kriterion 0.0.1

Files changed (564)
  1. checksums.yaml +7 -0
  2. data/.gitignore +2 -0
  3. data/.ruby-version +1 -0
  4. data/.travis.yml +5 -0
  5. data/Dockerfile +18 -0
  6. data/Gemfile +12 -0
  7. data/Gemfile.lock +62 -0
  8. data/LICENSE.txt +21 -0
  9. data/README.md +58 -0
  10. data/Rakefile +6 -0
  11. data/bin/setup +8 -0
  12. data/bin/update_stigs.rb +42 -0
  13. data/criterion.gemspec +31 -0
  14. data/docker-compose.yml +14 -0
  15. data/exe/kriterion +16 -0
  16. data/lib/kriterion.rb +16 -0
  17. data/lib/kriterion/api.rb +27 -0
  18. data/lib/kriterion/backend.rb +13 -0
  19. data/lib/kriterion/backend/mongodb.rb +235 -0
  20. data/lib/kriterion/cli.rb +28 -0
  21. data/lib/kriterion/cli/api.rb +35 -0
  22. data/lib/kriterion/cli/worker.rb +35 -0
  23. data/lib/kriterion/event.rb +36 -0
  24. data/lib/kriterion/item.rb +42 -0
  25. data/lib/kriterion/logs.rb +14 -0
  26. data/lib/kriterion/metrics.rb +22 -0
  27. data/lib/kriterion/object.rb +50 -0
  28. data/lib/kriterion/report.rb +69 -0
  29. data/lib/kriterion/resource.rb +60 -0
  30. data/lib/kriterion/section.rb +32 -0
  31. data/lib/kriterion/standard.rb +65 -0
  32. data/lib/kriterion/version.rb +3 -0
  33. data/lib/kriterion/worker.rb +280 -0
  34. data/standards/cis_red_hat_enterprise_linux_7.json +34 -0
  35. data/standards/stig_a10_networks_adc_alg.json +209 -0
  36. data/standards/stig_a10_networks_adc_ndm.json +233 -0
  37. data/standards/stig_active_directory_domain.json +257 -0
  38. data/standards/stig_active_directory_forest.json +41 -0
  39. data/standards/stig_active_directory_service_2003.json +173 -0
  40. data/standards/stig_active_directory_service_2008.json +167 -0
  41. data/standards/stig_adobe_acrobat_pro_xi.json +167 -0
  42. data/standards/stig_adobe_acrobat_reader_dc_classic_track.json +179 -0
  43. data/standards/stig_adobe_acrobat_reader_dc_continuous_track.json +179 -0
  44. data/standards/stig_adobe_coldfusion_11.json +611 -0
  45. data/standards/stig_airwatch_mdm.json +185 -0
  46. data/standards/stig_aix_5.3.json +3095 -0
  47. data/standards/stig_aix_6.1.json +3047 -0
  48. data/standards/stig_akamai_ksd_service_impact_level_2_alg.json +209 -0
  49. data/standards/stig_akamai_ksd_service_impact_level_2_ndm.json +155 -0
  50. data/standards/stig_android_2.2_dell.json +311 -0
  51. data/standards/stig_apache_2.2_serverwindows.json +347 -0
  52. data/standards/stig_apache_2.2_sitewindows_security_implementation_guide.json +179 -0
  53. data/standards/stig_apache_server_2.0unix.json +341 -0
  54. data/standards/stig_apache_server_2.0windows.json +341 -0
  55. data/standards/stig_apache_server_2.2unix.json +347 -0
  56. data/standards/stig_apache_server_2.2windows.json +347 -0
  57. data/standards/stig_apache_site_2.0unix.json +185 -0
  58. data/standards/stig_apache_site_2.0windows.json +179 -0
  59. data/standards/stig_apache_site_2.2unix.json +185 -0
  60. data/standards/stig_apache_site_2.2windows.json +179 -0
  61. data/standards/stig_apple_ios6.json +341 -0
  62. data/standards/stig_apple_ios_10.json +245 -0
  63. data/standards/stig_apple_ios_11.json +269 -0
  64. data/standards/stig_apple_ios_4_good_mobility_suite_interim_security_configuration_guide_iscg.json +257 -0
  65. data/standards/stig_apple_ios_5.json +329 -0
  66. data/standards/stig_apple_ios_6.json +335 -0
  67. data/standards/stig_apple_ios_6_interim_security_configuration_guide_iscg.json +371 -0
  68. data/standards/stig_apple_ios_7.json +185 -0
  69. data/standards/stig_apple_ios_8_interim_security_configuration_guide.json +251 -0
  70. data/standards/stig_apple_ios_9_interim_security_configuration_guide.json +245 -0
  71. data/standards/stig_apple_os_x_10.10_yosemite_workstation.json +851 -0
  72. data/standards/stig_apple_os_x_10.11.json +725 -0
  73. data/standards/stig_apple_os_x_10.12.json +737 -0
  74. data/standards/stig_apple_os_x_10.8_mountain_lion_workstation.json +1241 -0
  75. data/standards/stig_apple_os_x_10.9_mavericks_workstation.json +809 -0
  76. data/standards/stig_application_layer_gateway_alg_security_requirements_guide_srg.json +911 -0
  77. data/standards/stig_application_layer_gateway_security_requirements_guide.json +911 -0
  78. data/standards/stig_application_security_and_development.json +1745 -0
  79. data/standards/stig_application_security_and_development_checklist.json +959 -0
  80. data/standards/stig_application_security_requirements_guide.json +1961 -0
  81. data/standards/stig_application_server_security_requirements_guide.json +791 -0
  82. data/standards/stig_arcgisserver_10.3.json +143 -0
  83. data/standards/stig_arista_mls_dcs-7000_series_l2s.json +53 -0
  84. data/standards/stig_arista_mls_dcs-7000_series_ndm.json +197 -0
  85. data/standards/stig_arista_mls_dcs-7000_series_rtr.json +143 -0
  86. data/standards/stig_bind_9.x.json +431 -0
  87. data/standards/stig_bind_dns.json +317 -0
  88. data/standards/stig_blackberry_10.2.x_os.json +179 -0
  89. data/standards/stig_blackberry_10_os.json +227 -0
  90. data/standards/stig_blackberry_bes_12.3.x_mdm.json +65 -0
  91. data/standards/stig_blackberry_bes_12.5.x_mdm.json +65 -0
  92. data/standards/stig_blackberry_device_service_6.2.json +425 -0
  93. data/standards/stig_blackberry_enterprise_mobility_server_2.x.json +149 -0
  94. data/standards/stig_blackberry_enterprise_server,_part_1.json +35 -0
  95. data/standards/stig_blackberry_enterprise_server,_part_2.json +155 -0
  96. data/standards/stig_blackberry_enterprise_server,_part_3.json +647 -0
  97. data/standards/stig_blackberry_enterprise_server_version_5.x,_part_1.json +35 -0
  98. data/standards/stig_blackberry_enterprise_server_version_5.x,_part_2.json +155 -0
  99. data/standards/stig_blackberry_enterprise_server_version_5.x,_part_3.json +653 -0
  100. data/standards/stig_blackberry_enterprise_service_v10.1.x_blackberry_device_service.json +317 -0
  101. data/standards/stig_blackberry_enterprise_service_v10.2.x_blackberry_device_service.json +263 -0
  102. data/standards/stig_blackberry_handheld_device.json +125 -0
  103. data/standards/stig_blackberry_os_10.3.x.json +257 -0
  104. data/standards/stig_blackberry_os_7.x.json +107 -0
  105. data/standards/stig_blackberry_os_7.x.x.json +101 -0
  106. data/standards/stig_blackberry_os_version_5-7.json +107 -0
  107. data/standards/stig_blackberry_playbook.json +65 -0
  108. data/standards/stig_blackberry_playbook_os_nea_mode.json +65 -0
  109. data/standards/stig_blackberry_playbook_os_v2.1.json +197 -0
  110. data/standards/stig_blackberry_uem_12.7.json +59 -0
  111. data/standards/stig_bluetoothzigbee.json +35 -0
  112. data/standards/stig_ca_api_gateway_alg.json +497 -0
  113. data/standards/stig_cisco_css_dns.json +71 -0
  114. data/standards/stig_cisco_ios_xe_release_3_ndm.json +395 -0
  115. data/standards/stig_cisco_ios_xe_release_3_rtr.json +149 -0
  116. data/standards/stig_cmd_management_server_policy.json +53 -0
  117. data/standards/stig_commercial_mobile_device_cmd_policy.json +83 -0
  118. data/standards/stig_csfc_campus_wlan_policy_security_implementation_guide.json +95 -0
  119. data/standards/stig_database_security_requirements_guide.json +767 -0
  120. data/standards/stig_dbn-6300_idps.json +107 -0
  121. data/standards/stig_dbn-6300_ndm.json +359 -0
  122. data/standards/stig_defense_switched_network.json +683 -0
  123. data/standards/stig_defense_switched_network_dsn.json +653 -0
  124. data/standards/stig_desktop_applications_general.json +41 -0
  125. data/standards/stig_dns_policy.json +155 -0
  126. data/standards/stig_domain_name_system_dns_security_requirements_guide.json +599 -0
  127. data/standards/stig_draft_aix.json +3503 -0
  128. data/standards/stig_edb_postgres_advanced_server.json +665 -0
  129. data/standards/stig_email_services_policy.json +137 -0
  130. data/standards/stig_exchange_2010_client_access_server.json +179 -0
  131. data/standards/stig_exchange_2010_edge_transport_server.json +389 -0
  132. data/standards/stig_exchange_2010_hub_transport_server.json +269 -0
  133. data/standards/stig_exchange_2010_mailbox_server.json +209 -0
  134. data/standards/stig_f5_big-ip_access_policy_manager_11.x.json +149 -0
  135. data/standards/stig_f5_big-ip_advanced_firewall_manager_11.x.json +41 -0
  136. data/standards/stig_f5_big-ip_application_security_manager_11.x.json +89 -0
  137. data/standards/stig_f5_big-ip_device_management_11.x.json +467 -0
  138. data/standards/stig_f5_big-ip_local_traffic_manager_11.x.json +407 -0
  139. data/standards/stig_final_draft_general_wireless_policy.json +71 -0
  140. data/standards/stig_firewall.json +449 -0
  141. data/standards/stig_firewall_-_cisco.json +449 -0
  142. data/standards/stig_firewall_security_requirements_guide.json +257 -0
  143. data/standards/stig_forescout_counteract_alg.json +83 -0
  144. data/standards/stig_forescout_counteract_ndm.json +239 -0
  145. data/standards/stig_free_space_optics_device.json +143 -0
  146. data/standards/stig_general_mobile_device_policy_non-enterprise_activated.json +113 -0
  147. data/standards/stig_general_mobile_device_technical_non-enterprise_activated.json +59 -0
  148. data/standards/stig_general_purpose_operating_system_srg.json +1199 -0
  149. data/standards/stig_general_wireless_policy.json +71 -0
  150. data/standards/stig_good_mobility_suite_server_android_os.json +203 -0
  151. data/standards/stig_good_mobility_suite_server_apple_ios_4_interim_security_configuration_guide_iscg.json +209 -0
  152. data/standards/stig_good_mobility_suite_server_windows_phone_6.5.json +449 -0
  153. data/standards/stig_goodenterprise_8.x.json +401 -0
  154. data/standards/stig_google_chrome_browser.json +209 -0
  155. data/standards/stig_google_chrome_current_windows.json +215 -0
  156. data/standards/stig_google_chrome_draft.json +281 -0
  157. data/standards/stig_google_chrome_v23_windows.json +275 -0
  158. data/standards/stig_google_chrome_v24_windows.json +263 -0
  159. data/standards/stig_google_chrome_v24_windows_benchmark.json +227 -0
  160. data/standards/stig_google_search_appliance.json +209 -0
  161. data/standards/stig_harris_secnet_11_54.json +89 -0
  162. data/standards/stig_hp-ux_11.23.json +3215 -0
  163. data/standards/stig_hp-ux_11.31.json +3155 -0
  164. data/standards/stig_hp-ux_smse.json +431 -0
  165. data/standards/stig_hpe_3par_storeserv_3.2.x.json +131 -0
  166. data/standards/stig_ibm_datapower_alg.json +401 -0
  167. data/standards/stig_ibm_datapower_network_device_management.json +395 -0
  168. data/standards/stig_ibm_db2_v10.5_luw.json +575 -0
  169. data/standards/stig_ibm_hardware_management_console_hmc.json +221 -0
  170. data/standards/stig_ibm_hardware_management_console_hmc_policies.json +35 -0
  171. data/standards/stig_ibm_maas360_v2.3.x_mdm.json +59 -0
  172. data/standards/stig_ibm_zvm_using_ca_vm:secure.json +473 -0
  173. data/standards/stig_idps_security_requirements_guide_srg.json +1865 -0
  174. data/standards/stig_idsips.json +257 -0
  175. data/standards/stig_iis6_server.json +221 -0
  176. data/standards/stig_iis6_site.json +263 -0
  177. data/standards/stig_iis_7.0_web_server.json +155 -0
  178. data/standards/stig_iis_7.0_web_site.json +299 -0
  179. data/standards/stig_iis_8.5_server.json +293 -0
  180. data/standards/stig_iis_8.5_site.json +347 -0
  181. data/standards/stig_infoblox_7.x_dns.json +419 -0
  182. data/standards/stig_infrastructure_l3_switch.json +599 -0
  183. data/standards/stig_infrastructure_l3_switch_-_cisco.json +659 -0
  184. data/standards/stig_infrastructure_l3_switch_secure_technical_implementation_guide_-_cisco.json +659 -0
  185. data/standards/stig_infrastructure_router.json +479 -0
  186. data/standards/stig_infrastructure_router_-_cisco.json +539 -0
  187. data/standards/stig_infrastructure_router_-_juniper.json +485 -0
  188. data/standards/stig_infrastructure_router__cisco.json +539 -0
  189. data/standards/stig_infrastructure_router__juniper.json +485 -0
  190. data/standards/stig_internet_explorer_8.json +821 -0
  191. data/standards/stig_internet_explorer_9.json +815 -0
  192. data/standards/stig_intrusion_detection_and_prevention_systems_idps_security_requirements_guide.json +371 -0
  193. data/standards/stig_ipsec_vpn_gateway.json +521 -0
  194. data/standards/stig_java_runtime_environment_jre_6_unix.json +65 -0
  195. data/standards/stig_java_runtime_environment_jre_6_win7.json +65 -0
  196. data/standards/stig_java_runtime_environment_jre_6_windows_xp.json +77 -0
  197. data/standards/stig_java_runtime_environment_jre_6_winxp.json +65 -0
  198. data/standards/stig_java_runtime_environment_jre_7_unix.json +65 -0
  199. data/standards/stig_java_runtime_environment_jre_7_win7.json +65 -0
  200. data/standards/stig_java_runtime_environment_jre_7_winxp.json +65 -0
  201. data/standards/stig_java_runtime_environment_jre_version_6_unix.json +77 -0
  202. data/standards/stig_java_runtime_environment_jre_version_6_windows_7.json +77 -0
  203. data/standards/stig_java_runtime_environment_jre_version_6_windows_xp.json +65 -0
  204. data/standards/stig_java_runtime_environment_jre_version_7_unix.json +77 -0
  205. data/standards/stig_java_runtime_environment_jre_version_7_windows_7.json +77 -0
  206. data/standards/stig_java_runtime_environment_jre_version_7_winxp.json +77 -0
  207. data/standards/stig_java_runtime_environment_jre_version_8_unix.json +107 -0
  208. data/standards/stig_java_runtime_environment_jre_version_8_windows.json +107 -0
  209. data/standards/stig_jboss_eap_6.3.json +413 -0
  210. data/standards/stig_juniper_srx_sg_alg.json +155 -0
  211. data/standards/stig_juniper_srx_sg_idps.json +179 -0
  212. data/standards/stig_juniper_srx_sg_ndm.json +443 -0
  213. data/standards/stig_juniper_srx_sg_vpn.json +185 -0
  214. data/standards/stig_keyboard_video_and_mouse_switch.json +269 -0
  215. data/standards/stig_l3_kov-26_talon_wireless_role.json +77 -0
  216. data/standards/stig_layer_2_switch.json +347 -0
  217. data/standards/stig_layer_2_switch_-_cisco.json +365 -0
  218. data/standards/stig_lg_android_5.x_interim_security_configuration_guide.json +245 -0
  219. data/standards/stig_lg_android_6.x.json +281 -0
  220. data/standards/stig_mac_osx_10.6_workstation.json +1319 -0
  221. data/standards/stig_mac_osx_10.6_workstation_draft.json +1319 -0
  222. data/standards/stig_mainframe_product_security_requirements_guide.json +1115 -0
  223. data/standards/stig_mcafee_application_control_7.x.json +203 -0
  224. data/standards/stig_mcafee_move_2.63.6.1_multi-platform_client.json +149 -0
  225. data/standards/stig_mcafee_move_2.63.6.1_multi-platform_oss.json +101 -0
  226. data/standards/stig_mcafee_move_2.6_multi-platform_client.json +149 -0
  227. data/standards/stig_mcafee_move_2.6_multi-platform_oss.json +101 -0
  228. data/standards/stig_mcafee_move_3.6.1_multi-platform_client.json +149 -0
  229. data/standards/stig_mcafee_move_3.6.1_multi-platform_oss.json +101 -0
  230. data/standards/stig_mcafee_move_agentless_3.03.6.1_security_virtual_appliance.json +167 -0
  231. data/standards/stig_mcafee_move_agentless_3.0_security_virtual_appliance.json +167 -0
  232. data/standards/stig_mcafee_move_agentless_3.0_vsel_1.9sva.json +203 -0
  233. data/standards/stig_mcafee_move_agentless_3.6.1_security_virtual_appliance.json +167 -0
  234. data/standards/stig_mcafee_move_av_agentless_4.5.json +155 -0
  235. data/standards/stig_mcafee_move_av_multi-platform_4.5.json +215 -0
  236. data/standards/stig_mcafee_virusscan_8.8_local_client.json +533 -0
  237. data/standards/stig_mcafee_virusscan_8.8_managed_client.json +533 -0
  238. data/standards/stig_mcafee_vsel_1.92.0_local_client.json +245 -0
  239. data/standards/stig_mcafee_vsel_1.92.0_managed_client.json +239 -0
  240. data/standards/stig_mdm_server_policy.json +47 -0
  241. data/standards/stig_microsoft_access_2003.json +47 -0
  242. data/standards/stig_microsoft_access_2007.json +77 -0
  243. data/standards/stig_microsoft_access_2010.json +119 -0
  244. data/standards/stig_microsoft_access_2013.json +113 -0
  245. data/standards/stig_microsoft_access_2016.json +107 -0
  246. data/standards/stig_microsoft_dot_net_framework_4.0.json +101 -0
  247. data/standards/stig_microsoft_excel_2003.json +47 -0
  248. data/standards/stig_microsoft_excel_2007.json +155 -0
  249. data/standards/stig_microsoft_excel_2010.json +287 -0
  250. data/standards/stig_microsoft_excel_2013.json +293 -0
  251. data/standards/stig_microsoft_excel_2016.json +257 -0
  252. data/standards/stig_microsoft_exchange_2010_client_access_server_role.json +71 -0
  253. data/standards/stig_microsoft_exchange_2010_core_server.json +47 -0
  254. data/standards/stig_microsoft_exchange_2010_edge_transport_server_role.json +233 -0
  255. data/standards/stig_microsoft_exchange_2010_hub_transport_server_role.json +125 -0
  256. data/standards/stig_microsoft_exchange_2010_mailbox_server_role.json +107 -0
  257. data/standards/stig_microsoft_exchange_server_2003.json +647 -0
  258. data/standards/stig_microsoft_groove_2013.json +71 -0
  259. data/standards/stig_microsoft_ie_version_6.json +599 -0
  260. data/standards/stig_microsoft_ie_version_7.json +749 -0
  261. data/standards/stig_microsoft_infopath_2003.json +41 -0
  262. data/standards/stig_microsoft_infopath_2007.json +167 -0
  263. data/standards/stig_microsoft_infopath_2010.json +155 -0
  264. data/standards/stig_microsoft_infopath_2013.json +149 -0
  265. data/standards/stig_microsoft_internet_explorer_10.json +857 -0
  266. data/standards/stig_microsoft_internet_explorer_11.json +839 -0
  267. data/standards/stig_microsoft_internet_explorer_9.json +821 -0
  268. data/standards/stig_microsoft_lync_2013.json +29 -0
  269. data/standards/stig_microsoft_office_system_2007.json +221 -0
  270. data/standards/stig_microsoft_office_system_2010.json +233 -0
  271. data/standards/stig_microsoft_office_system_2013.json +293 -0
  272. data/standards/stig_microsoft_office_system_2016.json +131 -0
  273. data/standards/stig_microsoft_onedrivebusiness_2016.json +89 -0
  274. data/standards/stig_microsoft_onenote_2010.json +77 -0
  275. data/standards/stig_microsoft_onenote_2013.json +71 -0
  276. data/standards/stig_microsoft_onenote_2016.json +71 -0
  277. data/standards/stig_microsoft_outlook_2003.json +65 -0
  278. data/standards/stig_microsoft_outlook_2007.json +479 -0
  279. data/standards/stig_microsoft_outlook_2010.json +515 -0
  280. data/standards/stig_microsoft_outlook_2013.json +497 -0
  281. data/standards/stig_microsoft_outlook_2016.json +359 -0
  282. data/standards/stig_microsoft_powerpoint_2003.json +47 -0
  283. data/standards/stig_microsoft_powerpoint_2007.json +131 -0
  284. data/standards/stig_microsoft_powerpoint_2010.json +191 -0
  285. data/standards/stig_microsoft_powerpoint_2013.json +251 -0
  286. data/standards/stig_microsoft_powerpoint_2016.json +233 -0
  287. data/standards/stig_microsoft_project_2010.json +83 -0
  288. data/standards/stig_microsoft_project_2013.json +95 -0
  289. data/standards/stig_microsoft_project_2016.json +95 -0
  290. data/standards/stig_microsoft_publisher_2010.json +107 -0
  291. data/standards/stig_microsoft_publisher_2013.json +101 -0
  292. data/standards/stig_microsoft_publisher_2016.json +101 -0
  293. data/standards/stig_microsoft_sharepoint_designer_2013.json +71 -0
  294. data/standards/stig_microsoft_skypebusiness_2016.json +29 -0
  295. data/standards/stig_microsoft_sql_server_2005_database.json +167 -0
  296. data/standards/stig_microsoft_sql_server_2005_instance.json +1001 -0
  297. data/standards/stig_microsoft_sql_server_2012_database.json +179 -0
  298. data/standards/stig_microsoft_sql_server_2012_database_instance.json +929 -0
  299. data/standards/stig_microsoft_visio_2013.json +89 -0
  300. data/standards/stig_microsoft_visio_2016.json +89 -0
  301. data/standards/stig_microsoft_windows_10_mobile.json +215 -0
  302. data/standards/stig_microsoft_windows_2008_server_domain_name_system.json +269 -0
  303. data/standards/stig_microsoft_windows_2012_server_domain_name_system.json +551 -0
  304. data/standards/stig_microsoft_windows_phone_8.1.json +161 -0
  305. data/standards/stig_microsoft_windows_server_2012_domain_controller.json +2633 -0
  306. data/standards/stig_microsoft_windows_server_2012_member_server.json +2411 -0
  307. data/standards/stig_microsoft_word_2003.json +47 -0
  308. data/standards/stig_microsoft_word_2007.json +119 -0
  309. data/standards/stig_microsoft_word_2010.json +221 -0
  310. data/standards/stig_microsoft_word_2013.json +221 -0
  311. data/standards/stig_microsoft_word_2016.json +215 -0
  312. data/standards/stig_mobile_application_management_mam_server.json +95 -0
  313. data/standards/stig_mobile_application_security_requirements_guide.json +233 -0
  314. data/standards/stig_mobile_device_integrity_scanning_mdis_server.json +119 -0
  315. data/standards/stig_mobile_device_management_mdm_server.json +125 -0
  316. data/standards/stig_mobile_device_manager_security_requirements_guide.json +2555 -0
  317. data/standards/stig_mobile_email_management_mem_server.json +197 -0
  318. data/standards/stig_mobile_operating_system_security_requirements_guide.json +1943 -0
  319. data/standards/stig_mobile_policy.json +35 -0
  320. data/standards/stig_mobile_policy_security_requirements_guide.json +437 -0
  321. data/standards/stig_mobileiron_core_v9.x_mdm.json +89 -0
  322. data/standards/stig_mobility_policy.json +65 -0
  323. data/standards/stig_mozilla_firefox.json +161 -0
  324. data/standards/stig_ms_exchange_2013_client_access_server.json +209 -0
  325. data/standards/stig_ms_exchange_2013_edge_transport_server.json +443 -0
  326. data/standards/stig_ms_exchange_2013_mailbox_server.json +437 -0
  327. data/standards/stig_ms_sharepoint_2010.json +269 -0
  328. data/standards/stig_ms_sharepoint_2013.json +245 -0
  329. data/standards/stig_ms_sharepoint_designer_2013.json +71 -0
  330. data/standards/stig_ms_sql_server_2014_database.json +263 -0
  331. data/standards/stig_ms_sql_server_2014_instance.json +575 -0
  332. data/standards/stig_ms_sql_server_2016_database.json +185 -0
  333. data/standards/stig_ms_sql_server_2016_instance.json +731 -0
  334. data/standards/stig_ms_windows_defender_antivirus.json +257 -0
  335. data/standards/stig_multifunction_device_and_network_printers.json +131 -0
  336. data/standards/stig_network_device_management_security_requirements_guide.json +863 -0
  337. data/standards/stig_network_devices.json +389 -0
  338. data/standards/stig_network_infrastructure_policy.json +455 -0
  339. data/standards/stig_network_security_requirements_guide.json +1961 -0
  340. data/standards/stig_operating_system_security_requirements_guide.json +1961 -0
  341. data/standards/stig_oracle_10_database_installation.json +527 -0
  342. data/standards/stig_oracle_10_database_instance.json +569 -0
  343. data/standards/stig_oracle_11_database_installation.json +527 -0
  344. data/standards/stig_oracle_11_database_instance.json +551 -0
  345. data/standards/stig_oracle_database_10g_installation.json +527 -0
  346. data/standards/stig_oracle_database_10g_instance.json +581 -0
  347. data/standards/stig_oracle_database_11.2g.json +1229 -0
  348. data/standards/stig_oracle_database_11g_installation.json +527 -0
  349. data/standards/stig_oracle_database_11g_instance.json +575 -0
  350. data/standards/stig_oracle_database_12c.json +1217 -0
  351. data/standards/stig_oracle_http_server_12.1.3.json +1703 -0
  352. data/standards/stig_oracle_linux_5.json +3431 -0
  353. data/standards/stig_oracle_linux_6.json +1583 -0
  354. data/standards/stig_oracle_weblogic_server_12c.json +443 -0
  355. data/standards/stig_palo_alto_networks_alg.json +311 -0
  356. data/standards/stig_palo_alto_networks_idps.json +185 -0
  357. data/standards/stig_palo_alto_networks_ndm.json +251 -0
  358. data/standards/stig_pda.json +83 -0
  359. data/standards/stig_pdasmartphone.json +95 -0
  360. data/standards/stig_perimeter_l3_switch.json +923 -0
  361. data/standards/stig_perimeter_l3_switch_-_cisco.json +1001 -0
  362. data/standards/stig_perimeter_router.json +803 -0
  363. data/standards/stig_perimeter_router_cisco.json +881 -0
  364. data/standards/stig_perimeter_router_juniper.json +803 -0
  365. data/standards/stig_postgresql_9.x.json +677 -0
  366. data/standards/stig_red_hat_enterprise_linux_5.json +3437 -0
  367. data/standards/stig_red_hat_enterprise_linux_6.json +1565 -0
  368. data/standards/stig_red_hat_enterprise_linux_7.json +1451 -0
  369. data/standards/stig_remote_access_policy.json +317 -0
  370. data/standards/stig_removable_storage_and_external_connection_technologies.json +143 -0
  371. data/standards/stig_removable_storage_and_external_connections.json +137 -0
  372. data/standards/stig_rfid_scanner.json +35 -0
  373. data/standards/stig_rfid_workstation.json +23 -0
  374. data/standards/stig_riverbed_steelhead_cx_v8_alg.json +83 -0
  375. data/standards/stig_riverbed_steelhead_cx_v8_ndm.json +371 -0
  376. data/standards/stig_router_security_requirements_guide.json +575 -0
  377. data/standards/stig_samsung_android_os_5_with_knox_2.0.json +365 -0
  378. data/standards/stig_samsung_android_os_6_with_knox_2.x.json +377 -0
  379. data/standards/stig_samsung_android_os_7_with_knox_2.x.json +443 -0
  380. data/standards/stig_samsung_android_with_knox_1.x.json +293 -0
  381. data/standards/stig_samsung_android_with_knox_2.x.json +371 -0
  382. data/standards/stig_samsung_knox_android_1.0.json +167 -0
  383. data/standards/stig_sharepoint_2010.json +269 -0
  384. data/standards/stig_sharepoint_2013.json +245 -0
  385. data/standards/stig_smartphone_policy.json +131 -0
  386. data/standards/stig_solaris_10_sparc.json +3029 -0
  387. data/standards/stig_solaris_10_x86.json +3065 -0
  388. data/standards/stig_solaris_11_sparc.json +1427 -0
  389. data/standards/stig_solaris_11_x86.json +1421 -0
  390. data/standards/stig_solaris_9_sparc.json +2915 -0
  391. data/standards/stig_solaris_9_x86.json +2915 -0
  392. data/standards/stig_sun_ray_4.json +185 -0
  393. data/standards/stig_sun_ray_4_policy.json +77 -0
  394. data/standards/stig_suse_linux_enterprise_server_v11system_z.json +3311 -0
  395. data/standards/stig_symantec_endpoint_protection_12.1_local_client_antivirus.json +689 -0
  396. data/standards/stig_symantec_endpoint_protection_12.1_managed_client_antivirus.json +695 -0
  397. data/standards/stig_tanium_6.5.json +461 -0
  398. data/standards/stig_tanium_7.0.json +803 -0
  399. data/standards/stig_test_and_development_zone_a.json +167 -0
  400. data/standards/stig_test_and_development_zone_b.json +179 -0
  401. data/standards/stig_test_and_development_zone_c.json +143 -0
  402. data/standards/stig_test_and_development_zone_d.json +143 -0
  403. data/standards/stig_traditional_security.json +917 -0
  404. data/standards/stig_unix_srg.json +3287 -0
  405. data/standards/stig_video_services_policy.json +497 -0
  406. data/standards/stig_video_teleconference.json +47 -0
  407. data/standards/stig_video_teleconference_vtc.json +12 -0
  408. data/standards/stig_vmware_esx_3_policy.json +155 -0
  409. data/standards/stig_vmware_esx_3_server.json +3791 -0
  410. data/standards/stig_vmware_esx_3_virtual_center.json +257 -0
  411. data/standards/stig_vmware_esx_3_virtual_machine.json +53 -0
  412. data/standards/stig_vmware_esxi_server_5.0.json +809 -0
  413. data/standards/stig_vmware_esxi_v5.json +5177 -0
  414. data/standards/stig_vmware_esxi_version_5_virtual_machine.json +317 -0
  415. data/standards/stig_vmware_nsx_distributed_firewall.json +83 -0
  416. data/standards/stig_vmware_nsx_distributed_logical_router.json +35 -0
  417. data/standards/stig_vmware_nsx_manager.json +191 -0
  418. data/standards/stig_vmware_vcenter_server.json +179 -0
  419. data/standards/stig_vmware_vcenter_server_version_5.json +149 -0
  420. data/standards/stig_vmware_vsphere_esxi_6.0.json +659 -0
  421. data/standards/stig_vmware_vsphere_vcenter_server_version_6.json +311 -0
  422. data/standards/stig_vmware_vsphere_virtual_machine_version_6.json +269 -0
  423. data/standards/stig_voice_and_video_over_internet_protocol_vvoip_policy.json +407 -0
  424. data/standards/stig_voice_video_endpoint_security_requirements_guide.json +395 -0
  425. data/standards/stig_voice_video_services_policy.json +671 -0
  426. data/standards/stig_voice_video_session_management_security_requirements_guide.json +329 -0
  427. data/standards/stig_voicevideo_over_internet_protocol.json +419 -0
  428. data/standards/stig_voicevideo_over_internet_protocol_vvoip.json +263 -0
  429. data/standards/stig_voicevideo_services_policy.json +569 -0
  430. data/standards/stig_web_policy.json +95 -0
  431. data/standards/stig_web_server.json +317 -0
  432. data/standards/stig_web_server_security_requirements_guide.json +587 -0
  433. data/standards/stig_win2k3_audit.json +761 -0
  434. data/standards/stig_win2k8_audit.json +1085 -0
  435. data/standards/stig_win2k8_r2_audit.json +1637 -0
  436. data/standards/stig_win7_audit.json +1613 -0
  437. data/standards/stig_windows_10.json +1691 -0
  438. data/standards/stig_windows_2003_domain_controller.json +893 -0
  439. data/standards/stig_windows_2003_member_server.json +845 -0
  440. data/standards/stig_windows_2008_domain_controller.json +1475 -0
  441. data/standards/stig_windows_2008_member_server.json +1301 -0
  442. data/standards/stig_windows_7.json +1781 -0
  443. data/standards/stig_windows_8.json +2399 -0
  444. data/standards/stig_windows_88.1.json +2273 -0
  445. data/standards/stig_windows_8_8.1.json +2297 -0
  446. data/standards/stig_windows_defender_antivirus.json +239 -0
  447. data/standards/stig_windows_dns.json +185 -0
  448. data/standards/stig_windows_firewall_with_advanced_security.json +137 -0
  449. data/standards/stig_windows_paw.json +155 -0
  450. data/standards/stig_windows_phone_6.5_with_good_mobility_suite.json +65 -0
  451. data/standards/stig_windows_server_2008_r2_domain_controller.json +1961 -0
  452. data/standards/stig_windows_server_2008_r2_member_server.json +1745 -0
  453. data/standards/stig_windows_server_20122012_r2_domain_controller.json +2255 -0
  454. data/standards/stig_windows_server_20122012_r2_member_server.json +2045 -0
  455. data/standards/stig_windows_server_2012_2012_r2_domain_controller.json +2279 -0
  456. data/standards/stig_windows_server_2012_2012_r2_member_server.json +2075 -0
  457. data/standards/stig_windows_server_2012_domain_controller.json +2471 -0
  458. data/standards/stig_windows_server_2012_member_server.json +2249 -0
  459. data/standards/stig_windows_server_2016.json +1661 -0
  460. data/standards/stig_windows_vista.json +1517 -0
  461. data/standards/stig_windows_xp.json +893 -0
  462. data/standards/stig_wireless_keyboard_and_mouse.json +23 -0
  463. data/standards/stig_wireless_management_server_policy.json +53 -0
  464. data/standards/stig_wireless_remote_access_policy_security_implementation_guide.json +29 -0
  465. data/standards/stig_wlan_access_point_enclave-niprnet_connected.json +227 -0
  466. data/standards/stig_wlan_access_point_internet_gateway_only_connection.json +209 -0
  467. data/standards/stig_wlan_access_point_policy.json +17 -0
  468. data/standards/stig_wlan_authentication_server.json +29 -0
  469. data/standards/stig_wlan_bridge.json +209 -0
  470. data/standards/stig_wlan_client.json +65 -0
  471. data/standards/stig_wlan_controller.json +215 -0
  472. data/standards/stig_wlan_ids_sensorserver.json +23 -0
  473. data/standards/stig_wman_access_point.json +263 -0
  474. data/standards/stig_wman_bridge.json +209 -0
  475. data/standards/stig_wman_subscriber.json +65 -0
  476. data/standards/stig_zos_acf2.json +1451 -0
  477. data/standards/stig_zos_bmc_control-dacf2.json +53 -0
  478. data/standards/stig_zos_bmc_control-dracf.json +59 -0
  479. data/standards/stig_zos_bmc_control-dtss.json +65 -0
  480. data/standards/stig_zos_bmc_control-macf2.json +59 -0
  481. data/standards/stig_zos_bmc_control-mracf.json +65 -0
  482. data/standards/stig_zos_bmc_control-mrestartacf2.json +23 -0
  483. data/standards/stig_zos_bmc_control-mrestartracf.json +23 -0
  484. data/standards/stig_zos_bmc_control-mrestarttss.json +23 -0
  485. data/standards/stig_zos_bmc_control-mtss.json +71 -0
  486. data/standards/stig_zos_bmc_control-oacf2.json +53 -0
  487. data/standards/stig_zos_bmc_control-oracf.json +59 -0
  488. data/standards/stig_zos_bmc_control-otss.json +65 -0
  489. data/standards/stig_zos_bmc_ioaacf2.json +53 -0
  490. data/standards/stig_zos_bmc_ioaracf.json +59 -0
  491. data/standards/stig_zos_bmc_ioatss.json +65 -0
  492. data/standards/stig_zos_bmc_mainviewzosacf2.json +47 -0
  493. data/standards/stig_zos_bmc_mainviewzosracf.json +53 -0
  494. data/standards/stig_zos_bmc_mainviewzostss.json +59 -0
  495. data/standards/stig_zos_ca_1_tape_managementacf2.json +65 -0
  496. data/standards/stig_zos_ca_1_tape_managementracf.json +77 -0
  497. data/standards/stig_zos_ca_1_tape_managementtss.json +77 -0
  498. data/standards/stig_zos_ca_auditoracf2.json +29 -0
  499. data/standards/stig_zos_ca_auditorracf.json +29 -0
  500. data/standards/stig_zos_ca_auditortss.json +29 -0
  501. data/standards/stig_zos_ca_common_servicesacf2.json +23 -0
  502. data/standards/stig_zos_ca_common_servicesracf.json +29 -0
  503. data/standards/stig_zos_ca_common_servicestss.json +29 -0
  504. data/standards/stig_zos_ca_micsacf2.json +23 -0
  505. data/standards/stig_zos_ca_micsracf.json +23 -0
  506. data/standards/stig_zos_ca_micstss.json +23 -0
  507. data/standards/stig_zos_ca_mimacf2.json +41 -0
  508. data/standards/stig_zos_ca_mimracf.json +47 -0
  509. data/standards/stig_zos_ca_mimtss.json +47 -0
  510. data/standards/stig_zos_ca_vtapeacf2.json +29 -0
  511. data/standards/stig_zos_ca_vtaperacf.json +35 -0
  512. data/standards/stig_zos_ca_vtapetss.json +35 -0
  513. data/standards/stig_zos_catalog_solutionsacf2.json +23 -0
  514. data/standards/stig_zos_catalog_solutionsracf.json +23 -0
  515. data/standards/stig_zos_catalog_solutionstss.json +23 -0
  516. data/standards/stig_zos_clsupersessionacf2.json +53 -0
  517. data/standards/stig_zos_clsupersessionracf.json +65 -0
  518. data/standards/stig_zos_clsupersessiontss.json +71 -0
  519. data/standards/stig_zos_compuware_abend-aidacf2.json +47 -0
  520. data/standards/stig_zos_compuware_abend-aidracf.json +53 -0
  521. data/standards/stig_zos_compuware_abend-aidtss.json +53 -0
  522. data/standards/stig_zos_cssmtpacf2.json +23 -0
  523. data/standards/stig_zos_cssmtpracf.json +29 -0
  524. data/standards/stig_zos_cssmtptss.json +29 -0
  525. data/standards/stig_zos_fdracf2.json +23 -0
  526. data/standards/stig_zos_fdrracf.json +23 -0
  527. data/standards/stig_zos_fdrtss.json +23 -0
  528. data/standards/stig_zos_hcdacf2.json +29 -0
  529. data/standards/stig_zos_hcdracf.json +29 -0
  530. data/standards/stig_zos_hcdtss.json +29 -0
  531. data/standards/stig_zos_ibm_cics_transaction_serveracf2.json +17 -0
  532. data/standards/stig_zos_ibm_cics_transaction_serverracf.json +17 -0
  533. data/standards/stig_zos_ibm_cics_transaction_servertss.json +17 -0
  534. data/standards/stig_zos_ibm_health_checkeracf2.json +23 -0
  535. data/standards/stig_zos_ibm_health_checkerracf.json +29 -0
  536. data/standards/stig_zos_ibm_health_checkertss.json +29 -0
  537. data/standards/stig_zos_ibm_system_display_and_search_facility_sdsfacf2.json +53 -0
  538. data/standards/stig_zos_ibm_system_display_and_search_facility_sdsfracf.json +59 -0
  539. data/standards/stig_zos_ibm_system_display_and_search_facility_sdsftss.json +53 -0
  540. data/standards/stig_zos_icsfacf2.json +29 -0
  541. data/standards/stig_zos_icsfracf.json +35 -0
  542. data/standards/stig_zos_icsftss.json +35 -0
  543. data/standards/stig_zos_netviewacf2.json +41 -0
  544. data/standards/stig_zos_netviewracf.json +47 -0
  545. data/standards/stig_zos_netviewtss.json +53 -0
  546. data/standards/stig_zos_quest_nc-passacf2.json +35 -0
  547. data/standards/stig_zos_quest_nc-passracf.json +41 -0
  548. data/standards/stig_zos_quest_nc-passtss.json +47 -0
  549. data/standards/stig_zos_racf.json +1415 -0
  550. data/standards/stig_zos_roscoeacf2.json +47 -0
  551. data/standards/stig_zos_roscoeracf.json +53 -0
