Security Requirements Guide - Mainframe Product v3r2

Released 2024-10-23

STIG ID                     Title
SRG-APP-000001-MFP-000001   The Mainframe Product must limit the number of concurrent sessions to three for all accounts and/or account types.
SRG-APP-000002-MFP-000002   The Mainframe Product must conceal, via the session lock, information previously visible on the display with a publicly viewable image.
SRG-APP-000003-MFP-000003   The Mainframe Product must initiate a session lock after a 15-minute period of inactivity.
SRG-APP-000004-MFP-000004   The Mainframe Product must provide the capability for users to directly initiate a session lock.
SRG-APP-000005-MFP-000005   The Mainframe Product must retain the session lock until the user reestablishes access using established identification and authentication procedures.
SRG-APP-000023-MFP-000033   The Mainframe Product must use an external security manager for all account management functions.
SRG-APP-000024-MFP-000036   The Mainframe Product must automatically remove or disable temporary user accounts after 72 hours.
SRG-APP-000025-MFP-000038   The Mainframe Product must automatically disable accounts after 35 days of account inactivity.
SRG-APP-000026-MFP-000039   The Mainframe Product must automatically audit account creation.
SRG-APP-000027-MFP-000040   The Mainframe Product must automatically audit account modification.
SRG-APP-000028-MFP-000041   The Mainframe Product must automatically audit account disabling actions.
SRG-APP-000029-MFP-000042   The Mainframe Product must automatically audit account removal actions.
SRG-APP-000033-MFP-000056   The Mainframe Product must enforce approved authorizations for logical access to sensitive information and system resources in accordance with applicable access control policies.
SRG-APP-000033-MFP-000057   The Mainframe Product must enforce approved authorizations for security administrator access to sensitive information and system resources in accordance with applicable access control policies.
SRG-APP-000033-MFP-000066   The Mainframe Product must enforce approved authorizations for system programmer access to sensitive information and system resources in accordance with applicable access control policies.
SRG-APP-000038-MFP-000067   The Mainframe Product must enforce approved authorizations for controlling the flow of information within the system based on site security plan information flow control policies.
SRG-APP-000065-MFP-000093   The Mainframe Product must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.
SRG-APP-000073-MFP-000255   Mainframe Products scanning for malicious code must scan all media used for system maintenance prior to use.
SRG-APP-000080-MFP-000102   The Mainframe Product must protect against an individual (or process acting on behalf of an individual) falsely denying having performed actions defined in the site security plan to be covered by non-repudiation.
SRG-APP-000086-MFP-000110   For Mainframe Products providing audit record aggregation, the Mainframe Product must compile audit records from mainframe components into a system-wide audit trail that is time-correlated with a tolerance for the relationship between time stamps of individual records in the audit trail in accordance with the site security plan.
SRG-APP-000089-MFP-000114   The Mainframe Product must provide audit record generation capability for DoD-defined auditable events within all application components.
SRG-APP-000090-MFP-000115   The Mainframe Product must allow only the information system security manager (ISSM) or individuals or roles appointed by the ISSM to select which auditable events are to be audited.
SRG-APP-000091-MFP-000116   The Mainframe Product must generate audit records when successful/unsuccessful attempts to access privileges occur.
SRG-APP-000092-MFP-000137   The Mainframe Product must initiate session auditing upon startup.
SRG-APP-000095-MFP-000140   The Mainframe Product must produce audit records containing information to establish what type of events occurred.
SRG-APP-000096-MFP-000141   The Mainframe Product must produce audit records containing information to establish when (date and time) the events occurred.
SRG-APP-000097-MFP-000142   The Mainframe Product must produce audit records containing information to establish where the events occurred.
SRG-APP-000098-MFP-000143   The Mainframe Product must produce audit records containing information to establish the source of the events.
SRG-APP-000099-MFP-000144   The Mainframe Product must produce audit records containing information to establish the outcome of the events.
SRG-APP-000100-MFP-000145   The Mainframe Product must generate audit records containing information to establish the identity of any individual or process associated with the event.
SRG-APP-000101-MFP-000146   The Mainframe Product must generate audit records containing the full-text recording of privileged commands or the individual identities of group account users.
SRG-APP-000108-MFP-000154   The Mainframe Product must alert the system administrator (SA) and information system security officer (ISSO) (at a minimum) in the event of an audit processing failure.
