CCI-000765

Definition

Implement multifactor authentication for access to privileged accounts.

Parent Control

IA-2 (1) | Identification and Authentication (Organizational Users) | Identification and Authentication

Linked STIG Checks (168)

Check ID | Severity | Requirement | STIG / SRG
V-204661 | CAT II | AAA Services must be configured to require multifactor authentication using Personal Identity Verification (PIV) credentials for authenticating privileged user accounts. | AAA Services Security Requirements Guide
V-279055 | CAT I | ColdFusion must be using an enterprise solution for authentication. | Adobe ColdFusion Security Technical Implementation Guide
V-274047 | CAT II | Amazon Linux 2023 SSHD must accept public key authentication. | Amazon Linux 2023 Security Technical Implementation Guide
V-268136 | CAT II | NixOS must use multifactor authentication for network access to privileged accounts. | Anduril NixOS Security Technical Implementation Guide
V-222963 | CAT II | JMX authentication must be secured. | Apache Tomcat Application Server 9 Security Technical Implementation Guide
V-254641 | CAT II | Apple iOS/iPadOS 16 must be configured to disable Auto Unlock of the iPhone by an Apple Watch. | Apple iOS-iPadOS 16 Security Technical Implementation Guide
V-258376 | CAT II | Apple iOS/iPadOS 17 must be configured to disable "Auto Unlock" of the iPhone by an Apple Watch. | Apple iOS/iPadOS 17 Security Technical Implementation Guide
V-268064 | CAT II | Apple iOS/iPadOS 18 must be configured to disable "Auto Unlock" of the iPhone by an Apple Watch. | Apple iOS/iPadOS 18 Security Technical Implementation Guide
V-278823 | CAT II | Apple iOS/iPadOS 26 must be configured to disable "Auto Unlock" of the iPhone by an Apple Watch. | Apple iOS/iPadOS 26 Security Technical Implementation Guide
V-259547 | CAT II | The macOS system must enforce multifactor authentication for logon. | Apple macOS 14 (Sonoma) Security Technical Implementation Guide
V-259548 | CAT II | The macOS system must enforce multifactor authentication for the su command. | Apple macOS 14 (Sonoma) Security Technical Implementation Guide
V-259549 | CAT II | The macOS system must enforce multifactor authentication for privilege escalation through the sudo command. | Apple macOS 14 (Sonoma) Security Technical Implementation Guide
V-268477 | CAT I | The macOS system must disable password authentication for SSH. | Apple macOS 15 (Sequoia) Security Technical Implementation Guide
V-268542 | CAT II | The macOS system must enforce smart card authentication. | Apple macOS 15 (Sequoia) Security Technical Implementation Guide
V-268543 | CAT II | The macOS system must allow smart card authentication. | Apple macOS 15 (Sequoia) Security Technical Implementation Guide
V-268544 | CAT II | The macOS system must enforce multifactor authentication for login. | Apple macOS 15 (Sequoia) Security Technical Implementation Guide
V-268545 | CAT II | The macOS system must enforce multifactor authentication for the su command. | Apple macOS 15 (Sequoia) Security Technical Implementation Guide
V-268546 | CAT II | The macOS system must enforce multifactor authentication for privilege escalation through the sudo command. | Apple macOS 15 (Sequoia) Security Technical Implementation Guide
V-277084 | CAT I | The macOS system must disable password authentication for SSH. | Apple macOS 26 (Tahoe) Security Technical Implementation Guide
V-277150 | CAT II | The macOS system must enforce smart card authentication. | Apple macOS 26 (Tahoe) Security Technical Implementation Guide
V-277151 | CAT II | The macOS system must allow smart card authentication. | Apple macOS 26 (Tahoe) Security Technical Implementation Guide
V-277152 | CAT II | The macOS system must enforce multifactor authentication for login. | Apple macOS 26 (Tahoe) Security Technical Implementation Guide
V-277153 | CAT II | The macOS system must enforce multifactor authentication for the su command. | Apple macOS 26 (Tahoe) Security Technical Implementation Guide
V-277154 | CAT II | The macOS system must enforce multifactor authentication for privilege escalation through the sudo command. | Apple macOS 26 (Tahoe) Security Technical Implementation Guide
V-222523 | CAT II | The application must use multifactor (Alt. Token) authentication for network access to privileged accounts. | Application Security and Development Security Technical Implementation Guide
V-222527 | CAT II | The application must use multifactor (Alt. Token) authentication for local access to privileged accounts. | Application Security and Development Security Technical Implementation Guide
