STIGhub
CCI-000068
Definition
Implement cryptographic mechanisms to protect the confidentiality of remote access sessions.
Parent Control
AC-17 (2)
Remote Access
Access Control
Linked STIG Checks (200)
V-237032
CAT II
The A10 Networks ADC, when used for TLS encryption and decryption, must be configured to comply with the required TLS settings in NIST SP 800-52.
A10 Networks ADC ALG Security Technical Implementation Guide
V-279094
CAT I
ColdFusion must remove all export ciphers to protect the confidentiality and integrity of transmitted information.
Adobe ColdFusion Security Technical Implementation Guide
V-76401
CAT I
Kona Site Defender that provides intermediary services for TLS must be configured to comply with the required TLS settings in NIST SP 800-52.
Akamai KSD Service Impact Level 2 ALG Security Technical Implementation Guide
V-274046
CAT I
Amazon Linux 2023 must force a frequent session key renegotiation for SSH connections to the server.
Amazon Linux 2023 Security Technical Implementation Guide
V-274057
CAT I
Amazon Linux 2023 must enable FIPS mode.
Amazon Linux 2023 Security Technical Implementation Guide
V-283441
CAT I
Amazon Linux 2023 must enable FIPS mode.
Amazon Linux 2023 Security Technical Implementation Guide
V-268089
CAT I
NixOS must implement DOD-approved encryption to protect the confidentiality of remote access sessions.
Anduril NixOS Security Technical Implementation Guide
V-214230
CAT II
The Apache web server must use cryptography to protect the integrity of remote sessions.
Apache Server 2.4 UNIX Server Security Technical Implementation Guide
V-214278
CAT II
The Apache web server must use encryption strength in accordance with the categorization of data hosted by the Apache web server when remote connections are provided.
Apache Server 2.4 UNIX Site Security Technical Implementation Guide
V-214308
CAT II
The Apache web server must use encryption strength in accordance with the categorization of data hosted by the Apache web server when remote connections are provided.
Apache Server 2.4 Windows Server Security Technical Implementation Guide
V-267937
CAT III
Apple iOS/iPadOS 18 must allow the administrator (MDM) to perform the following management function: enable/disable VPN protection across the device and [selection: on a per-app basis, on a per-group of applications processes basis].
Apple iOS/iPadOS 18 Security Technical Implementation Guide
V-278697
CAT III
Apple iOS/iPadOS 26 must allow the administrator (MDM) to perform the following management function: enable/disable VPN protection across the device and [selection: on a per-app basis, on a per-group of applications processes basis].
Apple iOS/iPadOS 26 Security Technical Implementation Guide
V-252459
CAT I
The macOS system must implement approved ciphers within the SSH server configuration to protect the confidentiality of SSH connections.
Apple macOS 12 (Monterey) Security Technical Implementation Guide
V-252460
CAT I
The macOS system must implement approved Message Authentication Codes (MACs) within the SSH server configuration.
Apple macOS 12 (Monterey) Security Technical Implementation Guide
V-252461
CAT I
The macOS system must implement approved Key Exchange Algorithms within the SSH server configuration.
Apple macOS 12 (Monterey) Security Technical Implementation Guide
V-257773
CAT I
The macOS system must implement approved ciphers within the SSH client configuration to protect the confidentiality of SSH connections.
Apple macOS 12 (Monterey) Security Technical Implementation Guide
V-257774
CAT I
The macOS system must implement approved Message Authentication Codes (MACs) within the SSH client configuration.
Apple macOS 12 (Monterey) Security Technical Implementation Guide
V-257775
CAT I
The macOS system must implement approved Key Exchange Algorithms within the SSH client configuration.
Apple macOS 12 (Monterey) Security Technical Implementation Guide
V-257165
CAT I
The macOS system must implement approved ciphers within the SSH server configuration to protect the confidentiality of SSH connections.
Apple macOS 13 (Ventura) Security Technical Implementation Guide
V-257166
CAT I
The macOS system must implement approved Message Authentication Codes (MACs) within the SSH server configuration.
Apple macOS 13 (Ventura) Security Technical Implementation Guide
V-257167
CAT I
The macOS system must implement approved Key Exchange Algorithms within the SSH server configuration.
Apple macOS 13 (Ventura) Security Technical Implementation Guide
V-257293
CAT I
The macOS system must implement approved ciphers within the SSH client configuration to protect the confidentiality of SSH connections.
Apple macOS 13 (Ventura) Security Technical Implementation Guide
V-257294
CAT I
The macOS system must implement approved Message Authentication Codes (MACs) within the SSH client configuration.
Apple macOS 13 (Ventura) Security Technical Implementation Guide
V-257295
CAT I
The macOS system must implement approved Key Exchange Algorithms within the SSH client configuration.
