
F5 BIG-IP Device Management Security Technical Implementation Guide

Version: V2R4
Release Date: Dec 19, 2024
SCAP Benchmark ID: F5_BIG-IP_Device_Management_11-x_STIG
Total Checks: 75
Tags: other
Severity breakdown: CAT I: 5, CAT II: 63, CAT III: 7

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Checks (75)

V-217381 (MEDIUM) The BIG-IP appliance must limit the number of concurrent sessions to the Configuration Utility to 10 or an organization-defined number.
V-217383 (MEDIUM) The BIG-IP appliance must automatically audit account creation.
V-217384 (MEDIUM) The BIG-IP appliance must automatically audit account modification.
V-217385 (MEDIUM) The BIG-IP appliance must automatically audit account-disabling actions.
V-217386 (MEDIUM) The BIG-IP appliance must automatically audit account removal actions.
V-217387 (HIGH) The BIG-IP appliance must be configured to enforce the assigned privilege level for each administrator and authorizations for access to all commands relative to the privilege level in accordance with applicable policy for the device.
V-217388 (MEDIUM) The BIG-IP appliance must be configured to enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.
V-217389 (LOW) The BIG-IP appliance must be configured to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the device.
V-217390 (MEDIUM) The BIG-IP appliance must be configured to protect against an individual (or process acting on behalf of an individual) falsely denying having performed system configuration changes.
V-217392 (MEDIUM) The BIG-IP appliance must be configured to protect audit information from unauthorized modification.
V-217393 (MEDIUM) The BIG-IP appliance must be configured to protect audit information from unauthorized deletion.
V-217394 (MEDIUM) The BIG-IP appliance must be configured to protect audit tools from unauthorized access.
V-217396 (MEDIUM) The BIG-IP appliance must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and vulnerability assessments.
V-217397 (MEDIUM) The BIG-IP appliance must be configured to ensure administrators are authenticated with an individual authenticator prior to using a group authenticator.
V-217398 (MEDIUM) The BIG-IP appliance must be configured to enforce a minimum 15-character password length.
V-217399 (MEDIUM) If multifactor authentication is not supported and passwords must be used, the BIG-IP appliance must enforce password complexity by requiring that at least one upper-case character be used.
V-217400 (MEDIUM) If multifactor authentication is not supported and passwords must be used, the BIG-IP appliance must enforce password complexity by requiring that at least one lower-case character be used.
V-217401 (MEDIUM) If multifactor authentication is not supported and passwords must be used, the BIG-IP appliance must enforce password complexity by requiring that at least one numeric character be used.
V-217402 (MEDIUM) If multifactor authentication is not supported and passwords must be used, the BIG-IP appliance must enforce password complexity by requiring that at least one special character be used.
V-217403 (MEDIUM) If multifactor authentication is not supported and passwords must be used, the BIG-IP appliance must require that when a password is changed, the characters are changed in at least eight (8) of the positions within the password.
V-217404 (MEDIUM) The BIG-IP appliance must only store encrypted representations of passwords.
V-217405 (MEDIUM) The BIG-IP appliance must only transmit encrypted representations of passwords.
V-217406 (MEDIUM) The BIG-IP appliance must be configured to obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
V-217407 (MEDIUM) The BIG-IP appliance must be configured to use mechanisms meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
V-217408 (HIGH) The BIG-IP appliance must be configured to terminate all management sessions after 10 minutes of inactivity.
V-217410 (MEDIUM) The BIG-IP appliance must be configured to automatically audit account-enabling actions.
V-217411 (MEDIUM) The BIG-IP appliance must be configured to enforce organization-defined role-based access control policies over defined subjects and objects.
V-217413 (MEDIUM) The BIG-IP appliance must be configured to allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.
V-217414 (MEDIUM) The BIG-IP appliance must be configured to synchronize internal information system clocks with the primary and secondary time sources located in different geographic regions using redundant authoritative time sources.
V-217415 (MEDIUM) The BIG-IP appliance must be configured to enforce access restrictions associated with changes to device configuration.
V-217416 (MEDIUM) The BIG-IP appliance must be configured to audit the enforcement actions used to restrict access associated with changes to the device.
V-217417 (HIGH) The BIG-IP appliance must be configured to protect against or limit the effects of all known types of Denial of Service (DoS) attacks on the BIG-IP appliance management network by limiting the number of concurrent sessions.
V-217418 (MEDIUM) The BIG-IP appliance must be configured to off-load audit records onto a different system or media than the system being audited.
V-217419 (MEDIUM) The BIG-IP appliance must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
V-217420 (MEDIUM) The BIG-IP appliance must be configured to employ automated mechanisms to centrally manage authentication settings.
V-217421 (LOW) The BIG-IP appliance must create backups of system-level information contained in the information system when changes occur or weekly, whichever is sooner.
V-217422 (MEDIUM) The BIG-IP appliance must be configured to create backups of information system documentation, including security-related documentation, when changes occur or weekly, whichever is sooner.
V-217423 (MEDIUM) The BIG-IP appliance must be configured to obtain its public key certificates from an appropriate certificate policy through a DoD-approved service provider.
V-217424 (MEDIUM) The F5 BIG-IP must ensure SSH is disabled for root user logon to prevent remote access using the root account.
V-228978 (MEDIUM) The BIG-IP appliance must provide automated support for account management functions.
V-228979 (MEDIUM) The BIG-IP appliance must automatically remove or disable temporary user accounts after 72 hours.
V-228980 (MEDIUM) The BIG-IP appliance must automatically disable accounts after a 35-day period of account inactivity.
V-228981 (MEDIUM) Upon successful logon, the BIG-IP appliance must be configured to notify the administrator of the date and time of the last logon.
V-228982 (MEDIUM) Upon successful logon, the BIG-IP appliance must be configured to notify the administrator of the number of unsuccessful logon attempts since the last successful logon.
V-228983 (LOW) The BIG-IP appliance must be configured to alert the ISSO and SA (at a minimum) in the event of an audit processing failure.
V-228985 (MEDIUM) The BIG-IP appliance must be configured to protect audit information from any type of unauthorized read access.
V-228987 (MEDIUM) The BIG-IP appliance must be configured to use NIAP evaluated cryptographic mechanisms to protect the integrity of audit information at rest.
V-228988 (HIGH) The BIG-IP appliance must be configured to uniquely identify and authenticate organizational administrators (or processes acting on behalf of organizational administrators).
V-228989 (MEDIUM) The BIG-IP appliance must be configured to prohibit password reuse for a minimum of five generations.
V-228990 (MEDIUM) The BIG-IP appliance must be configured to enforce 24 hours/1 day as the minimum password lifetime.
V-228991 (MEDIUM) The BIG-IP appliance must be configured to enforce a 60-day maximum password lifetime restriction.
V-228992 (MEDIUM) The BIG-IP appliance must be configured to automatically remove or disable emergency accounts after 72 hours.
V-228993 (MEDIUM) The application must be configured to reveal error messages only to authorized individuals (ISSO, ISSM, and SA).
V-228994 (MEDIUM) The BIG-IP appliance must be configured to activate a system alert message, send an alarm, and/or automatically shut down when a component failure is detected.
V-228995 (MEDIUM) The BIG-IP appliance must be configured to generate alerts that can be forwarded to the administrators and Information System Security Officer (ISSO) when accounts are created.
V-228996 (MEDIUM) The BIG-IP appliance must be configured to generate alerts that can be forwarded to the administrators and Information System Security Officer (ISSO) when accounts are modified.
V-228997 (MEDIUM) The BIG-IP appliance must be configured to generate alerts that can be forwarded to the administrators and Information System Security Officer (ISSO) when accounts are disabled.
V-228998 (MEDIUM) The BIG-IP appliance must be configured to generate alerts that can be forwarded to the administrators and Information System Security Officer (ISSO) when accounts are removed.
V-229000 (MEDIUM) The BIG-IP appliance must be configured to generate an immediate alert for account-enabling actions.
V-229001 (MEDIUM) The BIG-IP appliance must be configured to transmit access authorization information using approved security safeguards to authorized information systems that enforce access control decisions.
V-229002 (MEDIUM) The BIG-IP appliance must be configured to automatically lock the account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are exceeded.
V-229003 (LOW) The BIG-IP appliance must be configured to notify the administrator, upon successful logon (access), of the location of last logon (terminal or IP address) in addition to the date and time of the last logon (access).
V-229005 (LOW) The BIG-IP appliance must be configured to generate an immediate alert when allocated audit record storage volume reaches 75% of repository maximum audit record storage capacity.
V-229006 (MEDIUM) The BIG-IP appliance must be configured to implement automated security responses if baseline configurations are changed in an unauthorized manner.
V-229007 (MEDIUM) The BIG-IP appliance must be configured to dynamically manage user accounts.
V-229008 (MEDIUM) The BIG-IP appliance must be configured to allow the use of a temporary password for system logons with an immediate change to a permanent password.
V-229009 (LOW) The BIG-IP appliance must be configured to notify the administrator of the number of successful logon attempts occurring during an organization-defined time period.
V-229010 (MEDIUM) The BIG-IP appliance must be configured to use automated mechanisms to alert security personnel to threats identified by authoritative sources (e.g., CTOs) and IAW with CJCSM 6510.01B.
V-229011 (MEDIUM) The BIG-IP appliance must be configured to employ automated mechanisms to centrally apply authentication settings.
V-229012 (MEDIUM) The BIG-IP appliance must be configured to employ automated mechanisms to centrally verify authentication settings.
V-229013 (MEDIUM) The BIG-IP appliance must be configured to employ automated mechanisms to assist in the tracking of security incidents.
V-230217 (LOW) If the BIG-IP appliance is being used to authenticate users for web applications, the HTTPOnly flag must be set.
V-259332 (MEDIUM) The F5 BIG-IP appliance must be configured to restrict a consistent inbound IP for the entire management session.
V-260049 (MEDIUM) The F5 BIG-IP appliance providing user access control intermediary services must display the Standard Mandatory DOD-approved Notice and Consent Banner before granting access to SSH.
V-270898 (HIGH) The version of F5 BIG-IP must be a supported version.
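Several of the checks above carry a concrete value in their title (15-character minimum, lockout after three failures, five password generations, 1-day minimum and 60-day maximum lifetime, ten concurrent Configuration Utility sessions, 10-minute idle timeout, no root SSH logon). The following is an added example, not part of the STIG, of STIGhub, or of any F5 tooling: it parses the brace-delimited output of `tmsh list` and scores each of those items as pass, fail or missing, and it carries a weak (default-like) configuration beside a remediated one. The object and attribute names (`auth password-policy` with `minimum-length`, `max-login-failures`, `password-memory`, `min-duration`, `max-duration`, `policy-enforcement` and `required-*`; `sys httpd` with `max-clients` and `auth-pam-idle-timeout`; `sys sshd` with `inactivity-timeout`; `sys db systemauth.disablerootlogin`) are tmsh names as the author knows them and are an assumption here; confirm them with `tmsh list` on your TMOS release. Both configuration samples are constructed. The remaining checks on this page need the STIG's own check text and manual review; this script does not cover them.

```python
"""Score tmsh output against the value-bearing F5 BIG-IP Device Management
STIG items. Added example; object/attribute names are assumed tmsh names,
not taken from the STIG text, and the samples below are constructed."""

# Constructed sample shaped like the concatenated output of `tmsh list auth
# password-policy`, `tmsh list sys httpd`, `tmsh list sys sshd` and
# `tmsh list sys db systemauth.disablerootlogin` on an unhardened device.
WEAK = """\
auth password-policy {
    max-duration 99999
    max-login-failures 0
    min-duration 1
    minimum-length 6
    password-memory 0
    policy-enforcement disabled
    required-lowercase 0
    required-numeric 0
    required-special 0
    required-uppercase 1
}
sys httpd {
    auth-pam-idle-timeout 1200
    max-clients 10
}
sys sshd {
    inactivity-timeout 0
}
sys db systemauth.disablerootlogin {
    value "false"
}
"""

# The same objects remediated to the values the STIG check titles state.
HARDENED = (WEAK
    .replace("max-duration 99999", "max-duration 60")
    .replace("max-login-failures 0", "max-login-failures 3")
    .replace("minimum-length 6", "minimum-length 15")
    .replace("password-memory 0", "password-memory 5")
    .replace("policy-enforcement disabled", "policy-enforcement enabled")
    .replace("required-lowercase 0", "required-lowercase 1")
    .replace("required-numeric 0", "required-numeric 1")
    .replace("required-special 0", "required-special 1")
    .replace("auth-pam-idle-timeout 1200", "auth-pam-idle-timeout 600")
    .replace("inactivity-timeout 0", "inactivity-timeout 600")
    .replace('value "false"', 'value "true"'))


def parse_tmsh(text):
    """Map each brace-delimited tmsh object to its {attribute: value} dict."""
    objects, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("{"):
            current = line[:-1].strip()
            objects[current] = {}
        elif line == "}":
            current = None
        elif current is not None and line:
            key, _, value = line.partition(" ")
            objects[current][key] = value.strip().strip('"')
    return objects


def _within(lo, hi):
    # tmsh uses 0 for "never"/"unlimited" on timers and counters, so every
    # upper-bound rule also needs a lower bound: 0 must not satisfy "<= 600".
    return lambda v: lo <= int(v) <= hi


def _at_least(n):
    return lambda v: int(v) >= n


# (STIG ID, tmsh object, attribute, predicate, requirement from the title)
RULES = [
    ("V-217381", "sys httpd", "max-clients", _within(1, 10), "max 10 GUI sessions"),
    ("V-217388", "auth password-policy", "max-login-failures", _within(1, 3), "lock after 3 failures"),
    ("V-217398", "auth password-policy", "policy-enforcement", lambda v: v == "enabled", "policy enforced"),
    ("V-217398", "auth password-policy", "minimum-length", _at_least(15), "15-character minimum"),
    ("V-217399", "auth password-policy", "required-uppercase", _at_least(1), "one upper-case"),
    ("V-217400", "auth password-policy", "required-lowercase", _at_least(1), "one lower-case"),
    ("V-217401", "auth password-policy", "required-numeric", _at_least(1), "one numeric"),
    ("V-217402", "auth password-policy", "required-special", _at_least(1), "one special"),
    ("V-217408", "sys httpd", "auth-pam-idle-timeout", _within(1, 600), "GUI idle <= 10 min"),
    ("V-217408", "sys sshd", "inactivity-timeout", _within(1, 600), "SSH idle <= 10 min"),
    ("V-217424", "sys db systemauth.disablerootlogin", "value", lambda v: v == "true", "no root SSH"),
    ("V-228989", "auth password-policy", "password-memory", _at_least(5), "5 generations"),
    ("V-228990", "auth password-policy", "min-duration", _at_least(1), "1-day minimum lifetime"),
    ("V-228991", "auth password-policy", "max-duration", _within(1, 60), "60-day maximum lifetime"),
]

_RANK = {"pass": 0, "missing": 1, "fail": 2}


def evaluate(text):
    """Return {stig_id: "pass"|"fail"|"missing"}; the worst rule result wins per ID."""
    objects, status = parse_tmsh(text), {}
    for stig_id, obj, attr, ok, _ in RULES:
        value = objects.get(obj, {}).get(attr)
        result = "missing" if value is None else ("pass" if ok(value) else "fail")
        if _RANK[result] >= _RANK[status.get(stig_id, "pass")]:
            status[stig_id] = result
    return status


def failing_ids(text):
    """Sorted STIG IDs that are not fully passing (fail or missing)."""
    return sorted(k for k, v in evaluate(text).items() if v != "pass")


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, failing_ids(cfg) or "all listed items pass")
```

On a live device the input would be the output of the four `tmsh list` commands named in the sample comment, for example piped in from `tmsh -q list ...`; the parser only relies on the `name {` / `attribute value` / `}` shape of that output, so additional attributes the device prints are ignored rather than misread.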