Skip to content
Log In

CCI-001184

Protect the authenticity of communications sessions.

The CA API Gateway must protect the authenticity of communications sessions.

1 rule found Severity: Medium

Logo

Citrix License Server must protect the authenticity of communications sessions.

1 rule found Severity: Medium

Logo

XenDesktop License Server must protect the authenticity of communications sessions.

1 rule found Severity: Medium

Logo

Citrix Linux Virtual Delivery Agent must implement DoD-approved encryption.

1 rule found Severity: High

Logo

Citrix Receiver must implement DoD-approved encryption.

1 rule found Severity: High

Logo

Citrix Windows Virtual Delivery Agent must implement DoD-approved encryption.

2 rules found Severity: High

Logo

TCP socket binding for all Docker Engine - Enterprise nodes in a Universal Control Plane (UCP) cluster must be disabled.

1 rule found Severity: Medium

Logo

Infoblox DNS servers must protect the authenticity of communications sessions for zone transfers when communicating with external DNS servers.

1 rule found Severity: Medium

Logo

Infoblox DNS servers must protect the authenticity of communications sessions for dynamic updates.

1 rule found Severity: Medium

Logo

Infoblox DNS servers must protect the authenticity of communications sessions for queries.

1 rule found Severity: Medium

Logo

The IBM Aspera High-Speed Transfer Endpoint must be configured to protect the authenticity of communications sessions.

1 rule found Severity: Medium

Logo

The IBM Aspera High-Speed Transfer Server must be configured to protect the authenticity of communications sessions.

1 rule found Severity: Medium

Logo

The DataPower Gateway must protect the authenticity of communications sessions.

1 rule found Severity: Medium

Logo

The MQ Appliance messaging server must ensure authentication of both SSH client and server during the entire session.

1 rule found Severity: Medium

Logo

The WebSphere Application Server multifactor authentication for network access to privileged accounts must be used.

1 rule found Severity: Medium

Logo

The WebSphere Application Server DoD root CAs must be in the trust store.

1 rule found Severity: Medium

Logo

Infoblox DNS servers must protect the authenticity of communications sessions for zone transfers.

1 rule found Severity: Medium

Logo

Infoblox DNS servers must be configured to protect the authenticity of communications sessions for dynamic updates.

1 rule found Severity: Medium

Logo

Infoblox DNS servers must be configured to protect the authenticity of communications sessions for queries.

1 rule found Severity: Medium

Logo

Session Initiation Protocol (SIP) security mode must be configured.

1 rule found Severity: Medium

Logo

In the event a secure Session Initiation Protocol (SIP) connection fails, the connection must be restricted from resorting to the unencrypted HTTP.

1 rule found Severity: Medium

Logo

Exchange internal Receive connectors must require encryption.

2 rules found Severity: Medium

Logo

Exchange internal Receive connectors must use Domain Security (mutual authentication Transport Layer Security).

1 rule found Severity: Medium

Logo

Exchange internal Send connectors must require encryption.

1 rule found Severity: Medium

Logo

Exchange Internet-facing Receive connectors must offer Transport Layer Security (TLS) before using basic authentication.

2 rules found Severity: Medium

Logo

Session Initiation Protocol (SIP) security mode must be configured.

1 rule found Severity: Medium

Logo

In the event a secure Session Initiation Protocol (SIP) connection fails, the connection must be restricted from resorting to the unencrypted HTTP.

1 rule found Severity: Medium

Logo

The Windows 2012 DNS Server must protect the authenticity of zone transfers via transaction signing.

1 rule found Severity: Medium

Logo

The Windows 2012 DNS Server must protect the authenticity of dynamic updates via transaction signing.

1 rule found Severity: High

Logo

The Windows 2012 DNS Server must protect the authenticity of query responses via DNSSEC.

1 rule found Severity: Medium

Logo

Oracle WebLogic must ensure authentication of both client and server during the entire session.

1 rule found Severity: Medium

Logo

The Riverbed Optimization System (RiOS) must protect the authenticity of communications sessions by configuring securing pairing trusts for SSL and secure protocols.

1 rule found Severity: Medium

Logo

Innoslate must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access.

1 rule found Severity: High

Logo

Symantec ProxySG must use Transport Layer Security (TLS) to protect the authenticity of communications sessions.

1 rule found Severity: High

Logo

The Tanium cryptographic signing capabilities must be enabled on the Tanium Clients, which will ensure the authenticity of communications sessions when answering requests from the Tanium Server.

1 rule found Severity: Medium

Logo

The Tanium Server must protect the confidentiality and integrity of transmitted information with cryptographic signing capabilities enabled to ensure the authenticity of communications sessions when making requests from Tanium Clients.

