STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.


IBM DataPower Network Device Management Security Technical Implementation Guide

  • Version: V1R2
  • Release Date: Oct 5, 2017
  • SCAP Benchmark ID: IBM_DataPower_NDM_STIG
  • Total Checks: 64
  • Tags: network
  • Severity breakdown: CAT I: 2, CAT II: 56, CAT III: 6

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.


Checks (64)

  • V-64981 (MEDIUM): The DataPower Gateway must enforce the assigned privilege level for each administrator and authorizations for access to all commands relative to the privilege level in accordance with applicable policy for the device.
  • V-65063 (MEDIUM): The DataPower Gateway must enforce approved authorizations for controlling the flow of management information within DataPower based on information flow control policies.
  • V-65065 (LOW): The DataPower Gateway must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the device.
  • V-65067 (MEDIUM): The DataPower Gateway must retain the Standard Mandatory DoD Notice and Consent Banner on the screen until the administrator acknowledges the usage conditions and takes explicit actions to log on for further access.
  • V-65069 (MEDIUM): The DataPower Gateway must provide audit record generation capability for DoD-defined auditable events within DataPower.
  • V-65071 (MEDIUM): The DataPower Gateway must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.
  • V-65073 (MEDIUM): The DataPower Gateway must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.
  • V-65075 (MEDIUM): The DataPower Gateway must protect audit information from any type of unauthorized read access.
  • V-65077 (MEDIUM): The DataPower Gateway must protect audit tools from unauthorized access.
  • V-65079 (MEDIUM): The DataPower Gateway must protect audit tools from unauthorized modification.
  • V-65081 (MEDIUM): The DataPower Gateway must protect audit tools from unauthorized deletion.
  • V-65083 (LOW): The DataPower Gateway must back up audit records at least every seven days onto a different system or system component than the system or component being audited.
  • V-65085 (MEDIUM): The DataPower Gateway must prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization.
  • V-65087 (MEDIUM): The DataPower Gateway must limit privileges to change the software resident within software libraries.
  • V-65089 (MEDIUM): The DataPower Gateway must have SSH and web management bound to the management interface and Telnet disabled.
  • V-65091 (MEDIUM): The DataPower Gateway must enforce a minimum 15-character password length.
  • V-65093 (MEDIUM): The DataPower Gateway must prohibit password reuse for a minimum of five generations.
  • V-65095 (MEDIUM): If multifactor authentication is not supported and passwords must be used, the DataPower Gateway must enforce password complexity by requiring that at least one upper-case character be used.
  • V-65097 (MEDIUM): If multifactor authentication is not supported and passwords must be used, the DataPower Gateway must enforce password complexity by requiring that at least one lower-case character be used.
  • V-65099 (MEDIUM): If multifactor authentication is not supported and passwords must be used, the DataPower Gateway must enforce password complexity by requiring that at least one numeric character be used.
  • V-65101 (MEDIUM): If multifactor authentication is not supported and passwords must be used, the DataPower Gateway must enforce password complexity by requiring that at least one special character be used.
  • V-65103 (MEDIUM): The DataPower Gateway must map the authenticated identity to the user account for PKI-based authentication.
  • V-65105 (MEDIUM): The DataPower Gateway must use mechanisms meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
  • V-65107 (HIGH): The DataPower Gateway must terminate all network connections associated with a device management session at the end of the session, or the session must be terminated after 10 minutes of inactivity except to fulfill documented and validated mission requirements.
  • V-65109 (MEDIUM): The DataPower Gateway must generate unique session identifiers using a FIPS 140-2 approved random number generator.
  • V-65111 (MEDIUM): The DataPower Gateway must activate a system alert message, send an alarm, and/or automatically shut down when a component failure is detected.
  • V-65113 (MEDIUM): The DataPower Gateway must generate alerts that can be forwarded to the administrators and ISSO when accounts are created.
  • V-65115 (MEDIUM): The DataPower Gateway must generate alerts that can be forwarded to the administrators and ISSO when accounts are modified.
  • V-65117 (MEDIUM): The DataPower Gateway must generate alerts that can be forwarded to the administrators and ISSO when accounts are disabled.
  • V-65119 (MEDIUM): The DataPower Gateway must generate alerts that can be forwarded to the administrators and ISSO when accounts are removed.