SRG-APP-000109-MFP-000155   The Mainframe Product must shut down by default upon audit failure (unless availability is an overriding concern).
SRG-APP-000111-MFP-000156   The Mainframe Product must provide the capability to centrally review and analyze audit records from multiple components within the system.
SRG-APP-000112-MFP-000280   The Mainframe Product must prevent the execution of prohibited mobile code.
SRG-APP-000115-MFP-000157   The Mainframe Products must provide the capability to filter audit records for events of interest as defined in site security plan.
SRG-APP-000116-MFP-000171   The Mainframe Products must use internal system clocks to generate time stamps for audit records.
SRG-APP-000118-MFP-000174   The Mainframe Product must protect audit information from any type of unauthorized read access.
SRG-APP-000119-MFP-000175   The Mainframe Product must protect audit information from unauthorized modification.
SRG-APP-000120-MFP-000176   The Mainframe Product must protect audit information from unauthorized deletion.
SRG-APP-000121-MFP-000177   The Mainframe Product must protect audit tools from unauthorized access.
SRG-APP-000122-MFP-000178   The Mainframe Product must protect audit tools from unauthorized modification.
SRG-APP-000123-MFP-000179   The Mainframe Product must protect audit tools from unauthorized deletion.
SRG-APP-000131-MFP-000189   The Mainframe Product must prevent the installation of patches, service packs, or application components without verification that the software component has been digitally signed using a certificate that is recognized and approved by the organization.
SRG-APP-000133-MFP-000192   The Mainframe Product must limit privileges to change the Mainframe Product installation datasets to system programmers and authorized users in accordance with applicable access control policies.
SRG-APP-000133-MFP-000193   The Mainframe Product must limit privileges to change Mainframe Product started task and job datasets to system programmers and authorized users in accordance with applicable access control policies.
SRG-APP-000133-MFP-000194   The Mainframe Product must limit privileges to change Mainframe Product user datasets to authorized individuals.
SRG-APP-000141-MFP-000200   The Mainframe Product must be configured to disable non-essential capabilities.
SRG-APP-000148-MFP-000206   The Mainframe Product must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
SRG-APP-000149-MFP-000207   The Mainframe Product must use multifactor authentication for network access to privileged accounts.
SRG-APP-000150-MFP-000211   The Mainframe Product must use multifactor authentication for network access to non-privileged accounts.
SRG-APP-000151-MFP-000212   The Mainframe Product must use multifactor authentication for local access to privileged accounts.
SRG-APP-000152-MFP-000213   The Mainframe Product must use multifactor authentication for local access to nonprivileged accounts.
SRG-APP-000153-MFP-000214   The Mainframe Product must verify users are authenticated with an individual authenticator prior to using a group authenticator.
SRG-APP-000164-MFP-000227   The Mainframe Product must enforce a minimum 15-character password length.
SRG-APP-000166-MFP-000228   The Mainframe Product must enforce password complexity by requiring that at least one uppercase character be used.
SRG-APP-000167-MFP-000229   The Mainframe Product must enforce password complexity by requiring that at least one lowercase character be used.
SRG-APP-000168-MFP-000230   The Mainframe Product must enforce password complexity by requiring that at least one numeric character be used.
SRG-APP-000169-MFP-000231   The Mainframe Product must enforce password complexity by requiring that at least one special character be used.
SRG-APP-000170-MFP-000232   The Mainframe Product must require the change of at least eight of the total number of characters when passwords are changed.
SRG-APP-000171-MFP-000233   The Mainframe Product must store only cryptographically protected passwords.
SRG-APP-000172-MFP-000234   The Mainframe Product must transmit only cryptographically protected passwords.
SRG-APP-000173-MFP-000235   The Mainframe Product must enforce 24 hours/1 day as the minimum password lifetime.
SRG-APP-000174-MFP-000236   The Mainframe Product must enforce a 60-day maximum password lifetime restriction.
SRG-APP-000175-MFP-000242   The Mainframe Product, when using PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
SRG-APP-000176-MFP-000243   The Mainframe Product, when using PKI-based authentication, must enforce authorized access to the corresponding private key.
SRG-APP-000177-MFP-000244   The Mainframe Product must map the authenticated identity to the individual user or group account for PKI-based authentication.
