STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
Intrusion Detection and Prevention Systems Security Requirements Guide

Version: V3R4
Release Date: Sep 22, 2025
SCAP Benchmark ID: IDPS_SRG
Total Checks: 60
Tags: other
Severity breakdown: CAT I: 0, CAT II: 60, CAT III: 0

This Security Requirements Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Checks (60)

  • V-206864 [MEDIUM] The IPS must enforce approved authorizations by restricting or blocking the flow of harmful or suspicious communications traffic within the network.
  • V-206865 [MEDIUM] The IPS must restrict or block harmful or suspicious communications traffic between interconnected networks based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.
  • V-206866 [MEDIUM] The IDPS must immediately use updates made to policy filters, rules, signatures, and anomaly analysis algorithms for traffic detection and prevention functions.
  • V-206867 [MEDIUM] The IDPS must produce audit records containing sufficient information to establish what type of event occurred, including, at a minimum, event descriptions, policy filter, rule or signature invoked, port, protocol, and criticality level/alert code or description.
  • V-206868 [MEDIUM] The IDPS must produce audit records containing information to establish when (date and time) the events occurred.
  • V-206869 [MEDIUM] The IDPS must produce audit records containing information to establish where the event was detected, including, at a minimum, network segment, destination address, and IDPS component which detected the event.
  • V-206870 [MEDIUM] The IDPS must produce audit records containing information to establish the source of the event, including, at a minimum, originating source address.
  • V-206871 [MEDIUM] The IDPS must produce audit records containing information to establish the outcome of events associated with detected harmful or potentially harmful traffic, including, at a minimum, capturing all associated communications traffic.
  • V-206874 [MEDIUM] The IDPS must provide log information in a format that can be extracted and used by centralized analysis tools.
  • V-206875 [MEDIUM] The IDPS must provide audit record generation capability for detection events based on implementation of policy filters, rules, signatures, and anomaly analysis.
  • V-206876 [MEDIUM] The IDPS must provide audit record generation capability for events where communication traffic is blocked or restricted based on policy filters, rules, signatures, and anomaly analysis.
  • V-206877 [MEDIUM] The IDPS must provide audit record generation with a configurable severity and escalation level capability.
  • V-206878 [MEDIUM] The IDPS must be configured to remove or disable non-essential capabilities which are not required for operation or not related to IDPS functionality (e.g., DNS, email client or server, FTP server, or web server).
  • V-206879 [MEDIUM] The IDPS must be configured to remove or disable non-essential features, functions, and services of the IDPS application.
  • V-206880 [MEDIUM] The IDPS must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
  • V-206881 [MEDIUM] The IPS must block outbound traffic containing known and unknown denial-of-service (DoS) attacks by ensuring that security policies, signatures, rules, and anomaly detection techniques are applied to outbound communications traffic.
  • V-206882 [MEDIUM] The IDPS must detect, at a minimum, mobile code that is unsigned or exhibiting unusual behavior, has not undergone a risk assessment, or is prohibited for use based on a risk assessment.
  • V-206883 [MEDIUM] The IPS must block any prohibited mobile code at the enclave boundary when it is detected.
  • V-206884 [MEDIUM] The IDPS must fail to a secure state which maintains access control mechanisms when the IDPS hardware, software, or firmware fails on initialization/shutdown or experiences a sudden abort during normal operation.
  • V-206885 [MEDIUM] In the event of a failure of the IDPS function, the IDPS must save diagnostic information, log system messages, and load the most current security policies, rules, and signatures when restarted.
  • V-206887 [MEDIUM] The IDPS must automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management procedures.
  • V-206888 [MEDIUM] The IDPS must perform real-time monitoring of files from external sources at network entry/exit points.
  • V-206889 [MEDIUM] The IPS must block malicious code.
  • V-206890 [MEDIUM] The IPS must quarantine or block malicious code.
  • V-206891 [MEDIUM] The IDPS must send an immediate (within seconds) alert to, at a minimum, the system administrator when malicious code is detected.
  • V-206892 [MEDIUM] The IDPS must automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy.
  • V-206893 [MEDIUM] The IPS must block outbound Internet Control Message Protocol (ICMP) Destination Unreachable, Redirect, and Address Mask reply messages.
  • V-206894 [MEDIUM] The IPS must block malicious Internet Control Message Protocol (ICMP) packets by properly configuring ICMP signatures and rules.
  • V-206895 [MEDIUM] To protect against unauthorized data mining, the IPS must prevent code injection attacks launched against data storage objects, including, at a minimum, databases, database records, queries, and fields.