  • V-65121 (MEDIUM): The DataPower Gateway must automatically terminate a network administrator session after organization-defined conditions or trigger events requiring session disconnect.
  • V-65123 (MEDIUM): The DataPower Gateway must provide a logout capability for administrator-initiated communication sessions.
  • V-65125 (MEDIUM): The DataPower Gateway must display an explicit logout message to administrators indicating the reliable termination of authenticated communications sessions.
  • V-65127 (MEDIUM): The DataPower Gateway must automatically audit account enabling actions.
  • V-65129 (MEDIUM): The DataPower Gateway must generate an immediate alert for account enabling actions.
  • V-65131 (MEDIUM): The DataPower Gateway must be compliant with at least one IETF standard authentication protocol.
  • V-65135 (MEDIUM): If the DataPower Gateway uses discretionary access control, the DataPower Gateway must enforce organization-defined discretionary access control policies over defined subjects and objects.
  • V-65137 (MEDIUM): If the DataPower Gateway uses role-based access control, the DataPower Gateway must enforce role-based access control policies over defined subjects and objects.
  • V-65139 (MEDIUM): The DataPower Gateway must audit the execution of privileged functions.
  • V-65141 (MEDIUM): The DataPower Gateway must provide the capability for organization-identified individuals or roles to change the auditing to be performed based on all selectable event criteria within near-real-time.
  • V-65143 (MEDIUM): The DataPower Gateway must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.
  • V-65145 (LOW): The DataPower Gateway must generate an immediate alert when allocated audit record storage volume reaches 75% of repository maximum audit record storage capacity.
  • V-65147 (LOW): The DataPower Gateway must generate an immediate real-time alert of all audit failure events.
  • V-65149 (LOW): The DataPower Gateway must compare internal information system clocks at least every 24 hours with an authoritative time server.
  • V-65151 (LOW): The DataPower Gateway must synchronize internal information system clocks to the authoritative time source when the time difference is greater than one second.
  • V-65153 (MEDIUM): The DataPower Gateway must be configured to synchronize internal information system clocks with the primary and secondary time sources located in different geographic regions using redundant authoritative time sources.
  • V-65155 (MEDIUM): The DataPower Gateway must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
  • V-65157 (MEDIUM): The DataPower Gateway must implement organization-defined automated security responses if baseline configurations are changed in an unauthorized manner.
  • V-65159 (MEDIUM): The DataPower Gateway must enforce access restrictions associated with changes to device configuration.
  • V-65161 (MEDIUM): The DataPower Gateway must audit the enforcement actions used to restrict access associated with changes to the device.
  • V-65163 (MEDIUM): The DataPower Gateway must require users to re-authenticate when privilege escalation or role changes occur.
  • V-65165 (HIGH): The DataPower Gateway must use SNMPv3.
  • V-65167 (MEDIUM): The DataPower Gateway must prohibit the use of cached authenticators after an organization-defined time period.
  • V-65169 (MEDIUM): The IBM DataPower Gateway must only allow the use of protocols that implement cryptographic mechanisms to protect the integrity and confidentiality of management communications.
  • V-65171 (MEDIUM): The DataPower Gateway must off-load audit records onto a different system or media than the system being audited.
  • V-65173 (MEDIUM): The DataPower Gateway must use automated mechanisms to alert security personnel to threats identified by authoritative sources (e.g., CTOs) and in accordance with CJCSM 6510.01B.
  • V-65175 (MEDIUM): The DataPower Gateway must generate audit log events for a locally developed list of auditable events.
  • V-65177 (MEDIUM): The DataPower Gateway must employ automated mechanisms to centrally manage authentication settings.
  • V-65179 (MEDIUM): The DataPower Gateway must employ automated mechanisms to centrally apply authentication settings.
  • V-65181 (MEDIUM): The DataPower Gateway must employ automated mechanisms to centrally verify authentication settings.
  • V-65183 (MEDIUM): The DataPower Gateway must support organizational requirements to conduct backups of system level information contained in the information system when changes occur or weekly, whichever is sooner.
  • V-65185 (MEDIUM): The DataPower Gateway must employ automated mechanisms to assist in the tracking of security incidents.
  • V-65187 (MEDIUM): The DataPower Gateway must obtain its public key certificates from an appropriate certificate policy through an approved service provider.
  • V-65189 (MEDIUM): The DataPower Gateway must not use 0.0.0.0 as the management IP address.