Skip to content
Log In

CCI-001453

Implement cryptographic mechanisms to protect the integrity of remote access sessions.

Firefox must be configured to allow only TLS 1.2 or above.

1 rule found Severity: Medium

Logo

Configure OpenSSL library to use System Crypto Policy

17 rules found Severity: Medium

Logo

Configure SSH to use System Crypto Policy

19 rules found Severity: Medium

Logo

Enable the LDAP Client For Use in Authconfig

10 rules found Severity: Medium

Logo

Configure LDAP Client to Use TLS For All Transactions

8 rules found Severity: Medium

Logo

Configure Certificate Directives for LDAP Use of TLS

6 rules found Severity: Medium

Logo

Use Only FIPS 140-2 Validated Key Exchange Algorithms

12 rules found Severity: Medium

Logo

Use Only FIPS 140-2 Validated MACs

20 rules found Severity: Medium

Logo

Configure SSSD LDAP Backend Client CA Certificate

7 rules found Severity: Medium

Logo

Configure SSSD LDAP Backend Client CA Certificate Location

7 rules found Severity: Medium

Logo

Configure SSSD LDAP Backend Client to Demand a Valid Certificate from the Server

11 rules found Severity: Medium

Logo

Configure SSSD LDAP Backend to Use TLS For All Transactions

11 rules found Severity: High

Logo

Configure GnuTLS library to use DoD-approved TLS Encryption

6 rules found Severity: Medium

Logo

Configure OpenSSL library to use TLS Encryption

8 rules found Severity: Medium

Logo

Configure SSH Client to Use FIPS 140-2 Validated Ciphers: openssh.config

7 rules found Severity: High

Logo

Configure SSH Server to Use FIPS 140-2 Validated Ciphers: opensshserver.config

6 rules found Severity: Medium

Logo

Configure SSH Client to Use FIPS 140-2 Validated MACs: openssh.config

7 rules found Severity: Medium

Logo

Configure SSH Server to Use FIPS 140-2 Validated MACs: opensshserver.config

6 rules found Severity: Medium

Logo

Set kernel parameter 'crypto.fips_enabled' to 1

1 rule found Severity: High

Logo

Compliance Guardian must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access.

1 rule found Severity: High

Logo

The CA API Gateway providing intermediary services for remote access communications traffic must use NIST FIPS-validated cryptography to protect the integrity of remote access sessions.

1 rule found Severity: Medium

Logo

If the BlackBerry Connect service is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to enable SSL support for BlackBerry Proxy and use only DoD approved certificates.

1 rule found Severity: Medium

Logo

If the BlackBerry Docs service is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to use SSL for LDAP lookup to connect to the Office Web App Server (e.g., SharePoint).

2 rules found Severity: High

Logo

If the BlackBerry Connect service is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to enable SSL support for BlackBerry Proxy and use only DOD approved certificates.

1 rule found Severity: Medium

Logo

Citrix Linux Virtual Delivery Agent must implement DoD-approved encryption.

1 rule found Severity: High

Logo

Citrix Receiver must implement DoD-approved encryption.

1 rule found Severity: High

Logo

Citrix Windows Virtual Delivery Agent must implement DoD-approved encryption.

2 rules found Severity: High

Logo

FIPS mode must be enabled on all Docker Engine - Enterprise nodes.

1 rule found Severity: High

Logo

Docker Enterprise Universal Control Plane (UCP) must be configured to use TLS 1.2.

1 rule found Severity: Medium

Logo

DoD-approved encryption must be implemented to protect the confidentiality and integrity of remote access sessions, information during preparation for transmission, information during reception, and information during transmission in addition to enforcing replay-resistant authentication mechanisms for network access to privileged accounts.

1 rule found Severity: High

Logo

The IBM Aspera Console must be configured to use NIST FIPS-validated cryptography to protect the integrity of file transfers.

1 rule found Severity: High

Logo

IBM Aspera Faspex must be configured to use NIST FIPS-validated cryptography to protect the integrity of file transfers.

1 rule found Severity: High

Logo

IBM Aspera Shares feature must be configured to use NIST FIPS-validated cryptography to protect the integrity of file transfers.

1 rule found Severity: High

Logo

The IBM Aspera High-Speed Transfer Endpoint must be configured to use NIST FIPS-validated cryptography to protect the integrity of remote access sessions.

