CCI-000068
Implement cryptographic mechanisms to protect the confidentiality of remote access sessions.

Kona Site Defender that provides intermediary services for TLS must be configured to comply with the required TLS settings in NIST SP 800-52.
1 rule found Severity: High

Compliance Guardian must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access.
1 rule found Severity: High

DocAve must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access.
1 rule found Severity: High

The CA API Gateway providing intermediary services for remote access communications traffic must use encryption services that implement NIST FIPS-validated cryptography to protect the confidentiality of remote access sessions.
1 rule found Severity: Medium

The CA API Gateway that stores secret or private keys must use FIPS-approved key management technology and processes in the production and control of private/secret cryptographic keys.
1 rule found Severity: Medium

The CA API Gateway that provides intermediary services for TLS must be configured to comply with the required TLS settings in NIST SP 800-52.
1 rule found Severity: Medium

If the Mail service (Push Notifications support for BlackBerry Work) is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to Enable SSL LDAP when using LDAP Lookup for users.
2 rules found Severity: Medium

If the Mail service (Push Notifications support for BlackBerry Work) is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to Enable SSL LDAP for certificate directory lookup.
2 rules found Severity: Medium

The Citrix Storefront server must implement DoD-approved encryption to protect the confidentiality of remote access sessions.
1 rule found Severity: High

TCP socket binding for all Docker Engine - Enterprise nodes in a Universal Control Plane (UCP) cluster must be disabled.
1 rule found Severity: Medium

DoD-approved encryption must be implemented to protect the confidentiality and integrity of remote access sessions, information during preparation for transmission, information during reception, and information during transmission in addition to enforcing replay-resistant authentication mechanisms for network access to privileged accounts.
1 rule found Severity: High

The IBM Aspera Console feature must be configured to use encryption services that implement NIST FIPS-validated cryptography to protect the confidentiality of remote access sessions.
1 rule found Severity: High

The IBM Aspera Faspex feature must be configured to use encryption services that implement NIST FIPS-validated cryptography to protect the confidentiality of remote access sessions.
1 rule found Severity: High

The IBM Aspera Shares feature must be configured to use encryption services that implement NIST FIPS-validated cryptography to protect the confidentiality of remote access sessions.
1 rule found Severity: High

The IBM Aspera High-Speed Transfer Endpoint must be configured to comply with the required TLS settings in NIST SP 800-52.
1 rule found Severity: High

The IBM Aspera High-Speed Transfer Endpoint must be configured to use NIST FIPS-validated cryptography to protect the integrity of remote access sessions.
1 rule found Severity: High

The IBM Aspera High-Speed Transfer Server must be configured to comply with the required TLS settings in NIST SP 800-52.
1 rule found Severity: High

The IBM Aspera High-Speed Transfer Server must be configured to use NIST FIPS-validated cryptography to protect the integrity of remote access sessions.
1 rule found Severity: High

The DataPower Gateway providing intermediary services for remote access communications traffic must use encryption services that implement NIST FIPS-validated cryptography to protect the confidentiality of remote access sessions.
1 rule found Severity: Medium

The DataPower Gateway that stores secret or private keys must use FIPS-approved key management technology and processes in the production and control of private/secret cryptographic keys.
1 rule found Severity: Medium

The DataPower Gateway that provides intermediary services for TLS must be configured to comply with the required TLS settings in NIST SP 800-52.
1 rule found Severity: Medium

The MQ Appliance messaging server must use encryption strength in accordance with the categorization of the management data during remote access management sessions.
1 rule found Severity: Medium

The WebSphere Application Server Single Sign On (SSO) must have SSL enabled for Web and SIP Security.
1 rule found Severity: High

The ISEC7 EMM Suite must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access.
1 rule found Severity: Medium

The Sentry providing intermediary services for remote access communications traffic must use encryption services that implement NIST FIPS-validated cryptography to protect the confidentiality of remote access sessions.
2 rules found Severity: Medium

If Sentry stores secret or private keys, it must use FIPS-approved key management technology and processes in the production and control of private/secret cryptographic keys.
2 rules found Severity: Medium

The Sentry that provides intermediary services for TLS must be configured to comply with the required TLS settings in NIST SP 800-52.
2 rules found Severity: Medium

Nutanix AOS must implement DoD-approved encryption to protect the confidentiality of remote access sessions.
1 rule found Severity: High

