Checked | Name | Title |
---|---|---|
☐ | SV-79469r1_rule | The DataPower Gateway must enforce approved authorizations for logical access to information and system resources by employing identity-based, role-based, and/or attribute-based security policies. |
☐ | SV-79681r1_rule | The DataPower Gateway must enforce approved authorizations for controlling the flow of information within the network based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic. |
☐ | SV-79683r1_rule | The DataPower Gateway must restrict or block harmful or suspicious communications traffic by controlling the flow of information between interconnected networks based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic. |
☐ | SV-79685r1_rule | The DataPower Gateway providing user access control intermediary services must display the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to the network. |
☐ | SV-79687r1_rule | The DataPower Gateway providing user access control intermediary services must retain the Standard Mandatory DoD-approved Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access. |
☐ | SV-79689r1_rule | The DataPower Gateway providing user access control intermediary services for publicly accessible applications must display the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to the system. |
☐ | SV-79691r1_rule | The DataPower Gateway providing intermediary services for remote access communications traffic must use encryption services that implement NIST FIPS-validated cryptography to protect the confidentiality of remote access sessions. |
☐ | SV-79693r1_rule | The DataPower Gateway that stores secret or private keys must use FIPS-approved key management technology and processes in the production and control of private/secret cryptographic keys. |
☐ | SV-79695r1_rule | The DataPower Gateway that provides intermediary services for TLS must be configured to comply with the required TLS settings in NIST SP 800-52. |
☐ | SV-79697r1_rule | The DataPower Gateway providing intermediary services for remote access communications traffic must use NIST FIPS-validated cryptography to protect the integrity of remote access sessions. |
☐ | SV-79699r1_rule | The DataPower Gateway must send an alert to, at a minimum, the ISSO and SCA when an audit processing failure occurs. |
☐ | SV-79701r1_rule | The DataPower Gateway must protect audit information from unauthorized read access. |
☐ | SV-79703r1_rule | The DataPower Gateway must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. |
☐ | SV-79705r1_rule | The DataPower Gateway providing user authentication intermediary services must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). |
☐ | SV-79707r1_rule | The DataPower Gateway providing user access control intermediary services must be configured with a pre-established trust relationship and mechanisms with appropriate authorities (e.g., Active Directory or AAA server) which validate user account access authorizations and privileges. |
☐ | SV-79709r1_rule | The DataPower Gateway providing user authentication intermediary services must restrict user authentication traffic to specific authentication server(s). |
☐ | SV-79711r1_rule | The DataPower Gateway providing user authentication intermediary services must use multifactor authentication for network access to non-privileged accounts. |
☐ | SV-79713r1_rule | The DataPower Gateway providing user authentication intermediary services must implement replay-resistant authentication mechanisms for network access to non-privileged accounts. |
☐ | SV-79715r1_rule | The DataPower Gateway that provides intermediary services for TLS must validate certificates used for TLS functions by performing RFC 5280-compliant certification path validation. |
☐ | SV-79717r1_rule | The DataPower Gateway providing PKI-based user authentication intermediary services must map authenticated identities to the user account. |
☐ | SV-79719r1_rule | The DataPower Gateway providing user authentication intermediary services must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users). |
☐ | SV-79721r1_rule | The DataPower Gateway providing content filtering must not have a front side handler configured facing an internal network. |
☐ | SV-79723r1_rule | The DataPower Gateway must protect the authenticity of communications sessions. |
☐ | SV-79725r1_rule | The DataPower Gateway must invalidate session identifiers upon user logout or other session termination. |
☐ | SV-79727r1_rule | The DataPower Gateway must recognize only system-generated session identifiers. |
☐ | SV-79729r1_rule | In the event of a system failure of the DataPower Gateway function, the DataPower Gateway must save diagnostic information, log system messages, and load the most current security policies, rules, and signatures when restarted. |
☐ | SV-79731r1_rule | The DataPower Gateway must have ICMP responses disabled on all interfaces facing untrusted networks. |
☐ | SV-79733r1_rule | To protect against data mining, the DataPower Gateway providing content filtering must prevent code injection attacks from being launched against data storage objects, including, at a minimum, databases, database records, queries, and fields. |
☐ | SV-79735r1_rule | To protect against data mining, the DataPower Gateway providing content filtering must prevent code injection attacks launched against application objects including, at a minimum, application URLs and application code. |
☐ | SV-79737r1_rule | To protect against data mining, the DataPower Gateway providing content filtering must prevent SQL injection attacks launched against data storage objects, including, at a minimum, databases, database records, and database fields. |
☐ | SV-79739r1_rule | To protect against data mining, the DataPower Gateway providing content filtering must detect code injection attacks from being launched against data storage objects, including, at a minimum, databases, database records, queries, and fields. |
☐ | SV-79741r1_rule | To protect against data mining, the DataPower Gateway providing content filtering must detect SQL injection attacks launched against data storage objects, including, at a minimum, databases, database records, and database fields. |