1 rule found Severity: High

Logo

The IBM Aspera High-Speed Transfer Endpoint must have a master-key set to encrypt the dynamic token encryption key.

1 rule found Severity: Medium

Logo

The IBM Aspera High-Speed Transfer Server must be configured to use NIST FIPS-validated cryptography to protect the integrity of remote access sessions.

1 rule found Severity: High

Logo

The IBM Aspera High-Speed Transfer Server must have a master-key set to encrypt the dynamic token encryption key.

1 rule found Severity: Medium

Logo

The DataPower Gateway providing intermediary services for remote access communications traffic must use NIST FIPS-validated cryptography to protect the integrity of remote access sessions.

1 rule found Severity: Medium

Logo

The MQ Appliance messaging server must implement cryptography mechanisms to protect the integrity of the remote access session.

1 rule found Severity: Medium

Logo

The WebSphere Application Server security cookies must be set to HTTPOnly.

1 rule found Severity: Medium

Logo

The IBM z/VM TCP/IP configuration must include an SSLSERVERID statement.

1 rule found Severity: Medium

Logo

If cipher suites using pre-shared keys are used for device authentication, the ISEC7 EMM Suite must have a minimum security strength of 112 bits or higher, must only be used in networks where both the client and server are Government systems, must prohibit client negotiation to TLS 1.1, TLS 1.0, SSL 2.0, or SSL 3.0 and must prohibit or restrict the use of protocols that transmit unencrypted authentication information or use flawed cryptographic algorithm for transmission.

1 rule found Severity: Medium

Logo

The Sentry providing intermediary services for remote access communications traffic must use NIST FIPS-validated cryptography to protect the integrity of remote access sessions.

2 rules found Severity: Medium

Logo

Firefox must be configured to allow only TLS 1.2 or above.

1 rule found Severity: High

Logo

Nutanix AOS must implement DoD-approved encryption to protect the confidentiality of remote access sessions.

1 rule found Severity: High

Logo

Nutanix AOS must implement cryptography mechanisms to protect the confidentiality and integrity of the remote access session.

1 rule found Severity: High

Logo

OHS must have the LoadModule ossl_module directive enabled to protect the integrity of remote sessions in accordance with the categorization of data hosted by the web server.

1 rule found Severity: High

Logo

OHS must have the SSLFIPS directive enabled to protect the integrity of remote sessions in accordance with the categorization of data hosted by the web server.

1 rule found Severity: High

Logo

OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to protect the integrity of remote sessions in accordance with the categorization of data hosted by the web server.

1 rule found Severity: High

Logo

OHS must have the SSLCipherSuite directive enabled to protect the integrity of remote sessions in accordance with the categorization of data hosted by the web server.

1 rule found Severity: High

Logo

OHS must have the SecureProxy directive enabled to protect the integrity of remote sessions when integrated with WebLogic in accordance with the categorization of data hosted by the web server.

1 rule found Severity: Medium

Logo

OHS must have the WLSSLWallet directive enabled to protect the integrity of remote sessions when integrated with WebLogic in accordance with the categorization of data hosted by the web server.

1 rule found Severity: Medium

Logo

OHS must have the WebLogicSSLVersion directive enabled to protect the integrity of remote sessions when integrated with WebLogic in accordance with the categorization of data hosted by the web server.

1 rule found Severity: Medium

Logo

OHS must have the WLProxySSL directive enabled to protect the integrity of remote sessions when integrated with WebLogic in accordance with the categorization of data hosted by the web server.

1 rule found Severity: Medium

Logo

Oracle WebLogic must use cryptography to protect the integrity of the remote access session.

1 rule found Severity: Medium

Logo

The Riverbed Optimization System (RiOS) providing intermediary services for remote access communications traffic must use NIST FIPS-validated cryptography to protect the integrity of remote access sessions.

1 rule found Severity: Medium

Logo

Innoslate must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access.

1 rule found Severity: High

Logo

The Tanium endpoint must have the Tanium Servers public key in its installation, which will allow it to authenticate and uniquely identify all network-connected endpoint devices before establishing any connection.

1 rule found Severity: Medium

Logo

Tanium Trusted Content providers must be documented.

5 rules found Severity: Medium

Logo

Content providers must provide their public key to the Tanium administrator to import for validating signed content.

