kriterion 0.0.1

data/standards/stig_akamai_ksd_service_impact_level_2_alg.json

@@ -0,0 +1,209 @@
+{
+  "name": "stig_akamai_ksd_service_impact_level_2_alg",
+  "date": "2017-09-15",
+  "description": "This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.",
+  "title": "Akamai KSD Service Impact Level 2 ALG Security Technical Implementation Guide",
+  "version": "1",
+  "item_syntax": "^\\w-\\d+$",
+  "section_separator": null,
+  "items": [
+    {
+      "id": "V-76391",
+      "title": "Kona Site Defender must immediately use updates made to policy enforcement mechanisms to enforce that all traffic flows over HTTPS port 443.",
+      "description": "Information flow policies regarding dynamic information flow control include, for example, allowing or disallowing information flows based on changes to the PPSM CAL, vulnerability assessments, or mission conditions. Changing conditions include changes in the threat environment and detection of potentially harmful or adverse events.\n\nChanges to the ALG must take effect when made by an authorized administrator and the new configuration is put in place or committed, including upon restart of the application or reboot of the system. With some devices, the changes take effect as the configuration is changed, while with others, the new configuration must be submitted to the device. In any case, the behavior of the ALG must immediately be affected to reflect the configuration change.",
+      "severity": "high"
+    },
+    {
+      "id": "V-76393",
+      "title": "Kona Site Defender must immediately apply updates to the Kona Rule Set to block designated traffic of interest in response to new or emerging threats.",
+      "description": "Information flow policies regarding dynamic information flow control include, for example, allowing or disallowing information flows based on changes to the PPSM CAL, vulnerability assessments, or mission conditions. Changing conditions include changes in the threat environment and detection of potentially harmful or adverse events.\n\nChanges to the ALG must take effect when made by an authorized administrator and the new configuration is put in place or committed, including upon restart of the application or reboot of the system. With some devices, the changes take effect as the configuration is changed, while with others, the new configuration must be submitted to the device. In any case, the behavior of the ALG must immediately be affected to reflect the configuration change.",
+      "severity": "high"
+    },
+    {
+      "id": "V-76395",
+      "title": "Kona Site Defender must immediately use updates made to policy enforcement mechanisms to block traffic from organizationally defined geographic regions.",
+      "description": "Information flow policies regarding dynamic information flow control include, for example, allowing or disallowing information flows based on changes to the PPSM CAL, vulnerability assessments, or mission conditions. Changing conditions include changes in the threat environment and detection of potentially harmful or adverse events.\n\nChanges to the ALG must take effect when made by an authorized administrator and the new configuration is put in place or committed, including upon restart of the application or reboot of the system. With some devices, the changes take effect as the configuration is changed, while with others, the new configuration must be submitted to the device. In any case, the behavior of the ALG must immediately be affected to reflect the configuration change.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-76397",
+      "title": "Kona Site Defender must immediately use updates made to policy enforcement mechanisms to block traffic from organizationally defined IP addresses (i.e., IP blacklist).",
+      "description": "Information flow policies regarding dynamic information flow control include, for example, allowing or disallowing information flows based on changes to the PPSM CAL, vulnerability assessments, or mission conditions. Changing conditions include changes in the threat environment and detection of potentially harmful or adverse events.\n\nChanges to the ALG must take effect when made by an authorized administrator and the new configuration is put in place or committed, including upon restart of the application or reboot of the system. With some devices, the changes take effect as the configuration is changed, while with others, the new configuration must be submitted to the device. In any case, the behavior of the ALG must immediately be affected to reflect the configuration change.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-76399",
+      "title": "Kona Site Defender must immediately use updates made to policy enforcement mechanisms to allow traffic from organizationally defined IP addresses (i.e., IP whitelist).",
+      "description": "Information flow policies regarding dynamic information flow control include, for example, allowing or disallowing information flows based on changes to the PPSM CAL, vulnerability assessments, or mission conditions. Changing conditions include changes in the threat environment and detection of potentially harmful or adverse events.\n\nChanges to the ALG must take effect when made by an authorized administrator and the new configuration is put in place or committed, including upon restart of the application or reboot of the system. With some devices, the changes take effect as the configuration is changed, while with others, the new configuration must be submitted to the device. In any case, the behavior of the ALG must immediately be affected to reflect the configuration change.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-76401",
+      "title": "Kona Site Defender that provides intermediary services for TLS must be configured to comply with the required TLS settings in NIST SP 800-52.",
+      "description": "NIST SP 800-52 provides guidance on using the most secure version and configuration of the TLS/SSL protocol. Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol.\n\nThis requirement applies to TLS gateways (also known as SSL gateways) and is not applicable to VPN devices. Application protocols such as HTTPS and DNSSEC use TLS as the underlying security protocol and therefore are in scope for this requirement. NIST SP 800-52 provides guidance.\n\nNIST SP 800-52 sets TLS version 1.1 as a minimum version; thus, no versions of SSL are allowed (including for client negotiation) on either DoD only or public-facing servers.",
+      "severity": "high"
+    },
+    {
+      "id": "V-76403",
+      "title": "To protect against data mining, Kona Site Defender providing content filtering must prevent code injection attacks from being launched against data storage objects, including, at a minimum, databases, database records, queries, and fields.",
+      "description": "Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to prevent attacks launched against organizational information from unauthorized data mining may result in the compromise of information.\n\nInjection attacks allow an attacker to inject code into a program or query or inject malware onto a computer to execute remote commands that can read or modify a database or change data on a website. Web applications frequently access databases to store, retrieve, and update information. An attacker can construct inputs that the database will execute. This is most commonly referred to as a code injection attack. This type of attack includes XPath and LDAP injections.\n\nCompliance requires the ALG to have the capability to prevent code injections. Examples include web application firewalls (WAFs) or database application gateways.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-76405",
+      "title": "To protect against data mining, Kona Site Defender providing content filtering must prevent code injection attacks launched against application objects including, at a minimum, application URLs and application code.",
+      "description": "Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to prevent attacks launched against organizational information from unauthorized data mining may result in the compromise of information.\n\nInjection attacks allow an attacker to inject code into a program or query or inject malware onto a computer to execute remote commands that can read or modify a database or change data on a website. These attacks include buffer overrun, XML, JavaScript, and HTML injections.\n \nCompliance requires the ALG to have the capability to prevent code injections. Examples include web application firewalls (WAFs) or database application gateways.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-76407",
