Checked | Name | Title |
---|---|---|
☐ | SV-90881r1_rule | For the local account, CounterACT must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period. |
☐ | SV-90883r1_rule | CounterACT must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the device. |
☐ | SV-90885r1_rule | CounterACT must enforce password complexity by requiring that at least one numeric character be used. |
☐ | SV-90887r1_rule | CounterACT must enforce a 60-day maximum password lifetime restriction. |
☐ | SV-90889r1_rule | CounterACT must prohibit password reuse for a minimum of five generations. |
☐ | SV-90891r1_rule | CounterACT must enforce a minimum 15-character password length. |
☐ | SV-90893r1_rule | CounterACT must enforce access restrictions associated with changes to the system components. |
☐ | SV-90895r1_rule | CounterACT must generate audit log events for a locally developed list of auditable events. |
☐ | SV-90897r1_rule | CounterACT must support organizational requirements to conduct backups of system-level information contained in the information system when changes occur or weekly, whichever is sooner. |
☐ | SV-90899r1_rule | CounterACT must support organizational requirements to conduct backups of information system documentation, including security-related documentation, when changes occur or weekly, whichever is sooner. |
☐ | SV-90901r1_rule | CounterACT must obtain its public key certificates from an appropriate certificate policy through an approved service provider. |
☐ | SV-90903r1_rule | CounterACT must obtain its public key certificates from an appropriate certificate policy through an approved service provider. |
☐ | SV-90905r1_rule | CounterACT must enable Threat Protection notifications to alert security personnel to Cyber events detected by a CounterACT IAW CJCSM 6510.01B. |
☐ | SV-90907r1_rule | CounterACT appliances performing maintenance functions must restrict use of these functions to authorized personnel only. |
☐ | SV-90909r1_rule | CounterACT must employ automated mechanisms to centrally apply authentication settings. |
☐ | SV-90911r1_rule | CounterACT must disable all unnecessary and/or nonsecure plugins. |
☐ | SV-90913r1_rule | CounterACT must terminate all network connections associated with an Enterprise Manager Console session upon Exit, or session disconnection, or after 10 minutes of inactivity, except where prevented by documented and validated mission requirements. |
☐ | SV-90915r1_rule | CounterACT must terminate all network connections associated with an SSH connection session upon Exit, session disconnection, or after 10 minutes of inactivity, except where prevented by documented and validated mission requirements. |
☐ | SV-90917r1_rule | CounterACT must allow only authorized administrators to view or change the device configuration, system files, and other files stored either in the device or on removable media. |
☐ | SV-90919r1_rule | If any logs are stored locally which are not sent to the centralized audit server, CounterACT must back up audit records at least every seven days onto a different system or system component than the system or component being audited. |
☐ | SV-90921r1_rule | CounterACT must limit privileges to change the software resident within software libraries. |
☐ | SV-90923r1_rule | CounterACT must enforce password complexity by requiring that at least one special character be used. |
☐ | SV-90925r1_rule | CounterACT must send audit logs to a centralized audit server (i.e., syslog server). |
☐ | SV-90927r1_rule | CounterACT must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC). |
☐ | SV-90929r1_rule | CounterACT must be configured to synchronize internal information system clocks with the organization's primary and secondary NTP servers. |
☐ | SV-90931r1_rule | CounterACT must restrict the ability to change the auditing to be performed within the system log based on selectable event criteria to the audit administrators role or to other roles or individuals. |
☐ | SV-90933r1_rule | CounterACT must authenticate any endpoint used for network management before establishing a local, remote, and/or network connection using cryptographically based bidirectional authentication. |
☐ | SV-90935r1_rule | CounterACT must authenticate SNMPv3 endpoint devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based. |
☐ | SV-90937r1_rule | In the event the authentication server is unavailable, one local account must be created for use as the account of last resort. |
☐ | SV-90939r1_rule | CounterACT must automatically lock the account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are exceeded. |
☐ | SV-90941r1_rule | The network device must terminate shared/group account credentials when members leave the group. |
☐ | SV-90943r1_rule | The network device must be configured to use a centralized authentication server to authenticate privileged users for remote and nonlocal access for device management. |
☐ | SV-90945r1_rule | CounterACT must retain the Standard Mandatory DoD Notice and Consent Banner on the screen until the administrator acknowledges the usage conditions and takes explicit actions to log on for further access. |
☐ | SV-90947r1_rule | CounterACT must compare internal information systems clocks at least every 24 hours with an authoritative time server. |
☐ | SV-90949r1_rule | Administrative accounts for device management must be configured on the authentication server and not the network device itself (except for the account of last resort). |
☐ | SV-90951r1_rule | If multifactor authentication is not supported and passwords must be used, CounterACT must enforce password complexity by requiring that at least one upper-case character be used. |
☐ | SV-90953r1_rule | If multifactor authentication is not supported and passwords must be used, CounterACT must enforce password complexity by requiring that at least one lower-case character be used. |
☐ | SV-90955r1_rule | CounterACT must limit the number of concurrent sessions to an organization-defined number for each administrator account type. |