From b5e7988cf8267dd77427a4d9b36d31027428be31 Mon Sep 17 00:00:00 2001
From: Automated Update <automated@mitre.org>
Date: Sat, 12 Oct 2024 00:03:28 +0000
Subject: [PATCH] Update Benchmarks

---
 .../U_UEM_Server_SRG_V2R2_Manual-xccdf.xml    | 1201 +++++++++++++++++
 stigs.json                                    |   28 +-
 2 files changed, 1218 insertions(+), 11 deletions(-)
 create mode 100644 benchmarks/DISA/U_UEM_Server_SRG_V2R2_Manual-xccdf.xml

diff --git a/benchmarks/DISA/U_UEM_Server_SRG_V2R2_Manual-xccdf.xml b/benchmarks/DISA/U_UEM_Server_SRG_V2R2_Manual-xccdf.xml
new file mode 100644
index 000000000..2acd372a5
--- /dev/null
+++ b/benchmarks/DISA/U_UEM_Server_SRG_V2R2_Manual-xccdf.xml
@@ -0,0 +1,1201 @@
+<?xml version="1.0" encoding="utf-8"?><?xml-stylesheet type='text/xsl' href='STIG_unclass.xsl'?><Benchmark xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:cpe="http://cpe.mitre.org/language/2.0" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.1 http://nvd.nist.gov/schema/xccdf-1.1.4.xsd http://cpe.mitre.org/dictionary/2.0 http://cpe.mitre.org/files/cpe-dictionary_2.1.xsd" id="UEM_Server_SRG" xml:lang="en" xmlns="http://checklists.nist.gov/xccdf/1.1"><status date="2024-10-10">accepted</status><title>Unified Endpoint Management Server Security Requirements Guide</title><description>This Security Requirements Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.</description><notice id="terms-of-use" xml:lang="en"></notice><front-matter xml:lang="en"></front-matter><rear-matter xml:lang="en"></rear-matter><reference href="https://cyber.mil"><dc:publisher>DISA</dc:publisher><dc:source>STIG.DOD.MIL</dc:source></reference><plain-text id="release-info">Release: 2 Benchmark Date: 10 Oct 2024</plain-text><plain-text id="generator">3.5</plain-text><plain-text id="conventionsVersion">1.10.0</plain-text><version>2</version><Profile id="MAC-1_Classified"><title>I - Mission Critical Classified</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-234275" selected="true" /><select idref="V-234276" selected="true" /><select idref="V-234277" selected="true" /><select idref="V-234278" selected="true" /><select idref="V-234279" selected="true" /><select idref="V-234283" selected="true" /><select idref="V-234286" selected="true" /><select idref="V-234287" selected="true" /><select idref="V-234288" selected="true" /><select idref="V-234289" selected="true" /><select idref="V-234290" selected="true" /><select idref="V-234291" selected="true" /><select idref="V-234292" selected="true" /><select idref="V-234310" selected="true" /><select idref="V-234311" selected="true" /><select idref="V-234312" selected="true" /><select idref="V-234318" selected="true" /><select idref="V-234323" selected="true" /><select idref="V-234324" selected="true" /><select idref="V-234325" selected="true" /><select idref="V-234326" selected="true" /><select idref="V-234327" selected="true" /><select idref="V-234328" selected="true" /><select idref="V-234329" selected="true" /><select idref="V-234330" selected="true" /><select idref="V-234331" selected="true" /><select idref="V-234332" selected="true" /><select idref="V-234333" selected="true" /><select idref="V-234334" selected="true" /><select idref="V-234335" selected="true" /><select idref="V-234340" selected="true" /><select idref="V-234341" selected="true" /><select idref="V-234342" selected="true" /><select idref="V-234343" selected="true" /><select idref="V-234347" selected="true" /><select idref="V-234349" selected="true" /><select idref="V-234351" selected="true" /><select idref="V-234352" selected="true" /><select idref="V-234353" selected="true" /><select idref="V-234354" selected="true" /><select idref="V-234355" selected="true" /><select idref="V-234356" selected="true" /><select idref="V-234358" selected="true" /><select idref="V-234360" selected="true" /><select idref="V-234361" selected="true" /><select idref="V-234363" selected="true" /><select idref="V-234364" selected="true" /><select idref="V-234367" selected="true" /><select idref="V-234368" selected="true" /><select idref="V-234369" selected="true" /><select idref="V-234370" selected="true" /><select idref="V-234371" selected="true" /><select idref="V-234372" selected="true" /><select idref="V-234373" selected="true" /><select idref="V-234374" selected="true" /><select idref="V-234375" selected="true" /><select idref="V-234377" selected="true" /><select idref="V-234378" selected="true" /><select idref="V-234379" selected="true" /><select idref="V-234380" selected="true" /><select idref="V-234381" selected="true" /><select idref="V-234382" selected="true" /><select idref="V-234383" selected="true" /><select idref="V-234390" selected="true" /><select idref="V-234391" selected="true" /><select idref="V-234392" selected="true" /><select idref="V-234405" selected="true" /><select idref="V-234406" selected="true" /><select idref="V-234407" selected="true" /><select idref="V-234408" selected="true" /><select idref="V-234409" selected="true" /><select idref="V-234410" selected="true" /><select idref="V-234421" selected="true" /><select idref="V-234424" selected="true" /><select idref="V-234425" selected="true" /><select idref="V-234430" selected="true" /><select idref="V-234438" selected="true" /><select idref="V-234439" selected="true" /><select idref="V-234440" selected="true" /><select idref="V-234441" selected="true" /><select idref="V-234442" selected="true" /><select idref="V-234443" selected="true" /><select idref="V-234444" selected="true" /><select idref="V-234465" selected="true" /><select idref="V-234466" selected="true" /><select idref="V-234475" selected="true" /><select idref="V-234489" selected="true" /><select idref="V-234491" selected="true" /><select idref="V-234500" selected="true" /><select idref="V-234516" selected="true" /><select idref="V-234517" selected="true" /><select idref="V-234520" selected="true" /><select idref="V-234521" selected="true" /><select idref="V-234523" selected="true" /><select idref="V-234524" selected="true" /><select idref="V-234526" selected="true" /><select idref="V-234538" selected="true" /><select idref="V-234543" selected="true" /><select idref="V-234544" selected="true" /><select idref="V-234555" selected="true" /><select idref="V-234556" selected="true" /><select idref="V-234573" selected="true" /><select idref="V-234574" selected="true" /><select idref="V-234575" selected="true" /><select idref="V-234588" selected="true" /><select idref="V-234596" selected="true" /><select idref="V-234603" selected="true" /><select idref="V-234605" selected="true" /><select idref="V-234622" selected="true" /><select idref="V-234623" selected="true" /><select idref="V-234624" selected="true" /><select idref="V-234629" selected="true" /><select idref="V-234642" selected="true" /><select idref="V-234645" selected="true" /><select idref="V-234646" selected="true" /><select idref="V-234649" selected="true" /><select idref="V-234651" selected="true" /><select idref="V-234653" selected="true" /><select idref="V-234654" selected="true" /><select idref="V-234655" selected="true" /><select idref="V-234656" selected="true" /><select idref="V-234657" selected="true" /><select idref="V-234658" selected="true" /><select idref="V-234659" selected="true" /><select idref="V-234664" selected="true" /><select idref="V-234665" selected="true" /><select idref="V-234666" selected="true" /><select idref="V-234667" selected="true" /><select idref="V-234668" selected="true" /><select idref="V-234669" selected="true" /><select idref="V-234673" selected="true" /><select idref="V-234674" selected="true" /><select idref="V-234676" selected="true" /><select idref="V-234677" selected="true" /><select idref="V-256892" selected="true" /><select idref="V-264368" selected="true" /><select idref="V-264369" selected="true" /></Profile><Profile id="MAC-1_Public"><title>I - Mission Critical Public</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-234275" selected="true" /><select idref="V-234276" selected="true" /><select idref="V-234277" selected="true" /><select idref="V-234278" selected="true" /><select idref="V-234279" selected="true" /><select idref="V-234283" selected="true" /><select idref="V-234286" selected="true" /><select idref="V-234287" selected="true" /><select idref="V-234288" selected="true" /><select idref="V-234289" selected="true" /><select idref="V-234290" selected="true" /><select idref="V-234291" selected="true" /><select idref="V-234292" selected="true" /><select idref="V-234310" selected="true" /><select idref="V-234311" selected="true" /><select idref="V-234312" selected="true" /><select idref="V-234318" selected="true" /><select idref="V-234323" selected="true" /><select idref="V-234324" selected="true" /><select idref="V-234325" selected="true" /><select idref="V-234326" selected="true" /><select idref="V-234327" selected="true" /><select idref="V-234328" selected="true" /><select idref="V-234329" selected="true" /><select idref="V-234330" selected="true" /><select idref="V-234331" selected="true" /><select idref="V-234332" selected="true" /><select idref="V-234333" selected="true" /><select idref="V-234334" selected="true" /><select idref="V-234335" selected="true" /><select idref="V-234340" selected="true" /><select idref="V-234341" selected="true" /><select idref="V-234342" selected="true" /><select idref="V-234343" selected="true" /><select idref="V-234347" selected="true" /><select idref="V-234349" selected="true" /><select idref="V-234351" selected="true" /><select idref="V-234352" selected="true" /><select idref="V-234353" selected="true" /><select idref="V-234354" selected="true" /><select idref="V-234355" selected="true" /><select idref="V-234356" selected="true" /><select idref="V-234358" selected="true" /><select idref="V-234360" selected="true" /><select idref="V-234361" selected="true" /><select idref="V-234363" selected="true" /><select idref="V-234364" selected="true" /><select idref="V-234367" selected="true" /><select idref="V-234368" selected="true" /><select idref="V-234369" selected="true" /><select idref="V-234370" selected="true" /><select idref="V-234371" selected="true" /><select idref="V-234372" selected="true" /><select idref="V-234373" selected="true" /><select idref="V-234374" selected="true" /><select idref="V-234375" selected="true" /><select idref="V-234377" selected="true" /><select idref="V-234378" selected="true" /><select idref="V-234379" selected="true" /><select idref="V-234380" selected="true" /><select idref="V-234381" selected="true" /><select idref="V-234382" selected="true" /><select idref="V-234383" selected="true" /><select idref="V-234390" selected="true" /><select idref="V-234391" selected="true" /><select idref="V-234392" selected="true" /><select idref="V-234405" selected="true" /><select idref="V-234406" selected="true" /><select idref="V-234407" selected="true" /><select idref="V-234408" selected="true" /><select idref="V-234409" selected="true" /><select idref="V-234410" selected="true" /><select idref="V-234421" selected="true" /><select idref="V-234424" selected="true" /><select idref="V-234425" selected="true" /><select idref="V-234430" selected="true" /><select idref="V-234438" selected="true" /><select idref="V-234439" selected="true" /><select idref="V-234440" selected="true" /><select idref="V-234441" selected="true" /><select idref="V-234442" selected="true" /><select idref="V-234443" selected="true" /><select idref="V-234444" selected="true" /><select idref="V-234465" selected="true" /><select idref="V-234466" selected="true" /><select idref="V-234475" selected="true" /><select idref="V-234489" selected="true" /><select idref="V-234491" selected="true" /><select idref="V-234500" selected="true" /><select idref="V-234516" selected="true" /><select idref="V-234517" selected="true" /><select idref="V-234520" selected="true" /><select idref="V-234521" selected="true" /><select idref="V-234523" selected="true" /><select idref="V-234524" selected="true" /><select idref="V-234526" selected="true" /><select idref="V-234538" selected="true" /><select idref="V-234543" selected="true" /><select idref="V-234544" selected="true" /><select idref="V-234555" selected="true" /><select idref="V-234556" selected="true" /><select idref="V-234573" selected="true" /><select idref="V-234574" selected="true" /><select idref="V-234575" selected="true" /><select idref="V-234588" selected="true" /><select idref="V-234596" selected="true" /><select idref="V-234603" selected="true" /><select idref="V-234605" selected="true" /><select idref="V-234622" selected="true" /><select idref="V-234623" selected="true" /><select idref="V-234624" selected="true" /><select idref="V-234629" selected="true" /><select idref="V-234642" selected="true" /><select idref="V-234645" selected="true" /><select idref="V-234646" selected="true" /><select idref="V-234649" selected="true" /><select idref="V-234651" selected="true" /><select idref="V-234653" selected="true" /><select idref="V-234654" selected="true" /><select idref="V-234655" selected="true" /><select idref="V-234656" selected="true" /><select idref="V-234657" selected="true" /><select idref="V-234658" selected="true" /><select idref="V-234659" selected="true" /><select idref="V-234664" selected="true" /><select idref="V-234665" selected="true" /><select idref="V-234666" selected="true" /><select idref="V-234667" selected="true" /><select idref="V-234668" selected="true" /><select idref="V-234669" selected="true" /><select idref="V-234673" selected="true" /><select idref="V-234674" selected="true" /><select idref="V-234676" selected="true" /><select idref="V-234677" selected="true" /><select idref="V-256892" selected="true" /><select idref="V-264368" selected="true" /><select idref="V-264369" selected="true" /></Profile><Profile id="MAC-1_Sensitive"><title>I - Mission Critical Sensitive</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-234275" selected="true" /><select idref="V-234276" selected="true" /><select idref="V-234277" selected="true" /><select idref="V-234278" selected="true" /><select idref="V-234279" selected="true" /><select idref="V-234283" selected="true" /><select idref="V-234286" selected="true" /><select idref="V-234287" selected="true" /><select idref="V-234288" selected="true" /><select idref="V-234289" selected="true" /><select idref="V-234290" selected="true" /><select idref="V-234291" selected="true" /><select idref="V-234292" selected="true" /><select idref="V-234310" selected="true" /><select idref="V-234311" selected="true" /><select idref="V-234312" selected="true" /><select idref="V-234318" selected="true" /><select idref="V-234323" selected="true" /><select idref="V-234324" selected="true" /><select idref="V-234325" selected="true" /><select idref="V-234326" selected="true" /><select idref="V-234327" selected="true" /><select idref="V-234328" selected="true" /><select idref="V-234329" selected="true" /><select idref="V-234330" selected="true" /><select idref="V-234331" selected="true" /><select idref="V-234332" selected="true" /><select idref="V-234333" selected="true" /><select idref="V-234334" selected="true" /><select idref="V-234335" selected="true" /><select idref="V-234340" selected="true" /><select idref="V-234341" selected="true" /><select idref="V-234342" selected="true" /><select idref="V-234343" selected="true" /><select idref="V-234347" selected="true" /><select idref="V-234349" selected="true" /><select idref="V-234351" selected="true" /><select idref="V-234352" selected="true" /><select idref="V-234353" selected="true" /><select idref="V-234354" selected="true" /><select idref="V-234355" selected="true" /><select idref="V-234356" selected="true" /><select idref="V-234358" selected="true" /><select idref="V-234360" selected="true" /><select idref="V-234361" selected="true" /><select idref="V-234363" selected="true" /><select idref="V-234364" selected="true" /><select idref="V-234367" selected="true" /><select idref="V-234368" selected="true" /><select idref="V-234369" selected="true" /><select idref="V-234370" selected="true" /><select idref="V-234371" selected="true" /><select idref="V-234372" selected="true" /><select idref="V-234373" selected="true" /><select idref="V-234374" selected="true" /><select idref="V-234375" selected="true" /><select idref="V-234377" selected="true" /><select idref="V-234378" selected="true" /><select idref="V-234379" selected="true" /><select idref="V-234380" selected="true" /><select idref="V-234381" selected="true" /><select idref="V-234382" selected="true" /><select idref="V-234383" selected="true" /><select idref="V-234390" selected="true" /><select idref="V-234391" selected="true" /><select idref="V-234392" selected="true" /><select idref="V-234405" selected="true" /><select idref="V-234406" selected="true" /><select idref="V-234407" selected="true" /><select idref="V-234408" selected="true" /><select idref="V-234409" selected="true" /><select idref="V-234410" selected="true" /><select idref="V-234421" selected="true" /><select idref="V-234424" selected="true" /><select idref="V-234425" selected="true" /><select idref="V-234430" selected="true" /><select idref="V-234438" selected="true" /><select idref="V-234439" selected="true" /><select idref="V-234440" selected="true" /><select idref="V-234441" selected="true" /><select idref="V-234442" selected="true" /><select idref="V-234443" selected="true" /><select idref="V-234444" selected="true" /><select idref="V-234465" selected="true" /><select idref="V-234466" selected="true" /><select idref="V-234475" selected="true" /><select idref="V-234489" selected="true" /><select idref="V-234491" selected="true" /><select idref="V-234500" selected="true" /><select idref="V-234516" selected="true" /><select idref="V-234517" selected="true" /><select idref="V-234520" selected="true" /><select idref="V-234521" selected="true" /><select idref="V-234523" selected="true" /><select idref="V-234524" selected="true" /><select idref="V-234526" selected="true" /><select idref="V-234538" selected="true" /><select idref="V-234543" selected="true" /><select idref="V-234544" selected="true" /><select idref="V-234555" selected="true" /><select idref="V-234556" selected="true" /><select idref="V-234573" selected="true" /><select idref="V-234574" selected="true" /><select idref="V-234575" selected="true" /><select idref="V-234588" selected="true" /><select idref="V-234596" selected="true" /><select idref="V-234603" selected="true" /><select idref="V-234605" selected="true" /><select idref="V-234622" selected="true" /><select idref="V-234623" selected="true" /><select idref="V-234624" selected="true" /><select idref="V-234629" selected="true" /><select idref="V-234642" selected="true" /><select idref="V-234645" selected="true" /><select idref="V-234646" selected="true" /><select idref="V-234649" selected="true" /><select idref="V-234651" selected="true" /><select idref="V-234653" selected="true" /><select idref="V-234654" selected="true" /><select idref="V-234655" selected="true" /><select idref="V-234656" selected="true" /><select idref="V-234657" selected="true" /><select idref="V-234658" selected="true" /><select idref="V-234659" selected="true" /><select idref="V-234664" selected="true" /><select idref="V-234665" selected="true" /><select idref="V-234666" selected="true" /><select idref="V-234667" selected="true" /><select idref="V-234668" selected="true" /><select idref="V-234669" selected="true" /><select idref="V-234673" selected="true" /><select idref="V-234674" selected="true" /><select idref="V-234676" selected="true" /><select idref="V-234677" selected="true" /><select idref="V-256892" selected="true" /><select idref="V-264368" selected="true" /><select idref="V-264369" selected="true" /></Profile><Profile id="MAC-2_Classified"><title>II - Mission Support Classified</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-234275" selected="true" /><select idref="V-234276" selected="true" /><select idref="V-234277" selected="true" /><select idref="V-234278" selected="true" /><select idref="V-234279" selected="true" /><select idref="V-234283" selected="true" /><select idref="V-234286" selected="true" /><select idref="V-234287" selected="true" /><select idref="V-234288" selected="true" /><select idref="V-234289" selected="true" /><select idref="V-234290" selected="true" /><select idref="V-234291" selected="true" /><select idref="V-234292" selected="true" /><select idref="V-234310" selected="true" /><select idref="V-234311" selected="true" /><select idref="V-234312" selected="true" /><select idref="V-234318" selected="true" /><select idref="V-234323" selected="true" /><select idref="V-234324" selected="true" /><select idref="V-234325" selected="true" /><select idref="V-234326" selected="true" /><select idref="V-234327" selected="true" /><select idref="V-234328" selected="true" /><select idref="V-234329" selected="true" /><select idref="V-234330" selected="true" /><select idref="V-234331" selected="true" /><select idref="V-234332" selected="true" /><select idref="V-234333" selected="true" /><select idref="V-234334" selected="true" /><select idref="V-234335" selected="true" /><select idref="V-234340" selected="true" /><select idref="V-234341" selected="true" /><select idref="V-234342" selected="true" /><select idref="V-234343" selected="true" /><select idref="V-234347" selected="true" /><select idref="V-234349" selected="true" /><select idref="V-234351" selected="true" /><select idref="V-234352" selected="true" /><select idref="V-234353" selected="true" /><select idref="V-234354" selected="true" /><select idref="V-234355" selected="true" /><select idref="V-234356" selected="true" /><select idref="V-234358" selected="true" /><select idref="V-234360" selected="true" /><select idref="V-234361" selected="true" /><select idref="V-234363" selected="true" /><select idref="V-234364" selected="true" /><select idref="V-234367" selected="true" /><select idref="V-234368" selected="true" /><select idref="V-234369" selected="true" /><select idref="V-234370" selected="true" /><select idref="V-234371" selected="true" /><select idref="V-234372" selected="true" /><select idref="V-234373" selected="true" /><select idref="V-234374" selected="true" /><select idref="V-234375" selected="true" /><select idref="V-234377" selected="true" /><select idref="V-234378" selected="true" /><select idref="V-234379" selected="true" /><select idref="V-234380" selected="true" /><select idref="V-234381" selected="true" /><select idref="V-234382" selected="true" /><select idref="V-234383" selected="true" /><select idref="V-234390" selected="true" /><select idref="V-234391" selected="true" /><select idref="V-234392" selected="true" /><select idref="V-234405" selected="true" /><select idref="V-234406" selected="true" /><select idref="V-234407" selected="true" /><select idref="V-234408" selected="true" /><select idref="V-234409" selected="true" /><select idref="V-234410" selected="true" /><select idref="V-234421" selected="true" /><select idref="V-234424" selected="true" /><select idref="V-234425" selected="true" /><select idref="V-234430" selected="true" /><select idref="V-234438" selected="true" /><select idref="V-234439" selected="true" /><select idref="V-234440" selected="true" /><select idref="V-234441" selected="true" /><select idref="V-234442" selected="true" /><select idref="V-234443" selected="true" /><select idref="V-234444" selected="true" /><select idref="V-234465" selected="true" /><select idref="V-234466" selected="true" /><select idref="V-234475" selected="true" /><select idref="V-234489" selected="true" /><select idref="V-234491" selected="true" /><select idref="V-234500" selected="true" /><select idref="V-234516" selected="true" /><select idref="V-234517" selected="true" /><select idref="V-234520" selected="true" /><select idref="V-234521" selected="true" /><select idref="V-234523" selected="true" /><select idref="V-234524" selected="true" /><select idref="V-234526" selected="true" /><select idref="V-234538" selected="true" /><select idref="V-234543" selected="true" /><select idref="V-234544" selected="true" /><select idref="V-234555" selected="true" /><select idref="V-234556" selected="true" /><select idref="V-234573" selected="true" /><select idref="V-234574" selected="true" /><select idref="V-234575" selected="true" /><select idref="V-234588" selected="true" /><select idref="V-234596" selected="true" /><select idref="V-234603" selected="true" /><select idref="V-234605" selected="true" /><select idref="V-234622" selected="true" /><select idref="V-234623" selected="true" /><select idref="V-234624" selected="true" /><select idref="V-234629" selected="true" /><select idref="V-234642" selected="true" /><select idref="V-234645" selected="true" /><select idref="V-234646" selected="true" /><select idref="V-234649" selected="true" /><select idref="V-234651" selected="true" /><select idref="V-234653" selected="true" /><select idref="V-234654" selected="true" /><select idref="V-234655" selected="true" /><select idref="V-234656" selected="true" /><select idref="V-234657" selected="true" /><select idref="V-234658" selected="true" /><select idref="V-234659" selected="true" /><select idref="V-234664" selected="true" /><select idref="V-234665" selected="true" /><select idref="V-234666" selected="true" /><select idref="V-234667" selected="true" /><select idref="V-234668" selected="true" /><select idref="V-234669" selected="true" /><select idref="V-234673" selected="true" /><select idref="V-234674" selected="true" /><select idref="V-234676" selected="true" /><select idref="V-234677" selected="true" /><select idref="V-256892" selected="true" /><select idref="V-264368" selected="true" /><select idref="V-264369" selected="true" /></Profile><Profile id="MAC-2_Public"><title>II - Mission Support Public</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-234275" selected="true" /><select idref="V-234276" selected="true" /><select idref="V-234277" selected="true" /><select idref="V-234278" selected="true" /><select idref="V-234279" selected="true" /><select idref="V-234283" selected="true" /><select idref="V-234286" selected="true" /><select idref="V-234287" selected="true" /><select idref="V-234288" selected="true" /><select idref="V-234289" selected="true" /><select idref="V-234290" selected="true" /><select idref="V-234291" selected="true" /><select idref="V-234292" selected="true" /><select idref="V-234310" selected="true" /><select idref="V-234311" selected="true" /><select idref="V-234312" selected="true" /><select idref="V-234318" selected="true" /><select idref="V-234323" selected="true" /><select idref="V-234324" selected="true" /><select idref="V-234325" selected="true" /><select idref="V-234326" selected="true" /><select idref="V-234327" selected="true" /><select idref="V-234328" selected="true" /><select idref="V-234329" selected="true" /><select idref="V-234330" selected="true" /><select idref="V-234331" selected="true" /><select idref="V-234332" selected="true" /><select idref="V-234333" selected="true" /><select idref="V-234334" selected="true" /><select idref="V-234335" selected="true" /><select idref="V-234340" selected="true" /><select idref="V-234341" selected="true" /><select idref="V-234342" selected="true" /><select idref="V-234343" selected="true" /><select idref="V-234347" selected="true" /><select idref="V-234349" selected="true" /><select idref="V-234351" selected="true" /><select idref="V-234352" selected="true" /><select idref="V-234353" selected="true" /><select idref="V-234354" selected="true" /><select idref="V-234355" selected="true" /><select idref="V-234356" selected="true" /><select idref="V-234358" selected="true" /><select idref="V-234360" selected="true" /><select idref="V-234361" selected="true" /><select idref="V-234363" selected="true" /><select idref="V-234364" selected="true" /><select idref="V-234367" selected="true" /><select idref="V-234368" selected="true" /><select idref="V-234369" selected="true" /><select idref="V-234370" selected="true" /><select idref="V-234371" selected="true" /><select idref="V-234372" selected="true" /><select idref="V-234373" selected="true" /><select idref="V-234374" selected="true" /><select idref="V-234375" selected="true" /><select idref="V-234377" selected="true" /><select idref="V-234378" selected="true" /><select idref="V-234379" selected="true" /><select idref="V-234380" selected="true" /><select idref="V-234381" selected="true" /><select idref="V-234382" selected="true" /><select idref="V-234383" selected="true" /><select idref="V-234390" selected="true" /><select idref="V-234391" selected="true" /><select idref="V-234392" selected="true" /><select idref="V-234405" selected="true" /><select idref="V-234406" selected="true" /><select idref="V-234407" selected="true" /><select idref="V-234408" selected="true" /><select idref="V-234409" selected="true" /><select idref="V-234410" selected="true" /><select idref="V-234421" selected="true" /><select idref="V-234424" selected="true" /><select idref="V-234425" selected="true" /><select idref="V-234430" selected="true" /><select idref="V-234438" selected="true" /><select idref="V-234439" selected="true" /><select idref="V-234440" selected="true" /><select idref="V-234441" selected="true" /><select idref="V-234442" selected="true" /><select idref="V-234443" selected="true" /><select idref="V-234444" selected="true" /><select idref="V-234465" selected="true" /><select idref="V-234466" selected="true" /><select idref="V-234475" selected="true" /><select idref="V-234489" selected="true" /><select idref="V-234491" selected="true" /><select idref="V-234500" selected="true" /><select idref="V-234516" selected="true" /><select idref="V-234517" selected="true" /><select idref="V-234520" selected="true" /><select idref="V-234521" selected="true" /><select idref="V-234523" selected="true" /><select idref="V-234524" selected="true" /><select idref="V-234526" selected="true" /><select idref="V-234538" selected="true" /><select idref="V-234543" selected="true" /><select idref="V-234544" selected="true" /><select idref="V-234555" selected="true" /><select idref="V-234556" selected="true" /><select idref="V-234573" selected="true" /><select idref="V-234574" selected="true" /><select idref="V-234575" selected="true" /><select idref="V-234588" selected="true" /><select idref="V-234596" selected="true" /><select