STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

CA API Gateway ALG Security Technical Implementation Guide

Version: V1R3
Release Date: Jun 4, 2024
SCAP Benchmark ID: CA_API_Gateway_ALG_STIG
Total Checks: 82
Tags: other
Severity breakdown: CAT I: 1, CAT II: 79, CAT III: 2

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Checks (82)

  • V-237342 (MEDIUM): The CA API Gateway must enforce approved authorizations for logical access to information and system resources by employing identity-based, role-based, and/or attribute-based security policies.
  • V-237343 (MEDIUM): The CA API Gateway must enforce approved authorizations for controlling the flow of information within the network based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.
  • V-237344 (MEDIUM): The CA API Gateway must restrict or block harmful or suspicious communications traffic by controlling the flow of information between interconnected networks based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.
  • V-237345 (MEDIUM): The CA API Gateway providing user access control intermediary services must display the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to the network.
  • V-237346 (MEDIUM): The CA API Gateway providing user access control intermediary services must retain the Standard Mandatory DoD-approved Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access.
  • V-237347 (MEDIUM): The CA API Gateway providing user access control intermediary services for publicly accessible applications must display the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to the system.
  • V-237348 (MEDIUM): The CA API Gateway providing user access control intermediary services must limit users to two concurrent sessions.
  • V-237349 (MEDIUM): The CA API Gateway providing intermediary services for remote access communications traffic must use encryption services that implement NIST FIPS-validated cryptography to protect the confidentiality of remote access sessions.
  • V-237350 (MEDIUM): The CA API Gateway that stores secret or private keys must use FIPS-approved key management technology and processes in the production and control of private/secret cryptographic keys.
  • V-237351 (MEDIUM): The CA API Gateway that provides intermediary services for TLS must be configured to comply with the required TLS settings in NIST SP 800-52.
  • V-237352 (MEDIUM): The CA API Gateway providing intermediary services for remote access communications traffic must use NIST FIPS-validated cryptography to protect the integrity of remote access sessions.
  • V-237353 (MEDIUM): The CA API Gateway must produce audit records containing information to establish the source of the events.
  • V-237354 (MEDIUM): The CA API Gateway must produce audit records containing information to establish the outcome of the events.
  • V-237355 (MEDIUM): The CA API Gateway must generate audit records containing information to establish the identity of any individual or process associated with the event.
  • V-237356 (MEDIUM): The CA API Gateway must protect audit information from unauthorized read access.
  • V-237357 (MEDIUM): The CA API Gateway must protect audit information from unauthorized deletion.
  • V-237358 (MEDIUM): The CA API Gateway must protect audit tools from unauthorized access.
  • V-237359 (MEDIUM): The CA API Gateway must not have unnecessary services and functions enabled.
  • V-237360 (MEDIUM): The CA API Gateway must be configured to remove or disable unrelated or unneeded application proxy services.
  • V-237361 (MEDIUM): The CA API Gateway must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services as defined in the PPSM CAL and vulnerability assessments.
  • V-237362 (MEDIUM): The CA API Gateway providing user authentication intermediary services must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
  • V-237363 (MEDIUM): The CA API Gateway providing user access control intermediary services must be configured with a pre-established trust relationship and mechanisms with appropriate authorities (e.g., Active Directory or AAA server) that validate user account access authorizations and privileges.
  • V-237364 (MEDIUM): The CA API Gateway providing user authentication intermediary services must restrict user authentication traffic to specific authentication server(s).
  • V-237365 (MEDIUM): The ALG providing user authentication intermediary services must use multifactor authentication for network access to non-privileged accounts.
  • V-237366 (MEDIUM): The CA API Gateway providing user authentication intermediary services must implement replay-resistant authentication mechanisms for network access to non-privileged accounts.
  • V-237367 (MEDIUM): The CA API Gateway providing PKI-based user authentication intermediary services must map authenticated identities to the user account.
  • V-237368 (MEDIUM): The CA API Gateway providing user authentication intermediary services must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).
  • V-237369 (MEDIUM): The CA API Gateway providing content filtering must block outbound traffic containing known and unknown Denial of Service (DoS) attacks to protect against the use of internal information systems to launch any DoS attacks against other networks or endpoints.
