Security Requirements Guide - Mainframe Product STIG V3R2

View as one page
STIG ID Title
SRG-APP-000001-MFP-000001 The Mainframe Product must limit the number of concurrent sessions to three for all accounts and/or account types.
SRG-APP-000002-MFP-000002 The Mainframe Product must conceal, via the session lock, information previously visible on the display with a publicly viewable image.
SRG-APP-000003-MFP-000003 The Mainframe Product must initiate a session lock after a 15-minute period of inactivity.
SRG-APP-000004-MFP-000004 The Mainframe Product must provide the capability for users to directly initiate a session lock.
SRG-APP-000005-MFP-000005 The Mainframe Product must retain the session lock until the user reestablishes access using established identification and authentication procedures.
SRG-APP-000023-MFP-000033 The Mainframe Product must use an external security manager for all account management functions.
SRG-APP-000024-MFP-000036 The Mainframe Product must automatically remove or disable temporary user accounts after 72 hours.
SRG-APP-000025-MFP-000038 The Mainframe Product must automatically disable accounts after 35 days of account inactivity.
SRG-APP-000026-MFP-000039 The Mainframe Product must automatically audit account creation.
SRG-APP-000027-MFP-000040 The Mainframe Product must automatically audit account modification.
SRG-APP-000028-MFP-000041 The Mainframe Product must automatically audit account disabling actions.
SRG-APP-000029-MFP-000042 The Mainframe Product must automatically audit account removal actions.
SRG-APP-000033-MFP-000056 The Mainframe Product must enforce approved authorizations for logical access to sensitive information and system resources in accordance with applicable access control policies.
SRG-APP-000033-MFP-000057 The Mainframe Product must enforce approved authorizations for security administrator access to sensitive information and system resources in accordance with applicable access control policies.
SRG-APP-000033-MFP-000066 The Mainframe Product must enforce approved authorizations for system programmer access to sensitive information and system resources in accordance with applicable access control policies.
SRG-APP-000038-MFP-000067 The Mainframe Product must enforce approved authorizations for controlling the flow of information within the system based on site security plan information flow control policies.
SRG-APP-000065-MFP-000093 The Mainframe Product must enforce the limit of three consecutive invalid logon attempts by a user during a 15 minute time period.
SRG-APP-000073-MFP-000255 Mainframe Products scanning for malicious code must scan all media used for system maintenance prior to use.
SRG-APP-000080-MFP-000102 The Mainframe Product must protect against an individual (or process acting on behalf of an individual) falsely denying having performed actions defined in the site security plan to be covered by non-repudiation.
SRG-APP-000086-MFP-000110 For Mainframe Products providing audit record aggregation, the Mainframe Product must compile audit records from mainframe components into a system-wide audit trail that is time-correlated with a tolerance for the relationship between time stamps of individual records in the audit trail in accordance with the site security plan.
SRG-APP-000089-MFP-000114 The Mainframe Product must provide audit record generation capability for DoD-defined auditable events within all application components.
SRG-APP-000090-MFP-000115 The Mainframe Product must allow only the information system security manager (ISSM) or individuals or roles appointed by the ISSM to select which auditable events are to be audited.
SRG-APP-000091-MFP-000116 The Mainframe Product must generate audit records when successful/unsuccessful attempts to access privileges occur.
SRG-APP-000092-MFP-000137 The Mainframe Product must initiate session auditing upon startup.
SRG-APP-000095-MFP-000140 The Mainframe Product must produce audit records containing information to establish what type of events occurred.
SRG-APP-000096-MFP-000141 The Mainframe Product must produce audit records containing information to establish when (date and time) the events occurred.
SRG-APP-000097-MFP-000142 The Mainframe Product must produce audit records containing information to establish where the events occurred.
SRG-APP-000098-MFP-000143 The Mainframe Product must produce audit records containing information to establish the source of the events.
SRG-APP-000099-MFP-000144 The Mainframe Product must produce audit records containing information to establish the outcome of the events.
SRG-APP-000100-MFP-000145 The Mainframe Product must generate audit records containing information to establish the identity of any individual or process associated with the event.
SRG-APP-000101-MFP-000146 The Mainframe Product must generate audit records containing the full-text recording of privileged commands or the individual identities of group account users.
