Skip to content
ATO Pathways
  Log In

CCI-000166

Provide irrefutable evidence that an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.

Logo
1

Rule

Severity: Low
The Arista Multilayer Switch must protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.
Logo
2

Rule

Severity: Medium
The application server must protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.
Logo
2

Rule

Severity: Medium
The Arista network device must be configured to audit all administrator activity.
Logo
2

Rule

Severity: Medium
The application must protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.
Logo
2

Rule

Severity: Low
IDMS must protect against the use of default userids.
Logo
2

Rule

Severity: Low
IDMS must protect against the use of external request exits that change the userid to a shared id when actions are performed that may be audited.
Logo
2

Rule

Severity: Low
IDMS must protect against the use of numbered exits that change the userid to a shared id.
Logo
2

Rule

Severity: Low
IDMS must protect against the use of web-based applications that use generic IDs.
Logo
2

Rule

Severity: Low
IDMS must protect against the use web services that do not require a sign on when actions are performed that may be audited.
Logo
2

Rule

Severity: Medium
The Central Log Server must be configured to protect the data sent from hosts and devices from being altered in a way that may prevent the attribution of an action to an individual (or process acting on behalf of an individual).
Logo
1

Rule

Severity: Low
The DBN-6300 must protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.
Logo
1

Rule

Severity: Medium
A policy set using the built-in role-based access control (RBAC) capabilities in the Universal Control Plane (UCP) component of Docker Enterprise must be configured.
Logo
1

Rule

Severity: Medium
A policy set using the built-in role-based access control (RBAC) capabilities in the Docker Trusted Registry (DTR) component of Docker Enterprise must be set.
Logo
1

Rule

Severity: Medium
The FortiGate device must log all user activity.
Logo
1

Rule

Severity: Low
The HP FlexFabric Switch must protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.
Logo
1

Rule

Severity: High
The HYCU VM console and HYCU Web UI must be configured to use an authentication server for authenticating users prior to granting access to protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined requirements.
Logo
1

Rule

Severity: Medium
DB2 must protect against a user falsely repudiating having performed organization-defined actions.
Logo
2

Rule

Severity: Medium
The WebSphere Liberty Server must log remote session and security activity.
Logo
1

Rule

Severity: Medium
The MQ Appliance network device must protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.
Logo
1

Rule

Severity: Medium
The WebSphere Application Server security auditing must be enabled.
Logo
1

Rule

Severity: High
MobileIron Sentry, for PKI-based authentication, must be configured to map validated certificates to unique user accounts.
Logo
2

Rule

Severity: Medium
The Juniper router must be configured to protect against an individual falsely denying having performed organization-defined actions to be covered by non-repudiation.
Logo
2

Rule

Severity: Medium
The Mainframe Product must protect against an individual (or process acting on behalf of an individual) falsely denying having performed actions defined in the site security plan to be covered by non-repudiation.
Logo
2

Rule

Severity: Medium
Azure SQL Database must protect against a user falsely repudiating by ensuring only clearly unique Active Directory user accounts can connect to the database.
Logo
2

Rule

Severity: Medium
Azure SQL Database must protect against a user falsely repudiating by use of system-versioned tables (Temporal Tables).
Logo
2

Rule

Severity: Medium
InPrivate mode must be disabled.
Logo
2

Rule

Severity: Medium
Browser history must be saved.
Logo
1

Rule

Severity: Medium
SQL Server must protect against an individual using a shared account from falsely denying having performed a particular action.
Logo
2

Rule

Severity: Medium
The network device must protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.
Logo
2

Rule

Severity: High
ONTAP must be configured to use an authentication server to provide multifactor authentication.
Logo
2

Rule

Severity: High
The network device, for PKI-based authentication, must be configured to map validated certificates to unique user accounts.
Logo
1

Rule

Severity: Medium
Nutanix AOS must offload log records onto a syslog server.
Logo
1

Rule

Severity: Medium
Oracle WebLogic must protect against an individual falsely denying having performed a particular action.
Logo
2

Rule

Severity: High
The Riverbed NetProfiler must be configured to automatically generate DOD-required audit records with sufficient information to support incident reporting to a central log server.
Logo
2

Rule

Severity: High
The Riverbed NetProfiler must be configured to authenticate each administrator prior to authorizing privileges based on roles.
Logo
4

Rule

Severity: Medium
Splunk Enterprise must be configured to protect the log data stored in the indexes from alteration.
Logo
2

Rule

Severity: Medium
Common Access Card (CAC)-based authentication must be enabled and enforced on the Tanium Server for all access and all accounts.
Logo
3

Rule

Severity: Medium
Multifactor authentication must be enabled and enforced on the Tanium Server for all access and all accounts.
Logo
1

Rule

Severity: Medium
Multi-factor authentication must be enabled and enforced on the Tanium Server for all access and all accounts.
Logo
2

Rule

Severity: Medium
The UEM server must protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.
Logo
1

Rule

Severity: High
The NSX-T Manager must integrate with either VMware Identity Manager (vIDM) or VMware Workspace ONE Access.
Logo
1

Rule

Severity: High
The Horizon Connection Server must require DoD PKI for administrative logins.
Logo
2

