STIGhubSTIGhub
STIGhub— A free STIG search and compliance tool·STIGs updated just now
Powered by Pylon·Privacy·Terms·Feedback·© 2026 Beacon Cloud Solutions, Inc.
← Back to Ivanti Policy Secure NDM Security Technical Implementation Guide

V-284533

CAT II (Medium)

The Ivanti Policy Secure must use an NTP service that is hosted by a trusted source or a DoW-compliant enterprise or local NTP server.

Rule ID

SV-284533r1244995_rule

STIG

Ivanti Policy Secure NDM Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-001967CCI-004922CCI-004923

Discussion

If a trusted time source is not used, an attacker can introduce a rogue NTP server. This rogue server can then be used to send incorrect time information to network devices, which will make log timestamps inaccurate which may hide attacks or result in inaccurate forensic analysis. The recommended solution is that the application or endpoint is configured to point to an enterprise or site-owned time server that is DoW-compliant (instead of directly to an NTP source as implied by the current wording of the requirement). Most products are unable to meet the requirement, but DISA can mitigate the risk by using a trusted time source. So, the requirement should state that NTPS is used with USNO NTP as an alternative mitigation for this to be considered not a finding. More information can be found at https://www.cnmoc.usff.navy.mil/Our-Commands/United-States-Naval-Observatory/Precise-Time-Department/Network-Time-Protocol-NTP/DOD-Customer-Servers/. DoW users should not use tick, tock, or ntp2. There are instructions for obtaining authenticated NTP at the site listed above. Satisfies: SRG-APP-000395-NDM-000347, SRG-APP-000920-NDM-000320, SRG-APP-000925-NDM-000330

Check Content

1. In the Web UI, navigate to System >> Status >> Dashboard.
2. Click the "Overview" tab.
3. Under "Appliance Details" and "System Date and Time", select "Edit".
4. Verify "Use Pool of NTP servers" is checked.
5. Verify at least two NTP servers are configured.
6. Verify a key is configured.

If Policy Secure is not configured to use redundant NTP services that is hosted by a trusted source or a DoW-compliant enterprise or local NTP server, this is a finding.

Fix Text

1. In the Web UI, navigate to System >> Status >> Dashboard.
2. Click the "Overview" tab.
3. Under "Appliance Details" and "System Date and Time", select "Edit".
4. Select "(GMT) Coordinated Universal Time".
5. Select "Use Pool of NTP servers".
6. Enter the IP/hostname of each NTP server in the "NTP Server 1", "NTP Server 2", etc.
7. Under the key section, input the key in the following format: <keynumber> <algorithm> <key>.
Note: There must be a space between each section of <keynumber> <algorithm> <key>.
8. Click "Save changes".