STIGhub

CCI-000166

Definition

Provide irrefutable evidence that an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.

Parent Control

AU-10 | Non-Repudiation | Audit and Accountability

Linked STIG Checks (123)

  • V-279032 | CAT II | ColdFusion must require enforced authentication. | Adobe ColdFusion Security Technical Implementation Guide
  • V-279033 | CAT III | ColdFusion must not have local users. | Adobe ColdFusion Security Technical Implementation Guide
  • V-222930 | CAT II | AccessLogValve must be configured for each application context. | Apache Tomcat Application Server 9 Security Technical Implementation Guide
  • V-222438 | CAT II | The application must protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation. | Application Security and Development Security Technical Implementation Guide
  • V-204715 | CAT II | The application server must protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation. | Application Server Security Requirements Guide
  • V-237322 | CAT I | The ArcGIS Server must use Windows authentication to enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. | ArcGIS for Server 10.3 Security Technical Implementation Guide
  • V-272631 | CAT II | Session-only-based cookies must be enabled. | Arctic Wolf CylanceON-PREM Security Technical Implementation Guide
  • V-217361 | CAT III | The Arista Multilayer Switch must protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation. | Arista MLS DCS-7000 Series NDM Security Technical Implementation Guide
  • V-255951 | CAT II | The Arista network device must be configured to audit all administrator activity. | Arista MLS EOS 4.X NDM Security Technical Implementation Guide
  • V-251594 | CAT III | IDMS must protect against the use of default userids. | CA IDMS Security Technical Implementation Guide
  • V-251595 | CAT III | IDMS must protect against the use of external request exits that change the userid to a shared id when actions are performed that may be audited. | CA IDMS Security Technical Implementation Guide
  • V-251596 | CAT III | IDMS must protect against the use of numbered exits that change the userid to a shared id. | CA IDMS Security Technical Implementation Guide
  • V-251597 | CAT III | IDMS must protect against the use of web-based applications that use generic IDs. | CA IDMS Security Technical Implementation Guide
  • V-251598 | CAT III | IDMS must protect against the use web services that do not require a sign on when actions are performed that may be audited. | CA IDMS Security Technical Implementation Guide
  • V-206448 | CAT II | The Central Log Server must be configured to protect the data sent from hosts and devices from being altered in a way that may prevent the attribution of an action to an individual (or process acting on behalf of an individual). | Central Log Server Security Requirements Guide
  • V-271927 | CAT I | The Cisco ACI must be configured to assign appropriate user roles or access levels to authenticated users. | Cisco ACI NDM Security Technical Implementation Guide
  • V-271933 | CAT II | The Cisco ACI must audit the enforcement actions used to restrict access associated with changes to the device. | Cisco ACI NDM Security Technical Implementation Guide
  • V-239903 | CAT II | The Cisco ASA must be configured to protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation. | Cisco ASA NDM Security Technical Implementation Guide
  • V-215670 | CAT II | The Cisco device must be configured to audit all administrator activity. | Cisco IOS Router NDM Security Technical Implementation Guide
  • V-220578 | CAT II | The Cisco device must be configured to audit all administrator activity. | Cisco IOS Switch NDM Security Technical Implementation Guide
  • V-215815 | CAT II | The Cisco device must be configured to audit all administrator activity. | Cisco IOS XE Router NDM Security Technical Implementation Guide
  • V-220526 | CAT II | The Cisco device must be configured to audit all administrator activity. | Cisco IOS XE Switch NDM Security Technical Implementation Guide
  • V-242619 | CAT II | The Cisco ISE must protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation. | Cisco ISE NDM Security Technical Implementation Guide
  • V-220482 | CAT II | The Cisco switch must be configured to protect against an individual falsely denying having performed organization-defined actions to be covered by non-repudiation. | Cisco NX OS Switch NDM Security Technical Implementation Guide
  • V-233598 | CAT II | PostgreSQL must protect against a user falsely repudiating having performed organization-defined actions. | Crunchy Data PostgreSQL Security Technical Implementation Guide
  • V-261860 | CAT II | PostgreSQL must protect against a user falsely repudiating having performed organization-defined actions. | Crunchy Data Postgres 16 Security Technical Implementation Guide
  • V-255534 | CAT III | The DBN-6300 must protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation. | DBN-6300 NDM Security Technical Implementation Guide
