<?xml version="1.0" encoding="UTF-8"?>
<CHECKLIST>
  <ASSET>
    <ROLE>None</ROLE>
    <ASSET_TYPE>Computing</ASSET_TYPE>
    <HOST_NAME></HOST_NAME>
    <HOST_IP></HOST_IP>
  </ASSET>
  <STIGS>
    <iSTIG>
      <STIG_INFO>
        <SI_DATA>
          <SID_NAME>title</SID_NAME>
          <SID_DATA>Cisco Secure Network Analytics (SNA) Security Technical Implementation Guide</SID_DATA>
        </SI_DATA>
        <SI_DATA>
          <SID_NAME>version</SID_NAME>
          <SID_DATA>1</SID_DATA>
        </SI_DATA>
        <SI_DATA>
          <SID_NAME>releaseinfo</SID_NAME>
          <SID_DATA>Release: 1</SID_DATA>
        </SI_DATA>
      </STIG_INFO>
    <VULN>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>V-284853</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>SV-284853r1212030_rule</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The Cisco SNA appliance must be configured to limit the number of concurrent sessions to an organization-defined number for each administrator account.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Device management includes the ability to control the number of administrators and management sessions that manage a device. Limiting the number of allowed administrators and sessions per administrator based on account type, role, or access type is helpful in limiting risks related to denial-of-service (DoS) attacks.

This requirement addresses concurrent sessions for administrative accounts and does not address concurrent sessions by a single administrator via multiple administrative accounts. The maximum number of concurrent sessions should be defined based upon mission needs and the operational environment for each system. At a minimum, limits must be set for SSH, HTTPS, account of last resort, and root account sessions.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Verify the Cisco SNA appliance is configured to limit the number of concurrent sessions to an organization-defined number for all administrator accounts.

Navigate to SNA Dashboard &gt;&gt; Configure &gt;&gt; Central Management &gt;&gt; Inventory &gt;&gt; Actions... &gt;&gt; Edit Appliance Configuration &gt;&gt; General &gt;&gt; Session Settings &gt;&gt; Maximum Number of Concurrent Sessions.

If the Cisco SNA appliance is not configured to limit the number of concurrent sessions to an organization-defined number for each administrator account, this is a finding.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Configure the SNA appliance to limit the number of concurrent sessions to an organization-defined number for all administrator accounts and/or administrator account types.

Navigate to SNA Dashboard &gt;&gt; Configure &gt;&gt; Central Management &gt;&gt; Inventory &gt;&gt; Actions... &gt;&gt; Edit Appliance Configuration &gt;&gt; General &gt;&gt; Session Settings. 

Input Maximum Number of Concurrent Sessions. 

Apply Configuration.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>V-284862</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>SV-284862r1227142_rule</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>high</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The Cisco SNA appliance must be configured to assign appropriate user roles or access levels to authenticated users.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Successful identification and authentication must not automatically give an entity full access to a network device or security domain. The lack of authorization-based access control could result in the immediate compromise and unauthorized access to sensitive information. All DoW systems must be properly configured to incorporate access control methods that do not rely solely on authentication for authorized access.

Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset or set of resources. Information systems use access control policies and enforcement mechanisms to implement this requirement. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization.

Some network devices are preconfigured with security groups. Other network devices enable operators to create custom security groups with custom permissions. For example, an information system security manager (ISSM) may require read-only access to audit the network device. Operators may create an audit security group, define permissions and access levels for members of the group, and then assign the ISSM&apos;s user persona to the audit security group. This is still considered privileged access, but the ISSM&apos;s security group is more restrictive than the network administrator&apos;s security group.

Network devices that rely on AAA brokers for authentication and authorization services may need to identify the available security groups or access levels available on the network devices and convey that information to the AAA operator. Once the AAA broker identifies the user persona on the centralized directory service, the user&apos;s security group memberships can be retrieved. The AAA operator may need to create a mapping that links target security groups from the directory service to the appropriate security groups or access levels on the network device. Once these mappings are configured, authorizations can happen dynamically, based on each user&apos;s directory service group membership.

This requirement also applies to Zero Trust initiatives.

Satisfies: SRG-APP-000033-NDM-000212, SRG-APP-000153-NDM-000249, SRG-APP-000329-NDM-000287</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Verify the Cisco SNA is configured to assign appropriate user roles to authenticated users. This requirement may be verified by demonstrating users logging in with various privilege levels. The configuration may also be compared as shown below:

Navigate to SNA Dashboard &gt;&gt; Configure &gt;&gt; User Management &gt;&gt; Users &gt;&gt; Select a User &gt;&gt; Actions....

Examine the assigned Data Role.

If the Cisco SNA appliance does not enforce the assigned privilege level for each administrator and authorizations for access to all commands relative to the privilege level, this is a finding.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Configure the Cisco SNA appliance to assign appropriate user roles or access levels to authenticated users:

Navigate to SNA Dashboard &gt;&gt; Configure &gt;&gt; User Management &gt;&gt; Create Dropdown (Top Right) &gt;&gt; Data Role.

Assign Data Read/Write privileges for the role.

Save.

Navigate to Users &gt;&gt; Select a User &gt;&gt; Actions....

Assign an appropriate Data Role.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>V-284863</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>SV-284863r1212037_rule</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The Cisco SNA appliance must be configured to enforce approved authorizations for controlling the flow of management information within the network device based on information flow control policies.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>A mechanism to detect and prevent unauthorized communication flow must be configured or provided as part of the system design. If management information flow is not enforced based on approved authorizations, the network device may become compromised. Information flow control regulates where management information is allowed to travel within a network device. The flow of all management information must be monitored and controlled so it does not introduce any unacceptable risk to the network device or data. 

Application-specific examples of enforcement occur in systems that employ rule sets or establish configuration settings that restrict information system services or message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics).

Applications providing information flow control must be able to enforce approved authorizations for controlling the flow of management information within the system in accordance with applicable policy.

This requirement also applies to Zero Trust initiatives.

Satisfies: SRG-APP-000038-NDM-000213, SRG-APP-000435-NDM-000315</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Review the Cisco SNA appliance Sysconfig configuration to determine if it enforces approved authorizations for controlling the flow of management information within the network device based on information flow control policies. 

Log in to the appliance console as sysadmin. 

Select Network &gt;&gt; Trusted Hosts. 

Verify only required trusted IPs/hosts are listed, including other SNA appliances.

Note: The Trusted Hosts list acts as an access control list (ACL).

If the Cisco SNA appliance does not enforce these approved authorizations, this is a finding.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Configure the Cisco SNA appliance to enforce approved authorizations for controlling the flow of management information within the network device based on information flow control policies.

Log in to the appliance console as sysadmin.

Select Network &gt;&gt; Trusted Hosts. 

Input only required trusted IPs/hosts, including other SNA appliances.

Note: The Trusted Hosts list acts as an ACL.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>V-284864</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>SV-284864r1205360_rule</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The Cisco SNA appliance must be configured to enforce the limit of three consecutive invalid logon attempts, after which time it must block any login attempt for 15 minutes.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Review the Cisco SNA appliance configuration to verify it enforces the limit of three consecutive invalid logon attempts. 

Navigate to Cisco SNA Dashboard &gt;&gt; Configure &gt;&gt; Central Management &gt;&gt; Inventory &gt;&gt; Actions... &gt;&gt; Edit Appliance Configuration &gt;&gt; General &gt;&gt; Session Settings &gt;&gt; Number of Unsuccessful Attempts and Duration of Lockout.

If the Cisco SNA appliance is not configured to enforce the limit of three consecutive invalid logon attempts, this is a finding.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Configure the Cisco SNA appliance to enforce the limit of three consecutive invalid logon attempts during a 15-minute time period.