Nutanix AOS must implement cryptography mechanisms to protect the confidentiality and integrity of the remote access session.
1 rule found Severity: High

OHS must have the LoadModule ossl_module directive enabled to encrypt remote connections in accordance with the categorization of data hosted by the web server.
1 rule found Severity: High

OHS must have the SSLFIPS directive enabled to encrypt remote connections in accordance with the categorization of data hosted by the web server.
1 rule found Severity: High

OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to encrypt remote connections in accordance with the categorization of data hosted by the web server.
1 rule found Severity: Medium

OHS must have the SSLCipherSuite directive enabled to encrypt remote connections in accordance with the categorization of data hosted by the web server.
1 rule found Severity: High

Oracle WebLogic must utilize cryptography to protect the confidentiality of remote access management sessions.
1 rule found Severity: Medium

If TLS WAN optimization is used, Riverbed Optimization System (RiOS) providing SSL Optimization must protect private keys ensuring that they stay in the data center by ensuring end-to-end security.
1 rule found Severity: Medium

If TLS optimization is used, the Riverbed Optimization System (RiOS) providing intermediary services for TLS communications traffic must use encryption services that implement NIST FIPS-validated cryptography to protect the confidentiality of TLS.
1 rule found Severity: Medium

If TLS optimization is used, the Riverbed Optimization System (RiOS) that stores secret or private keys must use FIPS-approved key management technology and processes in the production and control of private/secret cryptographic keys.
1 rule found Severity: Medium

The Riverbed Optimization System (RiOS) that provides intermediary services for TLS must be configured to comply with the required TLS settings in NIST SP 800-52.
1 rule found Severity: Medium

Innoslate must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access.
1 rule found Severity: High

Symantec ProxySG providing forward proxy intermediary services for TLS must be configured to comply with the required TLS settings in NIST SP 800-52.
1 rule found Severity: High

Symantec ProxySG providing reverse proxy intermediary services for TLS must be configured to version 1.1 or higher with an approved cipher suite.
1 rule found Severity: Medium

Symantec ProxySG storing secret or private keys must use FIPS-approved key management technology and processes in the production and control of private/secret cryptographic keys.
1 rule found Severity: Medium

The macOS system must implement approved ciphers within the SSH server configuration to protect the confidentiality of SSH connections.
2 rules found Severity: High

The macOS system must implement approved Message Authentication Codes (MACs) within the SSH server configuration.
2 rules found Severity: High

The macOS system must implement approved Key Exchange Algorithms within the SSH server configuration.
2 rules found Severity: High

The macOS system must implement approved ciphers within the SSH client configuration to protect the confidentiality of SSH connections.
2 rules found Severity: High

The macOS system must implement approved Message Authentication Codes (MACs) within the SSH client configuration.
2 rules found Severity: High

The macOS system must implement approved Key Exchange Algorithms within the SSH client configuration.
2 rules found Severity: High

The Ubuntu operating system must implement DoD-approved encryption to protect the confidentiality of remote access sessions.
1 rule found Severity: Medium

The Ubuntu operating system SSH server must be configured to use only FIPS-validated key exchange algorithms.
2 rules found Severity: Medium

The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
1 rule found Severity: High

The Red Hat Enterprise Linux 7 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections.
1 rule found Severity: Medium

The BIG-IP Core implementation must be configured to use encryption services that implement NIST SP 800-52 Revision 2 compliant cryptography to protect the confidentiality of connections to virtual servers.
1 rule found Severity: Medium

The BIG-IP Core implementation must be configured to comply with the required TLS settings in NIST SP 800-52 Revision 1 for TLS services to virtual servers.
1 rule found Severity: Medium

The Ubuntu operating system must configure the SSH daemon to use FIPS 140-2 approved ciphers to prevent the unauthorized disclosure of information and/or detect changes to information during transmission.
1 rule found Severity: Medium

The Cisco ASA must be configured to use a Diffie-Hellman (DH) Group of 16 or greater for Internet Key Exchange (IKE) Phase 1.
1 rule found Severity: High

The Cisco ASA remote access VPN server must be configured to use TLS 1.2 or higher to protect the confidentiality of remote access connections.
1 rule found Severity: High

