CCI-001368
Enforce approved authorizations for controlling the flow of information within the system based on organization-defined information flow control policies.
1 rule found Severity: Medium

The CA API Gateway must enforce approved authorizations for controlling the flow of information within the network based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.
1 rule found Severity: Medium

A policy set using the built-in role-based access control (RBAC) capabilities in the Universal Control Plane (UCP) component of Docker Enterprise must be configured.
1 rule found Severity: Medium

A policy set using the built-in role-based access control (RBAC) capabilities in the Docker Trusted Registry (DTR) component of Docker Enterprise must be set.
1 rule found Severity: Medium

The FortiGate device must allow full access to only those individuals or roles designated by the ISSM.
1 rule found Severity: Medium

The HP FlexFabric Switch must enforce approved authorizations for controlling the flow of management information within the HP FlexFabric Switch based on information flow control policies.
1 rule found Severity: Medium

The HYCU virtual machine must enforce approved authorizations for controlling the flow of management information within the network device based on information flow control policies.
1 rule found Severity: Medium

The DataPower Gateway must enforce approved authorizations for controlling the flow of management information within DataPower based on information flow control policies.
1 rule found Severity: Medium

The DataPower Gateway must enforce approved authorizations for controlling the flow of information within the network based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.
1 rule found Severity: Medium

MobileIron Sentry must enforce approved authorizations for controlling the flow of management information within the network device based on information flow control policies.
1 rule found Severity: Low

The Sentry must enforce approved authorizations for controlling the flow of information within the network based on attribute-based inspection of the source, destination, and headers of the communications traffic.
2 rules found Severity: Medium

Innoslate must enforce approved authorizations for controlling the flow of information within the system based on organization-defined information flow control policies.
1 rule found Severity: Medium

Symantec ProxySG must enforce approved authorizations for controlling the flow of information within the network based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.
1 rule found Severity: Medium

Symantec ProxySG must be configured to enforce assigned privilege levels for approved administrators when accessing the management console, SSH, and the command line interface (CLI).
1 rule found Severity: Medium

The NSX-T Tier-0 Gateway must be configured to reject inbound route advertisements for any prefixes belonging to the local autonomous system (AS).
1 rule found Severity: Medium

The BIG-IP Core implementation must be configured to enforce approved authorizations for controlling the flow of information within the network based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.
1 rule found Severity: Medium

The Arista network device must enforce approved authorizations for controlling the flow of management information within the network device based on information flow control policies.
1 rule found Severity: Medium

The Arista BGP router must be configured to reject inbound route advertisements for any Bogon prefixes.
1 rule found Severity: Medium

The Arista BGP router must be configured to reject inbound route advertisements for any prefixes belonging to the local autonomous system (AS).
1 rule found Severity: Medium

The Arista BGP router must be configured to reject inbound route advertisements from a customer edge (CE) router for prefixes that are not allocated to that customer.
1 rule found Severity: Medium

The Arista BGP router must be configured to reject outbound route advertisements for any prefixes that do not belong to any customers or the local autonomous system (AS).
1 rule found Severity: Medium

The Arista Multicast Source Discovery Protocol (MSDP) router must be configured to filter received source-active multicast advertisements for any undesirable multicast groups and sources.
1 rule found Severity: Low

The Arista Multicast Source Discovery Protocol (MSDP) router must be configured to filter source-active multicast advertisements to external MSDP peers to avoid global visibility of local-only multicast sources and groups.
1 rule found Severity: Low

The Arista MSDP router must be configured to limit the amount of source-active messages it accepts on a per-peer basis.
1 rule found Severity: Low

The Cisco router must be configured to enforce approved authorizations for controlling the flow of management information within the device based on control policies.
3 rules found Severity: Medium

The Cisco ASA must be configured to enforce approved authorizations for controlling the flow of management information within the Cisco ASA based on information flow control policies.
1 rule found Severity: Medium

The Cisco switch must be configured to enforce approved authorizations for controlling the flow of management information within the device based on control policies.
3 rules found Severity: Medium

The Cisco switch must be configured to enforce approved authorizations for controlling the flow of information within the network based on organization-defined information flow control policies.
3 rules found Severity: Medium