V-204746 | CAT I | The application server must use multifactor authentication for network access to privileged accounts. | Application Server Security Requirements Guide
V-204747 | CAT I | The application server must use multifactor authentication for local access to privileged accounts. | Application Server Security Requirements Guide
V-237322 | CAT I | The ArcGIS Server must use Windows authentication to enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. | ArcGIS for Server 10.3 Security Technical Implementation Guide
V-272627 | CAT III | CylanceON-PREM must be configured to use a third-party identity provider. | Arctic Wolf CylanceON-PREM Security Technical Implementation Guide
V-256844 | CAT I | Compliance Guardian must use multifactor authentication for network access to privileged accounts. | AvePoint Compliance Guardian Security Technical Implementation Guide
V-253515 | CAT I | DocAve must use multifactor authentication for network access to privileged accounts. | AvePoint DocAve 6 Security Technical Implementation Guide
V-253516 | CAT I | The underlying IIS platform must be configured for Smart Card (CAC) Authorization. | AvePoint DocAve 6 Security Technical Implementation Guide
V-276009 | CAT I | Ax-OS must use multifactor authentication for network access to the customer account. | Axonius Federal Systems Ax-OS Security Technical Implementation Guide
V-276010 | CAT I | Ax-OS must use multifactor authentication for network access to the files account. | Axonius Federal Systems Ax-OS Security Technical Implementation Guide
V-219317 | CAT II | The Ubuntu operating system must implement smart card logins for multifactor authentication for access to accounts. | Canonical Ubuntu 18.04 LTS Security Technical Implementation Guide
V-238210 | CAT II | The Ubuntu operating system must implement smart card logins for multifactor authentication for local and network access to privileged and nonprivileged accounts. | Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide
V-274853 | CAT II | Ubuntu 20.04 LTS must have the "SSSD" package installed. | Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide
V-274854 | CAT II | Ubuntu 20.04 LTS must use the "SSSD" package for multifactor authentication services. | Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide
V-260573 | CAT II | Ubuntu 22.04 LTS must implement multifactor authentication for remote access to privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access. | Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide
V-260575 | CAT II | Ubuntu 22.04 LTS must implement smart card logins for multifactor authentication for local and network access to privileged and nonprivileged accounts. | Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide
V-274864 | CAT II | Ubuntu 22.04 LTS must have the "SSSD" package installed. | Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide
V-274866 | CAT II | Ubuntu 22.04 LTS must use the "SSSD" package for multifactor authentication services. | Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide
V-270662 | CAT II | Ubuntu 24.04 LTS must have the "SSSD" package installed. | Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide
V-270663 | CAT II | Ubuntu 24.04 LTS must use the "SSSD" package for multifactor authentication services. | Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide
V-270721 | CAT II | Ubuntu 24.04 LTS must implement smart card logins for multifactor authentication for local and network access to privileged and nonprivileged accounts. | Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide
V-270722 | CAT II | Ubuntu 24.04 LTS must implement smart card logins for multifactor authentication for local and network access to privileged and nonprivileged accounts over SSH. | Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide
V-206461 | CAT II | The Central Log Server must use multifactor authentication for network access to privileged user accounts. | Central Log Server Security Requirements Guide
V-206463 | CAT II | The Central Log Server must use multifactor authentication for local access using privileged user accounts. | Central Log Server Security Requirements Guide
V-271924 | CAT I | The Cisco APIC must be configured to use at least two authentication servers for the purpose of authenticating users prior to granting administrative access. | Cisco ACI NDM Security Technical Implementation Guide