idref="V-234603" selected="true" /><select idref="V-234605" selected="true" /><select idref="V-234622" selected="true" /><select idref="V-234623" selected="true" /><select idref="V-234624" selected="true" /><select idref="V-234629" selected="true" /><select idref="V-234642" selected="true" /><select idref="V-234645" selected="true" /><select idref="V-234646" selected="true" /><select idref="V-234649" selected="true" /><select idref="V-234651" selected="true" /><select idref="V-234653" selected="true" /><select idref="V-234654" selected="true" /><select idref="V-234655" selected="true" /><select idref="V-234656" selected="true" /><select idref="V-234657" selected="true" /><select idref="V-234658" selected="true" /><select idref="V-234659" selected="true" /><select idref="V-234664" selected="true" /><select idref="V-234665" selected="true" /><select idref="V-234666" selected="true" /><select idref="V-234667" selected="true" /><select idref="V-234668" selected="true" /><select idref="V-234669" selected="true" /><select idref="V-234673" selected="true" /><select idref="V-234674" selected="true" /><select idref="V-234676" selected="true" /><select idref="V-234677" selected="true" /><select idref="V-256892" selected="true" /><select idref="V-264368" selected="true" /><select idref="V-264369" selected="true" /></Profile><Profile id="MAC-2_Sensitive"><title>II - Mission Support Sensitive</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-234275" selected="true" /><select idref="V-234276" selected="true" /><select idref="V-234277" selected="true" /><select idref="V-234278" selected="true" /><select idref="V-234279" selected="true" /><select idref="V-234283" selected="true" /><select idref="V-234286" selected="true" /><select idref="V-234287" selected="true" /><select idref="V-234288" selected="true" /><select idref="V-234289" selected="true" /><select idref="V-234290" selected="true" /><select idref="V-234291" selected="true" /><select idref="V-234292" selected="true" /><select idref="V-234310" selected="true" /><select idref="V-234311" selected="true" /><select idref="V-234312" selected="true" /><select idref="V-234318" selected="true" /><select idref="V-234323" selected="true" /><select idref="V-234324" selected="true" /><select idref="V-234325" selected="true" /><select idref="V-234326" selected="true" /><select idref="V-234327" selected="true" /><select idref="V-234328" selected="true" /><select idref="V-234329" selected="true" /><select idref="V-234330" selected="true" /><select idref="V-234331" selected="true" /><select idref="V-234332" selected="true" /><select idref="V-234333" selected="true" /><select idref="V-234334" selected="true" /><select idref="V-234335" selected="true" /><select idref="V-234340" selected="true" /><select idref="V-234341" selected="true" /><select idref="V-234342" selected="true" /><select idref="V-234343" selected="true" /><select idref="V-234347" selected="true" /><select idref="V-234349" selected="true" /><select idref="V-234351" selected="true" /><select idref="V-234352" selected="true" /><select idref="V-234353" selected="true" /><select idref="V-234354" selected="true" /><select idref="V-234355" selected="true" /><select idref="V-234356" selected="true" /><select idref="V-234358" selected="true" /><select idref="V-234360" selected="true" /><select idref="V-234361" selected="true" /><select idref="V-234363" selected="true" /><select idref="V-234364" selected="true" /><select idref="V-234367" selected="true" /><select idref="V-234368" selected="true" /><select idref="V-234369" selected="true" /><select idref="V-234370" selected="true" /><select idref="V-234371" selected="true" /><select idref="V-234372" selected="true" /><select idref="V-234373" selected="true" /><select idref="V-234374" selected="true" /><select idref="V-234375" selected="true" /><select idref="V-234377" selected="true" /><select idref="V-234378" selected="true" /><select idref="V-234379" selected="true" /><select idref="V-234380" selected="true" /><select idref="V-234381" selected="true" /><select idref="V-234382" selected="true" /><select idref="V-234383" selected="true" /><select idref="V-234390" selected="true" /><select idref="V-234391" selected="true" /><select idref="V-234392" selected="true" /><select idref="V-234405" selected="true" /><select idref="V-234406" selected="true" /><select idref="V-234407" selected="true" /><select idref="V-234408" selected="true" /><select idref="V-234409" selected="true" /><select idref="V-234410" selected="true" /><select idref="V-234421" selected="true" /><select idref="V-234424" selected="true" /><select idref="V-234425" selected="true" /><select idref="V-234430" selected="true" /><select idref="V-234438" selected="true" /><select idref="V-234439" selected="true" /><select idref="V-234440" selected="true" /><select idref="V-234441" selected="true" /><select idref="V-234442" selected="true" /><select idref="V-234443" selected="true" /><select idref="V-234444" selected="true" /><select idref="V-234465" selected="true" /><select idref="V-234466" selected="true" /><select idref="V-234475" selected="true" /><select idref="V-234489" selected="true" /><select idref="V-234491" selected="true" /><select idref="V-234500" selected="true" /><select idref="V-234516" selected="true" /><select idref="V-234517" selected="true" /><select idref="V-234520" selected="true" /><select idref="V-234521" selected="true" /><select idref="V-234523" selected="true" /><select idref="V-234524" selected="true" /><select idref="V-234526" selected="true" /><select idref="V-234538" selected="true" /><select idref="V-234543" selected="true" /><select idref="V-234544" selected="true" /><select idref="V-234555" selected="true" /><select idref="V-234556" selected="true" /><select idref="V-234573" selected="true" /><select idref="V-234574" selected="true" /><select idref="V-234575" selected="true" /><select idref="V-234588" selected="true" /><select idref="V-234596" selected="true" /><select idref="V-234603" selected="true" /><select idref="V-234605" selected="true" /><select idref="V-234622" selected="true" /><select idref="V-234623" selected="true" /><select idref="V-234624" selected="true" /><select idref="V-234629" selected="true" /><select idref="V-234642" selected="true" /><select idref="V-234645" selected="true" /><select idref="V-234646" selected="true" /><select idref="V-234649" selected="true" /><select idref="V-234651" selected="true" /><select idref="V-234653" selected="true" /><select idref="V-234654" selected="true" /><select idref="V-234655" selected="true" /><select idref="V-234656" selected="true" /><select idref="V-234657" selected="true" /><select idref="V-234658" selected="true" /><select idref="V-234659" selected="true" /><select idref="V-234664" selected="true" /><select idref="V-234665" selected="true" /><select idref="V-234666" selected="true" /><select idref="V-234667" selected="true" /><select idref="V-234668" selected="true" /><select idref="V-234669" selected="true" /><select idref="V-234673" selected="true" /><select idref="V-234674" selected="true" /><select idref="V-234676" selected="true" /><select idref="V-234677" selected="true" /><select idref="V-256892" selected="true" /><select idref="V-264368" selected="true" /><select idref="V-264369" selected="true" /></Profile><Profile id="MAC-3_Classified"><title>III - Administrative Classified</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-234275" selected="true" /><select idref="V-234276" selected="true" /><select idref="V-234277" selected="true" /><select idref="V-234278" selected="true" /><select idref="V-234279" selected="true" /><select idref="V-234283" selected="true" /><select idref="V-234286" selected="true" /><select idref="V-234287" selected="true" /><select idref="V-234288" selected="true" /><select idref="V-234289" selected="true" /><select idref="V-234290" selected="true" /><select idref="V-234291" selected="true" /><select idref="V-234292" selected="true" /><select idref="V-234310" selected="true" /><select idref="V-234311" selected="true" /><select idref="V-234312" selected="true" /><select idref="V-234318" selected="true" /><select idref="V-234323" selected="true" /><select idref="V-234324" selected="true" /><select idref="V-234325" selected="true" /><select idref="V-234326" selected="true" /><select idref="V-234327" selected="true" /><select idref="V-234328" selected="true" /><select idref="V-234329" selected="true" /><select idref="V-234330" selected="true" /><select idref="V-234331" selected="true" /><select idref="V-234332" selected="true" /><select idref="V-234333" selected="true" /><select idref="V-234334" selected="true" /><select idref="V-234335" selected="true" /><select idref="V-234340" selected="true" /><select idref="V-234341" selected="true" /><select idref="V-234342" selected="true" /><select idref="V-234343" selected="true" /><select idref="V-234347" selected="true" /><select idref="V-234349" selected="true" /><select idref="V-234351" selected="true" /><select idref="V-234352" selected="true" /><select idref="V-234353" selected="true" /><select idref="V-234354" selected="true" /><select idref="V-234355" selected="true" /><select idref="V-234356" selected="true" /><select idref="V-234358" selected="true" /><select idref="V-234360" selected="true" /><select idref="V-234361" selected="true" /><select idref="V-234363" selected="true" /><select idref="V-234364" selected="true" /><select idref="V-234367" selected="true" /><select idref="V-234368" selected="true" /><select idref="V-234369" selected="true" /><select idref="V-234370" selected="true" /><select idref="V-234371" selected="true" /><select idref="V-234372" selected="true" /><select idref="V-234373" selected="true" /><select idref="V-234374" selected="true" /><select idref="V-234375" selected="true" /><select idref="V-234377" selected="true" /><select idref="V-234378" selected="true" /><select idref="V-234379" selected="true" /><select idref="V-234380" selected="true" /><select idref="V-234381" selected="true" /><select idref="V-234382" selected="true" /><select idref="V-234383" selected="true" /><select idref="V-234390" selected="true" /><select idref="V-234391" selected="true" /><select idref="V-234392" selected="true" /><select idref="V-234405" selected="true" /><select idref="V-234406" selected="true" /><select idref="V-234407" selected="true" /><select idref="V-234408" selected="true" /><select idref="V-234409" selected="true" /><select idref="V-234410" selected="true" /><select idref="V-234421" selected="true" /><select idref="V-234424" selected="true" /><select idref="V-234425" selected="true" /><select idref="V-234430" selected="true" /><select idref="V-234438" selected="true" /><select idref="V-234439" selected="true" /><select idref="V-234440" selected="true" /><select idref="V-234441" selected="true" /><select idref="V-234442" selected="true" /><select idref="V-234443" selected="true" /><select idref="V-234444" selected="true" /><select idref="V-234465" selected="true" /><select idref="V-234466" selected="true" /><select idref="V-234475" selected="true" /><select idref="V-234489" selected="true" /><select idref="V-234491" selected="true" /><select idref="V-234500" selected="true" /><select idref="V-234516" selected="true" /><select idref="V-234517" selected="true" /><select idref="V-234520" selected="true" /><select idref="V-234521" selected="true" /><select idref="V-234523" selected="true" /><select idref="V-234524" selected="true" /><select idref="V-234526" selected="true" /><select idref="V-234538" selected="true" /><select idref="V-234543" selected="true" /><select idref="V-234544" selected="true" /><select idref="V-234555" selected="true" /><select idref="V-234556" selected="true" /><select idref="V-234573" selected="true" /><select idref="V-234574" selected="true" /><select idref="V-234575" selected="true" /><select idref="V-234588" selected="true" /><select idref="V-234596" selected="true" /><select idref="V-234603" selected="true" /><select idref="V-234605" selected="true" /><select idref="V-234622" selected="true" /><select idref="V-234623" selected="true" /><select idref="V-234624" selected="true" /><select idref="V-234629" selected="true" /><select idref="V-234642" selected="true" /><select idref="V-234645" selected="true" /><select idref="V-234646" selected="true" /><select idref="V-234649" selected="true" /><select idref="V-234651" selected="true" /><select idref="V-234653" selected="true" /><select idref="V-234654" selected="true" /><select idref="V-234655" selected="true" /><select idref="V-234656" selected="true" /><select idref="V-234657" selected="true" /><select idref="V-234658" selected="true" /><select idref="V-234659" selected="true" /><select idref="V-234664" selected="true" /><select idref="V-234665" selected="true" /><select idref="V-234666" selected="true" /><select idref="V-234667" selected="true" /><select idref="V-234668" selected="true" /><select idref="V-234669" selected="true" /><select idref="V-234673" selected="true" /><select idref="V-234674" selected="true" /><select idref="V-234676" selected="true" /><select idref="V-234677" selected="true" /><select idref="V-256892" selected="true" /><select idref="V-264368" selected="true" /><select idref="V-264369" selected="true" /></Profile><Profile id="MAC-3_Public"><title>III - Administrative Public</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-234275" selected="true" /><select idref="V-234276" selected="true" /><select idref="V-234277" selected="true" /><select idref="V-234278" selected="true" /><select idref="V-234279" selected="true" /><select idref="V-234283" selected="true" /><select idref="V-234286" selected="true" /><select idref="V-234287" selected="true" /><select idref="V-234288" selected="true" /><select idref="V-234289" selected="true" /><select idref="V-234290" selected="true" /><select idref="V-234291" selected="true" /><select idref="V-234292" selected="true" /><select idref="V-234310" selected="true" /><select idref="V-234311" selected="true" /><select idref="V-234312" selected="true" /><select idref="V-234318" selected="true" /><select idref="V-234323" selected="true" /><select idref="V-234324" selected="true" /><select idref="V-234325" selected="true" /><select idref="V-234326" selected="true" /><select idref="V-234327" selected="true" /><select idref="V-234328" selected="true" /><select idref="V-234329" selected="true" /><select idref="V-234330" selected="true" /><select idref="V-234331" selected="true" /><select idref="V-234332" selected="true" /><select idref="V-234333" selected="true" /><select idref="V-234334" selected="true" /><select idref="V-234335" selected="true" /><select idref="V-234340" selected="true" /><select idref="V-234341" selected="true" /><select idref="V-234342" selected="true" /><select idref="V-234343" selected="true" /><select idref="V-234347" selected="true" /><select idref="V-234349" selected="true" /><select idref="V-234351" selected="true" /><select idref="V-234352" selected="true" /><select idref="V-234353" selected="true" /><select idref="V-234354" selected="true" /><select idref="V-234355" selected="true" /><select idref="V-234356" selected="true" /><select idref="V-234358" selected="true" /><select idref="V-234360" selected="true" /><select idref="V-234361" selected="true" /><select idref="V-234363" selected="true" /><select idref="V-234364" selected="true" /><select idref="V-234367" selected="true" /><select idref="V-234368" selected="true" /><select idref="V-234369" selected="true" /><select idref="V-234370" selected="true" /><select idref="V-234371" selected="true" /><select idref="V-234372" selected="true" /><select idref="V-234373" selected="true" /><select idref="V-234374" selected="true" /><select idref="V-234375" selected="true" /><select idref="V-234377" selected="true" /><select idref="V-234378" selected="true" /><select idref="V-234379" selected="true" /><select idref="V-234380" selected="true" /><select idref="V-234381" selected="true" /><select idref="V-234382" selected="true" /><select idref="V-234383" selected="true" /><select idref="V-234390" selected="true" /><select idref="V-234391" selected="true" /><select idref="V-234392" selected="true" /><select idref="V-234405" selected="true" /><select idref="V-234406" selected="true" /><select idref="V-234407" selected="true" /><select idref="V-234408" selected="true" /><select idref="V-234409" selected="true" /><select idref="V-234410" selected="true" /><select idref="V-234421" selected="true" /><select idref="V-234424" selected="true" /><select idref="V-234425" selected="true" /><select idref="V-234430" selected="true" /><select idref="V-234438" selected="true" /><select idref="V-234439" selected="true" /><select idref="V-234440" selected="true" /><select idref="V-234441" selected="true" /><select idref="V-234442" selected="true" /><select idref="V-234443" selected="true" /><select idref="V-234444" selected="true" /><select idref="V-234465" selected="true" /><select idref="V-234466" selected="true" /><select idref="V-234475" selected="true" /><select idref="V-234489" selected="true" /><select idref="V-234491" selected="true" /><select idref="V-234500" selected="true" /><select idref="V-234516" selected="true" /><select idref="V-234517" selected="true" /><select idref="V-234520" selected="true" /><select idref="V-234521" selected="true" /><select idref="V-234523" selected="true" /><select idref="V-234524" selected="true" /><select idref="V-234526" selected="true" /><select idref="V-234538" selected="true" /><select idref="V-234543" selected="true" /><select idref="V-234544" selected="true" /><select idref="V-234555" selected="true" /><select idref="V-234556" selected="true" /><select idref="V-234573" selected="true" /><select idref="V-234574" selected="true" /><select idref="V-234575" selected="true" /><select idref="V-234588" selected="true" /><select idref="V-234596" selected="true" /><select idref="V-234603" selected="true" /><select idref="V-234605" selected="true" /><select idref="V-234622" selected="true" /><select idref="V-234623" selected="true" /><select idref="V-234624" selected="true" /><select idref="V-234629" selected="true" /><select idref="V-234642" selected="true" /><select idref="V-234645" selected="true" /><select idref="V-234646" selected="true" /><select idref="V-234649" selected="true" /><select idref="V-234651" selected="true" /><select idref="V-234653" selected="true" /><select idref="V-234654" selected="true" /><select idref="V-234655" selected="true" /><select idref="V-234656" selected="true" /><select idref="V-234657" selected="true" /><select idref="V-234658" selected="true" /><select idref="V-234659" selected="true" /><select idref="V-234664" selected="true" /><select idref="V-234665" selected="true" /><select idref="V-234666" selected="true" /><select idref="V-234667" selected="true" /><select idref="V-234668" selected="true" /><select idref="V-234669" selected="true" /><select idref="V-234673" selected="true" /><select idref="V-234674" selected="true" /><select idref="V-234676" selected="true" /><select idref="V-234677" selected="true" /><select idref="V-256892" selected="true" /><select idref="V-264368" selected="true" /><select idref="V-264369" selected="true" /></Profile><Profile id="MAC-3_Sensitive"><title>III - Administrative Sensitive</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-234275" selected="true" /><select idref="V-234276" selected="true" /><select idref="V-234277" selected="true" /><select idref="V-234278" selected="true" /><select idref="V-234279" selected="true" /><select idref="V-234283" selected="true" /><select idref="V-234286" selected="true" /><select idref="V-234287" selected="true" /><select idref="V-234288" selected="true" /><select idref="V-234289" selected="true" /><select idref="V-234290" selected="true" /><select idref="V-234291" selected="true" /><select idref="V-234292" selected="true" /><select idref="V-234310" selected="true" /><select idref="V-234311" selected="true" /><select idref="V-234312" selected="true" /><select idref="V-234318" selected="true" /><select idref="V-234323" selected="true" /><select idref="V-234324" selected="true" /><select idref="V-234325" selected="true" /><select idref="V-234326" selected="true" /><select idref="V-234327" selected="true" /><select idref="V-234328" selected="true" /><select idref="V-234329" selected="true" /><select idref="V-234330" selected="true" /><select idref="V-234331" selected="true" /><select idref="V-234332" selected="true" /><select idref="V-234333" selected="true" /><select idref="V-234334" selected="true" /><select idref="V-234335" selected="true" /><select idref="V-234340" selected="true" /><select idref="V-234341" selected="true" /><select idref="V-234342" selected="true" /><select idref="V-234343" selected="true" /><select idref="V-234347" selected="true" /><select idref="V-234349" selected="true" /><select idref="V-234351" selected="true" /><select idref="V-234352" selected="true" /><select idref="V-234353" selected="true" /><select idref="V-234354" selected="true" /><select idref="V-234355" selected="true" /><select idref="V-234356" selected="true" /><select idref="V-234358" selected="true" /><select idref="V-234360" selected="true" /><select idref="V-234361" selected="true" /><select idref="V-234363" selected="true" /><select idref="V-234364" selected="true" /><select idref="V-234367" selected="true" /><select idref="V-234368" selected="true" /><select idref="V-234369" selected="true" /><select idref="V-234370" selected="true" /><select idref="V-234371" selected="true" /><select idref="V-234372" selected="true" /><select idref="V-234373" selected="true" /><select idref="V-234374" selected="true" /><select idref="V-234375" selected="true" /><select idref="V-234377" selected="true" /><select idref="V-234378" selected="true" /><select idref="V-234379" selected="true" /><select idref="V-234380" selected="true" /><select idref="V-234381" selected="true" /><select idref="V-234382" selected="true" /><select idref="V-234383" selected="true" /><select idref="V-234390" selected="true" /><select idref="V-234391" selected="true" /><select idref="V-234392" selected="true" /><select idref="V-234405" selected="true" /><select idref="V-234406" selected="true" /><select idref="V-234407" selected="true" /><select idref="V-234408" selected="true" /><select idref="V-234409" selected="true" /><select idref="V-234410" selected="true" /><select idref="V-234421" selected="true" /><select idref="V-234424" selected="true" /><select idref="V-234425" selected="true" /><select idref="V-234430" selected="true" /><select idref="V-234438" selected="true" /><select idref="V-234439" selected="true" /><select idref="V-234440" selected="true" /><select idref="V-234441" selected="true" /><select idref="V-234442" selected="true" /><select idref="V-234443" selected="true" /><select idref="V-234444" selected="true" /><select idref="V-234465" selected="true" /><select idref="V-234466" selected="true" /><select idref="V-234475" selected="true" /><select idref="V-234489" selected="true" /><select idref="V-234491" selected="true" /><select idref="V-234500" selected="true" /><select idref="V-234516" selected="true" /><select idref="V-234517" selected="true" /><select idref="V-234520" selected="true" /><select idref="V-234521" selected="true" /><select idref="V-234523" selected="true" /><select idref="V-234524" selected="true" /><select idref="V-234526" selected="true" /><select idref="V-234538" selected="true" /><select idref="V-234543" selected="true" /><select idref="V-234544" selected="true" /><select idref="V-234555" selected="true" /><select idref="V-234556" selected="true" /><select idref="V-234573" selected="true" /><select idref="V-234574" selected="true" /><select idref="V-234575" selected="true" /><select idref="V-234588" selected="true" /><select idref="V-234596" selected="true" /><select idref="V-234603" selected="true" /><select idref="V-234605" selected="true" /><select idref="V-234622" selected="true" /><select idref="V-234623" selected="true" /><select idref="V-234624" selected="true" /><select idref="V-234629" selected="true" /><select idref="V-234642" selected="true" /><select idref="V-234645" selected="true" /><select idref="V-234646" selected="true" /><select idref="V-234649" selected="true" /><select idref="V-234651" selected="true" /><select idref="V-234653" selected="true" /><select idref="V-234654" selected="true" /><select idref="V-234655" selected="true" /><select idref="V-234656" selected="true" /><select idref="V-234657" selected="true" /><select idref="V-234658" selected="true" /><select idref="V-234659" selected="true" /><select idref="V-234664" selected="true" /><select idref="V-234665" selected="true" /><select idref="V-234666" selected="true" /><select idref="V-234667" selected="true" /><select idref="V-234668" selected="true" /><select idref="V-234669" selected="true" /><select idref="V-234673" selected="true" /><select idref="V-234674" selected="true" /><select idref="V-234676" selected="true" /><select idref="V-234677" selected="true" /><select idref="V-256892" selected="true" /><select idref="V-264368" selected="true" /><select idref="V-264369" selected="true" /></Profile><Group id="V-234275"><title>SRG-APP-000001</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234275r960735_rule" weight="10.0" severity="medium"><version>SRG-APP-000001-UEM-000001</version><title>The UEM server must limit the number of concurrent sessions per privileged user account to three or less concurrent sessions.</title><description>&lt;VulnDiscussion&gt;Application management includes the ability to control the number of users and user sessions that utilize an application. Limiting the number of allowed users and sessions per user is helpful in limiting risks related to DoS attacks.
+
+This requirement may be met via the application or by utilizing information system session control provided by a web server with specialized session management capabilities. If it has been specified that this requirement will be handled by the application, the capability to limit the maximum number of concurrent single user sessions must be designed and built into the application. 
+
+This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions must be defined based upon mission needs and the operational environment for each system. 
+
+Satisfies:FMT_SMF.1.1(2) b 
+Reference:PP-MDM-431010&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000054</ident><fixtext fixref="F-37425r617395_fix">Configure the UEM server to limit the number of concurrent sessions per privileged user account to three or less concurrent sessions.</fixtext><fix id="F-37425r617395_fix" /><check system="C-37460r617394_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server limits the number of concurrent sessions per privileged user account to three or less concurrent sessions.
+
+If the UEM server does not limit the number of concurrent sessions per privileged user account to three or less concurrent sessions, this is a finding.</check-content></check></Rule></Group><Group id="V-234276"><title>SRG-APP-000002</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234276r960738_rule" weight="10.0" severity="medium"><version>SRG-APP-000002-UEM-000002</version><title>The UEM server must conceal, via the session lock, information previously visible on the display with a publicly viewable image.</title><description>&lt;VulnDiscussion&gt;A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system, but does not log out because of the temporary nature of the absence. 
+
+The session lock is implemented at the point where session activity can be determined. This is typically at the operating system level, but may be at the application level. 
+
+When the application design specifies the application rather than the operating system will determine when to lock the session, the application session lock event must include an obfuscation of the display screen to prevent other users from reading what was previously displayed. 
+
+Publicly viewable images can include static or dynamic images, for example, patterns used with screen savers, photographic images, solid colors, a clock, a battery life indicator, or a blank screen, with the additional caveat that none of the images convey sensitive information. 
+
+Satisfies:FMT_SMF.1.1(2) b 
+Reference:PP-MDM-431011&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000060</ident><fixtext fixref="F-37426r613839_fix">Configure the UEM server to conceal via the session lock information previously visible on the display with a publicly viewable image.</fixtext><fix id="F-37426r613839_fix" /><check system="C-37461r613838_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server conceals, via the session lock, information previously visible on the display with a publicly viewable image.
+
+If the UEM server does not conceal via the session lock information previously visible on the display with a publicly viewable image, this is a finding.</check-content></check></Rule></Group><Group id="V-234277"><title>SRG-APP-000003</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234277r960741_rule" weight="10.0" severity="medium"><version>SRG-APP-000003-UEM-000003</version><title>The UEM server must initiate a session lock after a 15-minute period of inactivity.</title><description>&lt;VulnDiscussion&gt;A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system, but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their application session prior to vacating the vicinity, applications need to be able to identify when a user's application session has idled and take action to initiate the session lock.
+
+The session lock is implemented at the point where session activity can be determined and/or controlled. This is typically at the operating system level and results in a system lock, but may be at the application level where the application interface window is secured instead. 
+
+Satisfies:FMT_SMF.1.1(2) c.8 
+Reference:PP-MDM-411047&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000057</ident><fixtext fixref="F-37427r613842_fix">Configure the UEM server to initiate a session lock after a 15-minute period of inactivity.</fixtext><fix id="F-37427r613842_fix" /><check system="C-37462r613841_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server initiates a session lock after a 15-minute period of inactivity.