☐ | SV-79743r1_rule | To protect against data mining, the DataPower Gateway providing content filtering as part of its intermediary services must detect code injection attacks launched against application objects including, at a minimum, application URLs and application code. |
☐ | SV-79745r1_rule | The DataPower Gateway providing user access control intermediary services must provide the capability for authorized users to select a user session to capture or view. |
☐ | SV-79747r1_rule | The DataPower Gateway must be configured to support centralized management and configuration. |
☐ | SV-79749r1_rule | The DataPower Gateway must off-load audit records onto a centralized log server. |
☐ | SV-79751r1_rule | The DataPower Gateway must provide an immediate real-time alert to, at a minimum, the SCA and ISSO, of all audit failure events where the detection and/or prevention function is unable to write events to either local storage or the centralized server. |
☐ | SV-79753r1_rule | The DataPower Gateway must prohibit the use of cached authenticators after an organization-defined time period. |
☐ | SV-79755r1_rule | The DataPower Gateway providing user authentication intermediary services using PKI-based user authentication must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network. |
☐ | SV-79757r1_rule | The DataPower Gateway providing user authentication intermediary services must conform to FICAM-issued profiles. |
☐ | SV-79759r1_rule | The DataPower Gateway providing user authentication intermediary services using PKI-based user authentication must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of protected sessions. |
☐ | SV-79761r1_rule | The DataPower Gateway providing content filtering must protect against known and unknown types of Denial of Service (DoS) attacks by employing rate-based attack prevention behavior analysis (traffic thresholds). |
☐ | SV-79763r1_rule | The DataPower Gateway must implement load balancing to limit the effects of known and unknown types of Denial of Service (DoS) attacks. |
☐ | SV-79765r1_rule | The DataPower Gateway providing content filtering must protect against known types of Denial of Service (DoS) attacks by employing signatures. |
☐ | SV-79767r1_rule | The DataPower Gateway providing content filtering must protect against or limit the effects of known and unknown types of Denial of Service (DoS) attacks by employing pattern recognition pre-processors. |
☐ | SV-79769r1_rule | The DataPower Gateway must only allow incoming communications from organization-defined authorized sources routed to organization-defined authorized destinations. |
☐ | SV-79771r1_rule | The DataPower Gateway must behave in a predictable and documented manner that reflects organizational and system objectives when invalid inputs are received. |
☐ | SV-79773r1_rule | The DataPower Gateway providing content filtering must be configured to integrate with a system-wide intrusion detection system. |
☐ | SV-79775r1_rule | The DataPower Gateway providing content filtering must generate a log record when unauthorized network services are detected. |
☐ | SV-79777r1_rule | The DataPower Gateway providing content filtering must generate an alert to, at a minimum, the ISSO and ISSM when unauthorized network services are detected. |
☐ | SV-79779r1_rule | The DataPower Gateway providing content filtering must continuously monitor inbound communications traffic crossing internal security boundaries for unusual or unauthorized activities or conditions. |
☐ | SV-79781r1_rule | The DataPower Gateway providing content filtering must continuously monitor outbound communications traffic crossing internal security boundaries for unusual/unauthorized activities or conditions. |
☐ | SV-79783r1_rule | The DataPower Gateway providing content filtering must send an alert to, at a minimum, the ISSO and ISSM when detection events occur. |
☐ | SV-79785r1_rule | The DataPower Gateway providing content filtering must generate an alert to, at a minimum, the ISSO and ISSM when threats identified by authoritative sources (e.g., IAVMs or CTOs) are detected. |
☐ | SV-79787r1_rule | The DataPower Gateway providing content filtering must generate an alert to, at a minimum, the ISSO and ISSM when root level intrusion events which provide unauthorized privileged access are detected. |
☐ | SV-79789r1_rule | The DataPower Gateway providing content filtering must generate an alert to, at a minimum, the ISSO and ISSM when user level intrusions which provide non-privileged access are detected. |
☐ | SV-79791r1_rule | The DataPower Gateway providing content filtering must generate an alert to, at a minimum, the ISSO and ISSM when denial of service incidents are detected. |
☐ | SV-79793r1_rule | The DataPower Gateway providing content filtering must generate an alert to, at a minimum, the ISSO and ISSM when new active propagation of malware infecting DoD systems or malicious code adversely affecting the operations and/or security of DoD systems is detected. |
☐ | SV-79795r1_rule | The DataPower Gateway providing user access control intermediary services must provide the capability for authorized users to capture, record, and log all content related to a selected user session. |
☐ | SV-79797r1_rule | The DataPower Gateway must check the validity of all data inputs except those specifically identified by the organization. |
☐ | SV-79799r1_rule | The DataPower Gateway providing encryption intermediary services must implement NIST FIPS-validated cryptography to generate cryptographic hashes. |
☐ | SV-79801r1_rule | The DataPower Gateway providing encryption intermediary services must implement NIST FIPS-validated cryptography for digital signatures. |
☐ | SV-79803r1_rule | The DataPower Gateway providing encryption intermediary services must use NIST FIPS-validated cryptography to implement encryption services. |
☐ | SV-79805r1_rule | The DataPower Gateway must off-load audit records onto a centralized log server in real time. |
☐ | SV-79807r1_rule | The DataPower Gateway must not use 0.0.0.0 as a listening IP address for any service. |