Navigate to Cisco SNA Dashboard &gt;&gt; Configure &gt;&gt; Central Management &gt;&gt; Inventory &gt;&gt; Actions... &gt;&gt; Edit Appliance Configuration &gt;&gt; General &gt;&gt; Session Settings.

Input a number for &quot;Number of Unsuccessful Attempts and Duration of Lockout&quot;.

Apply the configuration.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>V-284865</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>SV-284865r1227148_rule</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The Cisco SNA appliance must be configured to display the Standard Mandatory DoW Notice and Consent Banner before granting access to the device.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Display of the DoW-approved use notification before granting access to the network device ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

System use notifications are required only for access via logon interfaces with human users.

Satisfies: SRG-APP-000068-NDM-000215, SRG-APP-000069-NDM-000216</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Determine if the Cisco SNA appliance is configured to present a DoW-approved banner that is formatted in accordance with DTM-08-060. Use the following verbiage for applications that can accommodate banners of 1300 characters:

&quot;You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.

By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.&quot;

This is verified by navigating to the appliance login page where the banner should be displayed and accepted by clicking &quot;Continue&quot;.

If the DoW banner is not displayed, this is a finding.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Configure the Cisco SNA appliance to display the Standard Mandatory DoW Notice and Consent Banner before granting access to the device.

Navigate to SNA Dashboard &gt;&gt; Configure &gt;&gt; Central Management &gt;&gt; Inventory &gt;&gt; Actions... &gt;&gt; Edit Appliance Configuration &gt;&gt; General &gt;&gt; Opening Message.

Enter the following text:

&quot;You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.&quot;

Apply the configuration.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>V-284884</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>SV-284884r1212060_rule</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>high</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The Cisco SNA appliance must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable unused or unnecessary physical and logical ports/protocols on information systems.

Network devices are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., email and web services); however, doing so increases risk over limiting the services provided by any one component. 

To support the requirements and principles of least functionality, the network device must support the organizational requirements providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved. Some network devices have capabilities enabled by default; if these capabilities are not necessary, they must be disabled. If a particular capability is used, then it must be documented and approved.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Review the Cisco SNA appliance configuration to determine if it prohibits the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services.

Navigate to Cisco SNA Dashboard &gt;&gt; Configure &gt;&gt; Central Management &gt;&gt; Inventory &gt;&gt; Actions... &gt;&gt; Edit Appliance Configuration &gt;&gt; Appliance Tab &gt;&gt; SSH. Verify &quot;Enable&quot; is unchecked.

Navigate to Network Services tab &gt;&gt; SNMP Agent. Verify &quot;Enable&quot; is unchecked if not needed by the organization.

Navigate to Network Services tab &gt;&gt; Internet Proxy. Verify &quot;Enable&quot; is unchecked if not needed by the organization.

Navigate to General Tab &gt;&gt; External Services. Verify &quot;Enable&quot; is unchecked if not needed by the organization.

If any unnecessary or nonsecure functions are permitted, this is a finding.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Configure the Cisco SNA appliance to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services.

Navigate to Cisco SNA Dashboard &gt;&gt; Configure &gt;&gt; Central Management &gt;&gt; Inventory &gt;&gt; Actions... &gt;&gt; Edit Appliance Configuration &gt;&gt; Appliance Tab. Ensure &quot;SSH&quot; is unchecked.

Navigate to Network Services tab &gt;&gt; SNMP Agent. Uncheck &quot;Enable&quot; if not needed by organization.

Navigate to Network Services tab &gt;&gt; Internet Proxy. Uncheck &quot;Enable&quot; if not needed by organization.

Navigate to General tab &gt;&gt; External Services. Uncheck &quot;Enable&quot; if not needed by organization.

Click &quot;Apply Settings&quot;.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>V-284885</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>SV-284885r1212063_rule</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The Cisco SNA appliance must be configured with only one local account to be used as the account of last resort if the authentication server is unavailable.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Authentication for administrative (privileged-level) access to the device is required at all times. An account can be created on the device&apos;s local database for use when the authentication server is down or connectivity between the device and the authentication server is not operable. This account is referred to as the account of last resort since it is intended to be used as a last resort and when immediate administrative access is absolutely necessary.

The account of last resort logon credentials must be stored in a sealed envelope and kept in a safe. The safe must be periodically audited to verify the envelope remains sealed. The signature of the auditor and the date of the audit should be added to the envelope as a record. Administrators should secure the credentials and disable the root account (if possible) when not needed for system administration functions.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Review the Cisco SNA appliance configuration to determine if an account of last resort is configured. Verify the username and password for the account of last resort is contained within a sealed envelope and kept in a safe.

Navigate to Cisco SNA Dashboard &gt;&gt; Configure &gt;&gt; User Management &gt;&gt; Users &gt;&gt; Select Account &gt;&gt; Actions... &gt;&gt; Edit.

The authentication service should only be &quot;local&quot; for the &quot;admin&quot; account.

Note: AAA centralized accounts are represented in this menu for role assignment, but cannot be logged into locally.

If one local account does not exist for use as the account of last resort, this is a finding.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Configure the Cisco SNA appliance to use an account of last resort. Verify the username and password for the account of last resort is contained within a sealed envelope and kept in a safe.

Navigate to Cisco SNA Dashboard &gt;&gt; Configure &gt;&gt; User Management &gt;&gt; Users &gt;&gt; Select Account &gt;&gt; Actions... &gt;&gt; Edit.

The authentication service should only be &quot;local&quot; for the &quot;admin&quot; account. Delete all others.

Note: AAA centralized accounts are represented in this menu for role assignment but cannot be logged into locally.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>V-284886</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>SV-284886r1227140_rule</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>high</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The Cisco SNA appliance must be configured to use DoW public key infrastructure (PKI) as multifactor authentication (MFA) for interactive logins.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>MFA is when two or more factors are used to confirm the identity of an individual requesting access to digital information resources. Valid factors include something the individual knows (e.g., username and password), something the individual has (e.g., a smartcard or token), or something the individual is (e.g., a fingerprint or biometric). Legacy information system environments only use a single factor for authentication, typically a username and password combination. Although two pieces of data are used in a username and password combination, this is still considered single factor because an attacker can obtain access simply by learning what the user knows. Common attacks against single-factor authentication are attacks on user passwords. These attacks include brute force password guessing, password spraying, and password credential stuffing. MFA, along with strong user account hygiene, helps mitigate against the threat of having account passwords discovered by an attacker. Even in the event of a password compromise, with MFA implemented and required for interactive login, the attacker still needs to acquire something the user has or replicate a piece of user&apos;s biometric digital presence.

Private industry recognizes and uses a wide variety of MFA solutions. However, DoW PKI is the only prescribed method approved for DoW organizations to implement MFA. For authentication purposes, centralized DoW certificate authorities (CA) issue PKI certificate key pairs (public and private) to individuals using the prescribed x.509 format. The private certificates that have been generated by the issuing CA are downloaded and saved to smartcards which, within DoW, are referred to as common access cards (CAC) or personal identity verification (PIV) cards. This happens at designated DoW badge facilities. The CA maintains a record of the corresponding public keys for use with PKI-enabled environments. Privileged user smartcards, or &quot;alternate tokens&quot;, function in the same manner, so this requirement applies to all interactive user sessions (authorized and privileged users).

Note: This requirement is used in conjunction with the use of a centralized authentication server (e.g., AAA, RADIUS, LDAP), a separate but equally important requirement. The MFA configuration of this requirement provides identification and the first phase of authentication (the challenge and validated response, thereby confirming the PKI certificate that was presented by the user). The centralized authentication server will provide the second phase of authentication (the digital presence of the PKI ID as a valid user in the requested security domain) and authorization. The centralized authentication server will map validated PKI identities to valid user accounts and determine access levels for authenticated users based on security group membership and role. In cases where the centralized authentication server is not used by the network device for user authorization, the network device must map the authenticated identity to the user account for PKI-based authentication.