Apple macOS 13 (Ventura) Security Technical Implementation Guide
V-259438
CAT I
The macOS system must limit SSHD to FIPS-compliant connections.
Apple macOS 14 (Sonoma) Security Technical Implementation Guide
V-259439
CAT I
The macOS system must limit SSH to FIPS-compliant connections.
Apple macOS 14 (Sonoma) Security Technical Implementation Guide
V-268438
CAT I
The macOS system must limit SSHD to FIPS-compliant connections.
Apple macOS 15 (Sequoia) Security Technical Implementation Guide
V-268439
CAT I
The macOS system must limit SSH to FIPS-compliant connections.
Apple macOS 15 (Sequoia) Security Technical Implementation Guide
V-277046
CAT I
The macOS system must limit SSHD to FIPS-compliant connections.
Apple macOS 26 (Tahoe) Security Technical Implementation Guide
V-277047
CAT I
The macOS system must limit SSH to FIPS-compliant connections.
Apple macOS 26 (Tahoe) Security Technical Implementation Guide
V-276374
CAT III
Apple visionOS 2 must allow the administrator (MDM) to perform the following management function: enable/disable VPN protection across the device and [selection: on a per-app basis, on a per-group of applications processes basis].
Apple visionOS 2 Security Technical Implementation Guide
V-282783
CAT III
Apple visionOS 26 must allow the administrator (MDM) to perform the following management function: enable/disable VPN protection across the device and [selection: on a per-app basis, on a per-group of applications processes basis].
Apple visionOS 26 Security Technical Implementation Guide
V-204924
CAT II
The ALG providing intermediary services for remote access communications traffic must use encryption services that implement NIST FIPS-validated cryptography to protect the confidentiality of remote access sessions.
Application Layer Gateway Security Requirements Guide
V-204925
CAT II
The ALG that stores secret or private keys must use FIPS-approved key management technology and processes in the production and control of private/secret cryptographic keys.
Application Layer Gateway Security Requirements Guide
V-204926
CAT II
The ALG that provides intermediary services for TLS must be configured to comply with the required TLS settings in NIST SP 800-52.
Application Layer Gateway Security Requirements Guide
V-274497
CAT II
The API must encrypt data in transit.
Application Programming Interface (API) Security Requirements Guide
V-222396
CAT II
The application must implement DoD-approved encryption to protect the confidentiality of remote access sessions.
Application Security and Development Security Technical Implementation Guide
V-222399
CAT I
Messages protected with WS_Security must use time stamps with creation and expiration times.
Application Security and Development Security Technical Implementation Guide
V-222400
CAT I
Validity periods must be verified on all application messages using WS-Security or SAML assertions.
Application Security and Development Security Technical Implementation Guide
V-222401
CAT II
The application must ensure each unique asserting party provides unique assertion ID references for each SAML assertion.
Application Security and Development Security Technical Implementation Guide
V-222402
CAT II
The application must ensure encrypted assertions, or equivalent confidentiality protections are used when assertion data is passed through an intermediary, and confidentiality of the assertion data is required when passing through the intermediary.
Application Security and Development Security Technical Implementation Guide
V-222403
CAT I
The application must use the NotOnOrAfter condition when using the SubjectConfirmation element in a SAML assertion.
Application Security and Development Security Technical Implementation Guide
V-222404
CAT I
The application must use both the NotBefore and NotOnOrAfter elements or OneTimeUse element when using the Conditions element in a SAML assertion.
Application Security and Development Security Technical Implementation Guide
V-222405
CAT II
The application must ensure if a OneTimeUse element is used in an assertion, there is only one of the same used in the Conditions element portion of an assertion.
Application Security and Development Security Technical Implementation Guide
V-222406
CAT II
The application must ensure messages are encrypted when the SessionIndex is tied to privacy data.
Application Security and Development Security Technical Implementation Guide
V-204709
CAT II
The application server must use encryption strength in accordance with the categorization of the management data during remote access management sessions.
Application Server Security Requirements Guide
V-237329
CAT I
The ArcGIS Server must use mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
ArcGIS for Server 10.3 Security Technical Implementation Guide
V-272629
CAT I
CylanceON-PREM must be configured to use TLS 1.2 or higher.
Arctic Wolf CylanceON-PREM Security Technical Implementation Guide
V-256841
CAT I
Compliance Guardian must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access.
AvePoint Compliance Guardian Security Technical Implementation Guide
V-253512
CAT I
DocAve must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access.
AvePoint DocAve 6 Security Technical Implementation Guide
V-276004
CAT I
Ax-OS must implement DOD-approved encryption to protect the confidentiality of remote access sessions.
Axonius Federal Systems Ax-OS Security Technical Implementation Guide
V-79023
CAT I
The BlackBerry Enterprise Mobility Server (BEMS) must be configured to use HTTPS.