  • V-237370 (MEDIUM): The CA API Gateway must terminate all network connections associated with a Policy Manager session at the end of the session or as follows: for in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity within the Policy Manager, and for user sessions simply viewing the contents of Policy Manager or viewing Audit Logs for tracking purposes (non-privileged session), the session must be terminated after 15 minutes of inactivity.
  • V-237371 (MEDIUM): The CA API Gateway must detect, at a minimum, mobile code that is unsigned or exhibiting unusual behavior, has not undergone a risk assessment, or is prohibited for use based on a risk assessment.
  • V-237372 (MEDIUM): The CA API Gateway must protect the authenticity of communications sessions.
  • V-237373 (MEDIUM): The CA API Gateway must invalidate session identifiers upon user logout or other session termination.
  • V-237374 (MEDIUM): The CA API Gateway must generate unique session identifiers using a FIPS 140-2 approved random number generator.
  • V-237375 (MEDIUM): The CA API Gateway providing content filtering must integrate with an ICAP-enabled Intrusion Detection System that updates malicious code protection mechanisms and signature definitions whenever new releases are available in accordance with organizational configuration management policy and procedures.
  • V-237376 (MEDIUM): The CA API Gateway providing content filtering must be configured to perform real-time scans of files from external sources at network entry/exit points as they are downloaded and prior to being opened or executed.
  • V-237377 (MEDIUM): The CA API Gateway providing content filtering must block malicious code upon detection.
  • V-237378 (MEDIUM): The CA API Gateway providing content filtering must delete or quarantine malicious code in response to malicious code detection.
  • V-237379 (MEDIUM): The CA API Gateway providing content filtering must send an immediate (within seconds) alert to the system administrator, at a minimum, in response to malicious code detection.
  • V-237380 (MEDIUM): The CA API Gateway providing content filtering must automatically update malicious code protection mechanisms.
  • V-237381 (MEDIUM): The CA API Gateway must generate error messages that provide the information necessary for corrective actions without revealing information that could be exploited by adversaries.
  • V-237382 (MEDIUM): The CA API Gateway providing content filtering must block or restrict detected prohibited mobile code.
  • V-237383 (MEDIUM): The CA API Gateway providing content filtering must prevent the download of prohibited mobile code.
  • V-237384 (MEDIUM): The CA API Gateway providing intermediary services for remote access communications traffic must control remote access methods.
  • V-237385 (MEDIUM): To protect against data mining, the CA API Gateway providing content filtering must prevent code injection attacks from being launched against data storage objects, including, at a minimum, databases, database records, queries, and fields.
  • V-237386 (MEDIUM): To protect against data mining, the CA API Gateway providing content filtering must prevent code injection attacks launched against application objects including, at a minimum, application URLs and application code.
  • V-237387 (MEDIUM): To protect against data mining, the CA API Gateway providing content filtering must prevent SQL injection attacks launched against data storage objects, including, at a minimum, databases, database records, and database fields.
  • V-237388 (MEDIUM): To protect against data mining, the CA API Gateway providing content filtering must detect code injection attacks from being launched against data storage objects, including, at a minimum, databases, database records, queries, and fields.
  • V-237389 (MEDIUM): To protect against data mining, the CA API Gateway providing content filtering must detect SQL injection attacks launched against data storage objects, including, at a minimum, databases, database records, and database fields.
  • V-237390 (MEDIUM): To protect against data mining, the CA API Gateway providing content filtering as part of its intermediary services must detect code injection attacks launched against application objects including, at a minimum, application URLs and application code.
  • V-237391 (MEDIUM): The CA API Gateway must off-load audit records onto a centralized log server.
  • V-237392 (MEDIUM): The CA API Gateway providing user authentication intermediary services must require users to reauthenticate when organization-defined circumstances or situations require reauthentication.
  • V-237393 (MEDIUM): The CA API Gateway providing user authentication intermediary services must implement multifactor authentication for remote access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access.
  • V-237394 (MEDIUM): The CA API Gateway providing user authentication intermediary services must implement multifactor authentication for remote access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access.
  • V-237395 (MEDIUM): The CA API Gateway must prohibit the use of cached authenticators after an organization-defined time period.
