STIGhubSTIGhub
STIGhub— A free STIG search and compliance tool·STIGs updated 1 hour ago
Powered by Pylon·Privacy·Terms·Feedback·© 2026 Beacon Cloud Solutions, Inc.
← Back to STIGs

Ivanti Policy Secure NDM Security Technical Implementation Guide

Version

V1R1

Release Date

Jul 9, 2026

SCAP Benchmark ID

Ivanti_PS_NDM

Total Checks

31

Tags

other
CAT I: 10CAT II: 21CAT III: 0

This Security Technical Implementation Guide is published as a tool to improve the security of Department of War (DoW) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Export CKLExport CSVExport JSONDownload STIG ZIP

Checks (31)

V-284518MEDIUMThe Ivanti Policy Secure must be configured to enforce the limit of three consecutive invalid logon attempts, after which time it must block any login attempt for 15 minutes.V-284519MEDIUMThe Ivanti Policy Secure must be configured to display the Standard Mandatory DoW Notice and Consent Banner before granting access to the device.V-284520MEDIUMThe Ivanti Policy Secure must be configured to enable "Detailed Log Note".V-284521MEDIUMThe Ivanti Policy Secure must be configured to use internal system clocks to generate time stamps for audit records.V-284522HIGHThe Ivanti Policy Secure must be configured to map group definitions to role assignments for administrators based on access authorizations.V-284523MEDIUMThe Ivanti Policy Secure must be configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable.V-284524MEDIUMThe Ivanti Policy Secure must enforce a minimum 15-character password length.V-284525MEDIUMThe Ivanti Policy Secure must enforce password complexity by requiring least one uppercase and at least one lowercase character be used.V-284526MEDIUMThe Ivanti Policy Secure must enforce password complexity by requiring that at least one numeric character be used.V-284527MEDIUMThe Ivanti Policy Secure must enforce password complexity by requiring that at least one special character be used.V-284528MEDIUMThe Ivanti Policy Secure must require that when a password is changed, the characters are changed in at least eight of the positions within the password.V-284529HIGHThe Ivanti Policy Secure must be configured to transmit only encrypted representations of passwords.V-284530HIGHThe Ivanti Policy Secure must be configured to terminate all network connections associated with a device management session at the end of the session, or the session must be terminated after 10 minutes of inactivity except to fulfill documented and validated mission requirements.V-284531HIGHThe Ivanti Policy Secure must be configured to prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.V-284532MEDIUMThe Ivanti Policy Secure must be configured to authenticate SNMPv3 messages using a Ivanti Policy Secure-validated keyed-Hash Message Authentication Code (HMAC).V-284533MEDIUMThe Ivanti Policy Secure must use an NTP service that is hosted by a trusted source or a DoW-compliant enterprise or local NTP server.V-284534HIGHThe Ivanti Policy Secure must be configured to connect to the management network if used to authenticate privileged users for device management.V-284535HIGHThe Ivanti Policy Secure must enable IPS, JITC, and NDcPP compliance modes to ensure only FIPS 140-2/140-3 algorithms are used.V-284536MEDIUMThe Ivanti Policy Secure must be configured to send the user access events audit log records to a centralized syslog server.V-284537MEDIUMThe Ivanti Policy Secure must send events audit log records to a centralized syslog server.V-284538HIGHThe Ivanti Policy Secure must be configured to use at least two authentication servers for the purpose of authenticating users prior to granting administrative access.V-284539MEDIUMThe Ivanti Policy Secure must be configured to conduct backups of system level information contained in the information system when changes occur or weekly, whichever is sooner.V-284540MEDIUMThe Ivanti Policy Secure must obtain its public key certificates from an appropriate certificate policy through an approved service provider.V-284541MEDIUMThe Ivanti Policy Secure must limit the number of concurrent sessions to one for each administrator account/or administrator type.V-284542HIGHThe Ivanti Policy Secure must be configured to use DoW public key infrastructure (PKI) as multifactor authentication (MFA) for administrator login via the sign-in URL.V-284543HIGHThe Ivanti Policy Secure must be configured to use DoW-approved online certificate status protocol (OCSP) responders or certificate revocation lists (CRLs) to validate certificates used for public key infrastructure (PKI)-based authentication.V-284544MEDIUMThe Ivanti Policy Secure must be configured to protect nonlocal maintenance sessions by separating the maintenance session from other network sessions with the system by logically separated communications paths.V-284545MEDIUMThe Ivanti Policy Secure must enable the admin access audit log.V-284546MEDIUMThe Ivanti Policy Secure must install software updates within 30 days from publication.V-284547HIGHThe Ivanti Policy Secure must be configured to use a version supported by the vendor.V-284638MEDIUMThe Ivanti Policy Secure must send admin access audit log records to a centralized syslog server.