CCI-000765
Implement multifactor authentication for network access to privileged accounts.
10
Rule
Severity: Medium
Enable the GNOME3 Login Smartcard Authentication
14
Rule
Severity: Medium
Install Smart Card Packages For Multifactor Authentication
14
Rule
Severity: Medium
Configure opensc Smart Card Drivers
5
Rule
Severity: Medium
Configure NSS DB To Use opensc
14
Rule
Severity: Medium
Force opensc To Use Defined Smart Card Driver
5
Rule
Severity: Medium
Enable Smart Card Login
29
Rule
Severity: Medium
Enable Public Key Authentication
15
Rule
Severity: Medium
Enable Smartcards in SSSD
3
Rule
Severity: Medium
Enable Smart Card Logins in PAM
2
Rule
Severity: Medium
AAA Services must be configured to require multifactor authentication using Personal Identity Verification (PIV) credentials for authenticating privileged user accounts.
1
Rule
Severity: High
Compliance Guardian must use multifactor authentication for network access to privileged accounts.
2
Rule
Severity: High
The application server must use multifactor authentication for network access to privileged accounts.
1
Rule
Severity: High
DocAve must use multifactor authentication for network access to privileged accounts.
1
Rule
Severity: High
The underlying IIS platform must be configured for Smart Card (CAC) Authorization.
2
Rule
Severity: Medium
The application must use multifactor (Alt. Token) authentication for network access to privileged accounts.
2
Rule
Severity: Medium
The Central Log Server must use multifactor authentication for network access to privileged user accounts.
1
Rule
Severity: Medium
The DBN-6300 must use multifactor authentication for network access (remote and nonlocal) to privileged accounts.
1
Rule
Severity: Medium
SAML integration must be enabled in Docker Enterprise.
1
Rule
Severity: High
The HYCU VM console and HYCU Web UI must be configured to use an authentication server for authenticating users prior to granting access to protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined requirements.
2
Rule
Severity: High
Multifactor authentication for network access to privileged accounts must be used.
1
Rule
Severity: Medium
The MQ Appliance network device must use multifactor authentication for network access to privileged accounts.
1
Rule
Severity: Medium
The WebSphere Application Server multifactor authentication for network access to privileged accounts must be used.
1
Rule
Severity: Medium
The Ivanti MobileIron Core server must be configured to use a DoD Central Directory Service to provide multifactor authentication for network access to privileged and non-privileged accounts.
1
Rule
Severity: High
MobileIron Sentry must be configured to use DoD PKI as multi-factor authentication (MFA) for interactive logins.
2
Rule
Severity: Medium
The JBoss Server must be configured to use certificates to authenticate admins.
2
Rule
Severity: Medium
The Mainframe Product must use multifactor authentication for network access to privileged accounts.
2
Rule
Severity: High
ONTAP must be configured to use an authentication server to provide multifactor authentication.
2
Rule
Severity: High
The network device must be configured to use DoD PKI as multi-factor authentication (MFA) for interactive logins.
1
Rule
Severity: Medium
Nutanix AOS must use multifactor authentication for account access.
1
Rule
Severity: Medium
Access to Prisma Cloud Compute must be managed based on user need and least privileged using external identity providers for authentication and grouping to role-based assignments when possible.
1
Rule
Severity: High
Innoslate must use multifactor authentication for network access to privileged and non-privileged accounts.
1
Rule
Severity: High
Common Access Card (CAC)-based authentication must be enforced and enabled on the Tanium Server for network and local access with privileged and non-privileged accounts.
2
Rule
Severity: High
Multifactor authentication must be enabled on the Tanium Server for network access with privileged accounts.
1
Rule
Severity: High
Common Access Card (CAC)-based authentication must be enabled on the Tanium Server for network access with privileged accounts.
1
Rule
Severity: Medium
Common Access Card (CAC)-based authentication must be enabled and enforced on the Tanium Server for all access and all accounts.