BlackBerry Enterprise Mobility Server 2.x Security Technical Implementation Guide
V-79033
CAT II
If the Mail service (Push Notifications support for BlackBerry Work) is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to Enable SSL LDAP when using LDAP Lookup for users.
BlackBerry Enterprise Mobility Server 2.x Security Technical Implementation Guide
V-79035
CAT II
If the Mail service (Push Notifications support for BlackBerry Work) is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to Enable SSL LDAP for certificate directory lookup.
BlackBerry Enterprise Mobility Server 2.x Security Technical Implementation Guide
V-254716
CAT I
The BlackBerry Enterprise Mobility Server (BEMS) must be configured to use HTTPS.
BlackBerry Enterprise Mobility Server 3.x Security Technical Implementation Guide
V-254721
CAT II
If the Mail service (Push Notifications support for BlackBerry Work) is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to Enable SSL LDAP when using LDAP Lookup for users.
BlackBerry Enterprise Mobility Server 3.x Security Technical Implementation Guide
V-254722
CAT II
If the Mail service (Push Notifications support for BlackBerry Work) is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to Enable SSL LDAP for certificate directory lookup.
BlackBerry Enterprise Mobility Server 3.x Security Technical Implementation Guide
V-237349
CAT II
The CA API Gateway providing intermediary services for remote access communications traffic must use encryption services that implement NIST FIPS-validated cryptography to protect the confidentiality of remote access sessions.
CA API Gateway ALG Security Technical Implementation Guide
V-237350
CAT II
The CA API Gateway that stores secret or private keys must use FIPS-approved key management technology and processes in the production and control of private/secret cryptographic keys.
CA API Gateway ALG Security Technical Implementation Guide
V-237351
CAT II
The CA API Gateway that provides intermediary services for TLS must be configured to comply with the required TLS settings in NIST SP 800-52.
CA API Gateway ALG Security Technical Implementation Guide
V-219307
CAT II
The Ubuntu operating system must implement DoD-approved encryption to protect the confidentiality of remote access sessions.
Canonical Ubuntu 18.04 LTS Security Technical Implementation Guide
V-255906
CAT II
The Ubuntu operating system SSH server must be configured to use only FIPS-validated key exchange algorithms.
Canonical Ubuntu 18.04 LTS Security Technical Implementation Guide
V-238217
CAT II
The Ubuntu operating system must configure the SSH daemon to use FIPS 140-2 approved ciphers to prevent the unauthorized disclosure of information and/or detect changes to information during transmission.
Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide
V-255912
CAT II
The Ubuntu operating system SSH server must be configured to use only FIPS-validated key exchange algorithms.
Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide
V-260531
CAT II
Ubuntu 22.04 LTS must configure the SSH daemon to use FIPS 140-3-approved ciphers to prevent the unauthorized disclosure of information and/or detect changes to information during transmission.
Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide
V-260533
CAT II
Ubuntu 22.04 LTS SSH server must be configured to use only FIPS-validated key exchange algorithms.
Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide
V-270667
CAT II
Ubuntu 24.04 LTS must configure the SSH daemon to use FIPS 140-3 approved ciphers to prevent the unauthorized disclosure of information and/or detect changes to information during transmission.
Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide
V-270669
CAT II
Ubuntu 24.04 LTS SSH server must be configured to use only FIPS 140-3 validated key exchange algorithms.
Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide
V-239957
CAT I
The Cisco ASA must be configured to use a Diffie-Hellman (DH) Group of 16 or greater for Internet Key Exchange (IKE) Phase 1.
Cisco ASA VPN Security Technical Implementation Guide
V-239975
CAT I
The Cisco ASA remote access VPN server must be configured to use TLS 1.2 or higher to protect the confidentiality of remote access connections.
Cisco ASA VPN Security Technical Implementation Guide
V-239979
CAT I
The Cisco VPN remote access server must be configured to use AES256 or greater encryption for the Internet Key Exchange (IKE) Phase 1 to protect confidentiality of remote access sessions.
Cisco ASA VPN Security Technical Implementation Guide
V-239980
CAT I
The Cisco ASA VPN remote access server must be configured to use AES256 or greater encryption for the IPsec security association to protect the confidentiality of remote access sessions.
Cisco ASA VPN Security Technical Implementation Guide
V-215697
CAT II
The Cisco router must be configured to encrypt SNMP messages using a FIPS 140-2 approved algorithm.
Cisco IOS Router NDM Security Technical Implementation Guide
V-220605
CAT II
The Cisco switch must be configured to encrypt SNMP messages using a FIPS 140-2 approved algorithm.
Cisco IOS Switch NDM Security Technical Implementation Guide
V-215842
CAT II
The Cisco router must be configured to encrypt SNMP messages using a FIPS 140-2 approved algorithm.
Cisco IOS XE Router NDM Security Technical Implementation Guide
V-220553
CAT II
The Cisco switch must be configured to encrypt SNMP messages using a FIPS 140-2 approved algorithm.
