III - Administrative Public
Rules and Groups employed by this XCCDF Profile
-
NET0130
Group -
All external connections must be validated and approved by the Authorizing Official (AO) and the Connection Approval Office (CAO) and meeting Connection Approval Process (CAP) requirements.
Every site must have a security policy to address filtering of the traffic to and from those connections. This documentation along with diagrams of the network topology is required to be submitted...Rule Medium Severity -
NET0131
Group -
Prior to having external connection provisioned between enclaves, a Memorandum of Agreement (MOA) or Memorandum of Understanding (MOU) must be established.
Prior to establishing a connection with another activity, a Memorandum of Understanding (MOU) or Memorandum of Agreement (MOA) must be established between the two sites prior to connecting with eac...Rule Medium Severity -
NET0135
Group -
External connections to the network must be reviewed and the documentation updated semi-annually.
A network is only as secure as its weakest link. It is imperative that all external connections be reviewed and kept to a minimum needed for operations. All external connections should be treated a...Rule Medium Severity -
NET0168
Group -
If the site has a non-DoD external connection (i.e. Approved Gateway), an Intrusion Detection and Prevention System (IDPS) must be located between the sites Approved Gateway and the perimeter router.
The incorrect placement of the external IDPS may allow unauthorized access to go undetected and limit the ability of security personnel to stop malicious or unauthorized use of the network. In orde...Rule Medium Severity -
NET0170
Group -
External network connections must not bypass the enclaves perimeter security.
Without taking the proper safeguards, external networks connected to the organization will impose security risks unless properly routed through the perimeter security devices. Since external networ...Rule Medium Severity -
NET0180
Group -
All global address ranges used on unclassified and classified networks must be properly registered with the DoD Network Information Center (NIC).
If network address space is not properly configured, managed, and controlled, the network could be accessed by unauthorized personnel resulting in security compromise of site information and resour...Rule Medium Severity -
NET0185
Group -
Network Address Translation (NAT) and private IP address space must not be deployed within the SIPRNet enclave.
The DoD has an enterprise level security-focused configuration management (SecCM) requirement to support end-to-end monitoring of SIPRNet, as a National Security System (NSS). The use of NAT and pr...Rule Medium Severity -
NET0198
Group -
Dynamic Host Configuration Protocol (DHCP) audit and event logs must record sufficient forensic data to be stored online for thirty days and offline for one year.
In order to identify and combat IP address spoofing, it is highly recommended that the DHCP server logs MAC addresses and hostnames on the DHCP server, in addition to standard data such as IP addre...Rule Medium Severity -
NET0199
Group -
Dynamic Host Configuration Protocol (DHCP) servers used within SIPRNet infrastructure must be configured with a minimum lease duration time of 30 days.
In order to trace, audit, and investigate suspicious activity, DHCP servers within the SIPRNet infrastructure must have the minimum lease duration time configured to 30 or more days.Rule Low Severity -
NET0210
Group -
All network infrastructure devices must be located in a secure room with limited access.
If all communications devices are not installed within controlled access areas, risk of unauthorized access and equipment failure exists, which could result in denial of service or security comprom...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.