Skip to content
ATO Pathways
  Log In

CCI-000382

Configure the system to prohibit or restrict the use of organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services.

Logo
21

Rule

Severity: Medium
Verify firewalld Enabled
Logo
15

Rule

Severity: Low
Disable Apache Qpid (qpidd)
Logo
15

Rule

Severity: Medium
Disable Network Router Discovery Daemon (rdisc)
Logo
11

Rule

Severity: Medium
Configure the Firewalld Ports
Logo
13

Rule

Severity: Low
Disable ntpdate Service (ntpdate)
Logo
7

Rule

Severity: Low
Disable Red Hat Network Service (rhnsd)
Logo
16

Rule

Severity: Medium
Disable Postfix Network Listening
Logo
1

Rule

Severity: Medium
Install SuSEfirewall2 Package
Logo
1

Rule

Severity: Medium
Enable the SuSEfirewall 2
Logo
1

Rule

Severity: Medium
Only Allow Authorized Network Services in SuSEfirewall2
Logo
1

Rule

Severity: Medium
Only Allow Authorized Network Services in ufw
Logo
1

Rule

Severity: Medium
The A10 Networks ADC must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services as defined in the PPSM CAL and vulnerability assessments.
Logo
1

Rule

Severity: Medium
The A10 Networks ADC must disable management protocol access to all interfaces except the management interface.
Logo
2

Rule

Severity: High
AAA Services must be configured to use protocols that encrypt credentials when authenticating clients, as defined in the PPSM CAL and vulnerability assessments.
Logo
2

Rule

Severity: Medium
AAA Services must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
Logo
1

Rule

Severity: High
Compliance Guardian must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access.
Logo
1

Rule

Severity: Medium
Compliance Guardian must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
Logo
8

Rule

Severity: Medium
The Apache web server must be configured to use a specified IP address and port.
Logo
2

Rule

Severity: Medium
The ALG must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
Logo
1

Rule

Severity: Medium
The Arista Multilayer Switch must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
Logo
2

Rule

Severity: Medium
The application server must prohibit or restrict the use of nonsecure ports, protocols, modules, and/or services as defined in the PPSM CAL and vulnerability assessments.
Logo
2

Rule

Severity: High
The Arista network device must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services.
Logo
1

Rule

Severity: Medium
DocAve must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
Logo
2

Rule

Severity: Medium
The application must be configured to use only functions, ports, and protocols permitted to it in the PPSM CAL.
Logo
1

Rule

Severity: Medium
The BlackBerry UEM server platform must be protected by a DoD-approved firewall.
Logo
1

Rule

Severity: Medium
The firewall protecting the BlackBerry UEM server platform must be configured to restrict all network traffic to and from all addresses with the exception of ports, protocols, and IP address ranges required to support BlackBerry UEM server and platform functions.
Logo
1

Rule

Severity: Medium
The firewall protecting the BlackBerry UEM server platform must be configured so that only DoD-approved ports, protocols, and services are enabled. (See the DoD Ports, Protocols, Services Management [PPSM] Category Assurance Levels [CAL] list for DoD-approved ports, protocols, and services).
Logo
1

Rule

Severity: Medium
The BlackBerry UEM server Blackberry Web Services must not be authorized access from external sources unnecessarily.
Logo
1

Rule

Severity: Medium
The BlackBerry Enterprise Mobility Server (BEMS) platform must be protected by a DoD-approved firewall.
Logo
1

Rule

Severity: Medium
The firewall protecting the BlackBerry Enterprise Mobility Server (BEMS) must be configured to restrict all network traffic to and from all addresses with the exception of ports, protocols, and IP address ranges required to support BEMS functions.
Logo
1

Rule

Severity: Medium
The firewall protecting the BlackBerry Enterprise Mobility Server (BEMS) must be configured so that only DoD-approved ports, protocols, and services are enabled. See the DoD Ports, Protocols, Services Management (PPSM) Category Assurance Levels (CAL) list for DoD-approved ports, protocols, and services.
Logo
1

Rule

Severity: Medium
The BlackBerry Enterprise Mobility Server (BEMS) platform must be protected by a DOD-approved firewall.
Logo
1

Rule

Severity: Medium
The firewall protecting the BEMS must be configured to restrict all network traffic to and from all addresses with the exception of ports, protocols, and IP address ranges required to support BEMS functions.
Logo
1

