
I - Mission Critical Public

Rules and Groups employed by this XCCDF Profile

  • NET1026 (Group)
    Rule: Syslog messages must be retained for a minimum of 30 days online and then stored offline for one year. (Low Severity)
    Logging is a critical part of router security. Maintaining an audit trail of system activity logs (syslog) can help identify configuration errors, understand past intrusions, troubleshoot service ...
  • NET1040 (Group)
    Rule: Current and previous network element configurations must be stored in a secured location. (Low Severity)
    If the network element's non-volatile memory is lost without a recent configuration stored in an offline location, it may take time to recover that segment of the network. Users connected directly...
  • NET1050 (Group)
    Rule: The organization must encrypt all network device configurations while stored offline. (Medium Severity)
    If a network device's non-volatile memory is lost without a recent configuration stored in an offline location, it may take time to recover that segment of the network. Users connected directly to...
  • NET1622 (Group)
    Rule: An Out-of-Band (OOB) management network must be deployed or 24x7 personnel must have console access for device management. (Medium Severity)
    From an architectural point of view, providing Out-Of-Band (OOB) management of network systems is the best first step in any management strategy. No production traffic resides on an out-of-band net...
  • NET1815 (Group)
    Rule: All Releasable Local Area Network (REL LAN) environments must be documented in the System Security Authorization Agreement (SSAA). (Medium Severity)
    The ISSM will ensure Releasable Local Area Network (REL LAN) environments are documented in the SSAA.
  • NET1816 (Group)
    Rule: Annual reviews must be performed on all Releasable Local Area Network (REL LAN) environments. (Medium Severity)
    The ISSM will ensure Releasable Local Area Network (REL LAN) reviews are performed annually.
  • NET1826 (Group)
    Rule: Enabling a connection that extends DISN IP network connectivity (e.g., NIPRNet and SIPRNet) to any DoD Vendor, Foreign, or Federal Mission Partner enclave or network without a signed DoD CIO approved sponsorship memo is prohibited. For classified connectivity it must be to a DSS approved contractor facility or DoD Component approved foreign government facility. (High Severity)
    Having a circuit provisioned that connects the SIPRNet enclave to a non-DoD, foreign, or contractor network puts the enclave and the entire SIPRNet at risk. If the termination point is not operated...
  • NET1827 (Group)
    Rule: Command and Control (C2) and non-C2 exceptions of SIPRNet must be documented in the enclave's accreditation package and an Authority to Connect (ATC) or Interim ATC amending the connection approval received prior to implementation. (Medium Severity)
    Any exception to use SIPRNet must be documented in an update to the enclave's accreditation package and an Authority to Connect (ATC) or Interim ATC amending the connection approval received prior...
  • NET1832 (Group)
    Rule: VPN gateways used to create IP tunnels to transport classified traffic across an unclassified IP network must comply with appropriate physical security protection standards for processing classified information. (Medium Severity)
    When transporting classified data over an unclassified IP network, it is imperative that the network elements deployed to provision the encrypted tunnels are located in a facility authorized to pro...
  • NET2000 (Group)
    Rule: Multi-Protocol Labeled Switching (MPLS) protocols deployed to build Label-Switch Path (LSP) tunnels must authenticate all messages with a hash function using the most secured cryptographic algorithm available. (Medium Severity)
    Spoofed TCP segments could be introduced into the connection streams for LDP sessions used to build LSPs. By configuring strict authentication between LSR peers, LDP TCP sessions can be restricted ...
