CCI-002421

Implement cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission.

25 rules found Severity: Medium

33 rules found Severity: Medium

19 rules found Severity: Medium

3 rules found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

2 rules found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

24 rules found Severity: Medium

1 rule found Severity: High

2 rules found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

2 rules found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

2 rules found Severity: High

2 rules found Severity: Medium

1 rule found Severity: Low

1 rule found Severity: High

1 rule found Severity: Medium

3 rules found Severity: High

1 rule found Severity: High

1 rule found Severity: Medium

CCI-002421

Deactivate Wireless Network Interfaces

Install the OpenSSH Server Package

Enable the OpenSSH Service

Install the OpenSSH Client and Server Package

The BlackBerry UEM server must connect to [assignment: [SQL Server]] with an authenticated and secure (encrypted) connection to protect the confidentiality and integrity of transmitted information.

Citrix License Server must implement cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution Systems (PDS).

XenDesktop License Server must implement cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution Systems (PDS).

Citrix Linux Virtual Delivery Agent must implement DoD-approved encryption.

Citrix Receiver must implement DoD-approved encryption.

Citrix StoreFront server must accept Personal Identity Verification (PIV) credentials.

Citrix Windows Virtual Delivery Agent must implement DoD-approved encryption.

TCP socket binding for all Docker Engine - Enterprise nodes in a Universal Control Plane (UCP) cluster must be disabled.

The Infoblox DNS server must implement cryptographic mechanisms to detect changes to information during transmission unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution System (PDS).

The MQ Appliance messaging server must employ approved cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission.

The WebSphere Application Server must utilize FIPS 140-2-approved encryption modules when authenticating users and processes.

The WebSphere Application Server plugin must be configured to use HTTPS only.

The Infoblox system must implement cryptographic mechanisms to detect changes to information during transmission unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution System (PDS).

The ISEC7 EMM Suite must protect the confidentiality and integrity of transmitted information during preparation for transmission and during reception using cryptographic mechanisms.

Exchange OWA must have S/MIME Certificates enabled.

The Windows 2012 DNS Server must maintain the integrity of information during preparation for transmission.

Nutanix AOS must implement DoD-approved encryption to protect the confidentiality of remote access sessions.

Oracle WebLogic must employ cryptographic encryption to protect the integrity and confidentiality of nonlocal maintenance and diagnostic communications.

Oracle WebLogic must protect the confidentiality of applications and leverage transmission protection mechanisms, such as TLS and SSL VPN, when deploying applications.

Oracle WebLogic must employ approved cryptographic mechanisms when transmitting sensitive data.

The Tanium Server must protect the confidentiality and integrity of transmitted information, in preparation to be transmitted and data at rest, with cryptographic signing capabilities enabled to protect the authenticity of communications sessions when making requests from Tanium Clients.

The Ubuntu operating system must use SSH to protect the confidentiality and integrity of transmitted information unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution System (PDS).

The Red Hat Enterprise Linux operating system must be configured so that all networked systems have SSH installed.

The Red Hat Enterprise Linux operating system must be configured so that all networked systems use SSH for confidentiality and integrity of transmitted and received information as well as information during preparation for transmission.

Tomcat must use FIPS-validated ciphers on secured connectors.

The Ubuntu operating system must configure the SSH daemon to use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hashes to prevent the unauthorized disclosure of information and/or detect changes to information during transmission.

The Ubuntu operating system must configure the SSH daemon to use FIPS 140-2 approved ciphers to prevent the unauthorized disclosure of information and/or detect changes to information during transmission.

The DNS server implementation must implement cryptographic mechanisms to detect changes to information during transmission unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution System (PDS).

SSMC must employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions.

The HPE 3PAR OS must be configured to restrict the encryption algorithms and protocols to comply with DOD-approved encryption to protect the confidentiality and integrity of remote access sessions.

AIX must protect the confidentiality and integrity of transmitted information during preparation for transmission and maintain the confidentiality and integrity of information during reception and disable all non-encryption network access methods.

The WebSphere Liberty Server must be configured to use HTTPS only.

The ISEC7 SPHERE must protect the confidentiality and integrity of transmitted information during preparation for transmission and during reception using cryptographic mechanisms.

The Jamf Pro EMM server must connect to [Authentication Gateway Service (AGS)] with an authenticated and secure (encrypted) connection to protect the confidentiality and integrity of transmitted information.

JBoss must be configured to use an approved cryptographic algorithm in conjunction with TLS.

Windows 11 domain-joined systems must have a Trusted Platform Module (TPM) enabled.

Windows 11 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS.

Secure Boot must be enabled on Windows 11 systems.

Outgoing secure channel traffic must be encrypted or signed.

Outgoing secure channel traffic must be encrypted.

Outgoing secure channel traffic must be signed.

Domain controllers must require LDAP access signing.

The setting Domain member: Digitally encrypt or sign secure channel data (always) must be configured to Enabled.

The setting Domain member: Digitally encrypt secure channel data (when possible) must be configured to enabled.

The setting Domain member: Digitally sign secure channel data (when possible) must be configured to Enabled.

Windows Server 2016 must be configured to require a strong session key.

The setting Microsoft network client: Digitally sign communications (always) must be configured to Enabled.

The setting Microsoft network client: Digitally sign communications (if server agrees) must be configured to Enabled.

The setting Microsoft network server: Digitally sign communications (always) must be configured to Enabled.

The setting Microsoft network server: Digitally sign communications (if client agrees) must be configured to Enabled.

The Windows DNS Server must implement cryptographic mechanisms to detect changes to information during transmission.

The Oracle Linux operating system must be configured so that all wireless network adapters are disabled.

Automation Controller must implement cryptography mechanisms to protect the integrity of information.

SLEM 5 must use SSH to protect the confidentiality and integrity of transmitted information.

All TOSS networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission.

Force frequent session key renegotiation

NixOS must protect the confidentiality and integrity of transmitted information.

The macOS system must limit SSHD to FIPS-compliant connections.

The macOS system must limit SSH to FIPS-compliant connections.

The application server must employ approved cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission.

The application must implement cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution System (PDS).

Ubuntu 22.04 LTS must configure the SSH daemon to use FIPS 140-3-approved ciphers to prevent the unauthorized disclosure of information and/or detect changes to information during transmission.

Ubuntu 22.04 LTS must configure the SSH daemon to use Message Authentication Codes (MACs) employing FIPS 140-3-approved cryptographic hashes to prevent the unauthorized disclosure of information and/or detect changes to information during transmission.

All AlmaLinux OS 9 networked systems must implement SSH to protect the confidentiality and integrity of transmitted and received information, including information being prepared for transmission.

All AlmaLinux OS 9 networked systems must have the OpenSSH server installed.

The operating system must implement cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution System (PDS).

IBM z/OS SSL encryption options for the TN3270 Telnet Server must be specified properly for each statement that defines a SECUREPORT or within the TELNETGLOBALS.

IBM z/OS SSL encryption options for the TN3270 Telnet server must be specified properly for each statement that defines a SECUREPORT or within the TELNETGLOBALS.

SharePoint must employ cryptographic mechanisms preventing the unauthorized disclosure of information during transmission, unless the transmitted data is otherwise protected by alternative physical measures.

Outgoing secure channel traffic must be encrypted when possible.

Outgoing secure channel traffic must be signed when possible.

The system must be configured to require a strong session key.

The Windows SMB client must be configured to always perform SMB packet signing.

The Windows SMB server must be configured to always perform SMB packet signing.

Windows Server 2019 domain controllers must require LDAP access signing.