+      "title": "To protect against data mining, Kona Site Defender providing content filtering must prevent SQL injection attacks launched against data storage objects, including, at a minimum, databases, database records, and database fields.",
+      "description": "Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to prevent attacks launched against organizational information from unauthorized data mining may result in the compromise of information.\n\nSQL injection attacks are the most prevalent attacks against web applications and databases. These attacks inject SQL commands that can read, modify, or compromise the meaning of the original SQL query. An attacker can spoof identity; expose, tamper, destroy, or make existing data unavailable; or gain unauthorized privileges on the database server.\n\nCompliance requires the ALG to have the capability to prevent SQL code injections. Examples include a web application firewalls (WAFs) or database application gateways.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-76409",
+      "title": "To protect against data mining, Kona Site Defender providing content filtering must detect code injection attacks launched against data storage objects, including, at a minimum, databases, database records, queries, and fields.",
+      "description": "Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to detect attacks launched against organizational databases may result in the compromise of information.\n\nInjection attacks allow an attacker to inject code into a program or query or inject malware onto a computer to execute remote commands that can read or modify a database or change data on a website. Web applications frequently access databases to store, retrieve, and update information. An attacker can construct inputs that the database will execute. This is most commonly referred to as a code injection attack. This type of attack includes XPath and LDAP injections.\n \nALGs with anomaly detection must be configured to protect against unauthorized code injections. These devices must include rules and anomaly detection algorithms to monitor for atypical database queries or accesses. Examples include web application firewalls (WAFs) or database application gateways.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-76411",
+      "title": "To protect against data mining, Kona Site Defender providing content filtering must detect SQL injection attacks launched against data storage objects, including, at a minimum, databases, database records, and database fields.",
+      "description": "Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to detect attacks launched against organizational databases may result in the compromise of information.\n\nSQL injection attacks are the most prevalent attacks against web applications and databases. These attacks inject SQL commands that can read, modify, or compromise the meaning of the original SQL query. An attacker can spoof identity; expose, tamper, destroy, or make existing data unavailable; or gain unauthorized privileges on the database server.\n\nALGs with anomaly detection must be configured to protect against unauthorized data mining attacks. These devices must include rules and anomaly detection algorithms to monitor for atypical database queries or accesses. Examples include web application firewalls (WAFs) or database application gateways.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-76413",
+      "title": "To protect against data mining, Kona Site Defender providing content filtering as part of its intermediary services must detect code injection attacks launched against application objects including, at a minimum, application URLs and application code.",
+      "description": "Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to detect attacks launched against organizational applications may result in the compromise of information.\n\nInjection attacks allow an attacker to inject code into a program or query or inject malware onto a computer to execute remote commands that can read or modify a database or change data on a website. These attacks include buffer overrun, XML, JavaScript, and HTML injections.\n\nALGs with anomaly detection must be configured to protect against unauthorized code injections. These devices must include rules and anomaly detection algorithms to monitor for atypical database queries or accesses. Examples include web application firewalls (WAFs) or database application gateways.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-76415",
+      "title": "Kona Site Defender must off-load audit records onto a centralized log server.",
+      "description": "Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n\nOff-loading is a common process in information systems with limited audit storage capacity.\n\nThis does not apply to audit logs generated on behalf of the device itself (management).",
+      "severity": "medium"
+    },
+    {
+      "id": "V-76417",
+      "title": "Kona Site Defender must off-load audit records onto a centralized log server in real time.",
+      "description": "Off-loading ensures audit information does not get overwritten if the limited audit storage capacity is reached and also protects the audit record in case the system/component being audited is compromised.\n\nOff-loading is a common process in information systems with limited audit storage capacity. The audit storage on the ALG is used only in a transitory fashion until the system can communicate with the centralized log server designated for storing the audit records, at which point the information is transferred. However, DoD requires that the log be transferred in real time, which indicates that the time from event detection to off-loading is seconds or less.\n\nThis does not apply to audit logs generated on behalf of the device itself (management).",
+      "severity": "low"
+    },
+    {
+      "id": "V-76419",
+      "title": "Kona Site Defender must not strip origin-defined HTTP session headers.",
+      "description": "Lack of authentication enables anyone to gain access to the network or possibly a network element that provides the opportunity for intruders to compromise resources within the network infrastructure. By identifying and authenticating non-organizational users, their access to network resources can be restricted accordingly.\n\nNon-organizational users will be uniquely identified and authenticated for all accesses other than accesses explicitly identified and documented by the organization when related to the use of anonymous access. Authorization requires an individual account identifier that has been approved, assigned, and configured on an authentication server. Authentication of user identities is accomplished through the use of passwords, tokens, biometrics, or in the case of multifactor authentication, some combination thereof.\n\nThis control applies to application layer gateways that provide content filtering and proxy services on network segments (e.g., DMZ) that allow access by non-organizational users. It focuses on authentication requests to the proxied application for access to destination resources and policy filtering decisions rather than administrator and management functions.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-76421",
+      "title": "Kona Site Defender providing content filtering must protect against known and unknown types of denial-of-service (DoS) attacks by employing rate-based attack prevention behavior analysis.",
+      "description": "If the network does not provide safeguards against DoS attacks, network resources may not be available to users during an attack.\n\nInstallation of content filtering gateways and application layer firewalls at key boundaries in the architecture mitigates the risk of DoS attacks. These attacks can be detected by matching observed communications traffic with patterns of known attacks and monitoring for anomalies in traffic volume/type.\n\nDetection components that use rate-based behavior analysis can detect attacks when signatures for the attack do not exist or are not installed. These attacks include zero-day attacks, which are new attacks for which vendors have not yet developed signatures. Rate-based behavior analysis can detect sophisticated, Distributed DoS (DDoS) attacks by correlating traffic information from multiple network segments or components.\n \nThis requirement applies to the communications traffic functionality of the ALG as it pertains to handling communications traffic, rather than to the ALG device itself.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-76423",
