CCI-001967

1 rule found Severity: Medium

1 rule found Severity: Low

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

If cipher suites using pre-shared keys are used for device authentication, the ISEC7 EMM Suite must have a minimum security strength of 112 bits or higher, must only be used in networks where both the client and server are Government systems, must prohibit client negotiation to TLS 1.1, TLS 1.0, SSL 2.0, or SSL 3.0 and must prohibit or restrict the use of protocols that transmit unencrypted authentication information or use flawed cryptographic algorithm for transmission.

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Low

1 rule found Severity: Medium

2 rules found Severity: Low

5 rules found Severity: Medium

4 rules found Severity: Medium

3 rules found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

3 rules found Severity: Medium

1 rule found Severity: Medium

If cipher suites using pre-shared keys are used for device authentication, the ISEC7 SPHERE must have a minimum security strength of 112 bits or higher, must only be used in networks where both the client and server are government systems, must prohibit client negotiation to TLS 1.1, TLS 1.0, SSL 2.0, or SSL 3.0 and must prohibit or restrict the use of protocols that transmit unencrypted authentication information or use flawed cryptographic algorithm for transmission.

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Low

2 rules found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

2 rules found Severity: Medium

3 rules found Severity: High

3 rules found Severity: Medium

1 rule found Severity: Medium

The A10 Networks ADC must authenticate Network Time Protocol sources.

The Arista Multilayer Switch must authenticate all endpoint devices before establishing a network connection using bidirectional authentication that is cryptographically based.

The Arista Multilayer Switch must re-authenticate all endpoint devices every 60 minutes or less.

The CA API Gateway must authenticate NTP endpoint devices before establishing a network connection using bidirectional authentication that is cryptographically based.

The CA API Gateway must authenticate SNMP endpoint devices before establishing a network connection using bidirectional authentication that is cryptographically based.

The CA API Gateway must authenticate RADIUS endpoint devices before establishing a network connection using bidirectional authentication that is cryptographically based.

The CA API Gateway must authenticate LDAPS endpoint devices before establishing a network connection using bidirectional authentication that is cryptographically based.

The CA API Gateway must obtain LDAPS server certificates securely to use bidirectional authentication that is cryptographically based.

FIPS mode must be enabled on all Docker Engine - Enterprise nodes.

The FortiGate device must authenticate SNMP messages using a FIPS-validated Keyed-Hash Message Authentication Code (HMAC).

The FortiGate device must authenticate Network Time Protocol (NTP) sources using authentication that is cryptographically based.

CounterACT must authenticate any endpoint used for network management before establishing a local, remote, and/or network connection using cryptographically based bidirectional authentication.

CounterACT must authenticate SNMPv3 endpoint devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based.

The HYCU server must authenticate Network Time Protocol sources using authentication that is cryptographically based.

The Infoblox DNS server must authenticate another DNS server before establishing a remote and/or network connection using bidirectional authentication that is cryptographically based.

The DataPower Gateway must use SNMPv3.

The MQ Appliance messaging server must authenticate all endpoint devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based.

The WebSphere Application Server must authenticate all endpoint devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based.

The DNS server implementation must authenticate another DNS server before establishing a remote and/or network connection using bidirectional authentication that is cryptographically based.

The MobileIron Sentry must be configured to authenticate SNMP messages using a FIPS-validated Keyed-Hash Message Authentication Code (HMAC).

Before establishing a local, remote, and/or network connection with any endpoint device, the ISEC7 EMM Suite must use a bidirectional authentication mechanism configured with a FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to authenticate with the device.

RPC encryption between Outlook and Exchange server must be enforced.

Outlook must be configured to force authentication when connecting to an Exchange server.

Authentication with Exchange Server must be required.

RPC encryption between Outlook and Exchange server must be enforced.

Outlook must be configured to force authentication when connecting to an Exchange server.

The Microsoft SCOM SNMP Monitoring in SCOM must use SNMP V3.

Riverbed Optimization System (RiOS) must authenticate network management endpoint devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based.

Riverbed Optimization System (RiOS) must authenticate SNMP server before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based.

Riverbed Optimization System (RiOS) must authenticate NTP server before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based.

The SEL-2740S must authenticate Network Time Protocol sources using authentication that is cryptographically based.

The Tanium Server must protect the confidentiality and integrity of transmitted information with cryptographic signing capabilities enabled to ensure the authenticity of communications sessions when making requests from Tanium Clients.

Symantec ProxySG must configure SNMPv3 so that cryptographically-based bidirectional authentication is used.

The Tanium cryptographic signing capabilities must be enabled on the Tanium Clients to safeguard the authenticity of communications sessions when answering requests from the Tanium Server.

The macOS system must restrict the ability to utilize external writeable media devices.

The macOS system must be configured with Bluetooth turned off unless approved by the organization.

The network device must be configured to authenticate SNMP messages using a FIPS-validated Keyed-Hash Message Authentication Code (HMAC).