Satisfies: SRG-APP-000149-NDM-000247, SRG-APP-000156-NDM-000250</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Verify the Cisco SNA appliance is configured to use DoW PKI as MFA for interactive logins. 

Navigate to the login page and select Single Sign-on (SSO). At the SAML Identity Provider (IdP) login page, enter the certificate with PIN as managed by middleware, (e.g., ActivClient).

Note: The MFA requirement is met by the SSO server and will require coordination with the server&apos;s administrator.

If the Cisco SNA appliance is not configured to use SSO with DoW PKI as MFA for interactive logins, this is a finding. 

If the PKI authenticated user is not mapped to the effective local user account this is a finding.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Configure the network device to use SSO with DoW PKI as MFA for interactive logins.

A. Prepare for Configuration.
1. The following information is required to configure SSO: 
- The IdP URL must use the fully qualified domain name or IPv4 address. 
- If the IdP URL starts with HTTPS, download the CA certificate.
2. Certificate Requirements: If the URL for downloading the IdP URL starts with HTTPS, confirm the certificate was added to the appliance Trust Stores.

B. Configure the Service Provider.
1. Navigate to the management console webpage (SMC).
2. Log in as an admin with sufficient privileges.
3. Select Configure &gt;&gt; User Management.
4. Select Create (Dropdown) &gt;&gt; Authentication Service &gt;&gt; SSO.
5. Select IdP Type (Dropdown) &gt;&gt; Microsoft ADFS. 
6. Enter the URL to download the IdP&apos;s configuration file. Requirements: Enter the fully qualified domain name or IP address. Alternatively, upload an Identity Provider Metadata XML File.
7. Select &quot;Disable Requested Authentication Context&quot;.
8. Select Name Identifier Format &gt;&gt; Transient (if following schema note below). Otherwise, configure according to local format.
9. Add a Login Screen Label relevant to local configurations.
10. Select &quot;Save&quot;.
11. When redirected to the Authentication and Authorization tab, it may take up to five minutes to apply changes and SSO Status to become &quot;Ready&quot;.
12. Select Actions &gt;&gt; Enable SSO.

C. Configure ADFS according to local procedure to add the Relying Party Trust.

Note: For ADFS configuration, create and modify the following Claim Issuance Policy Custom Rule:

c:[Type == &quot;http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname&quot;]
 =&gt; issue(Type = &quot;http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier&quot;, Issuer = c.Issuer, Value = c.Value, ValueType = c.ValueType, Properties[&quot;http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format&quot;] = &quot;urn:oasis:names:tc:SAML:2.0:nameid-format:transient&quot;, Properties[&quot;http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier&quot;] = &quot;http://YOURADFSFQDN./adfs/com/adfs/service/trust&quot;, Properties[&quot;http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier&quot;] = &quot;https://YOURSNAFQDN/fedlet&quot;);

D. Add an SSO User.
1. Log in to the SMC Web UI.
2. Select Configure &gt;&gt; User Management &gt;&gt; Users &gt;&gt; Create User.
3. Complete the fields to create a new user. 
- Authentication Service: Select SSO.
- User Name: Enter the first part of the email address for the IdP account. Ensure the ID is identical to the one that will be used for SSO at login. For example, for name@email.com, enter name in this field.
4. Click &quot;Save&quot;.
5. Confirm the SSO User is shown in User Management.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>V-284887</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>SV-284887r1212067_rule</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The Cisco SNA appliance must be configured to enforce a minimum 15-character password length.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password.

The shorter the password, the lower the number of possible combinations that must be tested before the password is compromised. Use of more characters in a password helps to increase exponentially the time and/or resources required to compromise the password.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Review the Password Policy configuration of the Cisco SNA appliance.

Navigate to SNA Dashboard &gt;&gt; Central Management &gt;&gt; Inventory &gt;&gt; Actions... &gt;&gt; Edit Appliance Configuration &gt;&gt; General &gt;&gt; Password Policy.

Verify the &quot;Password Minimum Character Length&quot; is 15 or greater.

If the Cisco SNA appliance is not configured to enforce a minimum 15-character password length for local accounts, this is a finding.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Configure the Cisco SNA appliance to enforce a minimum 15-character password length.

Navigate to SNA Dashboard &gt;&gt; Configure &gt;&gt; Central Management &gt;&gt; Inventory &gt;&gt; Actions... &gt;&gt; Edit Appliance Configuration &gt;&gt; General &gt;&gt; Password Policy &gt;&gt; Password Minimum Character Length.

Set to &quot;15&quot; or greater. 

Click &quot;Apply Settings&quot;.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>V-284888</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>SV-284888r1212069_rule</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The Cisco SNA appliance must be configured to enforce password complexity by requiring that at least one uppercase character be used.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password is, the greater the number of possible combinations that need to be tested before the password is compromised.

Multifactor authentication (MFA) is required for all administrative and user accounts, except for an account of last resort. Passwords should only be used when MFA using public key infrastructure (PKI) is not available, and for the account of last resort.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Review the Password Policy configuration of the Cisco SNA appliance. 

Navigate to SNA Dashboard &gt;&gt; Central Management &gt;&gt; Inventory &gt;&gt; Actions... &gt;&gt; Edit Appliance Configuration &gt;&gt; General &gt;&gt; Password Policy &gt;&gt; Minimum Number of Upper Case Letters in Password. Verify the number is one or greater.

If the Cisco SNA appliance is not configured to require that at least one uppercase character be used in local account passwords, this is a finding.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Configure the Cisco SNA appliance to enforce password complexity by requiring at least one uppercase character be used.

Navigate to SNA Dashboard &gt;&gt; Configure &gt;&gt; Central Management &gt;&gt; Inventory &gt;&gt; Actions... &gt;&gt; Edit Appliance Configuration &gt;&gt; General &gt;&gt; Password Policy &gt;&gt; Minimum Number of Upper Case Letters in Password. Set to &quot;1&quot; or greater.

Click &quot;Apply Settings&quot;.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>V-284889</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>SV-284889r1212071_rule</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The Cisco SNA appliance must be configured to enforce password complexity by requiring that at least one lowercase character be used.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.

Multifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort. Passwords should only be used when MFA using public key infrastructure (PKI) is not available, and for the account of last resort.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Review the Password Policy configuration of the Cisco SNA appliance.

Navigate to SNA Dashboard &gt;&gt; Central Management &gt;&gt; Inventory &gt;&gt; Actions... &gt;&gt; Edit Appliance Configuration &gt;&gt; General &gt;&gt; Password Policy &gt;&gt; Minimum Number of Lower Case Letters in Password. Verify the number is &quot;1&quot; or greater.

If the Cisco SNA appliance is not configured to require at least one lowercase character be used in local account passwords, this is a finding.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Configure the Cisco SNA appliance to enforce password complexity by requiring at least one lowercase character be used.

Navigate to SNA Dashboard &gt;&gt; Configure &gt;&gt; Central Management &gt;&gt; Inventory &gt;&gt; Actions... &gt;&gt; Edit Appliance Configuration &gt;&gt; General &gt;&gt; Password Policy &gt;&gt; Minimum Number of Lower Case Letters in Password. Set to &quot;1&quot; or greater.

Click &quot;Apply Settings&quot;.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>V-284890</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>SV-284890r1212073_rule</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The Cisco SNA appliance must be configured to enforce password complexity by requiring that at least one numeric character be used.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.

Multifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort. Passwords should only be used when MFA using public key infrastructure (PKI) is not available, and for the account of last resort.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Review the Password Policy configuration of the Cisco SNA appliance.

