Checked | Name | Title |
---|---|---|
☐ | SV-82291r1_rule | The Mainframe Product must limit the number of concurrent sessions to three for all accounts and/or account types. |
☐ | SV-82599r1_rule | The Mainframe Product must conceal, via the session lock, information previously visible on the display with a publicly viewable image. |
☐ | SV-82601r1_rule | The Mainframe Product must initiate a session lock after a 15-minute period of inactivity. |
☐ | SV-82603r1_rule | The Mainframe Product must provide the capability for users to directly initiate a session lock. |
☐ | SV-82605r1_rule | The Mainframe Product must retain the session lock until the user reestablishes access using established identification and authentication procedures. |
☐ | SV-82607r1_rule | The Mainframe Product must automatically terminate a user session after conditions, as defined in site security plan, are met or trigger events requiring session disconnect. |
☐ | SV-82609r1_rule | Mainframe Products requiring user access authentication must provide a logoff capability for a user-initiated communication session. |
☐ | SV-82611r1_rule | The Mainframe Product must display an explicit logoff message to users indicating the reliable termination of authenticated communications sessions. |
☐ | SV-82613r1_rule | The Mainframe Product must associate types of security attributes having security attribute values as defined in site security plan with information in storage. |
☐ | SV-82615r1_rule | The Mainframe Product must associate types of security attributes having security attribute values as defined in site security plan with information in process. |
☐ | SV-82617r1_rule | The Mainframe Product must use an external security manager for all account management functions. |
☐ | SV-82619r1_rule | The Mainframe Product must terminate shared/group account credentials when members leave the group. |
☐ | SV-82621r1_rule | The Mainframe Product must automatically remove or disable temporary user accounts after 72 hours. |
☐ | SV-82623r1_rule | The Mainframe Product must be configured such that emergency accounts are never automatically removed or disabled. |
☐ | SV-82625r1_rule | The Mainframe Product must automatically disable accounts after 35 days of account inactivity. |
☐ | SV-82627r1_rule | The Mainframe Product must automatically audit account creation. |
☐ | SV-82629r1_rule | The Mainframe Product must automatically audit account modification. |
☐ | SV-82631r1_rule | The Mainframe Product must automatically audit account disabling actions. |
☐ | SV-82633r1_rule | The Mainframe Product must automatically audit account removal actions. |
☐ | SV-82635r2_rule | The Mainframe Product must notify system programmers and security administrators when accounts are created. |
☐ | SV-82637r2_rule | The Mainframe Product must notify system programmers and security administrators when accounts are modified. |
☐ | SV-82639r2_rule | The Mainframe Product must notify system programmers and security administrators for account disabling actions. |
☐ | SV-82641r2_rule | The Mainframe Product must notify system programmers and security administrators for account removal actions. |
☐ | SV-82643r2_rule | The Mainframe Product must automatically audit account enabling actions. |
☐ | SV-82647r2_rule | The Mainframe Product must notify system programmers and security administrators of account enabling actions. |
☐ | SV-82649r1_rule | The Mainframe Product must enforce approved authorizations for logical access to sensitive information and system resources in accordance with applicable access control policies. |
☐ | SV-82651r1_rule | The Mainframe Product must enforce approved authorizations for security administrator access to sensitive information and system resources in accordance with applicable access control policies. |
☐ | SV-82653r1_rule | The Mainframe Product must enforce organization-defined discretionary access control policies over defined subjects and objects. |
☐ | SV-82655r1_rule | The Mainframe Product must enforce approved authorizations for system programmer access to sensitive information and system resources in accordance with applicable access control policies. |
☐ | SV-82657r1_rule | The Mainframe Product must enforce approved authorizations for controlling the flow of information within the system based on site security plan information flow control policies. |
☐ | SV-82659r1_rule | The Mainframe Product must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. |
☐ | SV-82661r1_rule | The Mainframe Product must prevent software as identified in the site security plan from executing at higher privilege levels than users executing the software. |
