Capacity
CCI-000068
Implement cryptographic mechanisms to protect the confidentiality of remote access sessions.
5
Rule
Severity: Medium
Install the dracut-fips-aesni Package
5
Rule
Severity: Medium
Install the dracut-fips Package
13
Rule
Severity: High
Ensure '/etc/system-fips' exists
5
Rule
Severity: High
Enable FIPS Mode in GRUB2
29
Rule
Severity: Medium
Force frequent session key renegotiation
9
Rule
Severity: High
Disable rexec Service
8
Rule
Severity: High
Disable rsh Service
18
Rule
Severity: Medium
Use Only FIPS 140-2 Validated Ciphers
17
Rule
Severity: Medium
Use Only FIPS 140-2 Validated MACs
9
Rule
Severity: High
Enable Dracut FIPS Module
9
Rule
Severity: High
Enable FIPS Mode
9
Rule
Severity: High
Set kernel parameter 'crypto.fips_enabled' to 1
7
Rule
Severity: High
Configure SSH Client to Use FIPS 140-2 Validated Ciphers: openssh.config
7
Rule
Severity: Medium
Configure session renegotiation for SSH client
1
Rule
Severity: High
Kona Site Defender that provides intermediary services for TLS must be configured to comply with the required TLS settings in NIST SP 800-52.
1
Rule
Severity: High
Compliance Guardian must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access.
4
Rule
Severity: Medium
The Apache web server must use encryption strength in accordance with the categorization of data hosted by the Apache web server when remote connections are provided.
2
Rule
Severity: High
An Apache web server must maintain the confidentiality of controlled information during transmission through the use of an approved TLS version.
2
Rule
Severity: Medium
The ALG providing intermediary services for remote access communications traffic must use encryption services that implement NIST FIPS-validated cryptography to protect the confidentiality of remote access sessions.
2
Rule
Severity: Medium
The ALG that provides intermediary services for TLS must be configured to comply with the required TLS settings in NIST SP 800-52.
2
Rule
Severity: Medium
The ALG that stores secret or private keys must use FIPS-approved key management technology and processes in the production and control of private/secret cryptographic keys.
2
Rule
Severity: Medium
The application server must use encryption strength in accordance with the categorization of the management data during remote access management sessions.
2
Rule
Severity: Medium
The application must implement DoD-approved encryption to protect the confidentiality of remote access sessions.
2
Rule
Severity: High
Messages protected with WS_Security must use time stamps with creation and expiration times.
2
Rule
Severity: High
Validity periods must be verified on all application messages using WS-Security or SAML assertions.
2
Rule
Severity: Medium
The application must ensure each unique asserting party provides unique assertion ID references for each SAML assertion.
2
Rule
Severity: Medium
The application must ensure encrypted assertions, or equivalent confidentiality protections are used when assertion data is passed through an intermediary, and confidentiality of the assertion data is required when passing through the intermediary.
2
Rule
Severity: High
The application must use the NotOnOrAfter condition when using the SubjectConfirmation element in a SAML assertion.
2
Rule
Severity: High
The application must use both the NotBefore and NotOnOrAfter elements or OneTimeUse element when using the Conditions element in a SAML assertion.
2
Rule
Severity: Medium
The application must ensure if a OneTimeUse element is used in an assertion, there is only one of the same used in the Conditions element portion of an assertion.
2
Rule
Severity: Medium
The application must ensure messages are encrypted when the SessionIndex is tied to privacy data.
1
Rule
Severity: High
DocAve must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access.
1
Rule
Severity: Medium
The CA API Gateway providing intermediary services for remote access communications traffic must use encryption services that implement NIST FIPS-validated cryptography to protect the confidentiality of remote access sessions.
1
Rule
Severity: Medium
The CA API Gateway that stores secret or private keys must use FIPS-approved key management technology and processes in the production and control of private/secret cryptographic keys.