1 rule found Severity: Medium

Logo

The Tanium cryptographic signing capabilities must be enabled on the Tanium Clients to safeguard the authenticity of communications sessions when answering requests from the Tanium Server.

4 rules found Severity: Medium

Logo

Logon options must be configured to prompt (Internet zone).

1 rule found Severity: Medium

Logo

Logon options must be configured and enforced (Restricted Sites zone).

1 rule found Severity: Medium

Logo

The F5 BIG-IP appliance must not use the On-Demand Cert Auth VPE agent as part of the APM Policy Profiles.

1 rule found Severity: Medium

Logo

The F5 BIG-IP appliance must be configured to limit authenticated client sessions to initial session source IP.

2 rules found Severity: Low

Logo

The BIG-IP Core implementation must be configured to protect the authenticity of communications sessions.

1 rule found Severity: Medium

Logo

Tomcat servers must mutually authenticate proxy or load balancer connections.

1 rule found Severity: Medium

Logo

A BIND 9.x server implementation must maintain the integrity and confidentiality of DNS information while it is being prepared for transmission, in transmission, and in use and t must perform integrity verification and data origin verification for all DNS information.

1 rule found Severity: High

Logo

The Cisco ASA must be configured to use FIPS-validated SHA-2 or higher for Internet Key Exchange (IKE) Phase 2.

1 rule found Severity: High

Logo

The DNS implementation must protect the authenticity of communications sessions for zone transfers.

1 rule found Severity: Medium

Logo

The DNS implementation must protect the authenticity of communications sessions for dynamic updates.

1 rule found Severity: Medium

Logo

The DNS implementation must protect the authenticity of communications sessions for queries.

1 rule found Severity: Medium

Logo

The Enterprise Voice, Video, and Messaging Endpoint must be configured to use FIPS-validated SHA-2 or higher to protect the authenticity of communications sessions.

1 rule found Severity: Medium

Logo

The F5 BIG-IP appliance providing intermediary services for remote access must use FIPS-validated cryptographic algorithms, including TLS 1.2 at a minimum.

1 rule found Severity: High

Logo

The F5 BIG-IP appliance must not use the On-demand Cert Auth VPE agent as part of the APM Policy Profiles.

1 rule found Severity: Medium

Logo

The F5 BIG-IP appliance must be configured to restrict a consistent inbound IP for the entire management session.

1 rule found Severity: Medium

Logo

The VPN Gateway must use Always On VPN connections for remote computing.

2 rules found Severity: Medium

Logo

An authoritative name server must be configured to enable DNSSEC Resource Records.

1 rule found Severity: Medium

Logo

The F5 BIG-IP DNS implementation must protect the authenticity of communications sessions for zone transfers.

1 rule found Severity: High

Logo

The Enterprise Voice, Video, and Messaging Session Manager must be configured to use FIPS-validated SHA-2 or higher to protect the authenticity of communications sessions.

1 rule found Severity: High

Logo

The F5 BIG-IP appliance IPsec VPN must be configured to use FIPS-validated SHA-2 or higher for Internet Key Exchange (IKE).

1 rule found Severity: High

Logo

The Kubernetes API server must use approved cipher suites.

1 rule found Severity: Medium

Logo

Kubernetes API Server must have the SSL Certificate Authority set.

1 rule found Severity: Medium

Logo

Kubernetes Kubelet must have the SSL Certificate Authority set.

1 rule found Severity: Medium

Logo

Kubernetes Controller Manager must have the SSL Certificate Authority set.

1 rule found Severity: Medium

Logo

Kubernetes API Server must have a certificate for communication.

1 rule found Severity: Medium

Logo

Kubernetes etcd must enable client authentication to secure service.

2 rules found Severity: Medium

Logo

Kubernetes Kubelet must enable tlsPrivateKeyFile for client authentication to secure service.

1 rule found Severity: Medium

Logo

Kubernetes Kubelet must enable tlsCertFile for client authentication to secure service.

1 rule found Severity: Medium

Logo

Kubernetes etcd must have a key file for secure communication.

2 rules found Severity: Medium

Logo

Kubernetes etcd must have a certificate for communication.

2 rules found Severity: Medium

Logo

Kubernetes etcd must have the SSL Certificate Authority set.

1 rule found Severity: Medium

Logo

Kubernetes etcd must have peer-cert-file set for secure communication.

1 rule found Severity: Medium

Logo

Kubernetes etcd must have a peer-key-file set for secure communication.

1 rule found Severity: Medium

Logo

FIPS mode must be enabled.