The Cisco router must be configured to enforce approved authorizations for controlling the flow of information within the network based on organization-defined information flow control policies.
3 rules found Severity: Medium

The Cisco BGP router must be configured to reject inbound route advertisements for any Bogon prefixes.
3 rules found Severity: Medium

The Cisco BGP router must be configured to reject inbound route advertisements for any prefixes belonging to the local autonomous system (AS).
3 rules found Severity: Medium

The Cisco BGP router must be configured to reject inbound route advertisements from a customer edge (CE) router for prefixes that are not allocated to that customer.
3 rules found Severity: Medium

The Cisco BGP router must be configured to reject outbound route advertisements for any prefixes that do not belong to any customers or the local autonomous system (AS).
3 rules found Severity: Medium

The Cisco Multicast Source Discovery Protocol (MSDP) router must be configured to filter received source-active multicast advertisements for any undesirable multicast groups and sources.
3 rules found Severity: Low

The Cisco Multicast Source Discovery Protocol (MSDP) router must be configured to filter source-active multicast advertisements to external MSDP peers to avoid global visibility of local-only multicast sources and groups.
3 rules found Severity: Low

The Cisco Multicast Source Discovery Protocol (MSDP) router must be configured to limit the amount of source-active messages it accepts on a per-peer basis.
3 rules found Severity: Low

The Cisco BGP switch must be configured to reject inbound route advertisements for any Bogon prefixes.
2 rules found Severity: Medium

The Cisco BGP switch must be configured to reject inbound route advertisements for any prefixes belonging to the local autonomous system (AS).
2 rules found Severity: Medium

The Cisco BGP switch must be configured to reject inbound route advertisements from a customer edge (CE) switch for prefixes that are not allocated to that customer.
2 rules found Severity: Medium

The Cisco BGP switch must be configured to reject outbound route advertisements for any prefixes that do not belong to any customers or the local autonomous system (AS).
2 rules found Severity: Medium

The Cisco Multicast Source Discovery Protocol (MSDP) switch must be configured to filter received source-active multicast advertisements for any undesirable multicast groups and sources.
2 rules found Severity: Low

The Cisco Multicast Source Discovery Protocol (MSDP) switch must be configured to filter source-active multicast advertisements to external MSDP peers to avoid global visibility of local-only multicast sources and groups.
2 rules found Severity: Low

The Cisco Multicast Source Discovery Protocol (MSDP) switch must be configured to limit the amount of source-active messages it accepts on a per-peer basis.
2 rules found Severity: Low

The Enterprise Voice, Video, and Messaging Endpoint PC port must be configured to maintain VLAN separation from the voice video VLAN, or be disabled.
1 rule found Severity: Medium

The Enterprise Voice, Video, and Messaging Endpoint must be configured to integrate into the implemented 802.1x network access control system.
1 rule found Severity: Medium

The Enterprise Voice, Video, and Messaging Endpoint PC port must be configured to connect to an 802.1x supplicant or the PC port must be disabled.
1 rule found Severity: Medium

The Enterprise Voice, Video, and Messaging Endpoint not supporting 802.1x must be configured to use MAC Authentication Bypass (MAB) on the access switchport.
1 rule found Severity: Medium

The Enterprise Voice, Video, and Messaging Endpoint must be configured to use a voice video VLAN, separate from all other VLANs.
1 rule found Severity: Medium

The F5 BIG-IP appliance providing user access control intermediary services must implement attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.
1 rule found Severity: High

The Enterprise Voice, Video, and Messaging Session Manager must be configured to only enable the extension mobility feature for endpoints on a per user basis.
1 rule found Severity: Medium

The Enterprise Voice, Video, and Messaging Session Manager must be configured to globally disable the extension mobility feature for endpoints.
1 rule found Severity: Medium

The Enterprise Voice, Video, and Messaging Session Manager must be configured to use DNS servers assigned to support the VVoIP system.
1 rule found Severity: Medium

The ICS must be configured to audit the execution of privileged functions such as accounts additions and changes.
1 rule found Severity: Medium