☐ | SV-82663r1_rule | The Mainframe Product must audit the execution of privileged functions. |
☐ | SV-82665r1_rule | The Mainframe Product must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period. |
☐ | SV-82667r1_rule | The Mainframe Product must automatically lock the account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are exceeded. |
☐ | SV-82669r1_rule | The Mainframe Product must protect against an individual (or process acting on behalf of an individual) falsely denying having performed actions defined in the site security plan to be covered by non-repudiation. |
☐ | SV-82671r1_rule | For Mainframe Products providing audit record aggregation, the Mainframe Product must compile audit records from mainframe components into a system-wide audit trail that is time-correlated with a tolerance for the relationship between time stamps of individual records in the audit trail in accordance with the site's security plan. |
☐ | SV-82673r1_rule | The Mainframe Product must provide the capability for system programmers to change the auditing to be performed on all application components based on all selectable event criteria within time thresholds defined in the site security plan. |
☐ | SV-82675r1_rule | The Mainframe Product must provide the capability for security administrators to change the auditing to be performed on all application components based on all selectable event criteria within time thresholds defined in site security plan. |
☐ | SV-82677r1_rule | The Mainframe Product must provide audit record generation capability for DoD-defined auditable events within all application components. |
☐ | SV-82679r2_rule | The Mainframe Product must allow only the information system security manager (ISSM) or individuals or roles appointed by the ISSM to select which auditable events are to be audited. |
☐ | SV-82681r1_rule | The Mainframe Product must generate audit records when successful/unsuccessful attempts to access privileges occur. |
☐ | SV-82683r1_rule | The Mainframe Product must generate audit records when successful/unsuccessful attempts to access security objects occur. |
☐ | SV-82685r1_rule | The Mainframe Product must generate audit records when successful/unsuccessful attempts to access security levels occur. |
☐ | SV-82687r1_rule | The Mainframe Product must generate audit records when successful/unsuccessful attempts to access categories of information (e.g., classification levels) occur. |
☐ | SV-82689r1_rule | The Mainframe Product must generate audit records when successful/unsuccessful attempts to modify privileges occur. |
☐ | SV-82691r1_rule | The Mainframe Product must generate audit records when successful/unsuccessful attempts to modify security objects occur. |
☐ | SV-82695r1_rule | The Mainframe Product must generate audit records when successful/unsuccessful attempts to modify security levels occur. |
☐ | SV-82697r1_rule | The Mainframe Product must generate audit records when successful/unsuccessful attempts to modify categories of information (e.g., classification levels) occur. |
☐ | SV-82699r1_rule | The Mainframe Product must generate audit records when successful/unsuccessful attempts to delete privileges occur. |
☐ | SV-82701r1_rule | The Mainframe Product must generate audit records when successful/unsuccessful attempts to delete security levels occur. |
☐ | SV-82703r1_rule | The Mainframe Product must generate audit records when successful/unsuccessful attempts to delete security objects occur. |
☐ | SV-82705r1_rule | The Mainframe Product must generate audit records when successful/unsuccessful attempts to delete categories of information (e.g., classification levels) occur. |
☐ | SV-82707r1_rule | The Mainframe Product must generate audit records when successful/unsuccessful logon attempts occur. |
☐ | SV-82709r1_rule | The Mainframe Product must generate audit records for privileged activities or other system-level access. |
☐ | SV-82711r1_rule | The Mainframe Product must generate audit records showing starting and ending time for user access to the system. |
☐ | SV-82713r1_rule | The Mainframe Product must generate audit records when concurrent logons from different workstations occur. |
☐ | SV-82715r1_rule | The Mainframe Product must generate audit records when successful/unsuccessful accesses to objects occur. |
☐ | SV-82717r1_rule | The Mainframe Product must generate audit records for all direct access to the information system. |
☐ | SV-82719r1_rule | The Mainframe Product must generate audit records for all account creations, modifications, disabling, and termination events. |
☐ | SV-82721r1_rule | The Mainframe Product must generate audit records for all kernel module load, unload, and restart events, and for all program initiations. |
