Checked | Name | Title |
---|---|---|
☐ | SV-224760r505933_rule | The ISEC7 EMM Suite must limit the number of concurrent sessions to an organization-defined number for all accounts and/or account types. |
☐ | SV-224761r505933_rule | The ISEC7 EMM Suite must initiate a session lock after a 15-minute period of inactivity. |
☐ | SV-224762r505933_rule | The ISEC7 EMM Suite must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access. |
☐ | SV-224763r505933_rule | The ISEC7 EMM Suite must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the ISEC7 EMM Suite. |
☐ | SV-224764r505933_rule | The ISEC7 EMM Suite server must be configured to have at least one user in the following Administrator roles: Security Administrator, Site Administrator, Help Desk User. |
☐ | SV-224765r505933_rule | The ISEC7 EMM Suite must alert the ISSO and SA (at a minimum) in the event of an audit processing failure. |
☐ | SV-224766r505933_rule | The ISEC7 EMM Suite must back up audit records at least every seven days onto a different system or system component than the system or component being audited, provide centralized management and configuration of the content to be captured in audit records generated by all ISEC7 EMM Suite components, and off-load audit records onto a different system or media than the system being audited. |
☐ | SV-224767r505933_rule | ISEC7 EMM Suite must disable or delete local account created during application installation and configuration. |
☐ | SV-224768r505933_rule | When using PKI-based authentication for user access, the ISEC7 EMM Suite must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. |
☐ | SV-224769r505933_rule | The ISEC7 EMM Suite must accept Personal Identity Verification (PIV) credentials. |
☐ | SV-224770r505933_rule | Before establishing a local, remote, and/or network connection with any endpoint device, the ISEC7 EMM Suite must use a bidirectional authentication mechanism configured with a FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to authenticate with the device. |
☐ | SV-224771r505933_rule | The ISEC7 EMM Suite must allow the use of DoD PKI established certificate authorities for verification of the establishment of protected sessions. |
☐ | SV-224772r505933_rule | The ISEC7 EMM Suite must protect the confidentiality and integrity of transmitted information during preparation for transmission and during reception using cryptographic mechanisms. |
☐ | SV-224773r505933_rule | The ISEC7 EMM Suite must be configured to leverage the enterprise directory service accounts and groups for ISEC7 EMM Suite server admin identification and authentication. |
☐ | SV-224774r505933_rule | The ISEC7 EMM Suite must configure the timeout for the console to be 15 minutes or less. |
☐ | SV-224775r505933_rule | The ISEC7 EMM Suite, Tomcat installation, and ISEC7 Suite monitor must be configured to use the Windows Trust Store for the storage of digital certificates and keys. |
☐ | SV-224776r505933_rule | If cipher suites using pre-shared keys are used for device authentication, the ISEC7 EMM Suite must have a minimum security strength of 112 bits or higher, must only be used in networks where both the client and server are Government systems, must prohibit client negotiation to TLS 1.1, TLS 1.0, SSL 2.0, or SSL 3.0 and must prohibit or restrict the use of protocols that transmit unencrypted authentication information or use flawed cryptographic algorithm for transmission. |
☐ | SV-224777r505933_rule | The ISEC7 EMM Suite must use FIPS-validated SHA-2 or higher hash function for digital signature generation and verification (non-legacy use). |
☐ | SV-224778r505933_rule | The ISEC7 EMM Suite must use a FIPS-validated cryptographic module to provision digital signatures. |
☐ | SV-224779r505933_rule | The ISEC7 EMM Suite must use a FIPS 140-2-validated cryptographic module to implement encryption services for unclassified information requiring confidentiality, generate cryptographic hashes, and to configure web management tools with FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to protect the confidentiality of maintenance and diagnostic communications for nonlocal maintenance sessions. |
☐ | SV-224780r505933_rule | The Apache Tomcat Manager Web app password must be cryptographically hashed with a DoD approved algorithm. |
☐ | SV-224781r505933_rule | All Web applications included with Apache Tomcat that are not required must be removed. |
☐ | SV-224782r505933_rule | LockOutRealm must not be removed from Apache Tomcat. |
☐ | SV-224783r505933_rule | The LockOutRealm must be configured with a login failure count of 3. |
☐ | SV-224784r505933_rule | The LockOutRealm must be configured with a login lockout time of 15 minutes. |
☐ | SV-224785r505933_rule | The Manager Web app password must be configured as follows: 15 or more characters; at least one lower case letter; at least one upper case letter; at least one number; at least one special character |
☐ | SV-224786r505933_rule | The ISEC7 EMM Suite must configure Enable HTTPS to use HTTP over SSL in Apache Tomcat. |
☐ | SV-224787r505933_rule | The version number of Apache Tomcat must be removed from the CATALINA_HOME/lib/catalina.jar file. |
☐ | SV-224788r505933_rule | Stack tracing must be disabled in Apache Tomcat. |
☐ | SV-224789r505933_rule | The Apache Tomcat shutdown port must be disabled. |
☐ | SV-224790r505933_rule | The ISEC7 EMM Suite must remove any unnecessary users or groups that have permissions to the server.xml file in Apache Tomcat. |
☐ | SV-224791r505933_rule | A manager role must be assigned to the Apache Tomcat Web apps (Manager, Host-Manager). |
☐ | SV-224792r505933_rule | SSL must be enabled on Apache Tomcat. |
☐ | SV-224793r505933_rule | Tomcat SSL must be restricted except for ISEC7 EMM Suite tasks. |
☐ | SV-225096r505933_rule | The ISEC7 Sphere server must be maintained at a supported version. |