  552. data/standards/stig_zos_roscoetss.json +59 -0
  553. data/standards/stig_zos_srrauditacf2.json +23 -0
  554. data/standards/stig_zos_srrauditracf.json +23 -0
  555. data/standards/stig_zos_srraudittss.json +23 -0
  556. data/standards/stig_zos_tadzacf2.json +29 -0
  557. data/standards/stig_zos_tadzracf.json +35 -0
  558. data/standards/stig_zos_tadztss.json +35 -0
  559. data/standards/stig_zos_tdmfacf2.json +23 -0
  560. data/standards/stig_zos_tdmfracf.json +23 -0
  561. data/standards/stig_zos_tdmftss.json +23 -0
  562. data/standards/stig_zos_tss.json +1523 -0
  563. data/standards/stig_zos_vssracf.json +29 -0
  564. metadata +691 -0
@@ -0,0 +1,1961 @@
1
+ {
2
+ "name": "stig_network_security_requirements_guide",
3
+ "date": "2011-12-28",
4
+ "description": "None",
5
+ "title": "Network Security Requirements Guide",
6
+ "version": "None",
7
+ "item_syntax": "^\\w-\\d+$",
8
+ "section_separator": null,
9
+ "items": [
10
+ {
11
+ "id": "V-26709",
12
+ "title": "The network element must provide automated support for account management functions.",
13
+ "description": "Account management and distribution is vital to the security of any network element. Account management by a designated authority ensures access to network elements is being controlled in a secured manner by granting access to only authorized personnel with the appropriate and necessary privileges. Providing automated support functions for the management of accounts will ensure only active accounts will be granted access with the proper authorization levels. As accounts are created or terminated and privilege levels are updated, the network element will automatically recognize this activity and immediately enforce the current account policy.",
14
+ "severity": "medium"
15
+ },
16
+ {
17
+ "id": "V-26710",
18
+ "title": "The network element must automatically terminate temporary accounts after an organization-defined time period for each type of account. ",
19
+ "description": "Authentication for administrative access to the device is required at all times. A single account can be created on the device's local database for use in an emergency such as when the authentication server is down or connectivity between the device and the authentication server is not operable. Temporary accounts could be used for vendor support in order to perform diagnostic. There is a risk the temporary account may remain in place and active after the vendor support team has left. The temporary account could have the highest privilege level which would enable an administrator to gain unauthorized privileges to the device.",
20
+ "severity": "medium"
21
+ },
22
+ {
23
+ "id": "V-26711",
24
+ "title": "The network element must automatically terminate emergency accounts after an organization-defined time period.",
25
+ "description": "Authentication for administrative access to the device is required at all times. A single account can be created on the device's local database for use in an emergency such as when the authentication server is down or connectivity between the device and the authentication server is not operable. The emergency account logon credentials must be stored in a sealed envelope and kept in a safe. Temporary accounts could be used for vendor support in order to perform diagnostic. There is a risk the temporary account may remain in place and active after the vendor support team has left.",
26
+ "severity": "medium"
27
+ },
28
+ {
29
+ "id": "V-26712",
30
+ "title": "The network element must automatically disable inactive accounts after an organization-defined time period of inactivity.",
31
+ "description": "There is always a risk for inactive accounts to be compromised by unauthorized users who could then gain full control of the device; thereby enabling them to trigger a Denial of Service, intercept sensitive information, or disrupt network availability.\n\nAttackers that are able to exploit an inactive account can potentially obtain and maintain undetected access to an application. Network elements need to track periods of user inactivity and disable application accounts after an organization-defined period of inactivity. Such a process greatly reduces the risk that accounts will be misused, hijacked, or data compromised. \n\nTo address the multitude of policy based access requirements, many network administrators choose to integrate their network elements with enterprise level authentication/access mechanisms that meet or exceed access control policy requirements. Such integration allows the network administrator to off-load those access control functions and focus on core application features and functionality.",
32
+ "severity": "medium"
33
+ },
34
+ {
35
+ "id": "V-26713",
36
+ "title": "The network element must automatically audit the creation of accounts.",
37
+ "description": "Account management and distribution is vital to the security of any network element. Account management by a designated authority ensures access to network elements is being controlled in a secured manner by granting access to only authorized personnel with the appropriate and necessary privileges. Without a formal approval process for the deployment and modification of accounts, personnel without the proper security clearance may gain access to critical network nodes. It is imperative that all personnel who are granted accounts have completed and submitted the proper request forms and have been approved by the designated authority. Auditing account creation and modification will provide the necessary reconciliation that account management procedures are being followed.",
38
+ "severity": "medium"
39
+ },
40
+ {
41
+ "id": "V-26714",
42
+ "title": "The network element must notify the appropriate individuals when accounts are created.",
43
+ "description": "Account management and distribution is vital to the security of any network element. Account management by a designated authority ensures access to network elements is being controlled in a secured manner by granting access to only authorized personnel with the appropriate and necessary privileges. Without a formal approval process for the deployment and modification of accounts, personnel without the proper security clearance may gain access to critical network nodes. It is imperative that all personnel who are granted accounts have completed and submitted the proper request forms and have been approved by the designated authority. Auditing account creation and modification along with an automatic notification to appropriate individuals will provide the necessary reconciliation that account management procedures are being followed.",
44
+ "severity": "medium"
45
+ },
46
+ {
47
+ "id": "V-26715",
48
+ "title": "The network element must automatically audit account modification.",
49
+ "description": "Account management and distribution is vital to the security of any network element. Account management by a designated authority ensures access to network elements is being controlled in a secured manner by granting access to only authorized personnel with the appropriate and necessary privileges. Without a formal approval process for the deployment and modification of accounts, personnel without the proper security clearance may gain access to critical network nodes. It is imperative that all personnel who are granted accounts have completed and submitted the proper request forms and have been approved by the designated authority. Auditing account creation and modification along with an automatic notification to appropriate individuals will provide the necessary reconciliation that account management procedures are being followed.",
50
+ "severity": "medium"
51
+ },
52
+ {
53
+ "id": "V-26716",
54
+ "title": "The network element must notify the appropriate individuals when accounts are modified.",
55
+ "description": "Account management and distribution is vital to the security of any network element. Account management by a designated authority ensures access to network elements is being controlled in a secured manner by granting access to only authorized personnel with the appropriate and necessary privileges. Without a formal approval process for the deployment and modification of accounts, personnel without the proper security clearance may gain access to critical network nodes. It is imperative that all personnel who are granted accounts have completed and submitted the proper request forms and have been approved by the designated authority. Auditing account creation and modification along with an automatic notification to appropriate individuals will provide the necessary reconciliation that account management procedures are being followed.",
56
+ "severity": "medium"
57
+ },
58
+ {
59
+ "id": "V-26717",
60
+ "title": "The network element must automatically audit account disabling actions.",
61
+ "description": "Account management by a designated authority ensures access to network elements is being controlled in a secured manner by granting access to only authorized personnel with the appropriate and necessary privileges. Auditing account creation and modification along with an automatic notification to appropriate individuals will provide the necessary reconciliation that account management procedures are being followed. It is also vital that the disablement of accounts is monitored to ensure that authorized active accounts remain enabled and available for use when required.",
62
+ "severity": "medium"
63
+ },
64
+ {
65
+ "id": "V-26718",
66
+ "title": "The network element must notify the appropriate individuals when account disabling actions are taken.",
67
+ "description": "Account management by a designated authority ensures access to network elements is being controlled in a secured manner by granting access to only authorized personnel with the appropriate and necessary privileges. Auditing account creation and modification along with an automatic notification to appropriate individuals will provide the necessary reconciliation that account management procedures are being followed. It is also vital that the disablement of accounts is monitored to ensure that authorized active accounts remain enabled and available for use when required. Notifying the individual whose account has been disabled will provide an alert so that the account can be enabled if it had been disabled by mistake.",
68
+ "severity": "medium"
69
+ },
70
+ {
71
+ "id": "V-26719",
72
+ "title": "The network element must automatically audit account termination.",
73
+ "description": "Account management by a designated authority ensures access to network elements is being controlled in a secured manner by granting access to only authorized personnel with the appropriate and necessary privileges. Auditing account creation and modification along with an automatic notification to appropriate individuals will provide the necessary reconciliation that account management procedures are being followed. It is also vital that the termination of accounts is monitored to ensure that authorized accounts remain active and available for use when required.",
74
+ "severity": "medium"
75
+ },
76
+ {
77
+ "id": "V-26720",
78
+ "title": "The network element must notify the appropriate individuals for account termination.",
79
+ "description": "Account management by a designated authority ensures access to network elements is being controlled in a secured manner by granting access to only authorized personnel with the appropriate and necessary privileges. Auditing account creation and modification along with an automatic notification to appropriate individuals will provide the necessary reconciliation that account management procedures are being followed. It is also vital that the termination of accounts is monitored to ensure that authorized accounts remain active and available for use when required. Notifying the individual whose account has been terminated will provide an alert so that the account can be reinstated if it had been terminated by mistake.",
80
+ "severity": "medium"
81
+ },
82
+ {
83
+ "id": "V-26721",
84
+ "title": "The network element must monitor for irregular usage of administrative user accounts.",
85
+ "description": "Atypical account usage is behavior that is not part of normal usage cycles, e.g., accounts logging in after hours or on weekends.",
86
+ "severity": "medium"
87
+ },
88
+ {
89
+ "id": "V-26722",
90
+ "title": "The network element must be configured to dynamically manage administrative privileges and associated command authorizations.",
91
+ "description": "Web services are web applications that provide a method of communication between two or more different electronic devices. They are normally used by applications to provide each other with data. \n\nThe W3C defines a web service as;\n\"a software system designed to support interoperable machine to machine interaction over a network. It has an interface described in a machine processable format (specifically Web Services Description Language or WSDL). Other systems interact with the web service in a manner prescribed by its description using SOAP messages typically conveyed using HTTP with an XML serialization in conjunction with other web-related standards\".\n\nWeb services provide different challenges in managing access than what is presented by typical user based applications. In contrast to conventional access control approaches which employ static information system accounts and predefined sets of user privileges, many service-oriented architecture implementations rely on run time access control decisions facilitated by dynamic privilege management. While user identities remain relatively constant over time, user privileges may change more frequently based on the ongoing mission/business requirements and operational needs of the organization. \n\nService Oriented Architecture (SOA) based applications need to take this possibility into account and leverage dynamic access control methodologies.",
92
+ "severity": "medium"
93
+ },
94
+ {
95
+ "id": "V-26723",
96
+ "title": "The network element must enforce the assigned privilege level for each administrator and authorizations for access to all commands relative to the privilege level in accordance with applicable policy for the device.",
97
+ "description": "The use of Authentication, Authorization, and Accounting (AAA) affords the best methods for controlling user access, authorization levels, and activity logging. Privilege levels as well as what commands each administrator is authorized to use based on the privilege level or account group membership must be controlled and assigned accordingly. By enabling AAA on the network elements in conjunction with an authentication server, the administrators can easily add, modify, or delete accounts as well as add or remove command authorizations and privilege levels. The use of an authentication server provides the capability to assign network administrators and engineers to tiered groups that contain their associated or required privilege level. By configuring the network element to collaborate with an authentication server, it can enforce the appropriate authorization for each administrator.",
98
+ "severity": "medium"
99
+ },
100
+ {
101
+ "id": "V-26724",
102
+ "title": "The network element must enforce dual authorization based on organizational policies and procedures for organization-defined privileged commands.",
103
+ "description": "Dual authorization mechanisms require two forms of approval to execute. An organization may determine certain commands or network element configuration changes require dual-authorization before being activated. However, an organization should not employ dual authorization mechanisms when an immediate response is necessary to ensure public and environmental safety.",
104
+ "severity": "medium"
105
+ },
106
+ {
107
+ "id": "V-26725",
108
+ "title": "The network element must implement nondiscretionary access control policies over an organization-defined set of users and resources.",
109
+ "description": "Access control policies (e.g., identity-based policies, role-based policies, etc.) and access enforcement mechanisms (e.g., access control lists, policy maps, cryptography) are employed by organizations to control access between users (or processes acting on behalf of users) and objects (e.g., devices, data, destination addresses, etc.) within the network.",
110
+ "severity": "medium"
111
+ },
112
+ {
113
+ "id": "V-26726",
114
+ "title": "The information system must enforce an organization-defined Discretionary Access Control (DAC) policy allowing users to specify and control sharing by named individuals, groups of individuals, or by both, limiting propagation of access rights and including or excluding access to the granularity of a single user.",
115
+ "description": "Sharing is not applicable to network elements.",
116
+ "severity": "medium"
117
+ },
118
+ {
119
+ "id": "V-26727",
120
+ "title": "The network element must prevent access to organization-defined security-relevant information except during secure, non-operable system states.",
121
+ "description": "Security-relevant information is any information within the information system that can potentially impact the operation of security functions in a manner that could result in failure to enforce the system security policy or maintain isolation of code and data. Organizations may define specific security relevant information that requires protection. Filtering rules for routers and firewalls, cryptographic key management information, key configuration parameters for security services, and access control lists are examples of security-relevant information. \n\nSecure, nonoperable system states are states in which the network element is not performing mission or business-related processing (e.g., the system is off-line for maintenance, troubleshooting, boot-up, shutdown). Access to these types of data is to be prevented unless the system is in a maintenance mode or has otherwise been brought off-line. The goal is to minimize the potential that a security configuration or data may be dynamically and perhaps maliciously overwritten or changed without going through a formal system change process that can document the changes.",
122
+ "severity": "medium"
123
+ },
124
+ {
125
+ "id": "V-26738",
126
+ "title": "The network element must enforce approved authorizations for controlling the flow of information within the network in accordance with applicable policy.",
127
+ "description": "Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled so it does not introduce any unacceptable risk to the network infrastructure or data. Examples of flow control restrictions include blocking outside traffic claiming to be from within the organization, and not passing any web requests to the Internet not from the internal web proxy.",
128
+ "severity": "medium"
129
+ },
130
+ {
131
+ "id": "V-26739",
132
+ "title": "The network element must enforce approved authorizations for controlling the flow of information between interconnected networks in accordance with applicable policy.",
133
+ "description": "Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled so it does not introduce any unacceptable risk to the network infrastructure or data. For example, a router or firewall at the perimeter must only allow web traffic outbound received from a web proxy and directing all returning web traffic to the web proxy.",
134
+ "severity": "medium"
135
+ },
136
+ {
137
+ "id": "V-26740",
138
+ "title": "The network element must enforce information flow control using explicit security attributes on information, source, and destination objects as a basis for flow control decisions.",
139
+ "description": "Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled so it does not introduce any unacceptable risk to the network infrastructure or data. Restrictions can be enforced based on source and destination IP addresses as well as the ports and services being requested. This requirement should enforce the deny-by-default policy whereby only the known and accepted traffic will be allowed outbound and inbound.",
140
+ "severity": "medium"
141
+ },
142
+ {
143
+ "id": "V-26741",
144
+ "title": "The network element must enforce the highest privilege level administrative access to enable or disable security policy filters.",
145
+ "description": "The use of Authentication, Authorization, and Accounting (AAA) affords the best methods for controlling user access, authorization levels, and activity logging. By enabling AAA on the network elements in conjunction with an authentication server, the administrators can easily add, modify, or delete accounts as well as add or remove command authorizations and privilege levels. The use of an authentication server provides the capability to assign network administrators and engineers to tiered groups containing their associated or required privilege level. The network element must be configured to restrict management access according to the privilege level the user has been granted. Authorization to add, modify, or delete security policy filters must require the highest privilege level.",
146
+ "severity": "medium"
147
+ },
148
+ {
149
+ "id": "V-26742",
150
+ "title": "The network element must provide the capability for a privileged administrator to configure the organization-defined security policy filters to support different security policies.",
151
+ "description": "The network element must be configured to restrict management access according to the privilege level the user has been granted. Authorization to add, modify, or delete security policies must require the highest privilege level which can be implemented by simply assigning privilege levels to administrators or via an Authentication, Authorization, and Accounting (AAA) solution.\n\nThe implementation of an AAA solution affords the best methods for controlling user access, authorization levels, and activity logging. By enabling AAA on the network elements in conjunction with an authentication server, the administrators can easily add, modify, or delete accounts as well as add or remove command authorizations and privilege levels. The use of an authentication server provides the capability to assign network administrators and engineers to tiered groups that contain their associated or required privilege level.",
152
+ "severity": "medium"
153
+ },
154
+ {
155
+ "id": "V-26743",
156
+ "title": "The network element must identify information flows by data type specification and usage when transferring information between different security domains.",
157
+ "description": "Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled so that it does not introduce any unacceptable risk to the network infrastructure or data. Traffic flows must be identified by types and traffic rates when information is being transferred between different security domains.",
158
+ "severity": "medium"
159
+ },
160
+ {
161
+ "id": "V-26744",
162
+ "title": "The network element must decompose information into policy-relevant subcomponents for submission to policy enforcement mechanisms when transferring information between different security domains.",
163
+ "description": "Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled so it does not introduce any unacceptable risk to the network infrastructure or data. Information must be decomposed into policy-relevant subcomponents so the applicable policies and filters can be applied when information is being transferred between different security domains.",
164
+ "severity": "medium"
165
+ },
166
+ {
167
+ "id": "V-26745",
168
+ "title": "The network element must implement policy filters that constrain data structure and content to organization-defined information security policy requirements when transferring information between different security domains.",
169
+ "description": "Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled so it does not introduce any unacceptable risk to the network infrastructure or data. It is imperative when information is being moved from one security domain to another, policy filters must be applied to the data to enforce the organizations security policy requirements.",
170
+ "severity": "medium"
171
+ },
172
+ {
173
+ "id": "V-26746",
174
+ "title": "The network element must detect unsanctioned information when transferring information between different security domains.",
175
+ "description": " Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled so it does not introduce any unacceptable risk to the network infrastructure or data. It is imperative when information is being moved from one security domain to another, mechanisms are deployed to detect traffic with payloads that are not in conformance with the policy of the DoD and the organization.",
176
+ "severity": "medium"
177
+ },
178
+ {
179
+ "id": "V-26747",
180
+ "title": "The network element must prohibit the transfer of unsanctioned information in accordance with the security policy when transferring information between different security domains.",
181
+ "description": "Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled so it does not introduce any unacceptable risk to the network infrastructure or data. It is imperative when information is being moved from one security domain to another, policy filters must be applied to the data to enforce the organizations security policy requirements. Actions to support this requirement include but are not limited to: checking packet payload for embedded malware, dropping packets not conforming to standards, and blocking packets using ports and protocols that are not allowed to cross these domains based on DoD and local policy.",
182
+ "severity": "medium"
183
+ },
184
+ {
185
+ "id": "V-26756",
186
+ "title": "The network element must enforce security policies regarding information on interconnected systems.",
187
+ "description": "Transferring information between interconnected information systems of differing security policies introduces the risk of the transfers violating one or more policies. It is imperative for policy guidance from information owners be implemented at the policy enforcement point between the interconnected systems.",
188
+ "severity": "medium"
189
+ },
190
+ {
191
+ "id": "V-26757",
192
+ "title": "The network element must uniquely identify source domains for information transfer.",
193
+ "description": "Identifying source and destination addresses for information flows within the network allows forensic reconstruction of events when required, and increases policy compliance by attributing policy violations to specific individuals. Means to enforce this enhancement include ensuring the network element distinguishes between information systems and organizations, and between specific system components or individuals involved in sending and receiving information.",
194
+ "severity": "medium"
195
+ },
196
+ {
197
+ "id": "V-26758",
198
+ "title": "The network element must uniquely authenticate source domains for information transfer.",
199
+ "description": "Identifying source and destination addresses for information flows within the network allows forensic reconstruction of events when required, and increases policy compliance by attributing policy violations to specific individuals. Means to enforce this enhancement include ensuring the network element authenticates the source involved in sending information.",
200
+ "severity": "medium"
201
+ },
202
+ {
203
+ "id": "V-26759",
204
+ "title": "The network element must uniquely identify and validate destination domains for information transfer.",
205
+ "description": "Identifying source and destination addresses for information flows within the network allows forensic reconstruction of events when required, and increases policy compliance by attributing policy violations to specific individuals. Means to enforce this enhancement include ensuring the network element distinguishes between information systems and organizations, and between specific system components or individuals involved in sending and receiving information.",
206
+ "severity": "medium"
207
+ },
208
+ {
209
+ "id": "V-26760",
210
+ "title": "The network element must uniquely authenticate destination domains for information transfer.",
211
+ "description": "Identifying source and destination addresses for information flows within the network allows forensic reconstruction of events when required, and increases policy compliance by attributing policy violations to specific individuals. Means to enforce this enhancement include ensuring the network element authenticates the source involved in receiving information.",
212
+ "severity": "medium"
213
+ },
214
+ {
215
+ "id": "V-26761",
216
+ "title": "The information system must bind security attributes to information to facilitate information flow policy enforcement.",
217
+ "description": "Network elements do not transfer data (other than its configuration or image file to and from an FTP or TFTP server) - they merely forward received traffic to the next-hop towards its destination. There are no information owners.",
218
+ "severity": "medium"
219
+ },
220
+ {
221
+ "id": "V-26762",
222
+ "title": "The information system must track problems associated with the security attribute binding.",
223
+ "description": "Network elements do not transfer data (other than its configuration or image file to and from an FTP or TFTP server) - they merely forward received traffic to the next-hop towards its destination. There are no information owners.",
224
+ "severity": "medium"
225
+ },
226
+ {
227
+ "id": "V-26763",
228
+ "title": "The network element must implement security policies for all traffic flows by using security zones at various protection levels as a basis for flow control decisions.",
229
+ "description": "Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled so it does not introduce any unacceptable risk to the network infrastructure or data. Restrictions can be enforced using security zones at various protection levels as a basis for flow control decisions.",
230
+ "severity": "medium"
231
+ },
232
+ {
233
+ "id": "V-26764",
234
+ "title": "The network must enforce dynamic traffic flow control based on policy allowing or disallowing flows based upon traffic types and rates within or out of profile.",
235
+ "description": "Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled so it does not introduce any unacceptable risk to the network infrastructure or data. Restrictions can be enforced based on policy allowing or disallowing flows based upon traffic types and rates within or out of profile.",
236
+ "severity": "medium"
237
+ },
238
+ {
239
+ "id": "V-26765",
240
+ "title": "All encrypted traffic must be decrypted prior to passing through content inspection and filtering mechanisms.",
241
+ "description": "Allowing traffic to bypass the security checkpoints such as firewalls and intrusion detection systems puts the network infrastructure and critical data at risk. Malicious traffic could enter the network undetected and attack a key network element or the server farm. Hence, it is imperative all encrypted traffic entering the network is decrypted prior to the content checking devices.",
242
+ "severity": "medium"
243
+ },
244
+ {
245
+ "id": "V-26766",
246
+ "title": "The network element must terminate all tunnels prior to passing through the perimeter security zone.",
247
+ "description": "Allowing traffic to bypass the security checkpoints such as firewalls and intrusion detection systems puts the network infrastructure and critical data at risk. Malicious traffic could enter the network undetected and attack a key network element or the server farm. Hence, it is imperative all tunneled traffic entering the network terminate prior to the content checking devices.",
248
+ "severity": "medium"
249
+ },
250
+ {
251
+ "id": "V-26781",
252
+ "title": "The network element must enforce information flow control on metadata.",
253
+ "description": "Metadata is defined as data providing information about one or more other pieces of data such as purpose of the data, author or creator of the data, and network location of where data was created, and network specific information.\n\nInformation flow control regulates where information is allowed to travel within a network and between hosts as opposed to who is allowed to access the information. Information flow enforcement mechanisms compare security attributes on all information such as source and destination objects, and respond appropriately (e.g., block, quarantine, alert administrator) when the mechanisms encounter information flows not explicitly allowed by the information flow policy.",
254
+ "severity": "medium"
255
+ },
256
+ {
257
+ "id": "V-26783",
258
+ "title": "The network element must enforce organization-defined one-way traffic flows using hardware mechanisms.",
259
+ "description": "Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled so it does not introduce any unacceptable risk to the network infrastructure or data.",
260
+ "severity": "medium"
261
+ },
262
+ {
263
+ "id": "V-26784",
264
+ "title": "The network element must enforce information flow control using organization-defined security policy filters as a basis for flow control decisions.",
265
+ "description": "Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled so it does not introduce any unacceptable risk to the network infrastructure or data. Restrictions can be enforced based on source and destination IP addresses as well as the ports and services being requested using security policy filters.",
266
+ "severity": "medium"
267
+ },
268
+ {
269
+ "id": "V-26793",
270
+ "title": " The information system must track problems associated with the information transfer.",
271
+ "description": "Network elements do not bind security attributes with packets it is forwarding. It may use Quality of Service (QoS) along with L2 and L3 headers, but not security attributes.",
272
+ "severity": "medium"
273
+ },
274
+ {
275
+ "id": "V-26794",
276
+ "title": "The network element must implement separation of duties through assigned information system access authorizations.",
277
+ "description": "The use of Authentication, Authorization, and Accounting (AAA) affords the best methods for controlling user access, authorization levels, and activity logging. By enabling AAA on the network elements in conjunction with an authentication server, the administrators can easily add, modify, or delete accounts, as well as, add or remove command authorizations and privilege levels. The use of an authentication server provides the capability to assign network administrators and engineers to tiered groups containing their associated or required privilege levels establishing what commands and objects the authenticated administrator is authorized to access. This implementation would enforce the organization’s AAA policy for separation of duties and its responsibility assignments for each administrator.",
278
+ "severity": "medium"
279
+ },
280
+ {
281
+ "id": "V-26795",
282
+ "title": "The network element must audit the use of privileged accounts when accessing configuration and operational commands enabled for non-privileged accounts.",
283
+ "description": "Each account should grant access to only those privileges the system administrator is authorized for. By not restricting system administrators to their proper privilege levels, access to restricted and advanced functions may be provided to system administrators not authorized or trained to use those functions. Network disruptions or outages could be caused by mistakes made by inexperienced system administrators. Monitoring account usage will reduce the risk of a privilege account being exploited by unauthorized persons and provides logging to be used for forensic investigation.",
284
+ "severity": "medium"
285
+ },
286
+ {
287
+ "id": "V-26796",
288
+ "title": "The network element must provide the capability for a privileged administrator to configure organization-defined security policy filters to support different security policies.",
289
