STIGs RMF Controls Compare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

Browse STIGs
Search
RMF Controls
Compare Versions

Resources

About
Release Notes
VPAT
DISA STIG Library

STIGs updated 5 hours ago

Powered by Pylon

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

← Back to STIGs

Virtual Machine Manager Security Requirements Guide

Version

V2R3

Release Date

Sep 10, 2025

SCAP Benchmark ID

VMM

Total Checks

198

Tags

other

CAT I: 2CAT II: 196CAT III: 0

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Export CKL Export CSV Export JSON Download STIG ZIP

Checks (198)

V-207338MEDIUMThe VMM must provide automated mechanisms for supporting account management functions.V-207339MEDIUMThe VMM must automatically remove or disable local temporary user accounts after 72 hours.V-207340MEDIUMThe VMM must automatically disable local accounts after a 35-day period of account inactivity.V-207341MEDIUMThe VMM must automatically audit account creation.V-207342MEDIUMThe VMM must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.V-207343MEDIUMThe VMM must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.V-207344MEDIUMThe VMM must retain the Standard Mandatory DoD Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access.V-207345MEDIUMThe VMM must limit the number of concurrent sessions to ten for all accounts and/or account types.V-207346MEDIUMThe VMM must retain the session lock until the user reestablishes access using established identification and authentication procedures.V-207347MEDIUMThe VMM must initiate a session lock after a 15-minute period of inactivity.V-207348MEDIUMThe VMM must provide the capability for users to directly initiate a session lock.V-207349MEDIUMThe VMM must conceal, via the session lock, information previously visible on the display with a publicly viewable image.V-207350MEDIUMThe VMM must monitor remote access methods automatically.V-207351MEDIUMThe VMM must use DoD-approved encryption to protect the confidentiality of remote access sessions.V-207352MEDIUMThe VMM must produce audit records containing information to establish what type of events occurred.V-207353MEDIUMThe VMM must produce audit records containing information to establish when (date and time) the events occurred.V-207354MEDIUMThe VMM must produce audit records containing information to establish where the events occurred.V-207355MEDIUMThe VMM must produce audit records containing information to establish the source of the events.V-207356MEDIUMThe VMM must produce audit records containing information to establish the outcome of the events.V-207357MEDIUMThe VMM must generate audit records containing the full-text recording of privileged commands or the individual identities of group account users.V-207358MEDIUMThe VMM must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.V-207360MEDIUMThe VMM must support the capability to centrally review and analyze audit records from multiple components within the system.V-207361MEDIUMThe VMM must support the capability to filter audit records for events of interest based upon all audit fields within audit records.V-207362MEDIUMThe VMM must use internal system clocks to generate time stamps for audit records.V-207363MEDIUMThe VMM must protect audit information from unauthorized read access.V-207364MEDIUMThe VMM must protect audit information from unauthorized modification.V-207365MEDIUMThe VMM must protect audit information from unauthorized deletion.V-207366MEDIUMThe VMM must provide audit record generation capability for DoD-defined auditable events for all VMM components.V-207367MEDIUMThe VMM must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.V-207368MEDIUMThe VMM must generate audit records when successful/unsuccessful attempts to access privileges occur.V-207369MEDIUMThe VMM, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.V-207370MEDIUMThe VMM, for PKI-based authentication, must enforce authorized access to the corresponding private key.V-207371MEDIUMThe VMM must map the authenticated identity to the user or group account for PKI-based authentication.V-207372MEDIUMThe VMM must enforce password complexity by requiring that at least one uppercase character be used.V-207373MEDIUMThe VMM must enforce password complexity by requiring that at least one lowercase character be used.V-207374MEDIUMThe VMM must enforce password complexity by requiring that at least one numeric character be used.V-207375MEDIUMThe VMM must require the change of at least eight of the total number of characters when passwords are changed.V-207376MEDIUMThe VMM must store only encrypted representations of passwords.V-207377MEDIUMThe VMM must transmit only encrypted representations of passwords.V-207378MEDIUMThe VMM must enforce 24 hours/one day as the minimum password lifetime.V-207379MEDIUMThe VMM must enforce a 60-day maximum password lifetime restriction.V-207381MEDIUMThe VMM must enforce a minimum 15-character password length.V-207382MEDIUMThe VMM must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.V-207383MEDIUMThe VMM must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.V-207384MEDIUMThe VMM must be configured to disable non-essential capabilities.V-207385MEDIUMThe VMM must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.V-207386MEDIUMThe VMM must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users).V-207387MEDIUMThe VMM must use multifactor authentication for network access to privileged accounts.V-207388MEDIUMThe VMM must use multifactor authentication for network access to non-privileged accounts.V-207389MEDIUMThe VMM must use multifactor authentication for local access to privileged accounts.V-207390MEDIUMThe VMM must use multifactor authentication for local access to nonprivileged accounts.V-207391MEDIUMThe VMM must require individuals to be authenticated with an individual authenticator prior to using a group authenticator.V-207392MEDIUMThe VMM must implement replay-resistant authentication mechanisms for network access to privileged accounts.V-207393MEDIUMThe VMM must implement replay-resistant authentication mechanisms for network access to nonprivileged accounts.V-207394MEDIUMThe VMM must uniquely identify peripherals before establishing a connection.V-207395MEDIUMThe VMM must disable local account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.V-207396MEDIUMThe VMM must use mechanisms meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.V-207397MEDIUMThe VMM must support an audit reduction capability that supports on-demand reporting requirements.V-207398MEDIUMThe VMM must automatically remove or disable emergency accounts after the crisis is resolved or 72 hours.V-207399MEDIUMThe VMM must employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions.V-207401MEDIUMThe VMM must separate user functionality (including user interface services) from VMM management functionality.V-207402MEDIUMThe VMM must isolate security functions from non-security functions.V-207403MEDIUMThe VMM must prevent unauthorized and unintended information transfer via shared system resources.V-207404MEDIUMThe VMM must manage excess capacity, bandwidth, or other redundancy to limit the effects of information-flooding types of Denial of Service (DoS) attacks.V-207405MEDIUMThe VMM must terminate all network connections associated with a communications session at the end of the session, or as follows: for in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity; and for user sessions (non-privileged session), the session must be terminated after 15 minutes of inactivity, except to fulfill documented and validated mission requirements.V-207406MEDIUMThe VMM must fail to a secure state if system initialization fails, shutdown fails, or aborts fail.V-207407MEDIUMThe VMM must protect the confidentiality and integrity of all information at rest.V-207409MEDIUMThe VMM must check the validity of all data inputs except those specifically identified by the organization.V-207410MEDIUMThe VMM must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.V-207411MEDIUMThe VMM must reveal system error messages only to authorized users.V-207412MEDIUMAll interactions among guest VMs must be mediated by the VMM or its service VMs to support proper function.V-207413MEDIUMThe VMM must automatically audit account modification.V-207414MEDIUMThe VMM must automatically audit account disabling actions.V-207415MEDIUMThe VMM must automatically audit account removal actions.V-207416MEDIUMAll guest VM network communications must be implemented through use of virtual network devices provisioned by the VMM.V-207417MEDIUMAll interactions between guest VMs and external systems, via other interface devices, must be mediated by the VMM or its service VMs.V-207418MEDIUMThe VMM must implement cryptography to protect the integrity of remote access sessions.V-207419MEDIUMThe VMM must initiate session audits at system startup.V-207420MEDIUMThe VMM must produce audit records containing information to establish the identity of any individual or process associated with the event.V-207421MEDIUMThe VMM must protect audit tools from unauthorized access.V-207422MEDIUMThe VMM must protect audit tools from unauthorized modification.V-207423MEDIUMThe VMM must protect audit tools from unauthorized deletion.V-207424MEDIUMThe VMM must limit privileges to change software resident within software libraries.V-207425MEDIUMThe VMM must enforce password complexity by requiring that at least one special character be used.V-207426MEDIUMIn the event of a system failure, the VMM must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes.V-207427MEDIUMThe VMM must notify system administrators (SAs) and information system security officers (ISSOs) when accounts are created.V-207428MEDIUMThe VMM must notify the system administrator (SA) and information system security officer (ISSO) when accounts are modified.V-207429MEDIUMThe VMM must notify the system administrator (SA) and information system security officer (ISSO) when accounts are disabled.V-207430MEDIUMThe VMM must notify the system administrator (SA) and information system security officer (ISSO) when accounts are removed.V-207431MEDIUMThe VMM must use cryptographic mechanisms to protect the integrity of audit tools.V-207432MEDIUMThe VMM must automatically terminate a user session after inactivity timeouts have expired or at shutdown.V-207433MEDIUMVMMs requiring user access authentication must provide a logout capability for user-initiated communications sessions.V-207434MEDIUMThe VMM must display an explicit logout message to users indicating the reliable termination of authenticated communications sessions.V-207435MEDIUMThe VMM must control remote access methods.V-207436MEDIUMThe VMM must provide the capability to immediately disconnect or disable remote access to the information system.V-207437MEDIUMThe VMM must protect wireless access to the system using encryption.V-207438MEDIUMThe VMM must protect wireless access to the system using authentication of users and/or devices.V-207439MEDIUMThe VMM must automatically audit account enabling actions.V-207440MEDIUMThe VMM must notify the system administrator (SA) and information system security officer (ISSO) of account enabling actions.V-207441MEDIUMThe VMM must implement discretionary access controls to allow VMM admins to pass information to any other VMM admin, user, or guest VM.V-207442MEDIUMThe VMM must implement discretionary access controls to allow VMM admins to grant their privileges to other VMM admins.V-207443MEDIUMThe VMM must implement discretionary access controls to allow VMM admins to change security attributes on users, guest VMs, the VMM, or the VMMs components.V-207444MEDIUMThe VMM must implement discretionary access controls to allow VMM admins to choose the security attributes to be associated with newly created or revised guest VMs.V-207445MEDIUMThe VMM must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.V-207446MEDIUMThe VMM must prevent all software from executing at higher privilege levels than users executing the software.V-207447MEDIUMThe VMM must audit the execution of privileged functions.V-207448MEDIUMThe VMM must automatically lock an account until the locked account is released by an administrator, when three unsuccessful logon attempts in 15 minutes are made.V-207449MEDIUMThe VMM must provide the capability for assigned IMOs/ISSOs or designated SAs to change the auditing to be performed on all VMM components, based on all selectable event criteria in near real time.V-207452MEDIUMThe VMM must allocate audit record storage capacity to store at least one weeks worth of audit records when audit records are not immediately sent to a central audit record storage facility.V-207453MEDIUMThe VMM must off-load audit records onto a different system or media than the system being audited.V-207454MEDIUMThe VMM must provide an immediate warning to the SA and ISSO, at a minimum, when allocated audit record storage volume reaches 75% of repository maximum audit record storage capacity.V-207455MEDIUMThe VMM must provide an immediate real-time alert to the SA and ISSO, at a minimum, of all audit failure events requiring real-time alerts.V-207456MEDIUMThe VMM must provide an audit reduction capability that supports on-demand audit review and analysis.V-207457MEDIUMThe VMM must provide an audit reduction capability that supports after-the-fact investigations of security incidents.V-207458MEDIUMThe VMM must provide a report generation capability that supports on-demand audit review and analysis.V-207459MEDIUMThe VMM must provide a report generation capability that supports on-demand reporting requirements.V-207460MEDIUMThe VMM must provide a report generation capability that supports after-the-fact investigations of security incidents.V-207461MEDIUMThe VMM that provides an audit reduction capability must not alter original content or time ordering of audit records.V-207462MEDIUMThe VMM that provides a report generation capability must not alter original content or time ordering of audit records.V-207463MEDIUMThe VMM must, for networked systems, compare internal information system clocks at least every 24 hours with an authoritative time source.V-207464MEDIUMThe VMM must synchronize internal information system clocks to the authoritative time source when the time difference is greater than one second.V-207465MEDIUMThe VMM must record time stamps for audit records that meet a granularity of one second for a minimum degree of precision.V-207466MEDIUMThe VMM must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).V-207467MEDIUMThe VMM must enforce dual authorization for movement and/or deletion of all audit information, when such movement or deletion is not part of an authorized automatic process.V-207468MEDIUMThe VMM must prohibit user installation of software without explicit privileged status.V-207469MEDIUMThe VMM must notify designated personnel if baseline configurations are changed in an unauthorized manner.V-207470MEDIUMThe VMM must enforce access restrictions associated with changes to the system.V-207471MEDIUMThe VMM must audit the enforcement actions used to restrict access associated with changes to the system.V-207472MEDIUMThe VMM must prevent the installation of guest VMs, patches, service packs, device drivers, or VMM components without verification they have been digitally signed using a certificate that is recognized and approved by the organization.V-207473MEDIUMThe VMM must prevent use of service and helper VMs not required to support proper VMM function.V-207474MEDIUMThe VMM must prevent inappropriate use of redundant guest VMs.V-207475MEDIUMThe VMM must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs and guest VMs.V-207480MEDIUMThe VMM must implement multifactor authentication for remote access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access.V-207481MEDIUMThe VMM must accept Personal Identity Verification (PIV) credentials.V-207482MEDIUMThe VMM must electronically verify Personal Identity Verification (PIV) credentials.V-207483MEDIUMThe VMM must authenticate peripherals before establishing a connection.V-207484MEDIUMThe VMM must authenticate all endpoint devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based.V-207486MEDIUMThe VMM must prohibit the use of cached authenticators after one day.V-207487MEDIUMThe VMM, for PKI-based authentication, must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network.V-207488MEDIUMThe VMM must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.V-207489MEDIUMThe VMM must request data origin authentication verification on the name/address resolution responses the system receives from authoritative sources.V-207490MEDIUMThe VMM must request data integrity verification on the name/address resolution responses the system receives from authoritative sources.V-207491MEDIUMThe VMM must perform data integrity verification on the name/address resolution responses the system receives from authoritative sources.V-207492MEDIUMThe VMM must perform data origin verification authentication on the name/address resolution responses the system receives from authoritative sources.V-207493MEDIUMThe VMM must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions.V-207494MEDIUMThe VMM must implement cryptographic mechanisms to prevent unauthorized modification of all information at rest on all VMM components.V-207495MEDIUMThe VMM must implement cryptographic mechanisms to prevent unauthorized disclosure of all information at rest on all VMM components.V-207496MEDIUMThe VMM must maintain a separate execution domain for each executing process.V-207497MEDIUMThe VMM must maintain a separate execution domain for each guest VM.V-207498MEDIUMThe VMM must protect against or limit the effects of Denial of Service (DoS) attacks by ensuring the VMM is implementing rate-limiting measures on impacted network interfaces.V-207499MEDIUMThe VMM must protect the confidentiality and integrity of transmitted information.V-207500MEDIUMThe VMM must maintain the confidentiality and integrity of information during preparation for transmission.V-207501MEDIUMThe VMM must maintain the confidentiality and integrity of information during reception.V-207502MEDIUMThe VMM must behave in a predictable and documented manner that reflects organizational and system objectives when invalid inputs are received.V-207503MEDIUMThe VMM must implement non-executable data to protect its memory from unauthorized code execution.V-207504MEDIUMThe VMM must implement address space layout randomization to protect its memory from unauthorized code execution.V-207505MEDIUMThe VMM must remove all software components after updated versions have been installed.V-207506MEDIUMThe VMM must verify correct operation of all security functions.V-207507MEDIUMThe VMM must perform verification of the correct operation of security functions: upon system startup and/or restart; upon command by a user with privileged access; and/or every 30 days.V-207508MEDIUMThe VMM must shut down, restart, and/or notify the system administrator when anomalies in the operation of any security functions are discovered.V-207509MEDIUMThe VMM must generate audit records when successful/unsuccessful attempts to access security objects occur.V-207510MEDIUMThe VMM must generate audit records when successful/unsuccessful attempts to access security levels occur.V-207511MEDIUMThe VMM must generate audit records when successful/unsuccessful attempts to access categories of information (e.g., classification levels) occur.V-207512MEDIUMThe VMM must generate audit records when successful/unsuccessful attempts to modify privileges occur.V-207513MEDIUMThe VMM must generate audit records when successful/unsuccessful attempts to modify security objects occur.V-207514MEDIUMThe VMM must generate audit records when successful/unsuccessful attempts to modify security levels occur.V-207515MEDIUMThe VMM must generate audit records when successful/unsuccessful attempts to delete privileges occur.V-207516MEDIUMThe VMM must generate audit records when successful/unsuccessful attempts to delete security levels occur.V-207517MEDIUMThe VMM must generate audit records when successful/unsuccessful attempts to delete security objects occur.V-207518MEDIUMThe VMM must generate audit records when successful/unsuccessful logon attempts occur.V-207519MEDIUMThe VMM must generate audit records for privileged activities or other system-level access.V-207520MEDIUMThe VMM must generate audit records showing starting and ending time for user access to the system.V-207521MEDIUMThe VMM must generate audit records when concurrent logons from different workstations occur.V-207522MEDIUMThe VMM must generate audit records when successful/unsuccessful accesses to objects occur.V-207523MEDIUMThe VMM must generate audit records for all direct access to the VMM.V-207524MEDIUMThe VMM must generate audit records for all account creations, modifications, disabling, and termination events.V-207525MEDIUMThe VMM must generate audit records for all module load, unload, and restart actions, and also for all program and guest VM initiations.V-207526MEDIUMThe VMM must implement NIST FIPS-validated cryptography for the following: to provision digital signatures; to generate cryptographic hashes; and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.V-207527MEDIUMThe VMM must, at a minimum, off-load interconnected systems in real time and off-load standalone systems weekly.V-207528MEDIUMThe VMM must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.V-207529MEDIUMThe VMM must protect the confidentiality and integrity of communications with wireless peripherals.V-264315MEDIUMThe VMM must disable accounts when the accounts are no longer associated to a user.V-264316MEDIUMThe VMM must prohibit the use or connection of unauthorized hardware components.V-264317MEDIUMThe VMM must implement multifactor authentication for local, network, and/or remote access to privileged accounts and/or nonprivileged accounts such that the device meets organization-defined strength of mechanism requirements.V-264318MEDIUMThe VMM must for password-based authentication, verify when users create or update passwords the passwords are not found on the list of commonly-used, expected, or compromised passwords in ia-5 (1) (a).V-264319MEDIUMThe VMM must for password-based authentication, require immediate selection of a new password upon account recovery.V-264320MEDIUMThe VMM must for password-based authentication, allow user selection of long passwords and passphrases, including spaces and all printable characters.V-264321MEDIUMThe VMM must for password-based authentication, employ automated tools to assist the user in selecting strong password authenticators.V-264322MEDIUMThe VMM must accept only external credentials that are NIST-compliant.V-264323MEDIUMThe VMM must monitor the use of maintenance tools that execute with increased privilege.V-264324MEDIUMThe VMM must include only approved trust anchors in trust stores or certificate stores managed by the organization.V-264325MEDIUMThe VMM must provide protected storage for cryptographic keys with organization-defined safeguards and/or hardware protected key store.V-264326MEDIUMThe VMM must synchronize system clocks within and between systems or system components.V-279013MEDIUMThe VMM must enforce a role-based access control (RBAC) policy over defined subjects and objects.V-279014MEDIUMThe VMM must use a FIPS-validated cryptographic module to provision digital signatures.V-279015MEDIUMThe VMM must enforce attribute-based access control policy over defined subjects and objects based upon organization-defined attributes to assume access permissions.V-279016HIGHThe VMM must install security-relevant software updates within 30 days unless the time period is directed by an authoritative source (e.g., IAVM, CTOs, DTMs, STIGs).V-279017HIGHThe VMM must be a version supported by the vendor.