+      "title": "Kona Site Defender providing content filtering must protect against known types of denial-of-service (DoS) attacks by employing signatures.",
+      "description": "If the network does not provide safeguards against DoS attacks, network resources may not be available to users during an attack.\n\nInstallation of content filtering gateways and application layer firewalls at key boundaries in the architecture mitigates the risk of DoS attacks. These attacks can be detected by matching observed communications traffic with patterns of known attacks and monitoring for anomalies in traffic volume, type, or protocol usage.\n\nDetection components that use signatures can detect known attacks by using known attack signatures. Signatures are usually obtained from and updated by the ALG component vendor.\n \nThis requirement applies to the communications traffic functionality of the ALG as it pertains to handling communications traffic, rather than to the ALG device itself.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-76425",
+      "title": "Kona Site Defender that provides intermediary services for HTTP must inspect inbound and outbound HTTP traffic for protocol compliance and protocol anomalies.",
+      "description": "Application protocol anomaly detection examines application layer protocols such as HTTP to identify attacks based on observed deviations in the normal RFC behavior of a protocol or service. This type of monitoring allows for the detection of known and unknown exploits that exploit weaknesses of commonly used protocols.\n\nSince protocol anomaly analysis examines the application payload for patterns or anomalies, an HTTP proxy must be included in the ALG. This ALG will be configured to inspect inbound and outbound HTTP communications traffic to detect protocol anomalies such as malformed message and command insertion attacks.\n\nAll inbound and outbound traffic, including HTTPS, must be inspected. However, the intention of this policy is not to mandate HTTPS inspection by the ALG. Typically, HTTPS traffic is inspected at the source or destination and/or is directed for inspection by an organizationally defined network termination point.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-76427",
+      "title": "Kona Site Defender providing encryption intermediary services must implement NIST FIPS-validated cryptography to generate cryptographic hashes.",
+      "description": "Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The network element must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.\n\nThis requirement applies only to ALGs that provide encryption intermediary services (e.g., HTTPS, TLS, or DNSSEC).",
+      "severity": "high"
+    },
+    {
+      "id": "V-76429",
+      "title": "Kona Site Defender providing encryption intermediary services must implement NIST FIPS-validated cryptography for digital signatures.",
+      "description": "Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The network element must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.\n\nThis requirement applies only to ALGs that provide encryption intermediary services (e.g., HTTPS, TLS, or DNSSEC).",
+      "severity": "medium"
+    },
+    {
+      "id": "V-76431",
+      "title": "Kona Site Defender providing encryption intermediary services must use NIST FIPS-validated cryptography to implement encryption services.",
+      "description": "Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The network element must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.\n\nThis requirement applies only to ALGs that provide encryption intermediary services (e.g., HTTPS, TLS, or DNSSEC).",
+      "severity": "high"
+    },
+    {
+      "id": "V-76433",
+      "title": "Kona Site Defender providing user authentication intermediary services using PKI-based user authentication must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of protected sessions.",
+      "description": "Non-DoD approved PKIs have not been evaluated to ensure that they have security controls and identity vetting procedures in place that are sufficient for DoD systems to rely on the identity asserted in the certificate. PKIs lacking sufficient security controls and identity vetting procedures risk being compromised and issuing certificates that enable adversaries to impersonate legitimate users.\n\nThe authoritative list of DoD-approved PKIs is published at http://iase.disa.mil/pki-pke/interoperability. DoD-approved PKI CAs may include Category I, II, and III certificates. Category I DoD-approved external PKIs are PIV issuers. Category II DoD-approved external PKIs are Non-Federal Agency PKIs cross-certified with the Federal Bridge Certification Authority (FBCA). Category III DoD-approved external PKIs are Foreign, Allied, or Coalition Partner PKIs.\n\nDeploying the ALG with TLS enabled will require the installation of DoD and/or DoD-approved CA certificates in the trusted root certificate store of each proxy to be used for TLS traffic. \n\nThis requirement focuses on communications protection for the application session rather than for the network packet.",
+      "severity": "high"
+    },
+    {
+      "id": "V-76435",
+      "title": "Kona Site Defender providing content filtering must update malicious code protection mechanisms and signature definitions whenever new releases are available in accordance with organizational configuration management policy and procedures.",
+      "description": "Malicious code protection mechanisms include but are not limited to anti-virus and malware detection software. To minimize any potential negative impact to the organization caused by malicious code, malicious code must be identified and eradicated. Malicious code includes viruses, worms, trojan horses, and spyware.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-76437",
+      "title": "Kona Site Defender providing content filtering must block malicious code upon detection.",
+      "description": "Taking an appropriate action based on local organizational incident handling procedures minimizes the impact of malicious code on the network.\n\nThis requirement is limited to ALGs, web content filters, and packet inspection firewalls that perform malicious code detection as part of their functionality.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-76439",
+      "title": "Kona Site Defender providing content filtering must send an immediate (within seconds) alert to the system administrator, at a minimum, in response to malicious code detection.",
+      "description": "Without an alert, security personnel may be unaware of an impending failure of the audit capability. This will impede the ability to perform forensic analysis and detect rate-based and other anomalies.\n\nThe ALG generates an immediate (within seconds) alert that notifies designated personnel of the incident. Sending a message to an unattended log or console does not meet this requirement since that will not be seen immediately. These messages should include a severity level indicator or code as an indicator of the criticality of the incident.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-76441",
+      "title": "Kona Site Defender providing content filtering must be configured to integrate with a system-wide intrusion detection system.",
+      "description": "Without coordinated reporting between separate devices, it is not possible to identify the true scale and possible target of an attack.\n\nIntegration of the ALG with a system-wide intrusion detection system supports continuous monitoring and incident response programs. This requirement applies to monitoring at internal boundaries using TLS gateways, web content filters, email gateways, and other types of ALGs.\n\nALGs can work as part of the network monitoring capabilities to off-load inspection functions from the external boundary IDPS by performing more granular content inspection of protocols at the upper layers of the OSI reference model.",
+      "severity": "low"
+    },
+    {
+      "id": "V-76443",
+      "title": "Kona Site Defender providing content filtering must continuously monitor inbound communications traffic crossing internal security boundaries for unusual or unauthorized activities or conditions.",