Sentry must enforce approved authorizations for controlling the flow of management information within the network device based on information flow control policies.
1 rule found Severity: Low

The Juniper EX switch must be configured to enforce approved authorizations for controlling the flow of management information within the network device based on information flow control policies.
1 rule found Severity: Medium

The Juniper router must be configured to enforce approved authorizations for controlling the flow of information within the network based on organization-defined information flow control policies.
2 rules found Severity: Medium

The Juniper BGP router must be configured to reject inbound route advertisements for any Bogon prefixes.
2 rules found Severity: Medium

The Juniper BGP router must be configured to reject inbound route advertisements for any prefixes belonging to the local autonomous system (AS).
2 rules found Severity: Medium

The Juniper BGP router must be configured to reject inbound route advertisements from a customer edge (CE) router for prefixes that are not allocated to that customer.
1 rule found Severity: Medium

The Juniper BGP router must be configured to reject outbound route advertisements for any prefixes that do not belong to any customers or the local autonomous system (AS).
2 rules found Severity: Medium

The Juniper router configured for Multicast Source Discovery Protocol (MSDP) must filter received source-active multicast advertisements for any undesirable multicast groups and sources.
1 rule found Severity: Low

The Juniper router configured for Multicast Source Discovery Protocol (MSDP) must filter source-active multicast advertisements to external MSDP peers to avoid global visibility of local-only multicast sources and groups.
1 rule found Severity: Low

The Juniper router configured for MSDP must limit the amount of source-active messages it accepts on a per-peer basis.
1 rule found Severity: Low

The network device must enforce approved authorizations for controlling the flow of management information within the network device based on information flow control policies.
1 rule found Severity: Medium

The router must be configured to enforce approved authorizations for controlling the flow of information within the network based on organization-defined information flow control policies.
1 rule found Severity: Medium

The BGP router must be configured to reject inbound route advertisements for any prefixes belonging to the local autonomous system (AS).
1 rule found Severity: Medium

The BGP router must be configured to reject inbound route advertisements from a customer edge (CE) router for prefixes that are not allocated to that customer.
1 rule found Severity: Medium

The BGP router must be configured to reject outbound route advertisements for any prefixes that do not belong to any customers or the local autonomous system (AS).
1 rule found Severity: Medium

The BGP router must be configured to reject route advertisements from BGP peers that do not list their autonomous system (AS) number as the first AS in the AS_PATH attribute.
1 rule found Severity: Low

The Multicast Source Discovery Protocol (MSDP) router must be configured to filter received source-active multicast advertisements for any undesirable multicast groups and sources.
1 rule found Severity: Low

The Multicast Source Discovery Protocol (MSDP) router must be configured to filter source-active multicast advertisements to external MSDP peers to avoid global visibility of local-only multicast sources and groups.
1 rule found Severity: Low

The MSDP router must be configured to limit the amount of source-active messages it accepts on a per-peer basis.
1 rule found Severity: Low

The BGP router must be configured to reject route advertisements from CE routers with an originating AS in the AS_PATH attribute that does not belong to that customer.
1 rule found Severity: Low

The SDN controller must be configured to enforce approved authorizations for controlling the flow of traffic within the network based on organization-defined information flow control policies.
1 rule found Severity: Medium

The Trend Micro TippingPoint Security Management System (SMS) must be configured to send security IPS policy to the Trend Micro Threat Protection System (TPS).
1 rule found Severity: High

The TippingPoint SMS must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access and to enforce access restrictions.
1 rule found Severity: High

The ALG must enforce approved authorizations for controlling the flow of information within the network based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.
1 rule found Severity: Medium

The application must enforce approved authorizations for controlling the flow of information within the system based on organization-defined information flow control policies.
1 rule found Severity: Medium

The container platform must enforce approved authorizations for controlling the flow of information within the container platform based on organization-defined information flow control policies.
1 rule found Severity: Medium

The Dell OS10 Switch must enforce approved authorizations for controlling the flow of management information within the network device based on information flow control policies.
1 rule found Severity: Medium

The Dell OS10 Router must be configured to enforce approved authorizations for controlling the flow of information within the network based on organization-defined information flow control policies.
1 rule found Severity: Medium