SRG-APP-000108-MFP-000154 The Mainframe Product must alert the system administrator (SA) and information system security officer (ISSO) (at a minimum) in the event of an audit processing failure.
SRG-APP-000109-MFP-000155 The Mainframe Product must shut down by default upon audit failure (unless availability is an overriding concern).
SRG-APP-000111-MFP-000156 The Mainframe Product must provide the capability to centrally review and analyze audit records from multiple components within the system.
SRG-APP-000112-MFP-000280 The Mainframe Product must prevent the execution of prohibited mobile code.
SRG-APP-000115-MFP-000157 The Mainframe Products must provide the capability to filter audit records for events of interest as defined in site security plan.
SRG-APP-000116-MFP-000171 The Mainframe Products must use internal system clocks to generate time stamps for audit records.
SRG-APP-000118-MFP-000174 The Mainframe Product must protect audit information from any type of unauthorized read access.
SRG-APP-000119-MFP-000175 The Mainframe Product must protect audit information from unauthorized modification.
SRG-APP-000120-MFP-000176 The Mainframe Product must protect audit information from unauthorized deletion.
SRG-APP-000121-MFP-000177 The Mainframe Product must protect audit tools from unauthorized access.
SRG-APP-000122-MFP-000178 The Mainframe Product must protect audit tools from unauthorized modification.
SRG-APP-000123-MFP-000179 The Mainframe Product must protect audit tools from unauthorized deletion.
SRG-APP-000131-MFP-000189 The Mainframe Product must prevent the installation of patches, service packs, or application components without verification that the software component has been digitally signed using a certificate that is recognized and approved by the organization.
SRG-APP-000133-MFP-000192 The Mainframe Product must limit privileges to change the Mainframe Product installation datasets to system programmers and authorized users in accordance with applicable access control policies.
SRG-APP-000133-MFP-000193 The Mainframe Product must limit privileges to change Mainframe Product started task and job datasets to system programmers and authorized users in accordance with applicable access control policies.
SRG-APP-000133-MFP-000194 The Mainframe Product must limit privileges to change Mainframe Product user datasets to authorized individuals.
SRG-APP-000141-MFP-000200 The Mainframe Product must be configured to disable non-essential capabilities.
SRG-APP-000148-MFP-000206 The Mainframe Product must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
SRG-APP-000149-MFP-000207 The Mainframe Product must use multifactor authentication for network access to privileged accounts.
SRG-APP-000150-MFP-000211 The Mainframe Product must use multifactor authentication for network access to non-privileged accounts.
SRG-APP-000151-MFP-000212 The Mainframe Product must use multifactor authentication for local access to privileged accounts.
SRG-APP-000152-MFP-000213 The Mainframe Product must use multifactor authentication for local access to nonprivileged accounts.
SRG-APP-000153-MFP-000214 The Mainframe Product must verify users are authenticated with an individual authenticator prior to using a group authenticator.
SRG-APP-000164-MFP-000227 The Mainframe Product must enforce a minimum 15-character password length.
SRG-APP-000166-MFP-000228 The Mainframe Product must enforce password complexity by requiring that at least one uppercase character be used.
SRG-APP-000167-MFP-000229 The Mainframe Product must enforce password complexity by requiring that at least one lowercase character be used.
SRG-APP-000168-MFP-000230 The Mainframe Product must enforce password complexity by requiring that at least one numeric character be used.
SRG-APP-000169-MFP-000231 The Mainframe Product must enforce password complexity by requiring that at least one special character be used.
SRG-APP-000170-MFP-000232 The Mainframe Product must require the change of at least eight of the total number of characters when passwords are changed.
SRG-APP-000171-MFP-000233 The Mainframe Product must store only cryptographically protected passwords.
SRG-APP-000172-MFP-000234 The Mainframe Product must transmit only cryptographically protected passwords.
SRG-APP-000173-MFP-000235 The Mainframe Product must enforce 24 hours/1 day as the minimum password lifetime.
SRG-APP-000174-MFP-000236 The Mainframe Product must enforce a 60-day maximum password lifetime restriction.
SRG-APP-000175-MFP-000242 The Mainframe Product, when using PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
SRG-APP-000176-MFP-000243 The Mainframe Product, when using PKI-based authentication, must enforce authorized access to the corresponding private key.
SRG-APP-000177-MFP-000244 The Mainframe Product must map the authenticated identity to the individual user or group account for PKI-based authentication.