  • V-206522 | CAT II | The DBMS must protect against a user falsely repudiating having performed organization-defined actions. | Database Security Requirements Guide
  • V-269773 | CAT II | The Dell OS10 Switch must protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by nonrepudiation. | Dell OS10 Switch NDM Security Technical Implementation Guide
  • V-269787 | CAT I | The Dell OS10 Switch, for PKI-based authentication, must be configured to map validated certificates to unique user accounts. | Dell OS10 Switch NDM Security Technical Implementation Guide
  • V-235781 | CAT II | A policy set using the built-in role-based access control (RBAC) capabilities in the Universal Control Plane (UCP) component of Docker Enterprise must be configured. | Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide
  • V-235782 | CAT II | A policy set using the built-in role-based access control (RBAC) capabilities in the Docker Trusted Registry (DTR) component of Docker Enterprise must be set. | Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide
  • V-270919 | CAT II | The Dragos Platform must only allow local administrative and service user accounts. | Dragos Platform 2.x Security Technical Implementation Guide
  • V-224133 | CAT II | The EDB Postgres Advanced Server must protect against a user falsely repudiating by ensuring all accounts are individual, unique, and not shared. | EDB Postgres Advanced Server v11 on Windows Security Technical Implementation Guide
  • V-213564 | CAT II | The EDB Postgres Advanced Server must protect against a user falsely repudiating having performed organization-defined actions. | EDB Postgres Advanced Server v9.6 Security Technical Implementation Guide
  • V-259213 | CAT II | The EDB Postgres Advanced Server must protect against a user falsely repudiating having performed organization-defined actions. | EnterpriseDB Postgres Advanced Server (EPAS) Security Technical Implementation Guide
  • V-217390 | CAT II | The BIG-IP appliance must be configured to protect against an individual (or process acting on behalf of an individual) falsely denying having performed system configuration changes. | F5 BIG-IP Device Management Security Technical Implementation Guide
  • V-266068 | CAT II | The F5 BIG-IP appliance must be configured to audit the execution of privileged functions such as accounts additions and changes. | F5 BIG-IP TMOS NDM Security Technical Implementation Guide
  • V-266085 | CAT I | The F5 BIG-IP appliance must be configured to use multifactor authentication (MFA) for interactive logins. | F5 BIG-IP TMOS NDM Security Technical Implementation Guide
  • V-278385 | CAT II | NGINX must provide audit records for DOD-defined auditable events. | F5 NGINX Security Technical Implementation Guide
  • V-234171 | CAT II | The FortiGate device must log all user activity. | Fortinet FortiGate Firewall NDM Security Technical Implementation Guide
  • V-221578 | CAT II | Incognito mode must be disabled. | Google Chrome Current Windows Security Technical Implementation Guide
  • V-245539 | CAT II | Session only based cookies must be enabled. | Google Chrome Current Windows Security Technical Implementation Guide
  • V-217436 | CAT III | The HP FlexFabric Switch must protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation. | HP FlexFabric Switch NDM Security Technical Implementation Guide
  • V-283425 | CAT I | The HPE Alletra Storage ArcusOS device must be configured to use at least two authentication servers for the purpose of authenticating users prior to granting administrative access. | HPE Alletra Storage ArcusOS Network Device Management Security Technical Implementation Guide
  • V-266929 | CAT I | AOS must be configured to use DOD public key infrastructure (PKI) as multifactor authentication (MFA) for interactive logins. | HPE Aruba Networking AOS NDM Security Technical Implementation Guide
  • V-268235 | CAT I | The HYCU virtual appliance must be configured to use DOD-approved online certificate status protocol (OCSP) responders or certificate revocation lists (CRLs) to validate certificates used for PKI-based authentication. | HYCU Protege Security Technical Implementation Guide
  • V-213673 | CAT II | DB2 must protect against a user falsely repudiating having performed organization-defined actions. | IBM DB2 V10.5 LUW Security Technical Implementation Guide
  • V-255775 | CAT II | The MQ Appliance messaging server must protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation. | IBM MQ Appliance V9.0 AS Security Technical Implementation Guide
  • V-255732 | CAT II | The MQ Appliance network device must protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation. | IBM MQ Appliance v9.0 NDM Security Technical Implementation Guide
  • V-250325 | CAT II | The WebSphere Liberty Server must log remote session and security activity. | IBM WebSphere Liberty Server Security Technical Implementation Guide