Navigate to SNA Dashboard &gt;&gt; Central Management &gt;&gt; Inventory &gt;&gt; Actions... &gt;&gt; Edit Appliance Configuration &gt;&gt; General &gt;&gt; Password Policy &gt;&gt; Minimum Numbers in Password. Verify the number is &quot;1&quot; or greater.

If the Cisco SNA appliance is not configured to require that at least one numeric character be used in local account passwords, this is a finding.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Configure the Cisco SNA appliance to enforce password complexity by requiring at least one numeric character be used.

Navigate to SNA Dashboard &gt;&gt; Configure &gt;&gt; Central Management &gt;&gt; Inventory &gt;&gt; Actions... &gt;&gt; Edit Appliance Configuration &gt;&gt; General &gt;&gt; Password Policy &gt;&gt; Minimum Numbers in Password. Set to &quot;1&quot; or greater.

Click &quot;Apply Settings&quot;.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>V-284891</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>SV-284891r1212075_rule</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The Cisco SNA appliance must be configured to enforce password complexity by requiring that at least one special character be used.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.

Multifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort. Passwords should only be used when MFA using PKI is not available, and for the account of last resort.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Review the Password Policy configuration of the Cisco SNA appliance. 

Navigate to SNA Dashboard &gt;&gt; Central Management &gt;&gt; Inventory &gt;&gt; Actions... &gt;&gt; Edit Appliance Configuration &gt;&gt; General &gt;&gt; Password Policy &gt;&gt; Minimum Number of Symbols in Password. Verify the number is &quot;1&quot; or greater.

If the Cisco SNA appliance is not configured to require that at least one special character be used in local account passwords, this is a finding.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Configure the Cisco SNA appliance to enforce password complexity by requiring at least one special character be used.

Navigate to SNA Dashboard &gt;&gt; Configure &gt;&gt; Central Management &gt;&gt; Inventory &gt;&gt; Actions... &gt;&gt; Edit Appliance Configuration &gt;&gt; General &gt;&gt; Password Policy &gt;&gt; Minimum Numbers of Symbols in Password. Set to &quot;1&quot; or greater.

Click &quot;Apply Settings&quot;.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>V-284892</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>SV-284892r1212078_rule</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The Cisco SNA appliance must be configured to require that when a password is changed, the characters are changed in at least eight of the positions within the password.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>If the application allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for attempts at guessing and brute-force attacks.

The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. In other words, characters may be the same within the two passwords; however, the positions of the like characters must be different.

Multifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort. Passwords should only be used when MFA using PKI is not available, and for the account of last resort.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Review the Password Policy configuration of the Cisco SNA appliance. 

Navigate to SNA Dashboard &gt;&gt; Central Management &gt;&gt; Inventory &gt;&gt; Actions... &gt;&gt; Edit Appliance Configuration &gt;&gt; General &gt;&gt; Password Policy &gt;&gt; Number of Characters Different From Previous Password. Verify the number is &quot;8&quot; or greater.

If the Cisco SNA appliance does not require that when a local account password is changed, the characters are changed in at least eight of the positions within the password, this is a finding.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Configure the Cisco SNA appliance to require that when a password is changed, the characters are changed in at least eight of the positions within the password.

Navigate to SNA Dashboard &gt;&gt; Configure &gt;&gt; Central Management &gt;&gt; Inventory &gt;&gt; Actions... &gt;&gt; Edit Appliance Configuration &gt;&gt; General &gt;&gt; Password Policy &gt;&gt; Number of Characters Different From Previous Password. Set to &quot;8&quot; or greater.

Click &quot;Apply Settings&quot;.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>V-284896</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>SV-284896r1227141_rule</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>high</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The Cisco SNA appliance must use FIPS 140-3-approved algorithms for authentication to a cryptographic module.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Unapproved mechanisms used for authentication to the cryptographic module are not validated and therefore, cannot be relied upon to provide confidentiality or integrity and DoW data may be compromised.

Network devices using encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules.

FIPS 140-3 is the current standard for validating that mechanisms used to access cryptographic modules use authentication that meets DoW requirements. However, authentication algorithms must configure security processes to use only FIPS-approved and NIST-recommended authentication algorithms.

Satisfies: SRG-APP-000179-NDM-000265, SRG-APP-000411-NDM-000330, SRG-APP-000412-NDM-000331</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Verify the Cisco SNA appliance is configured to use FIPS 140-3-approved algorithms for authentication to a cryptographic module by restricting encryption to Compliance Mode.

Navigate to SNA Dashboard &gt;&gt; Configure &gt;&gt; Central Management &gt;&gt; (Appliance) Actions &gt;&gt; Edit Appliance Configuration &gt;&gt; General tab &gt;&gt; Compliance Mode. 

Verify &quot;Enable FIPS Encryption Libraries&quot; is checked at a minimum.

If the Cisco SNA Appliance does not use FIPS-validated MAC to protect the integrity of nonlocal maintenance and diagnostic communications, this is a finding.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Configure the network device to use FIPS-validated MAC to protect the integrity of nonlocal maintenance and diagnostic communications.

Navigate to SNA Dashboard &gt;&gt; Configure &gt;&gt; Central Management &gt;&gt; (Appliance) Actions &gt;&gt; Edit Appliance Configuration &gt;&gt; General tab &gt;&gt; Compliance Mode.

Read the warnings and ensure all prerequisites are met. Then, check the boxes and type the requested number sequence to confirm.

Select &quot;Enable FIPS Encryption Libraries&quot; and &quot;Enable Common Criteria Encryption Libraries&quot; for the most restrictive combination.

Click &quot;Apply Settings&quot;.

Note: Review the Help Menu and configuration guides to ensure the configuration has met all prerequisites prior to enabling restricted libraries.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>V-284897</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>SV-284897r1212085_rule</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>high</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The Cisco SNA appliance must be configured to terminate sessions after five minutes of inactivity and set an absolute session timeout value of eight hours or less for admin sessions, except to fulfill documented and validated mission requirements.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the Cisco SNA appliance.

Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, or de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. This does not mean that the device terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Determine if the Cisco SNA appliance is configured to terminate the connection associated with a device management session after five minutes of inactivity.

Navigate to SNA Dashboard &gt;&gt; Configure &gt;&gt; Central Management &gt;&gt; Inventory &gt;&gt; Actions... &gt;&gt; Edit Appliance Configuration &gt;&gt; General &gt;&gt; Protected Sessions Time-Out &gt;&gt; Log Out User Due To Inactivity After this Many Minutes. Verify the number is &quot;5&quot; or fewer.

If the Cisco SNA appliance does not terminate the connection associated with a device management session at the end of the session or after five minutes of inactivity, this is a finding.

Verify the Cisco SNA appliance is configured to close admin sessions after eight hours or fewer.

Navigate to Central Management &gt;&gt; Inventory &gt;&gt; Actions... &gt;&gt; Edit Appliance Configuration &gt;&gt; General &gt;&gt; Protected Sessions Time-Out &gt;&gt; Request User Re-authentication For Administrator-only Functions After This Many Minutes. Verify the number is &quot;480&quot; or less.

If the Cisco SNA appliance is not configured to close admin sessions after eight hours or less, this is a finding.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Configure the Cisco SNA appliance to terminate the connection associated with a device management session after five minutes of inactivity.

Navigate to SNA Dashboard &gt;&gt; Central Management &gt;&gt; Inventory &gt;&gt; Actions... &gt;&gt; Edit Appliance Configuration &gt;&gt; General &gt;&gt; Protected Sessions Time-Out &gt;&gt; Log Out User Due To Inactivity After this Many Minutes. Set to 5 or fewer. 

Click &quot;Apply Settings&quot;.

Configure the Cisco SNA appliance to close admin sessions after eight hours or less.