V-269367 | CAT II | AlmaLinux OS 9 SSHD must accept public key authentication. | Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
V-269372 | CAT II | AlmaLinux OS 9 must enable certificate based smart card authentication. | Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
V-269373 | CAT II | AlmaLinux OS 9 must have the openssl-pkcs11 package installed. | Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
V-269375 | CAT II | AlmaLinux OS 9 must use the CAC smart card driver. | Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
V-233079 | CAT II | The container platform must use multifactor authentication for network access to privileged accounts. | Container Platform Security Requirements Guide
V-233081 | CAT II | The container platform must use multifactor authentication for local access to privileged accounts. | Container Platform Security Requirements Guide
V-255549 | CAT II | The DBN-6300 must use multifactor authentication for network access (remote and nonlocal) to privileged accounts. | DBN-6300 NDM Security Technical Implementation Guide
V-269779 | CAT I | The Dell OS10 Switch must be configured to use DOD PKI as multifactor authentication (MFA) for interactive logins. | Dell OS10 Switch NDM Security Technical Implementation Guide
V-235821 | CAT II | SAML integration must be enabled in Docker Enterprise. | Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide
V-270910 | CAT II | Dragos Platform must use an Identity Provider (IDP) for authentication and authorization processes. | Dragos Platform 2.x Security Technical Implementation Guide
V-266085 | CAT I | The F5 BIG-IP appliance must be configured to use multifactor authentication (MFA) for interactive logins. | F5 BIG-IP TMOS NDM Security Technical Implementation Guide
V-203640 | CAT II | The operating system must use multifactor authentication for network access to privileged accounts. | General Purpose Operating System Security Requirements Guide
V-203642 | CAT II | The operating system must use multifactor authentication for local access to privileged accounts. | General Purpose Operating System Security Requirements Guide
V-258387 | CAT II | Google Android 14 must be configured to disable trust agents. | Google Android 14 COBO Security Technical Implementation Guide
V-258418 | CAT II | Google Android 14 must be configured to disable trust agents. | Google Android 14 COPE Security Technical Implementation Guide
V-255265 | CAT II | SSMC web server must enable strict two-factor authentication for access to the webUI. | HPE 3PAR SSMC Web Server Security Technical Implementation Guide
V-266929 | CAT I | AOS must be configured to use DOD public key infrastructure (PKI) as multifactor authentication (MFA) for interactive logins. | HPE Aruba Networking AOS NDM Security Technical Implementation Guide
V-268237 | CAT I | The HYCU virtual appliance must be configured to use DOD PKI as multifactor authentication (MFA) for interactive logins. | HYCU Protege Security Technical Implementation Guide
V-274294 | CAT II | Honeywell Android 13 must be configured to disable trust agents. | Honeywell Android 13 COBO Security Technical Implementation Guide
V-274389 | CAT II | Honeywell Android 13 must be configured to disable trust agents. | Honeywell Android 13 COPE Security Technical Implementation Guide
V-215436 | CAT II | The AIX operating system must use Multi Factor Authentication. | IBM AIX 7.x Security Technical Implementation Guide
V-255737 | CAT II | The MQ Appliance network device must use multifactor authentication for network access to privileged accounts. | IBM MQ Appliance v9.0 NDM Security Technical Implementation Guide
V-250335 | CAT I | Multifactor authentication for network access to privileged accounts must be used. | IBM WebSphere Liberty Server Security Technical Implementation Guide
V-255865 | CAT II | The WebSphere Application Server multifactor authentication for network access to privileged accounts must be used. | IBM WebSphere Traditional V9.x Security Technical Implementation Guide
V-258609 | CAT I | The ICS must be configured to use DOD PKI as multifactor authentication (MFA) for interactive logins. | Ivanti Connect Secure NDM Security Technical Implementation Guide
V-251406 | CAT II | The Ivanti EPMM server must be configured to use a DoD Central Directory Service to provide multifactor authentication for network access to privileged and non-privileged accounts. | Ivanti EPMM Server Security Technical Implementation Guide