1
Rule
Severity: Medium
The CA API Gateway that provides intermediary services for TLS must be configured to comply with the required TLS settings in NIST SP 800-52.
2
Rule
Severity: High
The BlackBerry Enterprise Mobility Server (BEMS) must be configured to use HTTPS.
2
Rule
Severity: Medium
If the Mail service (Push Notifications support for BlackBerry Work) is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to Enable SSL LDAP when using LDAP Lookup for users.
2
Rule
Severity: Medium
If the Mail service (Push Notifications support for BlackBerry Work) is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to Enable SSL LDAP for certificate directory lookup.
1
Rule
Severity: High
Citrix Linux Virtual Delivery Agent must implement DoD-approved encryption.
1
Rule
Severity: High
Citrix Receiver must implement DoD-approved encryption.
1
Rule
Severity: High
The Citrix Storefront server must implement DoD-approved encryption to protect the confidentiality of remote access sessions.
2
Rule
Severity: High
Citrix Windows Virtual Delivery Agent must implement DoD-approved encryption.
1
Rule
Severity: Medium
TCP socket binding for all Docker Engine - Enterprise nodes in a Universal Control Plane (UCP) cluster must be disabled.
1
Rule
Severity: High
FIPS mode must be enabled on all Docker Engine - Enterprise nodes.
2
Rule
Severity: Medium
Forescout must use TLS 1.2, at a minimum, to protect the confidentiality of information passed between the endpoint agent and Forescout for the purposes of client posture assessment. This is required for compliance with C2C Step 1.
1
Rule
Severity: High
Forescout that stores device keys must have a key management process that is FIPS-approved and protected by Advanced Encryption Standard (AES) block cipher algorithms. This is required for compliance with C2C Step 1.
1
Rule
Severity: High
DoD-approved encryption must be implemented to protect the confidentiality and integrity of remote access sessions, information during preparation for transmission, information during reception, and information during transmission in addition to enforcing replay-resistant authentication mechanisms for network access to privileged accounts.
1
Rule
Severity: High
The IBM Aspera Console feature must be configured to use encryption services that implement NIST FIPS-validated cryptography to protect the confidentiality of remote access sessions.
1
Rule
Severity: High
The IBM Aspera Faspex feature must be configured to use encryption services that implement NIST FIPS-validated cryptography to protect the confidentiality of remote access sessions.
1
Rule
Severity: High
The IBM Aspera Shares feature must be configured to use encryption services that implement NIST FIPS-validated cryptography to protect the confidentiality of remote access sessions.
1
Rule
Severity: High
The IBM Aspera High-Speed Transfer Endpoint must be configured to comply with the required TLS settings in NIST SP 800-52.
1
Rule
Severity: High
The IBM Aspera High-Speed Transfer Endpoint must be configured to use NIST FIPS-validated cryptography to protect the integrity of remote access sessions.
1
Rule
Severity: High
The IBM Aspera High-Speed Transfer Server must be configured to comply with the required TLS settings in NIST SP 800-52.
1
Rule
Severity: High
The IBM Aspera High-Speed Transfer Server must be configured to use NIST FIPS-validated cryptography to protect the integrity of remote access sessions.
1
Rule
Severity: Medium
The IBM Aspera High-Speed Transfer Server must enable the use of dynamic token encryption keys.
1
Rule
Severity: Medium
The DataPower Gateway providing intermediary services for remote access communications traffic must use encryption services that implement NIST FIPS-validated cryptography to protect the confidentiality of remote access sessions.
1
Rule
Severity: Medium
The DataPower Gateway that stores secret or private keys must use FIPS-approved key management technology and processes in the production and control of private/secret cryptographic keys.
1
Rule
Severity: Medium
The DataPower Gateway that provides intermediary services for TLS must be configured to comply with the required TLS settings in NIST SP 800-52.
1
Rule
Severity: Medium
The MQ Appliance messaging server must use encryption strength in accordance with the categorization of the management data during remote access management sessions.