Navigate to Central Management &gt;&gt; Inventory &gt;&gt; Actions... &gt;&gt; Edit Appliance Configuration &gt;&gt; General&gt;&gt; Protected Sessions Time-Out &gt;&gt; Request User Re-authentication For Administrator-only Functions After This Many Minutes. Set to &quot;480&quot; or fewer.

Click &quot;Apply Settings&quot;.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>V-284901</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>SV-284901r1227145_rule</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The Cisco SNA appliance must be configured to encrypt information at rest using a DoW-accepted algorithm to protect the confidentiality and integrity of the information.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Data at rest is inactive data stored physically in any digital form (e.g., databases, data warehouses, spreadsheets, archives, tapes, off-site backups, mobile devices, etc.). Data at rest includes, but is not limited to, archived data, data that is not accessed or changed frequently, files stored on hard drives, USB thumb drives, files stored on backup tape and disks, and files stored off-site or on a storage area network.

While data at rest can reside in many places, data at rest for a web server is data on the hosting system storage devices. Data stored as a backup on tape or stored off-site is no longer under the protection measures covered by the web server.

There are several pieces of data the web server uses during operation. The web server must use an accepted encryption method, such as AES-256, to protect the confidentiality and integrity of the information.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Review the Cisco SNA appliance configuration to verify information at rest (i.e., backup configuration file) are encrypted.

Navigate to SNA Dashboard &gt;&gt; Configure &gt;&gt; Central Management &gt;&gt; (Appliance) Actions &gt;&gt; Edit Appliance Configuration &gt;&gt; General tab &gt;&gt; Backup Configuration Encryption.

Verify &quot;Enable Encryption&quot; is checked and &quot;Password&quot; has been set.

Note: The encryption method is automatically set to AES256-GCM for this feature.

If the information at rest (i.e., backup configuration file) is not encrypted using a DoW-accepted algorithm, this is a finding.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Configure the SNA appliance to encrypt information at rest by enabling the &quot;Backup Configuration Encryption&quot; feature. 

Navigate to SNA Dashboard &gt;&gt; Configure &gt;&gt; Central Management &gt;&gt; (Appliance) Actions &gt;&gt; Edit Appliance Configuration &gt;&gt; General tab &gt;&gt; Backup Configuration Encryption.

Check &quot;Enable Encryption&quot; and enter a password in the &quot;Password&quot; boxes.

Click &quot;Apply Settings&quot;.

Note: The encryption method is automatically set to AES256-GCM for this feature.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>V-284910</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>SV-284910r1212103_rule</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The Cisco SNA appliance must be configured to generate an immediate real-time alert of all audit failure events requiring real-time alerts.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected. 

Alerts provide organizations with urgent messages. Real-time alerts provide these messages immediately (i.e., the time from event detection to alert occurs in seconds or less).

Satisfies: SRG-APP-000360-NDM-000295, SRG-APP-000795-NDM-000130</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Determine if the Cisco SNA appliance is configured to generate an immediate alert of all audit failure events requiring real-time alerts.

Navigate to SNA Dashboard &gt;&gt; Configure &gt;&gt; Central Management &gt;&gt; Actions... &gt;&gt; Edit Appliance Configuration &gt;&gt; General Tab &gt;&gt; SMTP Configuration.

Verify an SMTP server is configured (e.g., port, From Email, User Name, Password and Encryption Type).

Navigate to SNA Dashboard &gt;&gt; Configure &gt;&gt; Central Management &gt;&gt; Actions... &gt;&gt; Edit Appliance Configuration &gt;&gt; General Tab &gt;&gt; DODIN Notifications.

Verify &quot;DODIN Notifications&quot; is &quot;Enabled&quot; and sent to an appropriate email address.

If an immediate alert of all audit failure events requiring real-time alerts is not generated, this is a finding.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Configure the Cisco SNA appliance to generate an immediate real-time alert of all audit failure events requiring real-time alerts.

Navigate to SNA Dashboard &gt;&gt; Configure &gt;&gt; Central Management &gt;&gt; Actions... &gt;&gt; Edit Appliance Configuration &gt;&gt; General Tab &gt;&gt; SMTP Configuration.

Input the SMTP server settings (e.g., SMTP Server, Port, From Email, User Name, Password and Encryption Type).

Select &quot;Apply Settings&quot;.

Note: The encryption type must be SMTPS or STARTTLS.

Navigate to SNA Dashboard &gt;&gt; Configure &gt;&gt; Central Management &gt;&gt; Actions... &gt;&gt; Edit Appliance Configuration &gt;&gt; General Tab &gt;&gt; DODIN Notifications.

Click &quot;Enable DODIN Notifications&quot; and set the appropriate email address.

Select &quot;Apply Settings&quot;.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>V-284916</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>SV-284916r1212111_rule</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The Cisco SNA appliance must be configured to authenticate SNMP messages using a FIPS-validated Keyed-Hash Message Authentication Code (HMAC).</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk.

A local connection is any connection with a device communicating without the use of a network. A network connection is any connection with a device that communicates through a network (e.g., local area or wide area network, internet). A remote connection is any connection with a device communicating through an external network (e.g., the internet).

Because of the challenges of applying this requirement on a large scale, organizations are encouraged to only apply the requirement to those limited number (and type) of devices that truly need to support this capability.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Review the Cisco SNA appliance configuration to verify SNMP messages are authenticated using a FIPS-validated Keyed-HMAC.

Navigate to SNA Dashboard &gt;&gt; Configure &gt;&gt; Central Management &gt;&gt; Inventory &gt;&gt; Actions... &gt;&gt; Edit Appliance Configuration &gt;&gt; Network Services. 

Verify &quot;SNMP Agent&quot; is &quot;Enabled&quot;.

Verify &quot;SNMP Versions&quot; is &quot;3&quot;.

Verify &quot;Authentication Protocol&quot; is set to &quot;HMAC192_SHA256&quot; or better.

If the Cisco SNA appliance is not configured to authenticate SNMP messages using a FIPS-validated HMAC, this is a finding.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Configure the Cisco SNA appliance to authenticate SNMP messages using a FIPS-validated Keyed-HMAC.

Navigate to SNA Dashboard &gt;&gt; Configure &gt;&gt; Central Management &gt;&gt; Inventory &gt;&gt; Actions... &gt;&gt; Edit Appliance Configuration &gt;&gt; Network Services. 

Set &quot;SNMP Agent&quot; to &quot;Enabled&quot;.

Set &quot;SNMP Versions&quot; to &quot;3&quot;. 

Set &quot;Authentication Protocol&quot; to &quot;HMAC192_SHA256&quot; or better.

Select &quot;Apply Settings&quot;.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>V-284917</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>SV-284917r1212114_rule</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The Cisco SNA appliance must be configured to authenticate Network Time Protocol (NTP) sources using authentication that is cryptographically based.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>If NTP is not authenticated, an attacker can introduce a rogue NTP server. This rogue server can then be used to send incorrect time information to network devices, which will make log timestamps inaccurate and affect scheduled actions. NTP authentication is used to prevent this tampering by authenticating the time source.

Satisfies: SRG-APP-000395-NDM-000347, SRG-APP-000925-NDM-000330</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Review the Cisco SNA appliance configuration to determine if the network device authenticates NTP endpoints before establishing a local, remote, or network connection using authentication that is cryptographically based.

Navigate to SNA Dashboard &gt;&gt; Configure &gt;&gt; Central Management &gt;&gt; Inventory &gt;&gt; Actions... &gt;&gt; Edit Appliance Configuration &gt;&gt; Network Services &gt;&gt; NTP Server. Verify a key symbol appears next to each NTP Server Entry.

If the Cisco SNA appliance does not authenticate Network Time Protocol sources using authentication that is cryptographically based, this is a finding.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Configure the Cisco SNA appliance to authenticate NTP sources using authentication that is cryptographically based.