The network device must authenticate Network Time Protocol (NTP) sources using authentication that is cryptographically based.

WLAN components must be FIPS 140-2 or FIPS 140-3 certified and configured to operate in FIPS mode.

The Arista network device must be configured to synchronize internal system clocks using redundant authenticated time sources.

The Arista network device must be configured to authenticate SNMP messages using a FIPS-validated Keyed-Hash Message Authentication Code (HMAC).

The Cisco ASA must be configured to authenticate Simple Network Management Protocol (SNMP) messages using a FIPS-validated Keyed-Hash Message Authentication Code (HMAC).

The Cisco ASA must be configured to encrypt Simple Network Management Protocol (SNMP) messages using a FIPS 140-2 approved algorithm.

The Cisco ASA must be configured to authenticate Network Time Protocol sources using authentication that is cryptographically based.

The Cisco switch must be configured to authenticate SNMP messages using a FIPS-validated Keyed-Hash Message Authentication Code (HMAC).

The Cisco switch must be configured to authenticate Network Time Protocol (NTP) sources using authentication that is cryptographically based.

The Cisco router must be configured to authenticate SNMP messages using a FIPS-validated Keyed-Hash Message Authentication Code (HMAC).

The Cisco router must be configured to authenticate NTP sources using authentication that is cryptographically based.

The Cisco ISE must be configured to authenticate SNMP messages using a FIPS-validated Keyed-Hash Message Authentication Code (HMAC).

The Cisco ISE must authenticate Network Time Protocol (NTP) sources using authentication that is cryptographically based.

The F5 BIG-IP appliance must authenticate Network Time Protocol (NTP) sources using authentication that is cryptographically based.

Before establishing a local, remote, and/or network connection with any endpoint device, the ISEC7 SPHERE must use a bidirectional authentication mechanism configured with a FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to authenticate with the device.

If SNMP is used, the ICS must be configured to use SNMPv3 with FIPS-140-2/3 validated Keyed-Hash Message Authentication Code (HMAC).

The ICS must be configured to authenticate Network Time Protocol (NTP) sources using authentication that is cryptographically based.

The ICS that provides a Simple Network Management Protocol (SNMP) Network Management System (NMS) must configure SNMPv3 to use FIPS-validated AES cipher block algorithm.

The Sentry must be configured to authenticate SNMP messages using a FIPS-validated Keyed-Hash Message Authentication Code (HMAC).

The Juniper EX switch must be configured to authenticate SNMP messages using a FIPS-validated Keyed-Hash Message Authentication Code (HMAC).

The Juniper EX switch must use an an NTP service that is hosted by a trusted source or a DOD-compliant enterprise or local NTP server.

Unauthenticated RPC clients must be restricted from connecting to the RPC server.

Unauthenticated Remote Procedure Call (RPC) clients must be restricted from connecting to the RPC server.

The computer account password must not be prevented from being reset.

The network device must authenticate Network Time Protocol sources using authentication that is cryptographically based.

ONTAP must be configured to authenticate SNMP messages using FIPS-validated Keyed-HMAC.

ONTAP must authenticate NTP sources using authentication that is cryptographically based.

The Riverbed NetProfiler must be configured to authenticate SNMP messages using a FIPS-validated Keyed-Hash Message Authentication Code (HMAC).

The Riverbed NetProfiler must be configured to authenticate Network Time Protocol (NTP) sources using authentication that is cryptographically based.

The Tanium application must authenticate endpoint devices (servers) before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based.

The TippingPoint SMS must be configured to authenticate SNMP messages using a FIPS-validated Keyed-Hash Message Authentication Code (HMAC).

The TippingPoint SMS must authenticate Network Time Protocol sources using authentication that is cryptographically based.

Service-Oriented Applications handling non-releasable data must authenticate endpoint devices via mutual SSL/TLS.

The Cisco router must be configured to authenticate Network Time Protocol (NTP) sources using authentication that is cryptographically based.

AlmaLinux OS 9 must not have the autofs package installed.

The Dell OS10 Switch must be configured to authenticate SNMP messages using a FIPS-validated Keyed-Hash Message Authentication Code (HMAC).

The Dell OS10 Switch must authenticate Network Time Protocol (NTP) sources using authentication that is cryptographically based.

Forescout must use a bidirectional authentication mechanism configured with a FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to authenticate with the endpoint device. This is required for compliance with C2C Step 1.

Forescout must be configured to authenticate SNMP messages using a FIPS-validated Keyed-Hash Message Authentication Code (HMAC).

Before establishing a connection with a Network Time Protocol (NTP) server, Forescout must authenticate using a bidirectional, cryptographically based authentication method that uses a FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to authenticate with the NTP server.

AOS must be configured to authenticate SNMP messages using a FIPS-validated Keyed-Hash Message Authentication Code (HMAC).

AOS must authenticate Network Time Protocol (NTP) sources using authentication that is cryptographically based.