Network Infrastructure Policy Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
NET0130
<GroupDescription></GroupDescription>Group -
All external connections must be validated and approved by the Authorizing Official (AO) and the Connection Approval Office (CAO) and meeting Connection Approval Process (CAP) requirements.
<VulnDiscussion>Every site must have a security policy to address filtering of the traffic to and from those connections. This documentation...Rule Medium Severity -
NET0131
<GroupDescription></GroupDescription>Group -
Prior to having external connection provisioned between enclaves, a Memorandum of Agreement (MOA) or Memorandum of Understanding (MOU) must be established.
<VulnDiscussion>Prior to establishing a connection with another activity, a Memorandum of Understanding (MOU) or Memorandum of Agreement (MOA...Rule Medium Severity -
NET0135
<GroupDescription></GroupDescription>Group -
External connections to the network must be reviewed and the documentation updated semi-annually.
<VulnDiscussion>A network is only as secure as its weakest link. It is imperative that all external connections be reviewed and kept to a min...Rule Medium Severity -
NET0168
<GroupDescription></GroupDescription>Group -
If the site has a non-DoD external connection (i.e. Approved Gateway), an Intrusion Detection and Prevention System (IDPS) must be located between the sites Approved Gateway and the perimeter router.
<VulnDiscussion>The incorrect placement of the external IDPS may allow unauthorized access to go undetected and limit the ability of security...Rule Medium Severity -
NET0170
<GroupDescription></GroupDescription>Group -
External network connections must not bypass the enclaves perimeter security.
<VulnDiscussion>Without taking the proper safeguards, external networks connected to the organization will impose security risks unless prope...Rule Medium Severity -
NET0180
<GroupDescription></GroupDescription>Group -
All global address ranges used on unclassified and classified networks must be properly registered with the DoD Network Information Center (NIC).
<VulnDiscussion>If network address space is not properly configured, managed, and controlled, the network could be accessed by unauthorized p...Rule Medium Severity -
NET0185
<GroupDescription></GroupDescription>Group -
Network Address Translation (NAT) and private IP address space must not be deployed within the SIPRNet enclave.
<VulnDiscussion>The DoD has an enterprise level security-focused configuration management (SecCM) requirement to support end-to-end monitorin...Rule Medium Severity -
NET0198
<GroupDescription></GroupDescription>Group -
Dynamic Host Configuration Protocol (DHCP) audit and event logs must record sufficient forensic data to be stored online for thirty days and offline for one year.
<VulnDiscussion>In order to identify and combat IP address spoofing, it is highly recommended that the DHCP server logs MAC addresses and hos...Rule Medium Severity -
NET0199
<GroupDescription></GroupDescription>Group -
Dynamic Host Configuration Protocol (DHCP) servers used within SIPRNet infrastructure must be configured with a minimum lease duration time of 30 days.
<VulnDiscussion>In order to trace, audit, and investigate suspicious activity, DHCP servers within the SIPRNet infrastructure must have the m...Rule Low Severity -
NET0210
<GroupDescription></GroupDescription>Group -
All network infrastructure devices must be located in a secure room with limited access.
<VulnDiscussion>If all communications devices are not installed within controlled access areas, risk of unauthorized access and equipment fai...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.