2
Rule
Severity: Medium
The WebSphere Liberty Server Quality of Protection (QoP) must be set to use TLSv1.2 or higher.
2
Rule
Severity: High
Application security must be enabled on the WebSphere Liberty Server.
1
Rule
Severity: Medium
The WebSphere Application Server Quality of Protection (QoP) must be set to use TLSv1.2 or higher.
1
Rule
Severity: High
The WebSphere Application Server global application security must be enabled.
1
Rule
Severity: High
The WebSphere Application Server Single Sign On (SSO) must have SSL enabled for Web and SIP Security.
1
Rule
Severity: Medium
The IBM z/VM TCP/IP configuration must include an SSLSERVERID statement.
2
Rule
Severity: Medium
The ISEC7 EMM Suite must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access.
2
Rule
Severity: Medium
The Sentry providing intermediary services for remote access communications traffic must use encryption services that implement NIST FIPS-validated cryptography to protect the confidentiality of remote access sessions.
2
Rule
Severity: Medium
If Sentry stores secret or private keys, it must use FIPS-approved key management technology and processes in the production and control of private/secret cryptographic keys.
2
Rule
Severity: Medium
The Sentry that provides intermediary services for TLS must be configured to comply with the required TLS settings in NIST SP 800-52.
2
Rule
Severity: Medium
The Juniper router must be configured to encrypt SNMP messages using a FIPS 140-2 approved algorithm.
2
Rule
Severity: High
The Juniper SRX Services Gateway VPN must use AES encryption for the IPsec proposal to protect the confidentiality of remote access sessions.
2
Rule
Severity: High
The Juniper SRX Services Gateway VPN must use AES encryption for the Internet Key Exchange (IKE) proposal to protect the confidentiality of remote access sessions.
2
Rule
Severity: Medium
The Juniper SRX Services Gateway VPN must implement a FIPS-140-2 validated Diffie-Hellman (DH) group.
1
Rule
Severity: Medium
Exchange must use Encryption for OWA access.
1
Rule
Severity: Medium
Exchange must have Forms-based Authentication disabled.
1
Rule
Severity: High
SharePoint must utilize approved cryptography to protect the confidentiality of remote access sessions.
1
Rule
Severity: High
Nutanix AOS must implement DoD-approved encryption to protect the confidentiality of remote access sessions.
1
Rule
Severity: High
Nutanix AOS must implement cryptography mechanisms to protect the confidentiality and integrity of the remote access session.
1
Rule
Severity: High
OHS must have the LoadModule ossl_module directive enabled to encrypt remote connections in accordance with the categorization of data hosted by the web server.
1
Rule
Severity: High
OHS must have the SSLFIPS directive enabled to encrypt remote connections in accordance with the categorization of data hosted by the web server.
1
Rule
Severity: Medium
OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to encrypt remote connections in accordance with the categorization of data hosted by the web server.
1
Rule
Severity: High
OHS must have the SSLCipherSuite directive enabled to encrypt remote connections in accordance with the categorization of data hosted by the web server.
1
Rule
Severity: Medium
Oracle WebLogic must utilize cryptography to protect the confidentiality of remote access management sessions.
1
Rule
Severity: Medium
If TLS WAN optimization is used, Riverbed Optimization System (RiOS) providing SSL Optimization must protect private keys ensuring that they stay in the data center by ensuring end-to-end security.
1
Rule
Severity: Medium
If TLS optimization is used, the Riverbed Optimization System (RiOS) providing intermediary services for TLS communications traffic must use encryption services that implement NIST FIPS-validated cryptography to protect the confidentiality of TLS.
1
Rule
Severity: Medium
If TLS optimization is used, the Riverbed Optimization System (RiOS) that stores secret or private keys must use FIPS-approved key management technology and processes in the production and control of private/secret cryptographic keys.