V-251406 | CAT II | The Ivanti MobileIron Core server must be configured to use a DoD Central Directory Service to provide multifactor authentication for network access to privileged and non-privileged accounts. | Ivanti MobileIron Core MDM Server Security Technical Implementation Guide
V-250988 | CAT I | MobileIron Sentry must be configured to use DoD PKI as multi-factor authentication (MFA) for interactive logins. | Ivanti MobileIron Sentry 9.x NDM Security Technical Implementation Guide
V-250988 | CAT I | Sentry must be configured to use DOD PKI as multi-factor authentication (MFA) for interactive logins. | Ivanti Sentry 9.x NDM Security Technical Implementation Guide
V-213527 | CAT II | The JBoss Server must be configured to use certificates to authenticate admins. | JBoss Enterprise Application Platform 6.3 Security Technical Implementation Guide
V-205489 | CAT II | The Mainframe Product must use multifactor authentication for network access to privileged accounts. | Mainframe Product Security Requirements Guide
V-205491 | CAT II | The Mainframe Product must use multifactor authentication for local access to privileged accounts. | Mainframe Product Security Requirements Guide
V-270233 | CAT I | Microsoft Entra ID must be configured to use multifactor authentication (MFA). | Microsoft Entra ID Security Technical Implementation Guide
V-220946 | CAT II | Windows 10 must use multifactor authentication for local and network access to privileged and nonprivileged accounts. | Microsoft Windows 10 Security Technical Implementation Guide
V-253470 | CAT II | Windows 11 must use multifactor authentication for local and network access to privileged and nonprivileged accounts. | Microsoft Windows 11 Security Technical Implementation Guide
V-243457 | CAT II | The Windows PAW must be configured to enforce two-factor authentication and use Active Directory for authentication management. | Microsoft Windows PAW Security Technical Implementation Guide
V-224994 | CAT II | Active Directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication. | Microsoft Windows Server 2016 Security Technical Implementation Guide
V-278162 | CAT II | Windows Server 2025 Active Directory (AD) user accounts, including administrators, must be configured to require the use of a common access card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication. | Microsoft Windows Server 2025 Security Technical Implementation Guide
V-260909 | CAT II | MKE must be configured to integrate with an Enterprise Identity Provider. | Mirantis Kubernetes Engine Security Technical Implementation Guide
V-272181 | CAT II | Motorola Solutions Android 13 must be configured to disable trust agents. | Motorola Solutions Android 13 COBO Security Technical Implementation Guide
V-272320 | CAT II | Motorola Solutions Android 13 must be configured to disable trust agents. | Motorola Solutions Android 13 COPE Security Technical Implementation Guide
V-246940 | CAT I | ONTAP must be configured to use an authentication server to provide multifactor authentication. | NetApp ONTAP DSC 9.x Security Technical Implementation Guide
V-237779 | CAT I | The network device must be configured to use DoD PKI as multi-factor authentication (MFA) for interactive logins. | Network Device Management Security Requirements Guide
V-251369 | CAT II | Two-factor authentication must be implemented to restrict access to all network elements. | Network Infrastructure Policy Security Technical Implementation Guide
V-254110 | CAT II | Nutanix AOS must use multifactor authentication for account access. | Nutanix AOS 5.20.x Application Security Technical Implementation Guide
V-279434 | CAT I | Nutanix AOS must use multifactor authentication for access to privileged and nonprivileged accounts by enabling common access card (CAC) authentication. | Nutanix Acropolis Application Server Security Technical Implementation Guide
V-279435 | CAT I | Nutanix AOS must use multifactor authentication for local access to privileged accounts. | Nutanix Acropolis Application Server Security Technical Implementation Guide
V-273193 | CAT I | The Okta Admin Console application must be configured to use multifactor authentication. | Okta Identity as a Service (IDaaS) Security Technical Implementation Guide
V-238458 | CAT I | The DBMS must use multifactor authentication for access to user accounts. | Oracle Database 11.2g Security Technical Implementation Guide
V-237723 | CAT I | The DBMS must use multifactor authentication for access to user accounts. | Oracle Database 12c Security Technical Implementation Guide