  • V-255820 | CAT II | The WebSphere Application Server security auditing must be enabled. | IBM WebSphere Traditional V9.x Security Technical Implementation Guide
  • V-258600 | CAT I | The ICS must be configured to prevent nonprivileged users from executing privileged functions. | Ivanti Connect Secure NDM Security Technical Implementation Guide
  • V-250994 | CAT I | MobileIron Sentry, for PKI-based authentication, must be configured to map validated certificates to unique user accounts. | Ivanti MobileIron Sentry 9.x NDM Security Technical Implementation Guide
  • V-250994 | CAT I | Sentry, for PKI-based authentication, must be configured to map validated certificates to unique user accounts. | Ivanti Sentry 9.x NDM Security Technical Implementation Guide
  • V-217313 | CAT II | The Juniper router must be configured to protect against an individual falsely denying having performed organization-defined actions to be covered by non-repudiation. | Juniper Router NDM Security Technical Implementation Guide
  • V-213856 | CAT II | SQL Server must protect against an individual using a shared account from falsely denying having performed a particular action. | MS SQL Server 2014 Instance Security Technical Implementation Guide
  • V-213902 | CAT II | SQL Server must protect against a user falsely repudiating by ensuring only clearly unique Active Directory user accounts can connect to the database. | MS SQL Server 2016 Database Security Technical Implementation Guide
  • V-213903 | CAT III | SQL Server must protect against a user falsely repudiating by use of system-versioned tables (Temporal Tables). | MS SQL Server 2016 Database Security Technical Implementation Guide
  • V-213904 | CAT II | SQL Server must protect against a user falsely repudiating by ensuring databases are not in a trust relationship. | MS SQL Server 2016 Database Security Technical Implementation Guide
  • V-213933 | CAT II | SQL Server must protect against a user falsely repudiating by ensuring all accounts are individual, unique, and not shared. | MS SQL Server 2016 Instance Security Technical Implementation Guide
  • V-213934 | CAT II | SQL Server must protect against a user falsely repudiating by ensuring the NT AUTHORITY SYSTEM account is not used for administration. | MS SQL Server 2016 Instance Security Technical Implementation Guide
  • V-213935 | CAT II | SQL Server must protect against a user falsely repudiating by ensuring only clearly unique Active Directory user accounts can connect to the instance. | MS SQL Server 2016 Instance Security Technical Implementation Guide
  • V-205457 | CAT II | The Mainframe Product must protect against an individual (or process acting on behalf of an individual) falsely denying having performed actions defined in the site security plan to be covered by non-repudiation. | Mainframe Product Security Requirements Guide
  • V-253669 | CAT II | MariaDB must protect against a user falsely repudiating having performed organization-defined actions. | MariaDB Enterprise 10.x Security Technical Implementation Guide
  • V-220342 | CAT II | MarkLogic Server must protect against a user falsely repudiating having performed organization-defined actions. | MarkLogic Server v9 Security Technical Implementation Guide
  • V-255304 | CAT II | Azure SQL Database must protect against a user falsely repudiating by ensuring only clearly unique Active Directory user accounts can connect to the database. | Microsoft Azure SQL Database Security Technical Implementation Guide
  • V-255305 | CAT II | Azure SQL Database must protect against a user falsely repudiating by use of system-versioned tables (Temporal Tables). | Microsoft Azure SQL Database Security Technical Implementation Guide
  • V-276240 | CAT II | Azure SQL Managed Instance must protect against a user falsely repudiating by ensuring only clearly unique Active Directory user accounts can connect to the database. | Microsoft Azure SQL Managed Instance Security Technical Implementation Guide
  • V-276241 | CAT II | Azure SQL Managed Instance must protect against a user falsely repudiating by use of system-versioned tables (Temporal Tables). | Microsoft Azure SQL Managed Instance Security Technical Implementation Guide
  • V-276294 | CAT II | Azure SQL Managed Instance must protect against a user falsely repudiating by ensuring databases are not in a trust relationship. | Microsoft Azure SQL Managed Instance Security Technical Implementation Guide
  • V-235723 | CAT II | InPrivate mode must be disabled. | Microsoft Edge Security Technical Implementation Guide
  • V-235750 | CAT II | Browser history must be saved. | Microsoft Edge Security Technical Implementation Guide
  • V-260467 | CAT II | Session only-based cookies must be enabled. | Microsoft Edge Security Technical Implementation Guide
  • V-223128 | CAT II | InPrivate Browsing must be disallowed. | Microsoft Internet Explorer 11 Security Technical Implementation Guide