  • V-237396 (MEDIUM): The CA API Gateway providing user authentication intermediary services using PKI-based user authentication must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network.
  • V-237397 (MEDIUM): The CA API Gateway providing user authentication intermediary services must conform to Federal Identity, Credential, and Access Management (FICAM) issued profiles.
  • V-237398 (MEDIUM): The CA API Gateway providing user authentication intermediary services using PKI-based user authentication must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of protected sessions.
  • V-237399 (MEDIUM): The CA API Gateway providing content filtering must protect against known and unknown types of Denial of Service (DoS) attacks by employing rate-based attack prevention behavior analysis.
  • V-237400 (MEDIUM): The CA API Gateway must implement load balancing to limit the effects of known and unknown types of Denial of Service (DoS) attacks.
  • V-237401 (MEDIUM): The CA API Gateway must only allow incoming communications from organization-defined authorized sources routed to organization-defined authorized destinations.
  • V-237402 (MEDIUM): The CA API Gateway must behave in a predictable and documented manner that reflects organizational and system objectives when invalid inputs are received.
  • V-237403 (MEDIUM): The CA API Gateway providing content filtering must be configured to integrate with a system-wide intrusion detection system.
  • V-237404 (MEDIUM): The CA API Gateway providing content filtering must send an alert to, at a minimum, the ISSO and ISSM when detection events occur.
  • V-237405 (MEDIUM): The CA API Gateway providing content filtering must generate a notification on the console when root-level intrusion events that attempt to provide unauthorized privileged access are detected.
  • V-237406 (LOW): The CA API Gateway providing content filtering must generate an alert to, at a minimum, the ISSO and ISSM when user-level intrusions that provide non-privileged access are detected.
  • V-237407 (LOW): The CA API Gateway providing content filtering must generate an alert to, at a minimum, the ISSO and ISSM when Denial of Service (DoS) incidents are detected.
  • V-237408 (MEDIUM): The ALG providing content filtering must generate an alert to, at a minimum, the ISSO and ISSM when new active propagation of malware infecting DoD systems or malicious code adversely affecting the operations and/or security of DoD systems is detected.
  • V-237409 (MEDIUM): The CA API Gateway providing user authentication intermediary services must transmit only encrypted representations of passwords.
  • V-237410 (MEDIUM): The CA API Gateway must check the validity of all data inputs except those specifically identified by the organization.
  • V-237411 (MEDIUM): The CA API Gateway must reveal error messages only to the ISSO, ISSM, and SCA.
  • V-237412 (MEDIUM): The CA API Gateway providing user access control intermediary services must generate audit records when successful/unsuccessful logon attempts occur.
  • V-237413 (MEDIUM): The CA API Gateway providing user access control intermediary services must generate audit records showing starting and ending time for user access to the system.
  • V-237414 (MEDIUM): The CA API Gateway providing encryption intermediary services must implement NIST FIPS-validated cryptography to generate cryptographic hashes.
  • V-237415 (MEDIUM): The CA API Gateway providing encryption intermediary services must implement NIST FIPS-validated cryptography for digital signatures.
  • V-237416 (MEDIUM): The CA API Gateway providing encryption intermediary services must use NIST FIPS-validated cryptography to implement encryption services.
  • V-237417 (MEDIUM): The CA API Gateway must off-load audit records onto a centralized log server in real time.
  • V-237418 (MEDIUM): The CA API Gateway that provides intermediary services for FTP must inspect inbound and outbound FTP communications traffic for protocol compliance and protocol anomalies.
  • V-237419 (MEDIUM): The CA API Gateway that provides intermediary services for HTTP must inspect inbound and outbound HTTP traffic for protocol compliance and protocol anomalies.
  • V-237420 (MEDIUM): The CA API Gateway providing user access control intermediary services must automatically terminate a user session when organization-defined conditions or trigger events that require a session disconnect occur.
  • V-237421 (MEDIUM): The CA API Gateway providing user access control intermediary services must provide a logoff capability for user-initiated communications sessions.
  • V-237422 (MEDIUM): The CA API Gateway providing user access control intermediary services must display an explicit logoff message to users indicating the reliable termination of authenticated communications sessions.
  • V-264434 (HIGH): The CA API ALG must be using a version supported by the vendor.