Checked | Name | Title |
---|---|---|
☐ | SV-85907r1_rule | The CA API Gateway must enforce approved authorizations for logical access to information and system resources by employing identity-based, role-based, and/or attribute-based security policies. |
☐ | SV-85909r1_rule | The CA API Gateway must enforce approved authorizations for controlling the flow of information within the network based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic. |
☐ | SV-85911r1_rule | The CA API Gateway must restrict or block harmful or suspicious communications traffic by controlling the flow of information between interconnected networks based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic. |
☐ | SV-85913r1_rule | The CA API Gateway providing user access control intermediary services must display the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to the network. |
☐ | SV-85915r1_rule | The CA API Gateway providing user access control intermediary services must retain the Standard Mandatory DoD-approved Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access. |
☐ | SV-85917r1_rule | The CA API Gateway providing user access control intermediary services for publicly accessible applications must display the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to the system. |
☐ | SV-85919r1_rule | The CA API Gateway providing user access control intermediary services must limit users to two concurrent sessions. |
☐ | SV-85923r1_rule | The CA API Gateway providing intermediary services for remote access communications traffic must use encryption services that implement NIST FIPS-validated cryptography to protect the confidentiality of remote access sessions. |
☐ | SV-85931r1_rule | The CA API Gateway that stores secret or private keys must use FIPS-approved key management technology and processes in the production and control of private/secret cryptographic keys. |
☐ | SV-85939r1_rule | The CA API Gateway that provides intermediary services for TLS must be configured to comply with the required TLS settings in NIST SP 800-52. |
☐ | SV-85949r2_rule | The CA API Gateway providing intermediary services for remote access communications traffic must use NIST FIPS-validated cryptography to protect the integrity of remote access sessions. |
☐ | SV-85953r1_rule | The CA API Gateway must produce audit records containing information to establish the source of the events. |
☐ | SV-85957r1_rule | The CA API Gateway must produce audit records containing information to establish the outcome of the events. |
☐ | SV-85959r1_rule | The CA API Gateway must generate audit records containing information to establish the identity of any individual or process associated with the event. |
☐ | SV-85961r1_rule | The CA API Gateway must protect audit information from unauthorized read access. |
☐ | SV-85963r1_rule | The CA API Gateway must protect audit information from unauthorized deletion. |
☐ | SV-85965r1_rule | The CA API Gateway must protect audit tools from unauthorized access. |
☐ | SV-85967r1_rule | The CA API Gateway must not have unnecessary services and functions enabled. |
☐ | SV-85969r1_rule | The CA API Gateway must be configured to remove or disable unrelated or unneeded application proxy services. |
☐ | SV-85971r1_rule | The CA API Gateway must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services as defined in the PPSM CAL and vulnerability assessments. |
☐ | SV-85973r1_rule | The CA API Gateway providing user authentication intermediary services must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). |
☐ | SV-85975r1_rule | The CA API Gateway providing user access control intermediary services must be configured with a pre-established trust relationship and mechanisms with appropriate authorities (e.g., Active Directory or AAA server) that validate user account access authorizations and privileges. |
☐ | SV-85977r1_rule | The CA API Gateway providing user authentication intermediary services must restrict user authentication traffic to specific authentication server(s). |
☐ | SV-85979r1_rule | The ALG providing user authentication intermediary services must use multifactor authentication for network access to non-privileged accounts. |
☐ | SV-85981r1_rule | The CA API Gateway providing user authentication intermediary services must implement replay-resistant authentication mechanisms for network access to non-privileged accounts. |
☐ | SV-85983r1_rule | The CA API Gateway providing PKI-based user authentication intermediary services must map authenticated identities to the user account. |
☐ | SV-85985r1_rule | The CA API Gateway providing user authentication intermediary services must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users). |
☐ | SV-85987r1_rule | The CA API Gateway providing content filtering must block outbound traffic containing known and unknown Denial of Service (DoS) attacks to protect against the use of internal information systems to launch any DoS attacks against other networks or endpoints. |
