| F5BI-DM-300001 - The F5 BIG-IP appliance must be configured to limit the number of concurrent sessions to the Configuration Utility to 10 or an organization-defined number. | ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION |
| F5BI-DM-300003 - The F5 BIG-IP appliance must terminate shared/group account credentials when members leave the group. | ACCESS CONTROL |
| F5BI-DM-300009 - The F5 BIG-IP appliance must be configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable. | ACCESS CONTROL |
| F5BI-DM-300010 - The F5 BIG-IP appliance must be configured to assign appropriate user roles or access levels to authenticated users. | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| F5BI-DM-300012 - The F5 BIG-IP appliance must be configured to audit the execution of privileged functions such as accounts additions and changes. | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT |
| F5BI-DM-300013 - The F5 BIG-IP appliance must be configured to enforce the limit of three consecutive invalid logon attempts, after which time it must block any login attempt for at least 15 minutes. | ACCESS CONTROL |
| F5BI-DM-300014 - The F5 BIG-IP appliance must be configured to display the Standard Mandatory DOD Notice and Consent Banner upon access to the TMOS User Interface. | ACCESS CONTROL |
| F5BI-DM-300033 - The F5 BIG-IP appliance must manage local audit storage capacity in accordance with organization-defined audit record storage requirements. | AUDIT AND ACCOUNTABILITY |
| F5BI-DM-300034 - The F5 BIG-IP appliance must generate audit records and send records to redundant central syslog servers that are separate from the appliance. | AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY |
| F5BI-DM-300037 - The F5 BIG-IP appliance must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC). | AUDIT AND ACCOUNTABILITY |
| F5BI-DM-300039 - The F5 BIG-IP appliance must be configured to prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization. | CONFIGURATION MANAGEMENT |
| F5BI-DM-300040 - The F5 BIG-IP appliance must be configured to use at least two authentication servers to authenticate administrative users. | CONFIGURATION MANAGEMENT |
| F5BI-DM-300041 - The F5 BIG-IP appliance must be running an operating system release that is currently supported by the vendor. | CONFIGURATION MANAGEMENT |
| F5BI-DM-300044 - The F5 BIG-IP appliance must obtain its public key certificates from an appropriate certificate policy through an approved service provider. | CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION |
| F5BI-DM-300045 - The F5 BIG-IP appliance must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services. | CONFIGURATION MANAGEMENT |
| F5BI-DM-300046 - The F5 BIG-IP appliance must be configured to use multifactor authentication (MFA) for interactive logins. | AUDIT AND ACCOUNTABILITY, IDENTIFICATION AND AUTHENTICATION |
| F5BI-DM-300048 - The F5 BIG-IP appliance must authenticate Network Time Protocol (NTP) sources using authentication that is cryptographically based. | IDENTIFICATION AND AUTHENTICATION |
| F5BI-DM-300049 - The F5 BIG-IP appliance must enforce a minimum 15-character password length. | IDENTIFICATION AND AUTHENTICATION |
| F5BI-DM-300050 - The F5 BIG-IP appliance must enforce password complexity by requiring that at least one uppercase character be used. | IDENTIFICATION AND AUTHENTICATION |
| F5BI-DM-300051 - The F5 BIG-IP appliance must enforce password complexity by requiring that at least one lowercase character be used. | IDENTIFICATION AND AUTHENTICATION |
| F5BI-DM-300052 - The F5 BIG-IP appliance must enforce password complexity by requiring that at least one numeric character be used. | IDENTIFICATION AND AUTHENTICATION |
| F5BI-DM-300053 - The F5 BIG-IP appliance must enforce password complexity by requiring that at least one special character be used. | IDENTIFICATION AND AUTHENTICATION |
| F5BI-DM-300054 - The F5 BIG-IP appliance must require that when a password is changed, the characters are changed in at least eight of the positions within the password. | IDENTIFICATION AND AUTHENTICATION |
| F5BI-DM-300055 - The F5 BIG-IP appliance must prohibit the use of cached authenticators after eight hours or less. | IDENTIFICATION AND AUTHENTICATION |
| F5BI-DM-300056 - The F5 BIG-IP appliance must be configured to use DOD approved OCSP responders or CRLs to validate certificates used for PKI-based authentication. | IDENTIFICATION AND AUTHENTICATION |
| F5BI-DM-300057 - The F5 BIG-IP appliance must set the idle time before automatic logout to five minutes of inactivity except to fulfill documented and validated mission requirements. | ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION |
| F5BI-DM-300060 - The F5 BIG-IP appliance must conduct backups of the configuration at a weekly or organization-defined frequency and store on a separate device. | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING |
| F5BI-DM-300098 - The F5 BIG-IP appliance must be configured to display the Standard Mandatory DOD Notice and Consent Banner when accessing via SSH. | ACCESS CONTROL |
| F5BI-DM-300099 - The F5 BIG-IP appliance must be configured to restrict a consistent inbound IP for the entire management session. | SYSTEM AND COMMUNICATIONS PROTECTION |
