Checked | Name | Title |
---|---|---|
☐ | SV-45260r2_rule | The IDPS must enforce approved authorizations by restricting or blocking the flow of harmful or suspicious communications traffic within the network as defined in the PPSM CAL and vulnerability assessments. |
☐ | SV-45262r2_rule | The IDPS must restrict or block harmful or suspicious communications traffic between interconnected networks based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic. |
☐ | SV-45382r2_rule | The IDPS must produce audit records containing sufficient information to establish what type of event occurred, including, at a minimum, event descriptions, policy filter, rule or signature invoked, port, protocol, and criticality level/alert code or description. |
☐ | SV-45383r2_rule | The IDPS must produce audit records containing information to establish when (date and time) the events occurred. |
☐ | SV-45384r2_rule | The IDPS must produce audit records containing information to establish where the event was detected, including, at a minimum, network segment, destination address, and IDPS component which detected the event. |
☐ | SV-45385r2_rule | The IDPS must produce audit records containing information to establish the source of the event, including, at a minimum, originating source address. |
☐ | SV-45386r2_rule | The IDPS must produce audit records containing information to establish the outcome of events associated with detected harmful or potentially harmful traffic, including, at a minimum, capturing all associated communications traffic. |
☐ | SV-45397r2_rule | In the event of a logging failure caused by the lack of audit record storage capacity, the IDPS must continue generating and storing audit records if possible, overwriting the oldest audit records in a first-in-first-out manner. |
☐ | SV-45458r2_rule | The IDPS must provide audit record generation capability for events where communication traffic is blocked or restricted based on policy filters, rules, signatures, and anomaly analysis. |
☐ | SV-45500r2_rule | The IDPS must be configured to remove or disable non-essential features, functions, and services of the IDPS application. |
☐ | SV-45593r2_rule | The IDPS must block outbound traffic containing known and unknown DoS attacks by ensuring that security policies, signatures, rules, and anomaly detection techniques are applied to outbound communications traffic. |
☐ | SV-45652r2_rule | The IDPS must block any prohibited mobile code at the enclave boundary when it is detected. |
☐ | SV-45659r3_rule | The IDPS must fail to a secure state which maintains access control mechanisms when the IDPS hardware, software, or firmware fails on initialization/shutdown or experiences a sudden abort during normal operation. |
☐ | SV-45660r2_rule | In the event of a failure of the IDPS function, the IDPS must save diagnostic information, log system messages, and load the most current security policies, rules, and signatures when restarted. |
☐ | SV-45683r2_rule | The IDPS must verify the integrity of updates obtained directly from the vendor. |
☐ | SV-45686r2_rule | The IDPS must block malicious code. |
☐ | SV-45716r2_rule | The IDPS must block outbound ICMP Destination Unreachable, Redirect, and Address Mask reply messages. |
☐ | SV-69563r1_rule | The IDPS must immediately use updates made to policy filters, rules, signatures, and anomaly analysis algorithms for traffic detection and prevention functions. |
☐ | SV-69565r1_rule | The IDPS must provide audit record generation capability for detection events based on implementation of policy filters, rules, signatures, and anomaly analysis. |
☐ | SV-69567r2_rule | The IDPS must provide audit record generation with a configurable severity and escalation level capability. |
☐ | SV-69569r1_rule | IDPS must support centralized management and configuration of the content captured in audit records generated by all IDPS components. |
☐ | SV-69571r1_rule | The IDPS must off-load log records to a centralized log server. |
☐ | SV-69573r1_rule | The IDPS must off-load log records to a centralized log server in real-time. |
☐ | SV-69575r1_rule | The IDPS must assign a critical severity level to all audit processing failures. |
☐ | SV-69577r3_rule | The IDPS must provide an alert to, at a minimum, the system administrator and ISSO when any audit failure events occur. |
☐ | SV-69579r1_rule | In the event of a logging failure, caused by loss of communications with the central logging server, the IDPS must queue audit records locally until communication is restored or until the audit records are retrieved manually or using automated synchronization tools. |
☐ | SV-69581r1_rule | The IDPS must provide log information in a format that can be extracted and used by centralized analysis tools. |
☐ | SV-69583r1_rule | The IDPS must be configured in accordance with the security configuration settings based on DoD security policy and technology-specific security best practices. |
☐ | SV-69585r1_rule | The IDPS must be configured to remove or disable non-essential capabilities which are not required for operation or not related to IDPS functionality (e.g., DNS, email client or server, FTP server, or web server). |
☐ | SV-69587r2_rule | The IDPS must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. |
☐ | SV-69589r1_rule | The IDPS must detect, at a minimum, mobile code that is unsigned or exhibiting unusual behavior, has not undergone a risk assessment, or is prohibited for use based on a risk assessment. |
☐ | SV-69591r1_rule | The IDPS must protect against or limit the effects of known and unknown types of Denial of Service (DoS) attacks by employing rate-based attack prevention behavior analysis. |
☐ | SV-69593r2_rule | The IDPS must protect against or limit the effects of known and unknown types of Denial of Service (DoS) attacks by employing anomaly-based attack detection. |
☐ | SV-69595r1_rule | The IDPS must protect against or limit the effects of known types of Denial of Service (DoS) attacks by employing signatures. |
☐ | SV-69597r1_rule | The IDPS must, for fragmented packets, either block the packets or properly reassemble the packets before inspecting and forwarding. |
☐ | SV-69601r1_rule | The IDPS must block malicious ICMP packets by properly configuring ICMP signatures and rules. |
☐ | SV-69603r1_rule | The IDPS must install updates for application software files, signature definitions, detection heuristics, and vendor-provided rules when new releases are available in accordance with organizational configuration management policy and procedures. |
☐ | SV-69605r1_rule | The IDPS must perform real-time monitoring of files from external sources at network entry/exit points. |
☐ | SV-69607r1_rule | The IDPS must quarantine and/or delete malicious code. |
☐ | SV-69609r2_rule | The IDPS must send an immediate (within seconds) alert to, at a minimum, the system administrator when malicious code is detected. |
☐ | SV-69611r1_rule | IDPS components, including sensors, event databases, and management consoles must integrate with a network-wide monitoring capability. |
☐ | SV-69621r2_rule | The IDPS must detect network services that have not been authorized or approved by the ISSO or ISSM, at a minimum. |
☐ | SV-69623r1_rule | The IDPS must generate a log record when unauthorized network services are detected. |
☐ | SV-69625r3_rule | The IDPS must generate an alert to the ISSM and ISSO, at a minimum, when unauthorized network services are detected. |
☐ | SV-69627r1_rule | The IDPS must continuously monitor inbound communications traffic for unusual/unauthorized activities or conditions. |
☐ | SV-69629r1_rule | The IDPS must continuously monitor outbound communications traffic for unusual/unauthorized activities or conditions. |
☐ | SV-69631r3_rule | The IDPS must send an alert to, at a minimum, the ISSM and ISSO when intrusion detection events are detected which indicate a compromise or potential for compromise. |
☐ | SV-69633r3_rule | The IDPS must send an alert to, at a minimum, the ISSM and ISSO when threats identified by authoritative sources (e.g., IAVMs or CTOs) are detected which indicate a compromise or potential for compromise. |
☐ | SV-69635r3_rule | The IDPS must generate an alert to, at a minimum, the ISSM and ISSO when root level intrusion events which provide unauthorized privileged access are detected. |
☐ | SV-69637r3_rule | The IDPS must send an alert to, at a minimum, the ISSM and ISSO when user level intrusions which provide non-privileged access are detected. |
☐ | SV-69639r3_rule | The IDPS must send an alert to, at a minimum, the ISSM and ISSO when denial of service incidents are detected. |
☐ | SV-69641r2_rule | The IDPS must generate an alert to, at a minimum, the ISSM and ISSO when new active propagation of malware infecting DoD systems or malicious code adversely affecting the operations and/or security of DoD systems is detected. |
☐ | SV-69643r1_rule | To protect against unauthorized data mining, the IDPS must prevent code injection attacks launched against data storage objects, including, at a minimum, databases, database records, queries, and fields. |
☐ | SV-69645r1_rule | To protect against unauthorized data mining, the IDPS must prevent code injection attacks launched against application objects including, at a minimum, application URLs and application code. |
☐ | SV-69647r1_rule | To protect against unauthorized data mining, the IDPS must prevent SQL injection attacks launched against data storage objects, including, at a minimum, databases, database records, and database fields. |
☐ | SV-69649r1_rule | To protect against unauthorized data mining, the IDPS must detect code injection attacks launched against data storage objects, including, at a minimum, databases, database records, queries, and fields. |
☐ | SV-69653r1_rule | To protect against unauthorized data mining, the IDPS must detect code injection attacks launched against application objects including, at a minimum, application URLs and application code. |
☐ | SV-69655r1_rule | To protect against unauthorized data mining, the IDPS must detect SQL injection attacks launched against data storage objects, including, at a minimum, databases, database records, and database fields. |
☐ | SV-69843r2_rule | The IDPS must automatically install updates to signature definitions, detection heuristics, and vendor-provided rules. |
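The audit-storage requirements in this table are easy to misread as "keep a log file". SV-45397 (overwrite the oldest records first-in-first-out when local storage is exhausted, rather than stop logging), SV-69573 (off-load to the central log server in real time) and SV-69579 (queue locally while the central server is unreachable, then deliver) together describe a bounded store-and-forward queue, and SV-69577 requires that losing a record is itself reported as an audit failure. The following Python is an added example written for this page, not vendor or DISA code; the `send` callback, the sensor record fields and the outage scenario are constructed for illustration.

```python
"""Local audit-record queue with FIFO overwrite and store-and-forward delivery (added example)."""
import json
from collections import deque
from typing import Callable, Deque, Dict, List


class AuditQueue:
    """Bounded FIFO buffer in front of the central log server.

    Every record is offered to the server immediately (real-time off-load). If the server
    is unreachable the record stays queued in order; once local capacity is exhausted the
    oldest queued record is overwritten so that audit generation never stops.
    """

    def __init__(self, send: Callable[[str], bool], capacity: int,
                 on_audit_failure: Callable[[str], None] = lambda msg: None):
        self._send = send                     # assumed: returns True once the server acknowledged the line
        self._queue: Deque[str] = deque()
        self._capacity = capacity
        self._on_audit_failure = on_audit_failure  # alert hook for the SA/ISSO (SV-69577)
        self.overwritten = 0                  # records lost to FIFO overwrite (each one is an audit failure)
        self.delivered = 0

    def record(self, event: Dict) -> None:
        """Serialize one event, enqueue it, and try to drain the queue right away."""
        line = json.dumps(event, sort_keys=True)
        if len(self._queue) >= self._capacity:
            self._queue.popleft()             # FIFO: sacrifice the oldest record, keep logging
            self.overwritten += 1
            self._on_audit_failure(f"local audit storage full; oldest record overwritten "
                                   f"(total overwritten={self.overwritten})")
        self._queue.append(line)
        self.flush()

    def flush(self) -> int:
        """Deliver queued records in order; stop at the first failure so ordering is preserved."""
        sent = 0
        while self._queue and self._send(self._queue[0]):
            self._queue.popleft()
            sent += 1
        self.delivered += sent
        return sent

    def pending(self) -> int:
        return len(self._queue)


def simulate_outage() -> Dict[str, object]:
    """Constructed scenario: server down while 8 records arrive, local capacity 5, then it recovers."""
    server_up = False
    received: List[Dict] = []
    failures: List[str] = []

    def send(line: str) -> bool:
        if not server_up:                     # reads the enclosing variable at call time
            return False
        received.append(json.loads(line))
        return True

    q = AuditQueue(send, capacity=5, on_audit_failure=failures.append)
    for seq in range(8):                      # constructed detection events
        q.record({"seq": seq, "sig": "constructed-scan-signature", "src": "203.0.113.7",
                  "dst": "192.0.2.10", "outcome": "blocked"})
    pending_during_outage = q.pending()       # capacity reached: 5 held, 3 oldest overwritten
    server_up = True
    q.flush()                                 # communication restored: drain in order
    return {
        "overwritten": q.overwritten,
        "audit_failure_alerts": len(failures),
        "pending_during_outage": pending_during_outage,
        "delivered": q.delivered,
        "pending_after_recovery": q.pending(),
        "delivered_seqs": [r["seq"] for r in received],
    }
```

The design choice worth noting is that `flush` stops at the first failed send instead of skipping ahead, so the central server never sees records out of order, and that the overwrite path raises an alert rather than silently dropping: a sensor that discards records without telling anyone fails SV-69575 and SV-69577 even if it keeps running. A production sensor would persist the queue to disk so it survives a restart (SV-45660).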
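SV-69597 gives the IDPS two acceptable behaviours for fragmented packets: block them, or reassemble them fully before inspecting and forwarding. The reason the requirement exists is that inspecting fragments individually lets an attacker split a signature across fragments or send overlapping fragments whose reassembly differs between the sensor and the target host. The following Python reassembler is an added example written for this page, not the code of any IDPS product; the `Fragment` representation (byte offsets already multiplied by 8, the MF flag as a boolean) and the sample traffic are constructed for illustration. It goes beyond the table's one sentence by showing which conditions should taint a datagram: overlapping rewrites, conflicting "last" fragments and fragments that claim bytes past the end.

```python
"""IP fragment reassembly that inspects only complete, non-overlapping datagrams (added example)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

BLOCK, PENDING, COMPLETE = "block", "pending", "complete"
MAX_DATAGRAM = 65535                           # IPv4 total-length limit


@dataclass
class Fragment:
    src: str
    dst: str
    ident: int          # IP identification field shared by all fragments of one datagram
    offset: int         # byte offset (the header's fragment-offset field times 8)
    more: bool          # MF flag: True on every fragment except the last
    data: bytes


@dataclass
class _Datagram:
    pieces: Dict[int, bytes] = field(default_factory=dict)   # offset -> payload
    total: Optional[int] = None                              # known once the MF=0 fragment arrives
    tainted: bool = False


class Reassembler:
    """Holds fragments per (src, dst, id) and releases the payload only when it is whole and consistent."""

    def __init__(self) -> None:
        self._dgrams: Dict[Tuple[str, str, int], _Datagram] = {}

    def add(self, frag: Fragment) -> Tuple[str, Optional[bytes]]:
        key = (frag.src, frag.dst, frag.ident)
        dg = self._dgrams.setdefault(key, _Datagram())
        end = frag.offset + len(frag.data)

        if end > MAX_DATAGRAM:
            dg.tainted = True                  # claims bytes beyond any legal datagram
        if dg.total is not None and end > dg.total:
            dg.tainted = True                  # data past the already-seen last fragment
        for off, data in dg.pieces.items():
            overlaps = frag.offset < off + len(data) and off < end
            exact_retransmit = frag.offset == off and data == frag.data
            if overlaps and not exact_retransmit:
                dg.tainted = True              # overlapping rewrite: evasion or teardrop-style attack
        if not frag.more:
            if dg.total is not None and dg.total != end:
                dg.tainted = True              # two different "last" fragments
            dg.total = end
        dg.pieces.setdefault(frag.offset, frag.data)

        if dg.tainted:
            del self._dgrams[key]              # drop the whole datagram, not just this fragment
            return BLOCK, None
        if dg.total is None:
            return PENDING, None
        cursor = 0
        for off in sorted(dg.pieces):          # require gap-free coverage from byte 0 to the end
            if off != cursor:
                return PENDING, None
            cursor = off + len(dg.pieces[off])
        if cursor != dg.total:
            return PENDING, None
        del self._dgrams[key]
        return COMPLETE, b"".join(dg.pieces[o] for o in sorted(dg.pieces))


def demo() -> Dict[str, object]:
    """Constructed traffic: a benign datagram in order, the same one out of order, and an overlapping one."""
    r = Reassembler()
    a, b, c = b"A" * 24, b"B" * 24, b"C" * 10

    def f(off: int, more: bool, data: bytes, ident: int = 1) -> Fragment:
        return Fragment("198.51.100.5", "192.0.2.10", ident, off, more, data)

    in_order = [r.add(f(0, True, a)), r.add(f(24, True, b)), r.add(f(48, False, c))]
    out_of_order = [r.add(f(48, False, c, 2)), r.add(f(0, True, a, 2)), r.add(f(24, True, b, 2))]
    r.add(f(0, True, b"X" * 16, 3))            # second fragment rewrites bytes 8..23 of the first
    overlap = r.add(f(8, True, b"Y" * 16, 3))
    return {
        "in_order": in_order[-1][0],
        "in_order_payload": in_order[-1][1],
        "in_order_intermediate": [v[0] for v in in_order[:2]],
        "out_of_order": out_of_order[-1][0],
        "out_of_order_payload": out_of_order[-1][1],
        "overlap": overlap[0],
    }
```

Two points for anyone adapting this: out-of-order arrival is normal and must not be penalised, which is why the coverage check runs only once the last fragment is known; and incomplete datagrams need an expiry timer (not modelled here) so an attacker cannot exhaust sensor memory with fragment sets that never complete, which would turn the reassembler itself into the DoS target SV-69591 warns about.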
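SV-69591 requires rate-based DoS prevention, and SV-45382 through SV-45386 fix what the resulting audit record must contain: what (event description, rule invoked, port, protocol, severity), when, where (segment, destination, detecting component), source, and outcome. The following Python is an added example written for this page, not the code of any IDPS product: a sliding-window SYN-rate detector that, when tripped, blocks the target and emits a record shaped to those five requirements, plus a check that reports which required fields a record is missing. The sensor name, segment label, threshold and traffic are constructed assumptions.

```python
"""Rate-based DoS detection that emits SRG-shaped audit records (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timezone
from typing import Deque, Dict, List, Optional, Tuple

# Assumed identifiers for the sensor emitting the records (not from the SRG).
SENSOR_ID = "ids-dmz-01"
NETWORK_SEGMENT = "dmz-web"

# Fields SV-45382..SV-45386 require in every audit record (what, when, where, source, outcome).
REQUIRED_FIELDS = {
    "event", "rule", "port", "proto", "severity",          # what
    "timestamp",                                           # when
    "segment", "dst", "sensor",                            # where
    "src",                                                 # source
    "outcome",                                             # outcome
}


def missing_fields(record: Dict) -> List[str]:
    """Names of SRG-required fields that are absent or empty in an audit record."""
    return sorted(f for f in REQUIRED_FIELDS if record.get(f) in (None, ""))


class SynRateDetector:
    """Counts TCP SYNs per (dst, port) in a sliding window; exceeding the threshold is a DoS event."""

    def __init__(self, threshold: int, window_s: float):
        self.threshold = threshold
        self.window_s = window_s
        self._syns: Dict[Tuple[str, int], Deque[float]] = defaultdict(deque)
        self.blocked: set = set()

    def observe(self, ts: float, src: str, dst: str, dport: int, flags: str) -> Optional[Dict]:
        """Feed one TCP packet; returns an audit record when the SYN rate crosses the threshold."""
        if flags != "S":
            return None                           # only new-connection attempts count
        key = (dst, dport)
        window = self._syns[key]
        window.append(ts)
        while window and ts - window[0] > self.window_s:
            window.popleft()                      # drop SYNs that fell outside the sliding window
        if len(window) <= self.threshold or key in self.blocked:
            return None
        self.blocked.add(key)                     # prevention: further SYNs to this target are dropped
        return {
            "event": "TCP SYN rate to a single destination exceeded threshold (rate-based DoS)",
            "rule": f"rate:syn>{self.threshold}/{self.window_s}s",
            "severity": "high",
            "port": dport,
            "proto": "tcp",
            "timestamp": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
            "sensor": SENSOR_ID,
            "segment": NETWORK_SEGMENT,
            "dst": dst,
            "src": src,                           # originating address of the packet that tripped the rule
            "outcome": "blocked",
            "count_in_window": len(window),
        }


def demo() -> Dict[str, object]:
    """Constructed traffic: 30 slow benign SYNs, then a 150-SYN burst from rotating spoofed sources."""
    det = SynRateDetector(threshold=100, window_s=1.0)
    alerts: List[Dict] = []
    for i in range(30):                           # benign: one SYN every 300 ms to a web server
        rec = det.observe(1700000000.0 + i * 0.3, f"198.51.100.{i % 10}", "192.0.2.20", 443, "S")
        if rec:
            alerts.append(rec)
    for i in range(150):                          # flood: 150 SYNs inside 0.45 s against another host
        rec = det.observe(1700000100.0 + i * 0.003, f"203.0.113.{i % 200}", "192.0.2.10", 443, "S")
        if rec:
            alerts.append(rec)
    return {"alerts": alerts, "blocked": sorted(det.blocked)}
```

Keying the window on the destination rather than the source is deliberate: a SYN flood rotates spoofed sources, so a per-source counter never trips. The record still carries the source address of the packet that crossed the threshold, which satisfies the "originating source address" requirement while the count field tells the analyst the address is probably not the real attacker. `missing_fields` is the kind of check to run against a sensor's exported records before claiming SV-45382 through SV-45386 are met.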