STIGhub
A free tool to search and browse the entire DISA STIG library.
© 2026 Beacon Cloud Solutions, Inc.

CCI-000382

Definition

Configure the system to prohibit or restrict the use of organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services.
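On a host, this CCI is verified by comparing what is actually listening or enabled with the organization's approved list (for DoD systems, the Ports, Protocols, and Services Management Category Assurance List, PPSM CAL) and treating anything outside it as a finding. The shell script below is an added example, not STIGhub's text and not the check or fix procedure of any DISA STIG: it parses `ss -tulnH` output (iproute2; `-H` suppresses the header) and reports every listening TCP/UDP port that is absent from an allowlist. The allowlist contents, the sample socket table, and the function names (`find_unapproved`, `audit_sample`, `audit_live`, `report`) are constructed for this example.

```shell
#!/bin/sh
# Added example (not from STIGhub or any DISA STIG): audit listening sockets
# against a site allowlist, the on-host half of a CM-7 / CCI-000382 check.
# Assumptions: the allowlist is "proto/port" lines derived from the approved
# list (the PPSM CAL for DoD systems); input is `ss -tulnH` output, i.e.
#   Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port [Process]
# The allowlist and the sample socket table below are constructed for the example.

# Hypothetical site allowlist: sshd, HTTPS, and NTP only.
ALLOWED_PORTS="tcp/22
tcp/443
udp/123"

# find_unapproved: reads ss -tulnH lines on stdin and prints one "proto/port"
# for each listening socket whose proto/port is not in ALLOWED_PORTS.
# The same port bound on IPv4 and IPv6 is reported once.
find_unapproved() {
    awk -v allowed="$ALLOWED_PORTS" '
    BEGIN {
        n = split(allowed, a, "\n")
        for (i = 1; i <= n; i++) if (a[i] != "") ok[a[i]] = 1
    }
    $1 == "Netid" { next }            # tolerate a header line if -H was forgotten
    NF >= 5 {
        proto = $1
        sub(/6$/, "", proto)          # netstat-style tcp6/udp6 -> tcp/udp
        port = $5
        sub(/.*:/, "", port)          # text after the last colon: "[::]:22" -> 22
        key = proto "/" port
        if (!(key in ok) && !(key in seen)) { seen[key] = 1; print key }
    }'
}

# Constructed sample of ss -tulnH output: chrony, sshd and nginx (approved),
# plus a local MTA on 25 and rpcbind on 111 that are not on the allowlist.
SAMPLE_SOCKETS='udp   UNCONN 0      0           0.0.0.0:123       0.0.0.0:*
tcp   LISTEN 0      128         0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      128            [::]:22           [::]:*
tcp   LISTEN 0      511         0.0.0.0:443       0.0.0.0:*
tcp   LISTEN 0      100       127.0.0.1:25        0.0.0.0:*
tcp   LISTEN 0      4096              *:111             *:*'

# audit_sample: runs the check over the constructed sample.
audit_sample() {
    printf '%s\n' "$SAMPLE_SOCKETS" | find_unapproved
}

# audit_live: the same check against the running host (needs iproute2 ss).
audit_live() {
    ss -tulnH | find_unapproved
}

# report: runs the audit function named in $1, prints the result and returns
# 1 when anything unapproved is listening (a finding) or 0 when compliant.
report() {
    findings=$("$@")
    if [ -n "$findings" ]; then
        printf 'Finding: unapproved listening ports:\n%s\n' "$findings"
        return 1
    fi
    echo "No unapproved listening ports."
}

# Against the sample:    report audit_sample
# Against this host:     report audit_live
```

Note that a loopback-only listener (127.0.0.1:25 in the sample) is still reported; whether it is acceptable is a decision for the reviewer against the approved list, not something the script should silence. This covers listening sockets only: the host firewall state required by the Linux checks listed below (firewalld installed and active, the NixOS built-in firewall enabled) is verified separately, for example with `systemctl is-active firewalld`, and the network-device NDM checks are performed on the device's own CLI.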

Parent Control

CM-7, Least Functionality (Configuration Management family)

Linked STIG Checks (200)

  • V-237037 (CAT II): The A10 Networks ADC must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services as defined in the PPSM CAL and vulnerability assessments. [A10 Networks ADC ALG STIG]
  • V-255595 (CAT II): The A10 Networks ADC must disable management protocol access to all interfaces except the management interface. [A10 Networks ADC NDM STIG]
  • V-204657 (CAT I): AAA Services must be configured to use secure protocols when connecting to directory services. [AAA Services SRG]
  • V-204658 (CAT I): AAA Services must be configured to use protocols that encrypt credentials when authenticating clients, as defined in the PPSM CAL and vulnerability assessments. [AAA Services SRG]
  • V-204659 (CAT II): AAA Services must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. [AAA Services SRG]
  • V-279054 (CAT II): ColdFusion must restrict unauthorized remote access to the ColdFusion Administrator Console and ensure all ports used are approved and properly secured. [Adobe ColdFusion STIG]
  • V-274027 (CAT II): Amazon Linux 2023 must have the firewalld package installed. [Amazon Linux 2023 STIG]
  • V-274028 (CAT II): Amazon Linux 2023 must have the firewalld service active. [Amazon Linux 2023 STIG]
  • V-274158 (CAT II): Amazon Linux 2023 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL) and vulnerability assessments. [Amazon Linux 2023 STIG]
  • V-268078 (CAT II): NixOS must enable the built-in firewall. [Anduril NixOS STIG]
  • V-214246 (CAT II): The Apache web server must be configured to use a specified IP address and port. [Apache Server 2.4 UNIX Server STIG]
  • V-214285 (CAT II): The Apache web server must be configured to use a specified IP address and port. [Apache Server 2.4 UNIX Site STIG]
  • V-214326 (CAT II): The Apache web server must be configured to use a specified IP address and port. [Apache Server 2.4 Windows Server STIG]
  • V-222961 (CAT II): Applications in privileged mode must be approved by the ISSO. [Apache Tomcat Application Server 9 STIG]
  • V-257102 (CAT II): The DOD Mobile Service Provider must not allow BYOADs in facilities where personally owned mobile devices are prohibited. [Apple iOS/iPad OS 16 MDFPP 3.3 BYOAD STIG]
  • V-257103 (CAT II): The iOS/iPadOS 16 BYOAD must be configured to disable device cameras and/or microphones when brought into DOD facilities where mobile phone cameras and/or microphones are prohibited. [Apple iOS/iPad OS 16 MDFPP 3.3 BYOAD STIG]
  • V-259757 (CAT II): The DOD Mobile Service Provider must not allow BYOADs in facilities where personally owned mobile devices are prohibited. [Apple iOS/iPadOS 17 BYOAD STIG]
  • V-259758 (CAT II): The iOS/iPadOS 17 BYOAD must be configured to disable device cameras and/or microphones when brought into DOD facilities where mobile phone cameras and/or microphones are prohibited. [Apple iOS/iPadOS 17 BYOAD STIG]
  • V-252494 (CAT II): The macOS system must be configured to disable sending diagnostic and usage data to Apple. [Apple macOS 12 (Monterey) STIG]
  • V-252495 (CAT II): The macOS system must be configured to disable Remote Apple Events. [Apple macOS 12 (Monterey) STIG]
  • V-257200 (CAT II): The macOS system must be configured to disable sending diagnostic and usage data to Apple. [Apple macOS 13 (Ventura) STIG]
  • V-257201 (CAT II): The macOS system must be configured to disable Remote Apple Events. [Apple macOS 13 (Ventura) STIG]
  • V-268495 (CAT II): The macOS system must disable Remote Apple Events. [Apple macOS 15 (Sequoia) STIG]
  • V-277102 (CAT II): The macOS system must disable Remote Apple Events. [Apple macOS 26 (Tahoe) STIG]
  • V-204944 (CAT II): The ALG must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. [Application Layer Gateway SRG]
  • V-274785 (CAT II): API services identified within the system as unnecessary and/or nonsecure must be disabled. [Application Programming Interface (API) SRG]
  • V-222519 (CAT II): The application must be configured to use only functions, ports, and protocols permitted to it in the PPSM CAL. [Application Security and Development STIG]
  • V-204744 (CAT II): The application server must prohibit or restrict the use of nonsecure ports, protocols, modules, and/or services as defined in the PPSM CAL and vulnerability assessments. [Application Server SRG]
  • V-237326 (CAT II): The ArcGIS Server must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. [ArcGIS for Server 10.3 STIG]
  • V-272629 (CAT I): CylanceON-PREM must be configured to use TLS 1.2 or higher. [Arctic Wolf CylanceON-PREM STIG]
  • V-217365 (CAT II): The Arista Multilayer Switch must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. [Arista MLS DCS-7000 Series NDM STIG]
  • V-255952 (CAT I): The Arista network device must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services. [Arista MLS EOS 4.2x NDM STIG]
  • V-255952 (CAT I): The Arista network device must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services. [Arista MLS EOS 4.X NDM STIG]
  • V-256841 (CAT I): Compliance Guardian must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access. [AvePoint Compliance Guardian STIG]
  • V-256843 (CAT II): Compliance Guardian must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. [AvePoint Compliance Guardian STIG]
  • V-253514 (CAT II): DocAve must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. [AvePoint DocAve 6 STIG]
  • V-272419 (CAT II): The BIND 9.x server implementation must be configured to use only approved ports and protocols. [BIND 9.x STIG]
  • V-79009 (CAT II): The BlackBerry Enterprise Mobility Server (BEMS) platform must be protected by a DoD-approved firewall. [BlackBerry Enterprise Mobility Server 2.x STIG]
  • V-79011 (CAT II): The firewall protecting the BlackBerry Enterprise Mobility Server (BEMS) must be configured to restrict all network traffic to and from all addresses with the exception of ports, protocols, and IP address ranges required to support BEMS functions. [BlackBerry Enterprise Mobility Server 2.x STIG]
  • V-79013 (CAT II): The firewall protecting the BlackBerry Enterprise Mobility Server (BEMS) must be configured so that only DoD-approved ports, protocols, and services are enabled. See the DoD Ports, Protocols, Services Management (PPSM) Category Assurance Levels (CAL) list for DoD-approved ports, protocols, and services. [BlackBerry Enterprise Mobility Server 2.x STIG]
  • V-254709 (CAT II): The BlackBerry Enterprise Mobility Server (BEMS) platform must be protected by a DOD-approved firewall. [BlackBerry Enterprise Mobility Server 3.x STIG]
  • V-254710 (CAT II): The firewall protecting the BEMS must be configured to restrict all network traffic to and from all addresses with the exception of ports, protocols, and IP address ranges required to support BEMS functions. [BlackBerry Enterprise Mobility Server 3.x STIG]
  • V-254711 (CAT II): The firewall protecting the BlackBerry Enterprise Mobility Server (BEMS) must be configured so that only DOD-approved ports, protocols, and services are enabled. [BlackBerry Enterprise Mobility Server 3.x STIG]
  • V-224382 (CAT II): The BlackBerry UEM server platform must be protected by a DoD-approved firewall. [BlackBerry UEM STIG]
  • V-224383 (CAT II): The firewall protecting the BlackBerry UEM server platform must be configured to restrict all network traffic to and from all addresses with the exception of ports, protocols, and IP address ranges required to support BlackBerry UEM server and platform functions. [BlackBerry UEM STIG]
  • V-224384 (CAT II): The firewall protecting the BlackBerry UEM server platform must be configured so that only DoD-approved ports, protocols, and services are enabled. (See the DoD Ports, Protocols, Services Management [PPSM] Category Assurance Levels [CAL] list for DoD-approved ports, protocols, and services.) [BlackBerry UEM STIG]
  • V-224387 (CAT II): The BlackBerry UEM server BlackBerry Web Services must not be authorized access from external sources unnecessarily. [BlackBerry UEM STIG]
  • V-237361 (CAT II): The CA API Gateway must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services as defined in the PPSM CAL and vulnerability assessments. [CA API Gateway ALG STIG]
  • V-251611 (CAT II): IDMS nodes, lines, and pterms must be protected from unauthorized use. [CA IDMS STIG]
  • V-219334 (CAT II): The Ubuntu operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. [Canonical Ubuntu 18.04 LTS STIG]
  • V-238328 (CAT II): The Ubuntu operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. [Canonical Ubuntu 20.04 LTS STIG]
  • V-260518 (CAT II): Ubuntu 22.04 LTS must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. [Canonical Ubuntu 22.04 LTS STIG]
  • V-270719 (CAT II): Ubuntu 24.04 LTS must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL) and vulnerability assessments. [Canonical Ubuntu 24.04 LTS STIG]
  • V-271920 (CAT I): The Cisco ACI must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services. [Cisco ACI NDM STIG]
  • V-271972 (CAT II): The Cisco ACI must be configured to disable the auxiliary USB port. [Cisco ACI NDM STIG]
  • V-239911 (CAT I): The Cisco ASA must be configured to prohibit the use of all unnecessary and/or non-secure functions, ports, protocols, and/or services. [Cisco ASA NDM STIG]
  • V-239952 (CAT II): The Cisco ASA must be configured to use Internet Key Exchange v2 (IKEv2) for all IPsec security associations. [Cisco ASA VPN STIG]
  • V-215678 (CAT I): The Cisco router must be configured to prohibit the use of all unnecessary and nonsecure functions and services. [Cisco IOS Router NDM STIG]
  • V-220586 (CAT I): The Cisco switch must be configured to prohibit the use of all unnecessary and non-secure functions and services. [Cisco IOS Switch NDM STIG]
  • V-215823 (CAT I): The Cisco router must be configured to prohibit the use of all unnecessary and nonsecure functions and services. [Cisco IOS XE Router NDM STIG]
  • V-220534 (CAT I): The Cisco switch must be configured to prohibit the use of all unnecessary and nonsecure functions and services. [Cisco IOS XE Switch NDM STIG]
  • V-216529 (CAT I): The Cisco router must be configured to prohibit the use of all unnecessary and nonsecure functions and services. [Cisco IOS XR Router NDM STIG]
  • V-242640 (CAT I): The Cisco ISE must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services. [Cisco ISE NDM STIG]
  • V-242641 (CAT I): The Cisco ISE must be configured to disable Wireless Setup for production systems. [Cisco ISE NDM STIG]
  • V-220486 (CAT I): The Cisco switch must be configured to prohibit the use of all unnecessary and nonsecure functions and services. [Cisco NX OS Switch NDM STIG]
  • V-234565 (CAT I): Citrix Delivery Controller must implement DoD-approved encryption. [Citrix Virtual Apps and Desktop 7.x Delivery Controller STIG]
  • V-234259 (CAT II): Citrix Linux Virtual Delivery Agent (LVDA) must be configured to prohibit or restrict the use of ports, as defined in the PPSM CAL and vulnerability assessments. [Citrix Virtual Apps and Desktop 7.x Linux Virtual Delivery Agent STIG]
  • V-234254 (CAT II): Citrix Windows Virtual Delivery Agent must be configured to prohibit or restrict the use of ports, as defined in the PPSM CAL and vulnerability assessments. [Citrix Virtual Apps and Desktop 7.x Windows Virtual Delivery Agent STIG]
  • V-213208 (CAT I): Citrix Receiver must implement DoD-approved encryption. [Citrix XenDesktop 7.x Receiver STIG]
  • V-213214 (CAT II): Citrix Windows Virtual Delivery Agent must be configured to prohibit or restrict the use of ports, as defined in the PPSM CAL and vulnerability assessments. [Citrix XenDesktop 7.x Windows VDA STIG]
  • V-81435 (CAT II): Citrix Windows Virtual Delivery Agent must be configured to prohibit or restrict the use of ports, as defined in the PPSM CAL and vulnerability assessments. [Citrix XenDesktop 7.x Windows Virtual Delivery Agent STIG]
  • V-259874 (CAT II): The Mission Owner must configure the Infrastructure as a Service (IaaS)/Platform as a Service (PaaS) to prohibit or restrict the use of functions, ports, protocols, and/or services. [Cloud Computing Mission Owner Operating System SRG]
  • V-269245 (CAT II): The firewalld service on AlmaLinux OS 9 must be active. [Cloud Linux AlmaLinux OS 9 STIG]
  • V-269358 (CAT II): AlmaLinux OS 9 must have the firewalld package installed. [Cloud Linux AlmaLinux OS 9 STIG]
  • V-233073 (CAT II): The container platform runtime must enforce ports, protocols, and services that adhere to the PPSM CAL. [Container Platform SRG]
  • V-233074 (CAT II): The container platform runtime must enforce the use of ports that are non-privileged. [Container Platform SRG]
  • V-233290 (CAT I): The container platform must prohibit or restrict the use of protocols that transmit unencrypted authentication information or use flawed cryptographic algorithms for transmission. [Container Platform SRG]
  • V-233511 (CAT II): PostgreSQL must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. [Crunchy Data PostgreSQL STIG]
  • V-261889 (CAT II): PostgreSQL must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. [Crunchy Data Postgres 16 STIG]
  • V-206553 (CAT II): The DBMS must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. [Database SRG]
  • V-269776 (CAT I): The Dell OS10 Switch must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services. [Dell OS10 Switch NDM STIG]
  • V-269777 (CAT I): The Dell OS10 Switch must be configured to disable the Bash shell. [Dell OS10 Switch NDM STIG]
  • V-235776 (CAT II): TCP socket binding for all Docker Engine - Enterprise nodes in a Universal Control Plane (UCP) cluster must be disabled. [Docker Enterprise 2.x Linux/UNIX STIG]
  • V-235819 (CAT I): Docker Enterprise privileged ports must not be mapped within containers. [Docker Enterprise 2.x Linux/UNIX STIG]
  • V-235820 (CAT II): Docker Enterprise incoming container traffic must be bound to a specific host interface. [Docker Enterprise 2.x Linux/UNIX STIG]
  • V-235873 (CAT II): Docker Enterprise Swarm services must be bound to a specific host interface. [Docker Enterprise 2.x Linux/UNIX STIG]
  • V-205168 (CAT II): The DNS server implementation must be configured to prohibit or restrict unapproved ports and protocols. [Domain Name System (DNS) SRG]
  • V-224164 (CAT II): The EDB Postgres Advanced Server must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. [EDB Postgres Advanced Server v11 on Windows STIG]
  • V-213595 (CAT II): The EDB Postgres Advanced Server must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. [EDB Postgres Advanced Server v9.6 STIG]
  • V-259963 (CAT I): The Enterprise Voice, Video, and Messaging Endpoint must be configured to only use ports, protocols, and services allowed per the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and Vulnerability Assessments (VAs). [Enterprise Voice, Video, and Messaging Endpoint SRG]
  • V-260008 (CAT I): The Enterprise Voice, Video, and Messaging Session Manager must only use ports, protocols, and services allowed per the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and Vulnerability Assessments (VAs). [Enterprise Voice, Video, and Messaging Session Management SRG]
  • V-259244 (CAT II): The EDB Postgres Advanced Server must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. [EnterpriseDB Postgres Advanced Server (EPAS) STIG]
  • V-217396 (CAT II): The BIG-IP appliance must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and vulnerability assessments. [F5 BIG-IP Device Management STIG]
  • V-215757 (CAT II): The BIG-IP Core implementation must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocol, and Service Management (PPSM) Category Assurance List (CAL) and vulnerability assessments. [F5 BIG-IP Local Traffic Manager STIG]
  • V-266150 (CAT I): The F5 BIG-IP appliance must be configured to prohibit or restrict the use of unnecessary or prohibited functions, ports, protocols, and/or services, including those defined in the PPSM CAL and vulnerability assessments. [F5 BIG-IP TMOS ALG STIG]
  • V-266084 (CAT I): The F5 BIG-IP appliance must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services. [F5 BIG-IP TMOS NDM STIG]
  • V-266282 (CAT II): The IPsec BIG-IP appliance must use IKEv2 for IPsec VPN security associations. [F5 BIG-IP TMOS VPN STIG]
  • V-278389 (CAT II): NGINX must be configured to prohibit or restrict using ports, protocols, and/or services. [F5 NGINX STIG]
  • V-255642 (CAT I): CounterACT must disable all unnecessary and/or nonsecure plugins. [ForeScout CounterACT NDM STIG]
  • V-230959 (CAT I): Forescout must use DOD-approved PKI rather than proprietary or self-signed device certificates. [Forescout Network Device Management STIG]
  • V-230960 (CAT III): Forescout must disable the Request Customer Verification setting. [Forescout Network Device Management STIG]
  • V-234199 (CAT I): The FortiGate device must prohibit the use of all unnecessary and/or non-secure functions, ports, protocols, and/or services. [Fortinet FortiGate Firewall NDM STIG]
  • V-203638 (CAT II): The operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. [General Purpose Operating System SRG]
  • V-258472 (CAT II): The DOD Mobile Service Provider must not allow Google Android 13 BYOADs in facilities where personally owned mobile devices are prohibited. [Google Android 13 MDFPP 3.3 BYOAD STIG]
  • V-258473 (CAT II): The Google Android 13 BYOAD must be configured to disable device cameras and/or microphones when brought into DOD facilities where mobile phone cameras and/or microphones are prohibited. [Google Android 13 MDFPP 3.3 BYOAD STIG]
  • V-260072 (CAT II): The DOD Mobile Service Provider must not allow Google Android 14 BYOADs in facilities where personally owned mobile devices are prohibited. [Google Android 14 BYOAD STIG]
  • V-260073 (CAT II): The Google Android 14 BYOAD must be configured to disable device cameras and/or microphones when brought into DOD facilities where mobile phone cameras and/or microphones are prohibited. [Google Android 14 BYOAD STIG]
  • V-217451 (CAT II): The HP FlexFabric Switch must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. [HP FlexFabric Switch NDM STIG]
  • V-255258 (CAT II): The SSMC web server must be configured to use a specified IP address and port. [HPE 3PAR SSMC Web Server STIG]
  • V-237818 (CAT I): DoD-approved encryption must be implemented to protect the confidentiality and integrity of remote access sessions, information during preparation for transmission, information during reception, and information during transmission, in addition to enforcing replay-resistant authentication mechanisms for network access to privileged accounts. [HPE 3PAR StoreServ 3.2.x STIG]
  • V-255272 (CAT I): The HPE 3PAR OS must be configured to restrict the encryption algorithms and protocols to comply with DOD-approved encryption to protect the confidentiality and integrity of remote access sessions. [HPE 3PAR StoreServ 3.3.x STIG]
  • V-255291 (CAT I): The HPE 3PAR OS CIMserver process must be configured to use approved encryption and communications protocols to protect the confidentiality of remote access sessions. [HPE 3PAR StoreServ 3.3.x STIG]
  • V-255295 (CAT I): The HPE 3PAR OS WSAPI process must be configured to use approved encryption and communications protocols to protect the confidentiality of remote access sessions. [HPE 3PAR StoreServ 3.3.x STIG]
  • V-283377 (CAT I): The HPE Alletra Storage ArcusOS device must be configured to prohibit using all unnecessary and/or nonsecure ports, protocols, and/or services. [HPE Alletra Storage ArcusOS Network Device Management STIG]
  • V-266928 (CAT I): AOS must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services. [HPE Aruba Networking AOS NDM STIG]
  • V-266991 (CAT II): For site-to-site VPN implementations using AOS, the Layer 2 Tunneling Protocol (L2TP) must be blocked or denied at the security boundary with the private network so unencrypted L2TP packets cannot traverse into the private network of the enclave. [HPE Aruba Networking AOS VPN STIG]
  • V-266998 (CAT II): The Remote Access VPN Gateway must be configured to prohibit Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Forwarding (L2F). [HPE Aruba Networking AOS VPN STIG]
  • V-267001 (CAT I): AOS, when used as an IPsec VPN Gateway, must use Internet Key Exchange (IKE) for IPsec VPN security associations (SAs). [HPE Aruba Networking AOS VPN STIG]
  • V-252902 (CAT II): HPE Nimble must be configured to disable HPE InfoSight. [HPE Nimble Storage Array NDM STIG]
  • V-259800 (CAT II): HPE Nimble must not be configured to use "HPE Greenlake: Data Services Cloud Console". [HPE Nimble Storage Array NDM STIG]
  • V-259801 (CAT II): HPE Alletra 5000/6000 must be configured to disable management by "HPE Greenlake: Data Services Cloud Console". [HPE Nimble Storage Array NDM STIG]
  • V-268259 (CAT I): The HYCU virtual appliance must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services. [HYCU Protege STIG]
  • V-215393 (CAT II): Stream Control Transmission Protocol (SCTP) must be disabled on AIX. [IBM AIX 7.x STIG]
  • V-215394 (CAT II): The Reliable Datagram Sockets (RDS) protocol must be disabled on AIX. [IBM AIX 7.x STIG]
  • V-252569 (CAT II): The IBM Aspera Console must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. [IBM Aspera Platform 4.2 STIG]
  • V-252588 (CAT II): IBM Aspera Faspex must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. [IBM Aspera Platform 4.2 STIG]
  • V-252605 (CAT II): IBM Aspera Shares must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. [IBM Aspera Platform 4.2 STIG]
  • V-252614 (CAT II): The IBM Aspera High-Speed Transfer Endpoint must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. [IBM Aspera Platform 4.2 STIG]
  • V-252628 (CAT II): The IBM Aspera High-Speed Transfer Server must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. [IBM Aspera Platform 4.2 STIG]
  • V-252640 (CAT II): The IBM Aspera High-Speed Transfer Server must not use the root account for transfers. [IBM Aspera Platform 4.2 STIG]
  • V-252641 (CAT II): The IBM Aspera High-Speed Transfer Server must restrict Aspera transfer users to a limited part of the server's file system. [IBM Aspera Platform 4.2 STIG]
  • V-252645 (CAT II): The IBM Aspera High-Speed Transfer Server must set the default docroot to an empty folder. [IBM Aspera Platform 4.2 STIG]
  • V-213698 (CAT II): DB2 must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. [IBM DB2 V10.5 LUW STIG]
  • V-65213 (CAT II): The DataPower Gateway must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. [IBM DataPower ALG STIG]
  • V-65089 (CAT II): The DataPower Gateway must have SSH and web management bound to the management interface and Telnet disabled. [IBM DataPower Network Device Management STIG]
  • V-82187 (CAT II): The MaaS360 server platform must be protected by a DoD-approved firewall. [IBM MaaS360 with Watson v10.x MDM STIG]
  • V-82189 (CAT II): The firewall protecting the MaaS360 server platform must be configured to restrict all network traffic to and from all addresses with the exception of ports, protocols, and IP address ranges required to support MaaS360 server and platform functions. [IBM MaaS360 with Watson v10.x MDM STIG]
  • V-82191 (CAT II): The firewall protecting the MaaS360 server platform must be configured so that only DoD-approved ports, protocols, and services are enabled. (See the DoD Ports, Protocols, Services Management [PPSM] Category Assurance Levels [CAL] list for DoD-approved ports, protocols, and services.) [IBM MaaS360 with Watson v10.x MDM STIG]
  • V-250332 (CAT II): The WebSphere Liberty Server must prohibit or restrict the use of nonsecure ports, protocols, modules, and/or services as defined in the PPSM CAL and vulnerability assessments. [IBM WebSphere Liberty Server STIG]
  • V-255862 (CAT II): The WebSphere Application Server must prohibit or restrict the use of nonsecure ports, protocols, modules, and/or services as defined in the PPSM CAL and vulnerability assessments. [IBM WebSphere Traditional V9.x STIG]
  • V-223491 (CAT II): IBM z/OS must properly protect MCS console userid(s). [IBM z/OS ACF2 STIG]
  • V-223492 (CAT II): ACF2 BLPPGM GSO record must not be defined. [IBM z/OS ACF2 STIG]
  • V-223567 (CAT II): IBM z/OS must properly configure CONSOLxx members. [IBM z/OS ACF2 STIG]
  • V-223588 (CAT I): IBM z/OS SSH daemon must be configured to only use the SSHv2 protocol. [IBM z/OS ACF2 STIG]
  • V-223632 (CAT II): IBM z/OS user exits for the FTP server must not be used without proper approval and documentation. [IBM z/OS ACF2 STIG]
  • V-223633 (CAT II): IBM z/OS UNIX security parameters for restricted network service(s) in /etc/inetd.conf must be properly specified. [IBM z/OS ACF2 STIG]
  • V-223715 (CAT II): IBM z/OS must properly configure CONSOLxx members. [IBM z/OS RACF STIG]
  • V-223716 (CAT II): IBM z/OS must properly protect MCS console userid(s). [IBM z/OS RACF STIG]
  • V-223741 (CAT II): IBM z/OS user exits for the FTP server must not be used without proper approval and documentation. [IBM z/OS RACF STIG]
  • V-223810 (CAT I): IBM z/OS SSH daemon must be configured to only use the SSHv2 protocol. [IBM z/OS RACF STIG]
  • V-223855 (CAT II): IBM z/OS UNIX security parameters for restricted network service(s) in /etc/inetd.conf must be properly specified. [IBM z/OS RACF STIG]
  • V-223942 (CAT II): IBM z/OS must properly configure CONSOLxx members. [IBM z/OS TSS STIG]
  • V-223943 (CAT II): IBM z/OS must properly protect MCS console userid(s). [IBM z/OS TSS STIG]
  • V-223978 (CAT II): IBM z/OS user exits for the FTP server must not be used without proper approval and documentation. [IBM z/OS TSS STIG]
  • V-224045 (CAT I): IBM z/OS SSH daemon must be configured to only use the SSHv2 protocol. [IBM z/OS TSS STIG]
  • V-224091 (CAT II): IBM z/OS UNIX security parameters for restricted network service(s) in /etc/inetd.conf must be properly specified. [IBM z/OS TSS STIG]
  • V-237918 (CAT II): All IBM z/VM TCP/IP ports must be restricted to ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. [IBM zVM Using CA VM:Secure STIG]
  • V-224776 (CAT II): If cipher suites using pre-shared keys are used for device authentication, the ISEC7 SPHERE must have a minimum security strength of 112 bits or higher, must only be used in networks where both the client and server are government systems, must prohibit client negotiation to TLS 1.1, TLS 1.0, SSL 2.0, or SSL 3.0, and must prohibit or restrict the use of protocols that transmit unencrypted authentication information or use flawed cryptographic algorithms for transmission. [ISEC7 Sphere STIG]
  • V-214163 (CAT II): Infoblox systems configured to run the DNS service must be configured to prohibit or restrict unapproved ports and protocols. [Infoblox 7.x DNS STIG]
  • V-214225 (CAT II): The DHCP service must not be enabled on an external authoritative name server. [Infoblox 7.x DNS STIG]
  • V-233897 (CAT II): The Infoblox system must prohibit or restrict unapproved services, ports, and protocols. [Infoblox 8.x DNS STIG]
  • V-55341 (CAT II): The IDPS must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. [Intrusion Detection and Prevention Systems (IDPS) SRG]
  • V-206880 (CAT II): The IDPS must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. [Intrusion Detection and Prevention Systems SRG]
  • V-258601 (CAT II): The ICS must be configured to audit the execution of privileged functions such as account additions and changes. [Ivanti Connect Secure NDM STIG]
  • V-251022 (CAT II): The Sentry must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. [Ivanti Sentry 9.x ALG STIG]
  • V-213525 (CAT II): JBoss application and management ports must be approved by the PPSM CAL. [JBoss Enterprise Application Platform 6.3 STIG]
  • V-241814 (CAT II): The Jamf Pro EMM server platform must be protected by a DoD-approved firewall. [Jamf (STIG name truncated on the page; the list of 200 linked checks continues beyond this point)]
Pro v10.x EMM Security Technical Implementation GuideV-241815CAT IIThe firewall protecting the Jamf Pro EMM server platform must be configured to restrict all network traffic to and from all addresses with the exception of ports, protocols, and IP address ranges required to support Jamf Pro EMM server and platform functions.Jamf Pro v10.x EMM Security Technical Implementation GuideV-241816CAT IIThe firewall protecting the Jamf Pro EMM server platform must be configured so that only DoD-approved ports, protocols, and services are enabled. (See the DoD Ports, Protocols, Services Management [PPSM] Category Assurance Levels [CAL] list for DoD-approved ports, protocols, and services).Jamf Pro v10.x EMM Security Technical Implementation GuideV-253900CAT IThe Juniper EX switch must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services.Juniper EX Series Switches Network Device Management Security Technical Implementation GuideV-217320CAT IThe Juniper router must be configured to prohibit the use of all unnecessary and nonsecure functions and services.Juniper Router NDM Security Technical Implementation GuideV-66451CAT IIf SNMP is enabled, the Juniper SRX Services Gateway must use and securely configure SNMPv3.Juniper SRX SG NDM Security Technical Implementation GuideV-66497CAT IIThe Juniper SRX Services Gateway must be configured to prohibit the use of unnecessary and/or nonsecure functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.Juniper SRX SG NDM Security Technical Implementation GuideV-66499CAT IIFor nonlocal maintenance sessions, the Juniper SRX Services Gateway must remove or explicitly deny the use of nonsecure protocols.Juniper SRX SG NDM Security Technical Implementation GuideV-66503CAT IIThe Juniper SRX Services Gateway must ensure SSH is disabled for root user logon to prevent remote access using the root account.Juniper SRX SG NDM Security Technical 
Implementation GuideV-66507CAT IIThe Juniper SRX Services Gateway must ensure access to start a UNIX-level shell is restricted to only the root account.Juniper SRX SG NDM Security Technical Implementation GuideV-66509CAT IIThe Juniper SRX Services Gateway must ensure TCP forwarding is disabled for SSH to prevent unauthorized access.Juniper SRX SG NDM Security Technical Implementation GuideV-66511CAT IIThe Juniper SRX Services Gateway must be configured with only one local user account to be used as the account of last resort.Juniper SRX SG NDM Security Technical Implementation GuideV-66605CAT IFor nonlocal maintenance sessions, the Juniper SRX Services Gateway must explicitly deny the use of J-Web.Juniper SRX SG NDM Security Technical Implementation GuideV-66661CAT IIThe Juniper SRX Services Gateway VPN must use IKEv2 for IPsec VPN security associations.Juniper SRX SG VPN Security Technical Implementation GuideV-66663CAT IIThe Juniper SRX Services Gateway VPN must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.Juniper SRX SG VPN Security Technical Implementation GuideV-214527CAT IIThe Juniper SRX Services Gateway Firewall must be configured to prohibit or restrict the use of unauthorized functions, ports, protocols, and/or services, as defined in the PPSM CAL, vulnerability assessments.Juniper SRX Services Gateway ALG Security Technical Implementation GuideV-223208CAT IIThe Juniper SRX Services Gateway must be configured to prohibit the use of unnecessary and/or nonsecure functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.Juniper SRX Services Gateway NDM Security Technical Implementation GuideV-223209CAT IIFor nonlocal maintenance sessions, the Juniper SRX Services Gateway must remove or explicitly deny the use of nonsecure protocols.Juniper SRX Services Gateway NDM Security Technical Implementation 
GuideV-223211CAT IThe Juniper SRX Services Gateway must use and securely configure SNMPv3 if SNMP is enabled.Juniper SRX Services Gateway NDM Security Technical Implementation GuideV-223212CAT IIThe Juniper SRX Services Gateway must ensure SSH is disabled for root user logon to prevent remote access using the root account.Juniper SRX Services Gateway NDM Security Technical Implementation GuideV-223213CAT IIThe Juniper SRX Services Gateway must ensure access to start a UNIX-level shell is restricted to only the root account.Juniper SRX Services Gateway NDM Security Technical Implementation GuideV-223214CAT IIThe Juniper SRX Services Gateway must ensure TCP forwarding is disabled for SSH to prevent unauthorized access.Juniper SRX Services Gateway NDM Security Technical Implementation GuideV-223215CAT IIThe Juniper SRX Services Gateway must be configured with only one local user account to be used as the account of last resort.Juniper SRX Services Gateway NDM Security Technical Implementation GuideV-223237CAT IFor nonlocal maintenance sessions, the Juniper SRX Services Gateway must explicitly deny the use of J-Web.Juniper SRX Services Gateway NDM Security Technical Implementation GuideV-214683CAT IIThe Juniper SRX Services Gateway VPN must use IKEv2 for IPsec VPN security associations.Juniper SRX Services Gateway VPN Security Technical Implementation GuideV-214684CAT IIThe Juniper SRX Services Gateway VPN must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.Juniper SRX Services Gateway VPN Security Technical Implementation GuideV-242410CAT IIThe Kubernetes API Server must enforce ports, protocols, and services (PPS) that adhere to the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL).Kubernetes Security Technical Implementation GuideV-242411CAT IIThe Kubernetes Scheduler must enforce ports, protocols, and services (PPS) that adhere to the 
Ports, Protocols, and Services Management Category Assurance List (PPSM CAL).Kubernetes Security Technical Implementation GuideV-242412CAT IIThe Kubernetes Controllers must enforce ports, protocols, and services (PPS) that adhere to the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL).Kubernetes Security Technical Implementation GuideV-242413CAT IIThe Kubernetes etcd must enforce ports, protocols, and services (PPS) that adhere to the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL).Kubernetes Security Technical Implementation GuideV-242414CAT IIThe Kubernetes cluster must use non-privileged host ports for user pods.Kubernetes Security Technical Implementation GuideV-213850CAT IISQL Server must be configured to prohibit or restrict the use of unauthorized network protocols.MS SQL Server 2014 Instance Security Technical Implementation GuideV-213851CAT IISQL Server must be configured to prohibit or restrict the use of unauthorized network ports.MS SQL Server 2014 Instance Security Technical Implementation GuideV-213961CAT IISQL Server must be configured to prohibit or restrict the use of organization-defined protocols as defined in the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and vulnerability assessments.MS SQL Server 2016 Instance Security Technical Implementation Guide