SRG-APP-000178-MFP-000246 The Mainframe Product must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
SRG-APP-000179-MFP-000247 The Mainframe Product must use mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
SRG-APP-000180-MFP-000248 The Mainframe Product must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).
SRG-APP-000181-MFP-000161 The Mainframe Product must provide an audit reduction capability that supports on-demand reporting requirements.
SRG-APP-000206-MFP-000277 The Mainframe Product must identify prohibited mobile code.
SRG-APP-000207-MFP-000278 The Mainframe Product must block, quarantine, and/or alert system administrators when prohibited mobile code is identified.
SRG-APP-000209-MFP-000279 The Mainframe Product must prevent the download of prohibited mobile code.
SRG-APP-000210-MFP-000281 The Mainframe Product must prevent the automatic execution of mobile code in, at a minimum, office applications, browsers, email clients, mobile code run-time environments, and mobile agent systems.
SRG-APP-000211-MFP-000283 The Mainframe Product must separate user functionality (including user interface services) from information system management functionality.
SRG-APP-000225-MFP-000300 The Mainframe Product must fail to a secure state if system initialization fails, shutdown fails, or aborts fail.
SRG-APP-000226-MFP-000301 In the event of application failure, Mainframe Products must preserve any information necessary to determine the cause of failure and any information necessary to return to operations with the least disruption to mission processes.
SRG-APP-000231-MFP-000302 The Mainframe Product must protect the confidentiality and integrity of all information at rest.
SRG-APP-000233-MFP-000305 The Mainframe Product must isolate security functions from nonsecurity functions.
SRG-APP-000234-MFP-000037 The Mainframe Product must be configured such that emergency accounts are never automatically removed or disabled.
SRG-APP-000251-MFP-000328 The Mainframe Product must check the validity of all data inputs except those specifically identified by the organization.
SRG-APP-000266-MFP-000334 The Mainframe Product must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.
SRG-APP-000267-MFP-000335 The Mainframe Product must reveal full-text detail error messages only to system programmers and/or security administrators.
SRG-APP-000272-MFP-000347 The Mainframe Product must update malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy.
SRG-APP-000275-MFP-000372 The Mainframe product must notify the system programmer and security administrator of failed security verification tests.
SRG-APP-000276-MFP-000353 The Mainframe Product must update malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management procedures.
SRG-APP-000277-MFP-000354 The Mainframe Product must configure malicious code protection mechanisms to perform periodic scans of the information system every seven days.
SRG-APP-000290-MFP-000182 The Mainframe Product must use cryptographic mechanisms to protect the integrity of audit tools.
SRG-APP-000291-MFP-000043 The Mainframe Product must notify system programmers and security administrators when accounts are created.
SRG-APP-000292-MFP-000044 The Mainframe Product must notify system programmers and security administrators when accounts are modified.
SRG-APP-000293-MFP-000045 The Mainframe Product must notify system programmers and security administrators for account disabling actions.
SRG-APP-000294-MFP-000046 The Mainframe Product must notify system programmers and security administrators for account removal actions.
SRG-APP-000295-MFP-000006 The Mainframe Product must automatically terminate a user session after conditions, as defined in site security plan, are met or trigger events requiring session disconnect.
SRG-APP-000296-MFP-000007 Mainframe Products requiring user access authentication must provide a logoff capability for a user-initiated communication session.
SRG-APP-000297-MFP-000008 The Mainframe Product must display an explicit logoff message to users indicating the reliable termination of authenticated communications sessions.
SRG-APP-000311-MFP-000025 The Mainframe Product must associate types of security attributes having security attribute values as defined in site security plan with information in storage.
SRG-APP-000313-MFP-000026 The Mainframe Product must associate types of security attributes having security attribute values as defined in site security plan with information in process.
SRG-APP-000317-MFP-000034 The Mainframe Product must terminate shared/group account credentials when members leave the group.
SRG-APP-000319-MFP-000047 The Mainframe Product must automatically audit account enabling actions.
SRG-APP-000320-MFP-000048 The Mainframe Product must notify system programmers and security administrators of account enabling actions.
SRG-APP-000328-MFP-000061 The Mainframe Product must enforce organization-defined discretionary access control policies over defined subjects and objects.