+      "description": "If inbound communications traffic is not continuously monitored, hostile activity may not be detected and prevented. Output from application and traffic monitoring serves as input to continuous monitoring and incident response programs.\n\nInternal monitoring includes the observation of events occurring on the network that cross internal boundaries at managed interfaces such as web content filters. Depending on the type of ALG, organizations can monitor information systems by monitoring audit activities, application access patterns, characteristics of access, content filtering, or unauthorized exporting of information across boundaries. Unusual/unauthorized activities or conditions may include large file transfers, long-time persistent connections, unusual protocols and ports in use, and attempted communications with suspected malicious external addresses.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-76445",
+      "title": "Kona Site Defender providing content filtering must send an alert to, at a minimum, the ISSO and ISSM when detection events occur.",
+      "description": "Without an alert, security personnel may be unaware of major detection incidents that require immediate action, and this delay may result in the loss or compromise of information.\n\nSince these incidents require immediate action, these messages are assigned a critical or Level 1 priority/severity, depending on the system's priority schema.\n\nIn accordance with CCI-001242, the ALG that provides content inspection services is a real-time intrusion detection system. These systems must generate an alert when detection events from real-time monitoring occur. Alerts may be transmitted, for example, telephonically, by electronic mail messages, or by text messaging. The ALG must either send the alert to a management console that is actively monitored by authorized personnel or use a messaging capability to send the alert directly to designated personnel.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-76447",
+      "title": "Kona Site Defender providing content filtering must generate an alert to, at a minimum, the ISSO and ISSM when threats identified by authoritative sources (e.g., IAVMs or CTOs) are detected.",
+      "description": "Without an alert, security personnel may be unaware of major detection incidents that require immediate action, and this delay may result in the loss or compromise of information.\n\nThe ALG generates an alert that notifies designated personnel of the Indicators of Compromise (IOCs) that require real-time alerts. These messages should include a severity level indicator or code as an indicator of the criticality of the incident. These indicators reflect the occurrence of a compromise or a potential compromise.\n\nSince these incidents require immediate action, these messages are assigned a critical or Level 1 priority/severity, depending on the system's priority schema.\n\nAlerts may be transmitted, for example, telephonically, by electronic mail messages, or by text messaging. The ALG must either send the alert to a management console that is actively monitored by authorized personnel or use a messaging capability to send the alert directly to designated personnel.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-76449",
+      "title": "Kona Site Defender providing content filtering must generate an alert to, at a minimum, the ISSO and ISSM when denial-of-service (DoS) incidents are detected.",
+      "description": "Without an alert, security personnel may be unaware of major detection incidents that require immediate action, and this delay may result in the loss or compromise of information.\n\nThe ALG generates an alert that notifies designated personnel of the Indicators of Compromise (IOCs) that require real-time alerts. These messages should include a severity level indicator or code as an indicator of the criticality of the incident. These indicators reflect the occurrence of a compromise or a potential compromise.\n\nSince these incidents require immediate action, these messages are assigned a critical or Level 1 priority/severity, depending on the system's priority schema.\n\nCJCSM 6510.01B, \"Cyber Incident Handling Program\", lists nine Cyber Incident and Reportable Event Categories. DoD has determined that categories identified by CJCSM 6510.01B Major Indicators (category 1, 2, 4, or 7 detection events) will require an alert when an event is detected.\n\nAlerts may be transmitted, for example, telephonically, by electronic mail messages, or by text messaging. The ALG must either send the alert to a management console that is actively monitored by authorized personnel or use a messaging capability to send the alert directly to designated personnel.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-76451",
+      "title": "Kona Site Defender must check the validity of all data inputs except those specifically identified by the organization.",
+      "description": "Invalid user input occurs when a user inserts data or characters into an application's data entry fields and the application is unprepared to process that data. This results in unanticipated application behavior, potentially leading to an application or information system compromise. Invalid input is one of the primary methods employed when attempting to compromise an application.\n\nNetwork devices with the functionality to perform application layer inspection may be leveraged to validate data content of network communications. Checking the valid syntax and semantics of information system inputs (e.g., character set, length, numerical range, and acceptable values) verifies that inputs match specified definitions for format and content. Software typically follows well-defined protocols that use structured messages (i.e., commands or queries) to communicate between software modules or system components.\n\nStructured messages can contain raw or unstructured data interspersed with metadata or control information. If network elements use attacker-supplied inputs to construct structured messages without properly encoding such messages, the attacker could insert malicious commands or special characters that can cause the data to be interpreted as control information or metadata. Consequently, the module or component that receives the tainted output will perform the wrong operations or otherwise interpret the data incorrectly.\n\nPre-screening inputs prior to passing to interpreters prevents the content from being unintentionally interpreted as commands. Input validation helps to ensure accurate and correct inputs and prevent attacks such as cross-site scripting and a variety of injection attacks.\n\nThis requirement applies to gateways and firewalls that perform content inspection or have higher-layer proxy functionality.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-76453",
+      "title": "Kona Site Defender must reveal error messages only to the ISSO, ISSM, and SCA.",
+      "description": "Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can give configuration details about the network element.\n\nLimiting access to system logs and administrative consoles to authorized personnel will help to mitigate this risk. However, user feedback and error messages should also be restricted by type and content in accordance with security best practices (e.g., ICMP messages).",
+      "severity": "high"
+    },
+    {
+      "id": "V-76455",
+      "title": "Kona Site Defender must only allow incoming communications from organization-defined authorized sources routed to organization-defined authorized destinations.",
+      "description": "Unrestricted traffic may contain malicious traffic which poses a threat to an enclave or to other connected networks. Additionally, unrestricted traffic may transit a network, which uses bandwidth and other resources.\n\nAccess control policies and access control lists implemented on devices that control the flow of network traffic (e.g., application level firewalls and Web content filters), ensure the flow of traffic is only allowed from authorized sources to authorized destinations. Networks with different levels of trust (e.g., the Internet or CDS) must be kept separate.",
+      "severity": "medium"
+    }
+  ]
+}

data/standards/stig_akamai_ksd_service_impact_level_2_ndm.json

@@ -0,0 +1,155 @@
+{
+  "name": "stig_akamai_ksd_service_impact_level_2_ndm",
+  "date": "2017-09-15",
+  "description": "This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.",
+  "title": "Akamai KSD Service Impact Level 2 NDM Security Technical Implementation Guide",
+  "version": "1",
+  "item_syntax": "^\\w-\\d+$",
+  "section_separator": null,
+  "items": [
+    {
+      "id": "V-76457",
+      "title": "Upon successful login, the Akamai Luna Portal must notify the administrator of the date and time of the last login.",