SRG-APP-000178-MFP-000246   The Mainframe Product must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
SRG-APP-000179-MFP-000247   The Mainframe Product must use mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
SRG-APP-000180-MFP-000248   The Mainframe Product must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).
SRG-APP-000181-MFP-000161   The Mainframe Product must provide an audit reduction capability that supports on-demand reporting requirements.
SRG-APP-000206-MFP-000277   The Mainframe Product must identify prohibited mobile code.
SRG-APP-000207-MFP-000278   The Mainframe Product must block, quarantine, and/or alert system administrators when prohibited mobile code is identified.
SRG-APP-000209-MFP-000279   The Mainframe Product must prevent the download of prohibited mobile code.
SRG-APP-000210-MFP-000281   The Mainframe Product must prevent the automatic execution of mobile code in, at a minimum, office applications, browsers, email clients, mobile code run-time environments, and mobile agent systems.
SRG-APP-000211-MFP-000283   The Mainframe Product must separate user functionality (including user interface services) from information system management functionality.
SRG-APP-000225-MFP-000300   The Mainframe Product must fail to a secure state if system initialization fails, shutdown fails, or aborts fail.
SRG-APP-000226-MFP-000301   In the event of application failure, Mainframe Products must preserve any information necessary to determine the cause of failure and any information necessary to return to operations with the least disruption to mission processes.
SRG-APP-000231-MFP-000302   The Mainframe Product must protect the confidentiality and integrity of all information at rest.
SRG-APP-000233-MFP-000305   The Mainframe Product must isolate security functions from nonsecurity functions.
SRG-APP-000234-MFP-000037   The Mainframe Product must be configured such that emergency accounts are never automatically removed or disabled.
SRG-APP-000251-MFP-000328   The Mainframe Product must check the validity of all data inputs except those specifically identified by the organization.
SRG-APP-000266-MFP-000334   The Mainframe Product must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.
SRG-APP-000267-MFP-000335   The Mainframe Product must reveal full-text detail error messages only to system programmers and/or security administrators.
SRG-APP-000272-MFP-000347   The Mainframe Product must update malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy.
SRG-APP-000275-MFP-000372   The Mainframe Product must notify the system programmer and security administrator of failed security verification tests.
SRG-APP-000276-MFP-000353   The Mainframe Product must update malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management procedures.
SRG-APP-000277-MFP-000354   The Mainframe Product must configure malicious code protection mechanisms to perform periodic scans of the information system every seven days.
SRG-APP-000290-MFP-000182   The Mainframe Product must use cryptographic mechanisms to protect the integrity of audit tools.
SRG-APP-000291-MFP-000043   The Mainframe Product must notify system programmers and security administrators when accounts are created.
SRG-APP-000292-MFP-000044   The Mainframe Product must notify system programmers and security administrators when accounts are modified.
SRG-APP-000293-MFP-000045   The Mainframe Product must notify system programmers and security administrators for account disabling actions.
SRG-APP-000294-MFP-000046   The Mainframe Product must notify system programmers and security administrators for account removal actions.
SRG-APP-000295-MFP-000006   The Mainframe Product must automatically terminate a user session after conditions, as defined in site security plan, are met or trigger events requiring session disconnect.
SRG-APP-000296-MFP-000007   Mainframe Products requiring user access authentication must provide a logoff capability for a user-initiated communication session.
SRG-APP-000297-MFP-000008   The Mainframe Product must display an explicit logoff message to users indicating the reliable termination of authenticated communications sessions.
SRG-APP-000311-MFP-000025   The Mainframe Product must associate types of security attributes having security attribute values as defined in site security plan with information in storage.
SRG-APP-000313-MFP-000026   The Mainframe Product must associate types of security attributes having security attribute values as defined in site security plan with information in process.
SRG-APP-000317-MFP-000034   The Mainframe Product must terminate shared/group account credentials when members leave the group.
SRG-APP-000319-MFP-000047   The Mainframe Product must automatically audit account enabling actions.
SRG-APP-000320-MFP-000048   The Mainframe Product must notify system programmers and security administrators of account enabling actions.
SRG-APP-000328-MFP-000061   The Mainframe Product must enforce organization-defined discretionary access control policies over defined subjects and objects.
SRG-APP-000340-MFP-000088   The Mainframe Product must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
SRG-APP-000342-MFP-000090   The Mainframe Product must prevent software as identified in the site security plan from executing at higher privilege levels than users executing the software.
