STIGhubSTIGhub
STIGsRMF ControlsCompare
STIGhub— A free STIG search and compliance tool·STIGs updated 3 days ago
Powered by Pylon·Privacy·Terms·© 2026 Beacon Cloud Solutions, Inc.
← Back to STIGs

ArcGIS for Server 10.3 Security Technical Implementation Guide

Version

V2R1

Release Date

Jun 21, 2023

SCAP Benchmark ID

ArcGIS_Server_10-3_STIG

Total Checks

23

Tags

other
CAT I: 10CAT II: 13CAT III: 0

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.

Export CKLExport CSVExport JSONDownload STIG ZIP

Checks (23)

V-237320HIGHThe ArcGIS Server must protect the integrity of remote access sessions by enabling HTTPS with DoD-approved certificates.V-237321HIGHThe ArcGIS Server must use Windows authentication for supporting account management functions.V-237322HIGHThe ArcGIS Server must use Windows authentication to enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.V-237323HIGHThe ArcGIS Server must provide audit record generation capability for DoD-defined auditable events within all application components.V-237324MEDIUMThe ArcGIS Server must protect audit information from any type of unauthorized read access, modification or deletion.V-237325MEDIUMThe ArcGIS Server must be configured to disable non-essential capabilities.V-237326MEDIUMThe ArcGIS Server must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.V-237327MEDIUMThe ArcGIS Server must implement replay-resistant authentication mechanisms for network access to privileged accounts and non-privileged accounts.V-237328MEDIUMThe ArcGIS Server, when using PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.V-237329HIGHThe ArcGIS Server must use mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.V-237330MEDIUMThe ArcGIS Server must recognize only system-generated session identifiers.V-237331HIGHThe ArcGIS Server must use a full disk encryption solution to protect the confidentiality and integrity of all information.V-237332MEDIUMThe ArcGIS Server must be configured such that emergency accounts are never automatically removed or disabled.V-237333MEDIUMThe ArcGIS Server must reveal error messages only to the ISSO, ISSM, and SA.V-237334MEDIUMThe ArcGIS Server must enforce access restrictions associated with changes to application configuration.V-237335MEDIUMThe organization must disable organization-defined functions, ports, protocols, and services within the ArcGIS Server deemed to be unnecessary and/or nonsecure.V-237336MEDIUMThe ArcGIS Server must accept and electronically verify Personal Identity Verification (PIV) credentials.V-237337HIGHThe ArcGIS Server Windows authentication must authenticate all endpoint devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based.V-237338HIGHThe ArcGIS Server SSL settings must use NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.V-237339HIGHThe ArcGIS Server keystores must only contain certificates of PKI established certificate authorities for verification of protected sessions.V-237340MEDIUMThe ArcGIS Server must maintain a separate execution domain for each executing process.V-237341MEDIUMThe ArcGIS Server must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.V-257297HIGHThe version of ArcGIS running on the system must be a supported version.