STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

CCI-000766

Definition

Implement multifactor authentication for access to non-privileged accounts.

Parent Control

IA-2 (2): Identification and Authentication (Organizational Users), in the Identification and Authentication (IA) control family

Linked STIG Checks (109)

Each entry gives the vulnerability ID, the severity category, the check title, and the STIG or SRG the check belongs to.

  • V-204662 | CAT II | AAA Services must be configured to require multifactor authentication using Common Access Card (CAC) Personal Identity Verification (PIV) credentials for authenticating non-privileged user accounts. | AAA Services Security Requirements Guide
  • V-274047 | CAT II | Amazon Linux 2023 SSHD must accept public key authentication. | Amazon Linux 2023 Security Technical Implementation Guide
  • V-274048 | CAT II | Amazon Linux 2023 SSHD must not allow blank passwords. | Amazon Linux 2023 Security Technical Implementation Guide
  • V-268136 | CAT II | NixOS must use multifactor authentication for network access to privileged accounts. | Anduril NixOS Security Technical Implementation Guide
  • V-268477 | CAT I | The macOS system must disable password authentication for SSH. | Apple macOS 15 (Sequoia) Security Technical Implementation Guide
  • V-268542 | CAT II | The macOS system must enforce smart card authentication. | Apple macOS 15 (Sequoia) Security Technical Implementation Guide
  • V-268543 | CAT II | The macOS system must allow smart card authentication. | Apple macOS 15 (Sequoia) Security Technical Implementation Guide
  • V-268544 | CAT II | The macOS system must enforce multifactor authentication for login. | Apple macOS 15 (Sequoia) Security Technical Implementation Guide
  • V-268545 | CAT II | The macOS system must enforce multifactor authentication for the su command. | Apple macOS 15 (Sequoia) Security Technical Implementation Guide
  • V-268546 | CAT II | The macOS system must enforce multifactor authentication for privilege escalation through the sudo command. | Apple macOS 15 (Sequoia) Security Technical Implementation Guide
  • V-277084 | CAT I | The macOS system must disable password authentication for SSH. | Apple macOS 26 (Tahoe) Security Technical Implementation Guide
  • V-277150 | CAT II | The macOS system must enforce smart card authentication. | Apple macOS 26 (Tahoe) Security Technical Implementation Guide
  • V-277151 | CAT II | The macOS system must allow smart card authentication. | Apple macOS 26 (Tahoe) Security Technical Implementation Guide
  • V-277152 | CAT II | The macOS system must enforce multifactor authentication for login. | Apple macOS 26 (Tahoe) Security Technical Implementation Guide
  • V-277153 | CAT II | The macOS system must enforce multifactor authentication for the su command. | Apple macOS 26 (Tahoe) Security Technical Implementation Guide
  • V-277154 | CAT II | The macOS system must enforce multifactor authentication for privilege escalation through the sudo command. | Apple macOS 26 (Tahoe) Security Technical Implementation Guide
  • V-204948 | CAT II | The ALG providing user authentication intermediary services must use multifactor authentication for network access to non-privileged accounts. | Application Layer Gateway Security Requirements Guide
  • V-222526 | CAT II | The application must use multifactor (e.g., CAC, Alt. Token) authentication for network access to non-privileged accounts. | Application Security and Development Security Technical Implementation Guide
  • V-222528 | CAT II | The application must use multifactor (e.g., CAC, Alt. Token) authentication for local access to nonprivileged accounts. | Application Security and Development Security Technical Implementation Guide
  • V-237322 | CAT I | The ArcGIS Server must use Windows authentication to enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. | ArcGIS for Server 10.3 Security Technical Implementation Guide
  • V-272627 | CAT III | CylanceON-PREM must be configured to use a third-party identity provider. | Arctic Wolf CylanceON-PREM Security Technical Implementation Guide
  • V-256844 | CAT I | Compliance Guardian must use multifactor authentication for network access to privileged accounts. | AvePoint Compliance Guardian Security Technical Implementation Guide
  • V-276011 | CAT I | Ax-OS must use multifactor authentication for network access to nonprivileged accounts. | Axonius Federal Systems Ax-OS Security Technical Implementation Guide
  • V-276012 | CAT I | Ax-OS must have no local accounts for the user interface. | Axonius Federal Systems Ax-OS Security Technical Implementation Guide
  • V-237365 | CAT II | The ALG providing user authentication intermediary services must use multifactor authentication for network access to non-privileged accounts. | CA API Gateway ALG Security Technical Implementation Guide
  • V-219317 | CAT II | The Ubuntu operating system must implement smart card logins for multifactor authentication for access to accounts. | Canonical Ubuntu 18.04 LTS Security Technical Implementation Guide
  • V-238210 | CAT II | The Ubuntu operating system must implement smart card logins for multifactor authentication for local and network access to privileged and nonprivileged accounts. | Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide
  • V-274853 | CAT II | Ubuntu 20.04 LTS must have the "SSSD" package installed. | Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide
  • V-274854 | CAT II | Ubuntu 20.04 LTS must use the "SSSD" package for multifactor authentication services. | Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide
  • V-260573 | CAT II | Ubuntu 22.04 LTS must implement multifactor authentication for remote access to privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access. | Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide
  • V-260575 | CAT II | Ubuntu 22.04 LTS must implement smart card logins for multifactor authentication for local and network access to privileged and nonprivileged accounts. | Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide
  • V-274864 | CAT II | Ubuntu 22.04 LTS must have the "SSSD" package installed. | Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide
  • V-274866 | CAT II | Ubuntu 22.04 LTS must use the "SSSD" package for multifactor authentication services. | Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide
  • V-270662 | CAT II | Ubuntu 24.04 LTS must have the "SSSD" package installed. | Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide
  • V-270663 | CAT II | Ubuntu 24.04 LTS must use the "SSSD" package for multifactor authentication services. | Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide
  • V-270721 | CAT II | Ubuntu 24.04 LTS must implement smart card logins for multifactor authentication for local and network access to privileged and nonprivileged accounts. | Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide
  • V-270722 | CAT II | Ubuntu 24.04 LTS must implement smart card logins for multifactor authentication for local and network access to privileged and nonprivileged accounts over SSH. | Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide
  • V-206462 | CAT II | The Central Log Server must use multifactor authentication for network access to non-privileged user accounts. | Central Log Server Security Requirements Guide
  • V-239968 | CAT I | The Cisco ASA remote access VPN server must be configured to enforce certificate-based authentication before granting access to the network. | Cisco ASA VPN Security Technical Implementation Guide
  • V-269374 | CAT II | AlmaLinux OS 9 SSHD must not allow blank passwords. | Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
  • V-269375 | CAT II | AlmaLinux OS 9 must use the CAC smart card driver. | Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
  • V-233080 | CAT II | The container platform must use multifactor authentication for network access to non-privileged accounts. | Container Platform Security Requirements Guide
  • V-233082 | CAT II | The container platform must use multifactor authentication for local access to nonprivileged accounts. | Container Platform Security Requirements Guide
  • V-235821 | CAT II | SAML integration must be enabled in Docker Enterprise. | Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide
  • V-270910 | CAT II | Dragos Platform must use an Identity Provider (IDP) for authentication and authorization processes. | Dragos Platform 2.x Security Technical Implementation Guide
  • V-259965 | CAT II | The Enterprise Voice, Video, and Messaging Endpoint must use multifactor authentication for network access to nonprivileged (nonadmin) accounts. | Enterprise Voice, Video, and Messaging Endpoint Security Requirements Guide
  • V-215721 | CAT II | The BIG-IP APM module must use multifactor authentication for network access to non-privileged accounts. | F5 BIG-IP Access Policy Manager Security Technical Implementation Guide
  • V-215761 | CAT II | The BIG-IP Core implementation providing user authentication intermediary services must use multifactor authentication for network access to non-privileged accounts when granting access to virtual servers. | F5 BIG-IP Local Traffic Manager Security Technical Implementation Guide
  • V-266152 | CAT I | The F5 BIG-IP appliance providing user authentication intermediary services must uniquely identify and authenticate users using redundant authentication servers and multifactor authentication (MFA). | F5 BIG-IP TMOS ALG Security Technical Implementation Guide
  • V-203641 | CAT II | The operating system must use multifactor authentication for network access to non-privileged accounts. | General Purpose Operating System Security Requirements Guide
  • V-203643 | CAT II | The operating system must use multifactor authentication for local access to nonprivileged accounts. | General Purpose Operating System Security Requirements Guide
  • V-255265 | CAT II | SSMC web server must enable strict two-factor authentication for access to the webUI. | HPE 3PAR SSMC Web Server Security Technical Implementation Guide
  • V-215436 | CAT II | The AIX operating system must use Multi Factor Authentication. | IBM AIX 7.x Security Technical Implementation Guide
  • V-252561 | CAT II | IBM Aspera Console must be configured with a preestablished trust relationship and mechanisms with appropriate authorities (e.g., Active Directory or AAA server) which validate user account access authorizations and privileges. | IBM Aspera Platform 4.2 Security Technical Implementation Guide