SRG-APP-000343-MFP-000091   The Mainframe Product must audit the execution of privileged functions.
SRG-APP-000345-MFP-000094   The Mainframe Product must automatically lock the account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are exceeded.
SRG-APP-000354-MFP-000136   The Mainframe Product must provide the capability for authorized users to select a user session to capture/record or view/hear.
SRG-APP-000355-MFP-000139   The Mainframe Product must provide the capability for authorized users to remotely view/hear, in real time, all content related to an established user session from a component separate from the Mainframe Product being monitored.
SRG-APP-000357-MFP-000148   The Mainframe Product must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.
SRG-APP-000358-MFP-000149   The Mainframe Product must off-load audit records onto a different system or media than the system being audited.
SRG-APP-000359-MFP-000151   The Mainframe Product must provide an immediate warning to the system programmer and security administrator (at a minimum) when allocated audit record storage volume reaches 75 percent of repository maximum audit record storage capacity.
SRG-APP-000360-MFP-000152   The Mainframe Product must provide an immediate real-time alert to the operations staff, system programmers, and/or security administrators, at a minimum, of all audit failure events requiring real-time alerts.
SRG-APP-000364-MFP-000160   The Mainframe Product must provide an audit reduction capability that supports on-demand audit review and analysis.
SRG-APP-000365-MFP-000162   The Mainframe Product must provide an audit reduction capability that supports after-the-fact investigations of security incidents.
SRG-APP-000366-MFP-000163   The Mainframe Product must provide a report generation capability that supports on-demand audit review and analysis.
SRG-APP-000367-MFP-000164   The Mainframe Product must provide a report generation capability that supports on-demand reporting requirements.
SRG-APP-000368-MFP-000165   The Mainframe Product must provide a report generation capability that supports after-the-fact investigations of security incidents.
SRG-APP-000369-MFP-000166   The Mainframe Product must provide an audit reduction capability that does not alter original content or time ordering of audit records.
SRG-APP-000370-MFP-000167   The Mainframe Product must provide a report generation capability that does not alter original content or time ordering of audit records.
SRG-APP-000378-MFP-000185   The Mainframe Product must prohibit user installation of software without explicit privileged status.
SRG-APP-000379-MFP-000186   The Mainframe Product must implement organization-defined automated security responses if baseline configurations are changed in an unauthorized manner.
SRG-APP-000380-MFP-000187   The Mainframe Product must enforce access restrictions associated with changes to application configuration.
SRG-APP-000381-MFP-000188   The Mainframe Product must audit the enforcement actions used to restrict access associated with changes to the application.
SRG-APP-000391-MFP-000208   The Mainframe Product must accept Personal Identity Verification (PIV) credentials.
SRG-APP-000392-MFP-000209   The Mainframe Product must electronically verify Personal Identity Verification (PIV) credentials.
SRG-APP-000400-MFP-000241   The Mainframe Product must prohibit the use of cached authenticators after one hour.
SRG-APP-000402-MFP-000249   The Mainframe Product must accept Personal Identity Verification (PIV) credentials from other federal agencies.
SRG-APP-000403-MFP-000250   The Mainframe Product must electronically verify Personal Identity Verification (PIV) credentials from other federal agencies.
SRG-APP-000404-MFP-000251   The Mainframe Product must accept Federal Identity, Credential, and Access Management (FICAM)-approved third-party credentials.
SRG-APP-000405-MFP-000252   The Mainframe Product must conform to Federal Identity, Credential, and Access Management (FICAM)-issued profiles.
SRG-APP-000409-MFP-000257   Mainframe Products must audit nonlocal maintenance and diagnostic sessions audit events as defined in site security plan.
SRG-APP-000411-MFP-000260   Mainframe Products must implement cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications.
SRG-APP-000412-MFP-000261   Mainframe Products must implement cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications.
SRG-APP-000413-MFP-000262   Mainframe Products must verify remote disconnection at the termination of nonlocal maintenance and diagnostic sessions.
SRG-APP-000414-MFP-000265   The Mainframe Product must implement privileged access authorization to all information systems and infrastructure components for selected vulnerability scanning activities as defined in the site security plan.
SRG-APP-000416-MFP-000269   The Mainframe Product must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive orders, directives, policies, regulations, and standards.
