Title

Strong two-factor authentication is NOT used to access all management system workstations and administrative / management ports on all devices or systems (Cat II impact)

Discussion

Requirement: The IAO will ensure strong two-factor authentication is required to access all management system workstations and administrative / management ports on any device or system. The term strong two-factor authentication refers to the use of two forms of identification. This is usually something you know and something you have. A username and password is not considered two-factor authentication. It is actually the something you know. This could also be a security code. The something you have is a typically physical token. An example of this is a bankcard and PIN. Additionally there are tokens associated with one-time password access control systems available such as RSA Security’s SecurID and Quest Software’s NC-Pass. These provide a constantly changing code that is used in conjunction with an additional PIN or password to generate a one time password. The code is generated by a RNG algorithm that is synchronized with a server application (e.g., RSA ACE). These and similar tokens are, and have been, widely used in DoD for access control to network elements, servers, and mainframes. These and similar one-time password tokens used in conjunction with their associated access control servers meet the intent of this requirement. NOTE: One-time password tokens and systems are older technology which is no longer mentioned in DoD policy even though the technology has been in previous DoD policy; has been in use for some time; and is currently being used in many instances for access control to legacy systems. Going forward, however, DoD policy only supports DoD’s token of choice which is the Common Access Card (CAC) or Personal Identity Verification (PIV) card which contain DoD Public Key Infrastructure (PKI) certificates. The CAC/PIV is the DoD’s token of choice. Meeting this requirement does not satisfy requirements that dictate the use of CAC/PKI tokens. The use of a one-time-password token and access control server can only (and may only) serve as a mitigation for not being able to meet CAC/PKI requirements. This is typical of older legacy systems such as mainframes. APL NOTE: New systems being developed for use by DoD and those being tested for inclusion on the DoD Approved Products List (APL) should support CAC/PKI tokens rather than one-time password token systems.

Check Content

Review current configuration files of effected devices to confirm compliance

Fix Text

Implement processes / procedures, generate documents, and/or adjust configuration(s) / architecture, as necessary to comply with policy.

Additional Identifiers

Rule ID: SV-9056r1_rule

Vulnerability ID: V-8559

Group Title: Two-factor authentication NOT used

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.