  • V-252589 | CAT II | IBM Aspera Faspex must be configured to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). | IBM Aspera Platform 4.2 Security Technical Implementation Guide
  • V-252606 | CAT II | IBM Aspera Shares must be configured to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). | IBM Aspera Platform 4.2 Security Technical Implementation Guide
  • V-65221 | CAT II | The DataPower Gateway providing user authentication intermediary services must use multifactor authentication for network access to non-privileged accounts. | IBM DataPower ALG Security Technical Implementation Guide
  • V-258589 | CAT I | The ICS must be configured to use multifactor authentication (e.g., DOD PKI) for network access to nonprivileged accounts. | Ivanti Connect Secure VPN Security Technical Implementation Guide
  • V-251025 | CAT II | The Sentry providing mobile device authentication intermediary services must use multifactor authentication for network access to non-privileged accounts. | Ivanti MobileIron Sentry 9.x ALG Security Technical Implementation Guide
  • V-251025 | CAT II | The Sentry providing mobile device authentication intermediary services must use multifactor authentication for network access to non-privileged accounts. | Ivanti Sentry 9.x ALG Security Technical Implementation Guide
  • V-66623 | CAT I | The Juniper SRX Services Gateway VPN must use multifactor authentication (e.g., DoD PKI) for network access to non-privileged accounts. | Juniper SRX SG VPN Security Technical Implementation Guide
  • V-214686 | CAT I | The Juniper SRX Services Gateway VPN must use multifactor authentication (e.g., DoD PKI) for network access to non-privileged accounts. | Juniper SRX Services Gateway VPN Security Technical Implementation Guide
  • V-205490 | CAT II | The Mainframe Product must use multifactor authentication for network access to non-privileged accounts. | Mainframe Product Security Requirements Guide
  • V-205492 | CAT II | The Mainframe Product must use multifactor authentication for local access to nonprivileged accounts. | Mainframe Product Security Requirements Guide
  • V-270233 | CAT I | Microsoft Entra ID must be configured to use multifactor authentication (MFA). | Microsoft Entra ID Security Technical Implementation Guide
  • V-224994 | CAT II | Active Directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication. | Microsoft Windows Server 2016 Security Technical Implementation Guide
  • V-278162 | CAT II | Windows Server 2025 Active Directory (AD) user accounts, including administrators, must be configured to require the use of a common access card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication. | Microsoft Windows Server 2025 Security Technical Implementation Guide
  • V-260909 | CAT II | MKE must be configured to integrate with an Enterprise Identity Provider. | Mirantis Kubernetes Engine Security Technical Implementation Guide
  • V-273194 | CAT I | The Okta Dashboard application must be configured to use multifactor authentication. | Okta Identity as a Service (IDaaS) Security Technical Implementation Guide
  • V-238458 | CAT I | The DBMS must use multifactor authentication for access to user accounts. | Oracle Database 11.2g Security Technical Implementation Guide
  • V-237723 | CAT I | The DBMS must use multifactor authentication for access to user accounts. | Oracle Database 12c Security Technical Implementation Guide
  • V-221688 | CAT I | The Oracle Linux operating system must be configured so that the SSH daemon does not allow authentication using an empty password. | Oracle Linux 7 Security Technical Implementation Guide
  • V-221703 | CAT II | The Oracle Linux operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication. | Oracle Linux 7 Security Technical Implementation Guide
  • V-248702 | CAT II | OL 8 must implement multifactor authentication for access to interactive accounts. | Oracle Linux 8 Security Technical Implementation Guide
  • V-271493 | CAT II | OL 9 must have the SSSD package installed. | Oracle Linux 9 Security Technical Implementation Guide
  • V-271610 | CAT II | OL 9 must use the CAC smart card driver. | Oracle Linux 9 Security Technical Implementation Guide
  • V-271706 | CAT I | OL 9 SSHD must not allow blank passwords. | Oracle Linux 9 Security Technical Implementation Guide
  • V-271721 | CAT II | OL 9 SSHD must accept public key authentication. | Oracle Linux 9 Security Technical Implementation Guide
  • V-253523 | CAT II | Access to Prisma Cloud Compute must be managed based on user need and least privileged using external identity providers for authentication and grouping to role-based assignments when possible. | Palo Alto Networks Prisma Cloud Compute Security Technical Implementation Guide
  • V-252843 | CAT I | Rancher MCM must use a centralized user management solution to support account management functions. For accounts using password authentication, the container platform must use FIPS-validated SHA-2 or later protocol to protect the integrity of the password authentication process. | Rancher Government Solutions Multi-Cluster Manager Security Technical Implementation Guide