Cisco IOS XE Switch NDM Security Technical Implementation Guide
V-216539
CAT II
The Cisco router must be configured to encrypt SNMP messages using a FIPS 140-2 approved algorithm.
Cisco IOS XR Router NDM Security Technical Implementation Guide
V-242575
CAT I
The Cisco ISE must use TLS 1.2, at a minimum, to protect the confidentiality of information passed between the endpoint agent and the Cisco ISE. This is required for compliance with C2C Step 1.
Cisco ISE NAC Security Technical Implementation Guide
V-220501
CAT II
The Cisco switch must be configured to encrypt SNMP messages using a FIPS 140-2 approved algorithm.
Cisco NX OS Switch NDM Security Technical Implementation Guide
V-234565
CAT I
Citrix Delivery Controller must implement DoD-approved encryption.
Citrix Virtual Apps and Desktop 7.x Delivery Controller Security Technical Implementation Guide
V-234222
CAT I
Citrix License Server must implement DoD-approved encryption to protect the confidentiality of remote access sessions.
Citrix Virtual Apps and Desktop 7.x License Server Security Technical Implementation Guide
V-234257
CAT I
Citrix Linux Virtual Delivery Agent must implement DoD-approved encryption.
Citrix Virtual Apps and Desktop 7.x Linux Virtual Delivery Agent Security Technical Implementation Guide
V-234251
CAT I
The Citrix Storefront server must implement DoD-approved encryption to protect the confidentiality of remote access sessions.
Citrix Virtual Apps and Desktop 7.x StoreFront Security Technical Implementation Guide
V-234253
CAT I
Citrix Windows Virtual Delivery Agent must implement DoD-approved encryption.
Citrix Virtual Apps and Desktop 7.x Windows Virtual Delivery Agent Security Technical Implementation Guide
V-213200
CAT I
XenDesktop License Server must implement DoD-approved encryption to protect the confidentiality of remote access sessions.
Citrix XenDesktop 7.x License Server Security Technical Implementation Guide
V-213208
CAT I
Citrix Receiver must implement DoD-approved encryption.
Citrix XenDesktop 7.x Receiver Security Technical Implementation Guide
V-213213
CAT I
Citrix Windows Virtual Delivery Agent must implement DoD-approved encryption.
Citrix XenDesktop 7.x Windows VDA Security Technical Implementation Guide
V-81433
CAT I
Citrix Windows Virtual Delivery Agent must implement DoD-approved encryption.
Citrix XenDesktop 7.x Windows Virtual Delivery Agent Security Technical Implementation Guide
V-269120
CAT II
AlmaLinux OS 9 must force a frequent session key renegotiation for SSH connections to the server.
Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
V-269122
CAT I
AlmaLinux OS 9 IP tunnels must use FIPS 140-3 approved cryptographic algorithms.
Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
V-269125
CAT I
AlmaLinux OS 9 must use the TuxCare ESU repository.
Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
V-269126
CAT I
AlmaLinux OS 9 must use the TuxCare FIPS packages and not the default encryption packages.
Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
V-269127
CAT I
AlmaLinux OS 9 must enable FIPS mode.
Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
V-233015
CAT II
The container platform must use TLS 1.2 or greater for secure container image transport from trusted sources.
Container Platform Security Requirements Guide
V-233016
CAT II
The container platform must use TLS 1.2 or greater for secure communication.
Container Platform Security Requirements Guide
V-235776
CAT II
TCP socket binding for all Docker Engine - Enterprise nodes in a Universal Control Plane (UCP) cluster must be disabled.
Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide
V-235777
CAT I
FIPS mode must be enabled on all Docker Engine - Enterprise nodes.
Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide
V-259995
CAT I
The Enterprise Voice, Video, and Messaging Session Manager must use TLS 1.2 or greater to protect the confidentiality of remote access.
Enterprise Voice, Video, and Messaging Session Management Security Requirements Guide
V-215746
CAT II
The BIG-IP Core implementation must be configured to use encryption services that implement NIST SP 800-52 Revision 2 compliant cryptography to protect the confidentiality of connections to virtual servers.
F5 BIG-IP Local Traffic Manager Security Technical Implementation Guide
V-215747
CAT II
The BIG-IP Core implementation must be configured to comply with the required TLS settings in NIST SP 800-52 Revision 1 for TLS services to virtual servers.
F5 BIG-IP Local Traffic Manager Security Technical Implementation Guide
V-266139
CAT I
The F5 BIG-IP appliance providing intermediary services for remote access must use FIPS-validated cryptographic algorithms, including TLS 1.2 at a minimum.
F5 BIG-IP TMOS ALG Security Technical Implementation Guide
V-266277
CAT I
The F5 BIG-IP appliance must be configured to use a Diffie-Hellman (DH) Group of 16 or greater for Internet Key Exchange (IKE) Phase 1.