  • V-206896 [MEDIUM] To protect against unauthorized data mining, the IPS must prevent code injection attacks launched against application objects including, at a minimum, application URLs and application code.
  • V-206897 [MEDIUM] To protect against unauthorized data mining, the IPS must prevent SQL injection attacks launched against data storage objects, including, at a minimum, databases, database records, and database fields.
  • V-206898 [MEDIUM] To protect against unauthorized data mining, the IDPS must detect code injection attacks launched against data storage objects, including, at a minimum, databases, database records, queries, and fields.
  • V-206899 [MEDIUM] To protect against unauthorized data mining, the IDPS must detect code injection attacks launched against application objects including, at a minimum, application URLs and application code.
  • V-206900 [MEDIUM] To protect against unauthorized data mining, the IDPS must detect SQL injection attacks launched against data storage objects, including, at a minimum, databases, database records, and database fields.
  • V-206902 [MEDIUM] The IDPS must off-load log records to a centralized log server.
  • V-206903 [MEDIUM] The IDPS must provide an alert to, at a minimum, the system administrator and ISSO when any audit failure events occur.
  • V-206904 [MEDIUM] The IDPS must assign a critical severity level to all audit processing failures.
  • V-206905 [MEDIUM] The IPS must protect against or limit the effects of known and unknown types of denial-of-service (DoS) attacks by employing rate-based attack prevention behavior analysis.
  • V-206906 [MEDIUM] The IPS must protect against or limit the effects of known and unknown types of denial-of-service (DoS) attacks by employing anomaly-based attack detection.
  • V-206907 [MEDIUM] The IPS must protect against or limit the effects of known types of denial-of-service (DoS) attacks by employing signatures.
  • V-206909 [MEDIUM] IDPS components, including sensors, event databases, and management consoles must integrate with a network-wide monitoring capability.
  • V-206910 [MEDIUM] The IDPS must detect network services that have not been authorized or approved by the ISSO or ISSM, at a minimum.
  • V-206911 [MEDIUM] The IDPS must generate a log record when unauthorized network services are detected.
  • V-206912 [MEDIUM] The IDPS must generate an alert to the ISSM and ISSO, at a minimum, when unauthorized network services are detected.
  • V-206913 [MEDIUM] The IDPS must continuously monitor inbound communications traffic for unusual/unauthorized activities or conditions.
  • V-206914 [MEDIUM] The IDPS must continuously monitor outbound communications traffic for unusual/unauthorized activities or conditions.
  • V-206915 [MEDIUM] The IDPS must send an alert to, at a minimum, the information system security manager (ISSM) and information system security officer (ISSO) when intrusion detection events are detected which indicate a compromise or potential for compromise.
  • V-206916 [MEDIUM] The IDPS must send an alert to, at a minimum, the ISSM and ISSO when threats identified by authoritative sources (e.g., IAVMs or CTOs) are detected which indicate a compromise or potential for compromise.
  • V-206917 [MEDIUM] The IDPS must generate an alert to, at a minimum, the ISSM and ISSO when root level intrusion events which provide unauthorized privileged access are detected.
  • V-206918 [MEDIUM] The IDPS must send an alert to, at a minimum, the ISSM and ISSO when user level intrusions which provide non-privileged access are detected.
  • V-206919 [MEDIUM] The IDPS must send an alert to, at a minimum, the ISSM and ISSO when denial of service incidents are detected.
  • V-206920 [MEDIUM] The IDPS must generate an alert to, at a minimum, the ISSM and ISSO when new active propagation of malware infecting DoD systems or malicious code adversely affecting the operations and/or security of DoD systems is detected.
  • V-206921 [MEDIUM] The IDPS must, for fragmented packets, either block the packets or properly reassemble the packets before inspecting and forwarding.
  • V-206922 [MEDIUM] The IDPS must off-load log records to a centralized log server in real-time.
  • V-206923 [MEDIUM] The IDPS must be configured in accordance with the security configuration settings based on DoD security policy and technology-specific security best practices.
  • V-263663 [MEDIUM] The IDPS must employ organization-defined controls by type of denial-of-service (DoS) to achieve the DoS objective.
  • V-263664 [MEDIUM] The IDPS must implement physically or logically separate subnetworks to isolate organization-defined critical system components and functions.
  • V-263665 [MEDIUM] The IDPS must establish organization-defined alternate communications paths for system operations organizational command and control.
  • V-278978 [MEDIUM] The IDPS must use organization-defined security attributes associated with organization-defined information, source, and destination objects to enforce organization-defined information flow control policies as a basis for flow control decisions.
  • V-278979 [MEDIUM] The IDPS must provide visibility into network traffic at external and key internal system interfaces to optimize the effectiveness of monitoring devices.