+
+If the UEM server does not initiate a session lock after a 15-minute period of inactivity, this is a finding.</check-content></check></Rule></Group><Group id="V-234278"><title>SRG-APP-000004</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234278r985740_rule" weight="10.0" severity="medium"><version>SRG-APP-000004-UEM-000004</version><title>The MDM server must provide the capability for users to directly initiate a session lock.</title><description>&lt;VulnDiscussion&gt;A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system, but does not want to log out because of the temporary nature of the absence. 
+
+The session lock is implemented at the point where session activity can be determined. This is typically at the operating system level, but may be at the application level. Rather than be forced to wait for a period of time to expire before the user session can be locked, applications need to provide users with the ability to manually invoke a session lock so users may secure their application should the need arise for them to temporarily vacate the immediate physical vicinity. 
+
+Satisfies:FMT_SMF.1.1(2) b 
+Reference:PP-MDM-431012&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000057</ident><fixtext fixref="F-37428r613845_fix">Configure the UEM server to provide the capability for users to directly initiate a session lock.</fixtext><fix id="F-37428r613845_fix" /><check system="C-37463r613844_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server provides the capability for users to directly initiate a session lock.
+
+If the UEM server does not provide the capability for users to directly initiate a session lock, this is a finding.</check-content></check></Rule></Group><Group id="V-234279"><title>SRG-APP-000005</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234279r960747_rule" weight="10.0" severity="medium"><version>SRG-APP-000005-UEM-000005</version><title>The MDM server must retain the session lock until the user reestablishes access using established identification and authentication procedures.</title><description>&lt;VulnDiscussion&gt;A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system, but does not want to log out because of the temporary nature of the absence. 
+
+The session lock is implemented at the point where session activity can be determined. This is typically determined and performed at the operating system level, but in some instances it may be at the application level. 
+
+Regardless of where the session lock is determined and implemented, once invoked the session lock must remain in place until the user re-authenticates. No other system or application activity aside from re-authentication will unlock the system. 
+
+Satisfies:FMT_SMF.1.1(2) b 
+Reference:PP-MDM-431013&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000056</ident><fixtext fixref="F-37429r613848_fix">Configure the MDM server to retain the session lock until the user reestablishes access using established identification and authentication procedures.</fixtext><fix id="F-37429r613848_fix" /><check system="C-37464r613847_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server retains the session lock until the user reestablishes access using established identification and authentication procedures.
+
+If the UEM server does not retain the session lock until the user reestablishes access using established identification and authentication procedures, this is a finding.</check-content></check></Rule></Group><Group id="V-234283"><title>SRG-APP-000014</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234283r960759_rule" weight="10.0" severity="medium"><version>SRG-APP-000014-UEM-000009</version><title>The UEM server must use TLS 1.2, or higher, to protect the confidentiality of sensitive data during electronic dissemination using remote access.</title><description>&lt;VulnDiscussion&gt;Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol.
+
+This requirement applies to Transport Layer Security (TLS) gateways (also known as Secure Sockets Layer [SSL] gateways), web servers, and web applications and is not applicable to virtual private network (VPN) devices. Application protocols such as HTTPS and DNSSEC use TLS as the underlying security protocol and thus are in scope for this requirement. NIST SP 800-52 provides guidance for client negotiation on either DoD-only or on public-facing servers. 
+
+Satisfies:FCS_TLSC_EXT.1.1 
+Reference:PP-MDM-412061&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000068</ident><fixtext fixref="F-37433r613860_fix">Configure the UEM server to use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access.</fixtext><fix id="F-37433r613860_fix" /><check system="C-37468r613859_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server uses TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access.
+
+If the UEM server does not use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access, this is a finding.</check-content></check></Rule></Group><Group id="V-234286"><title>SRG-APP-000023</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234286r960768_rule" weight="10.0" severity="medium"><version>SRG-APP-000023-UEM-000012</version><title>The UEM server must provide automated mechanisms for supporting account management functions.</title><description>&lt;VulnDiscussion&gt;Enterprise environments make application account management challenging and complex. A manual process for account management functions adds the risk of a potential oversight or other error. 
+
+A comprehensive application account management process that includes automation helps to ensure accounts designated as requiring attention are consistently and promptly addressed. Examples include, but are not limited to, using automation to take action on multiple accounts designated as inactive, suspended, or terminated or by disabling accounts located in non-centralized account stores such as multiple servers. This requirement applies to all account types, including individual/user, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service.
+
+The application must be configured to automatically provide account management functions and these functions must immediately enforce the organization's current account policy. The automated mechanisms may reside within the application itself or may be offered by the operating system or other infrastructure providing automated account management capabilities. Automated mechanisms may be comprised of differing technologies that when placed together contain an overall automated mechanism supporting an organization's automated account management requirements.
+
+Account management functions include: assignment of group or role membership; identifying account type; specifying user access authorizations (i.e., privileges); account removal, update, or termination; and administrative alerts. The use of automated mechanisms can include, for example: using email or text messaging to automatically notify account managers when users are terminated or transferred; using the information system to monitor account usage; and using automated telephonic notification to report atypical system account usage.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000015</ident><fixtext fixref="F-37436r613869_fix">Configure the UEM server to provide automated mechanisms for supporting account management functions.</fixtext><fix id="F-37436r613869_fix" /><check system="C-37471r613868_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Requirement is Not Applicable when UEM server is configured to use DoD Central Directory Service for administrator account authentication.
+
+Verify the UEM server provides automated mechanisms for supporting account management functions.
+
+If the UEM server does not provide automated mechanisms for supporting account management functions, this is a finding.</check-content></check></Rule></Group><Group id="V-234287"><title>SRG-APP-000024</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234287r960771_rule" weight="10.0" severity="medium"><version>SRG-APP-000024-UEM-000013</version><title>The UEM server must automatically remove or disable temporary user accounts after 72 hours if supported by the UEM server.</title><description>&lt;VulnDiscussion&gt;If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated termination of all temporary user accounts must be set upon account creation.
+
+Temporary user accounts are established as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. 
+
+If temporary user accounts are used, the application must be configured to automatically terminate these types of accounts after a DoD-defined time period of 72 hours.
+
+To address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access mechanisms meeting or exceeding access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000016</ident><fixtext fixref="F-37437r613872_fix">Configure the UEM server to automatically remove or disable temporary user accounts after 72 hours, if supported by the UEM server.</fixtext><fix id="F-37437r613872_fix" /><check system="C-37472r613871_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Requirement is Not Applicable when the UEM server is configured to use DoD Central Directory Service for administrator account authentication.
+
+Verify the UEM server automatically removes or disables temporary user accounts after 72 hours, if supported by the UEM server.
+
+If the UEM server does not automatically remove or disable temporary user accounts after 72 hours, if supported by the UEM server, this is a finding.</check-content></check></Rule></Group><Group id="V-234288"><title>SRG-APP-000025</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234288r960774_rule" weight="10.0" severity="medium"><version>SRG-APP-000025-UEM-000014</version><title>The UEM server must automatically disable accounts after a 35-day period of account inactivity.</title><description>&lt;VulnDiscussion&gt;Attackers that are able to exploit an inactive account can potentially obtain and maintain undetected access to an application. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. Applications need to track periods of user inactivity and disable accounts after 35 days of inactivity. Such a process greatly reduces the risk that accounts will be hijacked, leading to a data compromise.
+
+To address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality.
+
+This policy does not apply to either emergency accounts or infrequently used accounts. Infrequently used accounts are local login administrator accounts used by system administrators when network or normal logon/access is not available. Emergency accounts are administrator accounts created in response to crisis situations. 
+
+Satisfies:FMT_SMF.1(2)b. 
+Reference:PP-MDM-431027&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000017</ident><fixtext fixref="F-37438r613875_fix">Configure the UEM server to automatically disable accounts after a 35-day period of account inactivity.</fixtext><fix id="F-37438r613875_fix" /><check system="C-37473r613874_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Requirement is Not Applicable when the UEM server is configured to use DoD Central Directory Service for administrator account authentication.
+
+Verify the UEM server automatically disables accounts after a 35-day period of account inactivity.
+
+If the UEM server does not automatically disable accounts after a 35-day period of account inactivity, this is a finding.</check-content></check></Rule></Group><Group id="V-234289"><title>SRG-APP-000026</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234289r960777_rule" weight="10.0" severity="medium"><version>SRG-APP-000026-UEM-000015</version><title>The UEM server must automatically audit account creation.</title><description>&lt;VulnDiscussion&gt;Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply create a new account. Auditing of account creation is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail documents the creation of application user accounts and, as required, notifies administrators and/or application owners exists. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes. 
+
+To address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access/auditing mechanisms meeting or exceeding access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality. 
+
+Satisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 
+Reference:PP-MDM-411065, PP-MDM-412000&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000018</ident><fixtext fixref="F-37439r613878_fix">Configure the UEM server to automatically audit account creation.</fixtext><fix id="F-37439r613878_fix" /><check system="C-37474r613877_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Requirement is Not Applicable when UEM server is configured to use DoD Central Directory Service for administrator account authentication.
+
+Verify the UEM server automatically audits account creation.
+
+If the UEM server does not automatically audit account creation, this is a finding.</check-content></check></Rule></Group><Group id="V-234290"><title>SRG-APP-000027</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234290r960780_rule" weight="10.0" severity="medium"><version>SRG-APP-000027-UEM-000016</version><title>The UEM server must automatically audit account modification.</title><description>&lt;VulnDiscussion&gt;Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply modify an existing account. Auditing of account creation is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail documents the creation of application user accounts and, as required, notifies administrators and/or application owners exists. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes. 
+
+To address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access/auditing mechanisms meeting or exceeding access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality. 
+
+Satisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 
+Reference:PP-MDM-411065, PP-MDM-412000&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001403</ident><fixtext fixref="F-37440r613881_fix">Configure the UEM server to automatically audit account modification.</fixtext><fix id="F-37440r613881_fix" /><check system="C-37475r613880_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Requirement is Not Applicable when UEM server is configured to use DoD Central Directory Service for administrator account authentication.
+
+Verify the UEM server automatically audits account modification.
+
+If the UEM server does not automatically audit account modification, this is a finding.</check-content></check></Rule></Group><Group id="V-234291"><title>SRG-APP-000028</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234291r960783_rule" weight="10.0" severity="medium"><version>SRG-APP-000028-UEM-000017</version><title>The UEM server must automatically audit account disabling actions.</title><description>&lt;VulnDiscussion&gt;When application accounts are disabled, user accessibility is affected. Once an attacker establishes access to an application, the attacker often attempts to disable authorized accounts to disrupt services or prevent the implementation of countermeasures. Auditing account disabling actions provides logging that can be used for forensic purposes.
+
+To address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access/audit mechanisms meeting or exceeding access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality. 
+
+Satisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 
+Reference:PP-MDM-411065, PP-MDM-412000&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001404</ident><fixtext fixref="F-37441r613884_fix">Configure the UEM server to automatically audit account disabling actions.</fixtext><fix id="F-37441r613884_fix" /><check system="C-37476r613883_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Requirement is Not Applicable when the UEM server is configured to use DoD Central Directory Service for administrator account authentication.
+
+Verify the UEM server automatically audits account disabling actions.
+
+If the UEM server does not automatically audit account disabling actions, this is a finding.</check-content></check></Rule></Group><Group id="V-234292"><title>SRG-APP-000029</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234292r960786_rule" weight="10.0" severity="medium"><version>SRG-APP-000029-UEM-000018</version><title>The UEM server must automatically audit account removal actions.</title><description>&lt;VulnDiscussion&gt;When application accounts are removed, user accessibility is affected. Once an attacker establishes access to an application, the attacker often attempts to remove authorized accounts to disrupt services or prevent the implementation of countermeasures. Auditing account removal actions provides logging that can be used for forensic purposes.
+
+To address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access/audit mechanisms meeting or exceeding access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality. 
+
+Satisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 
+Reference:PP-MDM-411065, PP-MDM-412000&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001405</ident><fixtext fixref="F-37442r613887_fix">Configure the UEM server to automatically audit account removal actions.</fixtext><fix id="F-37442r613887_fix" /><check system="C-37477r613886_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Requirement is Not Applicable when the UEM server is configured to use DoD Central Directory Service for administrator account authentication.
+
+Verify the UEM server automatically audits account removal actions.
+
+If the UEM server does not automatically audit account removal actions, this is a finding.</check-content></check></Rule></Group><Group id="V-234310"><title>SRG-APP-000065</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234310r960840_rule" weight="10.0" severity="medium"><version>SRG-APP-000065-UEM-000036</version><title>The UEM server must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.</title><description>&lt;VulnDiscussion&gt;By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account. 
+
+Satisfies:FMT_SMF.1(2)b. 
+Reference:PP-MDM-431028&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000044</ident><fixtext fixref="F-37460r613941_fix">Configure the UEM server to enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.</fixtext><fix id="F-37460r613941_fix" /><check system="C-37495r617396_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Requirement is Not Applicable when the UEM server is configured to use DoD Central Directory Service for administrator account authentication.
+
+Verify the UEM server enforces the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.
+
+If the UEM server does not enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period, this is a finding.</check-content></check></Rule></Group><Group id="V-234311"><title>SRG-APP-000068</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234311r960843_rule" weight="10.0" severity="medium"><version>SRG-APP-000068-UEM-000037</version><title>The UEM server must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the application.</title><description>&lt;VulnDiscussion&gt;Display of the DoD-approved use notification before granting access to the application ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
+
+System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.
+
+The banner must be formatted in accordance with DTM-08-060. Use the following verbiage for applications that can accommodate banners of 1300 characters:
+
+"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
+
+By using this IS (which includes any device attached to this IS), you consent to the following conditions:
+
+-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
+
+-At any time, the USG may inspect and seize data stored on this IS.
+
+-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
+
+-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
+
+-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
+
+Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner:
+
+"I've read &amp; consent to terms in IS user agreem't." 
+
+Satisfies:FTA_TAB.1.1, FMT_SMF.1.1(2) c.2 
+Reference:PP-MDM-411056&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000048</ident><fixtext fixref="F-37461r613944_fix">Configure the UEM server to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the application.</fixtext><fix id="F-37461r613944_fix" /><check system="C-37496r613943_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the application.
+
+If the UEM server does not display the Standard Mandatory DoD Notice and Consent Banner before granting access to the application, this is a finding.</check-content></check></Rule></Group><Group id="V-234312"><title>SRG-APP-000069</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234312r960846_rule" weight="10.0" severity="low"><version>SRG-APP-000069-UEM-000038</version><title>The UEM server must retain the access banner until the user acknowledges acceptance of the access conditions.</title><description>&lt;VulnDiscussion&gt;The banner must be acknowledged by the user prior to allowing the user access to the application. This provides assurance that the user has seen the message and accepted the conditions for access. If the consent banner is not acknowledged by the user, DoD will not be in compliance with system use notifications required by law. 
+
+To establish acceptance of the application usage policy, a click-through banner at application logon is required. The application must prevent further activity until the user executes a positive action to manifest agreement by clicking on a box indicating "OK". 
+
+Satisfies:FTA_TAB.1.1 
+Reference:PP-MDM-413003&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000050</ident><fixtext fixref="F-37462r613947_fix">Configure the UEM server to retain the access banner until the user acknowledges acceptance of the access conditions.</fixtext><fix id="F-37462r613947_fix" /><check system="C-37497r613946_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server retains the access banner until the user acknowledges acceptance of the access conditions.
+
+If the UEM server does not retain the access banner until the user acknowledges acceptance of the access conditions, this is a finding.</check-content></check></Rule></Group><Group id="V-234318"><title>SRG-APP-000080</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234318r960864_rule" weight="10.0" severity="medium"><version>SRG-APP-000080-UEM-000044</version><title>The UEM server must protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.</title><description>&lt;VulnDiscussion&gt;Without non-repudiation, it is impossible to positively attribute an action to an individual (or process acting on behalf of an individual). 
+
+Non-repudiation services can be used to determine if information originated from a particular individual, or if an individual took specific actions (e.g., sending an email, signing a contract, approving a procurement request) or received specific information. Non-repudiation protects individuals against later claims by an author of not having authored a particular document, a sender of not having transmitted a message, a receiver of not having received a message, or a signatory of not having signed a document. The application will be configured to provide non-repudiation services for an organization-defined set of commands that are used by the user (or processes action on behalf of the user).
+
+DoD PKI provides for non-repudiation through the use of digital signatures. Non-repudiation requirements will vary from one application to another and will be defined based on application functionality, data sensitivity, and mission requirements. 
+
+Satisfies:FCS_COP.1.1(3), FCS_COP.1.1(4)&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000166</ident><fixtext fixref="F-37468r613965_fix">Configure the UEM server to protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.</fixtext><fix id="F-37468r613965_fix" /><check system="C-37503r613964_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server protects against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.
+
+If the UEM server does not protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation this is a finding.</check-content></check></Rule></Group><Group id="V-234323"><title>SRG-APP-000089</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234323r960879_rule" weight="10.0" severity="medium"><version>SRG-APP-000089-UEM-000049</version><title>The UEM server must provide audit record generation capability for DoD-defined auditable events within all application components.</title><description>&lt;VulnDiscussion&gt;Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. 
+
+Audit records can be generated from various components within the application (e.g., process, module). Certain specific application functionalities may be audited as well. The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records.
+
+DoD has defined the list of events for which the application will provide an audit record generation capability as the following: 
+
+(i) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels);
+
+(ii) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; and
+
+(iii) All account creation, modification, disabling, and termination actions.
+
+DoD Required auditable events:
+- Change in enrollment status
+- Failure to apply policies to a mobile device
+- Start up and shut down of the UEM System
+- All administrative actions
+- Commands issued to the UEM Agent
+- Server component failure
+- All system alerts, including system integrity verification failures 
+
+Satisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 
+Reference:PP-MDM-411065, PP-MDM-412000&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000169</ident><fixtext fixref="F-37473r613980_fix">Configure the UEM server to provide audit record generation capability for DoD-defined auditable events within all application components.</fixtext><fix id="F-37473r613980_fix" /><check system="C-37508r613979_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server provides audit record generation capability for DoD-defined auditable events within all application components.
+
+If the UEM server does not provide audit record generation capability for DoD-defined auditable events within all application components, this is a finding.</check-content></check></Rule></Group><Group id="V-234324"><title>SRG-APP-000089</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234324r960879_rule" weight="10.0" severity="medium"><version>SRG-APP-000089-UEM-000050</version><title>The UEM server must be configured to provide audit records in a manner suitable for the Authorized Administrators to interpret the information.</title><description>&lt;VulnDiscussion&gt;Successful incident response and auditing relies on timely, accurate system information and analysis in order to allow the organization to identify and respond to potential incidents in a proficient manner. If the application does not provide the ability to centrally review the application logs, forensic analysis is negatively impacted. 
+
+Segregation of logging data to multiple disparate computer systems is counterproductive and makes log analysis and log event alarming difficult to implement and manage, particularly when the system or application has multiple logging components written to different locations or systems.
+
+Automated mechanisms for centralized reviews and analyses include, for example, Security Information Management products. 
+
+Satisfies:FAU_SAR.1.2 
+Reference:PP-MDM-413050&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000169</ident><fixtext fixref="F-37474r613983_fix">Configure the UEM server to be configured to provide audit records in a manner suitable for the Authorized Administrators to interpret the information.</fixtext><fix id="F-37474r613983_fix" /><check system="C-37509r613982_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server provides audit records in a manner suitable for the Authorized Administrators to interpret the information.
+
+If the UEM server does not provide audit records in a manner suitable for the Authorized Administrators to interpret the information, this is a finding.</check-content></check></Rule></Group><Group id="V-234325"><title>SRG-APP-000090</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234325r960882_rule" weight="10.0" severity="medium"><version>SRG-APP-000090-UEM-000051</version><title>The UEM server must be configured to allow only specific administrator roles to select which auditable events are to be audited.</title><description>&lt;VulnDiscussion&gt;Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. 
+
+The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. 
+
+Satisfies:FMT_SMR.1.1(1) 
+Reference:PP-MDM-411058&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000171</ident><fixtext fixref="F-37475r613986_fix">Configure the UEM server to be configured to allow only specific administrator roles to select which auditable events are to be audited.</fixtext><fix id="F-37475r613986_fix" /><check system="C-37510r613985_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server allows only specific administrator roles to select which auditable events are to be audited.
+
+If the UEM server does not allow only specific administrator roles to select which auditable events are to be audited, this is a finding.</check-content></check></Rule></Group><Group id="V-234326"><title>SRG-APP-000091</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234326r960885_rule" weight="10.0" severity="medium"><version>SRG-APP-000091-UEM-000052</version><title>The UEM server must generate audit records when successful/unsuccessful attempts to access privileges occur.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. 
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter). 
+
+Satisfies:FAU_GEN.1.1(1)&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000172</ident><fixtext fixref="F-37476r613989_fix">Configure the UEM server to generate audit records when successful/unsuccessful attempts to access privileges occur.</fixtext><fix id="F-37476r613989_fix" /><check system="C-37511r613988_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server generates audit records when successful/unsuccessful attempts to access privileges occur.
+
+If the UEM server does not generate audit records when successful/unsuccessful attempts to access privileges occur, this is a finding.</check-content></check></Rule></Group><Group id="V-234327"><title>SRG-APP-000092</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234327r960888_rule" weight="10.0" severity="medium"><version>SRG-APP-000092-UEM-000053</version><title>The UEM server must initiate session auditing upon startup.</title><description>&lt;VulnDiscussion&gt;If auditing is enabled late in the startup process, the actions of some start-up processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created. 
+
+Satisfies:FAU_GEN.1.1(1)&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001464</ident><fixtext fixref="F-37477r613992_fix">Configure the UEM server to initiate session auditing upon startup.</fixtext><fix id="F-37477r613992_fix" /><check system="C-37512r613991_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server initiate session auditing upon startup.
+
+If the UEM server does not initiate session auditing upon startup, this is a finding.</check-content></check></Rule></Group><Group id="V-234328"><title>SRG-APP-000095</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234328r960891_rule" weight="10.0" severity="medium"><version>SRG-APP-000095-UEM-000055</version><title>The UEM server must be configured to produce audit records containing information to establish what type of events occurred.</title><description>&lt;VulnDiscussion&gt;Without establishing what type of event occurred, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. 
+
+Audit record content that may be necessary to satisfy the requirement of this policy includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.
+
+Associating event types with detected events in the application and audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured application. 
+
+Satisfies:FAU_GEN.1.2(1) 
+Reference:PP-MDM-412060&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000130</ident><fixtext fixref="F-37478r613995_fix">Configure the UEM server to be configured to produce audit records containing information to establish what type of events occurred.</fixtext><fix id="F-37478r613995_fix" /><check system="C-37513r613994_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server produces audit records containing information to establish what type of events occurred.
+
+If the UEM server does not produce audit records containing information to establish what type of events occurred, this is a finding.</check-content></check></Rule></Group><Group id="V-234329"><title>SRG-APP-000096</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234329r960894_rule" weight="10.0" severity="medium"><version>SRG-APP-000096-UEM-000056</version><title>The UEM server must be configured to produce audit records containing information to establish when (date and time) the events occurred.</title><description>&lt;VulnDiscussion&gt;Without establishing when events occurred, it is impossible to establish, correlate, and investigate the events relating to an incident.
+
+In order to compile an accurate risk assessment, and provide forensic analysis, it is essential for security personnel to know when events occurred (date and time). 
+
+Associating event types with detected events in the application and audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured application. 
+
+Satisfies:FAU_GEN.1.2(1) 
+Reference:PP-MDM-412060&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000131</ident><fixtext fixref="F-37479r613998_fix">Configure the UEM server to be configured to produce audit records containing information to establish when (date and time) the events occurred.</fixtext><fix id="F-37479r613998_fix" /><check system="C-37514r613997_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server produces audit records containing information to establish when (date and time) the events occurred.
+
+If the UEM server does not produce audit records containing information to establish when (date and time) the events occurred, this is a finding.</check-content></check></Rule></Group><Group id="V-234330"><title>SRG-APP-000097</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234330r960897_rule" weight="10.0" severity="medium"><version>SRG-APP-000097-UEM-000057</version><title>The UEM server must be configured to produce audit records containing information to establish where the events occurred.</title><description>&lt;VulnDiscussion&gt;Failure to generate these audit records makes it more difficult to identify or investigate attempted or successful compromises, potentially causing incidents to last longer than necessary. 
+
+Satisfies:FAU_GEN.1.2(1) 
+Reference:PP-MDM-412060&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000132</ident><fixtext fixref="F-37480r614001_fix">Configure the UEM server to be configured to produce audit records containing information to establish where the events occurred.</fixtext><fix id="F-37480r614001_fix" /><check system="C-37515r614000_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server produces audit records containing information to establish where the events occurred.
+
+If the UEM server does not produce audit records containing information to establish where the events occurred, this is a finding.</check-content></check></Rule></Group><Group id="V-234331"><title>SRG-APP-000098</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234331r960900_rule" weight="10.0" severity="medium"><version>SRG-APP-000098-UEM-000058</version><title>The UEM server must be configured to produce audit records containing information to establish the source of the events.</title><description>&lt;VulnDiscussion&gt;Without establishing the source of the event, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack.
+
+In addition to logging where events occur within the application, the application must also produce audit records that identify the application itself as the source of the event.
+
+In the case of centralized logging, the source would be the application name accompanied by the host or client name. 
+
+In order to compile an accurate risk assessment, and provide forensic analysis, it is essential for security personnel to know the source of the event, particularly in the case of centralized logging.
+
+Associating information about the source of the event within the application provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured application. 
+
+Satisfies:FAU_GEN.1.2(1) 
+Reference:PP-MDM-412060&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000133</ident><fixtext fixref="F-37481r614004_fix">Configure the UEM server to be configured to produce audit records containing information to establish the source of the events.</fixtext><fix id="F-37481r614004_fix" /><check system="C-37516r614003_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server produces audit records containing information to establish the source of the events.
+
+If the UEM server does not produce audit records containing information to establish the source of the events, this is a finding.</check-content></check></Rule></Group><Group id="V-234332"><title>SRG-APP-000099</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234332r960903_rule" weight="10.0" severity="medium"><version>SRG-APP-000099-UEM-000059</version><title>The UEM server must be configured to produce audit records that contain information to establish the outcome of the events.</title><description>&lt;VulnDiscussion&gt;Without information about the outcome of events, security personnel cannot make an accurate assessment as to whether an attack was successful or if changes were made to the security state of the system.
+
+Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the information system after the event occurred). As such, they also provide a means to measure the impact of an event and help authorized personnel to determine the appropriate response. 
+
+Satisfies:FAU_GEN.1.2(1) 
+Reference:PP-MDM-412060&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000134</ident><fixtext fixref="F-37482r614007_fix">Configure the UEM server to be configured to produce audit records that contain information to establish the outcome of the events.</fixtext><fix id="F-37482r614007_fix" /><check system="C-37517r614006_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server produces audit records that contain information to establish the outcome of the events.
