
STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.


V-279167

CAT II (Medium)

The Edge SWG must implement multifactor authentication for remote access to nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access.

Rule ID

SV-279167r1170656_rule

STIG

Symantec Edge SWG ALG Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-004046, CCI-000172, CCI-002470, CCI-002400

Discussion

For remote access to nonprivileged accounts, one factor of multifactor authentication must be provided by a device separate from the information system gaining access to reduce the likelihood of compromising authentication credentials stored on the system.

Before continuing, ensure that the Edge SWG was implemented for SYME-ND-000190.

Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification (PIV) card and the DOD common access card (CAC).

A privileged account is defined as an information system account with authorizations of a privileged user. Remote access is access to DOD-nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.

An example of compliance with this requirement is the use of a one-time password token and PIN coupled with a password; or the use of a CAC/PIV card and PIN coupled with a password.

Satisfies: SRG-NET-000339-ALG-000090, SRG-NET-000500-ALG-000035, SRG-NET-000340-ALG-000091, SRG-NET-000355-ALG-000117, SRG-NET-000370-ALG-000125, SRG-NET-000494-ALG-000029, SRG-NET-000495-ALG-000030, SRG-NET-000496-ALG-000031, SRG-NET-000497-ALG-000032, SRG-NET-000498-ALG-000033, SRG-NET-000499-ALG-000034, SRG-NET-000501-ALG-000036, SRG-NET-000502-ALG-000037, SRG-NET-000503-ALG-000038, SRG-NET-000505-ALG-000039

Check Content

In the Edge SWG Web UI, navigate to the Visual Policy Manager (VPM).

Under the configured Web Access Layer, if there are no allow rules for at least HTTP and HTTPS, this is a finding.

If the allow rules do not have a specific LDAPS group used in the source column, this is a finding.

If the rule does not have the Track column set to log all access logs, this is a finding.

Fix Text

1. In the Edge SWG Web UI, navigate to the VPM.
2. Under the configured Web Access Layer, add a rule.
3. Under "Source", left-click then click "Set".
4. Click "Add new object".
5. Select "Group".
6. Enter the full Distinguished Name (DN) of the LDAPS group. For example: "CN=broadcom.proxyusers.gsg,OU=BROADCOM,DC=dod,DC=mil"
7. Under "Authentication Realm", select the CAC/certificate realm.
8. Click "Apply".
9. Under "Service", left-click then click "Set".
10. Select the "All HTTPS client" protocol.
11. Click "Apply".
12. Under Action, left-click then click "Set".
13. Click "Allow", then click "Apply".
14. Under "Track", left-click then click "Set".
15. Select the event log that was created previously.
16. Click "Apply".
17. Repeat the above steps for HTTP instead of HTTPS and add any additional protocols that need to be proxied.
18. Click "Apply policy".