STIGhub
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

CCI-001184

Definition

Protect the authenticity of communications sessions.

Parent Control

SC-23: Session Authenticity (System and Communications Protection)

Linked STIG Checks (126)

  • V-279067 (CAT II): ColdFusion must be configured to mutually authenticate connecting proxies and load balancers. [Adobe ColdFusion Security Technical Implementation Guide]
  • V-222971 (CAT II): Tomcat servers must mutually authenticate proxy or load balancer connections. [Apache Tomcat Application Server 9 Security Technical Implementation Guide]
  • V-204957 (CAT II): The ALG must protect the authenticity of communications sessions. [Application Layer Gateway Security Requirements Guide]
  • V-274600 (CAT II): The API must protect Session IDs via encryption. [Application Programming Interface (API) Security Requirements Guide]
  • V-222575 (CAT II): The application must set the HTTPOnly flag on session cookies. [Application Security and Development Security Technical Implementation Guide]
  • V-222576 (CAT II): The application must set the secure flag on session cookies. [Application Security and Development Security Technical Implementation Guide]
  • V-222577 (CAT I): The application must not expose session IDs. [Application Security and Development Security Technical Implementation Guide]
  • V-204762 (CAT II): The application server must be configured to mutually authenticate connecting proxies, application servers or gateways. [Application Server Security Requirements Guide]
  • V-237329 (CAT I): The ArcGIS Server must use mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module. [ArcGIS for Server 10.3 Security Technical Implementation Guide]
  • V-272629 (CAT I): CylanceON-PREM must be configured to use TLS 1.2 or higher. [Arctic Wolf CylanceON-PREM Security Technical Implementation Guide]
  • V-276013 (CAT I): Ax-OS must protect the authenticity of communications sessions. [Axonius Federal Systems Ax-OS Security Technical Implementation Guide]
  • V-272417 (CAT I): A BIND 9.x server implementation must maintain the integrity and confidentiality of DNS information while it is being prepared for transmission, in transmission, and in use and must perform integrity verification and data origin verification for all DNS information. [BIND 9.x Security Technical Implementation Guide]
  • V-237372 (CAT II): The CA API Gateway must protect the authenticity of communications sessions. [CA API Gateway ALG Security Technical Implementation Guide]
  • V-272078 (CAT II): The Cisco ACI must be configured to authenticate all routing protocol messages using a NIST-validated FIPS 198-1 message authentication code algorithm. [Cisco ACI Router Security Technical Implementation Guide]
  • V-272082 (CAT II): The Cisco ACI must be configured to implement message authentication and secure communications for all control plane protocols. [Cisco ACI Router Security Technical Implementation Guide]
  • V-239959 (CAT I): The Cisco ASA must be configured to use FIPS-validated SHA-2 or higher for Internet Key Exchange (IKE) Phase 2. [Cisco ASA VPN Security Technical Implementation Guide]
  • V-234565 (CAT I): Citrix Delivery Controller must implement DoD-approved encryption. [Citrix Virtual Apps and Desktop 7.x Delivery Controller Security Technical Implementation Guide]
  • V-234224 (CAT II): Citrix License Server must protect the authenticity of communications sessions. [Citrix Virtual Apps and Desktop 7.x License Server Security Technical Implementation Guide]
  • V-234257 (CAT I): Citrix Linux Virtual Delivery Agent must implement DoD-approved encryption. [Citrix Virtual Apps and Desktop 7.x Linux Virtual Delivery Agent Security Technical Implementation Guide]
  • V-234253 (CAT I): Citrix Windows Virtual Delivery Agent must implement DoD-approved encryption. [Citrix Virtual Apps and Desktop 7.x Windows Virtual Delivery Agent Security Technical Implementation Guide]
  • V-213202 (CAT II): XenDesktop License Server must protect the authenticity of communications sessions. [Citrix XenDesktop 7.x License Server Security Technical Implementation Guide]
  • V-213208 (CAT I): Citrix Receiver must implement DoD-approved encryption. [Citrix XenDesktop 7.x Receiver Security Technical Implementation Guide]
