CCI-000370
Manage configuration settings for organization-defined system components using organization-defined automated mechanisms.
1
Rule
Severity: Medium
Apple iOS/iPadOS 15 must [selection: wipe protected data, wipe sensitive data] upon unenrollment from MDM.
1
Rule
Severity: High
The Arista Multilayer Switch must employ AAA service to centrally manage authentication settings.
6
Rule
Severity: High
The network device must be configured to use an authentication server to authenticate users prior to granting administrative access.
1
Rule
Severity: Medium
The CA API Gateway must employ RADIUS + LDAPS or LDAPS to centrally manage authentication settings.
1
Rule
Severity: Medium
Accounts for device management must be configured on the authentication server and not the network device itself, except for the account of last resort.
1
Rule
Severity: Medium
The FortiGate device must use LDAP for authentication.
1
Rule
Severity: Medium
Administrative accounts for device management must be configured on the authentication server and not the network device itself (except for the account of last resort).
2
Rule
Severity: Medium
Forescout must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access.
4
Rule
Severity: Medium
The Google Android 13 must allow only the administrator (EMM) to install/remove DOD root and intermediate PKI certificates.
2
Rule
Severity: Medium
Google Android 12 must allow only the administrator (EMM) to install/remove DoD root and intermediate PKI certificates.
1
Rule
Severity: High
The HYCU VM console and HYCU Web UI must be configured to use an authentication server for authenticating users prior to granting access to protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined requirements.
1
Rule
Severity: Medium
The DataPower Gateway must employ automated mechanisms to centrally manage authentication settings.
1
Rule
Severity: Medium
Administrative accounts for device management must be configured on the authentication server and not the MQ Appliance network device itself (except for the emergency administration account).
2
Rule
Severity: High
The Juniper router must be configured to use at least two authentication servers for the purpose of authenticating users prior to granting administrative access.
2
Rule
Severity: Medium
The Juniper SRX Services Gateway must be configured to use an authentication server to centrally manage authentication and logon settings for remote and nonlocal access.
1
Rule
Severity: Medium
Microsoft Android 11 must be configured to disable trust agents. Note: This requirement is not applicable (NA) for specific biometric authentication factors included in the product's Common Criteria evaluation.
2
Rule
Severity: Medium
Microsoft Android 11 must allow the Administrator (EMM) to perform the following management function: Wipe Enterprise data.
2
Rule
Severity: Medium
Microsoft Android 11 must be configured to enable audit logging.
2
Rule
Severity: Medium
Microsoft Android 11 must allow only the administrator (EMM) to install/remove DOD root and intermediate PKI certificates.
1
Rule
Severity: Medium
Motorola Solutions Android 11 must be configured to disable trust agents.
Note: This requirement is not applicable (NA) for specific biometric authentication factors included in the product's Common Criteria evaluation.
1
Rule
Severity: Low
Motorola Solutions Android 11 must allow only the Administrator (EMM) to perform the following management function: Enable/disable location services.
1
Rule
Severity: Medium
Motorola Solutions Android 11 must be configured to enable audit logging.
1
Rule
Severity: Medium
Motorola Solutions Android 11 must allow only the administrator (EMM) to install/remove DoD root and intermediate PKI certificates.
1
Rule
Severity: Medium
Microsoft Android 11 must be configured to disable trust agents.
Note: This requirement is not applicable (NA) for specific biometric authentication factors included in the product's Common Criteria evaluation.
2
Rule
Severity: High
ONTAP must be configured to use an authentication server to provide multifactor authentication.
2
Rule
Severity: High
The network device must be configured to use at least two authentication servers for the purpose of authenticating users prior to granting administrative access.
2
Rule
Severity: High
The Riverbed NetProfiler must be configured to authenticate each administrator prior to authorizing privileges based on roles.
2
Rule
Severity: High
The Riverbed NetProfiler must be configured to use an authentication server to authenticate users prior to granting administrative access.
1
Rule
Severity: Medium
Riverbed Optimization System (RiOS) must employ automated mechanisms to centrally manage authentication settings.
2
Rule
Severity: Medium
Samsung Android must be configured to disable trust agents.
