Checked | Name | Title |
---|---|---|
☐ | SV-79471r1_rule | The DataPower Gateway must enforce the assigned privilege level for each administrator and authorizations for access to all commands relative to the privilege level in accordance with applicable policy for the device. |
☐ | SV-79553r1_rule | The DataPower Gateway must enforce approved authorizations for controlling the flow of management information within DataPower based on information flow control policies. |
☐ | SV-79555r1_rule | The DataPower Gateway must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the device. |
☐ | SV-79557r1_rule | The DataPower Gateway must retain the Standard Mandatory DoD Notice and Consent Banner on the screen until the administrator acknowledges the usage conditions and takes explicit actions to log on for further access. |
☐ | SV-79559r1_rule | The DataPower Gateway must provide audit record generation capability for DoD-defined auditable events within DataPower. |
☐ | SV-79561r1_rule | The DataPower Gateway must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited. |
☐ | SV-79563r1_rule | The DataPower Gateway must alert the ISSO and SA (at a minimum) in the event of an audit processing failure. |
☐ | SV-79565r1_rule | The DataPower Gateway must protect audit information from any type of unauthorized read access. |
☐ | SV-79567r1_rule | The DataPower Gateway must protect audit tools from unauthorized access. |
☐ | SV-79569r1_rule | The DataPower Gateway must protect audit tools from unauthorized modification. |
☐ | SV-79571r1_rule | The DataPower Gateway must protect audit tools from unauthorized deletion. |
☐ | SV-79573r1_rule | The DataPower Gateway must back up audit records at least every seven days onto a different system or system component than the system or component being audited. |
☐ | SV-79575r1_rule | The DataPower Gateway must prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization. |
☐ | SV-79577r1_rule | The DataPower Gateway must limit privileges to change the software resident within software libraries. |
☐ | SV-79579r1_rule | The DataPower Gateway must have SSH and web management bound to the management interface and Telnet disabled. |
☐ | SV-79581r1_rule | The DataPower Gateway must enforce a minimum 15-character password length. |
☐ | SV-79583r1_rule | The DataPower Gateway must prohibit password reuse for a minimum of five generations. |
☐ | SV-79585r1_rule | If multifactor authentication is not supported and passwords must be used, the DataPower Gateway must enforce password complexity by requiring that at least one upper-case character be used. |
☐ | SV-79587r1_rule | If multifactor authentication is not supported and passwords must be used, the DataPower Gateway must enforce password complexity by requiring that at least one lower-case character be used. |
☐ | SV-79589r1_rule | If multifactor authentication is not supported and passwords must be used, the DataPower Gateway must enforce password complexity by requiring that at least one numeric character be used. |
☐ | SV-79591r1_rule | If multifactor authentication is not supported and passwords must be used, the DataPower Gateway must enforce password complexity by requiring that at least one special character be used. |
☐ | SV-79593r1_rule | The DataPower Gateway must map the authenticated identity to the user account for PKI-based authentication. |
☐ | SV-79595r1_rule | The DataPower Gateway must use mechanisms meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module. |
☐ | SV-79597r1_rule | The DataPower Gateway must terminate all network connections associated with a device management session at the end of the session, or the session must be terminated after 10 minutes of inactivity except to fulfill documented and validated mission requirements. |
☐ | SV-79599r1_rule | The DataPower Gateway must generate unique session identifiers using a FIPS 140-2 approved random number generator. |
☐ | SV-79601r1_rule | The DataPower Gateway must activate a system alert message, send an alarm, and/or automatically shut down when a component failure is detected. |
☐ | SV-79603r1_rule | The DataPower Gateway must generate alerts that can be forwarded to the administrators and ISSO when accounts are created. |
☐ | SV-79605r1_rule | The DataPower Gateway must generate alerts that can be forwarded to the administrators and ISSO when accounts are modified. |
☐ | SV-79607r1_rule | The DataPower Gateway must generate alerts that can be forwarded to the administrators and ISSO when accounts are disabled. |
☐ | SV-79609r1_rule | The DataPower Gateway must generate alerts that can be forwarded to the administrators and ISSO when accounts are removed. |
☐ | SV-79611r2_rule | The DataPower Gateway must automatically terminate a network administrator session after organization-defined conditions or trigger events requiring session disconnect. |