F5 BIG-IP TMOS VPN Security Technical Implementation Guide
V-266278
CAT I
The F5 BIG-IP appliance IPsec VPN Gateway must use AES256 or higher encryption for the Internet Key Exchange (IKE) proposal to protect confidentiality of remote access sessions.
F5 BIG-IP TMOS VPN Security Technical Implementation Guide
V-266279
CAT I
The F5 BIG-IP appliance IPsec VPN must use AES256 or greater encryption for the IPsec proposal.
F5 BIG-IP TMOS VPN Security Technical Implementation Guide
V-278381
CAT I
NGINX must use TLS 1.2, at a minimum, to protect data confidentiality using remote access.
F5 NGINX Security Technical Implementation Guide
V-233332
CAT II
Forescout must use TLS 1.2, at a minimum, to protect the confidentiality of information passed between the endpoint agent and Forescout for the purposes of client posture assessment. This is required for compliance with C2C Step 1.
Forescout Network Access Control Security Technical Implementation Guide
V-233334
CAT II
Communications between Forescout endpoint agent and the switch must transmit access authorization information via a protected path using a cryptographic mechanism. This is required for compliance with C2C Step 1.
Forescout Network Access Control Security Technical Implementation Guide
V-233340
CAT I
When connecting with endpoints, Forescout must be configured to use FIPS 140-2/3 validated algorithms for encryption processes and communications. This is required for compliance with C2C Step 1.
Forescout Network Access Control Security Technical Implementation Guide
V-203603
CAT I
The operating system must implement DoD-approved encryption to protect the confidentiality of remote access sessions.
General Purpose Operating System Security Requirements Guide
V-255251
CAT I
The SSMC web server must use cryptographic modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
HPE 3PAR SSMC Web Server Security Technical Implementation Guide
V-255253
CAT I
SSMC web server must use encryption strength in accordance with the categorization of data hosted by the web server when remote connections are provided.
HPE 3PAR SSMC Web Server Security Technical Implementation Guide
V-237818
CAT I
DoD-approved encryption must be implemented to protect the confidentiality and integrity of remote access sessions, information during preparation for transmission, information during reception, and information during transmission in addition to enforcing replay-resistant authentication mechanisms for network access to privileged accounts.
HPE 3PAR StoreServ 3.2.x Security Technical Implementation Guide
V-255272
CAT I
The HPE 3PAR OS must be configured to restrict the encryption algorithms and protocols to comply with DOD-approved encryption to protect the confidentiality and integrity of remote access sessions.
HPE 3PAR StoreServ 3.3.x Security Technical Implementation Guide
V-255291
CAT I
The HPE 3PAR OS CIMserver process must be configured to use approved encryption and communications protocols to protect the confidentiality of remote access sessions.
HPE 3PAR StoreServ 3.3.x Security Technical Implementation Guide
V-255295
CAT I
The HPE 3PAR OS WSAPI process must be configured to use approved encryption and communications protocols to protect the confidentiality of remote access sessions.
HPE 3PAR StoreServ 3.3.x Security Technical Implementation Guide
V-266983
CAT II
AOS, when used as a VPN Gateway, must be configured to use IPsec with SHA-2 at 384 bits or greater for hashing to protect the integrity of remote access sessions.
HPE Aruba Networking AOS VPN Security Technical Implementation Guide
V-266985
CAT I
AOS, when used as an IPsec VPN Gateway, must use Advanced Encryption Standard (AES) encryption for the Internet Key Exchange (IKE) proposal to protect confidentiality of remote access sessions.
HPE Aruba Networking AOS VPN Security Technical Implementation Guide
V-266557
CAT II
AOS must use Transport Layer Security (TLS) 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access.
HPE Aruba Networking AOS Wireless Security Technical Implementation Guide
V-215289
CAT II
The AIX SSH server must use SSH Protocol 2.
IBM AIX 7.x Security Technical Implementation Guide
V-215402
CAT II
The AIX SSH daemon must be configured to only use FIPS 140-2 approved ciphers.
IBM AIX 7.x Security Technical Implementation Guide
V-252562
CAT I
The IBM Aspera Console feature must be configured to use encryption services that implement NIST FIPS-validated cryptography to protect the confidentiality of remote access sessions.
IBM Aspera Platform 4.2 Security Technical Implementation Guide
V-252587
CAT I
The IBM Aspera Faspex feature must be configured to use encryption services that implement NIST FIPS-validated cryptography to protect the confidentiality of remote access sessions.
IBM Aspera Platform 4.2 Security Technical Implementation Guide
V-252604
CAT I
The IBM Aspera Shares feature must be configured to use encryption services that implement NIST FIPS-validated cryptography to protect the confidentiality of remote access sessions.