NOTE: This requirement is not applicable (NA) for specific biometric authentication factors included in the product Common Criteria evaluation.
2
Rule
Severity: Medium
Samsung Android must be configured to disable Face Recognition.
NOTE: This requirement is not applicable (NA) for specific biometric authentication factors included in the product Common Criteria evaluation.
2
Rule
Severity: Medium
Samsung Android Work Environment must allow only the Administrator (management tool) to perform the following management function: install/remove DoD root and intermediate PKI certificates.
2
Rule
Severity: Medium
Samsung Android must allow only the Administrator (management tool) to perform the following management function: Install/remove DOD root and intermediate PKI certificates.
2
Rule
Severity: Medium
Samsung Android's Work profile must allow only the Administrator (management tool) to perform the following management function: Install/remove DOD root and intermediate PKI certificates.
1
Rule
Severity: Medium
Accounts for device management must be configured on the authentication server and not on Symantec ProxySG itself, except for the account of last resort.
2
Rule
Severity: High
The TippingPoint SMS must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access and to enforce access restrictions.
1
Rule
Severity: High
The NSX-T Manager must integrate with either VMware Identity Manager (vIDM) or VMware Workspace ONE Access.
3
Rule
Severity: Medium
Apple iOS/iPadOS 16 must not allow backup to remote systems (managed applications data stored in iCloud).
3
Rule
Severity: Medium
Apple iOS/iPadOS 16 must implement the management setting: Encrypt iTunes backups/Encrypt local backup.
3
Rule
Severity: High
iPhone and iPad must have the latest available iOS/iPadOS operating system installed.
3
Rule
Severity: Medium
Apple iOS/iPadOS 16 must implement the management setting: not allow messages in an ActiveSync Exchange account to be forwarded or moved to other accounts in the Apple iOS/iPadOS 16 Mail app.
3
Rule
Severity: Medium
Apple iOS/iPadOS 16 users must complete required training.
3
Rule
Severity: Low
Apple iOS/iPadOS 16 must not allow managed apps to write contacts to unmanaged contacts accounts.
3
Rule
Severity: Low
Apple iOS/iPadOS 16 must not allow unmanaged apps to read contacts from managed contacts accounts.
3
Rule
Severity: Medium
Apple iOS/iPadOS 16 must disable copy/paste of data from managed to unmanaged applications.
2
Rule
Severity: Low
Apple iOS/iPadOS 16 must allow the Administrator (MDM) to perform the following management function: enable/disable VPN protection across the device and [selection: other methods].
2
Rule
Severity: Medium
Apple iOS/iPadOS 16 must not allow backup to remote systems (iCloud document and data synchronization).
2
Rule
Severity: Medium
Apple iOS/iPadOS 16 must not allow backup to remote systems (iCloud Keychain).
2
Rule
Severity: Medium
Apple iOS/iPadOS 16 must not allow backup to remote systems (My Photo Stream).
2
Rule
Severity: Medium
Apple iOS/iPadOS 16 must not allow backup to remote systems (iCloud Photo Sharing, also known as Shared Photo Streams).
2
Rule
Severity: Medium
Apple iOS/iPadOS 16 must [selection: wipe protected data, wipe sensitive data] upon unenrollment from MDM.
2
Rule
Severity: Low
Apple iOS/iPadOS 16 must implement the management setting: limit Ad Tracking.
2
Rule
Severity: Low
Apple iOS/iPadOS 16 must implement the management setting: Not allow automatic completion of Safari browser passcodes.
2
Rule
Severity: Low
Apple iOS/iPadOS 16 must implement the management setting: not allow use of Handoff.
2
Rule
Severity: Medium
Apple iOS/iPadOS 16 must implement the management setting: Disable Allow MailDrop.
2
Rule
Severity: Low
Apple iOS/iPadOS 16 must implement the management setting: Not have any Family Members in Family Sharing.
2
Rule
Severity: Medium
Apple iOS/iPadOS 16 must implement the management setting: Enable USB Restricted Mode.
2
Rule
Severity: Low
Apple iOS/iPadOS 16 must implement the management setting: Disable AirDrop.