The Cisco VPN remote access server must be configured to use AES256 or greater encryption for the Internet Key Exchange (IKE) Phase 1 to protect confidentiality of remote access sessions.
1 rule found Severity: High

The Cisco ASA VPN remote access server must be configured to use AES256 or greater encryption for the IPsec security association to protect the confidentiality of remote access sessions.
1 rule found Severity: High

The Cisco ISE must use TLS 1.2, at a minimum, to protect the confidentiality of information passed between the endpoint agent and the Cisco ISE. This is required for compliance with C2C Step 1.
1 rule found Severity: High

The F5 BIG-IP appliance providing intermediary services for remote access must use FIPS-validated cryptographic algorithms, including TLS 1.2 at a minimum.
1 rule found Severity: High

The Enterprise Voice, Video, and Messaging Session Manager must use TLS 1.2 or greater to protect the confidentiality of remote access.
1 rule found Severity: High

The F5 BIG-IP appliance must be configured to use a Diffie-Hellman (DH) Group of 16 or greater for Internet Key Exchange (IKE) Phase 1.
1 rule found Severity: High

The F5 BIG-IP appliance IPsec VPN Gateway must use AES256 or higher encryption for the Internet Key Exchange (IKE) proposal to protect confidentiality of remote access sessions.
1 rule found Severity: High

SSMC web server must use encryption strength in accordance with the categorization of data hosted by the web server when remote connections are provided.
1 rule found Severity: High

The HPE 3PAR OS must be configured to restrict the encryption algorithms and protocols to comply with DOD-approved encryption to protect the confidentiality and integrity of remote access sessions.
1 rule found Severity: High

The HPE 3PAR OS CIMserver process must be configured to use approved encryption and communications protocols to protect the confidentiality of remote access sessions.
1 rule found Severity: High

The HPE 3PAR OS WSAPI process must be configured to use approved encryption and communications protocols to protect the confidentiality of remote access sessions.
1 rule found Severity: High

The ISEC7 SPHERE must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access.
1 rule found Severity: Medium

The Kubernetes Scheduler must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination.
1 rule found Severity: Medium

The Kubernetes API Server must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination.
1 rule found Severity: Medium

The Kubernetes etcd must use TLS to protect the confidentiality of sensitive data during electronic dissemination.
2 rules found Severity: Medium

A public IIS 10.0 website must only accept Secure Socket Layer (SSL) connections when authentication is required.
1 rule found Severity: Medium

Remote Desktop Services must be configured with the client connection encryption set to the required level.
2 rules found Severity: Medium

Windows Server 2016 must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing.
1 rule found Severity: Medium

The Oracle Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
1 rule found Severity: High

The Oracle Linux 7 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections.
1 rule found Severity: Medium

Automation Controller must use encryption strength in accordance with the categorization of the management data during remote access management sessions.
1 rule found Severity: Medium

The Automation Controller servers must use encrypted communication for all channels given the high impact of those services to an organization's infrastructure.
1 rule found Severity: Medium

The SDN controller must be configured to encrypt all southbound Application Program Interface (API) control-plane messages using a FIPS-validated cryptographic module.
1 rule found Severity: High

The SDN controller must be configured to encrypt all northbound Application Program Interface (API) messages using a FIPS-validated cryptographic module.
1 rule found Severity: High

The SDN controller must be configured to encrypt all southbound Application Program Interface (API) management-plane messages using a FIPS-validated cryptographic module.
1 rule found Severity: High

SLEM 5 must implement DOD-approved encryption to protect the confidentiality of SSH remote connections.
1 rule found Severity: High

TOSS must implement NIST FIPS-validated cryptography for the following: to provision digital signatures; to generate cryptographic hashes; and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
1 rule found Severity: High

The web server must use encryption strength in accordance with the categorization of data hosted by the web server when remote connections are provided.
1 rule found Severity: Medium

NixOS must implement DOD-approved encryption to protect the confidentiality of remote access sessions.
1 rule found Severity: High

The Apache web server must use encryption strength in accordance with the categorization of data hosted by the Apache web server when remote connections are provided.
2 rules found Severity: Medium

An Apache web server must maintain the confidentiality of controlled information during transmission through the use of an approved TLS version.
1 rule found Severity: High

Apple iOS/iPadOS 18 must allow the administrator (MDM) to perform the following management function: enable/disable VPN protection across the device and [selection: on a per-app basis, on a per-group of applications processes basis].
1 rule found Severity: Low