1
Rule
Severity: Medium
The Riverbed Optimization System (RiOS) that provides intermediary services for TLS must be configured to comply with the required TLS settings in NIST SP 800-52.
2
Rule
Severity: High
The SDN controller must be configured to encrypt all southbound Application Program Interface (API) control-plane messages using a FIPS-validated cryptographic module.
2
Rule
Severity: High
The SDN controller must be configured to encrypt all northbound Application Program Interface (API) messages using a FIPS-validated cryptographic module.
2
Rule
Severity: High
The SDN controller must be configured to encrypt all southbound Application Program Interface (API) management-plane messages using a FIPS-validated cryptographic module.
1
Rule
Severity: High
Innoslate must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access.
1
Rule
Severity: High
Symantec ProxySG providing forward proxy intermediary services for TLS must be configured to comply with the required TLS settings in NIST SP 800-52.
1
Rule
Severity: Medium
Symantec ProxySG providing reverse proxy intermediary services for TLS must be configured to version 1.1 or higher with an approved cipher suite.
1
Rule
Severity: Medium
Symantec ProxySG storing secret or private keys must use FIPS-approved key management technology and processes in the production and control of private/secret cryptographic keys.
2
Rule
Severity: Medium
The UEM server must use TLS 1.2, or higher, to protect the confidentiality of sensitive data during electronic dissemination using remote access.
2
Rule
Severity: High
The TLS VPN Gateway must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during transmission for remote access connections.
2
Rule
Severity: High
The IPSec VPN must be configured to use a Diffie-Hellman (DH) Group of 16 or greater for Internet Key Exchange (IKE) Phase 1.
2
Rule
Severity: Medium
If the site-to-site VPN implementation uses L2TP, L2TPv3 sessions must be authenticated prior to transporting traffic.
2
Rule
Severity: High
The IPsec VPN Gateway must use AES encryption for the Internet Key Exchange (IKE) proposal to protect confidentiality of remote access sessions.
2
Rule
Severity: High
The IPsec VPN must use AES256 or greater encryption for the IPsec proposal to protect the confidentiality of remote access sessions.
2
Rule
Severity: Medium
The Apache web server must use cryptography to protect the integrity of remote sessions.
2
Rule
Severity: Medium
Secured connectors must be configured to use strong encryption ciphers.
3
Rule
Severity: High
The macOS system must implement approved ciphers within the SSH server configuration to protect the confidentiality of SSH connections.
3
Rule
Severity: High
The macOS system must implement approved Message Authentication Codes (MACs) within the SSH server configuration.
3
Rule
Severity: High
The macOS system must implement approved Key Exchange Algorithms within the SSH server configuration.
1
Rule
Severity: High
The macOS system must disable the SSHD service.
1
Rule
Severity: High
The macOS system must implement approved ciphers to protect the confidentiality of SSH connections.
1
Rule
Severity: High
The macOS system must implement approved Message Authentication Codes (MACs).
1
Rule
Severity: High
The macOS system must implement approved Key Exchange Algorithms.
3
Rule
Severity: High
The macOS system must implement approved ciphers within the SSH client configuration to protect the confidentiality of SSH connections.
3
Rule
Severity: High
The macOS system must implement approved Message Authentication Codes (MACs) within the SSH client configuration.
3
Rule
Severity: High
The macOS system must implement approved Key Exchange Algorithms within the SSH client configuration.
3
Rule
Severity: High
The macOS system must limit SSHD to FIPS-compliant connections.
3
Rule
Severity: High
The macOS system must limit SSH to FIPS-compliant connections.
1
Rule
Severity: Medium
The Ubuntu operating system must implement DoD-approved encryption to protect the confidentiality of remote access sessions.
3
Rule
Severity: Medium
The Ubuntu operating system SSH server must be configured to use only FIPS-validated key exchange algorithms.