+
+If the UEM server does not produce audit records that contain information to establish the outcome of the events, this is a finding.</check-content></check></Rule></Group><Group id="V-234333"><title>SRG-APP-000100</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234333r960906_rule" weight="10.0" severity="medium"><version>SRG-APP-000100-UEM-000060</version><title>The UEM server must be configured to generate audit records containing information that establishes the identity of any individual or process associated with the event.</title><description>&lt;VulnDiscussion&gt;Without information that establishes the identity of the subjects (i.e., users or processes acting on behalf of users) associated with the events, security personnel cannot determine responsibility for the potentially harmful event.
+
+Event identifiers (if authenticated or otherwise known) include, but are not limited to, user database tables, primary key values, user names, or process identifiers. 
+
+Satisfies:FAU_GEN.1.2(1) 
+Reference:PP-MDM-412060&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001487</ident><fixtext fixref="F-37483r614010_fix">Configure the UEM server to be configured to generate audit records containing information that establishes the identity of any individual or process associated with the event.</fixtext><fix id="F-37483r614010_fix" /><check system="C-37518r614009_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server generates audit records containing information that establishes the identity of any individual or process associated with the event.
+
+If the UEM server does not generate audit records containing information that establishes the identity of any individual or process associated with the event, this is a finding.</check-content></check></Rule></Group><Group id="V-234334"><title>SRG-APP-000101</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234334r960909_rule" weight="10.0" severity="medium"><version>SRG-APP-000101-UEM-000061</version><title>The UEM server must be configured to generate audit records containing the full-text recording of privileged commands or the individual identities of group account users.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. 
+
+Organizations consider limiting the additional audit information to only that information explicitly needed for specific audit requirements. The additional information required is dependent on the type of information (i.e., sensitivity of the data and the environment within which it resides). At a minimum, the organization must audit either full-text recording of privileged commands or the individual identities of group users, or both. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. 
+
+In addition, the application must have the capability to include organization-defined additional, more detailed information in the audit records for audit events. 
+
+Satisfies:FAU_GEN.1.2(1) 
+Reference:PP-MDM-412060&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000135</ident><fixtext fixref="F-37484r614013_fix">Configure the UEM server to be configured to generate audit records containing the full-text recording of privileged commands or the individual identities of group account users.</fixtext><fix id="F-37484r614013_fix" /><check system="C-37519r614012_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server generates audit records containing the full-text recording of privileged commands or the individual identities of group account users.
+
+If the UEM server does not generate audit records containing the full-text recording of privileged commands or the individual identities of group account users, this is a finding.</check-content></check></Rule></Group><Group id="V-234335"><title>SRG-APP-000108</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234335r960912_rule" weight="10.0" severity="medium"><version>SRG-APP-000108-UEM-000062</version><title>The UEM SRG must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.</title><description>&lt;VulnDiscussion&gt;It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected. 
+
+Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.
+
+This requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both. 
+
+Satisfies:FAU_ALT_EXT.1.1 
+Reference:PP-MDM-412059&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000139</ident><fixtext fixref="F-37485r614016_fix">Configure the UEM server to alert the ISSO and SA (at a minimum) in the event of an audit processing failure.</fixtext><fix id="F-37485r614016_fix" /><check system="C-37520r614015_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server alerts the ISSO and SA (at a minimum) in the event of an audit processing failure.
+
+If the UEM server does not alert the ISSO and SA (at a minimum) in the event of an audit processing failure, this is a finding.</check-content></check></Rule></Group><Group id="V-234340"><title>SRG-APP-000116</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234340r960927_rule" weight="10.0" severity="medium"><version>SRG-APP-000116-UEM-000067</version><title>The UEM server must use host operating system clocks to generate time stamps for audit records.</title><description>&lt;VulnDiscussion&gt;Without an internal clock used as the reference for the time stored on each event to provide a trusted common reference for the time, forensic analysis would be impeded. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. 
+
+If the internal clock is not used, the system may not be able to provide time stamps for log messages. Additionally, externally generated time stamps may not be accurate. Applications can use the capability of an operating system or purpose-built module for this purpose. 
+
+Satisfies: OE.TIMESTAMP, FAU_GEN.1.2(1)&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000159</ident><fixtext fixref="F-37490r614031_fix">Configure the UEM server to use host operating system clocks to generate time stamps for audit records.</fixtext><fix id="F-37490r614031_fix" /><check system="C-37525r614030_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server uses host operating system clocks to generate time stamps for audit records.
+
+If the UEM server does not use host operating system clocks to generate time stamps for audit records, this is a finding</check-content></check></Rule></Group><Group id="V-234341"><title>SRG-APP-000118</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234341r960930_rule" weight="10.0" severity="medium"><version>SRG-APP-000118-UEM-000068</version><title>The UEM server must protect audit information from any type of unauthorized read access.</title><description>&lt;VulnDiscussion&gt;If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult if not impossible to achieve. In addition, access to audit records provides information an attacker could potentially use to his or her advantage.
+
+To ensure the veracity of audit data, the information system and/or the application must protect audit information from any and all unauthorized access. This includes read, write, and copy access.
+
+This requirement can be achieved through multiple methods, which will depend upon system architecture and design. Commonly employed methods for protecting audit information include least privilege permissions as well as restricting the location and number of log file repositories.
+
+Additionally, applications with user interfaces to audit records must not allow for the unfettered manipulation of or access to those records via the application. If the application provides access to the audit data, the application becomes accountable for ensuring audit information is protected from unauthorized access.
+
+Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. 
+
+Satisfies:FIA_UAU.1.2, FMT_SMR.1.1(1)&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000162</ident><fixtext fixref="F-37491r614034_fix">Configure the UEM server to protect audit information from any type of unauthorized read access.</fixtext><fix id="F-37491r614034_fix" /><check system="C-37526r614033_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server protects audit information from any type of unauthorized read access.
+
+If the UEM server does not protect audit information from any type of unauthorized read access, this is a finding</check-content></check></Rule></Group><Group id="V-234342"><title>SRG-APP-000119</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234342r960933_rule" weight="10.0" severity="medium"><version>SRG-APP-000119-UEM-000069</version><title>The UEM server must protect audit information from unauthorized modification.</title><description>&lt;VulnDiscussion&gt;If audit data were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. 
+
+To ensure the veracity of audit data, the information system and/or the application must protect audit information from unauthorized modification. 
+
+This requirement can be achieved through multiple methods, which will depend upon system architecture and design. Some commonly employed methods include ensuring log files receive the proper file system permissions, and limiting log data locations. 
+
+Applications providing a user interface to audit data will leverage user permissions and roles identifying the user accessing the data and the corresponding rights that the user enjoys in order to make access decisions regarding the modification of audit data.
+
+Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. 
+
+Satisfies:FIA_UAU.1.2, FMT_SMR.1.1(1)&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000163</ident><fixtext fixref="F-37492r614037_fix">Configure the UEM server to protect audit information from unauthorized modification.</fixtext><fix id="F-37492r614037_fix" /><check system="C-37527r614036_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server protects audit information from unauthorized modification.
+
+If the UEM server does not protect audit information from unauthorized modification, this is a finding.</check-content></check></Rule></Group><Group id="V-234343"><title>SRG-APP-000120</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234343r960936_rule" weight="10.0" severity="medium"><version>SRG-APP-000120-UEM-000070</version><title>The UEM server must protect audit information from unauthorized deletion.</title><description>&lt;VulnDiscussion&gt;If audit data were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. 
+
+To ensure the veracity of audit data, the information system and/or the application must protect audit information from unauthorized deletion. This requirement can be achieved through multiple methods, which will depend upon system architecture and design. 
+
+Some commonly employed methods include: ensuring log files receive the proper file system permissions utilizing file system protections, restricting access, and backing up log data to ensure log data is retained.
+
+Applications providing a user interface to audit data will leverage user permissions and roles identifying the user accessing the data and the corresponding rights the user enjoys in order make access decisions regarding the deletion of audit data.
+
+Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. Audit information may include data from other applications or be included with the audit application itself. 
+
+Satisfies:FIA_UAU.1.2, FMT_SMR.1.1(1)&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000164</ident><fixtext fixref="F-37493r614040_fix">Configure the UEM server to protect audit information from unauthorized deletion.</fixtext><fix id="F-37493r614040_fix" /><check system="C-37528r614039_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server protects audit information from unauthorized deletion.
+
+If the UEM server does not protect audit information from unauthorized deletion, this is a finding</check-content></check></Rule></Group><Group id="V-234347"><title>SRG-APP-000125</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234347r960948_rule" weight="10.0" severity="medium"><version>SRG-APP-000125-UEM-000074</version><title>The UEM server must back up audit records at least every seven days onto a log management server.</title><description>&lt;VulnDiscussion&gt;Protection of log data includes ensuring log data is not accidentally lost or deleted. Backing up audit records to a different system or onto separate media than the system being audited on an organizationally defined frequency helps ensure, in the event of a catastrophic system failure, the audit records will be retained. 
+
+This helps to ensure a compromise of the information system being audited does not also result in a compromise of the audit records.
+
+This requirement only applies to applications that have a native backup capability for audit records. Operating system backup requirements cover applications that do not provide native backup functions. 
+
+Satisfies:FAU_STG_EXT.1.1, FMT_SMF.1.1(2) Refinement b&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001348</ident><fixtext fixref="F-37497r614052_fix">Configure the UEM server to back up audit records at least every seven days onto a log management server.</fixtext><fix id="F-37497r614052_fix" /><check system="C-37532r614051_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server backs up audit records at least every seven days onto a log management server.
+
+If the UEM server does not back up audit records at least every seven days onto a log management server, this is a finding.</check-content></check></Rule></Group><Group id="V-234349"><title>SRG-APP-000131</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234349r985741_rule" weight="10.0" severity="medium"><version>SRG-APP-000131-UEM-000076</version><title>The UEM server must prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization.</title><description>&lt;VulnDiscussion&gt;Changes to any software components can have significant effects on the overall security of the application. Verifying software components have been digitally signed using a certificate that is recognized and approved by the organization ensures the software has not been tampered with and that it has been provided by a trusted vendor. 
+
+Accordingly, patches, service packs, or application components must be signed with a certificate recognized and approved by the organization. 
+
+Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The application should not have to verify the software again. This requirement does not mandate DOD certificates for this purpose; however, the certificate used to verify the software must be from an approved certificate authority (CA). 
+
+Satisfies:FIA_X509_EXT.1.1(1)&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-003992</ident><fixtext fixref="F-37499r614058_fix">Configure the UEM server to prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization.</fixtext><fix id="F-37499r614058_fix" /><check system="C-37534r614057_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server prevents the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization.
+
+If the UEM server does not prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization, this is a finding.</check-content></check></Rule></Group><Group id="V-234351"><title>SRG-APP-000133</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234351r960960_rule" weight="10.0" severity="medium"><version>SRG-APP-000133-UEM-000078</version><title>The UEM server must limit privileges to change the software resident within software libraries.</title><description>&lt;VulnDiscussion&gt;If the application were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.
+
+This requirement applies to applications with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs, which execute with escalated privileges. Only qualified and authorized individuals will be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. 
+
+Satisfies:FMT_SMR.1.1(1), FPT_TUD_EXT.1.2&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001499</ident><fixtext fixref="F-37501r614064_fix">Configure the UEM server to limit privileges to change the software resident within software libraries.</fixtext><fix id="F-37501r614064_fix" /><check system="C-37536r614063_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server limits privileges to change the software resident within software libraries.
+
+If the UEM server does not limit privileges to change the software resident within software libraries, this is a finding.</check-content></check></Rule></Group><Group id="V-234352"><title>SRG-APP-000141</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234352r960963_rule" weight="10.0" severity="medium"><version>SRG-APP-000141-UEM-000079</version><title>The UEM server must be configured to disable non-essential capabilities.</title><description>&lt;VulnDiscussion&gt;It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
+
+Applications are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). 
+
+Examples of non-essential capabilities include, but are not limited to, advertising software or browser plug-ins not related to requirements or providing a wide array of functionality not required for every mission, but cannot be disabled. 
+
+Satisfies:FMT_SMF.1.1(2) c.2 
+Reference:PP-MDM-411064&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000381</ident><fixtext fixref="F-37502r614067_fix">Configure the UEM server to be configured to disable non-essential capabilities.</fixtext><fix id="F-37502r614067_fix" /><check system="C-37537r614066_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server has disabled non-essential capabilities.
+
+If the UEM server has not disabled non-essential capabilities, this is a finding.</check-content></check></Rule></Group><Group id="V-234353"><title>SRG-APP-000142</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234353r960966_rule" weight="10.0" severity="medium"><version>SRG-APP-000142-UEM-000080</version><title>The firewall protecting the UEM server platform must be configured so only DoD-approved ports, protocols, and services are enabled. (See the DoD Ports, Protocols, Services Management [PPSM] Category Assurance Levels [CAL] list for DoD-approved ports, protocols, and services).</title><description>&lt;VulnDiscussion&gt;All ports, protocols, and services used on DoD networks must be approved and registered via the DoD PPSM process. This is to ensure a risk assessment has been completed before a new port, protocol, or service is configured on a DoD network and has been approved by proper DoD authorities. Otherwise, the new port, protocol, or service could cause a vulnerability to the DoD network, which could be exploited by an adversary. 
+
+Satisfies:FMT_SMF.1.1(2) Refinement b 
+Reference:PP-MDM-431006&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000382</ident><fixtext fixref="F-37503r614070_fix">Configure the firewall protecting the UEM server platform so that only DoD-approved ports, protocols, and services are enabled. (See the DoD PPSM CAL list for DoD-approved ports, protocols, and services).</fixtext><fix id="F-37503r614070_fix" /><check system="C-37538r614069_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the firewall protecting the UEM server platform is configured so that only DoD-approved ports, protocols, and services are enabled. (See the DoD PPSM CAL list for DoD-approved ports, protocols, and services).
+
+If the firewall protecting the UEM server platform is not configured so that only DoD-approved ports, protocols, and services are enabled, this is a finding.</check-content></check></Rule></Group><Group id="V-234354"><title>SRG-APP-000142</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234354r960966_rule" weight="10.0" severity="medium"><version>SRG-APP-000142-UEM-000081</version><title>The UEM server must be configured to use only documented platform APIs.</title><description>&lt;VulnDiscussion&gt;Authenticity protection provides protection against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions.
+
+Application communication sessions are protected utilizing transport encryption protocols, such as TLS. TLS provides web applications with a means to authenticate user sessions and encrypt application traffic. Session authentication can be single (one-way) or mutual (two-way) in nature. Single authentication authenticates the server for the client, whereas mutual authentication provides a means for both the client and the server to authenticate each other. 
+
+This requirement applies to applications that utilize communications sessions. This includes, but is not limited to, web-based applications and Service-Oriented Architectures (SOA). 
+
+This requirement addresses communications protection at the application session, versus the network packet, and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted. Depending on the required degree of confidentiality and integrity, web services/SOA will require the use of TLS mutual authentication (two-way/bidirectional). 
+
+Satisfies:FPT_API_EXT.1.1&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000382</ident><fixtext fixref="F-37504r614073_fix">Configure the UEM server to be configured to use only documented platform APIs.</fixtext><fix id="F-37504r614073_fix" /><check system="C-37539r614072_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server uses only documented platform APIs.
+
+If the UEM server does not use only documented platform APIs, this is a finding.</check-content></check></Rule></Group><Group id="V-234355"><title>SRG-APP-000148</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234355r960969_rule" weight="10.0" severity="medium"><version>SRG-APP-000148-UEM-000082</version><title>The UEM server must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).</title><description>&lt;VulnDiscussion&gt;To ensure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. 
+
+Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and any processes acting on behalf of users) must be uniquely identified and authenticated for all accesses, except the following.
+
+(i) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication; and 
+(ii) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity. 
+
+Satisfies: FIA 
+Reference:PP-MDM-414003&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000764</ident><fixtext fixref="F-37505r614076_fix">Configure the UEM server to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).</fixtext><fix id="F-37505r614076_fix" /><check system="C-37540r614075_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Requirement is Not Applicable when UEM server is configured to use DoD Central Directory Service for administrator account authentication.
+
+Verify the UEM server uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).
+
+If the UEM server does not uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users), this is a finding.</check-content></check></Rule></Group><Group id="V-234356"><title>SRG-APP-000149</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234356r960972_rule" weight="10.0" severity="medium"><version>SRG-APP-000149-UEM-000083</version><title>The UEM server must be configured to use a DoD Central Directory Service to provide multifactor authentication for network access to privileged and non-privileged accounts.</title><description>&lt;VulnDiscussion&gt;A comprehensive account management process that includes automation helps to ensure the accounts designated as requiring attention are consistently and promptly addressed. If an attacker compromises an account, the entire MDM server infrastructure is at risk. Providing automated support functions for the management of accounts will ensure only active accounts will be granted access with the proper authorization levels. These objectives are best achieved by configuring the MDM server to leverage an enterprise authentication mechanism (e.g., Microsoft Active Directory Kerberos). 
+
+Satisfies: FIA 
+Reference:PP-MDM-414003&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000765</ident><fixtext fixref="F-37506r614079_fix">Configure the UEM server to use a DoD Central Directory Service to provide multifactor authentication for network access to privileged and non-privileged accounts.</fixtext><fix id="F-37506r614079_fix" /><check system="C-37541r614078_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server uses a DoD Central Directory Service to provide multifactor authentication for network access to privileged and non-privileged accounts.
+
+If the UEM server does not use a DoD Central Directory Service to provide multifactor authentication for network access to privileged and non-privileged accounts, this is a finding.</check-content></check></Rule></Group><Group id="V-234358"><title>SRG-APP-000151</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234358r985742_rule" weight="10.0" severity="medium"><version>SRG-APP-000151-UEM-000085</version><title>All UEM server local accounts created during application installation and configuration must be removed. 
+
+Note: In this context local accounts refers to user and or administrator accounts on the server that use user name and password for user access and authentication.</title><description>&lt;VulnDiscussion&gt;A comprehensive account management process that includes automation helps to ensure the accounts designated as requiring attention are consistently and promptly addressed. If an attacker compromises an account, the entire MDM server infrastructure is at risk. Providing automated support functions for the management of accounts will ensure only active accounts will be granted access with the proper authorization levels. These objectives are best achieved by configuring the MDM server to leverage an enterprise authentication mechanism (e.g., Microsoft Active Directory Kerberos). 
+
+Satisfies:FMT_SMF.1.1(2) b / IA-5(1)(a) 
+Reference:PP-MDM-431007&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000765</ident><fixtext fixref="F-37508r985680_fix">Remove all UEM server local accounts created during application installation. 
+
+Note: In this context, "local" accounts refers to user and or administrator accounts on the server that use user name and password for user access and authentication.</fixtext><fix id="F-37508r985680_fix" /><check system="C-37543r985679_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify all UEM server local accounts created during application installation and configuration have been removed. 
+
+Note: In this context, "local" accounts refers to user and or administrator accounts on the server that use user name and password for user access and authentication.
+
+If all UEM server local accounts created during application installation and configuration have not been removed, this is a finding.</check-content></check></Rule></Group><Group id="V-234360"><title>SRG-APP-000153</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234360r985744_rule" weight="10.0" severity="medium"><version>SRG-APP-000153-UEM-000087</version><title>The UEM server must ensure users are authenticated with an individual authenticator prior to using a group authenticator.</title><description>&lt;VulnDiscussion&gt;To ensure individual accountability and prevent unauthorized access, application users must be individually identified and authenticated. 
+
+Individual accountability mandates that each user is uniquely identified. A group authenticator is a shared account or some other form of authentication that allows multiple unique individuals to access the application using a single account. 
+
+If an application allows or provides for group authenticators, it must first individually authenticate users prior to implementing group authenticator functionality. 
+
+Some applications may not have the need to provide a group authenticator; this is considered a matter of application design. In those instances where the application design includes the use of a group authenticator, this requirement will apply.
+
+There may also be instances when specific user actions need to be performed on the information system without unique user identification or authentication. An example of this type of access is a web server which contains publicly releasable information. 
+
+Satisfies: FIA 
+Reference:PP-MDM-414003&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-004045</ident><fixtext fixref="F-37510r614091_fix">Configure the UEM server to ensure users are authenticated with an individual authenticator prior to using a group authenticator.</fixtext><fix id="F-37510r614091_fix" /><check system="C-37545r985683_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Requirement is Not Applicable when UEM server is configured to use DOD Central Directory Service for administrator account authentication.
+
+Verify the UEM server ensures users are authenticated with an individual authenticator prior to using a group authenticator.
+
+If the UEM server does not ensure users are authenticated with an individual authenticator prior to using a group authenticator, this is a finding.</check-content></check></Rule></Group><Group id="V-234361"><title>SRG-APP-000154</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234361r985745_rule" weight="10.0" severity="medium"><version>SRG-APP-000154-UEM-000088</version><title>The UEM server must be configured to use DOD PKI for multifactor authentication. This requirement is included in SRG-APP-000149. </title><description>&lt;VulnDiscussion&gt;Using an authentication device, such as a common access card (CAC) or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. 
+
+Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards, such as the U.S. Government Personal Identity Verification card and the DOD CAC.
+
+A privileged account is any information system account with authorizations of a privileged user. 
+
+Network access is any access to an application by a user (or process acting on behalf of a user) where said access is obtained through a network connection.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-004046</ident><fixtext fixref="F-37511r985686_fix">Configure the UEM server to use DOD PKI for multifactor authentication.</fixtext><fix id="F-37511r985686_fix" /><check system="C-37546r985685_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server uses DOD PKI for multifactor authentication.
+
+If the UEM server does not use DOD PKI for multifactor authentication, this is a finding.</check-content></check></Rule></Group><Group id="V-234363"><title>SRG-APP-000156</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234363r960993_rule" weight="10.0" severity="high"><version>SRG-APP-000156-UEM-000090</version><title>The UEM server must use FIPS-validated SHA-2 or higher hash function to provide replay-resistant authentication mechanisms for network access to privileged accounts.</title><description>&lt;VulnDiscussion&gt;A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be vulnerable to a replay attack.
+
+Anti-replay is a cryptographically based mechanism; thus, it must use FIPS-approved algorithms. An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. Note that the anti-replay service is implicit when data contains monotonically increasing sequence numbers and data integrity is assured. Use of DoD PKI is inherently compliant with this requirement for user and device access. Use of Transport Layer Security (TLS), including application protocols, such as HTTPS and DNSSEC, that use TLS/SSL as the underlying security protocol is also complaint.
+
+Note: Although allowed by SP800-131Ar1 for some applications, SHA-1 is considered a compromised hashing standard and is being phased out of use by industry and government standards.
+
+Configure the information system to use the hash message authentication code (HMAC) algorithm for authentication services to Kerberos, SSH, web management tool, and any other access method. 
+
+Satisfies: FIA 
+Reference:PP-MDM-414003&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001941</ident><fixtext fixref="F-37513r614100_fix">Configure the UEM server to use FIPS-validated SHA-2 or higher hash function to provide replay-resistant authentication mechanisms for network access to privileged accounts.</fixtext><fix id="F-37513r614100_fix" /><check system="C-37548r614099_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Requirement is Not Applicable when UEM server is configured to use DoD Central Directory Service for administrator account authentication.
+
+Verify the UEM server uses FIPS-validated SHA-2 or higher hash function to provide replay-resistant authentication mechanisms for network access to privileged accounts.
+
+If the UEM server does not use FIPS-validated SHA-2 or higher hash function to provide replay-resistant authentication mechanisms for network access to privileged accounts, this is a finding.</check-content></check></Rule></Group><Group id="V-234364"><title>SRG-APP-000157</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234364r985747_rule" weight="10.0" severity="medium"><version>SRG-APP-000157-UEM-000091</version><title>The UEM server must implement replay-resistant authentication mechanisms for network access to nonprivileged accounts.</title><description>&lt;VulnDiscussion&gt;A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be vulnerable to a replay attack.
+
+An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. 
+
+A nonprivileged account is any operating system account with authorizations of a nonprivileged user. 
+
+Techniques used to address this include protocols using nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., TLS, WS_Security). Additional techniques include time-synchronous or challenge-response one-time authenticators. 
+
+Satisfies: FIA 
+Reference:PP-MDM-414003&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001941</ident><fixtext fixref="F-37514r985690_fix">Configure the UEM server to implement replay-resistant authentication mechanisms for network access to nonprivileged accounts.</fixtext><fix id="F-37514r985690_fix" /><check system="C-37549r985689_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Requirement is Not Applicable when UEM server is configured to use DOD Central Directory Service for administrator account authentication.
+
+Verify the UEM server implements replay-resistant authentication mechanisms for network access to nonprivileged accounts.
+
+If the UEM server does not implement replay-resistant authentication mechanisms for network access to non-privileged accounts, this is a finding.</check-content></check></Rule></Group><Group id="V-234367"><title>SRG-APP-000164</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234367r985748_rule" weight="10.0" severity="medium"><version>SRG-APP-000164-UEM-000094</version><title>The UEM server must enforce a minimum 15-character password length.</title><description>&lt;VulnDiscussion&gt;The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.
+
+Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. 
+
+Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password. 
+
+Satisfies:FMT_SMF.1(2)b 
+Reference:PP-MDM-431018&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-004066</ident><fixtext fixref="F-37517r614112_fix">Configure the UEM server to enforce a minimum 15-character password length.</fixtext><fix id="F-37517r614112_fix" /><check system="C-37552r614111_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server enforces a minimum 15-character password length.
+
+If the UEM server does not enforce a minimum 15-character password length, this is a finding.</check-content></check></Rule></Group><Group id="V-234368"><title>SRG-APP-000165</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234368r1015267_rule" weight="10.0" severity="medium"><version>SRG-APP-000165-UEM-000095</version><title>The UEM server must prohibit password reuse for a minimum of five generations.</title><description>&lt;VulnDiscussion&gt;Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. 
+
+To meet password policy requirements, passwords need to be changed at specific policy-based intervals. 
+
+If the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end result is a password that is not changed as per policy requirements. 
+
+Satisfies:FMT_SMF.1(2)b 
+Reference:PP-MDM-431025&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-004061</ident><fixtext fixref="F-37518r614115_fix">Configure the UEM server to prohibit password reuse for a minimum of five generations.</fixtext><fix id="F-37518r614115_fix" /><check system="C-37553r614114_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server prohibits password reuse for a minimum of five generations.
+
+If the UEM server does not prohibit password reuse for a minimum of five generations, this is a finding.</check-content></check></Rule></Group><Group id="V-234369"><title>SRG-APP-000166</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234369r985750_rule" weight="10.0" severity="medium"><version>SRG-APP-000166-UEM-000096</version><title>The UEM server must enforce password complexity by requiring that at least one uppercase character be used.</title><description>&lt;VulnDiscussion&gt;Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
+
+Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password is, the greater the number of possible combinations that need to be tested before the password is compromised. 
+
+Satisfies:FMT_SMF.1(2)b 
+Reference:PP-MDM-431020&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-004066</ident><fixtext fixref="F-37519r614118_fix">Configure the UEM server to enforce password complexity by requiring that at least one uppercase character be used.</fixtext><fix id="F-37519r614118_fix" /><check system="C-37554r614117_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server enforces password complexity by requiring that at least one uppercase character be used.