  • V-271121 | CAT II | SQL Server must protect against a user falsely repudiating by using system-versioned tables (Temporal Tables). | Microsoft SQL Server 2022 Database Security Technical Implementation Guide
  • V-271122 | CAT II | SQL Server must protect against a user falsely repudiating by ensuring databases are not in a trust relationship. | Microsoft SQL Server 2022 Database Security Technical Implementation Guide
  • V-283667 | CAT II | SQL Server must protect against a user falsely repudiating by ensuring that only unique Active Directory user accounts can connect to the database. | Microsoft SQL Server 2022 Database Security Technical Implementation Guide
  • V-271267 | CAT II | SQL Server must protect against a user falsely repudiating by ensuring only clearly unique Active Directory user accounts can connect to the instance. | Microsoft SQL Server 2022 Instance Security Technical Implementation Guide
  • V-271268 | CAT II | SQL Server must protect against a user falsely repudiating by ensuring the NT AUTHORITY SYSTEM account is not used for administration. | Microsoft SQL Server 2022 Instance Security Technical Implementation Guide
  • V-271269 | CAT II | SQL Server must protect against a user falsely repudiating by ensuring all accounts are individual, unique, and not shared. | Microsoft SQL Server 2022 Instance Security Technical Implementation Guide
  • V-221160 | CAT II | MongoDB must provide audit record generation for DoD-defined auditable events within all DBMS/database components. | MongoDB Enterprise Advanced 3.x Security Technical Implementation Guide
  • V-252134 | CAT II | MongoDB must provide audit record generation for DoD-defined auditable events within all DBMS/database components. | MongoDB Enterprise Advanced 4.x Security Technical Implementation Guide
  • V-265907 | CAT II | MongoDB must provide audit record generation for DOD-defined auditable events within all DBMS/database components. | MongoDB Enterprise Advanced 7.x Security Technical Implementation Guide
  • V-279334 | CAT II | MongoDB must provide audit record generation for DOD-defined auditable events within all DBMS/database components. | MongoDB Enterprise Advanced 8.x Security Technical Implementation Guide
  • V-251562 | CAT II | Firefox must prevent the user from quickly deleting data. | Mozilla Firefox Security Technical Implementation Guide
  • V-246940 | CAT I | ONTAP must be configured to use an authentication server to provide multifactor authentication. | NetApp ONTAP DSC 9.x Security Technical Implementation Guide
  • V-202025 | CAT II | The network device must protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation. | Network Device Management Security Requirements Guide
  • V-237781 | CAT I | The network device, for PKI-based authentication, must be configured to map validated certificates to unique user accounts. | Network Device Management Security Requirements Guide
  • V-254103 | CAT II | Nutanix AOS must offload log records onto a syslog server. | Nutanix AOS 5.20.x Application Security Technical Implementation Guide
  • V-279423 | CAT II | Nutanix AOS must protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by nonrepudiation. | Nutanix Acropolis Application Server Security Technical Implementation Guide
  • V-273202 | CAT I | Okta must off-load audit records onto a central log server. | Okta Identity as a Service (IDaaS) Security Technical Implementation Guide
  • V-219797 | CAT III | The DBMS must protect against an individual using a group account from falsely denying having performed a particular action. | Oracle Database 11.2g Security Technical Implementation Guide
  • V-220313 | CAT III | The DBMS must protect against an individual who uses a shared account falsely denying having performed a particular action. | Oracle Database 12c Security Technical Implementation Guide
  • V-270501 | CAT III | Oracle Database must protect against an individual who uses a shared account falsely denying having performed a particular action. | Oracle Database 19c Security Technical Implementation Guide
  • V-235102 | CAT II | The MySQL Database Server 8.0 must protect against a user falsely repudiating having performed organization-defined actions. | Oracle MySQL 8.0 Security Technical Implementation Guide
  • V-235939 | CAT II | Oracle WebLogic must protect against an individual falsely denying having performed a particular action. | Oracle WebLogic Server 12c Security Technical Implementation Guide
  • V-214132 | CAT II | PostgreSQL must protect against a user falsely repudiating having performed organization-defined actions. | PostgreSQL 9.x Security Technical Implementation Guide
  • V-273788 | CAT II | The RUCKUS ICX device must initiate session auditing upon startup. | RUCKUS ICX NDM Security Technical Implementation Guide
  • V-275452 | CAT I | The Riverbed NetIM must enable and configure user audit logging. | Riverbed NetIM NDM Security Technical Implementation Guide
