STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

CCI-000213

Definition

Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

Parent Control

AC-3, Access Enforcement (family: Access Control)

Linked STIG Checks (200)

  • V-243485 (CAT II): Selective Authentication must be enabled on outgoing forest trusts. [Active Directory Domain Security Technical Implementation Guide]
  • V-279072 (CAT II): The ColdFusion error messages must be restricted to only authorized users. [Adobe ColdFusion Security Technical Implementation Guide]
  • V-214230 (CAT II): The Apache web server must use cryptography to protect the integrity of remote sessions. [Apache Server 2.4 UNIX Server Security Technical Implementation Guide]
  • V-214278 (CAT II): The Apache web server must use encryption strength in accordance with the categorization of data hosted by the Apache web server when remote connections are provided. [Apache Server 2.4 UNIX Site Security Technical Implementation Guide]
  • V-214308 (CAT II): The Apache web server must use encryption strength in accordance with the categorization of data hosted by the Apache web server when remote connections are provided. [Apache Server 2.4 Windows Server Security Technical Implementation Guide]
  • V-222931 (CAT I): Default password for keystore must be changed. [Apache Tomcat Application Server 9 Security Technical Implementation Guide]
  • V-222932 (CAT II): Cookies must have secure flag set. [Apache Tomcat Application Server 9 Security Technical Implementation Guide]
  • V-222933 (CAT II): Cookies must have http-only flag set. [Apache Tomcat Application Server 9 Security Technical Implementation Guide]
  • V-222934 (CAT II): DefaultServlet must be set to readonly for PUT and DELETE. [Apache Tomcat Application Server 9 Security Technical Implementation Guide]
  • V-222935 (CAT II): Connectors must be secured. [Apache Tomcat Application Server 9 Security Technical Implementation Guide]
  • V-257094 (CAT I): The BYOAD and DOD enterprise must be configured to limit access to only enterprise corporate-owned IT resources approved by the authorizing official (AO). [Apple iOS/iPad OS 16 MDFPP 3.3 BYOAD Security Technical Implementation Guide]
  • V-257097 (CAT II): The iOS/iPadOS 16 BYOAD must be deployed in Device Enrollment mode or User Enrollment mode. [Apple iOS/iPad OS 16 MDFPP 3.3 BYOAD Security Technical Implementation Guide]
  • V-259751 (CAT I): The BYOAD and DOD enterprise must be configured to limit access to only enterprise IT resources approved by the authorizing official (AO). [Apple iOS/iPadOS 17 BYOAD Security Technical Implementation Guide]
  • V-259754 (CAT II): The iOS/iPadOS 17 BYOAD must be deployed in Device Enrollment mode or User Enrollment mode. [Apple iOS/iPadOS 17 BYOAD Security Technical Implementation Guide]
  • V-259434 (CAT II): The macOS system must disable FileVault automatic log on. [Apple macOS 14 (Sonoma) Security Technical Implementation Guide]
  • V-259478 (CAT II): The macOS system must disable Server Message Block sharing. [Apple macOS 14 (Sonoma) Security Technical Implementation Guide]
  • V-259479 (CAT II): The macOS system must disable Network File System service. [Apple macOS 14 (Sonoma) Security Technical Implementation Guide]
  • V-259482 (CAT II): The macOS system must disable Unix-to-Unix Copy Protocol service. [Apple macOS 14 (Sonoma) Security Technical Implementation Guide]
  • V-259484 (CAT II): The macOS system must disable the built-in web server. [Apple macOS 14 (Sonoma) Security Technical Implementation Guide]
  • V-259485 (CAT II): The macOS system must disable AirDrop. [Apple macOS 14 (Sonoma) Security Technical Implementation Guide]
  • V-259495 (CAT II): The macOS system must disable Remote Apple Events. [Apple macOS 14 (Sonoma) Security Technical Implementation Guide]
  • V-259505 (CAT II): The macOS system must disable Screen Sharing and Apple Remote Desktop. [Apple macOS 14 (Sonoma) Security Technical Implementation Guide]
  • V-259518 (CAT II): The macOS system must disable Media Sharing. [Apple macOS 14 (Sonoma) Security Technical Implementation Guide]
  • V-259519 (CAT II): The macOS system must disable Bluetooth sharing. [Apple macOS 14 (Sonoma) Security Technical Implementation Guide]
  • V-259567 (CAT II): The macOS system must disable Handoff. [Apple macOS 14 (Sonoma) Security Technical Implementation Guide]
  • V-259570 (CAT II): The macOS system must enable Authenticated Root. [Apple macOS 14 (Sonoma) Security Technical Implementation Guide]
  • V-268434 (CAT II): The macOS system must disable FileVault automatic login. [Apple macOS 15 (Sequoia) Security Technical Implementation Guide]
  • V-268478 (CAT II): The macOS system must disable Server Message Block (SMB) sharing. [Apple macOS 15 (Sequoia) Security Technical Implementation Guide]
  • V-268479 (CAT II): The macOS system must disable Network File System (NFS) service. [Apple macOS 15 (Sequoia) Security Technical Implementation Guide]