V-221703 | CAT II | The Oracle Linux operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication. | Oracle Linux 7 Security Technical Implementation Guide
V-248702 | CAT II | OL 8 must implement multifactor authentication for access to interactive accounts. | Oracle Linux 8 Security Technical Implementation Guide
V-271491 | CAT II | OL 9 must have the openssl-pkcs11 package installed. | Oracle Linux 9 Security Technical Implementation Guide
V-271493 | CAT II | OL 9 must have the SSSD package installed. | Oracle Linux 9 Security Technical Implementation Guide
V-271494 | CAT II | OL 9 must use the SSSD package for multifactor authentication services. | Oracle Linux 9 Security Technical Implementation Guide
V-271607 | CAT II | OL 9 must enable certificate-based smart card authentication. | Oracle Linux 9 Security Technical Implementation Guide
V-271610 | CAT II | OL 9 must use the CAC smart card driver. | Oracle Linux 9 Security Technical Implementation Guide
V-271721 | CAT II | OL 9 SSHD must accept public key authentication. | Oracle Linux 9 Security Technical Implementation Guide
V-253523 | CAT II | Access to Prisma Cloud Compute must be managed based on user need and least privileged using external identity providers for authentication and grouping to role-based assignments when possible. | Palo Alto Networks Prisma Cloud Compute Security Technical Implementation Guide
V-253539 | CAT II | Prisma Cloud Compute must be configured to require local user accounts to use x.509 multifactor authentication. | Palo Alto Networks Prisma Cloud Compute Security Technical Implementation Guide
V-252843 | CAT I | Rancher MCM must use a centralized user management solution to support account management functions. For accounts using password authentication, the container platform must use FIPS-validated SHA-2 or later protocol to protect the integrity of the password authentication process. | Rancher Government Solutions Multi-Cluster Manager Security Technical Implementation Guide
V-280976 | CAT II | RHEL 10 must use the common access card (CAC) smart card driver. | Red Hat Enterprise Linux 10 Security Technical Implementation Guide
V-281005 | CAT II | RHEL 10 must have the "pkcs11-provider" package installed. | Red Hat Enterprise Linux 10 Security Technical Implementation Guide
V-281263 | CAT II | RHEL 10 must be configured so that SSHD accepts public key authentication. | Red Hat Enterprise Linux 10 Security Technical Implementation Guide
V-281324 | CAT II | RHEL 10 must enable certificate-based smart card authentication. | Red Hat Enterprise Linux 10 Security Technical Implementation Guide
V-230372 | CAT II | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Red Hat Enterprise Linux 8 Security Technical Implementation Guide
V-257838 | CAT II | RHEL 9 must have the openssl-pkcs11 package installed. | Red Hat Enterprise Linux 9 Security Technical Implementation Guide
V-257983 | CAT II | RHEL 9 SSHD must accept public key authentication. | Red Hat Enterprise Linux 9 Security Technical Implementation Guide
V-258121 | CAT II | RHEL 9 must use the common access card (CAC) smart card driver. | Red Hat Enterprise Linux 9 Security Technical Implementation Guide
V-258122 | CAT II | RHEL 9 must enable certificate based smart card authentication. | Red Hat Enterprise Linux 9 Security Technical Implementation Guide
V-257541 | CAT II | OpenShift must use multifactor authentication for network access to accounts. | Red Hat OpenShift Container Platform 4.12 Security Technical Implementation Guide
V-257541 | CAT II | OpenShift must use multifactor authentication for network access to accounts. | Red Hat OpenShift Container Platform 4.x Security Technical Implementation Guide
V-257543 | CAT I | OpenShift must use FIPS validated LDAP or OpenIDConnect. | Red Hat OpenShift Container Platform 4.x Security Technical Implementation Guide
V-254093 | CAT I | Innoslate must use multifactor authentication for network access to privileged and non-privileged accounts. | SPEC Innovations Innoslate 4.x Security Technical Implementation Guide
V-261397 | CAT II | SLEM 5 must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM). | SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation Guide
V-217301 | CAT II | The SUSE operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM). | SUSE Linux Enterprise Server 12 Security Technical Implementation Guide
V-272528 | CAT II | Samsung Android must be configured to enable a screen-lock policy that will lock the display after a period of inactivity - Disable trust agents. | Samsung Android 15 MDFPP 3.3 BYOAD Security Technical Implementation Guide