+
+If the UEM server does not enforce password complexity by requiring that at least one uppercase character be used, this is a finding.</check-content></check></Rule></Group><Group id="V-234370"><title>SRG-APP-000167</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234370r985751_rule" weight="10.0" severity="medium"><version>SRG-APP-000167-UEM-000097</version><title>The UEM server must enforce password complexity by requiring that at least one lowercase character be used.</title><description>&lt;VulnDiscussion&gt;Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. 
+
+Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. 
+
+Satisfies:FMT_SMF.1(2)b 
+Reference:PP-MDM-431019&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-004066</ident><fixtext fixref="F-37520r614121_fix">Configure the UEM server to enforce password complexity by requiring that at least one lowercase character be used.</fixtext><fix id="F-37520r614121_fix" /><check system="C-37555r614120_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server enforces password complexity by requiring that at least one lowercase character be used.
+
+If the UEM server does not enforce password complexity by requiring that at least one lowercase character be used, this is a finding.</check-content></check></Rule></Group><Group id="V-234371"><title>SRG-APP-000168</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234371r985752_rule" weight="10.0" severity="medium"><version>SRG-APP-000168-UEM-000098</version><title>The UEM server must enforce password complexity by requiring that at least one numeric character be used.</title><description>&lt;VulnDiscussion&gt;Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. 
+
+Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. 
+
+Satisfies:FMT_SMF.1(2)b 
+Reference:PP-MDM-431021&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-004066</ident><fixtext fixref="F-37521r614124_fix">Configure the UEM server to enforce password complexity by requiring that at least one numeric character be used.</fixtext><fix id="F-37521r614124_fix" /><check system="C-37556r614123_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server enforces password complexity by requiring that at least one numeric character be used.
+
+If the UEM server does not enforce password complexity by requiring that at least one numeric character be used, this is a finding.</check-content></check></Rule></Group><Group id="V-234372"><title>SRG-APP-000169</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234372r985753_rule" weight="10.0" severity="medium"><version>SRG-APP-000169-UEM-000099</version><title>The UEM server must enforce password complexity by requiring that at least one special character be used.</title><description>&lt;VulnDiscussion&gt;Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. 
+
+Password complexity is one factor in determining how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. 
+
+Special characters are those characters that are not alphanumeric. Examples include: ~ ! @ # $ % ^ *. 
+
+Satisfies:FMT_SMF.1(2)b 
+Reference:PP-MDM-431022&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-004066</ident><fixtext fixref="F-37522r614127_fix">Configure the UEM server to enforce password complexity by requiring that at least one special character be used.</fixtext><fix id="F-37522r614127_fix" /><check system="C-37557r614126_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server enforces password complexity by requiring that at least one special character be used.
+
+If the UEM server does not enforce password complexity by requiring that at least one special character be used, this is a finding.</check-content></check></Rule></Group><Group id="V-234373"><title>SRG-APP-000170</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234373r985754_rule" weight="10.0" severity="medium"><version>SRG-APP-000170-UEM-000100</version><title>The UEM server must require the change of at least 15 of the total number of characters when passwords are changed.</title><description>&lt;VulnDiscussion&gt;If the application allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for attempts at guessing and brute-force attacks.
+
+The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. In other words, characters may be the same within the two passwords; however, the positions of the like characters must be different.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-004066</ident><fixtext fixref="F-37523r614130_fix">Configure the UEM server to require the change of at least 15 of the total number of characters when passwords are changed.</fixtext><fix id="F-37523r614130_fix" /><check system="C-37558r614129_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server requires the change of at least 15 of the total number of characters when passwords are changed.
+
+If the UEM server does not require the change of at least 15 of the total number of characters when passwords are changed, this is a finding.</check-content></check></Rule></Group><Group id="V-234374"><title>SRG-APP-000171</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234374r985755_rule" weight="10.0" severity="medium"><version>SRG-APP-000171-UEM-000101</version><title>For UEM server using password authentication, the application must store only cryptographic representations of passwords.</title><description>&lt;VulnDiscussion&gt;Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read and easily compromised. Use of passwords for authentication is intended only for limited situations and should not be used as a replacement for two-factor CAC-enabled authentication. 
+
+Examples of situations where a user ID and password might be used include:
+
+- When the user does not use a common access card (CAC) and is not a current DOD employee, member of the military, or DOD contractor.
+- When a user has been officially designated as temporarily unable to present a CAC for some reason (lost, damaged, not yet issued, broken card reader) (i.e., Temporary Exception User) and to satisfy urgent organizational needs must be temporarily permitted to use user ID/password authentication until the problem with CAC use has been remedied.
+- When the application is publicly available and or hosting publicly releasable data requiring some degree of need-to-know protection.
+
+If the password is already encrypted and not a plaintext password, this meets this requirement. Implementation of this requirement requires configuration of FIPS-approved cipher block algorithm and block cipher modes for encryption. This method uses a one-way hashing encryption algorithm with a salt value to validate a user's password without having to store the actual password. Performance and time required to access are factors that must be considered, and the one-way hash is the most feasible means of securing the password and providing an acceptable measure of password security.
+
+Verifying the user knows a password is performed using a password verifier. In its simplest form, a password verifier is a computational function that is capable of creating a hash of a password and determining if the value provided by the user matches the hash. A more secure version of verifying a user knowing a password is to store the result of an iterating hash function and a large random salt value as follows:
+
+H0 = H(pwd, H(salt))
+Hn = H(Hn-1,H(salt))
+
+In the above, "n" is a cryptographically-strong random [*3] number. "Hn" is stored along with the salt. When the application wishes to verify that the user knows a password, it simply repeats the process and compares "Hn" with the stored "Hn". A salt is essentially a fixed-length cryptographically strong random value.
+
+Another method is using a keyed-hash message authentication code (HMAC). HMAC calculates a message authentication code via a cryptographic hash function used in conjunction with an encryption key. The key must be protected as with any private key.
+
+This requirement applies to all accounts including authentication server, AAA, and local account, including the root account and the account of last resort. 
+
+Satisfies:FMT_SMF.1(2)b 
+Reference:PP-MDM-431008&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-004062</ident><fixtext fixref="F-37524r614133_fix">For a UEM server using password authentication, configure the server to store only cryptographic representations of passwords.</fixtext><fix id="F-37524r614133_fix" /><check system="C-37559r614132_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>If the UEM server is using password authentication, verify the server stores only cryptographic representations of passwords.
+
+If the UEM server is using password authentication but does not store only cryptographic representations of passwords, this is a finding.</check-content></check></Rule></Group><Group id="V-234375"><title>SRG-APP-000172</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234375r961029_rule" weight="10.0" severity="high"><version>SRG-APP-000172-UEM-000102</version><title>For UEM server using password authentication, the network element must use FIPS-validated SHA-2 or later protocol to protect the integrity of the password authentication process.</title><description>&lt;VulnDiscussion&gt;Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.
+
+The information system must specify the hash algorithm used for authenticating passwords. Implementation of this requirement requires configuration of FIPS-approved cipher block algorithm and block cipher modes for encryption.
+
+Note: Although allowed by SP800-131Ar1 for some applications, SHA-1 is considered a compromised hashing standard and is being phased out of use by industry and government standards. Unless required for legacy use, DoD systems must not be configured to use SHA-1 for integrity of remote access sessions. 
+
+This requirement applies to all accounts, including authentication server; Authorization, Authentication, and Accounting (AAA); and local accounts such as the root account and the account of last resort.
+
+This requirement only applies to components where this is specific to the function of the device (e.g., TLS VPN or ALG). This does not apply to authentication for the purpose of configuring the device itself (management). 
+
+Satisfies:FIA_ENR_EXT.1.1, FCS_COP.1.1(2) Refinement&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000197</ident><fixtext fixref="F-37525r614136_fix">For a UEM server using password authentication, configure the network element to use FIPS-validated SHA-2 or later protocol to protect the integrity of the password authentication process.</fixtext><fix id="F-37525r614136_fix" /><check system="C-37560r614135_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>For UEM server using password authentication, verify the network element uses FIPS-validated SHA-2 or later protocol to protect the integrity of the password authentication process.
+
+If UEM server using password authentication but the network element does not use FIPS-validated SHA-2 or later protocol to protect the integrity of the password authentication process, this is a finding.</check-content></check></Rule></Group><Group id="V-234377"><title>SRG-APP-000174</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234377r985756_rule" weight="10.0" severity="medium"><version>SRG-APP-000174-UEM-000104</version><title>The UEM server must enforce a 60-day maximum password lifetime restriction.</title><description>&lt;VulnDiscussion&gt;Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed at specific intervals. 
+
+One method of minimizing this risk is to use complex passwords and periodically change them. If the application does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the system and/or application passwords could be compromised. 
+
+This requirement does not include emergency administration accounts, which are meant for access to the application in case of failure. These accounts are not required to have maximum password lifetime restrictions. 
+
+Satisfies:FMT_SMF.1(2)b 
+Reference:PP-MDM-431024&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-004066</ident><fixtext fixref="F-37527r614142_fix">Configure the UEM server to enforce a 60-day maximum password lifetime restriction.</fixtext><fix id="F-37527r614142_fix" /><check system="C-37562r614141_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server enforces a 60-day maximum password lifetime restriction.
+
+If the UEM server does not enforce a 60-day maximum password lifetime restriction, this is a finding.</check-content></check></Rule></Group><Group id="V-234378"><title>SRG-APP-000175</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234378r961038_rule" weight="10.0" severity="medium"><version>SRG-APP-000175-UEM-000105</version><title>When using PKI-based authentication for user access, the UEM server must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.</title><description>&lt;VulnDiscussion&gt;Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted. To meet this requirement, the information system must create trusted channels between itself and remote trusted authorized IT product (e.g., syslog server) entities that protect the confidentiality and integrity of communications. The information system must create trusted paths between itself and remote administrators and users that protect the confidentiality and integrity of communications.
+
+A trust anchor is an authoritative entity represented via a public key and associated data. It is most often used in the context of public key infrastructures, X.509 digital certificates, and DNSSEC. However, applications that do not use a trusted path are not approved for non-local and remote management of DoD information systems.
+
+Use of SSHv2 to establish a trusted channel is approved. Use of FTP, TELNET, HTTP, and SNMPV1 is not approved since they violate the trusted channel rule set. Use of web management tools that are not validated by common criteria my also violate trusted channel rule set.
+
+When there is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can be, for example, a Certification Authority (CA). A certification path starts with the subject certificate and proceeds through a number of intermediate certificates up to a trusted root certificate, typically issued by a trusted CA. 
+
+This requirement verifies that a certification path to an accepted trust anchor is used for certificate validation and that the path includes status information. Path validation is necessary for a relying party to make an informed trust decision when presented with any certificate not already explicitly trusted. Status information for certification paths includes certificate revocation lists or online certificate status protocol responses. Validation of the certificate status information is out of scope for this requirement. 
+
+Satisfies:FIA_X509_EXT.1.1(1), FIA_X509_EXT.2.1, FIA_X509_EXT.2.2&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000185</ident><fixtext fixref="F-37528r614145_fix">When using PKI-based authentication for user access, configure the UEM server to validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.</fixtext><fix id="F-37528r614145_fix" /><check system="C-37563r614144_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Requirement is Not Applicable when UEM server is configured to use DoD Central Directory Service for administrator account authentication.
+
+When using PKI-based authentication for user access, verify the UEM server validates certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
+
+If the UEM server uses PKI-based authentication for user access but does not validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor, this is a finding.</check-content></check></Rule></Group><Group id="V-234379"><title>SRG-APP-000175</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234379r961038_rule" weight="10.0" severity="medium"><version>SRG-APP-000175-UEM-000106</version><title>When the UEM server cannot establish a connection to determine the validity of a certificate, the server must be configured not to have the option to accept the certificate.</title><description>&lt;VulnDiscussion&gt;When an UEM server accepts an unverified certificate, it may be trusting a malicious actor. For example, messages signed with an invalid certificate may contain links to malware, which could lead to the installation or distribution of that malware on DoD information systems, leading to compromise of DoD sensitive information and other attacks. 
+
+Satisfies:FIA_X509_EXT.2.2 
+Reference:PP-MDM-412003&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000185</ident><fixtext fixref="F-37529r614148_fix">Configure the UEM server to not automatically accept a certificate when it cannot establish a connection to determine the validity of a certificate.</fixtext><fix id="F-37529r614148_fix" /><check system="C-37564r614147_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server does not automatically accept a certificate when it cannot establish a connection to determine the validity of a certificate.
+
+If the UEM server automatically accepts a certificate when it cannot establish a connection to determine the validity of a certificate, this is a finding.</check-content></check></Rule></Group><Group id="V-234380"><title>SRG-APP-000176</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234380r961041_rule" weight="10.0" severity="medium"><version>SRG-APP-000176-UEM-000107</version><title>The UEM server, when using PKI-based authentication, must enforce authorized access to the corresponding private key.</title><description>&lt;VulnDiscussion&gt;If the private key is discovered, an attacker can use the key to authenticate as an authorized user and gain access to the network infrastructure.
+
+The cornerstone of the PKI is the private key used to encrypt or digitally sign information. 
+
+If the private key is stolen, this will lead to the compromise of the authentication and non-repudiation gained through PKI because the attacker can use the private key to digitally sign documents and pretend to be the authorized user. 
+
+Both the holders of a digital certificate and the issuing authority must protect the computers, storage devices, or whatever they use to keep the private keys. 
+
+Satisfies:FIA_X509_EXT.1.1(1)&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000186</ident><fixtext fixref="F-37530r614151_fix">Configure the UEM server, when using PKI-based authentication, to enforce authorized access to the corresponding private key.</fixtext><fix id="F-37530r614151_fix" /><check system="C-37565r614150_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Requirement is Not Applicable when UEM server is configured to use DoD Central Directory Service for administrator account authentication.
+
+Verify the he UEM server, when using PKI-based authentication, enforces authorized access to the corresponding private key.
+
+If the UEM server, when using PKI-based authentication, does not enforce authorized access to the corresponding private key, this is a finding</check-content></check></Rule></Group><Group id="V-234381"><title>SRG-APP-000177</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234381r961044_rule" weight="10.0" severity="medium"><version>SRG-APP-000177-UEM-000108</version><title>The UEM server must map the authenticated identity to the individual user or group account for PKI-based authentication.</title><description>&lt;VulnDiscussion&gt;Without mapping the certificate used to authenticate to the user account, the ability to determine the identity of the individual user or group will not be available for forensic analysis. 
+
+Satisfies: FIA 
+Reference:PP-MDM-414003&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000187</ident><fixtext fixref="F-37531r614154_fix">Configure the UEM server to map the authenticated identity to the individual user or group account for PKI-based authentication.</fixtext><fix id="F-37531r614154_fix" /><check system="C-37566r614153_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Requirement is Not Applicable when UEM server is configured to use DoD Central Directory Service for administrator account authentication.
+
+Verify the UEM server maps the authenticated identity to the individual user or group account for PKI-based authentication.
+
+If the UEM server does not map the authenticated identity to the individual user or group account for PKI-based authentication, this is a finding.</check-content></check></Rule></Group><Group id="V-234382"><title>SRG-APP-000178</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234382r961047_rule" weight="10.0" severity="medium"><version>SRG-APP-000178-UEM-000109</version><title>The UEM server must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.</title><description>&lt;VulnDiscussion&gt;To prevent the compromise of authentication information such as passwords during the authentication process, the feedback from the information system must not provide any information that would allow an unauthorized user to compromise the authentication mechanism. 
+
+Obfuscation of user-provided information when typed into the system is a method used in addressing this risk. 
+
+For example, displaying asterisks when a user types in a password is an example of obscuring feedback of authentication information. 
+
+Satisfies:FMT_SMF.1(2)b 
+Reference:PP-MDM-431026&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000206</ident><fixtext fixref="F-37532r614157_fix">Configure the UEM server to obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.</fixtext><fix id="F-37532r614157_fix" /><check system="C-37567r614156_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
+
+If the UEM server does not obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals, this is a finding.</check-content></check></Rule></Group><Group id="V-234383"><title>SRG-APP-000179</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234383r961050_rule" weight="10.0" severity="high"><version>SRG-APP-000179-UEM-000110</version><title>The UEM server must use FIPS-validated SHA-2 or higher hash function to protect the integrity of keyed-hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, and hash-only applications.</title><description>&lt;VulnDiscussion&gt;Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
+
+Nonlocal maintenance and diagnostic activities are activities conducted by individuals communicating through either an external network (e.g., the internet) or an internal network. 
+
+Note: Although allowed by SP800-131Ar1 for some applications, SHA-1 is considered a compromised hashing standard and is being phased out of use by industry and government standards. Unless required for legacy use, DoD systems should not be configured to use SHA-1 for integrity of remote access sessions. 
+
+To protect the integrity of the authenticator and authentication mechanism used for the cryptographic module used by the network device, the application, operating system, or protocol must be configured to use one of the following hash functions for hashing the password or other authenticator in accordance with SP 800-131Ar1: SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256, SHA3-224, SHA3-256, SHA3-384, and SHA3-512.
+
+Applications also include HMAC, KDFs, Random Bit Generation, and hash-only applications (e.g., hashing passwords and use for compute a checksum). For digital signature verification, SP800-131Ar1 allows SHA-1 for legacy use only, but this is discouraged by DoD.
+
+Separate requirements for configuring applications and protocols used by each product (e.g., SNMPv3, SSH, NTP, and other protocols and applications that require server/client authentication) are required to implement this requirement. 
+
+Satisfies:FCS_COP.1.1(2)&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000803</ident><fixtext fixref="F-37533r614160_fix">Configure the UEM server to use FIPS-validated SHA-2 or higher hash function to protect the integrity of keyed-hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, and hash-only applications.</fixtext><fix id="F-37533r614160_fix" /><check system="C-37568r614159_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server uses FIPS-validated SHA-2 or higher hash function to protect the integrity of keyed-hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, and hash-only applications.
+
+If the UEM server does not use FIPS-validated SHA-2 or higher hash function to protect the integrity of keyed-hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, and hash-only applications, this is a finding.</check-content></check></Rule></Group><Group id="V-234390"><title>SRG-APP-000191</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234390r1035567_rule" weight="10.0" severity="medium"><version>SRG-APP-000191-UEM-000117</version><title>The UEM server must be configured to provide a trusted communication channel between itself and authorized IT entities using [selection:
+-IPsec,
+-SSH,
+-mutually authenticated TLS, 
+-mutually authenticated DTLS, 
+-HTTPS].</title><description>&lt;VulnDiscussion&gt;Examples of authorized IT entities: audit server, Active Directory, software update server, and database server.
+
+Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session.
+
+Nonlocal maintenance and diagnostic activities are activities conducted by individuals communicating through either an external network (e.g., the internet) or an internal network. 
+
+Satisfies: FTP_ITC.1.1(1) Refinement 
+Reference: PP-MDM-412062&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-004750</ident><fixtext fixref="F-37540r614181_fix">Configure the UEM server to provide a trusted communication channel between itself and authorized IT entities using [selection:
+-IPsec,
+-SSH,
+-mutually authenticated TLS, 
+-mutually authenticated DTLS, 
+-HTTPS].</fixtext><fix id="F-37540r614181_fix" /><check system="C-37575r614180_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server provides a trusted communication channel between itself and authorized IT entities using [selection:
+-IPsec,
+-SSH,
+-mutually authenticated TLS, 
+-mutually authenticated DTLS, 
+-HTTPS].
+
+If the UEM server does not provide a trusted communication channel between itself and authorized IT entities using [selection:
+-IPsec,
+-SSH,
+-mutually authenticated TLS, 
+-mutually authenticated DTLS, 
+-HTTPS], this is a finding.</check-content></check></Rule></Group><Group id="V-234391"><title>SRG-APP-000191</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234391r1035568_rule" weight="10.0" severity="medium"><version>SRG-APP-000191-UEM-000118</version><title>The UEM server must be configured to invoke either host-OS functionality or server functionality to provide a trusted communication channel between itself and remote administrators that provides assured identification of its endpoints and protection of the communicated data from modification and disclosure using [selection: 
+-IPsec, 
+-SSH, 
+-TLS, 
+-HTTPS].</title><description>&lt;VulnDiscussion&gt;Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session.
+
+Nonlocal maintenance and diagnostic activities are activities conducted by individuals communicating through either an external network (e.g., the internet) or an internal network. 
+
+Satisfies: FTP_TRP.1.1(1) Refinement&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-004750</ident><fixtext fixref="F-37541r1001237_fix">Configure the UEM server to invoke either host-OS functionality or server functionality to provide a trusted communication channel between itself and remote administrators that provides assured identification of its endpoints and protection of the communicated data from modification and disclosure using [selection:
+-IPsec,
+-SSH,
+-TLS, 
+-HTTPS].</fixtext><fix id="F-37541r1001237_fix" /><check system="C-37576r614183_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server invokes either host-OS functionality or server functionality to provide a trusted communication channel between itself and remote administrators that provides assured identification of its endpoints and protection of the communicated data from modification and disclosure using [selection:
+-IPsec,
+-SSH,
+-TLS, 
+-HTTPS].
+
+If the UEM server does not invoke either host-OS functionality or server functionality to provide a trusted communication channel between itself and remote administrators that provides assured identification of its endpoints and protection of the communicated data from modification and disclosure using [selection:
+-IPsec,
+-SSH,
+-TLS, 
+-HTTPS], this is a finding.</check-content></check></Rule></Group><Group id="V-234392"><title>SRG-APP-000191</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234392r1035569_rule" weight="10.0" severity="medium"><version>SRG-APP-000191-UEM-000119</version><title>The UEM server must be configured to invoke either host-OS functionality or server functionality to provide a trusted communication channel between itself and managed devices that provides assured identification of its endpoints and protection of the communicated data from modification and disclosure using [selection: 
+-TLS, 
+-HTTPS].</title><description>&lt;VulnDiscussion&gt;Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session.
+
+Nonlocal maintenance and diagnostic activities are activities conducted by individuals communicating through either an external network (e.g., the internet) or an internal network. 
+
+Satisfies: FTP_TRP.1.1(2) Refinement&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-004750</ident><fixtext fixref="F-37542r1001239_fix">Configure the UEM server to invoke either host-OS functionality or server functionality to provide a trusted communication channel between itself and managed devices that provides assured identification of its endpoints and protection of the communicated data from modification and disclosure using [selection:
+-TLS, 
+-HTTPS].</fixtext><fix id="F-37542r1001239_fix" /><check system="C-37577r614186_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server invokes either host-OS functionality or server functionality to provide a trusted communication channel between itself and managed devices that provides assured identification of its endpoints and protection of the communicated data from modification and disclosure using [selection:
+-TLS, 
+-HTTPS].
+
+If the UEM server does not invoke either host-OS functionality or server functionality to provide a trusted communication channel between itself and managed devices that provides assured identification of its endpoints and protection of the communicated data from modification and disclosure using [selection:
+-TLS, 
+-HTTPS], this is a finding.</check-content></check></Rule></Group><Group id="V-234405"><title>SRG-APP-000219</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234405r961110_rule" weight="10.0" severity="medium"><version>SRG-APP-000219-UEM-000132</version><title>The UEM server must protect the authenticity of communications sessions.</title><description>&lt;VulnDiscussion&gt;Authenticity protection provides protection against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions.
+
+Application communication sessions are protected utilizing transport encryption protocols, such as TLS. TLS provides web applications with a means to be able to authenticate user sessions and encrypt application traffic. Session authentication can be single (one-way) or mutual (two-way) in nature. Single authentication authenticates the server for the client, whereas mutual authentication provides a means for both the client and the server to authenticate each other. 
+
+This requirement applies to applications that utilize communications sessions. This includes, but is not limited to, web-based applications and Service-Oriented Architectures (SOA). 
+
+This requirement addresses communications protection at the application session, versus the network packet, and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted. Depending on the required degree of confidentiality and integrity, web services/SOA will require the use of TLS mutual authentication (two-way/bidirectional). 
+
+Satisfies:FIA_ENR_EXT.1.1, FTP_TRP.1.1(2), FTP_TRP.1.1(1)&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001184</ident><fixtext fixref="F-37555r614226_fix">Configure the UEM server to protect the authenticity of communications sessions.</fixtext><fix id="F-37555r614226_fix" /><check system="C-37590r614225_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server protects the authenticity of communications sessions.
+
+If the UEM server does not protect the authenticity of communications sessions, this is a finding.</check-content></check></Rule></Group><Group id="V-234406"><title>SRG-APP-000220</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234406r961113_rule" weight="10.0" severity="medium"><version>SRG-APP-000220-UEM-000133</version><title>The UEM server must invalidate session identifiers upon user logout or other session termination.</title><description>&lt;VulnDiscussion&gt;Captured sessions can be reused in "replay" attacks. This requirement limits the ability of adversaries from capturing and continuing to employ previously valid session IDs.
+
+This requirement focuses on communications protection for the application session rather than for the network packet. This requirement applies to applications that utilize communications sessions. This includes, but is not limited to, web-based applications and Service-Oriented Architectures (SOA). 
+
+Session IDs are tokens generated by web applications to uniquely identify an application user's session. Applications will make application decisions and execute business logic based on the session ID. Unique session identifiers or IDs are the opposite of sequentially generated session IDs, which can be easily guessed by an attacker. Unique session IDs help to reduce predictability of said identifiers. When a user logs out, or when any other session termination event occurs, the application must terminate the user session to minimize the potential for an attacker to hijack that particular user session.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001185</ident><fixtext fixref="F-37556r614229_fix">Configure the UEM server to invalidate session identifiers upon user logout or other session termination.</fixtext><fix id="F-37556r614229_fix" /><check system="C-37591r614228_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server invalidates session identifiers upon user logout or other session termination.
+
+If the UEM server does not invalidate session identifiers upon user logout or other session termination, this is a finding.</check-content></check></Rule></Group><Group id="V-234407"><title>SRG-APP-000223</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234407r961116_rule" weight="10.0" severity="medium"><version>SRG-APP-000223-UEM-000134</version><title>The UEM server must recognize only system-generated session identifiers.</title><description>&lt;VulnDiscussion&gt;Applications utilize sessions and session identifiers to control application behavior and user access. If an attacker can guess the session identifier, or can inject or manually insert session information, the session may be compromised.
+
+Unique session IDs address man-in-the-middle attacks, including session hijacking or insertion of false information into a session. If the attacker is unable to identify or guess the session information related to pending application traffic, they will have more difficulty in hijacking the session or otherwise manipulating valid sessions.
+
+This requirement focuses on communications protection for the application session rather than for the network packet. This requirement applies to applications that utilize communications sessions. This includes, but is not limited to, web-based applications and Service-Oriented Architectures (SOA).&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001664</ident><fixtext fixref="F-37557r614232_fix">Configure the UEM server to recognize only system-generated session identifiers.</fixtext><fix id="F-37557r614232_fix" /><check system="C-37592r614231_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server recognizes only system-generated session identifiers.