+      "description": "Administrators need to be aware of activity that occurs regarding their network device management account. Providing administrators with information regarding the date and time of their last successful login allows them to determine if any unauthorized activity has occurred. This incorporates all methods of login, including but not limited to SSH, HTTP, HTTPS, and physical connectivity.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-76459",
+      "title": "The Akamai Luna Portal must notify the administrator of the number of successful login attempts.",
+      "description": "Administrators need to be aware of activity that occurs regarding their network device management account. Providing administrators with information regarding the date and time of their last successful login allows the administrator to determine if any unauthorized activity has occurred. This incorporates all methods of login, including but not limited to SSH, HTTP, HTTPS, and physical connectivity. The organization-defined time period is dependent on the frequency with which administrators typically log in to the network device.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-76461",
+      "title": "The Akamai Luna Portal must initiate a session logoff after a 15-minute period of inactivity.",
+      "description": "A session lock is a temporary network device or administrator-initiated action taken when the administrator stops work but does not log out of the network device. Rather than relying on the user to manually lock their management session prior to vacating the vicinity, network devices need to be able to identify when a management session has idled and take action to initiate the session lock. Once invoked, the session lock must remain in place until the administrator reauthenticates. No other system activity aside from reauthentication must unlock the management session.\n\nWhen the network device is remotely administered, a session logoff may be the only practical option in lieu of a session lock. For a web portal, a session logoff must be invoked when idle time is exceeded for an administrator.\n\nNote that CCI-001133 requires that administrative network sessions be disconnected after 10 minutes of idle time.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-76463",
+      "title": "The Akamai Luna Portal must automatically audit account creation.",
+      "description": "Upon gaining access to a network device, an attacker will often first attempt to create a persistent method of reestablishing access. One way to accomplish this is to create a new account. Notification of account creation helps to mitigate this risk. Auditing account creation provides the necessary reconciliation that account management procedures are being followed. Without this audit trail, personnel without the proper authorization may gain access to critical network nodes.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-76465",
+      "title": "The Akamai Luna Portal must automatically audit account modification.",
+      "description": "Since the accounts in the network device are privileged or system-level accounts, account management is vital to the security of the network device. Account management by a designated authority ensures access to the network device is being controlled in a secure manner by granting access to only authorized personnel with the appropriate and necessary privileges. Auditing account modification along with an automatic notification to appropriate individuals will provide the necessary reconciliation that account management procedures are being followed. If modifications to management accounts are not audited, reconciliation of account management procedures cannot be tracked.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-76467",
+      "title": "The Akamai Luna Portal must automatically audit account removal actions.",
+      "description": "Account management, as a whole, ensures access to the network device is being controlled in a secure manner by granting access to only authorized personnel. Auditing account removal actions will support account management procedures. When device management accounts are terminated, user or service accessibility may be affected. Auditing also ensures authorized active accounts remain enabled and available for use when required.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-76469",
+      "title": "The Akamai Luna Portal must generate alerts that can be forwarded to the SAs and ISSO when accounts are created.",
+      "description": "Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply create a new account. Notification of account creation is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail that documents the creation of accounts and notifies the SAs and ISSO. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-76471",
+      "title": "The Akamai Luna Portal must generate alerts that can be forwarded to the SAs and ISSO when accounts are modified.",
+      "description": "Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply modify an existing account. Notification of account modification is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail that documents the modification of device administrator accounts and notifies the SAs and ISSO. Such a process greatly reduces the risk that accounts will be surreptitiously modified and provides logging that can be used for forensic purposes.\n\nThe network device must generate the alert. Notification may be done by a management server.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-76473",
+      "title": "The Akamai Luna Portal must generate alerts that can be forwarded to the SAs and ISSO when accounts are removed.",
+      "description": "When application accounts are removed, administrator accessibility is affected. Accounts are used for identifying individual device administrators or for identifying the device processes themselves. \n\nIn order to detect and respond to events that affect administrator accessibility and device processing, devices must audit account removal actions and, as required, notify the appropriate individuals so they can investigate the event. Such a capability greatly reduces the risk that device accessibility will be negatively affected for extended periods of time and also provides logging that can be used for forensic purposes.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-76475",
+      "title": "The Akamai Luna Portal must automatically audit account enabling actions.",
+      "description": "Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to enable a new or disabled account.\n\nNotification of account enabling is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail that documents the creation of application user accounts and notifies administrators and ISSOs. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-76477",
+      "title": "The Akamai Luna Portal must notify the SAs and ISSO when accounts are created, or enabled when previously disabled.",
+      "description": "Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply enable a new or disabled account. Notification of account enabling is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail which documents the creation of application user accounts and notifies the SAs and ISSO. Such a process greatly reduces the risk that accounts will be surreptitiously enabled and provides logging that can be used for forensic purposes.\n\nIn order to detect and respond to events that affect network administrator accessibility and device processing, network devices must audit account enabling actions and, as required, notify the appropriate individuals so they can investigate the event.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-76479",
+      "title": "The Akamai Luna Portal must audit the execution of privileged functions.",
+      "description": "Misuse of privileged functions, either intentionally or unintentionally by authorized users or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-76481",
+      "title": "The Akamai Luna Portal must provide audit record generation capability for DoD-defined auditable events within the network device.",
+      "description": "Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the network device (e.g., process, module). Certain specific device functionalities may be audited as well. The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records.\n\nDoD has defined the list of events for which the device will provide an audit record generation capability as the following:\n\n(i) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels);\n(ii) Access actions, such as successful and unsuccessful login attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logins from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; and\n(iii) All account creation, modification, disabling, and termination actions.",