  • V-213213 (CAT I): Citrix Windows Virtual Delivery Agent must implement DoD-approved encryption. [Citrix XenDesktop 7.x Windows VDA Security Technical Implementation Guide]
  • V-233118 (CAT I): The container platform must protect authenticity of communications sessions with the use of FIPS-validated 140-2 or 140-3 security requirements for cryptographic modules. [Container Platform Security Requirements Guide]
  • V-269882 (CAT II): The Dell OS10 Router must be configured to implement message authentication for all control plane protocols. [Dell OS10 Switch Router Security Technical Implementation Guide]
  • V-269883 (CAT II): The Dell OS10 BGP router must be configured to use a unique key for each autonomous system (AS) that it peers with. [Dell OS10 Switch Router Security Technical Implementation Guide]
  • V-269884 (CAT II): The Dell OS10 Router must be configured to use keys with a duration not exceeding 180 days for authenticating routing protocol messages. [Dell OS10 Switch Router Security Technical Implementation Guide]
  • V-235776 (CAT II): TCP socket binding for all Docker Engine - Enterprise nodes in a Universal Control Plane (UCP) cluster must be disabled. [Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide]
  • V-205182 (CAT II): The DNS implementation must protect the authenticity of communications sessions for zone transfers. [Domain Name System (DNS) Security Requirements Guide]
  • V-205183 (CAT II): The DNS implementation must protect the authenticity of communications sessions for dynamic updates. [Domain Name System (DNS) Security Requirements Guide]
  • V-205184 (CAT II): The DNS implementation must protect the authenticity of communications sessions for queries. [Domain Name System (DNS) Security Requirements Guide]
  • V-259968 (CAT II): The Enterprise Voice, Video, and Messaging Endpoint must be configured to use FIPS-validated SHA-2 or higher to protect the authenticity of communications sessions. [Enterprise Voice, Video, and Messaging Endpoint Security Requirements Guide]
  • V-260016 (CAT I): The Enterprise Voice, Video, and Messaging Session Manager must be configured to use FIPS-validated SHA-2 or higher to protect the authenticity of communications sessions. [Enterprise Voice, Video, and Messaging Session Management Security Requirements Guide]
  • V-260053 (CAT II): The F5 BIG-IP appliance must not use the On-Demand Cert Auth VPE agent as part of the APM Policy Profiles. [F5 BIG-IP Access Policy Manager Security Technical Implementation Guide]
  • V-260055 (CAT III): The F5 BIG-IP appliance must be configured to limit authenticated client sessions to initial session source IP. [F5 BIG-IP Access Policy Manager Security Technical Implementation Guide]
  • V-215766 (CAT II): The BIG-IP Core implementation must be configured to protect the authenticity of communications sessions. [F5 BIG-IP Local Traffic Manager Security Technical Implementation Guide]
  • V-266139 (CAT I): The F5 BIG-IP appliance providing intermediary services for remote access must use FIPS-validated cryptographic algorithms, including TLS 1.2 at a minimum. [F5 BIG-IP TMOS ALG Security Technical Implementation Guide]
  • V-266166 (CAT II): The F5 BIG-IP appliance must not use the On-demand Cert Auth VPE agent as part of the APM Policy Profiles. [F5 BIG-IP TMOS ALG Security Technical Implementation Guide]
  • V-266167 (CAT II): The F5 BIG-IP appliance must be configured to restrict a consistent inbound IP for the entire management session. [F5 BIG-IP TMOS ALG Security Technical Implementation Guide]
  • V-266168 (CAT III): The F5 BIG-IP appliance must be configured to limit authenticated client sessions to initial session source IP. [F5 BIG-IP TMOS ALG Security Technical Implementation Guide]
  • V-266174 (CAT II): The VPN Gateway must use Always On VPN connections for remote computing. [F5 BIG-IP TMOS ALG Security Technical Implementation Guide]
  • V-265982 (CAT II): An authoritative name server must be configured to enable DNSSEC Resource Records. [F5 BIG-IP TMOS DNS Security Technical Implementation Guide]
  • V-265990 (CAT I): The F5 BIG-IP DNS implementation must protect the authenticity of communications sessions for zone transfers. [F5 BIG-IP TMOS DNS Security Technical Implementation Guide]