Rule

Severity: Medium
The firewall protecting the BlackBerry Enterprise Mobility Server (BEMS) must be configured so that only DOD-approved ports, protocols, and services are enabled.
Logo
2

Rule

Severity: Medium
The BIND 9.x server implementation must be configured to use only approved ports and protocols.
Logo
1

Rule

Severity: Medium
The CA API Gateway must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services as defined in the PPSM CAL and vulnerability assessments.
Logo
2

Rule

Severity: Medium
IDMS nodes, lines, and pterms must be protected from unauthorized use.
Logo
1

Rule

Severity: Medium
Citrix Linux Virtual Delivery Agent (LVDA) must be configured to prohibit or restrict the use of ports, as defined in the PPSM CAL and vulnerability assessments.
Logo
1

Rule

Severity: High
Citrix Receiver must implement DoD-approved encryption.
Logo
2

Rule

Severity: Medium
Citrix Windows Virtual Delivery Agent must be configured to prohibit or restrict the use of ports, as defined in the PPSM CAL and vulnerability assessments.
Logo
1

Rule

Severity: Medium
TCP socket binding for all Docker Engine - Enterprise nodes in a Universal Control Plane (UCP) cluster must be disabled.
Logo
1

Rule

Severity: High
Docker Enterprise privileged ports must not be mapped within containers.
Logo
1

Rule

Severity: Medium
Docker Enterprise incoming container traffic must be bound to a specific host interface.
Logo
1

Rule

Severity: Medium
Docker Enterprise Swarm services must be bound to a specific host interface.
Logo
2

Rule

Severity: Medium
The DNS server implementation must be configured to prohibit or restrict unapproved ports and protocols.
Logo
1

Rule

Severity: High
The FortiGate device must prohibit the use of all unnecessary and/or non-secure functions, ports, protocols, and/or services.
Logo
1

Rule

Severity: High
CounterACT must disable all unnecessary and/or nonsecure plugins.
Logo
1

Rule

Severity: High
Forescout must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services.
Logo
2

Rule

Severity: Low
Forescout must disable the Request Customer Verification setting.
Logo
1

Rule

Severity: Medium
The HP FlexFabric Switch must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
Logo
1

Rule

Severity: High
DoD-approved encryption must be implemented to protect the confidentiality and integrity of remote access sessions, information during preparation for transmission, information during reception, and information during transmission in addition to enforcing replay-resistant authentication mechanisms for network access to privileged accounts.
Logo
5

Rule

Severity: High
The network device must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services.
Logo
1

Rule

Severity: Medium
The Infoblox system must prohibit or restrict unapproved services, ports, and protocols.
Logo
1

Rule

Severity: Medium
The DataPower Gateway must have SSH and web management bound to the management interface and Telnet disabled.
Logo
1

Rule

Severity: Medium
DB2 must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
Logo
1

Rule

Severity: Medium
The IBM Aspera Console must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
Logo
1

Rule

Severity: Medium
IBM Aspera Faspex must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
Logo
1

Rule

Severity: Medium
IBM Aspera Shares must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
Logo
1

Rule

Severity: Medium
The IBM Aspera High-Speed Transfer Endpoint must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
Logo
1

Rule

Severity: Medium
The IBM Aspera High-Speed Transfer Server must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
Logo
1

Rule

Severity: Medium
The IBM Aspera High-Speed Transfer Server must not use the root account for transfers.
Logo
1

Rule

Severity: Medium
The IBM Aspera High-Speed Transfer Server must restrict Aspera transfer users to a limited part of the server's file system.
Logo
1

Rule

Severity: Medium
The IBM Aspera High-Speed Transfer Server must set the default docroot to an empty folder.
Logo
1

Rule

Severity: Medium
The DataPower Gateway must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
Logo
2

Rule

Severity: Medium
The WebSphere Liberty Server must prohibit or restrict the use of nonsecure ports, protocols, modules, and/or services as defined in the PPSM CAL and vulnerability assessments.
Logo
1

Rule

Severity: Medium
The MaaS360 server platform must be protected by a DoD-approved firewall.
Logo
1

Rule

Severity: Medium
The firewall protecting the MaaS360 server platform must be configured to restrict all network traffic to and from all addresses with the exception of ports, protocols, and IP address ranges required to support MaaS360 server and platform functions.
Logo
1

Rule

Severity: Medium
The firewall protecting the MaaS360 server platform must be configured so that only DoD-approved ports, protocols, and services are enabled. (See the DoD Ports, Protocols, Services Management [PPSM] Category Assurance Levels [CAL] list for DoD-approved ports, protocols, and services.)
Logo
1

