Checked | Name | Title |
---|---|---|
☐ | SV-95525r1_rule | AAA Services must be configured to use secure protocols when connecting to directory services. |
☐ | SV-95527r1_rule | AAA Services must be configured to use protocols that encrypt credentials when authenticating clients, as defined in the PPSM CAL and vulnerability assessments. |
☐ | SV-95529r1_rule | AAA Services must be configured to provide automated account management functions. |
☐ | SV-95531r1_rule | AAA Services must be configured to automatically remove authorizations for temporary user accounts after 72 hours. |
☐ | SV-95533r1_rule | AAA Services must be configured to prevent automatically removing emergency accounts. |
☐ | SV-95535r1_rule | AAA Services must be configured to prevent automatically disabling emergency accounts. |
☐ | SV-95537r1_rule | AAA Services must be configured to automatically disable accounts after a 35-day period of account inactivity. |
☐ | SV-95539r1_rule | AAA Services must be configured to automatically audit account creation. |
☐ | SV-95541r1_rule | AAA Services must be configured to automatically audit account modification. |
☐ | SV-95543r1_rule | AAA Services must be configured to automatically audit account disabling actions. |
☐ | SV-95545r1_rule | AAA Services must be configured to automatically audit account removal actions. |
☐ | SV-95547r1_rule | AAA Services must be configured to notify the system administrators and ISSO when accounts are created. |
☐ | SV-95549r1_rule | AAA Services must be configured to notify the system administrators and ISSO when accounts are modified. |
☐ | SV-95551r1_rule | AAA Services must be configured to notify the system administrators and ISSO for account disabling actions. |
☐ | SV-95553r1_rule | AAA Services must be configured to notify the system administrators and ISSO for account removal actions. |
☐ | SV-95555r1_rule | AAA Services must be configured to automatically audit account enabling actions. |
☐ | SV-95557r1_rule | AAA Services must be configured to notify system administrators and ISSO of account enabling actions. |
☐ | SV-95559r1_rule | AAA Services must be configured to use Role-Based Access Control (RBAC) policy for levels of access authorization. |
☐ | SV-95561r1_rule | AAA Services must be configured to automatically lock user accounts after three consecutive invalid logon attempts within a 15-minute time period. |
☐ | SV-95565r1_rule | AAA Services must be configured to maintain locks on user accounts until released by an administrator. |
☐ | SV-95567r1_rule | AAA Services configuration audit records must identify what type of events occurred. |
☐ | SV-95569r1_rule | AAA Services configuration audit records must identify when (date and time) the events occurred. |
☐ | SV-95571r1_rule | AAA Services configuration audit records must identify where the events occurred. |
☐ | SV-95573r1_rule | AAA Services configuration audit records must identify the source of the events. |
☐ | SV-95575r1_rule | AAA Services configuration audit records must identify the outcome of the events. |
☐ | SV-95577r1_rule | AAA Services configuration audit records must identify any individual user or process associated with the event. |
☐ | SV-95579r1_rule | AAA Services must be configured to send audit records to a centralized audit server. |
☐ | SV-95581r2_rule | AAA Services must be configured to alert the SA and ISSO when any audit processing failure occurs. |
☐ | SV-95583r1_rule | AAA Services must be configured to generate audit records overwriting the oldest audit records in a first-in-first-out manner. |
☐ | SV-95585r1_rule | AAA Services must be configured to queue audit records locally until communication is restored when any audit processing failure occurs. |
☐ | SV-95587r1_rule | AAA Services must be configured to use internal system clocks to generate time stamps for audit records. |
☐ | SV-95589r1_rule | AAA Services must be configured with a minimum granularity of one second to record time stamps for audit records. |
☐ | SV-95591r1_rule | AAA Services must be configured to use or map to Coordinated Universal Time (UTC) to record time stamps for audit records. |
☐ | SV-95593r1_rule | AAA Services must be configured to use at least two NTP servers to synchronize time. |
☐ | SV-95595r1_rule | AAA Services must be configured to authenticate all NTP messages received from NTP servers and peers. |
☐ | SV-95597r1_rule | AAA Services must be configured to use their loopback or OOB management interface address as the source address when originating NTP traffic. |