The Dell OS10 BGP router must be configured to reject inbound route advertisements for any Bogon prefixes.
1 rule found Severity: Medium

The Dell OS10 BGP router must be configured to reject inbound route advertisements for any prefixes belonging to the local autonomous system (AS).
1 rule found Severity: Medium

The Dell OS10 BGP router must be configured to reject inbound route advertisements from a customer edge (CE) router for prefixes that are not allocated to that customer.
1 rule found Severity: Medium

The Dell OS10 BGP router must be configured to reject outbound route advertisements for any prefixes that do not belong to any customers or the local autonomous system (AS).
1 rule found Severity: Medium

The Dell OS10 BGP router must be configured to reject route advertisements from BGP peers that do not list their autonomous system (AS) number as the first AS in the AS_PATH attribute.
1 rule found Severity: Low

The Dell OS10 BGP router must be configured to reject route advertisements from CE routers with an originating autonomous system (AS) in the AS_PATH attribute that does not belong to that customer.
1 rule found Severity: Low

AOS must enforce approved authorizations for controlling the flow of management information within the network device based on information flow control policies.
1 rule found Severity: Medium

The HYCU virtual appliance must enforce approved authorizations for controlling the flow of management information within the appliance based on information flow control policies.
1 rule found Severity: Medium

The IDPS must enforce approved authorizations by restricting or blocking the flow of harmful or suspicious communications traffic within the network as defined in the PPSM CAL and vulnerability assessments.
1 rule found Severity: Medium

The Juniper router must be configured to enforce approved authorizations for controlling the flow of management information within the device based on control policies.
1 rule found Severity: Medium

The Juniper BGP router must be configured to reject inbound route advertisements from a customer edge (CE) Juniper router for prefixes that are not allocated to that customer.
1 rule found Severity: Medium

The Juniper Multicast Source Discovery Protocol (MSDP) router must be configured to filter received source-active multicast advertisements for any undesirable multicast groups and sources.
1 rule found Severity: Low

The Juniper Multicast Source Discovery Protocol (MSDP) router must be configured to filter source-active multicast advertisements to external MSDP peers to avoid global visibility of local-only multicast sources and groups.
1 rule found Severity: Low

The Juniper Multicast Source Discovery Protocol (MSDP) router must be configured to limit the amount of source-active messages it accepts on a per-peer basis.
1 rule found Severity: Low

The Juniper Networks SRX Series Gateway IDPS must enforce approved authorizations by restricting or blocking the flow of harmful or suspicious communications traffic within the network as defined in the PPSM CAL and vulnerability assessments.
1 rule found Severity: Medium

The Mainframe Product must enforce approved authorizations for controlling the flow of information within the system based on site security plan information flow control policies.
1 rule found Severity: Medium

Prisma Cloud Compute Collections must be used to partition views and enforce organization-defined need-to-know access.
1 rule found Severity: Medium

OpenShift must enforce network policy on the namespace for controlling the flow of information within the container platform based on organization-defined information flow control policies.
1 rule found Severity: Medium

The Palo Alto Networks security platform must enable Antivirus, Anti-spyware, and Vulnerability Protection for all authorized traffic.
1 rule found Severity: Medium

The NSX Manager must assign users/accounts to organization-defined roles configured with approved authorizations.
1 rule found Severity: High

All interactions among guest VMs must be mediated by the VMM or its service VMs to support proper function.
1 rule found Severity: Medium

The Arista Multilayer Switch must enforce approved authorizations for controlling the flow of information within the network based on organization-defined information flow control policies.
1 rule found Severity: Medium

The Arista router must be configured to enforce approved authorizations for controlling the flow of information within the network based on organization-defined information flow control policies.
1 rule found Severity: Medium

The BIG-IP AFM module must be configured to enforce approved authorizations for controlling the flow of information within the network based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.
1 rule found Severity: Medium

Rancher MCM must use a centralized user management solution to support account management functions. For accounts using password authentication, the container platform must use FIPS-validated SHA-2 or later protocol to protect the integrity of the password authentication process.
1 rule found Severity: High