5 rules found Severity: Medium

Logo

Tanium public keys of content providers must be validated against documented trusted content providers.

5 rules found Severity: Medium

Logo

The Tanium endpoint must have the Tanium Servers public key in its installation.

1 rule found Severity: Medium

Logo

The Tanium endpoint must have the Tanium Server's pki.db in its installation.

3 rules found Severity: Medium

Logo

The Horizon Connection Server must be configured to only support TLS 1.2 connections.

1 rule found Severity: High

Logo

The Blast Secure Gateway must be configured to only support TLS 1.2 connections.

1 rule found Severity: High

Logo

The Horizon Connection Server must force server cipher preference.

1 rule found Severity: High

Logo

The macOS system must implement approved ciphers within the SSH client configuration to protect the confidentiality of SSH connections.

2 rules found Severity: High

Logo

The macOS system must implement approved Message Authentication Codes (MACs) within the SSH client configuration.

2 rules found Severity: High

Logo

The macOS system must implement approved Key Exchange Algorithms within the SSH client configuration.

2 rules found Severity: High

Logo

The Ubuntu operating system must configure the SSH daemon to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms to protect the integrity of nonlocal maintenance and diagnostic communications.

1 rule found Severity: Medium

Logo

WLAN components must be Wi-Fi Alliance certified with WPA2 or WPA3.

3 rules found Severity: Medium

Logo

The WLAN access point must be configured for Wi-Fi Alliance WPA2 or WPA3 security.

1 rule found Severity: Medium

Logo

The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) authentication communications.

1 rule found Severity: Medium

Logo

The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications.

2 rules found Severity: Medium

Logo

The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon is configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.

1 rule found Severity: Medium

Logo

The Red Hat Enterprise Linux operating system SSH server must be configured to use only FIPS-validated key exchange algorithms.

1 rule found Severity: Medium

Logo

The BIG-IP Core implementation must be configured to use NIST SP 800-52 Revision 1 compliant cryptography to protect the integrity of remote access sessions to virtual servers.

1 rule found Severity: Medium

Logo

HTTP Strict Transport Security (HSTS) must be enabled.

1 rule found Severity: Low

Logo

TLS 1.2 must be used on secured HTTP connectors.

1 rule found Severity: Medium

Logo

The macOS system must implement approved ciphers within the SSH server configuration to protect the confidentiality of SSH connections.

1 rule found Severity: High

Logo

The macOS system must implement approved Message Authentication Codes (MACs) within the SSH server configuration.

1 rule found Severity: High

Logo

The macOS system must implement approved Key Exchange Algorithms within the SSH server configuration.

1 rule found Severity: High

Logo

The Ubuntu operating system must configure the SSH daemon to use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hashes to prevent the unauthorized disclosure of information and/or detect changes to information during transmission.

1 rule found Severity: Medium

Logo

The Cisco ASA remote access VPN server must be configured to use a FIPS-validated algorithm and hash function to protect the integrity of TLS remote access sessions.

1 rule found Severity: Medium

Logo

The Cisco ASA remote access VPN server must be configured to use SHA-2 at 384 bits or greater for hashing to protect the integrity of IPsec remote access sessions.

1 rule found Severity: Medium

Logo

The Enterprise Voice, Video, and Messaging Endpoint must prohibit client negotiation to TLS 1.1, TLS 1.0, SSL 2.0, or SSL 3.0.

1 rule found Severity: High

Logo

The F5 BIG-IP appliance providing intermediary services for remote access must use FIPS-validated cryptographic algorithms, including TLS 1.2 at a minimum.

1 rule found Severity: High

Logo

The Enterprise Voice, Video, and Messaging Session Manager must be configured to use only TLS 1.2 or greater for all TLS and SSL communications.

1 rule found Severity: High

Logo

SSMC must employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions.

1 rule found Severity: Medium

Logo

SSMC web server must use cryptography to protect the integrity of remote sessions.

1 rule found Severity: High

Logo

The HPE 3PAR OS must be configured to restrict the encryption algorithms and protocols to comply with DOD-approved encryption to protect the confidentiality and integrity of remote access sessions.

1 rule found Severity: High

Logo

If LDAP authentication is required on AIX, SSL must be used between LDAP clients and the LDAP servers to protect the integrity of remote access sessions.