+
+If the UEM server does not recognize only system-generated session identifiers, this is a finding.</check-content></check></Rule></Group><Group id="V-234408"><title>SRG-APP-000224</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234408r961119_rule" weight="10.0" severity="high"><version>SRG-APP-000224-UEM-000135</version><title>The UEM server must generate unique session identifiers using a FIPS-validated Random Number Generator (RNG) based on the Deterministic Random Bit Generators (DRBG) algorithm.</title><description>&lt;VulnDiscussion&gt;Sequentially generated session IDs can be easily guessed by an attacker. Employing the concept of randomness in the generation of unique session identifiers helps to protect against brute-force attacks to determine future session identifiers.
+
+Unique session IDs address man-in-the-middle attacks, including session hijacking or insertion of false information into a session. If the attacker is unable to identify or guess the session information related to pending application traffic, they will have more difficulty in hijacking the session or otherwise manipulating valid sessions. 
+
+The DRBGs Hash_DRBG, HMAC_DRBG, and CTR_DRBG are recommended for use with RNGs. 
+
+This requirement is applicable to devices that use a web interface for device management. 
+
+Satisfies:FCS_RBG_EXT.1.1, FIA_UAU.1.1, FIA_UAU.1.2&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001188</ident><fixtext fixref="F-37558r614235_fix">Configure the UEM server to generate unique session identifiers using a FIPS-validated RNG based on the DRBG algorithm.</fixtext><fix id="F-37558r614235_fix" /><check system="C-37593r614234_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server generates unique session identifiers using a FIPS-validated RNG based on the DRBG algorithm.
+
+If the UEM server does not generate unique session identifiers using a FIPS-validated RNG based on the DRBG algorithm, this is a finding.</check-content></check></Rule></Group><Group id="V-234409"><title>SRG-APP-000225</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234409r961122_rule" weight="10.0" severity="medium"><version>SRG-APP-000225-UEM-000136</version><title>The UEM server must fail to a secure state if system initialization fails, shutdown fails, or aborts fail.</title><description>&lt;VulnDiscussion&gt;Failure to a known safe state helps prevent systems from failing to a state that may cause loss of data or unauthorized access to system resources. Applications or systems that fail suddenly and with no incorporated failure state planning may leave the hosting system available but with a reduced security protection capability. Preserving information system state information also facilitates system restart and return to the operational mode of the organization with less disruption of mission-essential processes. 
+
+In general, application security mechanisms should be designed so that a failure will follow the same execution path as disallowing the operation. For example, security methods, such as isAuthorized(), isAuthenticated(), and validate(), should all return false if there is an exception during processing. If security controls can throw exceptions, they must be very clear about exactly what that condition means. 
+
+Abort refers to stopping a program or function before it has finished naturally. The term abort refers to both requested and unexpected terminations. 
+
+Satisfies:FPT_TST_EXT.1.2&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001190</ident><fixtext fixref="F-37559r614238_fix">Configure the UEM server to fail to a secure state if system initialization fails, shutdown fails, or aborts fail.</fixtext><fix id="F-37559r614238_fix" /><check system="C-37594r614237_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server fails to a secure state if system initialization fails, shutdown fails, or aborts fail.
+
+If the UEM server does not fail to a secure state if system initialization fails, shutdown fails, or aborts fail, this is a finding.</check-content></check></Rule></Group><Group id="V-234410"><title>SRG-APP-000226</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234410r961125_rule" weight="10.0" severity="medium"><version>SRG-APP-000226-UEM-000137</version><title>In the event of a system failure, the UEM server must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes.</title><description>&lt;VulnDiscussion&gt;Failure to a known state can address safety or security in accordance with the mission/business needs of the organization. Failure to a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system. Preserving application state information helps to facilitate application restart and return to the operational mode of the organization with less disruption to mission-essential processes. 
+
+Satisfies:FAU_GEN.1.1(1)&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001665</ident><fixtext fixref="F-37560r617413_fix">Configure the UEM server to preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes, in the event of a system failure.</fixtext><fix id="F-37560r617413_fix" /><check system="C-37595r614240_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server preserves any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes, in the event of a system failure.
+
+If the UEM server does not preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes, in the event of a system failure, this is a finding.</check-content></check></Rule></Group><Group id="V-234421"><title>SRG-APP-000251</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234421r961158_rule" weight="10.0" severity="medium"><version>SRG-APP-000251-UEM-000148</version><title>The UEM server must check the validity of all data inputs.</title><description>&lt;VulnDiscussion&gt;Invalid user input occurs when a user inserts data or characters into an application's data entry fields and the application is unprepared to process that data. This results in unanticipated application behavior, potentially leading to an application or information system compromise. Invalid input is one of the primary methods employed when attempting to compromise an application. 
+
+Checking the valid syntax and semantics of information system inputs (e.g., character set, length, numerical range, and acceptable values) verifies that inputs match specified definitions for format and content. Software applications typically follow well-defined protocols that use structured messages (i.e., commands or queries) to communicate between software modules or system components. Structured messages can contain raw or unstructured data interspersed with metadata or control information. If software applications use attacker-supplied inputs to construct structured messages without properly encoding such messages, then the attacker could insert malicious commands or special characters that can cause the data to be interpreted as control information or metadata. Consequently, the module or component that receives the tainted output will perform the wrong operations or otherwise interpret the data incorrectly. Prescreening inputs prior to passing to interpreters prevents the content from being unintentionally interpreted as commands. Input validation helps to ensure accurate and correct inputs and prevent attacks such as cross-site scripting and a variety of injection attacks.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001310</ident><fixtext fixref="F-37571r614274_fix">Configure the UEM server to check the validity of all data inputs.</fixtext><fix id="F-37571r614274_fix" /><check system="C-37606r617398_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server checks the validity of all data inputs.
+
+If the UEM server does not check the validity of all data inputs, this is a finding.</check-content></check></Rule></Group><Group id="V-234424"><title>SRG-APP-000266</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234424r961167_rule" weight="10.0" severity="medium"><version>SRG-APP-000266-UEM-000151</version><title>The UEM server must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.</title><description>&lt;VulnDiscussion&gt;Any application providing too much information in error messages risks compromising the data and security of the application and system. The structure and content of error messages needs to be carefully considered by the organization and development team. 
+
+Organizations carefully consider the structure/content of error messages. The extent to which information systems are able to identify and handle error conditions is guided by organizational policy and operational requirements. Information that could be exploited by adversaries includes, for example, erroneous logon attempts with passwords entered by mistake as the username, mission/business information that can be derived from (if not stated explicitly by) information recorded, and personal information, such as account numbers, social security numbers, and credit card numbers. 
+
+Satisfies:FAU_ALT_EXT.1.1, FPT_TST_EXT.1, FAU_GEN.1.2(1), FIA_UAU.1.2, FMT_SMR.1.1(1)&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001312</ident><fixtext fixref="F-37574r614283_fix">Configure the UEM server to generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.</fixtext><fix id="F-37574r614283_fix" /><check system="C-37609r614282_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.
+
+If the UEM server does not generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries, this is a finding.</check-content></check></Rule></Group><Group id="V-234425"><title>SRG-APP-000267</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234425r961170_rule" weight="10.0" severity="medium"><version>SRG-APP-000267-UEM-000152</version><title>The UEM server must reveal error messages only to the Information System Security Manager (ISSM) and Information System Security Officer (ISSO).</title><description>&lt;VulnDiscussion&gt;Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the application. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.
+
+The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. 
+
+Satisfies:FPT_TST_EXT.1, FAU_GEN.1.2(1), FIA_UAU.1.2, FMT_SMR.1.1(1)&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001314</ident><fixtext fixref="F-37575r614286_fix">Configure the UEM server to reveal error messages only to the ISSM and ISSO.</fixtext><fix id="F-37575r614286_fix" /><check system="C-37610r614285_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server reveals error messages only to the ISSM and ISSO.
+
+If the UEM server does not reveal error messages only to the ISSM and ISSO, this is a finding.</check-content></check></Rule></Group><Group id="V-234430"><title>SRG-APP-000275</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234430r961185_rule" weight="10.0" severity="medium"><version>SRG-APP-000275-UEM-000157</version><title>The application must notify the Information System Security Manager (ISSM) and Information System Security Officer (ISSO) of failed security verification tests.</title><description>&lt;VulnDiscussion&gt;If personnel are not notified of failed security verification tests, they will not be able to take corrective action and the unsecure condition(s) will remain. 
+
+Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.
+
+Notifications provided by information systems include messages to local computer consoles, and/or hardware indications, such as lights.
+
+This requirement applies to applications performing security functions and the applications performing security function verification/testing. 
+
+Satisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 
+Reference:PP-MDM-411065, PP-MDM-412000&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001294</ident><fixtext fixref="F-37580r614301_fix">Configure the UEM server to notify the ISSO and ISSM of failed security verification tests.</fixtext><fix id="F-37580r614301_fix" /><check system="C-37615r614300_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server notifies the ISSO and ISSM of failed security verification tests.
+
+If the UEM server does not notify the ISSO and ISSM of failed security verification tests, this is a finding.</check-content></check></Rule></Group><Group id="V-234438"><title>SRG-APP-000291</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234438r985759_rule" weight="10.0" severity="medium"><version>SRG-APP-000291-UEM-000165</version><title>The UEM server must notify system administrators (SAs) and the information system security officer (ISSO) when accounts are created.</title><description>&lt;VulnDiscussion&gt;Once an attacker establishes access to an application, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply create a new account. Sending notification of account creation events to the SA and ISSO is one method for mitigating this risk.
+
+To address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality. 
+
+Satisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 
+Reference:PP-MDM-411065, PP-MDM-412000&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000015</ident><fixtext fixref="F-37588r985704_fix">Configure the UEM server to notify SA and the ISSO when accounts are created.</fixtext><fix id="F-37588r985704_fix" /><check system="C-37623r985703_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Requirement is Not Applicable when UEM server is configured to use DOD Central Directory Service for administrator account authentication.
+
+Verify the UEM server notify SAs and ISSO when accounts are created.
+
+If the UEM server does not notify SAs and the ISSO when accounts are created, this is a finding.</check-content></check></Rule></Group><Group id="V-234439"><title>SRG-APP-000292</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234439r985760_rule" weight="10.0" severity="medium"><version>SRG-APP-000292-UEM-000166</version><title>The UEM server must notify system administrators (SAs) and the information system security officer (ISSO) when accounts are modified.</title><description>&lt;VulnDiscussion&gt;When application accounts are modified, user accessibility is affected. Accounts are utilized for identifying individual users or for identifying the application processes themselves. Sending notification of account modification events to the SA and ISSO is one method for mitigating this risk. Such a capability greatly reduces the risk that application accessibility will be negatively affected for extended periods of time and also provides logging that can be used for forensic purposes.
+
+To address access requirements, many operating systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. 
+
+Satisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 
+Reference:PP-MDM-411065, PP-MDM-412000&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000015</ident><fixtext fixref="F-37589r985707_fix">Configure the UEM server to notify SAs and the ISSO when accounts are modified.</fixtext><fix id="F-37589r985707_fix" /><check system="C-37624r985706_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Requirement is Not Applicable when UEM server is configured to use DOD Central Directory Service for administrator account authentication.
+
+Verify the UEM server notifies SAs and the ISSO when accounts are modified.
+
+If the UEM server does not notify SAs and the ISSO when accounts are modified, this is a finding.</check-content></check></Rule></Group><Group id="V-234440"><title>SRG-APP-000293</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234440r985761_rule" weight="10.0" severity="medium"><version>SRG-APP-000293-UEM-000167</version><title>The UEM server must notify system administrators (SAs) and the information system security officer (ISSO) for account disabling actions.</title><description>&lt;VulnDiscussion&gt;When application accounts are disabled, user accessibility is affected. Accounts are utilized for identifying individual users or for identifying the application processes themselves. Sending notification of account disabling events to the SA and ISSO is one method for mitigating this risk. Such a capability greatly reduces the risk that application accessibility will be negatively affected for extended periods of time and also provides logging that can be used for forensic purposes.
+
+To address access requirements, many operating systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. 
+
+Satisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 
+Reference:PP-MDM-411065, PP-MDM-412000&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000015</ident><fixtext fixref="F-37590r985710_fix">Configure the UEM server to notify SAs and the ISSO for account disabling actions.</fixtext><fix id="F-37590r985710_fix" /><check system="C-37625r985709_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Requirement is Not Applicable when UEM server is configured to use DOD Central Directory Service for administrator account authentication.
+
+Verify the UEM server notifies SAs and the ISSO for account disabling actions.
+
+If the UEM server does not notify SAs and the ISSO for account disabling actions, this is a finding.</check-content></check></Rule></Group><Group id="V-234441"><title>SRG-APP-000294</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234441r985762_rule" weight="10.0" severity="medium"><version>SRG-APP-000294-UEM-000168</version><title>The UEM server must notify system administrators (SAs) and the information system security officer (ISSO) for account removal actions.</title><description>&lt;VulnDiscussion&gt;When application accounts are removed, user accessibility is affected. Accounts are utilized for identifying users or for identifying the application processes themselves. Sending notification of account removal events to the SA and ISSO is one method for mitigating this risk. Such a capability greatly reduces the risk that application accessibility will be negatively affected for extended periods of time and also provides logging that can be used for forensic purposes.
+
+To address access requirements, many operating systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. 
+
+Satisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 
+Reference:PP-MDM-411065, PP-MDM-412000&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000015</ident><fixtext fixref="F-37591r985713_fix">Configure the UEM server to notify SAs and the ISSO for account removal actions.</fixtext><fix id="F-37591r985713_fix" /><check system="C-37626r985712_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Requirement is Not Applicable when UEM server is configured to use DOD Central Directory Service for administrator account authentication.
+
+Verify the UEM server notifies SAs and the ISSO for account removal actions.
+
+If the UEM server does not notify SAs and the ISSO for account removal actions, this is a finding.</check-content></check></Rule></Group><Group id="V-234442"><title>SRG-APP-000295</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234442r961221_rule" weight="10.0" severity="medium"><version>SRG-APP-000295-UEM-000169</version><title>The UEM server must automatically terminate a user session after an organization-defined period of user inactivity.</title><description>&lt;VulnDiscussion&gt;Automatic session termination addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions (i.e., network disconnect). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational information system. Such user sessions can be terminated (and thus terminate user access) without terminating network sessions.
+
+Session termination terminates all processes associated with a user's logical session except those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. 
+
+Conditions or trigger events requiring automatic session termination can include, for example, organization-defined periods of user inactivity, targeted responses to certain types of incidents, and time-of-day restrictions on information system use.
+
+This capability is typically reserved for specific application system functionality where the system owner, data owner, or organization requires additional assurance. Based upon requirements and events specified by the data or application owner, the application developer must incorporate logic into the application that will provide a control mechanism that disconnects users upon the defined event trigger. The methods for incorporating this requirement will be determined and specified on a case-by-case basis during the application design and development stages. 
+
+Satisfies:FMT_SMF.1.1(2) b 
+Reference:PP-MDM-431014&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-002361</ident><fixtext fixref="F-37592r614337_fix">Configure the UEM server to automatically terminate a user session after an organization-defined period of user inactivity.</fixtext><fix id="F-37592r614337_fix" /><check system="C-37627r614336_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server automatically terminates a user session after an organization-defined period of user inactivity.
+
+If the UEM server does not automatically terminate a user session after an organization-defined period of user inactivity, this is a finding.</check-content></check></Rule></Group><Group id="V-234443"><title>SRG-APP-000296</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234443r961224_rule" weight="10.0" severity="medium"><version>SRG-APP-000296-UEM-000170</version><title>The UEM server must provide logout capability for user-initiated communication sessions.</title><description>&lt;VulnDiscussion&gt;If a user cannot explicitly end an application session, the session may remain open and be exploited by an attacker; this is referred to as a zombie session.
+
+Information resources to which users gain access via authentication include, for example, local workstations, databases, and password-protected websites/web-based services. However, for some types of interactive sessions including, for example, file transfer protocol (FTP) sessions, information systems typically send logout messages as final messages prior to terminating sessions. 
+
+Satisfies:FMT_SMF.1.1(2) b 
+Reference:PP-MDM-431015&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-002363</ident><fixtext fixref="F-37593r614340_fix">Configure the UEM server to provide a logout capability for user-initiated communication sessions.</fixtext><fix id="F-37593r614340_fix" /><check system="C-37628r614339_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server provides a logout capability for user-initiated communication sessions.
+
+If the UEM server does not provide a logout capability for user-initiated communication sessions, this is a finding.</check-content></check></Rule></Group><Group id="V-234444"><title>SRG-APP-000297</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234444r961227_rule" weight="10.0" severity="medium"><version>SRG-APP-000297-UEM-000171</version><title>The UEM server must display an explicit logout message to users indicating the reliable termination of authenticated communications sessions.</title><description>&lt;VulnDiscussion&gt;If a user cannot explicitly end an application session, the session may remain open and be exploited by an attacker; this is referred to as a zombie session. Users need to be aware of whether or not the session has been terminated.
+
+Information resources to which users gain access via authentication include, for example, local workstations, databases, and password-protected websites/web-based services. Logout messages for web page access, for example, can be displayed after authenticated sessions have been terminated. However, for some types of interactive sessions including, for example, file transfer protocol (FTP) sessions, information systems typically send logout messages as final messages prior to terminating sessions.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-002364</ident><fixtext fixref="F-37594r614343_fix">Configure the UEM server to display an explicit logout message to users indicating the reliable termination of authenticated communications sessions.</fixtext><fix id="F-37594r614343_fix" /><check system="C-37629r614342_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server displays an explicit logout message to users indicating the reliable termination of authenticated communications sessions.
+
+If the UEM server does not display an explicit logout message to users indicating the reliable termination of authenticated communications sessions, this is a finding.</check-content></check></Rule></Group><Group id="V-234465"><title>SRG-APP-000319</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234465r961290_rule" weight="10.0" severity="medium"><version>SRG-APP-000319-UEM-000192</version><title>The UEM server must automatically audit account-enabling actions.</title><description>&lt;VulnDiscussion&gt;Once an attacker establishes access to an application, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply enable a new or disabled account. Automatically auditing account enabling actions provides logging that can be used for forensic purposes.
+
+To address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality. 
+
+Satisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 
+Reference:PP-MDM-411065, PP-MDM-412000&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-002130</ident><fixtext fixref="F-37615r614406_fix">Configure the UEM server to automatically audit account enabling actions.</fixtext><fix id="F-37615r614406_fix" /><check system="C-37650r614405_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Requirement is Not Applicable when the UEM server is configured to use DoD Central Directory Service for administrator account authentication.
+
+Verify the UEM server automatically audits account enabling actions.
+
+If the UEM server does not automatically audit account enabling actions, this is a finding.</check-content></check></Rule></Group><Group id="V-234466"><title>SRG-APP-000320</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234466r985764_rule" weight="10.0" severity="medium"><version>SRG-APP-000320-UEM-000193</version><title>The UEM server must notify system administrator (SA) and information system security officer (ISSO) of account enabling actions.</title><description>&lt;VulnDiscussion&gt;Once an attacker establishes access to an application, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply enable a new or disabled account. Sending notification of account enabling events to the SA and ISSO is one method for mitigating this risk. Such a capability greatly reduces the risk that application accessibility will be negatively affected for extended periods of time and also provides logging that can be used for forensic purposes.
+
+In order to detect and respond to events that affect user accessibility and application processing, applications must notify the appropriate individuals so they can investigate the event.
+
+To address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality. 
+
+Satisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 
+Reference:PP-MDM-411065, PP-MDM-412000&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000015</ident><fixtext fixref="F-37616r985717_fix">Configure the UEM server to notify SA and the ISSO of account enabling actions.</fixtext><fix id="F-37616r985717_fix" /><check system="C-37651r985716_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Requirement is Not Applicable when the UEM server is configured to use DOD Central Directory Service for administrator account authentication.
+
+Verify the UEM server notifies the SA and the ISSO of account enabling actions.
+
+If the UEM server does not notify the SA and the ISSO of account enabling actions, this is a finding.</check-content></check></Rule></Group><Group id="V-234475"><title>SRG-APP-000329</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234475r1035570_rule" weight="10.0" severity="medium"><version>SRG-APP-000329-UEM-000202</version><title>The UEM server must be configured to have at least one user in defined administrator roles.</title><description>&lt;VulnDiscussion&gt;Having several administrative roles for the UEM server supports separation of duties. This allows administrator-level privileges to be granted granularly, such as giving application management privileges to one group and security policy privileges to another group. This helps prevent administrators from intentionally or inadvertently altering other settings and configurations of which they may not understand or approve, which can weaken overall security and increase the risk of compromise.
+
+Defined roles:
+- Server primary administrator: Responsible for server installation, initial configuration, and maintenance functions. Responsible for the setup and maintenance of security configuration administrator and auditor accounts. Responsible for the maintenance of applications in the MAS.
+- Security configuration administrator: Responsible for security configuration of the server, defining device user groups, setup and maintenance of device user group administrator accounts, and defining privileges of device user group administrators.
+- Device user group administrator: Responsible for maintenance of mobile device accounts, including setup, change of account configurations, and account deletion. Responsible for defining which apps user groups or individual users have access to in the MAS. Can only perform administrative functions assigned by the security configuration administrator.
+- Auditor: Responsible for reviewing and maintaining server and mobile device audit logs. 
+
+Satisfies: FMT_SMR.1.1(1) 
+Reference: PP-MDM-411058&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-37625r615069_fix">Configure the UEM server to have at least one user in defined administrator roles.</fixtext><fix id="F-37625r615069_fix" /><check system="C-37660r615068_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server has at least one user in defined administrator roles.
+
+If the UEM server does not have at least one user in defined administrator roles, this is a finding.</check-content></check></Rule></Group><Group id="V-234489"><title>SRG-APP-000343</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234489r961362_rule" weight="10.0" severity="medium"><version>SRG-APP-000343-UEM-000216</version><title>The UEM server must audit the execution of privileged functions.</title><description>&lt;VulnDiscussion&gt;Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse, and identify the risk from insider threats and the advanced persistent threat. 
+
+Satisfies:FAU_GEN.1.1(1), b.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-002234</ident><fixtext fixref="F-37639r615111_fix">Configure the UEM server to audit the execution of privileged functions.</fixtext><fix id="F-37639r615111_fix" /><check system="C-37674r615110_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server audits the execution of privileged functions.
+
+If the UEM server does not audit the execution of privileged functions, this is a finding.</check-content></check></Rule></Group><Group id="V-234491"><title>SRG-APP-000345</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234491r961368_rule" weight="10.0" severity="medium"><version>SRG-APP-000345-UEM-000218</version><title>The UEM server must automatically lock the account until the locked account is released by an administrator when three unsuccessful login attempts in 15 minutes are exceeded.</title><description>&lt;VulnDiscussion&gt;By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account. 
+
+Satisfies:FMT_SMF.1(2)b 
+Reference:PP-MDM-431030&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-002238</ident><fixtext fixref="F-37641r615117_fix">Configure the UEM server to automatically lock the account until the locked account is released by an administrator when three unsuccessful login attempts in 15 minutes are exceeded.</fixtext><fix id="F-37641r615117_fix" /><check system="C-37676r851554_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Requirement is Not Applicable when UEM server is configured to use DoD Central Directory Service for administrator account authentication.
+
+Verify the UEM server automatically locks the account until the locked account is released by an administrator when three unsuccessful login attempts in 15 minutes are exceeded.
+
+If the UEM server does not automatically lock the account until the locked account is released by an administrator when three unsuccessful login attempts in 15 minutes are exceeded, this is a finding.</check-content></check></Rule></Group><Group id="V-234500"><title>SRG-APP-000358</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234500r961395_rule" weight="10.0" severity="medium"><version>SRG-APP-000358-UEM-000228</version><title>The UEM server must be configured to transfer UEM server logs to another server for storage, analysis, and reporting. Note: UEM server logs include logs of UEM events and logs transferred to the UEM server by UEM agents of managed devices.</title><description>&lt;VulnDiscussion&gt;Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
+
+Off-loading is a common process in information systems with limited audit storage capacity.
+
+Note: UEM server logs include logs of UEM events and logs transferred to the UEM server by UEM agents of managed devices. 
+
+Satisfies:FMT_SMF.1.1(2) c.8, FAU_STG_EXT.1.1(1) 
+Reference:PP-MDM-411054&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001851</ident><fixtext fixref="F-37650r615144_fix">Configure the UEM server to be configured to transfer UEM server logs to another server for storage, analysis, and reporting.
+
+Note: UEM server logs include logs of UEM events and logs transferred to the UEM server by UEM agents of managed devices.</fixtext><fix id="F-37650r615144_fix" /><check system="C-37685r851564_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server transfers UEM server logs to another server for storage, analysis, and reporting.
+
+If the UEM server does not transfer UEM server logs to another server for storage, analysis, and reporting, this is a finding.
+
+Note: UEM server logs include logs of UEM events and logs transferred to the UEM server by UEM agents of managed devices.</check-content></check></Rule></Group><Group id="V-234516"><title>SRG-APP-000374</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234516r961443_rule" weight="10.0" severity="medium"><version>SRG-APP-000374-UEM-000244</version><title>The UEM server must be configured to record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).</title><description>&lt;VulnDiscussion&gt;If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis.
+
+Time stamps generated by the application include date and time. Time is commonly expressed in UTC, a modern continuation of GMT, or local time with an offset from UTC. 
+
+Satisfies:FAU_GEN.1.2(1)&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001890</ident><fixtext fixref="F-37666r615192_fix">Configure the UEM server to be configured to record time stamps for audit records that can be mapped to UTC or GMT.</fixtext><fix id="F-37666r615192_fix" /><check system="C-37701r615191_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server records time stamps for audit records that can be mapped to UTC or GMT.
+
+If the UEM server does not record time stamps for audit records that can be mapped to UTC or GMT, this is a finding.</check-content></check></Rule></Group><Group id="V-234517"><title>SRG-APP-000375</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234517r961446_rule" weight="10.0" severity="medium"><version>SRG-APP-000375-UEM-000245</version><title>The UEM server must be configured to record time stamps for audit records that meet a granularity of one second for a minimum degree of precision.</title><description>&lt;VulnDiscussion&gt;Without sufficient granularity of time stamps, it is not possible to adequately determine the chronological order of records. 
+
+Time stamps generated by the application include date and time. Granularity of time measurements refers to the degree of synchronization between information system clocks and reference clocks.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001889</ident><fixtext fixref="F-37667r615195_fix">Configure the UEM server to be configured to record time stamps for audit records that meet a granularity of one second for a minimum degree of precision.</fixtext><fix id="F-37667r615195_fix" /><check system="C-37702r851582_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server records time stamps for audit records that meet a granularity of one second for a minimum degree of precision.
+
+If the UEM server does not record time stamps for audit records that meet a granularity of one second for a minimum degree of precision, this is a finding.</check-content></check></Rule></Group><Group id="V-234520"><title>SRG-APP-000378</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234520r985770_rule" weight="10.0" severity="medium"><version>SRG-APP-000378-UEM-000248</version><title>The UEM server must prohibit user installation of software by an administrator without the appropriate assigned permission for software installation.</title><description>&lt;VulnDiscussion&gt;Allowing regular users to install software, without explicit privileges, creates the risk that untested or potentially malicious software will be installed on the system. Explicit privileges (escalated or administrative privileges) provide the regular user with explicit capabilities and control that exceeds the rights of a regular user.
