Network Infrastructure Policy Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
External connections to the network must be reviewed and the documentation updated semi-annually.
A network is only as secure as its weakest link. It is imperative that all external connections be reviewed and kept to a minimum needed for operations. All external connections should be treated a...Rule Medium Severity -
External network connections must not bypass the enclaves perimeter security.
Without taking the proper safeguards, external networks connected to the organization will impose security risks unless properly routed through the perimeter security devices. Since external networ...Rule Medium Severity -
All global address ranges used on unclassified and classified networks must be properly registered with the DoD Network Information Center (NIC).
If network address space is not properly configured, managed, and controlled, the network could be accessed by unauthorized personnel resulting in security compromise of site information and resour...Rule Medium Severity -
Network Address Translation (NAT) and private IP address space must not be deployed within the SIPRNet enclave.
The DoD has an enterprise level security-focused configuration management (SecCM) requirement to support end-to-end monitoring of SIPRNet, as a National Security System (NSS). The use of NAT and pr...Rule Medium Severity -
All network infrastructure devices must be located in a secure room with limited access.
If all communications devices are not installed within controlled access areas, risk of unauthorized access and equipment failure exists, which could result in denial of service or security comprom...Rule Medium Severity -
Two Network Time Protocol (NTP) servers must be deployed in the management network.
NTP provides an efficient and scalable method for managed network elements to actively synchronize to an accurate time source. Insuring that there are always NTP servers available to provide time i...Rule Low Severity -
A minimum of two syslog servers must be deployed in the management network.
Maintaining an audit trail of system activity logs can help identify configuration errors, understand past intrusions, troubleshoot service disruptions, and react to probes and scans of the network.Rule Low Severity -
Current and previous network element configurations must be stored in a secured location.
If the network element's non-volatile memory is lost without a recent configuration stored in an offline location, it may take time to recover that segment of the network. Users connected directly...Rule Low Severity -
The organization must encrypt all network device configurations while stored offline.
If a network device's non-volatile memory is lost without a recent configuration stored in an offline location, it may take time to recover that segment of the network. Users connected directly to...Rule Medium Severity -
Command and Control (C2) and non-C2 exceptions of SIPRNet must be documented in the enclaves accreditation package and an Authority to Connect (ATC) or Interim ATC amending the connection approval received prior to implementation.
Any exception to use SIPRNet must be documented in an update to the enclave's accreditation package and an Authority to Connect (ATC) or Interim ATC amending the connection approval received prior...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.