☐ | SV-82723r1_rule | The Mainframe Product must provide the capability for authorized users to select a user session to capture/record or view/hear. |
☐ | SV-82725r1_rule | The Mainframe Product must initiate session auditing upon startup. |
☐ | SV-82727r1_rule | The Mainframe Product must provide the capability for authorized users to capture, record, and log all content related to a user session. |
☐ | SV-82729r1_rule | The Mainframe Product must provide the capability for authorized users to remotely view/hear, in real time, all content related to an established user session from a component separate from the Mainframe Product being monitored. |
☐ | SV-82731r1_rule | The Mainframe Product must produce audit records containing information to establish what type of events occurred. |
☐ | SV-82733r1_rule | The Mainframe Product must produce audit records containing information to establish when (date and time) the events occurred. |
☐ | SV-82735r2_rule | The Mainframe Product must produce audit records containing information to establish where the events occurred. |
☐ | SV-82737r1_rule | The Mainframe Product must produce audit records containing information to establish the source of the events. |
☐ | SV-82739r1_rule | The Mainframe Product must produce audit records containing information to establish the outcome of the events. |
☐ | SV-82741r1_rule | The Mainframe Product must generate audit records containing information to establish the identity of any individual or process associated with the event. |
☐ | SV-82743r1_rule | The Mainframe Product must generate audit records containing the full-text recording of privileged commands or the individual identities of group account users. |
☐ | SV-82745r1_rule | The Mainframe Product must provide centralized management and configuration of the content to be captured in audit records generated by all application components. |
☐ | SV-82747r1_rule | The Mainframe Product must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements. |
☐ | SV-82749r1_rule | The Mainframe Product must off-load audit records onto a different system or media than the system being audited. |
☐ | SV-82751r1_rule | The Mainframe Product must provide an immediate warning to the system programmer and security administrator (at a minimum) when allocated audit record storage volume reaches 75 percent of repository maximum audit record storage capacity. |
☐ | SV-82753r1_rule | The Mainframe Product must provide an immediate real-time alert to the operations staff, system programmers, and/or security administrators, at a minimum, of all audit failure events requiring real-time alerts. |
☐ | SV-82755r2_rule | The Mainframe Product must alert the system administrator (SA) and information system security officer (ISSO) (at a minimum) in the event of an audit processing failure. |
☐ | SV-82757r1_rule | The Mainframe Product must shut down by default upon audit failure (unless availability is an overriding concern). |
☐ | SV-82759r1_rule | The Mainframe Product must provide the capability to centrally review and analyze audit records from multiple components within the system. |
☐ | SV-82761r1_rule | The Mainframe Product must provide the capability to filter audit records for events of interest as defined in the site security plan. |
☐ | SV-82763r1_rule | The Mainframe Product must provide an audit reduction capability that supports on-demand audit review and analysis. |
☐ | SV-82765r1_rule | The Mainframe Product must provide an audit reduction capability that supports on-demand reporting requirements. |
☐ | SV-82767r1_rule | The Mainframe Product must provide an audit reduction capability that supports after-the-fact investigations of security incidents. |
☐ | SV-82769r1_rule | The Mainframe Product must provide a report generation capability that supports on-demand audit review and analysis. |
☐ | SV-82771r1_rule | The Mainframe Product must provide a report generation capability that supports on-demand reporting requirements. |
☐ | SV-82773r1_rule | The Mainframe Product must provide a report generation capability that supports after-the-fact investigations of security incidents. |
☐ | SV-82775r1_rule | The Mainframe Product must provide an audit reduction capability that does not alter original content or time ordering of audit records. |
☐ | SV-82777r1_rule | The Mainframe Product must provide a report generation capability that does not alter original content or time ordering of audit records. |
☐ | SV-82779r1_rule | The Mainframe Product must use internal system clocks to generate time stamps for audit records. |