2
Rule
Severity: Medium
The Ubuntu operating system must configure the SSH daemon to use FIPS 140-2 approved ciphers to prevent the unauthorized disclosure of information and/or detect changes to information during transmission.
2
Rule
Severity: High
The Cisco ASA must be configured to use a Diffie-Hellman (DH) Group of 16 or greater for Internet Key Exchange (IKE) Phase 1.
2
Rule
Severity: High
The Cisco ASA remote access VPN server must be configured to use TLS 1.2 or higher to protect the confidentiality of remote access connections.
2
Rule
Severity: High
The Cisco VPN remote access server must be configured to use AES256 or greater encryption for the Internet Key Exchange (IKE) Phase 1 to protect confidentiality of remote access sessions.
2
Rule
Severity: High
The Cisco ASA VPN remote access server must be configured to use AES256 or greater encryption for the IPsec security association to protect the confidentiality of remote access sessions.
6
Rule
Severity: Medium
The Cisco router must be configured to encrypt SNMP messages using a FIPS 140-2 approved algorithm.
6
Rule
Severity: Medium
The Cisco switch must be configured to encrypt SNMP messages using a FIPS 140-2 approved algorithm.
2
Rule
Severity: High
The Cisco ISE must use TLS 1.2, at a minimum, to protect the confidentiality of information passed between the endpoint agent and the Cisco ISE. This is This is required for compliance with C2C Step 1.
2
Rule
Severity: Medium
The container platform must use TLS 1.2 or greater for secure communication.
2
Rule
Severity: High
The operating system must implement DoD-approved encryption to protect the confidentiality of remote access sessions.
2
Rule
Severity: High
SSMC web server must use encryption strength in accordance with the categorization of data hosted by the web server when remote connections are provided.
2
Rule
Severity: High
The HPE 3PAR OS must be configured to restrict the encryption algorithms and protocols to comply with DOD-approved encryption to protect the confidentiality and integrity of remote access sessions.
2
Rule
Severity: High
The HPE 3PAR OS CIMserver process must be configured to use approved encryption and communications protocols to protect the confidentiality of remote access sessions.
2
Rule
Severity: High
The HPE 3PAR OS WSAPI process must be configured to use approved encryption and communications protocols to protect the confidentiality of remote access sessions.
2
Rule
Severity: Medium
The AIX SSH server must use SSH Protocol 2.
2
Rule
Severity: Medium
The AIX SSH daemon must be configured to only use FIPS 140-2 approved ciphers.
2
Rule
Severity: High
IBM z/OS SSH daemon must be configured to use a FIPS 140-2 compliant cryptographic algorithm.
4
Rule
Severity: Medium
IBM z/OS SSL encryption options for the TN3270 Telnet Server must be specified properly for each statement that defines a SECUREPORT or within the TELNETGLOBALS.
2
Rule
Severity: High
The SSH daemon must be configured to use a FIPS 140-2 compliant cryptographic algorithm.
2
Rule
Severity: Medium
IBM z/OS SSL encryption options for the TN3270 Telnet server must be specified properly for each statement that defines a SECUREPORT or within the TELNETGLOBALS.
2
Rule
Severity: High
The IBM RACF SSH daemon must be configured to use a FIPS 140-2 compliant cryptographic algorithm to protect confidential information and remote access sessions.
2
Rule
Severity: High
The ICS must be configured to use TLS 1.2, at a minimum.
2
Rule
Severity: Medium
The Kubernetes Scheduler must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination.
2
Rule
Severity: Medium
The Kubernetes API Server must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination.
4
Rule
Severity: Medium
The Kubernetes etcd must use TLS to protect the confidentiality of sensitive data during electronic dissemination.
2
Rule
Severity: Medium
Exchange must use encryption for RPC client access.
3
Rule
Severity: Medium
Exchange must use encryption for Outlook Web App (OWA) access.
1
Rule
Severity: Medium
Exchange must have forms-based authentication disabled.