  • V-280976 | CAT II | RHEL 10 must use the common access card (CAC) smart card driver. | Red Hat Enterprise Linux 10 Security Technical Implementation Guide
  • V-281263 | CAT II | RHEL 10 must be configured so that SSHD accepts public key authentication. | Red Hat Enterprise Linux 10 Security Technical Implementation Guide
  • V-281264 | CAT II | RHEL 10 must be configured so that SSHD does not allow blank passwords. | Red Hat Enterprise Linux 10 Security Technical Implementation Guide
  • V-281324 | CAT II | RHEL 10 must enable certificate-based smart card authentication. | Red Hat Enterprise Linux 10 Security Technical Implementation Guide
  • V-204425 | CAT I | The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using an empty password. | Red Hat Enterprise Linux 7 Security Technical Implementation Guide
  • V-204441 | CAT II | The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication. | Red Hat Enterprise Linux 7 Security Technical Implementation Guide
  • V-257983 | CAT II | RHEL 9 SSHD must accept public key authentication. | Red Hat Enterprise Linux 9 Security Technical Implementation Guide
  • V-257984 | CAT I | RHEL 9 SSHD must not allow blank passwords. | Red Hat Enterprise Linux 9 Security Technical Implementation Guide
  • V-258121 | CAT II | RHEL 9 must use the common access card (CAC) smart card driver. | Red Hat Enterprise Linux 9 Security Technical Implementation Guide
  • V-257541 | CAT II | OpenShift must use multifactor authentication for network access to accounts. | Red Hat OpenShift Container Platform 4.x Security Technical Implementation Guide
  • V-257543 | CAT I | OpenShift must use FIPS validated LDAP or OpenIDConnect. | Red Hat OpenShift Container Platform 4.x Security Technical Implementation Guide
  • V-261397 | CAT II | SLEM 5 must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM). | SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation Guide
  • V-217301 | CAT II | The SUSE operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM). | SUSE Linux Enterprise Server 12 Security Technical Implementation Guide
  • V-279166 | CAT II | The ALG providing user authentication intermediary services must uniquely identify and authenticate nonorganizational users (or processes acting on behalf of nonorganizational users). | Symantec Edge SWG ALG Security Technical Implementation Guide
  • V-94289 | CAT II | Symantec ProxySG providing user authentication intermediary services must use multifactor authentication for network access to nonprivileged accounts. | Symantec ProxySG ALG Security Technical Implementation Guide
  • V-241005 | CAT II | Common Access Card (CAC)-based authentication must be enabled and enforced on the Tanium Server for all access and all accounts. | Tanium 7.0 Security Technical Implementation Guide
  • V-234066 | CAT II | Common Access Card (CAC)-based authentication must be enabled and enforced on the Tanium Server for all access and all accounts. | Tanium 7.3 Security Technical Implementation Guide
  • V-254897 | CAT II | Multifactor authentication must be enabled and enforced on the Tanium Server for all access and all accounts. | Tanium 7.x Application on TanOS Security Technical Implementation Guide
  • V-254848 | CAT II | The Tanium Operating System (TanOS) must use multifactor authentication for network access to nonprivileged accounts. | Tanium 7.x Operating System on TanOS Security Technical Implementation Guide
  • V-253828 | CAT II | Multifactor authentication must be enabled and enforced on the Tanium Server for all access and all accounts. | Tanium 7.x Security Technical Implementation Guide
  • V-252952 | CAT II | TOSS must use multifactor authentication for network and local access to privileged and nonprivileged accounts. | Tri-Lab Operating System Stack (TOSS) 4 Security Technical Implementation Guide
  • V-282492 | CAT II | TOSS 5 must have the openssl-pkcs11 package installed. | Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide
  • V-282493 | CAT I | TOSS 5 SSHD must not allow blank or null passwords. | Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide
  • V-256324 | CAT II | The vCenter Server must require multifactor authentication. | VMware vSphere 7.0 vCenter Security Technical Implementation Guide
  • V-258910 | CAT II | The vCenter Server must require multifactor authentication. | VMware vSphere 8.0 vCenter Security Technical Implementation Guide
  • V-207388 | CAT II | The VMM must use multifactor authentication for network access to non-privileged accounts. | Virtual Machine Manager Security Requirements Guide
  • V-207390 | CAT II | The VMM must use multifactor authentication for local access to nonprivileged accounts. | Virtual Machine Manager Security Requirements Guide
  • V-207209 | CAT I | The VPN Gateway must use multifactor authentication (e.g., DoD PKI) for network access to non-privileged accounts. | Virtual Private Network (VPN) Security Requirements Guide
  • V-269574 | CAT I | Xylok Security Suite must use a centralized user management solution. | Xylok Security Suite 20.x Security Technical Implementation Guide