+      "severity": "low"
+    },
+    {
+      "id": "V-76483",
+      "title": "The Akamai Luna Portal must generate audit records when successful/unsuccessful attempts to access privileges occur.",
+      "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).",
+      "severity": "low"
+    },
+    {
+      "id": "V-76485",
+      "title": "The Akamai Luna Portal must enforce a minimum 15-character password length.",
+      "description": "Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password.\n\nThe shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-76487",
+      "title": "If multifactor authentication is not supported and passwords must be used, the Akamai Luna Portal must enforce password complexity by requiring that at least one upper-case character be used.",
+      "description": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determine how long it takes to crack a password. The more complex the password is, the greater the number of possible combinations that need to be tested before the password is compromised.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-76489",
+      "title": "If multifactor authentication is not supported and passwords must be used, the Akamai Luna Portal must enforce password complexity by requiring that at least one lower-case character be used.",
+      "description": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-76491",
+      "title": "If multifactor authentication is not supported and passwords must be used, the Akamai Luna Portal must enforce password complexity by requiring that at least one numeric character be used.",
+      "description": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \n\nPassword complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-76493",
+      "title": "If multifactor authentication is not supported and passwords must be used, the Akamai Luna Portal must enforce password complexity by requiring that at least one special character be used.",
+      "description": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-76495",
+      "title": "The Akamai Luna Portal must enforce a 60-day maximum password lifetime restriction.",
+      "description": "Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed at specific intervals.\n\nOne method of minimizing this risk is to use complex passwords and periodically change them. If the network device does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the passwords could be compromised.\n\nThis requirement does not include emergency administration accounts, which are meant for access to the network device in case of failure. These accounts are not required to have maximum password lifetime restrictions.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-76497",
+      "title": "The Akamai Luna Portal must prohibit password reuse for a minimum of five generations.",
+      "description": "Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \n\nTo meet password policy requirements, passwords need to be changed at specific policy-based intervals. \n\nIf the network device allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end result is a password that is not changed as per policy requirements.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-76499",
+      "title": "The Akamai Luna Portal must terminate all network connections associated with a device management session at the end of the session, or the session must be terminated after 15 minutes of inactivity except to fulfill documented and validated mission requirements.",
+      "description": "Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element.\n\nTerminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, or de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. This does not mean that the device terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-76501",
+      "title": "The Akamai Luna Portal must employ Security Assertion Markup Language (SAML) to automate central management of administrators.",
+      "description": "The use of authentication servers or other centralized management servers for providing centralized authentication services is required for network device management. Maintaining local administrator accounts for daily usage on each network device without centralized management is not scalable or feasible. Without centralized management, it is likely that credentials for some network devices will be forgotten, leading to delays in administration, which itself leads to delays in remediating production problems and in addressing compromises in a timely fashion.",
+      "severity": "high"
+    },
+    {
+      "id": "V-76503",
+      "title": "The Akamai Luna Portal must employ Single Sign On (SSO) with Security Assertion Markup Language (SAML) integration to verify authentication settings.",
+      "description": "The use of authentication servers or other centralized management servers for providing centralized authentication services is required for network device management. Maintaining local administrator accounts for daily usage on each network device without centralized management is not scalable or feasible. Without centralized management, it is likely that credentials for some network devices will be forgotten, leading to delays in administration, which itself leads to delays in remediating production problems and in addressing compromises in a timely fashion.",
+      "severity": "high"
+    }
+  ]
+}

data/standards/stig_android_2.2_dell.json

@@ -0,0 +1,311 @@
+{
+  "name": "stig_android_2.2_dell",
+  "date": "2014-08-26",
+  "description": "This STIG contains technical security controls required for the use of the Android 2.2 (Dell version) mobile operating system in the DoD environment when managed by the Good Mobility Suite.",
+  "title": "Android 2.2 (Dell) Security Technical Implementation Guide",
+  "version": "1",
+  "item_syntax": "^\\w-\\d+$",
+  "section_separator": null,
+  "items": [
+    {
+      "id": "V-18627",
+      "title": "The VPN client on wireless clients (PDAs, smartphones) used for remote access to DoD networks will be FIPS 140-2 validated.  This check is not applicable if the installed VPN client is not used for remote access to DoD networks.  ",
+      "description": "DoD data could be compromised if transmitted data is not secured with a compliant VPN.  FIPS validation provides a level of assurance that the encryption of the device has been securely implemented.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-18856",
+      "title": "Removable memory cards (e.g., MicroSD) must have data stored on the card encrypted with a FIPS 140-2 validated cryptographic module.   ",
+      "description": "Memory card used to transfer files between PCs and PDAs is a migration path for the spread of malware on DoD computers and handheld devices.  These risks are mitigated by the requirements listed in this check.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-19897",
+      "title": "All wireless PDA clients used for remote access to DoD networks must enable AES encryption for the VPN. \n",
+      "description": "DoD data could be compromised if transmitted data is not secured with a compliant VPN.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-19898",
+      "title": "All wireless PDA clients used for remote access to DoD networks must have a VPN supporting CAC authentication. ",
+      "description": "DoD data could be compromised if transmitted data is not secured with a compliant VPN.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-19899",
+      "title": "All wireless PDA and smartphone client VPNs must have split tunneling disabled. \n\n",
+      "description": "DoD data could be compromised if transmitted data is not secured with a compliant VPN.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-24981",
+      "title": "Smartphone devices must have required operating system software versions installed.",
+      "description": "Required security features are not available in earlier OS versions. In addition, there are known vulnerabilities in earlier versions.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-24982",
+      "title": "Smart Card Readers (SCRs) used with smartphone must have required software version installed.",
+      "description": "Required security features are not available in earlier software versions. In addition, there may be known vulnerabilities in earlier versions.",
+      "severity": "low"
+    },
+    {
+      "id": "V-24983",
