| SRG ID | Requirement |
|---|---|
| SRG-OS-000001-GPOS-00001 | The operating system must provide automated mechanisms for supporting account management functions. |
| SRG-OS-000002-GPOS-00002 | The operating system must automatically remove or disable temporary user accounts after 72 hours. |
| SRG-OS-000004-GPOS-00004 | The operating system must audit all account creations. |
| SRG-OS-000021-GPOS-00005 | The operating system must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period. |
| SRG-OS-000023-GPOS-00006 | The operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system. |
| SRG-OS-000024-GPOS-00007 | The operating system must display the Standard Mandatory DoD Notice and Consent Banner until users acknowledge the usage conditions and take explicit actions to log on for further access. |
| SRG-OS-000027-GPOS-00008 | The operating system must limit the number of concurrent sessions to ten for all accounts and/or account types. |
| SRG-OS-000028-GPOS-00009 | The operating system must retain a user's session lock until that user reestablishes access using established identification and authentication procedures. |
| SRG-OS-000029-GPOS-00010 | The operating system must initiate a session lock after a 15-minute period of inactivity for all connection types. |
| SRG-OS-000030-GPOS-00011 | The operating system must provide the capability for users to directly initiate a session lock for all connection types. |
| SRG-OS-000031-GPOS-00012 | The operating system must conceal, via the session lock, information previously visible on the display with a publicly viewable image. |
| SRG-OS-000032-GPOS-00013 | The operating system must monitor remote access methods. |
| SRG-OS-000033-GPOS-00014 | The operating system must implement DoD-approved encryption to protect the confidentiality of remote access sessions. |
| SRG-OS-000037-GPOS-00015 | The operating system must produce audit records containing information to establish what type of events occurred. |
| SRG-OS-000038-GPOS-00016 | The operating system must produce audit records containing information to establish when (date and time) the events occurred. |
| SRG-OS-000039-GPOS-00017 | The operating system must produce audit records containing information to establish where the events occurred. |
| SRG-OS-000040-GPOS-00018 | The operating system must produce audit records containing information to establish the source of the events. |
| SRG-OS-000041-GPOS-00019 | The operating system must produce audit records containing information to establish the outcome of the events. |
| SRG-OS-000042-GPOS-00020 | The operating system must generate audit records containing the full-text recording of privileged commands. |
| SRG-OS-000042-GPOS-00021 | The operating system must produce audit records containing the individual identities of group account users. |
| SRG-OS-000046-GPOS-00022 | The operating system must alert the ISSO and SA (at a minimum) in the event of an audit processing failure. |
| SRG-OS-000047-GPOS-00023 | The operating system must shut down by default upon audit failure (unless availability is an overriding concern). |
| SRG-OS-000051-GPOS-00024 | The operating system must provide the capability to centrally review and analyze audit records from multiple components within the system. |
| SRG-OS-000054-GPOS-00025 | The operating system must provide the capability to filter audit records for events of interest based upon all audit fields within audit records. |
| SRG-OS-000055-GPOS-00026 | The operating system must use internal system clocks to generate time stamps for audit records. |
| SRG-OS-000057-GPOS-00027 | The operating system must protect audit information from unauthorized read access. |
| SRG-OS-000058-GPOS-00028 | The operating system must protect audit information from unauthorized modification. |
| SRG-OS-000059-GPOS-00029 | The operating system must protect audit information from unauthorized deletion. |
| SRG-OS-000062-GPOS-00031 | The operating system must provide audit record generation capability for DoD-defined auditable events for all operating system components. |
| SRG-OS-000063-GPOS-00032 | The operating system must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited. |
| SRG-OS-000064-GPOS-00033 | The operating system must generate audit records when successful/unsuccessful attempts to access privileges occur. |
| SRG-OS-000066-GPOS-00034 | The operating system, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. |
| SRG-OS-000067-GPOS-00035 | The operating system, for PKI-based authentication, must enforce authorized access to the corresponding private key. |
| SRG-OS-000068-GPOS-00036 | The operating system must map the authenticated identity to the user or group account for PKI-based authentication. |
