CCI-004046

Multifactor certificate-based tokens (CAC) must be used when accessing the management interface.

The macOS system must disable password authentication for SSH.

The macOS system must enforce smart card authentication.

The ALG providing user authentication intermediary services must implement multifactor authentication for remote access to nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access.

The ALG providing user authentication intermediary services must implement multifactor authentication for remote access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access.

The application server must implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access.

The Ubuntu operating system must implement multifactor authentication for remote access to privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access.

Ubuntu 22.04 LTS must implement multifactor authentication for remote access to privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access.

The Central Log Server must be configured to use multifactor authentication for network access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access.

The Cisco ISE must be configured to use an external authentication server to authenticate administrators prior to granting administrative access.

The DBMS must implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access.

The container platform must implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access.

The DNS server implementation must implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access.

Forescout must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access.

The operating system must implement multifactor authentication for remote access to privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access.

The AIX operating system must use Multi Factor Authentication.

The ICS must be configured to prevent nonprivileged users from executing privileged functions.

The Sentry providing mobile device authentication intermediary services must implement multifactor authentication for remote access to nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access.

The Juniper EX switch must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access.

The Juniper SRX Services Gateway must be configured to use an authentication server to centrally manage authentication and logon settings for remote and nonlocal access.

The Mainframe Product must implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access.

The network device must be configured to implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access.

The Oracle Linux operating system must uniquely identify and must authenticate users using multifactor authentication via a graphical user logon.

OL 8 must have the package required for multifactor authentication installed.

OL 8 must implement certificate status checking for multifactor authentication.

The Oracle Linux operating system must have the required packages for multifactor authentication installed.

The Oracle Linux operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM).

The Oracle Linux operating system must implement certificate status checking for PKI authentication.

The Riverbed NetProfiler must be configured to use an authentication server to authenticate users prior to granting administrative access.

RHEL 8 must have the packages required for multifactor authentication installed.

RHEL 8 must implement certificate status checking for multifactor authentication.

RHEL 9 must have the openssl-pkcs11 package installed.

RHEL 9 must enable certificate based smart card authentication.

RHEL 9 must implement certificate status checking for multifactor authentication.

RHEL 9 must have the pcsc-lite package installed.

The pcscd service on RHEL 9 must be active.

RHEL 9 must have the opensc package installed.

The SUSE operating system must have the packages required for multifactor authentication to be installed.

The SUSE operating system must implement certificate status checking for multifactor authentication.

The SUSE operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM).

Multifactor authentication must be enabled on the Tanium Server for network access with privileged accounts.

Multifactor authentication must be enabled and enforced on the Tanium Server for all access and all accounts.

The TippingPoint SMS must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access and to enforce access restrictions.

TOSS must have the packages required for multifactor authentication installed.

The VMM must implement multifactor authentication for remote access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access.

The VPN Client must implement multifactor authentication for network access to nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access.

The web server must implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access.

The UEM server must be configured to use DOD PKI for multifactor authentication. This requirement is included in SRG-APP-000149.