2
Rule
Severity: Medium
Apple iOS/iPadOS 16 must implement the management setting: Disable paired Apple Watch.
2
Rule
Severity: Medium
Apple iOS/iPadOS 16 must disable Password AutoFill in browsers and applications.
2
Rule
Severity: Medium
Apple iOS/iPadOS 16 must disable allow setting up new nearby devices.
2
Rule
Severity: Medium
Apple iOS/iPadOS 16 must disable password proximity requests.
2
Rule
Severity: Medium
Apple iOS/iPadOS 16 must disable password sharing.
2
Rule
Severity: Low
Apple iOS/iPadOS 16 must disable Find My Friends in the Find My app.
2
Rule
Severity: Medium
The Apple iOS/iPadOS 16 must be supervised by the MDM.
2
Rule
Severity: Medium
Apple iOS/iPadOS 16 must disable "Allow USB drive access in Files app" if the authorizing official (AO) has not approved the use of DoD-approved USB storage drives with iOS/iPadOS devices.
2
Rule
Severity: Medium
Apple iOS/iPadOS 16 must disable "Allow network drive access in Files access".
2
Rule
Severity: Medium
Apple iOS/iPadOS 16 must disable connections to Siri servers for the purpose of dictation.
2
Rule
Severity: Medium
Apple iOS/iPadOS 16 must disable connections to Siri servers for the purpose of translation.
2
Rule
Severity: High
The Cisco ASA must be configured to use at least two authentication servers to authenticate users prior to granting administrative access.
4
Rule
Severity: High
The Cisco router must be configured to use at least two authentication servers for the purpose of authenticating users prior to granting administrative access.
2
Rule
Severity: High
The Cisco switch must be configured to use at least two authentication servers to authenticate users prior to granting administrative access.
2
Rule
Severity: High
The Cisco router must be configured to use at least two authentication servers for the purpose of authenticating users prior to granting administrative access.
4
Rule
Severity: High
The Cisco switch must be configured to use at least two authentication servers for the purpose of authenticating users prior to granting administrative access.
2
Rule
Severity: Medium
The Cisco ISE must be configured to use an external authentication server to authenticate administrators prior to granting administrative access.
2
Rule
Severity: High
The HPE Nimble must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access.
2
Rule
Severity: Medium
The Google Android 13 must allow only the administrator (EMM) to install/remove DOD root and intermediate PKI certificates (work profile).
4
Rule
Severity: Medium
The Google Android 14 must allow only the administrator (EMM) to install/remove DOD root and intermediate PKI certificates.
2
Rule
Severity: High
The ICS must be configured to prevent nonprivileged users from executing privileged functions.
2
Rule
Severity: High
The Juniper EX switch must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access.
1
Rule
Severity: Medium
Zebra Android 11 must be configured to disable trust agents.
1
Rule
Severity: Low
Zebra Android 11 must allow only the Administrator (EMM) to perform the following management function: Enable/disable location services.
1
Rule
Severity: Medium
Zebra Android 11 must be configured to enable audit logging.
1
Rule
Severity: Medium
Zebra Android 11 must allow only the administrator (EMM) to install/remove DoD root and intermediate PKI certificates.
1
Rule
Severity: Medium
The BIG-IP appliance must be configured to employ automated mechanisms to centrally manage authentication settings.
1
Rule
Severity: High
The F5 BIG-IP appliance must be configured to use at least two authentication servers to authenticate administrative users.
1
Rule
Severity: Medium
The Google Android 14 must allow only the administrator (EMM) to install/remove DOD root and intermediate PKI certificates (work profile).
2
Rule
Severity: Medium
The Google Android 15 must allow only the administrator (EMM) to install/remove DOD root and intermediate PKI certificates.
2
Rule
Severity: High
Google Android 15 must be configured to disable "Private Space" use.
1
Rule
Severity: High
The NSX Manager must be configured to integrate with an identity provider that supports multifactor authentication (MFA).
1
Rule
Severity: Medium
Apple iOS/iPadOS 18 must have DOD root and intermediate PKI certificates installed.