1
Rule
Severity: Medium
Multi-factor authentication must be enabled and enforced on the Tanium Server for all access and all accounts.
2
Rule
Severity: High
The Tanium Operating System (TanOS) must use multifactor authentication for network access to privileged accounts.
2
Rule
Severity: Medium
The UEM server must be configured to use a DoD Central Directory Service to provide multifactor authentication for network access to privileged and non-privileged accounts.
1
Rule
Severity: High
The NSX-T Manager must integrate with either VMware Identity Manager (vIDM) or VMware Workspace ONE Access.
2
Rule
Severity: Medium
JMX authentication must be secured.
3
Rule
Severity: High
The macOS system must disable password authentication for SSH.
3
Rule
Severity: Medium
The macOS system must enforce smart card authentication.
3
Rule
Severity: Medium
The macOS system must allow smart card authentication.
2
Rule
Severity: Medium
The macOS system must enforce multifactor authentication for logon.
3
Rule
Severity: Medium
The macOS system must enforce multifactor authentication for the su command.
3
Rule
Severity: Medium
The macOS system must enforce multifactor authentication for privilege escalation through the sudo command.
1
Rule
Severity: Medium
The Ubuntu operating system must implement smart card logins for multifactor authentication for access to accounts.
1
Rule
Severity: Medium
The Ubuntu operating system must implement smart card logins for multifactor authentication for local and network access to privileged and non-privileged accounts.
2
Rule
Severity: Medium
The container platform must use multifactor authentication for network access to privileged accounts.
2
Rule
Severity: Medium
The operating system must use multifactor authentication for network access to privileged accounts.
2
Rule
Severity: Medium
SSMC web server must enable strict two-factor authentication for access to the webUI.
2
Rule
Severity: Medium
The AIX operating system must use Multi Factor Authentication.
2
Rule
Severity: High
The ICS must be configured to use DOD PKI as multifactor authentication (MFA) for interactive logins.
2
Rule
Severity: Medium
Windows 10 must use multifactor authentication for local and network access to privileged and nonprivileged accounts.
2
Rule
Severity: Medium
Windows 11 must use multifactor authentication for local and network access to privileged and nonprivileged accounts.
2
Rule
Severity: Medium
Active Directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication.
1
Rule
Severity: Medium
Windows Server 2019 Active Directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication.
1
Rule
Severity: Medium
Windows Server 2022 Active Directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication.
2
Rule
Severity: Medium
Two-factor authentication must be implemented to restrict access to all network elements.
3
Rule
Severity: High
The DBMS must use multifactor authentication for access to user accounts.
2
Rule
Severity: Medium
OL 8 must implement multifactor authentication for access to interactive accounts.
2
Rule
Severity: Medium
Automation Controller must be configured to use an enterprise user management system.
2
Rule
Severity: Medium
OpenShift must use multifactor authentication for network access to accounts.
2
Rule
Severity: Medium
RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts.
2
Rule
Severity: Medium
RHEL 9 must have the openssl-pkcs11 package installed.
2
Rule
Severity: Medium
RHEL 9 SSHD must accept public key authentication.
4
Rule
Severity: Medium
The SUSE operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM).
2
Rule
Severity: Medium
RHEL 9 must enable certificate based smart card authentication.
2
Rule
Severity: Medium
The VMM must use multifactor authentication for network access to privileged accounts.
4
Rule
Severity: Medium
The vCenter Server must require multifactor authentication.
1
Rule
Severity: Medium
Apple iOS/iPadOS 16 must be configured to disable Auto Unlock of the iPhone by an Apple Watch.
1
Rule
Severity: Medium
Apple iOS/iPadOS 17 must be configured to disable "Auto Unlock" of the iPhone by an Apple Watch.
1
Rule
Severity: Medium
The macOS system must enforce multifactor authentication for login.
1
Rule
Severity: High
The application server must use multifactor authentication for local access to privileged accounts.
1
Rule
Severity: Medium
The application must use multifactor (Alt. Token) authentication for local access to privileged accounts.