+      "title": "S/MIME must be installed on smartphones so users can sign/encrypt email.",
+      "description": "S/MIME provides the capability for users to send and receive S/MIME email messages from wireless email devices. S/MIME and digital signatures provide assurance the message is authentic and is required by DoD policy.  Without S/MIME users will not be able to read encrypted email and will not be able to encrypt email with sensitive information.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-24984",
+      "title": "If smartphone email auto signatures are used, the signature message must not disclose the email originated from a smartphone (e.g., “Sent From My Wireless Handheld”). ",
+      "description": "The disclaimer message may give information which may key an attacker in on the device. ",
+      "severity": "low"
+    },
+    {
+      "id": "V-24985",
+      "title": "All Internet browsing on a DoD mobile operating system (OS) device will go through a DoD Internet proxy.  ",
+      "description": "A DoD Internet proxy provides additional security over the carrier's browser.  When using the DoD Internet proxy for a mobile device Internet connections, enclave Internet security controls will filter and monitor mobile device Internet connections.",
+      "severity": "low"
+    },
+    {
+      "id": "V-24986",
+      "title": "All non-core applications on the mobile OS device must be approved by the DAA or Command IT Configuration Control Board.  ",
+      "description": "Non-approved applications can contain malware.  Approved applications should be reviewed and tested by the approving authority to ensure they do not contain malware, spyware, or have unexpected features (e.g., send private information to a web site, track user actions, connect to a non-DoD management server).",
+      "severity": "high"
+    },
+    {
+      "id": "V-25003",
+      "title": "A compliance rule must be set up in the server defining required mobile OS software versions.",
+      "description": "Unapproved OS versions do not support required security features. The security baseline of the Android system could be compromised if required security features are not available.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-25007",
+      "title": "Smartphones must be configured to require a password/passcode for device unlock.",
+      "description": "Sensitive DoD data could be compromised if a device unlock password/passcode is not set up on a DoD smartphones.",
+      "severity": "high"
+    },
+    {
+      "id": "V-25009",
+      "title": "Maximum password/passcode age must be set.",
+      "description": "Sensitive DoD data could be compromised if a strong device unlock passcode is not set up on a DoD smartphone and the passcode is not changed periodically.",
+      "severity": "low"
+    },
+    {
+      "id": "V-25010",
+      "title": " The smartphone inactivity timeout must be set.",
+      "description": "Sensitive DoD data could be compromised if the smartphone does not automatically lock after 15 minutes of inactivity.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-25011",
+      "title": "Password/passcode maximum failed attempts must be set to required value.",
+      "description": "A hacker with unlimited attempts can determine the password of a smartphone within a few minutes using password hacking tools, which could lead to unauthorized access to the smartphone and exposure to sensitive DoD data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-25012",
+      "title": "Access to public application stores must be disabled.",
+      "description": "Strong configuration management of all applications installed on DoD device is required to ensure the security baseline of the system is maintained.  Otherwise, sensitive DoD data could be compromised.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-25013",
+      "title": "Users must not be allowed to download applications on smartphones without SA control.",
+      "description": "Strong configuration management of all applications installed on DoD device is required to ensure the security baseline of the system is maintained.  Otherwise, sensitive DoD data could be compromised.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-25014",
+      "title": "Use of the smartphone camera must be approved and documented in site physical security policy.",
+      "description": "This is an operational security issue.   Sensitive DoD data could be compromised if cameras are allowed in areas not authorized by the site physical security plan.",
+      "severity": "low"
+    },
+    {
+      "id": "V-25016",
+      "title": "Device minimum password/passcode length must be set. ",
+      "description": "Sensitive DoD data could be compromised if a device unlock password/passcode is not set to required length on a DoD smartphones.  ",
+      "severity": "medium"
+    },
+    {
+      "id": "V-25017",
+      "title": "The smartphone Auto-Lock must be set.",
+      "description": "Sensitive DoD data could be compromised if the smartphone does not automatically lock after a set period of inactivity.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-25018",
+      "title": "The smartphone passcode history setting must be set.",
+      "description": "The password/passcode would be more susceptible to compromise if the user can select frequently used passwords/passcodes.",
+      "severity": "low"
+    },
+    {
+      "id": "V-25019",
+      "title": "The smartphone Bluetooth radio must be disabled if not authorized for use.",
+      "description": "The Bluetooth radio can be used by a hacker to connect to the smartphone without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-25020",
+      "title": "The smartphone device Wi-Fi radio must be disabled as the default setting and is enabled only when Wi-Fi connectivity is required. \n",
+      "description": "The Wi-Fi radio can be used by a hacker to connect to the smartphone without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.",
+      "severity": "low"
+    },
+    {
+      "id": "V-25022",
+      "title": "All smartphones must display the required banner during device unlock/ logon.  ",
+      "description": "DoD CIO memo requires all PDAs, BlackBerrys, and smartphones to have a consent banner displayed during logon/device unlock to ensure users understand their responsibilities to safeguard DoD data. ",
+      "severity": "medium"
+    },
+    {
+      "id": "V-25051",
+      "title": "Location services must be turned off on the smartphone during device provisioning.",
+      "description": "Smartphone location services allow applications to gather information about the location of the handheld device and possibly forward it to servers located on the Internet. This is an operational security issue for DoD smartphones devices.",
+      "severity": "low"
+    },
+    {
+      "id": "V-25842",
+      "title": "The site must set up local operating procedures for initial provisioning and subsequent software and application updates using the  procedures published in the STIG Overview document. ",
+      "description": "Strong configuration management of applications on a smartphone is a key malware control. Most smartphones must have individual commercial web portal (e.g., iTunes, Android Market, etc.) accounts and be connected to the commercial App Store to provision the smartphone. A DoD user can jailbreak a smartphone and bypass smartphone application and malware controls. To ensure strong configuration management of the security baseline of the smartphone, all software loading should be done by the SA.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-26559",
+      "title": "The Personal Hotspot feature of the mobile OS must be disabled if it does not meet DoD WLAN or Bluetooth security requirements and is not approved by the IAO. ",
+      "description": "The Wi-Fi radio and Bluetooth radio can be used by a hacker to connect to the smartphone without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave. This setting would allow the device Wi-Fi radio to automatically connect to a Wi-Fi network.  The Bluetooth and Wi-Fi connections do not support DoD wireless encryption and authentication requirements.",
+      "severity": "low"
+    },
+    {
+      "id": "V-27629",
+      "title": "Full Device Administration must be implemented on the smartphone.",
+      "description": "If this configuration is not set as required, the security policy from the server will not be implemented on the smartphone.  Sensitive DoD data could be compromised.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-27630",
+      "title": "Enable Full Device Lock must be set.",
