kriterion 0.0.1

Files changed (564)
  1. checksums.yaml +7 -0
  2. data/.gitignore +2 -0
  3. data/.ruby-version +1 -0
  4. data/.travis.yml +5 -0
  5. data/Dockerfile +18 -0
  6. data/Gemfile +12 -0
  7. data/Gemfile.lock +62 -0
  8. data/LICENSE.txt +21 -0
  9. data/README.md +58 -0
  10. data/Rakefile +6 -0
  11. data/bin/setup +8 -0
  12. data/bin/update_stigs.rb +42 -0
  13. data/criterion.gemspec +31 -0
  14. data/docker-compose.yml +14 -0
  15. data/exe/kriterion +16 -0
  16. data/lib/kriterion.rb +16 -0
  17. data/lib/kriterion/api.rb +27 -0
  18. data/lib/kriterion/backend.rb +13 -0
  19. data/lib/kriterion/backend/mongodb.rb +235 -0
  20. data/lib/kriterion/cli.rb +28 -0
  21. data/lib/kriterion/cli/api.rb +35 -0
  22. data/lib/kriterion/cli/worker.rb +35 -0
  23. data/lib/kriterion/event.rb +36 -0
  24. data/lib/kriterion/item.rb +42 -0
  25. data/lib/kriterion/logs.rb +14 -0
  26. data/lib/kriterion/metrics.rb +22 -0
  27. data/lib/kriterion/object.rb +50 -0
  28. data/lib/kriterion/report.rb +69 -0
  29. data/lib/kriterion/resource.rb +60 -0
  30. data/lib/kriterion/section.rb +32 -0
  31. data/lib/kriterion/standard.rb +65 -0
  32. data/lib/kriterion/version.rb +3 -0
  33. data/lib/kriterion/worker.rb +280 -0
  34. data/standards/cis_red_hat_enterprise_linux_7.json +34 -0
  35. data/standards/stig_a10_networks_adc_alg.json +209 -0
  36. data/standards/stig_a10_networks_adc_ndm.json +233 -0
  37. data/standards/stig_active_directory_domain.json +257 -0
  38. data/standards/stig_active_directory_forest.json +41 -0
  39. data/standards/stig_active_directory_service_2003.json +173 -0
  40. data/standards/stig_active_directory_service_2008.json +167 -0
  41. data/standards/stig_adobe_acrobat_pro_xi.json +167 -0
  42. data/standards/stig_adobe_acrobat_reader_dc_classic_track.json +179 -0
  43. data/standards/stig_adobe_acrobat_reader_dc_continuous_track.json +179 -0
  44. data/standards/stig_adobe_coldfusion_11.json +611 -0
  45. data/standards/stig_airwatch_mdm.json +185 -0
  46. data/standards/stig_aix_5.3.json +3095 -0
  47. data/standards/stig_aix_6.1.json +3047 -0
  48. data/standards/stig_akamai_ksd_service_impact_level_2_alg.json +209 -0
  49. data/standards/stig_akamai_ksd_service_impact_level_2_ndm.json +155 -0
  50. data/standards/stig_android_2.2_dell.json +311 -0
  51. data/standards/stig_apache_2.2_serverwindows.json +347 -0
  52. data/standards/stig_apache_2.2_sitewindows_security_implementation_guide.json +179 -0
  53. data/standards/stig_apache_server_2.0unix.json +341 -0
  54. data/standards/stig_apache_server_2.0windows.json +341 -0
  55. data/standards/stig_apache_server_2.2unix.json +347 -0
  56. data/standards/stig_apache_server_2.2windows.json +347 -0
  57. data/standards/stig_apache_site_2.0unix.json +185 -0
  58. data/standards/stig_apache_site_2.0windows.json +179 -0
  59. data/standards/stig_apache_site_2.2unix.json +185 -0
  60. data/standards/stig_apache_site_2.2windows.json +179 -0
  61. data/standards/stig_apple_ios6.json +341 -0
  62. data/standards/stig_apple_ios_10.json +245 -0
  63. data/standards/stig_apple_ios_11.json +269 -0
  64. data/standards/stig_apple_ios_4_good_mobility_suite_interim_security_configuration_guide_iscg.json +257 -0
  65. data/standards/stig_apple_ios_5.json +329 -0
  66. data/standards/stig_apple_ios_6.json +335 -0
  67. data/standards/stig_apple_ios_6_interim_security_configuration_guide_iscg.json +371 -0
  68. data/standards/stig_apple_ios_7.json +185 -0
  69. data/standards/stig_apple_ios_8_interim_security_configuration_guide.json +251 -0
  70. data/standards/stig_apple_ios_9_interim_security_configuration_guide.json +245 -0
  71. data/standards/stig_apple_os_x_10.10_yosemite_workstation.json +851 -0
  72. data/standards/stig_apple_os_x_10.11.json +725 -0
  73. data/standards/stig_apple_os_x_10.12.json +737 -0
  74. data/standards/stig_apple_os_x_10.8_mountain_lion_workstation.json +1241 -0
  75. data/standards/stig_apple_os_x_10.9_mavericks_workstation.json +809 -0
  76. data/standards/stig_application_layer_gateway_alg_security_requirements_guide_srg.json +911 -0
  77. data/standards/stig_application_layer_gateway_security_requirements_guide.json +911 -0
  78. data/standards/stig_application_security_and_development.json +1745 -0
  79. data/standards/stig_application_security_and_development_checklist.json +959 -0
  80. data/standards/stig_application_security_requirements_guide.json +1961 -0
  81. data/standards/stig_application_server_security_requirements_guide.json +791 -0
  82. data/standards/stig_arcgisserver_10.3.json +143 -0
  83. data/standards/stig_arista_mls_dcs-7000_series_l2s.json +53 -0
  84. data/standards/stig_arista_mls_dcs-7000_series_ndm.json +197 -0
  85. data/standards/stig_arista_mls_dcs-7000_series_rtr.json +143 -0
  86. data/standards/stig_bind_9.x.json +431 -0
  87. data/standards/stig_bind_dns.json +317 -0
  88. data/standards/stig_blackberry_10.2.x_os.json +179 -0
  89. data/standards/stig_blackberry_10_os.json +227 -0
  90. data/standards/stig_blackberry_bes_12.3.x_mdm.json +65 -0
  91. data/standards/stig_blackberry_bes_12.5.x_mdm.json +65 -0
  92. data/standards/stig_blackberry_device_service_6.2.json +425 -0
  93. data/standards/stig_blackberry_enterprise_mobility_server_2.x.json +149 -0
  94. data/standards/stig_blackberry_enterprise_server,_part_1.json +35 -0
  95. data/standards/stig_blackberry_enterprise_server,_part_2.json +155 -0
  96. data/standards/stig_blackberry_enterprise_server,_part_3.json +647 -0
  97. data/standards/stig_blackberry_enterprise_server_version_5.x,_part_1.json +35 -0
  98. data/standards/stig_blackberry_enterprise_server_version_5.x,_part_2.json +155 -0
  99. data/standards/stig_blackberry_enterprise_server_version_5.x,_part_3.json +653 -0
  100. data/standards/stig_blackberry_enterprise_service_v10.1.x_blackberry_device_service.json +317 -0
  101. data/standards/stig_blackberry_enterprise_service_v10.2.x_blackberry_device_service.json +263 -0
  102. data/standards/stig_blackberry_handheld_device.json +125 -0
  103. data/standards/stig_blackberry_os_10.3.x.json +257 -0
  104. data/standards/stig_blackberry_os_7.x.json +107 -0
  105. data/standards/stig_blackberry_os_7.x.x.json +101 -0
  106. data/standards/stig_blackberry_os_version_5-7.json +107 -0
  107. data/standards/stig_blackberry_playbook.json +65 -0
  108. data/standards/stig_blackberry_playbook_os_nea_mode.json +65 -0
  109. data/standards/stig_blackberry_playbook_os_v2.1.json +197 -0
  110. data/standards/stig_blackberry_uem_12.7.json +59 -0
  111. data/standards/stig_bluetoothzigbee.json +35 -0
  112. data/standards/stig_ca_api_gateway_alg.json +497 -0
  113. data/standards/stig_cisco_css_dns.json +71 -0
  114. data/standards/stig_cisco_ios_xe_release_3_ndm.json +395 -0
  115. data/standards/stig_cisco_ios_xe_release_3_rtr.json +149 -0
  116. data/standards/stig_cmd_management_server_policy.json +53 -0
  117. data/standards/stig_commercial_mobile_device_cmd_policy.json +83 -0
  118. data/standards/stig_csfc_campus_wlan_policy_security_implementation_guide.json +95 -0
  119. data/standards/stig_database_security_requirements_guide.json +767 -0
  120. data/standards/stig_dbn-6300_idps.json +107 -0
  121. data/standards/stig_dbn-6300_ndm.json +359 -0
  122. data/standards/stig_defense_switched_network.json +683 -0
  123. data/standards/stig_defense_switched_network_dsn.json +653 -0
  124. data/standards/stig_desktop_applications_general.json +41 -0
  125. data/standards/stig_dns_policy.json +155 -0
  126. data/standards/stig_domain_name_system_dns_security_requirements_guide.json +599 -0
  127. data/standards/stig_draft_aix.json +3503 -0
  128. data/standards/stig_edb_postgres_advanced_server.json +665 -0
  129. data/standards/stig_email_services_policy.json +137 -0
  130. data/standards/stig_exchange_2010_client_access_server.json +179 -0
  131. data/standards/stig_exchange_2010_edge_transport_server.json +389 -0
  132. data/standards/stig_exchange_2010_hub_transport_server.json +269 -0
  133. data/standards/stig_exchange_2010_mailbox_server.json +209 -0
  134. data/standards/stig_f5_big-ip_access_policy_manager_11.x.json +149 -0
  135. data/standards/stig_f5_big-ip_advanced_firewall_manager_11.x.json +41 -0
  136. data/standards/stig_f5_big-ip_application_security_manager_11.x.json +89 -0
  137. data/standards/stig_f5_big-ip_device_management_11.x.json +467 -0
  138. data/standards/stig_f5_big-ip_local_traffic_manager_11.x.json +407 -0
  139. data/standards/stig_final_draft_general_wireless_policy.json +71 -0
  140. data/standards/stig_firewall.json +449 -0
  141. data/standards/stig_firewall_-_cisco.json +449 -0
  142. data/standards/stig_firewall_security_requirements_guide.json +257 -0
  143. data/standards/stig_forescout_counteract_alg.json +83 -0
  144. data/standards/stig_forescout_counteract_ndm.json +239 -0
  145. data/standards/stig_free_space_optics_device.json +143 -0
  146. data/standards/stig_general_mobile_device_policy_non-enterprise_activated.json +113 -0
  147. data/standards/stig_general_mobile_device_technical_non-enterprise_activated.json +59 -0
  148. data/standards/stig_general_purpose_operating_system_srg.json +1199 -0
  149. data/standards/stig_general_wireless_policy.json +71 -0
  150. data/standards/stig_good_mobility_suite_server_android_os.json +203 -0
  151. data/standards/stig_good_mobility_suite_server_apple_ios_4_interim_security_configuration_guide_iscg.json +209 -0
  152. data/standards/stig_good_mobility_suite_server_windows_phone_6.5.json +449 -0
  153. data/standards/stig_goodenterprise_8.x.json +401 -0
  154. data/standards/stig_google_chrome_browser.json +209 -0
  155. data/standards/stig_google_chrome_current_windows.json +215 -0
  156. data/standards/stig_google_chrome_draft.json +281 -0
  157. data/standards/stig_google_chrome_v23_windows.json +275 -0
  158. data/standards/stig_google_chrome_v24_windows.json +263 -0
  159. data/standards/stig_google_chrome_v24_windows_benchmark.json +227 -0
  160. data/standards/stig_google_search_appliance.json +209 -0
  161. data/standards/stig_harris_secnet_11_54.json +89 -0
  162. data/standards/stig_hp-ux_11.23.json +3215 -0
  163. data/standards/stig_hp-ux_11.31.json +3155 -0
  164. data/standards/stig_hp-ux_smse.json +431 -0
  165. data/standards/stig_hpe_3par_storeserv_3.2.x.json +131 -0
  166. data/standards/stig_ibm_datapower_alg.json +401 -0
  167. data/standards/stig_ibm_datapower_network_device_management.json +395 -0
  168. data/standards/stig_ibm_db2_v10.5_luw.json +575 -0
  169. data/standards/stig_ibm_hardware_management_console_hmc.json +221 -0
  170. data/standards/stig_ibm_hardware_management_console_hmc_policies.json +35 -0
  171. data/standards/stig_ibm_maas360_v2.3.x_mdm.json +59 -0
  172. data/standards/stig_ibm_zvm_using_ca_vm:secure.json +473 -0
  173. data/standards/stig_idps_security_requirements_guide_srg.json +1865 -0
  174. data/standards/stig_idsips.json +257 -0
  175. data/standards/stig_iis6_server.json +221 -0
  176. data/standards/stig_iis6_site.json +263 -0
  177. data/standards/stig_iis_7.0_web_server.json +155 -0
  178. data/standards/stig_iis_7.0_web_site.json +299 -0
  179. data/standards/stig_iis_8.5_server.json +293 -0
  180. data/standards/stig_iis_8.5_site.json +347 -0
  181. data/standards/stig_infoblox_7.x_dns.json +419 -0
  182. data/standards/stig_infrastructure_l3_switch.json +599 -0
  183. data/standards/stig_infrastructure_l3_switch_-_cisco.json +659 -0
  184. data/standards/stig_infrastructure_l3_switch_secure_technical_implementation_guide_-_cisco.json +659 -0
  185. data/standards/stig_infrastructure_router.json +479 -0
  186. data/standards/stig_infrastructure_router_-_cisco.json +539 -0
  187. data/standards/stig_infrastructure_router_-_juniper.json +485 -0
  188. data/standards/stig_infrastructure_router__cisco.json +539 -0
  189. data/standards/stig_infrastructure_router__juniper.json +485 -0
  190. data/standards/stig_internet_explorer_8.json +821 -0
  191. data/standards/stig_internet_explorer_9.json +815 -0
  192. data/standards/stig_intrusion_detection_and_prevention_systems_idps_security_requirements_guide.json +371 -0
  193. data/standards/stig_ipsec_vpn_gateway.json +521 -0
  194. data/standards/stig_java_runtime_environment_jre_6_unix.json +65 -0
  195. data/standards/stig_java_runtime_environment_jre_6_win7.json +65 -0
  196. data/standards/stig_java_runtime_environment_jre_6_windows_xp.json +77 -0
  197. data/standards/stig_java_runtime_environment_jre_6_winxp.json +65 -0
  198. data/standards/stig_java_runtime_environment_jre_7_unix.json +65 -0
  199. data/standards/stig_java_runtime_environment_jre_7_win7.json +65 -0
  200. data/standards/stig_java_runtime_environment_jre_7_winxp.json +65 -0
  201. data/standards/stig_java_runtime_environment_jre_version_6_unix.json +77 -0
  202. data/standards/stig_java_runtime_environment_jre_version_6_windows_7.json +77 -0
  203. data/standards/stig_java_runtime_environment_jre_version_6_windows_xp.json +65 -0
  204. data/standards/stig_java_runtime_environment_jre_version_7_unix.json +77 -0
  205. data/standards/stig_java_runtime_environment_jre_version_7_windows_7.json +77 -0
  206. data/standards/stig_java_runtime_environment_jre_version_7_winxp.json +77 -0
  207. data/standards/stig_java_runtime_environment_jre_version_8_unix.json +107 -0
  208. data/standards/stig_java_runtime_environment_jre_version_8_windows.json +107 -0
  209. data/standards/stig_jboss_eap_6.3.json +413 -0
  210. data/standards/stig_juniper_srx_sg_alg.json +155 -0
  211. data/standards/stig_juniper_srx_sg_idps.json +179 -0
  212. data/standards/stig_juniper_srx_sg_ndm.json +443 -0
  213. data/standards/stig_juniper_srx_sg_vpn.json +185 -0
  214. data/standards/stig_keyboard_video_and_mouse_switch.json +269 -0
  215. data/standards/stig_l3_kov-26_talon_wireless_role.json +77 -0
  216. data/standards/stig_layer_2_switch.json +347 -0
  217. data/standards/stig_layer_2_switch_-_cisco.json +365 -0
  218. data/standards/stig_lg_android_5.x_interim_security_configuration_guide.json +245 -0
  219. data/standards/stig_lg_android_6.x.json +281 -0
  220. data/standards/stig_mac_osx_10.6_workstation.json +1319 -0
  221. data/standards/stig_mac_osx_10.6_workstation_draft.json +1319 -0
  222. data/standards/stig_mainframe_product_security_requirements_guide.json +1115 -0
  223. data/standards/stig_mcafee_application_control_7.x.json +203 -0
  224. data/standards/stig_mcafee_move_2.63.6.1_multi-platform_client.json +149 -0
  225. data/standards/stig_mcafee_move_2.63.6.1_multi-platform_oss.json +101 -0
  226. data/standards/stig_mcafee_move_2.6_multi-platform_client.json +149 -0
  227. data/standards/stig_mcafee_move_2.6_multi-platform_oss.json +101 -0
  228. data/standards/stig_mcafee_move_3.6.1_multi-platform_client.json +149 -0
  229. data/standards/stig_mcafee_move_3.6.1_multi-platform_oss.json +101 -0
  230. data/standards/stig_mcafee_move_agentless_3.03.6.1_security_virtual_appliance.json +167 -0
  231. data/standards/stig_mcafee_move_agentless_3.0_security_virtual_appliance.json +167 -0
  232. data/standards/stig_mcafee_move_agentless_3.0_vsel_1.9sva.json +203 -0
  233. data/standards/stig_mcafee_move_agentless_3.6.1_security_virtual_appliance.json +167 -0
  234. data/standards/stig_mcafee_move_av_agentless_4.5.json +155 -0
  235. data/standards/stig_mcafee_move_av_multi-platform_4.5.json +215 -0
  236. data/standards/stig_mcafee_virusscan_8.8_local_client.json +533 -0
  237. data/standards/stig_mcafee_virusscan_8.8_managed_client.json +533 -0
  238. data/standards/stig_mcafee_vsel_1.92.0_local_client.json +245 -0
  239. data/standards/stig_mcafee_vsel_1.92.0_managed_client.json +239 -0
  240. data/standards/stig_mdm_server_policy.json +47 -0
  241. data/standards/stig_microsoft_access_2003.json +47 -0
  242. data/standards/stig_microsoft_access_2007.json +77 -0
  243. data/standards/stig_microsoft_access_2010.json +119 -0
  244. data/standards/stig_microsoft_access_2013.json +113 -0
  245. data/standards/stig_microsoft_access_2016.json +107 -0
  246. data/standards/stig_microsoft_dot_net_framework_4.0.json +101 -0
  247. data/standards/stig_microsoft_excel_2003.json +47 -0
  248. data/standards/stig_microsoft_excel_2007.json +155 -0
  249. data/standards/stig_microsoft_excel_2010.json +287 -0
  250. data/standards/stig_microsoft_excel_2013.json +293 -0
  251. data/standards/stig_microsoft_excel_2016.json +257 -0
  252. data/standards/stig_microsoft_exchange_2010_client_access_server_role.json +71 -0
  253. data/standards/stig_microsoft_exchange_2010_core_server.json +47 -0
  254. data/standards/stig_microsoft_exchange_2010_edge_transport_server_role.json +233 -0
  255. data/standards/stig_microsoft_exchange_2010_hub_transport_server_role.json +125 -0
  256. data/standards/stig_microsoft_exchange_2010_mailbox_server_role.json +107 -0
  257. data/standards/stig_microsoft_exchange_server_2003.json +647 -0
  258. data/standards/stig_microsoft_groove_2013.json +71 -0
  259. data/standards/stig_microsoft_ie_version_6.json +599 -0
  260. data/standards/stig_microsoft_ie_version_7.json +749 -0
  261. data/standards/stig_microsoft_infopath_2003.json +41 -0
  262. data/standards/stig_microsoft_infopath_2007.json +167 -0
  263. data/standards/stig_microsoft_infopath_2010.json +155 -0
  264. data/standards/stig_microsoft_infopath_2013.json +149 -0
  265. data/standards/stig_microsoft_internet_explorer_10.json +857 -0
  266. data/standards/stig_microsoft_internet_explorer_11.json +839 -0
  267. data/standards/stig_microsoft_internet_explorer_9.json +821 -0
  268. data/standards/stig_microsoft_lync_2013.json +29 -0
  269. data/standards/stig_microsoft_office_system_2007.json +221 -0
  270. data/standards/stig_microsoft_office_system_2010.json +233 -0
  271. data/standards/stig_microsoft_office_system_2013.json +293 -0
  272. data/standards/stig_microsoft_office_system_2016.json +131 -0
  273. data/standards/stig_microsoft_onedrivebusiness_2016.json +89 -0
  274. data/standards/stig_microsoft_onenote_2010.json +77 -0
  275. data/standards/stig_microsoft_onenote_2013.json +71 -0
  276. data/standards/stig_microsoft_onenote_2016.json +71 -0
  277. data/standards/stig_microsoft_outlook_2003.json +65 -0
  278. data/standards/stig_microsoft_outlook_2007.json +479 -0
  279. data/standards/stig_microsoft_outlook_2010.json +515 -0
  280. data/standards/stig_microsoft_outlook_2013.json +497 -0
  281. data/standards/stig_microsoft_outlook_2016.json +359 -0
  282. data/standards/stig_microsoft_powerpoint_2003.json +47 -0
  283. data/standards/stig_microsoft_powerpoint_2007.json +131 -0
  284. data/standards/stig_microsoft_powerpoint_2010.json +191 -0
  285. data/standards/stig_microsoft_powerpoint_2013.json +251 -0
  286. data/standards/stig_microsoft_powerpoint_2016.json +233 -0
  287. data/standards/stig_microsoft_project_2010.json +83 -0
  288. data/standards/stig_microsoft_project_2013.json +95 -0
  289. data/standards/stig_microsoft_project_2016.json +95 -0
  290. data/standards/stig_microsoft_publisher_2010.json +107 -0
  291. data/standards/stig_microsoft_publisher_2013.json +101 -0
  292. data/standards/stig_microsoft_publisher_2016.json +101 -0
  293. data/standards/stig_microsoft_sharepoint_designer_2013.json +71 -0
  294. data/standards/stig_microsoft_skypebusiness_2016.json +29 -0
  295. data/standards/stig_microsoft_sql_server_2005_database.json +167 -0
  296. data/standards/stig_microsoft_sql_server_2005_instance.json +1001 -0
  297. data/standards/stig_microsoft_sql_server_2012_database.json +179 -0
  298. data/standards/stig_microsoft_sql_server_2012_database_instance.json +929 -0
  299. data/standards/stig_microsoft_visio_2013.json +89 -0
  300. data/standards/stig_microsoft_visio_2016.json +89 -0
  301. data/standards/stig_microsoft_windows_10_mobile.json +215 -0
  302. data/standards/stig_microsoft_windows_2008_server_domain_name_system.json +269 -0
  303. data/standards/stig_microsoft_windows_2012_server_domain_name_system.json +551 -0
  304. data/standards/stig_microsoft_windows_phone_8.1.json +161 -0
  305. data/standards/stig_microsoft_windows_server_2012_domain_controller.json +2633 -0
  306. data/standards/stig_microsoft_windows_server_2012_member_server.json +2411 -0
  307. data/standards/stig_microsoft_word_2003.json +47 -0
  308. data/standards/stig_microsoft_word_2007.json +119 -0
  309. data/standards/stig_microsoft_word_2010.json +221 -0
  310. data/standards/stig_microsoft_word_2013.json +221 -0
  311. data/standards/stig_microsoft_word_2016.json +215 -0
  312. data/standards/stig_mobile_application_management_mam_server.json +95 -0
  313. data/standards/stig_mobile_application_security_requirements_guide.json +233 -0
  314. data/standards/stig_mobile_device_integrity_scanning_mdis_server.json +119 -0
  315. data/standards/stig_mobile_device_management_mdm_server.json +125 -0
  316. data/standards/stig_mobile_device_manager_security_requirements_guide.json +2555 -0
  317. data/standards/stig_mobile_email_management_mem_server.json +197 -0
  318. data/standards/stig_mobile_operating_system_security_requirements_guide.json +1943 -0
  319. data/standards/stig_mobile_policy.json +35 -0
  320. data/standards/stig_mobile_policy_security_requirements_guide.json +437 -0
  321. data/standards/stig_mobileiron_core_v9.x_mdm.json +89 -0
  322. data/standards/stig_mobility_policy.json +65 -0
  323. data/standards/stig_mozilla_firefox.json +161 -0
  324. data/standards/stig_ms_exchange_2013_client_access_server.json +209 -0
  325. data/standards/stig_ms_exchange_2013_edge_transport_server.json +443 -0
  326. data/standards/stig_ms_exchange_2013_mailbox_server.json +437 -0
  327. data/standards/stig_ms_sharepoint_2010.json +269 -0
  328. data/standards/stig_ms_sharepoint_2013.json +245 -0
  329. data/standards/stig_ms_sharepoint_designer_2013.json +71 -0
  330. data/standards/stig_ms_sql_server_2014_database.json +263 -0
  331. data/standards/stig_ms_sql_server_2014_instance.json +575 -0
  332. data/standards/stig_ms_sql_server_2016_database.json +185 -0
  333. data/standards/stig_ms_sql_server_2016_instance.json +731 -0
  334. data/standards/stig_ms_windows_defender_antivirus.json +257 -0
  335. data/standards/stig_multifunction_device_and_network_printers.json +131 -0
  336. data/standards/stig_network_device_management_security_requirements_guide.json +863 -0
  337. data/standards/stig_network_devices.json +389 -0
  338. data/standards/stig_network_infrastructure_policy.json +455 -0
  339. data/standards/stig_network_security_requirements_guide.json +1961 -0
  340. data/standards/stig_operating_system_security_requirements_guide.json +1961 -0
  341. data/standards/stig_oracle_10_database_installation.json +527 -0
  342. data/standards/stig_oracle_10_database_instance.json +569 -0
  343. data/standards/stig_oracle_11_database_installation.json +527 -0
  344. data/standards/stig_oracle_11_database_instance.json +551 -0
  345. data/standards/stig_oracle_database_10g_installation.json +527 -0
  346. data/standards/stig_oracle_database_10g_instance.json +581 -0
  347. data/standards/stig_oracle_database_11.2g.json +1229 -0
  348. data/standards/stig_oracle_database_11g_installation.json +527 -0
  349. data/standards/stig_oracle_database_11g_instance.json +575 -0
  350. data/standards/stig_oracle_database_12c.json +1217 -0
  351. data/standards/stig_oracle_http_server_12.1.3.json +1703 -0
  352. data/standards/stig_oracle_linux_5.json +3431 -0
  353. data/standards/stig_oracle_linux_6.json +1583 -0
  354. data/standards/stig_oracle_weblogic_server_12c.json +443 -0
  355. data/standards/stig_palo_alto_networks_alg.json +311 -0
  356. data/standards/stig_palo_alto_networks_idps.json +185 -0
  357. data/standards/stig_palo_alto_networks_ndm.json +251 -0
  358. data/standards/stig_pda.json +83 -0
  359. data/standards/stig_pdasmartphone.json +95 -0
  360. data/standards/stig_perimeter_l3_switch.json +923 -0
  361. data/standards/stig_perimeter_l3_switch_-_cisco.json +1001 -0
  362. data/standards/stig_perimeter_router.json +803 -0
  363. data/standards/stig_perimeter_router_cisco.json +881 -0
  364. data/standards/stig_perimeter_router_juniper.json +803 -0
  365. data/standards/stig_postgresql_9.x.json +677 -0
  366. data/standards/stig_red_hat_enterprise_linux_5.json +3437 -0
  367. data/standards/stig_red_hat_enterprise_linux_6.json +1565 -0
  368. data/standards/stig_red_hat_enterprise_linux_7.json +1451 -0
  369. data/standards/stig_remote_access_policy.json +317 -0
  370. data/standards/stig_removable_storage_and_external_connection_technologies.json +143 -0
  371. data/standards/stig_removable_storage_and_external_connections.json +137 -0
  372. data/standards/stig_rfid_scanner.json +35 -0
  373. data/standards/stig_rfid_workstation.json +23 -0
  374. data/standards/stig_riverbed_steelhead_cx_v8_alg.json +83 -0
  375. data/standards/stig_riverbed_steelhead_cx_v8_ndm.json +371 -0
  376. data/standards/stig_router_security_requirements_guide.json +575 -0
  377. data/standards/stig_samsung_android_os_5_with_knox_2.0.json +365 -0
  378. data/standards/stig_samsung_android_os_6_with_knox_2.x.json +377 -0
  379. data/standards/stig_samsung_android_os_7_with_knox_2.x.json +443 -0
  380. data/standards/stig_samsung_android_with_knox_1.x.json +293 -0
  381. data/standards/stig_samsung_android_with_knox_2.x.json +371 -0
  382. data/standards/stig_samsung_knox_android_1.0.json +167 -0
  383. data/standards/stig_sharepoint_2010.json +269 -0
  384. data/standards/stig_sharepoint_2013.json +245 -0
  385. data/standards/stig_smartphone_policy.json +131 -0
  386. data/standards/stig_solaris_10_sparc.json +3029 -0
  387. data/standards/stig_solaris_10_x86.json +3065 -0
  388. data/standards/stig_solaris_11_sparc.json +1427 -0
  389. data/standards/stig_solaris_11_x86.json +1421 -0
  390. data/standards/stig_solaris_9_sparc.json +2915 -0
  391. data/standards/stig_solaris_9_x86.json +2915 -0
  392. data/standards/stig_sun_ray_4.json +185 -0
  393. data/standards/stig_sun_ray_4_policy.json +77 -0
  394. data/standards/stig_suse_linux_enterprise_server_v11system_z.json +3311 -0
  395. data/standards/stig_symantec_endpoint_protection_12.1_local_client_antivirus.json +689 -0
  396. data/standards/stig_symantec_endpoint_protection_12.1_managed_client_antivirus.json +695 -0
  397. data/standards/stig_tanium_6.5.json +461 -0
  398. data/standards/stig_tanium_7.0.json +803 -0
  399. data/standards/stig_test_and_development_zone_a.json +167 -0
  400. data/standards/stig_test_and_development_zone_b.json +179 -0
  401. data/standards/stig_test_and_development_zone_c.json +143 -0
  402. data/standards/stig_test_and_development_zone_d.json +143 -0
  403. data/standards/stig_traditional_security.json +917 -0
  404. data/standards/stig_unix_srg.json +3287 -0
  405. data/standards/stig_video_services_policy.json +497 -0
  406. data/standards/stig_video_teleconference.json +47 -0
  407. data/standards/stig_video_teleconference_vtc.json +12 -0
  408. data/standards/stig_vmware_esx_3_policy.json +155 -0
  409. data/standards/stig_vmware_esx_3_server.json +3791 -0
  410. data/standards/stig_vmware_esx_3_virtual_center.json +257 -0
  411. data/standards/stig_vmware_esx_3_virtual_machine.json +53 -0
  412. data/standards/stig_vmware_esxi_server_5.0.json +809 -0
  413. data/standards/stig_vmware_esxi_v5.json +5177 -0
  414. data/standards/stig_vmware_esxi_version_5_virtual_machine.json +317 -0
  415. data/standards/stig_vmware_nsx_distributed_firewall.json +83 -0
  416. data/standards/stig_vmware_nsx_distributed_logical_router.json +35 -0
  417. data/standards/stig_vmware_nsx_manager.json +191 -0
  418. data/standards/stig_vmware_vcenter_server.json +179 -0
  419. data/standards/stig_vmware_vcenter_server_version_5.json +149 -0
  420. data/standards/stig_vmware_vsphere_esxi_6.0.json +659 -0
  421. data/standards/stig_vmware_vsphere_vcenter_server_version_6.json +311 -0
  422. data/standards/stig_vmware_vsphere_virtual_machine_version_6.json +269 -0
  423. data/standards/stig_voice_and_video_over_internet_protocol_vvoip_policy.json +407 -0
  424. data/standards/stig_voice_video_endpoint_security_requirements_guide.json +395 -0
  425. data/standards/stig_voice_video_services_policy.json +671 -0
  426. data/standards/stig_voice_video_session_management_security_requirements_guide.json +329 -0
  427. data/standards/stig_voicevideo_over_internet_protocol.json +419 -0
  428. data/standards/stig_voicevideo_over_internet_protocol_vvoip.json +263 -0
  429. data/standards/stig_voicevideo_services_policy.json +569 -0
  430. data/standards/stig_web_policy.json +95 -0
  431. data/standards/stig_web_server.json +317 -0
  432. data/standards/stig_web_server_security_requirements_guide.json +587 -0
  433. data/standards/stig_win2k3_audit.json +761 -0
  434. data/standards/stig_win2k8_audit.json +1085 -0
  435. data/standards/stig_win2k8_r2_audit.json +1637 -0
  436. data/standards/stig_win7_audit.json +1613 -0
  437. data/standards/stig_windows_10.json +1691 -0
  438. data/standards/stig_windows_2003_domain_controller.json +893 -0
  439. data/standards/stig_windows_2003_member_server.json +845 -0
  440. data/standards/stig_windows_2008_domain_controller.json +1475 -0
  441. data/standards/stig_windows_2008_member_server.json +1301 -0
  442. data/standards/stig_windows_7.json +1781 -0
  443. data/standards/stig_windows_8.json +2399 -0
  444. data/standards/stig_windows_88.1.json +2273 -0
  445. data/standards/stig_windows_8_8.1.json +2297 -0
  446. data/standards/stig_windows_defender_antivirus.json +239 -0
  447. data/standards/stig_windows_dns.json +185 -0
  448. data/standards/stig_windows_firewall_with_advanced_security.json +137 -0
  449. data/standards/stig_windows_paw.json +155 -0
  450. data/standards/stig_windows_phone_6.5_with_good_mobility_suite.json +65 -0
  451. data/standards/stig_windows_server_2008_r2_domain_controller.json +1961 -0
  452. data/standards/stig_windows_server_2008_r2_member_server.json +1745 -0
  453. data/standards/stig_windows_server_20122012_r2_domain_controller.json +2255 -0
  454. data/standards/stig_windows_server_20122012_r2_member_server.json +2045 -0
  455. data/standards/stig_windows_server_2012_2012_r2_domain_controller.json +2279 -0
  456. data/standards/stig_windows_server_2012_2012_r2_member_server.json +2075 -0
  457. data/standards/stig_windows_server_2012_domain_controller.json +2471 -0
  458. data/standards/stig_windows_server_2012_member_server.json +2249 -0
  459. data/standards/stig_windows_server_2016.json +1661 -0
  460. data/standards/stig_windows_vista.json +1517 -0
  461. data/standards/stig_windows_xp.json +893 -0
  462. data/standards/stig_wireless_keyboard_and_mouse.json +23 -0
  463. data/standards/stig_wireless_management_server_policy.json +53 -0
  464. data/standards/stig_wireless_remote_access_policy_security_implementation_guide.json +29 -0
  465. data/standards/stig_wlan_access_point_enclave-niprnet_connected.json +227 -0
  466. data/standards/stig_wlan_access_point_internet_gateway_only_connection.json +209 -0
  467. data/standards/stig_wlan_access_point_policy.json +17 -0
  468. data/standards/stig_wlan_authentication_server.json +29 -0
  469. data/standards/stig_wlan_bridge.json +209 -0
  470. data/standards/stig_wlan_client.json +65 -0
  471. data/standards/stig_wlan_controller.json +215 -0
  472. data/standards/stig_wlan_ids_sensorserver.json +23 -0
  473. data/standards/stig_wman_access_point.json +263 -0
  474. data/standards/stig_wman_bridge.json +209 -0
  475. data/standards/stig_wman_subscriber.json +65 -0
  476. data/standards/stig_zos_acf2.json +1451 -0
  477. data/standards/stig_zos_bmc_control-dacf2.json +53 -0
  478. data/standards/stig_zos_bmc_control-dracf.json +59 -0
  479. data/standards/stig_zos_bmc_control-dtss.json +65 -0
  480. data/standards/stig_zos_bmc_control-macf2.json +59 -0
  481. data/standards/stig_zos_bmc_control-mracf.json +65 -0
  482. data/standards/stig_zos_bmc_control-mrestartacf2.json +23 -0
  483. data/standards/stig_zos_bmc_control-mrestartracf.json +23 -0
  484. data/standards/stig_zos_bmc_control-mrestarttss.json +23 -0
  485. data/standards/stig_zos_bmc_control-mtss.json +71 -0
  486. data/standards/stig_zos_bmc_control-oacf2.json +53 -0
  487. data/standards/stig_zos_bmc_control-oracf.json +59 -0
  488. data/standards/stig_zos_bmc_control-otss.json +65 -0
  489. data/standards/stig_zos_bmc_ioaacf2.json +53 -0
  490. data/standards/stig_zos_bmc_ioaracf.json +59 -0
  491. data/standards/stig_zos_bmc_ioatss.json +65 -0
  492. data/standards/stig_zos_bmc_mainviewzosacf2.json +47 -0
  493. data/standards/stig_zos_bmc_mainviewzosracf.json +53 -0
  494. data/standards/stig_zos_bmc_mainviewzostss.json +59 -0
  495. data/standards/stig_zos_ca_1_tape_managementacf2.json +65 -0
  496. data/standards/stig_zos_ca_1_tape_managementracf.json +77 -0
  497. data/standards/stig_zos_ca_1_tape_managementtss.json +77 -0
  498. data/standards/stig_zos_ca_auditoracf2.json +29 -0
  499. data/standards/stig_zos_ca_auditorracf.json +29 -0
  500. data/standards/stig_zos_ca_auditortss.json +29 -0
  501. data/standards/stig_zos_ca_common_servicesacf2.json +23 -0
  502. data/standards/stig_zos_ca_common_servicesracf.json +29 -0
  503. data/standards/stig_zos_ca_common_servicestss.json +29 -0
  504. data/standards/stig_zos_ca_micsacf2.json +23 -0
  505. data/standards/stig_zos_ca_micsracf.json +23 -0
  506. data/standards/stig_zos_ca_micstss.json +23 -0
  507. data/standards/stig_zos_ca_mimacf2.json +41 -0
  508. data/standards/stig_zos_ca_mimracf.json +47 -0
  509. data/standards/stig_zos_ca_mimtss.json +47 -0
  510. data/standards/stig_zos_ca_vtapeacf2.json +29 -0
  511. data/standards/stig_zos_ca_vtaperacf.json +35 -0
  512. data/standards/stig_zos_ca_vtapetss.json +35 -0
  513. data/standards/stig_zos_catalog_solutionsacf2.json +23 -0
  514. data/standards/stig_zos_catalog_solutionsracf.json +23 -0
  515. data/standards/stig_zos_catalog_solutionstss.json +23 -0
  516. data/standards/stig_zos_clsupersessionacf2.json +53 -0
  517. data/standards/stig_zos_clsupersessionracf.json +65 -0
  518. data/standards/stig_zos_clsupersessiontss.json +71 -0
  519. data/standards/stig_zos_compuware_abend-aidacf2.json +47 -0
  520. data/standards/stig_zos_compuware_abend-aidracf.json +53 -0
  521. data/standards/stig_zos_compuware_abend-aidtss.json +53 -0
  522. data/standards/stig_zos_cssmtpacf2.json +23 -0
  523. data/standards/stig_zos_cssmtpracf.json +29 -0
  524. data/standards/stig_zos_cssmtptss.json +29 -0
  525. data/standards/stig_zos_fdracf2.json +23 -0
  526. data/standards/stig_zos_fdrracf.json +23 -0
  527. data/standards/stig_zos_fdrtss.json +23 -0
  528. data/standards/stig_zos_hcdacf2.json +29 -0
  529. data/standards/stig_zos_hcdracf.json +29 -0
  530. data/standards/stig_zos_hcdtss.json +29 -0
  531. data/standards/stig_zos_ibm_cics_transaction_serveracf2.json +17 -0
  532. data/standards/stig_zos_ibm_cics_transaction_serverracf.json +17 -0
  533. data/standards/stig_zos_ibm_cics_transaction_servertss.json +17 -0
  534. data/standards/stig_zos_ibm_health_checkeracf2.json +23 -0
  535. data/standards/stig_zos_ibm_health_checkerracf.json +29 -0
  536. data/standards/stig_zos_ibm_health_checkertss.json +29 -0
  537. data/standards/stig_zos_ibm_system_display_and_search_facility_sdsfacf2.json +53 -0
  538. data/standards/stig_zos_ibm_system_display_and_search_facility_sdsfracf.json +59 -0
  539. data/standards/stig_zos_ibm_system_display_and_search_facility_sdsftss.json +53 -0
  540. data/standards/stig_zos_icsfacf2.json +29 -0
  541. data/standards/stig_zos_icsfracf.json +35 -0
  542. data/standards/stig_zos_icsftss.json +35 -0
  543. data/standards/stig_zos_netviewacf2.json +41 -0
  544. data/standards/stig_zos_netviewracf.json +47 -0
  545. data/standards/stig_zos_netviewtss.json +53 -0
  546. data/standards/stig_zos_quest_nc-passacf2.json +35 -0
  547. data/standards/stig_zos_quest_nc-passracf.json +41 -0
  548. data/standards/stig_zos_quest_nc-passtss.json +47 -0
  549. data/standards/stig_zos_racf.json +1415 -0
  550. data/standards/stig_zos_roscoeacf2.json +47 -0
  551. data/standards/stig_zos_roscoeracf.json +53 -0
  552. data/standards/stig_zos_roscoetss.json +59 -0
  553. data/standards/stig_zos_srrauditacf2.json +23 -0
  554. data/standards/stig_zos_srrauditracf.json +23 -0
  555. data/standards/stig_zos_srraudittss.json +23 -0
  556. data/standards/stig_zos_tadzacf2.json +29 -0
  557. data/standards/stig_zos_tadzracf.json +35 -0
  558. data/standards/stig_zos_tadztss.json +35 -0
  559. data/standards/stig_zos_tdmfacf2.json +23 -0
  560. data/standards/stig_zos_tdmfracf.json +23 -0
  561. data/standards/stig_zos_tdmftss.json +23 -0
  562. data/standards/stig_zos_tss.json +1523 -0
  563. data/standards/stig_zos_vssracf.json +29 -0
  564. metadata +691 -0
@@ -0,0 +1,227 @@
1
+ {
2
+ "name": "stig_google_chrome_v24_windows_benchmark",
3
+ "date": "2013-03-07",
4
+ "description": "None",
5
+ "title": "Google Chrome v24 Windows Benchmark",
6
+ "version": "None",
7
+ "item_syntax": "^\\w-\\d+$",
8
+ "section_separator": null,
9
+ "items": [
10
+ {
11
+ "id": "V-35464",
12
+ "title": "Firewall traversal from remote host must be disabled",
13
+ "description": "Remote connections should never be allowed that bypass the firewall, as there is no way to verify if they can be trusted.\n\n\"Enables usage of STUN and relay servers when remote clients are trying to establish a connection to this machine. If this setting is enabled, then remote clients can discover and connect to this machine even if they are separated by a firewall. If this setting is disabled and outgoing UDP connections are filtered by the firewall, then this machine will only allow connections from client machines within the local network. If this policy is left not set the setting will be enabled.\" - Google Chrome Administrators Policy List",
14
+ "severity": "medium"
15
+ },
16
+ {
17
+ "id": "V-35619",
18
+ "title": "Site tracking users location must be disabled",
19
+ "description": "Tracking of user location data over time poses a significant OPSEC issue.\n\n\"allows you to set whether websites are allowed to track the users' physical location. Tracking the users' physical location can be allowed by default, denied by default or the user can be asked every time a website requests the physical location. If this policy is left not set, 'AskGeolocation' will be used and the user will be able to change it.\n\t1 = Allow sites to track the users' physical location\n\t2 = Do not allow any site to track the users' physical location\n\t3 = Ask whenever a site wants to track the users' physical location\" - Google Chrome Administrators Policy List",
20
+ "severity": "medium"
21
+ },
22
+ {
23
+ "id": "V-35620",
24
+ "title": "Sites ability for showing desktop notifications must be disabled",
25
+ "description": "\"Allows you to set whether websites are allowed to display desktop notifications. Displaying desktop notifications can be allowed by default, denied by default or the user can be asked every time a website wants to show desktop notifications. If this policy is left not set, 'AskNotifications' will be used and the user will be able to change it.\n 1 = Allow sites to show desktop notifications\n 2 = Do not allow any site to show desktop notifications\n 3 = Ask every time a site wants to show desktop notifications\" - Google Chrome Administrators Policy List",
26
+ "severity": "medium"
27
+ },
28
+ {
29
+ "id": "V-35621",
30
+ "title": "Sites ability to show pop-ups must be disabled",
31
+ "description": "\"Allows you to set whether websites are allowed to show pop-ups. Showing popups can be either allowed for all websites or denied for all websites. If this policy is left not set, 'BlockPopups' will be used and the user will be able to change it.\n 1 = Allow all sites to show pop-ups\n 2 = Do not allow any site to show popups\" - Google Chrome Administrators Policy List",
32
+ "severity": "medium"
33
+ },
34
+ {
35
+ "id": "V-35622",
36
+ "title": "Extensions must be blacklisted by default",
37
+ "description": "Extensions are developed by third party sources. They are designed to extend Google Chrome's functionality. An extension can be made by anyone, to do and access almost anything on a system; this means they pose a high risk to any system that would allow all extensions to be installed by default. \n\n\"Allows you to specify which extensions the users can NOT install. Extensions already installed will be removed if blacklisted. A blacklist value of '*' means all extensions are blacklisted unless they are explicitly listed in the whitelist. If this policy is left not set the user can install any extension in Google Chrome.\" - Google Chrome Administrators Policy List",
38
+ "severity": "high"
39
+ },
40
+ {
41
+ "id": "V-35623",
42
+ "title": "Extensions that are approved for use must be whitelisted",
43
+ "description": "The whitelist should only contain organizationally approved extensions. This is to prevent a user from accidently whitelisitng a malicious extension.\n\n\"Allows you to specify which extensions are not subject to the blacklist. A blacklist value of * means all extensions are blacklisted and users can only install extensions listed in the whitelist. By default, no extensions are whitelisted. If all extensions have been blacklisted by policy, then the whitelist policy can be used to allow specific extensions to be installed. Administrators should determine which extensions should be allowed to be installed by their users. If no extensions are whitelisted, then no extensions can be installed when combined with blacklisting all extensions\" - Google Chrome Administrators Policy List",
44
+ "severity": "medium"
45
+ },
46
+ {
47
+ "id": "V-35624",
48
+ "title": "The default search providers name must be set",
49
+ "description": "\"Specifies the name of the default search provider. If left empty or not set, the host name specified by the search URL will be used. This policy is only considered if the 'DefaultSearchProviderEnabled' policy is enabled.\n When doing internet searches it is important to used an encrypted connection via https.\" - Google Chrome Administrators Policy List",
50
+ "severity": "medium"
51
+ },
52
+ {
53
+ "id": "V-35625",
54
+ "title": "The default search provider URL must be set",
55
+ "description": "\"Specifies the URL of the search engine used when doing a default search. The URL should contain the string '{searchTerms}', which will be replaced at query time by the terms the user is searching for. This option must be set when the 'DefaultSearchProviderEnabled' policy is enabled and will only be respected if this is the case..\" - Google Chrome Administrators Policy List\n\n When doing internet searches it is important to used an encrypted connection via https. ",
56
+ "severity": "medium"
57
+ },
58
+ {
59
+ "id": "V-35626",
60
+ "title": "Default search provider must be enabled",
61
+ "description": "\"Enables the use of a default search provider. If you enable this setting, a default search is performed when the user types text In the omnibox that is not a URL. You can specify the default search provider to be used by setting the rest of the default search policies. If these are left empty, the user can choose the default provider. If you disable this setting, no search is performed when the user enters non-URL text in the omnibox. If you enable or disable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set, the default search provider is enabled, and the user will be able to set the search provider list.\" - Google Chrome Administrators Policy List",
62
+ "severity": "medium"
63
+ },
64
+ {
65
+ "id": "V-35757",
66
+ "title": "Use of cleartext passwords in the Password Manager must be disabled",
67
+ "description": "Cleartext passwords would allow another individual to see password via shouldersurfing.\n\n\"Controls whether the user may show passwords in clear text in the password manager. If you disable this setting, the password manager does not allow showing stored passwords in clear text in the password manager window. If you enable or do not set this policy, users can view their passwords in clear text in the password manager..\" - Google Chrome Administrators Policy List",
68
+ "severity": "high"
69
+ },
70
+ {
71
+ "id": "V-35758",
72
+ "title": "The Password Manager must be disabled",
73
+ "description": "\"Enables saving passwords and using saved passwords in Google Chrome. If you enable this setting, users can have Google Chrome memorize passwords and provide them automatically the next time they log in to a site. If you disable this setting, users are not able to save passwords or use already saved passwords. If you enable or disable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set, this will be enabled but the user will be able to change it.\" - Google Chrome Administrators Policy List\n\nPassword manager should not be used as it stores passwords locally.",
74
+ "severity": "medium"
75
+ },
76
+ {
77
+ "id": "V-35759",
78
+ "title": "The HTTP Authentication must be set to negotiate",
79
+ "description": "\"Specifies which HTTP Authentication schemes are supported by Google Chrome. Possible values are 'basic', 'digest', 'ntlm' and 'negotiate'. Separate multiple values with commas. If this policy is left not set, all four schemes will be used.\" - Google Chrome Administrators Policy List",
80
+ "severity": "medium"
81
+ },
82
+ {
83
+ "id": "V-35760",
84
+ "title": "The running of outdated plugins must be disabled",
85
+ "description": "Running outdated plugins could lead to system compromise through the use of known exploits.Having plugins that udpated to the most current version ensures the smallest attack surfuce possible.\n\n\"Allows Google Chrome to run plugins that are outdated. If you enable this setting, outdated plugins are used as normal plugins. If you disable this setting, outdated plugins will not be used and users will not be asked for permission to run them. If this setting is not set, users will be asked for permission to run outdated plugins.\" - Google Chrome Administrators Policy List",
86
+ "severity": "high"
87
+ },
88
+ {
89
+ "id": "V-35761",
90
+ "title": "Plugins requiring authorization must ask for user permission",
91
+ "description": "\"Allows Google Chrome to run plugins that require authorization. If you enable this setting, plugins that are not outdated always run. If this setting is disabled or not set, users will be asked for permission to run plugins that require authorization. These are plugins that can compromise security.\" - Google Chrome Administrators Policy List",
92
+ "severity": "high"
93
+ },
94
+ {
95
+ "id": "V-35762",
96
+ "title": "Third party cookies must be blocked",
97
+ "description": "\"Blocks third party cookies. Enabling this setting prevents cookies from being set by web page elements that are not from the domain that is in the browser's address bar. Disabling this setting allows cookies to be set by web page elements that are not from the domain that is in the browser's address bar and prevents users from changing this setting. If this policy is left not set, third party cookies will be enabled but the user will be able to change that.\" - Google Chrome Administrators Policy List",
98
+ "severity": "low"
99
+ },
100
+ {
101
+ "id": "V-35763",
102
+ "title": "Site data must not be wiped on closing the browser",
103
+ "description": "\"This policy is an override for the \"Clear cookies and other site data when I close my browser\" content settings option. When set to enabled Google Chrome will delete all locally stored data from the browser when it is shut down. If set to disabled site data will not be cleared on exit. If this policy is left not set Google Chrome will use the default which is to preserve site data on shut down and the user will be able to change this. If the \"RestoreOnStartup\" policy is set to restore URLs from previous sessions this policy will not clear cookies or other data relevant to restoring the previous browsing session completely.\" - Google Chrome Administrators Policy List\n\t\t\t\n The site data must be retained for forensics purposes. If a system is compromised, it is important to have as much information available as possible to ensure that it can be determined how the system was compromised.",
104
+ "severity": "medium"
105
+ },
106
+ {
107
+ "id": "V-35764",
108
+ "title": "Background processing must be disabled",
109
+ "description": "\"Determines whether a Google Chrome process is started on OS login and keeps running when the last browser window is closed, allowing background apps to remain active. The background process displays an icon in the system tray and can always be closed from there. If this policy is set to True, background mode is enabled and cannot be controlled by the user in the browser settings. If this policy is set to False, background mode is disabled and cannot be controlled by the user in the browser settings. If this policy is left unset, background mode is initially disabled and can be controlled by the user in the browser settings.\" - Google Chrome Administrators Policy List\n\nThis setting, if enabled, allows Google Chrome to run at all times. There is two reasons that this is not wanted. First, it can tie up system resources that might otherwise be needed. Second, it does not make it obvious to the user that it is running and poorly written extensions could cause instability on the system.",
110
+ "severity": "medium"
111
+ },
112
+ {
113
+ "id": "V-35765",
114
+ "title": "The SPDY protocol must be disabled",
115
+ "description": "\"Disables use of the SPDY protocol in Google Chrome. If this policy is enabled the SPDY protocol will not be available in Google Chrome. Setting this policy to disabled will allow the usage of SPDY. If this policy is left not set, SPDY will be available.\" - Google Chrome Administrators Policy List",
116
+ "severity": "medium"
117
+ },
118
+ {
119
+ "id": "V-35767",
120
+ "title": "3D Graphics APIs must be disabled",
121
+ "description": "\"Disable support for 3D graphics APIs. Enabling this setting prevents web pages from accessing the graphics processing unit (GPU). Specifically, web pages can not access the WebGL API and plugins can not use the Pepper 3D API. Disabling this setting or leaving it not set potentially allows web pages to use the WebGL API and plugins to use the Pepper 3D API. The default settings of the browser may still require command line arguments to be passed in order to use these APIs.\" - Google Chrome Administrators Policy List\n\nChrome uses WebGL to render graphics using the GPU. There are few sites that currently take advantage of this feature. Since there is unlikely to be an operational impact, it is recommended that this feature is turned off in order to reduce the attack surface.",
122
+ "severity": "medium"
123
+ },
124
+ {
125
+ "id": "V-35769",
126
+ "title": "Google Data Synchronization must be disabled",
127
+ "description": "\"Disables data synchronization in Google Chrome using Google-hosted synchronization services and prevents users from changing this setting. If you enable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set Google Sync will be available for the user to choose whether to use it or not.\nThis feature is used to sync information between different user devices. This data is stored on Google owned servers. The data consists of information such as email, calendars, viewing history, etc. This feature must be disabled because the organization has not control over the servers the data is stored on.\" - Google Chrome Administrators Policy List",
128
+ "severity": "medium"
129
+ },
130
+ {
131
+ "id": "V-35771",
132
+ "title": "The URL protocol schemas file and javascript must be disabled",
133
+ "description": "\"Disables the listed protocol schemes in Google Chrome. URLs using a scheme from this list will not load and can not be navigated to. If this policy is left not set or the list is empty all schemes will be accessible in Google Chrome.\" - Google Chrome Administrators Policy List",
134
+ "severity": "high"
135
+ },
136
+ {
137
+ "id": "V-35773",
138
+ "title": "AutoFill must be disabled",
139
+ "description": "\"Enables Google Chrome's AutoFill feature and allows users to auto complete web forms using previously stored information such as address or credit card information. If you disable this setting, AutoFill will be inaccessible to users. If you enable this setting or do not set a value, AutoFill will remain under the control of the user. This will allow them to configure AutoFill profiles and to switch AutoFill on or off at their own discretion.\" - Google Chrome Administrators Policy List",
140
+ "severity": "medium"
141
+ },
142
+ {
143
+ "id": "V-35776",
144
+ "title": "Cloud print sharing must be disabled",
145
+ "description": "\"Enables Google Chrome to act as a proxy between Google Cloud Print and legacy printers connected to the machine. If this setting is enabled or not configured, users can enable the cloud print proxy by authentication with their Google account. If this setting is disabled, users cannot enable the proxy, and the machine will not be allowed to share it's printers with Google Cloud Print. If this policy is left not set, this will be enabled but the user will be able to change it.\" - Google Chrome Administrators Policy List",
146
+ "severity": "medium"
147
+ },
148
+ {
149
+ "id": "V-35777",
150
+ "title": "Google Chrome Instant must be disabled",
151
+ "description": "\"Enables Google Chrome's Instant feature and prevents users from changing this setting. If you enable this setting, Google Chrome Instant is enabled. If you disable this setting, Google Chrome Instant is disabled. If you enable or disable this setting, users cannot change or override this setting. If this setting is left not set the user can decide to use this function or not.\" - Google Chrome Administrators Policy List",
152
+ "severity": "medium"
153
+ },
154
+ {
155
+ "id": "V-35779",
156
+ "title": "Network prediction must be disabled",
157
+ "description": "\"Enables network prediction in Google Chrome and prevents users from changing this setting. If you enable or disable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set, this will be enabled but the user will be able to change it.\" - Google Chrome Administrators Policy List",
158
+ "severity": "medium"
159
+ },
160
+ {
161
+ "id": "V-35780",
162
+ "title": "Metrics reporting to Google must be disabled",
163
+ "description": "\"Enables anonymous reporting of usage and crash-related data about Google Chrome to Google and prevents users from changing this setting. If you enable this setting, anonymous reporting of usage and crash-related data is sent to Google. If you disable this setting, anonymous reporting of usage and crash-related data is never sent to Google. If you enable or disable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set the setting will be what the user chose upon installation / first run.\" - Google Chrome Administrators Policy List",
164
+ "severity": "medium"
165
+ },
166
+ {
167
+ "id": "V-35781",
168
+ "title": "Search suggestions must be disabled",
169
+ "description": "\"Search suggestion should be disabled as it could lead to searches being conducted that were never intended to be made.\" - Google Chrome Administrators Policy List",
170
+ "severity": "medium"
171
+ },
172
+ {
173
+ "id": "V-35784",
174
+ "title": "Importing of saved passwords must be disabled",
175
+ "description": "\"This policy forces the saved passwords to be imported from the previous default browser if enabled. If enabled, this policy also affects the import dialog. If disabled, the saved passwords are not imported. If it is not set, the user may be asked whether to import, or importing may happen automatically.\" - Google Chrome Administrators Policy List",
176
+ "severity": "medium"
177
+ },
178
+ {
179
+ "id": "V-35785",
180
+ "title": "Incognito mode must be disabled",
181
+ "description": "Incognito mode prevents saving of anything from the current session. This is bad from a foreignics standpoint. This information needs to be retained in case a compromise happens. \n\n\"pecifies whether the user may open pages in Incognito mode in Google Chrome. If 'Enabled' is selected or the policy is left unset, pages may be opened in Incognito mode. If 'Disabled' is selected, pages may not be opened in Incognito mode. If 'Forced' is selected, pages may be opened ONLY in Incognito mode.\n 0 = Incognito mode available.\n 1 = Incognito mode disabled.\n 2 = Incognito mode forced.\" - Google Chrome Administrators Policy List",
182
+ "severity": "medium"
183
+ },
184
+ {
185
+ "id": "V-35787",
186
+ "title": "The user data location must be set",
187
+ "description": "\"Configures the directory that Google Chrome will use for storing user data. If you set this policy, Google Chrome will use the provided directory regardless whether the user has specified the '--user-data-dir' flag or not. If this policy is left not set the default profile path will be used and the user will be able to override it with the '--user-data-dir' command line flag.\" - Google Chrome Administrators Policy List",
188
+ "severity": "medium"
189
+ },
190
+ {
191
+ "id": "V-35788",
192
+ "title": "Plugins must be disabled by default",
193
+ "description": "\"Specifies a list of plugins that are disabled in Google Chrome and prevents users from changing this setting. The wildcard characters * and ? can be used to match sequences of arbitrary characters. * matches an arbitrary number of characters while ? specifies an optional single character, i.e. matches zero or one characters. The escape character is \\, so to match actual *, ?, or \\ characters, you can put a \\ in front of them. If you enable this setting, the specified list of plugins is never used in Google Chrome. The plugins are marked as disabled in about:plugins and users cannot enable them. Note that this policy can be overridden by EnabledPlugins and DisabledPluginsExceptions. If this policy is left not set the user can use any plugin installed on the system except for hard-coded incompatible, outdated or dangerous plugins. - Google Chrome Administrators Policy List",
194
+ "severity": "medium"
195
+ },
196
+ {
197
+ "id": "V-35790",
198
+ "title": "Automated installation of missing plugins must be disabled",
199
+ "description": "\"If you set this setting to enabled the automatic search and installation of missing plugins will be disabled in Google Chrome.\" - Google Chrome Administrators Policy List",
200
+ "severity": "medium"
201
+ },
202
+ {
203
+ "id": "V-35791",
204
+ "title": "Online revocation checks must be done",
205
+ "description": "\"By setting this policy to true, the previous behaviour is restored and online OCSP/CRL checks will be performed. If the policy is not set, or is set to false, then Chrome will not perform online revocation checks in Chrome 19 and later..\" - Google Chrome Administrators Policy List",
206
+ "severity": "medium"
207
+ },
208
+ {
209
+ "id": "V-35792",
210
+ "title": "Safe Browsing must be enabled",
211
+ "description": "\"Enables Google Chrome's Safe Browsing feature and prevents users from changing this setting. If you enable this setting, Safe Browsing is always active. If you disable this setting, Safe Browsing is never active. If you enable or disable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set, this will be enabled but the user will be able to change it.\" - Google Chrome Administrators Policy List\n\nSafe browsing uses a signature database to test sites when they are be loaded to ensure they don't contain any known maleware.",
212
+ "severity": "medium"
213
+ },
214
+ {
215
+ "id": "V-35793",
216
+ "title": "Browser history must be saved",
217
+ "description": "\"Disables saving browser history in Google Chrome and prevents users from changing this setting. If this setting is enabled, browsing history is not saved. If this setting is disabled or not set, browsing history is saved.\" - Google Chrome Administrators Policy List",
218
+ "severity": "medium"
219
+ },
220
+ {
221
+ "id": "V-35794",
222
+ "title": "Default behavior must block plugin usage",
223
+ "description": "\"Allows you to set whether websites are allowed to automatically run plugins. Automatically running plugins can be either allowed for all websites or denied for all websites. If this policy is left not set, 'AllowPlugins' will be used and the user will be able to change it.\n 1 = Allow all sites to automatically run plugins\n 2 = Block all plugins\n 3 = Click to play.\" - Google Chrome Administrators Policy List\n",
224
+ "severity": "medium"
225
+ }
226
+ ]
227
+ }
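Review bot: The `item_syntax` value `"^\\w-\\d+$"` on line 7 of the new file anchors with `^` and `$`, which in Ruby match at line boundaries rather than at the start and end of the string. A multi-line value that contains one line shaped like `V-35464` would therefore still match. The page does not show how this pattern is consumed, so this is inferred: if it is compiled into a Ruby `Regexp` to validate or extract item ids, use `"item_syntax": "\\A\\w-\\d+\\z"` instead. The same value appears in the next file's hunk, so if these standards files are generated the change belongs in the generator rather than in each JSON file.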
@@ -0,0 +1,209 @@
1
+ {
2
+ "name": "stig_google_search_appliance",
3
+ "date": "2015-07-07",
4
+ "description": "Developed by Microsoft in coordination with DISA for use in the DoD. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.",
5
+ "title": "Google Search Appliance Security Technical Implementation Guide",
6
+ "version": "1",
7
+ "item_syntax": "^\\w-\\d+$",
8
+ "section_separator": null,
9
+ "items": [
10
+ {
11
+ "id": "V-60395",
12
+ "title": "Google Search Appliances providing remote access capabilities must utilize approved cryptography to protect the confidentiality of remote access sessions.",
13
+ "description": "Remote access is any access to an organizational information system by a user (or an information system) communicating through an external, non-organization-controlled network (e.g., the Internet). Examples of remote access methods include dial-up, broadband, and wireless. \n\nRemote network access is accomplished by leveraging common communication protocols and establishing a remote connection. These connections will typically occur over either the public Internet or the Public Switched Telephone Network (PSTN). Since neither of these internetworking mechanisms are private nor secure, if cryptography is not used, then the session data traversing the remote connection could be intercepted and compromised. Cryptography provides a means to secure the remote connection so as to prevent unauthorized access to the data traversing the remote access connection thereby providing a degree of confidentiality. The encryption strength of mechanism is selected based on the security categorization of the information traversing the remote connection.",
14
+ "severity": "medium"
15
+ },
16
+ {
17
+ "id": "V-60717",
18
+ "title": "Google Search Appliances must provide automated mechanisms for supporting user account management. The automated mechanisms may reside within the application itself or may be offered by the operating system or other infrastructure providing automated account management capabilities.",
19
+ "description": "A comprehensive application account management process that includes automation helps to ensure that accounts designated as requiring attention are consistently and promptly addressed. Examples include but are not limited to using automation to take action on multiple accounts designated as inactive, suspended or terminated or by disabling accounts located in non-centralized account stores such as multiple servers.\n\nEnterprise environments make application user account management challenging and complex. A user management process requiring administrators to manually address account management functions adds risk of potential oversight.\n\nAutomated mechanisms may be comprised of differing technologies that when placed together contain an overall automated mechanism supporting an organization's automated account management requirements.",
20
+ "severity": "medium"
21
+ },
22
+ {
23
+ "id": "V-60719",
24
+ "title": "Google Search Appliance users must utilize a separate, distinct administrative account when accessing application security functions or security-relevant information. Non-privileged accounts must be utilized when accessing non-administrative application functions. The application must provide this functionality itself or leverage an existing technology providing this capability.",
25
+ "description": "This requirement is intended to limit exposure due to operating from within a privileged account or role. The inclusion of role is intended to address those situations where an access control policy such as Role Based Access Control (RBAC) is being implemented and where a change of role provides the same degree of assurance in the change of access authorizations for both the user and all processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account. \n\nAudit of privileged activity may require physical separation employing information systems on which the user does not have privileged access.\n\nTo limit exposure and provide forensic history of activity when operating from within a privileged account or role, the application must support organizational requirements that users of information system accounts, or roles, with access to organization-defined list of security functions or security-relevant information, use non-privileged accounts, or roles, when accessing other (non-security) system functions.\n\nIf feasible, applications should provide access logging that ensures users who are granted a privileged role (or roles) have their privileged activity logged.",
26
+ "severity": "medium"
27
+ },
28
+ {
29
+ "id": "V-60721",
30
+ "title": "Google Search Appliances must have the capability to limit the number of failed logon attempts to 3 attempts in 15 minutes.",
31
+ "description": "Anytime an authentication method is exposed so as to allow for the utilization of an application, there is a risk that attempts will be made to obtain unauthorized access. \n\nTo defeat these attempts, organizations define the number of times a user account may consecutively fail a login attempt. The organization also defines the period of time in which these consecutive failed attempts may occur. \n\nBy limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account.",
32
+ "severity": "medium"
33
+ },
34
+ {
35
+ "id": "V-60723",
36
+ "title": "The Google Search Appliance must enforce the 15 minute time period during which the limit of consecutive invalid access attempts by a user is counted.",
37
+ "description": "Anytime an authentication method is exposed, so as to allow for the utilization of an application, there is a risk that attempts will be made to obtain unauthorized access. \n\nTo aid in defeating these attempts, organizations define the number of times that a user account may consecutively fail a login attempt. The organization also defines the period of time in which these consecutive failed attempts may occur. \n\nBy limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account.",
38
+ "severity": "medium"
39
+ },
40
+ {
41
+ "id": "V-60725",
42
+ "title": "Google Search Appliances, when the maximum number of unsuccessful attempts is exceeded, must automatically lock the account/node for an organization-defined time period or lock the account/node until released by an administrator IAW organizational policy.",
43
+ "description": "Anytime an authentication method is exposed so as to allow for the utilization of an application, there is a risk that attempts will be made to obtain unauthorized access. \n\nTo defeat these attempts, organizations define the number of times a user account may consecutively fail a login attempt. The organization also defines the period of time in which these consecutive failed attempts may occur. \n\nBy limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account.",
44
+ "severity": "medium"
45
+ },
46
+ {
47
+ "id": "V-60727",
48
+ "title": "Google Search Appliances must display an approved system use notification message or banner before granting access to the system.",
49
+ "description": "Applications are required to display an approved system use notification message or banner before granting access to the system providing privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that: \n\n(i) users are accessing a U.S. Government information system; \n(ii) system usage may be monitored, recorded, and subject to audit; \n(iii) unauthorized use of the system is prohibited and subject to criminal and civil penalties; and \n(iv) the use of the system indicates consent to monitoring and recording.\n\nSystem use notification messages can be implemented in the form of warning banners displayed when individuals log in to the information system. \n\nSystem use notification is intended only for information system access including an interactive login interface with a human user and is not intended to require notification when an interactive interface does not exist. \n\nUse this banner for desktops, laptops, and other devices accommodating banners of 1300 characters. The banner shall be implemented as a click-through banner at logon (to the extent permitted by the operating system), meaning it prevents further activity on the information system unless and until the user executes a positive action to manifest agreement by clicking on a box indicating \"OK\".\n\n\"You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only.\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\" \n\nFor Blackberries and other PDAs/PEDs with severe character limitations use the following:\n\n\"I've read & consent to terms in IS user agreem't.\"",
50
+ "severity": "medium"
51
+ },
52
+ {
53
+ "id": "V-60729",
54
+ "title": "The Google Search Appliance must retain the notification message or banner on the screen until users take explicit actions to logon to or further access.",
55
+ "description": "To establish acceptance of system usage policy, a click-through banner at application logon is required. The banner must prevent further activity on the application unless and until the user executes a positive action to manifest agreement by clicking on a box indicating \"OK\". The text of this banner should be customizable in the event of future user agreement changes.",
56
+ "severity": "medium"
57
+ },
58
+ {
59
+ "id": "V-60731",
60
+ "title": "Google Search Appliances must display an approved system use notification message or banner before granting access to the system.",
61
+ "description": "Applications must display an approved system use notification message or banner before granting access to the system. \n\nThe banner must be formatted in accordance with the DoD policy \"Use of DoD Information Systems - Standard Consent and User Agreement\". The message banner shall provide privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and shall state that:\n \n(i) users are accessing a U.S. Government information system; \n(ii) system usage may be monitored, recorded, and is subject to audit; \n(iii) unauthorized use of the system is prohibited and subject to criminal and civil penalties;\n(iv) the use of the system indicates consent to monitoring and recording;\n(v) in the notice given to public users of the information system, shall provide a description of the authorized uses of the system.\n\nSystem use notification messages are implemented in the form of warning banners displayed when individuals log in to the information system. System use notification is intended only for information system access including an interactive login interface with a human user and is not intended to require notification when an interactive interface does not exist. \n\nThe banner shall state:\n\n\"You are accessing a U.S. 
Government (USG) Information System (IS) that is provided\nfor USG-authorized use only.\nBy using this IS (which includes any device attached to this IS), you consent to the\nfollowing conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes\nincluding, but not limited to, penetration testing, COMSEC monitoring, network\noperations and defense, personnel misconduct (PM), law enforcement (LE), and\ncounterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine\nmonitoring, interception, and search, and may be disclosed or used for any USG authorized\npurpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect\nUSG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI\ninvestigative searching or monitoring of the content of privileged communications, or\nwork product, related to personal representation or services by attorneys,\npsychotherapists, or clergy, and their assistants. Such communications and work product\nare private and confidential. See User Agreement for details.\"",
62
+ "severity": "medium"
63
+ },
64
+ {
65
+ "id": "V-60733",
66
+ "title": "To support DoD requirements to centrally manage the content of audit records, Google Search Appliances must provide the ability to write specified audit record content to a centralized audit log repository.",
67
+ "description": "Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control, includes but is not limited: time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application specific events, success/fail indications, filenames involved, access control or flow control rules invoked. \n\nCentralized management of audit records and logs provides for efficiency in maintenance and management of records, as well as the backup and archiving of those records. When organizations define application components requiring centralized audit log management, applications need to support that requirement.",
68
+ "severity": "medium"
69
+ },
70
+ {
71
+ "id": "V-60747",
72
+ "title": "The Google Search Appliance must provide a real-time alert when all audit failure events occur.",
73
+ "description": "It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Audit processing failures include: software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. \n\nOrganizations must define audit failure events requiring an application to send an alarm. When those defined events occur, the application will provide a real-time alert to the appropriate personnel.",
74
+ "severity": "medium"
75
+ },
76
+ {
77
+ "id": "V-60749",
78
+ "title": "The Google Search Appliance must alert designated organizational officials in the event of an audit processing failure.",
79
+ "description": "It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Audit processing failures include; software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.",
80
+ "severity": "medium"
81
+ },
82
+ {
83
+ "id": "V-60751",
84
+ "title": "The Google Search Appliance must be capable of taking organization-defined actions upon audit failure (e.g., overwrite oldest audit records, stop generating audit records, cease processing, notify of audit failure).",
85
+ "description": "It is critical when a system is at risk of failing to process audit logs as required; it detects and takes action to mitigate the failure. Audit processing failures include: software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. Applications are required to be capable of either directly performing or calling system level functionality performing defined actions upon detection of an application audit log processing failure.",
86
+ "severity": "medium"
87
+ },
88
+ {
89
+ "id": "V-60753",
90
+ "title": "The Google Search Appliance must synchronize with internal information system clocks which in turn, are synchronized on a 24 hour frequency with a 24 hour authoritative time source.",
91
+ "description": "Determining the correct time a particular application event occurred on a system is critical when conducting forensic analysis and investigating system events. \n\nSynchronization of system clocks is needed in order to correctly correlate the timing of events that occur across multiple systems. To meet that requirement the organization will define an authoritative time source and frequency to which each system will synchronize its internal clock. \n\nAn example is utilizing the NTP protocol to synchronize with centralized NTP servers. Time stamps generated by the information system must include both date and time. The time may be expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. \n\nApplications not purposed to provide NTP services should not try to compete with or replace NTP functionality and should synchronize with internal information system clocks that are in turn synchronized with an organization defined authoritative time source.",
92
+ "severity": "medium"
93
+ },
94
+ {
95
+ "id": "V-60767",
96
+ "title": "The Google Search Appliance must support the requirement to back up audit data and records onto a different system or media than the system being audited at least every seven days.",
97
+ "description": "Protection of log data includes assuring log data is not accidentally lost or deleted. Backing up audit records to a different system or onto separate media than the system being audited on an organizationally defined frequency helps to assure in the event of a catastrophic system failure, the audit records will be retained.",
98
+ "severity": "medium"
99
+ },
100
+ {
101
+ "id": "V-60769",
102
+ "title": "The Google Search Appliance must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).",
103
+ "description": "To assure accountability and prevent unauthorized access, organizational users must be identified and authenticated. \n\nOrganizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors, guest researchers, individuals from allied nations). \n\nUsers (and any processes acting on behalf of users) are uniquely identified and authenticated for all accesses other than those accesses explicitly identified and documented by the organization which outlines specific user actions that can be performed on the information system without identification or authentication.",
104
+ "severity": "medium"
105
+ },
106
+ {
107
+ "id": "V-60771",
108
+ "title": "The Google Search Appliance must be configured to prevent browsers from saving user credentials.",
109
+ "description": "Web services are web applications providing a method of communication between two or more different electronic devices. They are normally used by applications to provide each other with data. \n\nThe W3C defines a web service as:\n\"a software system designed to support interoperable machine to machine interaction over a network. It has an interface described in a machine processable format (specifically Web Services Description Language or WSDL). Other systems interact with the web service in a manner prescribed by its description using SOAP messages typically conveyed using HTTP with an XML serialization in conjunction with other web-related standards\".\n\nWeb services provide different challenges in managing access than what is presented by typical user based applications. In contrast to conventional access control approaches which employ static information system accounts and predefined sets of user privileges, many service-oriented architecture implementations rely on run time access control decisions facilitated by dynamic privilege management. While user identities remain relatively constant over time, user privileges may change more frequently based on the ongoing mission/business requirements and operational needs of the organization. \n\nIn contrast to conventional approaches to identification and authentication which employ static information system accounts for preregistered users, many service-oriented architecture implementations rely on establishing identities at run time for entities that were previously unknown. Dynamic establishment of identities and association of attributes and privileges with these identities are anticipated and provisioned. Pre-established trust relationships and mechanisms with appropriate authorities to validate identities and related credentials are essential.",
110
+ "severity": "high"
111
+ },
112
+ {
113
+ "id": "V-60773",
114
+ "title": "The Google Search Appliance must support DoD requirements to enforce minimum password length.",
115
+ "description": "Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \n\nPassword length is one factor of several that helps to determine strength and how long it takes to crack a password. The shorter the password is, the lower the number of possible combinations that need to be tested before the password is compromised. \n\nUse of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.",
116
+ "severity": "medium"
117
+ },
118
+ {
119
+ "id": "V-60775",
120
+ "title": "The Google Search Appliance must support DoD requirements to enforce password complexity by the number of upper case characters used.",
121
+ "description": "Password complexity or strength is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \n\nPassword complexity is one factor of several that determine how long it takes to crack a password. The more complex the password is, the greater the number of possible combinations that need to be tested before the password is compromised. \n\nUse of a complex password helps to increase the time and resources required to compromise the password.",
122
+ "severity": "medium"
123
+ },
124
+ {
125
+ "id": "V-60777",
126
+ "title": "The Google Search Appliance must support DoD requirements to enforce password complexity by the number of lower case characters used.",
127
+ "description": "Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \n\nPassword complexity is one factor of several that determine how long it takes to crack a password. \n\nThe more complex the password is, the greater the number of possible combinations that need to be tested before the password is compromised. \n\nUse of a complex password helps to increase the time and resources required to compromise the password.",
128
+ "severity": "medium"
129
+ },
130
+ {
131
+ "id": "V-60779",
132
+ "title": "The Google Search Appliance must support DoD requirements to enforce password complexity by the number of numeric characters used.",
133
+ "description": "Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \n\nPassword complexity is one factor of several that determine how long it takes to crack a password. \n\nThe more complex the password is, the greater the number of possible combinations that need to be tested before the password is compromised. \n\nUse of a complex password helps to increase the time and resources required to compromise the password.",
134
+ "severity": "medium"
135
+ },
136
+ {
137
+ "id": "V-60783",
138
+ "title": "The Google Search Appliance must support DoD requirements to enforce password complexity by the number of special characters used.",
139
+ "description": "Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \n\nPassword complexity is one factor in determining how long it takes to crack a password. \n\nThe more complex the password is, the greater the number of possible combinations that need to be tested before the password is compromised. \n\nUse of a complex password helps to increase the time and resources required to compromise the password.",
140
+ "severity": "medium"
141
+ },
142
+ {
143
+ "id": "V-60785",
144
+ "title": "The Google Search Appliance must support organizational requirements to enforce password encryption for transmission.",
145
+ "description": "Passwords need to be protected at all times and encryption is the standard method for protecting passwords during transmission.",
146
+ "severity": "medium"
147
+ },
148
+ {
149
+ "id": "V-60787",
150
+ "title": "Google Search Appliances must enforce password minimum lifetime restrictions.",
151
+ "description": "Password minimum lifetime is defined as: the minimum period of time, (typically in days) a user's password must be in effect before the user can change it. \n\nRestricting this setting limits the user's ability to change their password. Passwords need to be changed at specific policy based intervals, however if the application allows the user to immediately and continually change their password then the password could be repeatedly changed in a short period of time so as to defeat the organizations policy regarding password reuse.\n\nThis would allow users to keep using the same password over and over again by immediately changing their password X number of times. This would effectively negate password policy.",
152
+ "severity": "medium"
153
+ },
154
+ {
155
+ "id": "V-60789",
156
+ "title": "The Google Search Appliances must respond to security function anomalies by notifying the system administrator.",
157
+ "description": "The need to verify security functionality applies to all security functions. \n\nFor those security functions not able to execute automated self-tests the organization either implements compensating security controls or explicitly accepts the risk of not performing the verification as required. Information system transitional states include startup, restart, shutdown, and abort.",
158
+ "severity": "medium"
159
+ },
160
+ {
161
+ "id": "V-60791",
162
+ "title": "Google Search Appliance must ensure authentication of both client and server during the entire session. An example of this is SSL Mutual Authentication.",
163
+ "description": "This control focuses on communications protection at the session, versus packet level. \n\nAt the application layer, session IDs are tokens generated by web applications to uniquely identify an application user's session. Web applications utilize session tokens or session IDs in order to establish application user identity. Proper use of session IDs addressed man-in-the-middle attacks including session hijacking or insertion of false information into a session. This control is only implemented where deemed necessary by the organization (e.g., sessions in service-oriented architectures providing web-based services).",
164
+ "severity": "medium"
165
+ },
166
+ {
167
+ "id": "V-60793",
168
+ "title": "The Google Search Appliance must employ automated mechanisms to alert security personnel of inappropriate or unusual activities with security implications.",
169
+ "description": "Applications will typically utilize logging mechanisms for maintaining a historical log of activity that occurs within the application. This information can then be used for diagnostic purposes, forensics purposes or other purposes relevant to ensuring the availability and integrity of the application. \n\nWhile it is important to log events identified as being critical and relevant to security, it is equally important to notify the appropriate personnel in a timely manner so they are able to respond to events as they occur.\n\nSolutions that include a manual notification procedure do not offer the reliability and speed of an automated notification solution. Applications must employ automated mechanisms to alert security personnel of inappropriate or unusual activities that have security implications. If this capability is not built directly into the application, the application must be able to integrate with existing security infrastructure that provides this capability.",
170
+ "severity": "medium"
171
+ },
172
+ {
173
+ "id": "V-60795",
174
+ "title": "The Google Search Appliance must employ cryptographic mechanisms preventing the unauthorized disclosure of information during transmission unless the transmitted data is otherwise protected by alternative physical measures.",
175
+ "description": "Preventing the disclosure of transmitted information requires that applications take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS), SSL VPN, or IPSEC tunnel. \n\nAlternative physical protection measures include, Protected Distribution Systems (PDS). PDS are used to transmit unencrypted classified NSI through an area of lesser classification or control. In as much as the classified NSI is unencrypted, the PDS must provide adequate electrical, electromagnetic, and physical safeguards to deter exploitation. Refer to NSTSSI No. 7003 for additional details on a PDS.",
176
+ "severity": "medium"
177
+ },
178
+ {
179
+ "id": "V-60797",
180
+ "title": "The Google Search Appliance must notify appropriate individuals when accounts are created.",
181
+ "description": "Once an attacker establishes initial access to a system, they often attempt to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply create a new account. \n\nNotification of account creation is one method and best practice for mitigating this risk. A comprehensive account management process will ensure that an audit trail which documents the creation of application user accounts and notifies administrators and/or application owners exists. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes. \n\nTo address the multitude of policy based access requirements, many application developers choose to integrate their applications with enterprise level authentication/access mechanisms that meet or exceed access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality. \n\nExamples of enterprise level authentication/access mechanisms include but are not limited to Active Directory and LDAP. \n\nApplications must support the requirement to notify appropriate individuals upon account creation.",
182
+ "severity": "medium"
183
+ },
184
+ {
185
+ "id": "V-60799",
186
+ "title": "The Google Search Appliance must notify appropriate individuals when accounts are modified.",
187
+ "description": "Once an attacker establishes initial access to a system, they often attempt to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply modify or copy an existing account.\n\nNotification of account modification is one method and best practice for mitigating this risk. A comprehensive account management process will ensure that an audit trail which documents the modification of application user accounts and notifies administrators and/or application owners exists. Such a process greatly reduces the risk that accounts will be surreptitiously created or modified and provides logging that can be used for forensic purposes.\n\nTo address the multitude of policy based access requirements, many application developers choose to integrate their applications with enterprise level authentication/access mechanisms that meet or exceed access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality.\n\nExamples of enterprise level authentication/access mechanisms include but are not limited to Active Directory and LDAP.\n\nApplications must support the requirement to notify appropriate individuals when accounts are modified.",
188
+ "severity": "medium"
189
+ },
190
+ {
191
+ "id": "V-60801",
192
+ "title": "The Google Search Appliance must notify appropriate individuals when account disabling actions are taken.",
193
+ "description": "When application accounts are disabled, user accessibility is affected. Accounts are utilized for identifying individual application users or for identifying the application processes themselves. \n\nIn order to detect and respond to events that affect user accessibility and application processing, applications must audit account disabling actions and, as required, notify as required the appropriate individuals so they can investigate the event. Such a capability greatly reduces the risk that application accessibility will be negatively affected for extended periods of time and also provides logging that can be used for forensic purposes. \n\nTo address the multitude of policy based access requirements, many application developers choose to integrate their applications with enterprise level authentication/access mechanisms that meet or exceed access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality. \n\nExamples of enterprise level authentication/access mechanisms include but are not limited to Active Directory and LDAP.\n\nApplications must notify, or leverage other mechanisms that notify, the appropriate individuals when accounts disabling actions are taken.",
194
+ "severity": "medium"
195
+ },
196
+ {
197
+ "id": "V-60803",
198
+ "title": "The Google Search Appliance must notify appropriate individuals when accounts are terminated.",
199
+ "description": "When application accounts are terminated, user accessibility is affected. Accounts are utilized for identifying individual application users or for identifying the application processes themselves. \n\nIn order to detect and respond to events that affect user accessibility and application processing, applications must notify the appropriate individuals when an account is terminated so they can investigate the event. Such a capability greatly reduces the risk that application accessibility will be negatively affected for extended periods of time and provides logging that can be used for forensic purposes. \n\nTo address the multitude of policy based audit requirements, and to ease the burden of meeting these requirements, many application developers choose to integrate their applications with enterprise level authentication/access/audit mechanisms that meet or exceed access control policy requirements. Examples include but are not limited to Active Directory and LDAP.\n\nThe application must automatically notify the appropriate individuals when accounts are terminated.",
200
+ "severity": "medium"
201
+ },
202
+ {
203
+ "id": "V-60805",
204
+ "title": "The Google Search Appliance must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. IP restriction must be implemented.",
205
+ "description": "Configuring the application to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. \n\nConfiguration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the application, including the parameters required to satisfy other security control requirements.",
206
+ "severity": "medium"
207
+ }
208
+ ]
209
+ }
@@ -0,0 +1,89 @@
1
+ {
2
+ "name": "stig_harris_secnet_11_54",
3
+ "date": "2016-11-14",
4
+ "description": "This STIG contains the technical security controls for the operation of the Harris SecNet 11 or 54 classified WLAN devices in the DoD environment.",
5
+ "title": "Harris SecNet 11 / 54 Security Technical Implementation Guide (STIG)",
6
+ "version": "6",
7
+ "item_syntax": "^\\w-\\d+$",
8
+ "section_separator": null,
9
+ "items": [
10
+ {
11
+ "id": "V-14002",
12
+ "title": "A device’s wired network interfaces (e.g., Ethernet) must be disconnected or otherwise disabled when wireless connections are in use.",
13
+ "description": "If a client device supports simultaneous use of wireless and wired connections, then this increases the probability that an adversary who can access the device using its wireless interface can then route traffic through the device’s wired interface to attack devices on the wired network or obtain sensitive DoD information.",
14
+ "severity": "medium"
15
+ },
16
+ {
17
+ "id": "V-14846",
18
+ "title": "WLAN SSIDs must be changed from the manufacturer’s default to a pseudo random word that does not identify the unit, base, organization, etc. ",
19
+ "description": "An SSID identifying the unit, site or purpose of the WLAN or is set to the manufacturer default may cause an OPSEC vulnerability.",
20
+ "severity": "low"
21
+ },
22
+ {
23
+ "id": "V-14886",
24
+ "title": "Wireless access points and bridges must be placed in dedicated subnets outside the enclave’s perimeter.",
25
+ "description": "If an adversary is able to compromise an access point or controller that is directly connected to an enclave network, then the adversary can easily surveil and attack other devices from that beachhead. A defense-in-depth approach requires an additional layer of protection exist between the WLAN and the enclave network. This is particularly important for wireless networks, which may be vulnerable to attack from outside physical perimeter of the facility or base given the inherent nature of radio communications to penetrate walls, fences, and other physical boundaries.",
26
+ "severity": "medium"
27
+ },
28
+ {
29
+ "id": "V-15300",
30
+ "title": "Any wireless technology used to transmit classified information must be an NSA Type 1 product. ",
31
+ "description": "NSA Type 1 certification provides the level of assurance required for transmission of classified data. Systems without this certification are more likely to be compromised by a determined and resourceful adversary.",
32
+ "severity": "high"
33
+ },
34
+ {
35
+ "id": "V-18582",
36
+ "title": "A Secure WLAN (SWLAN) connected to the SIPRNet must have a SIPRNet connection approval package must be on file with the Classified Connection Approval Office (CCAO). ",
37
+ "description": "The CCAO approval process provides assurance that the SWLAN use is appropriate and does not introduce unmitigated risks into the SIPRNET.",
38
+ "severity": "high"
39
+ },
40
+ {
41
+ "id": "V-18583",
42
+ "title": "Before a Secure WLAN (SWLAN) becomes operational and is connected to the SIPRNet the Certified TEMPEST Technical Authority (CTTA) must be notified.",
43
+ "description": "Wireless signals are extremely vulnerable to both detection and interception, which can provide an adversary with the location and intensity of particular DoD activities and potentially reveal classified DoD information. TEMPEST reviews provide assurance that unacceptable risks have been identified and mitigated.",
44
+ "severity": "medium"
45
+ },
46
+ {
47
+ "id": "V-18584",
48
+ "title": "Physical security controls must be implemented for SWLAN access points. ",
49
+ "description": "If an adversary is able to gain physical access to a SWLAN device, it may be able to compromise the device in a variety of ways, some of which could enable the adversary to obtain classified data. Physical security controls greatly mitigate this risk.",
50
+ "severity": "medium"
51
+ },
52
+ {
53
+ "id": "V-30359",
54
+ "title": "SWLAN access points must implement MAC filtering. ",
55
+ "description": "Medium access control (MAC) filtering is a mechanism for ensuring that only authorized devices connect to the WLAN. While there are other methods to achieve similar protection with greater assurance, MAC filtering can be employed as a defense-in-depth measure. ",
56
+ "severity": "low"
57
+ },
58
+ {
59
+ "id": "V-30369",
60
+ "title": "SWLAN must be rekeyed at least every 90 days. ",
61
+ "description": "The longer a key remains in use, the more likely it will be compromised. If an adversary can compromise an SWLAN key, then it can obtain classified information. ",
62
+ "severity": "high"
63
+ },
64
+ {
65
+ "id": "V-3512",
66
+ "title": "NSA Type1 products and required procedures must be used to protect classified data at rest (DAR) on wireless devices used on a classified WLAN or WMAN. ",
67
+ "description": "NSA Type 1 products provide a high level of assurance that cryptography is implemented correctly and meets the standards for storage of classified information. Use of cryptography that is not Type 1 certified violates policy and increases the risk that classified data will be compromised. ",
68
+ "severity": "high"
69
+ },
70
+ {
71
+ "id": "V-4636",
72
+ "title": "A Secure WLAN (SWLAN) must conform to an approved network architecture.",
73
+ "description": "Approved network architectures have been assessed for IA risk. Non-approved architectures provide less assurance than approved architectures because they have not undergone the same level of evaluation.",
74
+ "severity": "high"
75
+ },
76
+ {
77
+ "id": "V-7075",
78
+ "title": "The site must have written procedures for the protection, handling, accounting, and use of NSA Type 1 products.",
79
+ "description": "Written procedures provide assurance that personnel take the required steps to prevent loss of keys or other breaches of system security.",
80
+ "severity": "low"
81
+ },
82
+ {
83
+ "id": "V-72525",
84
+ "title": "Only supported versions of the Harris SecNet 11/54 should be used.",
85
+ "description": "If an unsupported version of the Harris SecNet wireless router is being used, the device is not being updated with security patches and may contain vulnerabilities that may expose classified data to unauthorized people. The SecNet 11 and 54 support old and obsolete wireless technologies and are no longer being supported by Harris.",
86
+ "severity": "high"
87
+ }
88
+ ]
89
+ }
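Review bot: The `item_syntax` value on line 7 of this new file, `^\\w-\\d+$`, is anchored with `^` and `$`, which in Ruby match at line boundaries rather than at the start and end of the whole string. How the pattern is consumed is not visible in this hunk, but if the Ruby side compiles it with `Regexp.new` to validate or extract item ids, a multi-line value that merely contains a line such as `V-14002` would be accepted. Writing it as `\\A\\w-\\d+\\z` closes that gap. Since every id in this file starts with `V-`, `\\AV-\\d+\\z` would be tighter still, if that holds for the other standards too.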