Columns: #, OS, CCE Name, Title, Purpose, Impact

1. Accounts: Rename Administrator Account
   CCE: Win 7 CCE-8484-8; Win XP CCE-3135-1; Win Vista CCE-2714-4
   Purpose: Renaming this account makes it slightly more difficult for a malicious user to attempt a brute force password guessing attack; however, the value of this setting is diminished by the fact that the account has a well-known security identifier (SID), and attackers can use the SID rather than the account name when attempting to log on via the network.
   Impact: The account will be renamed.

2. Interactive Logon: Number Of Previous Logons To Cache (in Case Domain Controller Is Not Available)
   CCE: Win 7 CCE-8487-1; Win XP CCE-3106-2; Win Vista CCE-2376-2
   Purpose: Configuring this policy setting to two ensures that the primary user of the computer can log on even if no domain controller is available. Two is specified so that even if an administrator logs on to the computer to perform maintenance, the primary user's credentials will still be cached.
   Impact: Users who log on with a domain account will have their credentials cached; the computer will allow users with cached credentials to log on if it is unable to communicate with a domain controller.

3. Notify Antivirus Programs When Opening Attachments
   CCE: Win 7 CCE-10076-8; Win XP CCE-5059-1; Win Vista CCE-3300-1
   Purpose: To minimize the risk of malicious software infecting the system.
   Impact: Antivirus programs will scan attachments before users can open them.

4. Do Not Allow Passwords To Be Saved
   CCE: Win 7 CCE-10090-9; Win XP CCE-4849-6; Win Vista CCE-2975-1
   Purpose: To prevent the caching of user credentials.
   Impact: Remote Desktop Services will not save passwords; users will have to enter their credentials each time that they connect.

5. Account Lockout Duration
   CCE: Win 7 CCE-9308-8; Win XP CCE-2928-0; Win Vista CCE-2363-0
   Purpose: To mitigate the impact of the account lockout threshold, i.e., this setting lowers the risk of an attacker causing a denial of service (DoS) by deliberately causing failed logons for numerous accounts.
   Impact: Accounts that have been locked out will automatically be unlocked after 15 minutes.

6. Minimum Password Age
   CCE: Win 7 CCE-9330-2; Win XP CCE-2439-8; Win Vista CCE-3240-9
   Purpose: To make it difficult for users to reuse old passwords; reused passwords increase the risk of account compromise.
   Impact: Users will not be able to quickly cycle through 24 new passwords so that they can reuse the password they prefer.

7. Minimum Password Length
   CCE: Win 7 CCE-9357-5; Win XP CCE-2981-9; Win Vista CCE-2883-7
   Purpose: To make brute force password guessing attacks more difficult.
   Impact: Requiring long passwords increases the risk that users will write down their passwords in order to remember them. It is recommended that agencies provide users advice on password creation using ideas such as passphrases.

8. Logon/Logoff: Logon
   CCE: Win 7 CCE-9683-4; Win XP CCE-2100-6; Win Vista CCE-5018-7
   Purpose: Audit data provide information that may be needed in order to determine the root cause of a security incident. Audit data can also help to resolve various types of system and application configuration issues, such as incorrect permissions in the registry.
   Impact: Enabling audit policies will cause more events to be recorded in the Security Event Log; enabling certain audit policies can result in so many events being recorded that the log is unusable. On a very busy server, enabling too many audit policies will degrade system performance.

9. Turn Off Internet Download For Web Publishing And Online Ordering Wizards
   CCE: Win 7 CCE-9674-3; Win XP CCE-5099-7; Win Vista CCE-3364-7
   Purpose: To lower the risk of a user downloading malicious code.
   Impact: Windows will not download the list of providers from Microsoft servers; only the service providers cached in the local registry will be displayed.

10. Turn Off Autoplay
    CCE: Win 7 CCE-9528-1; Win XP CCE-2710-2; Win Vista CCE-2719-3
    Purpose: To prevent malicious software from launching automatically when removable media is attached to the system.
    Impact: Users will have to manually launch installation programs stored on removable media such as CDs and DVDs.

11. Log On As A Service
    CCE: Win 7 CCE-9461-5; Win XP CCE-2948-8; Win Vista CCE-4038-6
    Purpose: Only the operating system should have this privilege.
    Impact: Only the operating system will be able to log on as a service.

12. Accounts: Guest Account Status
    CCE: Win 7 CCE-8714-8; Win XP CCE-3040-3
    Purpose: The built-in local guest account allows unauthenticated users to connect to shared resources via the network.
    Impact: Anonymous network access will not be available.

13. (Title and Win 7 CCE not present in the extracted text)
    CCE: Win XP CCE-2804-3; Win Vista CCE-3232-6
    Purpose: To prevent a malicious user from gathering account and share names via the network.
    Impact: It will not be possible to grant access to users of other domains via one-way trusts, because administrators in the trusting domain will not be able to enumerate lists of accounts from the other domain.

14. Microsoft Network Client: Send Unencrypted Password To Third-party SMB Servers
    CCE: Win 7 CCE-9265-0; Win XP CCE-3049-4; Win Vista CCE-2838-1
    Purpose: To minimize the risk of the password being intercepted while traversing the network.
    Impact: The computer will not be able to connect to shared resources on servers running very old versions of Windows and certain third-party implementations of SMB.

15. User Account Control: Detect Application Installations And Prompt For Elevation
    CCE: Win 7 CCE-9616-4; Win XP N/A; Win Vista CCD-4612-8
    Purpose: To lower the risk of a user installing malicious or unauthorized software.
    Impact: Users will be prompted to elevate when installing software.

16. Password Must Meet Complexity Requirement
    CCE: Win 7 CCE-9370-8; Win XP CCE-2735-9; Win Vista CCD-3033-8
    Purpose: To make brute force password guessing attacks more difficult.
    Impact: Requiring complex passwords increases the risk that users will write down their passwords in order to remember them.

17. Require A Password When A Computer Wakes (On Battery)
    CCE: Win 7 CCE-9829-3; Win XP N/A; Win Vista CCE-2821-7
    Purpose: To ensure that anyone who wakes an unattended computer will have to enter their credentials before they can access it.
    Impact: Users will be prompted to enter their logon credentials when the computer resumes from sleep.

Table 11: FY14 CCE Settings
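Each setting in Table 11 can be verified on a host. The following PowerShell audit is an added example (the author's own, not part of the DHS document or its SCAP baseline files); the registry paths and value names are the author's assumption of where Group Policy stores each setting, and the expected values follow the table's stated intent.

```powershell
# Added audit check, not part of the DHS document. Registry locations below are the
# author's assumption of where Group Policy stores each Table 11 setting; expected
# values follow the table's stated intent (e.g. two cached logons, autoplay disabled).
function Get-RegValue($Path, $Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # absent value: the policy was never applied on this host
}

$Checks = @(
    @{ Item = '2 Cached logons = 2';       Expected = '2';
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';          Name = 'CachedLogonsCount' },
    @{ Item = '4 No saved RDP passwords';  Expected = 1;
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services';       Name = 'DisablePasswordSaving' },
    @{ Item = '9 Web wizards offline';     Expected = 1;
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer';    Name = 'NoWebServices' },
    @{ Item = '10 Autoplay off';           Expected = 255;   # 0xFF = all drive types
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer';    Name = 'NoDriveTypeAutoRun' },
    @{ Item = '13 No anonymous enum';      Expected = 1;
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                           Name = 'RestrictAnonymous' },
    @{ Item = '14 No plaintext SMB pwd';   Expected = 0;
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Name = 'EnablePlainTextPassword' },
    @{ Item = '15 UAC installer detect';   Expected = 1;
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';      Name = 'EnableInstallerDetection' }
)

$Results = @(foreach ($c in $Checks) {
    $actual = Get-RegValue $c.Path $c.Name
    New-Object PSObject -Property @{
        Item = $c.Item; Expected = $c.Expected; Actual = $actual
        Pass = ($null -ne $actual) -and ("$actual" -eq "$($c.Expected)")
    }
})

# Built-in accounts are located by well-known RID (-500 Administrator, -501 Guest), not
# by name: this is exactly why the table says renaming alone offers limited protection.
$accounts = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True"
$admin = $accounts | Where-Object { $_.SID -like '*-500' }
$guest = $accounts | Where-Object { $_.SID -like '*-501' }
$Results += New-Object PSObject -Property @{
    Item = '1 Administrator renamed'; Expected = 'not Administrator'; Actual = $admin.Name
    Pass = ($admin.Name -ne 'Administrator') }
$Results += New-Object PSObject -Property @{
    Item = '12 Guest disabled'; Expected = $true; Actual = $guest.Disabled
    Pass = [bool]$guest.Disabled }

$Results | Format-Table Item, Expected, Actual, Pass -AutoSize
```

Password policy items (5, 6, 7, 16) live in the SAM rather than the registry; compare them against `net accounts` output or a `secedit /export` file instead.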
Appendix J: Points of Contact

Area: Name, Title/Organization
DHS ISO: Jeffrey Gallucci, Director of Compliance & Technology, DHS ISO
Scorecard/Performance Plan/FISMA Reporting SP: Teresa Proctor, Branch Chief of Metric Strategy
DHS ISO Xacta/IACS: Richard Johnson, Branch Chief of Information Technology
DHS ISO Inventory: Paul Knick, Branch Chief of Inventory Management (Acting)
DHS ISO Information Assurance: Kenneth Pearlstein, Branch Chief of Information Assurance
Privileged User: Teresa Proctor, Branch Chief of Metric Strategy
Common Controls: Angela Moore, ISO
Enterprise License Agreements: Solomon Eshun, ISO
McAfee: Max Palas
Inventory: FISMA Inventory Team, ISO
Security Authorization: Document Review Team, ISO
POA&M: Brenda Jacobs, ISO Remediation Division
Crystal Reports: FISMA Reporting Team
MES: Bryan DiFrancesco, EOC
(Email addresses were not preserved in this copy.)
Table 12: Points of Contact
Appendix K: Resource, Reference, and Site Links

Title: Link
Annual IT Security Awareness: http://mgmt-ocio-sp.dhs.gov/ciso/fisma reporting/Lists/Annual IT Security Awareness Training
Asset Classification White Paper: http://mgmt-ocio-sp.dhs.gov/ciso/fisma reporting/FY14 Supporting Documentation/Asset Classification White Paper.docx
Asset Inventory: http://mgmt-ocio-sp.dhs.gov/ciso/fisma reporting/Lists/INVENTORY
CMWG SharePoint Site: http://mgmt-ocio-sp.dhs.gov/ciso/cmwg/default.aspx
Common Control Catalog Implementation Guide: Future link
Configuration Baseline Audit Files: http://mgmt-ocio-sp.dhs.gov/ciso/cmwg/Shared%20Documents/Forms/AllItems.aspx?RootFolder=%2Fciso%2Fcmwg%2FShared%20Documents%2FBaseline%20Configuration%20Files%2FWindows%20Configuration%20Baseline%20SCAP%20Version&FolderCTID=0x012000676F6544A2C1F1428957FFD3F61B38F6&View=%7b90C80479-F90D-4F61-A272-DB514051D2C9%7d
Crystal Reports: https://dhscr.dhs.gov
DHS Connect CISO Website: http://dhsconnect.dhs.gov/org/comp/mgmt/cio/iso/Pages/sscg.aspx
DHS Executive FISMA Scorecard Page: http://mgmt-ocio-sp.dhs.gov/ciso/fisma reporting/SitePages/DHS Executive FISMA Scorecard.aspx
DHS FISMA Inventory Methodology: http://dhsconnect.dhs.gov/org/comp/mgmt/cio/iso/Pages/isodocs.aspx
Document Review Checklist: http://dhsconnect.dhs.gov/org/comp/mgmt/cio/iso
EOC SharePoint Site: http://mgmt-ocio-sp.dhs.gov/itso/eoc_watchportal/mission_essential_systems/default.aspx
ESSWG SharePoint Site: http://mgmt-oico-sp.dhs.gov/ciso/dcswg
FISMA Reporting SharePoint: http://mgmt-ocio-sp.dhs.gov/ciso/fisma reporting/SitePages/Home.aspx
IACS: https://iacs.dhs.gov
IACS Portal: http://mgmt-ocio-sp.dhs.gov/ciso/compliance/iacs/SitePages/Home.aspx
Inventory Management SharePoint Site: http://mgmt-ocio-sp.dhs.gov/ciso/im/Pages/inventmgmt.aspx
ISCM Waivers for Operational Systems: http://mgmt-ocio-sp.dhs.gov/ciso/fisma reporting/Lists/ISCM Waivers for Operational Systems/AllItems.aspx
ISOSupport: (email address not preserved in this copy)
Mandatory PIV Tracking: http://mgmt-ocio-sp.dhs.gov/ciso/fisma reporting/Lists/MANDATORY PIV TRACKING
McAfee ePO CM Reference Guide v2.1: http://mgmt-ocio-sp.dhs.gov/ciso/cmwg/Shared%20Documents/McAfee%20ePO%20document/McAfee_ePO_CM_Reference_Guide_v2%201.docx
OMB Max Portal: https://max.omb.gov/maxportal/home
OMB Memorandum M-14-03: http://www.whitehouse.gov/sites/default/files/omb/memoranda/2014/m-14.03.pdf
Ongoing Authorization Methodology: http://mgmt-ocio-sp.dhs.gov/CISO/OA/SitePages/Home.aspx
Ongoing Authorization SharePoint Site: http://mgmt-ocio-sp.dhs.gov/CISO/OA/SitePages/Home.aspx
POA&M Process Guide: http://dhsconnect.dhs.gov/org/comp/mgmt/cio/iso/Documents/%5b4300A HB Att H%5dPOAM Guide.pdf
Privilege User Training Form: http://mgmt-ocio-sp.dhs.gov/ciso/fisma%20reporting/Lists/Privileged%20Users
SOP Data Feed Submission version v4.1: http://mgmt-ocio-sp.dhs.gov/ciso/cmwg/Shared%20Documents/SOP%20Data%20Feed%20Submission%20version%20v4%201.docx
Tenable Parser: http://mgmt-ocio-sp.dhs.gov/ciso/cmwg/Shared%20Documents/Forms/AllItems.aspx?RootFolder=%2Fciso%2Fcmwg%2FShared%20Documents%2FTenable%20Parser&FolderCTID=0x012000676F6544A2C1F1428957FFD3F61B38F6&View=%7b90C80479-F90D-4F61-A272-DB514051D2C9%7d
Tenable-Nessus Implementation Guide v2: http://mgmt-ocio-sp.dhs.gov/ciso/cmwg/Shared%20Documents/Tenable-Nessus%20Implementation%20Guide%20v2.0.docx
Universal Device Role List: http://mgmt-ocio-sp.dhs.gov/ciso/fisma%20reporting/FY14%20Supporting%20Documentation/Distinct%20Asset%20Device%20Roles.xlsx
Table 13: Reference Links
Appendix L: Acronyms
3PAO Third Party Assessment Organizations
AO Authorizing Official
ATO Authority to Operate
CAP Cross Agency Priority
CAT Control Allocation Table
CCC Common Control Catalog
CCE Common Configuration Enumeration
CCR Critical Control Review
CDM Continuous Diagnostics & Mitigation
CFO Chief Financial Officer
CIO Chief Information Officer
CISO Chief Information Security Officer
CM Continuous Monitoring
CMDB Continuous Monitoring Database
CMWG Continuous Monitoring Working Group
COAV Component Outreach and Assist Visit
COP Common Operating Picture
CP Contingency Plan
CPE Common Platform Enumeration
CPT Contingency Plan Test
CSP Cloud Service Provider
CSR Cloud Service Review
CSV Comma Separated Values
CTM Cloud Tenant Minor Applications
CVE Common Vulnerability Enumeration
CVSS Common Vulnerability Scoring System
CWG Compliance Working Group
DC Data Center
DHCP Dynamic Host Configuration Protocol
DHS Department of Homeland Security
DIACAP Defense Information Assessment Certification & Accreditation Process
DIP DIACAP Implementation Plan
DR Document Review
EA Enterprise Authentication
EIS External Information System
ELA Enterprise License Agreement
EOC Enterprise Operations Center
ePO McAfee ePolicy Orchestrator
ESSWG Enterprise System Security Working Group
FCCI Federal Cloud Computing Initiative
FedRAMP Federal Risk & Authorization Management Program
FIPS Federal Information Processing Standards
FISMA Federal Information Security Management Act
FNR Federal Network Resilience
FO Focused Operations
FY Fiscal Year
GAO Government Accountability Office
GSS General Support System
HHS Health and Human Services
HIPs Host Intrusion Prevention
HPI High Priority Initiative
HQ Headquarters
HSDN Homeland Secure Data Network
HTML Hyper Text Markup Language
IACS Information Assurance Compliance System
ICAM PMO Identity Credential and Access Management Program Management Office
ID Identifier
IDS Intrusion Detection System
IMT Inventory Management Team
IOS Internetwork Operating System
IP Internet Protocol
ISCM Information Security Continuous Monitoring
ISO Information Security Office
ISSM Information Security System Manager
ISSO Information System Security Officer
ISVM Information Security Vulnerability Management
IT Information Technology
JCMWG Joint Continuous Monitoring Working Group
MAST Management Aggregation and Security Tool
MES Mission Essential System
MOA Memorandum of Agreement
MOU Memorandum of Understanding
NIST National Institute of Standards & Technology
NPPD National Protection and Program Directorate
NSS National Security System
OA Ongoing Authorization
OAWG Ongoing Authorization Working group
OCIO Office of the Chief Information Officer
OCISO Office of Chief Information Security Officer
OIG Office of the Inspector General
OMB Office of Management and Budget
ORMB Operational Risk Management Board
OS Operating System
PIA Privacy Impact Assessment
PIV Personal Identification Verification
PO Privacy Office
POA&M Plan of Action & Milestone
POC Point of Contact
PTA Privacy Threshold Analysis
QA Quality Assurance
RMF Risk Management Framework
RTM Requirements Traceability Matrix
SA Security Authorization
SAR Security Assessment Report
SBU Sensitive But Unclassified
SCA Security Control Assessor
SCAP Security Content Automation Protocol
SELC System Engineering Life Cycle
SEN Security Event Notification
SIP System Identification Profile
SLA Service Level Agreement
SME Subject Matter Expert
SOC Security Operations Center
SOP Standard Operating Procedure
SORN System of Records Notice
SP Security Plan
SPR Security Assessment Plan
ST&E Security Test & Evaluation
TIC Trusted Internet Connection
TRAL Trigger Accountability Log
TRM Technical Reference Model
USB Universal Serial Bus
USGCB United States Government Configuration Baseline
XML Extensible Markup Language