
Internal Revenue Service

Office of Safeguards

▪ SCSEM Subject: Switch Router (SR)


▪ SCSEM Version: 2.0
▪ SCSEM Release Date: September 30, 2018

NOTICE:
The IRS strongly recommends agencies test all Safeguard Computer Security Evaluation Matrix (SCSEM) settings in a development or test environment prior to deployment in production. In some cases a security setting may impact a system's functionality and usability. Consequently, it is important to perform testing to determine the impact on system security, functionality, and usability. Ideally, the test system configuration should match the production system configuration. Prior to making changes to the production system, agencies should back up all critical data files on the system and, if possible, make a full backup of the system to ensure it can be restored to its pre-SCSEM state if necessary.

General Testing Information


Agency Name:
Agency Code:
Test Location:
Test Date:
Closing Date:
Shared Agencies:
Name of Tester:
Device Name:
OS/App Version:
Network Location:
Device Function:

Agency Representatives and Contact Information

Name:
Org:
Title:
Phone:
E-mail:

Name:
Org:
Title:
Phone:
E-mail:

This SCSEM was designed to comply with Section 508 of the Rehabilitation Act
Please submit SCSEM feedback and suggestions to SafeguardReports@IRS.gov
Obtain SCSEM updates online at http://www.irs.gov/uac/Safeguards-Program
Testing Results
INSTRUCTIONS:
Sections below are automatically calculated.

The 'Info' status is provided for use by the tester during test execution to indicate more information is needed to complete the test. It is not an acceptable final test status; all test cases should be Pass, Fail or N/A at the conclusion of testing.

All SCSEM Test Results

Final Test Results (this table calculates all tests in the Gen Test Cases and IOS 15.0M Test Cases tabs):

Total Number of Tests Performed | Passed | Failed | Additional Information Requested | N/A | Weighted Pass Rate
0 | 0 | 0 | 0 | 0 | 0%

Weighted Score

Risk Rating | Test Cases | Pass | Fail | N/A | Weight
8 | 0 | 0 | 0 | 0 | 1500
7 | 5 | 0 | 0 | 0 | 750
6 | 16 | 0 | 0 | 0 | 100
5 | 33 | 0 | 0 | 0 | 50
4 | 14 | 0 | 0 | 0 | 10
3 | 3 | 0 | 0 | 0 | 5
2 | 7 | 0 | 0 | 0 | 2
1 | 0 | 0 | 0 | 0 | 1

88 WARNING: THERE IS AT LEAST ONE TEST CASE WITH AN 'INFO' OR BLANK STATUS (SEE ABOVE)

10 WARNING: THERE IS AT LEAST ONE TEST CASE WITH MULTIPLE OR INVALID ISSUE CODES

Overall SCSEM Statistics

All SCSEM Tests | Complete | Blank | Available
Totals | 0 | 88 | 88


Instructions
Introduction and Purpose:
This SCSEM is used by the IRS Office of Safeguards to evaluate compliance with IRS Publication 1075 for agencies that have implemented network gateways involved in controlling the flow of electronic Federal Tax Information (FTI) files to and from the agency (perimeter), and within the agency network (internal, core).

Agencies should use this SCSEM to prepare for an upcoming Safeguards review. It is also an effective tool for agency use as part of internal periodic security assessments or internal inspections to ensure continued compliance in the years when a Safeguards review is not scheduled. The agency can also use the SCSEM to identify the types of policies and procedures required to ensure continued compliance with IRS Publication 1075.

Gen Test Cases - Selected set of security controls that satisfy the general security requirements of IRS Publication 1075. Agencies must always assess the performance of these security controls to ensure that they are implemented correctly, operate correctly, and satisfy all minimum requirements of IRS Publication 1075. Technology specific controls are specified in their respective tabs.

IOS 15.0M Test Cases - Controls specific to Cisco IOS 15.0M. These should be tested in conjunction with the Gen Test Cases. Duplicate test cases have been noted.

This SCSEM was created for the IRS Office of Safeguards based on the following resources:
▪ IRS Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies (October 2014)
▪ NIST SP 800-53 Rev. 4, Security and Privacy Controls for Federal Information Systems and Organizations (April 2013)
▪ CIS Cisco IOS Benchmark v3.0.1

Test Cases Legend:

▪ Test ID: Pre-populated number to uniquely identify SCSEM test cases. The ID format includes the platform, platform version and a unique number (01-XX), so a test case can be easily identified after the test has been executed.
▪ NIST ID: Mapping of test case requirements to one or more NIST SP 800-53 control identifiers for reporting purposes.
▪ NIST Control Name: Full name which describes the NIST ID.
▪ Test Method: Automated and Manual indicators are added to the Test Method to indicate whether the test can be accomplished through the Automated Assessment tool.
▪ Section Title: Section title conveys the intent of the recommendation.
▪ Description: Description of specifically what the test is designed to accomplish. The objective should be a summary of the test case and expected results.
▪ Test Procedures: A detailed description of the step-by-step instructions to be followed by the tester. The test procedures should be executed using the applicable NIST 800-53A test method (Interview, Examine).
▪ Expected Results: Provides a description of the acceptable conditions allowed as a result of the test procedure execution.
▪ Actual Results: The tester shall provide appropriate detail describing the outcome of the test. The tester is responsible for identifying Interviewees and Evidence to validate the results in this field or the separate Notes/Evidence field.
▪ Status: The tester indicates the status for the test results (Pass, Fail, Info, N/A). "Pass" indicates that the expected results were met. "Fail" indicates the expected results were not met. "Info" is temporary and indicates that the test execution is not completed and additional information is required to determine a Pass/Fail status. "N/A" indicates that the test subject is not capable of implementing the expected results and doing so does not impact security. The tester must determine the appropriateness of the "N/A" status.
▪ Notes/Evidence: As determined appropriate by the tester or as required by the test method, procedures or expected results, the tester may need to provide additional information pertaining to the test execution (Interviewee, Documentation, etc.).
▪ Criticality: A baseline risk category has been pre-populated next to each control to assist agencies in establishing priorities for corrective action. The reviewer has the discretion to change the prioritization to accurately reflect the risk and the overall security posture based on environment specific testing.
▪ CIS Benchmark Section #: Mapping of test case requirements to the CIS Benchmark section number.
▪ Recommendation #: Mapping of test case requirements to the CIS Benchmark recommendation number.
▪ Rationale Statement: The Rationale section conveys the security benefits of the recommended configuration. This section also details the risks, threats, and vulnerabilities associated with a configuration posture.
▪ Remediation Procedure: Remediation content for implementing and assessing benchmark guidance. The content allows you to apply the recommended settings for a particular benchmark.
▪ Issue Codes: A single issue code must be selected for each test case to calculate the weighted risk score. The tester must perform this activity when executing each test.
Test Cases
Columns: Test ID | NIST ID | NIST Control Name | Test Method | Test Objective | Test Procedure | Expected Results | Actual Results | Status | Notes/Evidence | Criticality | Issue Code
Input of test results starting with this row requires corresponding Test IDs in Column A. Insert new rows above here.
(Actual Results and Status are blank in this copy; the Notes/Evidence column is shown only where the SCSEM pre-populates it. The Issue Code column follows the test cases.)

SRGEN-01 | NIST ID: SA-22, Unsupported System Components | Test Method: Examine | Criticality: Critical
Test Objective: Verify that system maintenance is in place and the router is supported by the vendor. Each organization shall ensure that unsupported software is removed or upgraded to a supported version before the vendor drops support.
Test Procedure:
1. Interview the SA (System Administrator) to determine if maintenance is readily available for the router's inter-network operating system (IOS). Vendor support must include security updates or hot fixes that address any new security vulnerabilities.
2. Verify that the device is currently under support.
   Non-Cisco: Examine the device OS version/build with the SA.
   Cisco: From an enable console window, type 'show version'; the output shows the current software version. Compare the results with the vendor's support website to verify that support has not expired.
Expected Results: 1-2. The router is currently under support (either through vendor support for a COTS product, or an in-house agency maintenance team), and maintenance is available to address any security flaws discovered.

SRGEN-02 | NIST ID: SI-2, Flaw Remediation | Test Method: Examine | Criticality: Significant
Test Objective: Verify that system patch levels are up-to-date to address new vulnerabilities.
Test Procedure:
1. Review the system configuration to identify the current patch level.
2. Refer to the vendor's support website and cross-reference the latest security patch update with the system's current patch level. Check to ensure that known vulnerabilities (e.g., Heartbleed) have been remediated.
Note: This test requires the tester to research the current vendor-supplied patch level.
Expected Results: 1-2. The latest security patches are installed.

SRGEN-03 | NIST ID: AC-2, Account Management | Test Method: Examine & Interview | Criticality: Significant
Test Objective: Verify the agency has implemented an account management process for admin user access to the device.
Test Procedure:
1. Interview the device administrator and verify that account management procedures have been implemented for end user (regular/administrator) and system account creation, termination and expiration.
2. Examine the account management system workflow and/or completed user access requests and approvals for end users and administrators.
Expected Results: 1-2. The device administrator can demonstrate that an account management process has been implemented for user access.

SRGEN-04 | NIST ID: AC-2, Account Management | Test Method: Interview | Criticality: Moderate
Test Objective: Verify privileged accounts are reviewed at least semi-annually for compliance with agency account management requirements.
Test Procedure:
1. Interview the device administrator or security administrator and determine how often device accounts for privileged users are reviewed.
Expected Results: 1. Privileged device accounts are reviewed at least semi-annually for compliance with account management requirements.

SRGEN-05 | NIST ID: AC-2, Account Management | Test Method: Examine & Interview | Criticality: Significant
Test Objective: Verify that the device does not contain duplicate accounts. Device administrative users are appropriately identified and authenticated; identification and authentication is unique to each user or system.
Test Procedure:
1. Examine the list of device privileged accounts and ensure all administrative accounts are unique.
2. Interview the device administrator to see if any privileged accounts are shared inappropriately.
Expected Results:
1. All privileged device accounts are unique; there are no duplicate accounts, with the exception of the local admin account (used only for emergencies).
2. No shared accounts are used other than when operationally required (e.g., root accounts).

SRGEN-06 | NIST ID: AC-2, Account Management | Test Method: Interview | Criticality: Significant
Test Objective: Ensure accounts that are no longer required are immediately removed from the authentication server or device (authentication server or local accounts).
Test Procedure:
1. Discuss with the system admin the process (e.g., management notification, ticket creation, email, etc.) for removing user accounts, for both local and network accounts (e.g., an authentication server such as RADIUS, TACACS, etc.).
2. For each authentication method in use, confirm that there is a process in place to identify unused accounts and that they are disabled or deleted immediately when no longer needed.
Expected Results: 1-2. A process should be in place to enforce proper account management. Accounts that are no longer needed should be disabled or removed immediately from the system.

SRGEN-07 | NIST ID: AC-3, Access Enforcement | Test Method: Examine & Interview | Criticality: Significant
Test Objective: Ensure modems are not connected to the auxiliary port. Ensure that the router's auxiliary port is disabled.
Test Procedure:
1. Interview the SA to determine if any modems are connected to the router. (Note: Elevate to CRITICAL if modems are attached and used.)
2. Examine the router configuration to ensure that the auxiliary port is disabled.
Expected Results:
1. Modems should not be connected to the console or auxiliary ports.
2. Auxiliary ports should be disabled on all routers.
Notes/Evidence: Elevate to Critical if a modem is attached and used for administration.

SRGEN-08 | NIST ID: AC-3, Access Enforcement | Test Method: Examine & Interview | Criticality: Significant
Test Objective: Ensure only authorized administrators are given access to the stored configuration files.
Test Procedure:
1. Have the SA display the security features that are used to control access to the configuration files.
2. Ensure access to stored configuration files is restricted to authorized device administrators only.
Expected Results: 1-2. Router configurations are securely stored and access is restricted to those individuals who require it (e.g., system administrators).

SRGEN-09 | NIST ID: AC-3, Access Enforcement | Test Method: Examine & Interview | Criticality: Significant
Test Objective: Ensure that all Trivial File Transfer Protocol (TFTP) implementations are authorized and have maintained justification.
Test Procedure:
1. Verify written authorization is on file with the SA or ISSO.
2. Interview the router administrator to see how they transfer router configuration files to and from the router.
Note: If the system being tested is Cisco IOS 15.0M, this control is N/A, since it is tested under the IOS 15.0M tab.
Expected Results: 1-2. TFTP implementations are authorized and have maintained justification.

SRGEN-10 | NIST ID: AC-3, Access Enforcement | Test Method: Examine & Interview | Criticality: Significant
Test Objective: If a TFTP implementation is used, ensure the TFTP server resides on a controlled, managed Local Area Network (LAN) subnet, and access is restricted to authorized devices within the local enclave.
Test Procedure:
1. Identify TFTP server addresses and determine whether the LAN has traffic restrictions and whether devices with access to the server have Access Control List (ACL) permissions and restrictions.
Expected Results: 1. TFTP implementations reside on a control
led, managed LAN subnet and access is restricted to authorized devices within the local enclave.

SRGEN-11 | NIST ID: AC-6, Least Privilege | Test Method: Examine & Interview | Criticality: Significant
Test Objective: Ensure all user accounts are assigned the lowest privilege level that allows them to perform their duties (authentication server or local accounts).
Test Procedure:
1. Interview the SA and examine user accounts and user account groups with privileged access to the device.
Expected Results: 1. Each user should have access to only the privileges they require to perform their respective duties. Access to the highest privilege levels should be restricted to a few users.

SRGEN-12 | NIST ID: AC-7, Unsuccessful Logon Attempts | Test Method: Examine | Criticality: Significant
Test Objective: Ensure the maximum number of unsuccessful Secure Shell (SSH) login attempts is set to three (3), locking access to the router within a 120 minute period.
Test Procedure: Check to determine if the agency limits consecutive invalid attempts by a user to three (3) within a 120 minute period.
1. Review the system configuration to ensure that the authentication retry limit is set to 3.
Note: If the system being tested is Cisco IOS 15.0M, this control is N/A, since it is tested under the IOS 15.0M tab.
Expected Results: 1. Maximum number of unsuccessful SSH login attempts is set to three (3) within a 120 minute period.

SRGEN-13 | NIST ID: AC-8, System Use Notification | Test Method: Examine | Criticality: Limited
Test Objective: Verify that an IRS approved login banner is displayed before login.
Test Procedure:
1. Login banners must be configured for all services that allow login access to the system. Verify that the warning banner displayed complies with IRS requirements. The user must accept the warning banner message before moving forward.
Expected Results: 1. The warning banner is compliant with IRS guidelines and contains the following 4 elements:
- the system contains US government information
- users' actions are monitored and audited
- unauthorized use of the system is prohibited
- unauthorized use of the system is subject to criminal and civil penalties

SRGEN-14 | NIST ID: AC-12, Session Termination | Test Method: Examine | Criticality: Moderate
Test Objective: Ensure the console is configured to time out after 30 minutes or less of inactivity.
Test Procedure:
1. Review each router configuration to ensure that the console session is terminated after 30 minutes of inactivity.
Note: If the system being tested is Cisco IOS 15.0M, this control is N/A, since it is tested under the IOS 15.0M tab.
Expected Results: 1. Timeout for an unattended console port is set for no longer than 30 minutes.

SRGEN-15 | NIST ID: AC-12, Session Termination | Test Method: Examine | Criticality: Moderate
Test Objective: Ensure that an idle timeout has been configured for SSH sessions.
Test Procedure:
1. Review each router's configuration to ensure that all SSH sessions are terminated after 30 minutes of inactivity.
Note: If the system being tested is Cisco IOS 15.0M, this control is N/A, since it is tested under the IOS 15.0M tab.
Expected Results: 1. SSH idle timeout has been set for 30 minutes or less.

SRGEN-16 | NIST ID: IA-2, Identification and Authentication (Organizational Users) | Test Method: Examine & Interview | Criticality: Moderate
Test Objective: Verify an authentication server (e.g., Active Directory, RADIUS, etc.) is used to identify and authenticate administrators to the device.
Test Procedure:
1. Interview the device administrator and verify an authentication server is used to identify and authenticate administrators for management of the device.
Expected Results: 1. An authentication server is used to identify and authenticate device administrators.

SRGEN-17 | NIST ID: IA-2, Identification and Authentication (Organizational Users) | Test Method: Examine | Criticality: Significant
Test Objective: Verify that the device does not allow blank passwords. Security policies and procedures appropriately address ID and password management.
Test Procedure:
1. Examine password requirements (local and network/authentication server accounts) for the network device and ensure a password is required for all system access.
Expected Results: 1. The system does not allow the use of null passwords.

SRGEN-18 | NIST ID: IA-2, Identification and Authentication (Organizational Users) | Test Method: Examine | Criticality: Significant
Test Objective: Ensure that when an authentication server is used for administrative access to the router, only one account is defined locally on the router for use in an emergency (i.e., the authentication server or the connection to it is down).
Test Procedure:
1. Review the running configuration and verify that only one local account has been defined. An example of a local account is shown below:
   username xxxxxxx password 7 xxxxxxxxxxxx
Expected Results: 1. Only one local account is defined on the router when an authentication server is used.

SRGEN-19 | NIST ID: IA-3, Device Identification and Authentication | Test Method: Interview | Criticality: Significant
Test Objective: Verify that the system identifies and authenticates specific devices before establishing a management connection.
Test Procedure:
1. Interview the device administrator to ascertain if there is a mechanism in place to restrict access (e.g., client-based certificates, MAC filtering, whitelists, etc.) before allowing a management connection.
Note: If the system being tested is Cisco IOS 15.0M, this control is N/A, since it is tested under the IOS 15.0M tab.
Expected Results: 1. The device restricts access to authorized systems before authentication occurs.

SRGEN-20 | NIST ID: IA-4, Identifier Management | Test Method: Interview | Criticality: Moderate
Test Objective: User IDs must follow username standards whenever possible (authentication server or local accounts).
Test Procedure:
1. Discuss with the network administrator to ensure that a standard is used to generate all user IDs.
Expected Results: 1. All user IDs, including TACACS user IDs, follow approved username standards.

SRGEN-21 | NIST ID: IA-5, Authenticator Management | Test Method: Examine | Criticality: Moderate
Test Objective: Ensure all password parameters (authentication server or local accounts) meet IRS Publication 1075 requirements (e.g., password complexity, aging, history, etc.).
Test Procedure:
1. Verify that the system's password parameters (authentication server or local accounts) meet the following requirements:
a) Minimum password length of 8 characters
b) Passwords must contain at least one number or special character, and a combination of at least one lowercase and one uppercase letter
c) Maximum password age of 60 days for privileged user accounts and 90 days for standard user accounts
d) Minimum password age of 1 day
e) Password history of the previous 24 passwords
f) Users are forced to change their initial password during their first logon
Expected Results: 1. Password requirements meet all IRS Publication 1075 requirements listed in the test procedure.

SRGEN-22 | NIST ID: IA-5, Authenticator Management | Test Method: Examine | Criticality: Significant
Test Objective: Ensure that unencrypted router passwords are not stored in an offline configuration file.
Test Procedure:
1. Review the stored router configuration files to ensure passwords are not stored in plain-text format.
Expected Results: 1. Unencrypted passwords are not stored in an offline configuration file.

SRGEN-23 | NIST ID: IA-5, Authenticator Management | Test Method: Examine | Criticality: Significant
Test Objective: Verify that default passwords have been changed.
Test Procedure:
1. If default accounts exist on the system, observe the administrator attempt to authenticate with the published default password for any existing built-in account. Examples may include:
Note: This test requires the reviewer to research ahead of time the built-in accounts and default passwords for the system used by the agency, which will be identified during the PSE.
Expected Results: 1. All device default passwords have been changed from their default values.
Notes/Evidence: *Consider upgrading the baseline criticality if default passwords exist on an external facing system.

SRGEN-24 | NIST ID: IA-6, Authenticator Feedback | Test Method: Examine | Criticality: Significant
Test Objective: Verify that clear text passwords are not displayed during login.
Test Procedure:
1. Examine the screen while an administrator attempts to log in and view the authenticator feedback to ensure passwords are not displayed during entry.
Expected Results: 1. The password is not displayed in clear text; it is masked by characters, e.g., asterisks.

SRGEN-25 | NIST ID: AU-2, Audit Events | Test Method: Examine | Criticality: Moderate
Test Objective: Ensure the system audits security relevant events.
Test Procedure:
1. Obtain and review device audit logs that document security-related events. This must include:
- all unsuccessful login and authorization attempts
- all identification and authentication attempts
- all actions, connections and requests performed by privileged users
- all actions, connections and requests performed by privileged functions
- all changes to logical access control authorities
- all system changes with the potential to compromise the integrity of security policy configurations
- the creation, modification and deletion of objects including files, directories and user accounts
- the creation, modification and deletion of user accounts and group accounts
- the creation, modification and deletion of user account and group account privileges
- system startup and shutdown functions
Expected Results: 1. All required security events are logged.

SRGEN-26 | NIST ID: AU-3, Content of Audit Records | Test Method: Examine & Interview | Criticality: Moderate
Test Objective: Check whether sufficient security relevant data is captured in system logs.
Test Procedure:
1. Review the logging mechanism to see what elements are recorded. The following elements must be recorded in the log:
1. Service timestamps and/or log date/time
2. User ID (if available), but do not log the password used
3. Action/request attempted (particularly: interface status changes, changes to the system configuration, access list matches and/or failures)
4. Success or failure of the action
5. Date/time stamp of the event and source address of the request
6. If the router is configured for dial-up access, confirm that logging provides explicit audit trails for all dial-up access
7. Disabling of audit features or failures
8. Clearing of audit log files
Expected Results: 1. Sufficient security relevant data is captured in system logs.

SRGEN-27 | NIST ID: AU-4, Audit Storage Capacity | Test Method: Interview | Criticality: Moderate
Test Objective: Ensure storage mechanisms send alerts when audit logs approach maximum storage capacity.
Test Procedure:
1. Interview the system administrator and examine the router configuration to ensure audit log mechanisms are in place to alert an SA when a storage device begins to exceed an organization-defined capacity.
Expected Results: 1. The router will immediately alert the SA by displaying a message at the remote administrative console, generating an alarm or alert, and paging or sending an electronic message if the audit trail exceeds an organization-defined capacity.

SRGEN-28 | NIST ID: AU-6, Audit Review, Analysis, and Reporting | Test Method: Examine & Interview | Criticality: Significant
Test Objective: Check whether the organization supervises and reviews, on a weekly basis, the activities of users with respect to the enforcement and usage of information system access controls.
Test Procedure:
1. Verify that logs are reviewed and analyzed on a weekly basis, and that the results of each review are documented and given to management. Audit trails and/or system logs should be reviewed for:
- Excessive logon attempt failures by single or multiple users
- Logons at unusual/non-duty hours
- Unusual or unauthorized activity by System Administrators
- Command-line activity by a user that should not have that capability
- System failures or errors
- Unusual or suspicious patterns of activity
2. Verify that security-related events are recorded in the logs and are available to Security and Telecomm Management staff members. This must include unsuccessful attempts to access the device (ACL violations and logon failures).
Note: If device security audit logs are correlated and reviewed at the enterprise level (e.g., through the implementation of a SIEM tool), this test case is N/A and is evaluated in the agency's Network Assessment.
Expected Results:
1. The organization supervises and reviews on a weekly basis the activities of users with respect to the enforcement and usage of information system access controls.
2. Security-related events are recorded in the logs and are available to the management staff. Any gaps in the log data are identified and updated accordingly.

SRGEN-29 | NIST ID: AU-8, Time Stamps | Test Method: Examine & Interview | Criticality: Moderate
Test Objective: Validate that the system is synchronized with the agency's authoritative time server.
Test Procedure:
1. Interview the device administrator to ensure the system is synchronized with the agency's authoritative time server.
2. Examine configuration file(s) to verify NTP has been properly configured to synchronize with the agency's internal authoritative time server.
Expected Results: 1-2. The device and audit records are synchronized with the agency's authoritative time server.

SRGEN-30 | NIST ID: AU-9, Protection of Audit Information | Test Method: Examine & Interview | Criticality: Significant
Test Objective: The audit trail shall be protected from unauthorized access, use, deletion or modification. The audit trail shall be restricted to personnel routinely responsible for performing security audit functions.
Test Procedure:
1. Interview the device administrator to determine if measures are taken to restrict the use of auditing tools and protect their output so that they can only be read by users with appropriate privileges, and cannot be deleted or modified.
2. Examine whether audit logs are sent to a SIEM for review and analysis by security personnel. Ensure personnel who review and clear audit logs are separate from personnel who perform non-audit administration.
Expected Results:
1. Audit information is made available only to users that have the appropriate privileges. Audit information is protected such that the audit trail cannot be altered by the network device administration team.
2. The agency implements a SIEM tool or other automated analysis mechanism to review remote access attempts for suspicious activity.

SRGEN-31 | NIST ID: AU-11, Audit Record Retention | Test Method: Examine | Criticality: Moderate
Test Objective: Verify that audit data is archived and maintained. IRS practice has been to retain archived audit logs/trails for the remainder of the year they were made plus six years. Logs must be retained for a total of 7 years.
Test Procedure:
1. Interview the SA to determine if audit data is captured, backed up, and maintained. IRS practice has been to retain archived audit logs/trails for the remainder of the year they were made plus six years, for a total of 7 years.
Note: If device audit logs are correlated and reviewed at the enterprise level (e.g., through the implementation of a SIEM tool), this test case is N/A and is evaluated in the agency's Network Assessment.
Expected Results: 1. Audit data is captured, backed up, and maintained. IRS requires agencies to retain archived audit logs/trails for the remainder of the year they were made plus six years, for a total of 7 years.

SRGEN-32 | NIST ID: CM-3, Configuration Change Control | Test Method: Examine | Criticality: Moderate
Test Objective: Ensure all router changes and updates are documented in a manner suitable for review. Ensure request forms are used to aid in recording the audit trail of router change requests. Ensure all changes and modifications to routers are tested, reviewed, and approved by management.
Test Procedure: Compare the device configuration against the standard secure configurations defined for the network device in use in the organization. The security configuration of such devices should be documented, reviewed, and approved by an organization change control board. Any deviations from the standard configuration or updates to it should be documented and approved in a change control system.
1. Have the SA provide copies of router change request forms for visual inspection.
2. Interview the SA and router administrator to verify compliance.
Expected Results: 1-2. Configuration management procedures are in place and all changes are documented, reviewed, and approved.

SRGEN-33 | NIST ID: CM-6, Configuration Settings | Test Method: Examine | Criticality: Significant
Test Objective: SNMP is configured to use the most current version.
Test Procedure:
1. Examine router settings. Ensure that if SNMP is implemented, the device is configured to use the SNMP Version 3 security model with FIPS 140-2 compliant cryptography (i.e., SHA authentication and AES encryption).
Expected Results: 1. SNMP is configured to use Version 3 with FIPS 140-2 compliant cryptography.

SRGEN-34 | NIST ID: CM-7, Least Functionality | Test Method: Examine & Interview | Criticality: Significant
Test Objective: All unnecessary services on the router are disabled.
Test Procedure:
1. Interview the SA to determine what baseline functionality has been installed and enabled for the router. Ensure the system provides only essential capabilities and prohibits any functionality that is not essential. Ensure all ports, protocols, and services unnecessary for system operation are disabled (e.g., BOOTP, DHCP, FTP, TELNET, MOP, FINGER, PAD, etc.). If any unnecessary services are running, administrators must present a strong justification for their necessity.
Expected Results: 1. All unnecessary services on the router have been disabled.

SRGEN-35 | NIST ID: SC-5, Denial of Service Protection | Test Method: Examine | Criticality: Significant
Test Objective: Ensure the SSH timeout value is set to 60 seconds or less, causing incomplete SSH connections to shut down after 60 seconds or less. Note: This timeout pertains to the SSH negotiation phase before a user is authenticated.
Test Procedure:
1. Review the global configuration or execute 'show ip ssh' to verify the timeout is set to 60 seconds or less.
Note: If the system being tested is Cisco IOS 15.0M, this control is N/A, since it is tested under the IOS 15.0M tab.
Expected Results: 1. SSH session timeout is set to 60 seconds or less.

SRGEN-36 | NIST ID: SC-8, Transmission Confidentiality and Integrity | Test Method: Examine | Criticality: Significant
Test Objective: Ensure that all management access to the device is secured using Federal Information Processing Standard (FIPS) 140-2 validated encryption with Secure Shell (SSH) or Transport Layer Security (TLS) version 1.1 or higher.
Test Procedure:
1. Review the router configuration to verify that management sessions are encrypted using FIPS 140-2 validated encryption.
Expected Results: 1. The router uses the most current supported version of Secure Shell (SSHv2) or TLS v1.1 or higher for all management sessions.
Issue Code
HSA7
HSA8
HSA9
HSI2
HSI27
HAC37
HAC8
HAC21
HAC41
HCM10
HAC18
HAC42
HCM10
HAC43
HAC11
HAC15
HAC14
HAC38
HRM5
HRM5
HIA4
HPW1
HAC11
HIA1
HIA2
HPW2
HPW3
HPW4
HPW6
HPW12
HPW19
HPW20
HPW21
HPW17
HPW8
HAU2
HAU6
HAU17
HAU21
HAU22
HAU23
HAU24
HAU3
HAU18
HAU19
HAU11
HAU10
HAU16
HAU7
HCM34
HCM33
HCM4
HCM6
HSC15
HCM10
HSC17
HSC15
Issue Code Mapping (Select one to enter in column L)
HSA7: The external facing system is no longer supported by the vendor
HSA8: The internally hosted operating system's major release is no longer supported by the vendor
HSA9: The internally hosted operating system's minor release is no longer supported by the vendor
HSI2: System patch level is insufficient
HSI27: Critical security patches have not been applied
HAC37: Account management procedures are not implemented
HAC8: Accounts are not reviewed periodically for proper privileges
HAC21: Agency shares administrative account inappropriately
HAC41: Accounts are not removed or suspended when no longer necessary
HCM10: System has unneeded functionality installed
HAC18: Network device has modems installed
HAC42: System configuration files are not stored securely
HCM10: System has unneeded functionality installed
HAC43: Management sessions are not properly restricted by ACL
HAC11: User access was not established with concept of least privilege
HAC15: User accounts not locked out after 3 unsuccessful login attempts
HAC14: Warning banner is insufficient
HAC38: Warning banner does not exist
HRM5: User sessions do not terminate after the Publication 1075 period of inactivity
HRM5: User sessions do not terminate after the Publication 1075 period of inactivity
HIA4: Authentication server is not used for device administration
HPW1: No password is required to access an FTI system
HAC11: User access was not established with concept of least privilege
HIA1: Adequate device identification and authentication is not employed
HIA2: Standardized naming convention is not enforced
HPW2: Password does not expire timely
HPW3: Minimum password length is too short
HPW4: Minimum password age does not exist
HPW6: Password history is insufficient
HPW12: Passwords do not meet complexity requirements
HPW19: More than one Publication 1075 password requirement is not met
HPW20: User is not required to change password upon first use
HPW21: Passwords are allowed to be stored unencrypted in config files
HPW17: Default passwords have not been changed
HPW8: Passwords are displayed on screen when entered
HAU2: No auditing is being performed on the system
HAU6: System does not audit changes to access control settings
HAU17: Audit logs do not capture sufficient auditable events
HAU21: System does not audit all attempts to gain access
HAU22: Content of audit records is not sufficient
HAU23: Audit storage capacity threshold has not been defined
HAU24: Administrators are not notified when audit storage threshold is reached
HAU3: Audit logs are not being reviewed
HAU18: Audit logs are reviewed, but not per Pub 1075 requirements
HAU19: Audit log anomalies or findings are not reported and tracked
HAU11: NTP is not properly implemented
HAU10: Audit logs are not properly protected
HAU16: A centralized automated audit log analysis solution is not implemented
HAU7: Audit records are not retained per Pub 1075
HCM34: Agency does not control significant changes to systems via an approval process
HCM33: Significant changes are not reviewed for security impacts before being implemented
HCM4: Routine operational changes are not reviewed for security impacts before being implemented
HCM6: Agency does not control routine operational changes to systems via an approval process
HSC15: Encryption capabilities do not meet FIPS 140-2 requirements
HCM10: System has unneeded functionality installed
HSC17: Denial of Service protection settings are not configured
HSC15: Encryption capabilities do not meet FIPS 140-2 requirements
Test Cases
Test ID | NIST ID | NIST Control ID | Test Method | Section Title
IOS15-01 | AC-3 | Access Enforcement | Test (Automated) | Enable 'aaa new-model'
IOS15-02 | IA-2 | Identification And Authentication (Organizational Users) | Test (Automated) | Enable 'aaa authentication login'
IOS15-03 | AC-6 | Least Privilege | Test (Automated) | Enable 'aaa authentication enable default'
IOS15-04 | AC-6 | Least Privilege | Test (Automated) | Set 'login authentication' for 'line con 0'
IOS15-05 | AC-6 | Least Privilege | Test (Automated) | Set 'login authentication' for 'line tty'
IOS15-06 | AC-6 | Least Privilege | Test (Automated) | Set 'login authentication' for 'line vty'
IOS15-07 | AC-6 | Least Privilege | Test (Automated) | Set 'privilege 1' for local users
IOS15-08 | SC-8 | Transmission Confidentiality And Integrity | Test (Automated) | Set 'transport input ssh' for 'line vty' connections
IOS15-09 | CM-7 | Least Functionality | Test (Automated) | Set 'no exec' for 'line aux 0'
IOS15-10 | SC-7 | Boundary Protection | Test (Automated) | Create 'access-list' for use with 'line vty'
IOS15-11 | SC-7 | Boundary Protection | Test (Automated) | Set 'access-class' for 'line vty'
IOS15-12 | AC-12 | Session Termination | Test (Automated) | Set 'exec-timeout' to less than or equal to 10 minutes for 'line aux 0'
IOS15-13 | AC-12 | Session Termination | Test (Automated) | Set 'exec-timeout' to less than or equal to 10 minutes for 'line console 0'
IOS15-14 | AC-12 | Session Termination | Test (Automated) | Set 'exec-timeout' to less than or equal to 10 minutes for 'line tty'
IOS15-15 | AC-12 | Session Termination | Test (Automated) | Set 'exec-timeout' to less than or equal to 10 minutes for 'line vty'
IOS15-16 | CM-7 | Least Functionality | Test (Automated) | Set 'transport input none' for 'line aux 0'
IOS15-17 | AC-8 | System Use Notification | Test (Automated) | Set the 'banner-text' for 'banner exec'
IOS15-18 | AC-8 | System Use Notification | Test (Automated) | Set the 'banner-text' for 'banner login'
IOS15-19 | AC-8 | System Use Notification | Test (Automated) | Set the 'banner-text' for 'banner motd'
IOS15-20 | IA-5 | Authenticator Management | Test (Automated) | Set 'password' for 'enable secret'
IOS15-21 | IA-5 | Authenticator Management | Test (Automated) | Enable 'service password-encryption'
IOS15-22 | IA-5 | Authenticator Management | Test (Automated) | Set 'username secret' for all local users
IOS15-23 | IA-5 | Authenticator Management | Test (Automated) | Set 'no snmp-server' to disable SNMP when unused
IOS15-24 | IA-5 | Authenticator Management | Test (Automated) | Unset 'private' for 'snmp-server community'
IOS15-25 | IA-5 | Authenticator Management | Test (Automated) | Unset 'public' for 'snmp-server community'
IOS15-26 | AC-6 | Least Privilege | Test (Automated) | Do not set 'RW' for any 'snmp-server community'
IOS15-27 | SC-7 | Boundary Protection | Test (Automated) | Set the ACL for each 'snmp-server community'
IOS15-28 | SC-7 | Boundary Protection | Test (Automated) | Create an 'access-list' for use with SNMP
IOS15-29 | AU-9 | Protection Of Audit Information | Test (Automated) | Set 'snmp-server host' when using SNMP
IOS15-30 | AU-12 | Audit Generation | Test (Automated) | Set 'snmp-server enable traps snmp'
IOS15-31 | CM-7 | Least Functionality | Test (Automated) | Set 'no cdp run'
IOS15-32 | CM-6 | Configuration Settings | Test (Manual) | Set 'no ip bootp server'
IOS15-33 | CM-7 | Least Functionality | Test (Automated) | Set 'no service dhcp'
IOS15-34 | CM-7 | Least Functionality | Test (Automated) | Set 'no ip identd'
IOS15-35 | SC-10 | Network Disconnect | Test (Automated) | Set 'service tcp-keepalives-in'
IOS15-36 | SC-10 | Network Disconnect | Test (Manual) | Set 'service tcp-keepalives-out'
IOS15-37 | CM-7 | Least Functionality | Test (Automated) | Set 'no service pad'
IOS15-38 | CM-6 | Configuration Settings | Test (Manual) | Set version 2 for 'ip ssh version'
IOS15-39 | CM-6 | Configuration Settings | Test (Automated) | Set the 'hostname'
IOS15-40 | CM-6 | Configuration Settings | Test (Automated) | Set the 'ip domain name'
IOS15-41 | SC-12 | Cryptographic Key Establishment And Management | Test (Manual) | Set 'modulus' to greater than or equal to 2048 for 'crypto key generate rsa'
IOS15-42 | AC-12 | Session Termination | Test (Manual) | Set 'seconds' for 'ip ssh timeout'
IOS15-43 | AC-12 | Session Termination | Test (Manual) | Set maximum value for 'ip ssh authentication-retries'
IOS15-44 | AU-12 | Audit Generation | Test (Automated) | Set 'logging on'
IOS15-45 | AU-4 | Audit Storage Capacity | Test (Automated) | Set 'buffer size' for 'logging buffered'
IOS15-46 | AU-12 | Audit Generation | Test (Automated) | Set 'logging console critical'
IOS15-47 | AU-9 | Protection Of Audit Information | Test (Automated) | Set IP address for 'logging host'
IOS15-48 | AU-12 | Audit Generation | Test (Automated) | Set 'logging trap informational'
IOS15-49 | AU-8 | Time Stamps | Test (Automated) | Set 'service timestamps debug datetime'
IOS15-50 | AU-12 | Audit Generation | Test (Automated) | Set 'logging source interface'
IOS15-51 | AU-8 | Time Stamps | Test (Automated) | Set 'ip address' for 'ntp server'
IOS15-52 | SC-7 | Boundary Protection | Test (Automated) | Set 'no ip source-route'

Input of test results starting with this row requires corresponding Test IDs in Column A. Insert new rows above here.

Do not edit below
Status values: Pass, Fail, N/A, Info
Criticality Ratings: Critical, Significant, Moderate, Limited
Description | Test Procedure | Expected Results

IOS15-01
Description: This command enables the AAA access control system.
Test Procedure: Perform the following to determine if AAA services are enabled:
1. hostname#show running-config | incl aaa new-model
2. If the result includes a "no", the feature is not enabled.
Expected Results: AAA services have been enabled on the router.

IOS15-02
Description: Sets authentication, authorization and accounting (AAA) authentication at login.
Test Procedure: Perform the following to determine if AAA authentication for login is enabled:
1. hostname#show run | incl aaa authentication login
2. If a result does not return, the feature is not enabled.
Expected Results: AAA services are used for local user authentication.

IOS15-03
Description: Authenticates users who access privileged EXEC mode when they use the enable command.
Test Procedure: Perform the following to determine if AAA authentication enable mode is enabled:
1. hostname#show running-config | incl aaa authentication enable
2. If a result does not return, the feature is not enabled.
Expected Results: AAA authentication enable mode has been enabled.

IOS15-04
Description: Authenticates users who access the router or switch using the serial console port.
Test Procedure: Perform the following to determine if AAA authentication for line login is enabled. If the command does not return a result for each management access method, the feature is not enabled.
1. hostname#sh run | sec line | incl login authentication
Expected Results: AAA authentication for 'line con 0' has been enabled.

IOS15-05
Description: Authenticates users who access the router or switch using the TTY port.
Test Procedure: Perform the following to determine if AAA authentication for line login is enabled:
1. If the command does not return a result for each management access method, the feature is not enabled.
2. hostname#sh run | sec line | incl login authentication
Expected Results: AAA authentication for 'line tty' has been enabled.

IOS15-06
Description: Authenticates users who access the router or switch remotely through the VTY port.
Test Procedure: Perform the following to determine if AAA authentication for line login is enabled:
1. If the command does not return a result for each management access method, the feature is not enabled.
2. hostname#sh run | sec line | incl login authentication
Expected Results: AAA authentication for 'line vty' has been enabled.

IOS15-07
Description: Sets the privilege level for the user.
Test Procedure: Perform the following to determine if a user with an encrypted password is enabled:
1. Verify all username results return "privilege 1".
2. hostname#show run | incl privilege
Expected Results: The privilege level for users has been set to 'privilege 1.'

IOS15-08
Description: Selects the Secure Shell (SSH) protocol.
Test Procedure: Perform the following to determine if SSH is the only transport method for incoming VTY logins:
1. The result should show only "ssh" for "transport input".
2. hostname#sh run | sec vty
Expected Results: Transport input SSH has been set for incoming VTY logins.

IOS15-09
Description: The 'no exec' command restricts a line to outgoing connections only.
Test Procedure: Perform the following to determine if the EXEC process for the aux port is disabled:
1. Verify no exec.
2. hostname#sh run | sec aux
3. Verify you see the following: "no exec".
4. hostname#sh line aux 0 | incl exec
Expected Results: The 'no exec' option has been set to 'line aux 0' to restrict a line to outgoing connections.

IOS15-10
Description: Access lists control the transmission of packets on an interface, control Virtual Terminal Line (VTY) access, and restrict the contents of routing updates. The Cisco IOS software stops checking the extended access list after a match occurs.
Test Procedure: Perform the following to determine if the ACL is created:
1. Verify the appropriate access-list definitions.
2. hostname#sh ip access-list
Expected Results: An 'access-list' has been created for use with 'line vty.'

IOS15-11
Description: The 'access-class' setting restricts incoming and outgoing connections between a particular vty (into a Cisco device) and the networking devices associated with addresses in an access list.
Test Procedure: Perform the following to determine if the ACL is set:
1. Verify you see the access-class defined.
2. hostname#sh run | sec vty
Expected Results: An 'access-class' has been created for use with 'line vty.'

IOS15-12
Description: If no input is detected during the interval, the EXEC facility resumes the current connection. If no connections exist, the EXEC facility returns the terminal to the idle state and disconnects the incoming session.
Test Procedure: Perform the following to determine if the timeout is configured:
1. Verify you return a result. NOTE: If you set an exec-timeout of 10 minutes, this will not show up in the configuration.
2. hostname#sh run | sec line aux 0
Expected Results: Exec-timeout has been set to less than or equal to 10 minutes for 'line aux 0.'

IOS15-13
Description: If no input is detected during the interval, the EXEC facility resumes the current connection. If no connections exist, the EXEC facility returns the terminal to the idle state and disconnects the incoming session.
Test Procedure: Perform the following to determine if the timeout is configured:
1. Verify you return a result. NOTE: If you set an exec-timeout of 10 minutes, this will not show up in the configuration.
2. hostname#sh run | sec line con 0
Expected Results: Exec-timeout has been set to less than or equal to 10 minutes for 'line console 0.'

IOS15-14
Description: If no input is detected during the interval, the EXEC facility resumes the current connection. If no connections exist, the EXEC facility returns the terminal to the idle state and disconnects the incoming session.
Test Procedure: Perform the following to determine if the timeout is configured:
1. Verify you return a result. NOTE: If you set an exec-timeout of 10 minutes, this will not show up in the configuration.
2. hostname#sh line tty | begin Timeout
Expected Results: Exec-timeout has been set to less than or equal to 10 minutes for 'line tty.'

IOS15-15
Description: If no input is detected during the interval, the EXEC facility resumes the current connection. If no connections exist, the EXEC facility returns the terminal to the idle state and disconnects the incoming session.
Test Procedure: Perform the following to determine if the timeout is configured:
1. Verify you return a result. NOTE: If you set an exec-timeout of 10 minutes, this will not show up in the configuration.
2. hostname#sh line vty | begin Timeout
Expected Results: Exec-timeout has been set to less than or equal to 10 minutes for 'line vty.'

IOS15-16
Description: When you want to allow only an outgoing connection on a line, use the no exec command.
Test Procedure: Perform the following to determine if inbound connections for the aux port are disabled:
1. Verify you see the following: "Allowed input transports are none".
2. hostname#sh line aux 0 | incl input transports
Expected Results: The 'transport input none' option has been set for 'line aux 0.'

IOS15-17
Description: This command specifies a message to be displayed when an EXEC process is created (a line is activated, or an incoming connection is made to a vty). Follow this command with one or more blank spaces and a delimiting character of your choice. Then enter one or more lines of text, terminating the message with the second occurrence of the delimiting character. When a user connects to a router, the message-of-the-day (MOTD) banner appears first, followed by the login banner and prompts. After the user logs in to the router, the EXEC banner or incoming banner will be displayed, depending on the type of connection. For a reverse Telnet login, the incoming banner will be displayed. For all other connections, the router will display the EXEC banner.
Test Procedure: Perform the following to determine if the exec banner is set:
1. hostname#sh running-config | beg banner exec
2. If the command does not return a result, the banner is not enabled.
Expected Results: The 'banner-text' for 'banner exec' has been set.

IOS15-18
Description: Follow the banner login command with one or more blank spaces and a delimiting character of your choice. Then enter one or more lines of text, terminating the message with the second occurrence of the delimiting character. When a user connects to the router, the message-of-the-day (MOTD) banner (if configured) appears first, followed by the login banner and prompts. After the user successfully logs in to the router, the EXEC banner or incoming banner will be displayed, depending on the type of connection. For a reverse Telnet login, the incoming banner will be displayed. For all other connections, the router will display the EXEC banner.
Test Procedure: Perform the following to determine if the login banner is set:
1. hostname#show running-config | beg banner login
2. If the command does not return a result, the banner is not enabled.
Expected Results: The banner text has been set for 'banner login.'

IOS15-19
Description: This MOTD banner is displayed to all terminals connected and is useful for sending messages that affect all users (such as impending system shutdowns). Use the no exec-banner or no motd-banner command to disable the MOTD banner on a line. The no exec-banner command also disables the EXEC banner on the line. When a user connects to the router, the MOTD banner appears before the login prompt. After the user logs in to the router, the EXEC banner or incoming banner will be displayed, depending on the type of connection. For a reverse Telnet login, the incoming banner will be displayed. For all other connections, the router will display the EXEC banner.
Test Procedure: Perform the following to determine if the MOTD banner is set:
1. hostname#sh running-config | beg banner motd
2. If the command does not return a result, the banner is not enabled.
Expected Results: The banner text has been set for 'banner motd.'

IOS15-20
Description: Use the enable secret command to provide an additional layer of security over the enable password. The enable secret command provides better security by storing the enable secret password using a nonreversible cryptographic function. The added layer of security that encryption provides is useful in environments where the password crosses the network or is stored on a TFTP server.
Test Procedure: Perform the following to determine if enable secret is set:
1. If the command does not return a result, the enable password is not set.
2. hostname#sh run | incl enable secret
Expected Results: Enable secret has been set for passwords.

IOS15-21
Description: When password encryption is enabled, the encrypted form of the passwords is displayed when a more system:running-config command is entered.
Test Procedure: Perform the following to determine if a user with an encrypted password is enabled:
1. Ensure a result that matches the command returns.
2. hostname#sh run | incl service password-encryption
Expected Results: The 'service password-encryption' option has been enabled.

IOS15-22
Description: Use the username secret command to configure a username and MD5-encrypted user password. MD5 encryption is a strong encryption method that is not retrievable; thus, you cannot use MD5 encryption with protocols that require clear-text passwords, such as Challenge Handshake Authentication Protocol (CHAP). The username secret command provides an additional layer of security over the username password. It also provides better security by encrypting the password using nonreversible MD5 encryption and storing the encrypted text. The added layer of MD5 encryption is useful in environments in which the password crosses the network or is stored on a TFTP server.
Test Procedure: Perform the following to determine if a user with an encrypted password is enabled:
1. If a result does not return with secret, the feature is not enabled.
2. hostname#show run | incl username
Expected Results: The 'username secret' option has been set for all local users.

IOS15-23
Description: If not in use, disable simple network management protocol (SNMP) read and write access.
Test Procedure: Verify the result reads "SNMP agent not enabled".
1. hostname#show snmp community
Expected Results: The 'no snmp-server' option has been set to disable SNMP when not in use.

IOS15-24
Description: An SNMP community string permits read-only access to all objects.
Test Procedure: Perform the following to determine if the private community string is enabled:
1. Ensure `private` does not show as a result.
2. hostname# show snmp community
Expected Results: The 'private' option for the 'snmp-server community' has been unset.

IOS15-25
Description: An SNMP community string permits read-only access to all objects.
Test Procedure: Perform the following to determine if the public community string is enabled. Ensure `public` does not show as a result.
1. hostname# show snmp community
Expected Results: The 'public' option for the 'snmp-server community' has been unset.

IOS15-26
Description: Specifies read-write access. Authorized management stations can both retrieve and modify MIB objects.
Test Procedure: Perform the following to determine if a read/write community string is enabled:
1. Verify the result does not show a community string with a "RW".
2. hostname#show run | incl snmp-server community
Expected Results: The 'RW' permission for any 'snmp-server community' has not been set.

IOS15-27
Description: This feature specifies a list of IP addresses that are allowed to use the community string to gain access to the SNMP agent.
Test Procedure: Perform the following to determine if an ACL is enabled. Verify the result shows a number after the community string.
1. hostname#show run | incl snmp-server community
Expected Results: An ACL has been set for each 'snmp-server community.'

IOS15-28
Description: You can use access lists to control the transmission of packets on an interface, control Simple Network Management Protocol (SNMP) access, and restrict the contents of routing updates. The Cisco IOS software stops checking the extended access list after a match occurs.
Test Procedure: Perform the following to determine if the ACL is created:
1. Verify the appropriate access-list definitions.
2. hostname#sh ip access-list
Expected Results: An 'access-list' has been created for use with SNMP.

IOS15-29
Description: SNMP notifications can be sent as traps to authorized management systems.
Test Procedure: Perform the following to determine if SNMP traps are enabled:
1. If the command returns configuration values, then SNMP is enabled.
2. hostname#show run | incl snmp-server
Expected Results: The 'snmp-server host' option has been set for use with SNMP.

IOS15-30
Description: SNMP notifications can be sent as traps to authorized management systems.
Test Procedure: Perform the following to determine if SNMP traps are enabled:
1. If the command returns configuration values, then SNMP is enabled.
2. hostname#show run | incl snmp-server
Expected Results: The 'snmp-server enable traps snmp' option has been set.

IOS15-31
Description: Disable Cisco Discovery Protocol (CDP) service at device level.
Test Procedure: Perform the following to determine if CDP is enabled:
1. Verify the result shows "CDP is not enabled".
2. hostname#show cdp
Expected Results: The Cisco Discovery Protocol (CDP) service has been disabled.

IOS15-32
Description: Disable the Bootstrap Protocol (BOOTP) service on your routing device.
Test Procedure: Perform the following to determine if bootp is enabled:
1. Verify a "no ip bootp server" result returns.
2. hostname#show run | incl bootp
Expected Results: The Bootstrap Protocol (BOOTP) service has been disabled.

IOS15-33
Description: Disable the Dynamic Host Configuration Protocol (DHCP) server and relay agent features on your router.
Test Procedure: Perform the following to determine if the DHCP service is enabled:
1. Verify no result returns.
2. hostname#show run | incl dhcp
Expected Results: The Dynamic Host Configuration Protocol (DHCP) server has been disabled.

IOS15-34
Description: Disable the identification (identd) server.
Test Procedure: Perform the following to determine if identd is enabled:
1. Verify no result returns.
2. hostname#show run | incl identd
Expected Results: The identification (identd) server has been disabled.

IOS15-35
Description: Generate keepalive packets on idle incoming network connections.
Test Procedure: Perform the following to determine if the feature is enabled:
1. Verify a command string result returns.
2. hostname#show run | incl service tcp
Expected Results: The 'service tcp-keepalives-in' option has been set.

IOS15-36
Description: Generate keepalive packets on idle outgoing network connections.
Test Procedure: Perform the following to determine if the feature is enabled:
1. Verify a command string result returns.
2. hostname#show run | incl service tcp
Expected Results: The 'service tcp-keepalives-out' option has been set.

IOS15-37
Description: Disable X.25 Packet Assembler/Disassembler (PAD) service.
Test Procedure: Perform the following to determine if the feature is disabled:
1. Verify no result returns.
2. hostname#show run | incl service pad
Expected Results: The X.25 Packet Assembler/Disassembler (PAD) service has been disabled.

IOS15-38
Description: Specify the version of Secure Shell (SSH) to be run on a router.
Test Procedure: Perform the following to determine if SSH version 2 is configured:
1. Verify that SSH version 2 is configured properly.
2. hostname#sh ip ssh
Expected Results: The 'ip ssh version' has been set to version 2.

IOS15-39
Description: The hostname is used in prompts and default configuration filenames.
Test Procedure: Perform the following to determine if the hostname is configured:
1. Verify the result shows the hostname is configured properly.
2. hostname#sh run | incl hostname
Expected Results: The hostname has been set.

IOS15-40
Description: Define a default domain name that the Cisco IOS software uses to complete unqualified hostnames.
Test Procedure: Perform the following to determine if the domain name is configured:
1. Verify the domain name is configured properly.
2. hostname#sh run | incl domain name
Expected Results: The 'ip domain name' has been set.

IOS15-41
Description: Use this command to generate RSA key pairs for your Cisco device. RSA keys are generated in pairs: one public RSA key and one private RSA key.
Test Procedure: Perform the following to determine if the RSA key pair is configured:
1. hostname#sh crypto key mypubkey rsa
Expected Results: The 'modulus' option has been set to greater than or equal to 2048 for 'crypto key generate rsa.'

IOS15-42
Description: The time interval that the router waits for the SSH client to respond before disconnecting an uncompleted login attempt.
Test Procedure: Perform the following to determine if the SSH timeout is configured:
1. Verify the timeout is configured properly.
2. hostname#sh ip ssh
Expected Results: The 'seconds' option has been set for 'ip ssh timeout.'

IOS15-43
Description: The number of retries before the SSH login session disconnects.
Test Procedure: Perform the following to determine if SSH authentication retries is configured:
1. Verify the authentication retries value is configured properly.
2. hostname#sh ip ssh
Expected Results: The maximum value has been set for 'ip ssh authentication-retries.'

IOS15-44
Description: Enable logging of system messages.
Test Procedure: Perform the following to determine if the feature is enabled:
1. Verify no result returns.
2. hostname#show run | incl logging on
Expected Results: Logging has been set to on.

IOS15-45
Description: Enable system message logging to a local buffer.
Test Procedure: Perform the following to determine if the feature is enabled:
1. Verify a command string result returns.
2. hostname#show run | incl logging buffered
Expected Results: The buffer size has been set for 'logging buffered.'

IOS15-46
Description: Verify logging to device console is enabled and limited to a rational severity level to avoid impacting system performance and management.
Test Procedure: Perform the following to determine if the feature is enabled:
1. Verify a command string result returns.
2. hostname#show run | incl logging console
Expected Results: The 'logging console critical' option has been set to avoid impacting system performance and management.

IOS15-47
Description: Log system messages and debug output to a remote host.
Test Procedure: Perform the following to determine if a syslog server is enabled:
1. Verify one or more IP address(es) return.
2. hostname#sh log | incl logging host
Expected Results: The IP address has been set for the 'logging host.'

IOS15-48
Description: Limit messages logged to the syslog servers based on severity level informational.
Test Procedure: Perform the following to determine if a syslog server for SNMP traps is enabled:
1. Verify "level informational" returns.
2. hostname#sh log | incl trap logging
Expected Results: The 'logging trap informational' option has been set.

IOS15-49
Description: Configure the system to apply a time stamp to debugging messages or system logging messages.
Test Procedure: Perform the following to determine if the additional detail is enabled:
1. Verify a command string result returns.
2. hostname#sh run | incl service timestamps
Expected Results: The 'service timestamps debug datetime' has been set.

IOS15-50
Description: Specify the source IPv4 or IPv6 address of system logging packets.
Test Procedure: Perform the following to determine if logging services are bound to a source interface:
1. Verify a command string result returns.
2. hostname#sh run | incl logging source
Expected Results: The 'logging source interface' option has been set.

IOS15-51
Description: Use this command if you want to allow the system to synchronize the system software clock with the specified NTP server.
Test Procedure: From the command prompt, execute the following commands:
1. hostname#sh ntp associations
Expected Results: The 'ip address' option has been set for the 'ntp server.'

IOS15-52
Description: Disable the handling of IP datagrams with source routing header options.
Test Procedure: Verify the command string result returns.
1. hostname#sh run | incl ip source-route
Expected Results: The 'no ip source-route' option has been set.
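The test procedures above are typed at the IOS prompt one check at a time. The following script, added here and not part of the SCSEM, applies a subset of the same IOS15 checks offline to a saved running-config; SAMPLE_CONFIG is a constructed example with placeholder secrets, and the exec-timeout NOTE (the 10-minute default never appears in the config) is handled explicitly.

```python
"""Offline audit of a saved Cisco IOS running-config against a subset of the
IOS15 test cases above. Added example, not part of the SCSEM."""
import re

# Constructed sample running-config; the type 5/7 strings are placeholders.
SAMPLE_CONFIG = """\
aaa new-model
enable secret 5 $1$abcd$placeholder-hash
username netadmin privilege 1 secret 5 $1$abcd$placeholder-hash
username backup privilege 15 password 7 0000PLACEHOLDER
service password-encryption
no ip source-route
access-list 10 permit 192.0.2.0 0.0.0.255
snmp-server community netops-ro RO 10
snmp-server community private RW
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 access-class 10 in
 exec-timeout 5 0
 login authentication default
 transport input ssh
"""


def parse_config(text):
    """Split a running-config into global commands and per-'line' sections."""
    global_cmds, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())  # child of the open 'line'
            continue
        cmd, current = raw.strip(), None
        if cmd.startswith("line "):
            current = cmd[5:]  # e.g. 'con 0', 'aux 0', 'vty 0 4'
            sections[current] = []
        else:
            global_cmds.append(cmd)
    return global_cmds, sections


def exec_timeout_ok(cmds, max_minutes=10):
    """IOS15-12..15: an absent exec-timeout is the 10-minute default, which the
    procedure's NOTE says never shows in the config; 0 disables it and fails."""
    for cmd in cmds:
        if cmd == "no exec-timeout":
            return False
        m = re.match(r"exec-timeout (\d+)(?: (\d+))?$", cmd)
        if m:
            total = int(m.group(1)) * 60 + int(m.group(2) or 0)
            return 0 < total <= max_minutes * 60
    return True


def snmp_checks(global_cmds):
    """IOS15-24..27: no 'private'/'public' strings, no RW, an ACL on each."""
    names, rw, acl_missing = set(), False, False
    for cmd in global_cmds:
        if cmd.startswith("snmp-server community "):
            parts = cmd.split()
            names.add(parts[2])
            rest = parts[3:]  # [view NAME] [RO|RW] [ACL]
            rw = rw or "RW" in rest
            acl_missing = acl_missing or not rest or rest[-1] in ("RO", "RW")
    return {"IOS15-24": "private" not in names, "IOS15-25": "public" not in names,
            "IOS15-26": not rw, "IOS15-27": not acl_missing}


def audit(config_text):
    """Return {test id: True for Pass, False for Fail} for the checks below."""
    g, lines = parse_config(config_text)
    vty = [c for name, c in lines.items() if name.startswith("vty")]
    aux, con = lines.get("aux 0", []), lines.get("con 0", [])
    users = [c for c in g if c.startswith("username ")]
    results = {
        "IOS15-01": "aaa new-model" in g,
        "IOS15-06": bool(vty) and all(any(c.startswith("login authentication") for c in v) for v in vty),
        # An absent 'privilege' keyword defaults to 1; only higher levels fail.
        "IOS15-07": all(int(m.group(1)) == 1 for m in
                        (re.search(r" privilege (\d+)", u) for u in users) if m),
        "IOS15-08": bool(vty) and all("transport input ssh" in v for v in vty),
        "IOS15-11": bool(vty) and all(any(c.startswith("access-class ") for c in v) for v in vty),
        "IOS15-12": exec_timeout_ok(aux),
        "IOS15-13": exec_timeout_ok(con),
        "IOS15-15": bool(vty) and all(exec_timeout_ok(v) for v in vty),
        "IOS15-20": any(c.startswith("enable secret ") for c in g),
        "IOS15-21": "service password-encryption" in g,
        "IOS15-22": bool(users) and all(" secret " in u for u in users),
        "IOS15-52": "no ip source-route" in g,
    }
    results.update(snmp_checks(g))
    return results
```

On the constructed config the failing checks are IOS15-07 and IOS15-22 (the second local user), IOS15-13 (console timeout disabled) and IOS15-24/26/27 (the RW 'private' string without an ACL).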

Actual Results | Status | Finding (Internal Use Only) | Notes/Evidence
IOS15-01: AAA services are not used to enforce accounting, authorization and authentication on the router.
IOS15-02: AAA authentication for local router login has not been enabled.
IOS15-03: AAA authentication enable mode has not been enabled.
IOS15-04: AAA authentication for 'line con 0' has not been enabled.
IOS15-05: AAA authentication for 'line tty' has not been enabled.
IOS15-06: AAA authentication for 'line vty' has not been enabled.
IOS15-07: The privilege level for users has not been set to 'privilege 1.'
IOS15-08: Transport input SSH has not been set for incoming VTY logins.
IOS15-09: The 'no exec' option has not been set to 'line aux 0' to restrict a line to outgoing connections.
IOS15-10: An 'access-list' has not been created for use with 'line vty.'
IOS15-11: An 'access-class' has not been created for use with 'line vty.'
IOS15-12: Exec-timeout has not been set to less than or equal to 10 minutes for 'line aux 0.'
IOS15-13: Exec-timeout has not been set to less than or equal to 10 minutes for 'line console 0.'
IOS15-14: Exec-timeout has not been set to less than or equal to 10 minutes for 'line tty.'
IOS15-15: Exec-timeout has not been set to less than or equal to 10 minutes for 'line vty.'
IOS15-16: The 'transport input none' option has not been set for 'line aux 0.'
IOS15-17: The 'banner-text' for 'banner exec' has not been set.
IOS15-18: The banner text has not been set for 'banner login.'
IOS15-19: The banner text has not been set for 'banner motd.'
IOS15-20: 'Enable secret' has not been set for passwords.
IOS15-21: The 'service password-encryption' option has not been enabled.
IOS15-22: The 'username secret' option has not been set for all local users.
IOS15-23: The 'no snmp-server' option has not been set to disable SNMP when not in use.
IOS15-24: The 'private' option for the 'snmp-server community' has not been unset.
IOS15-25: The 'public' option for the 'snmp-server community' has been set.
IOS15-26: The 'RW' permission for any 'snmp-server community' has been set.
IOS15-27: An ACL has not been set for each 'snmp-server community.'
IOS15-28: An 'access-list' has not been created for use with SNMP.
IOS15-29: The 'snmp-server host' option has not been set for use with SNMP.
IOS15-30: The 'snmp-server enable traps snmp' option has not been set.
IOS15-31: The Cisco Discovery Protocol (CDP) service has not been disabled.
IOS15-32: The Bootstrap Protocol (BOOTP) service has not been disabled.
IOS15-33: The Dynamic Host Configuration Protocol (DHCP) server has not been disabled.
IOS15-34: The identification (identd) server has not been disabled.
IOS15-35: The 'service tcp-keepalives-in' option has not been set.
IOS15-36: The 'service tcp-keepalives-out' option has not been set.
IOS15-37: The X.25 Packet Assembler/Disassembler (PAD) service has not been disabled.
IOS15-38: The 'ip ssh version' has not been set to version 2.
IOS15-39: The hostname has not been set.
IOS15-40: The 'ip domain name' has not been set.
IOS15-41: The 'modulus' option has not been set to greater than or equal to 2048 for 'crypto key generate rsa.'
IOS15-42: The 'seconds' option has not been set for 'ip ssh timeout.'
IOS15-43: The maximum value has not been set for 'ip ssh authentication-retries.'
IOS15-44: Logging has been set to off.
IOS15-45: The buffer size has not been set for 'logging buffered.'
IOS15-46: The 'logging console critical' option has not been set to avoid impacting system performance and management.
IOS15-47: The IP address has not been set for the 'logging host.'
IOS15-48: The 'logging trap informational' option has not been set.
IOS15-49: The 'service timestamps debug datetime' has not been set.
IOS15-50: The 'logging source interface' option has not been set.
IOS15-51: The 'ip address' option has not been set for the 'ntp server.'
IOS15-52: The 'no ip source-route' option has not been set.
Criticality Issue Code Issue Code Mapping (Select one to enter in
column N)
Significant HAC11 HAC11: User access was not established with
concept of least privilege

Significant HAC11 HAC11: User access was not established with


concept of least privilege

Significant HAC11 HAC11: User access was not established with


concept of least privilege

Significant HAC11 HAC11: User access was not established with


concept of least privilege

Significant HAC11 HAC11: User access was not established with


concept of least privilege
Significant HAC11 HAC11: User access was not established with
concept of least privilege

Significant HAC11 HAC11: User access was not established with


concept of least privilege

Significant HSC1 HSC1: FTI is not encrypted in transit

Significant HAC11 HAC11: User access was not established with


concept of least privilege

Significant HSC19 HSC19: Network perimeter devices do not


properly restrict traffic
Significant HSC19 HSC19: Network perimeter devices do not
properly restrict traffic

Significant HCM45 HCM45: System configuration provides


additional attack surface

Significant HCM45 HCM45: System configuration provides


additional attack surface

Significant HCM45 HCM45: System configuration provides


additional attack surface

Significant HCM45 HCM45: System configuration provides


additional attack surface
Significant HAC11 HAC11: User access was not established with
concept of least privilege

Limited HAC38 HAC38: Warning banner does not exist

Limited HAC38 HAC38: Warning banner does not exist


Limited HAC38 HAC38: Warning banner does not exist

Significant HPW13 HPW13: Enabled secret passwords are not


implemented correctly

Significant HPW11 HPW11: Password transmission does not use


strong cryptography
Significant HPW11 HPW11: Password transmission does not use
strong cryptography

Moderate HCM11 HCM11: SNMP is not implemented correctly

Moderate HCM11 HCM11: SNMP is not implemented correctly

Moderate HCM11 HCM11: SNMP is not implemented correctly

Moderate HCM11 HCM11: SNMP is not implemented correctly


Moderate HCM11 HCM11: SNMP is not implemented correctly

Moderate HCM11 HCM11: SNMP is not implemented correctly

Moderate HCM11 HCM11: SNMP is not implemented correctly

Moderate HCM11 HCM11: SNMP is not implemented correctly

Significant HCM45 HCM45: System configuration provides


additional attack surface
Significant HCM45 HCM45: System configuration provides
additional attack surface

Significant HCM45 HCM45: System configuration provides


additional attack surface

Significant HCM45 HCM45: System configuration provides


additional attack surface

Moderate HRM5 HRM5: User sessions do not terminate after the


Publication 1075 period of inactivity

Moderate HRM5 HRM5: User sessions do not terminate after the


Publication 1075 period of inactivity

Significant HCM45 HCM45: System configuration provides


additional attack surface
Significant HSC1 HSC1: FTI is not encrypted in transit

Significant HAC27 HAC27: Default accounts have not been


disabled or renamed

Significant HAC27 HAC27: Default accounts have not been


disabled or renamed

Moderate HSC29 HSC29: Cryptographic key pairs are not


properly managed

Significant HRM17 HRM17: SSH is not implemented correctly for


device management

Significant HRM17 HRM17: SSH is not implemented correctly for


device management
Critical HAU1 HAU1: No auditing is being performed at the
agency

Limited HAU23 HAU23: Audit storage capacity threshold has


not been defined

Significant HAU17 HAU17: Audit logs do not capture sufficient


auditable events

Limited HAU20 HAU20: Audit log data not sent from a


consistently identified source

Significant HAU17 HAU17: Audit logs do not capture sufficient


auditable events

Significant HAU12 HAU12: Audit records are not time stamped


Limited HAU20 HAU20: Audit log data not sent from a
consistently identified source

Moderate HAU11 HAU11: NTP is not properly implemented

Significant HCM45 HCM45: System configuration provides


additional attack surface
CIS Benchmark Section # Recommendation #
1.1 1.1.1

1.1 1.1.2

1.1 1.1.3

1.1 1.1.4

1.1 1.1.5
1.1 1.1.6

1.2 1.2.1

1.2 1.2.2

1.2 1.2.3

1.2 1.2.4
1.2 1.2.5

1.2 1.2.6

1.2 1.2.7

1.2 1.2.8

1.2 1.2.9
1.2 1.2.10

1.3 1.3.1

1.3 1.3.2
1.3 1.3.3

1.4 1.4.1

1.4 1.4.2
1.4 1.4.3

1.5 1.5.1

1.5 1.5.2

1.5 1.5.3

1.5 1.5.4
1.5 1.5.5

1.5 1.5.6

1.5 1.5.7

1.5 1.5.8

2.1 2.1.2
2.1 2.1.3

2.1 2.1.4

2.1 2.1.5

2.1 2.1.6

2.1 2.1.7

2.1 2.1.8
2.1.1 2.1.1.2

2.1.1.1 2.1.1.1.1

2.1.1.1 2.1.1.1.2

2.1.1.1 2.1.1.1.3

2.1.1.1 2.1.1.1.4

2.1.1.1 2.1.1.1.5
2.2 2.2.1

2.2 2.2.2

2.2 2.2.3

2.2 2.2.4

2.2 2.2.5

2.2 2.2.6
2.2 2.2.7

2.3 2.3.2

3.1 3.1.1
Rationale Statement
Authentication, authorization and accounting (AAA) services provide an
authoritative source for managing and monitoring access for devices.
Centralizing control improves consistency of access control, the services
that may be accessed once authenticated and accountability by tracking
services accessed. Additionally, centralizing access control simplifies and
reduces administrative costs of account provisioning and de-provisioning,
especially when managing a large number of devices.

Using AAA authentication for interactive management access to the device


provides consistent, centralized control of your network. The default under
AAA (local or network) is to require users to log in using a valid user name
and password. This rule applies for both local and network AAA. Fallback
mode should also be enabled to allow emergency access to the router or
switch in the event that the AAA server was unreachable, by utilizing the
LOCAL keyword after the AAA server-tag.

Using AAA authentication for interactive management access to the device


provides consistent, centralized control of your network. The default under
AAA (local or network) is to require users to log in using a valid user name
and password. This rule applies for both local and network AAA.

Using AAA authentication for interactive management access to the device


provides consistent, centralized control of your network. The default under
AAA (local or network) is to require users to log in using a valid user name
and password. This rule applies for both local and network AAA.

Using AAA authentication for interactive management access to the device


provides consistent, centralized control of your network. The default under
AAA (local or network) is to require users to log in using a valid user name
and password. This rule applies for both local and network AAA.
Using AAA authentication for interactive management access to the device
provides consistent, centralized control of your network. The default under
AAA (local or network) is to require users to log in using a valid user name
and password. This rule applies for both local and network AAA.

Default device configuration does not require strong user authentication


potentially enabling unfettered access to an attacker that is able to reach
the device. Creating a local account with privilege level 1 permissions only
allows the local user to access the device with EXEC-level permissions and
will be unable to modify the device without using the enable password. In
addition, require the use of an encrypted password as well (see Section
1.1.4.4 - Require Encrypted User Passwords).

Configuring VTY access control restricts remote access to only those


authorized to manage the device and prevents unauthorized users from
accessing the system.

Enabling SNMP read-write enables remote management of the device.


Unless absolutely necessary, do not allow simple network management
protocol (SNMP) write access.

VTY ACLs control what addresses may attempt to log in to the router.
Configuring VTY lines to use an ACL, restricts the sources where a user
can manage the device. You should limit the specific host(s) and or
network(s) authorized to connect to and configure the device, via an
approved protocol, to those individuals or systems authorized to administer
the device. For example, you could limit access to specific hosts, so that
only network managers can configure the devices only by using specific
network management workstations. Make sure you configure all VTY lines
to use the same ACL.
Restricting the type of network devices, associated with the addresses on
the access-list, further restricts remote access to those devices authorized
to manage the device and reduces the risk of unauthorized access.

This prevents unauthorized users from misusing abandoned sessions. For


example, if the network administrator leaves for the day and leaves a
computer open with an enabled login session accessible. There is a trade-
off here between security (shorter timeouts) and usability (longer timeouts).
Review your local policies and operational needs to determine the best
timeout value. In most cases, this should be no more than 10 minutes.

This prevents unauthorized users from misusing abandoned sessions. For


example, if the network administrator leaves for the day and leaves a
computer open with an enabled login session accessible. There is a trade-
off here between security (shorter timeouts) and usability (longer timeouts).
Review your local policies and operational needs to determine the best
timeout value. In most cases, this should be no more than 10 minutes.

This prevents unauthorized users from misusing abandoned sessions. For


example, if the network administrator leaves for the day and leaves a
computer open with an enabled login session accessible. There is a trade-
off here between security (shorter timeouts) and usability (longer timeouts).
Review your local policies and operational needs to determine the best
timeout value. In most cases, this should be no more than 10 minutes.

This prevents unauthorized users from misusing abandoned sessions. For


example, if the network administrator leaves for the day and leaves a
computer open with an enabled login session accessible. There is a trade-
off here between security (shorter timeouts) and usability (longer timeouts).
Review your local policies and operational needs to determine the best
timeout value. In most cases, this should be no more than 10 minutes.
Unused ports should be disabled, if not required, since they provide a
potential access path for attackers. Some devices include both an auxiliary
and console port that can be used to locally connect to and configure the
device. The console port is normally the primary port used to configure the
device; even when remote, backup administration is required via console
server or Keyboard, Video, Mouse (KVM) hardware. The auxiliary port is
primarily used for dial-up administration via an external modem; instead,
use other available methods.

"Network banners are electronic messages that provide notice of legal


rights to users of computer networks. From a legal standpoint, banners
have four primary functions.

- First, banners may be used to generate consent to real-time monitoring


under Title III.
- Second, banners may be used to generate consent to the retrieval of
stored files and records pursuant to ECPA.
- Third, in the case of government networks, banners may eliminate any
Fourth Amendment "reasonable expectation of privacy" that government
employees or other users might otherwise retain in their use of the
government's network under O'Connor v. Ortega, 480 U.S. 709 (1987).
- Fourth, in the case of a non-government network, banners may establish
a system administrator's "common authority" to consent to a law
enforcement search pursuant to United States v. Matlock, 415 U.S. 164
(1974)." (US Department of Justice APPENDIX A: Sample Network Banner
Language)

"Network banners are electronic messages that provide notice of legal


rights to users of computer networks. From a legal standpoint, banners
have four primary functions.

- First, banners may be used to generate consent to real-time monitoring


under Title III.
- Second, banners may be used to generate consent to the retrieval of
stored files and records pursuant to ECPA.
- Third, in the case of government networks, banners may eliminate any
Fourth Amendment "reasonable expectation of privacy" that government
employees or other users might otherwise retain in their use of the
government's network under O'Connor v. Ortega, 480 U.S. 709 (1987).
- Fourth, in the case of a non-government network, banners may establish
a system administrator's "common authority" to consent to a law
enforcement search pursuant to United States v. Matlock, 415 U.S. 164
(1974)." (US Department of Justice APPENDIX A: Sample Network Banner
Language)
"Network banners are electronic messages that provide notice of legal
rights to users of computer networks. From a legal standpoint, banners
have four primary functions.

- First, banners may be used to generate consent to real-time monitoring


under Title III.
- Second, banners may be used to generate consent to the retrieval of
stored files and records pursuant to ECPA.
- Third, in the case of government networks, banners may eliminate any
Fourth Amendment "reasonable expectation of privacy" that government
employees or other users might otherwise retain in their use of the
government's network under O'Connor v. Ortega, 480 U.S. 709 (1987).
- Fourth, in the case of a non-government network, banners may establish
a system administrator's "common authority" to consent to a law
enforcement search pursuant to United States v. Matlock, 415 U.S. 164
(1974)." (US Department of Justice APPENDIX A: Sample Network Banner
Language)

Requiring the enable secret setting protects privileged EXEC mode. By


default, a strong password is not required, a user can just press the Enter
key at the Password prompt to start privileged mode. The enable password
command causes the device to enforce use of a password to access
privileged mode. Enable secrets use a one-way cryptographic hash (MD5).
This is preferred to Level 7 enable passwords that use a weak, well-known,
and easily reversible encryption algorithm.

This requires passwords to be encrypted in the configuration file to prevent


unauthorized users from learning the passwords just by reading the
configuration. When not enabled, many of the device's passwords will be
rendered in plain text in the configuration file. This service ensures
passwords are rendered as encrypted strings preventing an attacker from
easily determining the configured value.
Default device configuration does not require strong user authentication
potentially enabling unfettered access to an attacker that is able to reach
the device. Creating a local account with an encrypted password enforces
login authentication and provides a fallback authentication mechanism for
configuration in a named method list in a situation where centralized
authentication, authorization, and accounting services are unavailable.

SNMP read access allows remote monitoring and management of the


device.

The default community string "private" is well known. Using easy to guess,
well known community string poses a threat that an attacker can
effortlessly gain unauthorized access to the device.

The default community string "public" is well known. Using easy to guess,
well known community string poses a threat that an attacker can
effortlessly gain unauthorized access to the device.

Enabling SNMP read-write enables remote management of the device.


Unless absolutely necessary, do not allow simple network management
protocol (SNMP) write access.
If ACLs are not applied, then anyone with a valid SNMP community string
can potentially monitor and manage the router. An ACL should be defined
and applied for all SNMP access to limit access to a small number of
authorized management stations segmented in a trusted management
zone. If possible, use SNMPv3 which uses authentication, authorization,
and data privatization (encryption).

SNMP ACLs control what addresses are authorized to manage and monitor
the device via SNMP. If ACLs are not applied, then anyone with a valid
SNMP community string may monitor and manage the router. An ACL
should be defined and applied for all SNMP community strings to limit
access to a small number of authorized management stations segmented
in a trusted management zone.

If SNMP is enabled for device management and device alerts are required,
then ensure the device is configured to submit traps only to authorize
management systems.

SNMP has the ability to submit traps .

The Cisco Discovery Protocol is a proprietary protocol that Cisco devices


use to identify each other on a LAN segment. It is useful only in network
monitoring and troubleshooting situations but is considered a security risk
because of the amount of information provided from queries. In addition,
there have been published denial-of-service (DoS) attacks that use CDP.
CDP should be completely disabled unless necessary.
BootP allows a router to issue IP addresses. This should be disabled
unless there is a specific requirement.

The DHCP server supplies automatic configuration parameters, such as


dynamic IP address, to requesting systems. A dedicated server located in a
secured management zone should be used to provide DHCP services
instead. Attackers can potentially be used for denial-of-service (DoS)
attacks.

Identification protocol enables identifying a user's transmission control


protocol (TCP) session. This information disclosure could potentially
provide an attacker with information about users.

Stale connections use resources and could potentially be hijacked to gain


illegitimate access. The TCP keepalives-in service generates keepalive
packets on idle incoming network connections (initiated by remote host).
This service allows the device to detect when the remote host fails and
drop the session. If enabled, keepalives are sent once per minute on idle
connections. The connection is closed within five minutes if no keepalives
are received or immediately if the host replies with a reset packet.

Stale connections use resources and could potentially be hijacked to gain


illegitimate access. The TCP keepalives-in service generates keepalive
packets on idle incoming network connections (initiated by remote host).
This service allows the device to detect when the remote host fails and
drop the session. If enabled, keepalives are sent once per minute on idle
connections. The closes connection is closed within five minutes if no
keepalives are received or immediately if the host replies with a reset
packet.

If the PAD service is not necessary, disable the service to prevent intruders
from accessing the X.25 PAD command set on the router.
SSH Version 1 has been subject to a number of serious vulnerabilities and
is no longer considered to be a secure protocol, resulting in the adoption of
SSH Version 2 as an Internet Standard in 2006.

Cisco routers support both versions, but due to the weakness of SSH
Version 1 only the later standard should be used.

The domain name is prerequisite for setting up SSH.

The domain name is a prerequisite for setting up SSH.

An RSA key pair is a prerequisite for setting up SSH and should be at least
2048 bits.

NOTE: IOS does NOT display the modulus bit value in the Audit Procedure.

This reduces the risk of an administrator leaving an authenticated session


logged in for an extended period of time.

This limits the number of times an unauthorized user can attempt a


password without having to establish a new SSH login attempt. This
reduces the potential for success during online brute force attacks by
limiting the number of login attempts per SSH connection.
Logging provides a chronological record of activities on the Cisco device
and allows monitoring of both operational and security related events.

The device can copy and store log messages to an internal memory buffer.
The buffered data is available only from a router exec or enabled exec
session. This form of logging is useful for debugging and monitoring when
logged in to a router.

This configuration determines the severity of messages that will generate


console messages. Logging to console should be limited only to those
messages required for immediate troubleshooting while logged into the
device. This form of logging is not persistent; messages printed to the
console are not stored by the router. Console logging is handy for
operators when they use the console.

Cisco routers can send their log messages to a Unix-style Syslog service. A
syslog service simply accepts messages and stores them in files or prints
them according to a simple configuration file. This form of logging is best
because it can provide protected long-term storage for logs (the devices
internal logging buffer has limited capacity to store events.) In addition,
logging to an external system is highly recommended or required by most
security standards. If desired or required by policy, law and/or regulation,
enable a second syslog server for redundancy.

This determines the severity of messages that will generate simple network
management protocol (SNMP) trap and or syslog messages. This setting
should be set to either "debugging" (7) or "informational" (6), but no lower.

Including timestamps in log messages allows correlating events and tracing


network attacks across multiple devices. Enabling service timestamp to
mark the time log messages were generated simplifies obtaining a holistic
view of events enabling faster troubleshooting of issues or attacks.
This is required so that the router sends log messages to the logging
server from a consistent IP address.

To ensure that the time on your Cisco router is consistent with other
devices in your network, at least two (and preferably at least three) NTP
Server/s external to the router should be configured.

Ensure you also configure consistent timezone and daylight savings time
setting for all devices. For simplicity, the default of Coordinated Universal
Time (UTC).

Source routing is a feature of IP whereby individual packets can specify


routes. This feature is used in several kinds of attacks. Cisco routers
normally accept and process source routes. Unless a network depends on
source routing, it should be disabled.
Remediation Procedure
Ensure that authentication, authorization and accounting
(AAA) is enabled using the new-model command. One
method to implement the recommended state is to:

hostname(config)#aaa new-model

Ensure that AAA authentication method(s) are enabled for


login authentication. One method to implement the
recommended state is to:

hostname(config)#aaa authentication login {default |


aaa_list_name} [passwd-expiry]
method1 [method2]

Ensure that AAA authentication method(s) are enabled for


authentication. One method to implement the recommended
state is to:

hostname(config)#aaa authentication enable default


{method1} enable

Ensure that management lines require login using the default


or a named AAA authentication list. One method to
implement the recommended state is to:

hostname(config)#line console 0

hostname(config-line)#login authentication {default |


_aaa\_list\_name_}

Ensure that management lines require login using the default


or a named AAA authentication list. One method to
implement the recommended state is to:

hostname(config)#line tty {line-number} [ending-line-number]


hostname(config-line)#login authentication {default |
aaa_list_name}
Ensure that management lines require login using the default
or a named AAA authentication list. One method to
implement the recommended state is to:

hostname(config)#line vty {line-number} [ending-line-number]


hostname(config-line)#login authentication {default |
aaa_list_name}

Ensure that the local user is set to privilege level 1. One


method to implement the recommended state is to:

hostname(config)#username privilege 1

Ensure that SSH is set on all VTY management lines. One


method to implement the recommended state is to:

hostname(config)#line vty
hostname(config-line)#transport input ssh

Ensure that the EXEC process is disabled on the auxiliary


port.One method to implement the recommended state is to:

hostname(config)#line aux 0
hostname(config-line)#no exec

Ensure that the VTY ACL is used to restrict management


access to the device. One method to implement the
recommended state is to:

hostname(config)#access-list permit tcp any


hostname(config)#access-list permit tcp host any
hostname(config)#deny ip any any log
Esnure that remote management access controls are
restricted for all VTY lines. One method to implement the
recommended state is to:

hostname(config)#line vty
hostname(config-line)# access-class in

Ensure that device timeout (10 minutes or less) is configured


to disconnect sessions after a fixed idle time. One method to
implement the recommended state is to:

hostname(config)#line aux 0
hostname(config-line)#exec-timeout

Ensure that device timeout (10 minutes or less) is configured


to disconnect sessions after a fixed idle time. One method to
implement the recommended state is to:

hostname(config)#line con 0
hostname(config-line)#exec-timeout

Ensure that device timeout (10 minutes or less) is configured


to disconnect sessions after a fixed idle time. One method to
implement the recommended state is to:

hostname(config)#line tty {line_number}


[ending_line_number]
hostname(config-line)#exec-timeout

Ensure that device timeout (10 minutes or less) is configured


to disconnect sessions after a fixed idle time. One method to
implement the recommended state is to:
hostname(config)#line vty {line_number}
[ending_line_number]
hostname(config-line)#exec-timeout
Ensure that the inbound connections are disabled on the
auxiliary port. One method to implement the recommended
state is to:

hostname(config)#line aux 0
hostname(config-line)#transport input none

Ensure that the EXEC banner is presented to a user when


accessing the devices enable prompt. One method to
implement the recommended state is to:

hostname(config)#banner exec c
Enter TEXT message. End with the character 'c'.

Ensure that the device displays a login banner presented to


a user attempting to access the device. One method to
implement the recommended state is to:

hostname(config)#banner login c
Enter TEXT message. End with the character 'c'.

c
Ensure that the message of the day (MOTD) banner is
presented when a user first connects to the device. One
method to implement the recommended state is to:

```

hostname(config)#banner motd c
Enter TEXT message. End with the character 'c'.

c
```

Ensure that a strong, secret password has been enabled.


One method to implement the recommended state is to:

hostname(config)#enable secret

Ensure that a password encryption service is enabled to


protect sensitive access passwords in the device
configuration. One method to implement the recommended
state is to:

hostname(config)#service password-encryption
Ensure that a local user account as been created with an
encrypted, complex (not easily guessed) password. One
method to implement the recommended state is to:

hostname(config)#username secret

Ensure that SNMP is disabled for read and write access if


not in used to monitor and/or manage device. One method to
implement the recommended state is to:

hostname(config)#no snmp-server

Ensure that the default SNMP community string "private" is


disabled. One method to implement the recommended state
is to:

hostname(config)#no snmp-server community {private}

Ensure that default SNMP community string "public" is


disabled. One method to implement the recommended state
is to:

hostname(config)#no snmp-server community {public}

Disable SNMP write access. One method to implement the


recommended state is to:

hostname(config)#no snmp-server community


{write_community_string}
Ensure that authorized SNMP community strings are
configured to restrict access to authorized management
systems. One method to implement the recommended state
is to:

hostname(config)#snmp-server community ro
{snmp_access-list_number |
snmp_access-list_name}

Ensure that SNMP ACLs restrict access to the device to authorized management stations segmented in a trusted management zone. One method to implement the recommended state is to:

hostname(config)#access-list {snmp_acl_number} permit {management_station_ip}
hostname(config)#access-list {snmp_acl_number} deny any log

The ACL restricts nothing until it is referenced by the SNMP community or SNMPv3 group, for example:

hostname(config)#snmp-server community {community_string} RO {snmp_acl_number}

Ensure that an SNMP trap host is configured. One method to implement the recommended state is to:

hostname(config)#snmp-server host {ip_address} {trap_community_string} snmp

Enable SNMP traps. One method to implement the recommended state is to:

hostname(config)#snmp-server enable traps snmp authentication linkup linkdown coldstart

Ensure that Cisco Discovery Protocol (CDP) is disabled. One method to implement the recommended state is to:

hostname(config)#no cdp run

Ensure that the BOOTP server is disabled. One method to implement the recommended state is to:

hostname(config)#no ip bootp server

Ensure that the DHCP server is disabled. One method to implement the recommended state is to:

hostname(config)#no service dhcp

Ensure that the ident server is disabled. One method to implement the recommended state is to:

hostname(config)#no ip identd

Ensure that inbound TCP keepalives are enabled. One method to implement the recommended state is to:

hostname(config)#service tcp-keepalives-in

Ensure that outbound TCP keepalives are enabled. One method to implement the recommended state is to:

hostname(config)#service tcp-keepalives-out

Ensure that the PAD service is disabled. One method to implement the recommended state is to:

hostname(config)#no service pad

Ensure that SSH version 2 is set for the router. One method to implement the recommended state is to:

hostname(config)#ip ssh version 2

Ensure that an appropriate hostname is configured for the router. One method to implement the recommended state is to:

hostname(config)#hostname {router_name}

Ensure that an appropriate domain name has been configured for the router. One method to implement the recommended state is to:

hostname(config)#ip domain name {domain_name}

Ensure that an RSA key pair of at least 2048 bits has been generated for the router. The hostname and domain name above must be set first, because the key is named after them. One method to implement the recommended state is to:

hostname(config)#crypto key generate rsa general-keys modulus 2048

Ensure that the SSH negotiation timeout is set to 60 seconds or less. One method to implement the recommended state is to:

hostname(config)#ip ssh time-out 60

Ensure that SSH authentication retries are limited to 3 or fewer. One method to implement the recommended state is to:

hostname(config)#ip ssh authentication-retries 3

Ensure that system logging is enabled. Logging is enabled by default and "logging on" is not displayed in the running configuration; only "no logging on" appears, when logging has been disabled. One method to implement the recommended state is to:

hostname(config)#logging on

Ensure that buffered logging is configured with a minimum buffer size. The recommended size is 64000 bytes. One method to implement the recommended state is to:

hostname(config)#logging buffered {log_buffer_size}

Ensure that the console logging level is configured. One method to implement the recommended state is to:

hostname(config)#logging console critical

Ensure that syslog servers are designated by IP address. One method to implement the recommended state is to:

hostname(config)#logging host {syslog_server_ip}

Ensure that the SNMP trap and syslog logging level is set to informational. One method to implement the recommended state is to:

hostname(config)#logging trap informational

Ensure that debug messages include timestamps. One method to implement the recommended state is to:

hostname(config)#service timestamps debug datetime msec show-timezone

Ensure that the router sends log messages to the logging server from a consistent IP address. One method to implement the recommended state is to:

hostname(config)#logging source-interface loopback {loopback_interface_number}

Ensure that at least one NTP server is properly configured. One method to implement the recommended state is to:

hostname(config)#ntp server {ip_address}

Ensure that source routing is disabled. One method to implement the recommended state is to:

hostname(config)#no ip source-route
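The items above are normally verified by reading the device's running configuration by hand. As an added example (not IRS, Booz Allen Hamilton or Cisco code), the Python script below runs those same checks over the text of "show running-config" and reports the items a device fails. It assumes plain IOS configuration text; the two sample configurations are constructed for the example and do not come from any real device. Items whose secure state is the IOS default (logging on, no ident server, three SSH retries, trap level informational) never appear in the running configuration, so the script looks for the line that would switch the default off rather than for the secure line itself.

```python
"""Offline audit of a Cisco IOS `show running-config` against the Switch Router
SCSEM items above (added example, not IRS or Cisco code)."""
import re

# Lines that must be present; an optional validator receives the regex match.
# Secure-by-default items are not shown in the running-config, so they are
# expressed below as FORBIDDEN lines instead.
REQUIRED = [
    ("SNMP ACL with logged deny", r"^access-list \d+ deny +any +log$", None),
    ("SNMP trap host", r"^snmp-server host \S+ .* snmp( |$)", None),
    ("SNMP traps enabled", r"^snmp-server enable traps snmp (.+)$",
     lambda m: {"authentication", "linkup", "linkdown", "coldstart"} <= set(m.group(1).split())),
    ("CDP disabled", r"^no cdp run$", None),
    ("BOOTP server disabled", r"^no ip bootp server$", None),
    ("DHCP server disabled", r"^no service dhcp$", None),
    ("TCP keepalives in", r"^service tcp-keepalives-in$", None),
    ("TCP keepalives out", r"^service tcp-keepalives-out$", None),
    ("PAD service disabled", r"^no service pad$", None),
    ("SSH version 2", r"^ip ssh version 2$", None),
    ("Non-default hostname", r"^hostname (\S+)$",
     lambda m: m.group(1).lower() not in ("router", "switch")),
    ("Domain name set", r"^ip domain[ -]name \S+$", None),
    ("SSH timeout <= 60 s", r"^ip ssh time-out (\d+)$", lambda m: int(m.group(1)) <= 60),
    ("Logging buffer >= 64000", r"^logging buffered (\d+)", lambda m: int(m.group(1)) >= 64000),
    ("Console logging critical", r"^logging console critical$", None),
    ("Syslog host by IP", r"^logging (host )?\d{1,3}(\.\d{1,3}){3}$", None),
    ("Debug timestamps", r"^service timestamps debug datetime( msec)? show-timezone", None),
    ("Logging source interface", r"^logging source-interface [Ll]oopback\d+$", None),
    ("NTP server", r"^ntp server \S+", None),
    ("Source routing disabled", r"^no ip source-route$", None),
]
# Lines that must be absent: each one switches off a secure default.
FORBIDDEN = [
    ("ident server enabled", r"^ip identd$"),
    ("System logging disabled", r"^no logging on$"),
    ("SSH retries > 3", r"^ip ssh authentication-retries [4-9]$"),
    ("Trap level not informational", r"^logging trap (?!informational$)\S+$"),
]


def audit_ios_config(config_text):
    """Return the names of the SCSEM items the running-config fails."""
    lines = [ln.strip() for ln in config_text.splitlines()]
    failures = []
    for name, pattern, validate in REQUIRED:
        matches = [m for m in map(re.compile(pattern).match, lines) if m]
        ok = any(validate(m) for m in matches) if validate else bool(matches)
        if not ok:
            failures.append(name)
    for name, pattern in FORBIDDEN:
        if any(re.match(pattern, ln) for ln in lines):
            failures.append(name)
    return failures


# Constructed sample configs for the example (not from any real device).
WEAK_CONFIG = """\
hostname Router
service timestamps debug datetime msec show-timezone
logging buffered 4096
logging console critical
logging trap debugging
logging host 10.10.1.5
ip identd
ip ssh version 2
ip ssh time-out 120
ip ssh authentication-retries 5
snmp-server community public RO
ntp server 10.10.1.10
"""
HARDENED_CONFIG = """\
hostname core-sw1
ip domain name agency.example
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec show-timezone
no service pad
no service dhcp
no ip bootp server
no ip source-route
no cdp run
logging buffered 64000
logging console critical
logging trap informational
logging source-interface Loopback0
logging host 10.10.1.5
access-list 10 permit 10.10.1.0 0.0.0.255
access-list 10 deny   any log
snmp-server community S3cret-RO RO 10
snmp-server host 10.10.1.5 trapcommunity snmp
snmp-server enable traps snmp authentication linkup linkdown coldstart
ip ssh version 2
ip ssh time-out 60
ntp server 10.10.1.10
"""

if __name__ == "__main__":
    print("weak:", audit_ios_config(WEAK_CONFIG))
    print("hardened:", audit_ios_config(HARDENED_CONFIG))
```

The weak sample fails 18 items (every missing hardening line, the default hostname, the 120-second SSH timeout, the undersized buffer, the enabled ident server, five SSH retries and the debugging trap level); the hardened sample fails none. The checks are line-oriented and do not follow interface sub-modes, so they cover only the global items listed above.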
Change Log

| Version | Date | Description of Changes | Author |
|---|---|---|---|
| 1.0 | 3/25/2016 | First Release | Booz Allen Hamilton |
| 2.0 | 1/31/2017 | Session terminations set to 30 minutes, account automated unlock set to 15 minutes, Issue code changes | Booz Allen Hamilton |
| 2.0 | 9/30/2017 | Updated issue code table | Booz Allen Hamilton |
| 2.0 | 1/31/2018 | Minor content updates | Booz Allen Hamilton |
| 2.1 | 8/31/2018 | Minor content updates | Booz Allen Hamilton |
| 2.1 | 9/30/2018 | Internal Update | Booz Allen Hamilton |
Issue Code Table

| Issue Code | Description | Weight (8/31/2018) |
|---|---|---|
| HAC1 | Contractors with unauthorized access to FTI | 6 |
| HAC2 | User sessions do not lock after the Publication 1075 required timeframe | 4 |
| HAC3 | Agency processes FTI at a contractor-run consolidated data center | 1 |
| HAC4 | FTI is not labeled and is commingled with non-FTI | 2 |
| HAC5 | FTI is commingled with non-FTI data in the data warehouse | 2 |
| HAC6 | Cannot determine who has access to FTI | 4 |
| HAC7 | Account management procedures are not in place | 2 |
| HAC8 | Accounts are not reviewed periodically for proper privileges | 5 |
| HAC9 | Accounts have not been created using user roles | 5 |
| HAC10 | Accounts do not expire after the correct period of inactivity | 5 |
| HAC100 | Other | 2 |
| HAC11 | User access was not established with concept of least privilege | 5 |
| HAC12 | Separation of duties is not in place | 4 |
| HAC13 | Operating system configuration files have incorrect permissions | 4 |
| HAC14 | Warning banner is insufficient | 1 |
| HAC15 | User accounts not locked out after 3 unsuccessful login attempts | 5 |
| HAC16 | Network device allows telnet connections | 8 |
| HAC17 | Account lockouts do not require administrator action | 1 |
| HAC18 | Network device has modems installed | 8 |
| HAC19 | Out of Band Management is not utilized in all instances | 6 |
| HAC20 | Agency duplicates usernames | 7 |
| HAC21 | Agency shares administrative account inappropriately | 7 |
| HAC22 | Administrators do not use su or sudo command to access root privileges | 7 |
| HAC23 | Unauthorized disclosure to other agencies | 5 |
| HAC24 | User roles do not exist within the data warehouse environment | 5 |
| HAC25 | Agency employees with inappropriate access to FTI | 5 |
| HAC26 | Inappropriate access to FTI from mobile devices | 6 |
| HAC27 | Default accounts have not been disabled or renamed | 6 |
| HAC28 | Database trace files are not properly protected | 4 |
| HAC29 | Access to system functionality without identification and authentication | 7 |
| HAC30 | RACF access controls not properly implemented | 5 |
| HAC31 | The database public users has improper access to data and/or resources | 5 |
| HAC32 | Mainframe access control function does not control access to FTI data | 8 |
| HAC33 | FTI is accessible to third parties | 1 |
| HAC34 | Improper access to DBMS by non-DBAs | 5 |
| HAC35 | Inappropriate public access to FTI | 8 |
| HAC36 | Agency allows FTI access from unsecured wireless network | 5 |
| HAC37 | Account management procedures are not implemented | 5 |
| HAC38 | Warning banner does not exist | 2 |
| HAC39 | Access to wireless network exceeds acceptable range | 4 |
| HAC40 | The system does not effectively utilize whitelists or ACLs | 5 |
| HAC41 | Accounts are not removed or suspended when no longer necessary | 5 |
| HAC42 | System configuration files are not stored securely | 6 |
| HAC43 | Management sessions are not properly restricted by ACL | 5 |
| HAC44 | System does not have a manual log off feature | 4 |
| HAC45 | Split tunneling is enabled | 5 |
| HAC46 | Access to mainframe product libraries is not adequately controlled | 6 |
| HAC47 | Files containing authentication information are not adequately protected | 7 |
| HAC48 | Usernames are not archived and may be re-issued to different users | 3 |
| HAC49 | Use of emergency user IDs is not properly controlled | 6 |
| HAC50 | Print spoolers do not adequately restrict jobs | 4 |
| HAC51 | Unauthorized access to FTI | 5 |
| HAC52 | Wireless usage policies are not sufficient | 2 |
| HAC53 | Mobile device policies are not sufficient | 2 |
| HAC54 | FTI is not properly labeled in the cloud environment | 5 |
| HAC55 | FTI is not properly isolated in the cloud environment | 5 |
| HAC56 | Mobile device does not wipe after the required threshold of passcode failures | 5 |
| HAC57 | Mobile devices policies governing access to FTI are not sufficient | 5 |
| HAC58 | Access control parameter thresholds are reset | 3 |
| HAC59 | The guest account has improper access to data and/or resources | 6 |
| HAC60 | Agency does not centrally manage access to third party environments | 3 |
| HAC61 | User rights and permissions are not adequately configured | 4 |
| HAC62 | Host-based firewall is not configured according to industry standard best practice | 3 |
| HAC63 | Security profiles have not been established | 3 |
| HAT1 | Agency does not train employees with FTI access | 3 |
| HAT100 | Other | 2 |
| HAT2 | Agency does not train contractors with FTI access | 3 |
| HAT3 | Agency does not maintain training records | 3 |
| HAT4 | Agency does not provide security-specific training | 3 |
| HIA1 | Adequate device identification and authentication is not employed | 5 |
| HIA2 | Standardized naming convention is not enforced | 3 |
| HIA3 | Authentication server is not used for end user authentication | 6 |
| HIA4 | Authentication server is not used for device administration | 5 |
| HIA5 | System does not properly control authentication process | 4 |
| HAU1 | No auditing is being performed at the agency | 7 |
| HAU2 | No auditing is being performed on the system | 6 |
| HAU3 | Audit logs are not being reviewed | 5 |
| HAU4 | System does not audit failed attempts to gain access | 3 |
| HAU5 | Auditing is not performed on all data tables containing FTI | 5 |
| HAU6 | System does not audit changes to access control settings | 4 |
| HAU7 | Audit records are not retained per Pub 1075 | 2 |
| HAU8 | Logs are not maintained on a centralized log server | 4 |
| HAU9 | No log reduction system exists | 4 |
| HAU10 | Audit logs are not properly protected | 4 |
| HAU100 | Other | 2 |
| HAU11 | NTP is not properly implemented | 3 |
| HAU12 | Audit records are not time stamped | 6 |
| HAU13 | Audit records are not archived during VM rollback | 3 |
| HAU14 | Remote access is not logged | 6 |
| HAU15 | Verbose logging is not being performed on perimeter devices | 5 |
| HAU16 | A centralized automated audit log analysis solution is not implemented | 5 |
| HAU17 | Audit logs do not capture sufficient auditable events | 5 |
| HAU18 | Audit logs are reviewed, but not per Pub 1075 requirements | 3 |
| HAU19 | Audit log anomalies or findings are not reported and tracked | 5 |
| HAU20 | Audit log data not sent from a consistently identified source | 2 |
| HAU21 | System does not audit all attempts to gain access | 5 |
| HAU22 | Content of audit records is not sufficient | 4 |
| HAU23 | Audit storage capacity threshold has not been defined | 2 |
| HAU24 | Administrators are not notified when audit storage threshold is reached | 2 |
| HAU25 | Audit processing failures are not properly reported and responded to | 4 |
| HAU26 | System/service provider is not held accountable to protect and share audit records with the agency | 5 |
| HAU27 | Audit trail does not include access to FTI in pre-production | 4 |
| HCA1 | Systems are not formally certified by management to process FTI | 4 |
| HCA100 | Other | 2 |
| HCA2 | Undocumented system interconnections exist | 4 |
| HCA3 | Agency does not conduct routine assessments of security controls | 5 |
| HCA4 | No third party verification of security assessments | 2 |
| HCA5 | POA&Ms are not used to track and mitigate potential weaknesses | 5 |
| HCA6 | The agency's SSR does not address the current FTI environment | 6 |
| HCA7 | SSR is not current with Pub 1075 reporting requirements | 4 |
| HCA8 | Rules of behavior does not exist | 5 |
| HCA9 | Rules of behavior is not sufficient | 4 |
| HCA10 | Assessment results are not shared with designated agency officials | 2 |
| HCA11 | Interconnection Security Agreements are not sufficient | 2 |
| HCA12 | POA&Ms are not reviewed in accordance with Pub 1075 | 3 |
| HCA13 | System authorizations are not updated in accordance with Pub 1075 | 3 |
| HCA14 | A continuous monitoring program has not been established | 5 |
| HCA15 | The continuous monitoring program is not sufficient | 4 |
| HCM1 | Information system baseline is insufficient | 3 |
| HCM10 | System has unneeded functionality installed | 5 |
| HCM100 | Other | 2 |
| HCM11 | SNMP is not implemented correctly | 4 |
| HCM12 | Offline system configurations are not kept up-to-date | 1 |
| HCM13 | System component inventories do not exist | 6 |
| HCM14 | System component inventories are outdated | 5 |
| HCM15 | Hardware asset inventory is not sufficient | 3 |
| HCM16 | Software asset inventory is not sufficient | 3 |
| HCM17 | Hardware asset inventory does not exist | 4 |
| HCM18 | Software asset inventory does not exist | 4 |
| HCM19 | Firewall rules are not reviewed or removed when no longer necessary | 6 |
| HCM2 | FTI is not properly labeled on-screen | 3 |
| HCM20 | Application interfaces are not separated from management functionality | 5 |
| HCM21 | Permitted services have not been documented and approved | 6 |
| HCM22 | Application code is not adequately separated from data sets | 4 |
| HCM23 | System is not monitored for changes from baseline | 5 |
| HCM24 | Agency network diagram is not complete | 4 |
| HCM25 | Zoning has not been configured appropriately | 4 |
| HCM26 | Static IP addresses are not used when needed | 4 |
| HCM27 | Information system baseline does not exist | 5 |
| HCM28 | Boundary devices are not scanned for open ports and services | 6 |
| HCM29 | Application architecture does not properly separate user interface from data repository | 5 |
| HCM3 | Operating system does not have vendor support | 7 |
| HCM30 | System reset function leaves device in unsecure state | 6 |
| HCM31 | Default SSID has not been changed | 1 |
| HCM32 | The device is inappropriately used to serve multiple functions | 6 |
| HCM33 | Significant changes are not reviewed for security impacts before being implemented | 6 |
| HCM34 | Agency does not control significant changes to systems via an approval process | 6 |
| HCM35 | Services are not configured to use the default/standard ports | 4 |
| HCM36 | The required benchmark has not been applied | 6 |
| HCM37 | Configuration settings and benchmarks have not been defined | 3 |
| HCM38 | Agency does not adequately govern or control software usage | 4 |
| HCM39 | RACF security settings are not properly configured | 5 |
| HCM4 | Routine operational changes are not reviewed for security impacts before being implemented | 3 |
| HCM40 | ACF security settings are not properly configured | 5 |
| HCM41 | Top Secret security settings are not properly configured | 5 |
| HCM42 | UNISYS security settings are not properly configured | 5 |
| HCM43 | IBMi security settings are not properly configured | 5 |
| HCM44 | Agency does not properly test changes prior to implementation | 5 |
| HCM45 | System configuration provides additional attack surface | 5 |
| HCM46 | Agency does not centrally manage mobile device configuration | 6 |
| HCM47 | System error messages display system configuration information | 4 |
| HCM48 | Low-risk operating system settings are not configured securely | 3 |
| HCM5 | Web portal with FTI does not have three-tier architecture | 6 |
| HCM6 | Agency does not control routine operational changes to systems via an approval process | 5 |
| HCM7 | Configuration management procedures do not exist | 3 |
| HCM8 | The ability to make changes is not properly limited | 5 |
| HCM9 | Systems are not deployed using the concept of least privilege | 5 |
| HCP1 | No contingency plan exists for FTI data | 4 |
| HCP100 | Other | 2 |
| HCP2 | Contingency plans are not tested annually | 3 |
| HCP3 | Contingency plan does not exist for consolidated data center | 3 |
| HCP4 | FTI is not encrypted in transit to the DR site | 5 |
| HCP5 | Backup data is not adequately protected | 5 |
| HCP6 | Contingency plan is not updated annually | 2 |
| HCP7 | Contingency plan is not sufficient | 3 |
| HCP8 | Contingency training is not conducted | 4 |
| HCP9 | Contingency training is not sufficient | 2 |
| HCP10 | Backup data is located on production systems | 2 |
| HIR1 | Incident response program does not exist | 5 |
| HIR100 | Other | 2 |
| HIR2 | Incident response plan is not sufficient | 3 |
| HIR3 | Agency does not perform incident response exercises in accordance with Pub 1075 | 3 |
| HIR4 | Agency does not provide support resource for assistance in handling and reporting security incidents | 3 |
| HIR5 | Incident response plan does not exist | 5 |
| HMA1 | External maintenance providers not escorted in the data center | 4 |
| HMA100 | Other | 2 |
| HMA2 | Maintenance not restricted to local access | 1 |
| HMA3 | Maintenance tools are not approved / controlled | 4 |
| HMA4 | Maintenance records are not sufficient | 3 |
| HMA5 | Nonlocal maintenance is not implemented securely | 4 |
| HMT1 | Risk Assessment controls are not implemented properly | 4 |
| HMT2 | Planning controls are not implemented properly | 4 |
| HMT3 | Program management controls are not implemented properly | 2 |
| HMT4 | System acquisition controls are not implemented properly | 3 |
| HMT5 | SA&A controls are not implemented properly | 4 |
| HMT6 | Contingency planning controls are not implemented properly | 2 |
| HMT7 | Configuration management controls are not implemented properly | 4 |
| HMT8 | Maintenance controls are not implemented properly | 4 |
| HMT9 | System and information integrity controls are not implemented properly | 4 |
| HMT10 | Incident response controls are not implemented properly | 3 |
| HMT100 | Other | 2 |
| HMT11 | Awareness and training controls are not implemented properly | 1 |
| HMT12 | Identification and authentication controls are not implemented properly | 4 |
| HMT13 | Access controls are not implemented properly | 4 |
| HMT14 | Audit and accountability are not implemented properly | 4 |
| HMT15 | System and communications protection controls are not implemented properly | 4 |
| HMT16 | Documentation does not exist | 2 |
| HMT17 | Documentation is sufficient but outdated | 1 |
| HMT18 | Documentation exists but is not sufficient | 1 |
| HMT19 | Management Operational and Technical controls are not implemented properly | 4 |
| HPW1 | No password is required to access an FTI system | 7 |
| HPW2 | Password does not expire timely | 5 |
| HPW3 | Minimum password length is too short | 6 |
| HPW4 | Minimum password age does not exist | 5 |
| HPW5 | Passwords are generated and distributed automatically | 2 |
| HPW6 | Password history is insufficient | 3 |
| HPW7 | Password change notification is not sufficient | 1 |
| HPW8 | Passwords are displayed on screen when entered | 7 |
| HPW9 | Password management processes are not documented | 2 |
| HPW10 | Passwords are allowed to be stored | 5 |
| HPW100 | Other | 2 |
| HPW11 | Password transmission does not use strong cryptography | 6 |
| HPW12 | Passwords do not meet complexity requirements | 4 |
| HPW13 | Enabled secret passwords are not implemented correctly | 6 |
| HPW14 | Authenticator feedback is labeled inappropriately | 4 |
| HPW15 | Passwords are shared inappropriately | 6 |
| HPW16 | Swipe-based passwords are allowed on mobile devices | 4 |
| HPW17 | Default passwords have not been changed | 7 |
| HPW18 | No password is required to remotely access an FTI system | 8 |
| HPW19 | More than one Publication 1075 password requirement is not met | 6 |
| HPW20 | User is not required to change password upon first use | 5 |
| HPW21 | Passwords are allowed to be stored unencrypted in config files | 6 |
| HPW22 | Administrators cannot override minimum password age for users, when required | 1 |
| HPW23 | Passwords cannot be changed by users | 4 |
| HRA1 | Risk assessments are not performed | 5 |
| HRA100 | Other | 2 |
| HRA2 | Vulnerability assessments are not performed | 6 |
| HRA3 | Vulnerability assessments do not generate corrective action plans | 5 |
| HRA4 | Vulnerability assessments are not performed as frequently as required per Publication 1075 | 4 |
| HRA5 | Vulnerabilities are not remediated in a timely manner | 5 |
| HRA6 | Scope of vulnerability scanning is not sufficient | 5 |
| HRA7 | Risk assessments are performed but not in accordance with Pub 1075 parameters | 4 |
| HRA8 | Penetration test results are not included in agency POA&Ms | 4 |
| HRA9 | Application source code is not assessed for static vulnerabilities | 5 |
| HRM1 | Multi-Factor authentication is not required | 7 |
| HRM10 | Client side cache cleaning utility has not been implemented | 4 |
| HRM100 | Other | 3 |
| HRM11 | Site to site connection does not terminate outside the firewall | 5 |
| HRM12 | An FTI system is directly routable to the internet via unencrypted protocols | 8 |
| HRM13 | The agency does not blacklist known malicious IPs | 5 |
| HRM14 | The agency does not update blacklists of known malicious IPs | 4 |
| HRM15 | Multi-factor authentication is not enforced for local device management | 4 |
| HRM16 | VPN access points have not been limited | 5 |
| HRM17 | SSH is not implemented correctly for device management | 6 |
| HRM18 | Remote access policies are not sufficient | 5 |
| HRM19 | Agency cannot remotely wipe lost mobile device | 6 |
| HRM2 | Multi-Factor authentication is not required to access FTI via personal devices | 8 |
| HRM3 | FTI access from personal devices | 6 |
| HRM4 | FTI access from offshore | 8 |
| HRM5 | User sessions do not terminate after the Publication 1075 period of inactivity | 4 |
| HRM6 | The mainframe is directly routable to the internet via Port 23 | 8 |
| HRM7 | The agency does not adequately control remote access to its systems | 6 |
| HRM8 | Direct root access is enabled on the system | 6 |
| HRM9 | VPN technology does not perform host checking | 6 |
| HSA1 | Live FTI data is used in test environments without approval | 4 |
| HSA100 | Other | 2 |
| HSA2 | Usage restrictions to open source software are not in place | 2 |
| HSA3 | No agreement exists with 3rd party provider to host FTI | 5 |
| HSA4 | Software installation rights are not limited to the technical staff | 5 |
| HSA5 | Configuration changes are not controlled during all phases of the SDLC | 4 |
| HSA6 | Security test and evaluations are not performed during system development | 4 |
| HSA7 | The external facing system is no longer supported by the vendor | 8 |
| HSA8 | The internally hosted operating system's major release is no longer supported by the vendor | 7 |
| HSA9 | The internally hosted operating system's minor release is no longer supported by the vendor | 6 |
| HSA10 | The internally hosted software's major release is no longer supported by the vendor | 8 |
| HSA11 | The internally hosted software's minor release is no longer supported by the vendor | 7 |
| HSA12 | Internal networking devices are no longer supported by the vendor | 6 |
| HSA13 | IT security is not part of capital planning and the investment control process | 4 |
| HSA14 | FTI systems are not included in a SDLC | 4 |
| HSA15 | FTI contracts do not contain all security requirements | 5 |
| HSA16 | Documentation is not properly protected | 1 |
| HSA17 | Security is not a consideration in system design or upgrade | 4 |
| HSA18 | Cloud vendor is not FedRAMP certified | 7 |
| HSC1 | FTI is not encrypted in transit | 6 |
| HSC2 | FTI is emailed outside of the agency | 5 |
| HSC3 | FTI is emailed incorrectly inside the agency | 5 |
| HSC4 | VOIP system not implemented correctly | 3 |
| HSC5 | No DMZ exists for the network | 6 |
| HSC6 | Not all connections to FTI systems are monitored | 5 |
| HSC7 | NAT is not implemented for internal IP addresses | 5 |
| HSC8 | Network architecture is flat | 6 |
| HSC9 | Database listener is not properly configured | 5 |
| HSC10 | FTI is not properly deleted / destroyed | 5 |
| HSC100 | Other | 2 |
| HSC11 | No backup plan exists to remove failed data loads in the data warehouse | 1 |
| HSC12 | Original FTI extracts are not protected after ETL process | 4 |
| HSC13 | FTI is transmitted incorrectly using an MFD | 5 |
| HSC14 | VM to VM communication exists using VMCI | 3 |
| HSC15 | Encryption capabilities do not meet FIPS 140-2 requirements | 6 |
| HSC16 | System does not meet common criteria requirements | 4 |
| HSC17 | Denial of Service protection settings are not configured | 5 |
| HSC18 | System communication authenticity is not guaranteed | 4 |
| HSC19 | Network perimeter devices do not properly restrict traffic | 6 |
| HSC20 | Publicly available systems contain FTI | 6 |
| HSC21 | Number of logon sessions are not managed appropriately | 4 |
| HSC22 | VPN termination point is not sufficient | 6 |
| HSC23 | Site survey has not been performed | 3 |
| HSC24 | Digital Signatures or PKI certificates are expired or revoked | 5 |
| HSC25 | Network sessions do not timeout per Publication 1075 requirements | 4 |
| HSC26 | Email policy is not sufficient | 3 |
| HSC27 | Traffic inspection is not sufficient | 4 |
| HSC28 | The network is not properly segmented | 5 |
| HSC29 | Cryptographic key pairs are not properly managed | 4 |
| HSC30 | VLAN configurations do not utilize networking best practices | 5 |
| HSC31 | Collaborative computing devices are not deployed securely | 4 |
| HSC32 | PKI certificates are not issued from an approved authority | 4 |
| HSC33 | Data warehouse has insecure connections | 5 |
| HSC34 | The production and development environments are not properly separated | 6 |
| HSC35 | Procedures stored in the database are not encrypted | 5 |
| HSC36 | System is configured to accept unwanted network connections | 5 |
| HSC37 | Network connection to third party system is not properly configured | 6 |
| HSC38 | SSL inspection has not been implemented | 5 |
| HSC39 | The communications protocol is not NIST 800-52 compliant | 5 |
| HSI1 | System configured to load or run removable media automatically | 6 |
| HSI2 | System patch level is insufficient | 5 |
| HSI3 | System is not monitored for threats | 6 |
| HSI4 | No intrusion detection system exists | 6 |
| HSI5 | OS files are not hashed to detect inappropriate changes | 4 |
| HSI6 | Intrusion detection system not implemented correctly | 5 |
| HSI7 | FTI can move via covert channels (e.g., VM isolation tools) | 4 |
| HSI8 | All VM moves are being tracked in the virtual environment | 3 |
| HSI9 | Network device configuration files are not kept offline | 2 |
| HSI10 | Hash sums of ISO images are not maintained in the virtual environment | 3 |
| HSI100 | Other | 2 |
| HSI11 | Antivirus is not configured to automatically scan removable media | 7 |
| HSI12 | No antivirus is configured on the system | 6 |
| HSI13 | Antivirus does not exist on an internet-facing endpoint | 7 |
| HSI14 | The system's automatic update feature is not configured appropriately | 5 |
| HSI16 | Agency network not properly protected from spam email | 6 |
| HSI17 | Antivirus is not configured appropriately | 5 |
| HSI18 | VM rollbacks are conducted while connected to the network | 4 |
| HSI19 | Data inputs are not being validated | 2 |
| HSI20 | Agency does not receive security alerts, advisories, or directives | 4 |
| HSI21 | FTI is inappropriately moved and shared with non-FTI virtual machines | 4 |
| HSI22 | Data remanence is not properly handled | 5 |
| HSI23 | Agency has not defined an authorized list of software | 2 |
| HSI24 | Agency does not monitor for unauthorized software on the network | 4 |
| HSI25 | Agency does not monitor for unauthorized hosts on the network | 4 |
| HSI26 | No host intrusion detection/prevention system exists | 5 |
| HSI27 | Critical security patches have not been applied | 8 |
| HSI28 | Security alerts are not disseminated to agency personnel | 3 |
| HSI29 | Data inputs are from external sources | 4 |
| HSI30 | System output is not secured in accordance with Publication 1075 | 4 |
| HSI31 | Agency does not properly retire or remove unneeded source code from production | 4 |
| HSI32 | Virtual Switch (Vswitch) security parameters are set incorrectly | 5 |
| HSI33 | Memory protection mechanisms are not sufficient | 5 |
| HSI34 | A file integrity checking mechanism does not exist | 5 |
| HSI35 | Failover is not properly configured | 4 |
| HSI36 | Malware analysis is not being performed | 6 |
| HTW1 | Tumbleweed client is not configured properly | 4 |
| HTW100 | Other | 2 |
| HTW2 | Tumbleweed certificate is assigned to the wrong person | 4 |
| HTW3 | No written procedures for using Tumbleweed | 1 |
| HTW4 | FTI is left on the device running the Tumbleweed application | 4 |
| HTW5 | Axway does not run on a dedicated platform | 3 |
| HTW6 | The data transfer agreement is not in place | 5 |
| HMP1 | Media sanitization is not sufficient | 4 |
| HPE1 | Printer does not lock and prevent access to the hard drive | 4 |
| HPM1 | A senior information officer does not exist | 5 |
| HTC1 | The Windows 2000 server is unsupported | 1 |
| HTC10 | The ASA firewall is not configured securely | 1 |
| HTC100 | Other | 2 |
| HTC11 | The RACF Mainframe is not configured securely | 1 |
| HTC12 | The ACF2 Mainframe is not configured securely | 1 |
| HTC13 | The Top Secret Mainframe is not configured securely | 1 |
| HTC14 | The Unisys Mainframe is not configured securely | 1 |
| HTC15 | The i5OS Mainframe is not configured securely | 1 |
| HTC16 | The VPN concentrator is not configured securely | 1 |
| HTC17 | The Citrix Access Gateway is not configured securely | 1 |
| HTC18 | The Windows XP Workstation is not configured securely | 1 |
| HTC19 | The Windows 7 Workstation is not configured securely | 1 |
| HTC2 | The Windows 2003 Server is not configured securely | 1 |
| HTC20 | The Windows 8 Workstation is not configured securely | 1 |
| HTC21 | Network protection capabilities are not configured securely | 1 |
| HTC22 | The MFD is not configured securely | 1 |
| HTC23 | The GenTax application is not configured securely | 1 |
| HTC24 | The data warehouse is not configured securely | 1 |
| HTC25 | The RSI data warehouse is not configured securely | 1 |
| HTC26 | The Teradata data warehouse is not configured securely | 1 |
| HTC27 | The DB2 database is not configured securely | 1 |
| HTC28 | The Oracle 9g database is not configured securely | 1 |
| HTC29 | The Oracle 10g database is not configured securely | 1 |
| HTC3 | The Windows 2008 Standard Server is not configured securely | 1 |
| HTC30 | The Oracle 11g database is not configured securely | 1 |
| HTC31 | The SQL Server 2000 installation is unsupported | 1 |
| HTC32 | The SQL Server 2005 installation is not configured securely | 1 |
| HTC33 | The SQL Server 2008 installation is not configured securely | 1 |
| HTC34 | The SQL Server 2012 installation is not configured securely | 1 |
| HTC35 | The VMWare Hypervisor is not configured securely | 1 |
| HTC36 | The Tumbleweed client is not configured securely | 1 |
| HTC37 | The internet browser is not configured securely | 1 |
| HTC38 | The storage area network device is not configured securely | 1 |
| HTC39 | The voice-over IP network is not configured securely | 1 |
| HTC4 | The Windows 2012 Standard Server is not configured securely | 1 |
| HTC40 | The wireless network is not configured securely | 1 |
| HTC41 | The custom web application is not configured securely | 1 |
| HTC42 | The IVR system is not configured securely | 1 |
| HTC43 | The web server is not configured securely | 1 |
| HTC44 | The cloud computing environment is not configured securely | 1 |
| HTC45 | The Apple iOS device is not configured securely | 1 |
| HTC46 | The Google Android device is not configured securely | 1 |
| HTC47 | The Blackberry OS device is not configured securely | 1 |
| HTC48 | The Microsoft Windows RT device is not configured securely | 1 |
| HTC49 | The mobile device is not configured securely | 1 |
| HTC5 | The Solaris server is not configured securely | 1 |
| HTC50 | Agency has not notified IRS of this technology | 5 |
| HTC51 | Technology is not properly sanitized after use | 4 |
| HTC52 | The AIX server is not configured securely | 1 |
| HTC53 | The custom application is not configured securely | 1 |
| HTC54 | The SuSE Linux server is not configured securely | 1 |
| HTC55 | The Adabas database is not configured securely | 1 |
| HTC56 | The Windows 10 operating system is not configured securely | 1 |
| HTC57 | The Oracle 12c database is not configured securely | 1 |
| HTC58 | The Red Hat Enterprise Linux 6 operating system is not configured securely | 1 |
| HTC59 | The Red Hat Enterprise Linux 7 operating system is not configured securely | 1 |
| HTC60 | The Windows 2016 Server is not configured securely | 1 |
| HTC61 | The Windows 2012 R2 Server is not configured securely | 1 |
| HTC62 | The SQL Server 2014 database is not configured securely | 1 |
| HTC63 | The Windows 2008 R2 Server is not configured securely | 1 |
| HTC64 | The High Volume Printer is not configured securely | 1 |
| HTC65 | The system was not assessed during the onsite review | 8 |
| HTC66 | The VMWare ESXi 5.5 Hypervisor is not configured securely | 1 |
| HTC67 | The VMWare ESXi 6.0 Hypervisor is not configured securely | 1 |
| HTC68 | The IBM z/OS version 1.13.x is not configured securely | 1 |
| HTC69 | The IBM z/OS version 2.1.x is not configured securely | 1 |
| HTC70 | The IBM z/OS version 2.2.x is not configured securely | 1 |
| HTC71 | The Checkpoint R76 firewall is not configured securely | 1 |
| HTC72 | The Checkpoint R77 firewall is not configured securely | 1 |
| HTC73 | The Checkpoint R80 firewall is not configured securely | 1 |
| HTC74 | The Oracle 11.2.0.4 database is not configured securely | 1 |
| HTC75 | The Cisco IOS v12.x is not configured securely | 1 |
| HTC76 | The Cisco IOS v15.x is not configured securely | 1 |
| HTC77 | The AIX 6 server is not configured securely | 1 |
| HTC78 | The AIX 7 server is not configured securely | 1 |
| HTC79 | The CentOS 6 server is not configured securely | 1 |
| HTC80 | The CentOS 7 server is not configured securely | 1 |
| HTC81 | The OEL 6 server is not configured securely | 1 |
| HTC82 | The OEL 7 server is not configured securely | 1 |
| HTC83 | The Solaris 10 server is not configured securely | 1 |
| HTC84 | The Solaris 11 server is not configured securely | 1 |
| HTC85 | The SuSE 11 server is not configured securely | 1 |
| HTC86 | The SuSE 12 server is not configured securely | 1 |
| HTC87 | The VMWare Horizon 6 VDI solution is not configured securely | 1 |
| HTC88 | The VMWare Horizon 7 VDI solution is not configured securely | 1 |
| HTC6 | The Red Hat Linux server is not configured securely | 1 |
| HTC7 | The CentOS server is not configured securely | 1 |
| HTC8 | The Cisco networking device is not configured securely | 1 |
| HTC9 | The Cisco pix firewall is not configured securely | 1 |