Checked | Name | Title |
---|---|---|
☐ | SV-234275r617395_rule | The UEM server must limit the number of concurrent sessions per privileged user account to three or less concurrent sessions. |
☐ | SV-234276r617355_rule | The UEM server must conceal, via the session lock, information previously visible on the display with a publicly viewable image. |
☐ | SV-234277r617355_rule | The UEM server must initiate a session lock after a 15-minute period of inactivity. |
☐ | SV-234278r617355_rule | The MDM server must provide the capability for users to directly initiate a session lock. |
☐ | SV-234279r617355_rule | The MDM server must retain the session lock until the user reestablishes access using established identification and authentication procedures. |
☐ | SV-234283r617355_rule | The UEM server must use TLS 1.2, or higher, to protect the confidentiality of sensitive data during electronic dissemination using remote access. |
☐ | SV-234286r617355_rule | The UEM server must provide automated mechanisms for supporting account management functions. |
☐ | SV-234287r617355_rule | The UEM server must automatically remove or disable temporary user accounts after 72 hours if supported by the UEM server. |
☐ | SV-234288r617355_rule | The UEM server must automatically disable accounts after a 35-day period of account inactivity. |
☐ | SV-234289r617355_rule | The UEM server must automatically audit account creation. |
☐ | SV-234290r617355_rule | The UEM server must automatically audit account modification. |
☐ | SV-234291r617355_rule | The UEM server must automatically audit account disabling actions. |
☐ | SV-234292r617355_rule | The UEM server must automatically audit account removal actions. |
☐ | SV-234310r617396_rule | The UEM server must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period. |
☐ | SV-234311r617355_rule | The UEM server must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the application. |
☐ | SV-234312r617355_rule | The UEM server must retain the access banner until the user acknowledges acceptance of the access conditions. |
☐ | SV-234315r617355_rule | The UEM server must notify the user, upon successful logon (access) to the application, of the date and time of the last logon (access). |
☐ | SV-234316r617355_rule | The UEM server must notify the user, upon successful logon (access), of the number of unsuccessful logon (access) attempts since the last successful logon (access). |
☐ | SV-234318r617355_rule | The UEM server must protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation. |
☐ | SV-234323r617355_rule | The UEM server must provide audit record generation capability for DoD-defined auditable events within all application components. |
☐ | SV-234324r617355_rule | The UEM server must be configured to provide audit records in a manner suitable for the Authorized Administrators to interpret the information. |
☐ | SV-234325r617355_rule | The UEM server must be configured to allow only specific administrator roles to select which auditable events are to be audited. |
☐ | SV-234326r617355_rule | The UEM server must generate audit records when successful/unsuccessful attempts to access privileges occur. |
☐ | SV-234327r617355_rule | The UEM server must initiate session auditing upon startup. |
☐ | SV-234328r617355_rule | The UEM server must be configured to produce audit records containing information to establish what type of events occurred. |
☐ | SV-234329r617355_rule | The UEM server must be configured to produce audit records containing information to establish when (date and time) the events occurred. |
☐ | SV-234330r617355_rule | The UEM server must be configured to produce audit records containing information to establish where the events occurred. |
☐ | SV-234331r617355_rule | The UEM server must be configured to produce audit records containing information to establish the source of the events. |
☐ | SV-234332r617355_rule | The UEM server must be configured to produce audit records that contain information to establish the outcome of the events. |
☐ | SV-234333r617355_rule | The UEM server must be configured to generate audit records containing information that establishes the identity of any individual or process associated with the event. |
☐ | SV-234334r617355_rule | The UEM server must be configured to generate audit records containing the full-text recording of privileged commands or the individual identities of group account users. |
☐ | SV-234335r617355_rule | The UEM SRG must alert the ISSO and SA (at a minimum) in the event of an audit processing failure. |
☐ | SV-234340r617403_rule | The UEM server must use host operating system clocks to generate time stamps for audit records. |
☐ | SV-234341r617355_rule | The UEM server must protect audit information from any type of unauthorized read access. |
☐ | SV-234342r617355_rule | The UEM server must protect audit information from unauthorized modification. |
☐ | SV-234343r617355_rule | The UEM server must protect audit information from unauthorized deletion. |
☐ | SV-234347r617355_rule | The UEM server must back up audit records at least every seven days onto a log management server. |
☐ | SV-234349r617355_rule | The UEM server must prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization. |
☐ | SV-234351r617355_rule | The UEM server must limit privileges to change the software resident within software libraries. |
☐ | SV-234352r617355_rule | The UEM server must be configured to disable non-essential capabilities. |
☐ | SV-234353r617355_rule | The firewall protecting the UEM server platform must be configured so only DoD-approved ports, protocols, and services are enabled. (See the DoD Ports, Protocols, Services Management [PPSM] Category Assurance Levels [CAL] list for DoD-approved ports, protocols, and services). |
☐ | SV-234354r617397_rule | The UEM server must be configured to use only documented platform APIs. |
☐ | SV-234355r617404_rule | The UEM server must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). |
☐ | SV-234356r617405_rule | The UEM server must be configured to use a DoD Central Directory Service to provide multifactor authentication for network access to privileged and non-privileged accounts. |
☐ | SV-234358r617355_rule | All UEM server local accounts created during application installation and configuration must be removed. Note: In this context local accounts refers to user and or administrator accounts on the server that use user name and password for user access and authentication. |
☐ | SV-234360r617406_rule | The UEM server must ensure users are authenticated with an individual authenticator prior to using a group authenticator. |
☐ | SV-234361r617355_rule | The UEM server must be configured to use DoD PKI for multifactor authentication. This requirement is included in SRG-APP-000149. |
☐ | SV-234363r617407_rule | The UEM server must use FIPS-validated SHA-2 or higher hash function to provide replay-resistant authentication mechanisms for network access to privileged accounts. |
☐ | SV-234364r617408_rule | The UEM server must implement replay-resistant authentication mechanisms for network access to non-privileged accounts. |
☐ | SV-234366r617355_rule | The UEM server must disable identifiers (individuals, groups, roles, and devices) after 35 days of inactivity. |
☐ | SV-234367r617355_rule | The UEM server must enforce a minimum 15-character password length. |
☐ | SV-234368r617355_rule | The UEM server must prohibit password reuse for a minimum of five generations. |
☐ | SV-234369r617355_rule | The UEM server must enforce password complexity by requiring that at least one uppercase character be used. |
☐ | SV-234370r617355_rule | The UEM server must enforce password complexity by requiring that at least one lowercase character be used. |
☐ | SV-234371r617355_rule | The UEM server must enforce password complexity by requiring that at least one numeric character be used. |
☐ | SV-234372r617355_rule | The UEM server must enforce password complexity by requiring that at least one special character be used. |
☐ | SV-234373r617355_rule | The UEM server must require the change of at least 15 of the total number of characters when passwords are changed. |
☐ | SV-234374r617355_rule | For UEM server using password authentication, the application must store only cryptographic representations of passwords. |
☐ | SV-234375r617355_rule | For UEM server using password authentication, the network element must use FIPS-validated SHA-2 or later protocol to protect the integrity of the password authentication process. |
☐ | SV-234376r617355_rule | The UEM server must enforce 24 hours/1 day as the minimum password lifetime. |
☐ | SV-234377r617355_rule | The UEM server must enforce a 60-day maximum password lifetime restriction. |
☐ | SV-234378r617412_rule | When using PKI-based authentication for user access, the UEM server must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. |
☐ | SV-234379r617355_rule | When the UEM server cannot establish a connection to determine the validity of a certificate, the server must be configured not to have the option to accept the certificate. |
☐ | SV-234380r617355_rule | The UEM server, when using PKI-based authentication, must enforce authorized access to the corresponding private key. |
☐ | SV-234381r617409_rule | The UEM server must map the authenticated identity to the individual user or group account for PKI-based authentication. |
☐ | SV-234382r617355_rule | The UEM server must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals. |
☐ | SV-234383r617355_rule | The UEM server must use FIPS-validated SHA-2 or higher hash function to protect the integrity of keyed-hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, and hash-only applications. |
☐ | SV-234390r617355_rule | The UEM server must be configured to provide a trusted communication channel between itself and authorized IT entities using [selection: -IPsec, -SSH, -mutually authenticated TLS, -mutually authenticated DTLS, -HTTPS]. |
☐ | SV-234391r617355_rule | The UEM server must be configured to invoke either host-OS functionality or server functionality to provide a trusted communication channel between itself and remote administrators that provides assured identification of its endpoints and protection of the communicated data from modification and disclosure using [selection:-IPsec,-SSH,-TLS, -HTTPS]. |
☐ | SV-234392r617355_rule | The UEM server must be configured to invoke either host-OS functionality or server functionality to provide a trusted communication channel between itself and managed devices that provides assured identification of its endpoints and protection of the communicated data from modification and disclosure using [selection:-TLS, -HTTPS]. |
☐ | SV-234405r617355_rule | The UEM server must protect the authenticity of communications sessions. |
☐ | SV-234406r617355_rule | The UEM server must invalidate session identifiers upon user logout or other session termination. |
☐ | SV-234407r617355_rule | The UEM server must recognize only system-generated session identifiers. |
☐ | SV-234408r617355_rule | The UEM server must generate unique session identifiers using a FIPS-validated Random Number Generator (RNG) based on the Deterministic Random Bit Generators (DRBG) algorithm. |
☐ | SV-234409r617355_rule | The UEM server must fail to a secure state if system initialization fails, shutdown fails, or aborts fail. |
☐ | SV-234410r617413_rule | In the event of a system failure, the UEM server must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes. |
☐ | SV-234421r617398_rule | The UEM server must check the validity of all data inputs. |
☐ | SV-234424r617355_rule | The UEM server must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries. |
☐ | SV-234425r617355_rule | The UEM server must reveal error messages only to the Information System Security Manager (ISSM) and Information System Security Officer (ISSO). |
☐ | SV-234426r617355_rule | The UEM server must, when a component failure is detected, activate an organization-defined alarm and/or automatically shut down the application or the component. |
☐ | SV-234430r617355_rule | The application must notify the Information System Security Manager (ISSM) and Information System Security Officer (ISSO) of failed security verification tests. |
☐ | SV-234438r617355_rule | The UEM server must notify system administrators and the Information System Security Officer (ISSO) when accounts are created. |
☐ | SV-234439r617355_rule | The UEM server must notify system administrators and the Information System Security Officer (ISSO) when accounts are modified. |
☐ | SV-234440r617355_rule | The UEM server must notify system administrators and the Information System Security Officer (ISSO) for account disabling actions. |
☐ | SV-234441r617414_rule | The UEM server must notify system administrators and the Information System Security Officer (ISSO) for account removal actions. |
☐ | SV-234442r617355_rule | The UEM server must automatically terminate a user session after an organization-defined period of user inactivity. |
☐ | SV-234443r617355_rule | The UEM server must provide logout capability for user-initiated communication sessions. |
☐ | SV-234444r617355_rule | The UEM server must display an explicit logout message to users indicating the reliable termination of authenticated communications sessions. |
☐ | SV-234465r617355_rule | The UEM server must automatically audit account-enabling actions. |
☐ | SV-234466r617399_rule | The UEM server must notify system administrator and Information System Security Officer (ISSO) of account enabling actions. |
☐ | SV-234473r617355_rule | The UEM server must employ an audited override of automated access control mechanisms under organization-defined conditions. |
☐ | SV-234475r617355_rule | The UEM server must be configured to have at least one user in defined administrator roles. |
☐ | SV-234489r617355_rule | The UEM server must audit the execution of privileged functions. |
☐ | SV-234491r617355_rule | The UEM server must automatically lock the account until the locked account is released by an administrator when three unsuccessful login attempts in 15 minutes are exceeded. |
☐ | SV-234500r617411_rule | The UEM server must be configured to transfer UEM server logs to another server for storage, analysis, and reporting. Note: UEM server logs include logs of UEM events and logs transferred to the UEM server by UEM agents of managed devices. |
☐ | SV-234516r617355_rule | The UEM server must be configured to record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT). |
☐ | SV-234517r617355_rule | The UEM server must be configured to record time stamps for audit records that meet a granularity of one second for a minimum degree of precision. |
☐ | SV-234519r617355_rule | The UEM server must verify the digital signature of software before installation and alert the Information System Security Officer (ISSO), Information System Security Manager (ISSM), and other designated personnel if unauthorized software is detected. |
☐ | SV-234520r617355_rule | The UEM server must prohibit user installation of software by an administrator without the appropriate assigned permission for software installation. |
☐ | SV-234521r617355_rule | The UEM server must be configured to only allow enrolled devices that are compliant with UEM policies and assigned to a user in the application access group to download applications. |
☐ | SV-234523r617355_rule | The UEM server must enforce access restrictions associated with changes to the server configuration. |
☐ | SV-234524r617355_rule | The UEM server must audit the enforcement actions used to restrict access associated with changes to the application. |
☐ | SV-234526r617355_rule | The UEM server must disable organization-defined functions, ports, protocols, and services (within the application) deemed unnecessary and/or non-secure. |
☐ | SV-234532r617355_rule | The UEM server must require users (administrators) to reauthenticate when roles change. |
☐ | SV-234533r617355_rule | The UEM server must require end-point devices to reauthenticate when organization-defined circumstances or situations requiring reauthentication. |
☐ | SV-234538r617415_rule | Before establishing a connection to any endpoint device being managed, the UEM server must establish a trusted path between the server and endpoint that provides assured identification of the end point using a bidirectional authentication mechanism configured with a FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to authenticate with the device. |
☐ | SV-234543r617355_rule | The UEM server must prohibit the use of cached authenticators after an organization-defined time period. |
☐ | SV-234544r617355_rule | The UEM server, for PKI-based authentication, must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network. |
☐ | SV-234555r617355_rule | The UEM server must configure web management tools with FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to protect the confidentiality of maintenance and diagnostic communications for nonlocal maintenance sessions. |
☐ | SV-234556r617355_rule | The UEM server must verify remote disconnection when non-local maintenance and diagnostic sessions are terminated. |
☐ | SV-234573r617355_rule | The UEM server must only allow the use of DoD PKI established certificate authorities for verification of the establishment of protected sessions. |
☐ | SV-234574r617355_rule | The UEM server must be configured to use X.509v3 certificates for code signing for system software updates. |
☐ | SV-234575r617355_rule | The UEM server must be configured to use X.509v3 certificates for code signing for integrity verification. |
☐ | SV-234588r617355_rule | The UEM server must connect to [assignment: [list of applications]] and managed mobile devices with an authenticated and secure (encrypted) connection to protect the confidentiality and integrity of transmitted information. |
☐ | SV-234596r617355_rule | The UEM server must be configured to write to the server event log when invalid inputs are received. |
☐ | SV-234603r617355_rule | The UEM server must remove old software components after updated versions have been installed. |
☐ | SV-234605r617355_rule | The UEM server must be maintained at a supported version. |
☐ | SV-234622r617355_rule | The UEM server must be configured with the periodicity of the following commands to the agent of six hours or less: - query connectivity status - query the current version of the managed device firmware/software - query the current version of installed mobile applications - read audit logs kept by the managed device. |
☐ | SV-234623r617355_rule | The UEM server must run a suite of self-tests during initial start-up (power on) to demonstrate correct operation of the server. |
☐ | SV-234624r617355_rule | The UEM server must alert the system administrator when anomalies in the operation of security functions are discovered. |
☐ | SV-234629r617355_rule | The UEM server must be configured to verify software updates to the server using a digital signature mechanism prior to installing those updates. |
☐ | SV-234642r617355_rule | The UEM server must generate audit records when successful/unsuccessful attempts to access security objects occur. |
☐ | SV-234645r617401_rule | The UEM server must generate audit records when successful/unsuccessful attempts to modify privileges occur. |
☐ | SV-234646r617355_rule | The UEM server must generate audit records when successful/unsuccessful attempts to modify security objects occur. |
☐ | SV-234649r617355_rule | The UEM server must generate audit records when successful/unsuccessful attempts to delete privileges occur. |
☐ | SV-234651r617355_rule | The UEM server must generate audit records when successful/unsuccessful attempts to delete security objects occur. |
☐ | SV-234653r617355_rule | The UEM server must generate audit records when successful/unsuccessful logon attempts occur. |
☐ | SV-234654r617355_rule | The UEM server must generate audit records for privileged activities or other system-level access. |
☐ | SV-234655r617355_rule | The UEM server must generate audit records showing starting and ending time for user access to the system. |
☐ | SV-234656r617355_rule | The UEM server must generate audit records when concurrent logons from different workstations occur. |
☐ | SV-234657r617355_rule | The UEM server must generate audit records when successful/unsuccessful accesses to objects occur. |
☐ | SV-234658r617355_rule | The UEM server must generate audit records for all direct access to the information system. |
☐ | SV-234659r617355_rule | The UEM server must generate audit records for all account creations, modifications, disabling, and termination events. |
☐ | SV-234664r617355_rule | The UEM server must use a FIPS-validated cryptographic module to generate cryptographic hashes. |
☐ | SV-234665r617355_rule | The UEM server must, at a minimum, off-load audit logs of interconnected systems in real time and off-load standalone systems weekly. |
☐ | SV-234666r617355_rule | The UEM server must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. |
☐ | SV-234667r617355_rule | The UEM server must be configured to allow authorized administrators to read all audit data from audit records on the server. |
☐ | SV-234668r617355_rule | The UEM server must be configured to implement FIPS 140-2 mode for all server and agent encryption. |
☐ | SV-234669r617355_rule | The UEM server must be configured to prohibit client negotiation to TLS 1.1, TLS 1.0, SSL 2.0, or SSL 3.0. |
☐ | SV-234673r617355_rule | The UEM server must authenticate endpoint devices (servers) before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based. |
☐ | SV-234674r617355_rule | If cipher suites using pre-shared keys are used for device authentication, the UEM server must have a minimum security strength of 112 bits or higher. |
☐ | SV-234676r617355_rule | The UEM server must validate certificates used for Transport Layer Security (TLS) functions by performing RFC 5280-compliant certification path validation. |
☐ | SV-234677r617355_rule | The application must use FIPS-validated SHA-256 or higher hash function for digital signature generation and verification. |
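Several rows above (SV-234275, SV-234277, SV-234287, SV-234288, SV-234310, SV-234406 to SV-234408, SV-234442, SV-234491) describe one piece of access-control behaviour: a 15-minute sliding window for failed logons, an administrator-only release of a locked account, idle-session expiry, a cap on concurrent privileged sessions, and session identifiers that the server itself generates and invalidates. The following is an added example of how those controls fit together; it is not DISA's text or any UEM vendor's code. The thresholds are the checklist's, while the class and method names, the injectable clock and the audit tuple layout are this example's own assumptions.

```python
"""Lockout, inactivity and session controls for the rows above (added example;
not DISA or vendor code). Thresholds are the checklist's; names are assumptions."""
import secrets
import time
from dataclasses import dataclass, field

MAX_FAILED = 3                 # SV-234310/SV-234491: three failures ...
FAILURE_WINDOW_S = 15 * 60     # ... within 15 minutes lock the account
IDLE_LOCK_S = 15 * 60          # SV-234277/SV-234442: idle session expiry
MAX_PRIV_SESSIONS = 3          # SV-234275: concurrent privileged sessions
INACTIVITY_S = 35 * 86400      # SV-234288/SV-234366: disable after 35 idle days
TEMP_LIFETIME_S = 72 * 3600    # SV-234287: temporary accounts live 72 hours


@dataclass
class Account:
    name: str
    privileged: bool = False
    temporary: bool = False
    created_at: float = 0.0
    last_logon: float = 0.0
    disabled: bool = False
    locked: bool = False                          # cleared only by an administrator
    failures: list = field(default_factory=list)  # timestamps of recent failed logons
    failed_since_success: int = 0                 # shown to the user (SV-234316)
    sessions: dict = field(default_factory=dict)  # session id -> last activity time


class AuthController:
    def __init__(self, clock=time.time):
        self.now = clock              # injectable clock keeps the policy testable
        self.accounts: dict[str, Account] = {}
        self.audit: list[tuple] = []  # (event, account, detail) for SV-234289..292/653

    def _log(self, event, name, detail=""):
        self.audit.append((event, name, detail))

    def add_account(self, name, privileged=False, temporary=False):
        self.accounts[name] = Account(name, privileged, temporary, self.now(), self.now())
        self._log("account_created", name)

    def expire_accounts(self):
        """Disable expired temporary accounts and accounts idle for 35 days."""
        now = self.now()
        for a in self.accounts.values():
            if a.disabled:
                continue
            if a.temporary and now - a.created_at >= TEMP_LIFETIME_S:
                a.disabled = True
                self._log("account_disabled", a.name, "temporary account expired")
            elif now - a.last_logon >= INACTIVITY_S:
                a.disabled = True
                self._log("account_disabled", a.name, "35 days of inactivity")

    def logon(self, name, credential_ok):
        """Return logon details on success, None otherwise (never say which check failed)."""
        a, now = self.accounts[name], self.now()
        if a.disabled or a.locked:
            self._log("logon_rejected", name, "locked" if a.locked else "disabled")
            return None
        if not credential_ok:
            # Keep only failures inside the 15-minute window, then count this one.
            a.failures = [t for t in a.failures if now - t < FAILURE_WINDOW_S] + [now]
            a.failed_since_success += 1
            self._log("logon_failed", name, f"{len(a.failures)} in window")
            if len(a.failures) >= MAX_FAILED:
                a.locked = True
                self._log("account_locked", name, "administrator release required")
            return None
        # Drop idle sessions first, then enforce the concurrent-session cap.
        a.sessions = {s: t for s, t in a.sessions.items() if now - t < IDLE_LOCK_S}
        if a.privileged and len(a.sessions) >= MAX_PRIV_SESSIONS:
            self._log("logon_rejected", name, "concurrent session limit")
            return None
        # 256-bit id from the OS CSPRNG; the FIPS-validated DRBG that SV-234408 asks
        # for is a property of the platform's crypto module, not of this call.
        sid = secrets.token_hex(32)
        a.sessions[sid] = now
        result = {"session_id": sid, "last_logon": a.last_logon,      # SV-234315
                  "failed_since_last_logon": a.failed_since_success}   # SV-234316
        a.last_logon, a.failures, a.failed_since_success = now, [], 0
        self._log("logon_ok", name)
        return result

    def touch(self, name, sid):
        """Accept only ids this controller issued (SV-234407) and that are not idle."""
        a = self.accounts[name]
        last = a.sessions.get(sid)
        if last is None or self.now() - last >= IDLE_LOCK_S:
            a.sessions.pop(sid, None)                # SV-234442: drop expired session
            return False
        a.sessions[sid] = self.now()
        return True

    def logout(self, name, sid):
        self.accounts[name].sessions.pop(sid, None)  # SV-234406: invalidate on logout
        self._log("logout", name)

    def admin_unlock(self, admin, name):
        a = self.accounts[name]
        a.locked, a.failures = False, []
        self._log("account_unlocked", name, f"released by {admin}")  # SV-234491
```

Two points are easy to get wrong when checking a product against these rows. First, the lockout counter must be a window, not a lifetime total: two failures, a 16-minute pause and a third failure is not three failures in 15 minutes. Second, the concurrent-session cap only means anything if idle sessions are pruned before the count, otherwise a privileged user who closes a browser without logging out is locked out of the console until the idle timer fires.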
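Rows SV-234367 through SV-234377 together define a password policy: length, the four character classes, five generations of history, at least 15 characters changed, a 24-hour minimum and 60-day maximum lifetime, and storage of cryptographic representations only. Below is an added example of those checks implemented against hashed history; it is not DISA's text or a vendor's code. The numbers are the checklist's; the function names, the (salt, iterations, digest) record layout, the PBKDF2 iteration count and the positional change-distance metric are this example's assumptions, since the SRG does not fix them.

```python
"""Password-policy checks for rows SV-234367 through SV-234377 (added example;
not DISA or vendor code). Thresholds are the checklist's; names and the record
layout are assumptions."""
import hashlib
import hmac
import secrets
import string

MIN_LENGTH = 15                  # SV-234367
HISTORY_GENERATIONS = 5          # SV-234368 (the current password counts as one)
MIN_CHANGED_CHARS = 15           # SV-234373
MIN_LIFETIME_S = 24 * 3600       # SV-234376
MAX_LIFETIME_S = 60 * 86400      # SV-234377
DEFAULT_ITERATIONS = 600_000     # assumption: OWASP's current PBKDF2-HMAC-SHA256 figure


def hash_password(password, iterations=DEFAULT_ITERATIONS):
    """Return a (salt, iterations, digest) record; only this is stored (SV-234374).
    SHA-256 is a FIPS-approved algorithm, but the FIPS *validation* SV-234375 asks
    for belongs to the OpenSSL module Python links against, not to this function."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def verify_password(password, record):
    salt, iterations, digest = record          # iterations travel with the record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


def changed_characters(old, new):
    """Positions that differ plus any length difference. SV-234373 does not name
    the metric; this positional count is the usual filter behaviour (assumption)."""
    return sum(a != b for a, b in zip(old, new)) + abs(len(old) - len(new))


def complexity_findings(password):
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"fewer than {MIN_LENGTH} characters (SV-234367)")
    if not any(c.isupper() for c in password):
        findings.append("no uppercase character (SV-234369)")
    if not any(c.islower() for c in password):
        findings.append("no lowercase character (SV-234370)")
    if not any(c.isdigit() for c in password):
        findings.append("no numeric character (SV-234371)")
    if not any(c in string.punctuation for c in password):
        findings.append("no special character (SV-234372)")
    return findings


def evaluate_change(new_password, current_password, history, changed_at, now):
    """Check a proposed change. `history` holds hash records, newest (current) first.
    The current password is available in plaintext only because the user has just
    re-authenticated with it; that is what lets the 15-character rule be enforced
    without ever storing old passwords."""
    findings = complexity_findings(new_password)
    if now - changed_at < MIN_LIFETIME_S:
        findings.append("changed less than 24 hours ago (SV-234376)")
    if changed_characters(current_password, new_password) < MIN_CHANGED_CHARS:
        findings.append(f"fewer than {MIN_CHANGED_CHARS} characters changed (SV-234373)")
    if any(verify_password(new_password, r) for r in history[:HISTORY_GENERATIONS]):
        findings.append(f"reused within {HISTORY_GENERATIONS} generations (SV-234368)")
    return findings


def password_expired(changed_at, now):
    """60-day maximum lifetime (SV-234377)."""
    return now - changed_at >= MAX_LIFETIME_S
```

The history check is the part worth verifying on a real product: it can only be done by hashing the candidate under each stored salt, so a server that keeps "previous passwords" in any reversible form to make this comparison cheap fails SV-234374 even while satisfying SV-234368.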