1 rule found Severity: Medium

Logo

Hardware Management Console management must be accomplished by using the out-of-band or direct connection method.

1 rule found Severity: Medium

Logo

Security cookies must be set to HTTPOnly.

1 rule found Severity: Medium

Logo

If cipher suites using pre-shared keys are used for device authentication, the ISEC7 SPHERE must have a minimum security strength of 112 bits or higher, must only be used in networks where both the client and server are government systems, must prohibit client negotiation to TLS 1.1, TLS 1.0, SSL 2.0, or SSL 3.0 and must prohibit or restrict the use of protocols that transmit unencrypted authentication information or use flawed cryptographic algorithm for transmission.

1 rule found Severity: Medium

Logo

The ICS must be configured to use TLS 1.2, at a minimum.

1 rule found Severity: High

Logo

HTTPS must be enabled for JBoss web interfaces.

1 rule found Severity: Medium

Logo

The Remote Desktop Session Host must require secure RPC communications.

2 rules found Severity: Medium

Logo

The Remote Desktop Session Host must require secure Remote Procedure Call (RPC) communications.

1 rule found Severity: Medium

Logo

Remote Desktop Services must be configured with the client connection encryption set to High Level.

1 rule found Severity: Medium

Logo

The Oracle Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) authentication communications.

1 rule found Severity: Medium

Logo

The Oracle Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications.

2 rules found Severity: Medium

Logo

The Oracle Linux operating system must be configured so that the SSH daemon is configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.

1 rule found Severity: Medium

Logo

The Oracle Linux operating system SSH server must be configured to use only FIPS-validated key exchange algorithms.

1 rule found Severity: Medium

Logo

Automation Controller must implement cryptography mechanisms to protect the integrity of information.

1 rule found Severity: High

Logo

The Automation Controller NGINX web server must use cryptography on all remote connections.

1 rule found Severity: Medium

Logo

SLEM 5 must implement DOD-approved encryption to protect the confidentiality of SSH remote connections.

1 rule found Severity: High

Logo

SLEM 5 SSH server must be configured to use only FIPS 140-2/140-3 validated key exchange algorithms.

1 rule found Severity: High

Logo

The TOSS operating system must implement DoD-approved encryption in the OpenSSL package.

1 rule found Severity: Medium

Logo

The TOSS operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections.

1 rule found Severity: Medium

Logo

The TOSS operating system must implement DoD-approved TLS encryption in the GnuTLS package.

1 rule found Severity: Medium

Logo

The TOSS SSH daemon must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms.

1 rule found Severity: Medium

Logo

The web server must use cryptography to protect the integrity of remote sessions.

1 rule found Severity: Medium

Logo

Configure System Cryptography Policy

17 rules found Severity: High

Logo

The File /etc/ssh/sshd_config.d/50-redhat.conf Must Exist

1 rule found Severity: Medium

Logo

SSHD Must Include System Crypto Policy Config File

1 rule found Severity: Medium

Logo

NixOS must implement DOD-approved encryption to protect the confidentiality of remote access sessions.

1 rule found Severity: High

Logo

The Apache web server must use cryptography to protect the integrity of remote sessions.

1 rule found Severity: Medium

Logo

The Apache web server must use encryption strength in accordance with the categorization of data hosted by the Apache web server when remote connections are provided.

2 rules found Severity: Medium

Logo

An Apache web server must maintain the confidentiality of controlled information during transmission through the use of an approved TLS version.

1 rule found Severity: High

Logo

The macOS system must limit SSHD to FIPS-compliant connections.

2 rules found Severity: High

Logo

The macOS system must limit SSH to FIPS-compliant connections.

2 rules found Severity: High

Logo

The ALG providing intermediary services for remote access communications traffic must use NIST FIPS-validated cryptography to protect the integrity of remote access sessions.

1 rule found Severity: Medium

Logo

The application server must implement cryptography mechanisms to protect the integrity of the remote access session.

1 rule found Severity: Medium

Logo

The application must implement cryptographic mechanisms to protect the integrity of remote access sessions.

1 rule found Severity: Medium

Logo

Applications with SOAP messages requiring integrity must include the following message elements:-Message ID-Service Request-Timestamp-SAML Assertion (optionally included in messages) and all elements of the message must be digitally signed.