1
Rule
Severity: Medium
The Ubuntu operating system must implement smart card logins for multifactor authentication for local and network access to privileged and nonprivileged accounts.
1
Rule
Severity: Medium
Ubuntu 22.04 LTS must implement multifactor authentication for remote access to privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access.
1
Rule
Severity: Medium
Ubuntu 22.04 LTS must implement smart card logins for multifactor authentication for local and network access to privileged and nonprivileged accounts.
1
Rule
Severity: Medium
The Central Log Server must use multifactor authentication for local access using privileged user accounts.
1
Rule
Severity: Medium
The container platform must use multifactor authentication for local access to privileged accounts.
1
Rule
Severity: Medium
Dragos Platform must use an Identity Provider (IDP) for authentication and authorization processes.
1
Rule
Severity: High
The F5 BIG-IP appliance must be configured to use multifactor authentication (MFA) for interactive logins.
2
Rule
Severity: Medium
Google Android 13 must be configured to disable trust agents.
2
Rule
Severity: Medium
Google Android 14 must be configured to disable trust agents.
1
Rule
Severity: Medium
The operating system must use multifactor authentication for local access to privileged accounts.
1
Rule
Severity: Medium
The Ivanti EPMM server must be configured to use a DoD Central Directory Service to provide multifactor authentication for network access to privileged and non-privileged accounts.
1
Rule
Severity: High
Sentry must be configured to use DOD PKI as multi-factor authentication (MFA) for interactive logins.
1
Rule
Severity: Medium
The Mainframe Product must use multifactor authentication for local access to privileged accounts.
1
Rule
Severity: Medium
MKE must be configured to integrate with an Enterprise Identity Provider.
1
Rule
Severity: Medium
Microsoft Intune service must be configured to use a DOD Central Directory Service to provide multifactor authentication for network access to privileged and nonprivileged accounts and individual and group accounts.
1
Rule
Severity: Medium
The Windows PAW must be configured to enforce two-factor authentication and use Active Directory for authentication management.
1
Rule
Severity: Medium
The Oracle Linux operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication.
1
Rule
Severity: Medium
Access to Prisma Cloud Compute must be managed based on user need and least privileged using external identity providers for authentication and grouping to role-based assignments when possible.
1
Rule
Severity: High
OpenShift must use FIPS validated LDAP or OpenIDConnect.
1
Rule
Severity: Medium
RHEL 9 must use the common access card (CAC) smart card driver.
1
Rule
Severity: Medium
SLEM 5 must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM).
2
Rule
Severity: Medium
Samsung Android must be configured to disable authentication mechanisms providing user access to protected data other than a Password Authentication Factor: Face recognition.
4
Rule
Severity: Medium
Samsung Android must be configured to enable a screen-lock policy that will lock the display after a period of inactivity - Disable trust agents.
2
Rule
Severity: Medium
Samsung Android must be configured to disable authentication mechanisms providing user access to protected data other than a Password Authentication Factor, including face recognition.
1
Rule
Severity: Medium
Multifactor authentication must be enabled and enforced on the Tanium Server for all access and all accounts.
1
Rule
Severity: Medium
TOSS must use multifactor authentication for network and local access to privileged and nonprivileged accounts.
1
Rule
Severity: High
The NSX Manager must be configured to integrate with an identity provider that supports multifactor authentication (MFA).
1
Rule
Severity: Medium
The VMM must use multifactor authentication for local access to privileged accounts.
1
Rule
Severity: Medium
The ESXi host Secure Shell (SSH) daemon must ignore .rhosts files.
1
Rule
Severity: Medium
Apple iOS/iPadOS 18 must be configured to disable "Auto Unlock" of the iPhone by an Apple Watch.
1
Rule
Severity: Medium
All UEM server local accounts created during application installation and configuration must be removed.
Note: In this context, "local accounts" refers to user and/or administrator accounts on the server that use a user name and password for user access and authentication.