IBM Aspera Platform 4.2 Security Technical Implementation Guide
V-252613
CAT I
The IBM Aspera High-Speed Transfer Endpoint must be configured to comply with the required TLS settings in NIST SP 800-52.
IBM Aspera Platform 4.2 Security Technical Implementation Guide
V-252616
CAT I
The IBM Aspera High-Speed Transfer Endpoint must be configured to use NIST FIPS-validated cryptography to protect the integrity of remote access sessions.
IBM Aspera Platform 4.2 Security Technical Implementation Guide
V-252627
CAT I
The IBM Aspera High-Speed Transfer Server must be configured to comply with the required TLS settings in NIST SP 800-52.
IBM Aspera Platform 4.2 Security Technical Implementation Guide
V-252630
CAT I
The IBM Aspera High-Speed Transfer Server must be configured to use NIST FIPS-validated cryptography to protect the integrity of remote access sessions.
IBM Aspera Platform 4.2 Security Technical Implementation Guide
V-252634
CAT II
The IBM Aspera High-Speed Transfer Server must enable the use of dynamic token encryption keys.
IBM Aspera Platform 4.2 Security Technical Implementation Guide
V-65201
CAT II
The DataPower Gateway providing intermediary services for remote access communications traffic must use encryption services that implement NIST FIPS-validated cryptography to protect the confidentiality of remote access sessions.
IBM DataPower ALG Security Technical Implementation Guide
V-65203
CAT II
The DataPower Gateway that stores secret or private keys must use FIPS-approved key management technology and processes in the production and control of private/secret cryptographic keys.
IBM DataPower ALG Security Technical Implementation Guide
V-65205
CAT II
The DataPower Gateway that provides intermediary services for TLS must be configured to comply with the required TLS settings in NIST SP 800-52.
IBM DataPower ALG Security Technical Implementation Guide
V-255816
CAT II
The MQ Appliance messaging server must use encryption strength in accordance with the categorization of the management data during remote access management sessions.
IBM MQ Appliance V9.0 AS Security Technical Implementation Guide
V-250323
CAT II
The WebSphere Liberty Server Quality of Protection (QoP) must be set to use TLSv1.2 or higher.
IBM WebSphere Liberty Server Security Technical Implementation Guide
V-250341
CAT I
Application security must be enabled on the WebSphere Liberty Server.
IBM WebSphere Liberty Server Security Technical Implementation Guide
V-255829
CAT II
The WebSphere Application Server Quality of Protection (QoP) must be set to use TLSv1.2 or higher.
IBM WebSphere Traditional V9.x Security Technical Implementation Guide
V-255830
CAT I
The WebSphere Application Server global application security must be enabled.
IBM WebSphere Traditional V9.x Security Technical Implementation Guide
V-255831
CAT I
The WebSphere Application Server Single Sign On (SSO) must have SSL enabled for Web and SIP Security.
IBM WebSphere Traditional V9.x Security Technical Implementation Guide
V-223589
CAT I
IBM z/OS SSH daemon must be configured to use a FIPS 140-2 compliant cryptographic algorithm.
IBM z/OS ACF2 Security Technical Implementation Guide
V-223610
CAT II
IBM z/OS SSL encryption options for the TN3270 Telnet Server must be specified properly for each statement that defines a SECUREPORT or within the TELNETGLOBALS.
IBM z/OS ACF2 Security Technical Implementation Guide
V-223807
CAT I
The IBM RACF SSH daemon must be configured to use a FIPS 140-2 compliant cryptographic algorithm to protect confidential information and remote access sessions.
IBM z/OS RACF Security Technical Implementation Guide
V-223831
CAT II
IBM z/OS SSL encryption options for the TN3270 Telnet Server must be specified properly for each statement that defines a SECUREPORT or within the TELNETGLOBALS.
IBM z/OS RACF Security Technical Implementation Guide
V-224044
CAT I
The SSH daemon must be configured to use a FIPS 140-2 compliant cryptographic algorithm.
IBM z/OS TSS Security Technical Implementation Guide
V-224067
CAT II
IBM z/OS SSL encryption options for the TN3270 Telnet server must be specified properly for each statement that defines a SECUREPORT or within the TELNETGLOBALS.
IBM z/OS TSS Security Technical Implementation Guide
V-237906
CAT II
The IBM z/VM TCP/IP configuration must include an SSLSERVERID statement.
IBM zVM Using CA VM:Secure Security Technical Implementation Guide
V-224762
CAT II
The ISEC7 SPHERE must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access.
ISEC7 Sphere Security Technical Implementation Guide
V-258586
CAT I
The ICS must be configured to use TLS 1.2, at a minimum.
Ivanti Connect Secure VPN Security Technical Implementation Guide
V-251011
CAT II
The Sentry providing intermediary services for remote access communications traffic must use encryption services that implement NIST FIPS-validated cryptography to protect the confidentiality of remote access sessions.
