diff --git a/benchmarks/DISA/U_Ivanti_Connect_Secure_NDM_STIG_V1R1_Manual-xccdf.xml b/benchmarks/DISA/U_Ivanti_Connect_Secure_NDM_STIG_V1R1_Manual-xccdf.xml
new file mode 100644
index 000000000..a83892a9c
--- /dev/null
+++ b/benchmarks/DISA/U_Ivanti_Connect_Secure_NDM_STIG_V1R1_Manual-xccdf.xml
@@ -0,0 +1,525 @@
+acceptedIvanti Connect Secure NDM Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 1 Benchmark Date: 08 Nov 20233.4.1.229161.10.01I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>SRG-APP-000412-NDM-000331<GroupDescription></GroupDescription>IVCS-NM-000010The ICS must be configured to implement cryptographic mechanisms using a FIPS 140-2/3 approved algorithm.<VulnDiscussion>This configuration protects to protect the confidentiality of Web UI session and guards against DoS attacks.
+
+This requires the use of secure protocols instead of their unsecured counterparts, such as SSH instead of telnet, SCP instead of FTP, and HTTPS instead of HTTP. If unsecured protocols (lacking cryptographic mechanisms) are used for sessions, the contents of those sessions will be susceptible to eavesdropping, potentially putting sensitive data (including administrator passwords) at risk of compromise and potentially allowing hijacking of maintenance sessions.
+
+When JITC and FIPS mode is enabled, it enables DoS attacks such as flooding and replay attack audit logs inherently. JITC and FIPS mode are required for ICS use in DOD.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Ivanti Connect Secure NDMDISADPMS TargetIvanti Connect Secure NDM5558CCI-003123Enable compliance modes to ensure only FIPS 140-2/3 algorithms are used and to guard against DoS attacks. JITC, NDcPP, and FIPS modes are required for ICS use in DOD.
+
+In the ICS Web UI, navigate to System >> Configuration >> Security >> Inbound SSL Options.
+1. Under "DOD Certification Option", check (enabled) "Turn on JITC mode" to enable the JITC mode security features.
+2. Once "Turn on JITC mode" is checked, "Turn on NDcPP mode" and "Turn on FIPS mode" are also checked automatically.
+3. Click "Save changes" and confirm after the web UI asks for SSL cipher configuration changes.Verify all settings to ensure only FIPS 140-2/3 algorithms are enabled.
+
+In the ICS Web UI, navigate to System >> Configuration >> Security >> Inbound SSL Options.
+1. Verify "Turn on JITC mode" checkbox is enabled (checked).
+2. Verify "Turn on NDcPP mode" checkbox is enabled (checked).
+3. Verify "Turn on FIPS mode" checkbox is enabled (checked).
+
+If the use of FIPS 140-2 approved algorithms is not enabled, this is a finding.SRG-APP-000516-NDM-000350<GroupDescription></GroupDescription>IVCS-NM-000030The ICS must be configured to send admin log data to a redundant central log server.<VulnDiscussion>The aggregation of log data kept on a syslog server can be used to detect attacks and trigger an alert to the appropriate security personnel. The stored log data can used to detect weaknesses in security that enable the network IA team to find and address these weaknesses before breaches can occur. Reviewing these logs, whether before or after a security breach, are important in showing whether someone is an internal employee or an outside threat.
+
+Satisfies: SRG-APP-000516-NDM-000350, SRG-APP-000360-NDM-000295, SRG-APP-000515-NDM-000325</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Ivanti Connect Secure NDMDISADPMS TargetIvanti Connect Secure NDM5558CCI-001851CCI-001858CCI-002605Configure the ICS with the address information for the redundant central log servers.
+
+In the ICS Web UI:
+1. Navigate to System >> Log/Monitoring >> Events >> Settings.
+2. Under "Syslog Servers" add an IP address/server name/IP.
+3. Set the facility to LOCAL0.
+4. Set type to TLS.
+5. If a client cert is required for the syslog server, select the client certificate to use for the syslog traffic. If none exists, import the DOD-signed client key pair to the ICS under System >> Configuration >> Certificates >> Client Auth Certificates.
+6. Set the standard filer.
+7. Set the source interface as the management interface.
+8. Click "Add".
+9. Click "Save Changes".
+10. Repeat these steps for the admin logs under System >> Log/Monitoring >> Admin Access >> Settings.
+11. Repeat these steps to add a redundant syslog server.Verify the ICS is configured with address information so it sends admin log event records to a central log server.
+
+In the ICS Web UI, navigate to System >> Log/Monitoring >> Events >> Settings.
+
+Under "Syslog Servers", verify a server name/IP address, facility of LOCAL0, type TLS, and the management source interface are defined.
+
+In the ICS Web UI, navigate to System >> Log/Monitoring >> Admin Access >> Settings.
+
+Under "Syslog Servers", verify server names/IP addresses are added. Also ensure facility of LOCAL0, type TLS, and them management source interface are not defined.
+
+If the ICS is not configured to send log admin log events data to redundant central log servers, this is a finding.SRG-APP-000340-NDM-000288<GroupDescription></GroupDescription>IVCS-NM-000050The ICS must be configured to prevent nonprivileged users from executing privileged functions.<VulnDiscussion>Preventing nonprivileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges.
+
+Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Nonprivileged users are individuals that do not possess appropriate authorizations.
+
+Satisfies: SRG-APP-000340-NDM-000288, SRG-APP-000380-NDM-000304, SRG-APP-000378-NDM-000302, SRG-APP-000133-NDM-000244, SRG-APP-000123-NDM-000240, SRG-APP-000121-NDM-000238, SRG-APP-000231-NDM-000271, SRG-APP-000408-NDM-000314, SRG-APP-000329-NDM-000287, SRG-APP-000153-NDM-000249, SRG-APP-000119-NDM-000236, SRG-APP-000120-NDM-000237, SRG-APP-000033-NDM-000212, SRG-APP-000516-NDM-000335, SRG-APP-000516-NDM-000336, SRG-APP-000177-NDM-000263, SRG-APP-000080-NDM-000220</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Ivanti Connect Secure NDMDISADPMS TargetIvanti Connect Secure NDM5558CCI-000163CCI-000164CCI-000166CCI-000187CCI-000213CCI-000345CCI-000366CCI-000370CCI-000764CCI-000770CCI-001199CCI-001493CCI-001495CCI-001499CCI-001812CCI-001813CCI-002169CCI-002235CCI-002883Configure Realms and Roles as needed to meet mission requirements.
+
+Note: The ".Administrators" role is a default role name, other administrator role names can be used. Groups must be used, separate usernames or an allow-all username of * is not acceptable.
+
+In the ICS Web UI, navigate to Administrators >> Admin Realms >> Admin Realms.
+1. Click the admin realm that is currently being used on the ICS for administrator logins. By default, it is "Admin Users".
+2. In the "General" tab, under Servers >> Directory/Attribute, select the previously configured LDAP Directory. If none is configured, follow vendor supplied instructions for creating an LDAP Authentication Server.
+3. In the "Role Mapping" tab, under "when users meet these conditions", select new rule.
+4. Under rule based on, select "Group Membership".
+5. Give the rule a name.
+6. Select "is".
+7. Provide the exact group name in the text box. This name must match the "CN=" attribute name. For example, if the group is "CN=ivanti.adm.group" then add the "ivanti.adm.group" to the text box.
+8. Under "then assign these roles", select the admin role used by ICS for admin logins. By default this is ".Administrators".
+9. Click "Save Changes".
+10. Under "Role Mapping", if there are more roles needed for more specific role-based access to the ICS, configure more of them here.
+11. Once complete, click "Save Changes".Verify Realms and Roles are configured as needed to meet mission requirements.
+
+In the ICS Web UI, navigate to Administrators >> Admin Realms >> Admin Realms.
+1. Click the admin realm that is currently being used on the ICS for administrator logins. By default, it is "Admin Users".
+2. In the "General" tab, under Servers >> Directory/Attribute, verify it does not say "none".
+3. In the "Role Mapping" tab, under "when users meet these conditions", verify the following:
+- "Group" must be used, and the local site's administrator active directory group must be selected and assigned to the ".Administrators" role. Note that this role could be different if using something other than the default ".Administrators" role.
+- Verify separate usernames are not used. Verify an allow-all username of * is used.
+
+If a realm or role is not configured to prevent nonprivileged users from executing privileged functions, this is a finding.SRG-APP-000343-NDM-000289<GroupDescription></GroupDescription>IVCS-NM-000060The ICS must be configured to audit the execution of privileged functions such as accounts additions and changes.<VulnDiscussion>Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat.
+
+Satisfies: SRG-APP-000343-NDM-000289, SRG-APP-000495-NDM-000318, SRG-APP-000499-NDM-000319, SRG-APP-000503-NDM-000320, SRG-APP-000504-NDM-000321, SRG-APP-000505-NDM-000322, SRG-APP-000506-NDM-000323, SRG-APP-000319-NDM-000283, SRG-APP-000381-NDM-000305, SRG-APP-000100-NDM-000230, SRG-APP-000029-NDM-000211, SRG-APP-000028-NDM-000210, SRG-APP-000027-NDM-000209, SRG-APP-000038-NDM-000213, SRG-APP-000099-NDM-000229, SRG-APP-000098-NDM-000228, SRG-APP-000097-NDM-000227, SRG-APP-000096-NDM-000226, SRG-APP-000095-NDM-000225, SRG-APP-000026-NDM-000208, SRG-APP-000412-NDM-000331, SRG-APP-000411-NDM-000330, SRG-APP-000435-NDM-000315, SRG-APP-000156-NDM-000250, SRG-APP-000224-NDM-000270, SRG-APP-000179-NDM-000265, SRG-APP-000142-NDM-000245</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Ivanti Connect Secure NDMDISADPMS TargetIvanti Connect Secure NDM5558CCI-000018CCI-000130CCI-000131CCI-000132CCI-000133CCI-000134CCI-000172CCI-000382CCI-000803CCI-001188CCI-001368CCI-001403CCI-001404CCI-001405CCI-001487CCI-001814CCI-001941CCI-002130CCI-002234CCI-002385CCI-002890CCI-003123Enable logging for admin event actions.
+
+In the ICS Web UI, navigate to System >> Log/Monitoring >> Admin Access >> Settings.
+1. Check the box for Administrator changes under the section "Select Events to Log".
+2. Click "Save Changes".In the ICS Web UI, navigate to System >> Log/Monitoring >> Admin Access >> Settings, under the section "Select Events to Log".
+
+If Administrator changes is enabled for events logging, this is a finding.SRG-APP-000395-NDM-000310<GroupDescription></GroupDescription>IVCS-NM-000090If SNMP is used, the ICS must be configured to use SNMPv3 with FIPS-140-2/3 validated Keyed-Hash Message Authentication Code (HMAC).<VulnDiscussion>Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk.
+
+A local connection is any connection with a device communicating without the use of a network. A network connection is any connection with a device that communicates through a network (e.g., local area or wide area network, internet). A remote connection is any connection with a device communicating through an external network (e.g., the internet).
+
+Because of the challenges of applying this requirement on a large scale, organizations are encouraged to only apply the requirement to those limited number (and type) of devices that truly need to support this capability.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Ivanti Connect Secure NDMDISADPMS TargetIvanti Connect Secure NDM5558CCI-001967This is applicable if SNMP is enabled. Though the entire SNMP configuration is given to prevent misconfiguration, note that this requirement is focused on the use of v3.
+
+In the ICS Web UI, navigate to System >> Log/Monitoring >> SNMP.
+1. Under "SNMP version data", select v3.
+2. Under "Agent Properties", select SNMP Queries.
+3. Define the System Name.
+4. Define the System Location.
+5. Define the System Contact.
+6. Under "SNMPv3 Configuration" and "User 1" type the username.
+7. Select the "Security Level" of Auth, Priv.
+8. Select SHA as the Auth Protocol.
+9. Type the Auth password.
+10. Select "CFB-AES-128" as the Priv Protocol.
+11. Type the Priv password.
+12. Under Optional Traps, select "Critical and Major log events".
+13. Click "Save Changes".If SNMP is not used, this is not applicable.
+
+In the ICS Web UI, navigate to System >> Log/Monitoring >> SNMP.
+
+Under "SNMP version data", verify v2c is not selected.
+
+If the ICS does not use properly configured SNMPv3, this is a finding.SRG-APP-000395-NDM-000347<GroupDescription></GroupDescription>IVCS-NM-000100The ICS must be configured to authenticate Network Time Protocol (NTP) sources using authentication that is cryptographically based.<VulnDiscussion>If Network Time Protocol is not authenticated, an attacker can introduce a rogue NTP server. This rogue server can then be used to send incorrect time information to network devices, which will make log timestamps inaccurate and affect scheduled actions. NTP authentication is used to prevent this tampering by authenticating the time source.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Ivanti Connect Secure NDMDISADPMS TargetIvanti Connect Secure NDM5558CCI-001967In the ICS Web UI, navigate to System >> Status >> Dashboard.
+1. Click the "Overview" tab.
+2. Under "Appliance Details" and "System Date and Time" select "Edit".
+3. Select the Time Zone to use - DOD may require GMT.
+4. Select "Use Pool of NTP servers".
+5. Enter the IP/hostname of each NTP server in the "NTP Server 1", "NTP Server 2", etc.
+6. Under the key section input the key in the following format: <keynumber> <algorithm> <key>
+For example, it would be entered like this: 1 SHA1 NtPKey123.
+Note: there must be a space between each section of <keynumber> <algorithm> <key>
+7. Click "Save Changes".
+8. Navigate to System >> Log/Monitoring >> Events.
+9. Ensure an event log stating the time sync is successful.In the ICS Web UI, navigate to System >> Status >> Dashboard.
+1. Click the "Overview" tab.
+2. Under "Appliance Details" and "System Date and Time", select "Edit".
+3. Verify the "Use Pool of NTP servers" is checked with NTP server IPs defined.
+4. Verify the NTP server IP/hostname is defined with a key.
+
+If the ICS does not authenticate NTP sources using authentication that is cryptographically based, this is a finding.SRG-APP-000374-NDM-000299<GroupDescription></GroupDescription>IVCS-NM-000120The ICS must be configured to record time stamps for audit records that can be mapped to Greenwich Mean Time (GMT).<VulnDiscussion>If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis.
+
+Time stamps generated by the application include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Ivanti Connect Secure NDMDISADPMS TargetIvanti Connect Secure NDM5558CCI-001890In the ICS Web UI, navigate to System >> Status >> Dashboard.
+1. Click the "Overview" tab.
+2. Under "Appliance Details" and "System Date and Time", select "Edit".
+3. Select "(GMT) Coordinated Universal Time".
+4. Click "Save Changes".In the ICS Web UI, navigate to System >> Status >> Dashboard.
+1. Click the "Overview" tab.
+2. Under "Appliance Details" and "System Date and Time", select "Edit".
+3. Verify the "Time Zone" is set to "(GMT) Coordinated Universal Time".
+
+If the ICS must be configured to record time stamps for audit records that can be mapped to GMT, this is a finding.SRG-APP-000357-NDM-000293<GroupDescription></GroupDescription>IVCS-NM-000150The ICS must be configured to allocate local audit record storage capacity in accordance with organization-defined audit record storage requirements.<VulnDiscussion>In order to ensure network devices have a sufficient storage capacity in which to write the audit logs, they need to be able to allocate audit record storage capacity. The task of allocating audit record storage capacity is usually performed during initial device setup if it is modifiable.
+
+The value for the organization-defined audit record storage requirement will depend on the amount of storage available on the network device, the anticipated volume of logs, the frequency of transfer from the network device to centralized log servers, and other factors.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Ivanti Connect Secure NDMDISADPMS TargetIvanti Connect Secure NDM5558CCI-001849In the ICS Web UI, navigate to System >> Log Monitoring >> User Access >> Settings.
+
+Go to "Minimum Log Size", set the Max Log Size to the value required by the site. By default, it is set to 200MB.In the ICS Web UI, navigate to System >> Log Monitoring >> User Access >> Settings.
+
+Under the "Minimum Log Size", verify the Max Log Size is equal to or greater than the site's required limit as documented in the SSP (the default is 200 MB).
+
+If the ICS is not configured with a Max Log Size that is equal to or greater than the site's required limit, this is a finding.SRG-APP-000169-NDM-000257<GroupDescription></GroupDescription>IVCS-NM-000190The ICS must be configured to enforce password complexity by requiring that at least one special character be used.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
+
+Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
+
+Multifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using PKI is not available, and for the account of last resort and root account.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Ivanti Connect Secure NDMDISADPMS TargetIvanti Connect Secure NDM5558CCI-001619In the ICS Web UI, navigate to Authentication >> Auth Servers >> Administrators.
+1. Enable the setting for "Password must have at least __ special characters".
+2. In the box, enter "1".
+3. Click "Save Changes".In the ICS Web UI, navigate to Authentication >> Auth Servers >> Administrators.
+1. Verify the setting for "Password must have at least __ letters" is checked.
+2. Verify the value for the setting for "Password must have at least __ special characters" is set to "1".
+
+If the ICS does not require that at least one special character be used for passwords, this is a finding.SRG-APP-000148-NDM-000346<GroupDescription></GroupDescription>IVCS-NM-000271The ICS must be configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable.<VulnDiscussion>Authentication for administrative (privileged level) access to the device is required at all times. An account can be created on the device's local database for use when the authentication server is down or connectivity between the device and the authentication server is not operable. This account is referred to as the account of last resort since it is intended to be used as a last resort and when immediate administrative access is absolutely necessary.
+
+The account of last resort logon credentials must be stored in a sealed envelope and kept in a safe. The safe must be periodically audited to verify the envelope remains sealed. The signature of the auditor and the date of the audit should be added to the envelope as a record. Administrators should secure the credentials and disable the root account (if possible) when not needed for system administration functions.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Ivanti Connect Secure NDMDISADPMS TargetIvanti Connect Secure NDM5558CCI-001358CCI-002111In the ICS Web UI, navigate to Authentication >> Auth Servers >> Administrators.
+1. Click the tab "Users".
+2. Create the emergency local user, or click the default admin user.
+3. Click the box for "Enabled".
+4. Click the box for "Allow Console Access".
+5. Click "Save Changes".In the ICS Web UI, navigate to Authentication >> Auth Servers >> Administrators.
+
+Click the tab "Users" and verify that more than one user does not exist.
+
+If the ICS is not configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable, this is a finding.SRG-APP-000190-NDM-000267<GroupDescription></GroupDescription>IVCS-NM-000300The ICS must be configured to terminate after 10 minutes of inactivity except to fulfill documented and validated mission requirements.<VulnDiscussion>Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element.
+
+Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, or de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. This does not mean that the device terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.
+
+Upon the termination of a session, the Ivanti ICS inherently ends the inactive session and releases the resources associated with that session.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Ivanti Connect Secure NDMDISADPMS TargetIvanti Connect Secure NDM5558CCI-001133In the ICS Web UI, navigate to Administrators >> Admins Role >> Delegated Admin Roles.
+
+1. Click the configured admin role being used for CAC/PKI token admin logins, by default it is .Administrators.
+2. Click the Session Options tab.
+3. In the "Session Lifetime" section, set the Idle Timeout to "10".
+4. Click "Save Changes".In the ICS Web UI, navigate to Administrators >> Admins Role >> Delegated Admin Roles.
+1. Click the configured admin role being used for CAC/PKI token admin logins (by default it is .Administrators).
+2. Click the Session Options tab.
+3. In the "Session Lifetime" section, verify the Idle Timeout is set to "10".
+
+If the ICS does not terminate after 10 minutes of inactivity except to fulfill documented and validated mission requirements, this is a finding.SRG-APP-000149-NDM-000247<GroupDescription></GroupDescription>IVCS-NM-000320The ICS must be configured to use DOD PKI as multifactor authentication (MFA) for interactive logins.<VulnDiscussion>MFA is when two or more factors are used to confirm the identity of an individual who is requesting access to digital information resources. Valid factors include something the individual knows (e.g., username and password), something the individual has (e.g., a smartcard or token), or something the individual is (e.g., a fingerprint or biometric). Legacy information system environments only use a single factor for authentication, typically a username and password combination. Although two pieces of data are used in a username and password combination, this is still considered single factor because an attacker can obtain access simply by learning what the user knows. Common attacks against single-factor authentication are attacks on user passwords. These attacks include brute force password guessing, password spraying, and password credential stuffing. MFA, along with strong user account hygiene, helps mitigate against the threat of having account passwords discovered by an attacker. Even in the event of a password compromise, with MFA implemented and required for interactive login, the attacker still needs to acquire something the user has or replicate a piece of user's biometric digital presence.
+
+Private industry recognizes and uses a wide variety of MFA solutions. However, DOD public key infrastructure (PKI) is the only prescribed method approved for DOD organizations to implement MFA. For authentication purposes, centralized DOD certificate authorities (CA) issue PKI certificate key pairs (public and private) to individuals using the prescribed x.509 format. The private certificates that have been generated by the issuing CA are downloaded and saved to smartcards which, within DOD, are referred to as common access cards (CAC) or personal identity verification (PIV) cards. This happens at designated DOD badge facilities. The CA maintains a record of the corresponding public keys for use with PKI-enabled environments. Privileged user smartcards, or "alternate tokens", function in the same manner, so this requirement applies to all interactive user sessions (authorized and privileged users).
+
+Note: This requirement is used in conjunction with the use of a centralized authentication server (e.g., AAA, RADIUS, LDAP), a separate but equally important requirement. The MFA configuration of this requirement provides identification and the first phase of authentication (the challenge and validated response, thereby confirming the PKI certificate that was presented by the user). The centralized authentication server will provide the second phase of authentication (the digital presence of the PKI ID as a valid user in the requested security domain) and authorization. The centralized authentication server will map validated PKI identities to valid user accounts and determine access levels for authenticated users based on security group membership and role. In cases where the centralized authentication server is not utilized by the network device for user authorization, the network device must map the authenticated identity to the user account for PKI-based authentication.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Ivanti Connect Secure NDMDISADPMS TargetIvanti Connect Secure NDM5558CCI-000765In the ICS Web UI, navigate to System >> Configuration >> Certificates >> Trusted Server CAs.
+1. Click Import Trusted Server CAs.
+2. Import the Active Directory root CA certificate by clicking Browse, selecting the certificate file, and clicking Import Certificate.
+3. Repeat these steps for the intermediate CA certificate.
+
+In the ICS Web UI, navigate to System >> Configuration >> Certificates >> Trusted Client CAs.
+1. Click Import CA Certificate.
+2. Import the DOD Client CAC root CA certificate by clicking Browse, selecting the certificate file, and clicking Import Certificate (e.g., DOD Root CA 3).
+3. Repeat these steps for the intermediate/issuing CAC CA certificate (e.g., DOD ID CA 59).
+4. Repeat these steps for each intermediate CAC CA certificate.
+5. Click the Root CA certificate that was imported.
+6. Under client certificate status checking, ensure the following is set:
+- Use OCSP with CRL Fallback.
+- Trusted for client Authentication must be checked.
+7. If the network the site is in must use a local OCSP repeater/responder, go to OCSP settings. Otherwise, move on to the Device Certificates.
+8. Click OSCP options, Use Manually Configured responders.
+9. Enter the URL for the primary and backup OCSP responder.
+10. If the OCSP responder requires request signing and Nonce usage, select those here.
+
+In the ICS Web UI, navigate to System >> Configuration >> Certificates >> Device Certificates.
+1. Click "New CSR".
+2. Under Common Name, ensure this has the FQDN for the ICS server. Fill out all other items.
+3. If using RSA, select 2048. If using ECC, select P-384.
+4. Click Create CSR. Export the CSR and import it into the DOD site's Registration Authority (RA). Ensure that Subject Alternative Names (SANs) are created for all FQDNs, server names, and cluster names on the web enrollment form.
+5. Once the certificate is approved, download it and import it in this same section of the ICS.
+
+In the ICS Web UI, navigate to Administrators >> Auth Servers.
+1. Click "New Servers", under server type, select "Certificate Server", then click "New Server".
+2. Type a Name, then under User Name template type <certAttr.altname.UPN>.
+3. Click "Save Changes".
+4. Navigate to Administrators >> Auth Servers.
+5. Click "New Servers". Under server type, select "LDAP Server". Click "New Server".
+6. Type a name for the primary LDAP server domain.
+7. LDAP server: the FQDN of the server (an IP address may cause an error as the LDAP server certificate might not have an IP in the SAN field).
+8. LDAP port: 636 (this is for LDAPS).
+9. Backup LDAP Server1: the FQDN of the secondary server (an IP address may cause an error as the LDAP server certificate might not have an IP in the SAN field).
+10. Backup LDAP Port1: 636.
+11. If a third LDAP server is needed, add this and the port info under Backup LDAP Server2 and Backup LDAP Port2.
+12. LDAP Server Type: Active Directory.
+13. Connection: LDAPS.
+14. Ensure Validate Server Certificate is checked.
+15. Connection Timeout: 15.
+16. Search Timeout: 60.
+17. Scroll down to the bottom and click "Save Changes", then click "Test Settings" to ensure valid communications are possible.
+NOTE: If there are failures in this testing, ensure that the step for Device Certificates and Trusted Server CAs were completed as this will cause LDAPS certificate issues.
+18. Under authentication required, click the box for Authentication required to search LDAP.
+19. Enter the service account's Admin DN using this as an example format: CN=PCS.SVC,OU=IVANTI,DC=dod,DC=mil
+20. Enter the service account's password.
+21. Under "Finding user entries" add the base DN of the domain as an example format: DC=dod,DC=mil
+22. Under filter, use this specific attribute configuration: userPrincipalName=<USER>
+23. Under group membership, add the base DN of where admin users that will access, using this as an example format: OU=IVANTI,DC=dod,DC=mil
+24. Under filter use the following: cn=<GROUPNAME>
+25. Under member attribute use the following: member.
+26. Click "Save Changes".
+27. In the same LDAP server configuration screen, scroll down and click the "Server Catalog" hyperlink.
+28. Under attributes, click New, Type: userPrincipalName, and save the changes.
+29. Under groups, click Search. In the search box, type the group name used for admin logins.
+30. Check the box next to the group that is found and click "Add Selected".
+31. Repeat these steps for all various groups needed for various roles on the ICS system. For example, groups for auditors, ISSOs, NOC, SOC, Viewer, etc.
+32. Click "Save Changes".
+
+In the ICS Web UI, navigate to Administrators >> Admin Realms.
+1. Click the admin realm being used. By default, "Admin Users" is defined.
+2. Under servers, go to Authentication and select the certificate authentication realm created that included the customized User template of <certAttr.altname.UPN>
+3. Under Directory/Attribute, select the previously created LDAP server.
+4. Check the box for "Enable dynamic policy evaluation".
+5. Check both "Refresh roles" and "refresh resource policies".
+6. Click "Save Changes".
+7. Go to the Role Mapping tab.
+8. Click "New Rule".
+9. Select "Rule based on Group Membership", click "Update".
+10. Type a name for this rule.
+11. Select "is".
+12. Type the group name exactly as it appears as the CN LDAP attribute.
+13. Select the role. The default is ".Administrators" for ICS admins.
+NOTE: if other roles for access to ICS management are needed, this can be configured in the Administrators >> Admin Roles section.
+14. Click "Save Changes".
+
+In the ICS Web UI, navigate to Authentication >> Sign-in >> Sign-in Policies.
+1. Create a New URL or edit the */admin/ URL - depending on the site.
+NOTE: it is recommended to create a new sign-in URL until this configuration is fully tested to ensure there is still web UI reachability in the troubleshooting process.
+2. Under authentication realm, click the "User picks from a list of authentication realms".
+3. Click "Save Changes".
+
+Test and verify the connection with CAC/Alt Token and LDAPS by attempting a web UI login using the token or CAC and entering the sign-in URL.In the ICS Web UI, navigate to Administrators >> Admin Realms >> Admin Realms.
+1. Click the admin realm that is currently being used on the ICS for administrator logins; by default it is "Admin Users".
+2. In the general tab, under Servers >> Authentication, verify that a certificate authenticate server is configured.
+3. In the general tab, under Servers >> Directory/Attribute, verify it does not show "none".
+4. In the role mapping tab, under "when users meet these conditions", verify the following is configured:
+- "Group" must be used, and the local site's administrator active directory group must be selected and assigned to the ".Administrators" role.
+Note: this role could be different if using something other than the default ".Administrators" role.
+- Use of groups instead of individual user accounts.
+- Ensure the allow-all username of * is not used.
+
+If the ICS must be configured to use DOD PKI as MFA for interactive logins, this is a finding.SRG-APP-000373-NDM-000298<GroupDescription></GroupDescription>IVCS-NM-000360The ICS must be configured to synchronize internal information system clocks using redundant authoritative time sources.<VulnDiscussion>The loss of connectivity to a particular authoritative time source will result in the loss of time synchronization (free-run mode) and increasingly inaccurate time stamps on audit events and other functions.
+
+Multiple time sources provide redundancy by including a secondary source. Time synchronization is usually a hierarchy; clients synchronize time to a local source while that source synchronizes its time to a more accurate source. The network device must utilize an authoritative time server and/or be configured to use redundant authoritative time sources. This requirement is related to the comparison done in CCI-001891.
+
+DOD-approved solutions consist of a combination of a primary and secondary time source using a combination or multiple instances of the following: a time server designated for the appropriate DOD network (NIPRNet/SIPRNet); United States Naval Observatory (USNO) time servers; and/or the Global Positioning System (GPS). The secondary time source must be located in a different geographic region than the primary time source.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Ivanti Connect Secure NDMDISADPMS TargetIvanti Connect Secure NDM5558CCI-000366CCI-001893In the ICS Web UI, navigate to System >> Status >> Overview.
+1. Under "Appliance Details", and "System Date and Time", click "Edit".
+2. Click "Use Pool of NTP Servers".
+3. Set the IP address or hostname of the first time source.
+4. In the "Key 1" box, type the number, algorithm, and key value using this format: 1 SHA1 testingkey
+5. Set the IP address or hostname of the second time source, noting that this must be a time source different from the first.
+6. In the "Key 2" box, type the number, algorithm, and key value using this format: 1 SHA1 testingkey.
+7. Click "Save Changes".
+8. Navigate to System >> Log/Monitoring >> Events >> Log on the Web UI.
+9. Look in the logs for successful or unsuccessful time sync messages.In the ICS Web UI, navigate to System >> Status >> Overview.
+
+Under "Appliance Details", and "System Date and Time", click "Edit".
+
+If the Time Source is not set to at least two NTP time sources, this is a finding.
+
+If the Time Sources are not specific to a DOD authoritative time source, this is a finding.
+
+If the Time Sources are not configured to use a SHA1 preshared key for authentication, this is a finding.SRG-APP-000516-NDM-000344<GroupDescription></GroupDescription>IVCS-NM-000370The ICS must be configured to obtain its public key certificates from an appropriate certificate policy through an approved service provider.<VulnDiscussion>For user certificates, each organization obtains certificates from an approved and shared service provider, as required by OMB policy. For federal agencies operating a legacy public key infrastructure cross-certified with the Federal Bridge Certification Authority at medium assurance or higher, this Certification Authority will suffice.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Ivanti Connect Secure NDMDISADPMS TargetIvanti Connect Secure NDM5558CCI-000366CCI-001159In the ICS Web UI, navigate to System >> Configuration >> Certificates >> Device Certificates.
+1. Click "New CSR".
+2. Add a Common Name in FQDN format.
+3. Add a Country code of US.
+4. Under key type, if using RSA, select "RSA". If using ECC, select "ECC".
+5. Under the key length, if using RSA, select at least "2048". If using ECC, select "P-384".
+6. Type in "Random Data" in the text field.
+7. Click "Create CSR".
+8. Copy the Base 64/PEM encoded certificate request that is shown on the screen and paste it to a text file. Ensure the file has the file suffix of .csr.
+9. Go through the local RA process for DOD Web Server certificate requests. Ensure that SANs are added to the certificate by the issuing CA to include the hostname, cluster names, and all FQDNs.
+10. Once the certificate is provided by the CA, go to System >> Configuration >> Certificates >> Device Certificates.
+11. Click "Browse" and select the certificate file issued by the CA, then click "Import".
+12. Click "Save Changes".
+13. Click on the imported certificate.
+14. On the "Internal Port", click "add" for the cluster internal VIP and <Internal Port>.
+15. On the "External Port", click "add" for the cluster external VIP and <External Port>.
+16. Check the box for "Management Port".
+17. Under "Certificate Status Checking", click the box for "Use CRLs".
+18. Click "Save Changes".In the ICS Web UI, navigate to System >> Configuration >> Certificates >> Device Certificates.
+
+1. Verify there is a device certificate that is signed by a valid DOD CA.
+2. Verify the certificate is used by all interfaces on the ICS.
+
+If the ICS does not obtain its public key certificates from an appropriate certificate policy through an approved service provider, this is a finding.SRG-APP-000516-NDM-000341<GroupDescription></GroupDescription>IVCS-NM-000380The ICS must be configured to support organizational requirements to conduct weekly backups of information system documentation, including security-related documentation.<VulnDiscussion>Information system backup is a critical step in maintaining data assurance and availability. Information system and security-related documentation contains information pertaining to system configuration and security settings. If this information were not backed up, and a system failure were to occur, the security settings would be difficult to reconfigure quickly and accurately. Maintaining a backup of information system and security-related documentation provides for a quicker recovery time when system outages occur.
+
+This control requires the network device to support the organizational central backup process for user account information associated with the network device. This function may be provided by the network device itself; however, the preferred best practice is a centralized backup rather than each network device performing discrete backups.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Ivanti Connect Secure NDMDISADPMS TargetIvanti Connect Secure NDM5558CCI-000366CCI-000539In the ICS Web UI, navigate to Maintenance >> Archiving >> Archive Servers.
+1. Click "SCP" if using an SFTP/SCP server; other mechanisms may not be allowed due to local security policy. NOTE: Check with the ISSM before configuring anything other than SCP.
+2. Under "Archive Server" type the hostname or IPv4/IPv6 address.
+3. In "Destination Directory" type the path of the backup (e.g., "/backupfolder/ics/").
+4. In the "Username" field, type the username with SCP/SFTP permissions on the backup server.
+5. In the "Password" field, type the password.
+6. Under "Archive Schedule", select "Archive System Configuration", then click the day of the week and time when the backup should be sent.
+7. Under "Archive System Configuration", ensure a password is given to encrypt the backup.
+8. Under "Archive Schedule", select "Archive User Accounts", then click the day of the week and time when the backup should be sent.
+9. Under "Archive User Accounts", ensure a password is given to encrypt the backup.
+10. Click "Save Changes".In the ICS Web UI, navigate to Maintenance >> Archiving >> Archive Servers.
+1. Under "Archive Settings" verify an archive server is configured.
+2. Under "Archive Schedule" verify "Archive System Configuration", and "Archive User Accounts" are selected.
+3. Under "Archive Schedule" verify "Archive System Configuration", and "Archive User Accounts" are configured at a specific time and day of the week.
+4. Under "Archive Schedule", if "Archive System Configuration", and "Archive User Accounts" are configured with a password for backup encryption.
+
+If the ICS does not support organizational requirements to conduct backups of information system documentation, including security-related documentation weekly, this is a finding.SRG-APP-000516-NDM-000351<GroupDescription></GroupDescription>IVCS-NM-000410The ICS must be configured to run an operating system release that is currently supported by Ivanti.<VulnDiscussion>Network devices running an unsupported operating system lack current security fixes required to mitigate the risks associated with recent vulnerabilities.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Ivanti Connect Secure NDMDISADPMS TargetIvanti Connect Secure NDM5558CCI-000366Navigate to the ICS support site https://my.pulsesecure.net/.
+1. Login using the valid support login.
+2. Click the link for "Software Licensing and Download".
+3. Click either virtual or physical appliance.
+4. Click "Software Download".
+5. Under Product Lines, click "Pulse Connect Secure" and again, "Pulse Connect Secure".
+6. Click "Current and Supported Releases".
+7. Click "Download" on the latest ICS images.
+
+Using the ICS Web UI navigate to Maintenance >> System >> Upgrade/Downgrade.
+1. Ensure the ICS is upgraded in accordance with the site's change management and change control policies, as this will cause a platform outage.
+2. Under "Install Service Package" click "Browse" and select the recently downloaded images.
+3. Click "Install".
+4. Follow all prompts for the upgrading the new images.Navigate to the ICS support site https://my.pulsesecure.net/.
+1. Login using the valid support login.
+2. Click the link for "Software Licensing and Download".
+3. Click "License and System Download".
+4. Click "Software Download".
+5. Under "Product Lines", click "Pulse Connect Secure" and again, "Pulse Connect Secure".
+6. Click the "End of Support" tab.
+7. Now using the ICS Web UI, navigate to Maintenance >> System >> Platform.
+
+If the version running under Current Version is on the list of End of Support images on the Ivanti support site, this is a finding.SRG-APP-000164-NDM-000252<GroupDescription></GroupDescription>IVCS-NM-000440The ICS must be configured to enforce a minimum 15-character password length.<VulnDiscussion>Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password.
+
+The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Ivanti Connect Secure NDMDISADPMS TargetIvanti Connect Secure NDM5558CCI-000205In the ICS Web UI, navigate to Authentication >> Auth Servers >> Administrators.
+1. For minimum length, type "15".
+2. Click "Save Changes".In the ICS Web UI, navigate to Authentication >> Auth Servers >> Administrators.
+
+If the minimum length is not 15 characters, this is a finding.SRG-APP-000172-NDM-000259<GroupDescription></GroupDescription>IVCS-NM-000450The ICS must be configured to transmit only encrypted representations of passwords.<VulnDiscussion>Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.
+
+This is applicable to the account of last resort which uses a password. Secure password while in transit for admin access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Ivanti Connect Secure NDMDISADPMS TargetIvanti Connect Secure NDM5558CCI-000197In the ICS Web UI, navigate to System >> Configuration >> Inbound SSL Options.
+1. Under "Allowed SSL and TLS Version", check the box for "Accept only TLS 1.2 (maximize security)".
+2. Click "Save Changes".
+3. Click "Proceed" for acceptance of Cipher Change.
+
+Navigate to System >> Configuration >> Outbound SSL Options.
+1. Under "Allowed SSL and TLS Version", check the box for "Accept only TLS 1.2 (maximize security)".
+2. Click "Save Changes".
+3. Click "Proceed" for acceptance of Cipher Change.In the ICS Web UI, navigate to System >> Configuration >> Inbound SSL Options.
+
+Under "Allowed SSL and TLS Version", if "Accept only TLS 1.2 (maximize security)" is checked.
+
+Navigate to System >> Configuration >> Outbound SSL Options.
+
+Under "Allowed SSL and TLS Version", if "Accept only TLS 1.2 (maximize security)" is checked.
+
+If the ICS does not transmit only encrypted representations of passwords, this is a finding.SRG-APP-000170-NDM-000329<GroupDescription></GroupDescription>IVCS-NM-000460The ICS must be configured to require that when a password is changed, the characters are changed in at least eight of the positions within the password.<VulnDiscussion>If the application allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for attempts at guessing and brute-force attacks.
+
+The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. In other words, characters may be the same within the two passwords; however, the positions of the like characters must be different.
+
+Multifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using PKI is not available, and for the account of last resort and root account.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Ivanti Connect Secure NDMDISADPMS TargetIvanti Connect Secure NDM5558CCI-000195In the ICS Web UI, navigate to Authentication >> Auth Servers >> Administrators.
+1. Check the box for "new password must differ from the previous password position".
+2. In the box, enter "8".
+3. Click "Save Changes".In the ICS Web UI, navigate to Authentication >> Auth Servers >> Administrators.
+1. Verify the setting for "new password must differ from the previous password position" is checked.
+2. Verify the value for the setting for "new password must differ from the previous password position" is set to "80".
+
+If the ICS is not configured to require that when a password is changed, the characters are changed in at least eight of the positions within the password, this is a finding.SRG-APP-000168-NDM-000256<GroupDescription></GroupDescription>IVCS-NM-000470The ICS must be configured to enforce password complexity by requiring that at least one numeric character be used.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
+
+Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
+
+Multifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using PKI is not available, and for the account of last resort and root account.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Ivanti Connect Secure NDMDISADPMS TargetIvanti Connect Secure NDM5558CCI-000194In the ICS Web UI, navigate to Authentication >> Auth Servers >> Administrators.
+1. Check the box for "Password must have at least __ digits".
+2. In the box, enter "1".
+3. Click "Save Changes".In the ICS Web UI, navigate to Authentication >> Auth Servers >> Administrators.
+1. Verify the setting for "Password must have at least __ digits" is checked.
+2. Verify the value for the setting for "Password must have at least __ digits" is not set to "1".
+
+If the ICS is not configured to enforce password complexity by requiring that at least one numeric character be used, this is a finding.SRG-APP-000167-NDM-000255<GroupDescription></GroupDescription>IVCS-NM-000480The ICS must be configured to enforce password complexity by requiring that at least one lowercase character be used.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
+
+Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
+
+Multifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using PKI is not available, and for the account of last resort and root account.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Ivanti Connect Secure NDMDISADPMS TargetIvanti Connect Secure NDM5558CCI-000193In the ICS Web UI, navigate to Authentication >> Auth Servers >> Administrators.
+1. If the setting for "Password must have at least __ letters".
+2. In the box, enter "2".
+3. Check the box for "Password must have mix of UPPERCASE and lowercase letters".
+4. Click "Save Changes".In the ICS Web UI, navigate to Authentication >> Auth Servers >> Administrators.
+1. Verify the setting for "Password must have at least __ letters" is checked.
+2. Verify the setting for "Password must have mix of UPPERCASE and lowercase letters" is checked.
+3. Verify the value for the setting for "Password must have at least __ letters" is set to "2".
+
+If the ICS is not configured to enforce password complexity by requiring that at least one lowercase character be used, this is a finding.SRG-APP-000166-NDM-000254<GroupDescription></GroupDescription>IVCS-NM-000490The ICS must be configured to enforce password complexity by requiring that at least one uppercase character be used.<VulnDiscussion>Use of a complex passwords helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
+
+Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password is, the greater the number of possible combinations that need to be tested before the password is compromised.
+
+Multifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using PKI is not available, and for the account of last resort and root account.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Ivanti Connect Secure NDMDISADPMS TargetIvanti Connect Secure NDM5558CCI-000192In the ICS Web UI, navigate to Authentication >> Auth Servers >> Administrators.
+1. If the setting for "Password must have at least __ letters".
+2. In the box, enter "2".
+3. Check the box for "Password must have mix of UPPERCASE and lowercase letters".
+4. Click "Save Changes".In the ICS Web UI, navigate to Authentication >> Auth Servers >> Administrators.
+1. Verify the setting for "Password must have at least __ letters" is checked.
+2. Verify the setting for "Password must have mix of UPPERCASE and lowercase letters" is checked.
+3. Verify value for the setting for "Password must have at least __ letters" is set to "2".
+
+If the ICS is not configured to enforce password complexity by requiring that at least one upper-case character be used, this is a finding.SRG-APP-000175-NDM-000262<GroupDescription></GroupDescription>IVCS-NM-000500The ICS must be configured to use DOD approved OCSP responders or CRLs to validate certificates used for PKI-based authentication.<VulnDiscussion>Once issued by a DOD certificate authority (CA), public key infrastructure (PKI) certificates are typically valid for three years or shorter within the DOD. However, there are many reasons a certificate may become invalid before the prescribed expiration date. For example, an employee may leave or be terminated and still possess the smartcard on which the PKI certificates were stored. Another example is that a smartcard containing PKI certificates may become lost or stolen. A more serious issue could be that the CA or server which issued the PKI certificates has become compromised, thereby jeopardizing every certificate keypair that was issued by the CA. These examples of revocation use cases and many more can be researched further using internet cybersecurity resources.
+
+PKI user certificates presented as part of the identification and authentication criteria (e.g., DOD PKI as multifactor authentication [MFA]) must be checked for validity by network devices. For example, valid PKI certificates are digitally signed by a trusted DOD certificate authority (CA). Additionally, valid PKI certificates are not expired, and valid certificates have not been revoked by a DOD CA.
+
+Network devices can verify the validity of PKI certificates by checking with an authoritative CA. One method of checking the status of PKI certificates is to query databases referred to as certificate revocation lists (CRL). These are lists which are published, updated, and maintained by authoritative DOD CAs. For example, once certificates are expired or revoked, issuing CAs place the certificates on a certificate revocation list (CRL). Organizations can download these lists periodically (i.e. daily or weekly) and store them locally on the devices themselves or even onto another nearby local enclave resource. Storing them locally ensures revocation status can be checked even if internet connectivity is severed at the enclave's point of presence (PoP). However, CRLs can be rather large in storage size and further, the use of CRLs can be rather taxing on some computing resources.
+
+Another method of validating certificate status is to use the online certificate status protocol (OCSP). Using OCSP, a requestor (i.e. the network device which the user is trying to authenticate to) sends a request to an authoritative CA challenging the validity of a certificate that has been presented for identification and authentication. The CA receives the request and sends a digitally signed response indicating the status of the user's certificate as valid, revoked, or unknown. Network devices should only allow access for responses that indicate the certificates presented by the user were considered valid by an approved DOD CA. OCSP is the preferred method because it is fast, provides the most current status, and is lightweight.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Ivanti Connect Secure NDMDISADPMS TargetIvanti Connect Secure NDM5558CCI-000185In the ICS Web UI, navigate to System >> Configuration >> Certificates >> Trusted Client CAs.
+1. Click the first DOD client CA.
+2. Set the item to "Use OCSP with CRL fallback" under "Client certificate status checking".
+3. Repeat these steps for every other client certificate CA.In the ICS Web UI, navigate to System >> Configuration >> Certificates >> Trusted Client CAs.
+1. Click the first DOD client CA.
+2. Verify the item "Use OCSP with CRL fallback" is selected under the "Client certificate status checking" setting.
+3. Check each other client certificate CA. Verify the setting "Use OCSP with CRL fallback" is selected.
+
+If the ICS is not configured to use DOD approved OCSP responders or CRLs to validate certificates used for PKI-based authentication, this is a finding.SRG-APP-000091-NDM-000223<GroupDescription></GroupDescription>IVCS-NM-000510The ICS must be configured to generate audit records when successful/unsuccessful attempts to access privileges occur.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Ivanti Connect Secure NDMDISADPMS TargetIvanti Connect Secure NDM5558CCI-000172In the ICS Web UI, navigate to System >> Log/Monitoring >> Admin Access >> Settings.
+1. Check the box under the section "Select Events to Log" for "Administrator Logins".
+2. Click "Save Changes".In the ICS Web UI, navigate to System >> Log/Monitoring >> Admin Access >> Settings.
+
+1. Under the section "Select Events to Log", verify "Administrator Logins" is checked.
+
+If the ICS is not configured to generate audit records when successful/unsuccessful attempts to access privileges occur, this is a finding.SRG-APP-000001-NDM-000200<GroupDescription></GroupDescription>IVCS-NM-000690The ICS must be configured to limit the number of concurrent sessions to an organization-defined number for each administrator account and/or administrator account type.<VulnDiscussion>Device management includes the ability to control the number of administrators and management sessions that manage a device. Limiting the number of allowed administrators and sessions per administrator based on account type, role, or access type is helpful in limiting risks related to DoS attacks.
+
+This requirement addresses concurrent sessions for administrative accounts and does not address concurrent sessions by a single administrator via multiple administrative accounts. The maximum number of concurrent sessions should be defined based upon mission needs and the operational environment for each system. At a minimum, limits must be set for SSH, HTTPS, account of last resort, and root account sessions.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Ivanti Connect Secure NDMDISADPMS TargetIvanti Connect Secure NDM5558CCI-000054In the ICS Web UI, navigate to Administrators >> Admins Realms >> Admin Realms.
+1. Click the configured admin realm being used for CAC/PKI token admin logins.
+2. Click the "Authentication Policy" tab, then click "Limits".
+3. In "Maximum number of sessions per user", type the number "1".
+4. Click "Save Changes".In the ICS Web UI, navigate to Administrators >> Admins Realms >> Admin Realms.
+1. Click the configured admin realm being used for CAC/PKI token admin logins.
+2. Click the "Authentication Policy" tab.
+3. Click "Limits".
+
+If there is any number other than 1 in "Maximum number of sessions per user", this is a finding.SRG-APP-000068-NDM-000215<GroupDescription></GroupDescription>IVCS-NM-000710The ICS must be configured to display the Standard Mandatory DOD Notice and Consent Banner before granting access to manage the device.<VulnDiscussion>Display of the DOD-approved use notification before granting access to the network device ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
+
+System use notifications are required only for access via logon interfaces with human users.
+
+The banner is retained until acknowledgement by default when the banner is selected in the sign-in policy.
+
+Satisfies: SRG-APP-000068-NDM-000215, SRG-APP-000069-NDM-000216</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Ivanti Connect Secure NDMDISADPMS TargetIvanti Connect Secure NDM5558CCI-000048CCI-000050Configure ICS to present a DOD-approved banner that is formatted in accordance with DTM-08-060. Do not alter the text or format. Configure */admin/ (or whatever custom URL is used for CAC/PKI token admin access) with a sign-in notice.
+
+In the ICS Web UI, navigate to Authentication >> Signing In >> Sign-In Notifications.
+1. Click "New Notification".
+2. For name, type: "DOD Notice and Consent".
+3. In the text box type the following:
+"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
+-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
+-At any time, the USG may inspect and seize data stored on this IS.
+-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
+-This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy.
+-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details".
+4. Click "Save Changes".
+5. Go to Authentication >> Signing In >> Sign-In Policies.
+6. Click the */admin/ (or whatever custom URL is used for CAC/PKI token admin access).
+7. Under "Configure SignIn Notifications", check the box for "Pre-Auth Sign-in Notification", and in the drop-down menu, assign the notification titled "DOD Notice and Consent".Determine if the network device is configured to present a DOD-approved banner that is formatted in accordance with DTM-08-060.
+
+In the ICS Web UI, navigate to Authentication >> Signing In >> Sign-In Policies/
+1. Click the */admin/ (or whatever custom URL is used for CAC/PKI token admin access).
+2. Verify the DOD banner is entered exactly as required with no alterations.
+
+"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
+-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
+-At any time, the USG may inspect and seize data stored on this IS.
+-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
+-This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy.
+-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details".
+
+If the banner is not used, displayed, or the text/format is altered, this is a finding.SRG-APP-000065-NDM-000214<GroupDescription></GroupDescription>IVCS-NM-000720The ICS must be configured to enforce the limit of three consecutive invalid logon attempts, after which time it must block any login attempt for 15 minutes.<VulnDiscussion>By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Ivanti Connect Secure NDMDISADPMS TargetIvanti Connect Secure NDM5558CCI-000044In the ICS Web UI, navigate to Authentication >> Auth Servers >> Administrators.
+1. Under the section "Account Lockout", check the box for "Enable Account Lockout for users".
+2. Under the section "Account Lockout", set the box "Maximum wrong password attempts" to "3".
+3. Under the section "Account Lockout", set the box "Account Lockout Period in Minutes" to "15".
+4. Click "Save Changes".In the ICS Web UI, navigate to Authentication >> Auth Servers >> Administrators.
+1. Under the section "Account Lockout", verify "Enable Account Lockout for users" is checked.
+2. Under the section "Account Lockout", verify "Maximum wrong password attempts" is set to "3".
+3. Under the section "Account Lockout", verify "Account Lockout Period in Minutes" is set to "15".
+
+If the ICS must be configured to enforce the limit of three consecutive invalid logon attempts, after which time it must block any login attempt for 15 minutes, this is a finding.SRG-APP-000516-NDM-000340<GroupDescription></GroupDescription>IVCS-NM-000740The ICS must be configured to conduct backups of system level information contained in the information system when changes occur.<VulnDiscussion>System-level information includes default and customized settings and security attributes, including ACLs that relate to the network device configuration, as well as software required for the execution and operation of the device. Information system backup is a critical step in ensuring system integrity and availability. If the system fails and there is no backup of the system-level information, a denial of service condition is possible for all who utilize this critical network component.
+
+This control requires the network device to support the organizational central backup process for system-level information associated with the network device. This function may be provided by the network device itself; however, the preferred best practice is a centralized backup rather than each network device performing discrete backups.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Ivanti Connect Secure NDMDISADPMS TargetIvanti Connect Secure NDM5558CCI-000366CCI-000537In the ICS Web UI, navigate to Maintenance >> Archiving >> Archive Servers.
+1. Click "SCP" if using an SFTP/SCP server, other mechanisms may not be allowed due to local security policy. Check with the ISSM before configuring anything other than SCP.
+2. Under "Archive Server", type the hostname or IPv4/IPv6 address.
+3. In "Destination Directory" type the path of the backup (e.g., "/backupfolder/ics/").
+4. In the "Username" field, type the username with SCP/SFTP permissions on the backup server.
+5. In the "Password" field, type the password.
+6. Under "Archive Schedule", select "Archive System Configuration", then click the day of the week and time when the backup should be sent.
+7. Under "Archive System Configuration", ensure a password is given to encrypt the backup.
+8. Under "Archive Schedule", select "Archive User Accounts", then click the day of the week and time when the backup should be sent.
+9. Under "Archive User Accounts", ensure a password is given to encrypt the backup.
+10. Click "Save Changes".In the ICS Web UI, navigate to Maintenance >> Archiving >> Archive Servers.
+
+Under "Archive Settings", if there is no archive server configured, this is a finding.
+
+Under "Archive Schedule", if "Archive System Configuration", and "Archive User Accounts" are not selected, this is a finding.
+
+Under "Archive Schedule", if "Archive System Configuration", and "Archive User Accounts" are not configured at a specific time and day of the week, this is a finding.
+
+Under "Archive Schedule", if "Archive System Configuration", and "Archive User Accounts" are not configured with a password for backup encryption, this is a finding.
\ No newline at end of file
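Review bot: the check text for IVCS-NM-000720 is logically inverted and would make every system a finding: "If the ICS must be configured to enforce the limit of three consecutive invalid logon attempts, after which time it must block any login attempt for 15 minutes, this is a finding." The other rules in this file use the "If the ICS is not configured to ..." form (compare IVCS-NM-000500 and IVCS-NM-000510), so this one should read "If the ICS is not configured to enforce the limit ..."; since the file is a verbatim copy of the DISA release (Release: 1, Benchmark Date: 08 Nov 2023), the fix belongs upstream via the disa.stig_spt@mail.mil address in the header, with a note in this PR that the benchmark ships with the defect. Smaller issues in the same hunk: the check for IVCS-NM-000710 navigates to "Sign-In Policies/" (stray trailing slash, the fix text says "Sign-In Policies"), and the IVCS-NM-000740 check refers to "Archive Settings" while the fix text configures "Archive Server". Style: the file lacks a trailing newline ("\ No newline at end of file"); add one so later diffs against it stay clean.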
diff --git a/benchmarks/DISA/U_Ivanti_Connect_Secure_VPN_STIG_V1R1_Manual-xccdf.xml b/benchmarks/DISA/U_Ivanti_Connect_Secure_VPN_STIG_V1R1_Manual-xccdf.xml
new file mode 100644
index 000000000..03990fecd
--- /dev/null
+++ b/benchmarks/DISA/U_Ivanti_Connect_Secure_VPN_STIG_V1R1_Manual-xccdf.xml
@@ -0,0 +1,476 @@
+acceptedIvanti Connect Secure VPN Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 1 Benchmark Date: 08 Nov 20233.4.1.229161.10.01I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>SRG-NET-000019-VPN-000040<GroupDescription></GroupDescription>IVCS-VN-000010The ICS must be configured to ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies.<VulnDiscussion>Unrestricted traffic may contain malicious traffic which poses a threat to an enclave or to other connected networks. Additionally, unrestricted traffic may transit a network, which uses bandwidth and other resources.
+
+VPN traffic received from another enclave with different security policy or level of trust must not bypass be inspected by the firewall before being forwarded to the private network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Ivanti Connect Secure VPNDISADPMS TargetIvanti Connect Secure VPN5559CCI-001414Establish Access Control policy in accordance with the site's system security plan. Policies will vary based on security policies and architecture.
+
+In the ICS Web UI, navigate to Users >> Resource Policies >> VPN Tunneling >> Access Control.
+1. Click "New Policy".
+2. Enter a name.
+3. Under IPv4 Resources, add all allowed ports and protocols required for users. Examples provided below:
+- For ICMP configure the following: icmp://10.0.0.0/255.255.255.0 to allow ICMP communications for the 10.0.0.0/24 subnet.
+- For TCP configure the following: tcp://*:80,443 to allow TCP communications for all IPv4 addresses going to TCP port 80 and 443 (web traffic).
+- For UDP configure the following: udp://10.0.0.0/255.255.255.0:53,123 to allow UDP communications for the 10.0.0.0/24 IPv4 addresses going to UDP port 53 (DNS) and 123 (NTP).
+4. Under IPv6 Resources, add all allowed ports and protocols required for users. Examples provided below:
+- For ICMP configure the following: icmpv6://[2001:db8:1::/64] to allow ICMPv6 communications for the 2001:db8:1::/64 subnet.
+- For TCP configure the following: tcp://[*]:80,443 to allow TCP communications for all IPv6 addresses going to TCP port 80 and 443 (web traffic).
+- For UDP configure the following: udp://[2001:db8:2::/64]:53,123 to allow UDP communications for the 2001:db8:2::/64 IPv6 addresses going to UDP port 53 (DNS) and 123 (NTP).
+5. For FQDN, add specific URLs to allow, if needed.
+6. Select "Policy applies to SELECTED roles" and select the role that remote access VPN users are assigned. If there are multiple, select each one and click "Add".
+7. Click "Allow Access".
+8. Click "Save Changes".In the ICS Web UI, navigate to Users >> Resource Policies >> VPN Tunneling >> Access Control.
+1. Verify that an Access Control Policy exists.
+2. Verify the Access Control Policy is not configured to allows all IPv4/IPv6 addresses or all TCP/UDP ports.
+
+If the ICS does not use one or more Access Control Policies to restrict inbound and outbound traffic compliance with the sites documented information flow control policy, this is a finding.SRG-NET-000041-VPN-000110<GroupDescription></GroupDescription>IVCS-VN-000020The ICS must display the Standard Mandatory DOD Notice and Consent Banner before granting access to users.<VulnDiscussion>Display of the DOD-approved use notification before granting access to the network device ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
+
+Satisfies: SRG-NET-000041-VPN-000110, SRG-NET-000042-VPN-000120, SRG-NET-000043-VPN-000130</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Ivanti Connect Secure VPNDISADPMS TargetIvanti Connect Secure VPN5559CCI-000048CCI-000050CCI-001384CCI-001385CCI-001386CCI-001387CCI-001388Configured to present a DOD-approved banner that is formatted in accordance with DTM-08-060. Configure the remote access VPN user access sign-in notice. This may or may not be the same as the admin portal.
+
+In the ICS Web UI, navigate to Authentication >> Signing In >> Sign-In Notifications.
+1. Click "New Notification".
+2. For name, type: "DOD Notice and Consent".
+3. In the text box type the following:
+"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
+- The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
+- At any time, the USG may inspect and seize data stored on this IS.
+- Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
+- This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy.
+- Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details".
+4. Click "Save Changes".
+5. Go to Authentication >> Signing In >> Sign-In Policies.
+6. Click the "*/" (or whatever custom URL is used for remote access VPN user access).
+7. Under "Configure SignIn Notifications", check the box for "Pre-Auth Sign-in Notification" in the drop-down menu, and assign the notification titled "DOD Notice and Consent".Determine if the network device is configured to present a DOD-approved banner that is formatted in accordance with DTM-08-060. Verify the remote access VPN user access sign-in notice is configured and displayed. This may or may not be the same as the admin portal.
+
+1. In the ICS Web UI, navigate to Authentication >> Signing In >> Sign-In Notifications.
+
+Verify the use of the following verbiage for applications that can accommodate banners of 1300 characters:
+
+"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
+
+By using this IS (which includes any device attached to this IS), you consent to the following conditions:
+-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
+-At any time, the USG may inspect and seize data stored on this IS.
+-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
+-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
+-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details".
+
+Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner:
+"I've read & consent to terms in IS user agreem't".
+
+2. In the ICS Web UI, navigate to Authentication >> Signing In >> Sign-In Policies.
+3. Click the "*/" (or whatever custom URL is used for remote access VPN user access).
+
+Under "Configure SignIn Notifications", if the "Pre-Auth Sign-in Notification" is not checked, or if the previously mentioned notification text is not assigned to this policy, this is a finding.SRG-NET-000053-VPN-000170<GroupDescription></GroupDescription>IVCS-VN-000050The ICS must be configured to limit the number of concurrent sessions for user accounts to one.<VulnDiscussion>VPN gateway management includes the ability to control the number of users and user sessions that utilize a VPN gateway. Limiting the number of allowed users and sessions per user is helpful in limiting risks related to DoS attacks.
+
+This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based upon mission needs and the operational environment for each system.
+
+The intent of this policy is to ensure the number of concurrent sessions is deliberately set to a number based on the site's mission and not left unlimited.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Ivanti Connect Secure VPNDISADPMS TargetIvanti Connect Secure VPN5559CCI-000054In the ICS Web UI, navigate to Users >> User Realms >> User Realms.
+1. If using the default user realm, click "User". Otherwise, click the configured user realm that will be used for user remote access VPN using DOD CAC authentication.
+2. Click the "Authentication Policy" tab, then click "Limits".
+3. In "Maximum number of sessions per user", type the number "1".
+4. Click "Save Changes".In the ICS Web UI, navigate to Users >> User Realms >> User Realms.
+1. If using the default user realm, click "User". Otherwise, click the configured user realm that will be used for user remote access VPN using DOD CAC authentication.
+2. Click the "Authentication Policy" tab, then click "Limits".
+
+If the ICS does not limit the number of concurrent sessions for user accounts to "1", this is a finding.SRG-NET-000062-VPN-000200<GroupDescription></GroupDescription>IVCS-VN-000060The ICS must be configured to use TLS 1.2, at a minimum.<VulnDiscussion>Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol.
+
+NIST SP 800-52 Rev2 provides guidance for client negotiation on either DOD-only or public-facing servers.
+
+Satisfies: SRG-NET-000062-VPN-000200, SRG-NET-000371-VPN-001650, SRG-NET-000530-VPN-002340, SRG-NET-000540-VPN-002350</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Ivanti Connect Secure VPNDISADPMS TargetIvanti Connect Secure VPN5559CCI-000068CCI-001453CCI-002418Configure the ICS to uses TLS 1.2 to protect remote access transmissions.
+
+In the ICS Web UI, navigate to System >> Configuration >> Inbound SSL Options.
+1. Under Allowed SSL and TLS Version, check the box for "Accept only TLS 1.2 (maximize security)".
+2. Click "Save Changes".
+3. Click "Proceed" for acceptance of Cipher Change.
+
+Navigate to System >> Configuration >> Outbound SSL Options.
+1. Under Allowed SSL and TLS Version, check the box for "Accept only TLS 1.2 (maximize security)".
+2. Click "Save Changes".
+3. Click "Proceed" for acceptance of Cipher Change.Determine if the ICS uses TLS 1.2 to protect remote access transmissions.
+
+In the ICS Web UI, navigate to System >> Configuration >> Inbound SSL Options.
+1. Under Allowed SSL and TLS Version, verify "Accept only TLS 1.2 (maximize security)" is checked.
+2. Navigate to System >> Configuration >> Outbound SSL Options.
+3. Under Allowed SSL and TLS Version, verify "Accept only TLS 1.2 (maximize security)" is checked.
+
+If the ICS does not use TLS 1.2, at a minimum, this is a finding.SRG-NET-000078-VPN-000290<GroupDescription></GroupDescription>IVCS-VN-000090The ICS must be configured to generate log records containing sufficient information about where, when, identity, source, or outcome of the events.<VulnDiscussion>Without establishing when events occurred, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack.
+
+VPN gateways often have a separate audit log for capturing VPN status and other information about the traffic (as opposed to the log capturing administrative and configuration actions).
+
+Associating event types with detected events in the network audit logs provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured VPN gateway.
+
+Satisfies: SRG-NET-000078-VPN-000290, SRG-NET-000079-VPN-000300, SRG-NET-000088-VPN-000310, SRG-NET-000089-VPN-000330, SRG-NET-000091-VPN-000350, SRG-NET-000077-VPN-000280, SRG-NET-000313-VPN-001050, SRG-NET-000492-VPN-001980</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Ivanti Connect Secure VPNDISADPMS TargetIvanti Connect Secure VPN5559CCI-000130CCI-000131CCI-000132CCI-000133CCI-000134CCI-000172CCI-001487CCI-002314In the ICS Web UI, navigate to System >> Log/Monitoring >> User Access >> Settings.
+1. Under "Select Events to Log", check all items.
+2. Set the standard filer.
+3. Click "Add".
+4. Click "Save Changes".
+
+Note: If the site uses SNMP, the configuration can be used in conjunction with this requirement which is recommended. By default, SNMP is disabled. The device only supports Simple Network Management Protocol version 3 (SNMPv3) in a DOD configuration. The device supports queries only, traps only, or both when enabling SNMP. Refer to SRG-NET-000335-VPN-001270 for configuration.In the ICS Web UI, navigate to System >> Log/Monitoring >> User Access >> Settings.
+
+Under "Select Events to Log", verify all items are checked.
+
+If the ICS must be configured to generate log records containing information investigate the events, this is a finding.SRG-NET-000138-VPN-000490<GroupDescription></GroupDescription>IVCS-VN-000180The ICS must be configured to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).<VulnDiscussion>To ensure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system.
+
+Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and any processes acting on behalf of users) must be uniquely identified and authenticated for all accesses except the following.
+
+(i) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication; and
+
+(ii) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals' in-group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity.
+
+This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN or proxy capability). This does not apply to authentication for the purpose of configuring the device itself (i.e., device management).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Ivanti Connect Secure VPNDISADPMS TargetIvanti Connect Secure VPN5559CCI-000764Configure an authentication server for the user realm.
+
+In the ICS Web UI, navigate to Users >> User Realms >> User Realms.
+1. Click the user realm that is currently being used on the ICS for standard remote access VPN logins.
+2. In the "General" tab, under Servers >> Authentication.
+3. Click "New Servers". Under "server type", select Certificate Server >> New Server.
+4. Type a Name, then under User Name template type this exactly: <certAttr.altname.UPN>
+5. Click "Save Changes".
+6. Navigate to Authentication >> Auth Servers.
+7. Click "New Servers". Under "server type", select LDAP Server >> New Server.
+8. Type a name for the primary LDAP server domain.
+9. LDAP server: the FQDN of the server (an IP address may cause an error as the LDAP server certificate might not have an IP in the SAN field).
+10. LDAP port: 636 (this is for LDAPS).
+11. Backup LDAP Server1: the FQDN of the secondary server (an IP address may cause an error as the LDAP server certificate might not have an IP in the SAN field).
+12. Backup LDAP Port1: 636.
+13. If a third LDAP server is needed, add this and the port info under Backup LDAP Server2 and Backup LDAP Port2.
+14. LDAP Server Type: Active Directory.
+15. Connection: LDAPS.
+16. Ensure "Validate Server Certificate" is checked.
+17. Connection Timeout: 15.
+18. Search Timeout: 60.
+19. Scroll down to the bottom and click "Save Changes". Click "Test Settings" to ensure valid communications are possible.
+NOTE: If there are failures in this testing, ensure that the step for Device Certificates and Trusted Server CAs were completed, as this will cause LDAPS certificate issues.
+20. Under "authentication required", click the box for "Authentication required" to search LDAP.
+21. Enter the service account's Admin DN using this as an example format: CN=PCS.SVC,OU=IVANTI,DC=DOD,DC=mil
+22. Enter the service account's password.
+23. Under "Finding user entries", add the base DN of the domain as an example format: DC=DOD,DC=mil
+24. Under "filter", use this specific attribute configuration: userPrincipalName=<USER>
+25. Under "group membership", add the base DN of where admin users that will access, using this as an example format: OU=IVANTI,DC=DOD,DC=mil
+26. Under "filter", use the following: cn=<GROUPNAME>
+27. Under "member attribute", use the following: member.
+28. Click "Save Changes".
+29. In the same LDAP server configuration screen, scroll down and click the "Server Catalog" hyperlink.
+30. Under "attributes", click "New", Type: userPrincipalName, and click "Save Changes".
+31. Under "groups", click "Search". In the search box, type the group name used for user logins.
+32. Check the box next to the group that is found and click "Add Selected".
+33. Repeat these steps for all various groups needed for various user/computer roles on the ICS system.
+34. Click "Save Changes".In the ICS Web UI, navigate to Users >> User Realms >> User Realms.
+1. Click the user realm that is currently being used on the ICS for standard remote access VPN logins.
+2. View "General" tab, under Servers >> Authentication. Verify a certificate authentication server is configured.
+3. View "General" tab, under Servers >> Directory/Attribute. Verify there is an entry defined.
+4. View "Role Mapping" tab, under "when users meet these conditions", verify "Group" is used with the local user active directory group selected and assigned to the role that was created.
+
+If the ICS does not use DOD PKI for network access to nonprivileged accounts, this is a finding.SRG-NET-000140-VPN-000500<GroupDescription></GroupDescription>IVCS-VN-000190The ICS must be configured to use multifactor authentication (e.g., DOD PKI) for network access to nonprivileged accounts.<VulnDiscussion>To ensure accountability and prevent unauthenticated access, nonprivileged users must use multifactor authentication to prevent potential misuse and compromise of the system.
+
+Multifactor authentication uses two or more factors to achieve authentication. Use of password for user remote access for nonprivileged account is not authorized.
+
+Factors include:
+(i) Something you know (e.g., password/PIN);
+(ii) Something you have (e.g., cryptographic identification device, token); or
+(iii) Something you are (e.g., biometric).
+
+A nonprivileged account is any information system account with authorizations of a nonprivileged user.
+
+Network access is any access to a network element by a user (or a process acting on behalf of a user) communicating through a network.
+
+The DOD CAC with DOD-approved PKI is an example of multifactor authentication.
+
+Satisfies: SRG-NET-000140-VPN-000500, SRG-NET-000342-VPN-001360</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Ivanti Connect Secure VPNDISADPMS TargetIvanti Connect Secure VPN5559CCI-000766CCI-001954Configure the user realm to use DOD PKI and the site's authentication servers. A sign-in policy is then applied in accordance with the site's access configuration. The focus for this requirement is on the path so the installation of the device certificates is not included.
+
+In the ICS Web UI, navigate to Authentication >> Auth Servers.
+1. Click "New Servers". Under "server type", select Certificate Server >> New Server.
+2. Type a Name. Under User Name template type this exactly: <certAttr.altname.UPN>
+3. Click "Save Changes".
+4. Navigate to Authentication >> Auth Servers.
+5. Click "New Servers". Under "server type", select LDAP Server >> New Server.
+6. Type a name for the primary LDAP server domain.
+7. LDAP server: the FQDN of the server (an IP address may cause an error as the LDAP server certificate might not have an IP in the SAN field).
+8. LDAP port: 636 (this is for LDAPS).
+9. Backup LDAP Server1: the FQDN of the secondary server (an IP address may cause an error as the LDAP server certificate might not have an IP in the SAN field).
+10. Backup LDAP Port1: 636.
+11. If a third LDAP server is needed, add this and the port info under Backup LDAP Server2 and Backup LDAP Port2.
+12. LDAP Server Type: Active Directory.
+13. Connection: LDAPS.
+14. Ensure Validate Server Certificate is checked.
+15. Connection Timeout: 15.
+16. Search Timeout: 60.
+17. Scroll down to the bottom and click "Save Changes". Click "Test Settings" to ensure valid communications are possible.
+NOTE: If there are failures in this testing, ensure that the step for Device Certificates and Trusted Server CAs were completed as this will cause LDAPS certificate issues.
+18. Under authentication required, click the box for Authentication required to search LDAP.
+19. Enter the service account's Admin DN using this as an example format: CN=PCS.SVC,OU=IVANTI,DC=DOD,DC=mil
+20. Enter the service account's password.
+21. Under "Finding user entries", add the base DN of the domain as an example format: DC=DOD,DC=mil
+22. Under "filter", use this specific attribute configuration: userPrincipalName=<USER>
+23. Under "group membership", add the base DN of where admin users that will access, using this as an example format: OU=IVANTI,DC=DOD,DC=mil
+24. Under "filter", use the following: cn=<GROUPNAME>
+25. Under "member attribute", use the following: member.
+26. Click "Save Changes".
+27. Now back in the same LDAP server configuration screen, scroll down and click the "Server Catalog" hyperlink.
+28. Under "attributes", click "New", Type: userPrincipalName, and click "Save Changes".
+29. Under "groups", click "Search". In the search box, type the group name used for user logins.
+30. Check the box next to the group that is found and click "Add Selected".
+31. Repeat these steps for all various groups needed for various user/computer roles on the ICS system.
+
+In the ICS Web UI, navigate to Users >> Users Realms.
+1. Click the user realm being used for remote access VPN logins.
+2. Under "servers", go to "Authentication" and select the certificate authentication realm created that included the customized User template of <certAttr.altname.UPN>.
+3. Under "Directory/Attribute", select the previously created LDAP server.
+4. Check the box for "Enable dynamic policy evaluation".
+5. Check both the "Refresh roles" and "refresh resource policies".
+6. Click "Save Changes".
+7. Go to the "Role Mapping" tab.
+8. Click "New Rule".
+9. Select "Rule based on Group Membership" and click "Update".
+10. Type a name for this rule.
+11. Select "is".
+12. Type the group name exactly as it appears as the CN LDAP attribute.
+13. Select the role needed for these VPN logins.
+14. Click "Save Changes".In the ICS Web UI, navigate to Users >> User Realms >> User Realms.
+1. Click the user realm that is currently being used on the ICS for standard remote access VPN logins.
+2. View "General" tab, under Servers >> Authentication. Verify a certificate authentication server is configured.
+3. View "General" tab, under Servers >> Directory/Attribute. Verify there is an entry defined.
+4. View "Role Mapping" tab, under "when users meet these conditions", verify "Group" is used with the local user active directory group selected and assigned to the role that was created.
+
+If the ICS does not use DOD PKI for network access to nonprivileged accounts, this is a finding.SRG-NET-000164-VPN-000560<GroupDescription></GroupDescription>IVCS-VN-000210The ICS, when utilizing PKI-based authentication, must be configured to validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.<VulnDiscussion>Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted. To meet this requirement, the information system must create trusted channels between itself and remote trusted authorized IT product (e.g., syslog server) entities that protect the confidentiality and integrity of communications. The information system must create trusted paths between itself and remote administrators and users that protect the confidentiality and integrity of communications.
+
+A trust anchor is an authoritative entity represented via a public key and associated data. It is most often used in the context of public key infrastructures, X.509 digital certificates, and DNSSEC. However, applications that do not use a trusted path are not approved for nonlocal and remote management of DOD information systems.
+
+Use of SSHv2 to establish a trusted channel is approved. Use of FTP, TELNET, HTTP, and SNMPV1 is not approved since they violate the trusted channel rule set. Use of web management tools that are not validated by common criteria may also violate the trusted channel rule set.
+
+When there is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can be, for example, a Certification Authority (CA). A certification path starts with the subject certificate and proceeds through a number of intermediate certificates up to a trusted root certificate, typically issued by a trusted CA.
+
+This requirement verifies that a certification path to an accepted trust anchor is used for certificate validation and that the path includes status information. Path validation is necessary for a relying party to make an informed trust decision when presented with any certificate not already explicitly trusted. Status information for certification paths includes certificate revocation lists or online certificate status protocol responses. Validation of the certificate status information is out of scope for this requirement.
+
+Satisfies: SRG-NET-000164-VPN-000560, SRG-NET-000512-VPN-002230, SRG-NET-000580-VPN-002410</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Ivanti Connect Secure VPNDISADPMS TargetIvanti Connect Secure VPN5559CCI-000185CCI-000366Configure status checking on the ICS. The focus for this requirement is on the path, so the installation of the device certificates is not included.
+
+In the ICS Web UI, navigate to System >> Configuration >> Certificates >> Trusted Client CAs.
+1. Click the first DOD client CA.
+2. Enable "Use OCSP with CRL fallback" under "Client certificate status checking".
+3. Repeat these steps for every remaining client certificate CA.In the ICS Web UI, navigate to System >> Configuration >> Certificates >> Trusted Client CAs.
+1. Click the first DOD client CA.
+2. Verify the item "Use OCSP with CRL fallback" is selected under the "Client certificate status checking" setting.
+3. Check each client certificate CA. Verify the setting "Use OCSP with CRL fallback" is selected.
+
+For PKI-based authentication, if the ICS does not validate certificates by constructing a certification path (which includes revocation status information) to an accepted trust anchor, this is a finding.SRG-NET-000213-VPN-000721<GroupDescription></GroupDescription>IVCS-VN-000260The ICS must terminate remote access network connections after an organization-defined time period.<VulnDiscussion>This SRG requirement is in response to the DoD OIG Audit of Maintaining Cybersecurity in the Coronavirus Disease-2019 Telework Environment.
+
+Best practice is to terminate inactive user sessions after a period; however, when setting timeouts to any VPN connection, the organization must take into consideration the risk to the mission and the purpose of the VPN. VPN connections that provide user access to the network are the prime candidates for VPN session termination and are the primary focus of this requirement.
+
+To determine if and when the VPN connections warrant termination, the organization must perform a risk assessment to identify the use case for the VPN and determine if periodic VPN session termination puts the mission at significant risk.
+
+The organization must document the results and the determination of the risk assessment in the VPN section of the SSP. The organization must also configure VPN session terminations in accordance with the risk assessment.
+This SRG requirement is in response to the DOD OIG Audit of Maintaining Cybersecurity in the Coronavirus Disease-2019 Telework Environment.
+
+Best practice is to terminate inactive user sessions after a period; however, when setting timeouts to any VPN connection, the organization must take into consideration the risk to the mission and the purpose of the VPN. VPN connections that provide user access to the network are the prime candidates for VPN session termination and are the primary focus of this requirement.
+
+To determine if and when the VPN connections warrant termination, the organization must perform a risk assessment to identify the use case for the VPN and determine if periodic VPN session termination puts the mission at significant risk.
+
+The organization must document the results and the determination of the risk assessment in the VPN section of the SSP. The organization must also configure VPN session terminations in accordance with the risk assessment.
+
+Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element.
+
+Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, and de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system level network connection.
+
+This requirement applies to any network element that tracks individual sessions (e.g., stateful inspection firewall, ALG, or VPN).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Ivanti Connect Secure VPNDISADPMS TargetIvanti Connect Secure VPN5559CCI-000057CCI-001133Configure the user role being used for CAC/PKI token VPN client logins with a session timeout.
+
+In the ICS Web UI, navigate to Administrators >> Users Roles >> User Roles.
+1. Click the configured user role being used for CAC/PKI token VPN client logins.
+2. Click the "Session Options" tab.
+3. In the "Session Lifetime" section, set the Idle Timeout to "10".
+4. Click "Save Changes".Verify the user role being used for CAC/PKI token VPN client logins is configured with a session timeout.
+
+In the ICS Web UI, navigate to Administrators >> Users Roles >> User Roles.
+1. Click the configured user role being used for CAC/PKI token VPN client logins.
+2. Click the "Session Options" tab.
+
+In the "Session Lifetime" section, if Idle Timeout is not set to "10", this is a finding.SRG-NET-000334-VPN-001260<GroupDescription></GroupDescription>IVCS-VN-000305The ICS must be configured to send user traffic log data to redundant central log server.<VulnDiscussion>The aggregation of log data kept on a syslog server can be used to detect attacks and trigger an alert to the appropriate security personnel. The stored log data can used to detect weaknesses in security that enable the network IA team to find and address these weaknesses before breaches can occur. Reviewing these logs, whether before or after a security breach, are important in showing whether someone is an internal employee or an outside threat.
+
+This requirement applies only to components where this is specific to the function of the device (e.g., IDPS sensor logs, firewall logs). This does not apply to audit logs generated on behalf of the device itself (management).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Ivanti Connect Secure VPNDISADPMS TargetIvanti Connect Secure VPN5559CCI-001851Direct user access log events to the central log server.
+
+In the ICS Web UI, navigate to System >> Log/Monitoring >> User Access >> Settings.
+1. Under "Select Events to Log", check all items.
+2. Under "Syslog Servers", add an IP address/server name/IP.
+3. Set the facility to "LOCAL0".
+4. Set type to "TLS".
+5. If a client cert is required for the syslog server, select the client certificate to use for the syslog traffic. If none exists, import the DOD-signed client key pair to the ICS under System >> Configuration >> Certificates >> Client Auth Certificates.
+6. Set the standard filer.
+7. Set the source interface as either the management or internal interface.
+8. Click "Add".
+9. Click "Save Changes".
+10. Repeat these steps to add a redundant syslog server for user log events.Verify user access log events are being sent to the central log server.
+
+In the ICS Web UI, navigate to System >> Log/Monitoring >> User Access >> Settings.
+1. Under "Select Events to Log", verify all items are checked.
+2. Under "Syslog Servers", verify redundant server name/IP address, facility of LOCAL0, type TLS, and the source interface are defined.
+
+If the ICS must be configured to send admin log data to redundant central log server, this is a finding.SRG-NET-000335-VPN-001270<GroupDescription></GroupDescription>IVCS-VN-000310The ICS must be configured to forward all log failure events where the detection and/or prevention function is unable to write events to local log record or send an SNMP trap that can be forwarded to the SCA and ISSO.<VulnDiscussion>It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected.
+
+Alerts provide organizations with urgent messages. Automated alerts can be conveyed in a variety of ways, including, for example, telephonically, via electronic mail, via text message, or via websites. Log processing failures include software/hardware errors, failures in the log capturing mechanisms, and log storage capacity being reached or exceeded.
+
+The VPN daemon facility and log facility are messages in the log, which capture actions performed or errors encountered by system processes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Ivanti Connect Secure VPNDISADPMS TargetIvanti Connect Secure VPN5559CCI-001858Event logs are also updated to local logs by default in addition to the central syslog server. However, if the site uses SNMP, the following must be configured since SNMP is disabled by default.
+
+In the ICS Web UI, navigate to System >> Log/Monitoring >> SNMP.
+1. Under "SNMP Version data", select "v3".
+2. Under "Agent Properties", check "SNMP Traps".
+3. Under "Agent Properties", configure a System Name, Location, and Contact.
+4. Under "User 1", type in a valid username. Select "AuthPriv".
+- The auth protocol must be set to at least SHA. Type the Auth Password.
+- The priv protocol must be set to at least CFB-AES-128. Type in the priv password.
+5. Under "Trap Thresholds", ensure "Check Frequency" is 180 seconds, "Log Capacity" is 75%, "Users" is 100%, "Physical Memory" is 0%, "Swap Memory" is 0%, "Disk" is 75%, "CPU" is 0%, and "Meeting Users" is 100%.
+6. Under "Optional Traps", check the boxes for "Critical and Major Log Events".
+7. Under "SNMP Trap Servers", configure an IPv4/IPv6 address for the valid trap server/receiver, type in the port (default is 162), and select the user to use (use the user from step #4 above).If SNMP is used, verify the configuration is compliant. If SNMP is not used, this is not a finding.
+
+In the ICS Web UI, navigate to System >> Log/Monitoring >> SNMP.
+1. Under "Agent Properties", verify "SNMP Traps" is checked.
+2. Under "SNMP Version data", verify "v3" is selected.
+3. Under "User 1", verify a user configuration in AuthPriv is using at least SHA and CFB-AES-128.
+4. Verify "Optional Traps Critical and Major Log Events" are checked.
+5. Verify the SNMP server IPv4/IPv6 address is configured under "SNMP Trap Servers".
+
+If SNMP is incorrectly configured, this is a finding.SRG-NET-000343-VPN-001370<GroupDescription></GroupDescription>IVCS-VN-000340The ICS must be configured to authenticate all clients before establishing a connection.<VulnDiscussion>Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity.
+
+For ICS, user authentication uses authentication servers, realms, roles, and sign-in policies. To the device, both machine and user authentication are treated as user logins and certificates (machine certs and CAC) are supported for authentication. Although both machine and human users are considered "users" to the device. The system supports separating admin from user/computer authentication by duplicating auth servers and only associating a single server to an admin realm or a user realm but not both. This supports the DOD best practice of authenticating admin authentication using a separate authentication server from user authentication.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Ivanti Connect Secure VPNDISADPMS TargetIvanti Connect Secure VPN5559CCI-001958Configure client certificates and enable them on an appropriate user/computer realm to enable client authentication.
+
+In the Ivanti ICS Web UI, navigate to System >> Configuration >> Certificates >> Trusted Server CAs.
+1. Click "Import Trusted Server CAs".
+2. Import the Active Directory root CA certificate by clicking "Browse", selecting the certificate file, and clicking "Import Certificate".
+3. Repeat these steps for the intermediate CA certificate.
+NOTE: these certificates could be DOD-signed CA certificates, or they could be internal private CA certificates. Import certificates based on the use case of the site.
+
+In the Ivanti ICS Web UI, navigate to System >> Configuration >> Certificates >> Trusted Client CAs.
+1. Click "Import CA Certificate".
+2. Import the DOD Client CAC root CA certificate by clicking "Browse", selecting the certificate file, and clicking "Import Certificate" (e.g., "DOD Root CA 3").
+3. Repeat these steps for the intermediate/issuing CAC CA certificate (e.g., "DOD ID CA 59").
+4. Repeat these steps for each intermediate CAC CA certificate.
+5. Click the Root CA certificate that was imported.
+6. Under client certificate status checking, ensure the following is set:
+- Use OCSP with CRL Fallback.
+- "Trusted for client Authentication" must be checked.
+7. Optionally, if the network the site is in must use a local OCSP repeater/responder, go to OCSP settings. Otherwise, move on to the Device Certificates.
+8. Click "OSCP options". Use "Manually Configured" responders.
+9. Enter the URL for the primary and backup OCSP responder.
+10. Optionally, if the OCSP responder requires request signing and nonce usage, select those here.
+
+In the Ivanti ICS Web UI, navigate to System >> Configuration >> Certificates >> Device Certificates.
+1. Click "New CSR".
+2. Under Common Name, ensure this has the FQDN for the ICS server, then fill out all other items.
+3. If using RSA, select "2048". If using ECC, select "P-384".
+IMPORTANT NOTE: If the remote access VPN is carrying classified data, the certificate and key being used by ICS MUST be an ECC P-384 key pair.
+4. Click "Create CSR". Export the CSR and import it into the DOD site's Registration Authority (RA). Ensure that Subject Alternative Names (SANs) are created for all FQDNs, server names, and cluster names on the web enrollment form.
+5. Once the certificate is approved, download it and import it in this same section of the ICS.
+
+In the Ivanti ICS Web UI, navigate to Authentication >> Auth Servers
+1. Click "New Servers". Under "server type", select Certificate Server >> New Server.
+2. Type a Name. Under User Name template type this exactly: <certAttr.altname.UPN>
+3. Click "Save Changes".
+4. Navigate to Authentication >> Auth Servers.
+5. Click "New Servers". Under "server type", select LDAP Server >> New Server.
+6. Type a name for the primary LDAP server domain.
+7. LDAP server: the FQDN of the server (an IP address may cause an error as the LDAP server certificate might not have an IP in the SAN field).
+8. LDAP port: 636 (this is for LDAPS).
+9. Backup LDAP Server1: the FQDN of the secondary server (an IP address may cause an error as the LDAP server certificate might not have an IP in the SAN field).
+10. Backup LDAP Port1: 636.
+11. If a third LDAP server is needed, add this and the port info under Backup LDAP Server2 and Backup LDAP Port2.
+12. LDAP Server Type: Active Directory.
+13. Connection: LDAPS.
+14. Ensure Validate Server Certificate is checked.
+15. Connection Timeout: 15.
+16. Search Timeout: 60.
+17. Scroll down to the bottom and click "Save Changes". Click "Test Settings" to ensure valid communications are possible.
+NOTE: If there are failures in this testing ensure that the step for Device Certificates and Trusted Server CAs were completed, as this will cause LDAPS certificate issues.
+18. Under authentication required, click the box for "Authentication required" to search LDAP.
+19. Enter the service account's Admin DN using this as an example format: CN=PCS.SVC,OU=IVANTI,DC=DOD,DC=mil
+20. Enter the service account's password.
+21. Under "Finding user entries", add the base DN of the domain as an example format: DC=DOD,DC=mil
+22. Under "filter", use this specific attribute configuration: userPrincipalName=<USER>
+23. Under "group membership", add the base DN of where admin users that will access, using this as an example format: OU=IVANTI,DC=DOD,DC=mil
+24. Under "filter", use the following: cn=<GROUPNAME>
+25. Under "member attribute", use the following: member
+26. Click Save "Changes".
+27. Now back in the same LDAP server configuration screen, scroll down and click the "Server Catalog" hyperlink.
+28. Under "attributes", click "New", Type: userPrincipalName, and click "Save Changes".
+29. Under "groups", click "Search". In the search box, type the group name used for admin logins.
+30. Check the box next to the group that is found and click "Add Selected".
+31. Repeat these steps for all various groups needed for various roles on the ICS system. For example, groups for auditors, ISSOs, NOC, SOC, Viewer, etc.
+32. Click "Save Changes".
+
+In the Ivanti ICS Web UI, navigate to Users >> Users Realms.
+1. Click the user realm being used for remote access VPN logins.
+2. Under "servers", go to "Authentication" and select the certificate authentication realm created that included the customized User template of <certAttr.altname.UPN>.
+3. Under "Directory/Attribute", select the previously created LDAP server.
+4. Check the box for "Enable dynamic policy evaluation".
+5. Check both the "Refresh roles" and "refresh resource policies".
+6. Click "Save Changes".
+7. Go to the "Role Mapping" tab.
+8. Click "New Rule".
+9. Select "Rule based on Group Membership" and click "Update".
+10. Type a name for this rule.
+11. Select "is".
+12. Type the group name exactly as it appears as the CN LDAP attribute.
+13. Select the role needed for these VPN logins.
+14. Click "Save Changes".
+
+In the Ivanti ICS Web UI, navigate to Authentication >> Sign-in >> Sign-in Policies.
+1. Create a New URL or edit the */ URL (depending on the site).
+NOTE: it is recommended to create a new sign-in URL until this configuration is fully tested to ensure there is still web UI reachability in the troubleshooting process.
+2. Under authentication realm, click the "User picks from a list of authentication realms".
+3. Click "Save Changes".
+
+Test and verify the connection with CAC/Alt Token and LDAPS by attempting a remote access VPN web UI login using the token or CAC and entering the sign-in URL. Once successful, the user will click on the ICS client for completing the login connection.Verify client certificates are installed and assigned to applicable user/computer realm to enable client authentication for all remote clients.
+
+In the Ivanti ICS Web UI, navigate to Users >> User Realms >> User Realms.
+1. Click the user realm that is currently being used on the ICS for standard remote access VPN logins.
+2. In the "General" tab, under Servers >> Authentication, verify it is defined with a certificate authenticate server.
+3. In the "General" tab, under Servers >> Directory/Attribute, verify "none" is not displayed.
+4. In the "Role Mapping" tab, under "when users meet these conditions", verify "Group" must be used, and the local site's administrator active directory group must be selected and assigned to the role that was created.
+
+If the ICS is not configured to authenticate all client devices before establishing a connection, this is a finding.SRG-NET-000352-VPN-001460<GroupDescription></GroupDescription>IVCS-VN-000350The ICS must be configured to use an approved Commercial Solution for Classified (CSfC) when transporting classified traffic across an unclassified network.<VulnDiscussion>Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data.
+
+The National Security Agency/Central Security Service's (NSA/CSS) CSfC Program enables commercial products to be used in layered solutions to protect classified National Security Systems (NSS) data. Currently, Suite B cryptographic algorithms are specified by NIST and are used by NSA's Information Assurance Directorate in solutions approved for protecting classified and unclassified NSS. However, quantum resistant algorithms will be required for future required Suite B implementations.
+
+Satisfies: SRG-NET-000352-VPN-001460, SRG-NET-000565-VPN-002400, SRG-NET-000565-VPN-002390</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Ivanti Connect Secure VPNDISADPMS TargetIvanti Connect Secure VPN5559CCI-002450In the ICS Web UI, navigate to System >> Configuration >> Certificates >> Device Certificates.
+1. Click "New CSR".
+2. Add a Common Name in FQDN format.
+3. Add a Country code of "US".
+4. Under key type, select "ECC".
+5. Under the key length, select "P-384".
+6. Click "Create CSR".
+7. Copy the Base 64/PEM encoded certificate request that is shown on the screen and paste it to a text file. Ensure the file has the file suffix of .csr.
+8. Go through the local RA process for DOD Web Server certificate requests. Ensure that SANs are added to the certificate by the issuing CA to include the hostname, cluster names, and all FQDNs.
+9. Once the certificate is provided by the CA, go to System >> Configuration >> Certificates >> Device Certificates.
+10. Click "Browse" and select the certificate file issued by the CA. Then click "Import".
+11. Click "Save Changes".
+12. Click on the imported certificate.
+13. On the "Internal Port", click "add" for the cluster internal VIP and <Internal Port>.
+14. On the "External Port" click "add" for the cluster external VIP and <External Port>.
+15. Check the box for "Management Port".
+16. Under "Certificate Status Checking", click the box for "Use CRLs".
+17. Click "Save Changes".
+
+In the ICS Web UI, navigate to System >> Configuration >> Inbound SSL Options.
+1. Under "Allowed Encryption Strength", click "SuiteB - Accept only SuiteB ciphers".
+2. Click "Save Changes" and accept the cipher suite changes.If the ICS VPN Gateway is not being used to carry classified data (e.g., Secret, Top Secret, etc.), this is Not Applicable.
+
+1. Navigate to System >> Configuration >> Inbound SSL Options. Verify that under "Allowed Encryption Strength", if "SuiteB - Accept only SuiteB ciphers" is checked.
+2. Navigate to System >> Configuration >> Certificates >> Device Certificates. Verify the certificate being used by the ICS is an ECC P-384 Public Key.
+
+If the ICS is not configured to use only SuiteB ciphers with ECC P-384 keys for transporting classified traffic, this is a finding.SRG-NET-000369-VPN-001620<GroupDescription></GroupDescription>IVCS-VN-000360The ICS must be configured to disable split-tunneling for remote client VPNs.<VulnDiscussion>Split tunneling would in effect allow unauthorized external connections, making the system more vulnerable to attack and to exfiltration of organizational information.
+
+A VPN hardware or software client with split tunneling enabled provides an unsecured backdoor to the enclave from the internet. With split tunneling enabled, a remote client has access to the internet while at the same time has established a secured path to the enclave via an IPsec tunnel. A remote client connected to the internet that has been compromised by an attacker on the internet, provides an attack base to the enclave's private network via the IPsec tunnel. Hence, it is imperative that the VPN gateway enforces a no split-tunneling policy to all remote clients.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Ivanti Connect Secure VPNDISADPMS TargetIvanti Connect Secure VPN5559CCI-002397In the ICS Web UI, navigate to Users >> Resource Policies >> Split Tunneling Networks.
+1. If there are any split-tunnel network policies configured, select all of them and delete them.
+2. If the split tunneling policies are needed for debugging or testing only, ensure the role being applied is only for the debugging or test group.In the ICS Web UI, navigate to Users >> Resource Policies >> Split Tunneling Networks.
+
+If there are any split-tunnel network policies, this is a finding.SRG-NET-000550-VPN-002360<GroupDescription></GroupDescription>IVCS-VN-000440The ICS that provides a Simple Network Management Protocol (SNMP) Network Management System (NMS) must configure SNMPv3 to use FIPS-validated AES cipher block algorithm.<VulnDiscussion>Without device-to-device authentication, communications with malicious devices may be established. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk.
+
+SNMPv3 supports authentication, authorization, access control, and privacy, while previous versions of the protocol contained well-known security weaknesses, which were easily exploited. SNMPv3 can be configured for identification and bidirectional, cryptographically based authentication.
+
+A typical SNMP implementation includes three components: managed device, SNMP agent, and NMS. The SNMP agent is the SNMP process that resides on the managed device and communicates with the network management system. The NMS is a combination of hardware and software that is used to monitor and administer a network. The SNMP data is stored in a highly structured, hierarchical format known as a management information base (MIB). The SNMP manager collects information about network connectivity, activity, and events by polling managed devices.
+
+SNMPv3 defines a user-based security model (USM), and a view-based access control model (VACM). SNMPv3 USM provides data integrity, data origin authentication, message replay protection, and protection against disclosure of the message payload. SNMPv3 VACM provides access control to determine whether a specific type of access (read or write) to the management information is allowed. Implement both VACM and USM for full protection.
+
+SNMPv3 server services must not be configured on products whose primary purpose is not to provide SNMP services. SNMP client services may be configured on the VPN gateway, application, or operating system to allow limited monitoring or querying of the device from by an SNMP server for management purposes. SNMP of any version will not be used to make configuration changes to the device. SNMPv3 must be disabled by default and enabled only if used. SNMP v3 provides security feature enhancements to SNMP, including encryption and message authentication.
+
+Currently, the AES cipher block algorithm can be used for both applying cryptographic protection (e.g., encryption) and removing or verifying the protection that was previously applied (e.g., decryption) in DOD. The use of FIPS-approved algorithms for both cryptographic mechanisms is required. If any version of SNMP is used for remote administration, default SNMP community strings such as "public" and "private" should be removed before real community strings are put into place. If the defaults are not removed, an attacker could retrieve real community strings from the device using the default string.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Ivanti Connect Secure VPNDISADPMS TargetIvanti Connect Secure VPN5559CCI-001967Only the relevant portion of the SNMP configuration is highlighted here.
+
+In the ICS Web UI, navigate to System >> Log/Monitoring >> SNMP.
+1. Under "User 1", type in a valid username. Select "AuthPriv". The priv protocol must be set to at least CFB-AES-128.
+2. Type in the priv password.In the ICS Web UI, navigate to System >> Log/Monitoring >> SNMP.
+
+Under "User 1", if a user configuration in AuthPriv is not using at least SHA and CFB-AES-128, this is a finding.
\ No newline at end of file
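Review bot: The rules in this new file are VPN rules rather than NDM rules: IVCS-VN-000350, IVCS-VN-000360 and IVCS-VN-000440 each carry "DPMS Target Ivanti Connect Secure VPN", so either the VPN benchmark was committed under the NDM filename or two benchmarks were concatenated into one file; please confirm the content matches the filename before merging. Separately, the added text appears to have lost most of its XCCDF element markup (rule text runs straight into the next group ID, e.g. "this is a finding.SRG-NET-000352-VPN-001460<GroupDescription>"), which would leave the file unparseable as XCCDF if that is what was actually committed rather than a display artifact, and the file ends without a trailing newline ("\ No newline at end of file").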
diff --git a/stigs.json b/stigs.json
index 7d83bfee1..b69f89530 100644
--- a/stigs.json
+++ b/stigs.json
@@ -4426,13 +4426,6 @@
"url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_8-0_Y23M10_STIG.zip",
"size": "3.39 MB"
},
- {
- "id": "d26758ae-2548-4fa4-a716-433cbd9e1a68",
- "name": "z/OS RACF Products - Ver 6, Rel 59",
- "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_zOS_RACF_V6R59_Products.zip",
- "size": "8.96 MB",
- "version": "V6R59"
- },
{
"id": "0da5c279-2d69-47c0-b0fa-60e37e606d79",
"name": "Samsung Android 14 with Knox 3.x STIG",
@@ -4440,10 +4433,16 @@
"size": "3.02 MB"
},
{
- "id": "bfd1fe5e-d2bb-49a3-8641-d9ef3bee2413",
- "name": "z/OS ACF2 Products - Ver 6, Rel 59",
- "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_zOS_ACF2_V6R59_Products.zip",
- "size": "9.7 MB",
+ "id": "407936fb-cce4-4a5d-8427-051dc9255039",
+ "name": "Ivanti Connect Secure STIG",
+ "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Ivanti_Connect_Secure_Y23M11_STIG.zip",
+ "size": "1.16 MB"
+ },
+ {
+ "id": "9de16f80-40a4-44e0-a3cb-7caf5db3c3e2",
+ "name": "z/OS SRR Scripts - Ver 6, Rel 59",
+ "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_zOS_V6R59_SRR.zip",
+ "size": "1.89 MB",
"version": "V6R59"
}
]
\ No newline at end of file
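Review bot: This hunk overwrites the "z/OS ACF2 Products - Ver 6, Rel 59" entry instead of inserting the Ivanti entry beside it, so together with the RACF removal in the previous hunk two existing z/OS product records silently disappear; if the intent is only to add Ivanti Connect Secure, restore the ACF2 entry and add the new object alongside it. The new Ivanti entry also omits the "version" key that the neighbouring z/OS SRR Scripts entry records ("version": "V6R59"); add the benchmark version for consistency with those entries. The file still ends without a trailing newline ("\ No newline at end of file").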