Navigate to SNA Dashboard &gt;&gt; Configure &gt;&gt; Central Management &gt;&gt; Inventory &gt;&gt; Actions... &gt;&gt; Edit Appliance Configuration &gt;&gt; Network Services &gt;&gt; NTP Server &gt;&gt; Actions &gt;&gt; Authenticate Connection.

Enter a Key ID and Key Value.

Apply Authentication.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>V-284919</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>SV-284919r1212118_rule</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The Cisco SNA appliance must install security-relevant firmware updates within 30 days unless the time period is directed by an authoritative source (e.g., IAVM, CTOs, DTMs, STIGs).</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Security flaws with firmware are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (including any contractor to the organization) are required to promptly install security-relevant firmware updates. Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling must also be addressed expeditiously.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Verify software updates are consistently applied to the Cisco SNA appliance within 30 days unless the time period is directed by an authoritative source. 

Navigate to SNA Dashboard &gt;&gt; Configure &gt;&gt; Central Management &gt;&gt; Update Manager. 

View the &quot;Installed Version&quot; for each appliance. Compare each one to the authoritative source version.

If the Cisco SNA appliance administrator does not install security-relevant updates within 30 days unless the time period is directed by an authoritative source, this is a finding.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Ensure patches are consistently applied to the Cisco SNA appliance within the time allowed. 

Navigate to SNA Dashboard &gt;&gt; Configure &gt;&gt; Central Management &gt;&gt; Update Manager &gt;&gt; Upload Update File (previously downloaded from Cisco Software Central) &gt;&gt; Select Appliance &gt;&gt; Actions... &gt;&gt; Install Update.

Note: The SNA Manager should always be updated first to avoid versioning conflicts.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>V-284924</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>SV-284924r1212125_rule</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The Cisco SNA appliance must generate audit records for modifications of critical files on the system.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.

Cisco SNA Appliances provide Advanced Intrusion Detection Environment (AIDE) which is a host baselining system that detects modifications of critical files on a system.

When it is enabled, AIDE runs an audit of the current system once a day. It compares the hash sum, permissions, and time accessed of each monitored file on the current file system against the values stored in the appliance database.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Verify the Cisco SNA appliance generates audit records for modification of critical system files.

Navigate to SNA Dashboard &gt;&gt; Configure &gt;&gt; Central Management &gt;&gt; Actions... &gt;&gt; Support &gt;&gt; Audit Logs. Verify AIDE logs are being produced.

If the network device does not generate audit records for modification of critical system files, this is a finding.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Configure the Cisco SNA appliance to generate audit records for modification of critical system files.

Navigate to SNA Dashboard &gt;&gt; Configure &gt;&gt; Central Management &gt;&gt; (Appliance) Actions &gt;&gt; Edit Appliance Configuration &gt;&gt; Appliance Tab.

Enable AIDE checkbox.

Click &quot;Apply Settings&quot;.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>V-284928</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>SV-284928r1212129_rule</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The Cisco SNA appliance must be configured to use HTTP/2 at a minimum.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>HTTP/2, like HTTPS, enhances security compared to HTTP/1.x by minimizing the risk of header-based attacks (e.g., header injection and manipulation).

Websites that fully use HTTP/2 are inherently protected and defend against smuggling attacks. HTTP/2 provides the method for specifying the length of a request, which removes any potential for ambiguity that can be leveraged by an attacker. 

This is applicable to all web architectures such as load balancing/proxy use cases. 
- The front-end and back-end servers should both be configured to use HTTP/2.
- HTTP/2 must be used for communications between web servers.
- Browser vendors have agreed to only support HTTP/2 only in HTTPS mode; thus, TLS must be configured to meet this requirement. TLS configuration is out of scope for this requirement.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Verify HTTP/1.x downgrading is disabled.

Navigate to Sysadmin Console &gt;&gt; Network &gt;&gt; HTTP Version &gt;&gt; Select &gt;&gt; Yes to Warning &gt;&gt; OK.

If the message displayed states &quot;There are no changes to HTTP/2 settings.&quot;, then HTTP/1.x has been disabled.

If the HTTP/1.x downgrading is enabled, this is a finding.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Configure the Cisco SNA Appliance to use HTTP/2.

Navigate to Sysadmin Console &gt;&gt; Network &gt;&gt; HTTP Version &gt;&gt; Select &gt;&gt; Yes to Warning &gt;&gt; OK.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>V-284931</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>SV-284931r1212136_rule</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>high</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The Cisco SNA appliance must be configured to use at least two authentication servers for the purpose of authenticating users prior to granting administrative access.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Centralized management of authentication settings increases the security of remote and nonlocal access methods. This control is particularly important protection against the insider threat. With robust centralized management, audit records for administrator account access to the organization&apos;s network devices can be more readily analyzed for trends and anomalies. The alternative method of defining administrator accounts on each device exposes the device configuration to remote access authentication attacks and system administrators with multiple authenticators for each network device.

Satisfies: SRG-APP-000516-NDM-000336, SRG-APP-000175-NDM-000262, SRG-APP-000177-NDM-000263, SRG-APP-000400-NDM-000313</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Review the Cisco SNA appliance configuration to verify the device is configured to use at least two authentication servers or a single sign-on (SSO) service as primary source for authentication.

Navigate to SNA Dashboard &gt;&gt; Configure &gt;&gt; User Management &gt;&gt; Authentication and Authorization Tab &gt;&gt; Select a Service &gt;&gt; Actions... &gt;&gt; Edit. Observe whether multiple addresses have been configured.

Note: It is expected that an SSO using SAML will employ redundant/load-balanced servers on the service side. There is no configuration for multiple SSO services.

If the Cisco SNA appliance is not configured to use at least two authentication servers or an SSO service for the purpose of authenticating users prior to granting administrative access, this is a finding.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Configure the SNA appliance to use at least two authentication servers or an SSO service.

TACACS+/RADIUS/LDAP Configuration:

Navigate to SNA Dashboard &gt;&gt; Configure &gt;&gt; User Management &gt;&gt; Authentication and Authorization Tab &gt;&gt; Create (dropdown) &gt;&gt; Authentication Service. 

Select Type (e.g., TACACS+, RADIUS, LDAP).

Input &quot;Name&quot; for service and &quot;Add New&quot; Server Information for each server of that service type. 

Save.

Navigate to Create (dropdown) &gt;&gt; User. 

Input User Name, Authentication service (previously created), Role Settings.

Save.

Apply Configuration.

OR

SSO Configuration: 

A. Prepare for Configuration.
1. The following information is required to configure SSO: 
-The Identity Provider (IdP) URL must use the fully qualified domain name or IPv4 address. 
- If the IdP URL starts with HTTPS, download the certificate authority (CA) certificate.
2. Certificate Requirements: If the URL for downloading the IDP URL starts with HTTPS, confirm the certificate is added to the appliance Trust Stores.

B. Configure the Service Provider.
1. Navigate to the management console webpage (SMC).
2. Log in as an admin with sufficient privileges.
3. Select Configure &gt;&gt; User Management.
4. Select Create (Dropdown) &gt;&gt; Authentication Service &gt;&gt; SSO.
5. Select IdP Type (Dropdown) &gt;&gt; Microsoft ADFS. 
6. Enter the URL to download the IdP&apos;s configuration file. Requirements: Enter the fully qualified domain name or IP address. Alternatively, upload an Identity Provider Metadata XML File.
7. Select &quot;Disable Requested Authentication Context&quot;.
8. Select Name Identifier Format &gt;&gt; Transient (if following schema note below). Otherwise configure according to local format.
9. Add a Login Screen Label relevant to local configurations.
10. Select &quot;Save&quot;.
11. When redirected to the Authentication and Authorization tab, it may take up to five minutes to apply changes and SSO Status to become &quot;Ready&quot;.
12. Select Actions &gt;&gt; Enable SSO.