1 rule found Severity: Medium

Logo

Ubuntu 22.04 LTS must configure the SSH daemon to use Message Authentication Codes (MACs) employing FIPS 140-3-approved cryptographic hashes to prevent the unauthorized disclosure of information and/or detect changes to information during transmission.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 SSH client must be configured to use only encryption ciphers employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH client connections.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must implement DOD-approved encryption ciphers to protect the confidentiality of SSH client connections.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 SSH client must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must implement DOD-approved encryption ciphers to protect the confidentiality of SSH server connections.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 SSH server must be configured to use only FIPS 140-3 validated key exchange algorithms.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must implement DOD-approved systemwide cryptographic policies to protect the confidentiality of SSH server connections.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must implement DOD-approved TLS encryption in the GnuTLS package.

1 rule found Severity: High

Logo

AlmaLinux OS 9 must implement DOD-approved encryption in the OpenSSL package.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must implement DOD-approved TLS encryption in the OpenSSL package.

1 rule found Severity: Medium

Logo

The container platform must prohibit communication using TLS versions 1.0 and 1.1, and SSL 2.0 and 3.0.

1 rule found Severity: Medium

Logo

The operating system must implement cryptography to protect the integrity of remote access sessions.

1 rule found Severity: High

Logo

AOS, when used as a VPN Gateway, must be configured to use IPsec with SHA-2 at 384 bits or greater for hashing to protect the integrity of remote access sessions.

1 rule found Severity: Medium

Logo

AOS must use Transport Layer Security (TLS) 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access.

1 rule found Severity: Medium

Logo

IBM z/OS SSH daemon must be configured to use a FIPS 140-2 compliant cryptographic algorithm.

1 rule found Severity: High

Logo

IBM z/OS SSL encryption options for the TN3270 Telnet Server must be specified properly for each statement that defines a SECUREPORT or within the TELNETGLOBALS.

2 rules found Severity: Medium

Logo

The IBM RACF SSH daemon must be configured to use a FIPS 140-2 compliant cryptographic algorithm to protect confidential information and remote access sessions.

1 rule found Severity: High

Logo

The SSH daemon must be configured to use a FIPS 140-2 compliant cryptographic algorithm.

1 rule found Severity: High

Logo

IBM z/OS SSL encryption options for the TN3270 Telnet server must be specified properly for each statement that defines a SECUREPORT or within the TELNETGLOBALS.

1 rule found Severity: Medium

Logo

The Juniper SRX Services Gateway VPN must be configured to use IPsec with SHA256 or greater to negotiate hashing to protect the integrity of remote access sessions.

1 rule found Severity: Medium

Logo

SharePoint must use cryptography to protect the integrity of the remote access session.

1 rule found Severity: High

Logo

Windows Server 2019 Remote Desktop Services must require secure Remote Procedure Call (RPC) communications.

1 rule found Severity: Medium

Logo

Windows Server 2019 Remote Desktop Services must be configured with the client connection encryption set to High Level.

1 rule found Severity: Medium

Logo

Windows Server 2022 Remote Desktop Services must require secure Remote Procedure Call (RPC) communications.

1 rule found Severity: Medium

Logo

Windows Server 2022 Remote Desktop Services must be configured with the client connection encryption set to High Level.

1 rule found Severity: Medium

Logo

OL 8 must implement NIST FIPS-validated cryptography for the following: To provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.

1 rule found Severity: High

Logo

The OL 8 SSH daemon must be configured to use system-wide crypto policies.

1 rule found Severity: Medium

Logo

The OL 8 operating system must implement DoD-approved encryption in the OpenSSL package.

1 rule found Severity: Medium

Logo

The OL 8 operating system must implement DoD-approved TLS encryption in the OpenSSL package.

1 rule found Severity: Medium

Logo

The OL 8 operating system must implement DoD-approved TLS encryption in the GnuTLS package.

1 rule found Severity: Medium

Logo

The Palo Alto Networks security platform, if used as a TLS gateway/decryption point or VPN concentrator, must use NIST FIPS-validated cryptography to protect the integrity of remote access sessions.

1 rule found Severity: Medium

Logo

Rancher RKE2 must protect authenticity of communications sessions with the use of FIPS-validated 140-2 or 140-3 security requirements for cryptographic modules.

1 rule found Severity: High

Logo

OpenShift must use TLS 1.2 or greater for secure communication.