| SRG-OS-000069-GPOS-00037 | The operating system must enforce password complexity by requiring that at least one uppercase character be used. |
| SRG-OS-000070-GPOS-00038 | The operating system must enforce password complexity by requiring that at least one lowercase character be used. |
| SRG-OS-000071-GPOS-00039 | The operating system must enforce password complexity by requiring that at least one numeric character be used. |
| SRG-OS-000072-GPOS-00040 | The operating system must require the change of at least 50 percent of the total number of characters when passwords are changed. |
| SRG-OS-000073-GPOS-00041 | The operating system must store only encrypted representations of passwords. |
| SRG-OS-000074-GPOS-00042 | The operating system must transmit only encrypted representations of passwords. |
| SRG-OS-000075-GPOS-00043 | Operating systems must enforce 24 hours/1 day as the minimum password lifetime. |
| SRG-OS-000076-GPOS-00044 | Operating systems must enforce a 60-day maximum password lifetime restriction. |
| SRG-OS-000078-GPOS-00046 | The operating system must enforce a minimum 15-character password length. |
| SRG-OS-000079-GPOS-00047 | The operating system must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals. |
| SRG-OS-000080-GPOS-00048 | The operating system must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. |
| SRG-OS-000095-GPOS-00049 | The operating system must be configured to disable non-essential capabilities. |
| SRG-OS-000096-GPOS-00050 | The operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. |
| SRG-OS-000104-GPOS-00051 | The operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users). |
| SRG-OS-000105-GPOS-00052 | The operating system must use multifactor authentication for network access to privileged accounts. |
| SRG-OS-000106-GPOS-00053 | The operating system must use multifactor authentication for network access to non-privileged accounts. |
| SRG-OS-000107-GPOS-00054 | The operating system must use multifactor authentication for local access to privileged accounts. |
| SRG-OS-000108-GPOS-00055 | The operating system must use multifactor authentication for local access to nonprivileged accounts. |
| SRG-OS-000109-GPOS-00056 | The operating system must require individuals to be authenticated with an individual authenticator prior to using a group authenticator. |
| SRG-OS-000112-GPOS-00057 | The operating system must implement replay-resistant authentication mechanisms for network access to privileged accounts. |
| SRG-OS-000113-GPOS-00058 | The operating system must implement replay-resistant authentication mechanisms for network access to nonprivileged accounts. |
| SRG-OS-000114-GPOS-00059 | The operating system must uniquely identify peripherals before establishing a connection. |
| SRG-OS-000118-GPOS-00060 | The operating system must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity. |
| SRG-OS-000120-GPOS-00061 | The operating system must use mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module. |
| SRG-OS-000121-GPOS-00062 | The operating system must uniquely identify and must authenticate non-organizational users (or processes acting on behalf of non-organizational users). |
| SRG-OS-000122-GPOS-00063 | The operating system must provide an audit reduction capability that supports on-demand reporting requirements. |
| SRG-OS-000123-GPOS-00064 | The information system must automatically remove or disable emergency accounts after the crisis is resolved or 72 hours. |
| SRG-OS-000125-GPOS-00065 | The operating system must employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions. |
| SRG-OS-000132-GPOS-00067 | The operating system must separate user functionality (including user interface services) from operating system management functionality. |
| SRG-OS-000134-GPOS-00068 | The operating system must isolate security functions from nonsecurity functions. |
| SRG-OS-000138-GPOS-00069 | Operating systems must prevent unauthorized and unintended information transfer via shared system resources. |
| SRG-OS-000142-GPOS-00071 | The operating system must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks. |
| SRG-OS-000163-GPOS-00072 | The operating system must terminate all network connections associated with a communications session at the end of the session, or as follows: for in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity; and for user sessions (non-privileged session), the session must be terminated after 15 minutes of inactivity, except to fulfill documented and validated mission requirements. |
| SRG-OS-000184-GPOS-00078 | The operating system must fail to a secure state if system initialization fails, shutdown fails, or aborts fail. |
| SRG-OS-000185-GPOS-00079 | The operating system must protect the confidentiality and integrity of all information at rest. |