☐ | SV-85989r1_rule | The CA API Gateway must terminate all network connections associated with a Policy Manager session at the end of the session or as follows: for in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity within the Policy Manager, and for user sessions simply viewing the contents of Policy Manager or viewing Audit Logs for tracking purposes (non-privileged session), the session must be terminated after 15 minutes of inactivity. |
☐ | SV-85991r1_rule | The CA API Gateway must detect, at a minimum, mobile code that is unsigned or exhibiting unusual behavior, has not undergone a risk assessment, or is prohibited for use based on a risk assessment. |
☐ | SV-85993r1_rule | The CA API Gateway must protect the authenticity of communications sessions. |
☐ | SV-85995r1_rule | The CA API Gateway must invalidate session identifiers upon user logout or other session termination. |
☐ | SV-85997r1_rule | The CA API Gateway must generate unique session identifiers using a FIPS 140-2 approved random number generator. |
☐ | SV-85999r1_rule | The CA API Gateway providing content filtering must integrate with an ICAP-enabled Intrusion Detection System that updates malicious code protection mechanisms and signature definitions whenever new releases are available in accordance with organizational configuration management policy and procedures. |
☐ | SV-86001r1_rule | The CA API Gateway providing content filtering must be configured to perform real-time scans of files from external sources at network entry/exit points as they are downloaded and prior to being opened or executed. |
☐ | SV-86003r1_rule | The CA API Gateway providing content filtering must block malicious code upon detection. |
☐ | SV-86005r1_rule | The CA API Gateway providing content filtering must delete or quarantine malicious code in response to malicious code detection. |
☐ | SV-86007r1_rule | The CA API Gateway providing content filtering must send an immediate (within seconds) alert to the system administrator, at a minimum, in response to malicious code detection. |
☐ | SV-86009r1_rule | The CA API Gateway providing content filtering must automatically update malicious code protection mechanisms. |
☐ | SV-86011r1_rule | The CA API Gateway must generate error messages that provide the information necessary for corrective actions without revealing information that could be exploited by adversaries. |
☐ | SV-86013r1_rule | The CA API Gateway providing content filtering must block or restrict detected prohibited mobile code. |
☐ | SV-86015r1_rule | The CA API Gateway providing content filtering must prevent the download of prohibited mobile code. |
☐ | SV-86017r1_rule | The CA API Gateway providing intermediary services for remote access communications traffic must control remote access methods. |
☐ | SV-86019r1_rule | To protect against data mining, the CA API Gateway providing content filtering must prevent code injection attacks from being launched against data storage objects, including, at a minimum, databases, database records, queries, and fields. |
☐ | SV-86021r1_rule | To protect against data mining, the CA API Gateway providing content filtering must prevent code injection attacks launched against application objects including, at a minimum, application URLs and application code. |
☐ | SV-86023r1_rule | To protect against data mining, the CA API Gateway providing content filtering must prevent SQL injection attacks launched against data storage objects, including, at a minimum, databases, database records, and database fields. |
☐ | SV-86045r1_rule | To protect against data mining, the CA API Gateway providing content filtering must detect code injection attacks from being launched against data storage objects, including, at a minimum, databases, database records, queries, and fields. |
☐ | SV-86047r1_rule | To protect against data mining, the CA API Gateway providing content filtering must detect SQL injection attacks launched against data storage objects, including, at a minimum, databases, database records, and database fields. |
☐ | SV-86049r1_rule | To protect against data mining, the CA API Gateway providing content filtering as part of its intermediary services must detect code injection attacks launched against application objects including, at a minimum, application URLs and application code. |
☐ | SV-86051r1_rule | The CA API Gateway must off-load audit records onto a centralized log server. |
☐ | SV-86053r1_rule | The CA API Gateway providing user authentication intermediary services must require users to reauthenticate when organization-defined circumstances or situations require reauthentication. |
☐ | SV-86055r1_rule | The CA API Gateway providing user authentication intermediary services must implement multifactor authentication for remote access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access. |
☐ | SV-86057r1_rule | The CA API Gateway providing user authentication intermediary services must implement multifactor authentication for remote access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access. |