☐ | SV-82781r1_rule | The Mainframe Product must protect audit information from any type of unauthorized read access. |
☐ | SV-82783r1_rule | The Mainframe Product must protect audit information from unauthorized modification. |
☐ | SV-82785r1_rule | The Mainframe Product must protect audit information from unauthorized deletion. |
☐ | SV-82787r1_rule | The Mainframe Product must protect audit tools from unauthorized access. |
☐ | SV-82789r1_rule | The Mainframe Product must protect audit tools from unauthorized modification. |
☐ | SV-82791r1_rule | The Mainframe Product must protect audit tools from unauthorized deletion. |
☐ | SV-82793r1_rule | The Mainframe Product must use cryptographic mechanisms to protect the integrity of audit tools. |
☐ | SV-82795r1_rule | The Mainframe Product must prohibit user installation of software without explicit privileged status. |
☐ | SV-82797r1_rule | The Mainframe Product must implement organization-defined automated security responses if baseline configurations are changed in an unauthorized manner. |
☐ | SV-82799r1_rule | The Mainframe Product must enforce access restrictions associated with changes to application configuration. |
☐ | SV-82801r1_rule | The Mainframe Product must audit the enforcement actions used to restrict access associated with changes to the application. |
☐ | SV-82803r1_rule | The Mainframe Product must prevent the installation of patches, service packs, or application components without verification that the software component has been digitally signed using a certificate that is recognized and approved by the organization. |
☐ | SV-82805r1_rule | The Mainframe Product must limit privileges to change the Mainframe Product installation datasets to system programmers and authorized users in accordance with applicable access control policies. |
☐ | SV-82807r1_rule | The Mainframe Product must limit privileges to change Mainframe Product started task and job datasets to system programmers and authorized users in accordance with applicable access control policies. |
☐ | SV-82809r1_rule | The Mainframe Product must limit privileges to change Mainframe Product user datasets to authorized individuals. |
☐ | SV-82811r1_rule | The Mainframe Product must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. |
☐ | SV-82815r1_rule | The Mainframe Product must be configured to disable non-essential capabilities. |
☐ | SV-82817r1_rule | The Mainframe Product must require users to reauthenticate when circumstances or situations require reauthentication as defined in site security plan. |
☐ | SV-82819r1_rule | The Mainframe Product must require devices to reauthenticate when circumstances or situations require reauthentication as defined in site security plan. |
☐ | SV-82821r1_rule | The Mainframe Product must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). |
☐ | SV-82823r1_rule | The Mainframe Product must use multifactor authentication for network access to privileged accounts. |
☐ | SV-82825r1_rule | The Mainframe Product must accept Personal Identity Verification (PIV) credentials. |
☐ | SV-82827r1_rule | The Mainframe Product must electronically verify Personal Identity Verification (PIV) credentials. |
☐ | SV-82829r1_rule | The Mainframe Product must use multifactor authentication for network access to non-privileged accounts. |
☐ | SV-82859r1_rule | The Mainframe Product must verify users are authenticated with an individual authenticator prior to using a group authenticator. |
☐ | SV-82861r1_rule | The Mainframe Product must enforce a minimum 15-character password length. |
☐ | SV-82863r1_rule | The Mainframe Product must enforce password complexity by requiring that at least one uppercase character be used. |
☐ | SV-82865r1_rule | The Mainframe Product must enforce password complexity by requiring that at least one lowercase character be used. |
☐ | SV-82867r1_rule | The Mainframe Product must enforce password complexity by requiring that at least one numeric character be used. |
☐ | SV-82871r1_rule | The Mainframe Product must enforce password complexity by requiring that at least one special character be used. |
☐ | SV-82873r1_rule | The Mainframe Product must require the change of at least 8 of the total number of characters when passwords are changed. |
☐ | SV-82875r1_rule | The Mainframe Product must store only cryptographically protected passwords. |
☐ | SV-82877r1_rule | The Mainframe Product must transmit only cryptographically protected passwords. |
☐ | SV-82879r1_rule | The Mainframe Product must enforce 24 hours/1 day as the minimum password lifetime. |
☐ | SV-82881r1_rule | The Mainframe Product must enforce a 60-day maximum password lifetime restriction. |