Rule

Severity: Medium
AccessLogValve must be configured for each application context.
Logo
4

Rule

Severity: Medium
PostgreSQL must protect against a user falsely repudiating having performed organization-defined actions.
Logo
2

Rule

Severity: Medium
The Cisco ASA must be configured to protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.
Logo
8

Rule

Severity: Medium
The Cisco device must be configured to audit all administrator activity.
Logo
2

Rule

Severity: Medium
The Cisco ISE must protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.
Logo
2

Rule

Severity: Medium
The Cisco switch must be configured to protect against an individual falsely denying having performed organization-defined actions to be covered by non-repudiation.
Logo
2

Rule

Severity: Medium
The DBMS must protect against a user falsely repudiating having performed organization-defined actions.
Logo
2

Rule

Severity: Medium
The EDB Postgres Advanced Server must protect against a user falsely repudiating having performed organization-defined actions.
Logo
2

Rule

Severity: Medium
Incognito mode must be disabled.
Logo
2

Rule

Severity: Medium
Session only based cookies must be enabled.
Logo
2

Rule

Severity: High
The ICS must be configured to prevent nonprivileged users from executing privileged functions.
Logo
2

Rule

Severity: Medium
MarkLogic Server must protect against a user falsely repudiating having performed organization-defined actions.
Logo
2

Rule

Severity: Medium
MariaDB must protect against a user falsely repudiating having performed organization-defined actions.
Logo
2

Rule

Severity: Medium
MongoDB must provide audit record generation for DoD-defined auditable events within all DBMS/database components.
Logo
1

Rule

Severity: Medium
InPrivate Browsing must be disallowed.
Logo
2

Rule

Severity: Medium
SQL Server must protect against a user falsely repudiating by ensuring only clearly unique Active Directory user accounts can connect to the database.
Logo
2

Rule

Severity: Low
SQL Server must protect against a user falsely repudiating by use of system-versioned tables (Temporal Tables).
Logo
2

Rule

Severity: Medium
SQL Server must protect against a user falsely repudiating by ensuring databases are not in a trust relationship.
Logo
2

Rule

Severity: Medium
SQL Server must protect against a user falsely repudiating by ensuring all accounts are individual, unique, and not shared.
Logo
2

Rule

Severity: Medium
SQL Server must protect against a user falsely repudiating by ensuring the NT AUTHORITY SYSTEM account is not used for administration.
Logo
2

Rule

Severity: Medium
SQL Server must protect against a user falsely repudiating by ensuring only clearly unique Active Directory user accounts can connect to the instance.
Logo
1

Rule

Severity: Low
The DBMS must protect against an individual using a group account from falsely denying having performed a particular action.
Logo
2

Rule

Severity: Low
The DBMS must protect against an individual who uses a shared account falsely denying having performed a particular action.
Logo
2

Rule

Severity: Medium
The MySQL Database Server 8.0 must protect against a user falsely repudiating having performed organization-defined actions.
Logo
2

Rule

Severity: Medium
Automation Controller must use external log providers that can collect user activity logs in independent, protected repositories to prevent modification or repudiation.
Logo
4

Rule

Severity: Low
The operating system must protect against an individual falsely denying having performed a particular action. In order to do so the system must be configured to send audit records to a remote audit server.
Logo
4

Rule

Severity: Medium
The vCenter Server must require multifactor authentication.
Logo
3

Rule

Severity: Medium
The vCenter ESX Agent Manager service must produce log records containing sufficient information regarding event details.
Logo
3

Rule

Severity: Medium
The vCenter Lookup service must produce log records containing sufficient information regarding event details.
Logo
3

Rule

Severity: Medium
The vCenter Perfcharts service must produce log records containing sufficient information regarding event details.
Logo
3

Rule

Severity: Medium
The vCenter STS service must produce log records containing sufficient information regarding event details.
Logo
3

Rule

Severity: Medium
The vCenter UI service must produce log records containing sufficient information regarding event details.
Logo
1

Rule

Severity: Medium
The EDB Postgres Advanced Server must protect against a user falsely repudiating by ensuring all accounts are individual, unique, and not shared.
Logo
1

Rule

Severity: Medium
The BIG-IP appliance must be configured to protect against an individual (or process acting on behalf of an individual) falsely denying having performed system configuration changes.
Logo
1

Rule

Severity: Medium
The Dragos Platform must only allow local administrative and service user accounts.
Logo
1

Rule

Severity: Medium
The F5 BIG-IP appliance must be configured to audit the execution of privileged functions such as accounts additions and changes.
Logo
1

Rule

Severity: High
The F5 BIG-IP appliance must be configured to use multifactor authentication (MFA) for interactive logins.
Logo
1

Rule

Severity: High
Sentry, for PKI-based authentication, must be configured to map validated certificates to unique user accounts.
Logo
1

Rule

Severity: Medium
MongoDB must provide audit record generation for DOD-defined auditable events within all DBMS/database components.
Logo
1

Rule

Severity: Medium
Session only-based cookies must be enabled.
Logo
1

Rule

Severity: High
The NSX Manager must be configured to integrate with an identity provider that supports multifactor authentication (MFA).

Patternfly

PatternFly elements

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules