CCI-003123

Implement organization-defined cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications.

22 rules found Severity: Medium

20 rules found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

3 rules found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

2 rules found Severity: High

1 rule found Severity: Medium

4 rules found Severity: High

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

3 rules found Severity: High

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

3 rules found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

7 rules found Severity: Medium

17 rules found Severity: High

1 rule found Severity: High

2 rules found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

2 rules found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Low

3 rules found Severity: High

2 rules found Severity: High

1 rule found Severity: High

CCI-003123

Use Only FIPS 140-2 Validated Ciphers

Use Only FIPS 140-2 Validated MACs

Set kernel parameter 'crypto.fips_enabled' to 1

Configure SSH Client to Use FIPS 140-2 Validated Ciphers: openssh.config

The A10 Networks ADC must not use SNMP Versions 1 or 2.

Arista Multilayer Switches used for nonlocal maintenance sessions must implement cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications.

Applications used for nonlocal maintenance sessions must implement cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications.

FIPS mode must be enabled on all Docker Engine - Enterprise nodes.

The FortiGate device must implement cryptographic mechanisms using a FIPS 140-2 approved algorithm to protect the confidentiality of remote maintenance sessions.

The HYCU server must use FIPS-validated algorithms for authentication to a cryptographic module and Keyed-Hash Message Authentication Code (HMAC) to protect the integrity and confidentiality of remote maintenance sessions.

Applications used for nonlocal maintenance sessions using the MQ Appliance WebGUI must implement cryptographic mechanisms to protect the confidentiality and integrity of nonlocal maintenance and diagnostic communications.

The Ivanti MobileIron Core server must configure web management tools with FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to protect the confidentiality of maintenance and diagnostic communications for nonlocal maintenance sessions.

MobileIron Sentry must be configured to implement cryptographic mechanisms using a FIPS 140-2 approved algorithm to protect the confidentiality of remote maintenance sessions.

The ISEC7 EMM Suite must use a FIPS-validated cryptographic module to provision digital signatures.

The SCOM Web Console must be configured for HTTPS.

Nutanix AOS must implement DoD-approved encryption to protect the confidentiality of remote access sessions.

The SEL-2740S must be adopted by OTSDN Controllers for secure communication identifiers and initial trust for configuration of remote maintenance and diagnostic communications.

The Symantec ProxySG Web Management Console and SSH sessions must implement cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications.

The macOS system must implement approved ciphers within the SSH server configuration to protect the confidentiality of SSH connections.

The macOS system must implement approved Message Authentication Codes (MACs) within the SSH server configuration.

The macOS system must implement approved Key Exchange Algorithms within the SSH server configuration.

The macOS system must implement approved ciphers within the SSH client configuration to protect the confidentiality of SSH connections.

The macOS system must implement approved Message Authentication Codes (MACs) within the SSH client configuration.

The macOS system must implement approved Key Exchange Algorithms within the SSH client configuration.

The Ubuntu operating system must configure the SSH daemon to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms to protect the integrity of nonlocal maintenance and diagnostic communications.

The network device must be configured to implement cryptographic mechanisms using a FIPS 140-2 approved algorithm to protect the confidentiality of remote maintenance sessions.

The Arista network device must be configured to implement cryptographic mechanisms using a FIPS 140-2 approved algorithm to protect the confidentiality of remote maintenance sessions.

The Ubuntu operating system must configure the SSH daemon to use FIPS 140-2 approved ciphers to prevent the unauthorized disclosure of information and/or detect changes to information during transmission.

The Cisco ASA must be configured to implement cryptographic mechanisms using a FIPS 140-2 approved algorithm to protect the confidentiality of remote maintenance sessions.

The Cisco switch must be configured to implement cryptographic mechanisms to protect the confidentiality of remote maintenance sessions.

The Cisco router must be configured to implement cryptographic mechanisms to protect the confidentiality of remote maintenance sessions.

The Cisco ISE must be configured to implement cryptographic mechanisms using a FIPS 140-2 validated algorithm to protect the confidentiality of remote maintenance sessions.

SSMC must employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions.

The HPE 3PAR OS must be configured to restrict the encryption algorithms and protocols to comply with DOD-approved encryption to protect the confidentiality and integrity of remote access sessions.

AIX must protect the confidentiality and integrity of transmitted information during preparation for transmission and maintain the confidentiality and integrity of information during reception and disable all non-encryption network access methods.

The ISEC7 SPHERE must use a FIPS-validated cryptographic module to provision digital signatures.

The ICS must be configured to audit the execution of privileged functions such as accounts additions and changes.

The Ivanti EPMM server must configure web management tools with FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to protect the confidentiality of maintenance and diagnostic communications for nonlocal maintenance sessions.

Sentry must be configured to implement cryptographic mechanisms using a FIPS 140-2 approved algorithm to protect the confidentiality of remote maintenance sessions.

The Juniper EX switch must be configured to implement cryptographic mechanisms using a FIPS 140-2 approved algorithm to protect the confidentiality of remote maintenance sessions.

FIPS mode must be enabled.

The Windows Remote Management (WinRM) service must not allow unencrypted traffic.

The Windows Remote Management (WinRM) client must not allow unencrypted traffic.

The network device must be configured to implement cryptographic mechanisms using a FIPS 140-2 approved algorithm to protect the confidentiality of remote maintenance sessions

ONTAP must be configured to implement cryptographic mechanisms using FIPS 140-2.

The Oracle Linux 7 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections.

The Riverbed NetProfiler must be configured to implement cryptographic mechanisms using a FIPS 140-2/140-3 validated algorithm to protect the confidentiality and integrity of all cryptographic functions.

SLEM 5 SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2/140-3 approved cryptographic hash algorithms.

The TippingPoint TPS must have FIPS mode enforced.

The TOSS operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections.

Install crypto-policies package

Configure System Cryptography Policy

NixOS must implement DOD-approved encryption to protect the confidentiality of remote access sessions.

The macOS system must limit SSHD to FIPS-compliant connections.

Applications used for non-local maintenance sessions must implement cryptographic mechanisms to protect the confidentiality of non-local maintenance and diagnostic communications.

Ubuntu 22.04 LTS must configure the SSH daemon to use FIPS 140-3-approved ciphers to prevent the unauthorized disclosure of information and/or detect changes to information during transmission.

AlmaLinux OS 9 must have the crypto-policies package installed.

AlmaLinux OS 9 must implement a systemwide encryption policy.

The container platform must configure web management tools and Application Program Interfaces (API) with FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to protect the confidentiality of maintenance and diagnostic communications for nonlocal maintenance sessions.

The Dell OS10 Switch must be configured to implement cryptographic mechanisms using a FIPS 140-2 approved algorithm to protect the confidentiality of remote maintenance sessions.

AOS must use FIPS 140-2/140-3 approved algorithms for authentication to a cryptographic module.

The operating system must implement cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications, when used for nonlocal maintenance sessions.

The HYCU virtual appliance must be configured to implement cryptographic mechanisms using a FIPS 140-2-approved algorithm to protect the confidentiality of remote maintenance sessions.

IBM z/OS SSL encryption options for the TN3270 Telnet Server must be specified properly for each statement that defines a SECUREPORT or within the TELNETGLOBALS.

The Juniper router must be configured to implement cryptographic mechanisms to protect the confidentiality of remote maintenance sessions.

IBM z/OS SSL encryption options for the TN3270 Telnet server must be specified properly for each statement that defines a SECUREPORT or within the TELNETGLOBALS.

The Juniper SRX Services Gateway must securely configure SNMPv3 with privacy options to protect the confidentiality of nonlocal maintenance and diagnostic communications using SNMP.

The Juniper SRX Services Gateway must use SSHv2 with privacy options to protect the confidentiality of maintenance and diagnostic communications for nonlocal maintenance sessions using SSH.

For nonlocal maintenance sessions, the Juniper SRX Services Gateway must ensure only zones where management functionality is desired have host-inbound-traffic system-services configured.

Mainframe Products must implement cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications.

Windows Server 2019 Windows Remote Management (WinRM) client must not allow unencrypted traffic.

Windows Server 2019 Windows Remote Management (WinRM) service must not allow unencrypted traffic.

Windows Server 2022 Windows Remote Management (WinRM) client must not allow unencrypted traffic.

Windows Server 2022 Windows Remote Management (WinRM) service must not allow unencrypted traffic.

OpenShift must protect authenticity of communications sessions with the use of FIPS-validated 140-2 or 140-3 validated cryptography.

The Palo Alto Networks security platform must not use SNMP Versions 1 or 2.

RHEL 9 must have the crypto-policies package installed.

RHEL 9 cryptographic policy must not be overridden.

RHEL 9 must implement a FIPS 140-3 compliant systemwide cryptographic policy.