SRG-APP-000340-MFP-000088 The Mainframe Product must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
SRG-APP-000342-MFP-000090 The Mainframe Product must prevent software as identified in the site security plan from executing at higher privilege levels than users executing the software.
SRG-APP-000343-MFP-000091 The Mainframe Product must audit the execution of privileged functions.
SRG-APP-000345-MFP-000094 The Mainframe Product must automatically lock the account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are exceeded.
SRG-APP-000357-MFP-000148 The mainframe product must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.
SRG-APP-000358-MFP-000149 The Mainframe Product must off-load audit records onto a different system or media than the system being audited.
SRG-APP-000359-MFP-000151 The Mainframe Product must provide an immediate warning to the system programmer and security administrator (at a minimum) when allocated audit record storage volume reaches 75 percent of repository maximum audit record storage capacity.
SRG-APP-000360-MFP-000152 The Mainframe Product must provide an immediate real-time alert to the operations staff, system programmers, and/or security administrators, at a minimum, of all audit failure events requiring real-time alerts.
SRG-APP-000364-MFP-000160 The Mainframe Product must provide an audit reduction capability that supports on-demand audit review and analysis.
SRG-APP-000365-MFP-000162 The Mainframe Product must provide an audit reduction capability that supports after-the-fact investigations of security incidents.
SRG-APP-000366-MFP-000163 The Mainframe Product must provide a report generation capability that supports on-demand audit review and analysis.
SRG-APP-000367-MFP-000164 The Mainframe Product must provide a report generation capability that supports on-demand reporting requirements.
SRG-APP-000368-MFP-000165 The Mainframe Product must provide a report generation capability that supports after-the-fact investigations of security incidents.
SRG-APP-000369-MFP-000166 The Mainframe Product must provide an audit reduction capability that does not alter original content or time ordering of audit records.
SRG-APP-000370-MFP-000167 The Mainframe Product must provide a report generation capability that does not alter original content or time ordering of audit records.
SRG-APP-000378-MFP-000185 The Mainframe product must prohibit user installation of software without explicit privileged status.
SRG-APP-000379-MFP-000186 The Mainframe Product must implement organization-defined automated security responses if baseline configurations are changed in an unauthorized manner.
SRG-APP-000380-MFP-000187 The Mainframe Product must enforce access restrictions associated with changes to application configuration.
SRG-APP-000381-MFP-000188 The Mainframe Product must audit the enforcement actions used to restrict access associated with changes to the application.
SRG-APP-000391-MFP-000208 The Mainframe Product must accept Personal Identity Verification (PIV) credentials.
SRG-APP-000392-MFP-000209 The Mainframe Product must electronically verify Personal Identity Verification (PIV) credentials.
SRG-APP-000400-MFP-000241 The Mainframe Product must prohibit the use of cached authenticators after one hour.
SRG-APP-000402-MFP-000249 The Mainframe Product must accept Personal Identity Verification (PIV) credentials from other federal agencies.
SRG-APP-000403-MFP-000250 The Mainframe Product must electronically verify Personal Identity Verification (PIV) credentials from other federal agencies.
SRG-APP-000404-MFP-000251 The Mainframe Product must accept Federal Identity, Credential, and Access Management (FICAM)-approved third-party credentials.
SRG-APP-000405-MFP-000252 The Mainframe Product must conform to Federal Identity, Credential, and Access Management (FICAM)-issued profiles.
SRG-APP-000409-MFP-000257 Mainframe Products must audit nonlocal maintenance and diagnostic sessions audit events as defined in site security plan.
SRG-APP-000411-MFP-000260 Mainframe Products must implement cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications.
SRG-APP-000412-MFP-000261 Mainframe Products must implement cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications.
SRG-APP-000413-MFP-000262 Mainframe Products must verify remote disconnection at the termination of nonlocal maintenance and diagnostic sessions.
SRG-APP-000414-MFP-000265 The Mainframe Product must implement privileged access authorization to all information systems and infrastructure components for selected vulnerability scanning activities as defined in the site security plan.
SRG-APP-000428-MFP-000303 The Mainframe Product must implement cryptographic mechanisms to prevent unauthorized modification of all information not cleared for public release at rest on system components outside of organization facilities.
SRG-APP-000429-MFP-000304 The Mainframe Product must implement cryptographic mechanisms to prevent unauthorized disclosure of all information not cleared for public release at rest on system components outside of organization facilities.