Rule

Severity: Medium
The WebSphere Application Server must prohibit or restrict the use of nonsecure ports, protocols, modules, and/or services as defined in the PPSM CAL and vulnerability assessments.
Logo
1

Rule

Severity: Medium
All IBM z/VM TCP/IP Ports must be restricted to ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
Logo
2

Rule

Severity: Medium
The IDPS must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
Logo
1

Rule

Severity: Medium
Infoblox systems configured to run the DNS service must be configured to prohibit or restrict unapproved ports and protocols.
Logo
1

Rule

Severity: Medium
The DHCP service must not be enabled on an external authoritative name server.
Logo
2

Rule

Severity: Medium
JBoss application and management ports must be approved by the PPSM CAL.
Logo
2

Rule

Severity: Medium
If cipher suites using pre-shared keys are used for device authentication, the ISEC7 EMM Suite must have a minimum security strength of 112 bits or higher, must only be used in networks where both the client and server are Government systems, must prohibit client negotiation to TLS 1.1, TLS 1.0, SSL 2.0, or SSL 3.0 and must prohibit or restrict the use of protocols that transmit unencrypted authentication information or use flawed cryptographic algorithm for transmission.
Logo
2

Rule

Severity: Medium
The Sentry must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
Logo
2

Rule

Severity: Medium
The Jamf Pro EMM server platform must be protected by a DoD-approved firewall.
Logo
2

Rule

Severity: Medium
The firewall protecting the Jamf Pro EMM server platform must be configured to restrict all network traffic to and from all addresses with the exception of ports, protocols, and IP address ranges required to support Jamf Pro EMM server and platform functions.
Logo
2

Rule

Severity: Medium
The firewall protecting the Jamf Pro EMM server platform must be configured so that only DoD-approved ports, protocols, and services are enabled. (See the DoD Ports, Protocols, Services Management [PPSM] Category Assurance Levels [CAL] list for DoD-approved ports, protocols, and services).
Logo
2

Rule

Severity: High
The Juniper router must be configured to be configured to prohibit the use of all unnecessary and nonsecure functions and services.
Logo
2

Rule

Severity: Medium
The Juniper SRX Services Gateway Firewall must be configured to prohibit or restrict the use of unauthorized functions, ports, protocols, and/or services, as defined in the PPSM CAL, vulnerability assessments.
Logo
2

Rule

Severity: Medium
The Juniper SRX Services Gateway must be configured to prohibit the use of unnecessary and/or nonsecure functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
Logo
2

Rule

Severity: Medium
For nonlocal maintenance sessions, the Juniper SRX Services Gateway must remove or explicitly deny the use of nonsecure protocols.
Logo
2

Rule

Severity: High
If SNMP is enabled, the Juniper SRX Services Gateway must use and securely configure SNMPv3.
Logo
2

Rule

Severity: Medium
The Juniper SRX Services Gateway must ensure SSH is disabled for root user logon to prevent remote access using the root account.
Logo
2

Rule

Severity: Medium
The Juniper SRX Services Gateway must ensure access to start a UNIX-level shell is restricted to only the root account.
Logo
2

Rule

Severity: Medium
The Juniper SRX Services Gateway must ensure TCP forwarding is disabled for SSH to prevent unauthorized access.
Logo
2

Rule

Severity: Medium
The Juniper SRX Services Gateway must be configured with only one local user account to be used as the account of last resort.
Logo
2

Rule

Severity: High
For nonlocal maintenance sessions, the Juniper SRX Services Gateway must explicitly deny the use of J-Web.
Logo
2

Rule

Severity: Medium
The Juniper SRX Services Gateway VPN must use IKEv2 for IPsec VPN security associations.
Logo
2

Rule

Severity: Medium
The Juniper SRX Services Gateway VPN must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
Logo
1

Rule

Severity: Medium
The MDM server platform must be protected by a DoD-approved firewall.
Logo
1

Rule

Severity: Medium
The firewall protecting the MDM server platform must be configured to restrict all network traffic to and from all addresses with the exception of ports, protocols, and IP address ranges required to support MDM server and platform functions.
Logo
1

Rule

Severity: Medium
The firewall protecting the MDM server platform must be configured so that only DoD-approved ports, protocols, and services are enabled. (See the DoD Ports, Protocols, Services Management [PPSM] Category Assurance Levels [CAL] list for DoD-approved ports, protocols, and services.)
Logo
2

