| FGFW-ND-000005 - The FortiGate device must automatically audit account creation | ACCESS CONTROL |
| FGFW-ND-000010 - The FortiGate device must automatically audit account modification | ACCESS CONTROL |
| FGFW-ND-000020 - The FortiGate device must automatically audit account removal actions | ACCESS CONTROL |
| FGFW-ND-000030 - The FortiGate device must have only one local account to be used as the account of last resort in the event the authentication server is unavailable. | ACCESS CONTROL |
| FGFW-ND-000035 - The FortiGate device must allow full access to only those individuals or roles designated by the ISSM. | ACCESS CONTROL |
| FGFW-ND-000040 - The FortiGate device must audit the execution of privileged functions | ACCESS CONTROL |
| FGFW-ND-000045 - The FortiGate device must enforce the limit of three consecutive invalid logon attempts, after which time it must lock out the user account from accessing the device for 15 minutes | ACCESS CONTROL |
| FGFW-ND-000050 - The FortiGate device must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the device. | ACCESS CONTROL |
| FGFW-ND-000055 - The FortiGate device must retain the Standard Mandatory DoD Notice and Consent Banner on the screen until the administrator acknowledges the usage conditions and takes explicit actions to log on for further access. | ACCESS CONTROL |
| FGFW-ND-000060 - The FortiGate device must log all user activity. | AUDIT AND ACCOUNTABILITY |
| FGFW-ND-000065 - The FortiGate device must generate audit records when successful/unsuccessful attempts to modify administrator privileges occur | AUDIT AND ACCOUNTABILITY |
| FGFW-ND-000070 - The FortiGate device must generate audit records when successful/unsuccessful attempts to delete administrator privileges occur | AUDIT AND ACCOUNTABILITY |
| FGFW-ND-000075 - The FortiGate device must generate audit records when successful/unsuccessful logon attempts occur | AUDIT AND ACCOUNTABILITY |
| FGFW-ND-000080 - The FortiGate device must generate audit records for privileged activities or other system-level access | AUDIT AND ACCOUNTABILITY |
| FGFW-ND-000085 - The FortiGate device must generate audit records showing starting and ending time for administrator access to the system | AUDIT AND ACCOUNTABILITY |
| FGFW-ND-000090 - The FortiGate device must generate audit records when concurrent logons from different workstations occur | AUDIT AND ACCOUNTABILITY |
| FGFW-ND-000095 - The FortiGate device must generate audit records containing information that establishes the identity of any individual or process associated with the event. | AUDIT AND ACCOUNTABILITY |
| FGFW-ND-000100 - The FortiGate device must generate audit records containing the full-text recording of privileged commands. | AUDIT AND ACCOUNTABILITY |
| FGFW-ND-000105 - The FortiGate device must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements | AUDIT AND ACCOUNTABILITY |
| FGFW-ND-000110 - The FortiGate device must off-load audit records on to a different system or media than the system being audited. | AUDIT AND ACCOUNTABILITY |
| FGFW-ND-000115 - The FortiGate device must generate an immediate real-time alert of all audit failure events requiring real-time alerts. | AUDIT AND ACCOUNTABILITY |
| FGFW-ND-000120 - The FortiGate device must synchronize internal information system clocks using redundant authoritative time sources | AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT |
| FGFW-ND-000125 - The FortiGate device must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT). | AUDIT AND ACCOUNTABILITY |
| FGFW-ND-000130 - The FortiGate device must protect audit information from unauthorized deletion. | AUDIT AND ACCOUNTABILITY |
| FGFW-ND-000135 - The FortiGate device must protect audit tools from unauthorized access. | AUDIT AND ACCOUNTABILITY |
| FGFW-ND-000140 - The FortiGate device must protect audit tools from unauthorized modification. | AUDIT AND ACCOUNTABILITY |
| FGFW-ND-000145 - The FortiGate device must prohibit installation of software without explicit privileged status. | CONFIGURATION MANAGEMENT |
| FGFW-ND-000150 - The FortiGate device must enforce access restrictions associated with changes to device configuration. | CONFIGURATION MANAGEMENT |
| FGFW-ND-000155 - The FortiGate device must limit privileges to change the software resident within software libraries. | CONFIGURATION MANAGEMENT |
| FGFW-ND-000160 - The FortiGate device must enforce access restrictions associated with changes to the system components. | CONFIGURATION MANAGEMENT |
| FGFW-ND-000165 - The FortiGate device must use LDAP for authentication. | CONFIGURATION MANAGEMENT |
| FGFW-ND-000170 - The FortiGate device must be running an operating system release that is currently supported by the vendor. | CONFIGURATION MANAGEMENT |
| FGFW-ND-000175 - The FortiGate device must generate log records for a locally developed list of auditable events | AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT |
| FGFW-ND-000180 - The FortiGate device must conduct backups of system-level information contained in the information system when changes occur. | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING |
| FGFW-ND-000185 - The FortiGate device must support organizational requirements to conduct backups of information system documentation, including security-related documentation, when changes occur or weekly, whichever is sooner. | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING |
| FGFW-ND-000190 - FortiGate devices performing maintenance functions must restrict use of these functions to authorized personnel only. | CONFIGURATION MANAGEMENT, MAINTENANCE |
| FGFW-ND-000195 - The FortiGate device must use DoD-approved Certificate Authorities (CAs) for public key certificates. | CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION |
| FGFW-ND-000200 - The FortiGate device must prohibit the use of all unnecessary and/or non-secure functions, ports, protocols, and/or services. | CONFIGURATION MANAGEMENT |
| FGFW-ND-000205 - The FortiGate device must implement replay-resistant authentication mechanisms for network access to privileged accounts | IDENTIFICATION AND AUTHENTICATION |
| FGFW-ND-000210 - The FortiGate device must authenticate SNMP messages using a FIPS-validated Keyed-Hash Message Authentication Code (HMAC) | IDENTIFICATION AND AUTHENTICATION |
| FGFW-ND-000215 - The FortiGate device must authenticate Network Time Protocol (NTP) sources using authentication that is cryptographically based. | IDENTIFICATION AND AUTHENTICATION |
| FGFW-ND-000220 - The FortiGate device must enforce a minimum 15-character password length. | IDENTIFICATION AND AUTHENTICATION |
| FGFW-ND-000225 - The FortiGate device must enforce password complexity by requiring that at least one uppercase character be used. | IDENTIFICATION AND AUTHENTICATION |
| FGFW-ND-000230 - The FortiGate device must enforce password complexity by requiring that at least one lowercase character be used. | IDENTIFICATION AND AUTHENTICATION |
| FGFW-ND-000235 - The FortiGate device must enforce password complexity by requiring at least one numeric character be used. | IDENTIFICATION AND AUTHENTICATION |
| FGFW-ND-000240 - The FortiGate device must enforce password complexity by requiring that at least one special character be used. | IDENTIFICATION AND AUTHENTICATION |
| FGFW-ND-000245 - The FortiGate device must use LDAPS for the LDAP connection. | IDENTIFICATION AND AUTHENTICATION |
| FGFW-ND-000250 - The FortiGate device must not have any default manufacturer passwords when deployed. | IDENTIFICATION AND AUTHENTICATION |
| FGFW-ND-000255 - The FortiGate device must use FIPS 140-2 approved algorithms for authentication to a cryptographic module. | IDENTIFICATION AND AUTHENTICATION |
| FGFW-ND-000260 - The FortiGate devices must use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of nonlocal maintenance and diagnostic communications. | MAINTENANCE |