SRG-APP-000428-MFP-000303   The Mainframe Product must implement cryptographic mechanisms to prevent unauthorized modification of all information not cleared for public release at rest on system components outside of organization facilities.
SRG-APP-000429-MFP-000304   The Mainframe Product must implement cryptographic mechanisms to prevent unauthorized disclosure of all information not cleared for public release at rest on system components outside of organization facilities.
SRG-APP-000431-MFP-000312   The Mainframe Product must maintain a separate execution domain for each executing process.
SRG-APP-000447-MFP-000332   The Mainframe Product must behave in a predictable and documented manner that reflects organizational and system objectives when invalid inputs are received.
SRG-APP-000450-MFP-000338   The Mainframe Product must implement security safeguards to protect its memory from unauthorized code execution.
SRG-APP-000454-MFP-000343   The Mainframe Product must remove all upgraded/replaced software components that are no longer required for operation after updated versions have been installed.
SRG-APP-000456-MFP-000345   The Mainframe Product must install security-relevant software updates within the time period directed by an authoritative source (e.g., IAVMs, CTOs, DTMs, and STIGs).
SRG-APP-000472-MFP-000370   The Mainframe Product performing organization-defined security functions must verify correct operation of security functions.
SRG-APP-000473-MFP-000371   The Mainframe Product must perform verification of the correct operation of security functions upon system startup and/or restart; upon command by a user with privileged access; and/or every 30 days.
SRG-APP-000474-MFP-000373   The Mainframe Product must either shut down, restart, and/or notify the appropriate personnel when anomalies in the operation of the security functions as defined in site security plan are discovered.
SRG-APP-000475-MFP-000374   The Mainframe Product must perform an integrity check of all software from vendors/sources that provide cryptographic mechanisms to enable the validation of code authenticity and integrity at startup, at transitional states as defined in site security plan or security-relevant events, or annually.
SRG-APP-000477-MFP-000376   The Mainframe Product must perform an integrity check of information as defined in site security plan at startup, at transitional states as defined in site security plan or security-relevant events, or annually.
SRG-APP-000480-MFP-000379   The Mainframe Product must automatically shut down the information system, restart the information system, and/or implement security safeguards as conditions as defined in site security plan when integrity violations are discovered.
SRG-APP-000484-MFP-000383   The Mainframe Product must audit detected potential integrity violations.
SRG-APP-000485-MFP-000384   The Mainframe Product, upon detection of a potential integrity violation, must initiate one or more of the following actions: generate an audit record, alert the current user, alert personnel or roles as defined in the site security plan, and/or perform other actions as defined in the SSP.
SRG-APP-000488-MFP-000282   The Mainframe Product must prompt the user for action prior to executing mobile code.
SRG-APP-000492-MFP-000117   The Mainframe Product must generate audit records when successful/unsuccessful attempts to access security objects occur.
SRG-APP-000493-MFP-000118   The Mainframe Product must generate audit records when successful/unsuccessful attempts to access security levels occur.
SRG-APP-000494-MFP-000119   The Mainframe Product must generate audit records when successful/unsuccessful attempts to access categories of information (e.g., classification levels) occur.
SRG-APP-000495-MFP-000120   The Mainframe Product must generate audit records when successful/unsuccessful attempts to modify privileges occur.
SRG-APP-000496-MFP-000121   The Mainframe Product must generate audit records when successful/unsuccessful attempts to modify security objects occur.
SRG-APP-000497-MFP-000122   The Mainframe Product must generate audit records when successful/unsuccessful attempts to modify security levels occur.
SRG-APP-000498-MFP-000123   The Mainframe Product must generate audit records when successful/unsuccessful attempts to modify categories of information (e.g., classification levels) occur.
SRG-APP-000499-MFP-000124   The Mainframe Product must generate audit records when successful/unsuccessful attempts to delete privileges occur.
SRG-APP-000500-MFP-000125   The Mainframe Product must generate audit records when successful/unsuccessful attempts to delete security levels occur.
SRG-APP-000501-MFP-000126   The Mainframe Product must generate audit records when successful/unsuccessful attempts to delete security objects occur.
SRG-APP-000502-MFP-000127   The Mainframe Product must generate audit records when successful/unsuccessful attempts to delete categories of information (e.g., classification levels) occur.