Rule

Severity: Medium
The Azure SQL Database must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
Logo
2

Rule

Severity: Medium
Supported authentication schemes must be configured.
Logo
1

Rule

Severity: Medium
When configuring SharePoint Central Administration, the port number selected must comply with DoD Ports and Protocol Management (PPSM) program requirements.
Logo
1

Rule

Severity: Medium
SQL Server must be configured to prohibit or restrict the use of unauthorized network protocols.
Logo
1

Rule

Severity: Medium
SQL Server must be configured to prohibit or restrict the use of unauthorized network ports.
Logo
1

Rule

Severity: Medium
The Windows 2012 DNS Server must be configured to prohibit or restrict unapproved ports and protocols.
Logo
1

Rule

Severity: Medium
The MFD must be configured to prohibit the use of all unnecessary and/or nonsecure functions, physical and logical ports, protocols, and/or services.
Logo
2

Rule

Severity: High
ONTAP must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services.
Logo
2

Rule

Severity: High
The network device must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services
Logo
1

Rule

Severity: Medium
Nutanix AOS must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
Logo
1

Rule

Severity: Medium
OHS must be configured to use a specified IP address, port, and protocol.
Logo
1

Rule

Severity: Medium
Oracle WebLogic must support the capability to disable network protocols deemed by the organization to be non-secure except for explicitly identified components in support of specific operational requirements.
Logo
1

Rule

Severity: Medium
Oracle WebLogic must prohibit or restrict the use of unauthorized functions, ports, protocols, and/or services.
Logo
2

Rule

Severity: Medium
Prisma Cloud Compute must use TCP ports above 1024.
Logo
2

Rule

Severity: Medium
The Riverbed NetProfiler must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services.
Logo
2

Rule

Severity: High
Rancher MCM must prohibit or restrict the use of protocols that transmit unencrypted authentication information or use flawed cryptographic algorithms for transmission.
Logo
1

Rule

Severity: Medium
The Riverbed Optimization System (RiOS) must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
Logo
1

Rule

Severity: Medium
Riverbed Optimization System (RiOS) must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
Logo
1

Rule

Severity: High
Innoslate must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access.
Logo
1

Rule

Severity: Medium
The Samsung SDS EMM platform must be protected by a DoD-approved firewall.
Logo
1

Rule

Severity: Medium
The firewall protecting the Samsung SDS EMM platform must be configured to restrict all network traffic to and from all addresses with the exception of ports, protocols, and IP address ranges required to support Samsung SDS EMM and platform functions.
Logo
1

Rule

Severity: Medium
The firewall protecting the Samsung SDS EMM platform must be configured so that only DoD-approved ports, protocols, and services are enabled. See the DoD Ports, Protocols, Services Management [PPSM] Category Assurance Levels [CAL] list for DoD-approved ports, protocols, and services.
Logo
1

Rule

Severity: High
Symantec ProxySG must be configured to prohibit or restrict the use of network services as defined in the PPSM CAL and vulnerability assessments.
Logo
4

Rule

Severity: Medium
Firewall rules must be configured on the Tanium Endpoints for Client-to-Server communications.
Logo
4

Rule

Severity: Medium
Firewall rules must be configured on the Tanium Server for Client-to-Server communications.
Logo
6

Rule

Severity: Medium
Firewall rules must be configured on the Tanium Zone Server for Client-to-Zone Server communications.
Logo
1

Rule

Severity: Medium
The Tanium Server must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
Logo
1

Rule

Severity: High
Symantec ProxySG must use only approved management services protocols.
Logo
2

Rule

Severity: Medium
Firewall rules must be configured on the Tanium endpoints for client-to-server communications.
Logo
3

Rule

Severity: Medium
The Tanium Application Server must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
Logo
2

Rule

Severity: Medium
Firewall rules must be configured on the Tanium Server for client-to-server communications.
Logo
2

Rule

Severity: Medium
The Tanium Application Server must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM Category Assurance List (CAL) and vulnerability assessments.
Logo
2

Rule

Severity: High
The TippingPoint SMS must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services.
Logo
2

Rule

Severity: Medium
The firewall protecting the UEM server platform must be configured so only DoD-approved ports, protocols, and services are enabled. (See the DoD Ports, Protocols, Services Management [PPSM] Category Assurance Levels [CAL] list for DoD-approved ports, protocols, and services).
Logo
2