+ "description": "Each account should grant access to only those privileges the system administrator is authorized for. By not restricting system administrators to their proper privilege levels, access to restricted and advanced functions may be provided to system administrators not authorized or trained to use those functions. Network disruptions or outages could be caused by mistakes made by inexperienced system administrators. Monitoring account usage will reduce the risk of a privilege account being exploited by unauthorized persons and provides logging to be used for forensic investigation. Only accounts with the highest privilege level should have the authorization to configure security policy filters.",
290
+ "severity": "medium"
291
+ },
292
+ {
293
+ "id": "V-26797",
294
+ "title": "The information system must provide additional protection for mobile devices accessed via login by purging information from the device after organization-defined number of consecutive, unsuccessful login attempts to the mobile device.",
295
+ "description": "This requirement applies only to mobile devices for which a login occurs (e.g., personal digital assistants and smart phones) and not to mobile devices accessed without a login such as removable media. In certain situations, this requirement may not apply to mobile devices if the information on the device is encrypted with sufficiently strong encryption mechanisms, making purging unnecessary. The login is to the mobile device, not to any one account on the device. \n\n",
296
+ "severity": "medium"
297
+ },
298
+ {
299
+ "id": "V-26798",
300
+ "title": "The network element must enforce the organization-defined limit of consecutive invalid access attempts by a user during the organization-defined time period.",
301
+ "description": "A malicious or unauthorized user could gain access to a network element by guessing or using methods such as dictionary attack, word list substitution, or brute force attack—all of which require multiple attempts. By limiting the number of failed login attempts within a defined period of time, the risk of unauthorized system access via user password guessing can be mitigated.",
302
+ "severity": "medium"
303
+ },
304
+ {
305
+ "id": "V-26799",
306
+ "title": "The network element must enforce the organization-defined time period during which the limit of consecutive invalid access attempts by a user is counted.",
307
+ "description": "A malicious or unauthorized user could gain access to a network element by guessing or using methods such as dictionary attack, word list substitution, or brute force attack—all of which require multiple attempts. By limiting the number of failed login attempts within a defined period of time, the risk of unauthorized system access via user password guessing can be mitigated.",
308
+ "severity": "medium"
309
+ },
310
+ {
311
+ "id": "V-26800",
312
+ "title": "The network element must automatically lock out an account after the maximum number of unsuccessful attempts is exceeded and remain locked until released by an administrator.",
313
+ "description": "A malicious or unauthorized user could gain access to a network element by guessing or using methods such as dictionary attack, word list substitution, or brute force attack—all of which require multiple attempts. Locking out an account after a maximum number of unsuccessful attempts are exceeded will reduce the risk of unauthorized system access via password guessing.",
314
+ "severity": "medium"
315
+ },
316
+ {
317
+ "id": "V-26801",
318
+ "title": "The network element must display an approved system use notification message or banner before granting access to the system.",
319
+ "description": "All network devices must present a DoD approved warning banner prior to a system administrator logging on. The banner should warn any unauthorized user not to proceed. It also should provide clear and unequivocal notice to both authorized and unauthorized personnel that access to the device is subject to monitoring to detect unauthorized usage. Failure to display the required login warning banner prior to logon attempts will limit the ability to prosecute unauthorized access and also presents the potential to give rise to criminal and civil liability for systems administrators and information systems managers. In addition, DISA’s ability to monitor the device’s usage is limited unless a proper warning banner is displayed.",
320
+ "severity": "medium"
321
+ },
322
+ {
323
+ "id": "V-26802",
324
+ "title": "The network element must display an approved banner to the administrator and is retained on the screen until the administrator takes explicit actions to log on.",
325
+ "description": "All network devices must present a DoD approved warning banner prior to a system administrator logging on. The banner should warn any unauthorized user not to proceed. It also should provide clear and unequivocal notice to both authorized and unauthorized personnel that access to the device is subject to monitoring to detect unauthorized usage. Failure to display the required login warning banner prior to logon attempts will limit DISA’s ability to prosecute unauthorized access and also presents the potential to give rise to criminal and civil liability for systems administrators and information systems managers. In addition, DISA’s ability to monitor the device’s usage is limited unless a proper warning banner is displayed.",
326
+ "severity": "medium"
327
+ },
328
+ {
329
+ "id": "V-26803",
330
+ "title": "The network element must display must display an approved system use notification message or banner before granting access to the device.",
331
+ "description": "All network devices must present a DoD approved warning banner before granting access to the device. The banner shall be formatted in accordance with the DoD policy \"Use of DoD Information Systems - Standard Consent and User Agreement\". The message banner shall provide privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and shall state that:\n \n(i) users are accessing a U.S. Government information system; \n(ii) system usage may be monitored, recorded, and is subject to audit; \n(iii) unauthorized use of the system is prohibited and subject to criminal and civil penalties;\n(iv) use of the system indicates consent to monitoring and recording;\n(v) in the notice given to public users of the information system, shall provide a description of the authorized uses of the system.\n\nSystem use notification messages are implemented in the form of warning banners displayed when individuals log in to the information system. System use notification is intended only for information system access that includes an interactive login interface with a human user and is not intended to require notification when an interactive interface does not exist. \n\nThe banner shall state:\n\nYou are accessing a U.S. 
Government (USG) Information System (IS) that is provided\nfor USG-authorized use only.\nBy using this IS (which includes any device attached to this IS), you consent to the\nfollowing conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes\nincluding, but not limited to, penetration testing, COMSEC monitoring, network\noperations and defense, personnel misconduct (PM), law enforcement (LE), and\ncounterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine\nmonitoring, interception, and search, and may be disclosed or used for any USG authorized\npurpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect\nUSG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI\ninvestigative searching or monitoring of the content of privileged communications, or\nwork product, related to personal representation or services by attorneys,\npsychotherapists, or clergy, and their assistants. Such communications and work product\nare private and confidential. See User Agreement for details.",
332
+ "severity": "medium"
333
+ },
334
+ {
335
+ "id": "V-26808",
336
+ "title": "Upon successful logon the network element must display the date and time of the last logon of the user.",
337
+ "description": "Providing users with information regarding the date and time of their last successful login allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators.",
338
+ "severity": "medium"
339
+ },
340
+ {
341
+ "id": "V-26809",
342
+ "title": "Upon successful logon the network element must display to the user the number of unsuccessful logon attempts since the last successful logon.",
343
+ "description": "Providing users with information regarding the date and time of their last successful login allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators.",
344
+ "severity": "medium"
345
+ },
346
+ {
347
+ "id": "V-26812",
348
+ "title": "The network element must notify the user of the number of successful login attempts to the local device occurring during an organization-defined time period.",
349
+ "description": "Providing users with information regarding the date and time of their last successful login allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators.",
350
+ "severity": "medium"
351
+ },
352
+ {
353
+ "id": "V-26813",
354
+ "title": "The network element must notify the user of the number of unsuccessful login attempts to the local device occurring during organization-defined time period.",
355
+ "description": "Providing users with information regarding the date and time of their last unsuccessful login to the device allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators.",
356
+ "severity": "medium"
357
+ },
358
+ {
359
+ "id": "V-26814",
360
+ "title": "The network element must notify the user of organization-defined security-related changes to the user’s account occurring during the organization-defined time period.",
361
+ "description": "Providing users with information regarding the date and time of their last successful login allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators. Changes to the user account during a specific time period could be an indication of the account being compromised. Hence, without notification to the user, the compromise could go undetected.",
362
+ "severity": "medium"
363
+ },
364
+ {
365
+ "id": "V-26815",
366
+ "title": "The network element must limit the number of concurrent sessions for each account to an organization-defined number.",
367
+ "description": "This requirement addresses concurrent sessions for a given information system account and does not address concurrent sessions by a single user via multiple accounts. Limiting the number of concurrent sessions to the device per any given account mitigates the risk associated with a Denial of Service (DoS) attack.",
368
+ "severity": "medium"
369
+ },
370
+ {
371
+ "id": "V-26816",
372
+ "title": "The information system session lock mechanism, when activated on a device with a display screen, must place a publicly viewable pattern onto the associated display, hiding what was previously visible on the screen.",
373
+ "description": "As configuration changes are made to a router, switch, or firewall, they are applied to the running configuration. There is nothing lost. If the user has not saved the running configuration to non-volatile random-access memory (NVRAM), it can be done by logging back in. Furthermore, a desktop or laptop is used to connect to the router, switch, or firewall. The routers, switches, and firewalls have the idle timeout capability where the session is taken down after a period of inactivity. This is a simple and straightforward solution.",
374
+ "severity": "medium"
375
+ },
376
+ {
377
+ "id": "V-26817",
378
+ "title": "The information system must initiate a session lock after the organization-defined time period of inactivity.",
379
+ "description": "As configuration changes are made to a router, switch, or firewall, they are applied to the running configuration. There is nothing lost. If the user has not saved the running configuration to non-volatile random-access memory (NVRAM), it can be done by logging back in. Furthermore, a desktop or laptop is used to connect to the router, switch, or firewall. The routers, switches, and firewalls have the idle timeout capability where the session is taken down after a period of inactivity. This is a simple and straightforward solution.",
380
+ "severity": "medium"
381
+ },
382
+ {
383
+ "id": "V-26818",
384
+ "title": "The information system must retain the session lock until the user reestablishes access using established identification and authentication procedures.",
385
+ "description": "With a router or firewall—at least Cisco, as any configuration changes are made, they are applied to the running configuration. There is nothing lost. If the user has not saved the running configuration to non-volatile random-access memory (NVRAM), it can be done by logging back in. Furthermore, a desktop or laptop is used to connect to the router, switch, or firewall. The routers, switches, and firewalls have the idle timeout capability where the session is taken down after a period of inactivity. This is a simple and straightforward solution.",
386
+ "severity": "medium"
387
+ },
388
+ {
389
+ "id": "V-26824",
390
+ "title": "The network element must support and maintain the binding of organization-defined security attributes to information in storage.",
391
+ "description": "Security attributes are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information. These attributes are typically associated with internal data structures (e.g., records, buffers, files) within the network element and are used to enable the implementation of access control and flow control policies, reflect special dissemination, handling or distribution instructions, or support other aspects of the information security policy. The term security label is often used to associate a set of security attributes with a specific information object as part of the data structure for that object (e.g., user access privileges, nationality, affiliation as contractor). These attributes may be assigned during data processing. However these assignments must also be maintained while the data is in storage such as the device’s on-volatile random-access memory (NVRAM) or flash. ",
392
+ "severity": "medium"
393
+ },
394
+ {
395
+ "id": "V-26826",
396
+ "title": "The network element must support and maintain the binding of organization-defined security attributes to information in process.",
397
+ "description": "The binding of these attribute assignments to information must be maintained while the data is in process such as switching, traffic classification, QoS marking, packet filtering, address translation, etc. ",
398
+ "severity": "medium"
399
+ },
400
+ {
401
+ "id": "V-26854",
402
+ "title": "The network element must support and maintain the binding of organization-defined security attributes to information in transmission.",
403
+ "description": "Security attributes are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information. These attributes are typically associated with internal data structures (e.g., records, buffers, files) within the network element and are used to enable the implementation of access control and flow control policies, reflect special dissemination, handling or distribution instructions, or support other aspects of the information security policy. The term security label is often used to associate a set of security attributes with a specific information object as part of the data structure for that object (e.g., user access privileges, nationality, affiliation as contractor). These attributes may be assigned during data processing however these assignments also need to be maintained while the data is in storage. Organizations define the security attributes (e.g., classified, FOUO) of their data. The binding of these attribute assignments to information must be maintained while the data is being transmitted natively or encapsulated into layer 2 or layer 3 tunnels.",
404
+ "severity": "medium"
405
+ },
406
+ {
407
+ "id": "V-26877",
408
+ "title": "The network element must dynamically reconfigure security attributes in accordance with an identified security policy as information is created and combined.",
409
+ "description": "Security attributes are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information. These attributes are typically associated with internal data structures (e.g., data records, buffers, files) within the network element and are used to enable the implementation of access control and flow control policies, reflect special dissemination, handling or distribution instructions, or support other aspects of the information security policy. The term security label is often used to associate a set of security attributes with a specific information object as part of the data structure for that object (e.g., user access privileges, nationality, affiliation as contractor). A security label is defined as: the means used to associate a set of security attributes with a specific information object as part of the data structure for that object. Examples of a security label of a packet could be traffic flow (source, destination, protocol combination), traffic classification based on QoS markings for preferred treatment, VLAN identification, etc.",
410
+ "severity": "medium"
411
+ },
412
+ {
413
+ "id": "V-26885",
414
+ "title": "The network element must only allow authorized entities to change security attributes.",
415
+ "description": "Security attributes are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information. These attributes are typically associated with internal data structures (e.g., records, buffers, files) within the network element and are used to enable the implementation of access control and flow control policies, reflect special dissemination, handling or distribution instructions, or support other aspects of the information security policy. The term security label is often used to associate a set of security attributes with a specific information object as part of the data structure for that object (e.g., user access privileges, nationality, affiliation as contractor). Examples of a security label of a packet could be traffic flow (source, destination, protocol combination), traffic classification based on QoS markings for preferred treatment, VLAN identification, etc. Examples of entities that can make these changes are configured policies on routers and multilayer switches, access switchport that are configured to mark the class of service or a set a VLAN identification of an ingress packet, and the administrators that are authorized to make and implement these configurations.",
416
+ "severity": "medium"
417
+ },
418
+ {
419
+ "id": "V-26898",
420
+ "title": "The network element must maintain the binding of security attributes to information with sufficient assurance that the information-attribute association can be used as the basis for automated policy actions.",
421
+ "description": "Security attributes are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information. These attributes are typically associated with internal data structures (e.g., records, buffers, files) within the network element and are used to enable the implementation of access control and flow control policies, reflect special dissemination, handling or distribution instructions, or support other aspects of the information security policy. Network elements that maintain the binding of organization defined security attributes to data must ensure that the information-attribute associations can be used as a basis for automated policy actions.\n\nExamples of automated policy actions include automated access control decisions (e.g., Mandatory Access Control decisions), or decisions to release (or not release) information (e.g., information flows via cross domain systems).\n\n",
422
+ "severity": "medium"
423
+ },
424
+ {
425
+ "id": "V-26899",
426
+ "title": "The network element must allow authorized users to associate security attributes with information.",
427
+ "description": "Security attributes are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information. These attributes are typically associated with internal data structures (e.g., records, buffers, files) within the network element and are used to enable the implementation of access control and flow control policies, reflect special dissemination, handling or distribution instructions, or support other aspects of the information security policy. \n\nThe term security label is often used to associate a set of security attributes with a specific information object as part of the data structure for that object (e.g., user access privileges, nationality, affiliation as contractor). A security label is defined as the means used to associate a set of security attributes with a specific information object as part of the data structure for that object.\n\nThroughout the course of normal usage, authorized users of operating systems that handle sensitive data will have the need to associate security attributes with information. Operating systems that maintain the binding of organization defined security attributes to data must ensure that authorized users can associate security attributes with information.",
428
+ "severity": "medium"
429
+ },
430
+ {
431
+ "id": "V-26982",
432
+ "title": "The network element must display security attributes in human-readable form on each object output from the system to system output devices to identify an organization-identified set of special dissemination, handling, or distribution instructions using organization-identified human readable, standard naming conventions.",
433
+ "description": "Security attributes are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information. These attributes are typically associated with internal data structures (e.g., records, buffers, files, registry keys) within the information system and are used to enable the implementation of access control and flow control policies, reflect special dissemination, handling or distribution instructions, or support other aspects of the information security policy. Examples of application security attributes are classified, FOUO, sensitive, etc. \n\nThe term security label is often used to associate a set of security attributes with a specific information object as part of the data structure for that object (e.g., user access privileges, nationality, affiliation as contractor). A security label is defined as: the means used to associate a set of security attributes with a specific information object as part of the data structure for that object.\n\nSecurity attributes need to be displayed in human readable form in order to determine how the data should be disseminated, handled and what distribution instructions apply to the data. When applications generate or output data, the associated security attributes need to be displayed.\nObjects output from the information system include, for example, pages, screens, or equivalent. Output devices include, for example, printers and video displays on computer terminals, monitors, screens on notebook/laptop computers and personal digital assistants.",
434
+ "severity": "medium"
435
+ },
436
+ {
437
+ "id": "V-26983",
438
+ "title": "The network element must employ automated mechanisms to facilitate the monitoring and control of remote access methods.",
439
+ "description": "Remote access services enable users outside of the enclave to have access to data and services within the private network. In many instances these connections traverse the Internet. Monitoring of remote access sessions allows organizations to audit user activities and to ensure compliance with the remote access policy. Unless restrictions are put in place, a user connecting to the LAN via remote access can access/perform everything he/she could access/perform as those connected internally. Monitoring will ensure unauthorized access to the enclave’s resources and data will not go undetected.",
440
+ "severity": "medium"
441
+ },
442
+ {
443
+ "id": "V-26984",
444
+ "title": "The network element must use approved cryptography to protect the confidentiality of remote access sessions.",
445
+ "description": "Remote access services enable users outside of the enclave to have access to data and services within the private network. In many instances these connections traverse the Internet. Remote access sessions must use encryption to protect the confidentiality of information traveling through a public network such as the Internet. Requiring remote access sessions to the enclave to traverse an encrypted tunnel, authorized on a per client basis, makes the session difficult to snoop or spoof.",
446
+ "severity": "medium"
447
+ },
448
+ {
449
+ "id": "V-26985",
450
+ "title": "The network element must be configured to use cryptography to protect the integrity of remote access sessions.",
451
+ "description": "Remote access services enable users outside of the enclave to have access to data and services within the private network. In many instances these connections traverse the Internet. Remote access sessions must use encryption to protect the integrity of information traveling through a public network such as the Internet. Requiring remote access sessions to the enclave to traverse an encrypted tunnel makes the session difficult to alter the content.",
452
+ "severity": "medium"
453
+ },
454
+ {
455
+ "id": "V-26986",
456
+ "title": "The network element must route all remote access traffic through managed access control points.",
457
+ "description": "Remote access services enable users outside of the enclave to have access to data and services within the private network. In many instances these connections traverse the Internet. Regardless of the backbone networks used for transit between the user end-point and the remote access server (VPN appliance, firewall, ISDN), remote connections must be secured and must not be given direct access to the private network. Traffic between the remote access server and the private network must be secured. Therefore, the remote access server must forward traffic destined to the private network to the firewall interface inspecting all private network ingress traffic.",
458
+ "severity": "medium"
459
+ },
460
+ {
461
+ "id": "V-26987",
462
+ "title": "The network element must monitor for unauthorized remote connections to specific information systems on an organization-defined frequency.",
463
+ "description": "Remote access services enable users outside of the enclave to have access to data and services within the private network. In many instances these connections traverse the Internet. Monitoring of remote access sessions allows organizations to audit user activities and to ensure compliance with the remote access policy. Unless restrictions are put in place, a user connecting to the LAN via remote access can access/perform everything he/she could access/perform as those connected internally. Monitoring will ensure unauthorized access to the enclave’s resources and data will not go undetected.",
464
+ "severity": "medium"
465
+ },
466
+ {
467
+ "id": "V-26988",
468
+ "title": "The network element must audit remote sessions for accessing an organization-defined list of security functions and security-relevant information.",
469
+ "description": "Remote access services enable users outside of the enclave to have access to data and services within the private network. In many instances these connections traverse the Internet. Monitoring of remote access sessions allows organizations to audit user activities and to ensure compliance with the remote access policy. Unless restrictions are put in place, a user connecting to the LAN via remote access can access/perform everything he/she could access/perform as those connected internally. Monitoring will ensure unauthorized access to the enclave’s resources and data will not go undetected.",
470
+ "severity": "medium"
471
+ },
472
+ {
473
+ "id": "V-26989",
474
+ "title": "The network element must disable use of organization-defined networking protocols within the device configuration deemed to be nonsecure except for explicitly identified components in support of specific operational requirements.",
475
+ "description": "Remote access is any access to an organizational information system by a user (or an information system) communicating through an external, non-organization-controlled network (e.g., the Internet). Examples of remote access methods include dial-up, broadband, and wireless. \n\nSome networking protocols that allow remote access may not meet security requirements to protect data and components. The organization can either make a determination as to the relative security of the networking protocol or base the security decision on the assessment of other entities.",
476
+ "severity": "medium"
477
+ },
478
+ {
479
+ "id": "V-26990",
480
+ "title": "The network element must enforce requirements for remote connections to the network.",
481
+ "description": "Remote access services enable users outside of the enclave to have access to data and services within the private network. In many instances these connections traverse the Internet. Enabling access to the network from outside introduces security risks which must be addressed through implementation of strict controls and procedures such as authentication and defining what resources can be accessed.",
482
+ "severity": "medium"
483
+ },
484
+ {
485
+ "id": "V-26991",
486
+ "title": "The network element must protect wireless access to the network using authentication.",
487
+ "description": "The security boundary of a Wireless LAN (WLAN) extends from the client device to the network boundary where network access is controlled. This boundary represents the portion of the network most vulnerable to attack and must be protected. Within this boundary there must be two distinct, but related, security protection mechanisms: authentication and data-in-transit encryption. These protections ensure access control and protection from eavesdropping for both the WLAN system and the DoD network enclave.",
488
+ "severity": "medium"
489
+ },
490
+ {
491
+ "id": "V-26992",
492
+ "title": "The network element must protect wireless access to the network using encryption.",
493
+ "description": "The security boundary of a Wireless LAN (WLAN) extends from the client device to the network boundary where network access is controlled. This boundary represents the portion of the network most vulnerable to attack and must be protected. Within this boundary there must be two distinct, but related, security protection mechanisms: authentication and data-in-transit encryption. These protections ensure access control and protection from eavesdropping for both the WLAN system and the DoD network enclave.",
494
+ "severity": "medium"
495
+ },
496
+ {
497
+ "id": "V-26993",
498
+ "title": "The network element must monitor for unauthorized connections of mobile devices to information systems.",
499
+ "description": "Wireless services enable users within close proximity of access points to have access to data and services within the private network. The security boundary of a Wireless LAN extends from the client device to the network boundary where network access is controlled. This boundary represents the portion of the network most vulnerable to attack and thereby must be protected. Unless restrictions are put in place, a user connecting to the enclave via wireless access can access/perform everything he/she could access/perform as those connected via Ethernet. Monitoring will ensure unauthorized access to the enclave’s resources and data will not go undetected.\n\n\nUse of unapproved devices to process non-publicly releasable data increases the risk to the network. Devices attached to or inserted into the end point's plug-and-play ports and slots can be a vector for the insertion of malware when used to access the network. Storage devices are portable and can be easily concealed. Requiring approval prior to use these devices heightens awareness of the threat, limits the potential use of contaminated devices, and allows for proper tracking and control. Designated Approval Authority (DAA) approval of flash memory devices is required by the United States Cyber Command (USCYBERCOM) Communications Task Order (CTO) 10-004A Removable Flash Media Device Implementation within and between Department of Defense (DoD) Networks (U/FOUO) (or latest version of this CTO).",
500
+ "severity": "medium"
501
+ },
502
+ {
503
+ "id": "V-26994",
504
+ "title": "The network element must enforce requirements for the connection of mobile devices to organizational information systems.",
505
+ "description": "Wireless services enable users within close proximity of access points to have access to data and services within the private network. The security boundary of a Wireless LAN extends from the client device to the network boundary where network access is controlled. This boundary represents the portion of the network most vulnerable to attack and must be protected. Wireless access introduces security risks which must be addressed through implementation of strict controls and procedures such as, authentication, encryption, and defining what resources can be accessed.\n\nUse of unapproved devices to process non-publicly releasable data increases the risk to the network. Devices attached to or inserted into the end point's plug-and-play ports and slots can be a vector for the insertion of malware when used to access the network. Storage devices are portable and can be easily concealed. Requiring approval prior to use these devices heightens awareness of the threat, limits the potential use of contaminated devices, and allows for proper tracking and control. Designated Approval Authority (DAA) approval of flash memory devices is required by the United States Cyber Command (USCYBERCOM) Communications Task Order (CTO) 10-004A Removable Flash Media Device Implementation within and between Department of Defense (DoD) Networks (U/FOUO) (or latest version of this CTO).\n",
506
+ "severity": "medium"
507
+ },
508
+ {
509
+ "id": "V-26995",
510
+ "title": "The network element must be configured to disable functionality that provides the capability for automatic execution of code on mobile devices without user direction.",
511
+ "description": "Auto execution vulnerabilities can result in malicious programs being executed that can be used to cause a denial of service on the device and hence disrupt network services. Examples of information system functionality that provide the capability for automatic execution of code are AutoRun and AutoPlay.",
512
+ "severity": "medium"
513
+ },
514
+ {
515
+ "id": "V-26996",
516
+ "title": "The information system must employ automated mechanisms to enable authorized users to make information sharing decisions based on access authorizations of sharing partners and access restrictions on information to be shared.",
517
+ "description": "Network elements do not share information with partners.",
518
+ "severity": "medium"
519
+ },
520
+ {
521
+ "id": "V-26997",
522
+ "title": "The network element must produce log records that contain sufficient information to establish what type of events occurred.",
523
+ "description": "Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what attempted to be done, where it was done, when it was done, and by whom in order to compile an accurate risk assessment. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured network element.",
524
+ "severity": "medium"
525
+ },
526
+ {
527
+ "id": "V-26998",
528
+ "title": "The network element must produce log records containing sufficient information to establish when the events occurred.",
529
+ "description": "Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what attempted to be done, where it was done, when it was done, and by whom in order to compile an accurate risk assessment. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured network element. In order to establish and correlate the series of events leading up to an outage or attack, it is imperative the date and time are recorded in all log records.",
530
+ "severity": "medium"
531
+ },
532
+ {
533