| SRG-OS-000205-GPOS-00083 | The operating system must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries. |
| SRG-OS-000206-GPOS-00084 | The operating system must reveal error messages only to authorized users. |
| SRG-OS-000228-GPOS-00088 | Any publicly accessible connection to the operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system. |
| SRG-OS-000239-GPOS-00089 | The operating system must audit all account modifications. |
| SRG-OS-000240-GPOS-00090 | The operating system must audit all account disabling actions. |
| SRG-OS-000241-GPOS-00091 | The operating system must audit all account removal actions. |
| SRG-OS-000250-GPOS-00093 | The operating system must implement cryptography to protect the integrity of remote access sessions. |
| SRG-OS-000254-GPOS-00095 | The operating system must initiate session audits at system start-up. |
| SRG-OS-000255-GPOS-00096 | The operating system must produce audit records containing information to establish the identity of any individual or process associated with the event. |
| SRG-OS-000256-GPOS-00097 | The operating system must protect audit tools from unauthorized access. |
| SRG-OS-000257-GPOS-00098 | The operating system must protect audit tools from unauthorized modification. |
| SRG-OS-000258-GPOS-00099 | The operating system must protect audit tools from unauthorized deletion. |
| SRG-OS-000259-GPOS-00100 | The operating system must limit privileges to change software resident within software libraries. |
| SRG-OS-000266-GPOS-00101 | The operating system must enforce password complexity by requiring that at least one special character be used. |
| SRG-OS-000269-GPOS-00103 | In the event of a system failure, the operating system must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes. |
| SRG-OS-000274-GPOS-00104 | The operating system must notify system administrators and ISSOs when accounts are created. |
| SRG-OS-000275-GPOS-00105 | The operating system must notify system administrators and ISSOs when accounts are modified. |
| SRG-OS-000276-GPOS-00106 | The operating system must notify system administrators and ISSOs when accounts are disabled. |
| SRG-OS-000277-GPOS-00107 | The operating system must notify system administrators and ISSOs when accounts are removed. |
| SRG-OS-000278-GPOS-00108 | The operating system must use cryptographic mechanisms to protect the integrity of audit tools. |
| SRG-OS-000279-GPOS-00109 | The operating system must automatically terminate a user session after inactivity time-outs have expired or at shutdown. |
| SRG-OS-000280-GPOS-00110 | The operating system must provide a logoff capability for user-initiated communications sessions when requiring user access authentication. |
| SRG-OS-000281-GPOS-00111 | The operating system must display an explicit logoff message to users indicating the reliable termination of authenticated communications sessions. |
| SRG-OS-000297-GPOS-00115 | The operating system must control remote access methods. |
| SRG-OS-000298-GPOS-00116 | The operating system must provide the capability to immediately disconnect or disable remote access to the operating system. |
| SRG-OS-000299-GPOS-00117 | The operating system must protect wireless access to and from the system using encryption. |
| SRG-OS-000300-GPOS-00118 | The operating system must protect wireless access to the system using authentication of users and/or devices. |
| SRG-OS-000303-GPOS-00120 | The operating system must audit all account enabling actions. |
| SRG-OS-000304-GPOS-00121 | The operating system must notify system administrators (SAs) and information system security officers (ISSOs) of account enabling actions. |
| SRG-OS-000312-GPOS-00122 | The operating system must allow operating system admins to pass information to any other operating system admin or user. |
| SRG-OS-000312-GPOS-00123 | The operating system must allow operating system admins to grant their privileges to other operating system admins. |
| SRG-OS-000312-GPOS-00124 | The operating system must allow operating system admins to change security attributes on users, the operating system, or the operating system's components. |
| SRG-OS-000324-GPOS-00125 | The operating system must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. |
| SRG-OS-000326-GPOS-00126 | The operating system must prevent all software from executing at higher privilege levels than users executing the software. |
| SRG-OS-000327-GPOS-00127 | The operating system must audit the execution of privileged functions. |
| SRG-OS-000329-GPOS-00128 | The operating system must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes occur. |
| SRG-OS-000337-GPOS-00129 | The operating system must provide the capability for assigned IMOs/ISSOs or designated SAs to change the auditing to be performed on all operating system components, based on all selectable event criteria in near real time. |
