STIGQter STIGQter: STIG Summary: ForeScout CounterACT ALG Security Technical Implementation Guide

Version: 1

Release: 2 Benchmark Date: 26 Jan 2018

CheckedNameTitle
SV-90593r1_ruleCounterACT, when providing user access control intermediary services, must display the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to the network.
SV-90619r1_ruleCounterACT, when providing user access control intermediary services, must retain the Standard Mandatory DoD-approved Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access.
SV-90621r1_ruleCounterACT, when providing user access control intermediary services for publicly accessible applications, must display the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to the system.
SV-90623r1_ruleCounterACT must send an alert to, at a minimum, the ISSO and SCA when an audit processing failure occurs.
SV-90625r1_ruleIf user authentication services are provided, CounterACT must be configured with a pre-established trust relationship and mechanisms with a central directory service that validates user account access authorizations and privileges.
SV-90627r1_ruleIf user authentication services are provided, CounterACT must restrict user authentication traffic to specific authentication server(s).
SV-90629r1_ruleCounterACT, when providing user authentication intermediary services, must implement replay-resistant authentication mechanisms for network access to non-privileged accounts.
SV-90631r1_ruleCounterACT must off-load audit records onto a centralized log server.
SV-90873r1_ruleCounterACT, when providing user authentication intermediary services, must require users to reauthenticate when organization-defined circumstances or situations require reauthentication.
SV-90875r1_ruleCounterACT, when providing user authentication intermediary services, must implement multifactor authentication for remote access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access.
SV-90877r1_ruleCounterACT must off-load audit records onto a centralized log server in real time.
SV-90879r2_ruleCounterACT must use an Enterprise Manager or other high availability solution to ensure redundancy in case of audit failure in this critical network access control and security service.