Capacity
CCI-002421
Implement cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission.
22
Rule
Severity: Medium
Deactivate Wireless Network Interfaces
29
Rule
Severity: Medium
Install the OpenSSH Server Package
14
Rule
Severity: Medium
Enable the OpenSSH Service
3
Rule
Severity: Medium
Install the OpenSSH Client and Server Package
2
Rule
Severity: Medium
The application server must employ approved cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission.
2
Rule
Severity: Medium
The application must implement cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution System (PDS).
1
Rule
Severity: Medium
The BlackBerry UEM server must connect to [assignment: [SQL Server]] with an authenticated and secure (encrypted) connection to protect the confidentiality and integrity of transmitted information.
2
Rule
Severity: High
The BIND 9.x server implementation must uniquely identify and authenticate the other DNS server before responding to a server-to-server transaction, zone transfer and/or dynamic update request using cryptographically based bidirectional authentication to protect the integrity of the information in transit.
1
Rule
Severity: High
Citrix License Server must implement cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution Systems (PDS).
1
Rule
Severity: High
XenDesktop License Server must implement cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution Systems (PDS).
1
Rule
Severity: High
Citrix Linux Virtual Delivery Agent must implement DoD-approved encryption.
1
Rule
Severity: High
Citrix Receiver must implement DoD-approved encryption.
1
Rule
Severity: Medium
Citrix StoreFront server must accept Personal Identity Verification (PIV) credentials.
2
Rule
Severity: High
Citrix Windows Virtual Delivery Agent must implement DoD-approved encryption.
1
Rule
Severity: Medium
TCP socket binding for all Docker Engine - Enterprise nodes in a Universal Control Plane (UCP) cluster must be disabled.
2
Rule
Severity: Medium
The DNS server implementation must implement cryptographic mechanisms to detect changes to information during transmission unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution System (PDS).
1
Rule
Severity: High
DoD-approved encryption must be implemented to protect the confidentiality and integrity of remote access sessions, information during preparation for transmission, information during reception, and information during transmission in addition to enforcing replay-resistant authentication mechanisms for network access to privileged accounts.
1
Rule
Severity: Medium
The Infoblox DNS server must implement cryptographic mechanisms to detect changes to information during transmission unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution System (PDS).
1
Rule
Severity: Medium
The MQ Appliance messaging server must employ approved cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission.
2
Rule
Severity: Medium
The WebSphere Liberty Server must be configured to use HTTPS only.
1
Rule
Severity: Medium
The WebSphere Application Server must utilize FIPS 140-2-approved encryption modules when authenticating users and processes.
1
Rule
Severity: Medium
The WebSphere Application Server plugin must be configured to use HTTPS only.
1
Rule
Severity: Medium
The Infoblox system must implement cryptographic mechanisms to detect changes to information during transmission unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution System (PDS).
2
Rule
Severity: Medium
The ISEC7 EMM Suite must protect the confidentiality and integrity of transmitted information during preparation for transmission and during reception using cryptographic mechanisms.
2
Rule
Severity: High
The Jamf Pro EMM server must connect to [Authentication Gateway Service (AGS)] with an authenticated and secure (encrypted) connection to protect the confidentiality and integrity of transmitted information.
2
Rule
Severity: Medium
JBoss must be configured to use an approved cryptographic algorithm in conjunction with TLS.
1
Rule
Severity: Medium
Exchange OWA must have S/MIME Certificates enabled.
1
Rule
Severity: High
SharePoint must employ cryptographic mechanisms preventing the unauthorized disclosure of information during transmission, unless the transmitted data is otherwise protected by alternative physical measures.
1
Rule
Severity: Medium
The Windows 2012 DNS Server must maintain the integrity of information during preparation for transmission.
1
Rule
Severity: High
Nutanix AOS must implement DoD-approved encryption to protect the confidentiality of remote access sessions.
1
Rule
Severity: Medium
Oracle WebLogic must employ cryptographic encryption to protect the integrity and confidentiality of nonlocal maintenance and diagnostic communications.
1
Rule
Severity: Medium
Oracle WebLogic must protect the confidentiality of applications and leverage transmission protection mechanisms, such as TLS and SSL VPN, when deploying applications.
1
Rule
Severity: Medium
Oracle WebLogic must employ approved cryptographic mechanisms when transmitting sensitive data.
1
Rule
Severity: Medium
The Tanium Server must protect the confidentiality and integrity of transmitted information, in preparation to be transmitted and data at rest, with cryptographic signing capabilities enabled to protect the authenticity of communications sessions when making requests from Tanium Clients.