| SRG-OS-000341-GPOS-00132 | The operating system must allocate audit record storage capacity to store at least one week's worth of audit records, when audit records are not immediately sent to a central audit record storage facility. |
| SRG-OS-000342-GPOS-00133 | The operating system must offload audit records onto a different system or media from the system being audited. |
| SRG-OS-000343-GPOS-00134 | The operating system must immediately notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity. |
| SRG-OS-000344-GPOS-00135 | The operating system must provide an immediate real-time alert to the SA and ISSO, at a minimum, of all audit failure events requiring real-time alerts. |
| SRG-OS-000348-GPOS-00136 | The operating system must provide an audit reduction capability that supports on-demand audit review and analysis. |
| SRG-OS-000349-GPOS-00137 | The operating system must provide an audit reduction capability that supports after-the-fact investigations of security incidents. |
| SRG-OS-000350-GPOS-00138 | The operating system must provide a report generation capability that supports on-demand audit review and analysis. |
| SRG-OS-000351-GPOS-00139 | The operating system must provide a report generation capability that supports on-demand reporting requirements. |
| SRG-OS-000352-GPOS-00140 | The operating system must provide a report generation capability that supports after-the-fact investigations of security incidents. |
| SRG-OS-000353-GPOS-00141 | The operating system must not alter original content or time ordering of audit records when it provides an audit reduction capability. |
| SRG-OS-000354-GPOS-00142 | The operating system must not alter original content or time ordering of audit records when it provides a report generation capability. |
| SRG-OS-000355-GPOS-00143 | The operating system must, for networked systems, compare internal information system clocks at least every 24 hours with a server which is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DOD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS). |
| SRG-OS-000356-GPOS-00144 | The operating system must synchronize internal information system clocks to the authoritative time source when the time difference is greater than one second. |
| SRG-OS-000358-GPOS-00145 | The operating system must record time stamps for audit records that meet a minimum granularity of one second for a minimum degree of precision. |
| SRG-OS-000359-GPOS-00146 | The operating system must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT). |
| SRG-OS-000360-GPOS-00147 | The operating system must enforce dual authorization for movement and/or deletion of all audit information, when such movement or deletion is not part of an authorized automatic process. |
| SRG-OS-000362-GPOS-00149 | The operating system must prohibit user installation of system software without explicit privileged status. |
| SRG-OS-000363-GPOS-00150 | The operating system must notify designated personnel if baseline configurations are changed in an unauthorized manner. |
| SRG-OS-000364-GPOS-00151 | The operating system must enforce access restrictions. |
| SRG-OS-000365-GPOS-00152 | The operating system must audit the enforcement actions used to restrict access associated with changes to the system. |
| SRG-OS-000366-GPOS-00153 | The operating system must prevent the installation of patches, service packs, device drivers, or operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization. |
| SRG-OS-000368-GPOS-00154 | The operating system must prevent program execution in accordance with local policies regarding software program usage and restrictions and/or rules authorizing the terms and conditions of software program usage. |
| SRG-OS-000370-GPOS-00155 | The operating system must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. |
| SRG-OS-000375-GPOS-00160 | The operating system must implement multifactor authentication for remote access to privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access. |
| SRG-OS-000376-GPOS-00161 | The operating system must accept Personal Identity Verification (PIV) credentials. |
| SRG-OS-000377-GPOS-00162 | The operating system must electronically verify Personal Identity Verification (PIV) credentials. |
| SRG-OS-000378-GPOS-00163 | The operating system must authenticate peripherals before establishing a connection. |
| SRG-OS-000379-GPOS-00164 | The operating system must authenticate all endpoint devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based. |
| SRG-OS-000383-GPOS-00166 | The operating system must prohibit the use of cached authenticators after one day. |
| SRG-OS-000384-GPOS-00167 | The operating system, for PKI-based authentication, must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network. |