2
Rule
Severity: Medium
Exchange must have forms-based authentication enabled.
2
Rule
Severity: Medium
SchUseStrongCrypto must be enabled.
2
Rule
Severity: Medium
A private IIS 10.0 website must only accept Secure Socket Layer (SSL) connections.
2
Rule
Severity: Medium
A public IIS 10.0 website must only accept Secure Socket Layer (SSL) connections when authentication is required.
4
Rule
Severity: Medium
Remote Desktop Services must be configured with the client connection encryption set to the required level.
2
Rule
Severity: Medium
Windows Server 2016 must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing.
2
Rule
Severity: Medium
Windows Server 2019 Remote Desktop Services must require secure Remote Procedure Call (RPC) communications.
2
Rule
Severity: Medium
Windows Server 2019 Remote Desktop Services must be configured with the client connection encryption set to High Level.
2
Rule
Severity: Medium
Windows Server 2022 Remote Desktop Services must require secure Remote Procedure Call (RPC) communications.
2
Rule
Severity: Medium
Windows Server 2022 Remote Desktop Services must be configured with the client connection encryption set to High Level.
2
Rule
Severity: High
OL 8 must implement NIST FIPS-validated cryptography for the following: To provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
2
Rule
Severity: High
The Oracle Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
2
Rule
Severity: Medium
The Oracle Linux 7 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections.
2
Rule
Severity: Medium
OL 8 must force a frequent session key renegotiation for SSH connections to the server.
2
Rule
Severity: Medium
The Palo Alto Networks security platform, if used as a TLS gateway/decryption point or VPN concentrator, must use encryption services that implement NIST FIPS-validated cryptography to protect the confidentiality of remote access sessions.
2
Rule
Severity: Medium
The Palo Alto Networks security platform that stores secret or private keys must use FIPS-approved key management technology and processes in the production and control of private/secret cryptographic keys.
2
Rule
Severity: Medium
Automation Controller must use encryption strength in accordance with the categorization of the management data during remote access management sessions.
2
Rule
Severity: Medium
The Automation Controller servers must use encrypted communication for all channels given the high impact of those services to an organization's infrastructure.
2
Rule
Severity: Medium
OpenShift must use TLS 1.2 or greater for secure communication.
2
Rule
Severity: High
RHEL 8 must implement NIST FIPS-validated cryptography for the following: To provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
1
Rule
Severity: High
The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux 7 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections.
2
Rule
Severity: Medium
RHEL 8 must force a frequent session key renegotiation for SSH connections to the server.
3
Rule
Severity: Medium
The SUSE operating system must implement DoD-approved encryption to protect the confidentiality of SSH remote connections.
2
Rule
Severity: Medium
RHEL 9 must force a frequent session key renegotiation for SSH connections to the server.
2
Rule
Severity: High
RHEL 9 must enable FIPS mode.
2
Rule
Severity: Medium
RHEL 9 IP tunnels must use FIPS 140-2/140-3 approved cryptographic algorithms.
4
Rule
Severity: Medium
The operating system must implement DoD-approved encryption to protect the confidentiality of remote access sessions.
2
Rule
Severity: Medium
The VMM must use DoD-approved encryption to protect the confidentiality of remote access sessions.
1
Rule
Severity: Medium
The ESXi host Secure Shell (SSH) daemon must use FIPS 140-2 validated cryptographic modules to protect the confidentiality of remote access sessions.
1
Rule
Severity: Medium
The ESXi host rhttpproxy daemon must use FIPS 140-2 validated cryptographic modules to protect the confidentiality of remote access sessions.
1
Rule
Severity: High
VAMI must be configured with FIPS 140-2 compliant ciphers for HTTPS connections.
3
Rule
Severity: High
The ESXi host Secure Shell (SSH) daemon must use FIPS 140-2 validated cryptographic modules to protect the confidentiality of remote access sessions.