☐ | SV-95599r1_rule | AAA Services must be configured to audit each authentication and authorization transaction. |
☐ | SV-95601r1_rule | AAA Services must be configured to uniquely identify and authenticate organizational users. |
☐ | SV-95603r1_rule | AAA Services must be configured to require multifactor authentication using Personal Identity Verification (PIV) credentials for authenticating privileged user accounts. |
☐ | SV-95605r1_rule | AAA Services must be configured to require multifactor authentication using Common Access Card (CAC) Personal Identity Verification (PIV) credentials for authenticating non-privileged user accounts. |
☐ | SV-95607r1_rule | AAA Services used for 802.1x must be configured to uniquely identify network endpoints (supplicants) before the authenticator establishes any connection. |
☐ | SV-95609r1_rule | AAA Services used for 802.1x must be configured to authenticate network endpoint devices (supplicants) before the authenticator establishes any connection. |
☐ | SV-95611r1_rule | AAA Services used for 802.1x must be configured to use secure Extensible Authentication Protocol (EAP), such as EAP-TLS, EAP-TTLS, and PEAP. |
☐ | SV-95613r1_rule | AAA Services must be configured to enforce a minimum 15-character password length. |
☐ | SV-95615r1_rule | AAA Services must be configured to enforce password complexity by requiring that at least one upper-case character be used. |
☐ | SV-95617r1_rule | AAA Services must be configured to enforce password complexity by requiring that at least one lower-case character be used. |
☐ | SV-95619r1_rule | AAA Services must be configured to enforce password complexity by requiring that at least one numeric character be used. |
☐ | SV-95621r1_rule | AAA Services must be configured to enforce password complexity by requiring that at least one special character be used. |
☐ | SV-95623r1_rule | AAA Services must be configured to require the change of at least eight of the total number of characters when passwords are changed. |
☐ | SV-95625r1_rule | AAA Services must be configured to encrypt transmitted credentials using a FIPS-validated cryptographic module. |
☐ | SV-95627r1_rule | AAA Services must be configured to enforce 24 hours as the minimum password lifetime. |
☐ | SV-95629r1_rule | AAA Services must be configured to enforce a 60-day maximum password lifetime restriction. |
☐ | SV-95631r1_rule | AAA Services must be configured to prohibit password reuse for a minimum of five generations. |
☐ | SV-95633r1_rule | AAA Services must be configured to allow the use of a temporary password at initial logon with an immediate change to a permanent password. |
☐ | SV-95635r1_rule | AAA Services must be configured to only accept certificates issued by a DoD-approved Certificate Authority for PKI-based authentication. |
☐ | SV-95637r1_rule | AAA Services must be configured to not accept certificates that have been revoked for PKI-based authentication. |
☐ | SV-95639r1_rule | AAA Services must be configured to enforce authorized access to the corresponding private key for PKI-based authentication. |
☐ | SV-95641r1_rule | AAA Services must be configured to map the authenticated identity to the user account for PKI-based authentication. |
☐ | SV-95643r1_rule | AAA Services must be configured to protect the confidentiality and integrity of all information at rest. |
☐ | SV-95645r1_rule | AAA Services must not be configured with shared accounts. |
☐ | SV-95647r1_rule | AAA Services used to authenticate privileged users for device management must be configured to connect to the management network. |
☐ | SV-95649r1_rule | AAA Services must be configured to use a unique shared secret for communication (i.e. RADIUS, TACACS+) with clients requesting authentication services. |
☐ | SV-95651r1_rule | AAA Services must be configured to use IP segments separate from production VLAN IP segments. |
☐ | SV-95653r1_rule | AAA Services must be configured to place non-authenticated network access requests in the Unauthorized VLAN or the Guest VLAN with limited access. |
☐ | SV-95655r1_rule | AAA Services must be configured to disable non-essential modules. |
☐ | SV-95657r1_rule | AAA Services must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. |
☐ | SV-95659r1_rule | AAA Services must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. |
☐ | SV-95661r1_rule | AAA Services must be configured to automatically remove temporary user accounts after 72 hours. |
☐ | SV-95663r1_rule | AAA Services must be configured to encrypt locally stored credentials using a FIPS-validated cryptographic module. |