V-272586 | CAT II | Samsung Android must be configured to disable authentication mechanisms providing user access to protected data other than a Password Authentication Factor: Face recognition. | Samsung Android 15 MDFPP 3.3 BYOAD Security Technical Implementation Guide
V-276556 | CAT II | Samsung Android must be configured to disable authentication mechanisms providing user access to protected data other than a Password Authentication Factor: Face recognition. | Samsung Android 16 COBO Security Technical Implementation Guide
V-276557 | CAT II | Samsung Android must be configured to enable a screen-lock policy that will lock the display after a period of inactivity - Disable trust agents. | Samsung Android 16 COBO Security Technical Implementation Guide
V-276664 | CAT II | Samsung Android must be configured to disable authentication mechanisms providing user access to protected data other than a Password Authentication Factor: Face recognition. | Samsung Android 16 COPE Security Technical Implementation Guide
V-276665 | CAT II | Samsung Android must be configured to enable a screen-lock policy that will lock the display after a period of inactivity - Disable trust agents. | Samsung Android 16 COPE Security Technical Implementation Guide
V-255114 | CAT II | Samsung Android must be configured to disable authentication mechanisms providing user access to protected data other than a Password Authentication Factor, including face recognition. | Samsung Android OS 13 with Knox 3.x COBO Security Technical Implementation Guide
V-255115 | CAT II | Samsung Android must be configured to enable a screen-lock policy that will lock the display after a period of inactivity - Disable trust agents. | Samsung Android OS 13 with Knox 3.x COBO Security Technical Implementation Guide
V-255144 | CAT II | Samsung Android must be configured to disable authentication mechanisms providing user access to protected data other than a Password Authentication Factor, including face recognition. | Samsung Android OS 13 with Knox 3.x COPE Security Technical Implementation Guide
V-255145 | CAT II | Samsung Android must be configured to enable a screen-lock policy that will lock the display after a period of inactivity - Disable trust agents. | Samsung Android OS 13 with Knox 3.x COPE Security Technical Implementation Guide
V-258633 | CAT II | Samsung Android must be configured to disable authentication mechanisms providing user access to protected data other than a Password Authentication Factor: Face recognition. | Samsung Android OS 14 with Knox 3.x COBO Security Technical Implementation Guide
V-258634 | CAT II | Samsung Android must be configured to enable a screen-lock policy that will lock the display after a period of inactivity - Disable trust agents. | Samsung Android OS 14 with Knox 3.x COBO Security Technical Implementation Guide
V-258670 | CAT II | Samsung Android must be configured to disable authentication mechanisms providing user access to protected data other than a Password Authentication Factor: Face recognition. | Samsung Android OS 14 with Knox 3.x COPE Security Technical Implementation Guide
V-258671 | CAT II | Samsung Android must be configured to enable a screen-lock policy that will lock the display after a period of inactivity - Disable trust agents. | Samsung Android OS 14 with Knox 3.x COPE Security Technical Implementation Guide
V-268927 | CAT II | Samsung Android must be configured to enable a screen-lock policy that will lock the display after a period of inactivity - Disable trust agents. | Samsung Android OS 15 with Knox 3.x COBO Security Technical Implementation Guide
V-268936 | CAT II | Samsung Android must be configured to disable authentication mechanisms providing user access to protected data other than a Password Authentication Factor: Face recognition. | Samsung Android OS 15 with Knox 3.x COBO Security Technical Implementation Guide
V-269026 | CAT II | Samsung Android must be configured to enable a screen-lock policy that will lock the display after a period of inactivity - Disable trust agents. | Samsung Android OS 15 with Knox 3.x COPE Security Technical Implementation Guide
V-269035 | CAT II | Samsung Android must be configured to disable authentication mechanisms providing user access to protected data other than a Password Authentication Factor: Face recognition. | Samsung Android OS 15 with Knox 3.x COPE Security Technical Implementation Guide