Ivanti MobileIron Sentry 9.x ALG Security Technical Implementation Guide
V-251012
CAT II
If Sentry stores secret or private keys, it must use FIPS-approved key management technology and processes in the production and control of private/secret cryptographic keys.
Ivanti MobileIron Sentry 9.x ALG Security Technical Implementation Guide
V-251013
CAT II
The Sentry that provides intermediary services for TLS must be configured to comply with the required TLS settings in NIST SP 800-52.
Ivanti MobileIron Sentry 9.x ALG Security Technical Implementation Guide
V-251011
CAT II
The Sentry providing intermediary services for remote access communications traffic must use encryption services that implement NIST FIPS-validated cryptography to protect the confidentiality of remote access sessions.
Ivanti Sentry 9.x ALG Security Technical Implementation Guide
V-251012
CAT II
If Sentry stores secret or private keys, it must use FIPS-approved key management technology and processes in the production and control of private/secret cryptographic keys.
Ivanti Sentry 9.x ALG Security Technical Implementation Guide
V-251013
CAT II
The Sentry that provides intermediary services for TLS must be configured to comply with the required TLS settings in NIST SP 800-52.
Ivanti Sentry 9.x ALG Security Technical Implementation Guide
V-213494
CAT II
HTTP management session traffic must be encrypted.
JBoss Enterprise Application Platform 6.3 Security Technical Implementation Guide
V-217338
CAT II
The Juniper router must be configured to encrypt SNMP messages using a FIPS 140-2 approved algorithm.
Juniper Router NDM Security Technical Implementation Guide
V-66021
CAT I
The Juniper SRX Services Gateway VPN must use AES encryption for the IPsec proposal to protect the confidentiality of remote access sessions.
Juniper SRX SG VPN Security Technical Implementation Guide
V-66617
CAT I
The Juniper SRX Services Gateway VPN must use AES encryption for the Internet Key Exchange (IKE) proposal to protect the confidentiality of remote access sessions.
Juniper SRX SG VPN Security Technical Implementation Guide
V-66647
CAT II
The Juniper SRX Services Gateway VPN must implement a FIPS-140-2 validated Diffie-Hellman (DH) group.
Juniper SRX SG VPN Security Technical Implementation Guide
V-214672
CAT I
The Juniper SRX Services Gateway VPN must use AES256 for the IPsec proposal to protect the confidentiality of remote access sessions.
Juniper SRX Services Gateway VPN Security Technical Implementation Guide
V-214673
CAT I
The Juniper SRX Services Gateway VPN must use AES256 encryption for the Internet Key Exchange (IKE) proposal to protect the confidentiality of remote access sessions.
Juniper SRX Services Gateway VPN Security Technical Implementation Guide
V-214674
CAT I
The Juniper SRX Services Gateway VPN must be configured to use Diffie-Hellman (DH) group 15 or higher.
Juniper SRX Services Gateway VPN Security Technical Implementation Guide
V-242376
CAT II
The Kubernetes Controller Manager must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination.
Kubernetes Security Technical Implementation Guide
V-242377
CAT II
The Kubernetes Scheduler must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination.
Kubernetes Security Technical Implementation Guide
V-242378
CAT II
The Kubernetes API Server must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination.
Kubernetes Security Technical Implementation Guide
V-242379
CAT II
The Kubernetes etcd must use TLS to protect the confidentiality of sensitive data during electronic dissemination.
Kubernetes Security Technical Implementation Guide
V-242380
CAT II
The Kubernetes etcd must use TLS to protect the confidentiality of sensitive data during electronic dissemination.
Kubernetes Security Technical Implementation Guide
V-228415
CAT II
Exchange must use encryption for RPC client access.
Microsoft Exchange 2016 Mailbox Server Security Technical Implementation Guide
V-228416
CAT II
Exchange must use encryption for Outlook Web App (OWA) access.
Microsoft Exchange 2016 Mailbox Server Security Technical Implementation Guide
V-228417
CAT II
Exchange must have forms-based authentication disabled.
Microsoft Exchange 2016 Mailbox Server Security Technical Implementation Guide
V-259577
CAT II
SchUseStrongCrypto must be enabled.
Microsoft Exchange 2019 Edge Server Security Technical Implementation Guide
V-259645
CAT II
Exchange must use encryption for RPC client access.
Microsoft Exchange 2019 Mailbox Server Security Technical Implementation Guide
V-259646
CAT II
Exchange must use encryption for Outlook Web App (OWA) access.
Microsoft Exchange 2019 Mailbox Server Security Technical Implementation Guide
V-259647
CAT II
Exchange must have forms-based authentication enabled.
Microsoft Exchange 2019 Mailbox Server Security Technical Implementation Guide
V-218737
CAT II
A private IIS 10.0 website must only accept Secure Socket Layer (SSL) connections.
