I - Mission Critical Sensitive

SRG-APP-000171-DB-000074

If passwords are used for authentication, MongoDB must store only hashed, salted representations of passwords.

SRG-APP-000176-DB-000068

MongoDB must enforce authorized access to all PKI private keys stored/utilized by MongoDB.

SRG-APP-000177-DB-000069

MongoDB must map the PKI-authenticated identity to an associated user account.

SRG-APP-000178-DB-000083

MongoDB must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.

SRG-APP-000180-DB-000115

MongoDB must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).

SRG-APP-000224-DB-000384

MongoDB must maintain the authenticity of communications sessions by guarding against man-in-the-middle attacks that guess at Session ID values.

SRG-APP-000231-DB-000154

MongoDB must protect the confidentiality and integrity of all information at rest.

SRG-APP-000243-DB-000128

Database contents must be protected from unauthorized and unintended information transfer by enforcement of a data-transfer policy.

SRG-APP-000251-DB-000160

MongoDB must check the validity of all data inputs except those specifically identified by the organization.

SRG-APP-000266-DB-000162

MongoDB must provide non-privileged users with error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.

SRG-APP-000267-DB-000163

MongoDB must reveal detailed error messages only to the ISSO, ISSM, SA, and DBA.

SRG-APP-000295-DB-000305

MongoDB must automatically terminate a user session after organization-defined conditions or trigger events requiring session disconnect.

SRG-APP-000356-DB-000314

MongoDB must utilize centralized management of the content captured in audit records generated by all components of MongoDB.

SRG-APP-000357-DB-000316

MongoDB must allocate audit record storage capacity in accordance with site audit record storage requirements.

SRG-APP-000359-DB-000319

MongoDB must provide a warning to appropriate support staff when allocated audit record storage volume reaches 75 percent of maximum audit record storage capacity.

SRG-APP-000378-DB-000365

MongoDB must prohibit user installation of logic modules (stored procedures, functions, triggers, views, etc.) without explicit privileged status.

SRG-APP-000380-DB-000360

MongoDB must enforce access restrictions associated with changes to the configuration of MongoDB or database(s).

SRG-APP-000389-DB-000372

MongoDB must require users to reauthenticate when organization-defined circumstances or situations require reauthentication.

SRG-APP-000400-DB-000367

MongoDB must prohibit the use of cached authenticators after an organization-defined time period.

SRG-APP-000427-DB-000385

MongoDB must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of all encrypted sessions.

SRG-APP-000441-DB-000378

MongoDB must maintain the confidentiality and integrity of information during preparation for transmission.

SRG-APP-000442-DB-000379

MongoDB must maintain the confidentiality and integrity of information during reception.

SRG-APP-000447-DB-000393

When invalid inputs are received, MongoDB must behave in a predictable and documented manner that reflects organizational and system objectives.

SRG-APP-000454-DB-000389

When updates are applied to MongoDB software, any software components that have been replaced or made unnecessary must be removed.

SRG-APP-000456-DB-000390

Security-relevant software updates to MongoDB must be installed within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).