+ "id": "V-26999",
534
+ "title": "The network element must produce log records containing sufficient information to establish where the events occurred.",
535
+ "description": "Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what attempted to be done, where it was done, when it was done, and by whom in order to compile an accurate risk assessment. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured network element. In order to establish and correlate the series of events leading up to an outage or attack, it is imperative the source or object of the log record is recorded in all log records.",
536
+ "severity": "medium"
537
+ },
538
+ {
539
+ "id": "V-27000",
540
+ "title": "The network element must produce log records containing sufficient information to determine if the event was a success or failure.",
541
+ "description": "Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what attempted to be done, where it was done, when it was done, and by whom in order to compile an accurate risk assessment. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured network element. Denied traffic must be logged. There may also be some instances were a packet that was permitted or other successful event (i.e., logon) should be logged to establish and correlate the series of events leading up to an outage or attack.",
542
+ "severity": "medium"
543
+ },
544
+ {
545
+ "id": "V-27001",
546
+ "title": "The network element must produce audit records that contain sufficient information to establish the identity of any user or subject associated with the event.",
547
+ "description": "Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what attempted to be done, where it was done, when it was done, and by whom in order to compile an accurate risk assessment. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured network element. In order to establish and correlate the series of events leading up to an outage or attack, it is imperative the originator of the log record is recorded in all log records.",
548
+ "severity": "medium"
549
+ },
550
+ {
551
+ "id": "V-27002",
552
+ "title": "The network element must produce log records containing sufficient information to establish the sources of the events.",
553
+ "description": "Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what attempted to be done, when and by whom in order to compile an accurate risk assessment. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured network element. In order to establish and correlate the series of events leading up to an outage or attack, it is imperative the originator of the log record is recorded in all log records.",
554
+ "severity": "medium"
555
+ },
556
+ {
557
+ "id": "V-27003",
558
+ "title": "The network element must produce log records that contain detailed information for events identified by type, location, and subject.",
559
+ "description": "Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control, includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.",
560
+ "severity": "medium"
561
+ },
562
+ {
563
+ "id": "V-27004",
564
+ "title": "The network element must support the requirement to centrally manage the content of audit records generated by network infrastructure components.",
565
+ "description": "Centrally managing audit data provides for easier management of network events and is an effective facility for monitoring and the automatic generation of alert notification. The repository of audit data can facilitate troubleshooting when problems are encountered and can assist in performing root cause analysis. A repository of audit data can also be correlated in real time to identify suspicious behavior or be archived for review at a later time for research and analysis.",
566
+ "severity": "medium"
567
+ },
568
+ {
569
+ "id": "V-27005",
570
+ "title": "The network element must be configured to allocate audit record storage capacity.",
571
+ "description": "Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what attempted to be done, where it was done, when it was done, and by whom in order to compile an accurate risk assessment. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured network element. It is imperative the network element is configured to allocate storage capacity to contain log records.",
572
+ "severity": "medium"
573
+ },
574
+ {
575
+ "id": "V-27006",
576
+ "title": "The network element logging facility must be configured to reduce the likelihood of log record capacity being exceeded.",
577
+ "description": "Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what attempted to be done, where it was done, when it was done, and by whom in order to compile an accurate risk assessment. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured network element. It is imperative the network element is configured to allocate enough log record storage capacity that will not become exhausted.",
578
+ "severity": "medium"
579
+ },
580
+ {
581
+ "id": "V-27007",
582
+ "title": "The network element must provide a warning when the logging storage capacity reaches an organization-defined percentage of maximum capacity.",
583
+ "description": "Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what attempted to be done, where it was done, when it was done, and by whom in order to compile an accurate risk assessment. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured network element. It is imperative the network element is configured to allocate storage capacity to contain log records and an alert is generated when the capacity reaches an organization-defined threshold.",
584
+ "severity": "medium"
585
+ },
586
+ {
587
+ "id": "V-27008",
588
+ "title": "The network element must provide a real-time alert when organization-defined audit failure events occur.",
589
+ "description": "Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what attempted to be done, where it was done, when it was done, and by whom in order to compile an accurate risk assessment. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured network element. It is imperative the network element is configured to generate an alarm when an audit failure occurs.",
590
+ "severity": "medium"
591
+ },
592
+ {
593
+ "id": "V-27009",
594
+ "title": "The network element must enforce configurable traffic volume thresholds representing logging capacity for network traffic to be logged. ",
595
+ "description": "Different applications have unique requirements and toleration levels for delay, jitter, bandwidth, packet loss, and availability. To manage the multitude of applications and services, a network requires a Quality of Service (QoS) framework to differentiate traffic and provide a method to avoid and manage network congestion. When network congestion occurs, all traffic has an equal chance of being dropped. QoS categorizes network traffic, prioritizes it according to its relative importance, and provides priority treatment based on the classification. Many DoS attacks target the network core by attempting to saturate link capacity and exhausting router processors. If hackers can compromise QoS trust boundaries, they can amplify the effect of their abuse. When attack traffic receives premium services, it not only forces priority traffic such as voice to compete for service, it robs critical control-plane and network management traffic the service it demands to ensure routing convergence and network availability. Furthermore, it enables the attacker to easily induce a sustained DoS attack on all network resources along the entire path where QoS has been hijacked. It is imperative that traffic marked for premium service is strictly policed. Traffic that is out of profile must be marked down by placing it into a low priority class.",
596
+ "severity": "medium"
597
+ },
598
+ {
599
+ "id": "V-27010",
600
+ "title": "The network element must reject or delay network traffic generated above configurable traffic volume thresholds as defined by the organization.",
601
+ "description": "Different applications have unique requirements and toleration levels for delay, jitter, bandwidth, packet loss, and availability. To manage the multitude of applications and services, a network requires a Quality of Service (QoS) framework to differentiate traffic and provide a method to avoid and manage network congestion. When network congestion occurs, all traffic has an equal chance of being dropped. QoS categorizes network traffic, prioritizes it according to its relative importance, and provides priority treatment based on the classification. Many DoS attacks target the network core by attempting to saturate link capacity and exhausting router processors. If hackers can compromise QoS trust boundaries, they can amplify the effect of their abuse. When attack traffic receives premium services, it not only forces priority traffic such as voice to compete for service, it robs critical control-plane and network management traffic the service it demands to ensure routing convergence and network availability. Furthermore, it enables the attacker to easily induce a sustained DoS attack on all network resources along the entire path where QoS has been hijacked. It is imperative that traffic marked for premium service is strictly policed. Traffic that is out of profile must be marked down by placing it into a low priority class.",
602
+ "severity": "medium"
603
+ },
604
+ {
605
+ "id": "V-27074",
606
+ "title": "The network element must invoke a system shutdown in the event of an audit failure, unless an alternative audit capability exists.",
607
+ "description": "It is critical that when a network device is at risk of failing to process audit logs as required, it takes action to mitigate the failure. If the device were to continue processing without auditing enabled, a network device or the network itself could be compromised without any information that can be used for the trace back of an attack and for forensic analysis.",
608
+ "severity": "medium"
609
+ },
610
+ {
611
+ "id": "V-27083",
612
+ "title": "The network element must be configured to send an alert to designated personnel in the event of an audit processing failure.",
613
+ "description": "Auditing and logging are key components of any security architecture. It is essential that security personnel know what is being done, what attempted to be done, where it was done, when it was done, and by whom in order to compile an accurate risk assessment. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify a network element that has been configured improperly. It is imperative that the network element is configured to generate an alarm when an audit failure occurs.",
614
+ "severity": "medium"
615
+ },
616
+ {
617
+ "id": "V-27091",
618
+ "title": "The network element must be configured to stop generating log records or overwrite the oldest log records when an audit failure occurs.",
619
+ "description": "Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what attempted to be done, where it was done, when it was done, and by whom in order to compile an accurate risk assessment. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured network element. To preserve recent audit information, if an audit failure occurs, the network element must either stop producing audit records to overwrite or purge the oldest records.",
620
+ "severity": "medium"
621
+ },
622
+ {
623
+ "id": "V-27098",
624
+ "title": "The network element must integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities.",
625
+ "description": "Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what attempted to be done, where it was done, when it was done, and by whom in order to compile an accurate risk assessment. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured network element. In order to determine what is happening within the network infrastructure or to resolve and trace an attack, it is imperative to correlate the log data from multiple network elements to acquire a clear understanding as to what happened or is happening. Collecting log data and presenting that data in a single, consolidated view achieves this objective.",
626
+ "severity": "medium"
627
+ },
628
+ {
629
+ "id": "V-27108",
630
+ "title": " The network element must centralize the review and analysis of audit records from multiple network elements within the network.",
631
+ "description": "Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what attempted to be done, where it was done, when it was done, and by whom in order to compile an accurate risk assessment. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured network element. In order to determine what is happening within the network infrastructure or to resolve and trace an attack, it is imperative to correlate the log data from multiple network elements to acquire a clear understanding as to what happened or is happening. Collecting log data and presenting the data in a single, consolidated view achieves this objective.",
632
+ "severity": "medium"
633
+ },
634
+ {
635
+ "id": "V-27112",
636
+ "title": "The network element must employ automated mechanisms to alert security personnel of any inappropriate or unusual activities with security implications.",
637
+ "description": "Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what attempted to be done, where it was done, when it was done, and by whom in order to compile an accurate risk assessment. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured network element. By immediately displaying an alarm message, identifying the potential security violation and making it accessible with the audit record contents associated with the event(s) that generated the alarm provides the staff prompt alert messages 24 x 7 regardless of if they are logged on.",
638
+ "severity": "medium"
639
+ },
640
+ {
641
+ "id": "V-27123",
642
+ "title": "The network element must provide an audit reduction capability.",
643
+ "description": "to know what is being done, what attempted to be done, where it was done, when it was done, and by whom in order to compile an accurate risk assessment. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured network element. In order to determine what is happening within the network infrastructure or to resolve and trace an attack, it is imperative to correlate the log data from multiple network elements acquiring a clear understanding as to what happened or is happening. Collecting log data and aggregating it to present the data in a single, consolidated view achieves this objective.",
644
+ "severity": "medium"
645
+ },
646
+ {
647
+ "id": "V-27126",
648
+ "title": "The network element must provide a report generation capability.",
649
+ "description": "Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what attempted to be done, where it was done, when it was done, and by whom in order to compile an accurate risk assessment. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured network element. In order to determine what is happening within the network infrastructure or to resolve and trace an attack, it is imperative to correlate the log data from multiple network elements to acquire a clear understanding as to what happened or is happening. Collecting log data and aggregating it to present the data in a single, consolidated report achieves this objective.",
650
+ "severity": "medium"
651
+ },
652
+ {
653
+ "id": "V-27129",
654
+ "title": "The network element must provide the capability to automatically process log records for events of interest based upon selectable criteria.",
655
+ "description": "Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what attempted to be done, where it was done, when it was done, and by whom in order to compile an accurate risk assessment. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured network element. In order to determine what is happening within the network infrastructure or to resolve and trace an attack, it is imperative to correlate the log data from multiple network elements to acquire a clear understanding as to what happened or is happening. Collecting log data and enabling personnel to filter the data based on selection criteria to produce a meaningful view achieves this objective.",
656
+ "severity": "medium"
657
+ },
658
+ {
659
+ "id": "V-27133",
660
+ "title": "The network element must use internal system clocks to generate time stamps for audit records.",
661
+ "description": "Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what attempted to be done, where it was done, when it was done, and by whom in order to compile an accurate risk assessment. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured network element. In order to determine what is happening within the network infrastructure or to resolve and trace an attack, it is imperative to correlate the log data from multiple network elements to acquire a clear understanding as to what happened or is happening. In order to correlate, time stamps are needed on all of the log records.",
662
+ "severity": "medium"
663
+ },
664
+ {
665
+ "id": "V-27138",
666
+ "title": "The network element must synchronize its internal clock on an organization-defined frequency with an organization-defined authoritative time source.",
667
+ "description": "Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what attempted to be done, where it was done, when it was done, and by whom in order to compile an accurate risk assessment. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured network element. In order to determine what is happening within the network infrastructure or to resolve and trace an attack, it is imperative to correlate the log data from multiple network elements to acquire a clear understanding as to what happened or is happening. In order to correlate, time stamps are needed on all of the log records. Furthermore, the various components within the network infrastructure providing the log records must have their clocks synchronized using a common time reference so the events can be correlated in exact order of time.",
668
+ "severity": "medium"
669
+ },
670
+ {
671
+ "id": "V-27192",
672
+ "title": "The network element must protect audit information from unauthorized read access.",
673
+ "description": "Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what attempted to be done, where it was done, when it was done, and by whom in order to compile an accurate risk assessment. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured network element. It is imperative the collected log data from the various network elements as well as the auditing tool are secured and can only be accessed by authorized personnel.",
674
+ "severity": "medium"
675
+ },
676
+ {
677
+ "id": "V-27194",
678
+ "title": "The network element must protect audit information from unauthorized modification.",
679
+ "description": "Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what attempted to be done, where it was done, when it was done, and by whom in order to compile an accurate risk assessment. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured network element. It is imperative the collected log data from the various network elements as well as the auditing tool are secured and can only be accessed by authorized personnel.",
680
+ "severity": "medium"
681
+ },
682
+ {
683
+ "id": "V-27196",
684
+ "title": "The network element must protect audit information from unauthorized deletion.",
685
+ "description": "Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what attempted to be done, where it was done, when it was done, and by whom in order to compile an accurate risk assessment. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured network element. It is imperative the collected log data from the various network elements as well as the auditing tool are secured and can only be accessed by authorized personnel.",
686
+ "severity": "medium"
687
+ },
688
+ {
689
+ "id": "V-27199",
690
+ "title": "The network element must protect audit tools from unauthorized access.",
691
+ "description": "Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what attempted to be done, where it was done, when it was done, and by whom in order to compile an accurate risk assessment. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured network element. It is imperative the auditing tools are secured and can only be accessed by authorized personnel.",
692
+ "severity": "medium"
693
+ },
694
+ {
695
+ "id": "V-27201",
696
+ "title": "The network element must protect audit tools from unauthorized modification.",
697
+ "description": "Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what attempted to be done, where it was done, when it was done, and by whom in order to compile an accurate risk assessment. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured network element. It is imperative the auditing tools are secured and can only be accessed by authorized personnel.",
698
+ "severity": "medium"
699
+ },
700
+ {
701
+ "id": "V-27207",
702
+ "title": "The network element must protect audit tools from unauthorized deletion.",
703
+ "description": "Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what attempted to be done, where it was done, when it was done, and by whom in order to compile an accurate risk assessment. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured network element. It is imperative the auditing tools are secured and can only be accessed by authorized personnel.",
704
+ "severity": "medium"
705
+ },
706
+ {
707
+ "id": "V-27208",
708
+ "title": "The network element must produce audit records on hardware-enforced write-once media.",
709
+ "description": "Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what attempted to be done, where it was done, when it was done, and by whom in order to compile an accurate risk assessment. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured network element. It is imperative the collected log data from the various network elements is secured and stored on write-once media for safe keeping.",
710
+ "severity": "medium"
711
+ },
712
+ {
713
+ "id": "V-27213",
714
+ "title": "The network element must backup log records on an organization-defined frequency onto a different system or media.",
715
+ "description": "Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what attempted to be done, where it was done, when it was done, and by whom in order to compile an accurate risk assessment. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured network element. It is imperative the collected log data from the various network elements is secured and backed up regularly unto a different system or off-line media.",
716
+ "severity": "medium"
717
+ },
718
+ {
719
+ "id": "V-27218",
720
+ "title": "The network element must use cryptographic mechanisms to protect the integrity of audit information.",
721
+ "description": "Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what attempted to be done, where it was done, when it was done, and by whom in order to compile an accurate risk assessment. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured network element. Mechanisms such as a signed hash using asymmetric cryptography must be used to protect the integrity of integrity of the collected audit data.",
722
+ "severity": "medium"
723
+ },
724
+ {
725
+ "id": "V-27219",
726
+ "title": "The network element must use cryptography to protect the integrity of audit tools.",
727
+ "description": "Auditing and logging are key components of any security architecture. It is essential that security personnel know what is being done, what attempted to be done, where it was done, when it was done, and by whom in order to compile an accurate risk assessment. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify a network element that has been configured improperly. Mechanisms such as a signed hash using asymmetric cryptography must be used to protect the integrity of the audit tools used for audit reduction and reporting.",
728
+ "severity": "medium"
729
+ },
730
+ {
731
+ "id": "V-27223",
732
+ "title": "The network element must protect the audit records of non-local accesses to privileged accounts and the execution of privileged functions.",
733
+ "description": "Auditing may not be reliable when performed by the network element to which the user being audited has privileged access. The privileged user may inhibit auditing or modify audit records. This control enhancement helps mitigate this risk by requiring that privileged access be further defined between audit-related privileges and other privileges, thus, limiting the users with audit-related privileges. Reducing the risk of audit compromises by privileged users can also be achieved, for example, by performing audit activity on a separate information system or by using storage media that cannot be modified (e.g., write-once recording devices).",
734
+ "severity": "medium"
735
+ },
736
+ {
737
+ "id": "V-27225",
738
+ "title": "The network must element protect against an individual falsely denying having performed a particular action.",
739
+ "description": "Non-repudiation of actions taken by an administrator is required in order to maintain integrity of the configuration management process. This requires that all configuration changes to the network element are logged as well as requiring network administrators to authenticate with 2-factor authentication or PKI prior to acquiring administrative access to the network element. Together, these processes will ensure the administrators can be held accountable for the configuration changes they implement.",
740
+ "severity": "medium"
741
+ },
742
+ {
743
+ "id": "V-27228",
744
+ "title": "The information system must associate the identity of the information producer with the information.",
745
+ "description": "Network elements do not have information created and maintained by information owners nor do they transfer information.",
746
+ "severity": "medium"
747
+ },
748
+ {
749
+ "id": "V-27233",
750
+ "title": "The information system must validate the binding of the information producer’s identity to the information.",
751
+ "description": "Network elements are not incorporated for the purpose of creating information for production.",
752
+ "severity": "medium"
753
+ },
754
+ {
755
+ "id": "V-27234",
756
+ "title": "The information system must maintain reviewer/releaser identity and credentials within the established chain of custody for all information reviewed or released.",
757
+ "description": "Network elements are not incorporated for the purpose of creating information for production and release.",
758
+ "severity": "medium"
759
+ },
760
+ {
761
+ "id": "V-27235",
762
+ "title": "The information system must validate the binding of the reviewer’s identity to the information at the transfer/release point prior to release/transfer from one security domain to another security domain.",
763
+ "description": "Network elements do not have information for review that is released and transferred from one security domain to another.",
764
+ "severity": "medium"
765
+ },
766
+ {
767
+ "id": "V-27255",
768
+ "title": "The network element must compile log data from multiple components into a network-wide audit trail that is time-correlated to within organization-defined level of tolerance.",
769
+ "description": "Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what attempted to be done, where it was done, when it was done, and by whom in order to compile an accurate risk assessment. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured network element.",
770
+ "severity": "medium"
771
+ },
772
+ {
773
+ "id": "V-27257",
774
+ "title": "The network element must produce a system-wide audit trail composed of log records in a standardized format.",
775
+ "description": "Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what attempted to be done, where it was done, when it was done, and by whom in order to compile an accurate risk assessment. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured network element.",
776
+ "severity": "medium"
777
+ },
778
+ {
779
+ "id": "V-27258",
780
+ "title": "The network element must generate log records for organization-defined events determined to be significant and relevant to the security of the network infrastructure.",
781
+ "description": "Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what attempted to be done, where it was done, when it was done, and by whom in order to compile an accurate risk assessment. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured network element.",
782
+ "severity": "medium"
783
+ },
784
+ {
785
+ "id": "V-27259",
786
+ "title": "The network element must allow administrators to select which events are to be logged by specific components of the system.",
787
+ "description": "Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what attempted to be done, where it was done, when it was done, and by whom in order to compile an accurate risk assessment. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured network element.",
788
+ "severity": "medium"
789
+ },
790
+ {
791
+ "id": "V-27260",
792
+ "title": "The network element must generate audit records for organization-defined list of auditable events.",
793
+ "description": "Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what attempted to be done, where it was done, when it was done, and by whom in order to compile an accurate risk assessment. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured network element.",
794
+ "severity": "medium"
795
+ },
796
+ {
797
+ "id": "V-27261",
798
+ "title": "The information system must initiate session audits at system start-up.",
799
+ "description": "Network elements do not provide user access. Hence, they would not provide any capability to enable users to establish a session. Therefore there would be no user session log information to capture and no reason to initiate a session audit; thereby making this vulnerability not applicable.",
800
+ "severity": "medium"
801
+ },
802
+ {
803
+ "id": "V-27262",
804
+ "title": "The information system must provide the capability to capture/record and log all content related to a user session.",
805
+ "description": "Network elements do not provide user access. Hence, they would not provide any capability to enable users to establish a session. Therefore there would be no user session log information to capture; thereby making this vulnerability not applicable.",
806
+ "severity": "medium"
807
+ },
808
+ {
809
+ "id": "V-27263",
810
+ "title": "The information system must provide the capability to remotely view/hear all content related to an established user session in real time.",
811
+ "description": "Users that establish sessions with network elements are administrators who have a session with the device for the sole purpose of administrative access. All in-band access sessions must be encrypted (SSH, HTTPS, etc.); hence, there is no way to capture and view the traffic remotely. There for this requirement would not be applicable.",
812
+ "severity": "medium"
813
+ },
814
+ {
815
+ "id": "V-27264",
816
+ "title": "The network element must enforce access restrictions associated with changes to the information system.",
817
+ "description": "Changes to the hardware or software components of the network element can have significant effects on the overall security of the network. Therefore, only qualified and authorized individuals should be allowed administrative access to the network element for implementing any changes or upgrades.",
818
+ "severity": "medium"
819
+ },
820
+ {
821
+ "id": "V-27265",
822
+ "title": "The network element must be configured to enable automated mechanisms to enforce access restrictions.",
823
+ "description": "Changes to the hardware or software components of the network element can have significant effects on the overall security of the network. Therefore, only qualified and authorized individuals should be allowed administrative access to the network element for implementing any changes or upgrades.",
824
+ "severity": "medium"
825
+ },
826
+ {
827
+ "id": "V-27267",
828
+ "title": "The network element must be configured to enable automated mechanisms to support auditing of the enforcement actions.",
829
+ "description": "Changes to the hardware or software components of the network element can have significant effects on the overall security of the network. Therefore, only qualified and authorized individuals should be allowed administrative access to the network element for implementing any changes or upgrades. Additionally, maintaining log records of access is essential for ensuring configuration change control is being implemented as intended and for supporting after-the-fact actions should the organization become aware of an unauthorized change to the information system.",
830
+ "severity": "medium"
831
+ },
832
+ {
833
+ "id": "V-27269",
834
+ "title": "The network element must prevent the installation of organization-defined critical software programs not signed with a certificate that is recognized and approved by the organization.",
835
+ "description": "Changes to any software components of the network element can have significant effects on the overall security of the network. Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor.",
836
+ "severity": "medium"
837
+ },
838
+ {
839
+ "id": "V-27273",
840
+ "title": "The network element must enforce a two-person rule for changes to organization-defined information system components and system-level information.",
841
+ "description": "Changes to any software components of the network element can have significant effects on the overall security of the network. Therefore, only qualified and authorized individuals should be allowed administrative access to the network element for implementing any changes or upgrades to system components. Enforcing a two-person rule will ensure the changes have been approved.",
842
+ "severity": "medium"
843
+ },
844
+ {
845
+ "id": "V-27287",
846
+ "title": "The network element must limit privileges to change software resident within software libraries.",
847
+ "description": "Changes to any software components of the network element can have significant effects on the overall security of the network. Therefore, only qualified and authorized individuals should be allowed administrative access to the network element for implementing any changes or upgrades. If the network element were to enable non-authorized users to make changes to software libraries, those changes could be implemented without undergoing the appropriate testing, validation, and approval.",
848
+ "severity": "medium"
849
+ },
850
+ {
851
+ "id": "V-27289",
852
+ "title": "The network element must implement automatic safeguards and countermeasures if security functions or mechanisms are changed inappropriately.",
853
+ "description": "Changes to any software components of the network element can have significant effects on the overall security of the network. Therefore, only qualified and authorized individuals should be allowed administrative access to the network element for implementing any changes or upgrades. In order to ensure a prompt response to unauthorized changes to network element security functions, the organizations may define safeguards the device shall undertake in the event these changes occur.",
854
+ "severity": "medium"
855
+ },
856
+ {
857
+ "id": "V-27291",
858
+ "title": "The network element must employ automated mechanisms to centrally manage configuration settings.",
859
+ "description": "Uncoordinated or incorrect configuration changes to network components can potentially lead to network outages and possibly compromises. Centrally managing configuration changes for network elements can ensure they are done at the correct time and if necessary in synchronization with each other which can be vital for nodes that peer and require compatible configurations. Centralized configuration management also provides visibility and tracking of enterprise level activity promoting a sound configuration management procedure as well as an aid for troubleshooting network problems.",
860
+ "severity": "medium"
861