☐ | SV-86059r1_rule | The CA API Gateway must prohibit the use of cached authenticators after an organization-defined time period. |
☐ | SV-86061r1_rule | The CA API Gateway providing user authentication intermediary services using PKI-based user authentication must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network. |
☐ | SV-86063r1_rule | The CA API Gateway providing user authentication intermediary services must conform to Federal Identity, Credential, and Access Management (FICAM) issued profiles. |
☐ | SV-86065r1_rule | The CA API Gateway providing user authentication intermediary services using PKI-based user authentication must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of protected sessions. |
☐ | SV-86067r1_rule | The CA API Gateway providing content filtering must protect against known and unknown types of Denial of Service (DoS) attacks by employing rate-based attack prevention behavior analysis. |
☐ | SV-86069r1_rule | The CA API Gateway must implement load balancing to limit the effects of known and unknown types of Denial of Service (DoS) attacks. |
☐ | SV-86071r1_rule | The CA API Gateway must only allow incoming communications from organization-defined authorized sources routed to organization-defined authorized destinations. |
☐ | SV-86073r1_rule | The CA API Gateway must behave in a predictable and documented manner that reflects organizational and system objectives when invalid inputs are received. |
☐ | SV-86075r1_rule | The CA API Gateway providing content filtering must be configured to integrate with a system-wide intrusion detection system. |
☐ | SV-86077r1_rule | The CA API Gateway providing content filtering must send an alert to, at a minimum, the ISSO and ISSM when detection events occur. |
☐ | SV-86079r1_rule | The CA API Gateway providing content filtering must generate a notification on the console when root-level intrusion events that attempt to provide unauthorized privileged access are detected. |
☐ | SV-86081r1_rule | The CA API Gateway providing content filtering must generate an alert to, at a minimum, the ISSO and ISSM when user-level intrusions that provide non-privileged access are detected. |
☐ | SV-86083r1_rule | The CA API Gateway providing content filtering must generate an alert to, at a minimum, the ISSO and ISSM when Denial of Service (DoS) incidents are detected. |
☐ | SV-86085r1_rule | The ALG providing content filtering must generate an alert to, at a minimum, the ISSO and ISSM when new active propagation of malware infecting DoD systems or malicious code adversely affecting the operations and/or security of DoD systems is detected. |
☐ | SV-86087r1_rule | The CA API Gateway providing user authentication intermediary services must transmit only encrypted representations of passwords. |
☐ | SV-86089r1_rule | The CA API Gateway must check the validity of all data inputs except those specifically identified by the organization. |
☐ | SV-86091r1_rule | The CA API Gateway must reveal error messages only to the ISSO, ISSM, and SCA. |
☐ | SV-86093r1_rule | The CA API Gateway providing user access control intermediary services must generate audit records when successful/unsuccessful logon attempts occur. |
☐ | SV-86095r1_rule | The CA API Gateway providing user access control intermediary services must generate audit records showing starting and ending time for user access to the system. |
☐ | SV-86097r1_rule | The CA API Gateway providing encryption intermediary services must implement NIST FIPS-validated cryptography to generate cryptographic hashes. |
☐ | SV-86099r1_rule | The CA API Gateway providing encryption intermediary services must implement NIST FIPS-validated cryptography for digital signatures. |
☐ | SV-86101r1_rule | The CA API Gateway that provides intermediary services for FTP must inspect inbound and outbound FTP communications traffic for protocol compliance and protocol anomalies. |
☐ | SV-86103r1_rule | The CA API Gateway that provides intermediary services for HTTP must inspect inbound and outbound HTTP traffic for protocol compliance and protocol anomalies. |
☐ | SV-86105r1_rule | The CA API Gateway providing user access control intermediary services must automatically terminate a user session when organization-defined conditions or trigger events that require a session disconnect occur. |
☐ | SV-86107r1_rule | The CA API Gateway providing user access control intermediary services must provide a logoff capability for user-initiated communications sessions. |
☐ | SV-86109r1_rule | The CA API Gateway providing user access control intermediary services must display an explicit logoff message to users indicating the reliable termination of authenticated communications sessions. |
☐ | SV-86111r1_rule | The CA API Gateway providing encryption intermediary services must use NIST FIPS-validated cryptography to implement encryption services. |
☐ | SV-86113r1_rule | The CA API Gateway must off-load audit records onto a centralized log server in real time. |