  • V-268482 (CAT II): The macOS system must disable Unix-to-Unix Copy Protocol (UUCP) service. [Apple macOS 15 (Sequoia) Security Technical Implementation Guide]
  • V-268484 (CAT II): The macOS system must disable the built-in web server. [Apple macOS 15 (Sequoia) Security Technical Implementation Guide]
  • V-268485 (CAT II): The macOS system must disable AirDrop. [Apple macOS 15 (Sequoia) Security Technical Implementation Guide]
  • V-268495 (CAT II): The macOS system must disable Remote Apple Events. [Apple macOS 15 (Sequoia) Security Technical Implementation Guide]
  • V-268499 (CAT I): The macOS system must disable Trivial File Transfer Protocol (TFTP) service. [Apple macOS 15 (Sequoia) Security Technical Implementation Guide]
  • V-268505 (CAT II): The macOS system must disable Screen Sharing and Apple Remote Desktop. [Apple macOS 15 (Sequoia) Security Technical Implementation Guide]
  • V-268517 (CAT II): The macOS system must disable Media Sharing. [Apple macOS 15 (Sequoia) Security Technical Implementation Guide]
  • V-268518 (CAT II): The macOS system must disable Bluetooth Sharing. [Apple macOS 15 (Sequoia) Security Technical Implementation Guide]
  • V-268555 (CAT I): The macOS system must ensure System Integrity Protection is enabled. [Apple macOS 15 (Sequoia) Security Technical Implementation Guide]
  • V-268562 (CAT II): The macOS system must disable Handoff. [Apple macOS 15 (Sequoia) Security Technical Implementation Guide]
  • V-268565 (CAT II): The macOS system must enable Authenticated Root. [Apple macOS 15 (Sequoia) Security Technical Implementation Guide]
  • V-272477 (CAT II): The macOS system must disable iPhone Mirroring. [Apple macOS 15 (Sequoia) Security Technical Implementation Guide]
  • V-277042 (CAT II): The macOS system must disable FileVault automatic login. [Apple macOS 26 (Tahoe) Security Technical Implementation Guide]
  • V-277085 (CAT II): The macOS system must disable Server Message Block (SMB) sharing. [Apple macOS 26 (Tahoe) Security Technical Implementation Guide]
  • V-277086 (CAT II): The macOS system must disable Network File System (NFS) service. [Apple macOS 26 (Tahoe) Security Technical Implementation Guide]
  • V-277089 (CAT II): The macOS system must disable Unix-to-Unix Copy Protocol (UUCP) service. [Apple macOS 26 (Tahoe) Security Technical Implementation Guide]
  • V-277091 (CAT II): The macOS system must disable the built-in web server. [Apple macOS 26 (Tahoe) Security Technical Implementation Guide]
  • V-277092 (CAT II): The macOS system must disable AirDrop. [Apple macOS 26 (Tahoe) Security Technical Implementation Guide]
  • V-277102 (CAT II): The macOS system must disable Remote Apple Events. [Apple macOS 26 (Tahoe) Security Technical Implementation Guide]
  • V-277108 (CAT I): The macOS system must disable Trivial File Transfer Protocol (TFTP) service. [Apple macOS 26 (Tahoe) Security Technical Implementation Guide]
  • V-277114 (CAT II): The macOS system must disable Screen Sharing and Apple Remote Desktop. [Apple macOS 26 (Tahoe) Security Technical Implementation Guide]
  • V-277126 (CAT II): The macOS system must disable Media Sharing. [Apple macOS 26 (Tahoe) Security Technical Implementation Guide]
  • V-277127 (CAT II): The macOS system must disable Bluetooth Sharing. [Apple macOS 26 (Tahoe) Security Technical Implementation Guide]
  • V-277142 (CAT II): The macOS system must disable iPhone Mirroring. [Apple macOS 26 (Tahoe) Security Technical Implementation Guide]
  • V-277165 (CAT I): The macOS system must ensure System Integrity Protection (SIP) is enabled. [Apple macOS 26 (Tahoe) Security Technical Implementation Guide]
  • V-277172 (CAT II): The macOS system must disable Handoff. [Apple macOS 26 (Tahoe) Security Technical Implementation Guide]
  • V-277175 (CAT II): The macOS system must enable Authenticated Root. [Apple macOS 26 (Tahoe) Security Technical Implementation Guide]
  • V-204909 (CAT II): The ALG must enforce approved authorizations for logical access to information and system resources by employing identity-based, role-based, and/or attribute-based security policies. [Application Layer Gateway Security Requirements Guide]
  • V-274507 (CAT II): The API must be configured to use approved authorizations for access control. [Application Programming Interface (API) Security Requirements Guide]
  • V-222425 (CAT I): The application must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. [Application Security and Development Security Technical Implementation Guide]
  • V-204712 (CAT II): The application server must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. [Application Server Security Requirements Guide]
  • V-237322 (CAT I): The ArcGIS Server must use Windows authentication to enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. [ArcGIS for Server 10.3 Security Technical Implementation Guide]
  • V-272627 (CAT III): CylanceON-PREM must be configured to use a third-party identity provider. [Arctic Wolf CylanceON-PREM Security Technical Implementation Guide]