+ },
862
+ {
863
+ "id": "V-27292",
864
+ "title": "The network element must employ automated mechanisms to centrally apply configuration settings.",
865
+ "description": "Uncoordinated or incorrect configuration changes to network components can potentially lead to network outages and possibly compromises. Centrally managing configuration changes for network elements can ensure they are done at the correct time and if necessary in synchronization with each other which can be vital for nodes that peer and require compatible configurations. Centralized configuration management also provides visibility and tracking of enterprise level activity promoting a sound configuration management procedure as well as an aid for troubleshooting network problems.",
866
+ "severity": "medium"
867
+ },
868
+ {
869
+ "id": "V-27293",
870
+ "title": "The network element must employ automated mechanisms to centrally verify configuration settings.",
871
+ "description": "Uncoordinated or incorrect configuration changes to network components can potentially lead to network outages and possibly compromises. Centrally managing configuration changes for network elements can ensure they are done at the correct time and if necessary in synchronization with each other which can be vital for nodes that peer and require compatible configurations. Centralized configuration management also provides visibility and tracking of enterprise level activity promoting a sound configuration management procedure as well as an aid for troubleshooting network problems.",
872
+ "severity": "medium"
873
+ },
874
+ {
875
+ "id": "V-27295",
876
+ "title": "The network element must employ automated mechanisms to respond to unauthorized changes to organization-defined configuration settings.",
877
+ "description": "Uncoordinated or incorrect configuration changes to network components can potentially lead to network outages and possibly compromises. Centrally managing configuration changes for network elements can ensure they are done at the correct time and if necessary in synchronization with each other which can be vital for nodes that peer and require compatible configurations. Centralized configuration management also provides visibility and tracking of enterprise level activity promoting a sound configuration management procedure as well as an automatic mechanism to initiate an alert when an unauthorized change has been detected.",
878
+ "severity": "medium"
879
+ },
880
+ {
881
+ "id": "V-27296",
882
+ "title": "The network element must ensure that detected unauthorized security-relevant configuration changes are tracked.",
883
+ "description": "Uncoordinated or incorrect configuration changes to network components can potentially lead to network outages and possibly compromises. Centrally managing configuration changes for network elements can ensure they are done at the correct time and if necessary in synchronization with each other which can be vital for nodes that peer and require compatible configurations. Centralized configuration management also provides visibility and tracking of enterprise level activity promoting a sound configuration management procedure as well as an automatic mechanism to track detected unauthorized security-relevant configuration changes.",
884
+ "severity": "medium"
885
+ },
886
+ {
887
+ "id": "V-27298",
888
+ "title": "The network element must not have unnecessary services and capabilities enabled.",
889
+ "description": "A compromised network element introduces risk to the entire network infrastructure as well as data resources that are accessible via the network. The perimeter defense has no oversight or control of attacks by malicious users within the network. To prevent network breaches from within is dependent on implementing a comprehensive defense-in-depth strategy including securing each device connected to it. This is accomplished by following and implementing all security guidance applicable for each node type. A fundamental step in securing each network element is to only enable the capabilities required for operation.",
890
+ "severity": "medium"
891
+ },
892
+ {
893
+ "id": "V-27301",
894
+ "title": "The network element must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and services.",
895
+ "description": "A compromised network element introduces risk to the entire network infrastructure as well as data resources that are accessible via the network. The perimeter defense has no oversight or control of attacks by malicious users within the network. To prevent network breaches from within is dependent on implementing a comprehensive defense-in-depth strategy including securing each device connected to it. This is accomplished by following and implementing all security guidance applicable for each node type. A fundamental step in securing each network element is to only enable the ports, protocols, and services required for operation.",
896
+ "severity": "medium"
897
+ },
898
+ {
899
+ "id": "V-27302",
900
+ "title": "The network element must employ automated mechanisms to prevent program execution in accordance with organization defined specifications.",
901
+ "description": "A compromised network element introduces risk to the entire network infrastructure as well as data resources accessible via the network. The perimeter defense has no oversight or control of attacks by malicious users within the network. To prevent network breaches from within is dependent on implementing a comprehensive defense-in-depth strategy including securing each device connected to it. This is accomplished by following and implementing all security guidance applicable for each node type. A fundamental step in securing each network element is to only enable the services required for operation. Any form of automatic execution should be disabled as it can easily be exploited by hackers to infect hosts with malware and viruses.",
902
+ "severity": "medium"
903
+ },
904
+ {
905
+ "id": "V-27303",
906
+ "title": "The network element must employ automated mechanisms to detect the addition of unauthorized components or devices. The monitoring may be accomplished on an ongoing basis or by the periodic scanning. Automated mechanisms can be implemented within the network element or in a separate system.",
907
+ "description": "Centrally managing configuration changes for network elements can ensure they are done at the correct time and if necessary in synchronization with each other which can be vital for nodes that peer and require compatible configurations. Centralized configuration management also provides visibility and tracking of enterprise level activity promoting a sound configuration management procedure as well as an automatic mechanism to track the status of applicable vulnerabilities. Keeping an up-to-date inventory of all network elements and their components provides the framework for the implementation of a comprehensive configuration and problem management system. An inventory of components and their features provides a mechanism for tracking vulnerabilities of effected products which can be used for automated patch management and upgrades.",
908
+ "severity": "medium"
909
+ },
910
+ {
911
+ "id": "V-27304",
912
+ "title": "The information system must implement transaction recovery for systems that are transaction-based.",
913
+ "description": "A network element will not have transactions.",
914
+ "severity": "medium"
915
+ },
916
+ {
917
+ "id": "V-27305",
918
+ "title": "The network element must support organizational requirements to conduct backups of user-level information contained in the device per organization-defined frequency that is consistent with recovery time and recovery point objectives.",
919
+ "description": "User information contained on a network element is associated to the users account and the resources the user is authorized to access. If this information becomes corrupted by hardware failures or by a malicious user, it must be restored immediately to ensure network access availability. Backing up this information is a critical step for data recovery.",
920
+ "severity": "medium"
921
+ },
922
+ {
923
+ "id": "V-27306",
924
+ "title": "The network element must support organizational requirements to conduct backups of system-level information contained in the information system per organization-defined frequency.",
925
+ "description": "System information contained on a network element contains default and customized attributes as well as software required for the execution and operation of the device. If this information becomes corrupted by hardware failures or by a malicious user, it must be restored immediately to ensure network availability. Backing up this information is a critical step for data recovery.",
926
+ "severity": "medium"
927
+ },
928
+ {
929
+ "id": "V-27307",
930
+ "title": "The network element must support organizational requirements to conduct backups of information system documentation including security-related documentation per organization-defined frequency that is consistent with recovery time and recovery point objectives.",
931
+ "description": "System information contained on a network element contains default and customized attributes as well as software required for the execution and operation of the device. If this information becomes corrupted by hardware failures or by a malicious user, it must be restored immediately to ensure network availability. Backing up this information is a critical step for data recovery.",
932
+ "severity": "medium"
933
+ },
934
+ {
935
+ "id": "V-27308",
936
+ "title": "The network element must enforce the identification and authentication of all organizational users.",
937
+ "description": "Network access control mechanisms interoperate to prevent unauthorized access and to enforce the organization’s security policy. Access to the network must be categorized as administrator, user, or guest so the appropriate authorization can be assigned to the user requesting access to the network or a network element. Authorization requires an individual account identifier that has been approved, assigned, and configured on an authentication server. Authentication of user identities is accomplished through the use of passwords, tokens, biometrics, or in the case of multi-factor authentication, some combination thereof. Lack of authentication enables anyone to gain access to the network or possibly a network element providing opportunity for intruders to compromise resources within the network infrastructure.",
938
+ "severity": "medium"
939
+ },
940
+ {
941
+ "id": "V-27309",
942
+ "title": "The network element must use multifactor authentication for network access to privileged accounts.\n",
943
+ "description": "Multifactor authentication is defined as: using two or more factors to achieve authentication. \n\nFactors include: \n(i) something you know (e.g., password/PIN); \n(ii) something you have (e.g., cryptographic identification device, token); or \n(iii) something you are (e.g., biometric). \n\nA privileged account is defined as: \nAn information system account with authorizations of a privileged user. \n\nNetwork Access is defined as: \nAccess to an information system by a user (or a process acting on behalf of a user) communicating through a network (e.g., local area network, wide area network, Internet).",
944
+ "severity": "medium"
945
+ },
946
+ {
947
+ "id": "V-27310",
948
+ "title": "The network element must use multifactor authentication for network access to non-privileged accounts.",
949
+ "description": "Multifactor authentication is defined as: using two or more factors to achieve authentication. \n\nFactors include: \n(i) something you know (e.g., password/PIN); \n(ii) something you have (e.g., cryptographic identification device, token); or \n(iii) something you are (e.g., biometric). \n\nA non-privileged account is defined as: \nAn information system account with authorizations of a regular or non-privileged user. \n\nNetwork Access is defined as: \nAccess to an information system by a user (or a process acting on behalf of a user) communicating through a network (e.g., local area network, wide area network, Internet).",
950
+ "severity": "medium"
951
+ },
952
+ {
953
+ "id": "V-27311",
954
+ "title": "The network element must use multifactor authentication for local access to privileged accounts.\n",
955
+ "description": "Multifactor authentication is defined as: using two or more factors to achieve authentication. \n\nFactors include: \n(i) something you know (e.g., password/PIN); \n(ii) something you have (e.g., cryptographic identification device, token); or \n(iii) something you are (e.g., biometric). \n\nA privileged account is defined as: An information system account with authorizations of a privileged user. \n\nLocal Access is defined as access to an organizational information system by a user (or process acting on behalf of a user) communicating through a direct connection without the use of a network.",
956
+ "severity": "medium"
957
+ },
958
+ {
959
+ "id": "V-27312",
960
+ "title": "The network element must use multifactor authentication for local access to non-privileged accounts.",
961
+ "description": "Multifactor authentication is defined as: using two or more factors to achieve authentication. \n\nFactors include: \n(i) something you know (e.g., password/PIN); \n(ii) something you have (e.g., cryptographic identification device, token); or \n(iii) something you are (e.g., biometric). \n\nA non-privileged account is defined as: An information system account with authorizations of a regular or non-privileged user. \n\nLocal Access is defined as access to an organizational information system by a user (or process acting on behalf of a user) communicating through a direct connection without the use of a network.",
962
+ "severity": "medium"
963
+ },
964
+ {
965
+ "id": "V-27313",
966
+ "title": "The network element must support organizational requirements to ensure individuals are authenticated with an individual authenticator prior to using a group authenticator.\n",
967
+ "description": "To assure individual accountability and prevent unauthorized access, organizational users shall be individually identified and authenticated. \n\nOrganizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors, guest researchers, individuals from allied nations). \n\nUsers (and any processes acting on behalf of users) need to be uniquely identified and authenticated for all accesses other than those accesses explicitly identified and documented by the organization which outlines specific user actions that can be performed on the information system without identification or authentication.",
968
+ "severity": "medium"
969
+ },
970
+ {
971
+ "id": "V-27314",
972
+ "title": "The network element must enforce multifactor authentication for network access to privileged accounts where one of the factors is provided by a device separate from the network element being accessed.",
973
+ "description": "Multifactor authentication is defined as: using two or more factors to achieve authentication. \n\nFactors include: \n(i) something you know (e.g., password/PIN); \n(ii) something you have (e.g., cryptographic identification device, token); or \n(iii) something you are (e.g., biometric). \n\nA privileged account is defined as: An information system account with authorizations of a privileged user. \n\nWhen one of the authentication factors is provided by a device that is separate from the system that is gaining access, this is referred to as \"out of band two factor authentication\". OOB2FA employs separate communication channels at least one of which is independently maintained and trusted to authenticate an end user. One channel could be a mobile device that is registered to the user. Upon a logon attempt, the system sends instructions to the device in the form of on-screen prompts that instruct the user how to complete the login process.",
974
+ "severity": "medium"
975
+ },
976
+ {
977
+ "id": "V-27315",
978
+ "title": "The network element must enforce multifactor authentication for network access to non-privileged accounts where one of the factors is provided by a device separate from the network element being accessed.",
979
+ "description": "Multifactor authentication is defined as: using two or more factors to achieve authentication. \n\nFactors include: \n(i) something you know (e.g., password/PIN); \n(ii) something you have (e.g., cryptographic identification device, token); or \n(iii) something you are (e.g., biometric). \n\nA non-privileged account is defined as: An information system account with authorizations of a regular or non-privileged user. \n\nWhen one of the authentication factors is provided by a device that is separate from the system that is gaining access, this is referred to as \"out of band 2 factor authentication\".",
980
+ "severity": "medium"
981
+ },
982
+ {
983
+ "id": "V-27316",
984
+ "title": "The network element must use organization-defined replay-resistant authentication mechanisms for network access to privileged accounts.",
985
+ "description": "Authorization for access to any network element requires an approved and assigned individual account identifier. The authenticator must be a separate device than the target device for which the individual is requesting access to. Hence all authentication credentials must be maintained on an authentication server. Messages between the authenticator and the network element validating user credentials must not be vulnerable to a replay attack possibly enabling an unauthorized user to gain access to any network element. A replay attack is a form of a network attack in which a valid session or series of IP packets is intercepted by a malicious user who at a later time transmits the packets to gain access to the target device.",
986
+ "severity": "medium"
987
+ },
988
+ {
989
+ "id": "V-27317",
990
+ "title": "The network element must use organization-defined replay-resistant authentication mechanisms for network access to non-privileged accounts.",
991
+ "description": "Authorization for access to any network element requires an approved and assigned individual account identifier. The authenticator must be a separate device than the target device for which the individual is requesting access to. Therefore, all authentication credentials must be maintained on an authentication server. Messages between the authenticator and the network element validating user credentials must not be vulnerable to a replay attack possibly enabling an unauthorized user to gain access to any network element. A replay attack is a form of a network attack in which a valid session or series of IP packets is intercepted by a malicious user who at a later time transmits the packets to gain access to the target device.",
992
+ "severity": "medium"
993
+ },
994
+ {
995
+ "id": "V-27318",
996
+ "title": "The network element must authenticate an organization-defined list of specific devices by device type before establishing a connection.",
997
+ "description": "A network element must have a level of trust with any node wanting to connect to it. The remote node could be a host device requiring a layer 2 connection to the network or a router wanting to peer as a neighbor and establish a connection to exchange control plane and forwarding plane traffic. A network control plane is comprised of routing, signaling, and link management protocols; all used to establish the forwarding paths required by the data plane. Disrupting the flow of this information or injecting false information breaks down the integrity or believability of path information.",
998
+ "severity": "medium"
999
+ },
1000
+ {
1001
+ "id": "V-27319",
1002
+ "title": "The network element must authenticate devices before establishing remote network connections using bidirectional authentication between cryptographically based devices.",
1003
+ "description": "A network element must have a level of trust with any node wanting to connect to it. The remote node could be a host device requiring a layer 2 connection to the network or a router wanting to peer as a neighbor and establish a connection to exchange control plane and forwarding plane traffic. A network control plane is comprised of routing, signaling, and link management protocols; all used to establish the forwarding paths required by the data plane. Disrupting the flow of this information or injecting false information breaks down the integrity or believability of path information. To safeguard these connections it is imperative the connecting device authenticate itself prior to granting access. In the case of peering neighbors, the authentication must be bidirectional. Regardless of the paradigm, authentication must use a form of cryptography to ensure a high level of trust and authenticity.",
1004
+ "severity": "medium"
1005
+ },
1006
+ {
1007
+ "id": "V-27320",
1008
+ "title": "The network element must authenticate devices before establishing wireless network connections using bidirectional authentication between cryptographically based devices.",
1009
+ "description": "Without authentication, an unauthorized user can easily connect to a nearby access-point (AP) within the enclave. In addition, a rogue AP owned by an attacker can accept connections from wireless stations enabling it to intercept traffic and initiate man-in-the-middle attacks before allowing traffic to flow to the intended host. Hence, it is imperative that authentication is bi-directional using cryptography to ensure a high level of trust and authenticity.",
1010
+ "severity": "medium"
1011
+ },
1012
+ {
1013
+ "id": "V-27330",
1014
+ "title": "The network element must authenticate devices before establishing network connections using bidirectional authentication between cryptographically based devices.",
1015
+ "description": "A network element must have a level of trust with any node wanting to connect to it. The remote node could be a host device requiring a layer 2 connection to the network or a router wanting to peer as a neighbor and establish a connection to exchange control plane and forwarding plane traffic. A network control plane is comprised of routing, signaling, and link management protocols; all used to establish the forwarding paths required by the data plane. Disrupting the flow of this information or injecting false information breaks down the integrity or believability of path information. To safeguard these connections it is imperative the connecting device authenticate itself prior to granting access. In the case of peering neighbors, the authentication must be bidirectional. Regardless of the paradigm, authentication must use a form of cryptography to ensure a high level of trust and authenticity.",
1016
+ "severity": "medium"
1017
+ },
1018
+ {
1019
+ "id": "V-27331",
1020
+ "title": "The network element must dynamically manage identifiers, attributes, and associated access authorizations to enable user access to the network with the appropriate and authorized privileges. ",
1021
+ "description": "Web services are web applications that provide a method of communication between two or more different electronic devices. They are normally used by applications to provide each other with data. \n\nThe W3C defines a web service as;\n\"a software system designed to support interoperable machine to machine interaction over a network. It has an interface described in a machine processable format (specifically Web Services Description Language or WSDL). Other systems interact with the web service in a manner prescribed by its description using SOAP messages typically conveyed using HTTP with an XML serialization in conjunction with other web-related standards\".\n\nWeb services provide different challenges in managing access than what is presented by typical user based applications. In contrast to conventional access control approaches which employ static information system accounts and predefined sets of user privileges, many service-oriented architecture implementations rely on run time access control decisions facilitated by dynamic privilege management. While user identities remain relatively constant over time, user privileges may change more frequently based on the ongoing mission/business requirements and operational needs of the organization. \n\nIn contrast to conventional approaches to identification and authentication which employ static information system accounts for preregistered users, many service-oriented architecture implementations rely on establishing identities at run time for entities that were previously unknown. Dynamic establishment of identities and association of attributes and privileges with these identities are anticipated and provisioned. Pre-established trust relationships and mechanisms with appropriate authorities to validate identities and related credentials are essential.",
1022
+ "severity": "medium"
1023
+ },
1024
+ {
1025
+ "id": "V-27332",
1026
+ "title": "The network element must support organizational requirements to disable the user identifiers after an organization-defined time period of inactivity.",
1027
+ "description": "Inactive user accounts pose a risk to systems and applications. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. Attackers that are able to exploit an inactive account can potentially obtain and maintain undetected access to the operating system. Operating systems need to track periods of user inactivity and disable accounts after an organization-defined period of inactivity. Such a process greatly reduces the risk that accounts will be misused, hijacked, or data compromised.",
1028
+ "severity": "medium"
1029
+ },
1030
+ {
1031
+ "id": "V-27333",
1032
+ "title": "The network element must enforce minimum password length.",
1033
+ "description": "Authorization for access to any network element requires an approved and assigned individual account identifier. To ensure only the assigned individual is using the account, the account holder must create a strong password that is privately maintained and changed based on the organization-defined frequency. Password strength is a measure of the effectiveness of a password in resisting guessing, dictionary attacks, as well as, brute-force attacks. Password length is one factor in determining password strength. Use of a longer password string will exponentially increase the time and/or resources required to compromise the password.",
1034
+ "severity": "medium"
1035
+ },
1036
+ {
1037
+ "id": "V-27334",
1038
+ "title": "The network element must prohibit password reuse for the organization-defined number of generations.",
1039
+ "description": "Authorization for access to any network element requires an approved and assigned individual account identifier. To ensure only the assigned individual is using the account, the account holder must create a strong password that is privately maintained and changed based on the organization-defined frequency. A password must have an expiration date to limit the amount of time a compromised password can be used by a malicious user.",
1040
+ "severity": "medium"
1041
+ },
1042
+ {
1043
+ "id": "V-27335",
1044
+ "title": "The network element must enforce password complexity by the number of upper case characters used.",
1045
+ "description": "Authorization for access to any network element requires an approved and assigned individual account identifier. To ensure only the assigned individual is using the account, the account holder must create a strong password that is privately maintained and changed based on the organization-defined frequency. Password strength is a measure of the effectiveness of a password in resisting guessing, dictionary attacks, as well as, brute-force attacks. Combination of upper case, lower case, numbers, and special characters enhances the complexity of the password string.",
1046
+ "severity": "medium"
1047
+ },
1048
+ {
1049
+ "id": "V-27336",
1050
+ "title": "The network element must enforce password complexity by the number of lower case characters used.",
1051
+ "description": "Authorization for access to any network element requires an approved and assigned individual account identifier. To ensure only the assigned individual is using the account, the account holder must create a strong password that is privately maintained and changed based on the organization-defined frequency. Password strength is a measure of the effectiveness of a password in resisting guessing, dictionary attacks, as well as, brute-force attacks. Combination of upper case, lower case, numbers, and special characters enhances the complexity of the password string.",
1052
+ "severity": "medium"
1053
+ },
1054
+ {
1055
+ "id": "V-27337",
1056
+ "title": "The network element must enforce password complexity by the number of numeric characters used.",
1057
+ "description": "Authorization for access to any network element requires an approved and assigned individual account identifier. To ensure only the assigned individual is using the account, the account holder must create a strong password that is privately maintained and changed based on the organization-defined frequency. Password strength is a measure of the effectiveness of a password in resisting guessing, dictionary attacks, as well as, brute-force attacks. Combination of upper case, lower case, numbers, and special characters enhances the complexity of the password string.",
1058
+ "severity": "medium"
1059
+ },
1060
+ {
1061
+ "id": "V-27339",
1062
+ "title": "The network element must enforce the number of characters changed when passwords are changed.",
1063
+ "description": "Authorization for access to any network element requires an approved and assigned individual account identifier. To ensure only the assigned individual is using the account, the account holder must create a strong password that is privately maintained and changed based on the organization-defined frequency. Password strength is a measure of the effectiveness of a password in resisting guessing, dictionary attacks, as well as, brute-force attacks. It is imperative when changing the password it results in a password not similar to the previous password.",
1064
+ "severity": "medium"
1065
+ },
1066
+ {
1067
+ "id": "V-27340",
1068
+ "title": "The network element must enforce password encryption for storage.",
1069
+ "description": "Authorization for access to any network element requires an approved and assigned individual account identifier. To ensure only the assigned individual is using the account, the account holder must create a strong password that is privately maintained and changed based on the organization-defined frequency. Password strength is a measure of the effectiveness of a password in resisting guessing, dictionary attacks, as well as, brute-force attacks. Network elements can be compromised by personnel with physical access to the communication room. It is imperative for passwords to be stored encrypted, so they cannot be viewed by unauthorized staff.",
1070
+ "severity": "medium"
1071
+ },
1072
+ {
1073
+ "id": "V-27341",
1074
+ "title": "The network element must enforce password encryption for transmission.",
1075
+ "description": "Authorization for access to any network element requires an approved and assigned individual account identifier. To ensure only the assigned individual is using the account, the account holder must create a strong password that is privately maintained and changed based on the organization-defined frequency. Network elements can be compromised by personnel with access to the network. Passwords sent in the clear can be intercepted and used by unauthorized personnel to gain administrative access to network elements. It is imperative to encrypt passwords before transmitting during any authentication process.",
1076
+ "severity": "medium"
1077
+ },
1078
+ {
1079
+ "id": "V-27342",
1080
+ "title": "The network element must enforce minimum password lifetime restrictions.",
1081
+ "description": "Authorization for access to any network element requires an approved and assigned individual account identifier. To ensure only the assigned individual is using the account, the account holder must create a strong password that is privately maintained and changed based on the organization-defined frequency. Password strength is a measure of the effectiveness of a password in resisting guessing, dictionary attacks, as well as, brute-force attacks. A password must have an expiration date to limit the amount of time a compromised password can be used by a malicious user. However, changing the password too frequently may result in the user changing a small portion of the password, or the user could mishandle the password in an attempt to remember the new password.",
1082
+ "severity": "medium"
1083
+ },
1084
+ {
1085
+ "id": "V-27343",
1086
+ "title": "The network element must enforce maximum password lifetime restrictions.",
1087
+ "description": "Authorization for access to any network element requires an approved and assigned individual account identifier. To ensure only the assigned individual is using the account, the account holder must create a strong password that is privately maintained and changed based on the organization-defined frequency. Password strength is a measure of the effectiveness of a password in resisting guessing, dictionary attacks, as well as, brute-force attacks. A password must have an expiration date to limit the amount of time a compromised password can be used by a malicious user.",
1088
+ "severity": "medium"
1089
+ },
1090
+ {
1091
+ "id": "V-27344",
1092
+ "title": "The network element must validate certificates used for PKI-based authentication by constructing a certification path with status information to an accepted trust anchor.",
1093
+ "description": "A trust anchor is an authoritative entity represented via a public key. Within a chain of trust, the top entity to be trusted is the \"root certificate\" or \"trust anchors\" such as a Certification Authority (CA). A certification path starts with the Subject certificate and proceeds through a number of intermediate certificates up to a trusted root certificate, typically issued by a trusted CA. Path validation is necessary for a relying party to make an informed trust decision when presented with any certificate not already explicitly trusted.",
1094
+ "severity": "medium"
1095
+ },
1096
+ {
1097
+ "id": "V-27345",
1098
+ "title": "The network element must enforce authorized access to the corresponding private key for PKI-based authentication.",
1099
+ "description": "The principle factor of PKI implementation is the private key used to encrypt or digitally sign information. If the private key is discovered, an attacker can use the key to authenticate as an authorized user and gain access to the network infrastructure.",
1100
+ "severity": "medium"
1101
+ },
1102
+ {
1103
+ "id": "V-27346",
1104
+ "title": "The network element must map the authenticated identity to the user account for PKI-based authentication.",
1105
+ "description": "Authorization for access to any network element requires an approved and assigned individual account identifier. To ensure that only the assigned individual is using the account, the account must be bound to a user certificate when PKI-based authentication is implemented.",
1106
+ "severity": "medium"
1107
+ },
1108
+ {
1109
+ "id": "V-27347",
1110
+ "title": "The network element must obscure feedback of authentication information during the authentication process to protect the information from possible use by unauthorized individuals.",
1111
+ "description": "Authorization for access to any network element requires an approved and assigned individual account identifier. To ensure that only the assigned individual is using the account, the account holder must create a strong password that is privately maintained and changed based on the organization-defined frequency. During the authentication process, malicious users can gain knowledge of passwords during authentication process by sniffing local traffic between the network element and the authentication server or even walking by a user logging on and viewing what had been keyed in. It is imperative the network element prevents any form of authentication feedback that can be used to learn account passwords.",