The ALG providing intermediary services for remote access communications traffic must use encryption services that implement NIST FIPS-validated cryptography to protect the confidentiality of remote access sessions.
1 rule found Severity: Medium

The ALG that stores secret or private keys must use FIPS-approved key management technology and processes in the production and control of private/secret cryptographic keys.
1 rule found Severity: Medium

The ALG that provides intermediary services for TLS must be configured to comply with the required TLS settings in NIST SP 800-52.
1 rule found Severity: Medium

The application server must use encryption strength in accordance with the categorization of the management data during remote access management sessions.
1 rule found Severity: Medium

The application must implement DoD-approved encryption to protect the confidentiality of remote access sessions.
1 rule found Severity: Medium

The application must ensure each unique asserting party provides unique assertion ID references for each SAML assertion.
1 rule found Severity: Medium

The application must ensure encrypted assertions, or equivalent confidentiality protections are used when assertion data is passed through an intermediary, and confidentiality of the assertion data is required when passing through the intermediary.
1 rule found Severity: Medium

The application must use the NotOnOrAfter condition when using the SubjectConfirmation element in a SAML assertion.
1 rule found Severity: High

The application must use both the NotBefore and NotOnOrAfter elements or OneTimeUse element when using the Conditions element in a SAML assertion.
1 rule found Severity: High

The application must ensure if a OneTimeUse element is used in an assertion, there is only one of the same used in the Conditions element portion of an assertion.
1 rule found Severity: Medium

Ubuntu 22.04 LTS must configure the SSH daemon to use FIPS 140-3-approved ciphers to prevent the unauthorized disclosure of information and/or detect changes to information during transmission.
1 rule found Severity: Medium

The container platform must use TLS 1.2 or greater for secure container image transport from trusted sources.
1 rule found Severity: Medium

Forescout must use TLS 1.2, at a minimum, to protect the confidentiality of information passed between the endpoint agent and Forescout for the purposes of client posture assessment. This is required for compliance with C2C Step 1.
1 rule found Severity: Medium

Communications between Forescout endpoint agent and the switch must transmit access authorization information via a protected path using a cryptographic mechanism. This is required for compliance with C2C Step 1.
1 rule found Severity: Medium

When connecting with endpoints, Forescout must be configured to use FIPS 140-2/3 validated algorithms for encryption processes and communications. This is required for compliance with C2C Step 1.
1 rule found Severity: High

The operating system must implement DoD-approved encryption to protect the confidentiality of remote access sessions.
1 rule found Severity: High

AOS, when used as a VPN Gateway, must be configured to use IPsec with SHA-2 at 384 bits or greater for hashing to protect the integrity of remote access sessions.
1 rule found Severity: Medium

AOS, when used as an IPsec VPN Gateway, must use Advanced Encryption Standard (AES) encryption for the Internet Key Exchange (IKE) proposal to protect confidentiality of remote access sessions.
1 rule found Severity: High

AOS must use Transport Layer Security (TLS) 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access.
1 rule found Severity: Medium

IBM z/OS SSL encryption options for the TN3270 Telnet Server must be specified properly for each statement that defines a SECUREPORT or within the TELNETGLOBALS.
2 rules found Severity: Medium

The IBM RACF SSH daemon must be configured to use a FIPS 140-2 compliant cryptographic algorithm to protect confidential information and remote access sessions.
1 rule found Severity: High

The Juniper router must be configured to encrypt SNMP messages using a FIPS 140-2 approved algorithm.
1 rule found Severity: Medium

IBM z/OS SSL encryption options for the TN3270 Telnet server must be specified properly for each statement that defines a SECUREPORT or within the TELNETGLOBALS.
1 rule found Severity: Medium

The Juniper SRX Services Gateway VPN must use AES256 for the IPsec proposal to protect the confidentiality of remote access sessions.
1 rule found Severity: High

The Juniper SRX Services Gateway VPN must use AES256 encryption for the Internet Key Exchange (IKE) proposal to protect the confidentiality of remote access sessions.
1 rule found Severity: High

The Juniper SRX Services Gateway VPN must be configured to use Diffie-Hellman (DH) group 15 or higher.
1 rule found Severity: High

