
STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.


IBM MQ Appliance V9.0 AS Security Technical Implementation Guide

Version: V1R2
Release Date: Jun 25, 2024
SCAP Benchmark ID: IBM_MQ_Appliance_V9-0_AS_STIG
Total Checks: 43
Tags: other
CAT I: 1, CAT II: 39, CAT III: 3

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Checks (43)

  • V-255775 [MEDIUM] The MQ Appliance messaging server must protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.
  • V-255776 [MEDIUM] The MQ Appliance messaging server must implement cryptography mechanisms to protect the integrity of the remote access session.
  • V-255777 [MEDIUM] The MQ Appliance messaging server must off-load log records onto a different system or media from the system being logged.
  • V-255778 [LOW] The MQ Appliance messaging server must synchronize internal MQ Appliance messaging server clocks to an authoritative time source when the time difference is greater than the organization-defined time period.
  • V-255779 [LOW] The MQ Appliance messaging server must compare internal MQ Appliance messaging server clocks at least every 24 hours with an authoritative time source.
  • V-255780 [MEDIUM] The MQ Appliance messaging server must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
  • V-255781 [MEDIUM] The MQ Appliance WebGUI interface to the messaging server must prohibit the use of cached authenticators after one hour.
  • V-255782 [MEDIUM] The MQ Appliance messaging server must produce log records containing information to establish what type of events occurred.
  • V-255783 [MEDIUM] The MQ Appliance messaging server must identify potentially security-relevant error conditions.
  • V-255784 [MEDIUM] The MQ Appliance messaging server must provide access logging that ensures users who are granted a privileged role (or roles) have their privileged activity logged.
  • V-255785 [MEDIUM] The MQ Appliance messaging server must alert the SA and ISSO, at a minimum, in the event of a log processing failure.
  • V-255786 [MEDIUM] The MQ Appliance messaging server must provide an immediate warning to the SA and ISSO, at a minimum, when allocated log record storage volume reaches 75% of maximum log record storage capacity.
  • V-255787 [MEDIUM] The MQ Appliance messaging server must protect against or limit the effects of all types of Denial of Service (DoS) attacks by employing operationally-defined security safeguards.
  • V-255788 [MEDIUM] The MQ Appliance messaging server must automatically terminate a SSH user session after organization-defined conditions or trigger events requiring a session disconnect.
  • V-255789 [MEDIUM] The MQ Appliance must automatically terminate a WebGUI user session after 600 seconds of idle time.
  • V-255790 [MEDIUM] The MQ Appliance SSH interface to the messaging server must prohibit the use of cached authenticators after 600 seconds.
  • V-255791 [MEDIUM] The MQ Appliance messaging server must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected (messaging) sessions.
  • V-255792 [MEDIUM] The version of MQ Appliance messaging server running on the system must be a supported version.
  • V-255793 [MEDIUM] The MQ Appliance messaging server must use DoD- or CNSS-approved PKI Class 3 or Class 4 certificates.
  • V-255794 [LOW] The MQ Appliance messaging server must accept FICAM-approved third-party credentials.
  • V-255795 [MEDIUM] The MQ Appliance messaging server must provide a log reduction capability that supports on-demand reporting requirements.
  • V-255796 [MEDIUM] The MQ Appliance messaging server must be configured to fail over to another system in the event of log subsystem failure.
  • V-255797 [MEDIUM] The MQ Appliance messaging server must uniquely identify all network-connected endpoint devices before establishing any connection.
  • V-255798 [MEDIUM] Access to the MQ Appliance messaging server must utilize encryption when using LDAP for authentication.
  • V-255799 [MEDIUM] The MQ Appliance messaging server must map the authenticated identity to the individual messaging user or group account for PKI-based authentication.
  • V-255800 [MEDIUM] The MQ Appliance must disable identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.
  • V-255801 [MEDIUM] The MQ Appliance messaging server must use an enterprise user management system to uniquely identify and authenticate users (or processes acting on behalf of organizational users).
  • V-255802 [MEDIUM] The MQ Appliance messaging server management interface must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.
  • V-255803 [MEDIUM] The MQ Appliance messaging server must generate log records for access and authentication events.
  • V-255804 [MEDIUM] The MQ Appliance messaging server must ensure authentication of both SSH client and server during the entire session.
  • V-255805 [MEDIUM] The MQ Appliance messaging server must generate a unique session identifier using a FIPS 140-2 approved random number generator.
  • V-255806 [MEDIUM] The MQ Appliance messaging server must authenticate all network-connected endpoint devices before establishing any connection.
  • V-255807 [HIGH] The MQ Appliance messaging server must authenticate all endpoint devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based.
  • V-255808 [MEDIUM] MQ Appliance messaging servers must use NIST-approved or NSA-approved key management technology and processes.
  • V-255809 [MEDIUM] The MQ Appliance messaging server must utilize FIPS 140-2 approved encryption modules when authenticating users and processes.
  • V-255810 [MEDIUM] The MQ Appliance messaging server must protect the confidentiality and integrity of transmitted information through the use of an approved TLS version.
  • V-255811 [MEDIUM] The MQ Appliance messaging server must remove all export ciphers to protect the confidentiality and integrity of transmitted information.
  • V-255812 [MEDIUM] The MQ Appliance messaging server must employ approved cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission.
  • V-255813 [MEDIUM] The MQ Appliance messaging server must provide a clustering capability.
  • V-255814 [MEDIUM] The MQ Appliance messaging server must provide centralized management and configuration of the content to be captured in log records generated by all application components.
  • V-255815 [MEDIUM] The MQ Appliance messaging server must, at a minimum, transfer the logs of interconnected systems in real time, and transfer the logs of standalone systems weekly.
  • V-255816 [MEDIUM] The MQ Appliance messaging server must use encryption strength in accordance with the categorization of the management data during remote access management sessions.
  • V-255817 [MEDIUM] The MQ Appliance messaging server, when categorized as a high level system, must be in a high-availability (HA) cluster.