Rule

Severity: Medium
The UEM server must be configured to use only documented platform APIs.
Logo
1

Rule

Severity: Medium
The NSX-T Manager must not provide environment information to third parties.
Logo
1

Rule

Severity: Low
The NSX-T Manager must disable SSH.
Logo
1

Rule

Severity: Medium
The NSX-T Manager must disable unused local accounts.
Logo
1

Rule

Severity: Medium
The NSX-T Manager must disable TLS 1.1 and enable TLS 1.2.
Logo
1

Rule

Severity: Medium
The NSX-T Manager must disable SNMP v2.
Logo
1

Rule

Severity: Medium
The NSX-T Manager must enable the global FIPS compliance mode for load balancers.
Logo
1

Rule

Severity: Medium
The Workspace ONE UEM server must be protected by a DoD-approved firewall.
Logo
1

Rule

Severity: Medium
The firewall protecting the Workspace ONE UEM server must be configured to restrict all network traffic to and from all addresses with the exception of ports, protocols, and IP address ranges required to support MDM server and platform functions.
Logo
1

Rule

Severity: Medium
The firewall protecting the Workspace ONE UEM server must be configured so that only DoD-approved ports, protocols, and services are enabled. (See the DoD Ports, Protocols, Services Management [PPSM] Category Assurance Levels [CAL] list for DoD-approved ports, protocols, and services).
Logo
2

Rule

Severity: Medium
The VPN Gateway must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
Logo
2

Rule

Severity: Medium
The IPsec VPN Gateway must use IKEv2 for IPsec VPN security associations.
Logo
2

Rule

Severity: Medium
The Remote Access VPN Gateway must be configured to prohibit Point-to-Point Tunneling Protocol (PPTP) and L2F.
Logo
2

Rule

Severity: Medium
For site-to-site VPN implementations, the L2TP protocol must be blocked or denied at the security boundary with the private network so unencrypted L2TP packets cannot traverse into the private network of the enclave.
Logo
2

Rule

Severity: Medium
Applications in privileged mode must be approved by the ISSO.
Logo
2

Rule

Severity: Medium
The DOD Mobile Service Provider must not allow BYOADs in facilities where personally owned mobile devices are prohibited.
Logo
1

Rule

Severity: Medium
The iOS/iPadOS 16 BYOAD must be configured to disable device cameras and/or microphones when brought into DOD facilities where mobile phone cameras and/or microphones are prohibited.
Logo
4

Rule

Severity: Medium
The macOS system must be configured to disable sending diagnostic and usage data to Apple.
Logo
4

Rule

Severity: Medium
The macOS system must be configured to disable Remote Apple Events.
Logo
3

Rule

Severity: Medium
The macOS system must disable Remote Apple Events.
Logo
3

Rule

Severity: Medium
PostgreSQL must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
Logo
3

Rule

Severity: Medium
The Ubuntu operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
Logo
2

Rule

Severity: Medium
The Cisco ASA must be configured to use Internet Key Exchange v2 (IKEv2) for all IPsec security associations.
Logo
2

Rule

Severity: High
The Cisco ASA must be configured to prohibit the use of all unnecessary and/or non-secure functions, ports, protocols, and/or services.
Logo
4

Rule

Severity: High
The Cisco router must be configured to prohibit the use of all unnecessary and nonsecure functions and services.
Logo
2

Rule

Severity: High
The Cisco switch must be configured to prohibit the use of all unnecessary and non-secure functions and services.
Logo
4

Rule

Severity: High
The Cisco switch must be configured to prohibit the use of all unnecessary and nonsecure functions and services.
Logo
2

Rule

Severity: High
The Cisco router must be configured to be configured to prohibit the use of all unnecessary and nonsecure functions and services.
Logo
2

Rule

Severity: High
The Cisco ISE must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services.
Logo
2

Rule

Severity: High
The Cisco ISE must be configured to disable Wireless Setup for production systems.
Logo
2

Rule

Severity: Medium
The container platform runtime must enforce ports, protocols, and services that adhere to the PPSM CAL.
Logo
2

Rule

Severity: Medium
The container platform runtime must enforce the use of ports that are non-privileged.
Logo
2

Rule

Severity: High
The container platform must prohibit or restrict the use of protocols that transmit unencrypted authentication information or use flawed cryptographic algorithms for transmission.
Logo
3

Rule

Severity: Medium
The EDB Postgres Advanced Server must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
Logo
2