SharePoint must utilize approved cryptography to protect the confidentiality of remote access sessions.
1 rule found Severity: High

Windows Server 2019 Remote Desktop Services must require secure Remote Procedure Call (RPC) communications.
1 rule found Severity: Medium

Windows Server 2019 Remote Desktop Services must be configured with the client connection encryption set to High Level.
1 rule found Severity: Medium

Windows Server 2022 Remote Desktop Services must require secure Remote Procedure Call (RPC) communications.
1 rule found Severity: Medium

Windows Server 2022 Remote Desktop Services must be configured with the client connection encryption set to High Level.
1 rule found Severity: Medium

Prisma Cloud Compute Console must use TLS 1.2 for user interface and API access. Communication TCP ports must adhere to the Ports, Protocols, and Services Management Category Assurance Levels (PPSM CAL).
1 rule found Severity: High

OL 8 must implement NIST FIPS-validated cryptography for the following: To provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
1 rule found Severity: High

The Palo Alto Networks security platform, if used as a TLS gateway/decryption point or VPN concentrator, must use encryption services that implement NIST FIPS-validated cryptography to protect the confidentiality of remote access sessions.
1 rule found Severity: Medium

The Palo Alto Networks security platform that stores secret or private keys must use FIPS-approved key management technology and processes in the production and control of private/secret cryptographic keys.
1 rule found Severity: Medium

Rancher RKE2 must protect authenticity of communications sessions with the use of FIPS-validated 140-2 or 140-3 security requirements for cryptographic modules.
1 rule found Severity: High

RHEL 8 must implement NIST FIPS-validated cryptography for the following: To provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
1 rule found Severity: High

The SUSE operating system must implement DOD-approved encryption to protect the confidentiality of SSH remote connections.
1 rule found Severity: Medium

The SUSE operating system must implement DoD-approved encryption to protect the confidentiality of SSH remote connections.
1 rule found Severity: Medium

The operating system must implement DoD-approved encryption to protect the confidentiality of remote access sessions.
2 rules found Severity: Medium

The UEM server must use TLS 1.2, or higher, to protect the confidentiality of sensitive data during electronic dissemination using remote access.
1 rule found Severity: Medium

The ESXi host Secure Shell (SSH) daemon must use FIPS 140-2 validated cryptographic modules to protect the confidentiality of remote access sessions.
1 rule found Severity: Medium

The ESXi host rhttpproxy daemon must use FIPS 140-2 validated cryptographic modules to protect the confidentiality of remote access sessions.
1 rule found Severity: Medium

The ESXi host Secure Shell (SSH) daemon must use FIPS 140-2 validated cryptographic modules to protect the confidentiality of remote access sessions.
2 rules found Severity: High

The vCenter Server must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access.
1 rule found Severity: High

The Photon operating system must have the OpenSSL FIPS provider installed to protect the confidentiality of remote access sessions.
2 rules found Severity: High

The TLS VPN Gateway must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during transmission for remote access connections.
1 rule found Severity: High

The IPSec VPN must be configured to use a Diffie-Hellman (DH) Group of 16 or greater for Internet Key Exchange (IKE) Phase 1.
1 rule found Severity: High

If the site-to-site VPN implementation uses L2TP, L2TPv3 sessions must be authenticated prior to transporting traffic.
1 rule found Severity: Medium

The IPsec VPN Gateway must use AES encryption for the Internet Key Exchange (IKE) proposal to protect confidentiality of remote access sessions.
1 rule found Severity: High

The IPsec VPN must use AES256 or greater encryption for the IPsec proposal to protect the confidentiality of remote access sessions.
1 rule found Severity: High

The vCenter Server must use DOD-approved encryption to protect the confidentiality of network sessions.
1 rule found Severity: Medium

The WebSphere Application Server plug-in is not specified in accordance with the proper security requirements.
3 rules found Severity: Medium

The A10 Networks ADC, when used for TLS encryption and decryption, must be configured to comply with the required TLS settings in NIST SP 800-52.
1 rule found Severity: Medium

Citrix License Server must implement DoD-approved encryption to protect the confidentiality of remote access sessions.
1 rule found Severity: High

XenDesktop License Server must implement DoD-approved encryption to protect the confidentiality of remote access sessions.
1 rule found Severity: High

The SSMC web server must use cryptographic modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
1 rule found Severity: High