C. Configure ADFS according to local procedure to add the Relying Party Trust.

Note: For ADFS configuration, create and modify the following Claim Issuance Policy Custom Rule:

c:[Type == &quot;http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname&quot;]
 =&gt; issue(Type = &quot;http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier&quot;, Issuer = c.Issuer, Value = c.Value, ValueType = c.ValueType, Properties[&quot;http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format&quot;] = &quot;urn:oasis:names:tc:SAML:2.0:nameid-format:transient&quot;, Properties[&quot;http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier&quot;] = &quot;http://YOURADFSFQDN./adfs/com/adfs/service/trust&quot;, Properties[&quot;http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier&quot;] = &quot;https://YOURSNAFQDN/fedlet&quot;);


D. Add an SSO User.
1. Log in to the SMC Web UI.
2. Select Configure &gt;&gt; User Management &gt;&gt; Users &gt;&gt; Create User.
3. Complete the fields to create a new user. 
-Authentication Service: Select SSO.
- User Name: Enter the first part of the email address for the IdP account. Ensure the ID is identical to the one that will be used for SSO at login. For example, for name@email.com, enter name in this field.
4. Click &quot;Save&quot;.
5. Confirm the SSO User is shown in User Management.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>V-284934</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>SV-284934r1227151_rule</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The Cisco SNA appliance must be configured to obtain its public key certificates from an appropriate certificate policy through an approved service provider.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>For user certificates, each organization obtains certificates from an approved, shared service provider, as required by OMB policy. For federal agencies operating a legacy public key infrastructure cross-certified with the Federal Bridge Certification Authority at medium assurance or higher, this Certification Authority (CA) will suffice.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Determine if the Cisco SNA appliance obtains public key certificates from an appropriate certificate policy through an approved service provider.

Navigate to SNA Dashboard &gt;&gt; Configure &gt;&gt; Central Management &gt;&gt; Inventory &gt;&gt; Actions... &gt;&gt; Edit Configuration &gt;&gt; Appliance Tab &gt;&gt; SSL/TLS Appliance Identity. Review the TLS certificate to determine if it is issued by a DoW CA.

If the Cisco SNA appliance does not obtain its public key certificates from an appropriate certificate policy through an approved service provider, this is a finding.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Configure the network device to obtain its public key certificates from an appropriate certificate policy through an approved service provider.

Navigate to SNA Dashboard &gt;&gt; Configure &gt;&gt; Central Management &gt;&gt; Inventory &gt;&gt; Actions... &gt;&gt; Edit Configuration &gt;&gt; Appliance Tab &gt;&gt; SSL/TLS Appliance Identity &gt;&gt; Update Identity &gt;&gt; Generate CSR. Input RSA Key Length. Download CSR &gt;&gt; Submit CSR to DoW CA &gt;&gt; Click Replace Identity &gt;&gt; Apply Settings. 

For further details review the SNA SSL/TLS Certificates Guide:

https://www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/certificates/7_5_3_SSL_TLS_Certificates_for_Managed_Appliances_Guide_DV_1_0.pdf.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>V-284935</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>SV-284935r1212214_rule</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>high</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The Cisco SNA appliance must be configured to send log data to at least one central log server for the purpose of forwarding alerts to the administrators and the information system security officer (ISSO). For boundary devices, two log servers are required.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The aggregation of log data kept on a syslog server can be used to detect attacks and trigger an alert to the appropriate security personnel. The stored log data can be used to detect weaknesses in security that enable the network IA team to find and address these weaknesses before breaches can occur. Reviewing these logs, whether before or after a security breach, is important for showing whether someone is an internal employee or an outside threat.

Satisfies: SRG-APP-000516-NDM-000350, SRG-APP-000515-NDM-000325</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Verify the Cisco SNA appliance is configured to send log data to at least one central log server.

Navigate to SNA Dashboard &gt;&gt; Configure &gt;&gt; Central Management &gt;&gt; Actions... &gt;&gt; Edit Appliance Configuration &gt;&gt; Network Services tab &gt;&gt; Audit Log Destination (Syslog over TLS). Verify one syslog server is configured.

If the Cisco SNA appliance is not configured to send log data to at least one central log server, this is a finding.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Configure the Cisco SNA appliance to send log data to at least one central log server. Repeat these steps for each Syslog Server needed.

Navigate to SNA Dashboard &gt;&gt; Configure &gt;&gt; Central Management &gt;&gt; Actions... &gt;&gt; Edit Appliance Configuration &gt;&gt; Network Services tab &gt;&gt; Audit Log Destination (Syslog over TLS) &gt;&gt; Add New. 

Input a Server Name or IP Address, Destination Port, and Certificate Revocation Mode. 

Apply Settings.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>V-284936</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>SV-284936r1212147_rule</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>high</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The Cisco SNA appliance must be running an operating system release that is currently supported by the vendor.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Cisco SNA appliances running an unsupported operating system lack current security fixes required to mitigate the risks associated with recent vulnerabilities.

Satisfies: SRG-APP-000516-NDM-000351, SRG-APP-001035-NDM-000340</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Verify the Cisco SNA appliance is running an operating system release that is currently supported by the vendor.

SNA Dashboard &gt;&gt; Configure &gt;&gt; Central Management &gt;&gt; Update Manager. View the &quot;Installed Version&quot; for each appliance. Compare to the supported versions on the vendor website.

If the Cisco SNA appliance is not a version supported by the vendor, this is a finding.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Upgrade the Cisco SNA appliance to an operating system that is supported by the vendor.

Navigate to SNA Dashboard &gt;&gt; Configure &gt;&gt; Central Management &gt;&gt; Update Manager &gt;&gt; Upload Update File (previously downloaded from Cisco Software Central) &gt;&gt; Select Appliance &gt;&gt; Actions... &gt;&gt; Install Update.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>V-284937</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>SV-284937r1212207_rule</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The Cisco SNA appliance must be configured to implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The purpose of requiring a device that is separate from the system to which the user is attempting to gain access for one of the factors during multifactor authentication (MFA) is to reduce the likelihood of compromising authenticators or credentials stored on the system. Adversaries may be able to compromise such authenticators or credentials and subsequently impersonate authorized users. Implementing one of the factors on a separate device (e.g., a hardware token), provides a greater strength of mechanism and an increased level of assurance in the authentication process.

Satisfies: SRG-APP-000820-NDM-000170, SRG-APP-000825-NDM-000180</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Verify the network device is configured to implement MFA for local, network, and/or remote access to privileged accounts; and/or nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access.

Navigate to the login page, then select Single Sign-on (SSO). At the SAML IdP login page, enter a certificate and pin (as managed by middleware such as ActivClient) when prompted.

Note: The MFA requirement is met by the SSO server and will require coordination with that server&apos;s administrator.

If the Cisco SNA appliance is not configured to implement multifactor authentication for local, network, and/or remote access to privileged accounts; and/or nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access, this is a finding.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Configure the Cisco SNA appliance to implement multifactor authentication for local, network, and/or remote access to privileged accounts; and/or nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access.

A. Prepare for Configuration.
1. The following information is required to configure SSO: 
-The Identity Provider (IdP) URL must use the fully qualified domain name or IPv4 address. 
- If the IdP URL starts with HTTPS, download the certificate authority (CA) certificate.
2. Certificate Requirements: If the URL for downloading the IDP URL starts with HTTPS, confirm the certificate is added to the appliance Trust Stores.