1 rule found Severity: High

Logo

The Windows DNS Server must protect the authenticity of zone transfers via transaction signing.

1 rule found Severity: Medium

Logo

The Windows DNS Server must protect the authenticity of dynamic updates via transaction signing.

1 rule found Severity: High

Logo

The Windows DNS Server must protect the authenticity of query responses via DNSSEC.

1 rule found Severity: Medium

Logo

The router must be configured to implement message authentication for all control plane protocols.

1 rule found Severity: Medium

Logo

The BGP router must be configured to use a unique key for each autonomous system (AS) that it peers with.

1 rule found Severity: Medium

Logo

The router must be configured to use keys with a duration not exceeding 180 days for authenticating routing protocol messages.

1 rule found Severity: Medium

Logo

The web server must restrict a consistent inbound source IP for the entire management session.

1 rule found Severity: Medium

Logo

The web server must restrict a consistent inbound source IP for the entire user session.

1 rule found Severity: Info

Logo

The ALG must protect the authenticity of communications sessions.

1 rule found Severity: Medium

Logo

The application server must be configured to mutually authenticate connecting proxies, application servers or gateways.

1 rule found Severity: Medium

Logo

The application must set the HTTPOnly flag on session cookies.

1 rule found Severity: Medium

Logo

The application must set the secure flag on session cookies.

1 rule found Severity: Medium

Logo

The application must not expose session IDs.

1 rule found Severity: High

Logo

The container platform must protect authenticity of communications sessions with the use of FIPS-validated 140-2 or 140-3 security requirements for cryptographic modules.

1 rule found Severity: High

Logo

The Dell OS10 Router must be configured to implement message authentication for all control plane protocols.

1 rule found Severity: Medium

Logo

The Dell OS10 BGP router must be configured to use a unique key for each autonomous system (AS) that it peers with.

1 rule found Severity: Medium

Logo

The Dell OS10 Router must be configured to use keys with a duration not exceeding 180 days for authenticating routing protocol messages.

1 rule found Severity: Medium

Logo

AOS, when used as a VPN Gateway, must be configured to use IPsec with SHA-2 at 384 bits or greater for hashing to protect the integrity of remote access sessions.

1 rule found Severity: Medium

Logo

The Juniper SRX Services Gateway VPN must configure Internet Key Exchange (IKE) with SHA1 or greater to protect the authenticity of communications sessions.

1 rule found Severity: High

Logo

Remoting Services HTTP channels must utilize authentication and encryption.

1 rule found Severity: Medium

Logo

Remoting Services TCP channels must utilize authentication and encryption.

1 rule found Severity: Medium

Logo

Exchange internal send connectors must use domain security (mutual authentication Transport Layer Security).

1 rule found Severity: Medium

Logo

Exchange internet-facing receive connectors must offer Transport Layer Security (TLS) before using basic authentication.

1 rule found Severity: Medium

Logo

Exchange internal Send connectors must use domain security (mutual authentication Transport Layer Security).

1 rule found Severity: Medium

Logo

The application must protect the confidentiality and integrity of transmitted information.

1 rule found Severity: High

Logo

SharePoint must ensure authentication of both client and server during the entire session. An example of this is SSL Mutual Authentication.

1 rule found Severity: High

Logo

The SIP security mode in Lync must be enabled.

1 rule found Severity: Medium

Logo

The HTTP fallback for SIP connection in Lync must be disabled.

1 rule found Severity: Medium

Logo

SharePoint must implement an information system isolation boundary that minimizes the number of nonsecurity functions included within the boundary containing security functions.

1 rule found Severity: High

Logo

Rancher RKE2 must protect authenticity of communications sessions with the use of FIPS-validated 140-2 or 140-3 security requirements for cryptographic modules.

1 rule found Severity: High

Logo

OpenShift must protect authenticity of communications sessions with the use of FIPS-validated 140-2 or 140-3 validated cryptography.

1 rule found Severity: High

Logo

The UEM server must protect the authenticity of communications sessions.

1 rule found Severity: Medium

Logo

The vCenter Server must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access.

1 rule found Severity: High

Logo

The VPN Gateway must use FIPS 140-2 compliant mechanisms for authentication to a cryptographic module.

1 rule found Severity: Medium

Logo

The IPSec VPN must be configured to use FIPS-validated SHA-2 at 384 bits or higher for Internet Key Exchange (IKE).

1 rule found Severity: High

Logo

The vCenter Server must use DOD-approved encryption to protect the confidentiality of network sessions.

1 rule found Severity: Medium

Logo

Citrix Delivery Controller must implement DoD-approved encryption.

1 rule found Severity: High

Logo