☐ | SV-79613r2_rule | The DataPower Gateway must provide a logout capability for administrator-initiated communication sessions. |
☐ | SV-79615r1_rule | The DataPower Gateway must display an explicit logout message to administrators indicating the reliable termination of authenticated communications sessions. |
☐ | SV-79617r1_rule | The DataPower Gateway must automatically audit account enabling actions. |
☐ | SV-79619r1_rule | The DataPower Gateway must generate an immediate alert for account enabling actions. |
☐ | SV-79621r1_rule | The DataPower Gateway must be compliant with at least one IETF standard authentication protocol. |
☐ | SV-79625r1_rule | If the DataPower Gateway uses discretionary access control, the DataPower Gateway must enforce organization-defined discretionary access control policies over defined subjects and objects. |
☐ | SV-79627r1_rule | If the DataPower Gateway uses role-based access control, the DataPower Gateway must enforce role-based access control policies over defined subjects and objects. |
☐ | SV-79629r1_rule | The DataPower Gateway must audit the execution of privileged functions. |
☐ | SV-79631r1_rule | The DataPower Gateway must provide the capability for organization-identified individuals or roles to change the auditing to be performed based on all selectable event criteria within near-real-time. |
☐ | SV-79633r1_rule | The DataPower Gateway must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements. |
☐ | SV-79635r1_rule | The DataPower Gateway must generate an immediate alert when allocated audit record storage volume reaches 75% of repository maximum audit record storage capacity. |
☐ | SV-79637r1_rule | The DataPower Gateway must generate an immediate real-time alert of all audit failure events. |
☐ | SV-79639r1_rule | The DataPower Gateway must compare internal information system clocks at least every 24 hours with an authoritative time server. |
☐ | SV-79641r1_rule | The DataPower Gateway must synchronize internal information system clocks to the authoritative time source when the time difference is greater than one second. |
☐ | SV-79643r1_rule | The DataPower Gateway must be configured to synchronize internal information system clocks with the primary and secondary time sources located in different geographic regions using redundant authoritative time sources. |
☐ | SV-79645r1_rule | The DataPower Gateway must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT). |
☐ | SV-79647r1_rule | The DataPower Gateway must implement organization-defined automated security responses if baseline configurations are changed in an unauthorized manner. |
☐ | SV-79649r1_rule | The DataPower Gateway must enforce access restrictions associated with changes to device configuration. |
☐ | SV-79651r1_rule | The DataPower Gateway must audit the enforcement actions used to restrict access associated with changes to the device. |
☐ | SV-79653r1_rule | The DataPower Gateway must require users to re-authenticate when privilege escalation or role changes occur. |
☐ | SV-79655r1_rule | The DataPower Gateway must use SNMPv3. |
☐ | SV-79657r1_rule | The DataPower Gateway must prohibit the use of cached authenticators after an organization-defined time period. |
☐ | SV-79659r1_rule | The IBM DataPower Gateway must only allow the use of protocols that implement cryptographic mechanisms to protect the integrity and confidentiality of management communications. |
☐ | SV-79661r1_rule | The DataPower Gateway must off-load audit records onto a different system or media than the system being audited. |
☐ | SV-79663r1_rule | The DataPower Gateway must use automated mechanisms to alert security personnel to threats identified by authoritative sources (e.g., CTOs) and in accordance with CJCSM 6510.01B. |
☐ | SV-79665r1_rule | The DataPower Gateway must generate audit log events for a locally developed list of auditable events. |
☐ | SV-79667r1_rule | The DataPower Gateway must employ automated mechanisms to centrally manage authentication settings. |
☐ | SV-79669r1_rule | The DataPower Gateway must employ automated mechanisms to centrally apply authentication settings. |
☐ | SV-79671r1_rule | The DataPower Gateway must employ automated mechanisms to centrally verify authentication settings. |
☐ | SV-79673r1_rule | The DataPower Gateway must support organizational requirements to conduct backups of system level information contained in the information system when changes occur or weekly, whichever is sooner. |
☐ | SV-79675r1_rule | The DataPower Gateway must employ automated mechanisms to assist in the tracking of security incidents. |
☐ | SV-79677r1_rule | The DataPower Gateway must obtain its public key certificates from an appropriate certificate policy through an approved service provider. |
☐ | SV-79679r1_rule | The DataPower Gateway must not use 0.0.0.0 as the management IP address. |