1112
+ "severity": "medium"
1113
+ },
1114
+ {
1115
+ "id": "V-27348",
1116
+ "title": "The network element must use mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.",
1117
+ "description": "Network elements not protected with strong passwords provide the opportunity for anyone to crack the password thus gaining access to the system and the network. All passwords must be kept and known only by the account user who created the password. Malicious users can gain knowledge of passwords during authentication process by sniffing local traffic between the network element and the authentication server. It is imperative the authentication process implements cryptographic modules adhering to the higher standards approved by the federal government.",
1118
+ "severity": "medium"
1119
+ },
1120
+ {
1121
+ "id": "V-27349",
1122
+ "title": "The network element must uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users.",
1123
+ "description": "Non-organizational users shall be uniquely identified and authenticated for all accesses other than those accesses explicitly identified and documented by the organization when related to the use of anonymous access. Network access control mechanisms interoperate to prevent unauthorized access and to enforce the organizations security policy. Access to the network must be categorized as administrator, user, or guest so that the appropriate authorization can be assigned to the user requesting access to the network or a network element. Authorization requires an individual account identifier that has been approved, assigned, and configured on an authentication server. Authentication of user identities is accomplished through the use of passwords, tokens, biometrics, or in the case of multifactor authentication, some combination thereof. Lack of authentication enables anyone to gain access to the network or possibly a network element that provides opportunity for intruders to compromise resources within the network infrastructure. By identifying and authenticating non-organizational users, their access to network resources can be restricted accordingly.",
1124
+ "severity": "medium"
1125
+ },
1126
+ {
1127
+ "id": "V-27350",
1128
+ "title": "The network element must be configured to automatically disable the device if any of the organization-defined list of security violations are detected.",
1129
+ "description": "To reduce or eliminate the risk of the network or the network element itself to be compromised, the device must be configured to disable itself depending on the violation or when it is not able to contain or thwart an attack.",
1130
+ "severity": "medium"
1131
+ },
1132
+ {
1133
+ "id": "V-27351",
1134
+ "title": "The network element must employ automated mechanisms to assist in the tracking of security incidents.",
1135
+ "description": "Despite the investment in perimeter defense technologies, enclaves are still faced with detecting, analyzing, and remediating network breaches and exploits that have made it past the firewall. An automated incident response infrastructure allows network operations to immediately react to incidents by identifying, analyzing, and mitigating any compromised network or network elements. Incident response teams can perform root cause analysis, determine how the exploit proliferated, identify all affected nodes, as well as, contain and eliminate the threat.",
1136
+ "severity": "medium"
1137
+ },
1138
+ {
1139
+ "id": "V-27352",
1140
+ "title": "The organization must check all media containing diagnostic and test programs for malicious code before the media are used in the information system.",
1141
+ "description": "This requirement is to ensure that the media containing the application is scanned for malicious code prior to use. Hence, this would not be specific to a network element as it is a procedure for validate the media before it is used by an information system.",
1142
+ "severity": "medium"
1143
+ },
1144
+ {
1145
+ "id": "V-27353",
1146
+ "title": "The network element must automate mechanisms to restrict the use of maintenance tools to authorized personnel only.",
1147
+ "description": "With the growth of widespread network-delivered malware infections, organizations tend to overlook the spread of malware from system to system through removable media. Once an infected media is connected to the information system, any worms on it will spread through the system. Maintenance tools connecting to a network element for diagnostics could be carrying malware; therefore, their use must be restricted to authorized personnel.",
1148
+ "severity": "medium"
1149
+ },
1150
+ {
1151
+ "id": "V-27354",
1152
+ "title": "The network element must log non-local maintenance and diagnostic sessions.",
1153
+ "description": "Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, what attempted to be done, where it was done, when it was done, and by whom in order to compile an accurate risk assessment. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured network element. For sound configuration management, it is imperative events associated with a non-local administrative access or diagnostic session be logged.",
1154
+ "severity": "medium"
1155
+ },
1156
+ {
1157
+ "id": "V-27355",
1158
+ "title": "The network element must protect non-local maintenance sessions through the use of multifactor authentication.",
1159
+ "description": "Lack of authentication enables anyone to gain access to the network or possibly a network element that provides opportunity for intruders to compromise resources within the network infrastructure. Network access control mechanisms interoperate to prevent unauthorized access and to enforce the organizations security policy. Authorization for access to any network element requires an individual account identifier that has been approved, assigned, and configured on an authentication server. Authentication of all administrator accounts for all privilege levels must be accomplished using two or more factors that include the following:\n\n(i) something you know (e.g., password/PIN); \n(ii) something you have (e.g., cryptographic identification device, token); or \n(iii) something you are (e.g., biometric).",
1160
+ "severity": "medium"
1161
+ },
1162
+ {
1163
+ "id": "V-27358",
1164
+ "title": "The organization (or information system) must enforce explicit rules governing the installation of software by users.",
1165
+ "description": "Installation of software cannot be done on network appliances. Restrictions for any of the servers (NTP, syslog, AAA, etc.) would be covered under the OS SRG.",
1166
+ "severity": "medium"
1167
+ },
1168
+ {
1169
+ "id": "V-27359",
1170
+ "title": "The information system must not share resources used to interface with systems operating at different security levels.",
1171
+ "description": "A network element will not be interfacing with domains at different security levels.",
1172
+ "severity": "medium"
1173
+ },
1174
+ {
1175
+ "id": "V-27360",
1176
+ "title": "The information system must fail securely in the event of an operational failure of a boundary protection device.",
1177
+ "description": "Network elements cannot be taken down as a result of any upstream security violations or failures. If a network at the edge shuts down -- traffic will not enter nor exit.",
1178
+ "severity": "medium"
1179
+ },
1180
+ {
1181
+ "id": "V-27361",
1182
+ "title": "The information system must prevent remote devices that have established a non-remote connection with the system from communicating outside of the communications path with resources in external networks.",
1183
+ "description": "There is no way a network element connected to another node (via non-remote connection) is able to prevent one node from communicating to another node in an external network because the path may not necessarily be through the subject network element.",
1184
+ "severity": "medium"
1185
+ },
1186
+ {
1187
+ "id": "V-27363",
1188
+ "title": "The information system or supporting environment must block both inbound and outbound traffic between instant messaging clients independently configured by end users and external service providers.",
1189
+ "description": "There are no network elements within the network infrastructure that are collaborative computing devices.",
1190
+ "severity": "medium"
1191
+ },
1192
+ {
1193
+ "id": "V-27365",
1194
+ "title": "The organization must prohibit remote activation of collaborative computing devices excluding the organization-defined exceptions where remote activation is allowed.",
1195
+ "description": "There are no network elements within the network infrastructure that are collaborative computing devices.",
1196
+ "severity": "medium"
1197
+ },
1198
+ {
1199
+ "id": "V-27366",
1200
+ "title": "The organization must ensure the development of mobile code being deployed in information systems meeting organization-defined mobile code requirements.",
1201
+ "description": "Development of mobile code is not applicable to network elements.",
1202
+ "severity": "medium"
1203
+ },
1204
+ {
1205
+ "id": "V-27367",
1206
+ "title": "The network element must prevent the download of prohibited mobile code.",
1207
+ "description": "Decisions regarding the employment of mobile code within network elements are based on the potential for the code to cause damage to the system if used maliciously. Mobile code technologies include, for example, Java, JavaScript, ActiveX, PDF, Postscript, Shockwave movies, Flash animations, and VBScript.",
1208
+ "severity": "medium"
1209
+ },
1210
+ {
1211
+ "id": "V-27369",
1212
+ "title": "The network element must protect non-local maintenance sessions by separating the maintenance session from other network sessions with the device by either physically separated communications paths, or logically separated communications paths based upon encryption.",
1213
+ "description": "Network management is the process of monitoring network elements and links, configuring network elements, and enabling network services. Network management also includes the collection of performance, diagnostics, and other relevant data about each element to ensure availability and that services are being delivered to meet or exceed service level agreements. Whether a network is being managed locally or from a Network Operations Center (NOC), achieving network management objectives depends on comprehensive and reliable network management solutions. From an architectural perspective, implementing out-of-band (OOB) management for network elements is a best practice and the first step in the deployment of a management network. OOBM networks isolate network users from communication channels dedicated to network management and thereby provide traffic separation to increase security for all network management activities. The management network should have a direct link with local connection to the managed network elements. Where this is not possible, the management traffic can traverse over the production network or transient IP backbone via private encrypted tunnel.",
1214
+ "severity": "medium"
1215
+ },
1216
+ {
1217
+ "id": "V-27370",
1218
+ "title": "The network element must employ cryptographic mechanisms to protect the integrity and confidentiality of non-local maintenance and diagnostic communications.",
1219
+ "description": "Network management is the process of monitoring network elements and links, configuring network elements, and enabling network services. Network management also includes the collection of performance, diagnostics, and other relevant data about each element to ensure availability and that services are being delivered to meet or exceed service level agreements. Whether a network is being managed locally or from a Network Operations Center (NOC), achieving network management objectives depends on comprehensive and reliable network management solutions. To protect the integrity and confidentiality of non-local maintenance and diagnostics, all packets associated with these sessions must be encrypted.",
1220
+ "severity": "medium"
1221
+ },
1222
+ {
1223
+ "id": "V-27371",
1224
+ "title": "The network element must prevent the automatic execution of mobile code in organization-defined software applications and requires organization-defined actions prior to executing the code.",
1225
+ "description": "Decisions regarding the employment of mobile code within network elements are based on the potential for the code to cause damage to the system if used maliciously. Mobile code technologies include, for example, Java, JavaScript, ActiveX, PDF, Postscript, Shockwave movies, Flash animations, and VBScript.",
1226
+ "severity": "medium"
1227
+ },
1228
+ {
1229
+ "id": "V-27372",
1230
+ "title": "The network element must enforce identification and authentication for the establishment of non-local maintenance and diagnostic sessions.",
1231
+ "description": "Lack of authentication enables anyone to gain access to the network or possibly a network element providing opportunity for intruders to compromise resources within the network infrastructure. Network access control mechanisms interoperate to prevent unauthorized access and to enforce the organizations security policy. Authorization for access to any network element to perform maintenance and diagnostics requires an individual account identifier that has been approved, assigned, and configured on an authentication server. Authentication of non-local maintenance and diagnostics sessions must be accomplished through two-factor authentication via the combination of passwords, tokens, and biometrics.",
1232
+ "severity": "medium"
1233
+ },
1234
+ {
1235
+ "id": "V-27373",
1236
+ "title": "The network element must employ malicious code protection mechanisms at workstations, servers, or mobile computing devices on the network to detect and eradicate malicious code transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means.",
1237
+ "description": "Malicious code includes viruses, worms, Trojan horses, and spyware. The code provides the ability for a malicious user to read from and write to files and folders on a computer's hard drive. They also have the ability to run and attach programs, which provides a high risk potential for the distribution of malicious mobile code. Malicious code can be transported by electronic mail, mail attachments, Web accesses, and removable media.",
1238
+ "severity": "medium"
1239
+ },
1240
+ {
1241
+ "id": "V-27374",
1242
+ "title": "The network element must terminate all sessions when non-local maintenance is completed.",
1243
+ "description": "In the event the remote node has abnormally terminated or an upstream link from the managed device is down, the management session will be terminated; thereby, freeing device resources and eliminating any possibility of an unauthorized user being orphaned to an open idle session of the managed device.",
1244
+ "severity": "medium"
1245
+ },
1246
+ {
1247
+ "id": "V-27375",
1248
+ "title": "The network element must use cryptographic mechanisms to protect and restrict access to information on portable digital media.",
1249
+ "description": "When data is written to portable digital media, there is risk of loss of data along with integrity and data confidentiality. An organizational assessment of risk guides the selection of media and associated information contained on the media requiring restricted access. Organizations document in policy and procedures, the media requiring restricted access, individuals authorized to access the media, and the specific measures taken to restrict access. Fewer protection measures are needed for media containing information determined by the organization to be in the public domain, to be publicly releasable, or to have limited or no adverse impact if accessed by other than authorized personnel. In these situations, it is assumed the physical access controls where the media resides provide adequate protection.",
1250
+ "severity": "medium"
1251
+ },
1252
+ {
1253
+ "id": "V-27376",
1254
+ "title": "The network element must employ cryptographic mechanisms to protect information in storage.",
1255
+ "description": "When data is written to digital media, there is risk of loss of data along with integrity and data confidentiality. An organizational assessment of risk guides the selection of media and associated information contained on the media requiring physical protection. Fewer protection measures are needed for media containing information determined by the organization to be in the public domain, to be publicly releasable, or to have limited or no adverse impact on the organization or individuals if accessed by other than authorized personnel. In these situations, it is assumed the physical access controls to the facility where the media resides provide adequate protection. \n\nAs part of a defense-in-depth strategy, the organization considers routinely encrypting information at rest on selected secondary storage devices. The employment of cryptography is at the discretion of the information owner/steward. The selection of the cryptographic mechanisms used is based upon maintaining the confidentiality and integrity of the information. The strength of mechanisms is commensurate with the classification and sensitivity of the information.\n",
1256
+ "severity": "medium"
1257
+ },
1258
+ {
1259
+ "id": "V-27377",
1260
+ "title": "The information system must provide additional data origin and integrity artifacts along with the authoritative data the system returns in response to name/address resolution queries.",
1261
+ "description": "Secure Name/Address Resolution Service family is not applicable. DNS is covered under the Application SRG.",
1262
+ "severity": "medium"
1263
+ },
1264
+ {
1265
+ "id": "V-27378",
1266
+ "title": "The network element must employ automated mechanisms to detect the presence of unauthorized software on organizational information systems and notify designated organizational officials in accordance with the organization-defined frequency.",
1267
+ "description": "Malicious software such as Trojan horses, hacker tools, DDoS (Distributed Denial of Service) agents, and spyware can establish a base on individual desktops and servers. Many of these are not detected by anti-virus software or even host intrusion detection systems. Once they have residency within the network, unauthorized users are able to breach firewalls and access sensitive data by assuming the identity of authorized users. The goal of running vulnerability assessment scans is to identify devices on your network that are open to known vulnerabilities.",
1268
+ "severity": "medium"
1269
+ },
1270
+ {
1271
+ "id": "V-27379",
1272
+ "title": "The network element must separate user traffic from network management traffic.",
1273
+ "description": "Network management is the process of monitoring network elements and links, configuring network elements to turn up and disable network services, the collection of performance, diagnostics, and other relevant data about each element to ensure availability and that services are being delivered to meet or exceed service level agreements. Whether a network is being managed locally or from a Network Operations Center (NOC), achieving network management objectives depends on comprehensive and reliable network management solutions. From an architectural perspective, implementing out-of-band (OOB) management for network elements is a best practice and the first step in the deployment of a management network. OOBM networks isolate network users from communication channels dedicated to network management and thereby provide traffic separation to increase security for all network management activities.",
1274
+ "severity": "medium"
1275
+ },
1276
+ {
1277
+ "id": "V-27380",
1278
+ "title": "The network element must prevent the exposure of network management traffic onto a user or production network.",
1279
+ "description": "Network management is the process of monitoring network elements and links, configuring network elements to turn up and disable network services, the collection of performance, diagnostics, and other relevant data about each element to ensure availability and that services are being delivered to meet or exceed service level agreements. Whether a network is being managed locally or from a Network Operations Center (NOC), achieving network management objectives depends on comprehensive and reliable network management solutions. From an architectural perspective, implementing out of band (OOB) management for network elements is a best practice and the first step in the deployment of a management network. OOBM networks isolate network users from communication channels dedicated to network management and thereby provide traffic separation to increase security for all network management activities. A network element must be configured to prevent the leak of management traffic into the production network and vice versa.",
1280
+ "severity": "medium"
1281
+ },
1282
+ {
1283
+ "id": "V-27381",
1284
+ "title": "The network element must isolate security functions from non-security functions.",
1285
+ "description": "The network element isolates security functions from non-security functions by means of an isolation boundary (implemented via partitions and domains) controlling access to and protects the integrity of, the hardware, software, and firmware performing those security functions. The network element maintains a separate execution domain (e.g., address space) for each executing process.",
1286
+ "severity": "medium"
1287
+ },
1288
+ {
1289
+ "id": "V-27383",
1290
+ "title": "The network element must update malicious code protection mechanisms and signature definitions whenever new releases are available in accordance with organizational configuration management policy and procedures.",
1291
+ "description": "Malicious code includes viruses, worms, Trojan horses, and spyware. The code provides the ability for a malicious user to read from and write to files and folders on a computer's hard drive. They also have the ability to run and attach programs, which provides a high risk potential for the distribution of malicious mobile code. Malicious code can be transported by electronic mail, mail attachments, Web accesses, and removable media.",
1292
+ "severity": "medium"
1293
+ },
1294
+ {
1295
+ "id": "V-27384",
1296
+ "title": "The network element must isolate security functions enforcing access and information flow control from both non-security functions and from other security functions.",
1297
+ "description": "The network element isolates security functions from non-security functions by means of an isolation boundary (implemented via partitions and domains) controlling access to and protects the integrity of, the hardware, software, and firmware performing those security functions. The network element maintains a separate execution domain (e.g., address space) for each executing process.",
1298
+ "severity": "medium"
1299
+ },
1300
+ {
1301
+ "id": "V-27385",
1302
+ "title": "The network element must fail to an organization-defined known-state for organization-defined types of failures.",
1303
+ "description": "Failure in a known state can address safety or security in accordance with the mission needs of the organization. Failure in a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system.",
1304
+ "severity": "medium"
1305
+ },
1306
+ {
1307
+ "id": "V-27386",
1308
+ "title": "The network element must provide the means to indicate the security status of child subspaces and (if the child supports secure resolution services) enable verification of a chain of trust among parent and child domains when operating as part of a distributed, hierarchical namespace.",
1309
+ "description": "This control enables remote clients to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service.\n\nA domain name system (DNS) server is an example of an information system that provides name/address resolution service. Digital signatures and cryptographic keys are examples of additional artifacts. DNS resource records are examples of authoritative data. \n\nNetwork Elements that use technologies other than the DNS to map between host/service names and network addresses provide other means to assure the authenticity and integrity of response data. The DNS security controls are consistent with, and referenced from, OMB Memorandum 08-23.",
1310
+ "severity": "medium"
1311
+ },
1312
+ {
1313
+ "id": "V-27387",
1314
+ "title": "The network element must implement isolation boundary to minimize the number of non-security functions included within the boundary containing security functions.",
1315
+ "description": "The network element isolates security functions from non-security functions by means of an isolation boundary (implemented via partitions and domains) controlling access to and protects the integrity of, the hardware, software, and firmware performing those security functions. The network element maintains a separate execution domain (e.g., address space) for each executing process.",
1316
+ "severity": "medium"
1317
+ },
1318
+ {
1319
+ "id": "V-27389",
1320
+ "title": "The network element must preserve organization-defined system state information in the event of a system failure.",
1321
+ "description": "Failure in a known state can address safety or security in accordance with the mission needs of the organization. Failure in a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system. Preserving system state information facilitates system restart and return to the operational mode of the organization with less disruption of the network.",
1322
+ "severity": "medium"
1323
+ },
1324
+ {
1325
+ "id": "V-27390",
1326
+ "title": "The network element must implement security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers.",
1327
+ "description": "The network element isolates security functions from non-security functions by means of an isolation boundary (implemented via partitions and domains) controlling access to and protects the integrity of, the hardware, software, and firmware performing those security functions. The network element maintains a separate execution domain (e.g., address space) for each executing process.",
1328
+ "severity": "medium"
1329
+ },
1330
+ {
1331
+ "id": "V-27391",
1332
+ "title": "The network element must prevent unauthorized and unintended information transfer via shared system resources.",
1333
+ "description": "The purpose of this control is to prevent information produced by the actions of a prior user, role, or the actions of a process acting on behalf of a prior user/role from being available to any current user, role, or current process obtaining access to a shared system resource (e.g., registers, main memory, secondary storage) after the resource has been released back to the network element. Control of information in shared resources is also referred to as object reuse.",
1334
+ "severity": "medium"
1335
+ },
1336
+ {
1337
+ "id": "V-27392",
1338
+ "title": "The network element must employ malicious code protection mechanisms to perform periodic scans of the information system on an organization-defined frequency.",
1339
+ "description": "Malicious code includes viruses, worms, Trojan horses, and spyware. The code provides the ability for a malicious user to read from and write to files and folders on a computer's hard drive. They also have the ability to run and attach programs, which provides a high risk potential for the distribution of malicious mobile code. Many of these are not detected by anti-virus software or even host intrusion detection systems. Once they have residency within the network, unauthorized users are able to breach firewalls and access sensitive data by assuming the identity of authorized users. Vulnerability assessment scans must be performed on a regular basis to identify devices that are vulnerable or have already been breached by malicious code.",
1340
+ "severity": "medium"
1341
+ },
1342
+ {
1343
+ "id": "V-27393",
1344
+ "title": "The network element must protect against or limits the effects of Denial of Service (DoS) attacks.",
1345
+ "description": "A network element experiencing a DoS attack will not be able to handle production traffic load. The high utilization and CPU caused by a DoS attack will also have an effect on control keep-alives and timers used for neighbor peering resulting in route flapping and eventually black hole production traffic. The device must be configured to thwart, counter, or prevent such attacks.",
1346
+ "severity": "medium"
1347
+ },
1348
+ {
1349
+ "id": "V-27394",
1350
+ "title": "The network element must include components to proactively seek to identify web-based malicious code.",
1351
+ "description": "A honeypot simulates multiple platforms and services used to attract and contain the attackers. \nTo the attacker, it appears to be part of a production network providing services. A honeypot can be one or more hosts deployed within a DMZ or screened sub-net. Honeypots can be used for surveillance, as an early-warning tool, to discover security weaknesses, and to help assess threats. They also will tie up an attacker's resources as they burn time and effort. Honeypots should have no production value, and should not see any legitimate traffic or activity. Whatever they capture is malicious or unauthorized traffic.",
1352
+ "severity": "medium"
1353
+ },
1354
+ {
1355
+ "id": "V-27395",
1356
+ "title": "The network element must restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.",
1357
+ "description": "A network element experiencing a DoS attack will not be able to handle production traffic load. The high utilization and CPU caused by a DoS attack will also have an effect on control keep-alives and timers used for neighbor peering resulting in route flapping and eventually black hole production traffic. The device must be configured to block such attacks.",
1358
+ "severity": "medium"
1359
+ },
1360
+ {
1361
+ "id": "V-27396",
1362
+ "title": "The network element must manage excess bandwidth to limit the effects of packet flooding types of Denial of Service (DoS) attacks.",
1363
+ "description": "A network element experiencing a DoS attack will not be able to handle production traffic load. The high utilization and CPU caused by a DoS attack will also have an effect on control keep-alives and timers used for neighbor peering resulting in route flapping and eventually black hole production traffic. The device must be configured to contain and limit a DoS attack’s effect on the device’s resource utilization.",
1364
+ "severity": "medium"
1365
+ },
1366
+ {
1367
+ "id": "V-27397",
1368
+ "title": "The network element must protect the confidentiality and integrity of system information at rest.",
1369
+ "description": "This control is intended to address the confidentiality and integrity of system information at rest when it is located on a secondary storage device within the network element. It is imperative that system data that is generated as well as device configuration data is protected.",
1370
+ "severity": "medium"
1371
+ },
1372
+ {
1373
+ "id": "V-27398",
1374
+ "title": "The network element must limit and reserve bandwidth based on priority of the traffic type.",
1375
+ "description": "Different applications have unique requirements and toleration levels for delay, jitter, bandwidth, packet loss, and availability. To manage the multitude of applications and services, a network requires a Quality of Service (QoS) framework to differentiate traffic and provide a method to avoid and manage network congestion. When network congestion occurs, all traffic has an equal chance of being dropped. A QoS implementation categorizes network traffic into classes and provides priority treatment based on the classification.",
1376
+ "severity": "medium"
1377
+ },
1378
+ {
1379
+ "id": "V-27399",
1380
+ "title": "The network element must check inbound traffic to ensure that the communications are coming from an authorized source and routed to an authorized destination.",
1381
+ "description": "Spoofing source addresses occurs when a malicious user outside the network has created packets with source address belonging to the private address space of the target network. This is done in an attempt to slip through perimeter as a member host to gain access to internal resources or to conceal identity to perform an attack. It is imperative that all inbound and outbound traffic with spoofed or invalid source addresses are blocked.",
1382
+ "severity": "medium"
1383
+ },
1384
+ {
1385
+ "id": "V-27400",
1386
+ "title": "The network element must provide the means to indicate the security status of child subspaces and (if the child supports secure resolution services) enable verification of a chain of trust among parent and child domains when operating as part of a distributed, hierarchical namespace.",
1387
+ "description": "A recursive resolving or caching domain name system (DNS) server is an example of an information system that provides name/address resolution service for local clients. \n\nAuthoritative DNS servers are examples of authoritative sources. Network elements that use technologies other than the DNS to map between host/service names and network addresses provide other means to enable clients to verify the authenticity and integrity of response data.",
1388
+ "severity": "medium"
1389
+ },
1390
+ {
1391
+ "id": "V-27401",
1392
+ "title": "The network element must employ cryptographic mechanisms to prevent unauthorized disclosure of information at rest unless otherwise protected by alternative physical measures.",
1393
+ "description": "This control is intended to address the confidentiality and integrity of system information at rest when it is located on a secondary storage device within the network element. It is imperative that system data that is generated as well as device configuration data is protected.",
1394
+ "severity": "medium"
1395
+ },
1396
+ {
1397
+ "id": "V-27403",
1398
+ "title": "The network element must implement host-based boundary protection mechanisms.",
1399
+ "description": "Network elements, dependent on the underlying operating system, are at greater risk due to software vulnerabilities and access capabilities. It is critical these devices have host-based intrusion detection system (IDS) and firewalls installed and implemented to provide additional security for the network component.",
1400
+ "severity": "medium"
1401
+ },
1402
+ {
1403
+ "id": "V-27405",
1404
+ "title": "The network element must isolate organization-defined key information security tools, mechanisms, and support components from other internal information system components via physically separate subnets.",
1405
+ "description": "Implementing defense-in-depth by deploying various network security elements at strategic locations and segregating the enclave into separate subnets with unique security policies to provide specific services (public content, remote access, perimeter protection, etc.) is the framework required for securing the enclave.",
1406
+ "severity": "medium"
1407
+ },
1408
+ {
1409
+ "id": "V-27406",
1410
+ "title": "The network element must be configured to perform real-time scans of files from external sources as they are downloaded and prior to being opened or executed.",
1411
+ "description": "Malicious code includes viruses, worms, Trojan horses, and spyware. The code provides the ability for a malicious user to read from and write to files and folders on a computer's hard drive. They also have the ability to run and attach programs, which provides a high risk potential for the distribution of malicious mobile code. Many of these are not detected by anti-virus software or even host intrusion detection systems. Once they have residency within the network, unauthorized users are able to breach firewalls and access sensitive data by assuming the identity of authorized users. Real-time scans must be performed on files from external sources as they are downloaded and prior to being opened or executed.",
