow cut, copy or paste operations from the clipboard via script are not disabled for restricted sites zone.
DTBI135 V0006310 II The Scripting of Java applets is not set properly for the Restricted Sites Zone.
DTBI136 V0006311 II Logon options for restricted sites zones are not enabled.
DTBI137 V0003433 III Internet Explorer is configured to notify users when programs are modified through the software distribution channel.
DTBI140 V0006319 II The Error Reporting tool for IE is installed or enabled.
DTBI150 V0006312 II The Microsoft Java VM is installed.
DTBI151 V0006313 II The Cipher setting for DES 56/56 is not set properly.
DTBI152 V0006314 II The Cipher setting for Null is not set properly.
DTBI153 V0006315 II The Cipher setting for Triple DES is not set properly.
DTBI160 V0006316 II The Hash setting for SHA is not set properly.
DTBI300 V0021887 II Disable Configuring History - History setting is not set to 40 days.
DTBI305 V0015490 II Automatic configuration of Internet Explorer is not disabled.
DTBI315 V0015492 II Prevent participation in the Customer Experience Improvement Program is not disabled.
DTBI316 V0003431 II Internet Explorer is configured to allow Automatic Install of components.
DTBI317 V0003432 II Internet Explorer is configured to automatically check for updates.
DTBI318 V0003429 II Internet Explorer is configured to Allow Users to Add/Delete Sites.
DTBI319 V0003428 II Internet Explorer is configured to Allow Users to Change Policies.
DTBI320 V0003427 II Internet Explorer is not configured to require consistent security zone settings for all users.
DTBI325 V0015494 II Turn off the Security Settings Check feature is not disabled.
DTBI330 V0015495 II Turn off Managing Phishing filter is not disabled.
DTBI340 V0015497 II Allow active content from CDs to run on user machines is not disabled.
DTBI350 V0015499 II Allow software to run or install even if the signature is invalid is not disabled.
DTBI355 V0015500 II Allow third-party browser extensions are not disabled.
DTBI365 V0015502 II Check for server certificate revocation is not enabled.
DTBI367 V0003430 III Internet Explorer is not configured to disable making Proxy Settings Per Machine.
DTBI370 V0015503 II Check for signatures on downloaded programs is not enabled.
DTBI375 V0015504 II Intranet Sites: Include all network paths (UNCs) are disabled.
DTBI385 V0015507 II Allow script-initiated windows without size or position constraints for internet zone is not disabled.
DTBI390 V0015508 II Allow script-initiated windows without size or position constraints for restricted sites zone are not disabled.
DTBI395 V0015509 II Allow Scriptlets are not disabled.
DTBI415 V0015513 II Automatic prompting for file downloads is not enabled.
DTBI425 V0015515 II Java permissions for my computer are not disabled.
DTBI430 V0015516 II Java permissions for my computer group policy are not disabled.
DTBI435 V0015517 II Java permissions for group policy for local intranet zone are not disabled.
DTBI440 V0015518 II Java permissions for group policy for trusted sites zone are not disabled.
DTBI445 V0015519 II Java permissions for group policy for internet zone are not disabled.
DTBI450 V0015520 II Java permissions for group policy for restricted sites zone are not disabled.
DTBI455 V0015521 II Loose or un-compiled XAML files for internet zone are not disabled.
DTBI460 V0015522 II Loose or un-compiled XAML files for restricted sites zone are not disabled.
DTBI465 V0015523 II Open files based on content, not file extension for internet zone are not disabled.
DTBI470 V0015524 II Open files based on content, not file extension for restricted sites zone are not disabled.
DTBI475 V0015525 II Turn Off First-Run Opt-In for internet zone is not disabled.
DTBI480 V0015526 II Turn Off First-Run Opt-In for restricted sites zone are not disabled.
DTBI485 V0015527 II Turn on Protected Mode internet zone is not enabled.
DTBI490 V0015528 II Turn on Protected Mode for restricted sites zone is not enabled.
DTBI495 V0015529 II Use Pop-up Blocker for internet zone is not enabled.
DTBI500 V0015530 II Use Pop-up Blocker for restricted sites zone is not enabled.
DTBI515 V0015533 II Web sites in less privileged Web content zones can navigate into internet zone is not disabled.
DTBI520 V0015534 II Web sites in less privileged Web content zones can navigate into restricted sites zone is not disabled.
DTBI575 V0015545 II Allow binary and script behaviors are not disabled.
DTBI580 V0015546 II Automatic prompting for file downloads is not enabled.
DTBI590 V0015548 II Internet Explorer Processes for MIME handling is not enabled. (Reserved)
DTBI592 V0015565 II Internet Explorer Processes for MIME handling is not enabled. (Explorer)
DTBI594 V0015566 II Internet Explorer Processes for MIME handling is not enabled. (IExplore)
DTBI595 V0015549 III Internet Explorer Processes for MIME sniffing is not enabled. (Reserved)
DTBI596 V0015603 II Internet Explorer Processes for MIME sniffing is not enabled. (Explorer)
DTBI597 V0015604 II Internet Explorer Processes for MIME sniffing is not enabled. (IExplore)
DTBI599 V0015568 II Internet Explorer Processes for MK protocol is not enabled. (Reserved)
DTBI600 V0015550 II Internet Explorer Processes for MK protocol is not enabled. (Explorer)
DTBI605 V0015551 II Internet Explorer Processes for MK protocol is not enabled. (IExplore)
DTBI610 V0015552 II Internet Explorer Processes for Zone Elevation is not enabled. (Reserved)
DTBI612 V0015569 II Internet Explorer Processes for Zone Elevation is not enabled. (Explorer)
DTBI614 V0015570 II Internet Explorer Processes for Zone Elevation is not enabled. (IExplore)
DTBI630 V0015556 II Internet Explorer Processes for Download prompt is not enabled. (Reserved)
DTBI635 V0015557 II Internet Explorer Processes for Download prompt is not enabled. (Explorer)
DTBI640 V0015558 II Internet Explorer Processes for Download prompt is not enabled. (IExplore)
DTBI645 V0015559 II Internet Explorer Processes for restricting pop-up windows is not enabled. (Reserved)
DTBI647 V0015571 II Internet Explorer Processes for restricting pop-up windows is not enabled. (Explorer)
DTBI649 V0015572 II Internet Explorer Processes for restricting pop-up windows is not enabled. (IExplorer)
DTBI650 V0015560 II Run .NET Framework-reliant components not signed with Authenticode are not disabled.
DTBI655 V0015561 II Run .NET Framework-reliant components signed with Authenticode are not disabled.
DTBI670 V0015562 II Scripting of Java applets is not disabled.
DTBI675 V0015563 II Turn off changing the URL to be displayed for checking updates to Internet Explorer and Internet Tools is not disabled.
DTBI680 V0015564 II Turn off configuring the update check interval is not disabled.
DTBI690 V0015574 II Disable AutoComplete for forms is not enabled.
DTBI695 V0015575 II Disable external branding of Internet Explorer is not enabled.
DTBI697 V0014245 III Internet Explorer - Do not allow users to enable or disable add-ons.
DTBI715 V0015579 II Turn off Crash Detection is not enabled.
DTBI720 V0015580 II Turn off page transitions is not enabled.
DTBI725 V0015581 II Turn on the auto-complete feature for user names and passwords on forms are not disabled.
DTBI730 V0015582 II Turn on the Internet Connection Wizard Auto Detect is not disabled.
DTBI740 V0022108 II Turn off Managing SmartScreen Filter property is not properly set.
DTBI750 V0022147 III Include updated Web site lists from Microsoft is disabled.
DTBI760 V0022148 II Delete Browsing History on exit is disabled.
DTBI770 V0022149 II Prevent Deleting Web sites that the User has Visited is enabled.
DTBI780 V0022150 II Turn off InPrivate Browsing is enabled.
DTBI800 V0022152 II Allow scripting of Internet Explorer web browser control property is set (Internet Zone).
DTBI810 V0022153 II Include local directory path when uploading files to a server property is properly set.
DTBI820 V0022154 II Launching programs and unsafe files property is properly set (Internet Zone).
DTBI830 V0022155 II Only allow approved domains to use ActiveX controls without prompt property is properly set (Internet Zone).
DTBI840 V0022156 II Turn on Cross-Site Scripting (XSS) Filter property is properly set (Internet Zone).
DTBI850 V0022157 II Allow scripting of Internet Explorer web browser control property is properly configured (Restricted Sites Zone).
DTBI860 V0022158 II Include local directory path when uploading files to a server is properly set (Restricted Sites Zone).
DTBI870 V0022159 II Launching programs and unsafe files property is properly set (Restricted Sites Zone).
DTBI880 V0022160 II Only allow approved domains to use ActiveX controls without prompt property is properly set (Restricted Sites Zone).
DTBI890 V0022161 II Turn on Cross-Site Scripting (XSS) Filter property is properly set (Restricted Sites Zone).
DTBI900 V0022171 II Internet Explorer Processes Restrict ActiveX Install (Reserved) property is properly set.
DTBI910 V0022634 II Allow status bar updates via script (Internet Zone) property is properly set.
DTBI920 V0022635 II Run .NET Framework-reliant components not signed with Authenticode (Internet Zone) property is properly set.
DTBI930 V0022636 II Run .NET Framework-reliant components signed with Authenticode (Internet Zone) property is properly set.
DTBI940 V0022637 II Allow Scriptlets (Restricted Sites Zone) property is properly set.
DTBI950 V0022638 II Allow status bar updates via script (Restricted Sites Zone) property is properly set.
Section (applicable-product column of the browser checklist above, separated from its rows during extraction; each row carries one of FireFox, IE6, IE7 or IE8, singly or in combination)
BTS-IAP-100 V0014344 II The IAP ingress and egress filters bound to all interfaces are not the most current as directed by JTF-GNO.
BTS-IAP-110 V0014345 II JTF-GNO instructions on implementing exceptions to the IAP filters are not followed.
BTS-IPv6-100 V0014352 II IPv6 is enabled on unauthorized interfaces.
BTS-IPv6-110 V0014357 II IPv6 traffic is tunneled using a method other than IPv4 or GRE encapsulation.
BTS-IPv6-120 V0014359 II IPv6 is enabled on unauthorized 6to4 and 6to4 relay router interfaces.
BTS-IPv6-130 V0014360 II 6to4 router is accepting native IPv6 packets without access to a 6to4 relay router.
BTS-IPv6-140 V0014361 II 6to4 relay router accepts IPv6 packets from the IPv6 network with a destination prefix other than 2002::/16.
BTS-IPv6-150 V0014362 II 6to4 router is configured to accept tunneled IPv6 traffic from undocumented sources.
BTS-IPv6-160 V0014363 II 6to4 relay router is configured to accept tunneled IPv6 traffic from undocumented sources.
BTS-IPv6-170 V0014364 II 6PE router at the backbone edge is not configured to tunnel all IPv6 traffic using MPLS encapsulation.
BTS-IPv6-180 V0014365 II IPv6 is enabled on unauthorized 6PE router interfaces.
BTS-IPv6-190 V0014366 II CE-facing interfaces on the 6PE router accept MPLS traffic.
BTS-MCAST-010 V0012652 II Protocol Independent Multicast (PIM) is not disabled on all interfaces that are not required to support multicast routing.
BTS-MCAST-015 V0014342 III PIM neighbor filter is not bound to interfaces that have PIM enabled.
BTS-MCAST-020 V0012653 III The PIM router's receive path or interface filter does not validate the source address for all traffic destined to the “all PIM routers” address (224.0.0.13).
BTS-MCAST-030 V0012654 III Customer-facing interfaces on the PIM router do not block inbound and outbound administratively-scoped multicast traffic.
BTS-MCAST-035 V0014343 III Customer-facing interfaces do not block inbound and outbound Auto-RP discovery and announcement messages.
BTS-MCAST-040 V0012655 III PIM router accepts BSR messages.
BTS-MCAST-050 V0012656 III RP router is not configured to limit the multicast forwarding cache to ensure that its resources are not saturated managing an overwhelming number of PIM and MSDP SA entries.
BTS-MCAST-060 V0012657 III The RP router peering with customer PIM-SM routers has not been configured with a PIM import policy to block join and registration messages for reserved, Martian, single-source multicast (SSM), and any other undesirable multicast groups as well as any Bogon source addresses.
BTS-MCAST-070 V0012659 II The Multicast Source Discovery Protocol (MSDP) router's receive path or interface filter is not configured to only accept MSDP packets from known MSDP peers.
BTS-MCAST-080 V0012660 I MSDP packets received by an MSDP router are not authenticated using MD5 passwords.
BTS-MCAST-090 V0012383 II MD5 passwords used for MSDP sessions with each peering customer network are not unique.
BTS-MCAST-100 V0012661 III The MSDP router peering with customer MSDP routers has not been configured with an import policy to block source-active (SA) multicast advertisements for reserved, Martian, single-source multicast (SSM), and any other undesirable multicast groups as well as any SA messages with Bogon source addresses.
BTS-MCAST-110 V0012662 III An export policy has not been configured on the MSDP router to avoid global visibility of multicast (S,G) states local to the IP core.
BTS-MCAST-120 V0012663 III The MSDP cache table is not configured to limit the SA count globally, as well as on a per-peer and a per-source basis.
BTS-MCAST-130 V0012388 II Each VPN customer is not assigned a unique Default-MDT to keep its multicast data and control traffic separate from global as well as other customers' multicast traffic.
BTS-MCAST-140 V0012389 II Each VPN customer is not assigned a unique pool of Data-MDTs to keep its multicast data traffic separate from global as well as other customers' multicast traffic.
BTS-MCAST-150 V0012392 III Group addresses assigned for both Default-MDT and Data-MDTs are not from the Administratively Scoped IP Multicast range as defined in RFC 2365.
BTS-MGMT-010 V0012394 I All network devices are not located in a secure room with limited access.
BTS-MGMT-030 V0012674 II Login warning banner is not configured on the network device.
BTS-MGMT-040 V0012675 I Access to the network component does not require an account identifier and password.
BTS-MGMT-050 V0012676 I Default and backdoor accounts have not been removed.
BTS-MGMT-060 V0012677 II Expired or unauthorized accounts are not removed from the device.
BTS-MGMT-070 V0012678 II Each system administrator is not assigned an individual account and password for the purpose of administrative access. CAVEAT: If documented in the SSAA, group accounts can be used for network management workstations located in a controlled access area.
BTS-MGMT-075 V0012679 II Accounts are not assigned the lowest privilege level that allows system administrators and engineers to perform their duties.
BTS-MGMT-080 V0012396 III A formal process for granting, creating, deleting, and distributing accounts is not implemented, or the process does not include an authorization form and a registration authority to ensure that only authorized users are gaining management access to network devices.
BTS-MGMT-085 V0012398 III A log is not maintained that records the creation, deletion, and distribution of all accounts.
BTS-MGMT-090 V0012680 II More than one emergency account is configured or the account does not default to the lowest authorization level.
BTS-MGMT-095 V0012399 III The emergency account log is not reviewed periodically to ensure emergency accounts are changed at regular intervals and are not compromised in any way.
BTS-MGMT-096 V0012699 II Usernames and passwords of all emergency accounts are not stored in a sealed envelope kept in a safe or on a file server attached to the classified network.
BTS-MGMT-100 V0012681 I The network device is not password protected.
BTS-MGMT-105 V0012401 I Passwords are not set up and maintained in accordance with DODI 8500.2 IAIA-1 and IAIA-2.
BTS-MGMT-110 V0012682 I Default manufacturer passwords are not removed or changed from the device.
BTS-MGMT-120 V0012402 II Passwords are not encrypted both for storage and for transmission.
BTS-MGMT-130 V0012683 II An authentication server is not being used to authenticate all users prior to acquiring administrative access to the device.
BTS-MGMT-135 V0012698 II The authentication server is not compliant with the security requirements specified in the appropriate operating system STIG.
BTS-MGMT-140 V0012684 II Two-factor authentication is not used to authenticate all users prior to acquiring administrative access to the device.
BTS-MGMT-145 V0012685 III Two or more authentication servers are not configured to support user authentication for administrative access to the device.
BTS-MGMT-150 V0014374 III The key configured on the authentication server used for communication with clients is not unique.
BTS-MGMT-160 V0012405 I Keys are not set up and maintained in accordance with DODI 8500.2 IAIA-1 and IAIA-2.
BTS-MGMT-165 V0012406 II A key management policy is not implemented to include key generation, distribution, storage, usage, lifetime duration, and destruction of all keys used for encryption within the backbone infrastructure.
BTS-MGMT-170 V0012408 II Key lifetime exceeds 180 days for Type 3 encryptors or 30 days for Type 1 encryptors.
BTS-MGMT-175 V0012686 I Key chains are used and no key within the chain is configured with an infinite lifetime, or the infinite-lifetime key is not changed 7 days after the rotating keys have expired and have been redefined.
BTS-MGMT-190 V0012411 II All backbone network components were not IAVM compliant prior to connecting the component to the backbone network.
BTS-MGMT-200 V0012412 III IAVM notices are not responded to within the specified time period.
BTS-MGMT-210 V0012747 I Unsupported network components are being used within the backbone network infrastructure.
BTS-MGMT-220 V0012687 II Software or firmware versions are not upgraded on all network components as directed by the PMO.
BTS-MGMT-230 V0012754 III Documented procedures are not used for upgrading or deploying new approved software.
BTS-MGMT-240 V0012418 III Testing procedures for new or upgraded hardware or software are not maintained.
BTS-MGMT-250 V0012419 III Baseline configurations for all network components are not maintained with incremental backups.
BTS-MGMT-260 V0012420 III File servers used for network element configuration management are not located on the out-of-band network or are not restricted to authorized personnel. Caveat: File servers used for classified network element configuration management are not required to be accessed via an out-of-band network.
BTS-MGMT-270 V0012421 II OSS LAN is not configured IAW the Network Infrastructure STIG.
BTS-MGMT-280 V0012422 II OSS servers and workstations are not configured IAW the appropriate OS STIG.
BTS-MGMT-290 V0012423 I The OOBM network (DCN) is not configured IAW the Network Infrastructure STIG.
BTS-MGMT-300 V0012424 II Dial-up connections for managing network elements do not use FIPS 140-2 compliant encryption to protect information in transit.
BTS-MGMT-310 V0012688 II Management dial-up connections are not authenticated using two-factor authentication.
BTS-MGMT-320 V0012691 III Communication server is not configured to use CHAP authentication to authenticate authorized users prior to allowing the PPP connection.
BTS-MGMT-325 V0014375 III Communication server is not configured to use CHAP authentication or to enable callback to authorized phone numbers prior to allowing the PPP connection.
BTS-MGMT-330 V0012692 II The network element is not configured to time out an idle user session at 15 minutes or less.
BTS-MGMT-340 V0012693 II In-band management connection to the device is not encrypted using FIPS 140-2 compliant cryptography.
BTS-MGMT-350 V0012694 II OOBM interfaces or a console port connected to a terminal access server are not used to connect to the DCN. CAVEAT: If OOBM interfaces are not available for a layer-3 device, this finding can be downgraded to a Category III if the device is configured to ensure management traffic and route advertisements do not leak from the management network into the transit network and vice versa, using interface filters and route policies.
BTS-MGMT-355 V0014376 II A modem is connected to the network component.
BTS-MGMT-360 V0012425 III Optical link used for the Optical Supervisory Channel (OSC) exceeds 20 spans or there is not a DCN connection at the near and far end OTS terminals.
BTS-MGMT-370 V0012695 I SNMP Version 3 Security Model (both SHA packet authentication and DES encryption of the PDU) is not used across the entire network infrastructure. CAVEAT: If Version 1 or Version 2 is being used with all of the appropriate patches to mitigate the known security vulnerabilities, this finding can be downgraded to a Category II. If Version 1 or Version 2 is being used with all of the appropriate patches and the PMO has developed a migration plan to implement the Version 3 Security Model, this finding can be downgraded to a Category III.
BTS-MGMT-380 V0012696 I SNMP community strings are not changed from the default values and usernames do not match any other password values.
BTS-MGMT-390 V0012697 II Different community names or usernames are not used for read-only access and read-write access. Write access was enabled without approval by the IAO.
BTS-MGMT-400 V0012426 III There is no standard operating procedure (SOP) for managing SNMP community strings and usernames to include the following: - Community string and username expiration period. - Community string and username creation will comply with the password requirements outlined in Section 5.2.3 Passwords. - SNMP community string and username distribution including determination of membership
BTS-MGMT-410 V0012664 III A centralized syslog server is not deployed and configured to store all syslog messages for a minimum of 30 days and then stored offline for one year.
BTS-MGMT-420 V0012665 III The syslog server is not configured to collect syslog messages from levels 0 through 6 at a minimum.
BTS-MGMT-430 V0012666 III The syslog server is not configured to accept messages from only authorized devices and administrative access from trusted management workstations by restricting access via source IP address and destination port.
BTS-MGMT-440 V0014377 III The syslog server is connected to a network that is not the management network.
BTS-MGMT-450 V0014378 II The syslog server is not configured IAW the respective OS STIG.
BTS-MGMT-460 V0014379 III An HIDS is not implemented on the syslog server to provide access control for the syslog data as well as provide the necessary protection against unauthorized user and service access.
BTS-MGMT-510 V0012427 II A COOP is not developed or is not maintained, or the COOP is not being exercised periodically to provide continuous operational services of the backbone network. At a minimum, the COOP must be exercised semi-annually for MAC I networks and annually for MAC II and III networks.
BTS-MGMT-520 V0012428 II The COOP plan does not include the identification, procurement, inventory, storage, and deployment for all critical spare parts, specifically those parts that can service single points of failure.
BTS-MGMT-530 V0012430 II The COOP plan does not establish procedures for a smooth transition of mission essential backbone network functions to include management, operation, and monitoring.
BTS-MPLS-010 V0012638 I Not all CE-facing interfaces on a PE router providing MPLS VPN services are bound to a VRF.
BTS-MPLS-020 V0012639 II CE-facing interface on a PE router providing MPLS VPN services is configured to accept MPLS traffic.
BTS-MPLS-030 V0012640 III A route policy has not been implemented to ensure routes contained within any VRF used for PE-CE links are not advertised to any customer networks.
BTS-MPLS-040 V0012431 I A unique RD is not assigned for each VPN.
BTS-MPLS-050 V0012641 I Incorrect RDs are configured for some VRFs.
BTS-MPLS-060 V0012642 I VRFs are not bound to the proper CE-facing interface.
BTS-MPLS-070 V0012643 I Incorrect RT is configured for VRF.
BTS-MPLS-080 V0012432 II Junior engineers who are not trained in the design of MPLS VPN networks are authorized to configure VRF information including RT and RD and their associated import and export route policies.
BTS-MPLS-085 V0014338 II PE-ASBR-facing interfaces are not bound to a VRF for a VRF-to-VRF implementation on the PE-ASBR router.
BTS-MPLS-086 V0014339 III PE-ASBR-facing interfaces on a PE-ASBR are configured to accept MPLS traffic for a VRF-to-VRF implementation.
BTS-MPLS-087 V0014340 II PE-ASBR-facing interfaces for a VRF-to-VRF implementation are not bound to the correct VPN.
BTS-MPLS-090 V0012644 III Route-target filtering is not configured to only import and export those route advertisements with RTs that represent the inter-AS VPNs provisioned by the AS.
BTS-MPLS-100 V0012645 III The PE-ASBR leaks IPv4 routes to the adjacent AS across the MP-eBGP connection.
BTS-MPLS-110 V0014341 II Multi-hop eBGP redistribution of labeled VPN-IPv4 routes between source and destination ASes is used to implement inter-AS VPN connectivity.
BTS-MSPP-010 V0012670 III The MSPP does not log system events, circuit provisioning, user actions, and configuration changes.
BTS-MSPP-020 V0012433 II A daily review of the MSPP audit data is not conducted by the system administrator or qualified personnel to determine if attempted attacks or inappropriate activity has occurred.
BTS-MSPP-030 V0012434 III The MSPP audit logs are not backed up on a weekly basis or are not retained for at least one year.
BTS-MSPP-040 V0012671 III The MSPP is not configured to synchronize its clock with a trusted stratum-1 SNTP server.
BTS-MSPP-050 V0012672 II Unused MSPP interfaces are not set to out of service when not providing service.
BTS-OPTI-010 V0012435 I SONET components are not installed in controlled areas that restrict access to only authorized personnel.
BTS-OPTI-020 V0012436 II A semi-annual security analysis of a sample (20% or more) of the SONET components is not conducted and documented.
BTS-OPTI-030 V0012667 II SONET payload scrambling is not enabled using a self-synchronous scrambler (1 + X^43) applied to all backbone-facing PoS interfaces of all PE routers as well as all P router and ADM PoS interfaces.
BTS-OPTI-040 V0012437 II An attack detection method such as Wideband Power Detection, Optical Spectral Analysis, Pilot Tone, or Optical Time Domain Reflectometry is not used globally to detect and locate attacks.
BTS-OPTI-050 V0012438 II Optical monitoring is not implemented at all service delivery nodes.
BTS-OPTI-060 V0012439 III Additional monitoring points are not installed at regular intervals within the spans of the service delivery nodes.
BTS-OPTI-070 V0012441 I OTDR scans are not performed on all new fiber spans before being placed in production. Maintenance scans are not performed every six months.
BTS-OPTI-080 V0012668 II OSPF is being used by ODXCs to determine the optimum path for dynamically provisioning a circuit as well as for in-band management routing without MD5 authentication of the link-state advertisements.
BTS-OPTI-090 V0012669 II LDP is being used on the control plane by ODXCs to establish a circuit with dynamic provisioning without MD5 authentication.
BTS-OPTI-100 V0012442 II MD5 keys used for routing protocol authentication are not changed every 180 days.
BTS-OPTI-110 V0012443 I The ITF and OTN facilities used for ULH connections are not secured because 1) the facility is not in a government-controlled area that allows access to only authorized personnel using 2-factor authentication, or 2) access to the facility is not monitored and limited to essential and authorized personnel, or 3) a visitor log is not maintained.
BTS-OPTI-120 V0012444 III Diverse routes into and out of ITF and OTN facilities are not engineered to reduce the risk of breaks to both fiber segments residing in the same bundle, conduit, or right-of-way.
BTS-OPTI-130 V0012445 III ULH connections are not created using carrier-grade transmission equipment placed at Government-owned locations in order to minimize the placement of optical equipment in commercial facilities.
BTS-OPTI-140 V0012446 II Secured storage cabinets requiring 2-factor authentication for access are not used at ITFs to house the fiber optic equipment and have locking cabinet doors.
BTS-OPTI-150 V0012447 III Locking cabinet doors used at the ITFs are not equipped with alarm sensors that activate when doors are opened, or they do not report to the GNSC or TNC within its operating area via OOB in-network circuits.
BTS-OPTI-160 V0012448 I Traffic traversing OCONUS DISN Core segments is not bulk encrypted using NIST-certified Type III encryptors.
BTS-OPTI-170 V0012449 I SONET/SDH bulk encryptors are not deployed using Path level encryption with Path headers passed in the clear wherever leased bandwidth from commercial carriers is used for transport.
BTS-OPTI-180 V0012450 I SONET/SDH bulk encryptors are not deployed using Line level encryption with both Section and Line overhead encrypted wherever dark fiber is used for transport.
BTS-OPTI-190 V0012451 II A COMSEC custodian is not assigned to manage the SONET/SDH bulk encryption devices and keys.
BTS-QoS-010 V0012647 II QoS policies are not configured on the PE router to ensure all customer traffic receives forwarding treatment as specified in the SLA.
BTS-QoS-030 V0012648 III Traffic that is not in compliance with the approved DSCP classification is not placed into the Scavenger class.
BTS-QoS-040 V0012649 III Traffic not in compliance with the customer's SLA is not placed into the Scavenger class.
BTS-QoS-050 V0012650 III QoS policing is not configured to validate the use of classes reserved for premium traffic and either mark down or rate limit traffic according to customer projections and SLAs prior to entering the core.
BTS-QoS-060 V0012651 III QoS policing has not been configured on the PE router to mark down out-of-profile traffic into the Scavenger class.
BTS-QoS-070 V0012727 II QoS policies are not configured to ensure the necessary congestion management is implemented. This will include classifying all traffic and defining queues with appropriate service levels to accommodate the different traffic classes.
BTS-RAS-100 V0014346 III An AAA server is not used to authenticate the subscriber's LNS prior to establishing an L2TP tunnel with the LNS.
BTS-RAS-110 V0014347 I The AAA server configuration does not correctly map domain names to the appropriate VPN.
BTS-RAS-120 V0014349 II The AAA server does not proxy the challenge response message to the appropriate VPN's AAA server to authenticate the user.
BTS-RAS-130 V0014350 III The RAS, NAS, or LAC device is not configured to use CHAP authentication to provide a challenge query to the client prior to initiating the L2TP connection to validate the domain name and user.
BTS-RAS-140 V0014351 II An AAA server is not used to validate the client's domain name, username, and password to the PPP authentication challenge prior to initiating the L2TP connection.
BTS-RTR-010 V0012559 II Neighbor authentication with MD5, SHA-1, or IPSec is not implemented for all routing protocols with all peer routers within the same autonomous system as well as between autonomous systems.
BTS-RTR-015 V0014770 II MPLS signaling protocols deployed to build LSP tunnels are not using a secure hashing algorithm such as MD5 or SHA-1 for neighbor or message authentication.
BTS-RTR-020 V0012646 II The eBGP router does not have a unique key for each eBGP neighbor that it peers with.
BTS-RTR-030 V0012452 II MD5 keys used for routing protocol authentication are not changed every 180 days.
BTS-RTR-040 V0012560 I Key chains are being used and no infinite key exists within the chain. The lifetime key is not changed seven days after the rotating keys expire and are redefined.
BTS-RTR-050 V0012561 II The eBGP router is not configured to reject inbound route advertisements for any Bogon prefixes and any prefixes belonging to the IP core.
BTS-RTR-055 V0014316 II The eBGP router is not configured to reject inbound route advertisements for any IPv6 prefixes unless the prefixes are received from a customer network and 6PE is implemented to transport those prefixes across the backbone using MP-iBGP.
BTS-RTR-060 V0012562 II The eBGP router is not configured to reject inbound route advertisements from a CE router for prefixes that are not allocated to that customer.
BTS-RTR-070 V0012563 II BGP is not configured to filter outbound route advertisements for prefixes that are not allocated to or belong to any GIG IP customers.
BTS-RTR-075 V0014317 II The eBGP router is not configured to reject outbound route advertisements for any IPv6 prefixes unless the prefixes are for a customer network supported by a 6PE deployment.
BTS-RTR-080 V0012564 II BGP is not configured to filter outbound route advertisements belonging to the IP core.
BTS-RTR-100 V0012565 II The eBGP router is not configured to reject inbound route advertisements with an originating AS that does not belong to the specific customer.
BTS-RTR-110 V0012566 III The ASBR is not configured to deny updates received from eBGP peers that do not list their AS number as the first AS in the AS_PATH attribute.
BTS-RTR-120 V0012567 III Graded damping algorithms are not used to penalize longer prefixes (> /20) more than shorter prefixes.
BTS-RTR-130 V0012568 II BGP is not configured to use the maximum prefixes feature to protect against route table flooding and prefix de-aggregation attacks.
BTS-RTR-140 V0012569 III BGP is not configured to limit the prefix size on any route advertisement to /24 or the least significant prefixes issued to the customer.
BTS-RTR-150 V0012570 III BGP is not configured to use the Generalized TTL Security Mechanism (GTSM) to mitigate risks associated with a control plane DoS attack.
BTS-RTR-152 V0014318 III Routers with RSVP-TE enabled do not have message pacing configured to adjust the maximum burst and maximum number of RSVP messages to an output queue based on the link speed and input queue size of adjacent core routers.
BTS-RTR-155 V0012571 III The router's loopback address is not used as the router ID for OSPF, IS-IS, iBGP, LDP, and MPLS-TE configurations.
BTS-RTR-160 V0012573 II URPF strict mode is not enabled on all customer-facing interfaces.
BTS-RTR-170 V0012574 II A filter is not implemented to block inbound packets with source Bogon address prefixes.
BTS-RTR-180 V0012575 I A filter is not implemented to block inbound packets destined to the IP core infrastructure address space.
BTS-RTR-190 V0012576 I A receive-path filter or ingress filter bound to all interfaces is not implemented to restrict all traffic destined to the router.
BTS-RTR-195 V0014319 III A receive-path filter is not implemented to restrict all traffic destined to the router.
BTS-RTR-200 V0012579 II Management plane traffic destined for the router is not restricted to only authorized network management stations.
BTS-RTR-210 V0012580 II BGP connections are not restricted to known IP addresses of BGP routers from the same or a trusted AS.
BTS-RTR-220 V0012581 III NTP traffic is not restricted to only authorized NTP servers.
BTS-RTR-230 V0012582 II The router's receive path filter does not drop all fragmented ICMP packets.
BTS-RTR-240 V0012583 II The maximum wait interval for establishing a TCP connection request to the router is not set to ten seconds or less, or a method to rate-limit TCP SYN traffic destined to the router has not been implemented.
BTS-RTR-250 V0012586 II CEF is not enabled on the Cisco router.
BTS-RTR-260 V0012585 II IPv4 packets with Option Type = 131 or 137 are not blocked or IP source routing is not disabled.
BTS-RTR-265 V0014320 II IPv6 packets that include a Routing Header with Routing Type 0 are not blocked or IP source routing is not disabled.
BTS-RTR-270 V0012587 III IP directed broadcast is not disabled on all router interfaces.
BTS-RTR-280 V0012589 II IP redirects are not disabled on all router interfaces.
BTS-RTR-290 V0012590 II ICMP mask replies are not disabled on all router interfaces.
BTS-RTR-300 V0012591 II ICMP unreachables are not disabled on all customer-facing interfaces. Note: This requirement does not force the router to block ICMP Destination Unreachable messages type 3, code 4 meaning “Fragmentation Needed and Don't Fragment was Set” and, therefore, will not disrupt Path MTU Discovery as specified in RFC 1191. Black-hole filtering enables traffic destined for a particular IP address to be forwarded to a pseudo-interface where it is discarded. The address of the pseudo-interface is called Null0. The interface is always live but can never forward or receive traffic. Hence, when a route is pointed to the Null0 interface, traffic sent to that destination is dropped.
BTS-RTR-310 V0012592 III Inactive interfaces are not disabled. CAVEAT: Inactive physical interfaces or subinterfaces that are preconfigured for planned access circuits that will soon become active are permitted, provided that a description is defined for each interface.
BTS-RTR-315 V0014321 III There is no filter that denies all traffic applied to all inactive interfaces.
BTS-RTR-320 V0012593 III Two or more authentication servers are not defined for the purpose of granting administrative access.
BTS-RTR-330 V0012594 III The router is not configured to use AAA tiered authorization groups for management authentication.
BTS-RTR-340 V0014322 III Passwords are configured on line interfaces (VTY, console, auxiliary, and asynchronous lines).
BTS-RTR-350 V0012601 II Individual accounts with username and password are not being used to access the router.
BTS-RTR-360 V0012602 II Accounts are not assigned the lowest privilege level that allows them to perform their duties.
BTS-RTR-370 V0012609 I Passwords are not encrypted using the MD5 or SHA-1 hash algorithm.
BTS-RTR-380 V0012606 II Inactive accounts exist on the authentication server or router.
BTS-RTR-390 V0012607 II More than one local emergency account is configured on the router, or the emergency account is not at the lowest privilege level.
BTS-RTR-395 V0012453 II There are no procedures to securely control the creation, storage, deletion, and distribution of local emergency user accounts.
BTS-RTR-400 V0012454 III A log is not being maintained to record the creation, change, deletion, and release of all emergency accounts.
BTS-RTR-405 V0012455 III The emergency account log is not being reviewed periodically to ensure emergency accounts are changed at regular intervals and are not compromised in any way.
BTS-RTR-410 V0012610 III A password is not required to gain access to the router's diagnostics port.
BTS-RTR-420 V0012615 III CDP is not disabled on all external interfaces on all Cisco PE and ASBR routers.
BTS-RTR-430 V0012616 III The router is not configured to send periodic TCP keepalive messages to connection end points if telnet is being used for administrative access.
BTS-RTR-440 V0014323 II Logging is not enabled on the router.
BTS-RTR-450 V0012618 III The router is not configured to log severity levels 0 through 6 events and send all log data to a syslog server.
BTS-RTR-460 V0014324 III The router is not configured to send all log data to a syslog server.
BTS-RTR-470 V0012617 III The router is not configured to log all denied packets.
BTS-RTR-480 V0014325 III The router is not configured to log all denied packets.
BTS-RTR-485 V0014326 III Configuration changes that identify the time, the command, and the administrator that executed the command are not logged.
BTS-RTR-490 V0012619 III Two or more NTP servers are not defined on the router to synchronize its time.
BTS-RTR-500 V0012620 II The router is configured to function as an NTP server.
BTS-RTR-510 II The router is not configured to use MD5 to authenticate the time source.
BTS-RTR-520 V0012622 III The router is not configured to use its loopback address as the source address when originating TACACS+ or RADIUS traffic.
BTS-RTR-521 V0014327 III The router is not configured to use its loopback address as the source address when originating syslog traffic.
BTS-RTR-522 V0014328 III The router is not configured to use its loopback address as the source address when originating NTP traffic.
BTS-RTR-523 V0014329 III The router is not configured to use its loopback address as the source address when originating SNMP traffic.
BTS-RTR-524 V0014330 III The router is not configured to use its loopback address as the source address when originating NetFlow traffic.
BTS-RTR-525 V0014331 III The router is not configured to use its loopback address as the source address when originating TFTP or FTP traffic.
BTS-RTR-526 V0014332 III The router is not configured to use its loopback address as the source address when originating SSH traffic.
BTS-RTR-527 V0014333 III The router is not configured to use its loopback address as the source address when originating MSDP traffic.
BTS-RTR-528 V0014334 III The router is not configured to use its loopback address as the source address for iBGP peering sessions.
BTS-RTR-529 V0014335 III The router is not configured to use its loopback address as the source address for LDP peering sessions.
BTS-RTR-530 V0012623 II The latest operating system as directed by the PMO is not implemented on the router.
BTS-RTR-530 V0012730 II The latest operating system as directed by the PMO is not implemented on the router.
BTS-RTR-540 V0012624 III Finger service is not disabled.
BTS-RTR-550 V0012625 III TCP and UDP small servers are not disabled.
BTS-RTR-560 V0012626 III PAD services are not disabled.
BTS-RTR-570 V0012627 III Identification support is not disabled.
BTS-RTR-580 V0012628 II BSD r-command services are not disabled.
BTS-RTR-590 V0012629 II FTP server is enabled.
BTS-RTR-595 V0014336 II TFTP server is not disabled.
BTS-RTR-600 V0012630 III DHCP server is enabled.
BTS-RTR-610 V0012631 II HTTP server is enabled.
BTS-RTR-620 V0012632 III Bootp server is enabled.
BTS-RTR-630 V0012634 II Configuration auto-loading is not disabled.
BTS-RTR-640 V0012635 III The router is configured as a client resolver and DNS servers are not defined.
BTS-RTR-650 V0012636 II Proxy ARP is not disabled.
BTS-RTR-660 V0012637 II Gratuitous ARP is not disabled.
BTS-RTR-900 V0014337 II URPF strict mode is not enabled on CE routers' PE-facing interfaces.
BTS-SDN-010 V0012456 I The facility used to house SDN equipment is not secured because 1) the facility is not in a government-controlled area that allows access to only authorized personnel using 2-factor authentication, or 2) access to the facility is not monitored and limited to essential and authorized personnel, or 3) a visitor log is not maintained.
BTS-SDN-020 V0012457 II A connection approval process to be used when provisioning GIG services to DoD customers is not implemented or enforced.
____ Checklist _V_R_ (<date>) <Test> - TN <Ticket Number>
DG0001 V0005658 I Vendor supported software is evaluated and patched against newly found vulnerabilities.
DG0002 V0004758 II An upgrade/migration plan should be developed to address an unsupported DBMS software version.
DG0003 V0005659 II The latest security patches should be installed.
DG0005 V0006756 II Only necessary privileges to the host system should be granted to DBA OS accounts.
DG0007 V0006767 II The database should be secured in accordance with DoD, vendor and/or commercially accepted practices where applicable.
DG0009 V0015608 II Access to DBMS software files and directories should not be granted to unauthorized users.
DG0010 V0002420 III Database executable and configuration files should be monitored for unauthorized modifications.
DG0011 V0003726 III Configuration management procedures should be defined and implemented for database software modifications.
DG0012 V0004754 II Database software directories including DBMS configuration files are stored in dedicated directories separate from the host OS and other applications.
DG0013 V0015126 II Database backup procedures should be defined, documented and implemented.
Legend:
R or RAE = Required Ancillary Equipment
NF = Not a Finding
NA = Not Applicable 159 of 1298
DG0014 V0015609 II Default demonstration and sample database objects and applications should be removed.
DG0016 V0003728 III Unused database components, database application software and database objects should be removed from the DBMS system.
DG0017 V0003803 II A production DBMS installation should not coexist on the same DBMS host with other, non-production DBMS installations.
DG0019 V0003805 III Application software should be owned by a Software Application account.
DG0020 V0015129 II Backup and recovery procedures should be developed, documented, implemented and periodically tested.
DG0021 V0003806 II A baseline of database application software should be documented and maintained.
DG0025 V0015610 II DBMS should use NIST FIPS 140-2 validated cryptography.
DG0029 V0005685 II Required auditing parameters for database auditing should be set.
DG0030 V0002507 II Audit trail data should be retained for one year.
DG0031 V0015133 II Transaction logs should be periodically reviewed for unauthorized modification of data. Users should be notified of time and date of the last change in data content.
DG0032 V0005686 II Audit records should be restricted to authorized individuals.
DG0040 V0002422 II The DBMS software installation account should be restricted to authorized users.
DG0041 V0015110 II Use of the DBMS installation account should be logged.
DG0042 V0015111 II Use of the DBMS software installation account should be restricted to DBMS software installation, upgrade and maintenance actions.
DG0050 V0002423 II Database software, applications and configuration files should be monitored to discover unauthorized changes.
DG0051 V0003808 II Database job/batch queues should be reviewed regularly to detect unauthorized database job submissions.
DG0052 V0003807 II All applications that access the database should be logged in the DBMS audit trail where available.
DG0053 V0003809 II A single database connection configuration file should not be used to configure all database clients.
DG0054 V0015611 III The audit logs should be periodically monitored to discover DBMS access using unauthorized applications.
DG0064 V0015120 II DBMS backup and restoration files should be protected from unauthorized access.
DG0065 V0003810 II DBMS authentication should require use of a DoD PKI certificate.
DG0066 V0003811 II Procedures for establishing temporary passwords that meet DoD password requirements for new accounts should be defined, documented and implemented.
DG0067 V0003812 I Database account passwords should be stored in encoded or encrypted format whether stored in database objects, external host files, environment variables or any other storage locations.
DG0068 V0003813 II DBMS tools or applications that echo or require a password entry in clear text should be protected from password display.
DG0069 V0015140 II Procedures and restrictions for import of production data to development databases should be documented, implemented and followed.
DG0072 V0015612 II Database password changes by users should be limited to one change within 24 hours where supported by the DBMS.
DG0076 V0003819 II Sensitive information from production database exports should be modified after import to a development database.
DG0077 V0003820 II Production databases should be protected from unauthorized access by developers on shared production/development host systems.
DG0078 V0015613 II Each database user, application or process should have an individually assigned account.
DG0083 V0015102 II Automated notification of suspicious activity detected in the audit trail should be implemented.
DG0084 V0015614 III The DBMS should be configured to clear residual data from memory, data objects and files, and other storage locations.
DG0085 V0015615 II The DBA role should not be assigned excessive or unauthorized privileges.
DG0088 V0015112 III The DBMS should be periodically tested for vulnerability management and IA compliance.
DG0090 V0015131 II Sensitive information stored in the database should be protected by encryption.
DG0092 V0015132 II Database data files containing sensitive information should be encrypted.
DG0093 V0003825 II Remote administrative connections to the database should be encrypted.
DG0095 V0003827 II Audit trail data should be reviewed daily or more frequently.
DG0096 V0015138 III The DBMS IA policies and procedures should be reviewed annually or more frequently.
DG0097 V0015139 II Plans and procedures for testing DBMS installations, upgrades, and patches should be defined and followed prior to production implementation.
DG0098 V0015617 II Access to external objects should be disabled if not required and authorized.
DG0099 V0015618 II Access to external DBMS executables should be disabled or restricted.
DG0101 V0015620 II OS accounts used to execute external procedures should be assigned minimum privileges.
DG0102 V0015141 II DBMS processes or services should run under custom, dedicated OS accounts.
DG0103 V0015621 II The DBMS listener should restrict database access by network address.
DG0104 V0015622 III DBMS service identification should be unique and clearly identify the service.
DG0107 V0015144 II Sensitive data is stored in the database and should be identified in the System Security Plan and AIS Functional Architecture documentation.
DG0108 V0015145 III The DBMS restoration priority should be assigned.
DG0109 V0015146 II The DBMS should not be operated without authorization on a host system supporting other application services.
DG0110 V0015179 II The DBMS should not share a host supporting an independent security service.
DG0111 V0015147 II The DBMS data files, transaction logs and audit files should be stored in dedicated directories or disk partitions separate from software or other application files.
DG0112 V0015623 II DBMS system data files should be stored in dedicated disk directories.
DG0113 V0015624 II DBMS data files should be dedicated to support individual applications.
DG0114 V0015119 II DBMS files critical for DBMS recovery should be stored on RAID or other high-availability storage devices.
DG0115 V0015625 II Recovery procedures and technical system features exist to ensure that recovery is done in a secure and verifiable manner.
DG0116 V0015626 II Database privileged role assignments should be restricted to IAO-authorized DBMS accounts.
DG0118 V0015127 II The IAM should review changes to DBA role assignments.
DG0123 V0015631 II Access to DBMS system tables and other configuration or metadata should be restricted to DBAs.
DG0124 V0015632 II Use of DBA accounts should be restricted to administrative activities.
DG0126 V0015633 II Password reuse should be prevented where supported by the DBMS.
DG0128 V0015635 I DBMS default accounts should be assigned custom passwords.
DG0129 V0015636 I Passwords should be encrypted when transmitted across the network.
DG0130 V0015637 II DBMS passwords should not be stored in compiled, encoded or encrypted batch jobs or compiled, encoded or encrypted application source code.
DG0131 V0015638 III DBMS default account names should be changed.
DG0134 V0015640 II Concurrent connections to the DBMS should be limited and controlled.
DG0140 V0015643 II Access to DBMS security should be audited.
DG0141 V0015644 II Attempts to bypass access controls should be audited.
DG0142 V0015645 II Changes to configuration options should be audited.
DG0145 V0015646 II Audit records should contain required information.
DG0146 V0015647 II Audit records should include the reason for blacklisting or disabling DBMS connections or accounts.
DG0151 V0015648 II Access to the DBMS should be restricted to static, default network ports.
DG0152 V0015148 II DBMS network communications should comply with PPS usage restrictions.
DG0153 V0015149 III DBA role assignments should be assigned and authorized by the IAO.
DG0154 V0015150 III The DBMS requires a System Security Plan containing all required information.
DG0155 V0015649 II The DBMS should have configured all applicable settings to use trusted files, functions, features, or other components during startup, shutdown, aborts, or other unplanned interruptions.
DG0156 V0015650 III The IAO for the DBMS should be assigned and authorized by the IAM.
DG0157 V0015651 II Remote DBMS administration should be documented and authorized or disabled.
DG0158 V0015652 II DBMS remote administration should be audited.
DG0159 V0015118 II Remote administrative access to the database should be monitored by the IAO or IAM.
DG0160 V0015653 III The DBMS should limit failed logins within a specified time period.
DG0161 V0015103 II An automated tool that monitors audit data and immediately reports suspicious activity should be employed for the DBMS.
DG0167 V0015104 I Sensitive data served by the DBMS should be protected by encryption when transmitted across the network.
DG0170 V0015655 II DBMS transaction journaling should be enabled.
DG0171 V0015656 II The DBMS should not have a connection defined to access or be accessed by a DBMS at a different classification level.
DG0175 V0015116 II The DBMS host platform and other dependent applications should be configured in compliance with applicable STIG requirements.
DG0176 V0015117 II The DBMS audit logs should be included in backup operations.
DG0179 V0015658 II The DBMS warning banner should meet DoD policy requirements.
DG0186 V0015122 II The database should not be directly accessible from public or unauthorized networks.
DG0187 V0015121 II DBMS software libraries should be periodically backed up.
DG0190 V0015154 II Credentials stored and used by the DBMS to access remote databases or applications should be authorized and restricted to authorized users.
DG0192 V0015660 II Remote database or other external access should use fully-qualified names.
DG0194 V0015108 II Privileges assigned to developers on shared production and development DBMS hosts and the DBMS should be monitored every three months or more frequently for unauthorized changes.
DG0195 V0015109 II DBMS production application and data directories should be protected from developers on shared production/development DBMS host systems.
DG0198 V0015662 II Remote administration of the DBMS should be restricted to known, dedicated and encrypted network addresses and ports.
DG0001 V0005658 I Vendor supported software is evaluated and patched against newly found vulnerabilities.
DG0002 V0004758 II An upgrade/migration plan should be developed to address an unsupported DBMS software version.
DG0003 V0005659 II The latest security patches should be installed.
DG0004 V0005683 II Application object owner accounts should be disabled when not performing installation or maintenance actions.
DG0005 V0006756 II Only necessary privileges to the host system should be granted to DBA OS accounts.
DG0007 V0006767 II The database should be secured in accordance with DoD, vendor and commercially accepted practices where applicable.
DG0008 V0015607 II Application objects should be owned by accounts authorized for ownership.
DG0009 V0015608 II Access to DBMS software files and directories should not be granted to unauthorized users.
DG0010 V0002420 III Database executable and configuration files should be monitored for unauthorized modifications.
DG0011 V0003726 III Configuration management procedures should be defined and implemented for database software modifications.
DG0012 V0004754 II Database data files should not be stored in the same logical storage partition as database application software.
DG0013 V0015126 II Database backup procedures should be defined, documented and implemented.
DG0014 V0015609 II Default demonstration and sample database objects and applications should be removed.
DG0015 V0003727 III Database applications should be restricted from using static DDL statements to modify the application schema.
DG0016 V0003728 III Unused database components, database application software and database objects should be removed from the DBMS system.
DG0017 V0003803 II System resources and database identifiers should be clearly separated and defined.
DG0019 V0003805 III Application software should be owned by a Software Application account.
DG0020 V0015129 II Backup and recovery procedures should be developed, documented, implemented and periodically tested.
DG0021 V0003806 II A baseline of database application software should be documented and maintained.
DG0025 V0015610 II DBMS should use NIST FIPS 140-2 validated cryptography.
DG0029 V0005685 II Required auditing parameters for database auditing should be set.
DG0030 V0002507 II Audit trail data should be retained for one year.
DG0031 V0015133 II Transaction logs should be periodically reviewed for unauthorized modification of data. Users should be notified of time and date of the last change in data content.
DG0032 V0005686 II Audit records should be restricted to authorized individuals.
DG0040 V0002422 II The DBMS software installation account should be restricted to authorized users.
DG0041 V0015110 II Use of the DBMS installation account should be logged.
DG0042 V0015111 II Use of the DBMS software installation account should be restricted to DBMS software installation, upgrade and maintenance actions.
DG0050 V0002423 II Database software, applications and configuration files should be monitored to discover unauthorized changes.
PDI VMSID CAT Requirement Vulnerability Status Finding Notes
DG0051 V0003808 II Database job/batch queues
should be reviewed regularly
to detect unauthorized
database job submissions.
DG0052 V0003807 II All applications that access
the database should be
logged in the DBMS audit
trail where available.
DG0053 V0003809 II A single database
connection configuration file
should not be used to
configure all database clients.
DG0054 V0015611 III The audit logs should be
periodically monitored to
discover DBMS access
using unauthorized
applications.
DG0060 V0002424 II All database non-interactive,
n-tier connection, and
shared accounts that exist
should be documented and
approved by the IAO.
DG0063 V0015107 II DBMS privileges to restore
database data or other
DBMS configurations,
features or objects should be
restricted to authorized
DBMS accounts.
DG0064 V0015120 II DBMS backup and
restoration files should be
protected from unauthorized
access.
DG0065 V0003810 II DBMS authentication should
require use of a DoD PKI
certificate.
DG0066 V0003811 II Procedures for establishing
temporary passwords that
meet DoD password
requirements for new
accounts should be defined,
documented and
implemented.
PDI VMSID CAT Requirement Vulnerability Status Finding Notes
DG0067 V0003812 I Database passwords used
by batch and job processes
should be stored in
encrypted format.
DG0068 V0003813 II DBMS tools or applications
that echo or require a
password entry in clear text
should be protected from
password display.
DG0069 V0015140 II Procedures and restrictions
for import of production data
to development databases
should be documented,
implemented and followed.
DG0070 V0002508 II Unauthorized user accounts
should not exist.
DG0071 V0003815 II New passwords should be
required to differ from old
passwords by more than four
characters.
DG0073 V0003817 II Database accounts should
not specify account lock
times less than the site-
approved minimum.
DG0074 V0015130 II Unapproved inactive or
expired database accounts
should not be found on the
database.
DG0075 V0003818 II Unauthorized database links
should not be defined and
active.
DG0076 V0003819 II Sensitive information from
production database exports
should be modified after
import to a development
database.
DG0077 V0003820 II Production databases should
be protected from
unauthorized access by
developers on shared
production/development host
systems.
DG0078 V0015613 II Each database user,
application or process
should have an individually
assigned account.
DG0079 V0015152 II DBMS login accounts
require passwords to meet
complexity requirements.
PDI VMSID CAT Requirement Vulnerability Status Finding Notes
DG0080 V0003821 II Application user privilege
assignment should be
reviewed monthly or more
frequently to ensure
compliance with least
privilege and documented
policy.
DG0083 V0015102 II Automated notification of
suspicious activity detected
in the audit trail should be
implemented.
DG0085 V0015615 II The DBA role should not be
assigned excessive or
unauthorized privileges.
DG0086 V0015106 II DBA roles should be
periodically monitored to
detect assignment of
unauthorized or excess
privileges.
DG0087 V0015616 III Sensitive data should be
labeled.
DG0088 V0015112 III The DBMS should be
periodically tested for
vulnerability management
and IA compliance.
DG0089 V0015114 III Developers should not be
assigned excessive
privileges on production
databases.
DG0090 V0015131 II Sensitive information stored
in the database should be
protected by encryption.
DG0091 V0003823 III Custom and GOTS
application source code
stored in the database
should be protected with
encryption or encoding.
DG0092 V0015132 II Database data files
containing sensitive
information should be
encrypted.
PDI VMSID CAT Requirement Vulnerability Status Finding Notes
DG0093 V0003825 II Remote adminstrative
connections to the database
should be encrypted.
DG0095 V0003827 II Audit trail data should be
reviewed daily or more
frequently.
DG0096 V0015138 III The DBMS IA policies and
procedures should be
reviewed annually or more
frequently.
DG0097 V0015139 II Plans and procedures for
testing DBMS installations,
upgrades, and patches
should be defined and
followed prior to production
implementation.
DG0098 V0015617 II Access to external objects
should be disabled if not
required and authorized.
DG0099 V0015618 II Access to external DBMS
executables should be
disabled or restricted.
DG0100 V0015619 II Replication accounts should
not be granted DBA
privileges.
DG0101 V0015620 II OS accounts used to
execute external procedures
should be assigned
minimum privileges.
DG0102 V0015141 II DBMS processes or services
should run under custom,
dedicated OS accounts.
PDI VMSID CAT Requirement Vulnerability Status Finding Notes
DG0103 V0015621 II The DBMS listener should
restrict database access by
network address.
DG0104 V0015622 III DBMS service identification
should be unique and clearly
identifies the service.
DG0105 V0015128 II DBMS application user roles
should not be assigned
unauthorized privileges.
DG0106 V0015143 II Database data encryption
controls should be
configured in accordance
with application
requirements.
DG0107 V0015144 II Sensitive data is stored in
the database and should be
identified in the System
Security Plan and AIS
Functional Architecture
documentation.
DG0108 V0015145 III The DBMS restoration
priority should be assigned.
DG0109 V0015146 II The DBMS should not be
operated without
authorization on a host
system supporting other
application services.
DG0110 V0015179 II The DBMS should not share
a host supporting an
independent security service.
DG0111 V0015147 II The DBMS data files,
transaction logs and audit
files should be stored in
dedicated directories or disk
partitions separate from
software or other application
files.
PDI VMSID CAT Requirement Vulnerability Status Finding Notes
DG0112 V0015623 II DBMS system data files
should be stored in
dedicated disk directories.
DG0113 V0015624 II DBMS data files should be
dedicated to support
individual applications.
DG0115 V0015625 II Recovery procedures and
technical system features
exist to ensure that recovery
is done in a secure and
verifiable manner.
DG0116 V0015626 II Database privileged role
assignments should be
restricted to IAO-authorized
DBMS accounts.
DG0117 V0015627 II Administrative privileges
should be assigned to
database accounts via
database roles.
DG0118 V0015127 II The IAM should review
changes to DBA role
assignments.
DG0119 V0015628 II DBMS application users
should not be granted
administrative privileges to
the DBMS.
DG0120 V0015105 II Unauthorized access to
external database objects
should be removed from
application user roles.
DG0121 V0015629 II Application users privileges
should be restricted to
assignment using application
user roles.
DG0122 V0015630 II Access to sensitive data
should be restricted to
authorized users identified
by the Information Owner.
DG0123 V0015631 II Access to DBMS system
tables and other
configuration or metadata
should be restricted to DBAs.
DG0124 V0015632 II Use of DBA accounts should
be restricted to
administrative activities.
PDI VMSID CAT Requirement Vulnerability Status Finding Notes
DG0125 V0015153 II DBMS account passwords
should be set to expire every
60 days or more frequently.
DG0126 V0015633 II Password reuse should be
prevented where supported
by the DBMS.
DG0127 V0015634 II DBMS account passwords
should not be set to easily
guessed words or values.
DG0128 V0015635 I DBMS default accounts
should be assigned custom
passwords.
DG0129 V0015636 I Passwords should be
encrypted when transmitted
across the network.
DG0130 V0015637 II DBMS passwords used by
batch jobs or executables
should not be stored in the
job or executable files.
DG0133 V0015639 II Unlimited account lock times
should be specified for
locked accounts.
DG0135 V0015641 II Users should be alerted
upon login of previous
successful connections or
unsuccessful attempts to
access their account.
DG0138 V0015642 II Access grants to sensitive
data should be restricted to
authorized user roles.
DG0140 V0015643 II Access to DBMS security
should be audited.
DG0141 V0015644 II Attempts to bypass access
controls should be audited.
DG0142 V0015645 II Changes to configuration
options should be audited.
DG0145 V0015646 II Audit records should contain
required information.
DG0146 V0015647 II Audit records should include
the reason for blacklisting or
disabling DBMS connections
or accounts.
PDI VMSID CAT Requirement Vulnerability Status Finding Notes
DG0152 V0015148 II DBMS network
communications should
comply with PPS usage
restrictions.
DG0153 V0015149 III DBA roles assignments
should be assigned and
authorized by the IAO.
DG0154 V0015150 III The DBMS requires a
System Security Plan
containing all required
information.
DG0155 V0015649 II The DBMS should verify
trustworthiness of data and
configuration files at startup.
DG0157 V0015651 II Remote DBMS
administration should be
documented and authorized
or disabled.
DG0158 V0015652 II DBMS remote administration
should be audited.
DG0159 V0015118 II Remote administrative
access to the database
should be monitored by the
IAO or IAM.
DG0161 V0015103 II An automated tool that
monitors audit data and
immediately reports
suspicious activity should be
employed for the DBMS.
DG0165 V0015654 II DBMS symmetric keys
should be protected in
accordance with NSA or
NIST-approved key
management technology or
processes.
PDI VMSID CAT Requirement Vulnerability Status Finding Notes
DG0166 V0015142 II Asymmetric keys should use
DoD PKI Certificates and be
protected in accordance with
NIST (unclassified data) or
NSA (classified data)
approved key management
and processes.
DG0167 V0015104 I Sensitive data served by the
DBMS should be protected
by encryption when
transmitted across the
network.
DG0171 V0015656 II The DBMS should not have
a connection defined to
access or be accessed by a
DBMS at a different
classification level.
DG0172 V0015657 II Changes to DBMS security
labels should be audited.
DG0175 V0015116 II The DBMS host platform
and other dependent
applications should be
configured in compliance
with applicable STIG
requirements.
DG0176 V0015117 II The DBMS audit logs should
be included in backup
operations.
DG0179 V0015658 II The DBMS warning banner
should meet DoD policy
requirements.
DG0186 V0015122 II The database should not be
directly accessible from
public or unauthorized
networks.
DG0187 V0015121 II DBMS software libraries
should be periodically
backed up.
PDI VMSID CAT Requirement Vulnerability Status Finding Notes
DG0190 V0015154 II Credentials stored and used
by the DBMS to access
remote databases or
applications should be
authorized and restricted to
authorized users.
DG0191 V0015659 II Credentials used to access
remote databases should be
protected by encryption and
restricted to authorized users.
DG0192 V0015660 II Remote database or other
external access should use
fully-qualified names.
DG0194 V0015108 II Privileges assigned to
developers on shared
production and development
DBMS hosts and the DBMS
should be monitored every
three months or more
frequently for unauthorized
changes.
DG0195 V0015109 II DBMS production application
and data directories should
be protected from
developers on shared
production/development
DBMS host systems.
DG0198 V0015662 II Remote administration of the
DBMS should be restricted
to known, dedicated and
encrypted network
addresses and ports.
DO0120 V0003842 II The Oracle software
installation account should
not be granted excessive
host system privileges.
DO0140 V0002511 II Access to the Oracle SYS
and SYSTEM accounts
should be restricted to
authorized DBAs.
DO0145 V0003845 III OS DBA group membership
should be restricted to
authorized accounts.
PDI VMSID CAT Requirement Vulnerability Status Finding Notes
DO0155 V0003846 II Only authorized system
accounts should have the
SYSTEM tablespace
specified as the default
tablespace.
DO0157 V0003847 III Database application user
accounts should be denied
storage usage for object
creation within the database.
DO0190 V0002515 II The audit table should be
owned by SYS or SYSTEM.
DO0210 V0002516 II Access to default accounts
used to support replication
should be restricted to
authorized DBAs.
DO0220 V0002517 II Oracle instance names
should not contain Oracle
version numbers.
DO0221 V0003848 III The Oracle SID should not
be the default SID.
DO0231 V0003849 II Application owner accounts
should have a dedicated
application tablespace.
DO0233 V0015747 II The directory assigned to the
DIAGNOSTIC_DEST
parameter should be
protected from unauthorized
access.
DO0234 V0003850 II The directory assigned to the
AUDIT_FILE_DEST
parameter should be
protected from unauthorized
access.
DO0235 V0003851 II The directory assigned to the
USER_DUMP_DEST
parameter should be
protected from unauthorized
access.
DO0236 V0003852 II The directory assigned to the
BACKGROUND_DUMP_DE
ST parameter should be
protected from unauthorized
access.
DO0237 V0003853 II The directory assigned to the
CORE_DUMP_DEST
parameter should be
protected from unauthorized
access.
PDI VMSID CAT Requirement Vulnerability Status Finding Notes
DO0238 V0003854 II The directories assigned to
the LOG_ARCHIVE_DEST*
parameters should be
protected from unauthorized
access.
DO0240 V0002519 III The Oracle OS_ROLES
parameter should be set to
FALSE.
DO0243 V0003857 II The Oracle
_TRACE_FILES_PUBLIC
parameter if present should
be set to FALSE.
DO0250 V0002520 II Fixed user and public
database links should be
authorized for use.
DO0260 V0002521 II A minimum of two Oracle
control files should be
defined and configured to be
stored on separate, archived
physical disks or archived
partitions on a RAID device.
DO0270 V0002522 II A minimum of two Oracle
redo log groups/files should
be defined and configured to
be stored on separate,
archived physical disks or
archived directories on a
RAID device.
DO0286 V0003862 II The Oracle
INBOUND_CONNECT_TIME
OUT and
SQLNET.INBOUND_CONNE
CT_TIMEOUT parameters
should be set to a value
greater than 0.
DO0287 V0003863 II The Oracle
SQLNET.EXPIRE_TIME
parameter should be set to a
value greater than 0.
DO0320 V0003437 II Application role permissions
should not be assigned to
the Oracle PUBLIC role.
DO0340 V0003438 II Oracle application
administration roles should
be disabled if not required
and authorized.
PDI VMSID CAT Requirement Vulnerability Status Finding Notes
DO0350 V0003439 II Oracle system privileges
should not be directly
assigned to unauthorized
accounts.
DO0360 V0003440 II Connections by mid-tier web
and application systems to
the Oracle DBMS should be
protected, encrypted and
authenticated according to
database, web, application,
enclave and network
requirements.
DO0420 V0003865 III The XDB Protocol server
should be uninstalled if not
required and authorized for
use.
DO0430 V0003866 III The Oracle Management
Agent should be uninstalled
if not required and
authorized or is installed on
a database accessible from
the Internet.
DO3440 V0002527 II The DBA role should not be
granted to unauthorized user
accounts.
DO3447 V0002531 III The Oracle
OS_AUTHENT_PREFIX
parameter should be
changed from the default
value of OPS$.
DO3451 V0002533 II The Oracle WITH GRANT
OPTION privilege should not
be granted to non-DBA or
non-Application
administrator user accounts.
DO3475 V0002539 II Execute permission should
be revoked from PUBLIC for
restricted Oracle packages.
DO3536 V0002552 II The IDLE_TIME profile
parameter should be set for
Oracle profiles IAW DoD
policy.
DO3538 V0002554 I The Oracle
REMOTE_OS_AUTHENT
parameter should be set to
FALSE.
PDI VMSID CAT Requirement Vulnerability Status Finding Notes
DO3539 V0002555 I The Oracle
REMOTE_OS_ROLES
parameter should be set to
FALSE.
DO3540 V0002556 II The Oracle
SQL92_SECURITY
parameter should be set to
TRUE.
DO3546 V0002558 II The Oracle
REMOTE_LOGIN_PASSWO
RDFILE parameter should
be set to EXCLUSIVE or
NONE.
DO3609 V0002561 II System privileges granted
using the WITH ADMIN
OPTION should not be
granted to unauthorized user
accounts.
DO3610 V0002562 II Required object auditing
should be configured.
DO3612 V0002564 II System Privileges should not
be granted to PUBLIC.
DO3622 V0002574 II Oracle roles granted using
the WITH ADMIN OPTION
should not be granted to
unauthorized accounts.
DO3630 V0002608 I The Oracle Listener should
be configured to require
administration authentication.
DO3685 V0002586 III The Oracle
O7_DICTIONARY_ACCESSI
BILITY parameter should be
set to FALSE.
DO3686 V0002587 I Oracle accounts should not
have permission to view the
table SYS.LINK$ which
contain unencrypted
database link passwords.
DO3689 V0002589 II Object permissions granted
to PUBLIC should be
restricted.
DO3696 V0002593 II The Oracle
RESOURCE_LIMIT
parameter should be set to
TRUE.
DO3847 V0002607 II Oracle passwords should not
be stored unencrypted in the
spoolmain.log file.
PDI VMSID CAT Requirement Vulnerability Status Finding Notes
DO5037 V0002612 II Oracle SQLNet and listener
log files should not be
accessible to unauthorized
users.
DO6740 V0003497 II The Oracle Listener
ADMIN_RESTRICTIONS
parameter if present should
be set to ON.
DO6746 V0016031 III The Oracle listener.ora file
should specify IP addresses
rather than host names to
identify hosts.
DO6747 V0016032 II Remote administration
should be disabled for the
Oracle connection manager.
DO6748 V0016033 II Case sensitivity for
passwords should be
enabled.
DO6749 V0016035 II The Oracle
SEC_MAX_FAILED_LOGIN_
ATTEMPTS parameter
should be set to an IAO-
approved value between 1
and 3.
DO6750 V0016053 II The Oracle
SEC_PROTOCOL_ERROR_
FURTHER_ACTION
parameter should be set to a
value of DELAY or DROP.
DO6751 V0016057 II The SQLNet
SQLNET.ALLOWED_LOGO
N_VERSION parameter
should be set to a value of
10 or higher.
DO6752 V0016054 II The Oracle
SEC_PROTOCOL_ERROR_
TRACE_ACTION parameter
should not be set to NONE.
DO6753 V0016055 II Oracle Application Express
or Oracle HTML DB should
not be installed on a
production database.
PDI VMSID CAT Requirement Vulnerability Status Finding Notes
DO6754 V0016056 II Oracle Configuration
Manager should not remain
installed on a production
system.
Section
Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
Oracle 9i
Installation, Oracle
10g Installation
Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
Oracle 9i DB,
Oracle 11g DB
Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
Oracle 9i DB,
Oracle 11g DB
Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
Section
Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
Oracle 9i DB,
Oracle 11g DB
Oracle 9i DB,
Oracle 11g DB
Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
Section
Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
Oracle 9i DB,
Oracle 11g DB
Oracle 9i DB,
Oracle 11g DB
Oracle 9i DB,
Oracle 11g DB
Oracle 9i DB,
Oracle 11g DB
Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
Section
Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
Oracle 9i DB,
Oracle 11g DB
Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
Oracle 11g DB
Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
Section
Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
Oracle 9i DB,
Oracle 11g DB
Oracle 9i DB,
Oracle 11g DB
Oracle 9i DB,
Oracle 11g DB
Oracle 9i DB,
Oracle 11g DB
Oracle 9i DB,
Oracle 11g DB
Oracle 9i DB,
Oracle 11g DB
Oracle 9i DB,
Oracle 11g DB
Oracle 9i DB,
Oracle 11g DB
Oracle 9i DB,
Oracle 11g DB
Section
Oracle 9i DB,
Oracle 11g DB
Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
Oracle 9i DB,
Oracle 11g DB
Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
Oracle 9i DB,
Oracle 11g DB
Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
Oracle 9i DB,
Oracle 11g DB
Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
Oracle 9i DB,
Oracle 11g DB
Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
Section
Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
Oracle 9i DB,
Oracle 11g DB
Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
Oracle 9i DB,
Oracle 11g DB
Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
Section
Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
Oracle 9i DB,
Oracle 11g DB
Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
Section
Oracle 9i DB,
Oracle 11g DB
Oracle 9i DB,
Oracle 11g DB
Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
Oracle 9i DB,
Oracle 11g DB
Oracle 9i DB,
Oracle 11g DB
Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
Oracle 9i DB,
Oracle 11g DB
Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
Oracle 9i DB,
Oracle 11g DB
Oracle 9i DB,
Oracle 11g DB
Oracle 9i DB,
Oracle 11g DB
Oracle 9i DB,
Oracle 11g DB
Section
Oracle 9i DB,
Oracle 11g DB
Oracle 9i DB,
Oracle 11g DB
Oracle 9i DB,
Oracle 11g DB
Oracle 9i DB,
Oracle 11g DB
Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
Oracle 9i DB,
Oracle 11g DB
Oracle 9i DB,
Oracle 11g DB
Oracle 9i DB,
Oracle 11g DB
Oracle 9i DB,
Oracle 11g DB
Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
Oracle 9i DB,
Oracle 11g DB
Oracle 9i DB,
Oracle 11g DB
Oracle 9i DB,
Oracle 11g DB
Oracle 9i DB,
Oracle 11g DB
Section
Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
Oracle 9i DB,
Oracle 11g DB
Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
Oracle 9i DB,
Oracle 11g DB
Section
Oracle 9i DB,
Oracle 11g DB
Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
Oracle 9i DB,
Oracle 11g DB
Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
Section
Oracle 9i DB,
Oracle 11g DB
Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
Oracle 9i DB,
Oracle 11g DB
Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
Oracle 9i DB,
Oracle 11g DB
Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
Section
Oracle 9i DB,
Oracle 11g DB
Oracle 9i DB,
Oracle 11g DB
Oracle 9i DB,
Oracle 11g DB
Oracle 9i DB,
Oracle 11g DB
Oracle 9i DB,
Oracle 11g DB
Oracle 9i DB,
Oracle 11g DB
Oracle 9i DB,
Oracle 11g DB
Oracle 11g DB
Oracle 9i DB,
Oracle 11g DB
Oracle 9i DB
Oracle 9i DB
Oracle 9i DB
Section
Oracle 9i DB,
Oracle 11g DB
Oracle 9i DB,
Oracle 11g DB
Oracle 9i DB,
Oracle 11g DB
Oracle 9i DB,
Oracle 11g DB
Oracle 9i DB,
Oracle 11g DB
Oracle 9i DB,
Oracle 11g DB
Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
Oracle 9i DB,
Oracle 11g DB
Oracle 9i DB,
Oracle 11g DB
Section
Oracle 9i DB,
Oracle 11g DB
Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
Oracle 9i DB,
Oracle 11g DB
Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
Oracle 9i DB,
Oracle 11g DB
Oracle 9i DB,
Oracle 11g DB
Oracle 9i DB,
Oracle 11g DB
Oracle 9i DB,
Oracle 11g DB
Oracle 9i DB,
Oracle 11g DB
Oracle 9i DB,
Oracle 11g DB
Section
Oracle 9i DB,
Oracle 11g DB
Oracle 9i DB,
Oracle 11g DB
Oracle 9i DB,
Oracle 11g DB
Oracle 9i DB,
Oracle 11g DB
Oracle 9i DB,
Oracle 11g DB
Oracle 9i DB,
Oracle 11g DB
Oracle 9i DB,
Oracle 11g DB
Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
Oracle 9i DB,
Oracle 11g DB
Oracle 9i DB
Oracle 9i DB,
Oracle 11g DB
Oracle 9i DB,
Oracle 11g DB
Oracle 9i
Installation
Section
Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
Oracle 9i
Installation, Oracle
10g Installation,
Oracle 11g
Installation
Oracle 11g
Installation
Oracle 11g
Installation
Oracle 11g
Installation
Oracle 10g
Installation, Oracle
11g Installation
Oracle 11g
Installation
Oracle 10g
Installation, Oracle
11g Installation
Section
Oracle 10g
Installation, Oracle
11g Installation
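The parameter rows above (DO0240, DO3447, DO3538, DO3539, DO3540, DO3546, DO3685, DO3696, DO6748, DO6749, DO6750, DO6752) and the profile rows (DG0125, DG0126, DG0133, DO3536, DO6749) each state an exact expected value, so the review reduces to comparing the live setting with the checklist. The SQL*Plus script below is an added worked example, not part of the checklist and not Oracle tooling: it pulls the live values from V$PARAMETER and DBA_PROFILES and labels each NF (not a finding), FINDING, or CHECK (parameter absent in this release, or a site-specific value the reviewer must compare by hand). It assumes it is run as a DBA on an 11g instance; the test codes (EQ, NE, IN, SUB, RNG) and the NF/FINDING/CHECK labels are the script's own conventions.

```sql
-- Added example (not from the checklist): audit Oracle initialization
-- parameters and profile limits against the expected values stated above.
-- Run from SQL*Plus as a DBA. Assumes Oracle 11g; SEC_* parameters are
-- absent before 11g and report CHECK rather than FINDING.
SET LINESIZE 160
SET PAGESIZE 100
COLUMN pdi       FORMAT A7
COLUMN parameter FORMAT A36
COLUMN expected  FORMAT A18
COLUMN actual    FORMAT A22
COLUMN result    FORMAT A8

-- One row per checklist item: parameter, expected value and the comparison
-- to apply (EQ = equals, NE = differs from, IN = member of a |-delimited list,
-- SUB = contains DELAY or DROP, RNG = integer between 1 and 3).
WITH expected AS (
  SELECT 'DO0240' pdi, 'os_roles' parameter, 'FALSE' expected, 'EQ' test FROM dual UNION ALL
  SELECT 'DO3447', 'os_authent_prefix',                 'OPS$',             'NE'  FROM dual UNION ALL
  SELECT 'DO3538', 'remote_os_authent',                 'FALSE',            'EQ'  FROM dual UNION ALL
  SELECT 'DO3539', 'remote_os_roles',                   'FALSE',            'EQ'  FROM dual UNION ALL
  SELECT 'DO3540', 'sql92_security',                    'TRUE',             'EQ'  FROM dual UNION ALL
  SELECT 'DO3546', 'remote_login_passwordfile',         '|EXCLUSIVE|NONE|', 'IN'  FROM dual UNION ALL
  SELECT 'DO3685', 'o7_dictionary_accessibility',       'FALSE',            'EQ'  FROM dual UNION ALL
  SELECT 'DO3696', 'resource_limit',                    'TRUE',             'EQ'  FROM dual UNION ALL
  SELECT 'DO6748', 'sec_case_sensitive_logon',          'TRUE',             'EQ'  FROM dual UNION ALL
  SELECT 'DO6749', 'sec_max_failed_login_attempts',     '1-3',              'RNG' FROM dual UNION ALL
  SELECT 'DO6750', 'sec_protocol_error_further_action', 'DELAY or DROP',    'SUB' FROM dual UNION ALL
  SELECT 'DO6752', 'sec_protocol_error_trace_action',   'NONE',             'NE'  FROM dual
)
SELECT e.pdi, e.parameter, e.expected, NVL(p.value, '<not set>') AS actual,
       CASE
         WHEN p.value IS NULL THEN 'CHECK'   -- parameter does not exist in this release
         WHEN e.test = 'EQ'  THEN CASE WHEN UPPER(p.value) =  e.expected THEN 'NF' ELSE 'FINDING' END
         WHEN e.test = 'NE'  THEN CASE WHEN UPPER(p.value) <> e.expected THEN 'NF' ELSE 'FINDING' END
         WHEN e.test = 'IN'  THEN CASE WHEN INSTR(e.expected, '|' || UPPER(p.value) || '|') > 0
                                       THEN 'NF' ELSE 'FINDING' END
         WHEN e.test = 'SUB' THEN CASE WHEN INSTR(UPPER(p.value), 'DELAY') > 0
                                         OR INSTR(UPPER(p.value), 'DROP')  > 0
                                       THEN 'NF' ELSE 'FINDING' END
         WHEN e.test = 'RNG' THEN CASE WHEN TO_NUMBER(p.value) BETWEEN 1 AND 3
                                       THEN 'NF' ELSE 'FINDING' END
       END AS result
FROM   expected e
LEFT JOIN v$parameter p ON LOWER(p.name) = e.parameter
ORDER BY e.pdi;

-- DO0243 (_TRACE_FILES_PUBLIC) is a hidden parameter and is not exposed in
-- V$PARAMETER; as SYS, read it from X$KSPPI joined to X$KSPPCV instead.

-- Profile limits: DG0125 (life <= 60 days), DG0126 (reuse prevented),
-- DG0133 (lock time UNLIMITED), DO3536 (IDLE_TIME set), DO6749 (1-3 attempts).
-- A limit of DEFAULT in a non-DEFAULT profile inherits from the DEFAULT
-- profile, so it is reported as CHECK. IDLE_TIME has no number in the row,
-- so any finite value is reported as CHECK against the DoD/site value.
COLUMN profile       FORMAT A20
COLUMN resource_name FORMAT A24
COLUMN limit         FORMAT A12
SELECT profile, resource_name, limit,
       CASE resource_name
         WHEN 'PASSWORD_LIFE_TIME'    THEN CASE WHEN limit = 'UNLIMITED' THEN 'FINDING'
                                               WHEN limit = 'DEFAULT'   THEN 'CHECK'
                                               WHEN TO_NUMBER(limit) <= 60 THEN 'NF' ELSE 'FINDING' END
         WHEN 'PASSWORD_REUSE_MAX'    THEN CASE WHEN limit = 'UNLIMITED' THEN 'FINDING'
                                               WHEN limit = 'DEFAULT'   THEN 'CHECK' ELSE 'NF' END
         WHEN 'PASSWORD_LOCK_TIME'    THEN CASE WHEN limit = 'UNLIMITED' THEN 'NF'
                                               WHEN limit = 'DEFAULT'   THEN 'CHECK' ELSE 'FINDING' END
         WHEN 'IDLE_TIME'             THEN CASE WHEN limit = 'UNLIMITED' THEN 'FINDING' ELSE 'CHECK' END
         WHEN 'FAILED_LOGIN_ATTEMPTS' THEN CASE WHEN limit = 'UNLIMITED' THEN 'FINDING'
                                               WHEN limit = 'DEFAULT'   THEN 'CHECK'
                                               WHEN TO_NUMBER(limit) BETWEEN 1 AND 3 THEN 'NF' ELSE 'FINDING' END
       END AS result
FROM   dba_profiles
WHERE  resource_name IN ('PASSWORD_LIFE_TIME', 'PASSWORD_REUSE_MAX', 'PASSWORD_LOCK_TIME',
                         'IDLE_TIME', 'FAILED_LOGIN_ATTEMPTS')
ORDER BY profile, resource_name;
```

The nested CASE expressions are deliberate: Oracle evaluates CASE branches in order, so TO_NUMBER is only reached for values already known to be numeric, whereas a single `WHEN test = 'RNG' AND TO_NUMBER(value) ...` predicate can raise ORA-01722 on a boolean parameter because AND is not guaranteed to short-circuit. Password limits are still subject to profile assignment: a compliant DEFAULT profile does nothing for an account attached to a custom profile, which is why the second query lists every profile.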
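The grant and account rows above (DO0155, DO0157, DO0250/DG0075, DO3440, DO3451, DO3475, DO3609, DO3612, DO3622, DO3686, DO3689) are all answered from the data dictionary. The script below is an added worked example, not part of the checklist and not Oracle tooling: each query returns the rows a reviewer compares against the IAO-authorized lists, and an empty result is NF for the items marked "should return no rows". It assumes a DBA session on an 11g instance; the SYS/SYSTEM exclusion lists, the schema list for DO3689 and the package list for DO3475 are the script's own assumptions (11g has no ORACLE_MAINTAINED flag) and should be extended from the site's record of Oracle-supplied accounts.

```sql
-- Added example (not from the checklist): dictionary queries for the grant
-- and account rows above. Run from SQL*Plus as a DBA on Oracle 11g.
-- Exclusion lists are assumptions; extend them from site documentation.
SET LINESIZE 160
SET PAGESIZE 100

-- DO3612: system privileges granted to PUBLIC (should return no rows).
SELECT 'DO3612' AS pdi, privilege FROM dba_sys_privs WHERE grantee = 'PUBLIC';

-- DO3609 / DO3622: system privileges and roles held WITH ADMIN OPTION by
-- anything other than SYS and SYSTEM; every row needs an authorization record.
SELECT 'DO3609' AS pdi, grantee, privilege AS granted
FROM   dba_sys_privs
WHERE  admin_option = 'YES' AND grantee NOT IN ('SYS', 'SYSTEM')
UNION ALL
SELECT 'DO3622', grantee, granted_role
FROM   dba_role_privs
WHERE  admin_option = 'YES' AND grantee NOT IN ('SYS', 'SYSTEM')
ORDER BY 1, 2, 3;

-- DO3440: every direct grantee of the DBA role.
SELECT 'DO3440' AS pdi, grantee, admin_option FROM dba_role_privs WHERE granted_role = 'DBA';

-- DO3451: object privileges held WITH GRANT OPTION outside SYS and SYSTEM;
-- compare grantees with the DBA and application-administrator lists.
SELECT 'DO3451' AS pdi, grantee, owner || '.' || table_name AS obj, privilege
FROM   dba_tab_privs
WHERE  grantable = 'YES' AND grantee NOT IN ('SYS', 'SYSTEM')
ORDER BY grantee, obj;

-- DO3475: EXECUTE on restricted SYS packages still granted to PUBLIC
-- (should return no rows). Assumption: a representative package list; the
-- checklist's own list of restricted packages governs.
SELECT 'DO3475' AS pdi, table_name AS pkg
FROM   dba_tab_privs
WHERE  grantee = 'PUBLIC' AND owner = 'SYS' AND privilege = 'EXECUTE'
  AND  table_name IN ('UTL_FILE', 'UTL_HTTP', 'UTL_SMTP', 'UTL_TCP', 'UTL_INADDR',
                      'DBMS_JOB', 'DBMS_SCHEDULER', 'DBMS_LOB', 'DBMS_SQL', 'DBMS_RANDOM',
                      'DBMS_OBFUSCATION_TOOLKIT', 'DBMS_CRYPTO', 'DBMS_BACKUP_RESTORE',
                      'DBMS_SYS_SQL');

-- DO3686: direct grants on SYS.LINK$ (should return no rows), plus accounts
-- whose SELECT ANY DICTIONARY / SELECT ANY TABLE privilege reads it anyway.
SELECT 'DO3686' AS pdi, grantee, privilege
FROM   dba_tab_privs
WHERE  owner = 'SYS' AND table_name = 'LINK$'
UNION ALL
SELECT 'DO3686', grantee, privilege
FROM   dba_sys_privs
WHERE  privilege IN ('SELECT ANY DICTIONARY', 'SELECT ANY TABLE')
  AND  grantee NOT IN ('SYS', 'SYSTEM', 'DBA');

-- DO3689: object privileges granted to PUBLIC on application schemas.
-- Assumption: the excluded owners are Oracle-supplied schemas on this host.
SELECT 'DO3689' AS pdi, owner, table_name, privilege
FROM   dba_tab_privs
WHERE  grantee = 'PUBLIC'
  AND  owner NOT IN ('SYS', 'SYSTEM', 'XDB', 'WMSYS', 'CTXSYS', 'MDSYS', 'ORDSYS',
                     'EXFSYS', 'DBSNMP', 'OUTLN')
ORDER BY owner, table_name;

-- DO0250 / DG0075: PUBLIC and fixed-user database links; each one must be
-- authorized, and a fixed user means a stored credential (see DG0190/DG0191).
SELECT 'DO0250' AS pdi, owner, db_link, username, host
FROM   dba_db_links
WHERE  owner = 'PUBLIC' OR username IS NOT NULL;

-- DO0155 / DO0157: accounts defaulting to the SYSTEM tablespace, and accounts
-- that can consume storage without a quota via UNLIMITED TABLESPACE.
SELECT 'DO0155' AS pdi, username AS account, default_tablespace AS detail
FROM   dba_users
WHERE  default_tablespace = 'SYSTEM' AND username NOT IN ('SYS', 'SYSTEM', 'OUTLN')
UNION ALL
SELECT 'DO0157', grantee, privilege
FROM   dba_sys_privs
WHERE  privilege = 'UNLIMITED TABLESPACE' AND grantee NOT IN ('SYS', 'SYSTEM', 'DBA');
```

Two caveats when reading the output. Privileges reach accounts through roles as well as direct grants, so a clean DBA_SYS_PRIVS result for a user does not rule out the same privilege via a granted role; walk DBA_ROLE_PRIVS recursively before signing off DO0350 or DO3440. And DO3686 interacts with DO3685: with O7_DICTIONARY_ACCESSIBILITY set to TRUE, SELECT ANY TABLE reaches SYS.LINK$, which is why the script lists that privilege alongside direct grants.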
____ Checklist _V_R_ (<date>) <Test> - TN <Ticket Number>
PDI VMSID CAT Requirement Vulnerability Status Finding Notes Section
DG0001 V0005658 I Vendor supported software SQL7
is evaluated and patched Installation,
against newly found SQL8 2000
vulnerabilities. Installation,
SQL9 2005
Installation
DG0002 V0004758 II An upgrade/migration plan SQL7
should be developed to Installation,
address an unsupported SQL8 2000
DBMS software version. Installation,
SQL9 2005
Installation
DG0003 V0005659 II The latest security patches SQL7
should be installed. Installation,
SQL8 2000
Installation,
SQL9 2005
Installation
DG0004 V0005683 II Application object owner SQL7
accounts should be disabled Database,
when not performing SQL8 2000
installation or maintenance Database,
actions. SQL9 2005
Database
DG0005 V0006756 II Only necessary privileges to SQL7
the host system should be Installation,
granted to DBA OS accounts. SQL8 2000
Installation,
SQL9 2005
Installation
Legend:
R or RAE = Required Ancillary Equipment
NF = Not a Finding
NA = Not Applicable 208 of 1298
____ Checklist _V_R_ (<date>) <Test> - TN <Ticket Number>
PDI VMSID CAT Requirement Vulnerability Status Finding Notes Section
DG0007 V0006767 II The database should be SQL7
secured in accordance with Installation,
DoD, vendor and/or SQL8 2000
commercially accepted Installation,
practices where applicable. SQL9 2005
Installation
DG0008 V0015607 II Application objects should SQL7
be owned by accounts Database,
authorized for ownership. SQL8 2000
Database,
SQL9 2005
Database
DG0009 V0015608 II Access to DBMS software SQL7
files and directories should Installation,
not be granted to SQL8 2000
unauthorized users. Installation,
SQL9 2005
Installation
DG0010 V0002420 III Database executable and SQL7
configuration files should be Installation,
monitored for unauthorized SQL8 2000
modifications. Installation,
SQL9 2005
Installation
DG0011 V0003726 III Configuration management SQL7
procedures should be Installation,
defined and implemented for SQL8 2000
database software Installation,
modifications. SQL9 2005
Installation
Legend:
R or RAE = Required Ancillary Equipment
NF = Not a Finding
NA = Not Applicable 209 of 1298
____ Checklist _V_R_ (<date>) <Test> - TN <Ticket Number>
PDI VMSID CAT Requirement Vulnerability Status Finding Notes Section
DG0012 V0004754 II Database software SQL7
directories including DBMS Installation,
configuration files are stored SQL8 2000
in dedicated directories Installation,
separate from the host OS SQL9 2005
and other applications. Installation
DG0013 V0015126 II Database backup SQL7
procedures should be Installation,
defined, documented and SQL8 2000
implemented. Installation,
SQL9 2005
Installation
DG0014 V0015609 II Default demonstration and SQL7
sample database objects Installation,
and applications should be SQL8 2000
removed. Installation,
SQL9 2005
Installation
DG0015 V0003727 III Database applications SQL7
should be restricted from Database,
using static DDL statements SQL8 2000
to modify the application Database,
schema. SQL9 2005
Database
DG0016 V0003728 III Unused database SQL7
components, database Installation,
application software and SQL8 2000
database objects should be Installation,
removed from the DBMS SQL9 2005
system. Installation
Legend:
R or RAE = Required Ancillary Equipment
NF = Not a Finding
NA = Not Applicable 210 of 1298
____ Checklist _V_R_ (<date>) <Test> - TN <Ticket Number>
PDI VMSID CAT Requirement Vulnerability Status Finding Notes Section
DG0017 | V0003803 | II | A production DBMS installation should not coexist on the same DBMS host with other, non-production DBMS installations. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0019 | V0003805 | III | Application software should be owned by a Software Application account. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0020 | V0015129 | II | Backup and recovery procedures should be developed, documented, implemented and periodically tested. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0021 | V0003806 | II | A baseline of database application software should be documented and maintained. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0025 | V0015610 | II | DBMS should use NIST FIPS 140-2 validated cryptography. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0029 | V0005685 | II | Required auditing parameters for database auditing should be set. | SQL8 2000 Installation, SQL9 2005 Installation
DG0030 | V0002507 | II | Audit trail data should be retained for one year. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0031 | V0015133 | II | Transaction logs should be periodically reviewed for unauthorized modification of data. Users should be notified of time and date of the last change in data content. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0032 | V0005686 | II | Audit records should be restricted to authorized individuals. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0040 | V0002422 | II | The DBMS software installation account should be restricted to authorized users. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0041 | V0015110 | II | Use of the DBMS installation account should be logged. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0042 | V0015111 | II | Use of the DBMS software installation account should be restricted to DBMS software installation, upgrade and maintenance actions. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0050 | V0002423 | II | Database software, applications and configuration files should be monitored to discover unauthorized changes. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0051 | V0003808 | II | Database job/batch queues should be reviewed regularly to detect unauthorized database job submissions. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0052 | V0003807 | II | All applications that access the database should be logged in the DBMS audit trail where available. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0054 | V0015611 | III | The audit logs should be periodically monitored to discover DBMS access using unauthorized applications. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0060 | V0002424 | II | All database non-interactive, n-tier connection, and shared accounts that exist should be documented and approved by the IAO. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0063 | V0015107 | II | DBMS privileges to restore database data or other DBMS configurations, features or objects should be restricted to authorized DBMS accounts. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0064 | V0015120 | II | DBMS backup and restoration files should be protected from unauthorized access. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0065 | V0003810 | II | DBMS authentication should require use of a DoD PKI certificate. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0066 | V0003811 | II | Procedures for establishing temporary passwords that meet DoD password requirements for new accounts should be defined, documented and implemented. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0067 | V0003812 | I | Database account passwords should be stored in encoded or encrypted format whether stored in database objects, external host files, environment variables or any other storage locations. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0068 | V0003813 | II | DBMS tools or applications that echo or require a password entry in clear text should be protected from password display. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0069 | V0015140 | II | Procedures and restrictions for import of production data to development databases should be documented, implemented and followed. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0070 | V0002508 | II | Unauthorized user accounts should not exist. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0071 | V0003815 | II | New passwords should be required to differ from old passwords by more than four characters. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0072 | V0015612 | II | Database password changes by users should be limited to one change within 24 hours where supported by the DBMS. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0073 | V0003817 | II | Database accounts should not specify account lock times less than the site-approved minimum. | SQL7 Database, SQL8 2000 Database, SQL9 2005 Database
DG0074 | V0015130 | II | Unapproved inactive or expired database accounts should not be found on the database. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0075 | V0003818 | II | Unauthorized database links should not be defined and active. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0076 | V0003819 | II | Sensitive information from production database exports should be modified after import to a development database. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0077 | V0003820 | II | Production databases should be protected from unauthorized access by developers on shared production/development host systems. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0078 | V0015613 | II | Each database user, application or process should have an individually assigned account. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0079 | V0015152 | II | DBMS login accounts require passwords to meet complexity requirements. | SQL8 2000 Installation, SQL9 2005 Installation
DG0080 | V0003821 | II | Application user privilege assignment should be reviewed monthly or more frequently to ensure compliance with least privilege and documented policy. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0083 | V0015102 | II | Automated notification of suspicious activity detected in the audit trail should be implemented. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0084 | V0015614 | III | The DBMS should be configured to clear residual data from memory, data objects and files, and other storage locations. | SQL9 2005 Installation
DG0085 | V0015615 | II | The DBA role should not be assigned excessive or unauthorized privileges. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0086 | V0015106 | II | DBA roles should be periodically monitored to detect assignment of unauthorized or excess privileges. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0087 | V0015616 | III | Sensitive data should be labeled. | SQL9 2005 Installation
DG0088 | V0015112 | III | The DBMS should be periodically tested for vulnerability management and IA compliance. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0089 | V0015114 | III | Developers should not be assigned excessive privileges on production databases. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0090 | V0015131 | II | Sensitive information stored in the database should be protected by encryption. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0091 | V0003823 | III | Custom and GOTS application source code stored in the database should be protected with encryption or encoding. | SQL7 Database, SQL8 2000 Database, SQL9 2005 Database
DG0092 | V0015132 | II | Database data files containing sensitive information should be encrypted. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0093 | V0003825 | II | Remote administrative connections to the database should be encrypted. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0095 | V0003827 | II | Audit trail data should be reviewed daily or more frequently. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0096 | V0015138 | III | The DBMS IA policies and procedures should be reviewed annually or more frequently. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0097 | V0015139 | II | Plans and procedures for testing DBMS installations, upgrades, and patches should be defined and followed prior to production implementation. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0098 | V0015617 | II | Access to external objects should be disabled if not required and authorized. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0099 | V0015618 | II | Access to external DBMS executables should be disabled or restricted. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0100 | V0015619 | II | Replication accounts should not be granted DBA privileges. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0101 | V0015620 | II | OS accounts used to execute external procedures should be assigned minimum privileges. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0102 | V0015141 | II | DBMS processes or services should run under custom, dedicated OS accounts. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0104 | V0015622 | III | DBMS service identification should be unique and should clearly identify the service. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0105 | V0015128 | II | DBMS application user roles should not be assigned unauthorized privileges. | SQL7 Database, SQL8 2000 Database, SQL9 2005 Database
DG0106 | V0015143 | II | Database data encryption controls should be configured in accordance with application requirements. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0107 | V0015144 | II | Sensitive data stored in the database should be identified in the System Security Plan and AIS Functional Architecture documentation. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0108 | V0015145 | III | The DBMS restoration priority should be assigned. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0109 | V0015146 | II | The DBMS should not be operated without authorization on a host system supporting other application services. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0110 | V0015179 | II | The DBMS should not share a host supporting an independent security service. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0111 | V0015147 | II | The DBMS data files, transaction logs and audit files should be stored in dedicated directories or disk partitions separate from software or other application files. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0114 | V0015119 | II | DBMS files critical for DBMS recovery should be stored on RAID or other high-availability storage devices. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0115 | V0015625 | II | Recovery procedures and technical system features exist to ensure that recovery is done in a secure and verifiable manner. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0116 | V0015626 | II | Database privileged role assignments should be restricted to IAO-authorized DBMS accounts. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0117 | V0015627 | II | Administrative privileges should be assigned to database accounts via database roles. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0118 | V0015127 | II | The IAM should review changes to DBA role assignments. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0119 | V0015628 | II | DBMS application users should not be granted administrative privileges to the DBMS. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0120 | V0015105 | II | Unauthorized access to external database objects should be removed from application user roles. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0121 | V0015629 | II | Application user privileges should be restricted to assignment using application user roles. | SQL7 Database, SQL8 2000 Database, SQL9 2005 Database
DG0122 | V0015630 | II | Access to sensitive data should be restricted to authorized users identified by the Information Owner. | SQL7 Database, SQL8 2000 Database, SQL9 2005 Database
DG0123 | V0015631 | II | Access to DBMS system tables and other configuration or metadata should be restricted to DBAs. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0124 | V0015632 | II | Use of DBA accounts should be restricted to administrative activities. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0125 | V0015153 | II | DBMS account passwords should be set to expire every 60 days or more frequently. | SQL9 2005 Installation
DG0127 | V0015634 | II | DBMS account passwords should not be set to easily guessed words or values. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0128 | V0015635 | I | DBMS default accounts should be assigned custom passwords. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0129 | V0015636 | I | Passwords should be encrypted when transmitted across the network. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0130 | V0015637 | II | DBMS passwords should not be stored in compiled, encoded or encrypted batch jobs or compiled, encoded or encrypted application source code. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0131 | V0015638 | III | DBMS default account names should be changed. | SQL9 2005 Installation
DG0133 | V0015639 | II | Unlimited account lock times should be specified for locked accounts. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0138 | V0015642 | II | Access grants to sensitive data should be restricted to authorized user roles. | SQL7 Database, SQL8 2000 Database, SQL9 2005 Database
DG0140 | V0015643 | II | Access to DBMS security should be audited. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0141 | V0015644 | II | Attempts to bypass access controls should be audited. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0142 | V0015645 | II | Changes to configuration options should be audited. | SQL9 2005 Installation
DG0145 | V0015646 | II | Audit records should contain required information. | SQL8 2000 Installation, SQL9 2005 Installation
DG0151 | V0015648 | II | Access to the DBMS should be restricted to static, default network ports. | SQL9 2005 Installation
DG0152 | V0015148 | II | DBMS network communications should comply with PPS usage restrictions. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0153 | V0015149 | III | DBA role assignments should be assigned and authorized by the IAO. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0154 | V0015150 | III | The DBMS requires a System Security Plan containing all required information. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0155 | V0015649 | II | The DBMS should have configured all applicable settings to use trusted files, functions, features, or other components during startup, shutdown, aborts, or other unplanned interruptions. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0157 | V0015651 | II | Remote DBMS administration should be documented and authorized or disabled. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0158 | V0015652 | II | DBMS remote administration should be audited. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0159 | V0015118 | II | Remote administrative access to the database should be monitored by the IAO or IAM. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0161 | V0015103 | II | An automated tool that monitors audit data and immediately reports suspicious activity should be employed for the DBMS. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0165 | V0015654 | II | DBMS symmetric keys should be protected in accordance with NSA or NIST-approved key management technology or processes. | SQL9 2005 Database
DG0166 | V0015142 | II | Asymmetric keys should use DoD PKI Certificates and be protected in accordance with NIST (unclassified data) or NSA (classified data) approved key management and processes. | SQL9 2005 Database
DG0167 | V0015104 | I | Sensitive data served by the DBMS should be protected by encryption when transmitted across the network. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0171 | V0015656 | II | The DBMS should not have a connection defined to access or be accessed by a DBMS at a different classification level. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0172 | V0015657 | II | Changes to DBMS security labels should be audited. | SQL9 2005 Database
DG0175 | V0015116 | II | The DBMS host platform and other dependent applications should be configured in compliance with applicable STIG requirements. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0176 | V0015117 | II | The DBMS audit logs should be included in backup operations. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0179 | V0015658 | II | The DBMS warning banner should meet DoD policy requirements. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0186 | V0015122 | II | The database should not be directly accessible from public or unauthorized networks. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0187 | V0015121 | II | DBMS software libraries should be periodically backed up. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0190 | V0015154 | II | Credentials stored and used by the DBMS to access remote databases or applications should be authorized and restricted to authorized users. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0194 | V0015108 | II | Privileges assigned to developers on shared production and development DBMS hosts and the DBMS should be monitored every three months or more frequently for unauthorized changes. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0195 | V0015109 | II | DBMS production application and data directories should be protected from developers on shared production/development DBMS host systems. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DG0198 | V0015662 | II | Remote administration of the DBMS should be restricted to known, dedicated and encrypted network addresses and ports. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DM0510 | V0002426 | II | C2 Audit mode should be enabled or custom audit traces defined. | SQL8 2000 Installation, SQL9 2005 Installation
DM0530 | V0002427 | II | Fixed Server roles should have only authorized users or groups assigned as members. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DM0531 | V0015151 | II | Fixed Database roles should have only authorized users or groups as members. | SQL7 Database, SQL8 2000 Database, SQL9 2005 Database
DM0660 | V0002436 | II | MS SQL Server Instance name should not include a SQL Server or other software version number. | SQL8 2000 Installation, SQL9 2005 Installation
DM0900 | V0003335 | II | SQL Mail, SQL Mail Extended Stored Procedures (XPs) and Database Mail XPs are required and enabled. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DM0901 | V0003336 | II | SQL Server Agent email notification usage, if enabled, should be documented and approved by the IAO. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DM0919 | V0015170 | II | SQL Server services should be assigned least privileges on the SQL Server Windows host. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DM0920 | V0003832 | II | A Windows OS DBA group should exist. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DM0921 | V0003833 | II | Windows OS DBA group should contain only authorized users. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DM0924 | V0003835 | II | The SQL Server service should use a least-privileged local or domain user account. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DM0927 | V0003838 | II | SQL Server registry keys should be properly secured. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DM0928 | V0015169 | II | The SQL Server services should not be assigned excessive user rights. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DM0929 | V0015134 | II | The Integration Services service account should not be assigned excess host system privileges. | SQL9 2005 Installation
DM0933 | V0015155 | II | The SQL Server Agent service account should not be assigned excess user rights. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DM1709 | V0002451 | II | The guest user account should be disabled. | SQL7 Database, SQL8 2000 Database, SQL9 2005 Database
DM1715 | V0002457 | II | Object permission assignments should be authorized. | SQL7 Database, SQL8 2000 Database, SQL9 2005 Database
DM1749 | V0002458 | II | Permissions on system tables should be restricted to authorized accounts. | SQL7 Database, SQL8 2000 Database, SQL9 2005 Database
DM1757 | V0002460 | II | Direct access to system table updates should be disabled. | SQL7 Installation, SQL8 2000 Installation
DM1758 | V0002461 | I | Extended stored procedure xp_cmdshell should be restricted to authorized accounts. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DM1760 | V0002463 | II | DDL permissions should be granted only to authorized accounts. | SQL7 Database, SQL8 2000 Database, SQL9 2005 Database
DM1761 | V0002464 | II | Execute stored procedures at startup, if enabled, should have a custom audit trace defined. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DM2095 | V0002472 | II | OLE Automation extended stored procedures should be restricted to sysadmin access. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DM2119 | V0002473 | II | Registry extended stored procedures should be restricted to sysadmin access. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DM2142 | V0002485 | II | Remote access should be disabled if not authorized. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DM3566 | V0002487 | II | SQL Server authentication mode should be set to Windows authentication mode or Mixed mode. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DM3763 | V0002488 | II | SQL Server Agent CmdExec or ActiveScripting jobs should be restricted to sysadmins. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DM3930 | V0015137 | II | Error log retention should be set to meet log retention policy. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DM5144 | V0002498 | II | Permissions using the WITH GRANT OPTION should be granted only to DBA or application administrator accounts. | SQL7 Database, SQL8 2000 Database, SQL9 2005 Database
DM5267 | V0002500 | II | Trace Rollover should be enabled for audit traces that have a maximum trace file size. | SQL8 2000 Installation, SQL9 2005 Installation
DM6015 | V0015124 | II | The Named Pipes network protocol should be documented and approved if enabled. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DM6030 | V0015176 | II | SQL Server event forwarding, if enabled, should be operational. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DM6045 | V0015125 | II | Only authorized users should be assigned permissions to SQL Server Agent proxies. | SQL9 2005 Installation
DM6065 | V0015113 | II | SQL Server replication agents should be run under separate and dedicated OS accounts. | SQL9 2005 Installation
DM6070 | V0015178 | II | Replication databases should have authorized db_owner role members. The replication monitor role should have authorized members. | SQL7 Installation, SQL8 2000 Installation, SQL9 2005 Installation
DM6075 | V0015182 | II | Replication snapshot folders should be protected from unauthorized access. | SQL9 2005 Installation
DM6085 | V0015183 | II | The Analysis Services ad hoc data mining queries configuration option should be disabled if not required. | SQL9 2005 Installation
DM6086 | V0015184 | II | Analysis Services Anonymous Connections should be disabled. | SQL9 2005 Installation
DM6087 | V0015204 | II | Analysis Services Links to Objects should be disabled if not required. | SQL9 2005 Installation
DM6088 | V0015186 | II | Analysis Services Links From Objects should be disabled if not required. | SQL9 2005 Installation
DM6099 | V0015181 | II | Analysis Services user-defined COM functions should be disabled if not required. | SQL9 2005 Installation
DM6101 | V0015188 | I | Analysis Services Required Protection Level should be set to 1. | SQL9 2005 Installation
DM6103 | V0015190 | II | Analysis Services Security Package List should be disabled if not required. | SQL9 2005 Installation
DM6108 | V0015193 | II | The Analysis Services server role should be restricted to authorized users. | SQL9 2005 Installation
DM6109 | V0015194 | II | Only authorized accounts should be assigned to one or more Analysis Services database roles. | SQL9 2005 Installation
DM6120 | V0015199 | III | Reporting Services Web service requests and HTTP access should be disabled if not required. | SQL9 2005 Installation
DM6121 | V0015205 | III | Reporting Services scheduled events and report delivery should be disabled if not required. | SQL9 2005 Installation
DM6122 | V0015203 | II | Reporting Services Windows Integrated Security should be disabled. | SQL9 2005 Installation
DM6123 | V0015202 | III | Use of Command Language Runtime objects should be disabled if not required. | SQL9 2005 Installation
DM6126 | V0015206 | II | Only authorized XML Web Service endpoints should be configured on the server. | SQL9 2005 Installation
DM6128 | V0015165 | II | Only authorized service broker endpoints should be configured on the server. | SQL9 2005 Installation
DM6130 | V0015198 | II | The Web Assistant procedures configuration option should be disabled if not required. | SQL9 2005 Installation
DM6140 | V0015197 | II | Dedicated accounts should be designated for SQL Server Agent proxies. | SQL9 2005 Installation
DM6145 | V0015196 | II | Only authorized SQL Server proxies should be assigned access to subsystems. | SQL9 2005 Installation
DM6150 | V0015201 | II | Cross database ownership chaining, if required, should be documented and authorized by the IAO. | SQL9 2005 Installation
DM6155 | V0015187 | II | Linked server providers should not allow ad hoc access. | SQL9 2005 Installation
Legend:
R or RAE = Required Ancillary Equipment
NF = Not a Finding
NA = Not Applicable 238 of 1298
____ Checklist _V_R_ (<date>) <Test> - TN <Ticket Number>
PDI VMSID CAT Requirement Vulnerability Status Finding Notes Section
DM6160 V0015166 II Database Engine Ad Hoc SQL9 2005
distributed queries should be Installation
disabled.
DM6175 V0015159 II The Database Master key SQL9 2005
encryption password should Database
meet DoD password
complexity requirements.
DM6179 V0015161 II The Database Master Key SQL9 2005
should be encrypted by the Database
Service Master Key where
required.
DM6180 V0015162 II Database Master Key SQL9 2005
passwords shoud not be Database
stored in credentials within
the database.
DM6183 V0015168 II Symmetric keys should use SQL9 2005
a master key, certificate, or Database
asymmetric key to encrypt
the key.
DM6184 V0015164 II Asymmetric keys should be SQL9 2005
derived from DoD PKI Database
certificates.
DM6185 V0015185 II Asymmetric private key SQL9 2005
encryption should use an Database
authorized encryption type.
DM6188 V0015177 II The Service Master Key SQL9 2005
should be backed up, stored Database
offline and off site.
DM6189 V0015167 II The data directory should SQL7
specify a dedicated disk Installation,
partition and restricted SQL8 2000
access. Installation,
SQL9 2005
Installation
DM6193 V0015180 II Only authorized users SQL9 2005
should be granted access to Installation
Analysis Services data
sources.
DM6195 V0015173 II Database TRUSTWORTHY SQL9 2005
status should be authorized Installation
and documented or set to off.
Legend:
R or RAE = Required Ancillary Equipment
NF = Not a Finding
NA = Not Applicable 239 of 1298
____ Checklist _V_R_ (<date>) <Test> - TN <Ticket Number>
PDI VMSID CAT Requirement Vulnerability Status Finding Notes Section
DM6196 V0015172 II Object permissions should SQL7
not be assigned to PUBLIC Database,
or GUEST. SQL8 2000
Database,
SQL9 2005
Database
DM6197 V0015171 II Predefined roles should not SQL7
be assigned to GUEST. Database,
SQL8 2000
Database
DM6198 V0015210 II The Agent XPs option SQL9 2005
should be set to disabled if Installation
not required.
DM6199 V0015211 II The SMO and DMO SPs SQL9 2005
option should be set to Installation
disabled if not required.
Legend:
R or RAE = Required Ancillary Equipment
NF = Not a Finding
NA = Not Applicable 240 of 1298

PDI | VMSID | CAT | Requirement | Vulnerability Status | Finding Notes | Section
--- | --- | --- | --- | --- | --- | ---
DNS0100 | V0013032 | II | A name server is not protected by equivalent or better physical access controls than the clients it supports. | | | DNS Policy
DNS0110 | V0013034 | II | The DNS log archival requirements do not meet or exceed the log archival requirements of the operating system on which the DNS software resides. | | | DNS Policy
DNS0115 | V0013035 | II | DNS logs are not reviewed daily, or a real-time log analysis or network management tool is not employed to immediately alert an administrator of critical DNS system messages. | | | DNS Policy
DNS0120 | V0013036 | III | A list of personnel authorized to administer each zone and name server is not maintained. | | | DNS Policy
DNS0125 | V0013314 | II | A zone or name server does not have a backup administrator. | | | DNS Policy
DNS0130 | V0013037 | III | A patch and DNS software upgrade log, to include the identity of the administrator and the date and time each patch or upgrade was implemented, is not maintained. | | | DNS Policy
DNS0135 | V0013038 | II | Operating procedures do not require that DNS configuration, keys, zones, and resource record data are backed up on any day on which there are changes. | | | DNS Policy
DNS0140 | V0013039 | II | Configuration change logs and justification for changes are not maintained. | | | DNS Policy
DNS0145 | V0013040 | II | Written procedures for the replacement of cryptographic keys used to secure DNS transactions do not exist. | | | DNS Policy
DNS0150 | V0013041 | II | The IAO has not established written procedures for the process of updating zone records, who is authorized to submit and approve update requests, how the DNS administrator verifies the identity of the person from whom he/she received the request, and how the DNS administrator documents any changes made. | | | DNS Policy
DNS0160 | V0013050 | III | The DNS architecture is not documented to include specific roles for each DNS server, the security controls in place, and what networks are able to query each server. | | | DNS Policy
DNS0170 | V0013313 | II | The underlying operating system of the DNS server is not in compliance with the appropriate OS STIG. | | | DNS Policy
DNS0175 | V0013051 | I | The DNS server software is either installed on or enabled on an operating system that is no longer supported by the vendor. | | | DNS Policy
DNS0185 | V0013053 | III | The contents of zones are not reviewed at least annually. | | | DNS Policy
DNS0190 | V0013052 | III | The SA has not subscribed to ISC's mailing list "bind announce" for updates on vulnerabilities and software notifications. | | | DNS Policy
DNS0200 | V0013042 | I | An authoritative master name server does not have at least one and preferably two or more active slave servers for each of its zones. The slave server does not reside on a separate host. | | | DNS Policy
DNS0205 | V0013043 | I | Name servers authoritative for a zone are not located on separate network segments if the host records described in the zone are themselves located across more than one network segment. | | | DNS Policy
DNS0210 | V0013044 | II | A zone includes hosts located in more than one building or site, yet at least one of the authoritative name servers supporting the zone is not as geographically and topologically distributed as the most remote host. | | | DNS Policy
DNS0215 | V0013045 | III | Private IP space is used within an Enclave without the use of split DNS to prevent private IPs from leaking into the public DNS system. | | | DNS Policy
DNS0220 | V0013046 | III | The DNS database administrator has not documented the owner of each zone (or group of related records) and the date the zone was created, last modified, or verified. This documentation will preferably reside in the zone file itself through comments, but if this is not feasible, the DNS database administrator will maintain a separate database for this purpose. | | | DNS Policy
DNS0225 | V0004467 | III | Record owners will validate their zones no less than annually. The DNS database administrator will remove all zone records that have not been validated in over a year. | | | BIND DNS, Cisco CSS DNS, Windows DNS
DNS0230 | V0004468 | III | Resource records for a host in a zone file are included and their fully qualified domain name resides in another zone. The exception is a glue record or CNAME record supporting a system migration. | | | BIND DNS, Windows DNS
DNS0235 | V0004469 | III | Zone-spanning CNAME records that point to a zone with lesser security are active for more than six months. | | | BIND DNS, Cisco CSS DNS, Windows DNS
DNS0240 | V0004470 | I | The DNS database administrator has not ensured each NS record in a zone file points to an active name server authoritative for the domain specified in that record. | | | BIND DNS, Windows DNS
DNS0250 | V0012440 | III | A unique TSIG key is not generated and utilized for each type of transaction. | | | BIND DNS
DNS0260 | V0012479 | II | Computer accounts for DHCP servers are members of the DNSUpdateProxy group. | | | Windows DNS
DNS0400 | V0013047 | II | The name server software on production name servers is not BIND, Windows 2000 or later DNS, or alternatives with equivalent security functionality and support, configured in a manner to satisfy the general security requirements listed in the STIG. The only currently approved alternative is CISCO CSS DNS. | | | DNS Policy
DNS0402 | V0014763 | I | The name server software on production name servers is not BIND, Windows 2003 or later DNS, or alternatives with equivalent vendor support, configured in a manner to satisfy the general security requirements listed in the STIG. The only currently approved alternative is CISCO CSS DNS. | | | DNS Policy
DNS0405 | V0013048 | II | Hosts outside an enclave can directly query or request a zone transfer from a name server that resides on the internal network (i.e., not in a DMZ). | | | DNS Policy
DNS0415 | V0004473 | II | DNS software does not run on dedicated (running only those services required for DNS) hardware. The only currently accepted exception to this requirement is Windows 2000/2003 DNS, which must run on a domain controller that is integrated with Active Directory services. | | | BIND DNS, Windows DNS
DNS0420 | V0004475 | II | Permissions on files containing DNS encryption keys are inadequate. | | | BIND DNS, Windows DNS
DNS0425 | V0004476 | II | Users and/or processes other than the DNS software Process ID (PID) and/or the DNS database administrator have edit/write access to the zone database files. | | | BIND DNS, Windows DNS
DNS0430 | V0004477 | II | Users or processes other than the DNS software administrator and the DNS software PID have read access to the DNS software configuration files, and/or users other than the DNS software administrator have write access to these files. | | | BIND DNS, Windows DNS
DNS0435 | V0004478 | II | The name server's IP address is NOT statically defined and configured locally on the server. The name server has a DHCP address. | | | BIND DNS, Windows DNS
DNS0440 | V0004479 | II | An integrity checking tool is not installed or not monitoring for modifications to the root.hints and named.conf files. | | | BIND DNS, Windows DNS
DNS0445 | V0004480 | II | A cryptographic key used to secure DNS transactions has been utilized on a name server for more than one year. | | | BIND DNS
DNS0450 | V0004481 | I | Dynamic updates are not cryptographically authenticated. | | | BIND DNS, Windows DNS
DNS0455 | V0004482 | I | The DNS software administrator will configure each master/slave server supporting a zone to cryptographically authenticate zone transfers. | | | BIND DNS, Windows DNS
DNS0460 | V0004483 | II | A zone master server does not limit zone transfers to a list of active slave name servers authoritative for that zone. | | | BIND DNS, Windows DNS
DNS0470 | V0004485 | II | A name server is not configured to only accept notifications of zone changes from a host authoritative for that zone. | | | BIND DNS, Windows DNS
DNS0475 | V0004486 | II | Recursion is not prohibited on an authoritative name server. | | | BIND DNS, Windows DNS
DNS0480 | V0004487 | II | A caching name server does not restrict recursive queries to only the IP addresses and IP address ranges of known supported clients. | | | BIND DNS, Windows DNS
DNS0482 | V0012774 | II | The forwarding configuration of DNS servers allows the forwarding of queries to servers controlled by organizations outside of the U.S. Government. | | | BIND DNS, Windows DNS
DNS0485 | V0004488 | I | The DNS software does not log, at a minimum, success and failure of starting and stopping of the name server service daemon, zone transfers, zone update notifications, and dynamic updates. | | | BIND DNS, Windows DNS
DNS0490 | V0004489 | II | The DNS software administrator has not configured the DNS software to send all log data to either the system logging facility (e.g., UNIX syslog or Windows Application Event Log) or an alternative logging facility with security configuration equivalent to or more restrictive than the system logging facility. | | | BIND DNS, Windows DNS
DNS0495 | V0004490 | III | Entries in the name server logs do not contain timestamps and severity information. | | | BIND DNS, Windows DNS
DNS0500 | V0004491 | I | Valid root name servers do not appear in the local root zone file. G and H root servers, at a minimum, do not appear in the local root zone files. | | | BIND DNS, Windows DNS
DNS0505 | V0004492 | III | The DNS software administrator has not removed the root hints file on an authoritative name server in order for it to resolve only those records for which it is authoritative, and ensure that all other queries are refused. | | | BIND DNS, Windows DNS
DNS0705 | V0004493 | III | The DNS software administrator has not utilized at least 160 bit HMAC-SHA1 keys if available. | | | BIND DNS
DNS0710 | V0004494 | II | A TSIG key is not in its own dedicated file. | | | BIND DNS
DNS0715 | V0004511 | II | A BIND name server is not configured to accept control messages only when the control messages are cryptographically authenticated and sent from an explicitly defined list of DNS administrator workstations. | | | BIND DNS
DNS0720 | V0004495 | II | A unique TSIG key is not utilized for communication between name servers sharing zone information. | | | BIND DNS
DNS0805 | V0004501 | I | The DHCP server service is not disabled on any Windows 2000/2003 DNS server that supports dynamic updates. | | | Windows DNS
DNS0810 | V0004502 | I | Zone transfers are not prohibited, or a VPN solution is not implemented that requires cryptographic authentication of communicating devices and is used exclusively by name servers authoritative for the zone. | | | Windows DNS
DNS0815 | V0004503 | II | Forwarders on an authoritative Windows 2000/2003 DNS server are not disabled. | | | Windows DNS
DNS0825 | V0004505 | I | WINS lookups are not prohibited on a Windows 2000 DNS server. | | | Windows DNS
DNS0900 | V0004506 | III | The shared secret in the APP session(s) was not a randomly generated 32 character text string. | | | Cisco CSS DNS
DNS0905 | V0004507 | II | The Cisco CSS DNS is utilized to host the organization's authoritative records and DISA Computing Services does not support that host in its csd.disa.mil domain and associated high-availability server infrastructure. | | | Cisco CSS DNS
DNS0910 | V0004508 | III | Zones are delegated with the CSS DNS. | | | Cisco CSS DNS
DNS0915 | V0004512 | I | CSS DNS does not cryptographically authenticate APP sessions. | | | Cisco CSS DNS
DNS0920 | V0004509 | III | The CSS DNS does not transmit APP session data over an out-of-band network if one is available. | | | Cisco CSS DNS
DNS0925 | V0004510 | II | Forwarders are not disabled on the CSS DNS. | | | Cisco CSS DNS
DNS4440 | V0003617 | III | BIND is not configured to run as a dedicated non-privileged user account. BIND is running as a root user. | | | BIND DNS
DNS4445 | V0012967 | III | The SA has not configured BIND in a chroot(ed) directory structure. | | | BIND DNS
DNS4450 | V0003618 | II | A UNIX or UNIX-based name server is running unnecessary daemons/services and/or is configured to start an unnecessary daemon, service, or program upon boot up. | | | BIND DNS
DNS4460 | V0003619 | III | It is possible to obtain a command shell by logging on to the DNS user account. | | | BIND DNS
DNS4470 | V0003620 | II | Permissions on critical UNIX name server files are not as restrictive as required. | | | BIND DNS
DNS4480 | V0012966 | II | Inadequate file permissions on BIND name servers. | | | BIND DNS
DNS4530 | V0003621 | II | ISC BIND is not configured to run as a dedicated non-privileged service user account. | | | BIND DNS
DNS4540 | V0003622 | III | The ISC BIND service user is a member of a group other than Everyone and Authenticated Users. | | | BIND DNS
DNS4550 | V0003623 | III | The ISC BIND service does not have the appropriate user rights required for the proper configuration and security of ISC BIND. | | | BIND DNS
DNS4570 | V0003624 | II | The appropriate encryption software is not correctly installed and configured on Windows ISC BIND name servers, and it is required that in-band remote management be performed from hosts outside the enclave in which the name server resides. | | | BIND DNS
DNS4580 | V0003625 | II | Shares other than the default administrative shares are enabled on a name server. | | | Windows DNS
DNS4590 | V0003626 | II | The ownership and permissions on all Windows ISC BIND name servers are not as restrictive as required. | | | BIND DNS
DNS4600 | V0014756 | III | The DNS administrator will ensure non-routable IPv6 link-local scope addresses are not configured in any zone. Such addresses begin with the prefixes "FE8", "FE9", "FEA", or "FEB". | | | BIND DNS, Cisco CSS DNS, Windows DNS
DNS4610 | V0014757 | III | AAAA addresses are configured on a host that is not IPv6 aware. | | | BIND DNS, Cisco CSS DNS, Windows DNS
DNS4620 | V0014758 | II | The DNS software administrator will ensure the named.conf options statement does not include the option "listen-on-v6 { any; };" when an IPv6 interface is not configured and enabled. | | | BIND DNS
DNS4630 | V0014768 | II | The IPv6 protocol is installed and the server is only configured to respond to IPv4 A records. | | | Windows DNS
DNS4640 | V0014759 | III | The DNS administrator, when implementing DNSSEC, will create and maintain separate key-pairs for key signing and zone signing. | | | BIND DNS
DNS4650 | V0014760 | III | The DNSSEC algorithm for digital signatures is not RSASHA1. | | | BIND DNS
DNS4660 | V0014761 | III | The DNSSEC key signing key is not at least 2048 bits. | | | BIND DNS
DNS4670 | V0014762 | III | The DNSSEC key signing key does not have a minimum roll over period of one year. | | | BIND DNS
DNS4680 | V0014764 | III | The DNSSEC zone signing key size is not at least 1024 bits. | | | BIND DNS
DNS4690 | V0014765 | III | The DNSSEC zone signing key minimum roll over period is not at least 60 days. | | | BIND DNS
DNS4700 | V0014766 | I | The DNSSEC private key file is not owned by the DNS administrator or the permissions are not set to a minimum of 600. | | | BIND DNS
DNS4710 | V0014767 | II | DNSSEC is not enabled for signing files between name servers with DNSSEC capabilities. | | | BIND DNS
DNS4720 | V0024996 | I | The DNS server will not use a statically configured source port for all DNS query traffic. | | | BIND DNS
DNS4730 | V0024997 | II | All DNS caching resolvers (A/K/A "recursive name servers") will have port and Query ID randomization enabled for all DNS query packets/frames. | | | BIND DNS
EN540 | V0004027 | II | Servers do not employ Host Based Intrusion Detection (HIDS). | | | DNS Policy

PDI | VMSID | CAT | Requirement | Vulnerability Status | Finding Notes
--- | --- | --- | --- | --- | ---
APPNET0001 | V0007022 | II | The File IO permission allows an application to access system files directly. | |
APPNET0003 | V0007023 | II | The Isolated Storage permission is used to allow applications to store temporary data to a local user data store. | |
APPNET0004 | V0007024 | II | The User Interface Permission for windowing controls access to user interface windows. | |
APPNET0005 | V0007025 | II | The User Interface Permission for clipboard controls application access to clipboards used by the user or other applications. | |
APPNET0006 | V0007026 | II | The Reflection permission controls an application's discovery of other system resources and applications. | |
APPNET0007 | V0007027 | II | The Printing permission controls application access to system printing resources. | |
APPNET0008 | V0007028 | II | The DNS permission controls application access to DNS resources available to the host system. | |
APPNET0009 | V0007029 | II | The Socket Access permission controls application access to network ports defined on the host system. | |
APPNET0010 | V0007030 | II | The Web Access permission controls application access to HTTP requests to designated URLs or the configuration of HTTP settings. | |
APPNET0011 | V0007031 | II | The Message Queue permission controls application access to communications across the network. | |
APPNET0012 | V0007033 | II | The Service Controller permission controls application access to the control of Windows services. | |
APPNET0013 | V0007034 | II | The Database permissions control application access to databases defined on the host system. | |
APPNET0014 | V0007035 | II | The Security permission Extend Infrastructure controls application access to message processing. | |
APPNET0015 | V0007037 | II | The Security permission Enable Remoting Configuration defines the communication channels available to an application. | |
APPNET0016 | V0007038 | II | The Security permission Enable Serialization Formatter controls access to serialized data. Serialized data is data formatted into a series of bits for storing or transmitting. | |
APPNET0017 | V0007039 | II | The Security permission Enable Thread Control is used to control application access to abort, suspend, or resume its threads. | |
APPNET0018 | V0007040 | II | The Security permission Allow Principal Control controls application access to Windows user information. | |
APPNET0019 | V0007041 | II | The Security permission Enable Assembly Execution allows applications to execute. | |
APPNET0020 | V0007042 | II | The Security permission Skip Verification controls the execution of code that is verified as being type safe. | |
APPNET0021 | V0007043 | II | The Security permission Allow Calls to Unmanaged Assemblies controls application access to applications not managed by the .Net Framework. | |
APPNET0022 | V0007044 | II | The Security permission Allow Policy Control controls application access to the current security policy configuration. | |
APPNET0023 | V0007045 | II | The Security permission Allow Domain Policy Control defines application access to its own application domain security policy. | |
APPNET0024 | V0007046 | II | The Security permission Allow Evidence Control is used to control an application's access to supply or modify evidence used to determine access to system resources. | |
APPNET0025 | V0007048 | II | The Security permission Assert any Permission that Has Been Granted controls application access to permissions assigned to any code in the assembly that called it. | |
APPNET0026 | V0007049 | II | The Performance Counter permission controls application access to system performance monitoring resources. | |
APPNET0027 | V0007051 | II | The Environment Variables permission controls application access to system environment variables and to other system resource names. | |
APPNET0028 | V0007052 | II | The Event Log permission controls application access to event log resources defined on the system. | |
APPNET0029 | V0007053 | II | The Registry permission controls application access to the Windows registry. | |
APPNET0030 | V0007054 | II | The Directory Services permission controls application access to the system Directory Service resources. | |
APPNET0031 | V0007055 | II | The Strong Name Membership Condition establishes the requirement for all code defined in the group to be configured with a Strong Name. Strong Name verification should not be omitted in a production environment. | |
APPNET0032 | V0007056 | II | The First Match Code Group is used to control the depth to which a branch of the code group tree is traversed when assigning membership to assemblies. | |
APPNET0033 | V0007057 | II | The File Code Groups and Net Code Groups are used to establish directory access and web site connections respectively by the application. | |
APPNET0035 | V0007058 | II | The Level Final Code Group Attribute prevents permission sets farther down in the Code Group hierarchy from being applied to the assembly. | |
APPNET0041 | V0007059 | II | The Zone Membership Condition determines policy level based on the URL zone of the application origin. | |
APPNET0045 | V0007060 | I | The use of the CAS policy can be enabled or disabled on the system. | |
APPNET0046 | V0007061 | II | The Windows system may be configured to allow use of certificates that are designated as being for test use. | |
APPNET0047 | V0007062 | II | The Windows system may be configured to check the application for use of expired certificates. | |
APPNET0048 | V0007063 | II | The Publisher Member Condition requires member code to be certified using certificates originating from a trusted source. | |
APPNET0049 | V0007064 | II | This checks the setting that determines whether certificates are checked for revocation status. | |
APPNET0050 | V0007065 | II | The settings reviewed in this check determine the handling of certificates with differing unknown statuses due to temporary unavailability of a certificate verification service. For example, certificate verification that is dependent on real-time access to a certificate status server could be unavailable due to a break in network communications. | |
APPNET0051 | V0007066 | II | This Windows setting determines whether the system requires certificates to be time stamped to verify the certificate is current. | |
APPNET0052 | V0007067 | II | The Strong Name Membership condition requires that member assemblies be defined with Strong Names. | |
APPNET0054 | V0007068 | III | The use of duplicate code group names within a level of the CAS policy can lead to mis-assignment of permissions. | |
APPNET0055 | V0007069 | II | CAS Policy and CAS Policy Configuration files are required for a complete system baseline and disaster recovery event. | |
APPNET0060 | V0007070 | II | The typefilterlevel="Full" attribute allows unfiltered code to access system resources. | |
APPNET0061 | V0018395 | II | Verify the installed .Net Frameworks are still supported by Microsoft. | |
DoD Defense Red Switch Network Checklist (28 Mar 06) <Test> - TN <Ticket Number>
PDI VMSID CAT Requirement Vulnerability Status Finding Notes
DRSN1001 V0004661 III An IAO must be appointed in
writing.
DRSN1002 V0004669 III There must be a separation
of duties between the
Special Security Officer
(SSO) and the Information
Assurance Officer
DRSN1003 V0004681 III DRSN Collateral switch
nodes must be located in an
approved TS exclusion area.
DRSN1004 II A facility housing DRSN end
terminals or instruments
must be certified and
approved for operations at
the highest classification of
the instrument.
DRSN1005 III No policy and/or procedure
is defined and enforced that
provides for inspection of
unattended facilities upon
entry and/or there is no
procedure for providing
granular documentation of
the inspection and/or there
is no defined reporting
procedures for detected
incidents.
DRSN1006 III No means of detection or
reporting of physical
tampering has been
provided for equipment
cabinets and/or devices.
DRSN1007 III The IAO must conduct
and/or document self-
inspections of the DRSN
components at least semi-
annually for security risks.
Legend:
R or RAE = Required Ancillary Equipment
NF = Not a Finding
NA = Not Applicable 269 of 1298
DoD Defense Red Switch Network Checklist (28 Mar 06) <Test> - TN <Ticket Number>
PDI VMSID CAT Requirement Vulnerability Status Finding Notes
DRSN1008 II Facilities housing DRSN
switches and/or peripheral
and OAM&P/NM systems
have NO access controls or
they are improperly used.
DRSN1009 II There is no personnel
security program defined,
documented, and/or enforced
DRSN1010 II Personnel working on and in
areas housing DRSN
switches as well as
peripheral and OAM&P/NM
systems must possess a
current security clearance
appropriate to the area.
DRSN1011 II Personnel physical access
to facilities housing DRSN
switches, peripheral, and
OAM&P/NM systems must
be properly controlled.
DRSN1012 V0004615 II A non-disclosure agreement
(NDA) required for access to
classified information must
be on file.
DRSN1014 II All personnel supporting a
DRSN switch must be
briefed (or “read on”)
regarding the security
requirements relating to all
missions supported by the
switch.
DRSN1015 V0004660 III Personnel accessing the
DRSN must possess the
appropriate need-to-know.
DRSN1016 V0004677 II Visit Authorization Letters
must be on file for contractor
personnel.
Legend:
R or RAE = Required Ancillary Equipment
NF = Not a Finding
NA = Not Applicable 270 of 1298
DoD Defense Red Switch Network Checklist (28 Mar 06) <Test> - TN <Ticket Number>
PDI VMSID CAT Requirement Vulnerability Status Finding Notes
DRSN1017 II Contractor personnel
performing hardware or
software installation or
maintenance, must possess
a verified individual
clearance and need-to-know
or are not escorted
DRSN1018 II Cleaning crews must be
properly cleared for the
area(s) to be cleaned and/or
perform janitorial services
during normal working hours.
DRSN1019 V0004676 II Users must have their status
and affiliation displayed as
part of their e-mail address.
DRSN1020 II Temporary Foreign/Local
National personnel must be
properly supervised or
escorted.
DRSN1021 II Foreign/Local National
personnel hired by a
base/post/camp/station for
the purpose of operating or
performing OAM&P / NM
functions on DRSN switches
and subsystems must be
properly cleared.
DRSN1022 II Foreign/Local National
personnel must not have
duties or access privileges
that exceed those allowed
by DoDI 8500.2 E3.4.8.
DRSN1023 V0004616 I Foreign National access to
DRSN must be approved in
writing by the DoD
Component Head IAW DoD,
DOS, and DCI policies.
Legend:
R or RAE = Required Ancillary Equipment
NF = Not a Finding
NA = Not Applicable 271 of 1298
DoD Defense Red Switch Network Checklist (28 Mar 06) <Test> - TN <Ticket Number>
PDI VMSID CAT Requirement Vulnerability Status Finding Notes
DRSN1024 I DRSN terminals accessible
by properly cleared non-U.S.
citizens, authorized for
unsupervised access, must
be assigned “foreign-
access” SALs.
DRSN1025 II Allied or foreign national
personnel authorized for
unsupervised access to
network terminals must be
authorized in writing by the
commander who is
responsible for the network
terminals.
DRSN1026 V0004668 III Site personnel must receive
the proper security training.
DRSN1027 II Site personnel must receive
the proper security training
and/or be familiar with the
documents located in the
security library.
DRSN1028 V0004675 II Authorized personnel must
be assigned an appropriate
ADP Access Level.
DRSN1029 V0004618 II Personnel with IA
responsibilities must be
trained and certified.
DRSN1030 III The IAO must maintain an
up-to-date IA policy and
information library.
DRSN1031 II Users of classified
communications systems
must verify the clearance
and need-to-know of the
distant parties with whom
they communicate.
Legend:
R or RAE = Required Ancillary Equipment
NF = Not a Finding
NA = Not Applicable 272 of 1298
DoD Defense Red Switch Network Checklist (28 Mar 06) <Test> - TN <Ticket Number>
PDI VMSID CAT Requirement Vulnerability Status Finding Notes
DRSN1032 II Personnel authorized
uncontrolled access to the
physical area in which
classified communications
systems, are located,
mustensure only authorized
persons access the
equipment.
DRSN1033 I Foreign nationals who are
authorized for unsupervised
access to classified
communications systems,
located in U.S.-controlled
areas, must be properly
cleared.
DRSN1035 II A DRSN Approved Products
List (APL) must be
implemented/maintained
and/or must test systems for
IO and IA.
DRSN1036 II A DRSN system in operation
must be listed on the DRSN
APL or in the process of
being tested.
DRSN1037 III All applicable STIGs and
deployment limitations must
be applied to installed
systems.
DRSN1038 III A DRSN system must be
implemented as APL listed
using the configuration that
was approved and for the
approved purpose.
DRSN1039 III DSN/DRSN APL, NIAP
CCEVS, and/or FIPS CMVP
listing must be considered
for products being
considered for procurement,
installation, or upgrade and
connection to the DISN.
DRSN1040 I Interfaces to DRSN RED switch must be properly approved by OSD, JS, and/or DRSN PMO as appropriate in accordance with CJCSI 6215.01B.
DRSN1041 III Ongoing “compliance with all applicable STIGs and checklists” requirements and validation measures must be included in RFPs, specifications, and contracts for procured or leased systems or services.
DRSN1042 III Support for C&A requirements must be included in RFPs, specifications, and contracts for procured systems.
DRSN1043 III Vendor testing and approval of STIG or checklist or IAVM required security patches and other configuration changes must be included in RFPs, specifications, and contracts for support of procured systems.
DRSN1044 III Commercially contracted (leased or procured) systems and services must comply with all applicable STIGs.
DRSN1045 V0004674 I The local switch site must be accredited.
DRSN1046 V0004665 III A formal system security baseline must exist.
DRSN1047 II Security-related SOPs must be established and followed.
DRSN1048 V0004666 II A site-specific SSAA must exist.
DRSN1049 II Deviations from program directed or published standard system baseline security configurations must be approved.
DRSN1051 II PMO must maintain overall site/system/network documentation and topology diagrams and must include all site level documentation.
DRSN1052 II IAVM notices must be responded to within the time period specified within the notice.
DRSN1053 II IAVMs must be addressed using RTS system vendor approved or provided patches.
DRSN1054 II DRSN assets must be registered in a VMS and/or DISA owned assets are not registered in the DISA VMS.
DRSN1055 III DRSN SAs must be registered in the DISA or similar VMS as are the assets for which they are responsible.
DRSN1056 III Systems/devices must be IAVM compliant before connection to the network.
DRSN1057 II The PMO has no or has a deficient configuration management process.
DRSN1058 II DRSN IAO must be involved in the configuration management process and/or does not ensure adherence to the security requirements of the STIG(s).
DRSN1059 III The NOCs and IAOs must be aware of the configuration management process and/or must adhere to the documented process.
DRSN1060 II Testing procedures for all new or upgraded hardware and software have not been created and/or are not maintained.
DRSN1061 II Site staff does not verify and/or record the identity of individuals installing or modifying a device or software.
DRSN1063 II Public domain software products are in use.
DRSN1064 II A standard software or OS release version must be tested and designated for use on all similar systems.
DRSN1065 II All similar devices are NOT deployed or upgraded to the most current tested and certified software versions as directed by the PMO.
DRSN1066 II The latest software loads and patches are NOT applied to all systems to take advantage of security enhancements.
DRSN1067 II Installed maintenance and/or security patches are not tested and/or approved.
DRSN1068 II System software has been upgraded to a major new software version that has NOT been tested, certified, and placed on the DSN/DRSN APL before installation.
DRSN1069 II Baseline configurations for all similar systems and devices in the network are not tested, certified, identified, documented, and/or maintained by the PMO.
DRSN1070 III The appropriate current/standard PMO approved baseline configuration is not used on all systems and devices.
DRSN1071 III The current and previous device configurations are not “backed up” and/or are not stored in a secured location that is not collocated with the system/device.
DRSN1072 III A network-addressing plan that addresses logical address grouping to enhance routing and flexibility has not been developed, documented, maintained, and/or enforced by the PMO.
DRSN1073 III The current approved network addressing plan is not implemented.
DRSN1074 III A naming convention for all network devices has not been developed, documented, maintained, and/or enforced.
DRSN1075 III Network devices are not named in accordance with the documented and approved naming convention.
DRSN1076 III The DNS names of network devices are not coordinated with the device names.
DRSN1077 II No procedures are in place and/or followed that ensure the integrity of master copies of all operational software, operational backup files, audit information and current hardware/firmware configuration data.
DRSN1078 II System configurations and data for all devices are not backed up at a minimum on a weekly basis and/or backups are not properly stored.
DRSN1079 III A COOP/Disaster recovery plan has not been developed, documented, tested, periodically exercised, and/or maintained.
DRSN1080 III No software upgrade/deployment procedure has been defined and/or it does not include testing and validation of the upgrade.
DRSN1081 III Upgrade procedures are not referenced in change management documentation.
DRSN1082 II Up-to-date back-up media is not available prior to software or configuration modification.
DRSN1083 III Current operating and saved configurations are NOT synchronized locally within one hour of configuration changes.
DRSN1084 II Configurations are not backed up to a different local system, or offline, one hour following software or configuration modification.
DRSN1085 I DRSN links and trunks are NOT encrypted using NSA-approved cryptographic interface configurations approved by the PMO.
DRSN1086 I Unencrypted DRSN lines, links, and trunks (i.e., those carrying classified red signals) are NOT protected by a PDS or SDS.
DRSN1088 I Distribution System(s) (PDSs) are NOT inspected and/or certified as required, initially, periodically, and when modified, by the appropriate designated Certified TEMPEST Technical Authority (CTTA).
DRSN1089 I COMSEC keying material is not properly handled or stored IAW NSTISSI 4010 and/or DoD component directives.
DRSN1090 V0004672 I COMSEC material is not being stored in a GSA approved container.
DRSN1091 II COMSEC Keying Material is not changed in accordance with the approved schedule.
DRSN1092 II COMSEC Keying Materials are not properly managed.
DRSN1094 II Encryption software used to protect sensitive information (not classified) is not Federal Information Processing Standard (FIPS) 140-2 validated.
DRSN1095 V0004680 I Instruments located in local commander's quarters operate at SCI level and are not limited to TS or Secret.
DRSN1096 I DRSN information not properly classified and/or handled IAW established policies.
DRSN1097 V0004683 II Documents associated with DRSN switches are not properly classified and/or class marked (labeled).
DRSN1098 V0004685 II Systems, devices, terminals, and/or storage devices are not properly marked with the highest security level of the information being stored, displayed, or processed.
DRSN1099 I DRSN information not properly classified and/or handled IAW established policies.
DRSN1101 II No SOP exists or is followed that ensures all suspected or actual security compromises are properly reported to all appropriate authorities, investigated, and repaired IAW DRSN and national security policy.
DRSN2001 III A DoD Voice/Video/RTS system or device is NOT configured in substantial compliance with all applicable STIGs or the appropriate STIGs have not been applied to the fullest extent possible.
DRSN2002 II Critical systems, subsystems, and/or components share the general use data network.
DRSN2003 II Critical DRSN/RTS servers/devices are not dedicated to their main purpose and contain applications not required for the critical operations.
DRSN2004 III Unused device connections or physical ports on backbone communications devices such as routers, ATM switches, and other network elements are not disabled or removed.
DRSN2005 III Unused network access device connections or physical ports are not appropriately secured from unauthorized use.
DRSN2006 II An unclassified speaker system is improperly designed/implemented such that speakers located in classified areas can pick up classified conversations and transmit them out of the classified area.
DRSN2007 II Voice/Video/RTS devices located in SCIFs do not prevent on-hook audio pick-up and/or do not have a speakerphone feature disabled or are not implemented in accordance with DCID 6/9 or TSG Standard 2.
DRSN2008 II A classified speaker system is improperly designed/implemented such that speakers located in classified areas can pick up classified conversations and transmit them, or broadcast the carried classified information out of the classified area.
DRSN2009 II No policy for speakerphones on classified systems.
DRSN2010 II A policy is NOT in place and/or enforced regarding the placement and use of speakerphones connected to secure telephone systems (e.g., the DRSN) that are located in SCIFs.
DRSN2011 I A policy is NOT in place and/or enforced regarding the placement and use of speakerphones connected to secure telephone systems (e.g., the DRSN) that are located in SCIFs.
DRSN2101 II The out-of-band or direct connection method for system device management is not used.
DRSN2102 II An OOB management network is not dedicated to device management.
DRSN2104 II System management access (in-band or OOB) does not enforce DoD policy for role based access, two-factor authentication, encrypted sessions, and/or auditing.
DRSN2105 II Network management traffic and/or session login is NOT encrypted, or is not using FIPS 140-2 validated crypto modules.
DRSN2106 II The use of in-band management is NOT limited to emergency situations, and/or is not approved and documented on a case by case basis.
DRSN2107 II The use of in-band management is NOT restricted to a limited number of authorized IP addresses (10 or less).
DRSN2108 II Idle connections DO NOT disconnect in 15 min.
DRSN2109 II The component is not configured to be unavailable for 60 seconds after 3 consecutive failed logon attempts.
DRSN2110 II A Management network DOES NOT comply with the Enclave and/or Network Infrastructure STIGs.
DRSN2111 I Access to systems or devices and/or management networks is granted to non-government employees or contractors and is not controlled or monitored.
DRSN2112 II OOB management routers and terminal servers DO NOT limit the source of any management connection to authorized source addresses.
DRSN2113 II OOB management routers and terminal servers DO NOT maintain separation between the management and production networks.
DRSN2115 I Unapproved modems are used against policy for management of DRSN switches, assets, and/or communications devices.
DRSN2116 II Modems do not comply with the requirements for user authentication and access to connected devices, management access, and encryption.
DRSN2117 II Modem authentication does not use a separate authentication server located within the extended enclave and/or encryption is not used.
DRSN2118 II Modems are not physically protected to prevent unauthorized device changes.
DRSN2119 II A detailed listing of all modems is not being maintained.
DRSN2120 II Unauthorized modems are installed.
DRSN2121 II Modem phone lines are not restricted and configured to their mission required purpose (i.e., inward/outward dial only).
DRSN2122 II Modem phone lines are not restricted to single-line operation.
DRSN2123 II The option of Automatic Number Identification (ANI) is available but not being used.
DRSN2125 I SSH version 1, or version 1 compatibility mode, is used.
DRSN2126 II A vulnerable version of SSH is in use.
DRSN2127 I SNMP V1 or V2 has been enabled on the network infrastructure. SNMP V3 has been enabled on the network infrastructure without the V3 User-based Security Model authentication and privacy.
DRSN2128 II A standard operating procedure for SNMP community string management is not established and/or maintained.
DRSN2129 III Both privileged and non-privileged SNMP modes are used on all SNMP devices but different community names are not used for read-only access and read-write access.
DRSN2130 II NM servers and/or NM systems do not restrict access to them from authorized IP addresses.
DRSN2131 I SNMP community strings are not changed from the default values.
DRSN2133 II The finger service is not disabled.
DRSN2134 I HTTP and/or TELNET is not disabled or secured.
DRSN2136 II TFTP usage is not justified and/or documented.
DRSN2138 II FTP username and password are NOT configured.
DRSN2139 II Encryption protocols are used to transmit traffic directly to a host but a host-based intrusion detection (HID) system is not in use.
DRSN2140 II VPN traffic bypasses the Network IDS.
DRSN2150 II FTP user IDs do not expire and/or passwords are not changed every 90 days.
DRSN2151 I FTP or Telnet is used with a userid (UID)/password that has administrative or root privileges.
DRSN2152 III “Anonymous” FTP is used within the enclave.
DRSN2153 I Remote control software is used to allow access to systems, servers, or network devices from non-DoD non-secure networks outside the enclave.
DRSN2154 I Unrestricted remote control access to DoD systems, servers, or network devices is permitted or is in use.
DRSN2155 II Remote control software is not properly secured and/or is not DAA approved.
DRSN2157 II A properly worded Login Banner is not used on all management access ports and/or OAM&P/NM workstations.
DRSN2201 I Administrative/management ports on a device or system do not use the strongest password method available on the device.
DRSN2202 II Access to all management system workstations and administrative/management ports is NOT remotely authenticated.
DRSN2204 III Strong two-factor authentication is NOT used to access all management system workstations and administrative/management ports on all devices or systems.
DRSN2205 I Default accounts/passwords, and manufacturer backdoor accounts have not been removed or changed prior to connection to the network.
DRSN2207 V0004658 II Switch personnel are not assigned individual userids and passwords.
DRSN2208 II-III-IV Shared user/SA accounts are used and not documented.
DRSN2209 III Passwords must meet complexity requirements.
DRSN2210 II The option to use passwords that are randomly generated by the DSN/DRSN component is available but not being used.
DRSN2211 II Users/SAs are not required to change their password during their first session logon or following a reset.
DRSN2212 V0004663 II Passwords are not changed every 90 days, after departure of personnel, and after suspected compromise.
DRSN2213 II Users/SA are permitted to change their passwords at an interval of less than 24 hours without ISSO/IAO intervention.
DRSN2214 III Password reuse/history is not set to 8 or greater of the previous passwords used.
DRSN2215 III User/SA accounts are not disabled after 35 days of inactivity.
DRSN2216 II A user's/SA's account is not automatically disabled after three notifications of password expiration.
DRSN2217 I User/SA passwords can be retrieved and viewed in clear text by another user/SA.
DRSN2218 I Users'/SAs' passwords are displayed in the clear when logging into the system/device.
DRSN2219 II Passwords are viewable in the clear in configuration files viewable online or in offline storage.
DRSN2220 I Password lists are not encrypted when stored on management workstations or systems that manage device login for a SA (single sign-on systems etc.) or on the system/device itself.
DRSN2221 II All system administrative and maintenance user accounts are not documented and/or stored in a secure or controlled manner (e.g., in a safe).
DRSN2222 V0004662 II The ISSO/IAO has not recorded the passwords of high level users (ADMIN) used on DSN/DRSN components and stored them in a secure or controlled manner.
DRSN2223 II User names and passwords must be encrypted when logging into system devices remotely across a network.
DRSN2225 II Un-needed device management accounts have not been removed or disabled.
DRSN2226 II More than 2 emergency accounts are configured on a device.
DRSN2227 II Local emergency usernames and passwords are not stored in a locked container (safe) at the NOC or access to the container is not controlled and/or logged.
DRSN2228 II Local emergency accounts are used to access devices under non-emergency conditions.
DRSN2229 II Local emergency management accounts are not changed and documented following use.
DRSN2230 II A device is capable of encrypting the local emergency password, however this feature is not being used.
DRSN2231 II Role Based DAC not employed or available.
DRSN2232 II System administrative and maintenance users are assigned accounts with privileges that are not commensurate with their assigned responsibilities.
DRSN2233 III Unauthorized SAs have the ability to access stored configuration files.
DRSN2234 III The option to restrict user access based on duty hours is available but is not being utilized.
DRSN2235 V0004664 II An audit trail is not being maintained for all access requests to DRSN RED switch operating information, control functions, and software.
DRSN2236 II System auditing does not capture all events that are required to be recorded.
DRSN2237 II System auditing does not capture all information required to be recorded for each event.
DRSN2238 III A centralized audit server is not used to collect audit records from system and network devices.
DRSN2239 III The audit collection server is not restricted by IP address and can accept/poll devices that are not within its scope.
DRSN2240 II Audit data files and directories are readable by personnel NOT authorized by the IAO.
DRSN2241 II Audit logs not stored/archived per policy, i.e., 90 days online and 9 months offline for a total of 12 months.
DRSN2242 II Audit logs are not reviewed daily or completely.
DRSN2350 I RED/BLACK isolation is not maintained between red and black switch nodes or their management systems.
DRSN2351 V0004682 I RED and BLACK distribution systems do not maintain required separation/isolation.
DRSN2352 I RED switch network originated audio is not encrypted on an unclassified network before the crypto equipment enters secure mode.
DRSN2353 I The RED/BLACK mgmt. LAN is not properly protected.
DRSN2354 II BLACK switch implementations are not approved in writing by the local commander.
DRSN2358 I DRSN consoles and/or terminals do not maintain RED/BLACK isolation.
DRSN2359 V0004684 I There is no fail-safe design of the red/black interface in place to preclude switching from operating in both black and red modes simultaneously.
DRSN2360 I DRSN Console operator intervention not implemented per policy.
DRSN2361 V0004670 I Switch subscriber terminals are configured for automatic answering.
DRSN2362 II Interfaces configured for auto-answer are not approved by the appropriate DAA and the DRSN PMO and/or are not certified for IO and IA under DoDI 8100.3.
DRSN2363 II Speaker(s) or speakerphone(s) are not approved by all parties as required.
DRSN2364 I External device(s) used with a DRSN RED switch user instrument is not configured to operate at the security level of its associated terminal, and/or is not approved by the appropriate DAA.
DRSN2365 V0004678 I DRSN phones are enabled when not under the immediate control of cleared personnel.
DRSN2366 I RED Switch must permit instrument disablement for when appropriately cleared personnel do not man them.
DRSN2367 I Each DRSN Terminal does not have a unique enable code.
DRSN2368 V0004673 I DRSN terminal enable codes are not changed every 90 days, or when there is a suspected compromise, or when an instrument and/or Subscriber Directory Number (SDN) is reassigned to another user.
DRSN2369 I Enable codes are not treated as classified SECRET.
DRSN2370 V0004673 I Subscriber terminals do not have labels affixed showing highest security level authorized for the instrument.
DRSN2372 II Push-To-Talk (PTT) handsets have been removed without DAA approval and/or there is no procedure for maintaining the secure integrity of the instrument.
DRSN2373 I Participants of ongoing conferences established through DRSN RED Switches are NOT informed of a change in the classification, SCI character, or foreign access of the conference.
DRSN2375 II Recording equipment is not approved by the DRSN PMO and/or as applicable, by the DAA/INSCI if installed in a SCIF.
DRSN2376 II No SOP for the handling of call or conference recordings exists and/or is not followed to ensure their proper handling, storage, dissemination, and/or destruction.
DRSN2377 II Recordings of calls and/or conferences are not handled per the SOP that details their proper handling, storage, dissemination, and/or destruction.
DRSN2383 I A “Barge in Tone” and visual indication is not provided to all parties in a call when the security level of the call is downgraded or upgraded during normal calls or during call forwarding, call transfer, and when adding or deleting conferees to/from a conference call.
DRSN2384 I DRSN RED switch Terminals must display proper classification level or SAL of terminals with which they communicate.
DRSN2385 I A DRSN Terminal does not properly display the self-authenticating security level of the call or conference in progress, and/or does not properly display the identity data of the distant terminal or identify the network and/or equipment type associated with the distant party and/or when a conference call is in progress.
DRSN2371 I Manual Override of Security Features is permitted and/or is not audited.
DRSN2386 II A DRSN RED telephone that is enabled for Flash, Flash-Override, and Flash-Override-Override precedence is not documented as having Joint Staff approval.
DRSN2387 II Documentation on SAL assignments for the DRSN switch and its access lines is not maintained and/or available for inspection.
DRSN2388 II The approved and documented SAL assignments are not those implemented on the switch.
DRSN2389 II A cryptographic-interface that is in addition to the primary trunk interface has not been reported to the DRSN PMO and/or identified on the configuration listing of the accreditation package, and/or the documentation is not available for inspection.
DRSN2390 II Insufficient quantity of cryptographic-interfaces (STU-III/R, STE-R, etc.) per SAL, or SALs improperly assigned.
DRSN2400 II A VoIP/VoSIP security architecture is missing or is inadequate and/or does not comply with all applicable STIGs.
DRSN2401 II WAN based VoIP/VoSIP service core equipment is not in a dedicated enclave that can be protected.
DRSN2402 II WAN based VoIP/VoSIP service delivery is not redundant in core equipment or delivery circuits.
DRSN2403 II A WAN based VoIP/VoSIP service provider's customer's VoIP/VoSIP enclave is not properly implemented or protected.
DRSN2404 II WAN based VoIP/VoSIP implementation does not utilize out of band management methods or networks.
DRSN2405 II VoIP/VoSIP implementation is not substantially compliant with all applicable OS and application STIGs.
DRSN2406 II The VoIP/VoSIP implementation has not been tested and certified in compliance with DoDI 8100.3 requirements, and not placed on the DRSN APL.
DRSN2407 II Inter-enclave VoIP/VoSIP communications is used as the primary C2 communications system.
____ Checklist _V_R_ (<date>) <Test> - TN <Ticket Number>
PDI VMSID CAT Requirement Vulnerability Status Finding Notes Section
DS00.0100 V0008527 III There is no policy to ensure that changes to the directory schema are subject to a configuration management process. Section: AD, Generic
DS00.0110 V0008550 II For a directory service used by e-mail components (server or client), the contractor abbreviation (ctr) or country code (for foreign nationals) is not maintained for the *DoD* e-mail address and display name attributes. Section: AD, Generic
DS00.0120 V0008316 I Directory service data files do not have proper access permissions. Section: AD, Generic
DS00.0130 V0002370 I Directory service data objects do not have proper access permissions. Section: AD, Generic
DS00.0140 V0004243 II Directory service data objects do not have proper audit settings. Section: AD, Generic
DS00.0150 V0008322 II A time synchronization tool is not implemented on the directory server. Section: AD, Generic
DS00.0151 V0008324 III The time synchronization tool does not log changes to the time source. Section: AD, Generic
DS00.0160 V0002369 II Directory data is not backed up on a daily or weekly basis. Section: AD, Generic
DS00.1100 III Note: At this time there is a Common Criteria Protection Profile for directory products titled, “US Government Directory Protection Profile For Medium Robustness Environments”. However, there are no products that have been evaluated for conformance to this Protection Profile. Therefore this check is not currently active. Section: Generic
DS00.1120 V0008530 III Appropriate documentation is not maintained for each cross-directory authentication configuration. Section: AD, Generic
DS00.1130 V0014834 II An encryption, signing, or other cryptographic algorithm used in a directory server application is not FIPS 140-2 validated. Section: Generic
DS00.1140 V0008522 II A directory service implementation that spans enclave boundaries does not use a VPN to protect directory network traffic. Section: AD, Generic
DS00.1150 V0008320 II Directory program or configuration files do not have proper access permissions. Section: AD, Generic
DS00.1155 V0014775 II Directory server software files are not monitored for unauthorized modifications. Section: Generic
DS00.1160 V0014836 I A non-vendor supported directory server product release is in use. Section: Generic
DS00.1165 V0014776 II A migration plan has not been developed to remove or upgrade a directory server product for which vendor security patch support is soon being or already has been dropped. Section: Generic
DS00.1170 V0014779 III The directory server product is not documented in the CCB and C&A software inventory or the inventory backup copy is not subject to adequate physical protections. Section: Generic
DS00.1180 V0008326 II A directory server supporting (directly or indirectly) system access or resource authorization is not running on a machine dedicated to that function. The same host is running an application such as a database server, e-mail server, e-mail client, web server, or DHCP server. Section: AD, Generic
DS00.1190 V0008317 II The directory server data files are located on the same logical partition as data files owned by users. Section: AD, Generic
DS00.2100 V0014838 II The directory server is not configured or is not capable of supporting version 3 of the LDAP protocol. Section: AD, Generic
DS00.2110 V0014813 II Passwords used with or stored in the directory do not adhere to complexity requirements for length or composition according to the parameters of the DoD policy currently in effect. Section: Generic
DS00.2115 | V0014814 | II | Passwords used with or stored in the directory do not expire, or a history of previously used passwords is not kept according to the parameters of the DoD policy currently in effect. | | | | Generic
DS00.2120 | V0014815 | I | Factory set, default, or standard passwords are defined in the directory. | | | | Generic
DS00.2121 | V0014805 | III | Factory set, default, or standard accounts or groups that could be renamed or removed are defined in the directory. | | | | Generic
DS00.2130 | V0014816 | I | Passwords stored in the directory are not encrypted. | | | | Generic
DS00.2140 | V0014820 | I | PKI certificates used in a directory service are not issued by the DoD PKI or an approved External Certificate Authority (ECA). | | | | AD, Generic
DS00.3130 | V0014798 | I | Directory data (outside the root DSE) of a non-public directory can be read through anonymous access. | | | | AD, Generic
DS00.3131 | V0014797 | III | The root DSE of a non-public directory can be read through anonymous access. | | | | Generic
DS00.3140 | V0014799 | I | Update access to the directory schema is not restricted to appropriate accounts. | | | | Generic
DS00.3150 | V0014807 | III | The number of accounts is excessive or documentation does not exist for the accounts that are assigned proxy authorization permission. | | | | Generic
DS00.3170 | V0014800 | III | Tools are not installed to support reviewing audit data from a directory server. | | | | Generic
DS00.3175 | V0014790 | III | Audit data from a directory server is not backed up at least weekly on external media or on a system other than where the server executes. | | | | Generic
DS00.3180 | V0014791 | III | Audit data from a directory server is not retained for at least one year. | | | | Generic
DS00.3185 | V0014804 | II | Directory server audit data files do not have proper access permissions. | | | | Generic
DS00.3190 | V0014810 | II | The number of accounts is excessive or documentation does not exist for the accounts that are members of locally defined privileged groups in the directory. | | | | Generic
DS00.3200 | V0008549 | II | Accounts from another directory are members of privileged groups and the other directory is not under the control of the same organization or subject to the same security policies. | | | | AD, Generic
DS00.3210 | V0008344 | I | An account used to execute the directory server or a directory service process is a member of a privileged group on the OS or is assigned administrative privileges and the level of privilege assigned exceeds what is needed. | | | | Generic
DS00.3220 | V0014808 | II | An account used for a directory server or process application is not dedicated to that function. | | | | Generic
DS00.3230 | V0008553 | II | Replication is not enabled to occur at least daily for a directory service in which identification, authentication, or authorization data is replicated. | | | | AD, Generic
DS00.3240 | V0014839 | II | Available options of the directory server are not configured to enforce the referential integrity of identification, authentication, and authorization data. | | | | Generic
DS00.3250 | V0014812 | II | Accounts are not locked out after multiple, consecutive, unsuccessful logon (bind) attempts according to the parameters of the DoD policy currently in effect. | | | | Generic
DS00.3260 | V0008327 | II | OS services that are critical for the directory server are not configured for automatic startup. | | | | AD, Generic
DS00.3270 | V0014780 | III | There is no policy to ensure that code that is not vendor-provided and is used in a directory server implementation that updates identification, authentication, or authorization data is subject to a configuration management process. | | | | AD, Generic
DS00.3280 | V0014782 | II | A directory service implementation that transfers replication data over wireless or non-DoD networks does not use encryption to protect the network traffic. | | | | Generic
DS00.3281 | V0014783 | II | A directory service implementation at a classified confidentiality level, that transfers replication data through a network cleared to a lower level than the data or includes SAMI data, does not use separate, NSA-approved cryptography. | | | | AD, Generic
DS00.3290 | V0014828 | II | Directory administration sessions over a network are not encrypted. | | | | Generic
DS00.3300 | V0014824 | II | A replication implementation does not include authentication of the source *and* target directory servers (mutual authentication). | | | | Generic
DS00.3310 | V0014809 | II | An account used for directory replication is not dedicated to that function. | | | | Generic
DS00.3320 | V0014826 | I | The password of the replication account is not encrypted in transit. | | | | Generic
DS00.3330 | V0014822 | II | Directory administration does not include authentication of the target directory server *and* administration client (mutual authentication). | | | | Generic
DS00.3340 | V0014823 | II | Directory updates performed under proxy credentials do not include authentication of the target directory server *and* proxy client (mutual authentication). | | | | Generic
DS00.3350 | V0014794 | III | A directory server that utilizes PKI certificates does not perform certificate validation that includes CRL or OCSP checking. | | | | Generic
DS00.3360 | V0014830 | III | A directory service implementation does not use data signing or other methods to ensure the integrity of directory administration and replication traffic over a network. | | | | Generic
DS00.3370 | V0014831 | III | The directory server does not have a default to terminate LDAP network connections that have been inactive five (5) minutes or more. | | | | AD, Generic
DS00.3375 | V0014795 | III | Accounts are defined with inactivity timeout values higher than five (5) minutes and the accounts are not listed in local documentation. | | | | Generic
DS00.4100 | V0014785 | III | Privileged remote access to a directory server is not implemented through a managed access control point and with increased session security mechanisms. | | | | Generic
DS00.4110 | V0014786 | III | Sessions for privileged remote access to a directory server are not logged or the logs are not reviewed at least weekly. | | | | Generic
DS00.4120 | V0014787 | III | Non-privileged remote access to a directory server is not implemented through a managed access control point. | | | | Generic
DS00.4130 | V0014788 | II | Remote access to a directory server is not encrypted. | | | | Generic
DS00.4140 | V0008523 | II | The VPN used to protect directory network traffic does not support visibility to an IDS. | | | | AD, Generic
DS00.6110 | V0014789 | III | Code used in a directory service implementation that is not vendor-provided is not backed up periodically. | | | | AD, Generic
DS00.6120 | V0008525 | III | Disaster recovery plans do not include sufficient directory service architecture information such as hierarchy and replication structure. | | | | AD, Generic
DS00.6130 | V0014793 | III | Disaster recovery plans do not include identification of software products used in directory server operations. | | | | Generic
DS00.6140 | V0008524 | II | Only one directory server supports a directory service. | | | | AD, Generic
DS00.7100 | V0008526 | III | Cross-directory authentication configurations have not been evaluated with respect to possible INFOCON procedures. | | | | AD, Generic
DS00.7110 | V0014777 | II | Security related patches for directory server products are not applied or the application status is not documented. | | | | Generic
DS05.0100 | | III | Note: At this time there is no Common Criteria Protection Profile for directory synchronization products. Therefore this check is not currently active. | | | | Generic
DS05.0110 | | III | Note: At this time there is no Common Criteria Protection Profile for directory synchronization products. Therefore this check is not currently active. | | | | Generic
DS05.0120 | V0011782 | II | An encryption, signing, or other cryptographic algorithm used in a directory synchronization application is not FIPS 140-2 validated. | | | | Generic
DS05.0130 | V0011760 | II | A synchronization implementation that spans enclave boundaries and uses LDAP or HTTP protocol does not use a VPN to protect the network traffic. | | | | Generic
DS05.0140 | V0011761 | II | A synchronization implementation that spans enclave boundaries and uses LDAPS or HTTPS protocol does not use a DoDI 8551.1-compliant solution to protect the network traffic. | | | | Generic
DS05.0150 | V0011787 | II | Directory synchronization program or configuration files do not have proper access permissions. | | | | Generic
DS05.0155 | V0014772 | II | Synchronization application software files are not monitored for unauthorized modifications. | | | | Generic
DS05.0160 | V0011784 | I | A non-vendor supported directory synchronization product is in use. | | | | Generic
DS05.0170 | V0011762 | II | A migration plan has not been developed to remove or upgrade a synchronization product for which vendor security patch support is soon being or already has been dropped. | | | | Generic
DS05.0180 | V0011763 | III | A synchronization product used in routine, scheduled operations is not documented in the CCB and C&A software inventory or the inventory backup copy is not subject to adequate physical protections. | | | | Generic
DS05.0190 | V0011785 | II | Public domain software is used to perform directory synchronization operations. | | | | Generic
DS05.0200 | V0011786 | III | The source code for a directory synchronization application is located in the same directory as data that is input to or output from the application. | | | | Generic
DS05.0210 | V0011764 | I | A password used in the execution of a synchronization implementation is embedded in a script or stored in an unencrypted file. | | | | Generic
DS05.0220 | V0011783 | II | PKI certificates used in a directory synchronization application are not issued by the DoD PKI or an approved External Certificate Authority (ECA). | | | | Generic
DS05.0230 | V0011788 | I | Directory synchronization data files do not have proper access permissions. | | | | Generic
DS05.0240 | V0011789 | II | A directory synchronization data file that contains a substantial aggregate of the directory data for an entire geographic command is not encrypted. | | | | Generic
DS05.0250 | V0011790 | II | A directory synchronization application is not configured to collect audit data. | | | | Generic
DS05.0260 | V0011791 | III | Tools are not installed to support reviewing audit data from a directory synchronization application. | | | | Generic
DS05.0270 | V0011765 | III | Audit data from a synchronization implementation is not backed up at least weekly on external media or on a system other than where the implementation executes. | | | | Generic
DS05.0280 | V0011766 | III | Audit data from a synchronization implementation is not retained for at least one year. | | | | Generic
DS05.0290 | V0011792 | II | Directory synchronization audit data files do not have proper access permissions. | | | | Generic
DS05.0320 | V0011767 | III | There is no policy to ensure that code that is not vendor-provided and is used in a synchronization implementation that updates security principal accounts is subject to a configuration management process. | | | | Generic
DS05.0330 | V0011769 | II | A synchronization implementation that transfers data over wireless or non-DoD networks does not use encryption to protect the network traffic. | | | | Generic
DS05.0331 | V0014773 | II | A synchronization implementation at a classified confidentiality level, that transfers data through a network cleared to a lower level than the synchronization data or transfers SAMI data, does not use separate, NSA-approved cryptography. | | | | Generic
DS05.0340 | V0011771 | II | A synchronization implementation that transfers a substantial aggregate of the directory data for an entire geographic command does not use encryption to protect the network traffic. | | | | Generic
DS05.0350 | V0011772 | III | A synchronization product that utilizes PKI certificates does not perform certificate validation that includes CRL or OCSP checking. | | | | Generic
DS05.0360 | V0011770 | III | A synchronization implementation does not use data signing or other methods to ensure the integrity of directory data network traffic. | | | | Generic
DS05.0370 | V0011773 | II | A synchronization implementation does not perform authentication of the synchronization client *and* target directory server (mutual authentication). | | | | Generic
DS05.0380 | V0011774 | II | Privileged remote access to a synchronization implementation is not implemented through a managed access control point and with increased session security mechanisms. | | | | Generic
DS05.0390 | V0011775 | II | Sessions for privileged remote access to a synchronization implementation are not logged or the logs are not reviewed at least weekly. | | | | Generic
DS05.0400 | V0011776 | III | Non-privileged remote access to a synchronization implementation is not implemented through a managed access control point. | | | | Generic
DS05.0410 | V0011777 | II | Remote access to a synchronization implementation is not encrypted. | | | | Generic
DS05.0420 | V0011778 | II | Physical access to a host used in routine, scheduled synchronization operations is not restricted to authorized personnel. | | | | Generic
DS05.0430 | V0011779 | II | Production data from routine, scheduled synchronization operations is not backed up periodically. | | | | Generic
DS05.0440 | V0011768 | III | Code used in a synchronization implementation that is not vendor-provided is not backed up periodically. | | | | Generic
DS05.0450 | V0011780 | III | Disaster recovery plans do not include identification of products used in routine, scheduled synchronization operations. | | | | Generic
DS05.0460 | V0011781 | II | Security related patches for synchronization products are not applied or the application status is not documented. | | | | Generic
DS10.0150 | V0008303 | II | The Directory Services Restore Mode (DSRM) password does not meet complexity standards. | | | | AD
DS10.0151 | V0008310 | II | There is no policy to ensure that the DSRM password is changed often enough. | | | | AD
DS10.0160 | V0008551 | III | An AD domain that has no Windows NT domain controllers is at a domain functional level that allows the addition of new Windows NT domain controllers. | | | | AD
DS10.0170 | V0008533 | II | An external, forest, or realm AD trust relationship is defined where access requirements do not support the need. | | | | AD
DS10.0180 | V0008534 | I | An external, forest, or realm AD trust relationship is defined between systems at different classification levels. | | | | AD
DS10.0181 | V0008536 | I | An external, forest, or realm AD trust relationship is defined between a DoD system and a non-DoD system without explicit approval of the DAA and appropriate documentation of the external network connection(s). | | | | AD
DS10.0190 | V0008538 | II | An outgoing external or forest trust is configured without SID filtering. | | | | AD
DS10.0200 | V0008540 | II | An outgoing forest trust is configured without Selective Authentication. | | | | AD
DS10.0210 | V0012780 | I | The Synchronize Directory Service Data user right has been assigned to an account. | | | | AD
DS10.0220 | V0008547 | II | The Pre-Windows 2000 Compatible Access group includes the Everyone or Anonymous Logon groups. | | | | AD
DS10.0230 | V0008555 | II | The dsHeuristics option is not configured to prevent anonymous access to AD. | | | | AD
DS10.0240 | V0008548 | II | The number of accounts is excessive or documentation does not exist for the accounts that are members of the Domain Admins, Enterprise Admins, Schema Admins, Group Policy Creator Owners, or Incoming Forest Trust Builders groups. | | | | AD
DS10.0260 | V0008521 | II | The number of accounts is excessive or documentation does not exist for the accounts that have been delegated AD object ownership or update permissions and are *not* members of Windows built-in administrative groups. | | | | AD
DS10.0295 | V0008557 | II | The domain controller holding the forest authoritative time source is not configured to use a DoD-authorized external time source. | | | | AD
DS10.0310 | V0008313 | II | Physical access to the AD forest root FSMO domain controllers is not restricted to specifically authorized personnel. | | | | AD
DS10.0320 | V0008311 | II | The offline copy of the DSRM password is not subject to adequate physical protections. | | | | AD
DS10.9100 | V0012778 | III | The AD domain and forest in which the domain controller resides have not been reviewed for vulnerabilities. | | | | AD
DSN01.01 | V0007921 | III | The IAO does not conduct and document self-inspections of the DSN components at least semi-annually for security risks. | | | |
DSN01.02 | V0007922 | III | The site's telephone switch is not frequently monitored for changing calling patterns and system uses for possible security concerns. | | | |
DSN01.03 | V0007923 | II | The ISSO/IAO does not ensure that administration and maintenance personnel have proper access to the facilities, functions, commands, and calling privileges required to perform their job. | | | |
DSN02.01 | V0007924 | III | DSN systems are not registered in the DISA VMS. | | | |
DSN02.02 | V0007925 | III | System Administrators (SAs) responsible for DSN information systems are not registered with the DISA VMS. | | | |
DSN02.03 | V0007926 | II | The ISSO/IAO and ISSM/IAM, in coordination with the SA, will be responsible for ensuring that all IAVM notices are responded to within the specified time period. | | | |
DSN02.04 | V0008338 | II | IAVMs are not addressed using RTS system vendor approved or provided patches. | | | |
DSN02.05 | V0008339 | III | DoD voice/video/RTS information system assets and vulnerabilities are not tracked and managed using any vulnerability management system as required by DoD policy. | | | |
DSN03.01 | V0008340 | III | A DoD Voice/Video/RTS system or device is NOT configured in compliance with all applicable STIGs or the appropriate STIGs have not been applied to the fullest extent possible. | | | |
DSN03.02 | V0008341 | III | The purchase / maintenance contract, or specification, for the Voice/Video/RTS system under review does not contain verbiage requiring compliance and validation measures for all applicable STIGs. | | | |
DSN03.03 | V0008342 | III | The DAA, IAM, IAO, or SA for the system DOES NOT enforce contract requirements for STIG compliance and validation. | | | |
DSN03.04 | V0008345 | II | A Voice/Video/RTS system is in operation but is not listed on the DSN APL nor is it in the process of being tested. | | | |
DSN03.05 | V0008346 | III | A Voice/Video/RTS system or device is NOT installed according to the deployment restrictions and/or mitigations contained in the IA test report, Certifying Authority's recommendation and/or DSAWG approval documentation. | | | |
DSN03.06 | V0008347 | III | A Voice/Video/RTS system or device is NOT installed in the same configuration and being used for the same purpose that was tested for prior to DSAWG approval and DSN APL listing. | | | |
DSN03.07 | V0008348 | III | The requirement of DSN APL listing is not being considered during the procurement, installation, connection, or upgrade to the site's Voice/Video/RTS infrastructure. | | | |
DSN04.01 | V0007930 | II | Switch administration, ADIMSS, or other Network Management terminals are not located on a dedicated LAN. | | | |
DSN04.02 | V0007931 | II | Network Management routers located at switch sites are not configured to provide IP and packet level filtering/protection. | | | |
DSN04.03 | V0007932 | II | Administration terminals are used for other day-to-day functions (i.e. email, web browsing, etc.). | | | |
DSN04.04 | V0007933 | II | Switch Administration terminals do not connect directly to the switch administration port or connect via a controlled, dedicated, out of band network used for switch administration support. | | | |
DSN04.05 | V0007934 | III | Attendant console ports are available to unauthorized users by not allowing any instrument other than the Attendant console to connect to the Attendant console port. | | | |
DSN04.06 | V0007935 | III | The ISSO/IAO has not established Standard Operating Procedures. | | | |
DSN04.07 | V0008545 | II | OAM&P / NM and CTI networks are NOT dedicated to the system that they serve in accordance with their separate DSN APL certifications. | | | |
DSN04.08 | V0008544 | II | An OAM&P / NM and CTI network/LAN is connected to the local general use (base) LAN without appropriate boundary protection. | | | |
DSN04.09 | V0008542 | II | An OAM&P / NM and CTI network/LAN is connected to the local general use (base) LAN without appropriate boundary protection. | | | |
DSN04.10 | V0008541 | II | An OAM&P / NM or CTI network DOES NOT comply with the Enclave and/or Network Infrastructure STIGs. | | | |
DSN05.01 | V0007936 | II | Applicable security packages have not been installed on the system. | | | |
DSN06.01 | V0007937 | II | The IAO DOES NOT ensure that all temporary Foreign/Local National personnel given access to DSN switches and subsystems for the purpose of installation and maintenance, are controlled and provided direct supervision and oversight (e.g., escort) by a knowledgeable and appropriately cleared U.S. citizen. | | | |
DSN06.02 | V0008519 | II | Foreign/Local National personnel hired by a base/post/camp/station for the purpose of operating or performing OAM&P / NM functions on DSN switches and subsystems have not been vetted through the normal process for providing SA clearance as dictated by the local Status of Forces Agreement (SOFA). | | | |
DSN06.03 | V0008520 | II | Foreign/Local National personnel have duties or access privileges that exceed those allowed by DODI 8500.2 E3.4.8. | | | |
DSN06.04 | V0007940 | III | The option to restrict user access based on duty hours is available but is not being utilized. | | | |
DSN06.05 | V0008558 | II | System administrative and maintenance users are assigned accounts with privileges that are not commensurate with their assigned responsibilities. | | | |
DSN06.06 | V0008556 | III | All system administrative and maintenance user accounts are not documented. | | | |
DSN06.07 | V0008554 | III | The available option of Command classes or command screening is NOT being used to limit system privileges. | | | |
DSN07.01 | V0007941 | III | The Direct Inward System Access feature and/or access to Voice Mail is not controlled by either class of service, special authorization code, or PIN. | | | |
DSN07.02 | V0007942 | III | Direct Inward System Access and Voice Mail access codes are not changed semi-annually. | | | |
DSN07.03 | V0007943 | III | Personal Identification Numbers (PIN) assigned to special subscribers used to control Direct Inward System Access and Voice Mail services are not being controlled like passwords and deactivated when no longer required. | | | |
DSN07.04 | V0007944 | III | Privilege authorization, Direct Inward System Access and/or Voice Mail special authorization codes or individually assigned PINs are not changed when compromised. | | | |
DSN08.01 | V0007945 | III | Equipment, cabling, and terminations that provide emergency life safety services such as 911 (or European 112) services and/or emergency evacuation paging systems are NOT clearly identified and marked. | | | |
DSN08.02 | V0008537 | III | There is no system installed that can provide emergency life safety or security announcements. | | | |
DSN08.03 | V0008539 | II | A policy is NOT in place and/or NOT enforced regarding the use of unclassified telephone/RTS instruments located in areas or rooms where classified meetings, conversations, or work normally occur. | | | |
DSN08.04 | V0008543 | II | Voice/Video/RTS devices located in SCIFs do not prevent on-hook audio pick-up and/or do not have a speakerphone feature disabled or are not implemented in accordance with DCID 6/9 or TSG Standard 2. | | | |
DSN09.01 | V0007946 | III | SS7 links are not clearly identified and routed separately from termination point to termination point. | | | |
DSN09.02 | V0007947 | IIII | The SS7 termination blocks are not clearly identified at the MDF. | | | |
DSN09.03 | V0007948 | III | Power cabling that serves SS7 equipment is not diversely routed to separate Power Distribution Frames (PDF) and identified. | | | |
DSN09.04 | V0007949 | III | Power cabling that serves SS7 equipment is not clearly identified at both the termination point and at the fusing position. | | | |
DSN09.05 | V0007950 | II | Links within the SS7 network are not encrypted. | | | |
DSN10.02 | V0007952 | II | A DoD VoIP system, device, or network is NOT configured in compliance with all applicable STIGs or the appropriate STIGs have not been applied to the fullest extent possible. | | | |
DSN11.01 | V0007953 | II | Transport circuits are not encrypted. | | | |
DSN11.02 | V0007954 | III | Physical access to commercial Add/Drop Multiplexers (ADMs) is not restricted. | | | |
DSN12.01 | V0007955 | III | The ISSO/IAO does not maintain a library of security documentation. | | | |
DSN13.01 | V0007956 | II | Users are not required to change their password during their first session. | | | |
DSN13.02 | V0007957 | I | Default passwords and user names have not been changed. | | | |
DSN13.03 | V0007958 | II | Shared user accounts are used and not documented by the ISSO/IAO. | | | |
DSN13.04 | V0007959 | III | The option to disable user accounts after 30 days of inactivity is not being used. | | | |
DSN13.05 | V0007960 | I | Management access points (i.e. administrative/maintenance ports, system access, etc.) are not protected by requiring a valid username and a valid password for access. | | | |
DSN13.06 | V0007961 | III | Passwords do not meet complexity requirements. | | | |
DSN13.07 | V0007962 | II | Maximum password age does not meet minimum requirements. | | | |
DSN13.08 | V0007963 | II | Users are permitted to change their passwords at an interval of less than 24 hours without ISSO/IAO intervention. | | | |
DSN13.09 | V0007964 | III | Password reuse is not set to 8 or greater. | | | |
DSN13.10 | V0007966 | II | User passwords can be retrieved and viewed in clear text by another user. | | | |
DSN13.11 | V0007967 | II | User passwords are displayed in the clear when logging into the system. | | | |
DSN13.12 | V0007968 | III | The option to use passwords that are randomly generated by the DSN component is available but not being used. | | | |
DSN13.13 | V0007969 | II | The system is not configured to disable a user's account after three notifications of password expiration. | | | |
DSN13.14 | V0007965 | II | The ISSO/IAO has not recorded the passwords of high level users (ADMIN) used on DSN components and stored them in a secure or controlled manner. | | | |
DSN13.15 | V0007970 | II | Crash-restart vulnerabilities are present on the DSN system component. | | | |
DSN13.16 | V0008560 | II | Access to all management system workstations and administrative / management ports is NOT remotely authenticated. | | | |
DSN13.17 | V0008559 | II | Strong two-factor authentication is NOT used to access all management system workstations and administrative / management ports on all devices or systems. | | | |
DSN14.01 | V0007971 | II | The DSN system component is not installed in a controlled space with visitor access controls applied. | | | |
DSN14.02 | V0007972 | II | Documented procedures do not exist that will prepare for a suspected compromise of a DSN component. | | | |
DSN15.01 | V0007973 | II | Audit records are NOT stored in an unalterable file and can be accessed by individuals not authorized to analyze switch access activity. | | | |
DSN15.02 | V0007974 | II | Audit records do not record the identity of each person and terminal device having access to switch software or databases. | | | |
DSN15.03 | V0007975 | II | Audit records do not record the time of the access. | | | |
DSN15.04 | V0007976 | II | The auditing records do not record activities that may change, bypass, or negate safeguards built into the software. | | | |
DSN15.05 | V0007977 | II | Audit record archive and storage do not meet minimum requirements. | | | |
DSN15.06 | V0007978 | II | Audit records are not being reviewed by the ISSO/IAO weekly. | | | |
DSN15.07 | V0008546 | II | The auditing process DOES NOT record security relevant actions such as the changing of security levels or categories of information. | | | |
DSN16.01 | V0007979 | II | An Information Systems Security Officer/Information Assurance Officer (ISSO/IAO) is not designated for each telecommunications switching system or DSN Site. | | | |
DSN16.02 | V0007980 | II | Site personnel have not received the proper security training and/or are not familiar with the documents located in the security library. | | | |
DSN16.03 | V0007981 | III | The ISSO/IAO does not maintain a DSN Personnel Security Certification letter on file for each person involved in DSN A/NM duties. | | | |
DSN16.04 V0007982 II System administrators are
NOT appropriately cleared.
DSN17.01 V0007983 II Site staff does not verify and
record the identity of
individuals installing or
modifying a device or
software.
DSN17.02 V0007984 II System images are not
being backed up on a
weekly basis to the local
system and a copy is not
being stored on a removable
storage device and/or is not
being stored off site.
DSN17.03 V0007985 II Site staff does not ensure
backup media is available
and up to date prior to
software modification.
DSN17.04 V0008531 II The latest software loads
and patches are NOT
applied to all systems to
take advantage of security
enhancements.
DSN17.05 V0008532 II Maintenance and security
patches are NOT approved
by the local DAA prior to
installation in the system
DSN17.06 V0008535 II Major software version
upgrades have NOT been
tested, certified, and placed
on the DSN APL before
installation.
DSN18.01 V0007986 II Modems are not physically
protected to prevent
unauthorized device
changes.
DSN18.02 V0007987 II A detailed listing of all
modems is not being
maintained.
DSN18.03 V0007988 II Unauthorized modems are
installed.
DSN18.04 V0007989 II Modem phone lines are not
restricted and configured to
their mission required
purpose (i.e. inward/outward
dial only).
DSN18.05 V0007990 II Modem phone lines are not
restricted to single-line
operation.
DSN18.06 V0007991 III The option of Automatic
Number Identification (ANI)
is available but not being
used.
DSN18.07 V0007992 II Authentication is not
required for every session
requested.
DSN18.08 V0007993 III The option to use the
callback feature for remote
access is not being used.
DSN18.09 V0007994 III FIPS 140-2, validated Link
encryption mechanisms are
not being used to provide
end-to-end security of all
data streams entering the
remote access port of a
telephone switch.
DSN18.10 V0007995 III The option to use two-factor
authentication when
accessing remote access
ports is not being used.
DSN18.11 V0007996 II Administrative/maintenance
ports are not being
controlled by deactivating or
physically disconnecting
remote access devices
when not in use.
DSN18.12 V0007997 II Idle connections DO NOT
disconnect in 15 min.
DSN18.13 V0007998 II The DSN component is not
configured to be unavailable
for 60 seconds after 3
consecutive failed logon
attempts.
DSN18.14 V0007999 III Serial
management/maintenance
ports are not configured to
force out or drop any
interrupted user session.
DSN18.15 V0008518 II An OOB Management
DOES NOT comply with the
Enclave and/or Network
Infrastructure STIGs.
DSN18.16 V0008516 II OOB management networks are NOT dedicated to management of like or associated systems.
DSN18.17 V0008516 II Network
management/maintenance
ports are not configured to
force out or drop any user
session that is interrupted
for more than 15 seconds.
DSN19.01 V0008000 II A properly worded Login
Banner is not used on all
system/device management
access ports and/or
OAM&P/NM workstations.
DSN20.01 V0008515 I A SMU component is not
installed in a controlled
space with visitor access
controls applied.
DSN20.02 V0008514 III The SMU ADIMSS
connection is NOT dedicated
to the ADIMSS network
DSN20.03 V0008513 II The ADIMSS server
connected to the SMU is
NOT dedicated to ADIMSS
functions.
DSN20.04 V0008512 II The SMU management port or management workstations are improperly connected to a network that is not dedicated to management of the SMU.
EN005 V0016162 II PKI usage and
implementation is not
compliant with DoD
Instruction 8520.02, Public
Key Infrastructure (PKI) and
Public Key (PK) Enabling, 1
April 2004.
EN010 V0003914 II Enclave assets and/or
systems that support
enclave protection are not
registered with an IAVM
tracking mechanism (e.g.,
Vulnerability Management
System (VMS) and AVTR).
EN020 V0003915 III System Administrators (SAs)
are not responsible for
critical assets or are not
registered with a vulnerability
management tracking
system and therefore are not
aware of critical patch
releases or vulnerabilities.
EN030 V0003916 II IAVM notices are not
responded to within the
specified period of time.
EN040 V0003917 II Security related patches
have not been applied to all
systems.
EN041 V0004712 II A documented security patch
management process is not
in place or cannot be
validated.
EN042 V0004713 III Workstations do not use an
automated patch distribution
process from a trusted site
or secure source (i.e., tools
such as Windows Update
Services (WUS), scripts,
Tivoli, etc.) to distribute and
apply security related
patches.
EN043 V0007572 III Patch testing is not
performed, prior to
deployment, in a non-
production environment.
EN050 V0003920 II INFOCON procedures are
not followed in accordance
with Strategic Command
Directive SD 527-1, 27
January 2006.
EN070 V0014264 III Supplemental SA INFOCON
procedures are not available
as required.
EN080 V0003922 III IA or IA enabled products do
not meet the minimum EAL
and robustness level
requirements as established
by the Designated Approving
Authority (DAA).
EN090 V0003923 III The acquisition of IA or IA-
enabled products does not
meet the requirements as
set forth by NSTISSP 11 and
the DODI 8500.2.
EN100 V0003924 III Enclave assets are not
assigned a Mission
Assurance Category (MAC)
or not assigned the correct
MAC.
EN270 V0004001 II Low assurance/risky (red
port) PPS traffic is allowed
through a virtual private
network (VPN) without
addressing the risk to the
other enclaves and is not
approved by the DAA.
EN280 V0014265 III Exceptions to the minimum
Enclave requirements have
not been approved by the
appropriate authority.
EN290 V0014266 II An external intrusion
detection system (IDS) is not
present at the enclave
perimeter as directed by the
Computer Network Defense
Service Provider (CNDSP).
EN300 V0004004 II The external NID is not
under the operational control
of the CNDSP and is not
located outside of a local
firewall.
EN360 V0004010 III Permitted IPs and ports,
protocols and services are
not documented.
EN430 V0004016 II The DNS server and
architecture is not configured
in accordance with the DNS
STIG.
EN440 V0004017 I Privileged level user remote
access is not encrypted.
EN460 V0004019 III Content security checking is
not employed for email, ftp,
or http data.
EN465 V0014276 II A policy and procedure is not
in place to monitor all virus
alerts (to include desktop
clients) and/or reporting any
malicious activity to
appropriate personnel is not
being accomplished.
EN480 V0004021 II A policy is not in place to
ensure a DMZ is established
within the Enclave Security
Architecture to host any
remotely or publicly
accessible system.
EN520 V0004025 III Major new device
configuration or operating
systems changes are
installed without security
guidance.
EN540 V0004027 II Servers do not employ Host
Based Intrusion Detection
(HIDS).
EN550 V0004122 III The SA is not responding to initial real-time HIDS alarms and does not perform analysis of reports.
EN560 V0004123 II Significant events are not reported to the site's Computer Network Defense Service Provider (CNDSP) and/or auditing requirements are not met in accordance with the DoDI 8500.2.
EN610 V0004128 III Local policies have not been
developed to ensure
information posted to the
Internet/Intranet is reviewed
by a duly appointed PAO or
authorized content reviewer
for sensitive information.
EN620 V0004129 II The web servers are not
configured in accordance
with the Web Server STIG.
EN670 V0004134 I Classified or sensitive
information is transmitted
over unapproved
communications systems or
non-DOD systems.
EN710 V0004138 III DOD policy on mobile code
is not being followed.
EN730 V0004139 II The Database Management
System (DBMS) is not
secured in accordance with
the Database STIG.
EN735 V0004756 II Wireless Local Area Networks (LANs) and/or devices are not secured in accordance with the Wireless STIG.
EN795 V0014305 II Annual assessments are not
being performed in
accordance with DoD 8500.2
IA Control DCAR1.
EN800 V0014283 III The site does not coordinate
access for the Classified
Connection Approval Office
(CCAO) to perform random
assessments within the
Enclave.
EN805 V0004755 II The application infrastructure
is not in compliance with the
Application Security and
Development and
Application Services STIGs.
EN890 V0015748 I FTP and/or telnet from
outside the enclave into the
enclave is permitted, without
applying the appropriate
security requirements.
EN900 V0015749 II FTP user IDs do not expire
and/or passwords are not
changed every 90 days.
EN910 V0015750 I FTP or Telnet is used with a
userid (UID)/password that
has administrative or root
privileges.
EN920 V0015751 III An anonymous FTP
connection within the
enclave is established.
ENCTO-0712 V0016161 II The site is not in compliance with the JTF-GNO issued CTO-07-12, Deployment of the Host Based Security System.
ENCTO- V0011939 II The site is not in compliance
0715 with JTF-GNO
Communications Tasking
Order 07-15, PKI
Implementation Phase 2.
ENCTO- V0004145 II Scanning, remediation, and
08005 reporting of vulnerabilities
are not maintained in
accordance with JTF CTO
08-005.
ENCTO-08008A V0016160 II The site is not in compliance with JTF-GNO issued CTO-08-008A which requires the use of the standardized DoD Warning Banner and user agreement. Compliance has not been reported as outlined in CTO 08-008A.
ENDC130 V0012060 II The architecture must not
leak RFC 1918 address
space onto the public
Internet or NIPRNet and this
must be tested and
documented on a continual
basis.
ENDC150 V0012062 II Devices in the production network must allow for failover to other production network sites in accordance with DoD IA control backup and redundancy requirements dependent on Mission Assurance Category.
ENDC200 V0012295 II An access control solution
must be in place for access
to the management network
and to isolate and/or
disconnect any privileged
level access client that is not
compliant with security
requirements.
ENDC220 V0012307 II The management and
production networks must be
separate and distinct from
any other network.
ENDC230 V0012311 III A DMZ must be utilized to
access production hosts for
non-administrative purposes.
For sites/networks that have
a DMZ, all external access to
production assets will
traverse a DMZ. There will
be no direct access from
external devices.
ENDC310 V0019225 II SA system or host access
for management purposes or
performance of any
privileged level function must
be performed via a
management network.
ENDC370 V0019205 I Changes to the configuration
of any network element that
manages the network must
be documented and
approved by the Information
Assurance Manager.
ENDC400 V0019275 II The private, encrypted,
management network must
be utilized to administer and
manage devices in the
infrastructure.
ENDC410 V0019253 II A client must use a policy enforcement client/agent on their computer to access the management network.
ENDC460 V0019254 II Access Control Lists (ACL)
must be employed to
separate security domains,
based on the sensitivity and
classification of the data,
within the production
networks.
ENDC480 V0019255 II A system/application that
has the capability to tier
separate, must be separated.
ENDC570 V0019223 II Publicly accessible systems
currently residing in the
production computing
environment will be moved
to the DoD DMZ.
ENDC710 V0019212 I Logical segregation must be
employed to protect
production traffic, via a DMZ
or Community of Interest
(COI) network. There will be
no direct connections from
the NIPRNet or other
networks to production
assets.
ENDC730 V0019277 II Split tunneling will not be
configured on VPN client
connections entering an out-
of-band or management
network.
ENDC740 V0019279 II There is not a Memorandum
of Understanding (MOU) or
Service Level Agreement
(SLA) in place to identify the
security requirements (by IA
control) to be shared across
accreditation boundaries.
ENTD100 V0003918 II Test and development
systems are not connected
to an isolated network
separated from production
systems.
ENTD110 V0003919 II Out of band access is not
utilized to access a test and
development enclave
remotely.
ENTD120 V0014306 II Development is performed
on platforms that are not
STIG compliant and/or within
a non-STIG compliant
infrastructure.
ENTD130 V0014307 II Network infrastructure devices, such as routers, switches, firewalls, etc., that support the Test/Development enclave are not STIG compliant.
ENTD140 V0014308 II Documentation which details
the description and function
of each system, the zone the
system resides in, the SA of
the system, applications,
OS, and hardware of the
system is incomplete or
missing.
ENTD150 V0014309 II Systems in test and
development zones are
connected to a DoD
production network without
security controls, as required
by the appropriate STIGs. A
Connection Approval
Process (CAP) has not been
used prior to connection to a
DoD network.
ENTD160 V0014310 II Test and development
systems are not physically
disconnected or blocked at
the firewall from external
networks during the
installation of an operating
system.
ENTD170 V0014311 II Development is performed in
a Zone D test enclave.
ENTD180 V0014312 I Zone D systems have direct
connectivity to a DoD
network.
ENTD190 V0014371 I Zone D systems contain
production or "live" DoD data
or privacy act information
and are connected to an
external network.
ENTD200 V0014372 I DoD client
workstations/laptops, used
for DoD official business,
interact or connect (to
include remote access) to a
Zone D system or network.
ENTD210 V0014373 I Zone C systems have
external connectivity to a
network other than that of an
additional testing facility with
the same security
requirements (e.g. Zone C to
Zone C).
ENTD220 V0014472 II Zone C systems are not
tightly restricted and/or
controlled via network
resources to avoid T&D
systems traffic or data from
entering the DoD network.
ENTD230 V0014380 II Zone B network connections
(all incoming/outgoing traffic)
are not strictly controlled via
network infrastructure
devices to include the
establishment of a VPN,
VLAN or TACLANE.
ENTD240 V0014381 II A Network Infrastructure
STIG compliant DMZ has
not been established for the
downloading of applicable
software for a Zone B
environment.
ENTD250 V0014434 II External to internal (ingress)
network initiated connections
are permitted for Zone B
environments.
ENTD260 V0014457 II Zone B egress traffic is not restricted via source and destination filtering as well as ports, protocols and services. Zone B traffic is not restricted to facilitate system testing.
ENTD270 V0014458 II Systems residing in a Zone
A test/development
environment are not STIG
compliant. POA&Ms are not
in place to address any open
findings for systems.
ENTD280 V0014459 II Zone A systems are not
separated/isolated from
production assets via
network infrastructure
devices, e.g., VLANs,
separate subnets.
ENTD290 V0014460 II Zone A systems do not
comply with the
requirements in the DoD
PPS Assurance Category
Assignments List (CAL) for
PPS utilization.
ENTD300 V0014461 II Zone A systems do not
utilize a Connection Approval
Process to include
assessment and scanning
for security baselines, and
final ATC.
ENTD310 V0014464 II The IAO will ensure, if
remote access is required to
a non STIG compliant
system in Zone B, dedicated
clients (non-production) are
utilized to access Zone B
systems from a VPN or
dialup connection. No
connectivity will occur from a
production STIG compliant
client (e.g., STIG'd
Government Furnished
Equipment) to a non-STIG'd
system in Zone B.
ENTD320 V0014465 II Non-STIG'd systems
connect or communicate
with STIG compliant
production systems via a
remote access solution.
ENTD330 V0014466 I Virtual machine guest
operating systems (OS)
which are used to access a
T&D zone communicate with
the host OS or a production
OS.
ENTD340 V0014467 I In a virtual machine remote
access solution, T&D client
traffic is not restricted such
that all network traffic can
only flow to and from the
T&D zone.
ENTD350 V0014468 II Non-production "guests"
communicate with DoD
networks via the LAN.
Section (column values recovered by aligning the spilled column text to the EN, ENCTO, ENDC and ENTD rows above, in row order): EN005 through ENDC740 are all General Business LAN Enclave. ENTD100, ENTD110, ENTD120, ENTD130, ENTD140, ENTD150, ENTD160, ENTD330, ENTD340 and ENTD350: Test Enclave - Zone A, Test Enclave - Zone B, Test Enclave - Zone C, Test Enclave - Zone D. ENTD170, ENTD180, ENTD190 and ENTD200: Test Enclave - Zone D. ENTD210 and ENTD220: Test Enclave - Zone C. ENTD230, ENTD240, ENTD250, ENTD260 and ENTD310: Test Enclave - Zone B. ENTD270, ENTD280, ENTD290 and ENTD300: Test Enclave - Zone A. ENTD320: Test Enclave - Zone B, Test Enclave - Zone D.
7.035 V0003765 I IAVM Alert 2002-A-0003,
Apache Web Server Chunk
Handling Vulnerability, has
not been applied.
1999-0001 V0005749 I Mountd Remote Buffer
Overflow Vulnerability
1999-0003 V0005751 I Remote FTP Vulnerability
1999-A- V0005753 I Statd and Automountd
0006 Vulnerabilities
2000-A- V0005777 I Cross-Site Scripting
0001 Vulnerability
2000-A- V0005778 I Gauntlet Firewall for Unix
0003 and WebShield
Cyberdaemon Buffer
Overflow Vulnerability
2000-B- V0005780 I Bind NXT Buffer Overflow
0001
2000-B- V0005781 I Netscape Navigator
0002 Improperly Validates SSL
Sessions
2000-B- V0005782 I Multiple Buffer Overflows in
0003 Kerberos Authenticated
Services
2000-B-0004 V0005783 I Washington University FTP Daemon (wu-ftpd) Site Exec Vulnerability and setproctitle() Vulnerability
2000-B- V0005784 I Input Validation Problem in
0005 rpc.statd
2000-T-0006 V0005791 II Frame Domain Verification, Unauthorized Cookie Access and Malformed Component Attribute Vulnerabilities
2000-T-0015 V0005798 II BMC Best/1 Version 6.3
Performance Management
System Vulnerability
2001-A- V0005799 I Multiple Vulnerabilities in
0001 BIND
2001-A- V0005803 I IPlanet Web Servers Expose
0007 Sensitive Data via Buffer
Overflow.
2001-A- V0005804 I Gauntlet Firewall for Unix
0009 and WebShield CSMAP and
smap/smapd Buffer
Overflow Vulnerability
2001-A- V0005805 I Format String Vulnerability in
0011 CDE ToolTalk
2001-A- V0005807 I SSH CRC32 Remote Integer
0013 Overflow Vulnerability
2001-B- V0005811 I Encoding Intrusion Detection
0003 System Bypass Vulnerability
2001-B- V0005812 I WU-FTPd Remote Code
0004 Execution Vulnerability
2001-T-0004 V0005816 II MySQLd Vulnerability
2001-T-0005 V0005817 II Input Validation Problems in
LPRng
2001-T-0008 V0005820 II Buffer Overflow in telnetd
2001-T-0009 V0005821 II Symantec Norton Antivirus
LiveUpdate Host Verification
Vulnerability
2001-T-0015 V0005825 II Multiple Vulnerabilities in lpd
Daemon
2001-T-0017 V0005826 II OpenSSH UseLogin Multiple
Vulnerabilities
2001-T-0018 V0005827 II Short Password Vulnerability
in SSH Communications
Security
2002-A- V0005830 I Apache Web Server Chunk
0003 Handling Vulnerability
2002-A- V0005837 I Multiple Simple Network
SNMP-003 Management Protocol
Vulnerabilities in Servers and
Applications
2002-A- V0005838 I Multiple Simple Network
SNMP-004 Management Protocol
Vulnerabilities in Perimeter
Devices
2002-A- V0005839 I Multiple Simple Network
SNMP-005 Management Protocol
Vulnerabilities in Enclave
Devices
2002-A- V0005840 I Multiple Simple Network
SNMP-006 Management Protocol
Vulnerabilities in Servers and
Applications
2002-B- V0005842 I Multiple Vulnerabilities in
0003 PHP
2002-B- V0005847 I Multiple Simple Network
SNMP-002 Management Protocol
Vulnerabilities in Servers and
Applications
2002-T-0004 V0005851 II Kerberos Telnet Protocol
Vulnerability
2002-T-0005 V0005852 II Multiple Vulnerabilities in
Oracle Database Server
2002-T-0006 V0005853 II Multiple Vulnerabilities in
Oracle9i Application Server
2002-T-0015 V0005862 II Integer Overflow
Vulnerability in SunRPC
derived XDR Libraries
2002-T-0016 V0005863 II Multiple Vendor kadmind
Remote Buffer Overflow
Vulnerability
2002-T- V0005867 II Multiple Simple Network
SNMP-003 Management Protocol
Vulnerabilities in Servers and
Applications
2003-A- V0005873 I Multiple Vulnerabilities in
0006 Multiple Versions of Oracle
Database Server
2003-A- V0005908 I Multiple Vulnerabilities in
0015 OpenSSL
2003-B- V0005877 I Multiple Buffer Overflow
0001 Vulnerabilities in Various
DNS Resolver Libraries
2003-B- V0005879 I Sendmail Memory
0003 Corruption Vulnerability
2003-B- V0005906 I Sendmail Prescan Variant
0005 Remote Buffer Overrun
Vulnerability
2003-T-0004 V0005883 II Multiple Vulnerabilities in
Oracle 9i Application Server
2003-T-0007 V0005886 II Sun RPC XDR Library
Integer Overflow Vulnerability
2003-T-0015 V0005896 II Multiple Vendor PDF
Hyperlinks Arbitrary
Command Execution
Vulnerability
2003-T-0018 V0005900 II Real Networks Helix
Universal Server Vulnerability
2003-T-0020 V0005904 II OpenSSH Buffer
Mismanagement and
Multiple Portable OpenSSH
PAM Vulnerabilities
2003-T-0024 V0005916 II RSync Daemon Mode
Undisclosed Remote Heap
Overflow Vulnerability
2004-A- V0005923 I Multiple Vulnerabilities in
0002 Check Point Firewall
2004-A- V0005929 I ISS Internet Security
0004 Systems ICQ Parsing Buffer
Overflow Vulnerability
2004-B- V0005921 I Cisco Voice Product
0003 Vulnerabilities on IBM
Servers
2004-B- V0005946 I HP Web Jetadmin Multiple
0007 Vulnerabilities
2004-B- V0005954 I Oracle E-Business Suite
0009 Multiple SQL Injection
Vulnerability
2004-T-0002 V0005924 II Oracle 9i
Application/Database Server
Denial Of Service
Vulnerability
2004-T-0003 V0005925 II Apache-SSL Client
Certificate Forging
Vulnerability
2004-T-0005 V0005928 II Oracle9i Lite Mobile Server
Multiple Vulnerabilities
2004-T-0008 V0005934 II TCPDump ISAKMP
Decoding Routines Multiple
Remote Buffer Overflow
2004-T-0011 V0005940 II Oracle Application Server
Web Cache HTTP Request
Method Heap Overrun
Vulnerability
2004-T-0018 V0005955 II Multiple Vulnerabilities in ISC
DHCP 3
2004-T-0022 V0005964 II Check Point VPN-1, ASN.1 Buffer Overflow Vulnerability
2004-T-0038 V0005988 II Sun Java System Web And
Application Servers Remote
Denial Of Service
Vulnerability
2005-A- V0006033 I Multiple Vulnerabilities in
0014 Oracle E-Business and
Application Suite
2005-A- V0011666 I Multiple Vulnerabilities in
0019 Oracle E-Business and
Applications Suite
2005-A- V0011700 I Multiple Vulnerabilities in
0034 Oracle E-Business and
Applications Suite
2005-A- V0011703 I VERITAS NetBackup Java
0037 User-Interface Remote
Format String Vulnerability
2005-A- V0011709 I VERITAS NetBackup
0041 Volume Manager Daemon
Buffer Overflow Vulnerability
2005-B- V0006015 I Symantec UPX Parsing
0007 Engine Remote Heap
Overflow Vulnerability
2005-B- V0006016 I Trend Micro VSAPI ARJ
0008 Handling Heap Overflow
Vulnerability
2005-T-0007 V0006018 II Multiple Vulnerabilities in
Computer Associates
Products
2005-T-0010 V0006021 II Multiple Vulnerabilities in
Sybase Software
2005-T-0013 V0011646 II Computer Associates BrightStor ARCserve Backup UniversalAgent Remote Buffer Overflow
2005-T-0031 V0011680 II Multiple Vulnerabilities in
Computer Associates
Message Queuing
(CAM/CAFT)
2005-T-0035 V0011684 II Check Point SecurePlatform
NGX Firewall Rules Bypass
Vulnerability
2005-T-0038 V0011687 II Sun Java System Application
Server Web Application JAR
Disclosure
2006-A- V0011723 I Multiple Vulnerabilities in
0007 Oracle E-Business Suite and
Applications
2006-A- V0011724 I Computer Associates (CA)
0008 iTechnology iGateway
Service Vulnerability
2006-A- V0011732 I Oracle E-Business Suite
0011 Unspecified Vulnerability
2006-A- V0011737 I Sendmail Asynchronous
0013 Signal Handling Remote
Code Execution Vulnerability
2006-A- V0011748 I Multiple Vulnerabilities in
0020 Oracle E-Business Suite and
Applications
2006-A- V0011756 I Multiple Vulnerabilities in
0023 Macromedia Flash
2006-A- V0012321 I Multiple Vulnerabilities in
0032 Oracle E-Business Suite and
Applications
2006-A- V0012899 I Multiple Vulnerabilities in
0050 Oracle E-Business Suite and
Applications
2006-T-0002 V0011726 I Multiple Vulnerabilities within
BEA WebLogic Software
2006-T-0008 V0011750 II HP Color LaserJet
2500/4600 Toolbox Directory
Traversal Vulnerability
2006-T-0013 V0011805 I RealVNC Remote
Authentication Bypass
Vulnerability
2006-T-0016 V0012055 II Sun ONE and Sun Java
System Application Server
Cross-Site Scripting
Vulnerability
2007-A- V0013583 I Multiple Vulnerabilities in
0010 Oracle E-Business Suite and
Applications
2007-A- V0013605 I Trend Micro Antivirus UPX
0013 Compressed PE File Buffer
Overflow Vulnerability
2007-A- V0013996 I Multiple Vulnerabilities in
0025 Oracle E-Business Suite and
Applications
2007-A- V0014480 I Symantec AntiVirus
0038 Malformed CAB and RAR
Compression Remote
Vulnerabilities
2007-B- V0014462 I RPC Remote Code
0012 Execution Vulnerabilities in
MIT Kerberos
2007-B- V0014587 I Multiple Vulnerabilities in
0018 Oracle E-Business Suite
2007-B- V0015376 II Multiple RealPlayer Remote
0035 Code Execution
Vulnerabilities
2007-T-0025 V0014383 I Multiple Vulnerabilities in
MIT Kerberos
2007-T-0033 V0014842 I Hewlett-Packard Openview
Multiple Remote Buffer
Overflow Vulnerabilities
2007-T-0037 V0015097 I MIT Kerberos Administration
Daemon Remote Code
Execution Vulnerabilities
2008-A- V0015746 II SQL Injection in Cisco
0011 Unified Communications
Manager Vulnerability
2008-A- V0015966 I Multiple Vulnerabilities in
0020 Oracle E-Business Suite
2008-A- V0016019 I Cisco Unified
0032 Communications Manager
Denial of Service
Vulnerabilities
2008-A- V0016023 I IBM Lotus Sametime
0034 Multiplexer Buffer Overflow
Vulnerability
2008-A- V0016039 I Multiple Security
0038 Vulnerabilities in Sun Java
ASP
2008-A- V0016170 I DNS Protocol Cache
0045 Poisoning Vulnerability
2008-A- V0016172 II Multiple Vulnerabilities in
0049 Oracle E-Business Suite
2008-A- V0016319 I Multiple Vulnerabilities in the
0052 Oracle WebLogic Server
component in BEA Product
Suite
2008-A- V0016523 II Multiple RealPlayer Remote
0053 Code Execution
Vulnerabilities
2008-A- V0017786 I Multiple Vulnerabilities in
0075 Oracle E-Business Suite
2008-B- V0015753 II Multiple Apache HTTP
0017 Server Vulnerabilities
2008-B- V0015755 I Multiple Symantec
0020 Decomposer Denial of
Service Vulnerabilities
2008-B- V0015780 I Multiple MIT Kerberos
0024 Vulnerabilities
2008-B- V0015994 I Sun Java System Directory
0041 Server Remote
Unauthorized Access
Vulnerability
2008-B- V0016022 I Multiple CA ARCserve
0043 Backup Remote
Vulnerabilities
2008-B- V0016025 II Multiple Sun Java System
0045 Application Server and Web
Server Vulnerabilities
2008-B- V0017414 I Multiple Vulnerabilities in
0064 Openwsman (VMWare)
2008-B- V0017742 I Multiple HP OpenView
0073 Network Node Manager
Vulnerabilities
2008-B- V0017874 I Multiple Vulnerabilities in
0078 VMware
2008-T-0003 V0015665 II Sun Java Web Proxy Server
and Sun Java Web Server
Multiple Cross-Site Scripting
Vulnerabilities
2008-T-0010 V0015935 II CA BrightStor ARCserve
Backup ListCtrl ActiveX
Control Buffer Overflow
Vulnerability
2008-T-0017 V0015995 II CA Products DSM gui_cm_ctrls ActiveX Control Code Execution
2008-T-0026 V0016046 I SNMP Remote Authentication Bypass Vulnerability
2008-T-0046 V0017144 II Red Hat OpenSSH Vulnerability
2008-T-0048 V0017352 II Apache mod_proxy_ftp Cross-Site Scripting Vulnerability
2008-T-0049 V0017350 I Multiple Vulnerabilities in RedHat Fedora Directory Server
2008-T-0050 V0017465 I Denial of Service Vulnerabilities in Cisco Unified Communications Manager
2008-T-0052 V0017542 III MySQL Command-Line Client HTML Injection Vulnerability
2008-T-0054 V0017737 I Cisco Unity Remote Administration Authentication Bypass Vulnerability
2008-T-0063 V0017904 II Multiple Vulnerabilities in Symantec Backup Exec
2008-T-0064 V0017917 I Bzip2 Remote Denial-of-Service Vulnerability
2009-A-0006 V0018000 II Vulnerability in Oracle Collaboration Suite
2009-A-0009 V0018005 I Multiple Oracle/BEA Weblogic Security Vulnerabilities
2009-A-0023 V0018613 I Multiple Vulnerabilities in OpenSSL
2009-A-0057 V0019765 II Multiple Vulnerabilities in Oracle Enterprise Manager
2009-A-0060 V0019802 I ISC BIND Denial of Service Vulnerability
2009-A-0089 V0021637 I Snort Remote Denial Of Service Vulnerability
2009-B-0006 V0018295 I Multiple Vulnerabilities in VMware
2009-B-0015 V0018638 I Multiple Vulnerabilities in VMware
2009-B-0016 V0018766 I VMware Hosted Products Code Execution Vulnerability
2009-B-0017 V0018751 I Multiple MIT Kerberos Vulnerabilities
2009-B-0021 V0019297 I Multiple Vulnerabilities in VMware Products
2009-B-0026 V0019438 II Multiple Vulnerabilities in Apache Tomcat
2009-B-0034 V0019859 I Multiple Apache HTTP Server Vulnerabilities
2009-B-0051 V0021686 I Multiple Vulnerabilities in Apache
2009-T-0024 V0018983 I Multiple Vulnerabilities in Linux Kernel
2009-T-0050 V0021503 I Multiple Vulnerabilities in Wireshark
2009-T-0051 V0021537 I PHP 5.2.10 Denial of Service Vulnerability
ESX0010 V0015783 II ESX Server is not configured in accordance with the UNIX STIG.
ESX0020 V0015784 II An NFS Server is running on the ESX Server host
ESX0030 V0015785 II VMotion virtual switches are not configured with a dedicated physical network adapter
ESX0040 V0015786 II There is no dedicated VLAN or network segment configured for virtual disk file transfers.
ESX0050 V0015787 II Permissions on the configuration and virtual disk files are incorrect.
ESX0055 V0016881 II Permissions on the virtual disk files are incorrect.
ESX0060 V0015788 II ISCSI VLAN or network segment is not configured for iSCSI traffic.
ESX0070 V0015789 II CHAP authentication is not configured for iSCSI traffic.
ESX0080 V0015790 II ISCSI storage equipment is not configured with the latest patches and updates.
ESX0090 V0015791 II ISCSI passwords are not compliant with DoD policy.
ESX0100 V0015792 II Static discoveries are not configured for hardware iSCSI initiators.
ESX0110 V0015793 II USB drives automatically load when inserted into the ESX Server host.
ESX0120 V0015801 III The ESX Server does not meet the minimum requirement of two network adapters.
ESX0130 V0015802 II The service console and virtual machines are not on dedicated VLANs or network segments.
ESX0140 V0015803 III Notify Switches feature is not enabled to allow for notifications to be sent to physical switches.
ESX0150 V0015804 II The ESX Server external physical switch ports are configured to VLAN 1.
ESX0160 V0015805 II Permissions have been changed on the /usr/sbin/esx* utilities
ESX0170 V0015806 II Virtual machines are connected to public virtual switches and are not documented.
ESX0180 V0015807 II Virtual switch port group is configured to VLAN 1
ESX0190 V0015808 II Virtual switch port group is configured to VLAN 1001 to 1024.
ESX0200 V0015809 II Virtual switch port group is configured to VLAN 4095.
ESX0210 V0015810 II Port groups are not configured with a network label.
ESX0220 V0015811 II Unused port groups have not been removed
ESX0230 V0015812 II Virtual switches are not labeled.
ESX0240 V0015813 II Virtual switch labels begin with a number.
ESX0250 V0015815 I The MAC Address Change Policy is set to "Accept" for virtual switches.
ESX0260 V0015817 I Forged Transmits are set to "Accept" on virtual switches
ESX0270 V0015818 I Promiscuous Mode is set to "Accept" on virtual switches.
ESX0280 V0015819 I Promiscuous mode is enabled for virtual switches during the ESX Server boot process.
ESX0290 V0015820 II External physical switch ports configured for EST mode are configured with spanning-tree enabled.
ESX0300 V0015821 II The non-negotiate option is not configured for trunk links between external physical switches and virtual switches in VST mode.
ESX0310 V0015822 II Undocumented VLANs are configured on ESX Server in VST mode.
ESX0320 V0015824 II ESX Server firewall is not configured to High Security.
ESX0330 V0015825 II A third party firewall is configured on ESX Server.
ESX0340 V0015826 II IP tables or internal router/firewall is not configured to restrict IP addresses to services.
ESX0350 V0015827 III ESX Server required services are not documented.
ESX0360 V0015828 II ESX Server service console administrators are not documented
ESX0370 V0015829 II Hash signatures for the /etc files are not stored offline.
ESX0380 V0015833 II Hash signatures for the /etc files are not reviewed monthly.
ESX0390 V0015835 II The setuid and setgid flags have been disabled.
ESX0400 V0015836 II ESX Server is not authenticating the time source with a hashing algorithm.
ESX0410 V0015840 II ESX Server does not record log files.
ESX0420 V0015841 II ESX Server log files are not reviewed daily.
ESX0430 V0015842 II Log file permissions have not been configured to restrict unauthorized users
ESX0440 V0015843 III ESX Server does not send logs to a syslog server.
ESX0450 V0015844 II Auditing is not configured on the ESX Server.
ESX0460 V0015845 III The IAO/SA does not subscribe to vendor security patches and update notifications.
ESX0470 V0015846 II The ESX Server software version is not at the latest release.
ESX0480 V0015847 II ESX Server updates are not tested.
ESX0490 V0015848 II VMware tools are not used to update the ESX Server.
ESX0500 V0015849 I ESX Server software version is not supported.
ESX0510 V0015850 I VMware and third party applications are not supported.
ESX0520 V0015851 III There are no procedures for the backup and recovery of the ESX Server, management servers, and virtual machines.
ESX0530 V0015852 II The ESX Servers and management servers are not backed up in accordance with the MAC level of the servers.
ESX0540 V0015853 II Disaster recovery plan does not include ESX Servers, VirtualCenter servers, virtual machines, and necessary peripherals associated with the system.
ESX0550 V0015854 II Backups are not located in separate logical partitions from production data.
ESX0560 V0015855 II VI client sessions to the ESX Server are unencrypted.
ESX0570 V0015856 II VI Web Access sessions to the ESX Server are unencrypted.
ESX0580 V0015857 II VirtualCenter communications to the ESX Server are unencrypted.
ESX0590 V0015858 II SNMP write mode is enabled on ESX Server.
ESX0600 V0015859 II VirtualCenter server is hosting other applications such as database servers, e-mail servers or clients, dhcp servers, web servers, etc.
ESX0610 V0015860 II Patches and security updates are not current on the VirtualCenter Server.
ESX0650 V0015864 II VirtualCenter virtual machine is not configured in an ESX Server cluster with High Availability enabled.
ESX0660 V0015865 II VirtualCenter virtual machine does not have a CPU reservation.
ESX0670 V0015866 II VirtualCenter virtual machine does not have a memory reservation.
ESX0680 V0015867 III VirtualCenter virtual machine CPU alarm is not configured.
ESX0690 V0015868 III VirtualCenter virtual machine memory alarm is not configured.
ESX0700 V0015869 II Unauthorized users have access to the VirtualCenter virtual machine.
ESX0710 V0015870 II No dedicated VirtualCenter administrator created within the Windows Administrator Group on the Windows Server for managing the VirtualCenter environment.
ESX0720 V0015871 II No logon warning banner is configured for VirtualCenter users.
ESX0725 V0017020 II VirtualCenter is not using DoD approved certificates.
ESX0730 V0015872 II VI Client sessions with VirtualCenter are unencrypted.
ESX0740 V0015873 II VI Web Access sessions with VirtualCenter are unencrypted.
ESX0750 V0015874 I VirtualCenter vpxuser has been modified.
ESX0760 V0015875 III Users assigned to VirtualCenter groups are not documented.
ESX0770 V0015876 III Users in the VirtualCenter Server Windows Administrators group are not documented.
ESX0780 V0015877 II VirtualCenter Server groups are not reviewed monthly
ESX0790 V0015878 II No documented configuration management process exists for VirtualCenter changes.
ESX0800 V0015879 II There is no VirtualCenter baseline configuration document for users, groups, permissions, and roles.
ESX0810 V0015880 II VirtualCenter does not log user, group, permission or role changes.
ESX0820 V0015881 II VirtualCenter logs are reviewed daily.
ESX0828 V0016851 III ESX administrators have not received proper training to administer the ESX Server.
ESX0860 V0015882 II There is no up-to-date documentation of the virtualization infrastructure.
ESX0863 V0015973 II ESX Server is not properly registered in VMS.
ESX0866 V0015974 II ESX Server assets are not configured with the correct posture in VMS.
ESX0869 V0015975 II VirtualCenter Server assets are not properly registered in VMS.
ESX0872 V0015984 II VirtualCenter Server assets are not configured with the correct posture in VMS.
ESX0880 V0015884 II ISO images are not restricted to authorized users.
ESX0890 V0015885 II ISO images do not have hash checksums.
ESX0900 V0015886 II ISO images are not verified for integrity when moved across the network.
ESX0910 V0015887 III Master templates are not stored on a separate partition.
ESX0920 V0015888 II Master templates are not restricted to authorized users only.
ESX0930 V0015889 III The VMware-converter utility is not used for VMDK imports or exports.
ESX0940 V0015890 II Nonpersistent disk mode is set for virtual machines.
ESX0950 V0015891 III No policy exists to assign virtual machines to personnel.
ESX0960 V0015892 III VI Console is used to administer virtual machines.
ESX0970 V0015893 II Clipboard capabilities (copy and paste) are enabled for virtual machines.
ESX0980 V0015894 II VMware Tools drag and drop capabilities are enabled for virtual machines.
ESX0990 V0015895 II The VMware Tools setinfo variable is enabled for virtual machines.
ESX1000 V0015896 III Configuration tools are enabled for virtual machines.
ESX1010 V0015897 II Virtual machines are not time synchronized with the ESX Server or an authoritative time server.
ESX1020 V0015898 III The IAO/SA does not document and approve virtual machine renames.
ESX1030 V0015899 II Test and development virtual machines are not logically separated from production virtual machines.
ESX1040 V0015900 III No policy exists to restrict copying and sharing virtual machines over networks and removable media.
ESX1050 V0015901 II Virtual machine moves are not logged from one physical server to another.
ESX1060 V0015902 II Virtual machines moved to removable media are not documented.
ESX1070 V0015903 II Virtual machines are removed from the site without approval documentation.
ESX1080 V0015904 II Production virtual machines are not located in a controlled access area.
ESX1090 V0015905 III Virtual machine rollbacks are performed when virtual machine is connected to the network.
ESX1100 V0015906 II Virtual machine OS log files are not saved before rollback.
ESX1110 V0015907 II Virtual machine log files do not have a size limit.
ESX1120 V0015908 II ESX Server is not configured to maintain a specific number of log files via log rotation.
ESX1130 V0015909 II Virtual machine log files are not maintained for 1 year.
ESX1140 V0015913 II Virtual machines are not backed up in accordance with the MAC level.
ESX1150 V0015972 II Virtual machines are not registered in VMS.
ESX1160 V0015919 III Virtual machine requirements are not documented before creating a virtual machine.
ESX1170 V0015921 II Unused hardware is enabled in virtual machines.
ESX1180 V0015924 II Guest OS selection does not match installed OS.
ESX1190 V0015926 I Guest operating system is not supported by ESX Server.
ESX1200 V0015931 II Anti-virus software and signatures are out of date for "off" and "suspended" virtual machines
ESX1210 V0015932 II OS patches and updates are out of date on "off" and "suspended" virtual machines.
ESX1220 V0017043 II Virtual machines are not configured with the correct posture in VMS.
GEN000020 V0000756 II The UNIX host is bootable in single user mode without a password.
GEN000040 V0000757 II The UNIX host is not configured to require a password when booted to single-user mode and is not documented.
GEN000060 V0000758 II The UNIX host cannot be configured to require a password when booted to single-user mode and is not located in a controlled access area.
GEN000260 V0000759 II A shared account is not justified and documented by the IAO.
GEN000280 V0000760 II A shared (i.e., default, application, or utility) account is logged into directly.
GEN003320 V0000986 II Default system accounts (with the exception of root) are listed in the at.allow file or excluded from the cron.deny file if cron.allow does not exist.
GEN003680 V0000972 III Network services required for operations have not been documented by the IAO.
GEN003700 V0012005 II All inetd/xinetd services are disabled and inetd (xinetd for Linux) is not disabled.
GEN003820 V0004687 I A system has a vulnerable trust relationship through rsh or remsh.
GEN003840 V0004688 I A system has the rexec service active.
GEN003860 V0004701 III A system has the finger service active.
GEN003865 V0012049 II Network Analysis tools are enabled.
GEN003960 V0004369 II The traceroute command owner is NOT root.
GEN003980 V0004370 II The traceroute command group owner is not sys, bin, or root.
GEN004000 V0004371 II Traceroute file permissions are less restrictive than 700.
GEN004020 V0004372 III The browser is NOT capable of 128-bit encryption.
GEN004040 V0004373 II A browser SmartUpdate, or software update feature, is enabled.
GEN004060 V0004374 II The browser has unencrypted secure content caching enabled.
GEN004100 V0004376 III The browser is configured to allow active scripting.
GEN004120 V0004377 II The browser is not configured to give a warning when form data is redirected.
GEN004160 V0004379 II The browser gives no warning before viewing remote data with a security certificate that does not match the remote address.
GEN004180 V0004380 II The browser home page is not configured for a blank page or a locally generated page.
GEN004200 V0004381 II The browser is NOT configured for Secure Socket Layer (SSL) v2 and SSL v3.
GEN004220 V0004382 I An SA browses the WEB as root.
GEN004240 V0001038 II The browser is not a supported version.
GEN004260 V0001039 III The browser does not issue a warning prior to accepting a cookie from a remote site.
GEN004280 V0001041 III A browser does not issue a warning when submitting non-encrypted form data.
GEN004300 V0001042 III The browser does not issue a warning prior to viewing a document with both secure and non-secure content.
GEN004320 V0001043 III The browser does not issue a warning prior to leaving an encrypted or secure site.
GEN004540 V0012006 II The sendmail help command is not disabled.
GEN004560 V0004384 III The O Smtp greeting in sendmail.cf, or equivalent, has not been changed to mask the version.
GEN004580 V0004385 I .forward files were found.
GEN004600 V0004689 I A sendmail server has an out-of-date version of sendmail active.
GEN004620 V0004690 I A UNIX sendmail server has the debug feature active.
GEN004640 V0004691 I A UNIX sendmail server has a uudecode alias active.
GEN004660 V0004692 III A sendmail server has the EXPN feature active.
GEN004680 V0004693 III A sendmail server has the VRFY feature active.
GEN004700 V0004694 III A UNIX sendmail server has the wizard backdoor active.
GEN004720 V0012007 II FTP or telnet within an enclave is not behind the premise router and protected by a firewall and router access control lists.
GEN004760 V0012008 I FTP or telnet from outside the enclave into the enclave is enabled and not within requirements.
GEN004780 V0012009 I FTP or telnet userids/passwords have administrative or root privileges.
GEN004800 V0012010 II An AORL is not used to document the use of unencrypted FTP or telnet or the risk is not accepted as part of the accreditation package.
GEN004840 V0004702 II A system allows anonymous FTP access.
GEN005020 V0004388 I An anonymous ftp account does not implement STIG security guidance.
GEN005040 V0012011 II An FTP user's umask is not 077.
GEN005060 V0012013 I FSP is enabled.
GEN005140 V0004695 I TFTP is active and it is not justified and documented with the IAO.
GEN005180 V0012014 II .Xauthority files are more permissive than 600.
GEN005200 V0004697 I A system is exporting X displays to the world.
GEN005220 V0012016 II Authorized X clients are not listed in the X*.hosts (or equivalent) file(s) if the .Xauthority utility is not used.
GEN005240 V0012017 II Access to the X-terminal host is not limited to authorized X clients.
GEN005260 V0012018 II The X Window System connections are not required and the connections are not disabled.
GEN005280 V0004696 II A UNIX system has the UUCP service active.
GEN005360 V0012019 II The snmpd.conf file is not owned by root and group owned by sys or the application.
GEN005380 V0004392 II An snmp server runs more than network management and DBMS software and there is no IAO justifying documentation.
GEN005400 V0004393 II Either /etc/syslog.conf is not owned by root or is more permissive than 640.
GEN005420 V0004394 II The /etc/syslog.conf group owner is NOT root, bin, or sys.
GEN005440 V0012020 II Local hosts are used as loghosts for systems outside the local network.
GEN005460 V0004395 II A system is using a remote log host not justified and documented with the IAO.
GEN005480 V0012021 II The syslog daemon accepts remote messages and is not an IAO documented loghost.
GEN005500 V0004295 I SSH, or a similar utility, is running and SSHv1 protocol is used.
GEN005540 V0012022 II Encrypted communications are not configured for IP filtering and logon warning banners.
GEN005560 V0004397 II The system is not a router but has no default gateway defined.
GEN005580 V0004398 II A system used for routing also uses other applications and/or utilities.
GEN005600 V0012023 II IP forwarding is not disabled.
GEN005620 V0004703 III A Lotus Domino 5.0.5 Web Application was found vulnerable to the .nsf, .box, and .ns4 directory traversal exploit.
GEN005640 V0004706 III A system running Squid Web Proxy Cache server was found vulnerable to the authentication header forwarding exploit.
GEN005660 V0004707 II A system running Squid Web Proxy Cache was found vulnerable to the MSNT auth helper buffer overflow exploit.
GEN005680 V0004709 III The SA will ensure the Squid Proxy Cache server is not a vulnerable version.
GEN005700 V0004708 III An iPlanet Web Server was found with the search engine NS-query-pat file viewing vulnerability.
GEN006000 V0012024 II A public instant messaging client is installed.
GEN006040 V0012025 II A peer-to-peer file-sharing application is installed and not authorized and documented with the DAA.
GEN006060 V0004321 II Samba is running and is not being used.
GEN006080 V0001026 II The Samba Web Administration tool is not used with ssh port forwarding.
GEN006100 V0001027 II The /etc/smb.conf file is not owned by root.
GEN006120 V0001056 II The /etc/smb.conf file does not have a group owner of root.
GEN006140 V0001028 II The /etc/smb.conf file is more permissive than 644.
GEN006160 V0001029 II The smbpasswd file is not owned by root.
GEN006180 V0001058 II The /etc/smbpasswd file does not have a group owner of root.
GEN006200 V0001059 II The /etc/smbpasswd file has permissions more permissive than 600.
GEN006220 V0001030 II The smb.conf file is not configured correctly.
GEN006240 V0001023 II A Linux Internet Network News server is not authorized and documented by the IAO.
GEN006260 V0004273 II A Linux /etc/news/hosts.nntp is more permissive than 600.
GEN006280 V0004274 II A Linux /etc/news/hosts.nntp.nolimit is more permissive than 600.
GEN006300 V0004275 II A Linux /etc/news/nnrp.access is more permissive than 600.
GEN006320 V0004276 II Linux /etc/news/passwd.nntp is more permissive than 600.
GEN006340 V0004277 II Linux files in /etc/news are not owned by root or news.
GEN006360 V0004278 II Linux /etc/news files group owner is not root or news.
GEN006380 V0004399 I NIS/NIS+ is implemented under UDP.
GEN006420 V0012026 II NIS maps are not protected through hard-to-guess domain names.
GEN006560 V0012028 II The system vulnerability assessment tool, host-based intrusion detection tool, and file system integrity baseline tool do not notify the SA and the IAO of a security breach or a suspected security breach.
GEN006620 V0012030 II The access control program is not configured to grant and deny system access to specific hosts.
GEN006640 V0012765 II An approved DOD virus scan program is not used and/or updated.
IAVA0010 V0001002 I A TCP_WRAPPERS Trojan exists on the system.
IAVA0020 V0001006 II There are Internet Message Access Protocol (IMAP) or Post Office Protocol (POP) vulnerabilities.
IAVA0025 V0001007 II A vulnerability exists in mime-aware mail and news clients.
IAVA0150 V0007520 II There are multiple vulnerabilities in Sybase Software.
IAVA0295 V0003612 III There are multiple SSH vulnerabilities.
IAVA0380 V0004547 II A vulnerable version of the H.323 Protocol is in use.
IAVA0510 V0004699 I A BSD system has the FTP RNFR command vulnerability.
LNX00060 V0004246 II A Linux system Password Configuration Table has the User Password set to ON.
LNX00080 V0004247 I A Linux system is using a boot diskette as the boot loader.
LNX00100 V0004248 I A Linux system has not been configured with GRUB as the default boot loader and the boot loader in use has not been authorized, justified, and documented with the IAO.
LNX00120 V0004255 I The Linux /boot partition is on removable media and is not stored in a secure container.
LNX00140 V0004249 I The Linux boot-loader does not use an MD5 encrypted password.
LNX00160 V0004250 II Linux /boot/grub/grub.conf is more permissive than 600.
LNX00180 V0004252 I A Linux system authorized to use LILO does not have a global password in /etc/lilo.conf.
LNX00200 V0012036 I The LILO Boot Loader password is not encrypted.
LNX00220 V0004253 I A Linux /etc/lilo.conf file is more permissive than 600.
LNX00260 V0004256 I A site SOP does not restrict the use of Kickstart to isolated development LANs.
LNX00300 V0004262 II A Linux system does not have the rpc.ugidd daemon disabled.
LNX00320 V0004268 I A Linux system has special privilege accounts, such as shutdown and halt.
LNX00340 V0004269 II A Linux system has unnecessary accounts.
LNX00360 V0001021 II A Linux X server does not have the correct options enabled.
LNX00380 V0001022 II A Linux X server has one of the following options enabled: -ac, -core (except for debugging purposes), or -nolock.
LNX00400 V0001025 II The /etc/login.access file is not owned by root.
LNX00420 V0001054 II The /etc/login.access file does not have a privileged group owner.
LNX00440 V0001055 II The /etc/login.access permissions are more permissive than 640.
LNX00480 V0004334 II Linux /etc/sysctl.conf is not owned by root.
LNX00500 V0004335 II Linux /etc/sysctl.conf group owner is not root.
LNX00520 V0004336 II Linux /etc/sysctl.conf file is more permissive than 600.
LNX00540 V0012037 I The insecure option is set.
LNX00560 V0004339 I A Linux NFS Server has the insecure file locking option.
LNX00580 V0004342 I The Linux x86 CTRL-ALT-DELETE key sequence has not been disabled.
LNX00600 V0004346 II Linux PAM grants sole access to admin privileges to the first user who logs into the console.
LNX00620 V0012038 II The /etc/securetty file is not group owned by root, sys, or bin.
LNX00640 V0012039 II The /etc/securetty file is not owned by root.
LNX00660 V0012040 II The /etc/securetty file is more permissive than 640.
LNX00680 V0012041 II A vulnerable RealPlayer version is installed.
SOL00040 V0004353 II /etc/security/audit_user has a different auditing level for specific users.
SOL00060 V0004352 II /etc/security/audit_user is not owned by root.
SOL00080 V0004351 II The /etc/security/audit_user group is not root, sys, or bin.
SOL00100 V0004245 II /etc/security/audit_user is more permissive than 640.
SOL00400 V0004300 II An NFS server does not have logging implemented.
USB00.001.00 V0006764 III There is no document instructing users that USB devices be powered off for at least 60 seconds prior to being connected to an IS.
USB01.001.00 V0006765 II MP3 players, camcorders, or digital cameras are being attached to ISs without prior DAA approval.
USB01.002.00 V0006766 II USB devices are attached to a DoD IS without prior IAO approval.
USB01.003.00 V0006768 II Disguised jump drives are not banned from locations containing DOD ISs.
USB01.004.00 V0006769 II Notices are not prominently displayed informing everyone of the ban of disguised jump drives.
USB01.005.00 V0006770 II Persistent memory USB devices are not treated as removable media and, contrary to DODD 5200.1-R, the devices are not secured, transported, and sanitized in a manner appropriate for the classification level of the data they contain.
USB01.006.00 V0006771 II Persistent memory USB devices are not labeled in accordance with the classification level of the data they contain.
USB01.007.00 V0006772 II Sensitive data stored on a USB device with persistent memory, for which the data owner requires encryption, is not encrypted using NIST-certified cryptography.
USB01.008.00 V0006773 II USB devices with persistent memory are not formatted in a manner to allow the application of Access Controls to files or data stored on the device.
USB01.009.00 V0006774 II There is no section within the SFUG, or equivalent documentation, describing the correct usage and handling of USB technologies.
USB01.010.00 V0006775 III The USB usage section of the SFUG, or equivalent document, does not contain a discussion of the devices that contain persistent non-removable memory.
PDI | VMSID | CAT | Requirement | Vulnerability | Status | Finding | Notes | Section
EMG0-056 | V0018865 | III | The E-mail Administrator role is not assigned and authorized by the IAO. | | | | | Email Services Policy
EMG0-075 | V0018877 | II | E-mail Administrator Groups do not ensure least privilege. | | | | | Email Services Policy
EMG0-090 | V0018885 | III | E-mail acceptable use policy is not documented in the System Security Plan or does not require annual user review. | | | | | Email Services Policy
EMG0-092 | V0018886 | III | E-mail Acceptable Use Policy does not contain required elements. | | | | | Email Services Policy
EMG1-002 | V0018681 | III | Unneeded OMA E-mail Web Virtual Directory is not removed. | | | | | Exchange Server 2003
EMG1-004 | V0018682 | III | Unneeded Active Sync E-mail Web Virtual Directory is not removed. | | | | | Exchange Server 2003
EMG1-007 | V0018759 | II | Default web site allows anonymous access. | | | | | Exchange Server 2003
EMG1-012 | V0018683 | III | Unneeded "Public" E-mail Virtual Directory is not removed. | | | | | Exchange Server 2003
EMG1-103 | V0018786 | I | Public Folder access does not require secure channels and encryption. | | | | | Exchange Server 2003
EMG1-105 | V0018787 | I | Outlook Web Access (OWA) does not require secure channels and encryption. | | | | | Exchange Server 2003
EMG1-110 | V0018733 | II | E-mail web applications are operating on non-standard ports. | | | | | Exchange Server 2003
EMG2-005 | V0018666 | II | E-mail Server Global Sending or Receiving message size is set to Unlimited. | | | | | Exchange Server 2003
EMG2-006 | V0018671 | III | The Global Recipient Count limit is set to "Unlimited". | | | | | Exchange Server 2003
EMG2-010 | V0018667 | III | Sending or Receiving message size is not set to Unlimited on the SMTP virtual server. | | | | | Exchange Server 2003
EMG2-013 | V0018661 | II | Mailbox server is not protected by E-mail Edge Transport role (E-mail Secure Gateway) performing Global Accept/Deny list filtering. | | | | | Exchange Server 2003
EMG2-015 | V0018663 | II | The Mailbox server is not protected by an Edge Transport Server Role (E-mail Secure Gateway) performing 'Block List' filtering. | | | | | Exchange Server 2003
EMG2-017 | V0018664 | II | Mailbox server is not protected by an Edge Transport Server role (E-mail Secure Gateway) performing Block List exception filtering at the perimeter. | | | | | Exchange Server 2003
EMG2-021 | V0018675 | II | The E-Mail server is not protected by having connections from "Sender Filter" sources dropped by the Edge Transport Server role (E-Mail Secure Gateway) at the perimeter. | | | | | Exchange Server 2003
EMG2-024 | V0018673 | II | The Mailbox server is not protected by having filtered messages archived by the Edge Transport Role server (E-mail Secure Gateway) at the perimeter. | | | | | Exchange Server 2003
EMG2-026 | V0018674 | II | The Mailbox server is not protected by having blank sender messages filtered by the Edge Transport Role server (E-mail Secure Gateway) at the perimeter. | | | | | Exchange Server 2003
EMG2-029 | V0018662 | II | Mailbox Server is not protected by an Edge Transport Server (E-mail Secure Gateway) performing SPAM evaluation. | | | | | Exchange Server 2003
EMG2-030 | V0018721 | II | E-mail servers are not protected by an Edge Transport Server role (E-mail Secure Gateway) removing disallowed message attachments at the network perimeter. | | | | | Exchange Server 2003
EMG2-031 | V0018672 | II | The Exchange E-mail Services environment is not protected by an Edge Transport Server (E-Mail Secure Gateway) performing Non-existent recipient filtering at the perimeter. | | | | | Exchange Server 2003
EMG2-038 | V0018818 | II | E-mail Services are not protected by having an Edge Transport Server (E-mail Secure Gateway) performing outbound message signing at the perimeter. | | | | | Exchange Server 2003
EMG2-043 | V0018665 | II | Mailbox Server is not protected by an Edge Transport Server (E-mail Secure Gateway) performing Sender Authentication at the perimeter. | | | | | Exchange Server 2003
EMG2-046 | V0018660 | II | Automated Response Messages are Enabled. | | | | | Exchange Server 2003
EMG2-105 | V0018734 | II | E-mail SMTP services are using Non-PPSM compliant ports. | | | | | Exchange Server 2003
EMG2-107 | V0018670 | II | Message Recipient Count Limit is not limited on the SMTP virtual server. | | | | | Exchange Server 2003
EMG2-109 | V0018735 | II | SMTP Virtual Server is not bound to the PPSM Standard Port. | | | | | Exchange Server 2003
EMG2-111 | V0018780 | II | Exchange Server is not protected by an Edge Transport Server (E-mail Secure Gateway) that performs Anonymous Connections interaction with Internet-based E-mail servers. | | | | | Exchange Server 2003
EMG2-114 | V0018690 | III | Maximum outbound connection timeout limit is not at 10 minutes or less. | | | | | Exchange Server 2003
EMG2-117 | V0018693 | III | Maximum Inbound Connection Timeout Limit is not 10 or less. | | | | | Exchange Server 2003
EMG2-120 | V0018691 | III | Outbound Connection Limit per Domain Count is not 100 or less. | | | | | Exchange Server 2003
EMG2-123 | V0018687 | III | The Outbound Delivery Retry Values are not at the Defaults, or do not have alternate values documented in the System Security Plan. | | | | | Exchange Server 2003
EMG2-124 | V0018770 | II | SMTP Virtual Server Auditing is not active. | | | | | Exchange Server 2003
EMG2-125 | V0018692 | III | Inbound Connection Count Limit is not set to "Unlimited". | | | | | Exchange Server 2003
EMG2-126 | V0018689 | III | SMTP Maximum outbound connections are not at 1000, or an alternate value is not documented in System Security Plan. | | | | | Exchange Server 2003
EMG2-129 | V0018668 | III | The SMTP Virtual Server Session Size is not set to "Unlimited". | | | | | Exchange Server 2003
EMG2-130 | V0018688 | III | SMTP Maximum Hop Count is not 30. | | | | | Exchange Server 2003
EMG2-131 | V0018701 | II | "Smart-Host" is specified at the Virtual Server level. | | | | | Exchange Server 2003
EMG2-133 | V0018762 | I | One or more SMTP Virtual Servers do not have a Valid Certificate. | | | | | Exchange Server 2003
EMG2-136 | V0018643 | III | E-mail user mailboxes do not have Storage Quota Limitations. | | | | | Exchange Server 2003
EMG2-139 | V0018644 | III | E-mail Public Folders do not have Storage Quota Limitations. | | | | | Exchange Server 2003
EMG2-143 | V0018704 | III | The SMTP Virtual Server is configured to perform DNS lookups for anonymous E-mails. | | | | | Exchange Server 2003
EMG2-144 | V0018782 | II | SMTP Virtual Servers do not Require Secure Channels and Encryption. | | | | | Exchange Server 2003
EMG2-146 | V0018700 | II | SMTP virtual Server does not Restrict Relay Access. | | | | | Exchange Server 2003
EMG2-148 | V0018702 | III | The SMTP Virtual Server performs reverse DNS lookups for anonymous message delivery. | | | | | Exchange Server 2003
EMG2-149 | V0018669 | III | The SMTP Virtual Server Message Count Limit is not 20. | | | | | Exchange Server 2003
EMG2-250 | V0018694 | II | SMTP Connection Restrictions do not use the "Deny All" strategy. | | | | | Exchange Server 2003
EMG2-251 | V0018696 | II | ExAdmin Virtual Directory is not Configured for Integrated Windows Authentication. | | | | | Exchange Server 2003
EMG2-255 | V0018805 | II | Scripts are Permitted to Execute in the ExAdmin Virtual Server. | | | | | Exchange Server 2003
EMG2-256 | V0018760 | I | OWA does not require only Integrated Windows Authentication. | | | | | Exchange Server 2003
EMG2-259 | V0018803 | II | Scripts are permitted to execute in the OWA Virtual Server. | | | | | Exchange Server 2003
EMG2-263 | V0018806 | II | Users do not have correct permissions in the OWA Virtual Server. | | | | | Exchange Server 2003
EMG2-266 | V0018719 | II | Users do not have correct permissions in the Public Virtual Server. | | | | | Exchange Server 2003
EMG2-269 | V0018807 | II | ExAdmin does not have correct permissions in the ExAdmin Virtual Server. | | | | | Exchange Server 2003
EMG2-271 | V0018745 | I | OWA Virtual Server has Forms-Based Authentication enabled. | | | | | Exchange Server 2003
EMG2-272 | V0018695 | III | SMTP Sender, Recipient, or Connection Filters are not engaged. | | | | | Exchange Server 2003
EMG2-275 | V0018804 | II | Scripts are permitted to execute in the Public Folder web server. | | | | | Exchange Server 2003
EMG2-303 | V0018812 | III | Exchange application memory is not zeroed out after message deletion. | | | | | Exchange Server 2003
EMG2-305 | V0018788 | III | ExAdmin is configured for Secure Channels and Encryption. | | | | | Exchange Server 2003
EMG2-307 | V0018725 | III | Mailbox Stores Restore Overwrite is enabled. | | | | | Exchange Server 2003
EMG2-311 | V0018726 | III | Public Folder Stores Restore Overwrite is enabled. | | | | | Exchange Server 2003
EMG2-313 | V0018641 | II | User mailboxes are hosted on non-Mailbox Server role. | | | | | Exchange Server 2003
EMG2-317 | V0018727 | III | E-mail message copies are not archived. | | | | | Exchange Server 2003
EMG2-318 | V0018646 | III | Mailbox Stores "Do Not Mount at Startup" is enabled. | | | | | Exchange Server 2003
EMG2-320 | V0018655 | II | Public Folder Stores "Do not Mount at Startup" is enabled. | | | | | Exchange Server 2003
EMG2-323 | V0018642 | I | E-mail Server does not require S/MIME capable clients. | | | | | Exchange Server 2003
EMG2-327 | V0018744 | I | E-mail Public Folders do not require S/MIME capable clients. | | | | | Exchange Server 2003
EMG2-333 | V0018705 | III | E-mail Server "Circular Logging" is not set appropriately. | | | | | Exchange Server 2003
EMG2-340 | V0018723 | II | Mailboxes and messages are not retained until backups are complete. | | | | | Exchange Server 2003
EMG2-344 | V0018724 | II | Public Folder stores and documents are not retained until backups are complete. | | | | | Exchange Server 2003
EMG2-507 | V0018645 | III | Public Folders Store storage quota limits are overridden. | | | | | Exchange Server 2003
EMG2-511 | V0018658 | III | Public Folder "Send on Behalf of" feature is in use. | | | | | Exchange Server 2003
EMG2-710 | V0018686 | II | Message size restrictions are specified on routing group connectors. | | | | | Exchange Server 2003
EMG2-713 | V0018685 | III | Connectors are not clearly named as to direction or purpose. | | | | | Exchange Server 2003
EMG2-718 | V0019198 | II | Message size restriction is specified at the SMTP connector level. | | | | | Exchange Server 2003
EMG2-721 | V0018698 | II | The SMTP connectors do not specify use of a "Smart Host". | | | | | Exchange Server 2003
EMG2-730 | V0018697 | II | Routing Group is not selected as the SMTP connector scope. | | | | | Exchange Server 2003
EMG2-736 | V0018699 | I | SMTP connectors allow unauthenticated relay. | | | | | Exchange Server 2003
EMG2-743 | V0018784 | I | SMTP Connectors perform outbound anonymous connections. | | | | | Exchange Server 2003
EMG2-803 | V0018703 | II | Virtual Server default outbound security is not anonymous and TLS. | | | | | Exchange Server 2003
EMG2-806 | V0018715 | II | SMTP Queue Monitor is not configured with a threshold and alert. | | | | | Exchange Server 2003
EMG2-807 | V0018713 | II | CPU Monitoring Notifications are not configured with threshold and action. | | | | | Exchange Server 2003
EMG2-810 | V0018707 | II | E-mail "Subject Line" logging is enabled during production operations. | | | | | Exchange Server 2003
EMG2-811 | V0018706 | II | E-mail Diagnostic Logging is enabled during production operations. | | | | | Exchange Server 2003
EMG2-813 | V0018714 | II | Virtual memory monitoring notifications are not configured with threshold and action. | | | | | Exchange Server 2003
EMG2-815 | V0018716 | II | Windows 2003 Services Monitoring Notifications are not configured with thresholds and actions. | | | | | Exchange Server 2003
EMG2-817 | V0018717 | II | Exchange Core Services Monitors are not configured with threshold and actions. | | | | | Exchange Server 2003
EMG2-825 | V0018710 | II | SMTP Virtual Server Audit Records are not directed to a separate partition. | | | | | Exchange Server 2003
EMG2-831 | V0018711 | II | Exchange sends fatal errors to Microsoft. | | | | | Exchange Server 2003
EMG2-833 | V0018767 | II | The "Disable Server Monitoring" feature is enabled. | | | | | Exchange Server 2003
EMG2-835 | V0018712 | II | Disk Space Monitoring is not Configured with Threshold and Action. | | | | | Exchange Server 2003
EMG2-840 | V0018763 | III | Audit Records do not contain all required fields. | | | | | Exchange Server 2003
EMG2-863 | V0019186 | II | Mailbox access control mechanisms are not audited for changes. | | | | | Exchange Server 2003
EMG3-005 | V0018881 | III | The E-mail backup and recovery strategy is not documented or is not tested on an INFOCON compliant frequency. | | | | | Email Services Policy
EMG3-006 | V0018880 | II | Audit logs are not included in backups. | | | | | Email Services Policy
EMG3-007 | V0018883 | II | E-mail backups do not meet schedule or storage requirements. | | | | | Email Services Policy
EMG3-009 | V0018882 | II | E-mail backup and recovery data is not protected. | | | | | Email Services Policy
EMG3-010 | V0018884 | II | E-mail critical software copies are not stored offsite in a fire rated container. | | | | | Email Services Policy
EMG3-015 | V0018857 | II | Annual procedural reviews are not conducted at the site. | | | | | Email Services Policy
EMG3-020 | V0018858 | II | Exchange with Outlook Web Access is not deployed as Front-end/Back-end Architecture. | | | | | Email Services Policy
EMG3-028 | V0018868 | III | E-mail software installation account usage is not logged. | | | | | Email Services Policy
EMG3-037 | V0018869 | III | E-mail audit trails are not reviewed daily. | | | | | Email Services Policy
EMG3-045 | V0018864 | II | E-Mail Configuration Management (CM) procedures are not implemented. | | | | | Email Services Policy
EMG3-050 | V0018867 | II | E-mail Services are not documented in System Security Plan. | | | | | Email Services Policy
EMG3-058 | V0018741 | II | E-mail software is not monitored for change on INFOCON frequency schedule. | | | | | Exchange Server 2003
EMG3-071 | V0018879 | II | E-mail audit records are not retained for 1 year. | | | | | Email Services Policy
EMG3-079 | V0018878 | II | Automated audit reporting tools are not available. | | | | | Email Services Policy
EMG3-106 | V0019546 | I | E-mail services and servers are not protected by routing all SMTP traffic through an Edge Transport Server. | | | | | Email Services Policy
EMG3-108 | V0019548 | I | E-mail web services are not protected by having an application proxy server outside the enclave. | | | | | Email Services Policy
EMG3-115 | V0018731 | II | E-mail application installation is sharing a partition with another application. | | | | | Exchange Server 2003
EMG3-116 | V0018792 | II | SMTP service banner response reveals configuration details. | | | | | Exchange Server 2003
EMG3-119 | V0018795 | II | E-mail Services accounts are not restricted to named services. | | | | | Exchange Server 2003
EMG3-121 | V0018801 | II | Services permissions do not reflect least privilege. | | | | | Exchange Server 2003
EMG3-145 | V0018796 | II | E-Mail service accounts are not operating at least privilege. | | | | | Exchange Server 2003
EMG3-150 | V0018819 | II | E-Mail audit trails are not protected against unauthorized access. | | | | | Exchange Server 2003
EMG3-801 | V0018676 | II | E-Mail server has unneeded processes or services active. | | | | | Exchange Server 2003
EMG3-802 | V0018742 | II | Security support data or process is sharing a directory or partition with Exchange. | | | | | Exchange Server 2003
EMG3-805 | V0018743 | II | Exchange software baseline copy does not exist. | | | | | Exchange Server 2003
EMG3-817 | V0018684 | II | VRFY command is resident on Exchange 2003 server. | | | | | Exchange Server 2003
EMG3-823 | V0018732 | II | Audit data is sharing directories or partitions with the E-mail application. | | | | | Exchange Server 2003
EMG3-824 | V0018802 | II | Exchange application permissions are not at vendor recommended settings. | | | | | Exchange Server 2003
EMG3-828 | V0018799 | II | E-mail restore permissions are not restricted to E-mail administrators. | | | | | Exchange Server 2003
EMG3-829 | V0018820 | I | E-mail servers do not have E-mail aware virus protection. | | | | | Exchange Server 2003
PDI | VMSID | CAT | Requirement | Vulnerability | Status | Finding | Notes | Section
H20100 | V0014282 | II | (U) A static IP address exists for the ePO server. | | | | | McAfee ePO 4.0 Site, McAfee ePO 4.0 Rollup, McAfee ePO 4.5 Rollup, McAfee ePO 4.5 Site
H20120 | V0014483 | II | (U) The ePO server is located in a protected Enclave Security Services DMZ or screened subnet. | | | | | McAfee ePO 4.0 Site, McAfee ePO 4.0 Rollup, McAfee ePO 4.5 Rollup, McAfee ePO 4.5 Site
H20140 | V0014484 | II | (U//FOUO) The ePO server's management workstations, outside the enclave, use NIST certified encrypted VPNs for access and the traffic is logged. | | | | | McAfee ePO 4.0 Site, McAfee ePO 4.0 Rollup, McAfee ePO 4.5 Rollup, McAfee ePO 4.5 Site
H20160 | V0014485 | II | (U) VPN traffic into the ePO is visible to a network intrusion detection system. | | | | | McAfee ePO 4.0 Site, McAfee ePO 4.0 Rollup, McAfee ePO 4.5 Rollup, McAfee ePO 4.5 Site
H20180 | V0014488 | II | (U) The ePO server is being protected by a local network IDS. | | | | | McAfee ePO 4.0 Site, McAfee ePO 4.0 Rollup, McAfee ePO 4.5 Rollup, McAfee ePO 4.5 Site
H20200 | V0014486 | I | (U) The ePO server perimeter protection is in deny by default with allowable exceptions. | | | | | McAfee ePO 4.0 Site, McAfee ePO 4.0 Rollup, McAfee ePO 4.5 Rollup, McAfee ePO 4.5 Site
H20260 | V0014489 | II | (U) The site has registered the HBSS server within the Ports and Protocols database. | | | | | McAfee ePO 4.0 Site, McAfee ePO 4.0 Rollup, McAfee ePO 4.5 Rollup, McAfee ePO 4.5 Site
H20280 | V0014843 | II | (U) The site is using a proxy for http/https traffic. | | | | | McAfee ePO 4.0 Site, McAfee ePO 4.0 Rollup, McAfee ePO 4.5 Rollup, McAfee ePO 4.5 Site
H30100 | V0014491 | III | (U) The HBSS is under direct control of a site CCB. | | | | | McAfee ePO 4.0 Site, McAfee ePO 4.0 Rollup, McAfee ePO 4.5 Rollup, McAfee ePO 4.5 Site
H30120 | V0017882 | II | (U) HBSS is using the approved WSUS HBSS site for Microsoft patches. | | | | | McAfee ePO 4.0 Site, McAfee ePO 4.0 Rollup, McAfee ePO 4.5 Rollup, McAfee ePO 4.5 Site
H30140 | V0014493 | II | (U) The ePO server uses only the DoD-controlled source repository. | | | | | McAfee ePO 4.0 Site, McAfee ePO 4.0 Rollup, McAfee ePO 4.5 Rollup, McAfee ePO 4.5 Site
H30160 | V0014494 | III | (U) A DoD-controlled DNS server is used for resolution for the ePO server. | | | | | McAfee ePO 4.0 Site, McAfee ePO 4.0 Rollup, McAfee ePO 4.5 Rollup, McAfee ePO 4.5 Site
H30200 | V0014496 | II | (U) HBSS is not operating on different classification levels or across mixed DoD and non-DoD systems or networks. | | | | | McAfee ePO 4.0 Site, McAfee ePO 4.0 Rollup, McAfee ePO 4.5 Rollup, McAfee ePO 4.5 Site
H30220 | V0014497 | I | (U) The ePO server is dedicated to HBSS. | | | | | McAfee ePO 4.0 Site, McAfee ePO 4.0 Rollup, McAfee ePO 4.5 Rollup, McAfee ePO 4.5 Site
H30240 | V0014498 | II | (U) The ePO is using the correct port assignments. | | | | | McAfee ePO 4.0 Site, McAfee ePO 4.0 Rollup
H30241 | V0024170 | II | (U) Agent-to-server communication port is set correctly. | | | | | McAfee ePO 4.5 Rollup, McAfee ePO 4.5 Site
H30242 | V0024171 | II | (U) Agent-to-server communication secure port is set correctly. | | | | | McAfee ePO 4.5 Rollup, McAfee ePO 4.5 Site
H30243 | V0024172 | II | (U) Agent wake-up communication port set correctly. | | | | | McAfee ePO 4.5 Rollup, McAfee ePO 4.5 Site
H30244 | V0024173 | II | (U) Agent broadcast port is set correctly. | | | | | McAfee ePO 4.5 Rollup, McAfee ePO 4.5 Site
H30245 | V0024174 | II | (U) Console-to-application server communication port is set correctly. | | | | | McAfee ePO 4.5 Rollup, McAfee ePO 4.5 Site
H30246 | V0024175 | II | (U) Client-to-server authenticated communication port is set correctly. | | | | | McAfee ePO 4.5 Rollup, McAfee ePO 4.5 Site
H30247 | V0024024 | II | (U//FOUO) Port used for Console-to-Server communication is set correctly. | | | | | McAfee ePO 4.0 Site, McAfee ePO 4.0 Rollup, McAfee ePO 4.5 Rollup, McAfee ePO 4.5 Site
H30250 | V0025504 | II | (U//FOUO) The notification connector is set to the loopback adapter. | | | | | McAfee ePO 4.0 Site, McAfee ePO 4.0 Rollup, McAfee ePO 4.5 Rollup, McAfee ePO 4.5 Site
H30260 | V0014499 | II | (U) The ePO software directories are adequately protected from unauthorized modification. | | | | | McAfee ePO 4.0 Site, McAfee ePO 4.0 Rollup, McAfee ePO 4.5 Rollup, McAfee ePO 4.5 Site
H30280 | V0014500 | II | (U) HBSS has the current security patches installed. | | | | | McAfee ePO 4.0 Site, McAfee ePO 4.0 Rollup, McAfee ePO 4.5 Rollup, McAfee Rogue Sensor, McAfee Policy Auditor, McAfee HIPS, McAfee ePO 4.5 Site, McAfee Asset Module, McAfee Agent
H30290 | V0017880 | II | (U) HBSS application has a DoD certificate installed. | | | | | McAfee ePO 4.0 Site, McAfee ePO 4.0 Rollup, McAfee ePO 4.5 Rollup, McAfee ePO 4.5 Site
H30300 | V0014501 | I | (U) The ePO server is not using the default keys. | | | | | McAfee ePO 4.0 Site, McAfee ePO 4.0 Rollup, McAfee ePO 4.5 Rollup, McAfee ePO 4.5 Site
H30400 | V0014502 | II | (U) The ePO server has all clients using non-default keys. | | | | | McAfee ePO 4.0 Site, McAfee ePO 4.0 Rollup, McAfee ePO 4.5 Rollup, McAfee ePO 4.5 Site
H30500 | V0014503 | II | (U) The ePO server has a scheduled task to pull updates daily from the authorized source repository. | | | | | McAfee ePO 4.0 Site, McAfee ePO 4.0 Rollup, McAfee ePO 4.5 Rollup, McAfee ePO 4.5 Site
H30540 | V0014504 | II | (U) The ePO server has a scheduled task to replicate changes to distributed repositories daily. | | | | | McAfee ePO 4.0 Site, McAfee ePO 4.5 Site
H30560 | V0014505 | II | (U) The ePO server does not have a scheduled task to do complete repository updates at least weekly. | | | | | McAfee ePO 4.0 Site, McAfee ePO 4.5 Site
H30580 | V0014506 | II | (U) The ePO server has a scheduled task to identify Inactive Agents daily. | | | | | McAfee ePO 4.0 Site, McAfee ePO 4.5 Site
H30620 | V0014508 | II | (U//FOUO) Only a dedicated machine can be used to manage the ePO server. | | | | | McAfee ePO 4.0 Site, McAfee ePO 4.0 Rollup, McAfee ePO 4.5 Rollup, McAfee ePO 4.5 Site
H30640 | V0014507 | I | (U//FOUO) The ePO server cannot be part of a domain. | | | | | McAfee ePO 4.0 Site, McAfee ePO 4.0 Rollup, McAfee ePO 4.5 Rollup, McAfee ePO 4.5 Site
H30700 | V0014509 | II | (U) The ePO server is regularly checked for file integrity. | | | | | McAfee ePO 4.0 Site, McAfee ePO 4.0 Rollup, McAfee ePO 4.5 Rollup, McAfee ePO 4.5 Site
H30720 | V0017885 | II | (U) The ePO server has MyAverts disabled. | | | | | McAfee ePO 4.0 Site, McAfee ePO 4.0 Rollup, McAfee ePO 4.5 Rollup, McAfee ePO 4.5 Site
H30740 | V0017886 | II | (U) The ePO server displays the correct warning banner. | | | | | McAfee ePO 4.0 Site, McAfee ePO 4.0 Rollup, McAfee ePO 4.5 Rollup, McAfee ePO 4.5 Site
H30760 | V0017887 | II | (U) The ePO server has user timeout parameter set properly. | | | | | McAfee ePO 4.0 Site, McAfee ePO 4.0 Rollup, McAfee ePO 4.5 Rollup, McAfee ePO 4.5 Site
H30780 | V0017888 | II | (U//FOUO) The HBSS console tabbed browsing is disabled. | | | | | McAfee ePO 4.0 Site, McAfee ePO 4.0 Rollup, McAfee ePO 4.5 Rollup, Remote Console, McAfee ePO 4.5 Site
H30800 | V0017889 | II | (U//FOUO) HBSS does not have vendor site supplied data dashboards in use. | | | | | McAfee ePO 4.0 Site, McAfee ePO 4.0 Rollup, McAfee ePO 4.5 Rollup, McAfee ePO 4.5 Site
H30820 | V0017890 | II | (U//FOUO) The HBSS dashboard refresh rate is set properly. | | | | | McAfee ePO 4.0 Site, McAfee ePO 4.0 Rollup, McAfee ePO 4.5 Rollup, McAfee ePO 4.5 Site
H31100 | V0014510 | I | (U//FOUO) The ePO SQL database installation is dedicated to HBSS. | | | | | McAfee ePO 4.0 Site, McAfee ePO 4.0 Rollup, McAfee ePO 4.5 Rollup, McAfee ePO 4.5 Site
H31120 | V0014511 | III | (U//FOUO) The SQL database installation partition is separated from the other parts of the application. | | | | | McAfee ePO 4.0 Site, McAfee ePO 4.0 Rollup, McAfee ePO 4.5 Rollup, McAfee ePO 4.5 Site
H31160 | V0014939 | II | (U) The SQL database is configured as least privilege or only authorized users have access to data. | | | | | McAfee ePO 4.0 Site, McAfee ePO 4.0 Rollup, McAfee ePO 4.5 Rollup, McAfee ePO 4.5 Site
H33100 | V0014513 | II | (U//FOUO) The workstation used for administrative access is dedicated to HBSS. | | | | | Remote Console
H33120 | V0014514 | I | (U//FOUO) The workstation used for remote access is blocked from other connections. | | | | | Remote Console
H33130 | V0014515 | II | (U//FOUO) The workstation used for remote access is protected both logically and physically by a DoD enclave. | | | | | Remote Console
H33140 | V0014516 | II | (U//FOUO) The ePO server's management workstation outside the enclave uses VPNs for access and logs VPN traffic. | | | | | Remote Console
H33150 | V0014517 | I | (U//FOUO) The ePO server's remote console machine cannot be part of a domain. | | | | | Remote Console
H33160 | V0014518 | II | (U//FOUO) The ePO server's remote console machine must have a static IP address. | | | | | Remote Console
H34100 | V0014519 | II | (U) Rogue System Detection is in place. | | | | | McAfee ePO 4.0 Site, McAfee ePO 4.5 Site
H35000 | V0015346 | II | (U//FOUO) The site scans hosts before installation of the HBSS client. | | | | | McAfee ePO 4.0 Site, McAfee ePO 4.5 Site
H35100 | V0014520 | II | (U//FOUO) The ePO agent is configured for Agent Wakeup. | | | | | McAfee Agent
H35110 | V0017884 | II | (U//FOUO) The ePO agent is configured to only accept connections from the ePO server. | | | | | McAfee Agent
H35120 | V0014521 | II | (U//FOUO) The ePO agent is configured correctly for the policy enforcement interval. | | | | | McAfee Agent
H35140 | V0014522 | I | (U//FOUO) The ePO agent to server communication is enabled. | | | | | McAfee Agent
H35160 | V0014523 | II | (U//FOUO) The ePO agent to server communication interval is set correctly. | | | | | McAfee Agent
H35180 | V0014524 | II | (U//FOUO) The ePO agent policy age parameter interval is set correctly. | | | | | McAfee Agent
H35200 | V0014525 | II | (U//FOUO) The ePO agent property type is set correctly. | | | | | McAfee Agent
H35220 | V0014526 | II | (U//FOUO) The ePO agent is configured to upload events immediately. | | | | | McAfee Agent
H35300 | V0014527 | II | (U//FOUO) The ePO agent is configured for logging. | | | | | McAfee Agent
H35320 | V0014528 | I | (U//FOUO) The ePO agent is configured to disallow remote access to logs. | | | | | McAfee Agent
H35400 | V0014529 | II | (U//FOUO) The ePO agent is configured to use ePO repositories. | | | | | McAfee Agent
H35420 | V0014530 | II | (U//FOUO) The ePO agent is configured to use multiple ePO repositories. | | | | | McAfee Agent
H35440 | V0014531 | II | (U) The ePO agent is configured to use DoD-controlled ePO repositories. | | | | | McAfee Agent
H35500 | V0017891 | II | (U) The ePO component is not in enforcement mode. | | | | | McAfee Rogue Sensor, McAfee HIPS, McAfee Asset Module, McAfee Agent
H36000 | V0015363 | II | (U//FOUO) The HIPS module is deployed. | | | | | McAfee Agent
H36100 | V0014532 | II | (U//FOUO) The HIPS parameter that controls the 'add and remove' programs' option is disabled. | | | | | McAfee HIPS
H36110 | V0017892 | II | (U) The HIPS error reporting feature is disabled. | | | | | McAfee HIPS
H36120 | V0014534 | I | (U) The Host Intrusion Prevention System (HIPS) Admin password for the User Interface (UI) is known and protected. | | | | | McAfee HIPS
H36140 | V0014533 | I | (U) The Host Intrusion Prevention System (HIPS) Admin password for the User Interface (UI) has been changed from the default. | | | | | McAfee HIPS
H36160 | V0014535 | II | (U//FOUO) The HIPS User Interface Admin password meets password complexity requirements. | | | | | McAfee HIPS
H36180 | V0014536 | II | (U//FOUO) The HIPS Admin password for the User Interface (UI) time-based password is disabled. | | | | | McAfee HIPS
H36200 | V0014537 | II | (U//FOUO) The HIPS User Interface (UI) parameter for disabling features from the tray is set correctly. | | | | | McAfee HIPS
H36210 | V0017893 | II | (U//FOUO) The HIPS IPS engines are active. | | | | | McAfee HIPS
H36220 | V0014538 | II | (U//FOUO) The ePO Server's HIPS Trusted Network address list allows only acceptable networks. | | | | | McAfee ePO 4.0 Site, McAfee ePO 4.0 Rollup, McAfee ePO 4.5 Rollup, McAfee ePO 4.5 Site
H36260 | V0014540 | II | (U//FOUO) The HIPS Trusted Network address list allows only acceptable networks. | | | | | McAfee HIPS
H36280 | V0014541 | II | (U//FOUO) The HIPS Trusted Network address list does not include the local subnet automatically. | | | | | McAfee HIPS
H36300 | V0014542 | II | (U//FOUO) The HIPS trusted application list is reviewed against the machine's expected baseline. | | | | | McAfee HIPS
H36400 | V0014543 | I | (U//FOUO) The HIPS policy has enabled Host IPS. | | | | | McAfee HIPS
H36410 | V0014546 | II | (U//FOUO) The HIPS policy disallows the retention of existing client rules. | | | | | McAfee HIPS
H36420 | V0014544 | I | (U//FOUO) The HIPS policy enables Network IPS. | | | | | McAfee HIPS
H36440 | V0014545 | I | (U//FOUO) The HIPS policy enables the automatic blocking of network intruders. | | | | | McAfee HIPS
H36500 | V0014547 | I | (U//FOUO) The HIPS policy for High Severity is set correctly. | | | | | McAfee HIPS
H36510 | V0014548 | II | (U//FOUO) The HIPS policy for Medium Severity is set properly. | | | | |
H36640 | V0014552 | II | (U//FOUO) The HIPS policy implements an appropriate rules hierarchy. | | | | |
H36660 | V0014553 | II | (U//FOUO) The HIPS policy includes the signature for protection of the ePO registry. | | | | |
H36661 | V0014554 | II | (U//FOUO) The HIPS policy includes the signature for protection of the ePO Server KeyStore. | | | | |
H36662 | V0014555 | II | (U//FOUO) The HIPS policy includes the signature for protection of the INFOCON registry key. | | | | |
H36663 | V0014556 | II | (U//FOUO) The HIPS policy includes the signature for protection of Server.ini. | | | | |
H36664 | V0014557 | II | (U//FOUO) The HIPS policy includes the signature for protection of HIPS preferences. | | | | |
H36665 | V0017894 | II | (U//FOUO) The HIPS policy includes the signature for protection of ePO Server Agent Keystore. | | | | |
H36666 | V0017895 | II | (U//FOUO) The HIPS policy includes the signature for protection of Protect Product Folders. | | | | |
H36900 | V0014560 | II | (U) The HIPS for the ePO server has the firewall installed and enabled. | | | | |
H36920 | V0014561 | II | (U//FOUO) The HIPS for the ePO server has the firewall set for regular protection. | | | | |
H36940 | V0014562 | II | (U//FOUO) The HIPS for the ePO server has the firewall set not to retain client rules. | | | | |
H36960 | V0014495 | II | (U//FOUO) The ePO server firewall rules are set correctly. | | | | |
H37100 | V0014563 | II | (U//FOUO) The Assets Module Baseline has been installed. | | | | |
H37500 | V0024305 | II | (U) The ePO server, if hosting Symantec AV, will only use the DoD-controlled SEPM server, when available. | | | | |
H38100 | V0014565 | II | (U) The distributed repository is a Super Agent Repository. | | | | |
H39200 | V0019885 | II | (U//FOUO) Policy Auditor has been installed. | | | | |
H40100 | V0014566 | I | (U) Default operating system passwords do not exist on the HBSS server. | | | | |
H40120 | V0014567 | I | (U) Default passwords do not exist within the HBSS application. | | | | |
H40140 | V0014568 | II | (U) The ePO has users assigned in appropriate roles. | | | | |
H40160 | V0014569 | II | (U) The ePO users are granted access with proper procedures and/or verification of need to know. | | | | |
H40180 | V0014570 | II | (U//FOUO) The ePO has a comprehensive account management process. | | | | |
H40200 | V0014868 | II | (U//FOUO) The account management process enforces password complexity. | | | | |
H40220 | V0014571 | II | (U//FOUO) The account used for vulnerability scanning on the ePO server meets creation and deletion requirements. | | | | |
H40300 | V0024169 | I | (U//FOUO) Credentials cannot be stored outside HBSS. | | | | |
H41110 | V0017897 | II | (U) ePO accounts are not configured with shared Windows accounts. | | | | |
H42100 | V0024011 | II | (U) HBSS Client Authentication Module is enabled. | | | | |
H42110 | V0024012 | II | (U) HBSS Client Authentication is set to current version. | | | | |
H42120 | V0024013 | II | (U) Limit number of non-PK enabled accounts. | | | | |
H42130 | V0024014 | II | (U) Remove all user certificates after import. | | | | |
H42155 | V0024017 | II | (U) Certificate Authority folder populated for Intermediate CAs. | | | | |
H42180 | V0024020 | II | (U) Permissions on the CRL directory must be set correctly. | | | | |
H42185 | V0024021 | II | (U) CRL directory content is complete. | | | | |
H42190 | V0024022 | II | (U) Local CRL checking is enabled. | | | | |
H42195 | V0024023 | II | (U) OCSP Responder URL configured. | | | | |
H42200 | V0024161 | II | (U) The HBSS keystore permissions are set correctly. | | | | |
H50100 | V0014572 | II | (U) SA account is not used within the application. | | | | |
H50110 | V0014512 | II | (U) The SQL database connection account is configured as least privilege. | | | | |
H50120 | V0014573 | II | (U//FOUO) A plan for grouping of machines for updates and alerts is in place. | | | | |
H50240 | V0014574 | II | (U) Procedures exist and are followed to mark classified or sensitive data. | | | | |
H50260 | V0017898 | II | (U) Application Report Header is configured correctly. | | | | |
H51100 | V0024162 | II | (U//FOUO) SSL in use for SQL Server. | | | | |
H51110 | V0024165 | II | (U//FOUO) A DoD certificate is used for encryption. | | | | |
H51200 | V0024307 | II | (U) The Site ePO server has the account used by the Rollup server to pull data from the Site ePO to be configured with read-only access to the ePO data. | | | | |
H51210 | V0024308 | II | (U) Staging server will have the account used by the Rollup Server to pull data from the Staging Server to be configured with Read only access to the ePO data. | | | | |
H51220 | V0024309 | II | (U) The staging server has a separate account for each site ePO that is being serviced. | | | | |
H51230 | V0024310 | II | (U) The Rollup server will have a separate account for each staging server or Site ePO that it is servicing. | | | | |
H51240 | V0024311 | II | (U) The staging server accounts used for site ePOs to push data to the staging server have write access only in the database for the ePO's site. | | | | |
H52000 | V0024167 | II | (U) ePO Rollup server does not control clients. | | | | |
H60100 | V0014575 | II | (U) HBSS Audit Logs are retained for at least one year. | | | | |
H60120 | V0014577 | II | (U) HBSS audit log reviews are performed at least weekly. | | | | |
H60140 | V0014578 | II | (U) HBSS audit data is backed up at least weekly to a different system or media. | | | | |
H60160 | V0014579 | II | (U) The HBSS audit data is properly protected from unauthorized access. | | | | |
H60180 | V0014580 | II | (U) The Remote Admin access of ePO is reviewed. | | | | |
H62100 | V0017899 | II | (U) HBSS Event Logs are being retained for at least one year. | | | | |
H80100 | V0014581 | II | (U) The disaster recovery plan includes HBSS. | | | | |
H80120 | V0014582 | II | (U) The ePO Data Backup Frequency or content is complete. | | | | |
H80200 | V0015354 | II | (U//FOUO) Offline copies of the HBSS database are encrypted. | | | | |
H80300 | V0024306 | II | (U) Sensitive data is not included in e-mail notifications. | | | | |
H90120 | V0014583 | II | (U//FOUO) The ePO server is registered in VMS. | | | | |
H90140 | V0014584 | II | (U//FOUO) The ePO has the correct attributes within VMS. | | | | |
H90160 | V0014585 | II | (U//FOUO) HBSS is incorporated into the site's incident response plan. | | | | |
H90200 | V0015357 | II | (U//FOUO) The HBSS SAs or Analysts have completed training. | | | | |
H90300 | V0015358 | II | (U//FOUO) The site incorporates the installation of HBSS agents on new hosts prior to network connection. | | | | |
Section (column continues for the rows from H36510 onward):
McAfee ePO 4.0
Site, McAfee ePO
4.0 Rollup, McAfee
ePO 4.5 Rollup,
McAfee ePO 4.5
Site
McAfee HIPS
McAfee HIPS
Section
McAfee ePO 4.0
Site, McAfee ePO
4.0 Rollup, McAfee
ePO 4.5 Rollup,
McAfee ePO 4.5
Site
McAfee HIPS
McAfee ePO 4.0
Site, McAfee ePO
4.0 Rollup, McAfee
ePO 4.5 Rollup,
Remote Console,
McAfee ePO 4.5
Site
McAfee HIPS
McAfee ePO 4.0
Site, McAfee ePO
4.0 Rollup, McAfee
ePO 4.5 Rollup,
McAfee ePO 4.5
Site
McAfee ePO 4.0
Site, McAfee ePO
4.0 Rollup, McAfee
ePO 4.5 Rollup,
McAfee ePO 4.5
Site
McAfee ePO 4.0
Site, McAfee ePO
4.0 Rollup, McAfee
ePO 4.5 Rollup,
McAfee ePO 4.5
Site
McAfee ePO 4.0
Site, McAfee ePO
4.0 Rollup, McAfee
ePO 4.5 Rollup,
McAfee ePO 4.5
Site
McAfee ePO 4.0
Site, McAfee ePO
4.0 Rollup, McAfee
ePO 4.5 Rollup,
McAfee ePO 4.5
Site
Section
McAfee ePO 4.0
Site, McAfee ePO
4.0 Rollup, McAfee
ePO 4.5 Rollup,
Staging Server,
McAfee ePO 4.5
Site
McAfee Agent
McAfee ePO 4.0
Site, McAfee ePO
4.0 Rollup, McAfee
ePO 4.5 Rollup,
McAfee ePO 4.5
Site
McAfee Distributed
Repository
McAfee Agent
McAfee ePO 4.0
Site, McAfee ePO
4.0 Rollup, McAfee
ePO 4.5 Rollup,
McAfee ePO 4.5
Site
McAfee ePO 4.0
Site, McAfee ePO
4.0 Rollup, McAfee
ePO 4.5 Rollup,
McAfee ePO 4.5
Site
McAfee ePO 4.0
Site, McAfee ePO
4.0 Rollup, McAfee
ePO 4.5 Rollup,
McAfee ePO 4.5
Site
McAfee ePO 4.0
Site, McAfee ePO
4.0 Rollup, McAfee
ePO 4.5 Rollup,
McAfee ePO 4.5
Site
McAfee ePO 4.0
Site, McAfee ePO
4.0 Rollup, McAfee
ePO 4.5 Rollup,
McAfee ePO 4.5
Site
Section
McAfee ePO 4.0
Site, McAfee ePO
4.0 Rollup, McAfee
ePO 4.5 Rollup,
McAfee ePO 4.5
Site
McAfee ePO 4.0
Site, McAfee ePO
4.0 Rollup, McAfee
ePO 4.5 Rollup,
McAfee ePO 4.5
Site
McAfee ePO 4.0
Site, McAfee ePO
4.0 Rollup, McAfee
ePO 4.5 Rollup
McAfee ePO 4.0
Site, McAfee ePO
4.0 Rollup, McAfee
ePO 4.5 Rollup,
McAfee ePO 4.5
Site
McAfee ePO 4.0
Site, McAfee ePO
4.0 Rollup, McAfee
ePO 4.5 Rollup,
McAfee ePO 4.5
Site
McAfee ePO 4.0
Site, McAfee ePO
4.0 Rollup, McAfee
ePO 4.5 Rollup,
McAfee ePO 4.5
Site
McAfee ePO 4.0
Site, McAfee ePO
4.0 Rollup, McAfee
ePO 4.5 Rollup,
McAfee ePO 4.5
Site
McAfee ePO 4.0
Site, McAfee ePO
4.0 Rollup, McAfee
ePO 4.5 Rollup,
Remote Console,
McAfee ePO 4.5
Site
Section
McAfee ePO 4.0
Site, McAfee ePO
4.0 Rollup, McAfee
ePO 4.5 Rollup,
McAfee ePO 4.5
Site
McAfee ePO 4.0
Site, McAfee ePO
4.0 Rollup, McAfee
ePO 4.5 Rollup,
McAfee ePO 4.5
Site
McAfee ePO 4.0
Site, McAfee ePO
4.0 Rollup, McAfee
ePO 4.5 Rollup,
McAfee ePO 4.5
Site
McAfee ePO 4.0
Site, McAfee ePO
4.0 Rollup, McAfee
ePO 4.5 Rollup,
McAfee ePO 4.5
Site
McAfee ePO 4.0
Site, McAfee ePO
4.0 Rollup, McAfee
ePO 4.5 Rollup,
McAfee ePO 4.5
Site
McAfee ePO 4.0
Site, McAfee ePO
4.0 Rollup, McAfee
ePO 4.5 Rollup,
McAfee ePO 4.5
Site
McAfee ePO 4.0
Site, McAfee ePO
4.0 Rollup, McAfee
ePO 4.5 Rollup,
McAfee ePO 4.5
Site
McAfee ePO 4.0
Site, McAfee ePO
4.0 Rollup, McAfee
ePO 4.5 Rollup,
McAfee ePO 4.5
Site
Section
McAfee ePO 4.0
Site, McAfee ePO
4.0 Rollup, McAfee
ePO 4.5 Rollup,
McAfee ePO 4.5
Site
McAfee ePO 4.0
Site, McAfee ePO
4.0 Rollup, McAfee
ePO 4.5 Rollup,
McAfee ePO 4.5
Site
McAfee ePO 4.0
Site, McAfee ePO
4.0 Rollup, McAfee
ePO 4.5 Rollup,
McAfee ePO 4.5
Site
McAfee ePO 4.0
Site, McAfee ePO
4.0 Rollup, McAfee
ePO 4.5 Rollup,
Staging Server,
McAfee ePO 4.5
Site
McAfee ePO 4.0
Site, McAfee ePO
4.0 Rollup, McAfee
ePO 4.5 Rollup,
Staging Server,
McAfee ePO 4.5
Site
McAfee ePO 4.0
Site, McAfee ePO
4.5 Site
Staging Server
Staging Server
Section
McAfee ePO 4.0
Rollup, McAfee
ePO 4.5 Rollup
Staging Server
McAfee ePO 4.0
Rollup, McAfee
ePO 4.5 Rollup
McAfee ePO 4.0
Site, McAfee ePO
4.0 Rollup, McAfee
ePO 4.5 Rollup,
McAfee ePO 4.5
Site
McAfee ePO 4.0
Site, McAfee ePO
4.0 Rollup, McAfee
ePO 4.5 Rollup,
McAfee ePO 4.5
Site
McAfee ePO 4.0
Site, McAfee ePO
4.0 Rollup, McAfee
ePO 4.5 Rollup,
McAfee ePO 4.5
Site
McAfee ePO 4.0
Site, McAfee ePO
4.0 Rollup, McAfee
ePO 4.5 Rollup,
McAfee ePO 4.5
Site
McAfee ePO 4.0
Site, McAfee ePO
4.0 Rollup, McAfee
ePO 4.5 Rollup,
McAfee ePO 4.5
Site
McAfee ePO 4.0
Site, McAfee ePO
4.0 Rollup, McAfee
ePO 4.5 Rollup,
McAfee ePO 4.5
Site
Section
McAfee ePO 4.0
Site, McAfee ePO
4.0 Rollup, McAfee
ePO 4.5 Rollup,
McAfee ePO 4.5
Site
McAfee ePO 4.0
Site, McAfee ePO
4.0 Rollup, McAfee
ePO 4.5 Rollup,
McAfee ePO 4.5
Site
McAfee ePO 4.0
Site, McAfee ePO
4.0 Rollup, McAfee
ePO 4.5 Rollup,
McAfee ePO 4.5
Site
McAfee ePO 4.0
Site, McAfee ePO
4.0 Rollup, McAfee
ePO 4.5 Rollup,
McAfee ePO 4.5
Site
McAfee ePO 4.0
Site, McAfee ePO
4.0 Rollup, McAfee
ePO 4.5 Rollup,
McAfee ePO 4.5
Site
McAfee ePO 4.0
Site, McAfee ePO
4.0 Rollup, McAfee
ePO 4.5 Rollup,
McAfee ePO 4.5
Site
McAfee ePO 4.0
Site, McAfee ePO
4.0 Rollup, McAfee
ePO 4.5 Rollup,
McAfee ePO 4.5
Site
McAfee ePO 4.0
Site, McAfee ePO
4.0 Rollup, McAfee
ePO 4.5 Rollup,
McAfee ePO 4.5
Site
McAfee ePO 4.0
Site, McAfee ePO
4.5 Site
____ Checklist _V_R_ (<date>) <Test> - TN <Ticket Number>
Columns: GR-815, CAT, Requirement, Vulnerability, Status, Finding Notes, Systems Affected, Components Affected

R3-6[4]  CAT Low
  Requirement: A process (e.g., an NSC, service, or application) that is invoked by a user shall be associated with the identifier (e.g., userID) of that user. When the invoked process invokes another process, the invoked process shall be associated with the identifier of the invoking process. Autonomous processes (i.e., processes running without user invocation, such as print spoolers, database management servers, translation process monitors, etc.) shall be associated with a system-defined unique identification code (e.g., system ownership).
  Vulnerability: An administrator will not be able to distinguish between entities that are accessing the system. The system will not provide enough information to facilitate after-incident audits or investigations.

R3-17[42]  CAT Medium
  Requirement: The access point shall perform the entire user authentication procedure even if the user-ID that is entered is not valid.

R3-18[43]  CAT Medium
  Requirement: The error feedback generated by the access point after the user authentication procedure shall provide no information other than “invalid,” i.e., it shall not reveal which part of the user-entered information (user-ID and/or authenticator) is incorrect.

Legend:
R or RAE = Required Ancillary Equipment
NF = Not a Finding
NA = Not Applicable
446 of 1298
R3-25[13]  CAT Medium
  Requirement: Access points that provide a login service shall not prevent a user from choosing (e.g., unknowingly) a password that is already associated with another user-ID. (Otherwise, an existing password may be divulged.)

R3-26[14]  CAT High
  Requirement: The NE/FS/NS shall store passwords in a one-way encrypted form.

R3-30[18]  CAT Medium
  Requirement: The NE/FS/NS shall provide a mechanism for a password to be user changeable. This mechanism shall require re-authentication of user identity.
  Vulnerability: The system is vulnerable to unauthorized access and masquerading. At the time that the password is issued, both the user and the issuing authority know the user name and password. The issuing authority could masquerade as the user and perform malicious acts on the system.

R3-61[236]  CAT Medium
  Requirement: An SS7 Signaling Transfer Point (STP) shall provide gateway screening capabilities for operations and services functions and for all types of messages.
R3-62[237]  CAT Medium
  Requirement: An NGN Signaling Gateway (SGW) shall provide gateway screening capabilities for operations and services functions and for all types of messages.

CR3-65[240]  CAT Medium
  Requirement: NE/FS/NSs that support remote network management applications and/or critical network services shall provide data integrity services to enable the access point to determine if all received messages/operations requests have been modified since being sent from an authorized entity.

CR3-69[244]  CAT Low
  Requirement: NE/FS/NSs that support remote network management applications and/or critical network services shall provide support for message replay detection services to enable the NSC to detect message replay attacks.
R3-87[55]  CAT Low
  Requirement: If the NE/FS/NS belongs to class A, the following shall be displayed upon successful access to the NE/FS/NS: 1. The date and time (and location identifier, when available) of the user's last successful access to the NE/FS/NS. 2. The number of unsuccessful attempts by that user-ID to gain system access to the NE/FS/NS (e.g., mis-typed password) since the last successful access by that user-ID.
  Vulnerability: The system is vulnerable to unauthorized access. An adversary could access the system using compromised credentials without the user knowing that his account has been compromised. The system is also vulnerable to an adversary guessing account information in an attempt to gain access.

R3-119[83]  CAT Medium
  Requirement: The security log and its control mechanisms shall survive system restarts (e.g., via reloading).
  Vulnerability: The system may be vulnerable to an attacker performing undetectable malicious acts.
R3-127[101]  CAT Low
  Requirement: The NE/FS/NS shall have the capability to protect data integrity by performing integrity checks and/or data update such as: 1. Proper rule checking on data update. 2. Adequate alert messages (e.g., “Do you really mean it?”) in response to potentially damaging commands before executing them, so that involuntary human errors may be reduced. 3. Proper handling of duplicate/multiple inputs. 4. Checking return status. 5. Checking intermediate results. 6. Checking inputs for reasonable values.

R3-129[97]  CAT Low
  Requirement: The NE/FS/NS shall provide mechanisms to monitor NE/FS/NS resources and their availability (e.g., overflow indication, lost messages, buffer queues).
  Vulnerability: If the system has a problem that affects the secure operation of the system, it could go unnoticed and eventually cause a denial of service.

R3-130[98]  CAT Low
  Requirement: The NE/FS/NS shall provide mechanisms to detect communication errors (relevant to the NE/FS/NS) above a specifiable threshold.
R3-145[112]  CAT Low
  Requirement: Display all users currently logged on, where the word user is used in a broad sense as elsewhere in this document.
  Vulnerability: The system may be vulnerable to unauthorized use since an administrator would not be able to verify who was using the system.

R3-156[123]  CAT Medium/Low
  Requirement: The following security parameters shall not be hard-coded (i.e., they shall be specifiable/assignable and adjustable by an appropriate administrator using operations-related messages): 1. Password Aging Interval, i.e., the length of time the password will remain valid after being updated. 2. The interval (or equivalent) during which an expired password of a user shall be denied being selected again as a new password by the same user (to prevent “password flipping”). 3. The events that may trigger alarms (e.g., failed login attempts), the levels of alarms (e.g., critical, major, minor), the type of notification (e.g., beep and/or message), and the routing of the alarm (e.g., specific port). 4. The duration of channel lock-out, which occurs when the threshold on the number of incorrect logins is exceeded. 5. A customized advisory
  Vulnerability: The system will not be able to adjust to future, more stringent requirements.
CR3-158[125]  CAT Low
  Requirement: For an NE/FS/NS that is required to provide a notification to users requiring them to change their passwords, the mechanism to accomplish this shall not be hard-coded (i.e., it shall be specifiable/assignable and adjustable by an appropriate administrator using operations-related messages). The following are examples of alternative ways to accomplish this: * Adjusting the “early warning period” (i.e., how early shall the user be notified before the password expiration). * Adjusting the “grace period” (i.e., the period over which an expired password is still accepted by the NE/FS/NS). * Adjusting the subsequent number of logins that will be allowed after password expiration.
  Vulnerability: The system is vulnerable to password guessing and password hacking scripts.

R3-167[134]  CAT Low
  Requirement: When an NE/FS/NS needs to be restarted, default user-IDs and passwords, previously modified by an administrator, shall not revert back to the vendor-delivered default user-IDs and passwords.
Columns: PDI, VMSID, CAT, Requirement, Vulnerability, Status, Finding Notes

IM0010  V0015437  CAT III
  Requirement: No policy prohibiting peer-to-peer applications or software exists.

IM0020  V0015398  CAT I
  Requirement: Peer-to-peer applications are used for instant messaging.

IM0030  V0015436  CAT I
  Requirement: Publicly hosted instant messaging applications are being used for instant messaging.

IM0040  V0015401  CAT I
  Requirement: Instant messaging servers are not located behind a firewall.

IM0050  V0015402  CAT II
  Requirement: Instant messaging clients connect to unapproved instant messaging servers.

IM0060  V0015403  CAT II
  Requirement: Instant messaging gateway servers are not located in the DMZ.

IM0070  V0015404  CAT I
  Requirement: Instant messaging system communicates or interacts with public servers.

IM0080  V0015405  CAT II
  Requirement: Instant messaging traffic is not encrypted.

IM0090  V0015438  CAT II
  Requirement: Instant messaging clients are not using DoD certificate authority.

IM0100  V0015439  CAT II
  Requirement: Instant messaging services not required are enabled. Required services will be documented with the IAO/SA.

IM0110  V0015440  CAT III
  Requirement: There is no topology diagram of the instant messaging system.

IM0130  V0015441  CAT III
  Requirement: Instant messaging username policy does not exist.

IM0140  V0015442  CAT III
  Requirement: Instant messaging usernames are not in accordance with the username policy.

IM0150  V0015443  CAT II
  Requirement: Instant messaging system is not linked to a directory service.
IM0160  V0015444  CAT III
  Requirement: There are no documented procedures for adding and deleting instant messaging users.

IM0170  V0015445  CAT II
  Requirement: User passwords are not in accordance with DoD password policy.

IM0180  V0015446  CAT II
  Requirement: System administrator passwords are not in accordance with DoD password policy.

IM0190  V0015406  CAT II
  Requirement: Instant messaging system stored passwords are not encrypted.

IM0200  V0015447  CAT II
  Requirement: Anonymous and guest users are enabled.

IM0210  V0015448  CAT II
  Requirement: Unsuccessful logon attempts are not configured to three with an account lockout of 15 minutes or until it is unlocked.

IM0220  V0015449  CAT II
  Requirement: Instant messaging system does not log user events.

IM0230  V0015450  CAT II
  Requirement: Instant messaging system does not log system events.

IM0240  V0015451  CAT II
  Requirement: Instant messaging system does not log virtual meeting entries and exits.

IM0250  V0015452  CAT II
  Requirement: Instant messaging system does not log virtual meeting tools.

IM0310  V0015453  CAT II
  Requirement: Instant messaging system logs are not stored offline for a year.

IM0320  V0015454  CAT III
  Requirement: No centralized syslog server is deployed for the instant messaging system.

IM0330  V0015455  CAT II
  Requirement: Instant messaging system logs are not restricted to authorized users only. These authorized users will be documented.
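Several of the login-path rules in this checklist fit together in one routine. The following is an added illustration, not part of the checklist or of any product it covers, showing an access-point login procedure that satisfies R3-17 (the full authentication procedure runs even for an unknown user-ID), R3-18 (the only feedback on failure is "invalid"), R3-26 (passwords are held only as one-way PBKDF2 digests), R3-87 (the previous successful access and the failures since it are reported on success), and the lockout values of IM0210 and R3-156 item 4 (threshold and duration are administrator-set parameters rather than hard-coded). The class and function names, the choice of PBKDF2-HMAC-SHA256, the decoy credential and the sample user are assumptions of this example.

```python
"""Added example: an access-point login routine following R3-17, R3-18, R3-26,
R3-87 and the IM0210 / R3-156 lockout parameters. Names and the PBKDF2 choice
are assumptions of this example, not taken from the checklist."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class Policy:
    # Administrator-adjustable values (R3-156): nothing below is hard-coded in the login path.
    lockout_threshold: int = 3        # IM0210: three unsuccessful logon attempts ...
    lockout_seconds: int = 15 * 60    # ... lock the account for 15 minutes
    pbkdf2_rounds: int = 100_000


@dataclass
class Account:
    salt: bytes
    digest: bytes                       # one-way form only (R3-26); the password itself is never stored
    last_success: Optional[float] = None
    failures_since_success: int = 0     # R3-87 item 2
    consecutive_failures: int = 0       # drives the lockout
    lock_until: float = 0.0             # 0.0 means not locked


def derive(password: str, salt: bytes, rounds: int) -> bytes:
    """One-way transform of a password (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)


class AccessPoint:
    GENERIC_FAILURE = {"result": "invalid"}   # R3-18: no hint about which part was wrong

    def __init__(self, policy: Optional[Policy] = None,
                 clock: Callable[[], float] = time.time) -> None:
        self.policy = policy or Policy()
        self.clock = clock
        self.accounts: Dict[str, Account] = {}
        # Decoy credential (constructed at start-up): an unknown user-ID still costs one
        # full derivation, so the procedure is the same length either way (R3-17).
        self._decoy_salt = os.urandom(16)
        self._decoy_digest = derive(os.urandom(16).hex(), self._decoy_salt, self.policy.pbkdf2_rounds)

    def add_user(self, user_id: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[user_id] = Account(salt, derive(password, salt, self.policy.pbkdf2_rounds))

    def login(self, user_id: str, password: str) -> dict:
        now = self.clock()
        acct = self.accounts.get(user_id)
        salt, digest = (acct.salt, acct.digest) if acct else (self._decoy_salt, self._decoy_digest)
        # The whole procedure runs before any decision is taken, known user-ID or not (R3-17).
        matched = hmac.compare_digest(derive(password, salt, self.policy.pbkdf2_rounds), digest)
        if acct is None:
            return dict(self.GENERIC_FAILURE)
        if acct.lock_until and now >= acct.lock_until:
            acct.lock_until = 0.0            # lockout window has elapsed
            acct.consecutive_failures = 0
        if acct.lock_until or not matched:
            acct.failures_since_success += 1
            acct.consecutive_failures += 1
            if not acct.lock_until and acct.consecutive_failures >= self.policy.lockout_threshold:
                acct.lock_until = now + self.policy.lockout_seconds
            return dict(self.GENERIC_FAILURE)   # same answer for a wrong password and a locked account
        # R3-87: report the previous successful access and the failures since it, then reset.
        report = {"result": "ok",
                  "last_success": acct.last_success,
                  "failures_since_last_success": acct.failures_since_success}
        acct.last_success = now
        acct.failures_since_success = 0
        acct.consecutive_failures = 0
        return report
```

The clock is injected so the 15-minute window can be exercised without waiting; in production the default `time.time` applies. A locked account and a wrong password produce the identical response, so the caller learns nothing from the feedback beyond "invalid", which is what R3-18 asks for; the counters that the user sees on the next successful login (R3-87) are the place where the failed attempts become visible.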
IM0340  V0015735  CAT II
  Requirement: Instant messaging system logs are not reviewed.

IM0350  V0015457  CAT II
  Requirement: No warning banner configured on instant messaging system.

IM0360  V0015458  CAT II
  Requirement: Instant messaging servers are not configured according to the operating system STIG.

IM0370  V0015459  CAT II
  Requirement: Instant messaging system databases are not configured according to the Database STIG.

IM0380  V0015396  CAT III
  Requirement: The IAO/SA does not subscribe to instant messaging system patches or update notices.

IM0390  V0015461  CAT II
  Requirement: Instant messaging servers and clients are not configured with the latest patches and updates.

IM0400  V0015462  CAT II
  Requirement: Remote administration to instant messaging servers is not restricted to authorized IP addresses.

IM0410  V0015463  CAT II
  Requirement: Remote administration traffic is not encrypted.

IM0420  V0015464  CAT II
  Requirement: Instant messaging servers do not have antivirus or Host Based IDS.

IM0430  V0015407  CAT II
  Requirement: Instant messaging servers are not located in a controlled access area.

IM0440  V0015408  CAT II
  Requirement: Instant messaging system is not configured in accordance with the PPS CAL. The ports, protocols, and services for the instant messaging system are not documented with the IAO/SA.

IM0450  V0015465  CAT III
  Requirement: The instant messaging system is not registered in the Ports and Protocols Registration system.
IM0460  V0015466  CAT II
  Requirement: The instant messaging system is not registered in VMS.

IM0470  V0015467  CAT II
  Requirement: Instant messaging system is not configured to the product-specific checklist.

IM0500  V0015468  CAT I
  Requirement: No antivirus software is installed on instant messaging client computers.

IM0510  V0015469  CAT II
  Requirement: IM community announcements are not restricted to authorized users only.

IM0520  V0015470  CAT III
  Requirement: No policy prohibiting IM file sharing exists.

IM0530  V0015471  CAT II
  Requirement: IM file sharing is enabled.

IM0560  V0015472  CAT II
  Requirement: IM server ports are open that are not required for operation. Ports that are required for operation are not documented with the IAO/SA.

IM0570  V0015473  CAT II
  Requirement: Unapproved IM client software is used on the IM network. Approved IM client software is not documented with the IAO/SA.

IM0580  V0015474  CAT II
  Requirement: Common IM domain names are not blocked at the enclave perimeter.

IM0590  V0015475  CAT III
  Requirement: No IM user policy exists outlining the acceptable behavior and consequences for violation of the policy.

IM0600  V0015476  CAT III
  Requirement: No IM instruction is presented to all users outlining known IM risks and possible ways to mitigate these risks.

IM0700  V0015477  CAT II
  Requirement: Virtual spaces or rooms are not restricted to authorized users.
IM0710  V0015478  CAT II
  Requirement: Virtual spaces and rooms are not labeled according to the classification assignment (unclassified, FOUO, classified).

IM0720  V0015479  CAT II
  Requirement: Virtual meeting data is not labeled in accordance with the classification of the virtual space or room (unclassified, FOUO, or classified).

IM0730  V0015480  CAT II
  Requirement: Virtual meeting tools are not disabled if not required for the virtual meeting.

IM0740  V0015481  CAT II
  Requirement: Uninvited users are able to participate in virtual meetings.

IM0750  V0015482  CAT II
  Requirement: Virtual meetings do not require passwords.

IM0800  V0015483  CAT III
  Requirement: Virtual meeting application sharing tools are not restricted to authorized users.
Columns: PDI, VMSID, CAT, Requirement, Vulnerability, Status, Finding Notes, Section

5.3.5.3.1  CAT I  Section: System Requirements
  Requirement: The system shall support dual IPv4 and IPv6 stacks as described in RFC 4213. NOTE: The tunnel requirements are only associated with appliances that provide IP routing functions (e.g., routers). The primary intent of these requirements is to (1) require dual stacks on all UC appliances and (2) allow dual stacks and tunneling on routers.

5.3.5.3.1.1  CAT I  Section: System Requirements
  Requirement: If the system supports routing functions, the system shall support the manual tunnel requirements as described in RFC 4213.

5.3.5.3.2  CAT II  Section: System Requirements
  Requirement: The system shall support the IPv6 format as described in RFC 2460 and updated by RFC 5095.

5.3.5.3.3  CAT III  Section: System Requirements
  Requirement: The system shall support the transmission of IPv6 packets over Ethernet networks using the frame format defined in RFC 2464. NOTE: This requirement does not mandate that the remaining sections of RFC 2464 have to be implemented.

5.3.5.3.1.4  CAT I  Section: MTU
  Requirement: The system shall support Path Maximum Transmission Unit (MTU) Discovery (RFC 1981).
5.3.5.3.1.5  CAT II  Section: MTU
  Requirement: The system shall support a minimum MTU of 1280 bytes (RFC 2460 and updated by RFC 5095). NOTE: Guidance on MTU requirements and settings can be found in UCR 2008, Section 5.3.3.10.1.2 Layer 2-Data Link Layer.

5.3.5.3.1.6  CAT II  Section: MTU
  Requirement: If Path MTU Discovery is used and a “Packet Too Big” message is received requesting a next-hop MTU that is less than the IPv6 minimum link MTU, the system shall ignore the request for the smaller MTU and shall include a fragment header in the packet. NOTE: This is to mitigate an attack where the path MTU is adequate, but the Packet Too Big messages are used to make the packet so small it is inefficient.

5.3.5.3.2.7  CAT II  Section: Flow Label
  Requirement: The system shall not use the Flow Label field as described in RFC 2460.

5.3.5.3.2.7.1  CAT II  Section: Flow Label
  Requirement: The system shall be capable of setting the Flow Label field to zero when originating a packet.

5.3.5.3.2.7.2  CAT II  Section: Flow Label
  Requirement: The system shall not modify the Flow Label field when forwarding packets.

5.3.5.3.2.7.3  CAT II  Section: Flow Label
  Requirement: The system shall be capable of ignoring the Flow Label field when receiving packets.
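Requirement 5.3.5.3.1.6 is easy to get wrong in a host stack: a Packet Too Big message may lower the path MTU estimate, but never below the 1280-byte IPv6 minimum link MTU, and below that threshold the node instead keeps sending 1280-byte packets and marks the destination as needing a Fragment header. The following path-MTU cache is an added example, not code from the checklist or from UCR 2008; the class name, the per-destination tuple and the sample addresses are assumptions made here. It also applies the RFC 1981 rule that a Packet Too Big value at or above the current estimate is ignored, which is the general case of which the checklist row states one instance.

```python
"""Added example: per-destination path-MTU state following requirement 5.3.5.3.1.6.
Class and field names are assumptions of this example, not taken from the checklist."""
from typing import Dict, Tuple

IPV6_MIN_LINK_MTU = 1280   # RFC 2460 minimum link MTU; a node never estimates below it


class PathMtuCache:
    """Tracks the effective MTU towards each destination and whether packets to it
    must carry a Fragment header because a too-small MTU was requested."""

    def __init__(self, link_mtu: int = 1500) -> None:
        self.link_mtu = link_mtu
        # destination -> (effective MTU, Fragment header required)
        self.entries: Dict[str, Tuple[int, bool]] = {}

    def effective(self, dest: str) -> Tuple[int, bool]:
        return self.entries.get(dest, (self.link_mtu, False))

    def on_packet_too_big(self, dest: str, advertised_mtu: int) -> Tuple[int, bool]:
        """Apply one ICMPv6 Packet Too Big message for dest and return the new state."""
        current, _ = self.effective(dest)
        if advertised_mtu < IPV6_MIN_LINK_MTU:
            # 5.3.5.3.1.6: do not honour an MTU below the IPv6 minimum; keep the
            # 1280-byte estimate and add a Fragment header to packets instead.
            # This is what defeats the "shrink the packets" attack in the NOTE.
            self.entries[dest] = (IPV6_MIN_LINK_MTU, True)
        elif advertised_mtu < current:
            self.entries[dest] = (advertised_mtu, False)
        # A value at or above the current estimate carries no new information
        # (RFC 1981): the path MTU only shrinks in response to Packet Too Big.
        return self.effective(dest)

    def max_payload(self, dest: str, ipv6_header_len: int = 40,
                    fragment_header_len: int = 8) -> int:
        """Largest payload after the base header and, when required, the Fragment header."""
        mtu, needs_fragment = self.effective(dest)
        return mtu - ipv6_header_len - (fragment_header_len if needs_fragment else 0)
```

`max_payload` shows the practical cost of the rule: once a destination is flagged, every packet to it gives up 8 bytes for the Fragment header, but the sender never drops to the attacker-chosen size.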
5.3.5.3.3.8  CAT II  Section: Address
  Requirement: The system shall support the IPv6 Addressing Architecture as described in RFC 4291. NOTE: The use of “IPv4 Mapped” addresses “on-the-wire” is discouraged due to security risks raised by inherent ambiguities.

5.3.5.3.4.10  CAT II  Section: DHCP
  Requirement: If Dynamic Host Configuration Protocol (DHCP) is supported within an IPv6 system, it shall be implemented in accordance with the DHCP for IPv6 (DHCPv6) as described in RFC 3315. NOTE 1: UCR 2008, Section 5.4, Information Assurance, requires that the voice or video DHCP servers are not to be located on the same physical appliance as the voice or video LAN switches and routers in accordance with the Security Technical Implementation Guides (STIGs). Also, the VoIP STIG requires (in VoIP 0082) separate DHCP servers for (1) the phone system in the phone VLAN(s) and (2) the data devices (PCs) in the data VLAN(s). NOTE 2: There is no requirement that separate DHCP servers be used for IPv4 and for IPv6.
5.3.5.3.4.10.1  CAT II  Section: DHCP
  Requirement: If the system is a DHCPv6 client, the system shall discard any messages that contain options that are not allowed, which are specified in Section 15 of RFC 3315.

5.3.5.3.4.10.2  CAT II  Section: DHCP
  Requirement: The system shall support DHCPv6 as described in RFC 3315. NOTE: The following subtended requirements are predicated upon an implementation of DHCPv6 for the end instrument. It is not expected that other UC appliances will use DHCPv6.

5.3.5.3.4.10.2.1  CAT II  Section: DHCP
  Requirement: If the system is a DHCPv6 client, and the first Retransmission Timeout has elapsed since the client sent the Solicit message and the client has received an Advertise message(s), but the Advertise message(s) does not have a preference value of 255, the client shall continue with a client-initiated message exchange by sending a Request message.
5.3.5.3.4.10.2.2  CAT II  Section: DHCP
  Requirement: If the system is a DHCPv6 client and the DHCPv6 message exchange fails, it shall restart the reconfiguration process after receiving user input, system restart, attachment to a new link, a system configurable timer, or a user defined external event occurs. NOTE: The intent is to ensure that the DHCP client continues to restart the configuration process periodically until it succeeds.

5.3.5.3.4.10.2.3  CAT II  Section: DHCP
  Requirement: If the system is a DHCPv6 client and it sends an Information-Request message, it shall include a Client Identifier option to allow it to be authenticated to the DHCPv6 server.

5.3.5.3.4.10.2.4  CAT II  Section: DHCP
  Requirement: If the system is a DHCPv6 client, it shall perform duplicate address detection upon receipt of an address from the DHCPv6 server prior to transmitting packets using that address for itself.

5.3.5.3.4.10.2.5  CAT II  Section: DHCP
  Requirement: If the system is a DHCPv6 client, it shall log all reconfigure events.
5.3.5.3.4.10.3  CAT II  Section: DHCP
  Requirement: If the system supports DHCPv6 and uses authentication, it shall discard unauthenticated DHCPv6 messages from UC systems and log the event. NOTE: This requirement assumes authentication is used as described in RFC 3118 (and extended in RFC 3315) but does not require authentication.

5.3.5.3.5.11  CAT II  Section: Neighbor Discovery
  Requirement: The system shall support Neighbor Discovery for IPv6 as described in RFC 2461 and RFC 4861 (FY2010).

5.3.5.3.5.11.1  CAT II  Section: Neighbor Discovery
  Requirement: The system shall not set the override flag bit in the neighbor advertisement message for solicited advertisements for anycast addresses or solicited proxy advertisements.

5.3.5.3.5.11.2  CAT II  Section: Neighbor Discovery
  Requirement: The system shall set the override flag bit in the neighbor advertisement message to “1” if the message is not an anycast address or a unicast address for which the system is providing proxy service.

5.3.5.3.5.11.3  CAT II  Section: Neighbor Discovery
  Requirement: If a valid neighbor advertisement is received by the system and the system neighbor cache does not contain the target's entry, the advertisement shall be silently discarded.
5.3.5.3.5.11.4  CAT II  Section: Neighbor Discovery
  Requirement: If a valid neighbor advertisement is received by the system and the system neighbor cache entry is in the INCOMPLETE state when the advertisement is received and the link layer has addresses and no target link-layer option is included, the system shall silently discard the received advertisement.

5.3.5.3.5.11.5  CAT II  Section: Neighbor Discovery
  Requirement: If address resolution fails on a neighboring address, the entry shall be deleted from the system's neighbor cache.

5.3.5.3.5.1.11.6  CAT II  Section: Redirect Messages
  Requirement: The system shall support the ability to configure the system to ignore redirect messages.

5.3.5.3.5.1.11.7  CAT II  Section: Redirect Messages
  Requirement: The system shall only accept redirect messages from the same router as is currently being used for that destination. NOTE: The intent of this requirement is that if a node is sending its packets destined for location A to router X, it can only accept a redirect message from router X for packets destined for location A to be sent to router Z.

5.3.5.3.5.1.11.7.1  CAT II  Section: Redirect Messages
  Requirement: If redirect messages are allowed, the system shall update its destination cache in accordance with the validated redirect message.
5.3.5.3.5.1.11.7.2  CAT II  Section: Redirect Messages
  Requirement: If the valid redirect message is allowed and no entry exists in the destination cache, the system shall create an entry.

5.3.5.3.5.2.11.8  CAT II  Section: Router Advertisements
  Requirement: If the system sends router advertisements, the system shall inspect valid router advertisements sent by other routers and verify that the routers are advertising consistent information on a link and shall log any inconsistent router advertisements.

5.3.5.3.5.2.11.8.1  CAT II  Section: Router Advertisements
  Requirement: The system shall prefer routers that are reachable over routers whose reachability is suspect or unknown.

5.3.5.3.5.2.11.9  CAT II  Section: Router Advertisements
  Requirement: If the system sends router advertisements, the system shall include the MTU value in the router advertisement message for all links in accordance with RFC 2461 and RFC 4861 (FY2010).

5.3.5.3.6.12  CAT II  Section: Stateless Address Autoconfiguration and Manual Address Assignment
  Requirement: If the system supports stateless IP address autoconfiguration, the system shall support IPv6 Stateless Address Auto-Configuration (SLAAC) for interfaces supporting UC functions in accordance with RFC 2462 and RFC 4862 (FY2010).
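Requirements 5.3.5.3.5.1.11.6 through 5.3.5.3.5.1.11.7.2 describe how a host's destination cache should treat ICMPv6 Redirect messages: an administrator can switch redirect processing off entirely; otherwise a redirect for a destination is honoured only when it comes from the router currently used for that destination, in which case the cache entry is updated or, if none exists, created. The following destination cache is an added example, not code from the checklist or from UCR 2008; the class name, the plain-string representation of routers and destinations, the sample addresses, and the assumption that a destination with no entry is "currently using" the default router are all choices made here. The message-level validity checks of RFC 4861 (link-local source address, hop limit 255, destination not multicast) are assumed to have been performed before the message reaches this code.

```python
"""Added example: ICMPv6 Redirect handling for a host destination cache, following
requirements 5.3.5.3.5.1.11.6 to 5.3.5.3.5.1.11.7.2. Names are assumptions of this
example; routers and destinations are plain address strings."""
from dataclasses import dataclass, field
from typing import Dict


@dataclass
class DestinationCache:
    default_router: str                       # first hop used when no entry exists (assumption)
    ignore_redirects: bool = False            # 11.6: administrator can disable redirect processing
    next_hop: Dict[str, str] = field(default_factory=dict)   # destination -> router in use

    def current_router(self, destination: str) -> str:
        return self.next_hop.get(destination, self.default_router)

    def process_redirect(self, src_router: str, destination: str, target_router: str) -> str:
        """Apply one already-validated Redirect (src_router says: reach destination via
        target_router). Returns a status string; the cache changes only on "updated"/"created"."""
        if self.ignore_redirects:
            return "ignored: redirects disabled"
        # 11.7: only the router currently carrying traffic for this destination may redirect it.
        if src_router != self.current_router(destination):
            return "rejected: not the current router for destination"
        existed = destination in self.next_hop
        # 11.7.1 / 11.7.2: update the existing entry, or create one when none exists.
        self.next_hop[destination] = target_router
        return "updated" if existed else "created"
```

The rejected branch is the security-relevant one: a redirect from any router other than the one in use is dropped without touching the cache, so a host on the link cannot steer traffic for a destination it does not already forward.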
5.3.5.3.6.12.1  CAT II  Section: Stateless Address Autoconfiguration and Manual Address Assignment
  Requirement: The system shall have a configurable parameter that allows the “managed address configuration” flag and the “other stateful configuration” flag to always be set and not perform stateless autoconfiguration. NOTE: The objective of this requirement is to prevent a system from using stateless auto configuration.

5.3.5.3.6.12.2  CAT II  Section: Stateless Address Autoconfiguration and Manual Address Assignment
  Requirement: The system shall support manual assignment of IPv6 addresses.

5.3.5.3.6.12.3  CAT II  Section: Stateless Address Autoconfiguration and Manual Address Assignment
  Requirement: The system shall support stateful autoconfiguration (i.e., ManagedFlag=TRUE). NOTE: This requirement is associated with the earlier requirement for the EI to support DHCPv6.

5.3.5.3.6.12.3.1  CAT II  Section: Stateless Address Autoconfiguration and Manual Address Assignment
  Requirement: If the system sends router advertisements, the system shall default to using the “managed address configuration” flag and the “other stateful flag” set to TRUE in their router advertisements when stateful autoconfiguration is implemented.
____ Checklist _V_R_ (<date>) <Test> - TN <Ticket Number>
PDI VMSID CAT Requirement Vulnerability Status Finding Notes Section
5.3.5.3.6.12. II If the system supports a Stateless
4 subtended appliance behind Address
it, the system shall ensure Autoconfigurati
that the IP address on and Manual
assignment process of the Address
subtended appliance is Assignment
transparent to the UC
components of the system
and does not cause the
system to attempt to change
its IP address. NOTE: An
example is a PC that is
connected to the LAN
through the hub or switch
interface on a phone. The
address assignment process
of the PC should be
transparent to the EI and
should not cause the phone
to attempt to change its IP
address.
5.3.5.3.6.12. II If the system supports IPv6 Stateless
5 SLAAC, the system shall Address
have a configurable Autoconfigurati
parameter that allows the on and Manual
function to be enabled and Address
disabled. Assignment
5.3.5.3.6.12. II If the system supports Stateless
6 SLAAC and security Address
constraints prohibit the use Autoconfigurati
of hardware identifiers as on and Manual
part of interface addresses Address
generated using SLAAC, Assignment
IPsec capable systems shall
support privacy extensions
for stateless address
autoconfiguration as defined
in RFC 4941 - Privacy
Extensions for Stateless
Address Autoconfiguration in
IPv6.
Legend:
R or RAE = Required Ancillary Equipment
NF = Not a Finding
NA = Not Applicable 467 of 1298
____ Checklist _V_R_ (<date>) <Test> - TN <Ticket Number>
PDI VMSID CAT Requirement Vulnerability Status Finding Notes Section
5.3.5.3.6.12. II If the system supports Stateless
7 stateless IP address Address
autoconfiguration, the Autoconfigurati
system shall support a on and Manual
configurable parameter to Address
enable or disable manual Assignment
configuration of the site-local
and Global addresses (i.e.,
disable the “Creation of
Global and Site-Local
Addresses” as described in
Section 5.5 of RFC 2462).
5.3.5.3.6.12. II All IPv6 nodes shall support Stateless
8 link-local address Address
configuration, and the Autoconfigurati
Duplicate Address Detection on and Manual
(DAD) shall not be disabled Address
in accordance with RFC Assignment
2462 and RFC 4862
(FY2010).
5.3.5.3.7.14 II The system shall support the Internet
Internet Control Message Control
Protocol for IPv6 (ICMPv6) Message
as described in RFC 4443. Protocol
(ICMP)
5.3.5.3.7.14. II The system shall have a Internet
1 configurable rate limiting Control
parameter for rate limiting Message
the forwarding of ICMP Protocol
messages. (ICMP)
5.3.5.3.7.14. II The system shall support the Internet
2 capability to enable or Control
disable the ability of the Message
system to generate a Protocol
Destination Unreachable (ICMP)
message in response to a
packet that cannot be
delivered to its destination
for reasons other than
congestion.
Legend:
R or RAE = Required Ancillary Equipment
NF = Not a Finding
NA = Not Applicable 468 of 1298
____ Checklist _V_R_ (<date>) <Test> - TN <Ticket Number>
PDI VMSID CAT Requirement Vulnerability Status Finding Notes Section
5.3.5.3.7.14. II The system shall support the Internet
3 enabling or disabling of the Control
ability to send an Echo Message
Reply message in response Protocol
to an Echo Request (ICMP)
message sent to an IPv6
multicast/anycast address.
NOTE: The number of
responses may be traffic
conditioned to limit the effect
of a denial of service attack.
5.3.5.3.7.14. II The system shall validate Internet
4 ICMPv6 messages, using Control
the information contained in Message
the payload, prior to acting Protocol
on them. (ICMP)
5.3.5.3.8.15 II If the system supports Routing
routing functions, the system Functions
shall support the Open
Shortest Path First (OSPF)
for IPv6 as described in RFC
2740.
5.3.5.3.8.15. II If the system supports Routing
1 routing functions, the system Functions
shall support securing OSPF
with Internet Protocol
Security (IPSec) as
described for other IPSec
instances in UCR 2008,
Section 5.4, Information
Assurance.
5.3.5.3.8.15. II If the system supports Routing
2 routing functions, the system Functions
shall support router-to-router
integrity using the IP
Authentication Header with
HMAC-SHA1-128 as
described in RFC 4302.
Legend:
R or RAE = Required Ancillary Equipment
NF = Not a Finding
NA = Not Applicable 469 of 1298
____ Checklist _V_R_ (<date>) <Test> - TN <Ticket Number>
PDI VMSID CAT Requirement Vulnerability Status Finding Notes Section
5.3.5.3.8.16 II If the system acts as a CE Routing
router, the system shall Functions
support the use of Border
Gateway Protocol (BGP) as
described in RFC 1772 and
4271
5.3.5.3.8.16. II If the system acts as a Routing
1 customer edge router, the Functions
system shall support the use
of BGP-4 multiprotocol
extensions for IPv6 Inter-
Domain routing (RFC 2545).
NOTE: The requirement to
support BGP-4 is in UCR
2008, Section 5.3.3, Wide
Area Network General
System Requirements.
5.3.5.3.8.17 II If the system acts as a CE Routing
router, the system shall Functions
support multiprotocol
extensions for BGP-4 RFC
2858 and RFC 4760
(FY2010). NOTE: The
requirement to support BGP-
4 is in UCR 2008, Section
5.3.3, Wide Area Network
General System
Requirements.
5.3.5.3.8.18 II If the system acts as a CE Routing
router, the system shall Functions
support the Generic Routing
Encapsulation (GRE) as
described in RFC 2784.
5.3.5.3.8.19 II If the system acts as a CE Routing
router, the system shall Functions
support the Generic Packet
Tunneling in IPv6
Specification as described in
RFC 2473. NOTE: Tunneling
is provided for data
applications and is not
needed as part of the VVoIP
architecture.
Legend:
R or RAE = Required Ancillary Equipment
NF = Not a Finding
NA = Not Applicable 470 of 1298
____ Checklist _V_R_ (<date>) <Test> - TN <Ticket Number>
PDI VMSID CAT Requirement Vulnerability Status Finding Notes Section
5.3.5.3.8.20 II If the system supports Routing
routing functions, the system Functions
shall support the Multicast
Listener Discovery (MLD)
process as described in
RFC 2710 and extended in
RFC 3810. NOTE: The FY
2008 VVoIP design does not
utilize multicast, but routers
supporting VVoIP also
support data applications
that may utilize multicast. A
softphone will have non-
routing functions that require
MLDv2.
5.3.5.3.8.21 II The system shall support Routing
MLD as described in RFC Functions
2710. NOTE: This
requirement was added in
order to ensure that
Neighbor Discovery
multicast requirements are
met. Routers are not
included in this requirement
since they have to meet
RFC 2710 in the preceding
requirement.
5.3.5.3.9.22 II If the system uses IPSec, IP Security
the system shall support the
Security Architecture for the
IP RFC 2401 and RFC 4301
(FY2010). In FY2008, RFC
2401 (and its related RFCs)
is the Threshold requirement
as described in UCR 2008,
Section 5.4, Information
Assurance. In addition, the
interfaces required to use
IPSec are defined in UCR
2008, Section 5.4,
Information Assurance.
Legend:
R or RAE = Required Ancillary Equipment
NF = Not a Finding
NA = Not Applicable 471 of 1298
____ Checklist _V_R_ (<date>) <Test> - TN <Ticket Number>
PDI VMSID CAT Requirement Vulnerability Status Finding Notes Section
5.3.5.3.9.22. II If RFC 4301 is supported, IP Security
1 the system shall support
binding of a security
association (SA) with a
particular context.
5.3.5.3.9.22. II If RFC 4301 is supported, IP Security
2 the system shall be capable
of disabling the BYPASS
IPSec processing choice.
NOTE: The intent of this
requirement is to ensure that
no packets are transmitted
unless they are protected by
IPSec.
5.3.5.3.9.22. II If RFC 4301 is supported, IP Security
3 the system shall not support
the mixing of IPv4 and IPv6
in a security association.
5.3.5.3.9.22. II If RFC 4301 is supported, IP Security
4 the system‟s security
association database (SAD)
cache shall have a method
to uniquely identify a SAD
entry. NOTE: The concern is
that a single SAD entry will
be associated with multiple
security associations. RFC
4301, Section 4.4.2,
describes a scenario where
this could occur.
Legend:
R or RAE = Required Ancillary Equipment
NF = Not a Finding
NA = Not Applicable 472 of 1298
____ Checklist _V_R_ (<date>) <Test> - TN <Ticket Number>
PDI VMSID CAT Requirement Vulnerability Status Finding Notes Section
5.3.5.3.9.22. II If RFC 4301 is supported, IP Security
5 the system shall be capable
of correlating the
Differentiated Services Code
Point (DSCP) for a VVoIP
stream to the security
association in accordance
with UCR 2008, Section
5.3.2, Assured Services
Requirements and Section
5.3.3, Network Infrastructure
End-to-End Performance
Requirements, plain text
DSCP plan. For a more
detailed description of the
requirement, please see
Section 4-1 of RFC 4301 -
Security Architecture for the
Internet Protocol.
5.3.5.3.9.22. II If RFC 4301 is supported, IP Security
6 the system shall implement
IPSec to operate with both
integrity and confidentiality.
5.3.5.3.9.22. II If RFC 4301 is supported, IP Security
7 the system shall be capable
of enabling and disabling the
ability of the system to send
an ICMP message informing
the sender that an outbound
packet was discarded.
5.3.5.3.9.22. II If an ICMP outbound packet IP Security
7.1 message is allowed, the
system shall be capable of
rate limiting the transmission
of ICMP responses
Legend:
R or RAE = Required Ancillary Equipment
NF = Not a Finding
NA = Not Applicable 473 of 1298
____ Checklist _V_R_ (<date>) <Test> - TN <Ticket Number>
PDI VMSID CAT Requirement Vulnerability Status Finding Notes Section
5.3.5.3.9.22. II If RFC 4301 is supported, IP Security
8 the system shall be capable
of enabling or disabling the
propagation of the Explicit
Congestion Notification
(ECN) bits.
5.3.5.3.9.22. II If RFC 4301 is supported, IP Security
9 the system‟s Security Policy
Database (SPD) shall have
a nominal, final entry that
discards anything
unmatched.
5.3.5.3.9.22. II If RFC 4301 is supported, IP Security
10 and the system receives a
packet that does not match
any SPD cache entries and
the system determines it
should be discarded, the
system shall log the event
and include the date/time,
Security Parameter Index
(SPI) if available, IPSec
protocol if available, source
and destination of the
packet, and any other
selector values of the packet.
5.3.5.3.9.22. II If RFC 4301 is supported, IP Security
11 the system should include a
management control to allow
an administrator to enable or
disable the ability of the
system to send an Internet
Key Exchange (IKE)
notification of an
INVALID_SELECTORS.
5.3.5.3.9.22. II If RFC 4301 is supported, IP Security
12 the system shall support the
Encapsulating Security
Payload (ESP) Protocol in
accordance with RFC 4303.
Legend:
R or RAE = Required Ancillary Equipment
NF = Not a Finding
NA = Not Applicable 474 of 1298
____ Checklist _V_R_ (<date>) <Test> - TN <Ticket Number>
PDI VMSID CAT Requirement Vulnerability Status Finding Notes Section
5.3.5.3.9.22. II If RFC 4303 is supported, IP Security
12.1 the system shall be capable
of enabling anti-replay.
5.3.5.3.9.22. II If RFC 4303 is supported, IP Security
12.2 the system shall check as its
first check after a packet has
been matched to its SA
whether the packet contains
a Sequence Number that
does not duplicate the
Sequence Number of any
other packet received during
the life of the sec.
5.3.5.3.9.22. II If RFC 4301 is supported, IP Security
13 the system shall support the
cryptographic algorithms as
defined in RFC 4308 for
Suite Virtual Private Network
(VPN)-B.
5.3.5.3.9.22. II If RFC 4301 is supported, IP Security
13.1 the system shall support the
use of AES-CBC with 128-
bits keys for encryption.
5.3.5.3.9.22. II If RFC 4301 is supported, IP Security
13.2 the system shall support the
use of HMAC-SHA1-96 for
(Threshold) and AES-XCBC-
MAC-96 (FY2010).
5.3.5.3.9.22. II If RFC 4301 is supported, IP Security
14 the system shall support IKE
Version 1 (IKEv1)
(Threshold) as defined in
RFC 2409, and IKE Version
2 (IKEv2) (FY2010) as
defined in RFC 4306. NOTE:
Internet Key Exchange
version 1 (IKEv1)
requirements are found in
UCR 2008, Section 5.4,
Information Assurance.
Legend:
R or RAE = Required Ancillary Equipment
NF = Not a Finding
NA = Not Applicable 475 of 1298
____ Checklist _V_R_ (<date>) <Test> - TN <Ticket Number>
PDI VMSID CAT Requirement Vulnerability Status Finding Notes Section
5.3.5.3.9.22. II If the system supports IP Security
14.1 IKEv2, it shall be capable of
configuring the maximum
User Datagram Protocol
(UDP) message size.
5.3.5.3.9.22. II If IKEv2 is supported, the IP Security
14.2 system shall support the use
of the ID_IPv6_ADDR and
ID_IPV4_ADDR
Identification Type.
5.3.5.3.9.22. II If the system supports IP Security
14.3 IKEv2, the system shall be
capable of ignoring
subsequent SA setup
response messages after
the receipt of a valid
response.
5.3.5.3.9.22. II If the system supports IP Security
14.4 IKEv2, the system shall be
capable of sending a Delete
payload to the other end of
the security association.
5.3.5.3.9.22. II If the system supports IP Security
14.5 IKEv2, the system shall
reject initial IKE messages
unless they contain a Notify
payload of type COOKIE.
5.3.5.3.9.22. II If the system supports IP Security
14.6 IKEv2, the system shall
close a SA instead of
rekeying when its lifetime
expires if there has been no
traffic since the last rekey.
5.3.5.3.9.22. II If the system supports IP Security
14.7 IKEv2, the system shall not
use the Extensible
Authentication Protocol
(EAP) method for IKE
authentication.
Legend:
R or RAE = Required Ancillary Equipment
NF = Not a Finding
NA = Not Applicable 476 of 1298
____ Checklist _V_R_ (<date>) <Test> - TN <Ticket Number>
PDI VMSID CAT Requirement Vulnerability Status Finding Notes Section
5.3.5.3.9.22. II If the system supports IP Security
14.8 IKEv2, the system shall limit
the frequency to which it
responds to messages on
UDP port 500 or 4500 when
outside the context of a
security association known
to it.
5.3.5.3.9.22. II If the system supports IP Security
14.9 IKEv2, the system shall not
support temporary IP
addresses or respond to
such requests.
5.3.5.3.9.22. II If the system supports IP Security
14.10 IKEv2, the system shall
support the IKEv2
cryptographic algorithms
defined in RFC 4307.
5.3.5.3.9.22. II If the system supports IP Security
14.11 IKEv2, the system shall
support the VPN-B Suite as
defined in RFC 4308 and
RFC 4869 (FY2010).
5.3.5.3.9.22. II If RFC 4301 is supported, IP Security
15 the system shall support
extensions to the Internet IP
Security Domain of
Interpretation for the Internet
Security Association and
Key Management Protocol
(ISAKMP) as defined in RFC
2407.
5.3.5.3.9.22. II If RFC 4301 is supported, IP Security
16 the system shall support the
ISAKMP as defined in RFC
2408.
5.3.5.3.9.22. II If the system supports the IP Security
17 IPsec Authentication Header
Mode, the system shall
support the IP Authentication
Header (AH) as defined in
RFC 4302.
Legend:
R or RAE = Required Ancillary Equipment
NF = Not a Finding
NA = Not Applicable 477 of 1298
____ Checklist _V_R_ (<date>) <Test> - TN <Ticket Number>
PDI VMSID CAT Requirement Vulnerability Status Finding Notes Section
5.3.5.3.9.22. II If RFC 4301 is supported, IP Security
18 the system shall support
manual keying of IPSec.
5.3.5.3.9.22. II If RFC 4301 is supported, IP Security
19 the system shall support the
ESP and AH cryptographic
algorithm implementation
requirements as defined in
RFC 4305 and RFC 4835
(FY2010).
5.3.5.3.9.22. II If RFC 4301 is supported, IP Security
21 the system shall support the
IKEv1 security algorithms as
defined in RFC 4109.
5.3.5.3.10.2 II The system shall comply Network
3 with the Management Management
Information Base (MIB) for
IPv6 textual conventions and
general group as defined in
RFC 4293. NOTE: The
requirements to support
SNMPv3 are found in UCR
2008, Section 5.3.2.17.3.1.5,
SNMP Version 2 and
Version 3 Format Alarm
messages, and UCR 2008,
Section 5.4, Information
Assurance.
5.3.5.3.10.2 II If the system performs Network
3.1 routing functions, the system Management
shall support the SNMP
management framework as
described in RFC 3411.
5.3.5.3.10.2 II If the system performs Network
3.2 routing functions, the system Management
shall support SNMP
message processing and
dispatching as described in
RFC 3412.
Legend:
R or RAE = Required Ancillary Equipment
NF = Not a Finding
NA = Not Applicable 478 of 1298
____ Checklist _V_R_ (<date>) <Test> - TN <Ticket Number>
PDI VMSID CAT Requirement Vulnerability Status Finding Notes Section
5.3.5.3.10.2 II If the system performs Network
3.3 routing functions, the system Management
shall support the SNMP
applications as described in
RFC 3413.
5.3.5.3.10.2 II The system shall support the Network
4 ICMPv6 MIBs as defined in Management
RFC 4293.
5.3.5.3.10.2 II The system shall support the Network
5 Transmission Control Management
Protocol (TCP) MIBs as
defined in RFC 4022.
5.3.5.3.10.2 II The system shall support the Network
6 UDP MIBs as defined in Management
RFC 4113.
5.3.5.3.10.2 II If the system performs Network
7 routing functions, the system Management
shall support IP tunnel MIBs
as described in RFC 4087.
5.3.5.3.10.2 II If the system performs Network
8 routing functions, the system Management
shall support the IP
Forwarding MIB as defined
in RFC 4292.
5.3.5.3.10.2 II If the system supports Network
9 mobile users, the system Management
shall support the Mobile IP
Management MIBs as
described in RFC 4295.
5.3.5.3.10.3 II If the system supports Network
1 SNMP and IPsec, the Management
system shall support the
IPsec security policy
database as described in
RFC 4807.
5.3.5.3.10.3 II If the system uses Uniform Network
2 Resource Identifiers (URIs), Management
the system shall use the URI
syntax described in RFC
3986.
Legend:
R or RAE = Required Ancillary Equipment
NF = Not a Finding
NA = Not Applicable 479 of 1298
____ Checklist _V_R_ (<date>) <Test> - TN <Ticket Number>
PDI VMSID CAT Requirement Vulnerability Status Finding Notes Section
5.3.5.3.10.3 II If the system uses the Network
3 Domain Name System Management
(DNS), the system shall
conform to RFC 3596 for
DNS queries. NOTE: DNS is
primarily used for NM
applications.
5.3.5.3.12.3 II The system shall forward IP Version
7 packets using the same IP Negotiation
version as the version in the
received packet.NOTE: If
the packet was received as
an IPv6 packet, the
appliance will forward it as
an IPv6 packet. If the packet
was received as an IPv4
packet, the appliance will
forward the packet as an
IPv4 packet. This
requirement is primarily
associated with the signaling
packets to ensure that
translation does not occur.
REMINDER: This
requirement may be waived
from FY2008 to FY2012 in
order to support IPv4 or IPv6
only EIs.
5.3.5.3.12.3 II The system shall use the IP Version
8 Alternative Network Address Negotiation
Types (ANAT) semantics for
the Session Description
Protocol (SDP) in
accordance with RFC 4091
when establishing media
streams from dual stacked
appliances for AS-SIP
signaled sessions.
5.3.5.3.12.3 II The system shall place the IP Version
8.2 SDP-ANAT option-tag in a Negotiation
required header field when
using ANAT semantics in
accordance with RFC 4092.
Legend:
R or RAE = Required Ancillary Equipment
NF = Not a Finding
NA = Not Applicable 480 of 1298
____ Checklist _V_R_ (<date>) <Test> - TN <Ticket Number>
PDI VMSID CAT Requirement Vulnerability Status Finding Notes Section
5.3.5.3.12.3 II Dual stacked systems shall IP Version
8.3 include the IPv4 and IPv6 Negotiation
addresses within the SDP of
the SIP INVITE message
when the INVITE contains
the SDP.
5.3.5.3.13.4 II The system shall be able to AS-SIP IPv6
5 provide topology hiding (e.g., Unique
NAT) for IPv6 packets in the Requirements
manner described in UCR
2008 Section 5.4,
Information Assurance.
5.3.5.3.13.4 II The system shall support AS-SIP IPv6
6 default address selection for Unique
IPv6 as defined in RFC 3484 Requirements
(except for Section 2.1).
5.3.5.3.13.4 II If the system supports Miscellaneous
7 Remote Authentication Dial Requirements
In User Service (RADIUS)
authentication, the system
shall support RADIUS in the
manner defined in RFC 3162.
5.3.5.3.14.4 II If the system supports Miscellaneous
8 Mobile IP version 6 (MIPv6), Requirements
the system shall provide
mobility support as defined
in RFC 3775.
5.3.5.3.14.4 II If the system acts as a home Miscellaneous
8.1 agent, the system shall Requirements
provide mobility support as
defined in RFC 3775.
5.3.5.3.14.4 II If the system supports Miscellaneous
9 Mobile IP version 6 (MIPv6), Requirements
the system shall provide a
secure manner to signal
between mobile nodes and
home agents in manner
described in RFC 3776 and
RFC 4877 (FY2010).
Legend:
R or RAE = Required Ancillary Equipment
NF = Not a Finding
NA = Not Applicable 481 of 1298
____ Checklist _V_R_ (<date>) <Test> - TN <Ticket Number>
PDI VMSID CAT Requirement Vulnerability Status Finding Notes Section
5.3.5.3.14.5 II If the system supports Miscellaneous
1 network mobility (NEMO), Requirements
the system shall support the
function as defined in RFC
3963.
5.3.5.3.14.5 II The systems shall support Miscellaneous
2 Differentiated Services as Requirements
Described in RFC 2474 and
RFC 5072 (FY 2010) for a
voice and video stream to
the security association in
accordance with UCR 2008,
Section 5.3.2, Assured
Services Requirements and
UCR 2008, Section 5.3.3,
Network Infrastructure End-
to-End Performance
Requirements, plain text
DSCP plan.
5.3.5.3.14.5 II If the system acts as an IPv6 Miscellaneous
3 tunnel broker, the system Requirements
shall support the function in
the manner defined in RFC
3053.
5.3.5.3.14.5 II If the system supports Miscellaneous
4 roaming (as defined within Requirements
RFC 4282), the system shall
support this function as
described by RFC 4282.
5.3.5.3.14.5 II If the system supports the Miscellaneous
5 Point-to-Point Protocol Requirements
(PPP), the system shall
support PPP as described in
RFC 2472.
Legend:
R or RAE = Required Ancillary Equipment
NF = Not a Finding
NA = Not Applicable 482 of 1298
PDI | VMSID | CAT | Requirement | Section
(Vulnerability, Status, Finding and Notes are blank entry fields for these rows.)
ISA0-056 | V0021620 | III | ISA Server Administrator role must be assigned or authorized by the IAO. | ISA 2006 OWA Proxy
ISA2-001 | V0021629 | II | The ISA server must not be deployed on a Single Network Adapter Template. | ISA 2006 Server
ISA2-007 | V0021653 | II | The ISA Servers must have appropriate web filters enabled. | ISA 2006 Server
ISA2-010 | V0021651 | II | The ISA Server must have UDP fragment blocking disabled. | ISA 2006 Server
ISA2-013 | V0021652 | II | ISA server must have Syn Flood and DOS attack prevention enabled plus associated logging. | ISA 2006 Server
ISA2-023 | V0021648 | II | The ISA System Policy must restrict Active Directory traffic to specific Domain Controllers. | ISA 2006 Server
ISA2-025 | V0021640 | II | Non-Microsoft authentication traffic from the ISA server must not be allowed. | ISA 2006 Server
ISA2-026 | V0021670 | II | Certificate Revocation Checking must be performed and use specific configurations. | ISA 2006 Server
ISA2-027 | V0021641 | II | Remote Management traffic to the ISA server must be disabled. | ISA 2006 Server
ISA2-028 | V0021642 | II | PING to the ISA server must be disabled. | ISA 2006 Server
ISA2-029 | V0021643 | II | Remote MS Monitoring traffic to the ISA server must be disabled. | ISA 2006 Server
ISA2-030 | V0021644 | II | SMTP traffic from the ISA server must be disabled. | ISA 2006 Server
ISA2-031 | V0021635 | II | Error Reporting to Microsoft must be disabled. | ISA 2006 Server
ISA2-032 | V0021639 | II | DHCP traffic from the ISA server must not be allowed. | ISA 2006 Server
ISA2-035 | V0021664 | II | The ISA server must have a valid DoD SSL certificate for OWA. | ISA 2006 Server
ISA2-038 | V0021634 | III | Unneeded ISA Server application filters must be disabled. | ISA 2006 Server
ISA2-040 | V0021676 | II | Unneeded VPN services must be disabled. | ISA 2006 Server
ISA2-041 | V0021675 | II | Unneeded Cache services must be disabled. | ISA 2006 Server
ISA2-042 | V0021677 | II | ISA services must be restricted to specific service accounts. | ISA 2006 Server
ISA2-056 | V0021647 | II | ISA Server must have a specific domain scope defined. | ISA 2006 Server
ISA2-135 | V0021671 | II | The OWA Web Listener must require only SSL connections. | ISA 2006 Server
ISA2-171 | V0021654 | II | OWA Web Listener must require only Client Certificate Authentication. | ISA 2006 Server
ISA2-175 | V0021649 | II | OWA Listeners in the DoD must trust only DoD Root Certificate Authorities. | ISA 2006 Server
ISA2-204 | V0021632 | II | ISA Rule must use IP addresses for applications. | ISA 2006 Server
ISA2-220 | V0021650 | II | The OWA firewall rule must be restricted to authenticated users. | ISA 2006 Server
ISA2-241 | V0021646 | II | The OWA firewall rule must require Kerberos Constrained Delegation (KCD) to enable CAC authentication. | ISA 2006 Server
ISA2-247 | V0021655 | II | ISA Server must restrict each firewall rule to one published application such as OWA. | ISA 2006 Server
ISA2-833 | V0021645 | II | ISA Server's Microsoft Customer Experience Improvement Program Participation must be disabled. | ISA 2006 Server
ISA2-855 | V0021656 | II | Failsafe shutdown must be configured for low disk space condition. | ISA 2006 Server
ISA2-882 | V0021680 | II | The ISA Server must be monitored for Invalid Certificate Usage. | ISA 2006 Server
ISA2-884 | V0021666 | III | The ISA Server must be monitored for Certificates nearing their expiration date. | ISA 2006 Server
ISA2-886 | V0021665 | II | The ISA Server must be monitored for failed Kerberos Credential Delegation. | ISA 2006 Server
ISA2-890 | V0021631 | II | ISA firewall rules must have logging enabled. | ISA 2006 Server
ISA2-892 | V0021669 | II | The ISA Server must be monitored for Log Storage Failure. | ISA 2006 Server
ISA2-894 | V0021668 | II | The ISA Server must be monitored for Logging failure. | ISA 2006 Server
ISA2-896 | V0021667 | II | The ISA Server must be monitored for Available Free Disk Space. | ISA 2006 Server
ISA3-002 | V0021618 | II | ISA-Unique security requirements, such as Interface Model, server role, and protected assets must be documented. | ISA 2006 OWA Proxy
ISA3-005 | V0021626 | II | The ISA Backup and Recovery strategy must be documented and must be tested according to the INFOCON schedule. | ISA 2006 OWA Proxy
ISA3-006 | V0021625 | II | Audit Logs must be included in Backups. | ISA 2006 OWA Proxy
ISA3-007 | V0021622 | II | ISA Recovery Data must be restricted to Administrators and Backup/Recovery processes. | ISA 2006 OWA Proxy
ISA3-009 | V0021672 | II | Access to ISA configuration data must be restricted to ISA Server Administrator role. | ISA 2006 Server
ISA3-010 | V0021627 | II | Software Critical Copies for ISA Services must be backed up and available for restore action. | ISA 2006 OWA Proxy
ISA3-015 | V0021617 | II | Procedural Reviews for ISA Services must be done annually. | ISA 2006 OWA Proxy
ISA3-041 | V0021679 | I | The ISA Server must utilize file-and-web Antivirus software. | ISA 2006 Server
ISA3-045 | V0021619 | II | Configuration Management (CM) procedures must be implemented for ISA services. | ISA 2006 OWA Proxy
ISA3-050 | V0021621 | II | ISA services must be documented in the System Security Plan. | ISA 2006 OWA Proxy
ISA3-058 | V0021662 | II | The ISA software must be monitored for change compliant with INFOCON frequency. | ISA 2006 Server
ISA3-071 | V0021624 | II | ISA audit records must be retained for at least one year. | ISA 2006 OWA Proxy
ISA3-079 | V0021623 | II | Automated tools must be available for review and reporting on ISA Services audit records. | ISA 2006 OWA Proxy
ISA3-108 | V0021661 | II | ISA services must be configured to use PPSM-compliant ports and protocols. | ISA 2006 Server
ISA3-112 | V0021674 | II | The ISA External interface must have only TCPIP protocol installed. | ISA 2006 Server
ISA3-150 | V0021678 | II | ISA audit trails must be protected against unauthorized access. | ISA 2006 Server
ISA3-169 | V0021673 | II | ISA Server interfaces must not have IPv6 protocol installed. | ISA 2006 Server
ISA3-815 | V0021658 | II | The ISA Application must be installed on a dedicated partition separate from Security functions or other applications. | ISA 2006 Server
ISA3-821 | V0021660 | II | The ISA logs or audit data must be on a separate partition from the ISA application. | ISA 2006 Server
ISA3-825 | V0021659 | II | The ISA Configuration Storage Server must be installed on a separate computer. | ISA 2006 Server
ISA3-858 | V0021663 | II | The ISA software baseline must exist to be used for scan comparisons. | ISA 2006 Server
PDI VMSID CAT Requirement Vulnerability Status Finding Notes
NET0090 V0008046 II The IAO/NSO will maintain a
current drawing of the site‟s
network topology that
includes all external and
internal links, subnets, and
all network equipment.
NET0130 V0008047 II The IAO/NSO will ensure
that all external connections
are validated and approved
by the CAP and DAA, SNAP
or CAO requirements have
been met, and MOA and
MOU is established between
enclaves, prior to
connections.
NET0135 V0008048 II The IAO/NSO will review all
connection requirements on
a semi-annual basis to
ensure the need remains
current, as well as evaluate
all undocumented network
connections discovered
during inspections.
NET0140 V0008049 III The IAO/NSO will ensure the
connection between the
CSU/DSU and the local
exchange carrier‟s (LEC)
data service jack (i.e.,
demarc) is in a secured
environment.
NET0141 V0008050 III The IAO/NSO will ensure the
network management
modems connected to all
Channel Service Units
(CSUs)/Data Service Units
(DSUs) are disabled or
disconnected when not in
use.
NET0160 V0008051 I The IAM will ensure that
written approval is obtained
from the GIG Waiver Panel
or the Office of the DoD
Chief Information Officer
(DoD CIO) prior to
establishing an ISP
connection.
NET0162 V0004622 I The IAO/NSO will ensure premise router interfaces that connect to an AG (i.e., ISP) are configured with an ingress ACL that only permits packets with destination addresses within the site's address space.
NET0164 V0004623 I The IAO/NSO will ensure the premise router does not have a routing protocol session with a peer router belonging to an AS (Autonomous System) of the AG service provider. A static route is the only acceptable route to an AG.
NET0166 V0004624 III The IAO/NSO will ensure the AG network service provider IP addresses are not redistributed into or advertised to the NIPRNet or any router belonging to any other Autonomous System (AS), i.e., to another AG device in another AS.
NET0167 V0014632 II The IAO/NSO will ensure the route to the AG network adheres to the PPS CAL boundary 13 and 14 policies and is in compliance with all perimeter filtering defined in the perimeter and router sections of the Network STIG.
NET0168 V0014634 II If the site has a non-DoD external connection (Approved Gateway), the IAO/NSO will ensure that the external NIDS is located between the site's Approved Gateway (Service Delivery Router) and the premise router.
NET0170 V0008052 II The IAO/NSO will ensure that no backdoor connections exist between the site's secured private network and the Internet, NIPRNet, SIPRNet, or other external networks unless approved by the DAA.
NET0180 V0002990 II The IAO/NSO will ensure all public address ranges used on the NIPRNet are properly registered with the .MIL Network Information Center (NIC).
NET0185 V0003157 II The IAO/NSO will ensure that all addresses used within the site's SIPRNet infrastructure are authorized .smil.mil or .sgov.gov addresses that have been registered and assigned to the activity. RFC1918 addresses are not permitted.
NET0190 V0003005 III The IAO/NSO will ensure that workstation clients' real IPv4 addresses are not revealed to the public by implementing NAT on the firewall or the router.
NET0198 V0008099 III The IAO/NSO will ensure that the DHCP server is configured to log hostnames or MAC addresses for all clients, and all logs are stored online for 30 days and offline for one year.
NET0199 V0008100 III The IAO/NSO will ensure that any DHCP server used within SIPRNet infrastructure is configured with a lease duration time of 30 days or more.
NET0210 V0008054 II The IAO/NSO will ensure that all network devices (i.e., IDS, routers, RAS, NAS, firewalls, etc.) are located in a secure room with limited access.
NET0230 V0003012 I The IAO/NSO will ensure all communications devices are password protected.
NET0240 V0003143 I The IAO/NSO will ensure all default manufacturer passwords are changed.
NET0260 V0008055 II The IAO/NSO will ensure all passwords are created and maintained in accordance with the rules outlined in DODI 8500.2, IAIA-1, and IAIA-2. http://www.dtic.mil/whs/directives/corres/html/85002.htm
NET0270 V0008056 II The IAO/NSO will record the locally configured passwords used on communications devices and store them in a secured manner.
NET0340 V0003013 II An approved DoD login banner is not used on the device.
NET0345 V0008065 II The IAO will ensure only firewalls that have been evaluated and validated against existing NIAP profiles are placed in the network infrastructure.
NET0346 V0014638 II The IAO/NSO will ensure that a DMZ architecture is implemented, providing boundary protection for classified and sensitive architectures that interconnect enclaves.
NET0347 V0014639 III The IAO will ensure the accreditation documentation (e.g., SSAA) is updated to reflect the installation or modification of the site's firewall.
NET0348 V0014640 II The IAO will ensure publicly accessible servers (i.e., web servers) are placed in an enclave DMZ.
NET0351 V0008066 II The IAO/NSO will ensure, when protecting the boundaries of a network, the firewall is placed between the private network and the perimeter router and the DMZ.
NET0355 V0014641 II The IAO/NSO will ensure, when protecting the boundaries of a network, the firewall and IDS are separate components or the physical integrated device has separate hardware components (i.e., CPU, memory, etc.) for the firewall and IDS.
NET0365 V0014642 I The IAO will ensure the enclave is protected by providing a firewall that provides full packet awareness as provided by application-level gateways, hybrid firewalls, or a non-application-level firewall solution using an application-proxy gateway.
NET0366 V0014643 II The SA will configure the firewall for the minimum content and protocol inspection requirements.
NET0369 V0011796 I The IAO will ensure the enclave perimeter is protected via a deny-by-default policy implemented at the perimeter router or at the firewall. This does not negate the firewall requirement.
NET0375 V0003156 II The IAO/NSO will ensure that the firewall is configured to protect the network against denial of service attacks such as Ping of Death, TCP SYN floods, etc.
NET0377 V0003054 II The FA will ensure the firewall does not utilize any services or capabilities other than firewall software (e.g., DNS servers, e-mail client servers, ftp servers, web servers, etc.), and if these services are part of the standard firewall suite, they will be either uninstalled or disabled.
NET0379 V0004619 II The FA will ensure that if the firewall product operates on an OS platform, the host is STIG compliant prior to the installation of the firewall product.
NET0380 V0014644 II The IAO will ensure the firewall rejects requests for access or services where the source address received by the firewall specifies a loopback address.
NET0384 V0008067 III The FA will subscribe to the vendor's vulnerability mailing list to be made aware of required upgrades and patches.
NET0386 V0014646 III The firewall or IDS will immediately alert the administrators by displaying a message at the remote administrative console, generating an alarm or alert, and paging or sending an electronic message if the audit trail reaches 75% or more of storage capacity.
NET0388 V0014647 III The FA will have a procedure in place to dump logs to a syslog server when they reach 75% capacity.
NET0390 V0003176 II The IAO/NSO will ensure the IDS or firewall is configured to alert the administrator of a potential attack or system failure.
NET0391 V0014648 II The IAO/NSO will ensure the firewall provides critical alert message levels to the FA regardless of whether an administrator is logged in.
NET0392 V0014649 II The IAO/NSO will ensure the message is displayed at the remote console if an administrator is already logged in, or when an administrator logs in if the alarm message has not been acknowledged.
NET0395 V0014653 III The IAO/NSO will ensure the alarm message identifying the potential security violation makes accessible the audit record contents associated with the event(s).
NET0396 V0014655 III The IAO/NSO will ensure an alert remains written on the consoles until acknowledged by an administrator.
NET0398 V0014656 III The IAO/NSO will ensure an acknowledgement message identifying a reference to the potential security violation is logged and contains a notice that it has been acknowledged, the time of the acknowledgement, and the user identifier that acknowledged the alarm, at the remote administrator session that received the alarm.
NET0400 V0003034 II The router administrator will ensure neighbor authentication with IPSec AH or MD5 signatures is implemented for interior routing protocols with all peer routers within the same or between Autonomous Systems (AS).
NET0408 V0014665 II The router administrator will ensure neighbor authentication with MD5 or IPSec is implemented for all BGP routing protocols with all peer routers within the same or between autonomous systems (AS).
NET0410 V0003035 II The router administrator will restrict BGP connections to known IP addresses of neighbor routers from trusted Autonomous Systems.
NET0412 V0014666 II If multiple eBGP peers are defined in the network, the IAO will ensure all eBGP neighbor authentications are configured with unique passwords when the TCP MD5 Signature option is implemented.
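As an added example that is not part of the checklist, the following Python lints an IOS-style BGP stanza for NET0408 (every peer authenticated), NET0410 (peers only from trusted autonomous systems) and NET0412 (a unique MD5 password per eBGP peer). The configuration text and the trusted AS list are constructed sample data using documentation ASNs, not any real site's configuration.

```python
"""Added example (not part of the STIG checklist): a small configuration lint that
checks an IOS-style BGP stanza against NET0408 (every BGP peer authenticated),
NET0410 (peers only from trusted autonomous systems) and NET0412 (unique MD5
passwords per eBGP peer). The configuration and trusted AS list are constructed
sample data using documentation ASNs, not any real site's configuration."""
import re
from collections import defaultdict

# Constructed sample stanza. Passwords are plaintext placeholders (type 0): comparing
# type-7 obfuscated strings would not reveal two peers sharing the same secret,
# because the same plaintext encodes differently each time.
SAMPLE_CONFIG = """\
router bgp 64500
 neighbor 203.0.113.254 remote-as 64500
 neighbor 203.0.113.254 password 0 ibgp-key-placeholder
 neighbor 198.51.100.9 remote-as 64496
 neighbor 198.51.100.9 password 0 shared-secret-placeholder
 neighbor 198.51.100.13 remote-as 64497
 neighbor 198.51.100.13 password 0 shared-secret-placeholder
 neighbor 198.51.100.17 remote-as 64511
"""
TRUSTED_AS = {64496, 64497}  # constructed list of approved peer ASes (NET0410)

ROUTER_RE = re.compile(r"^router bgp (\d+)\s*$")
NEIGHBOR_RE = re.compile(r"^\s*neighbor\s+(\S+)\s+(remote-as|password)\s+(.+?)\s*$")


def parse_bgp(config):
    """Return (local_as, {neighbor_ip: {"remote_as": int|None, "password": str|None}})."""
    local_as, neighbors = None, {}
    for line in config.splitlines():
        m = ROUTER_RE.match(line)
        if m:
            local_as = int(m.group(1))
            continue
        m = NEIGHBOR_RE.match(line)
        if not m:
            continue
        ip, keyword, rest = m.groups()
        entry = neighbors.setdefault(ip, {"remote_as": None, "password": None})
        if keyword == "remote-as":
            entry["remote_as"] = int(rest)
        else:
            # "password [0|7] <string>": drop the optional encryption-type token.
            tokens = rest.split(None, 1)
            entry["password"] = tokens[1] if len(tokens) == 2 and tokens[0] in ("0", "7") else rest
    return local_as, neighbors


def lint_bgp(config, trusted_as):
    """Return a sorted list of (PDI, neighbor_ip) findings."""
    local_as, neighbors = parse_bgp(config)
    findings = []
    ebgp_by_password = defaultdict(list)
    for ip, n in neighbors.items():
        if n["password"] is None:
            findings.append(("NET0408", ip))      # unauthenticated BGP session
        is_ebgp = n["remote_as"] is not None and n["remote_as"] != local_as
        if is_ebgp:
            if n["remote_as"] not in trusted_as:
                findings.append(("NET0410", ip))  # peer AS not on the trusted list
            if n["password"] is not None:
                ebgp_by_password[n["password"]].append(ip)
    for ips in ebgp_by_password.values():
        if len(ips) > 1:                           # same MD5 secret on several eBGP peers
            findings.extend(("NET0412", ip) for ip in ips)
    return sorted(findings)


if __name__ == "__main__":
    for pdi, ip in lint_bgp(SAMPLE_CONFIG, TRUSTED_AS):
        print(f"{pdi} finding: neighbor {ip}")
```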
NET0420 V0008058 II The IAO/NSO will ensure a key management policy has been implemented to include key generation, distribution, storage, usage, lifetime duration, and destruction of all keys used for encryption.
NET0422 V0014667 III The IAO/NSO will ensure a rotating key does not have a duration exceeding 180 days.
NET0425 V0007009 I The IAO/NSO will ensure the lifetime of an MD5 key expiration is set to never expire. The lifetime of the MD5 key will be configured as infinite for route authentication, if supported by the current approved router software version. Note: Only Enhanced Interior Gateway Routing Protocol (EIGRP) and Routing Information Protocol (RIP) Version 2 use key chains.
NET0430 V0014720 II The IAO/NSO will ensure two authentication servers are deployed to provide authentication for administrative access to all network devices.
NET0431 V0025894 III The IAO will ensure all AAA authentication services are configured to use two-factor authentication.
NET0432 V0025895 III The IAO will ensure the authentication server is configured to use tiered authorization groups for various levels of access.
NET0433 V0015432 II The IAO will ensure all network devices are configured to use two or more authentication servers for the purpose of granting administrative access.
NET0434 V0015433 II The IAO/NSO will ensure the AAA authentication method implements user authentication.
NET0435 V0025896 II The IAO will ensure the authentication server is connected to the management network.
NET0436 V0017843 II The AAA server is not compliant with the respective OS STIG.
NET0437 V0017844 III The AAA server is not configured with a unique key to be used for communication (i.e., RADIUS, TACACS+) with any client requesting authentication services.
NET0438 V0017845 II An HIDS has not been implemented on the AAA server.
NET0440 V0003966 II The IAO/NSO will ensure when an authentication server is used for administrative access to the device, only one account or console account is defined locally for use in an emergency (i.e., the authentication server or the connection to the device is down).
NET0441 V0015434 I The IAO/NSO will ensure the emergency account defaults to the lowest authorization level and the password is in a locked safe.
NET0445 V0014723 II To ensure the proper authorized network administrator is the only one who can access the device, the IAO/NSO will ensure device management is restricted by two-factor authentication (e.g., SecurID, DoD PKI, or alternate token logon).
NET0460 V0003056 I The IAO/NSO will ensure each user accessing the device locally has their own account with username and password.
NET0465 V0003057 II The IAO/NSO will ensure all user accounts are assigned the lowest privilege level that allows them to perform their duties.
NET0470 V0003058 II The IAO/NSO will ensure accounts that are no longer required are immediately removed from the authentication server or device.
NET0580 V0004583 III The router administrator will ensure a password is required to gain access to the router's diagnostics port.
NET0600 V0003062 I The administrator will ensure passwords are not viewable when displaying the configuration.
NET0700 V0003160 II The administrator will implement a current supported operating system with all IAVMs addressed.
NET0710 V0003077 III The router administrator will ensure CDP is disabled on all active external interfaces on Cisco premise routers.
NET0720 V0003078 III The router administrator will ensure TCP & UDP small servers are disabled.
NET0722 V0005614 III The router administrator will ensure PAD services are disabled unless approved by the DAA.
NET0724 V0005615 III The router administrator will ensure TCP Keep-Alives for Telnet sessions are enabled.
NET0726 V0005616 III The router administrator will ensure identification support is not enabled.
NET0728 V0005617 III The router administrator will ensure DHCP services are disabled on premise routers.
NET0730 V0003079 III The router administrator will ensure Finger is disabled.
NET0740 V0003085 II The router administrator will ensure HTTP servers are disabled.
NET0742 V0014668 II The router administrator will ensure the FTP server is disabled.
NET0744 V0014669 II The router administrator will ensure BSD r command services are disabled.
NET0750 V0003086 III The router administrator will ensure the Bootp server is disabled.
NET0760 V0003080 II The administrator will ensure configuration auto-loading is disabled.
NET0770 V0003081 II The router administrator will ensure IP source routing is disabled.
NET0780 V0003082 II The router administrator will ensure IP Proxy ARP is disabled on all external interfaces.
NET0781 V0005618 II The router administrator will ensure Gratuitous ARP is disabled.
NET0790 V0003083 III The router administrator will ensure IP directed broadcast is disabled on all layer 3 interfaces.
NET0800 V0003084 II The router administrator will ensure ICMP unreachable notifications, mask replies, and redirects are disabled on all external interfaces of the premise router.
NET0810 V0017860 III Two NTP servers have not been deployed in the management network.
NET0812 V0023747 III The IAO/NSO will ensure all managed network elements are configured to use two or more NTP servers to synchronize time.
NET0813 V0014671 II The IAO will ensure all NTP-enabled devices authenticate received NTP messages.
NET0814 V0025883 II The NTP server is connected to a network other than the management network.
NET0815 V0017848 III The NTP server is not compliant with the OS STIG.
NET0816 V0017849 III An HIDS has not been implemented on the NTP server.
NET0817 V0017850 III Two independent sources of time reference are not being utilized.
NET0819 V0017852 III The NTP server is not configured with a symmetric key that is unique from any key configured on any other NTP server.
NET0820 V0003020 III The IAO/NSO will ensure that the DNS servers are defined if the router is configured as a client resolver.
NET0890 V0003021 II The router administrator will restrict SNMP access to the router to only authorized internal IP addresses.
NET0892 V0003022 II The router administrator will ensure SNMP is blocked at all external interfaces. SNMP access is permitted for enterprise mapping capabilities as directed by CTO 09-011.
NET0894 V0003969 II The administrator will ensure SNMP is only enabled in read mode. Write mode is permitted if SNMPv3 with authentication is implemented, or if approved and documented by the IAO.
NET0897 V0014672 III The router administrator will ensure the router's loopback address is used as the source address when originating TACACS+ or RADIUS traffic.
NET0898 V0014673 III The router administrator will ensure the router's loopback address is used as the source address when originating syslog traffic.
NET0899 V0014674 III The router administrator will ensure the router's loopback address is used as the source address when originating NTP traffic.
NET0900 V0014675 III The router administrator will ensure the router's loopback address is used as the source address when originating SNMP traffic.
NET0901 V0014676 III The router administrator will ensure the router's loopback address is used as the source address when originating NetFlow traffic.
NET0902 V0014677 III The router administrator will ensure the router's loopback address is used as the source address when originating TFTP or FTP traffic.
NET0903 V0014681 III The router administrator will ensure the router's loopback address is used as the source address for iBGP peering sessions.
NET0910 V0005731 II The SA will utilize ingress and egress ACLs to restrict traffic destined to the enclave perimeter in accordance with the guidelines contained in DoD Instruction 8551.1 for all ports and protocols required for operational commitments.
NET0911 V0003026 II The System Administrator can permit inbound ICMP messages Echo Reply (type 0), ICMP Destination Unreachable fragmentation needed (type 3, code 4), Source Quench (type 4), Time Exceeded (type 11), and Parameter Problem (type 12). All other inbound ICMP messages are prohibited. The following exception applies: all ICMP messages must be denied from external AG addresses.
NET0912 V0003027 II The System Administrator can permit outbound ICMP messages Packet-too-Big (type 3, code 4), Source Quench (type 4), Echo Request (type 8), and Time Exceeded (type 11). All other outbound ICMP messages are prohibited. The following exception applies: all ICMP messages must be denied to external AG addresses.
NET0918 V0003028 III The router administrator will block all inbound traceroutes to prevent network discovery by unauthorized users.
NET0920 V0003968 II The router administrator will bind the ingress ACL filtering packets entering the network to the external interface in the inbound direction.
NET0921 V0014688 II The router administrator will bind the egress ACL filtering packets leaving the network to the internal interface in the inbound direction.
NET0923 V0014689 I The router administrator will restrict the premise router from accepting any inbound IP packets with a local host loopback address (127.0.0.0/8).
NET0924 V0014690 I The router administrator will restrict the premise router from accepting any inbound IP packets with a link-local IP address range (169.254.0.0/16).
NET0926 V0014691 I The router administrator will restrict the premise router from accepting any inbound IP packets having a source field from BOGON or Martian IP addresses.
NET0927 V0014692 I The router administrator will restrict the premise router from accepting any inbound IP packets having a source field from RFC1918 IP addresses.
NET0928 V0005607 II The Router Administrator will have a procedure in place to check for changes and modify the BOGON/Martian list on a monthly basis.
NET0940 V0003024 I The router administrator will restrict the premise router from accepting any inbound IP packets whose source address field contains an IP address from the internal network, any local host loopback address (127.0.0.0/8), the link-local IP address range (169.254.0.0/16), IANA unallocated addresses, or any reserved private addresses.
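As an added example that is not part of the checklist, the following Python models the ingress-ACL decisions required by NET0162, NET0911 and NET0923 through NET0940 on the AG-facing interface and applies them to constructed sample packets. The site address space, the AG link addresses and the bogon subset are assumptions made for the example (RFC 5737 documentation ranges), not any real site's data.

```python
"""Added example (not part of the STIG checklist): an evaluator for the premise-router
ingress rules NET0162, NET0911, NET0923, NET0924, NET0926, NET0927 and NET0940,
applied to a few constructed packets. All address ranges below are constructed
sample values (RFC 5737 documentation ranges), not any real site's data."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed site data (assumptions for the example, not from the checklist).
SITE_SPACE = [ip_network("203.0.113.0/24")]     # site's own registered address space
AG_ADDRESSES = [ip_network("198.51.100.0/30")]  # Approved Gateway (ISP) link addresses
LOOPBACK = ip_network("127.0.0.0/8")            # NET0923
LINK_LOCAL = ip_network("169.254.0.0/16")       # NET0924
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# NET0926: bogon/Martian sources. A constructed subset; NET0928 requires the real
# list to be checked and updated monthly, so it would normally be loaded from a file.
BOGONS = [ip_network(n) for n in ("0.0.0.0/8", "192.0.2.0/24", "224.0.0.0/4", "240.0.0.0/4")]
# NET0911: inbound ICMP permitted only for these (type, code) pairs; None = any code.
PERMITTED_INBOUND_ICMP = {(0, None), (3, 4), (4, None), (11, None), (12, None)}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str              # "tcp", "udp" or "icmp"
    icmp_type: int = -1     # only meaningful when proto == "icmp"
    icmp_code: int = -1


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def evaluate_ingress(pkt):
    """Decide ("permit"|"deny", reason) for a packet arriving on the AG-facing interface.

    Checks run in the order the ACL would be written: spoofed/bogon sources first,
    then the destination check of NET0162, then the ICMP type restrictions."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    if src in LOOPBACK:
        return "deny", "NET0923: loopback source address"
    if src in LINK_LOCAL:
        return "deny", "NET0924: link-local source address"
    if _in_any(src, RFC1918):
        return "deny", "NET0927: RFC1918 source address"
    if _in_any(src, BOGONS):
        return "deny", "NET0926: bogon/Martian source address"
    if _in_any(src, SITE_SPACE):
        # A packet arriving from outside with an internal source address is spoofed.
        return "deny", "NET0940: internal address in source field"
    if not _in_any(dst, SITE_SPACE):
        return "deny", "NET0162: destination outside the site's address space"
    if pkt.proto == "icmp":
        if _in_any(src, AG_ADDRESSES):
            return "deny", "NET0911: ICMP from external AG address"
        key_any = (pkt.icmp_type, None)
        key_exact = (pkt.icmp_type, pkt.icmp_code)
        if key_any in PERMITTED_INBOUND_ICMP or key_exact in PERMITTED_INBOUND_ICMP:
            return "permit", f"NET0911: ICMP type {pkt.icmp_type} code {pkt.icmp_code} permitted"
        return "deny", f"NET0911: ICMP type {pkt.icmp_type} code {pkt.icmp_code} prohibited"
    # Nothing above matched; the packet proceeds to the perimeter port/protocol
    # filtering of NET0910, which this example does not model.
    return "permit", "passes ingress checks; subject to NET0910 perimeter filtering"


# Constructed sample packets. 198.51.100.200 stands in for an ordinary remote host.
SAMPLE_PACKETS = [
    Packet("127.0.0.1", "203.0.113.10", "tcp"),
    Packet("169.254.7.7", "203.0.113.10", "udp"),
    Packet("10.1.2.3", "203.0.113.10", "tcp"),
    Packet("192.0.2.9", "203.0.113.10", "tcp"),
    Packet("203.0.113.5", "203.0.113.10", "tcp"),
    Packet("198.51.100.200", "203.0.113.10", "tcp"),
    Packet("198.51.100.200", "192.0.2.77", "tcp"),
    Packet("198.51.100.1", "203.0.113.10", "icmp", 0, 0),
    Packet("198.51.100.200", "203.0.113.10", "icmp", 8, 0),
    Packet("198.51.100.200", "203.0.113.10", "icmp", 3, 4),
    Packet("198.51.100.200", "203.0.113.10", "icmp", 3, 1),
]


def evaluate_samples():
    """Return {(src, dst, proto, type, code): decision} for every constructed packet."""
    return {(p.src, p.dst, p.proto, p.icmp_type, p.icmp_code): evaluate_ingress(p)[0]
            for p in SAMPLE_PACKETS}


if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        decision, reason = evaluate_ingress(pkt)
        print(f"{decision:6} {pkt.src:>15} -> {pkt.dst:<15} {pkt.proto:4} {reason}")
```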
NET0949 V0005645 II The router administrator will ensure that CEF is enabled on all Cisco routers and multi-layer switches.
NET0950 V0003164 I The router administrator will restrict the router from accepting any outbound IP packet that contains an illegitimate address in the source address field by enabling Unicast Reverse Path Forwarding (uRPF) strict mode or via an egress ACL.
NET0960 V0003165 II The IAO/NSO will implement the TCP Intercept feature provided by the router or implement a filter to rate-limit TCP SYN traffic to protect servers from any TCP SYN flood attacks from an outside network.
NET0965 V0005646 II The router administrator will set the maximum wait interval for establishing a TCP connection request to the router to 10 seconds or less, or implement a feature to rate-limit TCP SYN traffic destined to the router.
NET0966 V0019188 II Control plane protection is not enabled.
NET0985 V0017815 II IGP instances configured on the OOBM gateway router do not peer only with their appropriate routing domain.
NET0986 V0017816 II The routes from the two IGP domains are redistributed to each other.
NET0987 V0017817 II Traffic from the managed network is able to access the OOBM gateway router.
NET0988 V0017818 II Traffic from the managed network will leak into the management network via the gateway router interface connected to the OOBM backbone.
NET0989 V0017819 II Management network traffic is leaking into the managed network.
NET0990 V0017820 II The OOBM access switch is not physically connected to the managed network element OOBM interface.
NET0991 V0017821 II The managed NE OOBM interface is not configured with an OOBM network address.
NET0992 V0017822 II The management interface is not configured with both an ingress and egress ACL.
NET0993 V0017823 III The management interface is not configured as passive for the IGP instance for the managed network.
NET0994 V0017824 II The management interface is an access switchport and has not been assigned to a separate management VLAN.
NET0995 V0017825 III An address has not been configured for the management VLAN from space belonging to the OOBM network assigned to that site.
NET0996 V0017826 II The access switchport connecting to the OOBM access switch is not the only port with membership to the management VLAN.
NET0997 V0017827 III The management VLAN is not pruned from any VLAN trunk links belonging to the managed network's infrastructure.
NET0998 V0017772 II A separate management subnet has not been implemented.
NET0999 V0017858 II Not all management network elements are configured with an IP address from the management address block.
NET1000 V0017829 II The gateway router for the managed network is not configured with an ACL or filter on the egress interface to block all outbound management traffic.
NET1001 V0017830 II A firewall located behind the premise router must be configured to block all outbound management traffic.
NET1002 V0017901 II The management station or server is not connected to the management VLAN.
NET1003 V0017832 II The management VLAN is not configured with an IP address from the management network address block.
NET1004 V0017833 II The IAO will ensure that only authorized management traffic is forwarded by the multi-layer switch from the production or managed VLANs to the management VLAN.
NET1005 V0017834 II An inbound ACL is not configured for the management network sub-interface of the trunk link to block non-management traffic.
NET1006 V0017835 II Traffic entering the tunnels is not restricted to only the authorized management packets based on destination address.
NET1007 V0017836 III Management traffic is not classified and marked at the nearest upstream MLS or router when management traffic must traverse several nodes to reach the management network.
NET1008 V0017837 III The core router within the managed network has not been configured to provide preferred treatment for management traffic that must traverse several nodes to reach the management network.
NET1020 V0003000 III The IAO/NSO will ensure all attempts to access any port, protocol, or service that is denied are logged.
NET1021 V0004584 III The IAO/NSO will configure all devices to log severity levels 0 through 6 and send log data to a syslog server.
NET1022 V0023749 II The IAO will ensure the syslog server is only connected to the management network.
NET1023 V0023750 II The IAO will ensure the syslog servers are configured IAW the appropriate OS STIG.
NET1025 V0008060 III The IAO/NSO will ensure a centralized syslog server is deployed and configured by the syslog administrator to store all syslog messages for a minimum of 30 days online and then stored offline for one year.
NET1027 V0003031 III The syslog administrator will configure the syslog server to collect syslog messages from levels 0 through 6.
NET1030 V0003072 III The administrator will ensure that the running and startup configurations are synchronized after changes have been made and implemented.
NET1040 V0008061 III The IAO will ensure all current and previous router and switch configurations are stored in a secured location. Storage can take place on a classified network, an OOB network, or offline. The configurations can only be accessed by the server or network administrator.
NET1050 V0023735 II The IAO will ensure that all router and switch configurations are encrypted while stored on a server.
NET1060 V0008062 I The IAO will ensure that passwords contained within a router, switch, or firewall configuration file are not stored offline unencrypted.
NET1070 V0008063 II The IAO/NSO will authorize and maintain justification for all TFTP implementations.
NET1071 V0005644 II If a TFTP implementation is used, the router administrator will ensure the TFTP server resides on a controlled managed LAN subnet, and access is restricted to authorized devices within the local enclave.
NET1110 V0008064 II The IAO/NSO will ensure all changes and updates are documented in a manner suitable for review and audit.
NET1111 V0014718 II The IAO/NSO will ensure request forms are used to aid in recording the audit trail.
NET1113 V0014719 II The IAO/NSO will ensure current paper or electronic copies of configurations are maintained in a secure location.
NET1114 V0015430 II The IAO/NSO will ensure only authorized personnel, with proper verifiable credentials, are allowed to request changes to routing tables or service parameters.
NET1280 V0008068 III The IAO/NSO will ensure the firewall log data is reviewed on a daily basis by the firewall administrator (FA), or other qualified personnel, to determine if attacks or inappropriate activity have occurred.
NET1281 V0014726 III The IAO will ensure an HIDS is implemented on the syslog servers.
NET1284 V0008070 III The IAO/NSO will ensure the firewall configuration data are backed up weekly and whenever configuration changes occur.
NET1286 V0008071 III The IAO/NSO will ensure the audit data is backed up weekly.
NET1287 V0014727 III The IAO/NSO will ensure the audit logs are protected from deletion.
NET1288 V0025890 III The IAO/NSO will ensure the audit trail events are stamped with accurate date and time.
NET1289 V0025891 III The IAO/NSO will ensure the audit trail events include source IP, destination IP, port, protocol used, and action taken.
NET1299 V0025892 III The IAO will ensure the firewall provides the ability to perform searches and sorting of audit data based on source address, destination address, date, time, protocol, port, and ingress interface.
NET1300 V0003178 III The IAO/NSO will ensure administrator logons, changes to the administrator group, and account lockouts are logged.
NET1328 V0008075 III The IAO/NSO will ensure that the data from the external NIDS is restricted to CNDSP personnel only.
NET1340 V0008076 II The IAO/NSO will establish policies outlining procedures to notify U.S. Cyber Command when suspicious activity is observed.
NET1342 V0008077 II The IAO/NSO will ensure that authorized reviewers of Network IDS data are identified in writing by the site's IAM.
NET1344 V0008273 II The IAO/NSO will ensure that any unauthorized traffic is logged for further investigation.
NET1352 V0018576 II The Network administrator will implement additional intrusion protection that detects both specific attacks on mail and traffic types (protocols) that should not be seen on the segments containing mail servers at the regional enclave mail perimeter.
NET1432 V0014734 II The IAO/NSO will ensure that if Sticky MAC Port Security is implemented, the running and startup configuration files are identical.
NET1433 V0014735 II The IAO will ensure that if Sticky MAC Port Security is implemented, a policy is in place that prohibits connection to the switchport unless it has been approved.
NET1440 V0014736 II The IAO/NSO will ensure VMPS is not used to provide port authentication or dynamic VLAN assignment.
NET1615 V0017840 II The communications server is not configured to use PPP encapsulation and PPP CHAP authentication for the async or AUX port used for dial-in.
NET1617 V0017842 III The communications server is not configured to accept a callback request or in a secured mode so that it will not call back an unauthorized user.
NET1621 V0014715 II The IAO will properly register all network components in an asset management tracking system such as VMS.
NET1622 V0014716 II The IAO/NSO will ensure an OOB management network is in place for MAC I systems or 24x7 personnel have immediate console access (direct connection method) for communication device management.
NET1623 V0004582 I The IAO will ensure that all OOB management connections to the device require authentication.
NET1624 V0003967 II The system administrator will ensure the console port is configured to time out after 10 minutes or less of inactivity.
NET1628 V0008059 II The IAO/NSO will ensure modems are not connected to the console port.
NET1629 V0007011 III The system administrator will ensure that the device auxiliary port is disabled if a secured modem providing encryption and authentication is not connected.
NET1636 V0003175 I The IAO will ensure that all in-band management connections to the device require authentication.
NET1637 V0005611 II The system administrator will ensure that the device only allows in-band management sessions from authorized IP addresses from the internal network.
NET1638 V0003069 II The system administrator will ensure in-band management access to the device is secured using FIPS 140-2 approved encryption or hash algorithms such as AES, 3DES, SSH, or TLS/SSL.
NET1639 V0003014 II The system administrator will ensure the timeout for in-band management access is set for no longer than 10 minutes.
NET1640 V0003070 III The system administrator will configure the ACL that is bound to the in-band interface to log permitted and denied access attempts.
NET1645 V0005612 II The system administrator will ensure the SSH timeout value is set to 60 seconds or less, causing incomplete SSH connections to shut down after 60 seconds or less.
NET1646 V0005613 II The system administrator will ensure the maximum number of unsuccessful SSH login attempts is set to three, locking access to the network device.
NET1647 V0014717 II The system administrator will ensure SSH version 2 is implemented.
NET1660 V0003196 I The IAO will ensure that if SNMP is implemented, the device is configured to use the SNMP Version 3 Security Model with FIPS 140-2 compliant cryptography (i.e., SHA authentication and AES encryption).
NET1665 V0003210 I The IAO/NSO will ensure that all SNMP community strings are changed from the default values.
NET1670 V0008092 III The IAO/NSO will establish and maintain a standard operating procedure managing SNMP community strings and usernames to include the following: community string and username expiration period; SNMP community string and username distribution, including determination of membership.
NET1675 V0003043 II The IAO/NSO will ensure that, if both privileged and non-privileged modes are used on all devices, different community names are used for read-only access and read-write access.
NET1710 V0003046 III The IAO/NSO will ensure that security alarms are set up within the managed network's framework. At a minimum, these will include the following:
  - Integrity Violation: Indicates that network contents or objects have been illegally modified, deleted, or added.
  - Operational Violation: Indicates that a desired object or service could not be used.
  - Physical Violation: Indicates that a physical part of the network (such as a cable) has been damaged or modified without authorization.
  - Security Mechanism Violation: Indicates that the network's security system has been compromised or breached.
  - Time Domain Violation: Indicates that an event has happened outside its allowed or typical time slot.
NET1720 V0003047 III The IAO/NSO will ensure that alarms are categorized by severity using the following guidelines:
  - Critical and major alarms are given when a condition that affects service has arisen. For a critical alarm, steps must be taken immediately in order to restore the service that has been lost completely.
  - A major alarm indicates that steps must be taken as soon as possible because the affected service has degraded drastically and is in danger of being lost completely.
  - A minor alarm indicates a problem that does not yet affect service, but may do so if the problem is not corrected.
  - A warning alarm is used to signal a potential problem that may affect service.
  - An indeterminate alarm is one that requires human intervention to decide its severity.
NET1730 V0008093 II The IAO/NSO will ensure that the management workstation is located in a secure environment.
NET1731 V0017854 II The SNMP manager is not compliant with the OS STIG.
NET1732 V0017855 III An HIDS has not been implemented on the SNMP manager.
NET1733 V0017856 II The SNMP manager is not connected to only the management network.
NET1734 V0017857 III SNMP messages are stored for a minimum of 30 days and then archived.
NET1740 V0008094 II The IAO/NSO will ensure that only those accounts necessary for the operation of the system and for access logging are maintained.
NET1750 V0003050 III The IAO/NSO will ensure a record is maintained of all logons and transactions processed by the management station. NOTE: Include time logged in and out, devices that were accessed and modified, and other activities performed.
NET1760 V0003051 I The IAO/NSO will ensure access to the NMS is restricted to authorized users with individual userids and passwords.
NET1762 V0004613 II The IAO/NSO will ensure that all in-band sessions to the NMS are secured using FIPS 140-2 approved encryption or hash algorithms such as AES, 3DES, SSH, or SSL.
NET1780 V0003184 II The IAO/NSO will ensure all accounts are assigned the lowest possible level of access/rights necessary to perform their jobs.
NET1800 V0003008 II The IAO will ensure IPSec VPNs are established as tunnel type VPNs when transporting management traffic across an IP backbone network.
NET1807 V0017754 II Management traffic is not restricted to only the authorized management packets based on destination and source IP address.
NET1808 V0017814 II Gateway configuration at the remote VPN end-point is not a mirror of the local gateway.
NET1815 V0012101 II The IAM will ensure REL LAN environments are documented in the SSAA.
NET1816 V0012102 II The IAM will ensure annual reviews are performed on REL LAN environments.
NET1820 V0008275 II The IAM will require the customer to provide a Host Based IDS capability for any gateway-to-host VPN established that bypasses the site's current IDS capability.
NET1826 V0014741 I Leasing of point-to-point circuits that extend classified backside connectivity to any non-DoD, foreign or contractor facility is prohibited unless the termination is government operated in the contractor or foreign government facility.
NET1827 V0014742 II The IAO/NSO will have all C2 and non-C2 exceptions of SIPRNet use documented in the enclave's accreditation package and an Interim Authority to Connect/Authority to Connect (IATC/ATC) amending the connection approval received, prior to implementation.
NET1830 V0014744 II The IAM will ensure the controls over the type of data to be moved are described in classification guidance, Executive Orders, or other issuances pertaining to controls over categories of information.
NET1832 V0014745 II The IAM will ensure the VPN tunnel demarcation is located in facilities authorized to process classified US government information, classified at the Secret Level (for SIPRNet).
NET1930 V0015266 II The IAO/NSO will ensure the internal router's egress interface is the only interface accepting native IPv6 traffic.
NET1931 V0015269 II The IAO/NSO will ensure the internal router's ingress interfaces do not allow native IPv6 traffic.
NET1934 V0015272 II The IAO/NSO will ensure the internal router's ingress interfaces do not allow native IPv6 NLRI exchanges.
NET1935 V0015275 II The IAO/NSO will ensure there is only one IPv6 to IPv4 tunnel between the interfaces of the internal router's ingress interface and the perimeter router's egress interface.
NET1940 V0015282 II The IAO/NSO will ensure the perimeter router does not route native IPv6 traffic during MO2.
NET1942 V0015283 II The IAO/NSO will ensure an access list is applied on all interfaces not supporting IPv6 that blocks native IPv6 traffic when IPv6 is used in an enclave environment.
NET1945 V0015285 II The IAO/NSO will ensure tunnels used for IPv6 transition are filtered by protocol 41 and the endpoints are explicitly defined on the permit filter.
NET1970 V0025037 I The IAO will ensure that the router or firewall software has been upgraded to mitigate the risk of DNS cache poisoning attacks caused by a flawed PAT implementation using a predictable source port allocation method for DNS query traffic.
NET-IDPS-001 V0018489 II The Network IDPS administrator will ensure all Network IDPS systems are installed and operational in stealth mode (no IP address on the interface with data flow).
NET-IDPS-002 V0018484 II The IAO/NSO will ensure the IDPS consoles, management and database servers reside in the management network.
NET-IDPS-003 V0003179 II The IAO/NSO will ensure the sensor's monitoring application or mechanism retrieves events from the sensor before the queue becomes full.
NET-IDPS-004 V0018501 II The IAO/NSO will ensure notifications are sent to the syslog server or central controller when threshold limits exceed the sensor's capacity.
NET-IDPS-005 V0018502 II The Network IDPS administrator will review whitelists and blacklists regularly and validate all entries to ensure that they are still accurate and necessary.
NET-IDPS-006 V0018508 II The Network administrator will implement signatures that detect specific attacks and protocols that should not be seen on the segments containing web servers.
NET-IDPS-007 V0018509 II The Network administrator will implement signatures that detect both specific attacks on public service servers and traffic types (protocols) that should not be seen on the segments containing FTP servers.
NET-IDPS-008 V0018513 II The Network IDPS administrator will ensure IP hijacking signatures have been implemented with the common default signatures.
NET-IDPS-009 V0018512 II The Network IDPS administrator will tune the sensor to alarm if unexpected protocols for network management enter the subnet.
NET-IDPS-010 V0019233 II The IDPS device positioned to protect servers in the server farm or DMZs must provide protection from DoS SYN Flood attacks by dropping half-open TCP sessions.
NET-IDPS-011 V0019246 II The Network IDPS administrator will ensure the IDPS is protecting the enclave from malware and unexpected traffic by using TCP Reset signatures.
NET-IDPS-012 V0019250 II The IDPS administrator will ensure the LAND DoS signature has been implemented to protect the enclave.
NET-IDPS-013 V0019256 II The IDPS Administrator will ensure Atomic Signatures are implemented to protect the enclave.
NET-IDPS-016 V0018490 II The IAO will ensure an IDPS sensor is monitoring DMZ segments housing all public servers.
NET-IDPS-017 V0018491 II The IAO will ensure an IDPS sensor is monitoring VPN concentrators to monitor unencrypted VPN traffic and behind all tunnel endpoints to monitor all traffic (IPv4 and IPv6) entering the enclave.
NET-IDPS-018 V0018492 II The IAO will ensure an IDPS sensor is monitoring Server Farm segments containing databases, private backend servers, and personnel data.
NET-IDPS-019 V0018493 II The IAO will ensure an IDPS sensor is monitoring segments that house network security management servers (Network Management segments or OOB networks).
NET-IDPS-021 V0008272 II The IAO will ensure an IDS is installed and operational behind the firewall that monitors all traffic entering and leaving the enclave or all traffic not being monitored by other positioned sensors.
NET-IDPS-022 V0014732 II The IAO will ensure IDPS components that have been evaluated and validated against existing NIAP profiles are placed in the network infrastructure.
NET-IDPS-023 V0018495 II The IAO/NSO will ensure the Regional Enclave has developed a hierarchical structure that allows the local enclave (base, camp, post, station) sensor data to be exported to the regional enclave management network segment.
NET-IDPS-024 V0018496 II The IAO/NSO will ensure the sensor traffic in transit is protected at all times via an OOB network or an authenticated tunnel between site locations.
NET-IDPS-025 V0018497 II The SA will ensure IDPS communication traffic from the sensor to the management and database servers traverses a separate VLAN, logically separating IDPS traffic from all other enclave traffic.
NET-IDPS-026 V0018503 III The Network IDPS administrator will review and ensure thresholds and alert settings are adjusted periodically to compensate for changes in the environment.
NET-IDPS-027 V0018504 III The Network IDPS administrator will ensure that any products collecting baselines for anomaly-based detection have their baselines rebuilt periodically to support accurate detection. Readiness is required for INFOCON levels; additional information can be found in Strategic Command Directive (SD) 527-1.
NET-IDPS-028 V0018505 II The Network IDPS administrator located at a regional enterprise enclave will establish an automated update for enterprise sensor update deployments to Base, Camp, Post and Station local networks.
NET-IDPS-029 V0018506 II The Network IDPS administrator will ensure that if an SFTP server is used to provide updates to the sensors, the server is configured to allow read-only access to the files within the directory in which the signature packs are placed.
NET-IDPS-030 V0018507 II The Network IDPS administrator will ensure that if an automated scheduler is used to provide updates to the sensors, an account is defined that only the sensors will use.
NET-IDPS-031 V0018510 III The Network IDPS administrator will back up configuration settings before applying software or signature updates to ensure that existing settings are not inadvertently lost.
NET-IDPS-032 V0018511 III The Network IDPS administrator will compare and verify the IDPS update's file checksums provided by the vendor with checksums computed from the downloaded files. If removable media (CD) is used for updates, its content will be verified.
NET-IDPS-033 V0008078 II The IAO/NSO will establish weekly data backup procedures for the Network IDS.
NET-IDPS-035 V0008080 III The Network IDS administrator will subscribe to the vendor's vulnerability mailing list. The Network IDS administrator will update the Network IDS when software is provided by Field Security Operations for the RealSecure distribution, and for all other Network IDS software distributions when a security-related update is provided by the vendor.
NET-IDPS-036 V0015424 III The IDS administrator will update the Network IDS when updates are provided by the vendor.
NET-IDPS-037 V0008072 II The IAO will ensure an external IDPS is installed and implemented so that all external connections can be monitored.
NET-IDPS-038 V0008073 II The IAO will ensure the accredited CNDSP is continuously monitoring the external IDPS to detect any unauthorized or suspicious traffic.
NET-IPV6-001 V0018585 II The IAO will ensure IPv6 is disabled by default on all network interfaces and nodes.
NET-IPV6-002 V0008053 II The IAO/NSO will ensure that IPv6 implemented on any DOD network that transports production or operations traffic is approved by the DAA.
NET-IPV6-003 V0014636 III The IAO/NSO will ensure that a devised, hard-to-guess IPv6 scheme is implemented throughout the infrastructure.
NET-IPV6-004 V0014637 II The IAO/NSO will ensure that all external interfaces on Premise, AG, Backdoor and Tunnel end-points have Router Advertisements suppressed.
NET-IPV6-005 V0018589 II The IAO will ensure firewalls deployed in an IPv6 enclave meet the requirements defined by DITO and NSA milestone objective 3 guidance.
NET-IPV6-006 V0014683 II The system administrator will ensure the undetermined transport packet is blocked at the perimeter in an IPv6 enclave by the firewall or router.
NET-IPV6-008 V0018610 II The IAO/NSO will ensure IPv6 6bone address space (3FFE::/16) is blocked on the ingress and egress filter.
NET-IPV6-009 V0018618 II The IAO/NSO will ensure the IPv6 router advertisement interval is not set at an unsafe interval.
NET-IPV6-010 V0014686 II The system administrator can permit inbound ICMPv6 messages Packet-too-big (type 2), Time Exceeded (type 3), Parameter Problem (type 4), Echo Reply (type 129), Network Discovery (type 135-136). Remaining ICMPv6 messages must be blocked inbound.
NET-IPV6-011 V0014687 II The system administrator can permit outbound ICMPv6 messages Packet-too-big (type 2), Echo Request (type 128), Network Discovery (type 135-136), Router Discovery (type 133-134).
NET-IPV6-015 V0014664 II The IAO/NSO will ensure neighbor authentication is implemented between OSPFv3 peer routers within the same or between autonomous systems (AS) using IPSec.
NET-IPV6-016 V0014670 II The router administrator will ensure ICMPv6 unreachable notifications and redirects are disabled on all external interfaces of the premise router.
NET-IPV6-017 V0014685 II The system administrator will ensure routing header extension types 0, 1, and 3-255 are rejected in an IPv6 enclave by the firewall or router.
NET-IPV6-022 V0018599 II The IAO/NSO will ensure IPv6 Link-Local Unicast source addresses with a prefix of FE80::/10 are dropped at the enclave perimeter by the ingress and egress filters. Note: This consists of addresses that begin with FE8, FE9, FEA
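As an added example (not part of the checklist) of how the IPv6 perimeter rows NET-IPV6-008, -010, -011, -017 and -022 combine into one filter decision: a Python evaluator run over constructed packets. The packet field names are this example's own, and treating the outbound ICMPv6 list in NET-IPV6-011 as default-deny for unlisted types is an assumption.

```python
import ipaddress

# Source prefixes the rows say to drop on both the ingress and egress filters.
BLOCKED_SRC_PREFIXES = {
    "NET-IPV6-008": ipaddress.ip_network("3FFE::/16"),  # 6bone space
    "NET-IPV6-022": ipaddress.ip_network("FE80::/10"),  # link-local unicast
}
# ICMPv6 types that may be permitted per direction. NET-IPV6-010 states that
# remaining inbound types must be blocked; applying the same default-deny to
# outbound types is an assumption of this example, not stated in NET-IPV6-011.
PERMITTED_ICMPV6 = {
    "inbound": ("NET-IPV6-010", {2, 3, 4, 129, 135, 136}),
    "outbound": ("NET-IPV6-011", {2, 128, 133, 134, 135, 136}),
}
# NET-IPV6-017 rejects routing header types 0, 1 and 3-255, leaving only type 2.
ALLOWED_ROUTING_HEADER_TYPES = {2}


def evaluate(pkt):
    """Return ("permit", None) or ("drop", PDI) for one constructed packet dict.

    Keys (this example's own names): direction ("inbound"/"outbound"), src,
    and optionally icmpv6_type and routing_header_type."""
    src = ipaddress.ip_address(pkt["src"])
    for pdi, net in BLOCKED_SRC_PREFIXES.items():
        if src in net:
            return "drop", pdi
    rh_type = pkt.get("routing_header_type")
    if rh_type is not None and rh_type not in ALLOWED_ROUTING_HEADER_TYPES:
        return "drop", "NET-IPV6-017"
    icmp_type = pkt.get("icmpv6_type")
    if icmp_type is not None:
        pdi, allowed = PERMITTED_ICMPV6[pkt["direction"]]
        if icmp_type not in allowed:
            return "drop", pdi
    return "permit", None


def evaluate_all(pkts):
    """Apply the filter to a list of packets, preserving order."""
    return [evaluate(p) for p in pkts]


# Constructed sample traffic (documentation prefix 2001:db8::/32, not a capture).
SAMPLE_PACKETS = [
    {"direction": "inbound", "src": "2001:db8::1", "icmpv6_type": 2},     # PTB
    {"direction": "inbound", "src": "2001:db8::1", "icmpv6_type": 128},   # echo req
    {"direction": "outbound", "src": "2001:db8:1::5", "icmpv6_type": 128},
    {"direction": "inbound", "src": "fe80::1", "icmpv6_type": 135},
    {"direction": "outbound", "src": "3ffe:1::9", "icmpv6_type": 2},
    {"direction": "inbound", "src": "2001:db8::2", "routing_header_type": 0},
    {"direction": "inbound", "src": "2001:db8::2", "routing_header_type": 2},
]
```

Each drop verdict names the row that mandates it, so the output doubles as evidence for the Finding column when the same packets are replayed against a device's actual filter.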