☐ | SV-82883r1_rule | The Mainframe Product must prohibit password reuse for a minimum of five generations. |
☐ | SV-82885r1_rule | The Mainframe Product must allow the use of a temporary password for system logons with an immediate change to a permanent password. |
☐ | SV-82887r1_rule | The Mainframe Product must prohibit the use of cached authenticators after one hour. |
☐ | SV-82889r1_rule | The Mainframe Product, when using PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. |
☐ | SV-82891r1_rule | The Mainframe Product, when using PKI-based authentication, must enforce authorized access to the corresponding private key. |
☐ | SV-82893r1_rule | The Mainframe Product must map the authenticated identity to the individual user or group account for PKI-based authentication. |
☐ | SV-82895r1_rule | The Mainframe Product must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals. |
☐ | SV-82897r1_rule | The Mainframe Product must use mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module. |
☐ | SV-82899r1_rule | The Mainframe Product must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users). |
☐ | SV-82901r1_rule | The Mainframe Product must accept Personal Identity Verification (PIV) credentials from other federal agencies. |
☐ | SV-82903r1_rule | The Mainframe Product must electronically verify Personal Identity Verification (PIV) credentials from other federal agencies. |
☐ | SV-82905r1_rule | The Mainframe Product must accept FICAM-approved third-party credentials. |
☐ | SV-82907r1_rule | The Mainframe Product must conform to FICAM-issued profiles. |
☐ | SV-82909r1_rule | Mainframe Products scanning for malicious code must scan all media used for system maintenance prior to use. |
☐ | SV-82911r1_rule | Mainframe Products must audit the nonlocal maintenance and diagnostic session events defined in the site security plan. |
☐ | SV-82913r1_rule | Mainframe Products must implement cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications. |
☐ | SV-82915r1_rule | Mainframe Products must implement cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications. |
☐ | SV-82917r1_rule | Mainframe Products must verify remote disconnection at the termination of nonlocal maintenance and diagnostic sessions. |
☐ | SV-82919r1_rule | The Mainframe Product must terminate all sessions and network connections when nonlocal maintenance is completed. |
☐ | SV-82921r1_rule | The Mainframe Product must implement privileged access authorization to all information systems and infrastructure components for selected vulnerability scanning activities as defined in the site security plan. |
☐ | SV-82923r1_rule | The Mainframe Product must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive orders, directives, policies, regulations, and standards. |
☐ | SV-82925r1_rule | The Mainframe Product must implement NIST FIPS-validated cryptography to provision digital signatures in accordance with applicable federal laws, Executive orders, directives, policies, regulations, and standards. |
☐ | SV-82927r1_rule | The Mainframe Product must implement NIST FIPS-validated cryptography to generate and validate cryptographic hashes in accordance with applicable federal laws, Executive orders, directives, policies, regulations, and standards. |
☐ | SV-82929r1_rule | The Mainframe Product must implement NIST FIPS-validated cryptography to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive orders, directives, policies, regulations, and standards. |
☐ | SV-82935r1_rule | The Mainframe Product must identify prohibited mobile code. |
☐ | SV-82937r1_rule | The Mainframe Product must block, quarantine, and/or alert system administrators when prohibited mobile code is identified. |
☐ | SV-82939r1_rule | The Mainframe Product must prevent the download of prohibited mobile code. |
☐ | SV-82941r1_rule | The Mainframe Product must prevent the execution of prohibited mobile code. |
☐ | SV-82943r1_rule | The Mainframe Product must prevent the automatic execution of mobile code in, at a minimum, office applications, browsers, email clients, mobile code run-time environments, and mobile agent systems. |
☐ | SV-82945r1_rule | The Mainframe Product must prompt the user for action prior to executing mobile code. |
☐ | SV-82947r1_rule | The Mainframe Product must separate user functionality (including user interface services) from information system management functionality. |
☐ | SV-82949r1_rule | The Mainframe Product must fail to a secure state if system initialization fails, shutdown fails, or aborts fail. |