SRG-APP-000431-MFP-000312 The Mainframe Product must maintain a separate execution domain for each executing process.
SRG-APP-000447-MFP-000332 The Mainframe Product must behave in a predictable and documented manner that reflects organizational and system objectives when invalid inputs are received.
SRG-APP-000450-MFP-000338 The Mainframe Product must implement security safeguards to protect its memory from unauthorized code execution.
SRG-APP-000454-MFP-000343 The Mainframe Product must remove all upgraded/replaced software components that are no longer required for operation after updated versions have been installed.
SRG-APP-000456-MFP-000345 The Mainframe Product must install security-relevant software updates within the time period directed by an authoritative source (e.g., IAVMs, CTOs, DTMs, and STIGs).
SRG-APP-000472-MFP-000370 The Mainframe Product performing organization-defined security functions must verify correct operation of security functions.
SRG-APP-000473-MFP-000371 The Mainframe Product must perform verification of the correct operation of security functions upon system startup and/or restart; upon command by a user with privileged access; and/or every 30 days.
SRG-APP-000474-MFP-000373 The Mainframe Product must either shut down, restart, and/or notify the appropriate personnel when anomalies in the operation of the security functions as defined in site security plan are discovered.
SRG-APP-000475-MFP-000374 The Mainframe product must perform an integrity check of all software from vendors/sources that provide cryptographic mechanisms to enable the validation of code authenticity and integrity at startup, at transitional states as defined in site security plan or security-relevant events, or annually.
SRG-APP-000477-MFP-000376 The Mainframe Product must perform an integrity check of information as defined in site security plan at startup, at transitional states as defined in site security plan or security-relevant events, or annually.
SRG-APP-000480-MFP-000379 The Mainframe Product must automatically shut down the information system, restart the information system, and/or implement security safeguards as conditions as defined in site security plan when integrity violations are discovered.
SRG-APP-000484-MFP-000383 The Mainframe Product must audit detected potential integrity violations.
SRG-APP-000485-MFP-000384 The Mainframe Product, upon detection of a potential integrity violation, must initiate one or more of the following actions: generate an audit record, alert the current user, alert personnel or roles as defined in the site security plan, and/or perform other actions as defined in the SSP.
SRG-APP-000488-MFP-000282 The Mainframe Product must prompt the user for action prior to executing mobile code.
SRG-APP-000492-MFP-000117 The Mainframe Product must generate audit records when successful/unsuccessful attempts to access security objects occur.
SRG-APP-000493-MFP-000118 The Mainframe Product must generate audit records when successful/unsuccessful attempts to access security levels occur.
SRG-APP-000494-MFP-000119 The Mainframe Product must generate audit records when successful/unsuccessful attempts to access categories of information (e.g., classification levels) occur.
SRG-APP-000495-MFP-000120 The Mainframe Product must generate audit records when successful/unsuccessful attempts to modify privileges occur.
SRG-APP-000496-MFP-000121 The Mainframe Product must generate audit records when successful/unsuccessful attempts to modify security objects occur.
SRG-APP-000497-MFP-000122 The Mainframe Product must generate audit records when successful/unsuccessful attempts to modify security levels occur.
SRG-APP-000498-MFP-000123 The Mainframe Product must generate audit records when successful/unsuccessful attempts to modify categories of information (e.g., classification levels) occur.
SRG-APP-000499-MFP-000124 The Mainframe Product must generate audit records when successful/unsuccessful attempts to delete privileges occur.
SRG-APP-000500-MFP-000125 The Mainframe Product must generate audit records when successful/unsuccessful attempts to delete security levels occur.
SRG-APP-000501-MFP-000126 The Mainframe Product must generate audit records when successful/unsuccessful attempts to delete security objects occur.
SRG-APP-000502-MFP-000127 The Mainframe Product must generate audit records when successful/unsuccessful attempts to delete categories of information (e.g., classification levels) occur.
SRG-APP-000503-MFP-000128 The Mainframe Product must generate audit records when successful/unsuccessful logon attempts occur.
SRG-APP-000504-MFP-000129 The Mainframe Product must generate audit records for privileged activities or other system-level access.
SRG-APP-000505-MFP-000130 The Mainframe Product must generate audit records showing starting and ending time for user access to the system.