1412
+ "severity": "medium"
1413
+ },
1414
+ {
1415
+ "id": "V-27407",
1416
+ "title": "The network element must receive all management traffic through a dedicated management interface for purposes of access control and auditing.",
1417
+ "description": "From an architectural perspective, implementing out of band (OOB) management for network elements is a best practice and the first step in the deployment of a management network. OOBM networks isolate network users from communication channels dedicated to network management; thereby providing traffic separation that will increase security for all network management activities. The management network should have a direct connection to the managed network elements. Where this is not possible, the OOB management traffic can traverse over a transient IP backbone via private encrypted tunnel. Regardless of transport, all management traffic received by the managed network element must be received by a dedicated management interface connected to the OOBM network.",
1418
+ "severity": "medium"
1419
+ },
1420
+ {
1421
+ "id": "V-27408",
1422
+ "title": "The network element must be configured to perform organization-defined actions in response to malicious code detection.",
1423
+ "description": "Malicious code includes viruses, worms, Trojan horses, and spyware. The code provides the ability for a malicious user to read from and write to files and folders on a computer's hard drive. They also have the ability to run and attach programs, which provides a high risk potential for the distribution of malicious mobile code. Once they have residency within the network, unauthorized users are able to breach firewalls and access sensitive data by assuming the identity of authorized users. Upon detection of traffic transporting this code, the network element must perform organization-defined actions.",
1424
+ "severity": "medium"
1425
+ },
1426
+ {
1427
+ "id": "V-27409",
1428
+ "title": "The network element must protect the integrity of information during the processes of data aggregation, packaging, and transformation in preparation for transmission.",
1429
+ "description": "Information can be subjected to unauthorized changes (e.g., malicious or unintentional modification) at information aggregation or protocol transformation points.",
1430
+ "severity": "medium"
1431
+ },
1432
+ {
1433
+ "id": "V-27410",
1434
+ "title": "The network element must prevent discovery of specific system components or devices composing a managed interface.",
1435
+ "description": "Allowing neighbor discovery messages to reach external network nodes is dangerous as it provides an attacker a method to obtain information of the network infrastructure that can be useful to plan an attack. In addition, responding to the sending node that a packet cannot be forwarded as the destination host is unreachable provides network mapping information. Furthermore, if a router receives a large number of packets that cannot be forwarded, the router processor could be overloaded if it must generate a high volume of unreachable messages.\nTo mitigate the risk of reconnaissance or a Denial of Service (DoS) attack, all external-facing interfaces must be configured to silently drop unreachable traffic, not announce network address information, and to ignore neighbor solicitation messages.",
1436
+ "severity": "medium"
1437
+ },
1438
+ {
1439
+ "id": "V-27412",
1440
+ "title": "The network element must address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.",
1441
+ "description": "Malicious code includes viruses, worms, Trojan horses, and spyware. The code provides the ability for a malicious user to read from and write to files and folders on a computer's hard drive. They also have the ability to run and attach programs, which provides a high risk potential for the distribution of malicious mobile code. Once they have residency within the network, unauthorized users are able to breach firewalls and access sensitive data by assuming the identity of authorized users. Upon detection of traffic transporting this code, the network element must perform organization-defined actions and address false positives.",
1442
+ "severity": "medium"
1443
+ },
1444
+ {
1445
+ "id": "V-27413",
1446
+ "title": "The network element must be configured to implement automated mechanisms on an organization-defined frequency to determine the state of information system components with regard to flaw remediation.",
1447
+ "description": "It is imperative that the activity promptly installs security-relevant software updates to mitigate the risk of new vulnerabilities. Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling, are also addressed expeditiously. By requiring that flaw remediation be incorporated into the configuration management process, it is the intent of this control that required/anticipated remediation actions are tracked and verified.",
1448
+ "severity": "medium"
1449
+ },
1450
+ {
1451
+ "id": "V-27414",
1452
+ "title": "The network element must employ automated mechanisms to enforce strict adherence to protocol format.",
1453
+ "description": "Crafted packets not conforming to Institute of Electrical and Electronics Engineers (IEEE) standards can be used by malicious people to exploit a host’s protocol stack to create a Denial of Service (DoS) or force a device reset, bypass security gateway filtering, or compromise a vulnerable device. It is imperative these packets are recognized and discarded at the network perimeter.",
1454
+ "severity": "medium"
1455
+ },
1456
+ {
1457
+ "id": "V-27415",
1458
+ "title": "The network element must automatically update malicious code protection mechanisms and signature definitions.",
1459
+ "description": "Malicious code includes viruses, worms, Trojan horses, and spyware. It can be transported by electronic mail, mail attachments, Web accesses, removable media, or other common means. Malicious mobile code is a vehicle to remotely install malware on a computer. This type of code can be transmitted through interactive Web applications such as ActiveX controls, Flash animation, or JavaScript. The code provides the ability for a malicious user to read from and write to files and folders on a computer's hard drive. They also have the ability to run and attach programs, which provides a high risk potential for the distribution of malicious mobile code. The black hats and malicious code writers continuously find new methods to attack hosts and the network infrastructure. It is imperative that new protection mechanisms developed to mitigate their risks must be installed as quickly as possible.",
1460
+ "severity": "medium"
1461
+ },
1462
+ {
1463
+ "id": "V-27416",
1464
+ "title": "The network element must prevent access into the organization’s internal networks except as explicitly permitted and controlled by employing boundary protection devices.",
1465
+ "description": "The enclave’s internal network contains the servers where mission critical data and applications reside. There should never be connection attempts made to these devices from any host outside of the enclave. The initial defense for the internal network is to block any traffic at the perimeter attempting to make a connection to a host residing on the internal network.",
1466
+ "severity": "medium"
1467
+ },
1468
+ {
1469
+ "id": "V-27418",
1470
+ "title": "The network element must prevent non-privileged users from circumventing malicious code protection capabilities.",
1471
+ "description": "Malicious code includes viruses, worms, Trojan horses, and spyware. It can be transported by electronic mail, mail attachments, Web accesses, removable media, or other common means. Malicious mobile code is a vehicle to remotely install malware on a computer. This type of code can be transmitted through interactive Web applications such as ActiveX controls, Flash animation, or JavaScript. The code provides the ability for a malicious user to read from and write to files and folders on a computer's hard drive. They also have the ability to run and attach programs, which provides a high risk potential for the distribution of malicious mobile code. The black hats and malicious code writers continuously find new methods to attack hosts and the network infrastructure. It is critical the protection mechanisms used to detect and contain this code are not tampered with by unauthorized users.",
1472
+ "severity": "medium"
1473
+ },
1474
+ {
1475
+ "id": "V-27419",
1476
+ "title": "The network element must deny network traffic by default and allow network traffic by exception at all interfaces at the network perimeter.",
1477
+ "description": "All inbound and outbound traffic must be denied by default. Firewalls and perimeter routers should only allow traffic through that is explicitly permitted. The initial defense for the internal network is to block any traffic at the perimeter that is attempting to make a connection to a host residing on the internal network. In addition, allowing unknown or undesirable outbound traffic by the firewall or router will establish state that will subsequently permit the return of this undesirable traffic inbound.",
1478
+ "severity": "medium"
1479
+ },
1480
+ {
1481
+ "id": "V-27420",
1482
+ "title": "The network element must be configured to implement automated patch management tools to facilitate flaw remediation to network components.",
1483
+ "description": "It is imperative that the activity promptly installs security-relevant software updates to mitigate the risk of new vulnerabilities. Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling, are also addressed expeditiously. By requiring that flaw remediation be incorporated into the configuration management process, it is the intent of this control that required/anticipated remediation actions are tracked and verified.",
1484
+ "severity": "medium"
1485
+ },
1486
+ {
1487
+ "id": "V-27421",
1488
+ "title": "The network element must route organization-defined internal communications traffic to organization-defined external networks through authenticated proxy servers within the managed interfaces of boundary protection devices.",
1489
+ "description": "A proxy server is designed to hide the identity of the client when making a connection to a server on the outside of its network such as web server, web mail, and chat rooms. This prevents any hackers on the outside of learning IP addresses within the private network. With a proxy acting as the mediator, the client does not interact directly with the servers it is connecting to—the proxy server is in the middle handling both sides of the session. Hence, all routing devices must forward traffic to the appropriate proxy to filter the traffic and initiate the sessions with the external server.",
1490
+ "severity": "medium"
1491
+ },
1492
+ {
1493
+ "id": "V-27422",
1494
+ "title": "The network element must only update malicious code protection mechanisms when directed by a privileged user.",
1495
+ "description": "Malicious code includes viruses, worms, Trojan horses, and spyware. It can be transported by electronic mail, mail attachments, Web accesses, removable media, or other common means. Malicious mobile code is a vehicle to remotely install malware on a computer. This type of code can be transmitted through interactive Web applications such as ActiveX controls, Flash animation, or JavaScript. The code provides the ability for a malicious user to read from and write to files and folders on a computer's hard drive. They also have the ability to run and attach programs, which provides a high risk potential for the distribution of malicious mobile code. The black hats and malicious code writers continuously find new methods to attack hosts and the network infrastructure. It is critical the protection mechanisms used to detect and contain this code are not tampered with by unauthorized users and are only updated when directed by a privileged user.",
1496
+ "severity": "medium"
1497
+ },
1498
+ {
1499
+ "id": "V-27424",
1500
+ "title": "The network element must employ malicious code protection mechanisms to detect and eradicate malicious code at the network perimeter.",
1501
+ "description": "Malicious code includes viruses, worms, Trojan horses, and spyware. The code provides the ability for a malicious user to read from and write to files and folders on a computer's hard drive. They also have the ability to run and attach programs, which provides a high risk potential for the distribution of malicious mobile code. Malicious code can be transported by electronic mail, mail attachments, Web accesses, and removable media. Traffic transporting this code must be blocked at the perimeter by firewalls and proxy servers that inspect the applicable traffic types.",
1502
+ "severity": "medium"
1503
+ },
1504
+ {
1505
+ "id": "V-27425",
1506
+ "title": "The network element must deny network traffic and audits internal addresses posing a threat to external information systems.",
1507
+ "description": "The firewall will build a state to allow return traffic for all initiated traffic that was allowed outbound. Monitoring and filtering the outbound traffic adds a layer of protection to the enclave, in addition to being a good Internet citizen by preventing your network from being used as an attack base.",
1508
+ "severity": "medium"
1509
+ },
1510
+ {
1511
+ "id": "V-27426",
1512
+ "title": "The network element must not allow users to introduce removable media into the information system.",
1513
+ "description": "Malicious code includes viruses, worms, Trojan horses, and spyware. The code provides the ability for a malicious user to read from and write to files and folders on a computer's hard drive. They also have the ability to run and attach programs, which provides a high risk potential for the distribution of malicious mobile code. Malicious code can be transported by electronic mail, mail attachments, Web accesses, and removable media.",
1514
+ "severity": "medium"
1515
+ },
1516
+ {
1517
+ "id": "V-27427",
1518
+ "title": "The network element must monitor and control traffic at both the external and internal boundary interfaces.",
1519
+ "description": "Audit logs are necessary to provide a trail of evidence in case the network is compromised. With this information, the network administrator can devise ways to block the attack and possibly identify and prosecute the attacker. Information supplied by log data is used for forensic analysis in support of incident as well as to aid with normal traffic analysis. It is imperative all inbound and outbound blocked traffic be logged.",
1520
+ "severity": "medium"
1521
+ },
1522
+ {
1523
+ "id": "V-27428",
1524
+ "title": "The network element must connect to external networks only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.",
1525
+ "description": "The firewall will build a state to allow return traffic for all initiated traffic that was allowed outbound. Monitoring and filtering the outbound traffic adds a layer of protection to the enclave, in addition to being a good Internet citizen by preventing your network from being used as an attack base. All network elements must be configured to ensure all traffic is forwarded through the perimeter security infrastructure when sending traffic to external destinations.",
1526
+ "severity": "medium"
1527
+ },
1528
+ {
1529
+ "id": "V-27430",
1530
+ "title": "The network element must perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources when requested by client systems.",
1531
+ "description": "A recursive resolving or caching domain name system (DNS) server is an example of an information system that provides name/address resolution service for local clients. \n\nAuthoritative DNS servers are examples of authoritative sources. Network elements that use technologies other than the DNS to map between host/service names and network addresses provide other means to enable clients to verify the authenticity and integrity of response data.",
1532
+ "severity": "medium"
1533
+ },
1534
+ {
1535
+ "id": "V-27431",
1536
+ "title": "The network element must issue public key certificates under an appropriate certificate policy or obtain public key certificates under an appropriate certificate policy from an approved service provider.",
1537
+ "description": "For user certificates, each organization attains certificates from an approved, shared service provider, as required by OMB policy. For federal agencies operating a legacy public key infrastructure cross-certified with the Federal Bridge Certification Authority at medium assurance or higher, this Certification Authority will suffice. This requirement focuses on certificates with a visibility external to the information system and does not include certificates related to internal system operations, for example, application-specific time services.",
1538
+ "severity": "medium"
1539
+ },
1540
+ {
1541
+ "id": "V-27432",
1542
+ "title": "The network element must protect the integrity of transmitted information.",
1543
+ "description": "If the organization is relying on a commercial service provider for transmission services as a commodity item rather than a fully dedicated service, it may be more difficult to obtain the necessary assurances regarding the implementation of needed security controls for transmission integrity. When it is infeasible or impractical to obtain the necessary security controls and assurances of control effectiveness through appropriate contracting vehicles, the organization either implements appropriate compensating security controls or explicitly accepts the additional risk.",
1544
+ "severity": "medium"
1545
+ },
1546
+ {
1547
+ "id": "V-27433",
1548
+ "title": "The network element must employ cryptographic mechanisms to recognize changes to information during transmission unless otherwise protected by alternative physical measures.",
1549
+ "description": "If the organization is relying on a commercial service provider for transmission services as a commodity item rather than a fully dedicated service for both internal and external connectivity, it may be more difficult to obtain the necessary assurances regarding the implementation of needed security controls for transmission integrity. When it is infeasible or impractical to obtain the necessary security controls and assurances of control effectiveness through appropriate contracting vehicles, the organization either implements appropriate compensating security controls or explicitly accepts the additional risk.",
1550
+ "severity": "medium"
1551
+ },
1552
+ {
1553
+ "id": "V-27435",
1554
+ "title": "The network element must implement detection and inspection mechanisms to identify unauthorized mobile code.",
1555
+ "description": "The mobile code paradigm encompasses programs that can be executed on one or several hosts other than the one they originate from. Mobility of such programs implies some built-in capability for each piece of code to travel smoothly from one host to another. Mobile code systems range from simple applets to intelligent software agents. These systems offer several advantages over the more traditional distributed computing approach. However, mobile code introduces risk to the IT infrastructure. \n\nMalicious mobile code is a vehicle to remotely install malware on a computer. This type of code can be transmitted through interactive Web applications such as ActiveX controls, Flash animation, or JavaScript. The code provides the ability for a malicious user to read from and write to files and folders on a computer's hard drive. They also have the ability to run and attach programs, which provides a high risk potential for the distribution of malicious mobile code. This code must be detected before it infiltrates the enclave.",
1556
+ "severity": "medium"
1557
+ },
1558
+ {
1559
+ "id": "V-27436",
1560
+ "title": "The network element must maintain the integrity of information during aggregation and encapsulation in preparation for transmission.",
1561
+ "description": "If the organization is relying on a commercial service provider for transmission services as a commodity item rather than a fully dedicated service for both internal and external connectivity, it may be more difficult to obtain the necessary assurances regarding the implementation of needed security controls for transmission integrity. When it is infeasible or impractical to obtain the necessary security controls and assurances of control effectiveness through appropriate contracting vehicles, the organization either implements appropriate compensating security controls or explicitly accepts the additional risk.",
1562
+ "severity": "medium"
1563
+ },
1564
+ {
1565
+ "id": "V-27437",
1566
+ "title": "The network element must protect the confidentiality of transmitted information.",
1567
+ "description": "If the organization is relying on a commercial service provider for transmission services as a commodity item rather than a fully dedicated service for both internal and external connectivity, it may be more difficult to obtain the necessary assurances regarding the implementation of needed security controls for transmission confidentiality. When it is infeasible or impractical to obtain the necessary security controls and assurances of control effectiveness through appropriate contracting vehicles, the organization either implements appropriate compensating security controls or explicitly accepts the additional risk.",
1568
+ "severity": "medium"
1569
+ },
1570
+ {
1571
+ "id": "V-27438",
1572
+ "title": "The network element must employ cryptographic mechanisms to prevent unauthorized disclosure of information during transmission unless otherwise protected by alternative physical measures.",
1573
+ "description": "If the organization is relying on a commercial service provider for transmission services as a commodity item rather than a fully dedicated service for both internal and external connectivity, it may be more difficult to obtain the necessary assurances regarding the implementation of needed security controls for transmission confidentiality. When it is infeasible or impractical to obtain the necessary security controls and assurances of control effectiveness through appropriate contracting vehicles, the organization either implements appropriate compensating security controls or explicitly accepts the additional risk.",
1574
+ "severity": "medium"
1575
+ },
1576
+ {
1577
+ "id": "V-27440",
1578
+ "title": "The network element must maintain the confidentiality of information during aggregation and encapsulation in preparation for transmission.",
1579
+ "description": "If the organization is relying on a commercial service provider for transmission services as a commodity item rather than a fully dedicated service for both internal and external connectivity, it may be more difficult to obtain the necessary assurances regarding the implementation of needed security controls for transmission confidentiality. When it is infeasible or impractical to obtain the necessary security controls and assurances of control effectiveness through appropriate contracting vehicles, the organization either implements appropriate compensating security controls or explicitly accepts the additional risk.",
1580
+ "severity": "medium"
1581
+ },
1582
+ {
1583
+ "id": "V-27441",
1584
+ "title": "The network element must perform data origin authentication and data integrity verification on all resolution responses received whether or not local client systems explicitly request this service.",
1585
+ "description": "A recursive resolving or caching domain name system (DNS) server is an example of an information system that provides name/address resolution service for local clients. \n\nAuthoritative DNS servers are examples of authoritative sources that own DNS data. Network elements that use technologies other than the DNS to map between host/service names and network addresses provide other means to enable clients to verify the authenticity and integrity of response data.",
1586
+ "severity": "medium"
1587
+ },
1588
+ {
1589
+ "id": "V-27443",
1590
+ "title": "The network element must terminate the connection associated with a communications session at the end of the session or after an organization-defined time period of inactivity.",
1591
+ "description": "Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled between the managed network element and a PC or terminal server when the later has been left unattended. In addition quickly terminating an idle session will also free up resources committed by the managed network element as well as reduce the risk of a management session from being hijacked.",
1592
+ "severity": "medium"
1593
+ },
1594
+ {
1595
+ "id": "V-27445",
1596
+ "title": "The network element must establish a trusted communications path between the user and organization-defined security functions within the information system.",
1597
+ "description": "To safeguard critical information that could be used by a malicious user to compromise the device or the entire network infrastructure, a trusted path is required for high-confidence connections between the security functions (i.e., login) of the network element and the user.",
1598
+ "severity": "medium"
1599
+ },
1600
+ {
1601
+ "id": "V-27446",
1602
+ "title": "The network element must produce, control, and distribute symmetric cryptographic keys using NIST-approved or NSA-approved key management technology and processes.",
1603
+ "description": "The escalating use of cryptography has brought forth a huge challenge for organizations to protect and manage the hundreds and even thousands of cryptographic keys employed during daily cryptographic transactions. The most secure algorithm is rendered useless if the keys cannot be kept secured. Left unprotected keys are vulnerable to duplication or modification. Duplication enables an attacker to copy a key to be used for access to the service and steal information. An attacker will modify or corrupt a key to cause a Denial of Service. \nThe secure administration and distribution of cryptographic keys is a necessary and critical aspect of risk mitigation. Key management is the process of generating and securely distributing keys used in the encryption process. It is the practice of implementing a security key management policy to protect cryptographic operations from compromise and abuse. The policy must include key generation, distribution, storage, usage, lifetime duration, and destruction.\nCryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. In addition to being required for the effective operation of a cryptographic mechanism, effective cryptographic key management provides protection to maintain the availability of the information in the event of the loss of cryptographic keys by users.\n",
1604
+ "severity": "medium"
1605
+ },
1606
+ {
1607
+ "id": "V-27448",
1608
+ "title": "The network element that collectively provides name/address resolution service for an organization must be fault-tolerant.",
1609
+ "description": "A domain name system (DNS) server is an example of an information system that provides name/address resolution service. To eliminate single points of failure and to enhance redundancy, there are typically at least two authoritative domain name system (DNS) servers, one configured as primary and the other as secondary. Additionally, the two servers are commonly located in two different network subnets and geographically separated (i.e., not located in the same physical facility). \n\nWith regard to role separation, DNS servers with an internal role, only process name/address resolution requests from within the organization (i.e., internal clients). DNS servers with an external role only process name/address resolution information requests from clients external to the organization (i.e., on the external networks including the Internet). The set of clients that can access an authoritative DNS server in a particular role is specified by the organization (e.g., by address ranges, explicit lists). \n\n",
1610
+ "severity": "medium"
1611
+ },
1612
+ {
1613
+ "id": "V-27449",
1614
+ "title": "The network element must take corrective action when unauthorized mobile code is identified.",
1615
+ "description": "The mobile code paradigm encompasses programs that can be executed on one or several hosts other than the one they originate from. Mobility of such programs implies some built-in capability for each piece of code to travel smoothly from one host to another. Mobile code systems range from simple applets to intelligent software agents. These systems offer several advantages over the more traditional distributed computing approach. However, mobile code introduces risk to the IT infrastructure. \n\nMalicious mobile code is a vehicle to remotely install malware on a computer. This type of code can be transmitted through interactive Web applications such as ActiveX controls, Flash animation, or JavaScript. The code provides the ability for a malicious user to read from and write to files and folders on a computer's hard drive. They also have the ability to run and attach programs, which provides a high risk potential for the distribution of malicious mobile code. This code must be detected before it infiltrates the enclave. When detected, the network element must log and drop the traffic containing the mobile code.",
1616
+ "severity": "medium"
1617
+ },
1618
+ {
1619
+ "id": "V-27450",
1620
+ "title": "The network element must provide mechanisms to protect the authenticity of communications sessions.",
1621
+ "description": "Peering neighbors must have a level of trust with each other since information being shared is used to provide network services, connectivity, and optimized routing. Corrupted or erroneous information shared between network elements can disrupt network operations by creating non-optimized forwarding of traffic and network outages. Identifying source and destination addresses for information flows within the network allows forensic reconstruction of events when required, and increases policy compliance by attributing policy violations to specific individuals. Means to enforce this enhancement include ensuring the network element authenticates the source involved in sending the information.",
1622
+ "severity": "medium"
1623
+ },
1624
+ {
1625
+ "id": "V-27451",
1626
+ "title": "The network elements that collectively provide name/address resolution service for an organization must implement internal/external role separation.",
1627
+ "description": "A domain name system (DNS) server is an example of an information system that provides name/address resolution service. To eliminate single points of failure and to enhance redundancy, there are typically at least two authoritative domain name system (DNS) servers, one configured as primary and the other as secondary. \n\nAdditionally, the two servers are commonly located in two different network subnets and geographically separated (i.e., not located in the same physical facility). With regard to role separation, DNS servers with an internal role, only process name/address resolution requests from within the organization (i.e., internal clients). \n\nDNS servers with an external role only process name/address resolution information requests from clients external to the organization (i.e., on the external networks including the Internet). The set of clients that can access an authoritative DNS server in a particular role is specified by the organization (e.g., by address ranges, explicit lists).",
1628
+ "severity": "medium"
1629
+ },
1630
+ {
1631
+ "id": "V-27452",
1632
+ "title": "The information system must provide a readily observable logout capability whenever authentication is used to gain access to web pages.",
1633
+ "description": "Network elements may provide https for administrative access, but not to provide Web pages.",
1634
+ "severity": "medium"
1635
+ },
1636
+ {
1637
+ "id": "V-27454",
1638
+ "title": "The network element must invalidate session identifiers upon user logout or other session termination.",
1639
+ "description": "Peering neighbors must have a level of trust with each other since information being shared is used to provide network services, connectivity, and optimized routing. Corrupted or erroneous information shared between network elements can disrupt network operations by creating non-optimized forwarding of traffic and network outages. Identifying source and destination addresses for information flows within the network allows forensic reconstruction of events when required, and increases policy compliance by attributing policy violations to specific individuals. Means to enforce this enhancement include ensuring the network element authenticates the source involved in sending the information. Unique session identifier must also be used to reduce the risk of session hi-jacking.",
1640
+ "severity": "medium"
1641
+ },
1642
+ {
1643
+ "id": "V-27459",
1644
+ "title": "The organization must employ organization-defined information system components with no writeable storage persistent across component restart or power on/off.",
1645
+ "description": "With the exception of auxiliary components hosted on servers, network elements will not have any CD drives.",
1646
+ "severity": "medium"
1647
+ },
1648
+ {
1649
+ "id": "V-27461",
1650
+ "title": "The information system at organization-defined information system components must load and execute the operating environment from hardware-enforced, read-only media.",
1651
+ "description": "With the exception of auxiliary components hosted on servers, network elements will not have any CD drives.",
1652
+ "severity": "medium"
1653
+ },
1654
+ {
1655
+ "id": "V-27462",
1656
+ "title": "The network element must produce, control, and distribute symmetric and asymmetric cryptographic keys using NSA-approved key management technology and processes.",
1657
+ "description": "The escalating use of cryptography has brought forth a huge challenge for organizations to protect and manage the hundreds and even thousands of cryptographic keys employed during daily cryptographic transactions. The most secure algorithm is rendered useless if the keys cannot be kept secured. Left unprotected keys are vulnerable to duplication or modification. Duplication enables an attacker to copy a key to be used for access to the service and steal information. An attacker will modify or corrupt a key to cause a Denial-of-Service. \nThe secure administration and distribution of cryptographic keys is a necessary and critical aspect of risk mitigation. Key management is the process of generating and securely distributing keys used in the encryption process. It is the practice of implementing a security key management policy to protect cryptographic operations from compromise and abuse. The policy must include key generation, distribution, storage, usage, lifetime duration, and destruction.\nCryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. In addition to being required for the effective operation of a cryptographic mechanism, effective cryptographic key management provides protection to maintain the availability of the information in the event of the loss of cryptographic keys by users.",
1658
+ "severity": "medium"
1659
+ },
1660
+ {
1661
+ "id": "V-27463",
1662
+ "title": "The network element must produce, control, and distribute asymmetric cryptographic keys using approved PKI Class 3 certificates or prepositioned keying material.",
1663