☐ | SV-82951r1_rule | In the event of application failure, Mainframe Products must preserve any information necessary to determine the cause of failure and any information necessary to return to operations with the least disruption to mission processes. |
☐ | SV-82953r1_rule | The Mainframe Product must protect the confidentiality and integrity of all information at rest. |
☐ | SV-82955r1_rule | The Mainframe Product must implement cryptographic mechanisms to prevent unauthorized modification of all information not cleared for public release at rest on system components outside of organization facilities. |
☐ | SV-82957r1_rule | The Mainframe Product must implement cryptographic mechanisms to prevent unauthorized disclosure of all information not cleared for public release at rest on system components outside of organization facilities. |
☐ | SV-82959r1_rule | The Mainframe Product must isolate security functions from nonsecurity functions. |
☐ | SV-82961r1_rule | The Mainframe Product must maintain a separate execution domain for each executing process. |
☐ | SV-82963r1_rule | The Mainframe Product must check the validity of all data inputs except those specifically identified by the organization. |
☐ | SV-82965r1_rule | The Mainframe Product must behave in a predictable and documented manner that reflects organizational and system objectives when invalid inputs are received. |
☐ | SV-82967r1_rule | The Mainframe Product must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries. |
☐ | SV-82969r1_rule | The Mainframe Product must reveal full-text detail error messages only to system programmers and/or security administrators. |
☐ | SV-82971r1_rule | The Mainframe Product must implement security safeguards to protect its memory from unauthorized code execution. |
☐ | SV-82973r1_rule | The Mainframe Product must remove all upgraded/replaced software components that are no longer required for operation after updated versions have been installed. |
☐ | SV-82975r1_rule | The Mainframe Product must install security-relevant software updates within the time period directed by an authoritative source (e.g., IAVMs, CTOs, DTMs, and STIGs). |
☐ | SV-82977r1_rule | The Mainframe Product must automatically update malicious code protection mechanisms. |
☐ | SV-82979r1_rule | The Mainframe Product must update malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures. |
☐ | SV-82981r1_rule | The Mainframe Product must configure malicious code protection mechanisms to perform periodic scans of the information system every seven days. |
☐ | SV-82983r1_rule | The Mainframe Product performing organization-defined security functions must verify correct operation of security functions. |
☐ | SV-82985r1_rule | The Mainframe Product must perform verification of the correct operation of security functions upon system startup and/or restart; upon command by a user with privileged access; and/or every 30 days. |
☐ | SV-82987r1_rule | The Mainframe Product must notify the system programmer and security administrator of failed security verification tests. |
☐ | SV-82989r1_rule | The Mainframe Product must either shut down, restart, and/or notify the appropriate personnel when anomalies in the operation of the security functions as defined in site security plan are discovered. |
☐ | SV-82991r1_rule | The Mainframe Product must perform an integrity check of all software from vendors/sources that provide cryptographic mechanisms to enable the validation of code authenticity and integrity at startup, at transitional states as defined in site security plan or security-relevant events, or annually. |
☐ | SV-82993r1_rule | The Mainframe Product must perform an integrity check of information as defined in site security plan at startup, at transitional states as defined in site security plan or security-relevant events, or annually. |
☐ | SV-82995r1_rule | The Mainframe Product must automatically shut down the information system, restart the information system, and/or implement security safeguards under the conditions defined in the site security plan when integrity violations are discovered. |
☐ | SV-82997r1_rule | The Mainframe Product must audit detected potential integrity violations. |
☐ | SV-82999r1_rule | The Mainframe Product, upon detection of a potential integrity violation, must initiate one or more of the following actions: generate an audit record, alert the current user, alert personnel or roles as defined in the site security plan, and/or perform other actions as defined in site security plan. |
☐ | SV-83001r1_rule | The Mainframe Product must use multifactor authentication for local access to privileged accounts. |
☐ | SV-83003r2_rule | The Mainframe Product must use multifactor authentication for local access to non-privileged accounts. |