  • V-276005 (CAT II): Ax-OS must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. [Axonius Federal Systems Ax-OS Security Technical Implementation Guide]
  • V-79019 (CAT II): The BlackBerry Enterprise Mobility Server (BEMS) must be configured to have at least one user in the following Administrator roles: Server primary administrator, auditor. [BlackBerry Enterprise Mobility Server 2.x Security Technical Implementation Guide]
  • V-237342 (CAT II): The CA API Gateway must enforce approved authorizations for logical access to information and system resources by employing identity-based, role-based, and/or attribute-based security policies. [CA API Gateway ALG Security Technical Implementation Guide]
  • V-251584 (CAT I): IDMS must allow only authorized users to sign on to an IDMS CV. [CA IDMS Security Technical Implementation Guide]
  • V-251585 (CAT I): IDMS must enforce applicable access control policies, even after a user successfully signs on to CV. [CA IDMS Security Technical Implementation Guide]
  • V-251586 (CAT II): All installation-delivered IDMS USER-level tasks must be properly secured. [CA IDMS Security Technical Implementation Guide]
  • V-251587 (CAT II): All installation-delivered IDMS DEVELOPER-level tasks must be properly secured. [CA IDMS Security Technical Implementation Guide]
  • V-251588 (CAT II): All installation-delivered IDMS DBADMIN-level tasks must be properly secured. [CA IDMS Security Technical Implementation Guide]
  • V-251589 (CAT II): All installation-delivered IDMS DCADMIN-level tasks must be properly secured. [CA IDMS Security Technical Implementation Guide]
  • V-251590 (CAT II): All installation-delivered IDMS User-level programs must be properly secured. [CA IDMS Security Technical Implementation Guide]
  • V-251591 (CAT II): All installation-delivered IDMS Developer-level Programs must be properly secured. [CA IDMS Security Technical Implementation Guide]
  • V-251592 (CAT II): All installation-delivered IDMS Database-Administrator-level programs must be properly secured. [CA IDMS Security Technical Implementation Guide]
  • V-251593 (CAT II): All installation-delivered IDMS DC-Administrator-level programs must be properly secured. [CA IDMS Security Technical Implementation Guide]
  • V-219147 (CAT I): Ubuntu operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes. [Canonical Ubuntu 18.04 LTS Security Technical Implementation Guide]
  • V-219148 (CAT I): Ubuntu operating systems booted with Unified Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance. [Canonical Ubuntu 18.04 LTS Security Technical Implementation Guide]
  • V-238204 (CAT I): Ubuntu operating systems when booted must require authentication upon booting into single-user and maintenance modes. [Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide]
  • V-260470 (CAT I): Ubuntu 22.04 LTS, when booted, must require authentication upon booting into single-user and maintenance modes. [Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide]
  • V-270675 (CAT I): Ubuntu 24.04 LTS when booted must require authentication upon booting into single-user and maintenance modes. [Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide]
  • V-206447 (CAT I): The Central Log Server must be configured to enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. [Central Log Server Security Requirements Guide]
  • V-271927 (CAT I): The Cisco ACI must be configured to assign appropriate user roles or access levels to authenticated users. [Cisco ACI NDM Security Technical Implementation Guide]
  • V-242576 (CAT I): The Cisco ISE must enforce approved access by employing authorization policies with specific attributes; such as resource groups, device type, certificate attributes, or any other attributes that are specific to a group of endpoints, and/or mission conditions as defined in the site's Cisco ISE System Security Plan (SSP). This is required for compliance with C2C Step 4. [Cisco ISE NAC Security Technical Implementation Guide]
  • V-242577 (CAT I): The Cisco ISE must be configured to profile endpoints connecting to the network. This is required for compliance with C2C Step 4. [Cisco ISE NAC Security Technical Implementation Guide]
  • V-242578 (CAT I): The Cisco ISE must verify host-based firewall software is running on posture required clients defined in the NAC System Security Plan (SSP) prior to granting trusted network access. This is required for compliance with C2C Step 4. [Cisco ISE NAC Security Technical Implementation Guide]
  • V-242579 (CAT I): The Cisco ISE must verify anti-malware software is installed and up to date on posture required clients defined in the NAC System Security Plan (SSP) prior to granting trusted network access. This is required for compliance with C2C Step 4. [Cisco ISE NAC Security Technical Implementation Guide]