1 rule found Severity: Medium

Logo

The RHEL 8 SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms.

1 rule found Severity: Medium

Logo

The RHEL 8 operating system must implement DOD-approved encryption to protect the confidentiality of SSH server connections.

1 rule found Severity: Medium

Logo

The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package.

1 rule found Severity: Medium

Logo

The RHEL 8 operating system must implement DoD-approved TLS encryption in the OpenSSL package.

1 rule found Severity: Medium

Logo

The RHEL 8 operating system must implement DoD-approved TLS encryption in the GnuTLS package.

1 rule found Severity: Medium

Logo

OL 8 SSH server must be configured to use only FIPS-validated key exchange algorithms.

1 rule found Severity: Medium

Logo

RHEL 9 SSH daemon must be configured to use system-wide crypto policies.

1 rule found Severity: Medium

Logo

RHEL 9 must implement DOD-approved encryption ciphers to protect the confidentiality of SSH connections.

1 rule found Severity: Medium

Logo

The RHEL 9 SSH server must be configured to use only DOD-approved encryption ciphers employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH server connections.

1 rule found Severity: Medium

Logo

The RHEL 9 SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH server connections.

1 rule found Severity: Medium

Logo

The RHEL 8 SSH daemon must be configured to use system-wide crypto policies.

1 rule found Severity: Medium

Logo

RHEL 8 SSH server must be configured to use only FIPS-validated key exchange algorithms.

1 rule found Severity: Medium

Logo

The RHEL 9 SSH client must be configured to use only DOD-approved encryption ciphers employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH client connections.

1 rule found Severity: Medium

Logo

The RHEL 9 SSH client must be configured to use only DOD-approved Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH client connections.

1 rule found Severity: Medium

Logo

The SUSE operating system SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.

2 rules found Severity: Medium

Logo

The SUSE operating system SSH server must be configured to use only FIPS-validated key exchange algorithms.

2 rules found Severity: Medium

Logo

The boundary protection system (firewall) must be configured to deny network traffic by default and must allow network traffic by exception (i.e., deny all, permit by exception).

2 rules found Severity: Medium

Logo

The UEM server must be configured to prohibit client negotiation to TLS 1.1, TLS 1.0, SSL 2.0, or SSL 3.0.

1 rule found Severity: Medium

Logo

The VMM must implement cryptography to protect the integrity of remote access sessions.

1 rule found Severity: Medium

Logo

VAMI must use cryptography to protect the integrity of remote sessions.

1 rule found Severity: Medium

Logo

The Photon operating system must configure sshd to use approved encryption algorithms.

1 rule found Severity: Low

Logo

Envoy must use only Transport Layer Security (TLS) 1.2 for the protection of client connections.

1 rule found Severity: Medium

Logo

The vCenter Server must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access.

1 rule found Severity: High

Logo

The Photon operating system must implement only approved ciphers to protect the integrity of remote access sessions.

2 rules found Severity: High

Logo

The remote access VPN Gateway must use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of TLS remote access sessions.

1 rule found Severity: Medium

Logo

The VPN Gateway must be configured to use IPsec with SHA-2 at 384 bits or greater for hashing to protect the integrity of remote access sessions.

1 rule found Severity: Medium

Logo

The TLS VPN Gateway that supports Government-only services must prohibit client negotiation to TLS 1.1, TLS 1.0, SSL 2.0, or SSL 3.0.

1 rule found Severity: Medium

Logo

The Photon operating system must implement only approved Message Authentication Codes (MACs) to protect the integrity of remote access sessions.

2 rules found Severity: High

Logo

The vCenter STS service must be configured to use strong encryption ciphers.

1 rule found Severity: Medium

Logo

The TLS VPN Gateway that supports citizen- or business-facing network devices must prohibit client negotiation to SSL 2.0 or SSL 3.0.

1 rule found Severity: Medium

Logo

The vCenter VAMI service must use cryptography to protect the integrity of remote sessions.

2 rules found Severity: Medium

Logo

The vCenter Server must use DOD-approved encryption to protect the confidentiality of network sessions.

1 rule found Severity: Medium

Logo

Citrix Delivery Controller must implement DoD-approved encryption.

1 rule found Severity: High

Logo

The SSMC web server must use cryptographic modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.

1 rule found Severity: High

Logo