B. Configure the Service Provider.
1. Navigate to the SMC.
2. Log in as an admin with sufficient privileges.
3. Select Configure &gt;&gt; User Management.
4. Select Create (Dropdown) &gt;&gt; Authentication Service &gt;&gt; SSO.
5. Select IdentityProvider (IdP) Type (Dropdown) &gt;&gt; Microsoft ADFS. 
6. Enter the URL where the Identity Provider&apos;s configuration file can be downloaded. Requirements: Enter the fully qualified domain name or IP address. Alternatively, upload an Identity Provider Metadata XML File.
7. Select &quot;Disable Requested Authentication Context&quot;.
8. Select Name Identifier Format &gt;&gt; Transient (if following schema note below). Otherwise, configure according to local format.
9. Add a Login Screen Label relevant to local configurations.
10. Select &quot;Save&quot;.
11. When redirected to the Authentication and Authorization tab, it may take up to five minutes to apply changes and SSO Status to become &quot;Ready&quot;.
12. Select Actions &gt;&gt; Enable SSO.

C. Configure ADFS according to local procedure to add the Relying Party Trust.

Note: For ADFS configuration, create and modify the following Claim Issuance Policy Custom Rule:

c:[Type == &quot;http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname&quot;]
 =&gt; issue(Type = &quot;http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier&quot;, Issuer = c.Issuer, Value = c.Value, ValueType = c.ValueType, Properties[&quot;http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format&quot;] = &quot;urn:oasis:names:tc:SAML:2.0:nameid-format:transient&quot;, Properties[&quot;http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier&quot;] = &quot;http://YOURADFSFQDN./adfs/com/adfs/service/trust&quot;, Properties[&quot;http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier&quot;] = &quot;https://YOURSNAFQDN/fedlet&quot;);

D. Add an SSO User.
1. Log in to the SMC Web UI.
2. Select Configure &gt;&gt; User Management &gt;&gt; Users &gt;&gt; Create User.
3. Complete the fields to create a new user. For compliance, configure the user as follows: 
Authentication Service: Select SSO.
User Name: Enter the first part of the email address for the IdP account. Make sure the ID is identical to the one that will be used for SSO at login. For example, for name@email.com, enter &quot;name&quot; in this field.
4. Click &quot;Save&quot;.
5. Confirm the SSO User is shown in User Management.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>V-284939</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>SV-284939r1212154_rule</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The Cisco SNA appliance must be configured to allow user selection of long passwords and passphrases, including spaces and all printable characters for password-based authentication.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Password-based authentication applies to passwords regardless of whether they are used in single-factor or multifactor authentication. Long passwords or passphrases are preferable over shorter passwords. Enforced composition rules provide marginal security benefits while decreasing usability. However, organizations may choose to establish certain rules for password generation (e.g., minimum character length for long passwords) under certain circumstances and can enforce this requirement in IA-5(1)(h). Account recovery can occur, for example, in situations when a password is forgotten. Cryptographically protected passwords include salted one-way cryptographic hashes of passwords. The list of commonly used, compromised, or expected passwords includes passwords obtained from previous breach corpuses, dictionary words, and repetitive or sequential characters. The list includes context-specific words, such as the name of the service, username, and derivatives thereof.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Verify the Cisco SNA appliance is configured to allow user selection of long passwords and passphrases, including spaces and all printable characters.

Navigate to SNA Dashboard &gt;&gt; Central Management &gt;&gt; Inventory &gt;&gt; Actions... &gt;&gt; Edit Appliance Configuration &gt;&gt; General &gt;&gt; Password Policy. 

Verify the &quot;Maximum Number of Characters in Password&quot; is greater than or equal to &quot;32&quot; (up to 256).

Verify the &quot;Minimum Number of Characters in Password&quot; is greater than or equal to &quot;15&quot;.

If the Cisco SNA appliance is not configured to allow user selection of long passwords and passphrases, including spaces and all printable characters, this is a finding.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Configure the Cisco SNA appliance to allow user selection of long passwords and passphrases, including spaces and all printable characters.

Navigate to SNA Dashboard &gt;&gt; Central Management &gt;&gt; Inventory &gt;&gt; Actions... &gt;&gt; Edit Appliance Configuration &gt;&gt; General &gt;&gt; Password Policy. 

Verify the &quot;Maximum Number of Characters in Password&quot; is greater than or equal to &quot;32&quot; (up to 256).

Verify the &quot;Minimum Number of Characters in Password&quot; is greater than or equal to &quot;15&quot;.

Apply Settings.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>V-284940</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>SV-284940r1212209_rule</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The Cisco SNA appliance must be configured to implement certificate revocation checking to support path discovery and validation for public key-based authentication.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Public key cryptography is a valid authentication mechanism for individuals, machines, and devices. For PKI solutions, status information for certification paths includes certificate revocation lists or certificate status protocol responses like OCSP. For PIV cards, certificate validation involves the construction and verification of a certification path to the Common Policy Root trust anchor, which includes certificate policy processing. Implementing a local cache of revocation data to support path discovery and validation also supports system availability in situations where organizations are unable to access revocation information via the network.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Verify the Cisco SNA appliance is configured to implement certificate revocation checking to support path discovery and validation.

Navigate to SNA Dashboard &gt;&gt; Configure &gt;&gt; Central Management &gt;&gt; Inventory &gt;&gt; Actions... &gt;&gt; Network Services &gt;&gt; Audit Log Destination (Syslog Over TLS).

Verify &quot;Certificate Revocation&quot; set to &quot;Hard Fail&quot; for servers.

Note that other forms of public key authentication (inter-device HTTPS, SAML, etc.) automatically perform certificate checking without additional configuration.

If the Cisco SNA appliance is not configured to implement certificate revocation checking to support path discovery and validation, this is a finding.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Configure the Cisco SNA appliance to implement certificate revocation checking to support path discovery and validation using certificate revocation lists (CRLs), or Online Certificate Status Protocol (OCSP).

Navigate to SNA Dashboard &gt;&gt; Configure &gt;&gt; Central Management &gt;&gt; Inventory &gt;&gt; Actions... &gt;&gt; Network Services &gt;&gt; Audit Log Destination (Syslog Over TLS) &gt;&gt; Actions... &gt;&gt; Edit. 

Select &quot;Hard Fail&quot; for &quot;Certificate Revocation&quot;.

Note: Other forms of public key authentication (inter-device HTTPS, SAML, etc.) automatically perform certificate checking without additional configuration.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>V-284942</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>SV-284942r1212160_rule</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The Cisco SNA appliance must be configured to include only approved trust anchors in trust stores or certificate stores managed by the organization.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Public key infrastructure (PKI) certificates are certificates with visibility external to organizational systems and certificates related to the internal operations of systems, such as application-specific time services. In cryptographic systems with a hierarchical structure, a trust anchor is an authoritative source (i.e., a certificate authority) for which trust is assumed and not derived. A root certificate for a PKI system is an example of a trust anchor. A trust store or certificate store maintains a list of trusted root certificates.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Verify the Cisco SNA appliance is configured to include only approved trust anchors in trust stores or certificate stores managed by the organization.

Navigate to SNA Dashboard &gt;&gt; Configure &gt;&gt; Central Management &gt;&gt; Inventory &gt;&gt; Actions... &gt;&gt; General &gt;&gt; Trust Store. 

Verify only approved certificates and Certificate Authorities (CAs) are present.

If the Cisco SNA appliance is not configured to include only approved trust anchors in trust stores or certificate stores managed by the organization, this is a finding.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Configure the network device to include only approved trust anchors in trust stores or certificate stores managed by the organization.

Navigate to SNA Dashboard &gt;&gt; Configure &gt;&gt; Central Management &gt;&gt; Inventory &gt;&gt; Actions... &gt;&gt; General &gt;&gt; Trust Store. 

Delete any untrusted certificates.

Note: Ensure all appliance certificates had their self-signed certificates replaced and are trusted in each other&apos;s store.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
    </iSTIG>
  </STIGS>
</CHECKLIST>