+
+Application functionality will vary, and while users are not permitted to install unapproved applications, there may be instances where the organization allows the user to install approved software packages such as from an approved software repository. 
+
+The application must enforce software installation by users based upon what types of software installations are permitted (e.g., updates and security patches to existing software) and what types of installations are prohibited (e.g., software whose pedigree with regard to being potentially malicious is unknown or suspect) by the organization. 
+
+This requirement applies, for example, to applications that provide the ability to extend application functionality (e.g., plug-ins, add-ons) and software management applications.
+
+Satisfies:FPT_TUD_EXT.1.2&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-003980</ident><fixtext fixref="F-37670r615204_fix">Configure the UEM server to prohibit user installation of software by an administrator without the appropriate assigned permission for software installation.</fixtext><fix id="F-37670r615204_fix" /><check system="C-37705r851587_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server prohibits user installation of software by an administrator without the appropriate assigned permission for software installation.
+
+If the UEM server does not prohibit user installation of software by an administrator without the appropriate assigned permission for software installation, this is a finding.</check-content></check></Rule></Group><Group id="V-234521"><title>SRG-APP-000378</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234521r985771_rule" weight="10.0" severity="medium"><version>SRG-APP-000378-UEM-000249</version><title>The UEM server must be configured to only allow enrolled devices that are compliant with UEM policies and assigned to a user in the application access group to download applications.</title><description>&lt;VulnDiscussion&gt;If the application install policy is not enforced, malicious applications and vulnerable applications can be installed on managed mobile devices, which could compromise DOD data. 
+
+Satisfies:FMT_MOF.1.1(3) 
+Reference:PP-MDM-423206&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-003980</ident><fixtext fixref="F-37671r615207_fix">Configure the UEM server to allow only enrolled devices that are compliant with UEM policies and assigned to a user in the application access group to download applications.</fixtext><fix id="F-37671r615207_fix" /><check system="C-37706r851589_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server allows only enrolled devices that are compliant with UEM policies and assigned to a user in the application access group to download applications.
+
+If the UEM server does not allow only enrolled devices that are compliant with UEM policies and assigned to a user in the application access group to download applications, this is a finding.</check-content></check></Rule></Group><Group id="V-234523"><title>SRG-APP-000380</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234523r961461_rule" weight="10.0" severity="medium"><version>SRG-APP-000380-UEM-000251</version><title>The UEM server must enforce access restrictions associated with changes to the server configuration.</title><description>&lt;VulnDiscussion&gt;Failure to provide logical access restrictions associated with changes to application configuration may have significant effects on the overall security of the system. 
+
+When dealing with access restrictions pertaining to change control, it should be noted that any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have significant effects on the overall security of the system. 
+
+Accordingly, only qualified and authorized individuals should be allowed to obtain access to application components for the purposes of initiating changes, including upgrades and modifications. 
+
+Logical access restrictions include, for example, controls that restrict access to workflow automation, media libraries, abstract layers (e.g., changes implemented into third-party interfaces rather than directly into information systems), and change windows (e.g., changes occur only during specified times, making unauthorized changes easy to discover). 
+
+Satisfies:FMT_SMR.1.1(1)&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001813</ident><fixtext fixref="F-37673r615213_fix">Configure the UEM server to enforce access restrictions associated with changes to the server configuration.</fixtext><fix id="F-37673r615213_fix" /><check system="C-37708r615212_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server enforces access restrictions associated with changes to the server configuration.
+
+If the UEM server does not enforce access restrictions associated with changes to the server configuration, this is a finding.</check-content></check></Rule></Group><Group id="V-234524"><title>SRG-APP-000381</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234524r985772_rule" weight="10.0" severity="medium"><version>SRG-APP-000381-UEM-000252</version><title>The UEM server must audit the enforcement actions used to restrict access associated with changes to the application.</title><description>&lt;VulnDiscussion&gt;Without auditing the enforcement of access restrictions against changes to the application configuration, it will be difficult to identify attempted attacks and an audit trail will not be available for forensic investigation for after-the-fact actions. 
+
+Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. Enforcement action methods may be as simple as denying access to a file based on the application of file permissions (access restriction). Audit items may consist of lists of actions blocked by access restrictions or changes identified after the fact. 
+
+Satisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 
+Reference:PP-MDM-411065, PP-MDM-412000&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-003938</ident><fixtext fixref="F-37674r615216_fix">Configure the UEM server to audit the enforcement actions used to restrict access associated with changes to the application.</fixtext><fix id="F-37674r615216_fix" /><check system="C-37709r851593_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server audits the enforcement actions used to restrict access associated with changes to the application.
+
+If the UEM server does not audit the enforcement actions used to restrict access associated with changes to the application, this is a finding.</check-content></check></Rule></Group><Group id="V-234526"><title>SRG-APP-000383</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234526r961470_rule" weight="10.0" severity="medium"><version>SRG-APP-000383-UEM-000254</version><title>The UEM server must disable organization-defined functions, ports, protocols, and services (within the application) deemed unnecessary and/or non-secure.</title><description>&lt;VulnDiscussion&gt;Removal of unneeded or non-secure functions, ports, protocols, and services mitigate the risk of unauthorized connection of devices, unauthorized transfer of information, or other exploitation of these resources.
+
+Examples include unneeded listening ports.
+
+The organization must perform a periodic scan/review of the application (as required by CCI-000384) and disable functions, ports, protocols, and services deemed to be unneeded or non-secure. 
+
+Satisfies:FMT_SMF.1.1(2) Refinement b 
+Reference:PP-MDM-431006&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001762</ident><fixtext fixref="F-37676r615222_fix">Configure the UEM server to disable organization-defined functions, ports, protocols, and services (within the application) deemed unnecessary and/or non-secure.</fixtext><fix id="F-37676r615222_fix" /><check system="C-37711r851596_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server disables organization-defined functions, ports, protocols, and services (within the application) deemed unnecessary and/or non-secure.
+
+If the UEM server does not disable organization-defined functions, ports, protocols, and services (within the application) deemed unnecessary and/or non-secure, this is a finding.</check-content></check></Rule></Group><Group id="V-234538"><title>SRG-APP-000395</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234538r961506_rule" weight="10.0" severity="high"><version>SRG-APP-000395-UEM-000266</version><title>Before establishing a connection to any endpoint device being managed, the UEM server must establish a trusted path between the server and endpoint that provides assured identification of the end point using a bidirectional authentication mechanism configured with a FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to authenticate with the device.</title><description>&lt;VulnDiscussion&gt;Without device-to-device authentication, communications with malicious devices may be established. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk. Currently, DoD requires the use of AES for bidirectional authentication since it is the only FIPS-validated AES cipher block algorithm. 
+
+For distributed architectures (e.g., service-oriented architectures), the decisions regarding the validation of authentication claims may be made by services separate from the services acting on those decisions. In such situations, it is necessary to provide authentication decisions (as opposed to the actual authenticators) to the services that need to act on those decisions.
+
+A local connection is any connection with a device communicating without the use of a network. A network connection is any connection with a device that communicates through a network (e.g., local area or wide area network; the internet). A remote connection is any connection with a device communicating through an external network (e.g., the internet).
+
+Because of the challenges of applying this requirement on a large scale, organizations are encouraged to apply the requirement only to those limited number (and type) of devices that truly need to support this capability. 
+
+Satisfies:FIA_X509_EXT.1(1), FIA_ENR_EXT.1.1&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001967</ident><fixtext fixref="F-37688r878109_fix">Configure the UEM server to establish a trusted path between the server and endpoint that provides assured identification of the end point using a bidirectional authentication mechanism configured with a FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to authenticate with the device before establishing a connection to any endpoint device being managed.</fixtext><fix id="F-37688r878109_fix" /><check system="C-37723r851610_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server establishes a trusted path between the server and endpoint that provides assured identification of the end point using a bidirectional authentication mechanism configured with a FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to authenticate with the device before establishing a connection to any endpoint device being managed. 
+
+If the UEM server does not establish a trusted path between the server and endpoint that provides assured identification of the end point using a bidirectional authentication mechanism configured with a FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to authenticate with the device before establishing a connection to any endpoint device being managed, this is a finding.</check-content></check></Rule></Group><Group id="V-234543"><title>SRG-APP-000400</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234543r961521_rule" weight="10.0" severity="medium"><version>SRG-APP-000400-UEM-000271</version><title>The UEM server must prohibit the use of cached authenticators after an organization-defined time period.</title><description>&lt;VulnDiscussion&gt;If cached authentication information is out-of-date, the validity of the authentication information may be questionable.
+
+According to the CNSS 1253, the IA-5(13) control which is tied to this requirement is not defined at the DoD-level. The organization should specify this value based on numerous factors, including the application in question, the data it hosts and the associated exposures/risks.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-002007</ident><fixtext fixref="F-37693r615273_fix">Configure the UEM server to prohibit the use of cached authenticators after an organization-defined time period.</fixtext><fix id="F-37693r615273_fix" /><check system="C-37728r851617_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Requirement is Not Applicable when the UEM server is configured to use DoD Central Directory Service for administrator account authentication.
+
+Verify the UEM server prohibits the use of cached authenticators after an organization-defined time period.
+
+If the UEM server does not prohibit the use of cached authenticators after an organization-defined time period, this is a finding.</check-content></check></Rule></Group><Group id="V-234544"><title>SRG-APP-000401</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234544r985774_rule" weight="10.0" severity="medium"><version>SRG-APP-000401-UEM-000272</version><title>The UEM server, for PKI-based authentication, must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network.</title><description>&lt;VulnDiscussion&gt;Without configuring a local cache of revocation data, there is the potential to allow access to users who are no longer authorized (users with revoked certificates).&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-004068</ident><fixtext fixref="F-37694r615276_fix">Configure the UEM server to implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network for PKI-based authentication.</fixtext><fix id="F-37694r615276_fix" /><check system="C-37729r851619_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server, for PKI-based authentication, implements a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network.
+
+If the UEM server, for PKI-based authentication, does not implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network, this is a finding.</check-content></check></Rule></Group><Group id="V-234555"><title>SRG-APP-000412</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234555r961557_rule" weight="10.0" severity="high"><version>SRG-APP-000412-UEM-000283</version><title>The UEM server must configure web management tools with FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to protect the confidentiality of maintenance and diagnostic communications for nonlocal maintenance sessions.</title><description>&lt;VulnDiscussion&gt;Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session.
+
+Nonlocal maintenance and diagnostic activities are activities conducted by individuals communicating through either an external network (e.g., the internet) or an internal network.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-003123</ident><fixtext fixref="F-37705r615309_fix">Configure the UEM server web management tools with a FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to protect the confidentiality of maintenance and diagnostic communications for nonlocal maintenance sessions.</fixtext><fix id="F-37705r615309_fix" /><check system="C-37740r851630_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server web management tools use a FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to protect the confidentiality of maintenance and diagnostic communications for nonlocal maintenance sessions.
+
+If the UEM server web management tools do not use FIPS-validated Advanced Encryption Standard (AES) cipher block algorithms to protect the confidentiality of maintenance and diagnostic communications for nonlocal maintenance sessions, this is a finding.</check-content></check></Rule></Group><Group id="V-234556"><title>SRG-APP-000413</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234556r961560_rule" weight="10.0" severity="medium"><version>SRG-APP-000413-UEM-000284</version><title>The UEM server must verify remote disconnection when non-local maintenance and diagnostic sessions are terminated.</title><description>&lt;VulnDiscussion&gt;If the remote connection is not closed and verified as closed, the session may remain open and be exploited by an attacker; this is referred to as a zombie session. Remote connections must be disconnected and verified as disconnected when non-local maintenance sessions have been terminated and are no longer available for use.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-002891</ident><fixtext fixref="F-37706r615312_fix">Configure the UEM server to verify remote disconnection when non-local maintenance and diagnostic sessions are terminated.</fixtext><fix id="F-37706r615312_fix" /><check system="C-37741r851632_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server verifies remote disconnection when non-local maintenance and diagnostic sessions are terminated.
+
+If the UEM server does not verify remote disconnection when non-local maintenance and diagnostic sessions are terminated, this is a finding.</check-content></check></Rule></Group><Group id="V-234573"><title>SRG-APP-000427</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234573r961596_rule" weight="10.0" severity="medium"><version>SRG-APP-000427-UEM-000298</version><title>The UEM server must only allow the use of DoD PKI established certificate authorities for verification of the establishment of protected sessions.</title><description>&lt;VulnDiscussion&gt;Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DoD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DoD-approved CA, trust of this CA has not been established.
+
+The DoD will only accept PKI certificates obtained from a DoD-approved internal or external certificate authority. Reliance on CAs for the establishment of secure sessions includes, for example, the use of TLS certificates. 
+
+This requirement focuses on communications protection for the application session rather than for the network packet.
+
+This requirement applies to applications that utilize communications sessions. This includes, but is not limited to, web-based applications and Service-Oriented Architectures (SOA). 
+
+Satisfies:FIA_X509_EXT.1.1(1)&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-002470</ident><fixtext fixref="F-37723r615354_fix">Configure the UEM server to allow only DoD-PKI established certificate authorities for verification of the establishment of protected sessions.</fixtext><fix id="F-37723r615354_fix" /><check system="C-37758r851645_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server allows only DoD-PKI established certificate authorities for verification of the establishment of protected sessions.
+
+If the UEM server does not allow only DoD-PKI established certificate authorities for verification of the establishment of protected sessions, this is a finding.</check-content></check></Rule></Group><Group id="V-234574"><title>SRG-APP-000427</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234574r961596_rule" weight="10.0" severity="medium"><version>SRG-APP-000427-UEM-000299</version><title>The UEM server must be configured to use X.509v3 certificates for code signing for system software updates.</title><description>&lt;VulnDiscussion&gt;It is critical that the UEM server validate code signing certificates for key activities such as code signing for system software updates, code signing for integrity verification, and policy signing. Otherwise, there is no assurance that a malicious actor has not inserted itself in the process of packaging the code or policy. For example, messages signed with an invalid certificate may contain links to malware, which could lead to the installation or distribution of that malware on DoD information systems, leading to compromise of DoD sensitive information and other attacks. Therefore, the MDM server must have the capability to enforce a policy for this control. 
+
+Satisfies:FMT_SMF.1.1(2) c.8, FIA_X509_EXT.2.1 
+Reference:PP-MDM-412002&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-002470</ident><fixtext fixref="F-37724r615357_fix">Configure the UEM server to use X.509v3 certificates for code signing for system software updates.</fixtext><fix id="F-37724r615357_fix" /><check system="C-37759r615356_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server uses X.509v3 certificates for code signing for system software updates.
+
+If the UEM server does not use X.509v3 certificates for code signing for system software updates, this is a finding.</check-content></check></Rule></Group><Group id="V-234575"><title>SRG-APP-000427</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234575r961596_rule" weight="10.0" severity="medium"><version>SRG-APP-000427-UEM-000300</version><title>The UEM server must be configured to use X.509v3 certificates for code signing for integrity verification.</title><description>&lt;VulnDiscussion&gt;It is critical that the UEM server validate code signing certificates for key activities such as code signing for system software updates, code signing for integrity verification, and policy signing. Otherwise, there is no assurance that a malicious actor has not inserted itself in the process of packaging the code or policy. For example, messages signed with an invalid certificate may contain links to malware, which could lead to the installation or distribution of that malware on DoD information systems, leading to compromise of DoD sensitive information and other attacks. Therefore, the MDM server must have the capability to enforce a policy for this control. 
+
+Satisfies:FMT_SMF.1.1(2) c.8, FIA_X509_EXT.2.1 
+Reference:PP-MDM-412002&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-002470</ident><fixtext fixref="F-37725r615360_fix">Configure the UEM server to use X.509v3 certificates for code signing for integrity verification.</fixtext><fix id="F-37725r615360_fix" /><check system="C-37760r615359_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server uses X.509v3 certificates for code signing for integrity verification.
+
+If the UEM server does not use X.509v3 certificates for code signing for integrity verification, this is a finding.</check-content></check></Rule></Group><Group id="V-234588"><title>SRG-APP-000439</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234588r961632_rule" weight="10.0" severity="high"><version>SRG-APP-000439-UEM-000313</version><title>The UEM server must connect to [assignment: [list of applications]] and managed mobile devices with an authenticated and secure (encrypted) connection to protect the confidentiality and integrity of transmitted information.</title><description>&lt;VulnDiscussion&gt;Applications may include the following: update server, database, and enterprise directory service. Without protection of the transmitted information, confidentiality and integrity may be compromised since unprotected communications can be intercepted and either read or altered. 
+
+This requirement applies only to those applications that are either distributed or can allow access to data non-locally. Use of this requirement will be limited to situations where the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. When transmitting data, applications need to leverage transmission protection mechanisms, such as TLS, TLS VPNs, or IPSEC.
+
+Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa.
+
+This requirement applies to any application to which the server connects (for example SQL server, Active Directory). 
+
+Satisfies:FMT_SMF.1.1(2) b, FTP_ITC.1.1(1), FTP_ITC.1.2(1), FTP_ITC.1.3(1)  
+Reference:PP-MDM-431009&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-002418</ident><fixtext fixref="F-37738r615399_fix">Configure the UEM server to connect to applications and managed mobile devices with an authenticated and secure (encrypted) connection to protect the confidentiality and integrity of transmitted information.</fixtext><fix id="F-37738r615399_fix" /><check system="C-37773r851661_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server connects to applications and managed mobile devices with an authenticated and secure (encrypted) connection to protect the confidentiality and integrity of transmitted information.
+
+If the UEM server does not connect to applications and managed mobile devices with an authenticated and secure (encrypted) connection to protect the confidentiality and integrity of transmitted information, this is a finding.</check-content></check></Rule></Group><Group id="V-234596"><title>SRG-APP-000447</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234596r961656_rule" weight="10.0" severity="medium"><version>SRG-APP-000447-UEM-000321</version><title>The UEM server must be configured to write to the server event log when invalid inputs are received.</title><description>&lt;VulnDiscussion&gt;A common vulnerability of applications is unpredictable behavior when invalid inputs are received. This requirement guards against adverse or unintended system behavior caused by invalid inputs, where information system responses to the invalid input may be disruptive or cause the system to fail into an unsafe state.
+
+The behavior will be derived from the organizational and system requirements and includes, but is not limited to, notification of the appropriate personnel, creating an audit record, and rejecting invalid input. 
+
+Satisfies:FPT_TST_EXT.1.2&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-002754</ident><fixtext fixref="F-37746r615423_fix">Configure the UEM server to write to the server event log when invalid inputs are received.</fixtext><fix id="F-37746r615423_fix" /><check system="C-37781r615422_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server writes to the server event log when invalid inputs are received.
+
+If the UEM server does not write to the server event log when invalid inputs are received, this is a finding.</check-content></check></Rule></Group><Group id="V-234603"><title>SRG-APP-000454</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234603r961677_rule" weight="10.0" severity="medium"><version>SRG-APP-000454-UEM-000328</version><title>The UEM server must remove old software components after updated versions have been installed.</title><description>&lt;VulnDiscussion&gt;Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of software automatically from the information system.
+
+If the update is due to a security issue with the old version of the app, the old version is not reinstalled. If rollback files are used by the server, they must be stored so as to not be easily accessible to the production system, or cannot be accidentally installed on the operational system, and then must be deleted after a short period of time defined by the organization.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-002617</ident><fixtext fixref="F-37753r615444_fix">Configure the UEM server to remove old software components after updated versions have been installed.</fixtext><fix id="F-37753r615444_fix" /><check system="C-37788r615443_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server removes old software components after updated versions have been installed.
+
+If the UEM server does not remove old software components after updated versions have been installed, this is a finding.</check-content></check></Rule></Group><Group id="V-234605"><title>SRG-APP-000456</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234605r961683_rule" weight="10.0" severity="high"><version>SRG-APP-000456-UEM-000330</version><title>The UEM server must be maintained at a supported version.</title><description>&lt;VulnDiscussion&gt;The UEM vendor maintains specific product versions for a specific period of time. MDM/EMM server versions no longer supported by the vendor will not receive security updates for new vulnerabilities, which leaves them subject to exploitation. 
+
+Satisfies:FPT_TUD_EXT.1.1, FPT_TUD_EXT.1.2 
+Reference:PP-MDM-414005&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-002605</ident><fixtext fixref="F-37755r615450_fix">Configure the UEM server to be maintained at a supported version.</fixtext><fix id="F-37755r615450_fix" /><check system="C-37790r615449_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server is maintained at a supported version.
+
+If the UEM server is not maintained at a supported version, this is a finding.</check-content></check></Rule></Group><Group id="V-234622"><title>SRG-APP-000472</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234622r961731_rule" weight="10.0" severity="medium"><version>SRG-APP-000472-UEM-000347</version><title>The UEM server must be configured with the periodicity of the following commands to the agent of six hours or less:  - query connectivity status - query the current version of the managed device firmware/software - query the current version of installed mobile applications - read audit logs kept by the managed device.</title><description>&lt;VulnDiscussion&gt;Without verification, security functions may not operate correctly and this failure may go unnoticed. 
+
+Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.
+
+This requirement applies to applications performing security functions and the applications performing security function verification/testing. 
+
+Satisfies:FAU_NET_EXT.1.1, FMT_SMF.1.1(2) c.3 
+Reference:PP-MDM-411057&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-002696</ident><fixtext fixref="F-37772r878111_fix">Configure the UEM server with the periodicity of the following commands to the agent of six hours or less: 
+- query connectivity status;
+- query the current version of the managed device firmware/software;
+- query the current version of installed mobile applications;
+- read audit logs kept by the managed device.</fixtext><fix id="F-37772r878111_fix" /><check system="C-37807r851696_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server is configured with the periodicity of the following commands to the agent of six hours or less: 
+- query connectivity status;
+- query the current version of the managed device firmware/software;
+- query the current version of installed mobile applications;
+- read audit logs kept by the managed device.
+
+If the UEM server is not configured with the periodicity of the following commands to the agent of six hours or less: 
+- query connectivity status;
+- query the current version of the managed device firmware/software;
+- query the current version of installed mobile applications;
+- read audit logs kept by the managed device,
+this is a finding.</check-content></check></Rule></Group><Group id="V-234623"><title>SRG-APP-000473</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234623r961734_rule" weight="10.0" severity="medium"><version>SRG-APP-000473-UEM-000348</version><title>The UEM server must run a suite of self-tests during initial start-up (power on) to demonstrate correct operation of the server.</title><description>&lt;VulnDiscussion&gt;Without verification, security functions may not operate correctly and this failure may go unnoticed. 
+
+Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.
+
+Notifications provided by information systems include, for example, electronic alerts to system administrators, messages to local computer consoles, and/or hardware indications, such as lights.
+
+This requirement applies to applications performing security functions and the applications performing security function verification/testing. 
+
+Satisfies:FPT_TST_EXT.1.1&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-002699</ident><fixtext fixref="F-37773r615504_fix">Configure the UEM server to run a suite of self-tests during initial start-up (power on) to demonstrate correct operation of the server.</fixtext><fix id="F-37773r615504_fix" /><check system="C-37808r851699_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server runs a suite of self-tests during initial start-up (power on) to demonstrate correct operation of the server.
+
+If the UEM server does not run a suite of self-tests during initial start-up (power on) to demonstrate correct operation of the server, this is a finding.</check-content></check></Rule></Group><Group id="V-234624"><title>SRG-APP-000474</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234624r961737_rule" weight="10.0" severity="medium"><version>SRG-APP-000474-UEM-000349</version><title>The UEM server must alert the system administrator when anomalies in the operation of security functions are discovered.</title><description>&lt;VulnDiscussion&gt;If anomalies are not acted upon, security functions may fail to secure the system. 
+
+Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.
+
+Notifications provided by information systems include messages to local computer consoles, and/or hardware indications, such as lights.
+
+This requirement applies to applications performing security functions and the applications performing security function verification/testing. 
+
+Satisfies:FAU_ALT_EXT.1.1 c.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-002702</ident><fixtext fixref="F-37774r615507_fix">Configure the UEM server to alert the system administrator when anomalies in the operation of security functions are discovered.</fixtext><fix id="F-37774r615507_fix" /><check system="C-37809r851701_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server alerts the system administrator when anomalies in the operation of security functions are discovered.
+
+If the UEM server does not alert the system administrator when anomalies in the operation of security functions are discovered, this is a finding.</check-content></check></Rule></Group><Group id="V-234629"><title>SRG-APP-000479</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234629r961752_rule" weight="10.0" severity="medium"><version>SRG-APP-000479-UEM-000354</version><title>The UEM server must be configured to verify software updates to the server using a digital signature mechanism prior to installing those updates.</title><description>&lt;VulnDiscussion&gt;Unauthorized modifications to software or firmware may be indicative of a sophisticated, targeted cyber-attack. Cryptographic authentication includes, for example, verifying that software or firmware components have been digitally signed using certificates recognized and approved by organizations. Code signing is an effective method to protect against malicious code. 
+
+Satisfies:FPT_TUD_EXT.1.3&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-002740</ident><fixtext fixref="F-37779r615522_fix">Configure the UEM server to verify software updates to the server using a digital signature mechanism prior to installing those updates.</fixtext><fix id="F-37779r615522_fix" /><check system="C-37814r851707_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server verifies software updates to the server using a digital signature mechanism prior to installing those updates.
+
+If the UEM server does not verify software updates to the server using a digital signature mechanism prior to installing those updates, this is a finding.</check-content></check></Rule></Group><Group id="V-234642"><title>SRG-APP-000492</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234642r961791_rule" weight="10.0" severity="medium"><version>SRG-APP-000492-UEM-000367</version><title>The UEM server must generate audit records when successful/unsuccessful attempts to access security objects occur.</title><description>&lt;VulnDiscussion&gt;Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. 
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter). 
+
+Satisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 
+Reference:PP-MDM-411065, PP-MDM-412000&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000172</ident><fixtext fixref="F-37792r615561_fix">Configure the UEM server to generate audit records when successful/unsuccessful attempts to access security objects occur.</fixtext><fix id="F-37792r615561_fix" /><check system="C-37827r616011_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server generates audit records when successful/unsuccessful attempts to access security objects occur.
+
+If the UEM server does not generate audit records when successful/unsuccessful attempts to access security objects occur, this is a finding.</check-content></check></Rule></Group><Group id="V-234645"><title>SRG-APP-000495</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234645r961800_rule" weight="10.0" severity="medium"><version>SRG-APP-000495-UEM-000370</version><title>The UEM server must generate audit records when successful/unsuccessful attempts to modify privileges occur.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. 
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter). 
+
+Satisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 
+Reference:PP-MDM-411065, PP-MDM-412000&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000172</ident><fixtext fixref="F-37795r615570_fix">Configure the UEM server to generate audit records when successful/unsuccessful attempts to modify privileges occur.</fixtext><fix id="F-37795r615570_fix" /><check system="C-37830r617401_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server generates audit records when successful/unsuccessful attempts to modify privileges occur.
+
+If the UEM server does not generate audit records when successful/unsuccessful attempts to modify privileges occur, this is a finding.</check-content></check></Rule></Group><Group id="V-234646"><title>SRG-APP-000496</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234646r961803_rule" weight="10.0" severity="medium"><version>SRG-APP-000496-UEM-000371</version><title>The UEM server must generate audit records when successful/unsuccessful attempts to modify security objects occur.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. 