2
Rule
Severity: High
Tomcat must use FIPS-validated ciphers on secured connectors.
1
Rule
Severity: High
The macOS system must disable the SSHD service.
3
Rule
Severity: High
The macOS system must limit SSHD to FIPS-compliant connections.
3
Rule
Severity: High
The macOS system must limit SSH to FIPS-compliant connections.
1
Rule
Severity: High
The Ubuntu operating system must use SSH to protect the confidentiality and integrity of transmitted information unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution System (PDS).
2
Rule
Severity: Medium
The Ubuntu operating system must configure the SSH daemon to use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hashes to prevent the unauthorized disclosure of information and/or detect changes to information during transmission.
2
Rule
Severity: Medium
The Ubuntu operating system must configure the SSH daemon to use FIPS 140-2 approved ciphers to prevent the unauthorized disclosure of information and/or detect changes to information during transmission.
2
Rule
Severity: High
The operating system must implement cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution System (PDS).
2
Rule
Severity: Medium
SSMC must employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions.
2
Rule
Severity: High
The HPE 3PAR OS must be configured to restrict the encryption algorithms and protocols to comply with DOD-approved encryption to protect the confidentiality and integrity of remote access sessions.
2
Rule
Severity: Medium
AIX must protect the confidentiality and integrity of transmitted information during preparation for transmission and maintain the confidentiality and integrity of information during reception and disable all non-encryption network access methods.
4
Rule
Severity: Medium
IBM z/OS SSL encryption options for the TN3270 Telnet Server must be specified properly for each statement that defines a SECUREPORT or within the TELNETGLOBALS.
2
Rule
Severity: Medium
IBM z/OS SSL encryption options for the TN3270 Telnet server must be specified properly for each statement that defines a SECUREPORT or within the TELNETGLOBALS.
4
Rule
Severity: Medium
Outgoing secure channel traffic must be encrypted or signed.
2
Rule
Severity: Medium
Outgoing secure channel traffic must be encrypted when possible.
2
Rule
Severity: Medium
Outgoing secure channel traffic must be signed when possible.
2
Rule
Severity: Medium
The system must be configured to require a strong session key.
2
Rule
Severity: Medium
The Windows SMB client must be configured to always perform SMB packet signing.
2
Rule
Severity: Medium
The Windows SMB server must be configured to always perform SMB packet signing.
2
Rule
Severity: Medium
Windows 11 domain-joined systems must have a Trusted Platform Module (TPM) enabled.
2
Rule
Severity: Medium
Windows 11 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS.
2
Rule
Severity: Medium
Secure Boot must be enabled on Windows 11 systems.
2
Rule
Severity: Medium
Outgoing secure channel traffic must be encrypted.
2
Rule
Severity: Medium
Outgoing secure channel traffic must be signed.
2
Rule
Severity: Medium
Domain controllers must require LDAP access signing.
2
Rule
Severity: Medium
The setting Domain member: Digitally encrypt or sign secure channel data (always) must be configured to Enabled.
2
Rule
Severity: Medium
The setting Domain member: Digitally encrypt secure channel data (when possible) must be configured to enabled.
2
Rule
Severity: Medium
The setting Domain member: Digitally sign secure channel data (when possible) must be configured to Enabled.
2
Rule
Severity: Medium
Windows Server 2016 must be configured to require a strong session key.
2
Rule
Severity: Medium
The setting Microsoft network client: Digitally sign communications (always) must be configured to Enabled.
2
Rule
Severity: Medium
The setting Microsoft network client: Digitally sign communications (if server agrees) must be configured to Enabled.
2
Rule
Severity: Medium
The setting Microsoft network server: Digitally sign communications (always) must be configured to Enabled.
2
Rule
Severity: Medium
The setting Microsoft network server: Digitally sign communications (if client agrees) must be configured to Enabled.
2
Rule
Severity: Medium
Windows Server 2019 domain controllers must require LDAP access signing.
2
Rule
Severity: Medium
Windows Server 2019 setting Domain member: Digitally encrypt or sign secure channel data (always) must be configured to Enabled.
2
Rule
Severity: Medium
Windows Server 2019 setting Domain member: Digitally encrypt secure channel data (when possible) must be configured to enabled.
2
Rule
Severity: Medium
Windows Server 2019 setting Domain member: Digitally sign secure channel data (when possible) must be configured to Enabled.
2
Rule
Severity: Medium
Windows Server 2019 must be configured to require a strong session key.