+ "description": "The escalating use of cryptography has brought forth a huge challenge for organizations to protect and manage the hundreds and even thousands of cryptographic keys employed during daily cryptographic transactions. The most secure algorithm is rendered useless if the keys cannot be kept secured. Left unprotected keys are vulnerable to duplication or modification. Duplication enables an attacker to copy a key to be used for access to the service and steal information. An attacker will modify or corrupt a key to cause a Denial-of-Service. \nThe secure administration and distribution of cryptographic keys is a necessary and critical aspect of risk mitigation. Key management is the process of generating and securely distributing keys used in the encryption process. It is the practice of implementing a security key management policy to protect cryptographic operations from compromise and abuse. The policy must include key generation, distribution, storage, usage, lifetime duration, and destruction.\nCryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. In addition to being required for the effective operation of a cryptographic mechanism, effective cryptographic key management provides protections to maintain the availability of the information in the event of the loss of cryptographic keys by users.",
1664
+ "severity": "medium"
1665
+ },
1666
+ {
1667
+ "id": "V-27464",
1668
+ "title": "The network element must produce, control, and distribute asymmetric cryptographic keys using approved PKI Class 3 or Class 4 certificates and hardware security tokens that protect the user’s private key.",
1669
+ "description": "The escalating use of cryptography has brought forth a huge challenge for organizations to protect and manage the hundreds and even thousands of cryptographic keys employed during daily cryptographic transactions. The most secure algorithm is rendered useless if the keys cannot be kept secured. Left unprotected keys are vulnerable to duplication or modification. Duplication enables an attacker to copy a key to be used for access to the service and steal information. An attacker will modify or corrupt a key to cause a Denial-of-Service. \nThe secure administration and distribution of cryptographic keys is a necessary and critical aspect of risk mitigation. Key management is the process of generating and securely distributing keys used in the encryption process. It is the practice of implementing a security key management policy to protect cryptographic operations from compromise and abuse. The policy must include key generation, distribution, storage, usage, lifetime duration, and destruction.\nCryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. In addition to being required for the effective operation of a cryptographic mechanism, effective cryptographic key management provides protections to maintain the availability of the information in the event of the loss of cryptographic keys by users.",
1670
+ "severity": "medium"
1671
+ },
1672
+ {
1673
+ "id": "V-27465",
1674
+ "title": "The network element must employ cryptographic protections using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.",
1675
+ "description": "Whether a network is being managed locally or from a Network Operations Center (NOC), achieving network management objectives depends on comprehensive and reliable network management solutions. To protect the integrity and confidentiality of non-local maintenance and diagnostics, all packets associated with these sessions must be encrypted. During the authentication process, malicious users can gain knowledge of passwords during authentication process by sniffing local traffic between the network element and the authentication server. It is imperative the authentication process and the transmission of network management traffic implements cryptographic modules adhering to the higher standards approved by the federal government.",
1676
+ "severity": "medium"
1677
+ },
1678
+ {
1679
+ "id": "V-27466",
1680
+ "title": "The information system at organization-defined information system components must load and execute organization-defined applications from hardware-enforced, read-only media.",
1681
+ "description": "With the exception of auxiliary components hosted on servers, network elements will not have any CD drives.",
1682
+ "severity": "medium"
1683
+ },
1684
+ {
1685
+ "id": "V-27467",
1686
+ "title": "The network element must employ FIPS-validated cryptography to protect unclassified information.",
1687
+ "description": "Cryptography is only as strong as the encryption modules/algorithms that are employed to encrypt the data. Use of weak or un-tested encryption algorithms undermines the purposes of utilizing encryption to protect data. Hence it is imperative that transmission of traffic that requires privacy utilize FIPS-validated cryptography.",
1688
+ "severity": "medium"
1689
+ },
1690
+ {
1691
+ "id": "V-27468",
1692
+ "title": "The network element must employ NSA-approved cryptography to protect classified information.",
1693
+ "description": "Whether a network is being managed locally or from a Network Operations Center (NOC), achieving network management objectives depends on comprehensive and reliable network management solutions. To protect the integrity and confidentiality of non-local maintenance and diagnostics, all packets associated with these sessions must be encrypted. During the authentication process, malicious users can gain knowledge of passwords during authentication process by sniffing local traffic between the network element and the authentication server. It is imperative the authentication process and the transmission of network management traffic implements NSA-approved cryptography.",
1694
+ "severity": "medium"
1695
+ },
1696
+ {
1697
+ "id": "V-27470",
1698
+ "title": "The network element must employ FIPS-validated cryptography to protect information when such information must be separated from individuals who have the necessary clearances yet lack the necessary access approvals.",
1699
+ "description": "Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data. Use of weak or un-tested encryption algorithms undermines the purposes of utilizing encryption to protect data. FIPS-validated cryptography must be used to protect information when such information must be separated from individuals who have the necessary clearances yet lack the necessary access approvals.",
1700
+ "severity": "medium"
1701
+ },
1702
+ {
1703
+ "id": "V-27472",
1704
+ "title": "The network element must protect the integrity and availability of publicly available information and applications.",
1705
+ "description": "Public-facing servers enable access to information to clients outside of the enclave. These servers are subject to greater exposure to attacks. It is imperative that the integrity of the data is maintained to ensure the enclave does not provide false or erroneous information. The network security element must provide the necessary protection to ensure availability and integrity of the data and to reduce or eliminate Denial-of-Service (DoS) attacks directed against the servers.",
1706
+ "severity": "medium"
1707
+ },
1708
+ {
1709
+ "id": "V-27473",
1710
+ "title": "The network element must associate security attributes with information exchanged between network elements.",
1711
+ "description": "Security attributes are associated with internal structures within the network element used to enable the implementation of access control and flow control policies or support other aspects of the information security policy. It is crucial these attributes are associated and validated to ensure access control and flow control policies are properly implemented.",
1712
+ "severity": "medium"
1713
+ },
1714
+ {
1715
+ "id": "V-27475",
1716
+ "title": "The network element must validate the integrity of security attributes exchanged between network elements.",
1717
+ "description": "Security attributes are associated with internal structures within the network element used to enable the implementation of access control and flow control policies or support other aspects of the information security policy. It is crucial these attributes are associated and validated to ensure access control and flow control policies are properly implemented.",
1718
+ "severity": "medium"
1719
+ },
1720
+ {
1721
+ "id": "V-27476",
1722
+ "title": "The network element must interconnect and configure individual intrusion detection tools into a system-wide intrusion detection system using common protocols.",
1723
+ "description": "Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) devices should be deployed at strategic locations within the network. At a minimum, they should be deployed within the DMZ and behind the firewall. It is important to not only monitor traffic entering the enclave but also leaving. Placing an IDS behind the firewall will provide a clear analysis of what type of traffic and potential attacks are passing through the firewall. Monitoring outbound traffic enables the network operator to detect an attack towards another network with the local enclave as the base.",
1724
+ "severity": "medium"
1725
+ },
1726
+ {
1727
+ "id": "V-27477",
1728
+ "title": "The organization must install software updates automatically.",
1729
+ "description": "Network element updates must be planned for during a scheduled network outage.",
1730
+ "severity": "medium"
1731
+ },
1732
+ {
1733
+ "id": "V-27478",
1734
+ "title": "The network element must monitor inbound and outbound communications for unusual or unauthorized activities or conditions.",
1735
+ "description": "Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) devices should be deployed at strategic locations within the network. At a minimum, they should be deployed within the DMZ and behind the firewall. It is important to not only monitor traffic entering the enclave but also leaving. Placing an IDS behind the firewall will provide a clear analysis of what type of traffic and potential attacks are passing through the firewall. Monitoring outbound traffic enables the network operator to detect an attack towards another network with the local enclave as the base. Monitoring outbound traffic can also detect abnormal traffic or mischievous activities by internal personnel.",
1736
+ "severity": "medium"
1737
+ },
1738
+ {
1739
+ "id": "V-27479",
1740
+ "title": "The network element must provide near real-time alerts when any of the organization-defined list of compromise or potential compromise indicators occur.",
1741
+ "description": "Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) devices should be deployed at strategic locations within the network. At a minimum, they should be deployed within the DMZ and behind the firewall. It is important to not only monitor traffic entering the enclave but also leaving. Placing an IDS behind the firewall will provide a clear analysis of what type of traffic and potential attacks are passing through the firewall. Monitoring outbound traffic enables the network operator to detect an attack towards another network with the local enclave as the base. When a compromise, potential compromise, or breach has been discovered by the intrusion detection system, it is critical the appropriate personnel are notified via an alert mechanism.",
1742
+ "severity": "medium"
1743
+ },
1744
+ {
1745
+ "id": "V-27480",
1746
+ "title": "The network element must prevent non-privileged users from circumventing intrusion detection and prevention capabilities.",
1747
+ "description": "Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) devices should be deployed at strategic locations within the network. At a minimum, they should be deployed within the DMZ and behind the firewall. It is important to not only monitor traffic entering the enclave but also leaving. Placing an IDS behind the firewall will provide a clear analysis of what type of traffic and potential attacks are passing through the firewall. Monitoring outbound traffic enables the network operator to detect an attack towards another network with the local enclave as the base. When a compromise or potential compromise or breach has been discovered by the intrusion detection system, it is critical the appropriate personnel are notified via an alert mechanism. The intrusion detection device must be configured to ensure non-privilege users are not able to circumvent the detection or alerting mechanisms.",
1748
+ "severity": "medium"
1749
+ },
1750
+ {
1751
+ "id": "V-27481",
1752
+ "title": "The network element must notify an organization-defined list of incident response personnel of suspicious events.",
1753
+ "description": "Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) devices should be deployed at strategic locations within the network. At a minimum, they should be deployed within the DMZ and behind the firewall. It is important to not only monitor traffic entering the enclave but also leaving. Placing an IDS behind the firewall will provide a clear analysis of what type of traffic and potential attacks are passing through the firewall. Monitoring outbound traffic enables the network operator to detect an attack towards another network with the local enclave as the base. When a compromise, potential compromise, or breach has been discovered by the intrusion detection system, it is critical the appropriate personnel are notified via an alert mechanism.",
1754
+ "severity": "medium"
1755
+ },
1756
+ {
1757
+ "id": "V-27482",
1758
+ "title": "The network element must take an organization-defined list of least-disruptive actions to terminate suspicious events.",
1759
+ "description": "Intrusion Detection System (IDS) and Intrusion Prevention System (IPS)) devices should be deployed at strategic locations within the network. At a minimum, they should be deployed within the DMZ and behind the firewall. It is important to not only monitor traffic entering the enclave but also leaving. Placing an IDS behind the firewall will provide a clear analysis of what type of traffic and potential attacks are passing through the firewall. Monitoring outbound traffic enables the network operator to detect an attack towards another network with the local enclave as the base. When a compromise, potential compromise, or breach has been discovered by the intrusion detection system, the network element must take action to thwart the attack using methods creating the least disruption to network availability.",
1760
+ "severity": "medium"
1761
+ },
1762
+ {
1763
+ "id": "V-27483",
1764
+ "title": "The network element must protect information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion.",
1765
+ "description": "Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) devices should be deployed at strategic locations within the network. At a minimum, they should be deployed within the DMZ and behind the firewall. It is important to not only monitor traffic entering the enclave but also leaving. Placing an IDS behind the firewall will provide a clear analysis of what type of traffic and potential attacks are passing through the firewall. Monitoring outbound traffic enables the network operator to detect an attack towards another network with the local enclave as the base. The intrusion detection device must be configured to ensure non-privilege users are not able to circumvent the detection or alerting mechanisms. In addition, all information collected by the intrusion detection systems must be protected from unauthorized access, modification, and deletion.",
1766
+ "severity": "medium"
1767
+ },
1768
+ {
1769
+ "id": "V-27484",
1770
+ "title": "The network element must generate a unique session identifier for each session.",
1771
+ "description": "Peering neighbors must have a level of trust with each other since information being shared is used to provide network services, connectivity, and optimized routing. Corrupted or erroneous information shared between network elements can disrupt network operations by creating non-optimized forwarding of traffic and network outages. Identifying source and destination addresses for information flows within the network allows forensic reconstruction of events when required, and increases policy compliance by attributing policy violations to specific individuals. Means to enforce this enhancement include ensuring the network element authenticates the source involved in sending the information. Unique session identifier must also be used to reduce the risk of session hi-jacking.",
1772
+ "severity": "medium"
1773
+ },
1774
+ {
1775
+ "id": "V-27485",
1776
+ "title": "The network element must ensure all encrypted traffic is visible to network monitoring tools.",
1777
+ "description": "Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) devices should be deployed at strategic locations within the network. At a minimum, they should be deployed within the DMZ and behind the firewall. It is important to not only monitor traffic entering the enclave but also leaving. Placing an IDS behind the firewall will provide a clear analysis of what type of traffic and potential attacks are passing through the firewall. Monitoring outbound traffic enables the network operator to detect an attack towards another network with the local enclave as the base. Regardless of direction, all encrypted traffic must be decrypted prior to reaching the sensor or firewall so all traffic can be monitored.",
1778
+ "severity": "medium"
1779
+ },
1780
+ {
1781
+ "id": "V-27487",
1782
+ "title": "The network element must analyze outbound traffic at the external boundary of the network.",
1783
+ "description": "Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) devices should be deployed at strategic locations within the network. At a minimum, they should be deployed within the DMZ and behind the firewall. It is important to not only monitor traffic entering the enclave but also leaving. Placing an IDS behind the firewall will provide a clear analysis of what type of traffic and potential attacks are passing through the firewall. Monitoring outbound traffic enables the network operator to detect an attack towards another network with the local enclave as the base. Monitoring outbound traffic can also detect abnormal traffic or mischievous activities by internal personnel.",
1784
+ "severity": "medium"
1785
+ },
1786
+ {
1787
+ "id": "V-27488",
1788
+ "title": "The network element must analyze outbound communications traffic at selected interior points within the network as deemed necessary to discover anomalies.",
1789
+ "description": "Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) devices should be deployed at strategic locations within the network. At a minimum, they should be deployed within the DMZ and behind the firewall. It is important to not only monitor traffic entering the enclave but also leaving. Placing an IDS behind the firewall will provide a clear analysis of what type of traffic and potential attacks are passing through the firewall. Monitoring outbound traffic enables the network operator to detect an attack towards another network with the local enclave as the base. Monitoring outbound traffic can also detect abnormal traffic or mischievous activities by internal personnel.",
1790
+ "severity": "medium"
1791
+ },
1792
+ {
1793
+ "id": "V-27490",
1794
+ "title": "The organization must employ malicious code protection mechanisms at information system entry and exit points to detect and take action on unsolicited messages transported by electronic mail, electronic mail attachments, Web accesses, removable media, or other common means.",
1795
+ "description": "SI-8 is all for spam protection. Network elements do not receive mail.",
1796
+ "severity": "medium"
1797
+ },
1798
+ {
1799
+ "id": "V-27491",
1800
+ "title": "The network element must detect attack attempts to the wireless network.",
1801
+ "description": "Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) devices should be deployed at strategic locations within the network. At a minimum, they should be deployed within the DMZ and behind the firewall. It is important to not only monitor traffic entering the enclave but also leaving. Placing an IDS behind the firewall will provide a clear analysis of what type of traffic and potential attacks are passing through the firewall. Monitoring outbound traffic enables the network operator to detect an attack towards another network with the local enclave as the base. \n\nEnclaves are at risk and DoD data could be compromised if wireless scanning is not conducted to identify unauthorized WLAN clients and access points connected to or attempting to connect to the network. An IDS must be deployed capable of monitoring IEEE 802.11 transmissions within all DoD LAN environments and detect nearby unauthorized WLAN devices.\n",
1802
+ "severity": "medium"
1803
+ },
1804
+ {
1805
+ "id": "V-27492",
1806
+ "title": "The network element must detect rogue wireless devices, attack attempts, and potential compromises or breaches to the wireless network.",
1807
+ "description": "Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) devices should be deployed at strategic locations within the network. At a minimum, they should be deployed within the DMZ and behind the firewall. It is important to not only monitor traffic entering the enclave but also leaving. Placing an IDS behind the firewall will provide a clear analysis of what type of traffic and potential attacks are passing through the firewall. Monitoring outbound traffic enables the network operator to detect an attack towards another network with the local enclave as the base. \n\nEnclaves are at risk and DoD data could be compromised if wireless scanning is not conducted to identify unauthorized WLAN clients and access points connected to or attempting to connect to the network. An IDS must be deployed capable of monitoring IEEE 802.11 transmissions within all DoD LAN environments and detect nearby unauthorized WLAN devices.\n",
1808
+ "severity": "medium"
1809
+ },
1810
+ {
1811
+ "id": "V-27493",
1812
+ "title": "The organization must employ malicious code protection mechanisms at workstations, servers, or mobile computing devices on the network to detect and take action on unsolicited messages transported by electronic mail, electronic mail attachments, Web accesses, removable media, or other common means.",
1813
+ "description": "SI-8 is all for spam protection. Network elements do not receive mail.",
1814
+ "severity": "medium"
1815
+ },
1816
+ {
1817
+ "id": "V-27495",
1818
+ "title": "The network element must recognize only system-generated session identifiers.",
1819
+ "description": "Peering neighbors must have a level of trust with each other since information being shared is used to provide network services, connectivity, and optimized routing. Corrupted or erroneous information shared between network elements can disrupt network operations by creating non-optimized forwarding of traffic and network outages. Identifying source and destination addresses for information flows within the network allows forensic reconstruction of events when required, and increases policy compliance by attributing policy violations to specific individuals. Means to enforce this enhancement include ensuring the network element authenticates the source involved in sending the information. Unique session identifier must also be used to reduce the risk of session hi-jacking.",
1820
+ "severity": "medium"
1821
+ },
1822
+ {
1823
+ "id": "V-27496",
1824
+ "title": "The organization must update spam protection mechanisms (including signature definitions) when new releases are available in accordance with organizational configuration management policy and procedures.",
1825
+ "description": " SI-8 is all for spam protection. Network elements do not receive mail.",
1826
+ "severity": "medium"
1827
+ },
1828
+ {
1829
+ "id": "V-27497",
1830
+ "title": "The network element must generate unique session identifiers with organization-defined randomness requirements.",
1831
+ "description": "Peering neighbors must have a level of trust with each other since information being shared is used to provide network services, connectivity, and optimized routing. Corrupted or erroneous information shared between network elements can disrupt network operations by creating non-optimized forwarding of traffic and network outages. Identifying source and destination addresses for information flows within the network allows forensic reconstruction of events when required, and increases policy compliance by attributing policy violations to specific individuals. Means to enforce this enhancement include ensuring the network element authenticates the source involved in sending the information. Unique session identifier must also be used to reduce the risk of session hi-jacking. The greater the randomization of the session identifier, the more difficult to guess or anticipate.",
1832
+ "severity": "medium"
1833
+ },
1834
+ {
1835
+ "id": "V-27498",
1836
+ "title": "The information system must automatically update spam protection mechanisms (including signature definitions).",
1837
+ "description": "SI-8 is all for spam protection. Network elements do not receive mail.",
1838
+ "severity": "medium"
1839
+ },
1840
+ {
1841
+ "id": "V-27499",
1842
+ "title": "The information system must check the validity of information inputs.",
1843
+ "description": "There is no applicability for any network element. This would be directly for an application receiving input for a database. ",
1844
+ "severity": "medium"
1845
+ },
1846
+ {
1847
+ "id": "V-27501",
1848
+ "title": "The network element must verify the correct operation of security functions in accordance with organization-defined conditions and in accordance with organization-defined frequency (if periodic verification).",
1849
+ "description": "The need to verify security functionality is necessary to ensure that the network element’s defense is enabled. For those security functions that are not able to execute automated self-tests the organization either implements compensating security controls or explicitly accepts the risk of not performing the verification as required. If all security functions are not operating efficiently, the defense of the element and the network is left vulnerable and both could be breached.",
1850
+ "severity": "medium"
1851
+ },
1852
+ {
1853
+ "id": "V-27502",
1854
+ "title": "The information system must reveal error messages only to authorized personnel.",
1855
+ "description": "Any administrator with access to a network element at any privilege level, especially the operator at level 1, will need to see all error conditions.",
1856
+ "severity": "medium"
1857
+ },
1858
+ {
1859
+ "id": "V-27503",
1860
+ "title": "The network element must respond to security function anomalies in accordance with organization-defined responses and alternative actions.",
1861
+ "description": "The need to verify security functionality is necessary to ensure that the network element’s defense is enabled. For those security functions that are not able to execute automated self-tests the organization either implements compensating security controls or explicitly accepts the risk of not performing the verification as required. Upon detection of security function anomalies or failure of automated self-tests, the network element must respond in accordance with organization-defined responses and alternative actions.",
1862
+ "severity": "medium"
1863
+ },
1864
+ {
1865
+ "id": "V-27504",
1866
+ "title": "The network element must provide notification of failed automated security tests.",
1867
+ "description": "Upon detection of a failure of an automated security self-test, the network element must respond in accordance with organization-defined responses and alternative actions. Without taking any self-healing actions or notifying an administrator, the defense of the element and the network is left vulnerable and both could be breached.",
1868
+ "severity": "medium"
1869
+ },
1870
+ {
1871
+ "id": "V-27505",
1872
+ "title": "The network element must provide automated support for the management of distributed security testing.",
1873
+ "description": "The need to verify security functionality is necessary to ensure that the network element’s defense is enabled. To scale the deployment of the verification process, the network element must provide automated support for the management of distributed security testing.",
1874
+ "severity": "medium"
1875
+ },
1876
+ {
1877
+ "id": "V-27506",
1878
+ "title": "The network element must detect unauthorized changes to software and information.",
1879
+ "description": "Anomalous behavior and unauthorized changes must be detected before the network element is breeched or no longer in service. Identifying the source and method used to make the unauthorized change will help to determine what data is at risk and if other systems may be affected.",
1880
+ "severity": "medium"
1881
+ },
1882
+ {
1883
+ "id": "V-27507",
1884
+ "title": "The network element must be configured to identify and respond to potential security-relevant error conditions.",
1885
+ "description": "Error messages generated by various components and services of the network element can indicate a possible security violation or breach. It is imperative the network element is configured to be able to recognize those error messages that can be a symptom of a compromise and to provide notification. The extent to which the network element is able to identify and handle error conditions should be guided by organizational policy, operational requirements, as well as best practices.",
1886
+ "severity": "medium"
1887
+ },
1888
+ {
1889
+ "id": "V-27508",
1890
+ "title": "The network element must generate error messages providing information necessary for corrective actions without revealing organization-defined sensitive or potentially harmful information in error logs and administrative messages that could be exploited.",
1891
+ "description": "The extent to which the network element is able to identify and handle error conditions is guided by organizational policy and operational requirements. However, it is imperative that the network element does not reveal information in log data that could risk the compromise of the device or the network. Hence, the structure and content of error messages needs to be carefully considered by the organization.",
1892
+ "severity": "medium"
1893
+ },
1894
+ {
1895
+ "id": "V-27509",
1896
+ "title": "The network element must activate an organization-defined alarm when a system component failure is detected.",
1897
+ "description": "A network element with a failing security component can potentially put the entire network at risk. If key components to maintaining network security fail to function, it is possible the network element will continue operating in an insecure state. It is imperative this not occur and therefore must immediately send an alarm or shut down.",
1898
+ "severity": "medium"
1899
+ },
1900
+ {
1901
+ "id": "V-27514",
1902
+ "title": "The network element must enforce password complexity by the number of special characters used.",
1903
+ "description": "Authorization for access to any network element requires an approved and assigned individual account identifier. To ensure only the assigned individual is using the account, the account holder must create a strong password that is privately maintained and changed based on the organization-defined frequency. Password strength is a measure of the effectiveness of a password in resisting guessing, dictionary attacks, as well as, brute-force attacks. Combination of upper case, lower case, numbers, and special characters enhances the complexity of the password string.",
1904
+ "severity": "medium"
1905
+ },
1906
+ {
1907
+ "id": "V-30048",
1908
+ "title": "The network element must disable network access by unauthorized devices and logs the information as a security violation.",
1909
+ "description": "Local access to the private network can easily be accomplished by merely connecting a workstation or laptop to any available wall plate or a wireless connection to a nearby access point. Remote access to the network can be accomplished via connection to a VPN gateway. Eliminating unauthorized access to the network is vital to maintaining a secured network.",
1910
+ "severity": "medium"
1911
+ },
1912
+ {
1913
+ "id": "V-30371",
1914
+ "title": "The information system must initiate a session lock after the organization-defined time period of inactivity.",
1915
+ "description": "As you make configuration changes to a router, switch, or firewall, they are applied to the running configuration. There is nothing lost. If the user has not saved the running configuration to non-volatile random-access memory (NVRAM), it can be done by logging back in. Furthermore, a desktop or laptop is used to connect to the router, switch, or firewall. The routers, switches, and firewalls have the idle timeout capability where the session is taken down after a period of inactivity. This is a simple and straightforward solution.",
1916
+ "severity": "medium"
1917
+ },
1918
+ {
1919
+ "id": "V-30420",
1920
+ "title": "The network element must prevent the execution of prohibited mobile code.",
1921
+ "description": "Decisions regarding the employment of mobile code within network elements are based on the potential for the code to cause damage to the system if used maliciously. Mobile code technologies include, for example, Java, JavaScript, ActiveX, PDF, Postscript, Shockwave movies, Flash animations, and VBScript.",
1922
+ "severity": "medium"
1923
+ },
1924
+ {
1925
+ "id": "V-30429",
1926
+ "title": "The network element must employ FIPS-validated or NSA-approved cryptography to implement digital signatures.",
1927
+ "description": "Cryptography is only as strong as the encryption algorithms employed to encrypt the data. Use of weak or un-tested encryption algorithms undermines the purposes of utilizing encryption to protect data.",
1928
+ "severity": "medium"
1929
+ },
1930
+ {
1931
+ "id": "V-30474",
1932
+ "title": "The organization must ensure the use of mobile code to be deployed in information systems meets organization-defined mobile code requirements.",
1933
+ "description": "This is an operating system requirement and does not apply to network elements. Mobile code is not deployed in network elements.",
1934
+ "severity": "medium"
1935
+ },
1936
+ {
1937
+ "id": "V-30476",
1938
+ "title": "The organization must ensure the acquisition of mobile code to be deployed in information systems meets organization-defined mobile code requirements.",
1939
+ "description": "This is not applicable. Network elements do not acquire mobile code to be deployed in information systems.",
1940
+ "severity": "medium"
1941
+ },
1942
+ {
1943
+ "id": "V-30479",
1944
+ "title": "The network element must enforce a Discretionary Access Control (DAC) policy that Limits propagation of access rights.",
1945
+ "description": "Access control policies (e.g., identity-based policies, role-based policies, etc.) and access enforcement mechanisms (e.g., access control lists, policy maps, cryptography) are employed by organizations to control access between users (or processes acting on behalf of users) and objects (e.g., devices, data, destination addresses, etc.) within in the network.",
1946
+ "severity": "medium"
1947
+ },
1948
+ {
1949
+ "id": "V-30480",
1950
+ "title": "The network element must enforce a Discretionary Access Control (DAC) policy that includes or excludes access to the granularity of a single user.",
1951
+ "description": "Access control policies (e.g., identity-based policies, role-based policies, etc.) and access enforcement mechanisms (e.g., access control lists, policy maps, cryptography) are employed by organizations to control access between users (or processes acting on behalf of users) and objects (e.g., devices, data, destination addresses, etc.) within in the network.",
1952
+ "severity": "medium"
1953
+ },
1954
+ {
1955
+ "id": "V-30598",
1956
+ "title": "The network element must protect against unauthorized physical connections across the boundary protections implemented at organization-defined list of managed interfaces.",
1957
+ "description": "Local access to the network can easily be accomplished by merely connecting a workstation or laptop to any available wall plate or a wireless connection to a nearby access point. Eliminating unauthorized access to the network is vital to maintaining a secured network.",
1958
+ "severity": "medium"
1959
+ }
1960
+ ]
1961
+ }