  • V-266287 (CAT I): The F5 BIG-IP appliance IPsec VPN must be configured to use FIPS-validated SHA-2 or higher for Internet Key Exchange (IKE). [F5 BIG-IP TMOS VPN Security Technical Implementation Guide]
  • V-278405 (CAT II): NGINX must be configured to use FIPS-approved algorithms to protect the confidentiality and integrity of transmitted information. [F5 NGINX Security Technical Implementation Guide]
  • V-266983 (CAT II): AOS, when used as a VPN Gateway, must be configured to use IPsec with SHA-2 at 384 bits or greater for hashing to protect the integrity of remote access sessions. [HPE Aruba Networking AOS VPN Security Technical Implementation Guide]
  • V-252615 (CAT II): The IBM Aspera High-Speed Transfer Endpoint must be configured to protect the authenticity of communications sessions. [IBM Aspera Platform 4.2 Security Technical Implementation Guide]
  • V-252629 (CAT II): The IBM Aspera High-Speed Transfer Server must be configured to protect the authenticity of communications sessions. [IBM Aspera Platform 4.2 Security Technical Implementation Guide]
  • V-65233 (CAT II): The DataPower Gateway must protect the authenticity of communications sessions. [IBM DataPower ALG Security Technical Implementation Guide]
  • V-255804 (CAT II): The MQ Appliance messaging server must ensure authentication of both SSH client and server during the entire session. [IBM MQ Appliance V9.0 AS Security Technical Implementation Guide]
  • V-255865 (CAT II): The WebSphere Application Server multifactor authentication for network access to privileged accounts must be used. [IBM WebSphere Traditional V9.x Security Technical Implementation Guide]
  • V-255879 (CAT II): The WebSphere Application Server DoD root CAs must be in the trust store. [IBM WebSphere Traditional V9.x Security Technical Implementation Guide]
  • V-214174 (CAT II): Infoblox DNS servers must protect the authenticity of communications sessions for zone transfers. [Infoblox 7.x DNS Security Technical Implementation Guide]
  • V-214175 (CAT II): Infoblox DNS servers must be configured to protect the authenticity of communications sessions for dynamic updates. [Infoblox 7.x DNS Security Technical Implementation Guide]
  • V-214176 (CAT II): Infoblox DNS servers must be configured to protect the authenticity of communications sessions for queries. [Infoblox 7.x DNS Security Technical Implementation Guide]
  • V-233917 (CAT II): Infoblox DNS service members must protect the authenticity of communications sessions for zone transfers when communicating with external DNS service members (i.e., DNS systems outside the Infoblox grid). [Infoblox 8.x DNS Security Technical Implementation Guide]
  • V-233918 (CAT II): Infoblox DNS service members must protect the authenticity of communications sessions for dynamic updates. [Infoblox 8.x DNS Security Technical Implementation Guide]
  • V-233919 (CAT II): Infoblox DNS service members must protect the authenticity of communications sessions for queries. [Infoblox 8.x DNS Security Technical Implementation Guide]
  • V-66641 (CAT I): The Juniper SRX Services Gateway VPN must configure Internet Key Exchange (IKE) with SHA1 or greater to protect the authenticity of communications sessions. [Juniper SRX SG VPN Security Technical Implementation Guide]
  • V-214692 (CAT I): The Juniper SRX Services Gateway VPN must configure Internet Key Exchange (IKE) with SHA1 or greater to protect the authenticity of communications sessions. [Juniper SRX Services Gateway VPN Security Technical Implementation Guide]
  • V-242418 (CAT II): The Kubernetes API server must use approved cipher suites. [Kubernetes Security Technical Implementation Guide]
  • V-242419 (CAT II): Kubernetes API Server must have the SSL Certificate Authority set. [Kubernetes Security Technical Implementation Guide]
  • V-242420 (CAT II): Kubernetes Kubelet must have the SSL Certificate Authority set. [Kubernetes Security Technical Implementation Guide]
  • V-242421 (CAT II): Kubernetes Controller Manager must have the SSL Certificate Authority set. [Kubernetes Security Technical Implementation Guide]
  • V-242422 (CAT II): Kubernetes API Server must have a certificate for communication. [Kubernetes Security Technical Implementation Guide]
  • V-242423 (CAT II): Kubernetes etcd must enable client authentication to secure service. [Kubernetes Security Technical Implementation Guide]