Rule

Severity: Medium
The DBMS must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
Logo
2

Rule

Severity: Medium
The DOD Mobile Service Provider must not allow Google Android 13 BYOADs in facilities where personally owned mobile devices are prohibited.
Logo
2

Rule

Severity: Medium
The Google Android 13 BYOAD must be configured to disable device cameras and/or microphones when brought into DOD facilities where mobile phone cameras and/or microphones are prohibited.
Logo
2

Rule

Severity: Medium
HPE Nimble must be configured to disable HPE InfoSight.
Logo
2

Rule

Severity: Medium
HPE Nimble must not be configured to use "HPE Greenlake: Data Services Cloud Console".
Logo
2

Rule

Severity: Medium
HPE Alletra 5000/6000 must be configured to disable management by "HPE Greenlake: Data Services Cloud Console".
Logo
2

Rule

Severity: Medium
The operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
Logo
2

Rule

Severity: Medium
The SSMC web server must be configured to use a specified IP address and port.
Logo
2

Rule

Severity: High
The HPE 3PAR OS must be configured to restrict the encryption algorithms and protocols to comply with DOD-approved encryption to protect the confidentiality and integrity of remote access sessions.
Logo
2

Rule

Severity: High
The HPE 3PAR OS CIMserver process must be configured to use approved encryption and communications protocols to protect the confidentiality of remote access sessions.
Logo
2

Rule

Severity: High
The HPE 3PAR OS WSAPI process must be configured to use approved encryption and communications protocols to protect the confidentiality of remote access sessions.
Logo
2

Rule

Severity: Medium
If Stream Control Transmission Protocol (SCTP) must be disabled on AIX.
Logo
2

Rule

Severity: Medium
The Reliable Datagram Sockets (RDS) protocol must be disabled on AIX.
Logo
6

Rule

Severity: Medium
IBM z/OS must properly protect MCS console userid(s).
Logo
2

Rule

Severity: Medium
ACF2 BLPPGM GSO record must not be defined.
Logo
6

Rule

Severity: Medium
IBM z/OS must properly configure CONSOLxx members.
Logo
6

Rule

Severity: High
IBM z/OS SSH daemon must be configured to only use the SSHv2 protocol.
Logo
2

Rule

Severity: Medium
IBM z/OS User exits for the FTP Server must not be used without proper approval and documentation.
Logo
6

Rule

Severity: Medium
IBM z/OS UNIX security parameters for restricted network service(s) in /etc/inetd.conf must be properly specified.
Logo
4

Rule

Severity: Medium
IBM z/OS user exits for the FTP server must not be used without proper approval and documentation.
Logo
2

Rule

Severity: Medium
The ICS must be configured to audit the execution of privileged functions such as accounts additions and changes.
Logo
2

Rule

Severity: High
The Juniper EX switch must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services.
Logo
2

Rule

Severity: Medium
The Kubernetes API Server must enforce ports, protocols, and services (PPS) that adhere to the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL).
Logo
2

Rule

Severity: Medium
The Kubernetes Scheduler must enforce ports, protocols, and services (PPS) that adhere to the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL).
Logo
2

Rule

Severity: Medium
The Kubernetes Controllers must enforce ports, protocols, and services (PPS) that adhere to the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL).
Logo
2

Rule

Severity: Medium
The Kubernetes etcd must enforce ports, protocols, and services (PPS) that adhere to the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL).
Logo
2

Rule

Severity: Medium
The Kubernetes cluster must use non-privileged host ports for user pods.
Logo
2

Rule

Severity: Medium
MarkLogic Server must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
Logo
2

Rule

Severity: Medium
MariaDB must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
Logo
3

Rule

Severity: Medium
Unused database components that are integrated in MongoDB and cannot be uninstalled must be disabled.
Logo
2

Rule

Severity: Medium
Each IIS 10.0 website must be assigned a default host header.
Logo
2

Rule

Severity: Medium
SQL Server must be configured to prohibit or restrict the use of organization-defined protocols as defined in the PPSM CAL and vulnerability assessments.
Logo
2

Rule

Severity: Medium
SQL Server must be configured to prohibit or restrict the use of organization-defined ports, as defined in the PPSM CAL and vulnerability assessments.
Logo
4

Rule

Severity: Medium
Simple Network Management Protocol (SNMP) must not be installed on the system.
Logo
4