Microsoft IIS 10.0 Site Security Technical Implementation Guide
V-218738
CAT II
A public IIS 10.0 website must only accept Secure Socket Layer (SSL) connections when authentication is required.
Microsoft IIS 10.0 Site Security Technical Implementation Guide
V-220852
CAT II
Remote Desktop Services must be configured with the client connection encryption set to the required level.
Microsoft Windows 10 Security Technical Implementation Guide
V-253406
CAT II
Remote Desktop Services must be configured with the client connection encryption set to the required level.
Microsoft Windows 11 Security Technical Implementation Guide
V-225059
CAT II
Windows Server 2016 must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing.
Microsoft Windows Server 2016 Security Technical Implementation Guide
V-205636
CAT II
Windows Server 2019 Remote Desktop Services must require secure Remote Procedure Call (RPC) communications.
Microsoft Windows Server 2019 Security Technical Implementation Guide
V-205637
CAT II
Windows Server 2019 Remote Desktop Services must be configured with the client connection encryption set to High Level.
Microsoft Windows Server 2019 Security Technical Implementation Guide
V-254368
CAT II
Windows Server 2022 Remote Desktop Services must require secure Remote Procedure Call (RPC) communications.
Microsoft Windows Server 2022 Security Technical Implementation Guide
V-254369
CAT II
Windows Server 2022 Remote Desktop Services must be configured with the client connection encryption set to High Level.
Microsoft Windows Server 2022 Security Technical Implementation Guide
V-278115
CAT II
Windows Server 2025 Remote Desktop Services must require secure Remote Procedure Call (RPC) communications.
Microsoft Windows Server 2025 Security Technical Implementation Guide
V-278116
CAT II
Windows Server 2025 Remote Desktop Services must be configured with the client connection encryption set to High Level.
Microsoft Windows Server 2025 Security Technical Implementation Guide
V-254099
CAT I
Nutanix AOS must implement cryptography mechanisms to protect the confidentiality and integrity of the remote access session.
Nutanix AOS 5.20.x Application Security Technical Implementation Guide
V-254125
CAT I
Nutanix AOS must implement DoD-approved encryption to protect the confidentiality of remote access sessions.
Nutanix AOS 5.20.x OS Security Technical Implementation Guide
V-279418
CAT II
Nutanix AOS must have TLS enabled.
Nutanix Acropolis Application Server Security Technical Implementation Guide
V-279533
CAT I
Nutanix OS must implement DOD-approved encryption to protect the confidentiality of SSH sessions.
Nutanix Acropolis GPOS Security Technical Implementation Guide
V-221277
CAT I
OHS must have the LoadModule ossl_module directive enabled to encrypt remote connections in accordance with the categorization of data hosted by the web server.
Oracle HTTP Server 12.1.3 Security Technical Implementation Guide
V-221278
CAT I
OHS must have the SSLFIPS directive enabled to encrypt remote connections in accordance with the categorization of data hosted by the web server.
Oracle HTTP Server 12.1.3 Security Technical Implementation Guide
V-221279
CAT II
OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to encrypt remote connections in accordance with the categorization of data hosted by the web server.
Oracle HTTP Server 12.1.3 Security Technical Implementation Guide
V-221280
CAT I
OHS must have the SSLCipherSuite directive enabled to encrypt remote connections in accordance with the categorization of data hosted by the web server.
Oracle HTTP Server 12.1.3 Security Technical Implementation Guide
V-221758
CAT I
The Oracle Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
Oracle Linux 7 Security Technical Implementation Guide
V-221840
CAT II
The Oracle Linux 7 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections.
Oracle Linux 7 Security Technical Implementation Guide
V-248524
CAT I
OL 8 must implement NIST FIPS-validated cryptography for the following: To provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
Oracle Linux 8 Security Technical Implementation Guide
V-248868
CAT II
OL 8 must force a frequent session key renegotiation for SSH connections to the server.
Oracle Linux 8 Security Technical Implementation Guide
V-283446
CAT I
OL 8 must implement NIST FIPS-validated cryptography for the following: To provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
Oracle Linux 8 Security Technical Implementation Guide
V-283450
CAT I
OL 8 IP tunnels must use FIPS 140-3-approved cryptographic algorithms.
Oracle Linux 8 Security Technical Implementation Guide
V-271454
CAT I
OL 9 must enable FIPS mode.
Oracle Linux 9 Security Technical Implementation Guide
V-271705
CAT II
OL 9 must force a frequent session key renegotiation for SSH connections to the server.
Oracle Linux 9 Security Technical Implementation Guide
V-271743
CAT I
OL 9 IP tunnels must use 140-3 approved cryptographic algorithms.
Oracle Linux 9 Security Technical Implementation Guide