SRG-APP-000503-MFP-000128   The Mainframe Product must generate audit records when successful/unsuccessful logon attempts occur.
SRG-APP-000504-MFP-000129   The Mainframe Product must generate audit records for privileged activities or other system-level access.
SRG-APP-000505-MFP-000130   The Mainframe Product must generate audit records showing starting and ending time for user access to the system.
SRG-APP-000506-MFP-000131   The Mainframe Product must generate audit records when concurrent logons from different workstations occur.
SRG-APP-000507-MFP-000132   The Mainframe Product must generate audit records when successful/unsuccessful accesses to objects occur.
SRG-APP-000508-MFP-000133   The Mainframe Product must generate audit records for all direct access to the information system.
SRG-APP-000509-MFP-000134   The Mainframe Product must generate audit records for all account creations, modifications, disabling, and termination events.
SRG-APP-000510-MFP-000135   The Mainframe Product must generate audit records for all kernel module load, unload, and restart events, and for all program initiations.
SRG-APP-000514-MFP-000270   The Mainframe Product must implement NIST FIPS-validated cryptography to provision digital signatures in accordance with applicable federal laws, Executive orders, directives, policies, regulations, and standards.
SRG-APP-000514-MFP-000272   The Mainframe Product must implement NIST FIPS-validated cryptography to generate and validate cryptographic hashes in accordance with applicable federal laws, Executive orders, directives, policies, regulations, and standards.
SRG-APP-000514-MFP-000274   The Mainframe Product must implement NIST FIPS-validated cryptography to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive orders, directives, policies, regulations, and standards.
SRG-APP-000516-MFP-000195   The Mainframe Product must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
SRG-APP-000700-MFP-000100   The Mainframe Product must disable accounts when the accounts have expired.
SRG-APP-000705-MFP-000110   The Mainframe Product must disable accounts when the accounts are no longer associated to a user.
SRG-APP-000745-MFP-000120   The Mainframe Product must implement the capability to centrally review and analyze audit records from multiple components within the system.
SRG-APP-000795-MFP-000130   The Mainframe Product must alert organization-defined personnel or roles upon detection of unauthorized access, modification, or deletion of audit information.
SRG-APP-000820-MFP-000170   The Mainframe Product must implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access.
SRG-APP-000825-MFP-000180   The Mainframe Product must implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that the device meets organization-defined strength of mechanism requirements.
SRG-APP-000830-MFP-000190   The Mainframe Product must, for password-based authentication, maintain a list of commonly used, expected, or compromised passwords on an organization-defined frequency.
SRG-APP-000835-MFP-000200   The Mainframe Product must, for password-based authentication, update the list of passwords on an organization-defined frequency.
SRG-APP-000840-MFP-000210   The Mainframe Product must, for password-based authentication, update the list of passwords when organizational passwords are suspected to have been compromised directly or indirectly.
SRG-APP-000845-MFP-000220   The Mainframe Product must, for password-based authentication, verify when users create or update passwords, that the passwords are not found on the list of commonly used, expected, or compromised passwords in IA-5 (1) (a).
SRG-APP-000855-MFP-000240   The Mainframe Product must, for password-based authentication, require immediate selection of a new password upon account recovery.
SRG-APP-000860-MFP-000250   The Mainframe Product must, for password-based authentication, allow user selection of long passwords and passphrases, including spaces and all printable characters.
SRG-APP-000865-MFP-000260   The Mainframe Product must, for password-based authentication, employ automated tools to assist the user in selecting strong password authenticators.
SRG-APP-000875-MFP-000280   The Mainframe Product must, for public key-based authentication, implement a local cache of revocation data to support path discovery and validation.
SRG-APP-000880-MFP-000290   The Mainframe Product must protect nonlocal maintenance sessions by separating the maintenance session from other network sessions with the system by logically separated communications paths.
SRG-APP-000910-MFP-000300   The Mainframe Product must include only approved trust anchors in trust stores or certificate stores managed by the organization.
SRG-APP-000915-MFP-000310   The Mainframe Product must provide protected storage for cryptographic keys with organization-defined safeguards and/or hardware protected key store.
SRG-APP-000920-MFP-000320   The Mainframe Product must synchronize system clocks within and between systems or system components.
SRG-APP-000925-MFP-000330   The Mainframe Product must compare the internal system clocks on an organization-defined frequency with organization-defined authoritative time source.