| SRG-OS-000392-GPOS-00172 | The operating system must audit all activities performed during nonlocal maintenance and diagnostic sessions. |
| SRG-OS-000393-GPOS-00173 | The operating system must implement cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications, when used for nonlocal maintenance sessions. |
| SRG-OS-000394-GPOS-00174 | The operating system must implement cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications, when used for nonlocal maintenance sessions. |
| SRG-OS-000395-GPOS-00175 | The operating system must verify remote disconnection at the termination of nonlocal maintenance and diagnostic sessions, when used for nonlocal maintenance sessions. |
| SRG-OS-000396-GPOS-00176 | The operating system must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. |
| SRG-OS-000403-GPOS-00182 | The operating system must only allow the use of DoD PKI-established certificate authorities for authentication in the establishment of protected sessions to the operating system. |
| SRG-OS-000404-GPOS-00183 | The operating system must implement cryptographic mechanisms to prevent unauthorized modification of all information at rest on all operating system components. |
| SRG-OS-000405-GPOS-00184 | The operating system must implement cryptographic mechanisms to prevent unauthorized disclosure of all information at rest on all operating system components. |
| SRG-OS-000420-GPOS-00186 | The operating system must protect against or limit the effects of Denial of Service (DoS) attacks by ensuring the operating system is implementing rate-limiting measures on impacted network interfaces. |
| SRG-OS-000423-GPOS-00187 | The operating system must protect the confidentiality and integrity of transmitted information. |
| SRG-OS-000424-GPOS-00188 | The operating system must implement cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution System (PDS). |
| SRG-OS-000425-GPOS-00189 | The operating system must maintain the confidentiality and integrity of information during preparation for transmission. |
| SRG-OS-000426-GPOS-00190 | The operating system must maintain the confidentiality and integrity of information during reception. |
| SRG-OS-000432-GPOS-00191 | The operating system must behave in a predictable and documented manner that reflects organizational and system objectives when invalid inputs are received. |
| SRG-OS-000433-GPOS-00192 | The operating system must implement non-executable data to protect its memory from unauthorized code execution. |
| SRG-OS-000433-GPOS-00193 | The operating system must implement address space layout randomization to protect its memory from unauthorized code execution. |
| SRG-OS-000437-GPOS-00194 | The operating system must remove all software components after updated versions have been installed. |
| SRG-OS-000445-GPOS-00199 | The operating system must verify correct operation of all security functions. |
| SRG-OS-000446-GPOS-00200 | The operating system must perform verification of the correct operation of security functions: upon system start-up and/or restart; upon command by a user with privileged access; and/or every 30 days. |
| SRG-OS-000447-GPOS-00201 | The operating system must shut down the information system, restart the information system, and/or notify the system administrator when anomalies in the operation of any security functions are discovered. |
| SRG-OS-000458-GPOS-00203 | The operating system must generate audit records when successful/unsuccessful attempts to access security objects occur. |
| SRG-OS-000461-GPOS-00205 | The operating system must generate audit records when successful/unsuccessful attempts to access categories of information (e.g., classification levels) occur. |
| SRG-OS-000462-GPOS-00206 | The operating system must generate audit records when successful/unsuccessful attempts to modify privileges occur. |
| SRG-OS-000463-GPOS-00207 | The operating system must generate audit records when successful/unsuccessful attempts to modify security objects occur. |
| SRG-OS-000465-GPOS-00209 | The operating system must generate audit records when successful/unsuccessful attempts to modify categories of information (e.g., classification levels) occur. |
| SRG-OS-000466-GPOS-00210 | The operating system must generate audit records when successful/unsuccessful attempts to delete privileges occur. |
| SRG-OS-000467-GPOS-00211 | The operating system must generate audit records when successful/unsuccessful attempts to delete security levels occur. |
| SRG-OS-000468-GPOS-00212 | The operating system must generate audit records when successful/unsuccessful attempts to delete security objects occur. |
| SRG-OS-000470-GPOS-00214 | The operating system must generate audit records when successful/unsuccessful logon attempts occur. |