1
Rule
Severity: Low
The Photon operating system must configure sshd to use approved encryption algorithms.
1
Rule
Severity: Medium
Envoy must be configured to operate in FIPS mode.
3
Rule
Severity: High
The Photon operating system must have the OpenSSL FIPS provider installed to protect the confidentiality of remote access sessions.
2
Rule
Severity: Medium
The vCenter STS service must be configured to use strong encryption ciphers.
2
Rule
Severity: High
The vCenter VAMI service must enable FIPS mode.
2
Rule
Severity: Medium
The web server must use encryption strength in accordance with the categorization of data hosted by the web server when remote connections are provided.
6
Rule
Severity: Medium
The WebSphere Application Server plug-in is not specified in accordance with the proper security requirements.
1
Rule
Severity: Medium
The BIG-IP Core implementation must be configured to use encryption services that implement NIST SP 800-52 Revision 2 compliant cryptography to protect the confidentiality of connections to virtual servers.
1
Rule
Severity: Medium
The BIG-IP Core implementation must be configured to comply with the required TLS settings in NIST SP 800-52 Revision 1 for TLS services to virtual servers.
1
Rule
Severity: Medium
Ubuntu 22.04 LTS must configure the SSH daemon to use FIPSĀ 140-3-approved ciphers to prevent the unauthorized disclosure of information and/or detect changes to information during transmission.
1
Rule
Severity: Medium
Ubuntu 22.04 LTS SSH server must be configured to use only FIPS-validated key exchange algorithms.
1
Rule
Severity: High
The F5 BIG-IP appliance providing intermediary services for remote access must use FIPS-validated cryptographic algorithms, including TLS 1.2 at a minimum.
1
Rule
Severity: High
The Enterprise Voice, Video, and Messaging Session Manager must use TLS 1.2 or greater to protect the confidentiality of remote access.
1
Rule
Severity: High
The F5 BIG-IP appliance must be configured to use a Diffie-Hellman (DH) Group of 16 or greater for Internet Key Exchange (IKE) Phase 1.
1
Rule
Severity: High
The F5 BIG-IP appliance IPsec VPN Gateway must use AES256 or higher encryption for the Internet Key Exchange (IKE) proposal to protect confidentiality of remote access sessions.
1
Rule
Severity: High
The F5 BIG-IP appliance IPsec VPN must use AES256 or greater encryption for the IPsec proposal.
1
Rule
Severity: Medium
Communications between Forescout endpoint agent and the switch must transmit access authorization information via a protected path using a cryptographic mechanism. This is required for compliance with C2C Step 1.
1
Rule
Severity: High
When connecting with endpoints, Forescout must be configured to use FIPS 140-2/3 validated algorithms for encryption processes and communications. This is required for compliance with C2C Step 1.
1
Rule
Severity: Medium
The ISEC7 SPHERE must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access.
1
Rule
Severity: High
Rancher RKE2 must protect authenticity of communications sessions with the use of FIPS-validated 140-2 or 140-3 security requirements for cryptographic modules.
1
Rule
Severity: High
SLEM 5 must implement DOD-approved encryption to protect the confidentiality of SSH remote connections.
1
Rule
Severity: Medium
The SUSE operating system must implement DOD-approved encryption to protect the confidentiality of SSH remote connections.
1
Rule
Severity: Medium
TOSS must force a frequent session key renegotiation for SSH connections by the client.
1
Rule
Severity: Medium
TOSS must force a frequent session key renegotiation for SSH connections to the server.
1
Rule
Severity: High
TOSS must implement NIST FIPS-validated cryptography for the following: to provision digital signatures; to generate cryptographic hashes; and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
1
Rule
Severity: Medium
The ESXi host must use DOD-approved encryption to protect the confidentiality of network sessions.
1
Rule
Severity: Medium
The vCenter Server must use DOD-approved encryption to protect the confidentiality of network sessions.
Patternfly
PatternFly elements
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.
Modules