  • V-242580 (CAT I): The Cisco ISE must verify host-based IDS/IPS software is authorized and running on posture required clients defined in the NAC System Security Plan (SSP) prior to granting trusted network access. This is required for compliance with C2C Step 4. [Cisco ISE NAC Security Technical Implementation Guide]
  • V-242581 (CAT II): For endpoints that require automated remediation, the Cisco ISE must be configured to redirect endpoints to a logically separate VLAN for remediation services. This is required for compliance with C2C Step 4. [Cisco ISE NAC Security Technical Implementation Guide]
  • V-242582 (CAT III): The Cisco ISE must be configured to notify the user before proceeding with remediation of the user's endpoint device when automated remediation is used. This is required for compliance with C2C Step 3. [Cisco ISE NAC Security Technical Implementation Guide]
  • V-242583 (CAT II): The Cisco ISE must be configured so that all endpoints that are allowed to bypass policy assessment are approved by the Information System Security Manager (ISSM) and documented in the System Security Plan (SSP). This is required for compliance with C2C Step 1. [Cisco ISE NAC Security Technical Implementation Guide]
  • V-242584 (CAT II): The Cisco ISE must send an alert to the Information System Security Manager (ISSM) and System Administrator (SA), at a minimum, when security issues are found that put the network at risk. This is required for compliance with C2C Step 2. [Cisco ISE NAC Security Technical Implementation Guide]
  • V-242585 (CAT II): When endpoints fail the policy assessment, the Cisco ISE must create a record with sufficient detail suitable for forwarding to a remediation server for automated remediation or sending to the user for manual remediation. This is required for compliance with C2C Step 3. [Cisco ISE NAC Security Technical Implementation Guide]
  • V-242586 (CAT II): The Cisco ISE must place client machines on the blacklist and terminate the agent connection when critical security issues are found that put the network at risk. This is required for compliance with C2C Step 4. [Cisco ISE NAC Security Technical Implementation Guide]
  • V-242587 (CAT II): The Cisco ISE must be configured so client machines do not communicate with other network devices in the DMZ or subnet except as needed to perform an access client assessment or to identify themselves. This is required for compliance with C2C Step 2. [Cisco ISE NAC Security Technical Implementation Guide]
  • V-242588 (CAT II): The Cisco ISE must deny or restrict access for endpoints that fail required posture checks. This is required for compliance with C2C Step 4. [Cisco ISE NAC Security Technical Implementation Guide]
  • V-234252 (CAT II): Citrix StoreFront server must accept Personal Identity Verification (PIV) credentials. [Citrix Virtual Apps and Desktop 7.x StoreFront Security Technical Implementation Guide]
  • V-213211 (CAT II): XenDesktop StoreFront must accept Personal Identity Verification (PIV) credentials. [Citrix XenDesktop 7.x StoreFront Security Technical Implementation Guide]
  • V-81431 (CAT II): XenDesktop StoreFront must accept Personal Identity Verification (PIV) credentials. [Citrix XenDesktop v7.x StoreFront Security Technical Implementation Guide]
  • V-269136 (CAT II): AlmaLinux OS 9 must require authentication to access emergency mode. [Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide]
  • V-269137 (CAT II): AlmaLinux OS 9 must require a boot loader password. [Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide]
  • V-269138 (CAT II): AlmaLinux OS 9 must require a unique superuser's name upon booting into single-user and maintenance modes. [Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide]
  • V-269139 (CAT II): AlmaLinux OS 9 must require authentication to access single-user mode. [Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide]
  • V-233026 (CAT II): Least privilege access and need-to-know must be required to access the container platform registry. [Container Platform Security Requirements Guide]
  • V-233027 (CAT II): Least privilege access and need-to-know must be required to access the container platform runtime. [Container Platform Security Requirements Guide]
  • V-233028 (CAT II): Least privilege access and need-to-know must be required to access the container platform keystore. [Container Platform Security Requirements Guide]
  • V-233520 (CAT I): PostgreSQL must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. [Crunchy Data PostgreSQL Security Technical Implementation Guide]
  • V-261859 (CAT I): PostgreSQL must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. [Crunchy Data Postgres 16 Security Technical Implementation Guide]
  • V-206521 (CAT I): The DBMS must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. [Database Security Requirements Guide]
  • V-269769 (CAT I): The Dell OS10 Switch must be configured to assign appropriate user roles or access levels to authenticated users. [Dell OS10 Switch NDM Security Technical Implementation Guide]