| SRG-OS-000471-GPOS-00215 | The operating system must generate audit records for privileged activities or other system-level access. |
| SRG-OS-000471-GPOS-00216 | The audit system must be configured to audit the loading and unloading of dynamic kernel modules. |
| SRG-OS-000472-GPOS-00217 | The operating system must generate audit records showing starting and ending time for user access to the system. |
| SRG-OS-000473-GPOS-00218 | The operating system must generate audit records when concurrent logons to the same account occur from different sources. |
| SRG-OS-000474-GPOS-00219 | The operating system must generate audit records when successful/unsuccessful accesses to objects occur. |
| SRG-OS-000475-GPOS-00220 | The operating system must generate audit records for all direct access to the information system. |
| SRG-OS-000476-GPOS-00221 | The operating system must generate audit records for all account creations, modifications, disabling, and termination events. |
| SRG-OS-000477-GPOS-00222 | The operating system must generate audit records for all kernel module load, unload, and restart actions, and also for all program initiations. |
| SRG-OS-000478-GPOS-00223 | The operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. |
| SRG-OS-000479-GPOS-00224 | The operating system must, at a minimum, off-load audit data from interconnected systems in real time and off-load audit data from standalone systems weekly. |
| SRG-OS-000480-GPOS-00225 | The operating system must prevent the use of dictionary words for passwords. |
| SRG-OS-000480-GPOS-00226 | The operating system must enforce a delay of at least 4 seconds between logon prompts following a failed logon attempt. |
| SRG-OS-000480-GPOS-00227 | The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. |
| SRG-OS-000480-GPOS-00228 | The operating system must define default permissions for all authenticated users in such a way that the user can only read and modify their own files. |
| SRG-OS-000480-GPOS-00229 | The operating system must not allow an unattended or automatic logon to the system. |
| SRG-OS-000480-GPOS-00230 | The operating system must limit the ability of non-privileged users to grant other users direct access to the contents of their home directories/folders. |
| SRG-OS-000480-GPOS-00232 | The operating system must enable an application firewall, if available. |
| SRG-OS-000481-GPOS-00481 | The operating system must protect the confidentiality and integrity of communications with wireless peripherals. |
| SRG-OS-000439-GPOS-00195 | The operating system must install security-relevant software updates within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs). |
| SRG-OS-000590-GPOS-00110 | The operating system must disable accounts when the accounts are no longer associated to a user. |
| SRG-OS-000690-GPOS-00140 | The operating system must prohibit the use or connection of unauthorized hardware components. |
| SRG-OS-000705-GPOS-00150 | The operating system must implement multifactor authentication for local, network, and/or remote access to privileged accounts and/or nonprivileged accounts such that the device meets organization-defined strength of mechanism requirements. |
| SRG-OS-000710-GPOS-00160 | The operating system must, for password-based authentication, verify when users create or update passwords the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5 (1) (a). |
| SRG-OS-000720-GPOS-00170 | The operating system must, for password-based authentication, require immediate selection of a new password upon account recovery. |
| SRG-OS-000725-GPOS-00180 | The operating system must, for password-based authentication, allow user selection of long passwords and passphrases, including spaces and all printable characters. |
| SRG-OS-000730-GPOS-00190 | The operating system must, for password-based authentication, employ automated tools to assist the user in selecting strong password authenticators. |
| SRG-OS-000745-GPOS-00210 | The operating system must accept only external credentials that are NIST-compliant. |
| SRG-OS-000755-GPOS-00220 | The operating system must monitor the use of maintenance tools that execute with increased privilege. |
| SRG-OS-000775-GPOS-00230 | The operating system must include only approved trust anchors in trust stores or certificate stores managed by the organization. |
| SRG-OS-000780-GPOS-00240 | The operating system must provide protected storage for cryptographic keys with organization-defined safeguards and/or hardware protected key store. |
| SRG-OS-000785-GPOS-00250 | The operating system must synchronize system clocks within and between systems or system components. |
| SRG-OS-000805-GPOS-00260 | The operating system must employ automated patch management tools to facilitate flaw remediation to the organization-defined system components. |