STIGQter STIGQter: STIG Summary:

ISEC7 Sphere Security Technical Implementation Guide

Version: 2

Release: 1 Benchmark Date: 23 Oct 2020

CheckedNameTitle
SV-224760r505933_ruleThe ISEC7 EMM Suite must limit the number of concurrent sessions to an organization-defined number for all accounts and/or account types.
SV-224761r505933_ruleThe ISEC7 EMM Suite must initiate a session lock after a 15-minute period of inactivity.
SV-224762r505933_ruleThe ISEC7 EMM Suite must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access.
SV-224763r505933_ruleThe ISEC7 EMM Suite must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the ISEC7 EMM Suite.
SV-224764r505933_ruleThe ISEC7 EMM Suite server must be configured to have at least one user in the following Administrator roles: Security Administrator, Site Administrator, Help Desk User.
SV-224765r505933_ruleThe ISEC7 EMM Suite must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.
SV-224766r505933_ruleThe ISEC7 EMM Suite must back up audit records at least every seven days onto a different system or system component than the system or component being audited, provide centralized management and configuration of the content to be captured in audit records generated by all ISEC7 EMM Suite components, and off-load audit records onto a different system or media than the system being audited.
SV-224767r505933_ruleISEC7 EMM Suite must disable or delete local account created during application installation and configuration.
SV-224768r505933_ruleWhen using PKI-based authentication for user access, the ISEC7 EMM Suite must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
SV-224769r505933_ruleThe ISEC7 EMM Suite must accept Personal Identity Verification (PIV) credentials.
SV-224770r505933_ruleBefore establishing a local, remote, and/or network connection with any endpoint device, the ISEC7 EMM Suite must use a bidirectional authentication mechanism configured with a FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to authenticate with the device.
SV-224771r505933_ruleThe ISEC7 EMM Suite must allow the use of DoD PKI established certificate authorities for verification of the establishment of protected sessions.
SV-224772r505933_ruleThe ISEC7 EMM Suite must protect the confidentiality and integrity of transmitted information during preparation for transmission and during reception using cryptographic mechanisms.
SV-224773r505933_ruleThe ISEC7 EMM Suite must be configured to leverage the enterprise directory service accounts and groups for ISEC7 EMM Suite server admin identification and authentication.
SV-224774r505933_ruleThe ISEC7 EMM Suite must configure the timeout for the console to be 15 minutes or less.
SV-224775r505933_ruleThe ISEC7 EMM Suite, Tomcat installation, and ISEC7 Suite monitor must be configured to use the Windows Trust Store for the storage of digital certificates and keys.
SV-224776r505933_ruleIf cipher suites using pre-shared keys are used for device authentication, the ISEC7 EMM Suite must have a minimum security strength of 112 bits or higher, must only be used in networks where both the client and server are Government systems, must prohibit client negotiation to TLS 1.1, TLS 1.0, SSL 2.0, or SSL 3.0 and must prohibit or restrict the use of protocols that transmit unencrypted authentication information or use flawed cryptographic algorithm for transmission.
SV-224777r505933_ruleThe ISEC7 EMM Suite must use FIPS-validated SHA-2 or higher hash function for digital signature generation and verification (non-legacy use).
SV-224778r505933_ruleThe ISEC7 EMM Suite must use a FIPS-validated cryptographic module to provision digital signatures.
SV-224779r505933_ruleThe ISEC7 EMM Suite must use a FIPS 140-2-validated cryptographic module to implement encryption services for unclassified information requiring confidentiality, generate cryptographic hashes, and to configure web management tools with FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to protect the confidentiality of maintenance and diagnostic communications for nonlocal maintenance sessions.
SV-224780r505933_ruleThe Apache Tomcat Manager Web app password must be cryptographically hashed with a DoD approved algorithm.
SV-224781r505933_ruleAll Web applications included with Apache Tomcat that are not required must be removed.
SV-224782r505933_ruleLockOutRealm must not be removed from Apache Tomcat.
SV-224783r505933_ruleThe LockOutRealm must be configured with a login failure count of 3.
SV-224784r505933_ruleThe LockOutRealm must be configured with a login lockout time of 15 minutes.
SV-224785r505933_ruleThe Manager Web app password must be configured as follows: -15 or more characters -at least one lower case letter -at least one upper case letter -at least one number -at least one special character
SV-224786r505933_ruleThe ISEC7 EMM Suite must configure Enable HTTPS to use HTTP over SSL in Apache Tomcat.
SV-224787r505933_ruleThe version number of Apache Tomcat must be removed from the CATALINA_HOME/lib/catalina.jar file.
SV-224788r505933_ruleStack tracing must be disabled in Apache Tomcat.
SV-224789r505933_ruleThe Apache Tomcat shutdown port must be disabled.
SV-224790r505933_ruleThe ISEC7 EMM Suite must remove any unnecessaryusers or groups that have permissions to the server.xml file in Apache Tomcat.
SV-224791r505933_ruleA manager role must be assigned to the Apache Tomcat Web apps (Manager, Host-Manager).
SV-224792r505933_ruleSSL must be enabled on Apache Tomcat.
SV-224793r505933_ruleTomcat SSL must be restricted except for ISEC7 EMM Suite tasks.
SV-225096r505933_ruleThe ISEC7 Sphere server must be maintained at a supported version.