| APAS-AT-000010 |
Automation Controller must limit the number of concurrent sessions to an organization-defined number for all accounts and/or account types. |
| APAS-AT-000011 |
Automation Controller must use encryption strength in accordance with the categorization of the management data during remote access management sessions. |
| APAS-AT-000012 |
Automation Controller must implement cryptography mechanisms to protect the integrity of information. |
| APAS-AT-000015 |
The Automation Controller management interface must display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system. |
| APAS-AT-000017 |
Automation Controller must use external log providers that can collect user activity logs in independent, protected repositories to prevent modification or repudiation. |
| APAS-AT-000031 |
Automation Controller must allocate log record storage capacity and shut down by default upon log failure (unless availability is an overriding concern). |
| APAS-AT-000032 |
Automation Controller must be configured to fail over to another system in the event of log subsystem failure. |
| APAS-AT-000034 |
Automation Controller's log files must be accessible by explicitly defined privilege. |
| APAS-AT-000044 |
Automation Controller must be capable of reverting to the last known good configuration in the event of failed installations and upgrades. |
| APAS-AT-000047 |
Automation Controller must be configured to use an enterprise user management system. |
| APAS-AT-000050 |
Automation Controller must be configured to authenticate users individually, prior to using a group authenticator. |
| APAS-AT-000055 |
Automation Controller must utilize encryption when using LDAP for authentication. |
| APAS-AT-000078 |
Automation Controller must use cryptographic mechanisms to protect the integrity of log tools. |
| APAS-AT-000093 |
Automation Controller must compare internal application server clocks at least every 24 hours with an authoritative time source. |
| APAS-AT-000110 |
Automation Controller must only allow the use of DOD PKI-established certificate authorities for verification of the establishment of protected sessions. |
| APAS-AT-000122 |
Automation Controller must install security-relevant software updates within the time period directed by an authoritative source (e.g. IAVM, CTOs, DTMs, and STIGs). |