CCI-004047

Multifactor certificate-based tokens (CAC) must be used when accessing the management interface.

The macOS system must enforce multifactor authentication for logon.

The macOS system must enforce multifactor authentication for the su command.

The macOS system must enforce multifactor authentication for privilege escalation through the sudo command.

The macOS system must enforce smart card authentication.

The macOS system must enforce multifactor authentication for login.

The application server must implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that the device meets organization-defined strength of mechanism requirements.

Ubuntu 22.04 LTS must implement multifactor authentication for remote access to privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access.

Ubuntu 22.04 LTS must implement smart card logins for multifactor authentication for local and network access to privileged and nonprivileged accounts.

The Central Log Server must implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that the device meets organization-defined strength of mechanism requirements.

The Cisco ISE must be configured to use an external authentication server to authenticate administrators prior to granting administrative access.

The DBMS must implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that the device meets organization-defined strength of mechanism requirements.

The container platform must implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that the device meets organization-defined strength of mechanism requirements.

The DNS server implementation must implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that the device meets organization-defined strength of mechanism requirements.

Forescout must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access.

The operating system must implement multifactor authentication for local, network, and/or remote access to privileged accounts and/or nonprivileged accounts such that the device meets organization-defined strength of mechanism requirements.

The ICS must be configured to prevent nonprivileged users from executing privileged functions.

The Juniper EX switch must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access.

The Juniper SRX Services Gateway must be configured to use an authentication server to centrally manage authentication and logon settings for remote and nonlocal access.

The Mainframe Product must implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that the device meets organization-defined strength of mechanism requirements.

The network device must be configured to implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that the device meets organization-defined strength of mechanism requirements.

OL 8 must have the package required for multifactor authentication installed.

OL 8 must implement certificate status checking for multifactor authentication.

OL 8 must implement multifactor authentication for access to interactive accounts.

The Riverbed NetProfiler must be configured to use an authentication server to authenticate users prior to granting administrative access.

RHEL 9 must enable certificate based smart card authentication.

The SUSE operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM).

Splunk Enterprise must use an SSO proxy service, F5 device, or SAML implementation to accept the DOD common access card (CAC) or other smart card credential for identity management, personal authentication, and multifactor authentication.

Splunk Enterprise must accept the DOD CAC or other PKI credential for identity management and personal authentication.

The Tanium Operating System (TanOS) must use multifactor authentication for network access to privileged accounts.

The Tanium Operating System (TanOS) must use multifactor authentication for network access to nonprivileged accounts.

Multifactor authentication must be enabled and enforced on the Tanium Server for all access and all accounts.

Multifactor authentication must be enabled on the Tanium Server for network access with privileged accounts.

The TippingPoint SMS must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access and to enforce access restrictions.

TOSS must use multifactor authentication for network and local access to privileged and nonprivileged accounts.

The VMM must implement multifactor authentication for local, network, and/or remote access to privileged accounts and/or nonprivileged accounts such that the device meets organization-defined strength of mechanism requirements.

The web server must implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that the device meets organization-defined strength of mechanism requirements.