  • V-235781 (CAT II): A policy set using the built-in role-based access control (RBAC) capabilities in the Universal Control Plane (UCP) component of Docker Enterprise must be configured. [Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide]
  • V-235782 (CAT II): A policy set using the built-in role-based access control (RBAC) capabilities in the Docker Trusted Registry (DTR) component of Docker Enterprise must be set. [Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide]
  • V-235783 (CAT II): Docker Enterprise sensitive host system directories must not be mounted on containers. [Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide]
  • V-279953 (CAT II): The DNS server implementation must provide the means for authorized individuals to determine the identity of the source of the DNS server-provided information. [Domain Name System (DNS) Security Requirements Guide]
  • V-279954 (CAT II): The private key corresponding to the ZSK, stored on name servers accepting dynamic updates, must have appropriate directory/file-level access control list-based or cryptography-based protections. [Domain Name System (DNS) Security Requirements Guide]
  • V-224132 (CAT I): The EDB Postgres Advanced Server must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. [EDB Postgres Advanced Server v11 on Windows Security Technical Implementation Guide]
  • V-213563 (CAT I): The EDB Postgres Advanced Server must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. [EDB Postgres Advanced Server v9.6 Security Technical Implementation Guide]
  • V-259940 (CAT II): The Enterprise Voice, Video, and Messaging Endpoint must not be configured with any vendor default accounts, PINs, or passwords to access configuration settings. [Enterprise Voice, Video, and Messaging Endpoint Security Requirements Guide]
  • V-259941 (CAT II): The Enterprise Voice, Video, and Messaging Endpoint must be configured to prevent the configuration or display of configuration settings without the use of a PIN or password. [Enterprise Voice, Video, and Messaging Endpoint Security Requirements Guide]
  • V-259942 (CAT I): The Enterprise Voice, Video, and Messaging Endpoint must be configured to register with an Enterprise Voice, Video, and Messaging Session Manager. [Enterprise Voice, Video, and Messaging Endpoint Security Requirements Guide]
  • V-259988 (CAT I): The Enterprise Voice, Video, and Messaging Session Manager must disable (prevent) auto-registration of Voice Video Endpoints. [Enterprise Voice, Video, and Messaging Session Management Security Requirements Guide]
  • V-259212 (CAT I): The EDB Postgres Advanced Server must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. [EnterpriseDB Postgres Advanced Server (EPAS) Security Technical Implementation Guide]
  • V-215714 (CAT II): The BIG-IP APM module must enforce approved authorizations for logical access to information and system resources by employing identity-based, role-based, and/or attribute-based security policies. [F5 BIG-IP Access Policy Manager Security Technical Implementation Guide]
  • V-260057 (CAT II): The F5 BIG-IP appliance must enforce approved authorizations for logical access to resources by explicitly configuring assigned resources with an authorization list. [F5 BIG-IP Access Policy Manager Security Technical Implementation Guide]
  • V-217387 (CAT I): The BIG-IP appliance must be configured to enforce the assigned privilege level for each administrator and authorizations for access to all commands relative to the privilege level in accordance with applicable policy for the device. [F5 BIG-IP Device Management Security Technical Implementation Guide]
  • V-215738 (CAT II): The BIG-IP Core implementation must be configured to enforce approved authorizations for logical access to information and system resources by employing identity-based, role-based, and/or attribute-based security policies. [F5 BIG-IP Local Traffic Manager Security Technical Implementation Guide]
  • V-266143 (CAT I): The F5 BIG-IP appliance providing user access control intermediary services must enforce approved authorizations for logical access to information and system resources by employing identity-based, role-based, and/or attribute-based security policies. [F5 BIG-IP TMOS ALG Security Technical Implementation Guide]
  • V-266067 (CAT I): The F5 BIG-IP appliance must be configured to assign appropriate user roles or access levels to authenticated users. [F5 BIG-IP TMOS NDM Security Technical Implementation Guide]
  • V-278382 (CAT II): The NGINX service account must be configured to not have shell access. [F5 NGINX Security Technical Implementation Guide]
  • V-233309 (CAT I): Forescout must enforce approved access by employing admissions assessment filters that include, at a minimum, device attributes such as type, IP address, resource group, and/or mission conditions as defined in Forescout System Security Plan (SSP). This is required for compliance with C2C Step 4. [Forescout Network Access Control Security Technical Implementation Guide]