  • V-256072 | CAT I | The Riverbed NetProfiler must be configured to automatically generate DOD-required audit records with sufficient information to support incident reporting to a central log server. | Riverbed NetProfiler Security Technical Implementation Guide
  • V-256079 | CAT I | The Riverbed NetProfiler must be configured to authenticate each administrator prior to authorizing privileges based on roles. | Riverbed NetProfiler Security Technical Implementation Guide
  • V-216269 | CAT III | The operating system must protect against an individual falsely denying having performed a particular action. In order to do so the system must be configured to send audit records to a remote audit server. | Solaris 11 SPARC Security Technical Implementation Guide
  • V-216034 | CAT III | The operating system must protect against an individual falsely denying having performed a particular action. In order to do so the system must be configured to send audit records to a remote audit server. | Solaris 11 X86 Security Technical Implementation Guide
  • V-221613 | CAT II | Splunk Enterprise must be configured to protect the log data stored in the indexes from alteration. | Splunk Enterprise 7.x for Windows Security Technical Implementation Guide
  • V-251662 | CAT II | Splunk Enterprise must be configured to protect the log data stored in the indexes from alteration. | Splunk Enterprise 8.x for Linux Security Technical Implementation Guide
  • V-279251 | CAT I | The Edge SWG must be configured to use at least two authentication servers for the purpose of authenticating users prior to granting administrative access. | Symantec Edge SWG NDM Security Technical Implementation Guide
  • V-241005 | CAT II | Common Access Card (CAC)-based authentication must be enabled and enforced on the Tanium Server for all access and all accounts. | Tanium 7.0 Security Technical Implementation Guide
  • V-234066 | CAT II | Common Access Card (CAC)-based authentication must be enabled and enforced on the Tanium Server for all access and all accounts. | Tanium 7.3 Security Technical Implementation Guide
  • V-254897 | CAT II | Multifactor authentication must be enabled and enforced on the Tanium Server for all access and all accounts. | Tanium 7.x Application on TanOS Security Technical Implementation Guide
  • V-253828 | CAT II | Multifactor authentication must be enabled and enforced on the Tanium Server for all access and all accounts. | Tanium 7.x Security Technical Implementation Guide
  • V-234318 | CAT II | The UEM server must protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation. | Unified Endpoint Management Server Security Requirements Guide
  • V-246888 | CAT I | The Horizon Connection Server must require DoD PKI for administrative logins. | VMware Horizon 7.13 Connection Server Security Technical Implementation Guide
  • V-265296 | CAT I | The NSX Manager must be configured to integrate with an identity provider that supports multifactor authentication (MFA). | VMware NSX 4.x Manager NDM Security Technical Implementation Guide
  • V-251789 | CAT I | The NSX-T Manager must integrate with either VMware Identity Manager (vIDM) or VMware Workspace ONE Access. | VMware NSX-T Manager NDM Security Technical Implementation Guide
  • V-256324 | CAT II | The vCenter Server must require multifactor authentication. | VMware vSphere 7.0 vCenter Security Technical Implementation Guide
  • V-259006 | CAT II | The vCenter ESX Agent Manager service must produce log records containing sufficient information regarding event details. | VMware vSphere 8.0 vCenter Appliance ESX Agent Manager (EAM) Security Technical Implementation Guide
  • V-259040 | CAT II | The vCenter Lookup service must produce log records containing sufficient information regarding event details. | VMware vSphere 8.0 vCenter Appliance Lookup Service Security Technical Implementation Guide
  • V-259074 | CAT II | The vCenter Perfcharts service must produce log records containing sufficient information regarding event details. | VMware vSphere 8.0 vCenter Appliance Perfcharts Security Technical Implementation Guide
  • V-258974 | CAT II | The vCenter STS service must produce log records containing sufficient information regarding event details. | VMware vSphere 8.0 vCenter Appliance Secure Token Service (STS) Security Technical Implementation Guide
  • V-259107 | CAT II | The vCenter UI service must produce log records containing sufficient information regarding event details. | VMware vSphere 8.0 vCenter Appliance User Interface (UI) Security Technical Implementation Guide
  • V-258910 | CAT II | The vCenter Server must require multifactor authentication. | VMware vSphere 8.0 vCenter Security Technical Implementation Guide
  • V-269574 | CAT I | Xylok Security Suite must use a centralized user management solution. | Xylok Security Suite 20.x Security Technical Implementation Guide