
DISA STIG SharePoint 2013 v2r2

  • DISA_STIG_SharePoint_2013_v2r2.audit from DISA Microsoft SharePoint 2013 v2r2 STIG
  • SP13-00-000005 - SharePoint must support the requirement to initiate a session lock after 15 minutes of system or application inactivity has transpired.
  • SP13-00-000010 - SharePoint must maintain and support the use of security attributes with stored information - 'Custom content types have been defined for Site'
  • SP13-00-000010 - SharePoint must maintain and support the use of security attributes with stored information - 'Document Library'
  • SP13-00-000015 - SharePoint must utilize approved cryptography to protect the confidentiality of remote access sessions.
  • SP13-00-000020 - SharePoint must use cryptography to protect the integrity of the remote access session.
  • SP13-00-000025 - SharePoint must ensure remote sessions for accessing security functions and security-relevant information are audited.
  • SP13-00-000030 - SharePoint must enforce approved authorizations for controlling the flow of information between interconnected systems in accordance with applicable policy.
  • SP13-00-000035 - SharePoint must identify data type, specification, and usage when transferring information between different security domains so policy restrictions may be applied.
  • SP13-00-000040 - SharePoint must provide the ability to prohibit the transfer of unsanctioned information in accordance with security policy.
  • SP13-00-000045 - SharePoint must display an approved system use notification message or banner before granting access to the system.
  • SP13-00-000055 - SharePoint must allow designated organizational personnel to select which auditable events are to be audited by specific components of the system.
  • SP13-00-000060 - SharePoint must reject or delay, as defined by the organization, network traffic generated above configurable traffic volume thresholds - ConnectionTimeout
  • SP13-00-000060 - SharePoint must reject or delay, as defined by the organization, network traffic generated above configurable traffic volume thresholds - maxBandwidth
  • SP13-00-000060 - SharePoint must reject or delay, as defined by the organization, network traffic generated above configurable traffic volume thresholds - maxConnections
  • SP13-00-000065 - SharePoint must prevent the execution of prohibited mobile code.
  • SP13-00-000075 - SharePoint must use replay-resistant authentication mechanisms for network access to privileged accounts.
  • SP13-00-000080 - SharePoint must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).
  • SP13-00-000085 - SharePoint must implement required cryptographic protections using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
  • SP13-00-000095 - SharePoint must employ NSA-approved cryptography to protect classified information.
  • SP13-00-000100 - SharePoint must employ FIPS-validated cryptography to protect unclassified information when such information must be separated from individuals who have the necessary clearances yet lack the necessary access approvals.
  • SP13-00-000105 - SharePoint must validate the integrity of security attributes exchanged between systems.
  • SP13-00-000110 - SharePoint must ensure authentication of both client and server during the entire session. An example of this is SSL Mutual Authentication.
  • SP13-00-000115 - SharePoint must terminate user sessions upon user logoff, and when idle time limit is exceeded.
  • SP13-00-000125 - SharePoint must implement an information system isolation boundary that minimizes the number of nonsecurity functions included within the boundary containing security functions.
  • SP13-00-000130 - SharePoint must implement security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers.
  • SP13-00-000135 - SharePoint must employ cryptographic mechanisms preventing the unauthorized disclosure of information during transmission, unless the transmitted data is otherwise protected by alternative physical measures.
  • SP13-00-000140 - SharePoint must prevent non-privileged users from circumventing malicious code protection capabilities.
  • SP13-00-000145 - SharePoint must use mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
  • SP13-00-000150 - The SharePoint Central Administration site must not be accessible from Extranet or Internet connections.

© Help Central | G5 Cyber Security