V-279251 | CAT I | The Edge SWG must be configured to use at least two authentication servers for the purpose of authenticating users prior to granting administrative access. | Symantec Edge SWG NDM Security Technical Implementation Guide
V-240996 | CAT I | Common Access Card (CAC)-based authentication must be enforced and enabled on the Tanium Server for network and local access with privileged and non-privileged accounts. | Tanium 7.0 Security Technical Implementation Guide
V-234056 | CAT I | Common Access Card (CAC)-based authentication must be enabled on the Tanium Server for network access with privileged accounts. | Tanium 7.3 Security Technical Implementation Guide
V-234066 | CAT II | Common Access Card (CAC)-based authentication must be enabled and enforced on the Tanium Server for all access and all accounts. | Tanium 7.3 Security Technical Implementation Guide
V-254897 | CAT II | Multifactor authentication must be enabled and enforced on the Tanium Server for all access and all accounts. | Tanium 7.x Application on TanOS Security Technical Implementation Guide
V-254847 | CAT I | The Tanium Operating System (TanOS) must use multifactor authentication for network access to privileged accounts. | Tanium 7.x Operating System on TanOS Security Technical Implementation Guide
V-253821 | CAT I | Multifactor authentication must be enabled on the Tanium Server for network access with privileged accounts. | Tanium 7.x Security Technical Implementation Guide
V-252952 | CAT II | TOSS must use multifactor authentication for network and local access to privileged and nonprivileged accounts. | Tri-Lab Operating System Stack (TOSS) 4 Security Technical Implementation Guide
V-282492 | CAT II | TOSS 5 must have the openssl-pkcs11 package installed. | Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide
V-234356 | CAT II | The UEM server must be configured to use a DoD Central Directory Service to provide multifactor authentication for network access to privileged and non-privileged accounts. | Unified Endpoint Management Server Security Requirements Guide
V-234358 | CAT II | All UEM server local accounts created during application installation and configuration must be removed. Note: In this context local accounts refers to user and or administrator accounts on the server that use user name and password for user access and authentication. | Unified Endpoint Management Server Security Requirements Guide
V-265296 | CAT I | The NSX Manager must be configured to integrate with an identity provider that supports multifactor authentication (MFA). | VMware NSX 4.x Manager NDM Security Technical Implementation Guide
V-251789 | CAT I | The NSX-T Manager must integrate with either VMware Identity Manager (vIDM) or VMware Workspace ONE Access. | VMware NSX-T Manager NDM Security Technical Implementation Guide
V-256324 | CAT II | The vCenter Server must require multifactor authentication. | VMware vSphere 7.0 vCenter Security Technical Implementation Guide
V-258910 | CAT II | The vCenter Server must require multifactor authentication. | VMware vSphere 8.0 vCenter Security Technical Implementation Guide
V-207387 | CAT II | The VMM must use multifactor authentication for network access to privileged accounts. | Virtual Machine Manager Security Requirements Guide
V-207389 | CAT II | The VMM must use multifactor authentication for local access to privileged accounts. | Virtual Machine Manager Security Requirements Guide
V-73617 | CAT II | Active Directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication. | Windows Server 2016 Security Technical Implementation Guide
V-73617 | CAT II | Active Directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication. | Windows Server 2016 Security Technical Implementation Guide
V-93441 | CAT II | Windows Server 2019 Active Directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication. | Windows Server 2019 Security Technical Implementation Guide
V-269574 | CAT I | Xylok Security Suite must use a centralized user management solution. | Xylok Security Suite 20.x Security Technical Implementation Guide
V-270135 | CAT II | Zebra Android 13 must be configured to disable trust agents. | Zebra Android 13 COPE Security Technical Implementation Guide
V-283518 | CAT II | Zebra Android 14 must be configured to disable trust agents. | Zebra Technologies Android 14 COBO Security Technical Implementation Guide
V-283620 | CAT II | Zebra Android 14 must be configured to disable trust agents. | Zebra Technologies Android 14 COPE Security Technical Implementation Guide