Rule

Severity: Medium
The Telnet Client must not be installed on the system.
Logo
4

Rule

Severity: Medium
The TFTP Client must not be installed on the system.
Logo
1

Rule

Severity: High
Windows Defender Firewall with Advanced Security must block unsolicited inbound connections when connected to a domain.
Logo
1

Rule

Severity: High
Windows Defender Firewall with Advanced Security must block unsolicited inbound connections when connected to a private network.
Logo
1

Rule

Severity: High
Windows Defender Firewall with Advanced Security must block unsolicited inbound connections when connected to a public network.
Logo
2

Rule

Severity: Medium
The Microsoft FTP service must not be installed unless required.
Logo
2

Rule

Severity: Medium
The Telnet Client must not be installed.
Logo
2

Rule

Severity: Medium
Windows Server 2019 must not have the Microsoft FTP service installed unless required by the organization.
Logo
2

Rule

Severity: Medium
Windows Server 2019 must not have the Telnet Client installed.
Logo
2

Rule

Severity: Medium
Windows Server 2022 must not have the Microsoft FTP service installed unless required by the organization.
Logo
2

Rule

Severity: Medium
Windows Server 2022 must not have the Telnet Client installed.
Logo
3

Rule

Severity: Medium
The DBMS must support the organizational requirements to specifically prohibit or restrict the use of unauthorized functions, ports, protocols, and/or services.
Logo
1

Rule

Severity: Medium
The DBMS must support the disabling of network protocols deemed by the organization to be non-secure.
Logo
2

Rule

Severity: Medium
The DBMS must support the disabling of network protocols deemed by the organization to be nonsecure.
Logo
2

Rule

Severity: Medium
The Oracle Linux operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments.
Logo
2

Rule

Severity: Medium
OL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments.
Logo
2

Rule

Severity: Medium
The MySQL Database Server 8.0 must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
Logo
2

Rule

Severity: Medium
The Palo Alto Networks security platform must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
Logo
2

Rule

Severity: Medium
The Palo Alto Networks security platform must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
Logo
2

Rule

Severity: Medium
Automation Controller must use encryption strength in accordance with the categorization of the management data during remote access management sessions.
Logo
2

Rule

Severity: Medium
Redis Enterprise DBMS must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
Logo
2

Rule

Severity: Medium
Rancher RKE2 runtime must enforce ports, protocols, and services that adhere to the PPSM CAL.
Logo
2

Rule

Severity: Medium
OpenShift runtime must enforce ports, protocols, and services that adhere to the PPSM CAL.
Logo
2

Rule

Severity: High
Container images instantiated by OpenShift must execute using least privileges.
Logo
2

Rule

Severity: Medium
All Automation Controller NGINX web servers must be configured to use a specified IP address and port.
Logo
1

Rule

Severity: Medium
The Red Hat Enterprise Linux operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments.
Logo
2

Rule

Severity: Medium
RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments.
Logo
2

Rule

Severity: Medium
RHEL 9 must have the firewalld package installed.
Logo
2

Rule

Severity: Medium
The firewalld service on RHEL 9 must be active.
Logo
1

Rule

Severity: Medium
RHEL 9 must control remote access methods.
Logo
2

Rule

Severity: Medium
RHEL 9 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments.
Logo
2

Rule

Severity: Low
RHEL 9 must disable the chrony daemon from acting as a server.
Logo
2

Rule

Severity: Low
RHEL 9 must disable network management of the chrony daemon.
Logo
4

Rule

Severity: Medium
The SUSE operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments.
Logo
4

Rule

Severity: Medium
The boundary protection system (firewall) must be configured to deny network traffic by default and must allow network traffic by exception (i.e., deny all, permit by exception).
Logo
2

Rule

Severity: Medium
The VMM must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
Logo
1

Rule

Severity: Medium
The Photon operating system must disable the loading of unnecessary kernel modules.
Logo
3

Rule

Severity: Medium
The vCenter ESX Agent Manager service must be configured to use a specified IP address and port.
Logo
1

Rule

Severity: Medium
VMware Postgres must be configured to use the correct port.
Logo
3

Rule

Severity: Medium
The vCenter Lookup service must be configured to use a specified IP address and port.
Logo
3

Rule

Severity: Medium
The vCenter Perfcharts service must be configured to use a specified IP address and port.
Logo
3

Rule

Severity: Medium
The vCenter PostgreSQL service must be configured to use an authorized port.
Logo
3