  • V-233310 (CAT I): Endpoint policy assessment must proceed after the endpoint attempting access has been identified using an approved identification method such as IP address. This is required for compliance with C2C Step 2. [Forescout Network Access Control Security Technical Implementation Guide]
  • V-233311 (CAT I): For endpoints that require automated remediation, Forescout must be configured to logically separate endpoints from the trusted network traffic during remediation. This is required for compliance with C2C Step 4. [Forescout Network Access Control Security Technical Implementation Guide]
  • V-233312 (CAT I): If a device requesting access fails Forescout policy assessment, Forescout must communicate with other components and the switch to either terminate the session or isolate the device from the trusted network for remediation. This is required for compliance with C2C Step 3. [Forescout Network Access Control Security Technical Implementation Guide]
  • V-233313 (CAT II): Forescout must be configured to notify the user before proceeding with remediation of the user's endpoint device when automated remediation is used. This is required for compliance with C2C Step 3. [Forescout Network Access Control Security Technical Implementation Guide]
  • V-233314 (CAT I): Forescout must be configured so that all client machines are assessed by Forescout with exceptions that are allowed to bypass Forescout based on account or account type, as approved by the information system security manager (ISSM) and documented in the System Security Plan (SSP). This is required for compliance with C2C Step 1. [Forescout Network Access Control Security Technical Implementation Guide]
  • V-233317 (CAT II): When devices fail the policy assessment, Forescout must create a record with sufficient detail suitable for forwarding to a remediation server for automated remediation or sending to the user for manual remediation. This is required for compliance with C2C Step 3. [Forescout Network Access Control Security Technical Implementation Guide]
  • V-233318 (CAT I): Forescout must place client machines on a blacklist or terminate network communications on devices when critical security issues are found that put the network at risk. This is required for compliance with C2C Step 4. [Forescout Network Access Control Security Technical Implementation Guide]
  • V-233319 (CAT II): Forescout must be configured so client machines do not communicate with other network devices in the DMZ or subnet except as needed to perform an access client assessment or to identify themselves. This is required for compliance with C2C Step 2. [Forescout Network Access Control Security Technical Implementation Guide]
  • V-233320 (CAT II): Forescout must enforce the revocation of endpoint access authorizations when devices are removed from an authorization group. This is required for compliance with C2C Step 4. [Forescout Network Access Control Security Technical Implementation Guide]
  • V-233321 (CAT II): Forescout must enforce the revocation of endpoint access authorizations at the next compliance assessment interval based on changes to the compliance assessment security policy. This is required for compliance with C2C Step 4. [Forescout Network Access Control Security Technical Implementation Guide]
  • V-233322 (CAT II): Forescout must deny or restrict access for endpoints that fail critical endpoint security checks. This is required for compliance with C2C Step 4. [Forescout Network Access Control Security Technical Implementation Guide]
  • V-203636 (CAT II): The operating system must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. [General Purpose Operating System Security Requirements Guide]
  • V-258469 (CAT I): The Google Android 13 BYOAD and DOD enterprise must be configured to limit access to only AO-approved, corporate-owned enterprise IT resources. [Google Android 13 MDFPP 3.3 BYOAD Security Technical Implementation Guide]
  • V-260069 (CAT II): The Google Android 14 BYOAD and DOD enterprise must be configured to limit access to only AO-approved, corporate-owned enterprise IT resources. [Google Android 14 BYOAD Security Technical Implementation Guide]
  • V-217431 (CAT I): The HP FlexFabric Switch must enforce the assigned privilege level for each administrator and authorizations for access to all commands relative to the privilege level in accordance with applicable policy for the device. [HP FlexFabric Switch NDM Security Technical Implementation Guide]
  • V-266909 (CAT I): AOS must be configured to assign appropriate user roles or access levels to authenticated users. [HPE Aruba Networking AOS NDM Security Technical Implementation Guide]