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter). 
+
+Satisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 
+Reference:PP-MDM-411065, PP-MDM-412000&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000172</ident><fixtext fixref="F-37796r615573_fix">Configure the UEM server to generate audit records when successful/unsuccessful attempts to modify security objects occur.</fixtext><fix id="F-37796r615573_fix" /><check system="C-37831r616013_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server generates audit records when successful/unsuccessful attempts to modify security objects occur.
+
+If the UEM server does not generate audit records when successful/unsuccessful attempts to modify security objects occur, this is a finding.</check-content></check></Rule></Group><Group id="V-234649"><title>SRG-APP-000499</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234649r961812_rule" weight="10.0" severity="medium"><version>SRG-APP-000499-UEM-000374</version><title>The UEM server must generate audit records when successful/unsuccessful attempts to delete privileges occur.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. 
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter). 
+
+Satisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 
+Reference:PP-MDM-411065, PP-MDM-412000&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000172</ident><fixtext fixref="F-37799r615582_fix">Configure the UEM server to generate audit records when successful/unsuccessful attempts to delete privileges occur.</fixtext><fix id="F-37799r615582_fix" /><check system="C-37834r615581_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server generates audit records when successful/unsuccessful attempts to delete privileges occur.
+
+If the UEM server does not generate audit records when successful/unsuccessful attempts to delete privileges occur, this is a finding.</check-content></check></Rule></Group><Group id="V-234651"><title>SRG-APP-000501</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234651r961818_rule" weight="10.0" severity="medium"><version>SRG-APP-000501-UEM-000376</version><title>The UEM server must generate audit records when successful/unsuccessful attempts to delete security objects occur.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. 
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter). 
+
+Satisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 
+Reference:PP-MDM-411065, PP-MDM-412000&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000172</ident><fixtext fixref="F-37801r615588_fix">Configure the UEM server to generate audit records when successful/unsuccessful attempts to delete security objects occur.</fixtext><fix id="F-37801r615588_fix" /><check system="C-37836r616015_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server generates audit records when successful/unsuccessful attempts to delete security objects occur.
+
+If the UEM server does not generate audit records when successful/unsuccessful attempts to delete security objects occur, this is a finding.</check-content></check></Rule></Group><Group id="V-234653"><title>SRG-APP-000503</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234653r961824_rule" weight="10.0" severity="medium"><version>SRG-APP-000503-UEM-000378</version><title>The UEM server must generate audit records when successful/unsuccessful logon attempts occur.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. 
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter). 
+
+Satisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 
+Reference:PP-MDM-411065, PP-MDM-412000&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000172</ident><fixtext fixref="F-37803r615594_fix">Configure the UEM server to generate audit records when successful/unsuccessful logon attempts occur.</fixtext><fix id="F-37803r615594_fix" /><check system="C-37838r615593_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server generates audit records when successful/unsuccessful logon attempts occur.
+
+If the UEM server does not generate audit records when successful/unsuccessful logon attempts occur, this is a finding.</check-content></check></Rule></Group><Group id="V-234654"><title>SRG-APP-000504</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234654r961827_rule" weight="10.0" severity="medium"><version>SRG-APP-000504-UEM-000379</version><title>The UEM server must generate audit records for privileged activities or other system-level access.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. 
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter). 
+
+Satisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 
+Reference:PP-MDM-411065, PP-MDM-412000&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000172</ident><fixtext fixref="F-37804r615597_fix">Configure the UEM server to generate audit records for privileged activities or other system-level access.</fixtext><fix id="F-37804r615597_fix" /><check system="C-37839r615596_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server generates audit records for privileged activities or other system-level access.
+
+If the UEM server does not generate audit records for privileged activities or other system-level access, this is a finding.</check-content></check></Rule></Group><Group id="V-234655"><title>SRG-APP-000505</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234655r961830_rule" weight="10.0" severity="medium"><version>SRG-APP-000505-UEM-000380</version><title>The UEM server must generate audit records showing starting and ending time for user access to the system.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. 
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter). 
+
+Satisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 
+Reference:PP-MDM-411065, PP-MDM-412000&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000172</ident><fixtext fixref="F-37805r615600_fix">Configure the UEM server to generate audit records showing starting and ending time for user access to the system.</fixtext><fix id="F-37805r615600_fix" /><check system="C-37840r615599_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server generates audit records showing starting and ending time for user access to the system.
+
+If the UEM server does not generate audit records showing starting and ending time for user access to the system, this is a finding.</check-content></check></Rule></Group><Group id="V-234656"><title>SRG-APP-000506</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234656r961833_rule" weight="10.0" severity="medium"><version>SRG-APP-000506-UEM-000381</version><title>The UEM server must generate audit records when concurrent logons from different workstations occur.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. 
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter). 
+
+Satisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 
+Reference:PP-MDM-411065, PP-MDM-412000&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000172</ident><fixtext fixref="F-37806r615603_fix">Configure the UEM server to generate audit records when concurrent logons from different workstations occur.</fixtext><fix id="F-37806r615603_fix" /><check system="C-37841r615602_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server generates audit records when concurrent logons from different workstations occur.
+
+If the UEM server does not generate audit records when concurrent logons from different workstations occur, this is a finding.</check-content></check></Rule></Group><Group id="V-234657"><title>SRG-APP-000507</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234657r961836_rule" weight="10.0" severity="medium"><version>SRG-APP-000507-UEM-000382</version><title>The UEM server must generate audit records when successful/unsuccessful accesses to objects occur.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. 
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter). 
+
+Satisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 
+Reference:PP-MDM-411065, PP-MDM-412000&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000172</ident><fixtext fixref="F-37807r615606_fix">Configure the UEM server to generate audit records when successful/unsuccessful accesses to objects occur.</fixtext><fix id="F-37807r615606_fix" /><check system="C-37842r615605_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server generates audit records when successful/unsuccessful accesses to objects occur.
+
+If the UEM server does not generate audit records when successful/unsuccessful accesses to objects occur, this is a finding.</check-content></check></Rule></Group><Group id="V-234658"><title>SRG-APP-000508</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234658r961839_rule" weight="10.0" severity="medium"><version>SRG-APP-000508-UEM-000383</version><title>The UEM server must generate audit records for all direct access to the information system.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. 
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter). 
+
+Satisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 
+Reference:PP-MDM-411065, PP-MDM-412000&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000172</ident><fixtext fixref="F-37808r615609_fix">Configure the UEM server to generate audit records for all direct access to the information system.</fixtext><fix id="F-37808r615609_fix" /><check system="C-37843r615608_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server generates audit records for all direct access to the information system.
+
+If the UEM server does not generate audit records for all direct access to the information system, this is a finding.</check-content></check></Rule></Group><Group id="V-234659"><title>SRG-APP-000509</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234659r961842_rule" weight="10.0" severity="medium"><version>SRG-APP-000509-UEM-000384</version><title>The UEM server must generate audit records for all account creations, modifications, disabling, and termination events.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. 
+
+Audit records can be generated from various components within the information system (e.g., module or policy filter). 
+
+Satisfies:FAU_ALT_EXT.1.1, FAU_GEN.1.1(1), FMT_SMF.1.1(2)c.8 
+Reference:PP-MDM-411065, PP-MDM-412000&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000172</ident><fixtext fixref="F-37809r615612_fix">Configure the UEM server to generate audit records for all account creations, modifications, disabling, and termination events.</fixtext><fix id="F-37809r615612_fix" /><check system="C-37844r616017_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Requirement is Not Applicable when UEM server is configured to use DoD Central Directory Service for administrator account authentication.
+
+Verify the UEM server generates audit records for all account creations, modifications, disabling, and termination events.
+
+If the UEM server does not generate audit records for all account creations, modifications, disabling, and termination events, this is a finding.</check-content></check></Rule></Group><Group id="V-234664"><title>SRG-APP-000514</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234664r961857_rule" weight="10.0" severity="high"><version>SRG-APP-000514-UEM-000389</version><title>The UEM server must use a FIPS-validated cryptographic module to generate cryptographic hashes.</title><description>&lt;VulnDiscussion&gt;FIPS 140-2 precludes the use of invalidated cryptography for the cryptographic protection of sensitive or valuable data within Federal systems. Unvalidated cryptography is viewed by NIST as providing no protection to the information or data. In effect, the data would be considered unprotected plaintext. If the agency specifies that the information or data be cryptographically protected, then FIPS 140-2 is applicable. In essence, if cryptography is required, it must be validated. Cryptographic modules that have been approved for classified use may be used in lieu of modules that have been validated against the FIPS 140-2 standard. 
+
+The cryptographic module used must have at least one validated hash algorithm. This validated hash algorithm must be used to generate cryptographic hashes for all cryptographic security function within the product being evaluated. 
+
+Satisfies:FCS_COP.1.1(2)&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-002450</ident><fixtext fixref="F-37814r615627_fix">Configure the UEM server to use a FIPS-validated cryptographic module to generate cryptographic hashes.</fixtext><fix id="F-37814r615627_fix" /><check system="C-37849r615626_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server uses a FIPS-validated cryptographic module to generate cryptographic hashes.
+
+If the UEM server does not use a FIPS-validated cryptographic module to generate cryptographic hashes, this is a finding.</check-content></check></Rule></Group><Group id="V-234665"><title>SRG-APP-000515</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234665r961860_rule" weight="10.0" severity="medium"><version>SRG-APP-000515-UEM-000390</version><title>The UEM server must, at a minimum, off-load audit logs of interconnected systems in real time and off-load standalone systems weekly.</title><description>&lt;VulnDiscussion&gt;Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
+
+Off-loading is a common process in information systems with limited audit storage capacity. 
+
+Satisfies:FMT_SMF.1.1(2) c.8, FAU_STG_EXT.1.1(1) 
+Reference:PP-MDM-411054&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001851</ident><fixtext fixref="F-37815r615630_fix">Configure the UEM server to, at a minimum, off-load audit logs of interconnected systems in real time and off-load standalone systems weekly.</fixtext><fix id="F-37815r615630_fix" /><check system="C-37850r851724_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server, at a minimum, off-loads audit logs of interconnected systems in real time and off-load standalone systems weekly.
+
+If the UEM server does not off-load audit logs of interconnected systems in real time and off-load standalone systems weekly, this is a finding.</check-content></check></Rule></Group><Group id="V-234666"><title>SRG-APP-000516</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234666r961863_rule" weight="10.0" severity="medium"><version>SRG-APP-000516-UEM-000391</version><title>The UEM server must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.</title><description>&lt;VulnDiscussion&gt;Configuring the application to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. 
+
+Configuration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the application, including the parameters required to satisfy other security control requirements.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-37816r615633_fix">Configure the UEM server in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.</fixtext><fix id="F-37816r615633_fix" /><check system="C-37851r616021_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
+
+If the UEM server is not configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs, this is a finding.</check-content></check></Rule></Group><Group id="V-234667"><title>SRG-APP-000516</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234667r961863_rule" weight="10.0" severity="medium"><version>SRG-APP-000516-UEM-000392</version><title>The UEM server must be configured to allow authorized administrators to read all audit data from audit records on the server.</title><description>&lt;VulnDiscussion&gt;Successful incident response and auditing relies on timely, accurate system information and analysis in order to allow the organization to identify and respond to potential incidents in a proficient manner. If the application does not provide the ability to centrally review the application logs, forensic analysis is negatively impacted. 
+
+Segregation of logging data to multiple disparate computer systems is counterproductive and makes log analysis and log event alarming difficult to implement and manage, particularly when the system or application has multiple logging components written to different locations or systems.
+
+Automated mechanisms for centralized reviews and analyses include, for example, Security Information Management products. 
+
+Satisfies:FAU_SAR.1.1 
+Reference:PP-MDM-413000&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-37817r615636_fix">Configure the UEM server to allow authorized administrators to read all audit data from audit records on the server.</fixtext><fix id="F-37817r615636_fix" /><check system="C-37852r615635_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server allows authorized administrators to read all audit data from audit records on the server.
+
+If the UEM server does not allow authorized administrators to read all audit data from audit records on the server, this is a finding.</check-content></check></Rule></Group><Group id="V-234668"><title>SRG-APP-000555</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234668r961866_rule" weight="10.0" severity="high"><version>SRG-APP-000555-UEM-000393</version><title>The UEM server must be configured to implement FIPS 140-2 mode for all server and agent encryption.</title><description>&lt;VulnDiscussion&gt;Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. 
+
+Remote access is access to DoD non-public information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network.
+
+A block cipher mode is an algorithm that features the use of a symmetric key block cipher algorithm to provide an information service, such as confidentiality or authentication.
+
+AES is the FIPS-validated cipher block cryptographic algorithm approved for use in DoD. For an algorithm implementation to be listed on a FIPS 140-2 cryptographic module validation certificate as an approved security function, the algorithm implementation must meet all the requirements of FIPS 140-2 and must successfully complete the cryptographic algorithm validation process. Currently, NIST has approved the following confidentiality modes to be used with approved block ciphers in a series of special publications: ECB, CBC, OFB, CFB, CTR, XTS-AES, FF1, FF3, CCM, GCM, KW, KWP, and TKW. 
+
+Satisfies:FCS_COP.1.1(1), FTP_TRP.1.1(1)  
+Reference:PP-MDM-414001&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-002450</ident><fixtext fixref="F-37818r615639_fix">Configure the UEM server to implement FIPS 140-2 mode for all server and agent encryption.</fixtext><fix id="F-37818r615639_fix" /><check system="C-37853r615638_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify FIPS 140-2 mode has been implemented on the UEM server for all server and agent encryption.
+
+If FIPS 140-2 mode has not been implemented on the UEM server for all server and agent encryption, this is a finding.</check-content></check></Rule></Group><Group id="V-234669"><title>SRG-APP-000560</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234669r961869_rule" weight="10.0" severity="medium"><version>SRG-APP-000560-UEM-000394</version><title>The UEM server must be configured to prohibit client negotiation to TLS 1.1, TLS 1.0, SSL 2.0, or SSL 3.0.</title><description>&lt;VulnDiscussion&gt;Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol.
+
+This requirement applies to Transport Layer Security (TLS) gateways (also known as Secure Sockets Layer [SSL] gateways), web servers, and web applications. Application protocols such as HTTPS and DNSSEC use TLS as the underlying security protocol and thus are in scope for this requirement. NIST SP 800-52 provides guidance for client negotiation, either on DoD-only or on public-facing servers. 
+
+Satisfies:FCS_TLSC_EXT.1.1 
+Reference:PP-MDM-412061&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001453</ident><fixtext fixref="F-37819r615642_fix">Configure the UEM server to prohibit client negotiation to TLS 1.1, TLS 1.0, SSL 2.0, or SSL 3.0.</fixtext><fix id="F-37819r615642_fix" /><check system="C-37854r615641_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server is configured to prohibit client negotiation to TLS 1.1, TLS 1.0, SSL 2.0, or SSL 3.0.
+
+If the UEM server is not configured to prohibit client negotiation to TLS 1.1, TLS 1.0, SSL 2.0, or SSL 3.0, this is a finding.</check-content></check></Rule></Group><Group id="V-234673"><title>SRG-APP-000580</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234673r961881_rule" weight="10.0" severity="medium"><version>SRG-APP-000580-UEM-000398</version><title>The UEM server must authenticate endpoint devices (servers) before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based.</title><description>&lt;VulnDiscussion&gt;Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk, such as remote connections.
+
+This requires device-to-device authentication. Information systems must use IEEE 802.1x, Extensible Authentication Protocol [EAP], Radius server with EAP-Transport Layer Security [TLS] authentication, or Kerberos to identify/authenticate devices on local and/or wide area networks. 
+
+Satisfies:FMT_SMF.1.1(2) b, FTP_ITC.1.1(1), FTP_ITC.1.2(1), FTP_ITC.1.3(1)  
+Reference:PP-MDM-431009&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001967</ident><fixtext fixref="F-37823r615654_fix">Configure the UEM server to authenticate endpoint devices (servers) before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based.</fixtext><fix id="F-37823r615654_fix" /><check system="C-37858r851729_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server authenticates endpoint devices (servers) before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based.
+
+If the UEM server does not authenticate endpoint devices (servers) before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based, this is a finding.</check-content></check></Rule></Group><Group id="V-234674"><title>SRG-APP-000585</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234674r961884_rule" weight="10.0" severity="medium"><version>SRG-APP-000585-UEM-000399</version><title>If cipher suites using pre-shared keys are used for device authentication, the UEM server must have a minimum security strength of 112 bits or higher.</title><description>&lt;VulnDiscussion&gt;Pre-shared keys are symmetric keys that are already in place prior to the initiation of a Transport Layer Security (TLS) session (e.g., as the result of a manual distribution). In general, pre-shared keys should not be used. However, the use of pre-shared keys may be appropriate for some closed environments that have stung key management best practices. 
+
+Pre-shared keys may be appropriate for constrained environments with limited processing, memory, or power. If pre-shared keys are appropriate and supported, the following additional guidelines must be followed. Consult 800-52 for recommended pre-shared key cipher suites for pre-shared keys. Pre-shared keys must be distributed in a secure manner, such as a secure manual distribution or using a key establishment certificate. These cipher suites employ a pre-shared key for device authentication (for both the server and the client) and may also use RSA or ephemeral Diffie-Hellman (DHE) algorithms for key establishment. 
+
+Because these cipher suites require pre-shared keys, these suites are not generally applicable to classic secure website applications and are not expected to be widely supported in TLS clients or TLS servers. NIST suggests that these suites be considered in particular for infrastructure applications, particularly if frequent authentication of the network entities is required. These cipher suites may be used with TLS versions 1.1 or 1.2. Note that cipher suites using GCM, SHA-256, or SHA-384 are only available in TLS 1.2.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001967</ident><fixtext fixref="F-37824r615657_fix">If cipher suites using pre-shared keys are used for device authentication, configure the UEM server to have a minimum security strength of 112 bits or higher.</fixtext><fix id="F-37824r615657_fix" /><check system="C-37859r851731_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify cipher suites using pre-shared keys are for device authentication have a minimum security strength of 112 bits or higher.
+
+If cipher suites using pre-shared keys are for device authentication do not have a minimum security strength of 112 bits or higher, this is a finding.</check-content></check></Rule></Group><Group id="V-234676"><title>SRG-APP-000605</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234676r961893_rule" weight="10.0" severity="medium"><version>SRG-APP-000605-UEM-000401</version><title>The UEM server must validate certificates used for Transport Layer Security (TLS) functions by performing RFC 5280-compliant certification path validation.</title><description>&lt;VulnDiscussion&gt;A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to make an informed decision regarding acceptance of an end entity certificate. 
+
+Certification path validation includes checks such as certificate issuer trust, time validity, and revocation status for each certificate in the certification path. Revocation status information for CA and subject certificates in a certification path is commonly provided via certificate revocation lists (CRLs) or online certificate status protocol (OCSP) responses. 
+
+Satisfies:FIA_X509_EXT.1.1(1)&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000185</ident><fixtext fixref="F-37826r615663_fix">Configure the UEM server to validate certificates used for Transport Layer Security (TLS) functions by performing RFC 5280-compliant certification path validation.</fixtext><fix id="F-37826r615663_fix" /><check system="C-37861r616029_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server validates certificates used for TLS functions by performing RFC 5280-compliant certification path validation.
+
+If the UEM server does not validate certificates used for TLS functions by performing RFC 5280-compliant certification path validation, this is a finding.</check-content></check></Rule></Group><Group id="V-234677"><title>SRG-APP-000610</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-234677r961896_rule" weight="10.0" severity="high"><version>SRG-APP-000610-UEM-000402</version><title>The application must use FIPS-validated SHA-256 or higher hash function for digital signature generation and verification.</title><description>&lt;VulnDiscussion&gt;Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
+
+Note: Although allowed by SP800-131Ar1 for some applications, SHA-1 is considered a compromised hashing standard and is being phased out of use by industry and government standards. Unless required for legacy use, DoD systems should not be configured to use SHA-1 for integrity of remote access sessions. 
+
+To protect the integrity of the authenticator and authentication mechanism used for the cryptographic module used by the network device, the application, operating system, or protocol must be configured to use one of the following hash functions for hashing the password or other authenticator in accordance with SP 800-131Ar1: SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256, SHA3-224, SHA3-256, SHA3-384, and SHA3-512.
+
+For digital signature verification, SP800-131Ar1 allows SHA-1 for legacy use only. 
+
+Satisfies:FCS_COP.1.1(4)&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000803</ident><fixtext fixref="F-37827r615666_fix">Configure the UEM server to use FIPS-validated SHA-256 or higher hash function for digital signature generation and verification.</fixtext><fix id="F-37827r615666_fix" /><check system="C-37862r616031_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server uses FIPS-validated SHA-256 or higher hash function for digital signature generation and verification.
+
+If the UEM server does not use FIPS-validated SHA-256 or higher hash function for digital signature generation and verification, this is a finding.</check-content></check></Rule></Group><Group id="V-256892"><title>SRG-APP-000427</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-256892r985785_rule" weight="10.0" severity="high"><version>SRG-APP-000427-UEM-000500</version><title>The UEM server must provide digitally signed policies and policy updates to the UEM agent.</title><description>&lt;VulnDiscussion&gt;It is critical that the UEM server sign all policy updates with validated certificates. Otherwise, there is no assurance that a malicious actor has not inserted itself in the process of packaging the code or policy.
+
+Satisfies: FMT_POL_EXT.1.1&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-002470</ident><fixtext fixref="F-60510r891311_fix">Configure the UEM server to sign all policy updates sent to the UEM Agent with validated certificates.</fixtext><fix id="F-60510r891311_fix" /><check system="C-60567r891313_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server is signing all policy updates sent to the UEM Agent with validated certificates.
+
+If the UEM server is not signing all policy updates sent to the UEM Agent with validated certificates, this is a finding.</check-content></check></Rule></Group><Group id="V-264368"><title>SRG-APP-000427</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-264368r985737_rule" weight="10.0" severity="high"><version>SRG-APP-000427-UEM-000501</version><title>The UEM server must sign policies and policy updates using a private key associated with [selection: an X509 certificate, a public key provisioned to the agent trusted by the agent] for policy verification.</title><description>&lt;VulnDiscussion&gt;It is critical that the UEM server sign all policy updates with validated certificate or private keys. Otherwise, there is no assurance that a malicious actor has not inserted itself in the process of packaging the code or policy.
+
+Satisfies - FMT_POL_EXT.1.2
+PP-MDM-411070&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-002470</ident><fixtext fixref="F-68190r985736_fix">Configure the UEM server to sign policies and policy updates using [selection: an X509 certificate, a public key provisioned to the agent] trusted by the agent for policy verification.</fixtext><fix id="F-68190r985736_fix" /><check system="C-68282r985735_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the server is configured to sign policies and policy updates using [selection: an X509 certificate, a public key provisioned to the agent] trusted by the agent for policy verification.
+
+If the UEM server is not signing all policy updates using [selection: an X509 certificate, a public key provisioned to the agent] trusted by the agent for policy verification., this is a finding.</check-content></check></Rule></Group><Group id="V-264369"><title>SRG-APP-000427</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-264369r985781_rule" weight="10.0" severity="high"><version>SRG-APP-000427-UEM-000502</version><title>The UEM server, for each unique policy managed, must validate the policy is appropriate for an agent using [selection: a private key associated with an X509 certificate representing the agent, a token issued by the agent] associated with a policy signing key uniquely associated with the policy.</title><description>&lt;VulnDiscussion&gt;It is critical that the UEM server sign all policy updates with validated certificate or private keys. Otherwise, there is no assurance that a malicious actor has not inserted itself in the process of packaging the code or policy.
+
+This requirement focuses on communications protection for the application session rather than for the network packet.
+
+This requirement applies to applications that use communications sessions. This includes, but is not limited to, web-based applications and service-oriented architectures (SOAs).
+
+Satisfies: FMT_POL_EXT.1.3
+Reference: PP-MDM-411071&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Unified Endpoint Management Server</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Unified Endpoint Management Server</dc:subject><dc:identifier>5269</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-002470</ident><fixtext fixref="F-68191r985780_fix">Configure the IUEM server, for each unique policy managed, to validate the policy is appropriate for an agent using [selection: a private key associated with an X509 certificate representing the agent, a token issued by the agent and associated with a policy signing key uniquely associated with the policy].</fixtext><fix id="F-68191r985780_fix" /><check system="C-68283r985779_chk"><check-content-ref href="Unified_Endpoint_Management_Server_SRG.xml" name="M" /><check-content>Verify the UEM server, for each unique policy managed, validates the policy is appropriate for an agent using [selection: a private key associated with an X509 certificate representing the agent, a token issued by the agent and associated with a policy signing key uniquely associated with the policy].
+
+If the UEM server does not validate the policy is appropriate for an agent using [selection: a private key associated with an X509 certificate representing the agent, a token issued by the agent and associated with a policy signing key uniquely associated with the policy, this is a finding.</check-content></check></Rule></Group></Benchmark>
\ No newline at end of file
diff --git a/stigs.json b/stigs.json
index 552741e10..0aad219c6 100644
--- a/stigs.json
+++ b/stigs.json
@@ -5355,13 +5355,6 @@
     "version": "V1R1",
     "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_MongoDB_Enterprise_Advanced_7-x_STIG_V1R1_Manual-xccdf.xml"
   },
-  {
-    "id": "16d42323-b03c-46d1-985d-84f93a27f0d5",
-    "name": "z/OS RACF Products - Ver 6, Rel 61",
-    "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_zOS_RACF_V6R61_Products.zip",
-    "size": "8.95 MB",
-    "version": "V6R61"
-  },
   {
     "id": "Apple_iOS-iPadOS_18_STIG",
     "name": "Apple iOS-iPadOS 18 STIG - Ver 1, Rel 1",
@@ -5371,10 +5364,23 @@
     "file": "https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/U_Apple_iOS-iPadOS_18_STIG_V1R1_Manual-xccdf.xml"
   },
   {
-    "id": "49230c21-b7f7-4389-95c6-2d8e6730b7d8",
-    "name": "z/OS ACF2 Products - Ver 6, Rel 61",
-    "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_zOS_ACF2_V6R61_Products.zip",
-    "size": "8.86 MB",
+    "id": "3156bb9f-ed81-44c2-87ec-b27a6a79be6c",
+    "name": "Sunset - HP-UX 11.31 STIG Benchmark - Ver 1, Rel 17",
+    "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_HPUX_11-31_V1R17_STIG_SCAP_1-2_Benchmark.zip",
+    "size": "109.21 KB",
+    "version": "V1R17"
+  },
+  {
+    "id": "87904a6b-be49-4f3d-a32d-0696fbbb528a",
+    "name": "Unified Endpoint Management Server SRG",
+    "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_UEM_Y24M10_SRG.zip",
+    "size": "1.42 MB"
+  },
+  {
+    "id": "145aae8c-10bc-4635-9cea-62c08b915d6d",
+    "name": "z/OS TSS Products - Ver 6, Rel 61",
+    "url": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_zOS_TSS_V6R61_Products.zip",
+    "size": "8.87 MB",
     "version": "V6R61"
   }
 ]
\ No newline at end of file