+      "description": "Sensitive DoD data could be exposed if this configuration is not set as required.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-27631",
+      "title": "Enable remote device password reset must be set.",
+      "description": "Without this capability a user could be locked out of their smartphone for significant time periods, affecting the mission of the organization.",
+      "severity": "low"
+    },
+    {
+      "id": "V-27632",
+      "title": "Enable remote SD card wipe must be configured.",
+      "description": "Sensitive DoD data could be compromised if mobile OS device data could not be wiped when directed by the system administrator.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-27633",
+      "title": "Allow SD card encryption must be configured.",
+      "description": "Sensitive DoD data could be compromised if a mobile OS device data is not encrypted.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-27634",
+      "title": "VPN must be configured as required.",
+      "description": "Sensitive DoD data could be compromised if the Android VPN client is used.  The VPN client is not currently FIPS 140-2 validated and does not support CAC authentication. ",
+      "severity": "medium"
+    },
+    {
+      "id": "V-27635",
+      "title": "Remote full device wipe must be enabled.",
+      "description": "Sensitive DoD data could be compromised if mobile OS device data could not be wiped when directed by the system administrator.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-28295",
+      "title": "The smartphone removable memory card (e.g., MicroSD) must be bound to the PDA or smartphone so it may not be read by any other PED or computer. ",
+      "description": "Memory cards used to transfer files between PCs and PDAs is a migration path for the spread of malware on DoD computers and handheld devices. These risks are mitigated by the requirements listed in this check.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-28297",
+      "title": "The smartphone password/passcode complexity (alphanumeric) must be set.",
+      "description": "Sensitive DoD data could be compromised if a strong device unlock password/passcode is not set up on a DoD smartphone.  The complexity of the password is a key factor in the strength of the password.  Complex passwords are harder to guess or obtain via a brute force attack.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-29524",
+      "title": "All mobile operating system (OS) device Bluetooth radio profiles must be disabled except for the serial port, handset and headset profiles.",
+      "description": "The Bluetooth radio can be used by a hacker to connect to the smartphone without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.  The serial port profile is used by the DoD approved Bluetooth smart card reader and the headset and handset profiles are used by the DoD approved Bluetooth headset.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-29525",
+      "title": "The pairing of Bluetooth devices to DoD mobile OS devices must be controlled so only approved devices can pair to the smartphone.  ",
+      "description": "The Bluetooth radio can be used by a hacker to connect to the smartphone without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.\n\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-29529",
+      "title": "The smartphone USB port must be configured as required.",
+      "description": "A smartphone can be jailbroken or rooted when connected to a PC with a jailbreak or rooting application installed on it.  When a smartphone is jailbroken/rooted, the user or malware has root access and can bypass all device security controls.  DoD sensitive data could be compromised.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-29894",
+      "title": "A security risk analysis must be performed on a mobile operating (OS) system application by the DAA or DAA authorized approval authority prior to the application being approved for use.",
+      "description": "Non-approved applications can contain malware. Approved applications should be reviewed and tested by the approving authority to ensure they do not contain malware, spyware, or have unexpected features (e.g., send private information to a web site, track user actions, connect to a non-DoD management server).",
+      "severity": "high"
+    },
+    {
+      "id": "V-29949",
+      "title": "A compliance rule must be set up in the server defining required mobile OS software build version.",
+      "description": "Unapproved OS build versions do not support required security features. The security baseline of the Android system could be compromised if required security features are not available.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-30193",
+      "title": "The Bluetooth configuration application must be installed on the Android device.",
+      "description": "The Bluetooth monitor application ensures the Bluetooth configuration of the Android device is in compliance with the DoD Bluetooth security standard.  If not installed, it may be possible for a hacker to spoof the Bluetooth pairing process with the Android device, connect to the Android device via a Bluetooth connection, and steal sensitive DoD information.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-30248",
+      "title": "Mobile OS devices (smartphones/tablets) must have a system integrity validation application installed or have validation scanning, using a PC based tool, completed on the required schedule.",
+      "description": "The purpose of this scan is to determine if there has been an unexplained change in the mobile OS file system that may indicate the device has been compromised by malware or by rooting the device.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-30249",
+      "title": "The results and mitigation actions from Mobile OS device integrity validation tool scans on site managed Mobile OS devices must be maintained by the site for at least 6 months (1 year recommended).",
+      "description": "Scan results must be maintained so that auditors can verify mitigation actions have been completed, so that a scan can be compared to a previous scan, and to determine if there is any security vulnerability trends for site managed mobile OS devices.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-30250",
+      "title": "Mitigation actions identified by Mobile OS device integrity tool scans on site managed Mobile OS devices must be implemented.",
+      "description": "If mitigation actions identified by the Mobile OS device integrity tool are not implemented, DoD data and the enclave could be at risk of being compromised.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-30566",
+      "title": "Mobile OS devices (smartphones / tablets) must have a device integrity validation tool baseline scan on file. ",
+      "description": "The purpose of this scan is to determine if there has been an unexplained change in the mobile OS file system indicating the device has been compromised by malware or by rooting the device. A baseline scan provides a known good condition to compare with subsequent scans. A new baseline scan should be completed after the installation or removal of an application.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-30567",
+      "title": "Mobile OS devices (smartphones/tablets) device integrity validation scan interval must be 6 hours or less.",
+      "description": "The purpose of this scan is to determine if there has been an unexplained change in the mobile OS file system that may indicate the device has been compromised by malware or by rooting the device.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-30568",
+      "title": "Mobile OS device integrity tool scans must be reviewed daily by the system administrator or IAO (or continuously by a server).",
+      "description": "If mitigation actions identified by the Mobile OS device integrity tool are not implemented, DoD data and the enclave could be at risk of being compromised.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-53957",
+      "title": "Android 2.2 Dell mobile operating systems that are no longer supported by the vendor for security updates must not be installed on a system.",
+      "description": "Android 2.2 Dell mobile operating systems that are no longer supported by the vendor for security updates are not evaluated or updated for vulnerabilities, leaving them open to potential attack.  Organizations must transition to a supported mobile operating system to ensure continued support.",
+      "severity": "high"
+    }
+  ]
+}