kriterion 0.0.1

Files changed (564)
  1. checksums.yaml +7 -0
  2. data/.gitignore +2 -0
  3. data/.ruby-version +1 -0
  4. data/.travis.yml +5 -0
  5. data/Dockerfile +18 -0
  6. data/Gemfile +12 -0
  7. data/Gemfile.lock +62 -0
  8. data/LICENSE.txt +21 -0
  9. data/README.md +58 -0
  10. data/Rakefile +6 -0
  11. data/bin/setup +8 -0
  12. data/bin/update_stigs.rb +42 -0
  13. data/criterion.gemspec +31 -0
  14. data/docker-compose.yml +14 -0
  15. data/exe/kriterion +16 -0
  16. data/lib/kriterion.rb +16 -0
  17. data/lib/kriterion/api.rb +27 -0
  18. data/lib/kriterion/backend.rb +13 -0
  19. data/lib/kriterion/backend/mongodb.rb +235 -0
  20. data/lib/kriterion/cli.rb +28 -0
  21. data/lib/kriterion/cli/api.rb +35 -0
  22. data/lib/kriterion/cli/worker.rb +35 -0
  23. data/lib/kriterion/event.rb +36 -0
  24. data/lib/kriterion/item.rb +42 -0
  25. data/lib/kriterion/logs.rb +14 -0
  26. data/lib/kriterion/metrics.rb +22 -0
  27. data/lib/kriterion/object.rb +50 -0
  28. data/lib/kriterion/report.rb +69 -0
  29. data/lib/kriterion/resource.rb +60 -0
  30. data/lib/kriterion/section.rb +32 -0
  31. data/lib/kriterion/standard.rb +65 -0
  32. data/lib/kriterion/version.rb +3 -0
  33. data/lib/kriterion/worker.rb +280 -0
  34. data/standards/cis_red_hat_enterprise_linux_7.json +34 -0
  35. data/standards/stig_a10_networks_adc_alg.json +209 -0
  36. data/standards/stig_a10_networks_adc_ndm.json +233 -0
  37. data/standards/stig_active_directory_domain.json +257 -0
  38. data/standards/stig_active_directory_forest.json +41 -0
  39. data/standards/stig_active_directory_service_2003.json +173 -0
  40. data/standards/stig_active_directory_service_2008.json +167 -0
  41. data/standards/stig_adobe_acrobat_pro_xi.json +167 -0
  42. data/standards/stig_adobe_acrobat_reader_dc_classic_track.json +179 -0
  43. data/standards/stig_adobe_acrobat_reader_dc_continuous_track.json +179 -0
  44. data/standards/stig_adobe_coldfusion_11.json +611 -0
  45. data/standards/stig_airwatch_mdm.json +185 -0
  46. data/standards/stig_aix_5.3.json +3095 -0
  47. data/standards/stig_aix_6.1.json +3047 -0
  48. data/standards/stig_akamai_ksd_service_impact_level_2_alg.json +209 -0
  49. data/standards/stig_akamai_ksd_service_impact_level_2_ndm.json +155 -0
  50. data/standards/stig_android_2.2_dell.json +311 -0
  51. data/standards/stig_apache_2.2_serverwindows.json +347 -0
  52. data/standards/stig_apache_2.2_sitewindows_security_implementation_guide.json +179 -0
  53. data/standards/stig_apache_server_2.0unix.json +341 -0
  54. data/standards/stig_apache_server_2.0windows.json +341 -0
  55. data/standards/stig_apache_server_2.2unix.json +347 -0
  56. data/standards/stig_apache_server_2.2windows.json +347 -0
  57. data/standards/stig_apache_site_2.0unix.json +185 -0
  58. data/standards/stig_apache_site_2.0windows.json +179 -0
  59. data/standards/stig_apache_site_2.2unix.json +185 -0
  60. data/standards/stig_apache_site_2.2windows.json +179 -0
  61. data/standards/stig_apple_ios6.json +341 -0
  62. data/standards/stig_apple_ios_10.json +245 -0
  63. data/standards/stig_apple_ios_11.json +269 -0
  64. data/standards/stig_apple_ios_4_good_mobility_suite_interim_security_configuration_guide_iscg.json +257 -0
  65. data/standards/stig_apple_ios_5.json +329 -0
  66. data/standards/stig_apple_ios_6.json +335 -0
  67. data/standards/stig_apple_ios_6_interim_security_configuration_guide_iscg.json +371 -0
  68. data/standards/stig_apple_ios_7.json +185 -0
  69. data/standards/stig_apple_ios_8_interim_security_configuration_guide.json +251 -0
  70. data/standards/stig_apple_ios_9_interim_security_configuration_guide.json +245 -0
  71. data/standards/stig_apple_os_x_10.10_yosemite_workstation.json +851 -0
  72. data/standards/stig_apple_os_x_10.11.json +725 -0
  73. data/standards/stig_apple_os_x_10.12.json +737 -0
  74. data/standards/stig_apple_os_x_10.8_mountain_lion_workstation.json +1241 -0
  75. data/standards/stig_apple_os_x_10.9_mavericks_workstation.json +809 -0
  76. data/standards/stig_application_layer_gateway_alg_security_requirements_guide_srg.json +911 -0
  77. data/standards/stig_application_layer_gateway_security_requirements_guide.json +911 -0
  78. data/standards/stig_application_security_and_development.json +1745 -0
  79. data/standards/stig_application_security_and_development_checklist.json +959 -0
  80. data/standards/stig_application_security_requirements_guide.json +1961 -0
  81. data/standards/stig_application_server_security_requirements_guide.json +791 -0
  82. data/standards/stig_arcgisserver_10.3.json +143 -0
  83. data/standards/stig_arista_mls_dcs-7000_series_l2s.json +53 -0
  84. data/standards/stig_arista_mls_dcs-7000_series_ndm.json +197 -0
  85. data/standards/stig_arista_mls_dcs-7000_series_rtr.json +143 -0
  86. data/standards/stig_bind_9.x.json +431 -0
  87. data/standards/stig_bind_dns.json +317 -0
  88. data/standards/stig_blackberry_10.2.x_os.json +179 -0
  89. data/standards/stig_blackberry_10_os.json +227 -0
  90. data/standards/stig_blackberry_bes_12.3.x_mdm.json +65 -0
  91. data/standards/stig_blackberry_bes_12.5.x_mdm.json +65 -0
  92. data/standards/stig_blackberry_device_service_6.2.json +425 -0
  93. data/standards/stig_blackberry_enterprise_mobility_server_2.x.json +149 -0
  94. data/standards/stig_blackberry_enterprise_server,_part_1.json +35 -0
  95. data/standards/stig_blackberry_enterprise_server,_part_2.json +155 -0
  96. data/standards/stig_blackberry_enterprise_server,_part_3.json +647 -0
  97. data/standards/stig_blackberry_enterprise_server_version_5.x,_part_1.json +35 -0
  98. data/standards/stig_blackberry_enterprise_server_version_5.x,_part_2.json +155 -0
  99. data/standards/stig_blackberry_enterprise_server_version_5.x,_part_3.json +653 -0
  100. data/standards/stig_blackberry_enterprise_service_v10.1.x_blackberry_device_service.json +317 -0
  101. data/standards/stig_blackberry_enterprise_service_v10.2.x_blackberry_device_service.json +263 -0
  102. data/standards/stig_blackberry_handheld_device.json +125 -0
  103. data/standards/stig_blackberry_os_10.3.x.json +257 -0
  104. data/standards/stig_blackberry_os_7.x.json +107 -0
  105. data/standards/stig_blackberry_os_7.x.x.json +101 -0
  106. data/standards/stig_blackberry_os_version_5-7.json +107 -0
  107. data/standards/stig_blackberry_playbook.json +65 -0
  108. data/standards/stig_blackberry_playbook_os_nea_mode.json +65 -0
  109. data/standards/stig_blackberry_playbook_os_v2.1.json +197 -0
  110. data/standards/stig_blackberry_uem_12.7.json +59 -0
  111. data/standards/stig_bluetoothzigbee.json +35 -0
  112. data/standards/stig_ca_api_gateway_alg.json +497 -0
  113. data/standards/stig_cisco_css_dns.json +71 -0
  114. data/standards/stig_cisco_ios_xe_release_3_ndm.json +395 -0
  115. data/standards/stig_cisco_ios_xe_release_3_rtr.json +149 -0
  116. data/standards/stig_cmd_management_server_policy.json +53 -0
  117. data/standards/stig_commercial_mobile_device_cmd_policy.json +83 -0
  118. data/standards/stig_csfc_campus_wlan_policy_security_implementation_guide.json +95 -0
  119. data/standards/stig_database_security_requirements_guide.json +767 -0
  120. data/standards/stig_dbn-6300_idps.json +107 -0
  121. data/standards/stig_dbn-6300_ndm.json +359 -0
  122. data/standards/stig_defense_switched_network.json +683 -0
  123. data/standards/stig_defense_switched_network_dsn.json +653 -0
  124. data/standards/stig_desktop_applications_general.json +41 -0
  125. data/standards/stig_dns_policy.json +155 -0
  126. data/standards/stig_domain_name_system_dns_security_requirements_guide.json +599 -0
  127. data/standards/stig_draft_aix.json +3503 -0
  128. data/standards/stig_edb_postgres_advanced_server.json +665 -0
  129. data/standards/stig_email_services_policy.json +137 -0
  130. data/standards/stig_exchange_2010_client_access_server.json +179 -0
  131. data/standards/stig_exchange_2010_edge_transport_server.json +389 -0
  132. data/standards/stig_exchange_2010_hub_transport_server.json +269 -0
  133. data/standards/stig_exchange_2010_mailbox_server.json +209 -0
  134. data/standards/stig_f5_big-ip_access_policy_manager_11.x.json +149 -0
  135. data/standards/stig_f5_big-ip_advanced_firewall_manager_11.x.json +41 -0
  136. data/standards/stig_f5_big-ip_application_security_manager_11.x.json +89 -0
  137. data/standards/stig_f5_big-ip_device_management_11.x.json +467 -0
  138. data/standards/stig_f5_big-ip_local_traffic_manager_11.x.json +407 -0
  139. data/standards/stig_final_draft_general_wireless_policy.json +71 -0
  140. data/standards/stig_firewall.json +449 -0
  141. data/standards/stig_firewall_-_cisco.json +449 -0
  142. data/standards/stig_firewall_security_requirements_guide.json +257 -0
  143. data/standards/stig_forescout_counteract_alg.json +83 -0
  144. data/standards/stig_forescout_counteract_ndm.json +239 -0
  145. data/standards/stig_free_space_optics_device.json +143 -0
  146. data/standards/stig_general_mobile_device_policy_non-enterprise_activated.json +113 -0
  147. data/standards/stig_general_mobile_device_technical_non-enterprise_activated.json +59 -0
  148. data/standards/stig_general_purpose_operating_system_srg.json +1199 -0
  149. data/standards/stig_general_wireless_policy.json +71 -0
  150. data/standards/stig_good_mobility_suite_server_android_os.json +203 -0
  151. data/standards/stig_good_mobility_suite_server_apple_ios_4_interim_security_configuration_guide_iscg.json +209 -0
  152. data/standards/stig_good_mobility_suite_server_windows_phone_6.5.json +449 -0
  153. data/standards/stig_goodenterprise_8.x.json +401 -0
  154. data/standards/stig_google_chrome_browser.json +209 -0
  155. data/standards/stig_google_chrome_current_windows.json +215 -0
  156. data/standards/stig_google_chrome_draft.json +281 -0
  157. data/standards/stig_google_chrome_v23_windows.json +275 -0
  158. data/standards/stig_google_chrome_v24_windows.json +263 -0
  159. data/standards/stig_google_chrome_v24_windows_benchmark.json +227 -0
  160. data/standards/stig_google_search_appliance.json +209 -0
  161. data/standards/stig_harris_secnet_11_54.json +89 -0
  162. data/standards/stig_hp-ux_11.23.json +3215 -0
  163. data/standards/stig_hp-ux_11.31.json +3155 -0
  164. data/standards/stig_hp-ux_smse.json +431 -0
  165. data/standards/stig_hpe_3par_storeserv_3.2.x.json +131 -0
  166. data/standards/stig_ibm_datapower_alg.json +401 -0
  167. data/standards/stig_ibm_datapower_network_device_management.json +395 -0
  168. data/standards/stig_ibm_db2_v10.5_luw.json +575 -0
  169. data/standards/stig_ibm_hardware_management_console_hmc.json +221 -0
  170. data/standards/stig_ibm_hardware_management_console_hmc_policies.json +35 -0
  171. data/standards/stig_ibm_maas360_v2.3.x_mdm.json +59 -0
  172. data/standards/stig_ibm_zvm_using_ca_vm:secure.json +473 -0
  173. data/standards/stig_idps_security_requirements_guide_srg.json +1865 -0
  174. data/standards/stig_idsips.json +257 -0
  175. data/standards/stig_iis6_server.json +221 -0
  176. data/standards/stig_iis6_site.json +263 -0
  177. data/standards/stig_iis_7.0_web_server.json +155 -0
  178. data/standards/stig_iis_7.0_web_site.json +299 -0
  179. data/standards/stig_iis_8.5_server.json +293 -0
  180. data/standards/stig_iis_8.5_site.json +347 -0
  181. data/standards/stig_infoblox_7.x_dns.json +419 -0
  182. data/standards/stig_infrastructure_l3_switch.json +599 -0
  183. data/standards/stig_infrastructure_l3_switch_-_cisco.json +659 -0
  184. data/standards/stig_infrastructure_l3_switch_secure_technical_implementation_guide_-_cisco.json +659 -0
  185. data/standards/stig_infrastructure_router.json +479 -0
  186. data/standards/stig_infrastructure_router_-_cisco.json +539 -0
  187. data/standards/stig_infrastructure_router_-_juniper.json +485 -0
  188. data/standards/stig_infrastructure_router__cisco.json +539 -0
  189. data/standards/stig_infrastructure_router__juniper.json +485 -0
  190. data/standards/stig_internet_explorer_8.json +821 -0
  191. data/standards/stig_internet_explorer_9.json +815 -0
  192. data/standards/stig_intrusion_detection_and_prevention_systems_idps_security_requirements_guide.json +371 -0
  193. data/standards/stig_ipsec_vpn_gateway.json +521 -0
  194. data/standards/stig_java_runtime_environment_jre_6_unix.json +65 -0
  195. data/standards/stig_java_runtime_environment_jre_6_win7.json +65 -0
  196. data/standards/stig_java_runtime_environment_jre_6_windows_xp.json +77 -0
  197. data/standards/stig_java_runtime_environment_jre_6_winxp.json +65 -0
  198. data/standards/stig_java_runtime_environment_jre_7_unix.json +65 -0
  199. data/standards/stig_java_runtime_environment_jre_7_win7.json +65 -0
  200. data/standards/stig_java_runtime_environment_jre_7_winxp.json +65 -0
  201. data/standards/stig_java_runtime_environment_jre_version_6_unix.json +77 -0
  202. data/standards/stig_java_runtime_environment_jre_version_6_windows_7.json +77 -0
  203. data/standards/stig_java_runtime_environment_jre_version_6_windows_xp.json +65 -0
  204. data/standards/stig_java_runtime_environment_jre_version_7_unix.json +77 -0
  205. data/standards/stig_java_runtime_environment_jre_version_7_windows_7.json +77 -0
  206. data/standards/stig_java_runtime_environment_jre_version_7_winxp.json +77 -0
  207. data/standards/stig_java_runtime_environment_jre_version_8_unix.json +107 -0
  208. data/standards/stig_java_runtime_environment_jre_version_8_windows.json +107 -0
  209. data/standards/stig_jboss_eap_6.3.json +413 -0
  210. data/standards/stig_juniper_srx_sg_alg.json +155 -0
  211. data/standards/stig_juniper_srx_sg_idps.json +179 -0
  212. data/standards/stig_juniper_srx_sg_ndm.json +443 -0
  213. data/standards/stig_juniper_srx_sg_vpn.json +185 -0
  214. data/standards/stig_keyboard_video_and_mouse_switch.json +269 -0
  215. data/standards/stig_l3_kov-26_talon_wireless_role.json +77 -0
  216. data/standards/stig_layer_2_switch.json +347 -0
  217. data/standards/stig_layer_2_switch_-_cisco.json +365 -0
  218. data/standards/stig_lg_android_5.x_interim_security_configuration_guide.json +245 -0
  219. data/standards/stig_lg_android_6.x.json +281 -0
  220. data/standards/stig_mac_osx_10.6_workstation.json +1319 -0
  221. data/standards/stig_mac_osx_10.6_workstation_draft.json +1319 -0
  222. data/standards/stig_mainframe_product_security_requirements_guide.json +1115 -0
  223. data/standards/stig_mcafee_application_control_7.x.json +203 -0
  224. data/standards/stig_mcafee_move_2.63.6.1_multi-platform_client.json +149 -0
  225. data/standards/stig_mcafee_move_2.63.6.1_multi-platform_oss.json +101 -0
  226. data/standards/stig_mcafee_move_2.6_multi-platform_client.json +149 -0
  227. data/standards/stig_mcafee_move_2.6_multi-platform_oss.json +101 -0
  228. data/standards/stig_mcafee_move_3.6.1_multi-platform_client.json +149 -0
  229. data/standards/stig_mcafee_move_3.6.1_multi-platform_oss.json +101 -0
  230. data/standards/stig_mcafee_move_agentless_3.03.6.1_security_virtual_appliance.json +167 -0
  231. data/standards/stig_mcafee_move_agentless_3.0_security_virtual_appliance.json +167 -0
  232. data/standards/stig_mcafee_move_agentless_3.0_vsel_1.9sva.json +203 -0
  233. data/standards/stig_mcafee_move_agentless_3.6.1_security_virtual_appliance.json +167 -0
  234. data/standards/stig_mcafee_move_av_agentless_4.5.json +155 -0
  235. data/standards/stig_mcafee_move_av_multi-platform_4.5.json +215 -0
  236. data/standards/stig_mcafee_virusscan_8.8_local_client.json +533 -0
  237. data/standards/stig_mcafee_virusscan_8.8_managed_client.json +533 -0
  238. data/standards/stig_mcafee_vsel_1.92.0_local_client.json +245 -0
  239. data/standards/stig_mcafee_vsel_1.92.0_managed_client.json +239 -0
  240. data/standards/stig_mdm_server_policy.json +47 -0
  241. data/standards/stig_microsoft_access_2003.json +47 -0
  242. data/standards/stig_microsoft_access_2007.json +77 -0
  243. data/standards/stig_microsoft_access_2010.json +119 -0
  244. data/standards/stig_microsoft_access_2013.json +113 -0
  245. data/standards/stig_microsoft_access_2016.json +107 -0
  246. data/standards/stig_microsoft_dot_net_framework_4.0.json +101 -0
  247. data/standards/stig_microsoft_excel_2003.json +47 -0
  248. data/standards/stig_microsoft_excel_2007.json +155 -0
  249. data/standards/stig_microsoft_excel_2010.json +287 -0
  250. data/standards/stig_microsoft_excel_2013.json +293 -0
  251. data/standards/stig_microsoft_excel_2016.json +257 -0
  252. data/standards/stig_microsoft_exchange_2010_client_access_server_role.json +71 -0
  253. data/standards/stig_microsoft_exchange_2010_core_server.json +47 -0
  254. data/standards/stig_microsoft_exchange_2010_edge_transport_server_role.json +233 -0
  255. data/standards/stig_microsoft_exchange_2010_hub_transport_server_role.json +125 -0
  256. data/standards/stig_microsoft_exchange_2010_mailbox_server_role.json +107 -0
  257. data/standards/stig_microsoft_exchange_server_2003.json +647 -0
  258. data/standards/stig_microsoft_groove_2013.json +71 -0
  259. data/standards/stig_microsoft_ie_version_6.json +599 -0
  260. data/standards/stig_microsoft_ie_version_7.json +749 -0
  261. data/standards/stig_microsoft_infopath_2003.json +41 -0
  262. data/standards/stig_microsoft_infopath_2007.json +167 -0
  263. data/standards/stig_microsoft_infopath_2010.json +155 -0
  264. data/standards/stig_microsoft_infopath_2013.json +149 -0
  265. data/standards/stig_microsoft_internet_explorer_10.json +857 -0
  266. data/standards/stig_microsoft_internet_explorer_11.json +839 -0
  267. data/standards/stig_microsoft_internet_explorer_9.json +821 -0
  268. data/standards/stig_microsoft_lync_2013.json +29 -0
  269. data/standards/stig_microsoft_office_system_2007.json +221 -0
  270. data/standards/stig_microsoft_office_system_2010.json +233 -0
  271. data/standards/stig_microsoft_office_system_2013.json +293 -0
  272. data/standards/stig_microsoft_office_system_2016.json +131 -0
  273. data/standards/stig_microsoft_onedrivebusiness_2016.json +89 -0
  274. data/standards/stig_microsoft_onenote_2010.json +77 -0
  275. data/standards/stig_microsoft_onenote_2013.json +71 -0
  276. data/standards/stig_microsoft_onenote_2016.json +71 -0
  277. data/standards/stig_microsoft_outlook_2003.json +65 -0
  278. data/standards/stig_microsoft_outlook_2007.json +479 -0
  279. data/standards/stig_microsoft_outlook_2010.json +515 -0
  280. data/standards/stig_microsoft_outlook_2013.json +497 -0
  281. data/standards/stig_microsoft_outlook_2016.json +359 -0
  282. data/standards/stig_microsoft_powerpoint_2003.json +47 -0
  283. data/standards/stig_microsoft_powerpoint_2007.json +131 -0
  284. data/standards/stig_microsoft_powerpoint_2010.json +191 -0
  285. data/standards/stig_microsoft_powerpoint_2013.json +251 -0
  286. data/standards/stig_microsoft_powerpoint_2016.json +233 -0
  287. data/standards/stig_microsoft_project_2010.json +83 -0
  288. data/standards/stig_microsoft_project_2013.json +95 -0
  289. data/standards/stig_microsoft_project_2016.json +95 -0
  290. data/standards/stig_microsoft_publisher_2010.json +107 -0
  291. data/standards/stig_microsoft_publisher_2013.json +101 -0
  292. data/standards/stig_microsoft_publisher_2016.json +101 -0
  293. data/standards/stig_microsoft_sharepoint_designer_2013.json +71 -0
  294. data/standards/stig_microsoft_skypebusiness_2016.json +29 -0
  295. data/standards/stig_microsoft_sql_server_2005_database.json +167 -0
  296. data/standards/stig_microsoft_sql_server_2005_instance.json +1001 -0
  297. data/standards/stig_microsoft_sql_server_2012_database.json +179 -0
  298. data/standards/stig_microsoft_sql_server_2012_database_instance.json +929 -0
  299. data/standards/stig_microsoft_visio_2013.json +89 -0
  300. data/standards/stig_microsoft_visio_2016.json +89 -0
  301. data/standards/stig_microsoft_windows_10_mobile.json +215 -0
  302. data/standards/stig_microsoft_windows_2008_server_domain_name_system.json +269 -0
  303. data/standards/stig_microsoft_windows_2012_server_domain_name_system.json +551 -0
  304. data/standards/stig_microsoft_windows_phone_8.1.json +161 -0
  305. data/standards/stig_microsoft_windows_server_2012_domain_controller.json +2633 -0
  306. data/standards/stig_microsoft_windows_server_2012_member_server.json +2411 -0
  307. data/standards/stig_microsoft_word_2003.json +47 -0
  308. data/standards/stig_microsoft_word_2007.json +119 -0
  309. data/standards/stig_microsoft_word_2010.json +221 -0
  310. data/standards/stig_microsoft_word_2013.json +221 -0
  311. data/standards/stig_microsoft_word_2016.json +215 -0
  312. data/standards/stig_mobile_application_management_mam_server.json +95 -0
  313. data/standards/stig_mobile_application_security_requirements_guide.json +233 -0
  314. data/standards/stig_mobile_device_integrity_scanning_mdis_server.json +119 -0
  315. data/standards/stig_mobile_device_management_mdm_server.json +125 -0
  316. data/standards/stig_mobile_device_manager_security_requirements_guide.json +2555 -0
  317. data/standards/stig_mobile_email_management_mem_server.json +197 -0
  318. data/standards/stig_mobile_operating_system_security_requirements_guide.json +1943 -0
  319. data/standards/stig_mobile_policy.json +35 -0
  320. data/standards/stig_mobile_policy_security_requirements_guide.json +437 -0
  321. data/standards/stig_mobileiron_core_v9.x_mdm.json +89 -0
  322. data/standards/stig_mobility_policy.json +65 -0
  323. data/standards/stig_mozilla_firefox.json +161 -0
  324. data/standards/stig_ms_exchange_2013_client_access_server.json +209 -0
  325. data/standards/stig_ms_exchange_2013_edge_transport_server.json +443 -0
  326. data/standards/stig_ms_exchange_2013_mailbox_server.json +437 -0
  327. data/standards/stig_ms_sharepoint_2010.json +269 -0
  328. data/standards/stig_ms_sharepoint_2013.json +245 -0
  329. data/standards/stig_ms_sharepoint_designer_2013.json +71 -0
  330. data/standards/stig_ms_sql_server_2014_database.json +263 -0
  331. data/standards/stig_ms_sql_server_2014_instance.json +575 -0
  332. data/standards/stig_ms_sql_server_2016_database.json +185 -0
  333. data/standards/stig_ms_sql_server_2016_instance.json +731 -0
  334. data/standards/stig_ms_windows_defender_antivirus.json +257 -0
  335. data/standards/stig_multifunction_device_and_network_printers.json +131 -0
  336. data/standards/stig_network_device_management_security_requirements_guide.json +863 -0
  337. data/standards/stig_network_devices.json +389 -0
  338. data/standards/stig_network_infrastructure_policy.json +455 -0
  339. data/standards/stig_network_security_requirements_guide.json +1961 -0
  340. data/standards/stig_operating_system_security_requirements_guide.json +1961 -0
  341. data/standards/stig_oracle_10_database_installation.json +527 -0
  342. data/standards/stig_oracle_10_database_instance.json +569 -0
  343. data/standards/stig_oracle_11_database_installation.json +527 -0
  344. data/standards/stig_oracle_11_database_instance.json +551 -0
  345. data/standards/stig_oracle_database_10g_installation.json +527 -0
  346. data/standards/stig_oracle_database_10g_instance.json +581 -0
  347. data/standards/stig_oracle_database_11.2g.json +1229 -0
  348. data/standards/stig_oracle_database_11g_installation.json +527 -0
  349. data/standards/stig_oracle_database_11g_instance.json +575 -0
  350. data/standards/stig_oracle_database_12c.json +1217 -0
  351. data/standards/stig_oracle_http_server_12.1.3.json +1703 -0
  352. data/standards/stig_oracle_linux_5.json +3431 -0
  353. data/standards/stig_oracle_linux_6.json +1583 -0
  354. data/standards/stig_oracle_weblogic_server_12c.json +443 -0
  355. data/standards/stig_palo_alto_networks_alg.json +311 -0
  356. data/standards/stig_palo_alto_networks_idps.json +185 -0
  357. data/standards/stig_palo_alto_networks_ndm.json +251 -0
  358. data/standards/stig_pda.json +83 -0
  359. data/standards/stig_pdasmartphone.json +95 -0
  360. data/standards/stig_perimeter_l3_switch.json +923 -0
  361. data/standards/stig_perimeter_l3_switch_-_cisco.json +1001 -0
  362. data/standards/stig_perimeter_router.json +803 -0
  363. data/standards/stig_perimeter_router_cisco.json +881 -0
  364. data/standards/stig_perimeter_router_juniper.json +803 -0
  365. data/standards/stig_postgresql_9.x.json +677 -0
  366. data/standards/stig_red_hat_enterprise_linux_5.json +3437 -0
  367. data/standards/stig_red_hat_enterprise_linux_6.json +1565 -0
  368. data/standards/stig_red_hat_enterprise_linux_7.json +1451 -0
  369. data/standards/stig_remote_access_policy.json +317 -0
  370. data/standards/stig_removable_storage_and_external_connection_technologies.json +143 -0
  371. data/standards/stig_removable_storage_and_external_connections.json +137 -0
  372. data/standards/stig_rfid_scanner.json +35 -0
  373. data/standards/stig_rfid_workstation.json +23 -0
  374. data/standards/stig_riverbed_steelhead_cx_v8_alg.json +83 -0
  375. data/standards/stig_riverbed_steelhead_cx_v8_ndm.json +371 -0
  376. data/standards/stig_router_security_requirements_guide.json +575 -0
  377. data/standards/stig_samsung_android_os_5_with_knox_2.0.json +365 -0
  378. data/standards/stig_samsung_android_os_6_with_knox_2.x.json +377 -0
  379. data/standards/stig_samsung_android_os_7_with_knox_2.x.json +443 -0
  380. data/standards/stig_samsung_android_with_knox_1.x.json +293 -0
  381. data/standards/stig_samsung_android_with_knox_2.x.json +371 -0
  382. data/standards/stig_samsung_knox_android_1.0.json +167 -0
  383. data/standards/stig_sharepoint_2010.json +269 -0
  384. data/standards/stig_sharepoint_2013.json +245 -0
  385. data/standards/stig_smartphone_policy.json +131 -0
  386. data/standards/stig_solaris_10_sparc.json +3029 -0
  387. data/standards/stig_solaris_10_x86.json +3065 -0
  388. data/standards/stig_solaris_11_sparc.json +1427 -0
  389. data/standards/stig_solaris_11_x86.json +1421 -0
  390. data/standards/stig_solaris_9_sparc.json +2915 -0
  391. data/standards/stig_solaris_9_x86.json +2915 -0
  392. data/standards/stig_sun_ray_4.json +185 -0
  393. data/standards/stig_sun_ray_4_policy.json +77 -0
  394. data/standards/stig_suse_linux_enterprise_server_v11system_z.json +3311 -0
  395. data/standards/stig_symantec_endpoint_protection_12.1_local_client_antivirus.json +689 -0
  396. data/standards/stig_symantec_endpoint_protection_12.1_managed_client_antivirus.json +695 -0
  397. data/standards/stig_tanium_6.5.json +461 -0
  398. data/standards/stig_tanium_7.0.json +803 -0
  399. data/standards/stig_test_and_development_zone_a.json +167 -0
  400. data/standards/stig_test_and_development_zone_b.json +179 -0
  401. data/standards/stig_test_and_development_zone_c.json +143 -0
  402. data/standards/stig_test_and_development_zone_d.json +143 -0
  403. data/standards/stig_traditional_security.json +917 -0
  404. data/standards/stig_unix_srg.json +3287 -0
  405. data/standards/stig_video_services_policy.json +497 -0
  406. data/standards/stig_video_teleconference.json +47 -0
  407. data/standards/stig_video_teleconference_vtc.json +12 -0
  408. data/standards/stig_vmware_esx_3_policy.json +155 -0
  409. data/standards/stig_vmware_esx_3_server.json +3791 -0
  410. data/standards/stig_vmware_esx_3_virtual_center.json +257 -0
  411. data/standards/stig_vmware_esx_3_virtual_machine.json +53 -0
  412. data/standards/stig_vmware_esxi_server_5.0.json +809 -0
  413. data/standards/stig_vmware_esxi_v5.json +5177 -0
  414. data/standards/stig_vmware_esxi_version_5_virtual_machine.json +317 -0
  415. data/standards/stig_vmware_nsx_distributed_firewall.json +83 -0
  416. data/standards/stig_vmware_nsx_distributed_logical_router.json +35 -0
  417. data/standards/stig_vmware_nsx_manager.json +191 -0
  418. data/standards/stig_vmware_vcenter_server.json +179 -0
  419. data/standards/stig_vmware_vcenter_server_version_5.json +149 -0
  420. data/standards/stig_vmware_vsphere_esxi_6.0.json +659 -0
  421. data/standards/stig_vmware_vsphere_vcenter_server_version_6.json +311 -0
  422. data/standards/stig_vmware_vsphere_virtual_machine_version_6.json +269 -0
  423. data/standards/stig_voice_and_video_over_internet_protocol_vvoip_policy.json +407 -0
  424. data/standards/stig_voice_video_endpoint_security_requirements_guide.json +395 -0
  425. data/standards/stig_voice_video_services_policy.json +671 -0
  426. data/standards/stig_voice_video_session_management_security_requirements_guide.json +329 -0
  427. data/standards/stig_voicevideo_over_internet_protocol.json +419 -0
  428. data/standards/stig_voicevideo_over_internet_protocol_vvoip.json +263 -0
  429. data/standards/stig_voicevideo_services_policy.json +569 -0
  430. data/standards/stig_web_policy.json +95 -0
  431. data/standards/stig_web_server.json +317 -0
  432. data/standards/stig_web_server_security_requirements_guide.json +587 -0
  433. data/standards/stig_win2k3_audit.json +761 -0
  434. data/standards/stig_win2k8_audit.json +1085 -0
  435. data/standards/stig_win2k8_r2_audit.json +1637 -0
  436. data/standards/stig_win7_audit.json +1613 -0
  437. data/standards/stig_windows_10.json +1691 -0
  438. data/standards/stig_windows_2003_domain_controller.json +893 -0
  439. data/standards/stig_windows_2003_member_server.json +845 -0
  440. data/standards/stig_windows_2008_domain_controller.json +1475 -0
  441. data/standards/stig_windows_2008_member_server.json +1301 -0
  442. data/standards/stig_windows_7.json +1781 -0
  443. data/standards/stig_windows_8.json +2399 -0
  444. data/standards/stig_windows_88.1.json +2273 -0
  445. data/standards/stig_windows_8_8.1.json +2297 -0
  446. data/standards/stig_windows_defender_antivirus.json +239 -0
  447. data/standards/stig_windows_dns.json +185 -0
  448. data/standards/stig_windows_firewall_with_advanced_security.json +137 -0
  449. data/standards/stig_windows_paw.json +155 -0
  450. data/standards/stig_windows_phone_6.5_with_good_mobility_suite.json +65 -0
  451. data/standards/stig_windows_server_2008_r2_domain_controller.json +1961 -0
  452. data/standards/stig_windows_server_2008_r2_member_server.json +1745 -0
  453. data/standards/stig_windows_server_20122012_r2_domain_controller.json +2255 -0
  454. data/standards/stig_windows_server_20122012_r2_member_server.json +2045 -0
  455. data/standards/stig_windows_server_2012_2012_r2_domain_controller.json +2279 -0
  456. data/standards/stig_windows_server_2012_2012_r2_member_server.json +2075 -0
  457. data/standards/stig_windows_server_2012_domain_controller.json +2471 -0
  458. data/standards/stig_windows_server_2012_member_server.json +2249 -0
  459. data/standards/stig_windows_server_2016.json +1661 -0
  460. data/standards/stig_windows_vista.json +1517 -0
  461. data/standards/stig_windows_xp.json +893 -0
  462. data/standards/stig_wireless_keyboard_and_mouse.json +23 -0
  463. data/standards/stig_wireless_management_server_policy.json +53 -0
  464. data/standards/stig_wireless_remote_access_policy_security_implementation_guide.json +29 -0
  465. data/standards/stig_wlan_access_point_enclave-niprnet_connected.json +227 -0
  466. data/standards/stig_wlan_access_point_internet_gateway_only_connection.json +209 -0
  467. data/standards/stig_wlan_access_point_policy.json +17 -0
  468. data/standards/stig_wlan_authentication_server.json +29 -0
  469. data/standards/stig_wlan_bridge.json +209 -0
  470. data/standards/stig_wlan_client.json +65 -0
  471. data/standards/stig_wlan_controller.json +215 -0
  472. data/standards/stig_wlan_ids_sensorserver.json +23 -0
  473. data/standards/stig_wman_access_point.json +263 -0
  474. data/standards/stig_wman_bridge.json +209 -0
  475. data/standards/stig_wman_subscriber.json +65 -0
  476. data/standards/stig_zos_acf2.json +1451 -0
  477. data/standards/stig_zos_bmc_control-dacf2.json +53 -0
  478. data/standards/stig_zos_bmc_control-dracf.json +59 -0
  479. data/standards/stig_zos_bmc_control-dtss.json +65 -0
  480. data/standards/stig_zos_bmc_control-macf2.json +59 -0
  481. data/standards/stig_zos_bmc_control-mracf.json +65 -0
  482. data/standards/stig_zos_bmc_control-mrestartacf2.json +23 -0
  483. data/standards/stig_zos_bmc_control-mrestartracf.json +23 -0
  484. data/standards/stig_zos_bmc_control-mrestarttss.json +23 -0
  485. data/standards/stig_zos_bmc_control-mtss.json +71 -0
  486. data/standards/stig_zos_bmc_control-oacf2.json +53 -0
  487. data/standards/stig_zos_bmc_control-oracf.json +59 -0
  488. data/standards/stig_zos_bmc_control-otss.json +65 -0
  489. data/standards/stig_zos_bmc_ioaacf2.json +53 -0
  490. data/standards/stig_zos_bmc_ioaracf.json +59 -0
  491. data/standards/stig_zos_bmc_ioatss.json +65 -0
  492. data/standards/stig_zos_bmc_mainviewzosacf2.json +47 -0
  493. data/standards/stig_zos_bmc_mainviewzosracf.json +53 -0
  494. data/standards/stig_zos_bmc_mainviewzostss.json +59 -0
  495. data/standards/stig_zos_ca_1_tape_managementacf2.json +65 -0
  496. data/standards/stig_zos_ca_1_tape_managementracf.json +77 -0
  497. data/standards/stig_zos_ca_1_tape_managementtss.json +77 -0
  498. data/standards/stig_zos_ca_auditoracf2.json +29 -0
  499. data/standards/stig_zos_ca_auditorracf.json +29 -0
  500. data/standards/stig_zos_ca_auditortss.json +29 -0
  501. data/standards/stig_zos_ca_common_servicesacf2.json +23 -0
  502. data/standards/stig_zos_ca_common_servicesracf.json +29 -0
  503. data/standards/stig_zos_ca_common_servicestss.json +29 -0
  504. data/standards/stig_zos_ca_micsacf2.json +23 -0
  505. data/standards/stig_zos_ca_micsracf.json +23 -0
  506. data/standards/stig_zos_ca_micstss.json +23 -0
  507. data/standards/stig_zos_ca_mimacf2.json +41 -0
  508. data/standards/stig_zos_ca_mimracf.json +47 -0
  509. data/standards/stig_zos_ca_mimtss.json +47 -0
  510. data/standards/stig_zos_ca_vtapeacf2.json +29 -0
  511. data/standards/stig_zos_ca_vtaperacf.json +35 -0
  512. data/standards/stig_zos_ca_vtapetss.json +35 -0
  513. data/standards/stig_zos_catalog_solutionsacf2.json +23 -0
  514. data/standards/stig_zos_catalog_solutionsracf.json +23 -0
  515. data/standards/stig_zos_catalog_solutionstss.json +23 -0
  516. data/standards/stig_zos_clsupersessionacf2.json +53 -0
  517. data/standards/stig_zos_clsupersessionracf.json +65 -0
  518. data/standards/stig_zos_clsupersessiontss.json +71 -0
  519. data/standards/stig_zos_compuware_abend-aidacf2.json +47 -0
  520. data/standards/stig_zos_compuware_abend-aidracf.json +53 -0
  521. data/standards/stig_zos_compuware_abend-aidtss.json +53 -0
  522. data/standards/stig_zos_cssmtpacf2.json +23 -0
  523. data/standards/stig_zos_cssmtpracf.json +29 -0
  524. data/standards/stig_zos_cssmtptss.json +29 -0
  525. data/standards/stig_zos_fdracf2.json +23 -0
  526. data/standards/stig_zos_fdrracf.json +23 -0
  527. data/standards/stig_zos_fdrtss.json +23 -0
  528. data/standards/stig_zos_hcdacf2.json +29 -0
  529. data/standards/stig_zos_hcdracf.json +29 -0
  530. data/standards/stig_zos_hcdtss.json +29 -0
  531. data/standards/stig_zos_ibm_cics_transaction_serveracf2.json +17 -0
  532. data/standards/stig_zos_ibm_cics_transaction_serverracf.json +17 -0
  533. data/standards/stig_zos_ibm_cics_transaction_servertss.json +17 -0
  534. data/standards/stig_zos_ibm_health_checkeracf2.json +23 -0
  535. data/standards/stig_zos_ibm_health_checkerracf.json +29 -0
  536. data/standards/stig_zos_ibm_health_checkertss.json +29 -0
  537. data/standards/stig_zos_ibm_system_display_and_search_facility_sdsfacf2.json +53 -0
  538. data/standards/stig_zos_ibm_system_display_and_search_facility_sdsfracf.json +59 -0
  539. data/standards/stig_zos_ibm_system_display_and_search_facility_sdsftss.json +53 -0
  540. data/standards/stig_zos_icsfacf2.json +29 -0
  541. data/standards/stig_zos_icsfracf.json +35 -0
  542. data/standards/stig_zos_icsftss.json +35 -0
  543. data/standards/stig_zos_netviewacf2.json +41 -0
  544. data/standards/stig_zos_netviewracf.json +47 -0
  545. data/standards/stig_zos_netviewtss.json +53 -0
  546. data/standards/stig_zos_quest_nc-passacf2.json +35 -0
  547. data/standards/stig_zos_quest_nc-passracf.json +41 -0
  548. data/standards/stig_zos_quest_nc-passtss.json +47 -0
  549. data/standards/stig_zos_racf.json +1415 -0
  550. data/standards/stig_zos_roscoeacf2.json +47 -0
  551. data/standards/stig_zos_roscoeracf.json +53 -0
  552. data/standards/stig_zos_roscoetss.json +59 -0
  553. data/standards/stig_zos_srrauditacf2.json +23 -0
  554. data/standards/stig_zos_srrauditracf.json +23 -0
  555. data/standards/stig_zos_srraudittss.json +23 -0
  556. data/standards/stig_zos_tadzacf2.json +29 -0
  557. data/standards/stig_zos_tadzracf.json +35 -0
  558. data/standards/stig_zos_tadztss.json +35 -0
  559. data/standards/stig_zos_tdmfacf2.json +23 -0
  560. data/standards/stig_zos_tdmfracf.json +23 -0
  561. data/standards/stig_zos_tdmftss.json +23 -0
  562. data/standards/stig_zos_tss.json +1523 -0
  563. data/standards/stig_zos_vssracf.json +29 -0
  564. metadata +691 -0
@@ -0,0 +1,317 @@
1
+ {
2
+ "name": "stig_remote_access_policy",
3
+ "date": "2016-03-28",
4
+ "description": "None",
5
+ "title": "Remote Access Policy STIG",
6
+ "version": "None",
7
+ "item_syntax": "^\\w-\\d+$",
8
+ "section_separator": null,
9
+ "items": [
10
+ {
11
+ "id": "V-14751",
12
+ "title": "Sites allowing contractors, non-DoD entities, or other DoD organization to remotely connect to the enclave will establish written Memorandum of Agreements (MOAs) with the contractor or other orgranization. ",
13
+ "description": "To provide the maximum level of security for both the DoD network and the remote corporate enterprise, an MOA is needed that allows administrative oversight and confiscation of compromised equipment.\n\n",
14
+ "severity": "low"
15
+ },
16
+ {
17
+ "id": "V-18535",
18
+ "title": "Ensure the use a vendor-supported version of the remote access server, remote access policy server, NAC appliance, VPN, and/or communications server software. ",
19
+ "description": "Unsupported versions will lack security enhancements as well as support provided by the vendors to address vulnerabilities. The system administrator must monitor IAVM, OS, or OEM patch or vulnerability notices for the remote access, VPN, or communications appliance(s). Patches, upgrades, and configuration changes should be tested to the greatest extent possible prior to installation. The vendor may be consulted to determine if the specific device is vulnerable. If the vendor does not recommend installing a patch or upgrade, and has stated that the device is not vulnerable, the administrator will retain this documentation.",
20
+ "severity": "medium"
21
+ },
22
+ {
23
+ "id": "V-18536",
24
+ "title": "Ensure unused management interfaces, ports, protocols, and services are removed or disabled on devices providing remote access services to remote users. ",
25
+ "description": "When services, ports, and protocols are enabled by default or are not regularly used, SAs can neglect to secure or updates them. These services can then become a path for exploitation since they are often well known vulnerabilities to attackers. ",
26
+ "severity": "medium"
27
+ },
28
+ {
29
+ "id": "V-18590",
30
+ "title": "Ensure a remote access security policy manager is used to manage the security policy on devices used for remote network connection or remote access. ",
31
+ "description": "A centralized policy manager provides a consistent security policy, particularly in environments with multiple remote access devices such as multiple VPNs or RAS devices. This is a best practice for centralized management in networks with multiple remote access gateways or products. Use a single remote access policy server or configure a centralized access server which serves this purpose.",
32
+ "severity": "medium"
33
+ },
34
+ {
35
+ "id": "V-18622",
36
+ "title": "The remote access policy will provide separation of traffic based on sensitivity and user trust levels. \n",
37
+ "description": "Device authentication must be performed at the perimeter or on a subnet separated from the trusted internal enclave. User authentication ensures the user is authorized for access. However, user authentication does not mitigate the risk from an improperly configured client device. Devices must be tested for policy compliance and assigned a trust level based on the results of a thorough integrity check. This approach checks that devices connecting to the network are authenticated and compliant with network policy prior to allowing access to network resources.",
38
+ "severity": "medium"
39
+ },
40
+ {
41
+ "id": "V-18680",
42
+ "title": "If a policy assessment server or service is used as part of an automated access control decision point (to accept non-DoD owned and/or managed remote endpoints to the network), only devices that are both authenticated to the network and compliant with network policies are allowed access.",
43
+ "description": "In this STIG, a managed device is defined as a device that has installed software (i.e. an agent) that allows the device to be managed and queried from a remote server. Thus, an unmanaged device does not have a pre-installed agent which has been obtained from and configured by an approved DoD source. A device is also considerd unmanaged if the authorized agent is not operating properly and cannot communicate with the server. \n\nDevices that are both non-GFE and unmanaged cannot be used. To be authenticated to the network, the authentication information must be pre-configured by the site's system administrator and the device and the user must be authorized by the DAA for access to the system.\n\nTrusted computing environments require a process for ensuring that users and devices are authenticated and authorized. In certain environments such as a development network, unmanaged devices may be justified by government policy or the mission. Automated policy assessment may be implemented in various ways to increase trust and manage the risk posed by these guest devices.\n",
44
+ "severity": "medium"
45
+ },
46
+ {
47
+ "id": "V-18750",
48
+ "title": "Ensure remote endpoint policy assessment proceeds only after the endpoint attempting remote access has been identified using an approved method such as 802.1x or EAP tunneled within PPP.\n",
49
+ "description": "Trusted computing shoud require authentication and authorization of both the user's identity and the identity of the computing device. It is possible that an authorized user may be accessing the network remotely from a computer that does not meet DoD standards. This may compromise user information, particularly before or after a VPN tunnel is established.",
50
+ "severity": "low"
51
+ },
52
+ {
53
+ "id": "V-18754",
54
+ "title": "When automated remediation is used, ensure the remote access solution is configured to notify the remote user before proceeding with remediation of the user's endpoint device.\n",
55
+ "description": "Notification will let the user know that installation is in progress and may take a while. This notice may deter the user from disconnecting and retrying the connection before the remediation is completed. Premature disconnections may increase network demand and frustrate the user.\n\nNOTE: This policy does not require remediation but will apply if remediation services are used.",
56
+ "severity": "low"
57
+ },
58
+ {
59
+ "id": "V-18833",
60
+ "title": "Ensure devices failing policy assessment that are not automatically remediated either before or during the remote access session, will be flagged for future manual or automated remediation. ",
61
+ "description": "Devices not compliant with DoD secure configuration policies will not be permitted to use DoD licensed software.\n\nThe device status will be updated on the network and in the HBSS agent. A reminder will be sent to the user and the SA periodically or at a minimum each time a policy assessment is performed.",
62
+ "severity": "low"
63
+ },
64
+ {
65
+ "id": "V-18834",
66
+ "title": "During security policy assessment, a procedure will exist that when critical security issues are found that put the network at risk, the remote endpoint will be placed immediately on the “blacklist” and the connection will be terminated. \n",
67
+ "description": "Automated and manual procedures for remediation for critical security updates will be managed differently. Continuing to assess and remediate endpoints with risks that could endanger the network could impact network usage for all users.",
68
+ "severity": "low"
69
+ },
70
+ {
71
+ "id": "V-18835",
72
+ "title": "Configure the devices and servers in the network access control solution (e.g., NAC, assessment server, policy decision point) so they do not communicate with other network devices in the DMZ or subnet except as needed to perform a remote access client assessment or to identify itself.",
73
+ "description": "Since the network access control devices and servers should have no legitimate reason for communicating with other devices outside of the assessment solution, any direct communication with unrelated hosts would be suspect traffic.",
74
+ "severity": "medium"
75
+ },
76
+ {
77
+ "id": "V-18836",
78
+ "title": "If a policy assessment server or service is used as part of an automated access control decision point (for authentication and authorization of unmanaged remote endpoints to the network), the remote access solution must include the minimum required policy assessment checks for unmanaged devices prior to allowing remote access to the network.",
79
+ "description": "Automated policy assessment must validate the organization's minimum security requirements so entry control decisions do not put the organization at risk because of a compromised remote device. Outdated or disabled security functions on remote endpoints present an immediate threat to the trusted network if allowed entry based solely on the user’s access and authorization, particularly if the user has elevated access or management access to data and systems. The goal of this policy is centralized policy assessment for remote access devices. Each of the checks required in this policy serves to mitigate known risks to the trusted network using the endpoint as an attack vector, thus all must be configured to meet this requirement.",
80
+ "severity": "high"
81
+ },
82
+ {
83
+ "id": "V-18837",
84
+ "title": "Ensure that for unmanaged client endpoints, the system must automatically scan the device once it has connected to the physical network but before giving access to the trusted internal LAN. ",
85
+ "description": "Unmanaged devices that are not controlled or configured by DoD should not be used on the network. Contractor and partner equipment must also comply with DoD endpoint configuration requirements and kept updated. Automated assessment will allow these devices to be used safely while minimizing risk to the Enclave. ",
86
+ "severity": "medium"
87
+ },
88
+ {
89
+ "id": "V-18838",
90
+ "title": "Automated access control solution is validated under the National Information Assurance Partnership (NIAP) Common Criteria as meeting U.S. Government protection requirements.",
91
+ "description": "DOD requires that products used for IA be NIAP compliant. ",
92
+ "severity": "low"
93
+ },
94
+ {
95
+ "id": "V-18841",
96
+ "title": "Regardless of the type of endpoint used, the communication between the policy enforcement device (e.g., NAC appliance) and the agent must be protected by encryption (e.g., SSL/TLS over HTTP, EAP-TLS, EAP over PPP).",
97
+ "description": "Communications between the remote client and the system which makes the decision to allow or terminate access to the network is privileged traffic. Privileged communication should be separated and/or encrypted.",
98
+ "severity": "low"
99
+ },
100
+ {
101
+ "id": "V-18842",
102
+ "title": "The network access control solution (e.g., NAC appliance, policy server) will provide the capability to implement integrity checking to ensure the client agent itself has not been altered or otherwise compromised.",
103
+ "description": "Remote access devices are often lost or stolen. They represent a threat to the enclave if the agent is compromised as this is the data collection entity in the policy assessment solution. An integrity check allows for detection in case the agent is compromised.",
104
+ "severity": "medium"
105
+ },
106
+ {
107
+ "id": "V-18843",
108
+ "title": "Client agents which have been customized with DoD restricted, non-public information or information which may divulge network details (e.g., internal IP ranges or network host names) will not be installed on unmanaged, non-government client endpoints such as kiosks and public computers.",
109
+ "description": "Unmanaged clients such as partner or contractor-owned devices should not contain restricted government informaiton.",
110
+ "severity": "medium"
111
+ },
112
+ {
113
+ "id": "V-18844",
114
+ "title": "The policy assessment/enforcement device will be configured to use a separate authentication server (e.g., IAS, Active Directory, RADIUS, TACACS+) to perform user authentication. ",
115
+ "description": "The remote user policy assessment/enforcement device will be installed on a separate host from the authentication server. This device interacts directly with public networks and devices and should not contain user authentication information for all users.",
116
+ "severity": "medium"
117
+ },
118
+ {
119
+ "id": "V-18846",
120
+ "title": "Where automated remediation is used for remote access clients, traffic separation will be implemented and authorized and unauthorized network traffic use separate security domains (e.g., Virtual Local Area Networks (VLANs)).",
121
+ "description": "A device can pass authentication by presenting valid credentials. However, in a properly configured automated admission access control solution, the device must also be compliant with security policy. When this technology is used, policy compliance and remediation is performed before the device is allowed unto the trusted network. If the device does not pass the security policy compliance inspection, then it may contain malicious code which may endanger the network. After the device has been authenticated, it can be logically moved into a new VLAN and given access to the trusted network depending on user authorization.\n\nNOTE: This policy does not mandate automated remediation.",
122
+ "severity": "low"
123
+ },
124
+ {
125
+ "id": "V-18847",
126
+ "title": "If the device requesting remote network access fails the network policy assessment tests, then the policy server will communicate with the remote access device (e.g., VPN gateway or RAS) to perform an approved action based on the requirements of this policy. \n",
127
+ "description": "If a device fails the sites approved security policy assessment test, then it may contain compromised data. Using a VLAN to keep trusted and untrusted traffic safe his kept separated while the failure is either redirected for remediation or the communication terminated.",
128
+ "severity": "medium"
129
+ },
130
+ {
131
+ "id": "V-18851",
132
+ "title": "The DAA will approve all remote access connections that bypass the policy enforcment/assessment solution.",
133
+ "description": "Remote access connections that bypass established security controls should be only in cases of administrative need. These procedures and use cases must be approved by the DAA.",
134
+ "severity": "high"
135
+ },
136
+ {
137
+ "id": "V-18852",
138
+ "title": "For networks which do not allow unmanaged devices, remote endpoints that fail the device authentication check will not proceed with the policy assessment checks (authorization checks) and remote access will be denied. ",
139
+ "description": "Devices that fail authentication are not permitted on the network. These devices may contain malware or content which is harmful to the enclave.",
140
+ "severity": "medium"
141
+ },
142
+ {
143
+ "id": "V-18853",
144
+ "title": "Endpoints accessing the remediation server will not have access to other network resources that are not part of the remediation process.",
145
+ "description": "This type of access could permit an unauthorized endpoint onto the network. Depending on the critical nature of the authorization failure (e.g., virus detected) this type of access could place the enclave at risk.",
146
+ "severity": "medium"
147
+ },
148
+ {
149
+ "id": "V-18854",
150
+ "title": "After remediation, unmanaged (non-DoD owned or controlled) endpoints will not be given access to network resources, but will be forced to reapply via the network policy assessment server and be reassessed for compliance. ",
151
+ "description": "After initial remediation, unmanaged devices should be tested again prior to authorization and admittance. This will mitigate the risk that the remediation did not completely eliminate the cause of the initial assessment failure.",
152
+ "severity": "medium"
153
+ },
154
+ {
155
+ "id": "V-18855",
156
+ "title": "Remote access to perform privileged or network management tasks must employ endpoint devices that are controlled (documented), managed (e.g., use a transient NAC agent), and kept updated and compliant with applicable DoD security policies.",
157
+ "description": "If endpoint devices used to access restricted networks and systems are not compliant with security policies and able to pass policy assessment then privileged information and systems may be at immediate risk. Devices are government owned (GFE), contractor owned, or personally owned. Devices are categorized as government owned (GFE), contractor owned, or personally owned. \n\nA personally-owned device is not managed, owned, or leased by the government. Personally owned devices do not meet DoD security standards for privileged access. This type of access from an untrusted device puts the network at immediate risk since these devices may have ensured confidentiality and integrity requirements. These devices may be managed devices. However, even when subjected to policy assessment, personally owned devices are not allowed for processing classified or for remote access to privileged data or functions. The intention is to allow approved and limited usage (e.g., for email). However, note that a policy assessment solution must be in place for all unmanaged devices to enter trusted zones.\n\nContractor owned endpoints are provided in compliance with a government contract to perform management services. These endpoints must be STIG compliant using the OS STIG and other applicable STIGs and must follow DoD requirements for remaining compliant. The configuration and connection method for privileged access must also comply with government confidentiality and integrity requirements. Thus, the configuration of devices must be approved by the government as STIG compliant and kept up to date. Remote access for these devices must meet network access control and automated policy assessment requirements.",
158
+ "severity": "high"
159
+ },
160
+ {
161
+ "id": "V-19139",
162
+ "title": "Develop a user agreement to be signed by all remote users prior to obtaining access. This agreement may be integrated with the site's remote access usage training. ",
163
+ "description": "Lack of user training and understanding of responsibilities to safeguard wireless technology are a significant vulnerability to the enclave. Once policies are established, users must be trained to meet these requirements or the risk to the network remains. User agreements are particularly important for mobile and remote users since there is a high risk of loss, theft, or compromise, thus, this signed agreement is a good best practice to help ensure the site is confirming the user is aware of the risks and proper procedures. ",
164
+ "severity": "low"
165
+ },
166
+ {
167
+ "id": "V-19140",
168
+ "title": "Ensure remote endpoints that are owned, controlled, and/or managed by DoD for processing or accessing DoD sensitive, non-public assets and comply the requirements.\n",
169
+ "description": "Unmanaged endpoints must be configured according to the organization's security policy and standards before these devices can be allowed access to even the most non-sensitive areas of the network such as the DMZ. Unmanaged endpoints will never be allowed to traverse or access to the protected inner enclave regardless of configuration.",
170
+ "severity": "medium"
171
+ },
172
+ {
173
+ "id": "V-19142",
174
+ "title": "Develop a computer security checklist to be completed and signed by the remote user. This checklist will inform and remind the user of the potential security risks inherent with remote access methods. ",
175
+ "description": "Lack of user training and understanding of responsibilities to safeguard the network are a significant vulnerability to the enclave. Once policies are established, users must be trained to these requirements or the risk to the network remains.",
176
+ "severity": "low"
177
+ },
178
+ {
179
+ "id": "V-19143",
180
+ "title": "Remote user agreement will contain a Standard Mandatory Notice and Consent Provision. ",
181
+ "description": "Lack of user training as evidenced by signed documentation may indicate the users lack understanding of their responsibilities to safeguard the network and be a significant vulnerability to the enclave.",
182
+ "severity": "low"
183
+ },
184
+ {
185
+ "id": "V-19144",
186
+ "title": "Train users not to connect remote clients which process sensitive information directly into the broadband modem. ",
187
+ "description": "If a telework devices connect directly to the teleworker’s ISP, such as plugging the device directly into a cable modem, then the device is directly accessible from the Internet and at high risk of being attacked. To prevent this from occurring, the home network should have a security device between the ISP and the telework device. This is most commonly accomplished by using a broadband router (e.g., cable modem router, DSL router) or a firewall appliance.",
188
+ "severity": "low"
189
+ },
190
+ {
191
+ "id": "V-19145",
192
+ "title": "Users who telework regularly are informed of the requirement to configure home networking router or firewall appliances to implement NAT. ",
193
+ "description": "Configuring NAT on the network security gateway or firewall will help prevent hosts on the Internet from accessing the DOD teleworker computer directly.",
194
+ "severity": "low"
195
+ },
196
+ {
197
+ "id": "V-19146",
198
+ "title": "Train users to configure the home networking router or firewall appliance to protect devices on the home network from each other (isolate), the devices are logically separated by the appliance or router (on a different logical segment of the network).",
199
+ "description": "If a personal firewall on a computer malfunctioned, the appliance or router would still protect the computer from unauthorized network communications from external computers. In some cases, the appliance or router also can protect devices on the home network from each other—if the devices are logically separated by the appliance or router.",
200
+ "severity": "low"
201
+ },
202
+ {
203
+ "id": "V-19147",
204
+ "title": "Provide teleworkers training on best practices for operating a secure network.\n\n",
205
+ "description": "Changing the default passwords on the devices helps protect against attackers using these LANs to gain access to the device. List of manufacturer default passwords are widely available on the Internet.",
206
+ "severity": "low"
207
+ },
208
+ {
209
+ "id": "V-19148",
210
+ "title": "When connected to a non-DoD owned network, remote users are trained to either disable the wireless radio or disconnect the network cable when communication is no longer needed or the VPN is disconnected. ",
211
+ "description": "Endpoints that are directly connected to public networks are vulnerable to various forms of attack the longer they remain connected. A properly configured VPN adds defense in depth protection.\n\nNOTE: Users who are trained and provide documentation (screen-prints) showing compliance with the telework isolation policy are compliant with the requirement. ",
212
+ "severity": "low"
213
+ },
214
+ {
215
+ "id": "V-19149",
216
+ "title": "When connected via the public Internet, users will be trained to immediately establish a connection to the DoD network via the VPN client. ",
217
+ "description": "The DoD architechure is extensive and is designed to protect the enclave and it's endpoints. When a remote user accesses the internet directly, this infrastucture is not leveraged. All connections for Government official business to the Internet via the hotel wireless network will be through the DoD VPN connection only. This requirement should be automatically enforced by an enforcement agent or other technical means on the endpoint.",
218
+ "severity": "medium"
219
+ },
220
+ {
221
+ "id": "V-19150",
222
+ "title": "Remote/telework endpoints not capable (e.g., lacks enough memory or resources) of meeting the compliance requirements for anti-virus, firewall, and web browser configuration will not be permitted access to the DoD network.",
223
+ "description": "If the client is incapable of employing critical security protections then allowing access to that devices could expose the network to potentially significant risk.",
224
+ "severity": "medium"
225
+ },
226
+ {
227
+ "id": "V-19151",
228
+ "title": "Ensure an NSA certified remote access security solution (e.g., HARA) is used for remote access to a classified network and will only be used from an approved location.\n",
229
+ "description": "Use of improperly configured or lower assurance equipment and solutions could compromise high value information.",
230
+ "severity": "high"
231
+ },
232
+ {
233
+ "id": "V-19152",
234
+ "title": "Endpoints accessing the classified network will be Government owned/leased equipment and protected to the classification level of the data that the device is able to access.",
235
+ "description": "Equipment owned or controlled by non-DoD entities may contain malware or other vulnerabilities which may present a danger to the network.",
236
+ "severity": "medium"
237
+ },
238
+ {
239
+ "id": "V-19381",
240
+ "title": "Ensure that prior to purchasing a TLS VPN, the system has the capability to require RSA key establishment. ",
241
+ "description": "NOTE: TLS 1.0 and later uses the ephemeral Diffie-Hellman key establishment method, but this does not meet the requirements of NIST SP 800-56A. NIST has granted a waiver from this requirement for systems using SSL until the end of 2010 and this may be extended indefinitely. However, the current requirement for SSL key establishment now and beyond 2010 is the RSA method.",
242
+ "severity": "low"
243
+ },
244
+ {
245
+ "id": "V-19382",
246
+ "title": "Ensure that devices to be used in FIPS-compliant applications will use FIPS-compliant functions and procedures. ",
247
+ "description": "It is not enough to enable FIPS encryption. To gain the full security implied by the FIPS standard, the functions and procedures required by the FIPS 140-2 documents must also be implemented.",
248
+ "severity": "low"
249
+ },
250
+ {
251
+ "id": "V-19383",
252
+ "title": "Ensure that when TLS VPN is used, endpoints that fail “required” critical endpoint security checks will receive either no access or only limited access. ",
253
+ "description": "Remote endpoint devices requesting TLS portal access will either be disconnected or given limited access as designated by the DAA and system owner if the device fails the authentication or security assessment. ",
254
+ "severity": "low"
255
+ },
256
+ {
257
+ "id": "V-19830",
258
+ "title": "Ensure the classified or sensitive information is transmitted over approved communications systems or non-DoD systems, and an NSA Type 1 certified remote access security solution is in place for remote access to a classified network and is only used from an approved location.",
259
+ "description": "Failure to use approved communications equipment and security measure can lead to unauthorized disclosure, loss, or compromise of classified information.\n",
260
+ "severity": "high"
261
+ },
262
+ {
263
+ "id": "V-19831",
264
+ "title": "Ensure the required accreditation documentation (e.g. DIP) is kept updated. ",
265
+ "description": "The most critical part of a remote access solution is to create a centralized point of access and authentication close to the network edge. This device manages access to network resources on the internal LAN. DoD requires that all information technology devices attached to the network be documented in the DIP.",
266
+ "severity": "low"
267
+ },
268
+ {
269
+ "id": "V-19832",
270
+ "title": "Ensure the traffic for remote access network devices (e.g., RAS, NAC, VPN) is inspected by the network firewall and IDS/IPS using an approved architecture.",
271
+ "description": "The incorrect placement of the external NIDS may allow unauthorized access to go undetected and limit the ability of security personnel to stop malicious or unauthorized use of the network. Use of the existing network inspection architecture will ensure remote communications are subject to the same rigorous standards as other network traffic and lower the risk of misconfiguration presented by multiple traffic inspection systems.",
272
+ "severity": "medium"
273
+ },
274
+ {
275
+ "id": "V-19833",
276
+ "title": "Ensure the remote access server (RAS) is located in a dual homed screened subnet.",
277
+ "description": "Without a screened subnet architecture traffic that would be normally destined for the DMZ would have to be redirected to the site's internal network. This would allow for a greater opportunity for hackers to exploit.\n\nNOTE: This check does not apply to the remote access VPN gateway. If an integrated RAS/VPN gateway is used where dial-up services are provided, then this check also applies. The DMZ architecture and placement will comply with the requirements of the applicable Network Infrastructure STIG.",
278
+ "severity": "medium"
279
+ },
280
+ {
281
+ "id": "V-19834",
282
+ "title": "Ensure remote access for privileged tasks such as network devices, host, or application administration is compliant.",
283
+ "description": "If remote access is used to connect to a network or host for privileged access, stringent security controls will be implemented. AAA network security services provide the primary framework through which a network administrator can set up access control and authorization on network points of entry or network access servers It is not advisable to configure access control on the VPN gateway or remote access server. Separation of services provides added assurance to the network if the access control server is compromised.",
284
+ "severity": "high"
285
+ },
286
+ {
287
+ "id": "V-21799",
288
+ "title": "Do not process, store, or transmit DoD information on public computers (e.g., those available for use by the general public in kiosks or hotel business centers) or computers that do not have access controls.",
289
+ "description": "There may be hardware or keyboard capture software which could monitor computer usage and keystrokes. Also, these computers may contain virus' and other malicious code which may infect DoD systems being accessed. This policy is in accordance with Directive-Type Memorandum (DTM) 08-027, 31 July 2009, Security of Unclassified DoD Information on Non-DoD Information Systems. ",
290
+ "severity": "medium"
291
+ },
292
+ {
293
+ "id": "V-21800",
294
+ "title": "Where non-DoD information systems are used for processing unclassified emails for the teleworker whose normal duty location in the mobile or telework location (s), the user will have the ability to send and receive digitally encrypted and signed email.",
295
+ "description": "DoD Instruction 8510.01, “DoD Information Assurance Certification and Accreditation Process (DIACAP). Users need this capability to read and send digitally signed email and to ensure non-repudiation.",
296
+ "severity": "low"
297
+ },
298
+ {
299
+ "id": "V-25034",
300
+ "title": "Users must receive training on required topics before they are authorized to access a DoD network via a wireless remote access device.",
301
+ "description": "Improper use of wireless remote access to a DoD network can compromise both the wireless client and the network, as well as, expose DoD data to unauthorized people. Without adequate training remote access users are more likely to engage in behaviors that make DoD networks and information more vulnerable to security exploits.",
302
+ "severity": "low"
303
+ },
304
+ {
305
+ "id": "V-25035",
306
+ "title": "The site must have a Wireless Remote Access Policy signed by the site AO, Commander, Director, or other appropriate authority.",
307
+ "description": "Wireless clients, DoD data, and the DoD network could be compromised if operational policies for the use of wireless remote access are not documented by the site.",
308
+ "severity": "low"
309
+ },
310
+ {
311
+ "id": "V-25036",
312
+ "title": "The site physical security policy must include a statement if CMDs with digital cameras (still and video) are permitted or prohibited on or in the DoD facility.",
313
+ "description": "Wireless client, networks, and data could be compromised if unapproved wireless remote access is used. In most cases, unapproved devices are not managed and configured as required by the appropriate STIG and the site’s overall network security controls are not configured to provide adequate security for unapproved devices. When listed in the SSP, the site has shown that security controls have been designed to account for the wireless devices.",
314
+ "severity": "low"
315
+ }
316
+ ]
317
+ }
@@ -0,0 +1,143 @@
1
+ {
2
+ "name": "stig_removable_storage_and_external_connection_technologies",
3
+ "date": "2011-01-18",
4
+ "description": "None",
5
+ "title": "Removable Storage and External Connection Technologies STIG",
6
+ "version": "None",
7
+ "item_syntax": "^\\w-\\d+$",
8
+ "section_separator": null,
9
+ "items": [
10
+ {
11
+ "id": "V-22110",
12
+ "title": "Require approval prior to allowing use of portable storage devices.",
13
+ "description": "Use of unapproved devices to process non-publicly releasable data increases the risk to the network. Devices attached to or inserted into the end point's plug-and-play ports and slots can be a vector for the insertion of malware when used to access the network. Storage devices are portable and can be easily concealed. Devices with volatile memory (erased when not connected) may contain internal batteries that also pose a threat to attached systems. Requiring approval prior to use of these devices heightens awareness of the threat, limits the potential use of contaminated devices, and allows for proper tracking and control. Designated Approval Authority (DAA) approval of flash memory devices is required by the United States Cyber Command (USCYBERCOM) Communications Task Order (CTO) 10-004A Removable Flash Media Device Implementation within and between Department of Defense (DoD) Networks (U/FOUO) (or latest version of this CTO). ",
14
+ "severity": "high"
15
+ },
16
+ {
17
+ "id": "V-22111",
18
+ "title": "Access to mobile and removable storage devices such as USB thumb drives and external hard disk drives will be protected by password, PIN, or passphrase.",
19
+ "description": "If USB media and devices are not protected by strong access control techniques, unauthorized access may put sensitive data at risk. Data-at-rest encryption products will be configured to require a user-chosen PIN prior to unencrypting the drive. Users must choose a strong PIN. Implementation of access control on persistent memory devices helps to ensure that sensitive information is accessed only by authorized and authenticated individuals.",
20
+ "severity": "high"
21
+ },
22
+ {
23
+ "id": "V-22112",
24
+ "title": "For all USB flash media (thumb drives) and external hard disk drives, use an approved method to wipe the device before using for the first-time. ",
25
+ "description": "Removable media often arrives from the vendor with many files already stored on the drive. These files may contain malware or spyware which present a risk to DoD resources. ",
26
+ "severity": "medium"
27
+ },
28
+ {
29
+ "id": "V-22113",
30
+ "title": "Encrypt sensitive but unclassified data when stored on a USB flash drive and external hard disk drive. ",
31
+ "description": "If information deemed sensitive (non-publicly releasable) by the data-owner is not encrypted when stored on removable storage media, this can lead to the compromise of unclassified sensitive data. These devices are portable and are often lost or stolen which makes the data more vulnerable than other storage devices. ",
32
+ "severity": "medium"
33
+ },
34
+ {
35
+ "id": "V-22114",
36
+ "title": "Train all users on the secure use of removable media and storage devices, acceptable use policy, and approval process through use of user's guide, user's agreement, or training program. ",
37
+ "description": "Written user guidance gives the users a place to learn about updated guidance on user responsibilities for safeguarding DoD information assets. Most security breaches occur when users violate security policy because they lack training. ",
38
+ "severity": "low"
39
+ },
40
+ {
41
+ "id": "V-22115",
42
+ "title": "Set boot order of computers approved for use with removable storage such that the Basic Input Output System (BIOS) does not allow default booting from devices attached to a USB, firewire, or eSATA port.",
43
+ "description": "If the BIOS is left set to allow the end point to boot from a device attached to the USB, firewire, or eSATA port, an attacker could use a USB device to force a reboot by either performing a hardware reset or cycling the power. This can lead to a denial of service attack or the compromise of sensitive data on the system and the network to which it is connected.",
44
+ "severity": "high"
45
+ },
46
+ {
47
+ "id": "V-22169",
48
+ "title": "For Wireless USB (WUSB) devices, comply with the Wireless STIG peripheral devices policy. \n",
49
+ "description": "The use of unauthorized wireless devices can compromise DoD computers, networks, and data. The receiver for a wireless end point provides a wireless port on the computer that could be attacked by a hacker. Wireless transmissions can be intercepted by a hacker and easily viewed if required security is not used.",
50
+ "severity": "medium"
51
+ },
52
+ {
53
+ "id": "V-22172",
54
+ "title": "Maintain a list of approved removable storage media or devices.",
55
+ "description": "Many persistent memory media or devices are portable, easily stolen, and contain sensitive data. If these devices are lost or stolen, it may take a while to discover that sensitive information has been lost. Inventory and bar-coding of authorized devices will increase the organization’s ability to uncover unauthorized portable storage devices.",
56
+ "severity": "low"
57
+ },
58
+ {
59
+ "id": "V-22173",
60
+ "title": "Permit only government-procured and -owned devices.",
61
+ "description": "Persistent memory devices (e.g., thumb drives, memory cards, external hard drives, or other removable storage devices) may contain malware installed on the drive or within the firmware. Personally- or contractor-owned devices may not be compliant with rigorous standards for encryption, anti-virus, and data wiping that is required for the use of removable storage devices in DoD. Therefore, use of personal devices in PCs attached to the network may put the network at risk. ",
62
+ "severity": "high"
63
+ },
64
+ {
65
+ "id": "V-22174",
66
+ "title": "Firmware on the USB flash drive and external hard drive will be signed and verified with either Hashed Message Authentication Code (HMAC) or digital signatures. ",
67
+ "description": "Several security incidents have occurred when the firmware on devices contained malware. For devices used to store or transfer sensitive information, if the firmware is signed, then this provides added assurance that the firmware has not been compromised.",
68
+ "severity": "low"
69
+ },
70
+ {
71
+ "id": "V-22175",
72
+ "title": "Data transfers using USB flash media (thumb drives) will comply with the requirements in the CTO 10-004(A or most recent version) and these procedures will be documented.",
73
+ "description": "USB flash media may have malware installed on the drive which may adversely impact the DoD network. Even the use of approved devices does not eliminate this risk. Use of sound security practices and procedures will further mitigate this risk when using flash media.",
74
+ "severity": "medium"
75
+ },
76
+ {
77
+ "id": "V-22176",
78
+ "title": "Install and configure Host-Based Security System (HBSS) with Device Control Module (DCM) on all Windows host computers that will use USB flash media (thumb drives). ",
79
+ "description": "Because of the innate security risks involved with using a USB flash media, an access control and authorization method is needed. DCM software provides granular end point access control and management of removable media. Currently, DCM only supports the Windows operating system (OS).",
80
+ "severity": "medium"
81
+ },
82
+ {
83
+ "id": "V-22177",
84
+ "title": "For end points using Windows operating systems, USB flash media will be restricted by a specific device or by a unique identifier (e.g., serial number) to specific users and machines.",
85
+ "description": "Because of the innate security risks involved with using USB flash media, users must follow required access procedures. Restricting specific devices to each user allows for non-repudiation and audit tracking.",
86
+ "severity": "medium"
87
+ },
88
+ {
89
+ "id": "V-23894",
90
+ "title": "Maintain a list of all personnel that have been authorized to use flash media.",
91
+ "description": "Many USB flash media devices are portable, easily stolen, and may be used to temporarily store sensitive information. If these devices are lost or stolen, it will assist the investigation if personnel who use these devices are readily identified with contact information.",
92
+ "severity": "low"
93
+ },
94
+ {
95
+ "id": "V-23895",
96
+ "title": "Maintain a list of all end point systems that have been authorized for use with flash media.",
97
+ "description": "Many USB persistent memory devices are portable and easily overlooked. They may be used as a vector for exfiltrating data. To help mitigate this risk, end points must be designated as properly authorized and configured for use with USB flash drives within the DoD. ",
98
+ "severity": "low"
99
+ },
100
+ {
101
+ "id": "V-23896",
102
+ "title": "DoD components will purchase removable storage media and Data at Rest (DAR) products from the DoD Enterprise Software Initiative (ESI) blanket purchase agreements program.",
103
+ "description": "The DoD Policy Memorandum \"Encryption of Sensitive Unclassified Data at Rest on Mobile Computing Devices and Removable Storage Media\" requires that remote and mobile\ndrives be encrypted using FIPS 140-2 modules. With a few exceptions, products must be\nprocured from the DAR contract. DoD components must purchase DAR encryption products to\nprotect DoD DAR on mobile computing devices and removable storage media through the ESI or\nGSA SmartBuy BPAs. Exceptions would be if those encryption products were FIPS 140-2\ncompliant and included as an integral part of other products, such as Vista BitLocker, or if the\ncryptographic modules are approved by NSA (with formal NSA Approval Letter).",
104
+ "severity": "low"
105
+ },
106
+ {
107
+ "id": "V-23919",
108
+ "title": "The host system will perform on-access anti-virus and malware checking, regardless of whether the external storage or flash drive has software or hardware malware features.\n",
109
+ "description": "Like the traditional hard drive, removable storage devices and media may contain malware which may threaten DoD systems to which they eventually directly or indirectly attach. To mitigate this risk, DoD policy requires anti-virus and malware detection solutions.",
110
+ "severity": "medium"
111
+ },
112
+ {
113
+ "id": "V-23920",
114
+ "title": "For higher risk data transfers using thumb drives, use the File Sanitization Tool (FiST) with Magik Eraser (ME) to protect against malware and data compromise.",
115
+ "description": "These NSA-approved tools are built upon the Assured File Transfer guard, which is an approved Unified Cross Domain Management Office (UCDMO) file transfer Cross Domain Solution. Use of these tools with the procedures listed in the Check section is the only authorized method for using flash media for higher risk data transfers.",
116
+ "severity": "medium"
117
+ },
118
+ {
119
+ "id": "V-23921",
120
+ "title": "Removable storage devices for which the organization has failed to maintain physical control will be scanned for malicious activity upon reclamation.",
121
+ "description": "Failure to maintain proper control of storage devices used in sensitive systems may mean that the firmware or other files could have been compromised. Action is needed to scan for malicious code. Although, the data on the device is most likely protected by encryption and authentication controls, it is still possible that a sophisticated attacker may have compromised the device. The risk to the system and the network increases if the device is used on a server or by a user with administrator privileges.",
122
+ "severity": "medium"
123
+ },
124
+ {
125
+ "id": "V-23950",
126
+ "title": "Organizations that do not have a properly configured HBSS with DCM configuration will not use flash media.",
127
+ "description": "Because of the innate security risks involved with using flash media, an access control and authorization method is needed. DCM software provides granular end point access control and management of removable media. Currently, DCM only supports the Windows operating system.",
128
+ "severity": "medium"
129
+ },
130
+ {
131
+ "id": "V-24176",
132
+ "title": "Configure the cryptographic module on a USB thumb drive or external hard drive using a NIST-approved encryption algorithm to encrypt sensitive or restricted data-at-rest.",
133
+ "description": "The DoD DAR policy requires encryption for portable and mobile storage. However, even when a FIPS140-2 validated cryptographic module is used, the implementation must be configured to use a NIST-approved algorithm. Advanced Encryption Standard (AES) is the most commonly available FIPS-approved algorithm and is required for use with USB thumb drives by CTO 10-004 (latest version). The encryption algorithm must also be configured. Without this granular configuration, full protection of data encryption is not achieved and the data may be accessible if the drive is lost or stolen.",
134
+ "severity": "low"
135
+ },
136
+ {
137
+ "id": "V-24177",
138
+ "title": "Use a National Security Agency (NSA)-approved, Type 1 certified data encryption and hardware solution when storing classified information on USB flash media and other removable storage devices.",
139
+ "description": "The exploitation of this vulnerability will directly and immediately result in loss of, unauthorized disclosure of, or access to classified data or materials. An NSA-approved, Type 1 solution includes the hardware, software, and proof of coordination/approval with NSA for the level of classified processed by the external storage solution.\n",
140
+ "severity": "high"
141
+ }
142
+ ]
143
+ }
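Review bot: The header of this new standard file encodes missing values two different ways: `"description": "None"` and `"version": "None"` are the literal string "None", while `"section_separator": null` a few lines later uses a real JSON null. A consumer that tests for an absent version or description (e.g. to fall back or to flag an unversioned standard) will see a populated value here and treat "None" as the actual version, which is misleading for a compliance dataset; the string form presumably comes from the generator stringifying a missing value, though that is not visible in this hunk. I would change the two lines to `"description": null,` and `"version": null,` so that all three optional fields follow the same convention, or alternatively document in the schema that the sentinel string "None" is expected so that readers can check for it explicitly.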