Rule

Severity: Medium
The vCenter STS service must be configured to use a specified IP address and port.
Logo
3

Rule

Severity: Medium
The vCenter UI service must be configured to use a specified IP address and port.
Logo
2

Rule

Severity: Medium
The web server must be configured to use a specified IP address and port.
Logo
6

Rule

Severity: Medium
The WebSphere Application Server plug-in is not specified in accordance with the proper security requirements.
Logo
1

Rule

Severity: Medium
The BIG-IP appliance must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and vulnerability assessments.
Logo
1

Rule

Severity: Medium
The BIG-IP Core implementation must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocol, and Service Management (PPSM) Category Assurance List (CAL) and vulnerability assessments.
Logo
1

Rule

Severity: High
AAA Services must be configured to use secure protocols when connecting to directory services.
Logo
1

Rule

Severity: Medium
The iOS/iPadOS 17 BYOAD must be configured to disable device cameras and/or microphones when brought into DOD facilities where mobile phone cameras and/or microphones are prohibited.
Logo
1

Rule

Severity: Medium
Ubuntu 22.04 LTS must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
Logo
1

Rule

Severity: Medium
The Mission Owner must configure the Infrastructure as a Service (IaaS)/Platform as a Service (PaaS) to prohibit or restrict the use of functions, ports, protocols, and/or services.
Logo
1

Rule

Severity: High
The Enterprise Voice, Video, and Messaging Endpoint must be configured to only use ports, protocols, and services allowed per the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and Vulnerability Assessments (VAs).
Logo
1

Rule

Severity: High
The F5 BIG-IP appliance must be configured to prohibit or restrict the use of unnecessary or prohibited functions, ports, protocols, and/or services, including those defined in the PPSM CAL and vulnerability assessments.
Logo
1

Rule

Severity: High
The Enterprise Voice, Video, and Messaging Session Manager must only use ports, protocols, and services allowed per the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and Vulnerability Assessments (VAs).
Logo
1

Rule

Severity: High
The F5 BIG-IP appliance must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services.
Logo
1

Rule

Severity: Medium
The IPsec BIG-IP appliance must use IKEv2 for IPsec VPN security associations.
Logo
1

Rule

Severity: High
Forescout must use DOD-approved PKI rather than proprietary or self-signed device certificates.
Logo
1

Rule

Severity: Medium
The DOD Mobile Service Provider must not allow Google Android 14 BYOADs in facilities where personally owned mobile devices are prohibited.
Logo
1

Rule

Severity: Medium
The Google Android 14 BYOAD must be configured to disable device cameras and/or microphones when brought into DOD facilities where mobile phone cameras and/or microphones are prohibited.
Logo
1

Rule

Severity: Medium
If cipher suites using pre-shared keys are used for device authentication, the ISEC7 SPHERE must have a minimum security strength of 112 bits or higher, must only be used in networks where both the client and server are government systems, must prohibit client negotiation to TLS 1.1, TLS 1.0, SSL 2.0, or SSL 3.0 and must prohibit or restrict the use of protocols that transmit unencrypted authentication information or use flawed cryptographic algorithm for transmission.
Logo
1

Rule

Severity: High
Only required ports must be open on containers in MKE.
Logo
1

Rule

Severity: Medium
MKE must use a non-AUFS storage driver.
Logo
1

Rule

Severity: Medium
Containers must not map to privileged ports.
Logo
1

Rule

Severity: Medium
Copilot in Windows must be disabled for Windows 10.
Logo
1

Rule

Severity: Medium
Copilot in Windows must be disabled for Windows 11
Logo
1

Rule

Severity: High
Rancher RKE2 must protect authenticity of communications sessions with the use of FIPS-validated 140-2 or 140-3 security requirements for cryptographic modules.
Logo
1

Rule

Severity: Medium
SLEM 5 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments.
Logo
1

Rule

Severity: Medium
The DOD Mobile Service Provider must not allow Samsung Android 14 BYOADs in facilities where personally owned mobile devices are prohibited.
Logo
1

Rule

Severity: Medium
The Samsung Android 14 BYOAD must be configured to disable device cameras and/or microphones when brought into DOD facilities where mobile phone cameras and/or microphones are prohibited.
Logo
1

Rule

Severity: Medium
TOSS must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
Logo
1

Rule

Severity: Medium
The vCenter Server must use DOD-approved encryption to protect the confidentiality of network sessions.

Patternfly

PatternFly elements

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules