STIGs Search Compare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

Browse STIGs
Search
Compare Versions

Resources

About
Release Notes
VPAT
DISA STIG Library

STIGs updated 3 hours ago

Powered by Pylon

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

← Back to STIGs

Network Device Management Security Requirements Guide

Version

V5R4

Release Date

Sep 10, 2025

SCAP Benchmark ID

Network_Device_Management_SRG

Total Checks

105

Tags

network

CAT I: 18CAT II: 87CAT III: 0

This Security Requirements Guide (SRG) is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the NIST 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.

Export CKL Export CSV Export JSON Download STIG ZIP

Checks (105)

V-202006MEDIUMThe network device must conceal, via the session lock, information previously visible on the display with a publicly viewable image.V-202007MEDIUMThe network device must initiate a session lock after a 15-minute period of inactivity.V-202008MEDIUMThe network device must be configured to enable network administrators to directly initiate a session lock.V-202009MEDIUMThe network device must retain the session lock until the administrator reestablishes access using established identification and authentication procedures.V-202013MEDIUMThe network device must automatically audit account creation.V-202014MEDIUMThe network device must automatically audit account modification.V-202015MEDIUMThe network device must automatically audit account disabling actions.V-202016MEDIUMThe network device must automatically audit account removal actions.V-202017HIGHThe network device must be configured to assign appropriate user roles or access levels to authenticated users.V-202018MEDIUMThe network device must enforce approved authorizations for controlling the flow of management information within the network device based on information flow control policies.V-202019MEDIUMThe network device must be configured to enforce the limit of three consecutive invalid logon attempts, after which time it must block any login attempt for 15 minutes.V-202020MEDIUMThe network device must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the device.V-202021MEDIUMThe network device must retain the Standard Mandatory DoD Notice and Consent Banner on the screen until the administrator acknowledges the usage conditions and takes explicit actions to log on for further access.V-202025MEDIUMThe network device must protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.V-202028MEDIUMThe network device must generate audit records when successful/unsuccessful attempts to access privileges occur.V-202029MEDIUMThe network device must initiate session auditing upon startup.V-202030MEDIUMThe network device must produce audit log records containing sufficient information to establish what type of event occurred.V-202031MEDIUMThe network device must produce audit records containing information to establish when (date and time) the events occurred.V-202032MEDIUMThe network device must produce audit records containing information to establish where the events occurred.V-202033MEDIUMThe network device must produce audit log records containing information to establish the source of events.V-202034MEDIUMThe network device must produce audit records that contain information to establish the outcome of the event.V-202035MEDIUMThe network device must generate audit records containing information that establishes the identity of any individual or process associated with the event.V-202036MEDIUMThe network device must generate audit records containing the full-text recording of privileged commands.V-202039MEDIUMThe network device must use internal system clocks to generate time stamps for audit records.V-202040MEDIUMThe network device must protect audit information from unauthorized modification.V-202041MEDIUMThe network device must protect audit information from unauthorized deletion.V-202042MEDIUMThe network device must protect audit tools from unauthorized access.V-202043MEDIUMThe network device must protect audit tools from unauthorized modification.V-202044MEDIUMThe network device must protect audit tools from unauthorized deletion.V-202047MEDIUMThe network device must prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization.V-202048MEDIUMThe network device must limit privileges to change the software resident within software libraries.V-202049HIGHThe network device must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services V-202051MEDIUMThe network device must be configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable.V-202054MEDIUMThe network device must be configured to authenticate each administrator prior to authorizing privileges based on assignment of group or role.V-202055MEDIUMThe network device must implement replay-resistant authentication mechanisms for network access to privileged accounts.V-202057MEDIUMThe network device must enforce a minimum 15-character password length.V-202059MEDIUMThe network device must enforce password complexity by requiring that at least one uppercase character be used.V-202060MEDIUMThe network device must enforce password complexity by requiring that at least one lowercase character be used.V-202061MEDIUMThe network device must enforce password complexity by requiring that at least one numeric character be used.V-202062MEDIUMThe network device must enforce password complexity by requiring that at least one special character be used.V-202063MEDIUMThe network device must require that when a password is changed, the characters are changed in at least eight of the positions within the password.V-202064HIGHThe network device must be configured to store passwords using an approved salted key derivation function, preferably using a keyed hash for password-based authentication.V-202065HIGHThe network device must transmit only encrypted representations of passwords.V-202071HIGHThe network device must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.V-202072HIGHThe network device must use FIPS 140-2 approved algorithms for authentication to a cryptographic module.V-202074HIGHThe network device must terminate all network connections associated with a device management session at the end of the session, or the session must be terminated after five minutes of inactivity except to fulfill documented and validated mission requirements.V-202075MEDIUMThe network device must invalidate session identifiers upon administrator logout or other session termination.V-202076MEDIUMThe network device must recognize only system-generated session identifiers.V-202077MEDIUMThe network device must generate unique session identifiers using a FIPS 140-2 approved random number generator.V-202078HIGHThe network device must only allow authorized administrators to view or change the device configuration, system files, and other files stored either in the device or on removable media (such as a flash drive).V-202085MEDIUMThe network device must be configured to provide a logout mechanism for administrator-initiated communication sessions.V-202086MEDIUMThe network device must display an explicit logout message to administrators indicating the reliable termination of authenticated communications sessions.V-202087MEDIUMThe network device must terminate shared/group account credentials when members leave the group.V-202088MEDIUMThe network device must automatically audit account enabling actions.V-202091MEDIUMIf the network device uses discretionary access control, the network device must enforce organization-defined discretionary access control policies over defined subjects and objects.V-202092MEDIUMIf the network device uses role-based access control, the network device must enforce organization-defined role-based access control policies over defined subjects and objects.V-202093HIGHThe network device must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.V-202094MEDIUMThe network device must audit the execution of privileged functions.V-202098MEDIUMThe network device must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.V-202100MEDIUMThe network device must generate an immediate real-time alert of all audit failure events requiring real-time alerts.V-202102MEDIUMThe network device must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).V-202103MEDIUMThe network device must record time stamps for audit records that meet a granularity of one second for a minimum degree of precision.V-202105MEDIUMThe network device must prohibit installation of software without explicit privileged status.V-202106MEDIUMThe network device must enforce access restrictions associated with changes to device configuration.V-202107MEDIUMThe network device must audit the enforcement actions used to restrict access associated with changes to the device.V-202111MEDIUMThe network device must be configured to authenticate SNMP messages using a FIPS-validated Keyed-Hash Message Authentication Code (HMAC).V-202112MEDIUMThe network device must authenticate Network Time Protocol sources using authentication that is cryptographically based.V-202115MEDIUMThe network device must prohibit the use of cached authenticators after an organization-defined time period.V-202116MEDIUMNetwork devices performing maintenance functions must restrict use of these functions to authorized personnel only.V-202117HIGHThe network devices must use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of nonlocal maintenance and diagnostic communications.V-202118HIGHThe network device must be configured to implement cryptographic mechanisms using a FIPS 140-2 approved algorithm to protect the confidentiality of remote maintenance sessions V-202119MEDIUMThe network device must be configured to protect against known types of denial-of-service (DoS) attacks by employing organization-defined security safeguards.V-202120MEDIUMIf the network device uses mandatory access control, the network device must enforce organization-defined mandatory access control policies over all subjects and objects.V-202121MEDIUMThe network device must generate audit records when successful/unsuccessful attempts to modify administrator privileges occur.V-202122MEDIUMThe network device must generate audit records when successful/unsuccessful attempts to delete administrator privileges occur.V-202123MEDIUMThe network device must generate audit records when successful/unsuccessful logon attempts occur.V-202124MEDIUMThe network device must generate audit records for privileged activities or other system-level access.V-202125MEDIUMThe network device must generate audit records showing starting and ending time for administrator access to the system.V-202126MEDIUMThe network device must generate audit records when concurrent logons from different workstations occur.V-202127MEDIUMThe network device must off-load audit records onto a different system or media than the system being audited.V-202130MEDIUMThe network device must generate log records for a locally developed list of auditable events V-202131MEDIUMThe network device must enforce access restrictions associated with changes to the system components.V-202132HIGHThe network device must be configured to use at least one authentication server for the purpose of authenticating users prior to granting administrative access. For boundary devices, two authentication servers are required.V-202136MEDIUMThe network device must be configured to conduct backups of system level information contained in the information system when changes occur.V-202137MEDIUMThe network device must support organizational requirements to conduct backups of information system documentation, including security-related documentation, when changes occur or weekly, whichever is sooner.V-202139MEDIUMThe network device must obtain its public key certificates from an appropriate certificate policy through an approved service provider.V-202140MEDIUMThe network device must limit the number of concurrent sessions to an organization-defined number for each administrator account and/or administrator account type.V-213467HIGHThe network device must be configured to send log data to at least one central log server for the purpose of forwarding alerts to the administrators and the information system security officer (ISSO). For boundary devices, two log servers are required.V-213468HIGHThe network device must be running an operating system release that is currently supported by the vendor.V-216508MEDIUMThe network device must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.V-237779HIGHThe network device must be configured to use DoD PKI as multi-factor authentication (MFA) for interactive logins.V-237780HIGHThe network device must be configured to use DoD approved OCSP responders or CRLs to validate certificates used for PKI-based authentication.V-237781HIGHThe network device, for PKI-based authentication, must be configured to map validated certificates to unique user accounts.V-256777MEDIUMThe network device must install security-relevant firmware updates within 30 days unless the time period is directed by an authoritative source (e.g., IAVM, CTOs, DTMs, STIGs).V-264293MEDIUMThe network device must be configured to alert organization-defined personnel or roles upon detection of unauthorized access, modification, or deletion of audit information.V-264294MEDIUMThe network device must be configured to implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access.V-264295MEDIUMThe network device must be configured to implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that the device meets organization-defined strength of mechanism requirements.V-264299MEDIUMThe network device must be configured to verify, when users create or update passwords, the passwords are not found on the list of commonly used, expected, or compromised passwords in IA-5 (1) (a) for password-based authentication.V-264301MEDIUMThe network device must be configured to allow user selection of long passwords and passphrases, including spaces and all printable characters for password-based authentication.V-264303MEDIUMThe network device must be configured to implement certificate revocation checking to support path discovery and validation for public key-based authentication.V-264304MEDIUMThe network device must be configured to protect nonlocal maintenance sessions by separating the maintenance session from other network sessions with the system by logically separated communications paths.V-264305MEDIUMThe network device must be configured to include only approved trust anchors in trust stores or certificate stores managed by the organization.V-264307MEDIUMThe network device must be configured to synchronize system clocks within and between systems or system components.V-264308MEDIUMThe network device must be configured to compare the internal system clocks on an organization-defined frequency with organization-defined authoritative time source.V-278996HIGHThe network device must be a version supported by the vendor.