Open Recommendations
Recommendation Number | Significant Recommendation | Recommended Questioned Costs | Recommended Funds for Better Use | Additional Details
---|---|---|---|---
1A | No | $0 | $0 | Implement procedures to ensure a complete and updated listing of administrative user accounts of Linux servers is included in the review process.
1B | No | $0 | $0 | Define and implement a process for reviewing all Linux server administrators, including those found within the wheel group with root access.
1C | No | $0 | $0 | Implement a formalized process to validate or follow up on account removal actions identified during the semi-annual review process to ensure that user accounts align with job responsibilities and least privilege concepts.
2A | No | $0 | $0 | Implement system access authorization processes for Splunk administrators to include separation of duties controls. When separation of duties cannot be achieved for conflicting roles, assess the risk and document the control deviation and risk-based decisions.
3A | No | $0 | $0 | Ensure that audit log collection and retention is implemented in accordance with Federal and site-level policies and procedures.
4A | No | $0 | $0 | Ensure account passwords are reset, and documentation retained, whenever an individual with access to service accounts leaves BEA or is no longer in a role requiring such access.
7A | No | $0 | $0 | Update and implement existing configuration management procedures for all servers, printers, and services on the production network to enforce changing default credentials before the server or printer is connected to the network.
7B | No | $0 | $0 | Update and implement vulnerability management procedures to ensure that security vulnerabilities involving anonymous access, default credentials, and vulnerable services are identified, monitored, and remediated.
8A | No | $0 | $0 | We recommend that the Manager, Thomas Jefferson Site Office (TJSO), direct Jefferson Science Associates, LLC (JSA) to ensure application security controls are implemented in the Management Information System (MIS) portal to protect against known types of attacks, including cross-site scripting and unauthorized actions.
8B | No | $0 | $0 | We recommend that the Manager, TJSO, direct JSA to update existing web application security risk assessment and testing processes for the MIS portal and remediate known web application vulnerabilities.
9A | No | $0 | $0 | We recommend that the Manager, TJSO, direct JSA to update the vulnerability remediation process, including monitoring corrective actions for vulnerabilities identified during the scanning process and monitoring patching tools to ensure patches are applied as intended.
9B | No | $0 | $0 | We recommend that the Manager, TJSO, direct JSA to enhance operational vulnerability management procedures to include regular credentialed scanning and centralized software management to ensure vulnerabilities are appropriately monitored and patches are applied as intended.
10A | No | $0 | $0 | Update the vulnerability remediation process to ensure vulnerabilities are appropriately monitored and patches are applied in a timely manner.
10B | No | $0 | $0 | Enhance operational vulnerability management procedures to ensure vulnerabilities that cannot be patched, such as configuration weaknesses and unsupported software, are investigated and resolved in a timely manner.
11A | No | $0 | $0 | Update and implement existing configuration management procedures for all servers and services on the production network to enforce changing default credentials before the server is connected to the network.
11B | No | $0 | $0 | Update and implement vulnerability management procedures to ensure that security vulnerabilities involving anonymous access, default credentials, and vulnerable services are identified, monitored, and remediated.
12A | No | $0 | $0 | Ensure application security controls are implemented in the WAPA development Portal to protect against known types of attacks, including cross-site scripting and unauthorized actions.
12B | No | $0 | $0 | Update existing web application security risk assessment and testing processes for the WAPA Portal and remediate known web application vulnerabilities.
13A | No | $0 | $0 | Update the vulnerability identification and software patch management process to ensure vulnerabilities are appropriately monitored and patches are applied in a timely manner.
13B | No | $0 | $0 | Enhance operational vulnerability and software patch management procedures to ensure vulnerabilities that cannot be patched, such as configuration weaknesses and unsupported software, are investigated and resolved in a timely manner, or implement a risk acceptance or POA&M process.
14A | No | $0 | $0 | We continue to recommend that the Manager, Fermi Site Office, direct Fermi Research Alliance, LLC to update the vulnerability remediation process, including monitoring corrective actions for vulnerabilities identified during the scanning process and monitoring patching tools to ensure patches are applied as intended.
14B | No | $0 | $0 | We continue to recommend that the Manager, Fermi Site Office, direct Fermi Research Alliance, LLC to enhance operational vulnerability management procedures to ensure vulnerabilities that cannot be patched, such as configuration weaknesses and unsupported software, are validated as unfixable, required for the mission, and mitigated to an acceptable risk with Authorizing Official concurrence.
15A | No | $0 | $0 | We continue to recommend that the Manager, ORNL Site Office, direct ORNL to update the vulnerability remediation process, including monitoring corrective actions for vulnerabilities identified during the scanning process, monitoring vendor patch releases and end-of-life notifications, and monitoring patching tools to ensure patches are applied as intended.
15B | No | $0 | $0 | We continue to recommend that the Manager, ORNL Site Office, direct ORNL to enhance operational vulnerability management procedures to ensure vulnerabilities that cannot be patched, such as configuration weaknesses and unsupported software, are investigated and resolved in a timely manner.
16A | No | $0 | $0 | Ensure application security controls are implemented in the NARAC application to protect against known types of attacks. (21-LLNL-PT-01, Rec 1)
16B | No | $0 | $0 | Update existing web application security risk assessment and testing processes for the National Atmospheric Release Advisory Center application and remediate known web application vulnerabilities. (21-LLNL-PT-01)
17A | No | $0 | $0 | We continue to recommend that the Manager, ORNL Site Office, direct the contractor responsible for operating the WARS to implement security controls to correct the identified vulnerabilities by taking the following action: identify all servers, workstations, and networked devices within the WARS boundary that are necessary for its successful operation. Remove any unnecessary assets, update system documentation to include relevant details, monitor the WARS for future changes, and maintain an accurate asset list.
17B | No | $0 | $0 | We continue to recommend that the Manager, ORNL Site Office, direct the contractor responsible for operating the WARS to implement security controls to correct the identified vulnerabilities by taking the following action: upgrade or replace unsupported software and install the latest security updates/patches for all servers, workstations, and networked devices within the system boundary.
17C | No | $0 | $0 | We continue to recommend that the Manager, ORNL Site Office, direct the contractor responsible for operating the WARS to implement security controls to correct the identified vulnerabilities by taking the following action: install endpoint protection software on all applicable servers, workstations, and networked devices and ensure that this software can receive regular updates.
17D | No | $0 | $0 | We continue to recommend that the Manager, ORNL Site Office, direct the contractor responsible for operating the WARS to implement security controls to correct the identified vulnerabilities by taking the following action: disable unencrypted services and replace them with alternate services that are configured to use strong encryption. Establish a configuration monitoring process to prevent future use of unencrypted services and services using weak encryption settings.
18A | No | $0 | $0 | Enhance operational procedures of the vulnerability management program to demonstrate alignment with Binding Operational Directive 22-01.
18B | No | $0 | $0 | Finalize implementation of the updated vulnerability management plan to ensure corrective actions for vulnerabilities identified are applied to effectively implement patches and fixes, as required. If required remediation timelines cannot be adhered to, consistently document the risk acceptance, business rationale, and/or technical issue(s) related to vulnerability remediation.
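Recommendations 1A through 1C ask for a complete listing of Linux administrative accounts, a review that covers the wheel group, and follow-up on removals. The script below is an added example of how a reviewer can produce that listing mechanically; it is not part of the audit report and not a site's own tooling. It treats an account as privileged if it has UID 0, has a privileged primary or supplementary group, or appears in a sudoers rule directly or through a `%group` entry, then compares the result with an approved-administrator list. The privileged group names, the approved list and the three file contents are constructed assumptions; on a real host the inputs are `/etc/passwd`, `/etc/group`, `/etc/sudoers` and the fragments under `/etc/sudoers.d` (reading sudoers needs root), and directory-backed accounts would come from `getent passwd`/`getent group` rather than the local files.

```python
"""Enumerate root-equivalent Linux accounts for a periodic access review.

Added example (not from the audit report).  Inputs are constructed sample
copies of /etc/passwd, /etc/group and /etc/sudoers; replace them with the
real files (or `getent` output) when running against a host.
"""
import re
from collections import defaultdict

# Constructed sample inputs: not taken from any real host.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:backup root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
carol:x:1003:1003:Carol:/home/carol:/bin/bash
svc_backup:x:1500:1500:backup svc:/var/backup:/sbin/nologin
"""
GROUP = """\
root:x:0:
wheel:x:10:alice,bob
sudo:x:27:carol
users:x:100:alice,bob,carol
"""
SUDOERS = """\
# constructed sudoers
Defaults env_reset
root ALL=(ALL) ALL
%wheel ALL=(ALL) ALL
svc_backup ALL=(root) NOPASSWD: /usr/bin/rsync
carol ALL=(ALL) ALL
"""

# Assumption: site policy treats membership in these groups as administrative.
PRIVILEGED_GROUPS = {"root", "wheel", "sudo"}
# Assumption: the approved admin listing reviewed under recommendation 1A.
# "dave" is included deliberately: he no longer exists on the host.
APPROVED_ADMINS = {"root", "alice", "bob", "dave"}

# user_or_%group  host = (runas) commands   (Defaults/aliases are skipped)
SUDO_RULE = re.compile(
    r"^(?P<who>[^\s#]+)\s+(?P<host>[^\s=]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")


def parse_passwd(text):
    """Return {name: (uid, gid)} from passwd-format text."""
    users = {}
    for line in text.splitlines():
        f = line.split(":")
        if len(f) >= 7 and not line.startswith("#"):
            users[f[0]] = (int(f[2]), int(f[3]))
    return users


def parse_group(text):
    """Return {group: (gid, set_of_listed_members)} from group-format text."""
    groups = {}
    for line in text.splitlines():
        f = line.split(":")
        if len(f) >= 4 and not line.startswith("#"):
            groups[f[0]] = (int(f[2]), {m for m in f[3].split(",") if m})
    return groups


def parse_sudoers(text):
    """Return [(principal, command_spec)] for user and %group rules."""
    rules = []
    for line in text.replace("\\\n", " ").splitlines():  # join continued lines
        line = line.split("#", 1)[0].strip()              # drop comments/#include
        if not line or line.startswith(("Defaults", "User_Alias", "Host_Alias",
                                        "Cmnd_Alias", "Runas_Alias")):
            continue
        m = SUDO_RULE.match(line)
        if m:
            rules.append((m.group("who"), m.group("cmds").strip()))
    return rules


def privileged_accounts(users, groups, rules):
    """Return {name: sorted reasons} for every account with root-equivalent access."""
    reasons = defaultdict(set)
    priv_gids = {gid: g for g, (gid, _) in groups.items() if g in PRIVILEGED_GROUPS}
    for name, (uid, gid) in users.items():
        if uid == 0:
            reasons[name].add("uid 0")
        if gid in priv_gids:
            reasons[name].add(f"primary group {priv_gids[gid]}")
    for g, (_, members) in groups.items():
        if g in PRIVILEGED_GROUPS:
            for m in members:
                reasons[m].add(f"member of {g}")
    for who, cmds in rules:
        if who.startswith("%"):  # group rule: listed members plus primary-group users
            gname = who[1:]
            gid, members = groups.get(gname, (None, set()))
            members = set(members) | {u for u, (_, ug) in users.items() if ug == gid}
            for m in members:
                reasons[m].add(f"sudo via %{gname}: {cmds}")
        else:
            reasons[who].add(f"sudo: {cmds}")
    return {n: sorted(r) for n, r in reasons.items()}


def review(users, groups, rules, approved):
    """Compare host privilege with the approved list.

    Returns (unapproved: {name: reasons} to remove or justify under 1C,
             stale: approved names holding no privilege on this host, i.e. the
             listing itself is out of date under 1A)."""
    priv = privileged_accounts(users, groups, rules)
    unapproved = {n: r for n, r in priv.items() if n not in approved}
    stale = sorted(set(approved) - set(priv))
    return unapproved, stale


def run_review(passwd_text=PASSWD, group_text=GROUP, sudoers_text=SUDOERS,
               approved=APPROVED_ADMINS):
    return review(parse_passwd(passwd_text), parse_group(group_text),
                  parse_sudoers(sudoers_text), approved)


if __name__ == "__main__":
    unapproved, stale = run_review()
    for name, why in sorted(unapproved.items()):
        print(f"REMOVE OR JUSTIFY {name}: {'; '.join(why)}")
    for name in stale:
        print(f"STALE APPROVAL {name}: no privilege on host, update the listing")
```

With the constructed inputs the review flags `toor` (a second UID 0 account), `carol` (sudo group member with a full sudo rule) and `svc_backup` (a NOPASSWD rsync rule) as unapproved, and reports `dave` as a stale approval. The output is the artifact the semi-annual review should retain: each unapproved name is either removed or documented as a justified exception, and each stale name is taken off the listing.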