  • V-268222 (CAT I): The HYCU virtual appliance must enforce the assigned privilege level for each administrator and authorizations for access to all commands relative to the privilege level in accordance with applicable policy for the device. [HYCU Protege Security Technical Implementation Guide]
  • V-215404 (CAT II): AIX must turn on enhanced Role-Based Access Control (RBAC) to isolate security functions from nonsecurity functions, to grant system privileges to other operating system admins, and prohibit user installation of system software without explicit privileged status. [IBM AIX 7.x Security Technical Implementation Guide]
  • V-252595 (CAT II): The IBM Aspera Faspex Server must restrict users from using transfer services by default. [IBM Aspera Platform 4.2 Security Technical Implementation Guide]
  • V-252596 (CAT II): The IBM Aspera Faspex Server must restrict users read, write, and browse permissions by default. [IBM Aspera Platform 4.2 Security Technical Implementation Guide]
  • V-252618 (CAT II): The IBM Aspera High-Speed Transfer Endpoint must enable password protection of the node database. [IBM Aspera Platform 4.2 Security Technical Implementation Guide]
  • V-252624 (CAT II): The IBM Aspera High-Speed Transfer Endpoint must restrict users from using transfer services by default. [IBM Aspera Platform 4.2 Security Technical Implementation Guide]
  • V-252625 (CAT II): The IBM Aspera High-Speed Transfer Endpoint must restrict users read, write, and browse permissions by default. [IBM Aspera Platform 4.2 Security Technical Implementation Guide]
  • V-252633 (CAT II): The IBM Aspera High-Speed Transfer Server must enable password protection of the node database. [IBM Aspera Platform 4.2 Security Technical Implementation Guide]
  • V-252643 (CAT II): The IBM Aspera High-Speed Transfer Server must restrict users from using transfer services by default. [IBM Aspera Platform 4.2 Security Technical Implementation Guide]
  • V-252644 (CAT II): The IBM Aspera High-Speed Transfer Server must restrict users read, write, and browse permissions by default. [IBM Aspera Platform 4.2 Security Technical Implementation Guide]
  • V-213672 (CAT II): DB2 must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. [IBM DB2 V10.5 LUW Security Technical Implementation Guide]
  • V-64979 (CAT II): The DataPower Gateway must enforce approved authorizations for logical access to information and system resources by employing identity-based, role-based, and/or attribute-based security policies. [IBM DataPower ALG Security Technical Implementation Guide]
  • V-64981 (CAT II): The DataPower Gateway must enforce the assigned privilege level for each administrator and authorizations for access to all commands relative to the privilege level in accordance with applicable policy for the device. [IBM DataPower Network Device Management Security Technical Implementation Guide]
  • V-24354 (CAT II): Predefined task roles to the Hardware Management Console (HMC) must be specified to limit capabilities of individual users. [IBM Hardware Management Console (HMC) STIG]
  • V-24379 (CAT II): On Classified Systems, Logical Partition must be restricted with read/write access to only its own IOCDS. [IBM Hardware Management Console (HMC) STIG]
  • V-24381 (CAT I): Classified Logical Partition (LPAR) channel paths must be restricted. [IBM Hardware Management Console (HMC) STIG]
  • V-24382 (CAT II): On Classified Systems the Processor Resource/Systems Manager (PR/SM) must not allow access to system complex data. [IBM Hardware Management Console (HMC) STIG]
  • V-24383 (CAT I): Central processors must be restricted for classified/restricted Logical Partitions (LPARs). [IBM Hardware Management Console (HMC) STIG]
  • V-256863 (CAT II): On Classified Systems, Logical Partition must be restricted with read/write access to only its own IOCDS. [IBM Hardware Management Console (HMC) Security Technical Implementation Guide]
  • V-256864 (CAT II): Processor Resource/Systems Manager (PR/SM) must not allow unrestricted issuing of control program commands. [IBM Hardware Management Console (HMC) Security Technical Implementation Guide]
  • V-256865 (CAT I): Classified Logical Partition (LPAR) channel paths must be restricted. [IBM Hardware Management Console (HMC) Security Technical Implementation Guide]
  • V-256866 (CAT II): On Classified Systems the Processor Resource/Systems Manager (PR/SM) must not allow access to system complex data. [IBM Hardware Management Console (HMC) Security Technical Implementation Guide]
  • V-256867 (CAT I): Central processors must be restricted for classified/restricted Logical Partitions (LPARs). [IBM Hardware Management Console (HMC) Security Technical Implementation Guide]
  • V-256876 (CAT II): Predefined task roles to the Hardware Management Console (HMC) must be specified to limit capabilities of individual users. [IBM Hardware Management Console (HMC) Security Technical Implementation Guide]
  • V-250326 (CAT I): Users in the REST API admin role must be authorized. [IBM WebSphere Liberty Server Security Technical Implementation Guide]