SRG-APP-000506-MFP-000131 The Mainframe Product must generate audit records when concurrent logons from different workstations occur.
SRG-APP-000507-MFP-000132 The Mainframe Product must generate audit records when successful/unsuccessful accesses to objects occur.
SRG-APP-000508-MFP-000133 The Mainframe Product must generate audit records for all direct access to the information system.
SRG-APP-000509-MFP-000134 The Mainframe Product must generate audit records for all account creations, modifications, disabling, and termination events.
SRG-APP-000510-MFP-000135 The Mainframe Product must generate audit records for all kernel module load, unload, and restart events, and for all program initiations.
SRG-APP-000514-MFP-000270 The Mainframe Product must implement NIST FIPS-validated cryptography to provision digital signatures in accordance with applicable federal laws, Executive orders, directives, policies, regulations, and standards.
SRG-APP-000514-MFP-000272 The Mainframe Product must implement NIST FIPS-validated cryptography to generate and validate cryptographic hashes in accordance with applicable federal laws, Executive orders, directives, policies, regulations, and standards.
SRG-APP-000514-MFP-000274 The Mainframe Product must implement NIST FIPS-validated cryptography to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive orders, directives, policies, regulations, and standards.
SRG-APP-000516-MFP-000195 The Mainframe Product must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
SRG-APP-000354-MFP-000136 The Mainframe Product must provide the capability for authorized users to select a user session to capture/record or view/hear.
SRG-APP-000355-MFP-000139 The Mainframe Product must provide the capability for authorized users to remotely view/hear, in real time, all content related to an established user session from a component separate from the Mainframe Product being monitored.
SRG-APP-000416-MFP-000269 The Mainframe Product must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive orders, directives, policies, regulations, and standards.
SRG-APP-000700-MFP-000100 The Mainframe Product must disable accounts when the accounts have expired.
SRG-APP-000705-MFP-000110 The Mainframe Product must disable accounts when the accounts are no longer associated to a user.
SRG-APP-000745-MFP-000120 The Mainframe Product must implement the capability to centrally review and analyze audit records from multiple components within the system.
SRG-APP-000795-MFP-000130 The Mainframe Product must alert organization-defined personnel or roles upon detection of unauthorized access, modification, or deletion of audit information.
SRG-APP-000820-MFP-000170 The Mainframe Product must implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access.
SRG-APP-000825-MFP-000180 The Mainframe Product must implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that the device meets organization-defined strength of mechanism requirements.
SRG-APP-000830-MFP-000190 The Mainframe Product must, for password-based authentication, maintain a list of commonly used, expected, or compromised passwords on an organization-defined frequency.
SRG-APP-000835-MFP-000200 The Mainframe Product must, for password-based authentication, update the list of passwords on an organization-defined frequency.
SRG-APP-000840-MFP-000210 The Mainframe Product must, for password-based authentication, update the list of passwords when organizational passwords are suspected to have been compromised directly or indirectly.
SRG-APP-000845-MFP-000220 The Mainframe Product must, for password-based authentication, verify when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5 (1) (a).
SRG-APP-000855-MFP-000240 The Mainframe Product must, for password-based authentication, require immediate selection of a new password upon account recovery.
SRG-APP-000860-MFP-000250 The Mainframe Product must, for password-based authentication, allow user selection of long passwords and passphrases, including spaces and all printable characters.
SRG-APP-000865-MFP-000260 The Mainframe Product must, for password-based authentication, employ automated tools to assist the user in selecting strong password authenticators.
SRG-APP-000875-MFP-000280 The Mainframe Product must for public key-based authentication, implement a local cache of revocation data to support path discovery and validation.
SRG-APP-000880-MFP-000290 The Mainframe Product must protect nonlocal maintenance sessions by separating the maintenance session from other network sessions with the system by logically separated communications paths.
SRG-APP-000910-MFP-000300 The Mainframe Product must include only approved trust anchors in trust stores or certificate stores managed by the organization.
SRG-APP-000915-MFP-000310 The Mainframe Product must provide protected storage for cryptographic keys with organization-defined safeguards and/or hardware protected key store.
SRG-APP-000920-MFP-000320 The Mainframe Product must synchronize system clocks within and between systems or system components.
SRG-APP-000925-MFP-000330 The Mainframe Product must compare the internal system clocks on an organization-defined frequency with organization-defined authoritative time source.