2
Rule
Severity: Medium
Windows Server 2019 setting Microsoft network client: Digitally sign communications (always) must be configured to Enabled.
2
Rule
Severity: Medium
Windows Server 2019 setting Microsoft network client: Digitally sign communications (if server agrees) must be configured to Enabled.
2
Rule
Severity: Medium
Windows Server 2019 setting Microsoft network server: Digitally sign communications (always) must be configured to Enabled.
2
Rule
Severity: Medium
Windows Server 2019 setting Microsoft network server: Digitally sign communications (if client agrees) must be configured to Enabled.
2
Rule
Severity: Medium
Windows Server 2022 domain controllers must require LDAP access signing.
2
Rule
Severity: Medium
Windows Server 2022 setting Domain member: Digitally encrypt or sign secure channel data (always) must be configured to Enabled.
2
Rule
Severity: Medium
Windows Server 2022 setting Domain member: Digitally encrypt secure channel data (when possible) must be configured to Enabled.
2
Rule
Severity: Medium
Windows Server 2022 setting Domain member: Digitally sign secure channel data (when possible) must be configured to Enabled.
2
Rule
Severity: Medium
Windows Server 2022 must be configured to require a strong session key.
2
Rule
Severity: Medium
Windows Server 2022 setting Microsoft network client: Digitally sign communications (always) must be configured to Enabled.
2
Rule
Severity: Medium
Windows Server 2022 setting Microsoft network client: Digitally sign communications (if server agrees) must be configured to Enabled.
2
Rule
Severity: Medium
Windows Server 2022 setting Microsoft network server: Digitally sign communications (always) must be configured to Enabled.
2
Rule
Severity: Medium
Windows Server 2022 setting Microsoft network server: Digitally sign communications (if client agrees) must be configured to Enabled.
2
Rule
Severity: High
The DBMS must employ cryptographic mechanisms preventing the unauthorized disclosure of information during transmission unless the transmitted data is otherwise protected by alternative physical measures.
2
Rule
Severity: Medium
The Oracle Linux operating system must be configured so that all wireless network adapters are disabled.
2
Rule
Severity: Medium
All OL 8 networked systems must have SSH installed.
2
Rule
Severity: Medium
All OL 8 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission.
2
Rule
Severity: High
Automation Controller must implement cryptography mechanisms to protect the integrity of information.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must be configured so that all networked systems have SSH installed.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must be configured so that all networked systems use SSH for confidentiality and integrity of transmitted and received information as well as information during preparation for transmission.
2
Rule
Severity: Medium
All RHEL 9 networked systems must have SSH installed.
2
Rule
Severity: Medium
All RHEL 9 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission.
4
Rule
Severity: High
All networked SUSE operating systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission.
2
Rule
Severity: Medium
RHEL 9 must force a frequent session key renegotiation for SSH connections to the server.
2
Rule
Severity: Medium
RHEL 9 wireless network adapters must be disabled.
4
Rule
Severity: Medium
The operating system must employ cryptographic mechanisms to recognize changes to information during transmission unless otherwise protected by alternative physical measures.
4
Rule
Severity: Medium
The operating system must employ cryptographic mechanisms to prevent unauthorized disclosure of information during transmission unless otherwise protected by alternative physical measures.
1
Rule
Severity: Low
The Photon operating system must configure sshd to use FIPS 140-2 ciphers.
2
Rule
Severity: Medium
The Windows DNS Server must implement cryptographic mechanisms to detect changes to information during transmission.
1
Rule
Severity: Medium
Ubuntu 22.04 LTS must configure the SSH daemon to use FIPSĀ 140-3-approved ciphers to prevent the unauthorized disclosure of information and/or detect changes to information during transmission.
1
Rule
Severity: Medium
Ubuntu 22.04 LTS must configure the SSH daemon to use Message Authentication Codes (MACs) employing FIPS 140-3-approved cryptographic hashes to prevent the unauthorized disclosure of information and/or detect changes to information during transmission.
1
Rule
Severity: Medium
The ISEC7 SPHERE must protect the confidentiality and integrity of transmitted information during preparation for transmission and during reception using cryptographic mechanisms.
1
Rule
Severity: High
SLEM 5 must use SSH to protect the confidentiality and integrity of transmitted information.
1
Rule
Severity: Medium
All TOSS networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission.
1
Rule
Severity: Medium
The vCenter Server must use DOD-approved encryption to protect the confidentiality of network sessions.
Patternfly
PatternFly elements
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.
Modules