Skip to content
Log In

CCI-004047

Implement multi-factor authentication for local; network; and/or remote access to privileged accounts; and/or non-privileged accounts such that the device meets organization-defined strength of mechanism requirements.

Multifactor certificate-based tokens (CAC) must be used when accessing the management interface.

1 rule found Severity: Medium

Logo

The Cisco ISE must be configured to use an external authentication server to authenticate administrators prior to granting administrative access.

1 rule found Severity: Medium

Logo

The DNS server implementation must implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that the device meets organization-defined strength of mechanism requirements.

1 rule found Severity: Medium

Logo

The ICS must be configured to prevent nonprivileged users from executing privileged functions.

1 rule found Severity: High

Logo

The Juniper EX switch must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access.

1 rule found Severity: High

Logo

The network device must be configured to implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that the device meets organization-defined strength of mechanism requirements.

1 rule found Severity: Medium

Logo

The Riverbed NetProfiler must be configured to use an authentication server to authenticate users prior to granting administrative access.

1 rule found Severity: High

Logo

Splunk Enterprise must use an SSO proxy service, F5 device, or SAML implementation to accept the DOD common access card (CAC) or other smart card credential for identity management, personal authentication, and multifactor authentication.

1 rule found Severity: Medium

Logo

Splunk Enterprise must accept the DOD CAC or other PKI credential for identity management and personal authentication.

1 rule found Severity: High

Logo

The Tanium Operating System (TanOS) must use multifactor authentication for network access to privileged accounts.

1 rule found Severity: High

Logo

The Tanium Operating System (TanOS) must use multifactor authentication for network access to nonprivileged accounts.

1 rule found Severity: Medium

Logo

Multifactor authentication must be enabled and enforced on the Tanium Server for all access and all accounts.

2 rules found Severity: Medium

Logo

Multifactor authentication must be enabled on the Tanium Server for network access with privileged accounts.

1 rule found Severity: High

Logo

The TippingPoint SMS must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access and to enforce access restrictions.

1 rule found Severity: High

Logo

TOSS must use multifactor authentication for network and local access to privileged and nonprivileged accounts.

1 rule found Severity: Medium

Logo

The web server must implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that the device meets organization-defined strength of mechanism requirements.

1 rule found Severity: Medium

Logo

Enable Smartcards in SSSD

12 rules found Severity: Medium

Logo

Enable Smart Card Logins in PAM

5 rules found Severity: Medium

Logo

NixOS must implement multifactor authentication for remote access to privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access.

1 rule found Severity: Medium

Logo

The macOS system must enforce multifactor authentication for logon.

1 rule found Severity: Medium

Logo

The macOS system must enforce multifactor authentication for the su command.

2 rules found Severity: Medium

Logo

The macOS system must enforce multifactor authentication for privilege escalation through the sudo command.

2 rules found Severity: Medium

Logo

The macOS system must enforce smart card authentication.

1 rule found Severity: Medium

Logo

The macOS system must enforce multifactor authentication for login.

1 rule found Severity: Medium

Logo

The application server must implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that the device meets organization-defined strength of mechanism requirements.

1 rule found Severity: Medium

Logo

Ubuntu 22.04 LTS must implement multifactor authentication for remote access to privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access.

1 rule found Severity: Medium

Logo

Ubuntu 22.04 LTS must implement smart card logins for multifactor authentication for local and network access to privileged and nonprivileged accounts.

1 rule found Severity: Medium

Logo

The Central Log Server must implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that the device meets organization-defined strength of mechanism requirements.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must enable certificate based smart card authentication.

1 rule found Severity: Medium

Logo

The container platform must implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that the device meets organization-defined strength of mechanism requirements.

1 rule found Severity: Medium

Logo

The Dell OS10 Switch must be configured to use DOD PKI as multifactor authentication (MFA) for interactive logins.

1 rule found Severity: High

Logo

The DBMS must implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that the device meets organization-defined strength of mechanism requirements.

1 rule found Severity: Medium

Logo

Forescout must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access.

1 rule found Severity: Medium

Logo

The HYCU virtual appliance must be configured to use DOD PKI as multifactor authentication (MFA) for interactive logins.

1 rule found Severity: High

Logo

The operating system must implement multifactor authentication for local, network, and/or remote access to privileged accounts and/or nonprivileged accounts such that the device meets organization-defined strength of mechanism requirements.

1 rule found Severity: Medium

Logo

The Juniper SRX Services Gateway must be configured to use an authentication server to centrally manage authentication and logon settings for remote and nonlocal access.

1 rule found Severity: Medium

Logo

The Mainframe Product must implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that the device meets organization-defined strength of mechanism requirements.

1 rule found Severity: Medium

Logo

OL 8 must have the package required for multifactor authentication installed.

1 rule found Severity: Low

Logo

OL 8 must implement certificate status checking for multifactor authentication.

1 rule found Severity: Medium

Logo

OL 8 must implement multifactor authentication for access to interactive accounts.

1 rule found Severity: Medium

Logo

RHEL 9 must enable certificate based smart card authentication.

1 rule found Severity: Medium

Logo

The SUSE operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM).

1 rule found Severity: Medium

Logo

The VMM must implement multifactor authentication for local, network, and/or remote access to privileged accounts and/or nonprivileged accounts such that the device meets organization-defined strength of mechanism requirements.

1 rule found Severity: Medium

Logo