The Edge SWG must implement multifactor authentication for remote access to nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access.
| Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-279167 | SRG-NET-000339-ALG-000090 | SYME-00-002600 | SV-279167r1170656_rule | 2025-12-16 | 1 |
| Description |
|---|
| For remote access to nonprivileged accounts, one factor of multifactor authentication must be provided by a device separate from the information system gaining access to reduce the likelihood of compromising authentication credentials stored on the system. Before continuing, ensure that the Edge SWG was implemented for SYME-ND-000190. Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification (PIV) card and the DOD common access card (CAC). A privileged account is defined as an information system account with authorizations of a privileged user. Remote access is access to DOD-nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. An example of compliance with this requirement is the use of a one-time password token and PIN coupled with a password; or the use of a CAC/PIV card and PIN coupled with a password. Satisfies: SRG-NET-000339-ALG-000090, SRG-NET-000500-ALG-000035, SRG-NET-000340-ALG-000091, SRG-NET-000355-ALG-000117, SRG-NET-000370-ALG-000125, SRG-NET-000494-ALG-000029, SRG-NET-000495-ALG-000030, SRG-NET-000496-ALG-000031, SRG-NET-000497-ALG-000032, SRG-NET-000498-ALG-000033, SRG-NET-000499-ALG-000034, SRG-NET-000501-ALG-000036, SRG-NET-000502-ALG-000037, SRG-NET-000503-ALG-000038, SRG-NET-000505-ALG-000039 |
| ℹ️ Check |
|---|
| In the Edge SWG Web UI, navigate to the Visual Policy Manager (VPM). Under the configured Web Access Layer, if there are not allow rules for at least HTTP and HTTPS, this is a finding. If the allow rules do not have a specific LDAPS group used in the source column, this is a finding. If the rule does not have the Track column set to log all access logs, this is a finding. |
| ✔️ Fix |
|---|

1. In the Edge SWG Web UI, navigate to the VPM.
2. Under the configured Web Access Layer, add a rule.
3. Under "Source", left-click then click "Set".
4. Click "Add new object".
5. Select "Group".
6. Enter the full Distinguished Name (DN) of the LDAPS group. For example: "CN=broadcom.proxyusers.gsg,OU=BROADCOM,DC=dod,DC=mil"
7. Under "Authentication Realm", select the CAC/certificate realm.
8. Click "Apply".
9. Under "Service", left-click then click "Set".
10. Select the "All HTTPS client" protocol.
11. Click "Apply".
12. Under "Action", left-click then click "Set".
13. Click "Allow", then click "Apply".
14. Under "Track", left-click then click "Set".
15. Select the event log that was created previously.
16. Click "Apply".
17. Repeat the above steps for HTTP instead of HTTPS and add any additional protocols that need to be proxied.
18. Click "Apply policy".
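The three conditions in the Check (allow rules for at least HTTP and HTTPS, a specific LDAPS group DN in each rule's Source column, and Track set to an access log) can be audited programmatically once the Web Access Layer has been exported. The following is an added example, not part of the STIG or the Edge SWG product; the `Rule` dataclass is a constructed, simplified representation of VPM rows, not the appliance's own export format, and the event log name `stig_access_log` is a constructed value.

```python
from dataclasses import dataclass
from typing import List, Optional

REQUIRED_SERVICES = ("HTTP", "HTTPS")  # the Check requires allow rules for at least these

@dataclass
class Rule:
    service: str            # protocol the rule matches, e.g. "HTTP" or "HTTPS"
    source: Optional[str]   # LDAPS group DN in the Source column; None means "Any"
    action: str             # "Allow" or "Deny"
    track: Optional[str]    # event log selected in the Track column; None if unset

def is_group_dn(source: Optional[str]) -> bool:
    """A specific LDAPS group is written as a DN with a CN= leaf and DC= components."""
    if not source:
        return False
    parts = [p.strip().upper() for p in source.split(",")]
    return parts[0].startswith("CN=") and any(p.startswith("DC=") for p in parts)

def audit(rules: List[Rule]) -> List[str]:
    """Return one finding per failed Check condition; an empty list means compliant."""
    findings = []
    for service in REQUIRED_SERVICES:
        allows = [r for r in rules if r.action == "Allow" and r.service == service]
        if not allows:
            findings.append(f"no allow rule for {service}")
            continue
        for r in allows:
            if not is_group_dn(r.source):
                findings.append(f"{service} allow rule source is not a specific LDAPS group: {r.source!r}")
            if not r.track:
                findings.append(f"{service} allow rule does not log to an event log")
    return findings

# Constructed sample layers (assumed data, not from any real appliance export).
GROUP_DN = "CN=broadcom.proxyusers.gsg,OU=BROADCOM,DC=dod,DC=mil"
COMPLIANT = [
    Rule("HTTPS", GROUP_DN, "Allow", "stig_access_log"),
    Rule("HTTP", GROUP_DN, "Allow", "stig_access_log"),
]
NONCOMPLIANT = [
    Rule("HTTPS", None, "Allow", None),          # Source is "Any" and Track is unset
    Rule("HTTP", GROUP_DN, "Deny", "stig_access_log"),  # no allow rule for HTTP
]

if __name__ == "__main__":
    for name, layer in (("compliant", COMPLIANT), ("noncompliant", NONCOMPLIANT)):
        print(name, audit(layer) or ["no findings"])
```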