  • V-255828 (CAT II): The WebSphere Application Server users in a local user registry group must be authorized for that group. [IBM WebSphere Traditional V9.x Security Technical Implementation Guide]
  • V-255833 (CAT I): The WebSphere Application Server Java 2 security must be enabled. [IBM WebSphere Traditional V9.x Security Technical Implementation Guide]
  • V-255834 (CAT I): The WebSphere Application Server Java 2 security must not be bypassed. [IBM WebSphere Traditional V9.x Security Technical Implementation Guide]
  • V-255835 (CAT II): The WebSphere Application Server users in the admin role must be authorized. [IBM WebSphere Traditional V9.x Security Technical Implementation Guide]
  • V-255836 (CAT II): The WebSphere Application Server LDAP groups must be authorized for the WebSphere role. [IBM WebSphere Traditional V9.x Security Technical Implementation Guide]
  • V-223423 (CAT II): The number of ACF2 users granted the special privilege PPGM must be justified. [IBM z/OS ACF2 Security Technical Implementation Guide]
  • V-223424 (CAT III): The number of ACF2 users granted the special privilege OPERATOR must be kept to a strictly controlled minimum. [IBM z/OS ACF2 Security Technical Implementation Guide]
  • V-223425 (CAT III): The number of ACF2 users granted the special privilege CONSOLE must be justified. [IBM z/OS ACF2 Security Technical Implementation Guide]
  • V-223426 (CAT II): The number of ACF2 users granted the special privilege ALLCMDS must be justified. [IBM z/OS ACF2 Security Technical Implementation Guide]
  • V-223427 (CAT II): IBM z/OS system commands must be properly protected. [IBM z/OS ACF2 Security Technical Implementation Guide]
  • V-223428 (CAT II): IBM z/OS Sensitive Utility Controls must be properly defined and protected. [IBM z/OS ACF2 Security Technical Implementation Guide]
  • V-223429 (CAT II): CA-ACF2 NJE GSO record value must indicate validation options that apply to jobs
submitted through a network job entry subsystem (JES2, JES3, RSCS).IBM z/OS ACF2 Security Technical Implementation GuideV-223430CAT IICA-ACF2 must protect Memory and privileged program dumps in accordance with proper security requirements.IBM z/OS ACF2 Security Technical Implementation GuideV-223431CAT IICA-ACF2 must properly define users that have access to the CONSOLE resource in the TSOAUTH resource class.IBM z/OS ACF2 Security Technical Implementation GuideV-223433CAT IICA-ACF2 must limit access to SYSTEM DUMP data sets to appropriate authorized users.IBM z/OS ACF2 Security Technical Implementation GuideV-223434CAT IICA-ACF2 must limit access to SYS(x).TRACE to system programmers only.IBM z/OS ACF2 Security Technical Implementation GuideV-223435CAT IICA-ACF2 allocate access to system user catalogs must be properly protected.IBM z/OS ACF2 Security Technical Implementation GuideV-223436CAT IIACF2 Classes required to properly security the z/OS UNIX environment must be ACTIVE.IBM z/OS ACF2 Security Technical Implementation GuideV-223437CAT IIAccess to IBM z/OS special privilege TAPE-LBL or TAPE-BLP must be limited and/or justified.IBM z/OS ACF2 Security Technical Implementation GuideV-223438CAT IICA-ACF2 must limit access to System page data sets (i.e., PLPA, COMMON, and LOCALx) to system programmers.IBM z/OS ACF2 Security Technical Implementation GuideV-223439CAT IIBM z/OS must protect dynamic lists in accordance with proper security requirements.IBM z/OS ACF2 Security Technical Implementation GuideV-223440CAT IIBM z/OS Libraries included in the system REXXLIB concatenation must be properly protected.IBM z/OS ACF2 Security Technical Implementation GuideV-223441CAT ICA-ACF2 must limit Write or greater access to SYS1.UADS To system programmers only and read and update access must be limited to system programmer personnel and/or security personnel.IBM z/OS ACF2 Security Technical Implementation GuideV-223442CAT ICA-ACF2 must limit all system PROCLIB data sets to 
appropriate authorized users.IBM z/OS ACF2 Security Technical Implementation GuideV-223443CAT ICA-ACF2 access to the System Master Catalog must be properly protected.IBM z/OS ACF2 Security Technical Implementation GuideV-223444CAT IIIBM z/OS MCS consoles access authorization(s) for CONSOLE resource(s) must be properly protected.IBM z/OS ACF2 Security Technical Implementation GuideV-223445CAT ICA-ACF2 must limit Write or greater access to SYS1.NUCLEUS to system programmers only.IBM z/OS ACF2 Security Technical Implementation GuideV-223446CAT ICA-ACF2 must limit Write or greater access to SYS1.LPALIB to system programmers only.IBM z/OS ACF2 Security Technical Implementation GuideV-223447CAT ICA-ACF2 must limit Write or greater access to SYS1.IMAGELIB to system programmers.IBM z/OS ACF2 Security Technical Implementation GuideV-223448CAT ICA-ACF2 must limit Write or greater access to Libraries containing EXIT modules to system programmers only.IBM z/OS ACF2 Security Technical Implementation Guide