  • V-242424 (CAT II): Kubernetes Kubelet must enable tlsPrivateKeyFile for client authentication to secure service. [Kubernetes Security Technical Implementation Guide]
  • V-242425 (CAT II): Kubernetes Kubelet must enable tlsCertFile for client authentication to secure service. [Kubernetes Security Technical Implementation Guide]
  • V-242426 (CAT II): Kubernetes etcd must enable client authentication to secure service. [Kubernetes Security Technical Implementation Guide]
  • V-242427 (CAT II): Kubernetes etcd must have a key file for secure communication. [Kubernetes Security Technical Implementation Guide]
  • V-242428 (CAT II): Kubernetes etcd must have a certificate for communication. [Kubernetes Security Technical Implementation Guide]
  • V-242429 (CAT II): Kubernetes etcd must have the SSL Certificate Authority set. [Kubernetes Security Technical Implementation Guide]
  • V-242430 (CAT II): Kubernetes etcd must have a certificate for communication. [Kubernetes Security Technical Implementation Guide]
  • V-242431 (CAT II): Kubernetes etcd must have a key file for secure communication. [Kubernetes Security Technical Implementation Guide]
  • V-242432 (CAT II): Kubernetes etcd must have peer-cert-file set for secure communication. [Kubernetes Security Technical Implementation Guide]
  • V-242433 (CAT II): Kubernetes etcd must have a peer-key-file set for secure communication. [Kubernetes Security Technical Implementation Guide]
  • V-225228 (CAT II): Remoting Services HTTP channels must utilize authentication and encryption. [Microsoft DotNet Framework 4.0 Security Technical Implementation Guide]
  • V-225237 (CAT II): Remoting Services TCP channels must utilize authentication and encryption. [Microsoft DotNet Framework 4.0 Security Technical Implementation Guide]
  • V-221218 (CAT II): Exchange internal Send connectors must use domain security (mutual authentication Transport Layer Security). [Microsoft Exchange 2016 Edge Transport Server Security Technical Implementation Guide]
  • V-221219 (CAT II): Exchange Internet-facing Receive connectors must offer Transport Layer Security (TLS) before using basic authentication. [Microsoft Exchange 2016 Edge Transport Server Security Technical Implementation Guide]
  • V-228375 (CAT II): Exchange internal Receive connectors must require encryption. [Microsoft Exchange 2016 Mailbox Server Security Technical Implementation Guide]
  • V-259594 (CAT II): Exchange internal send connectors must use domain security (mutual authentication Transport Layer Security). [Microsoft Exchange 2019 Edge Server Security Technical Implementation Guide]
  • V-259595 (CAT II): Exchange internet-facing receive connectors must offer Transport Layer Security (TLS) before using basic authentication. [Microsoft Exchange 2019 Edge Server Security Technical Implementation Guide]
  • V-259710 (CAT I): The application must protect the confidentiality and integrity of transmitted information. [Microsoft Exchange 2019 Mailbox Server Security Technical Implementation Guide]
  • V-223027 (CAT II): Logon options must be configured to prompt (Internet zone). [Microsoft Internet Explorer 11 Security Technical Implementation Guide]
  • V-223070 (CAT II): Logon options must be configured and enforced (Restricted Sites zone). [Microsoft Internet Explorer 11 Security Technical Implementation Guide]
  • V-223344 (CAT II): The SIP security mode in Lync must be enabled. [Microsoft Office 365 ProPlus Security Technical Implementation Guide]
  • V-223345 (CAT II): The HTTP fallback for SIP connection in Lync must be disabled. [Microsoft Office 365 ProPlus Security Technical Implementation Guide]
  • V-238106 (CAT II): Session Initiation Protocol (SIP) security mode must be configured. [Microsoft Skype for Business 2016 Security Technical Implementation Guide]
  • V-238107 (CAT II): In the event a secure Session Initiation Protocol (SIP) connection fails, the connection must be restricted from resorting to the unencrypted HTTP. [Microsoft Skype for Business 2016 Security Technical Implementation Guide]
  • V-215626 (CAT II): The Windows 2012 DNS Server must protect the authenticity of zone transfers via transaction signing. [Microsoft Windows 2012 Server Domain Name System Security Technical Implementation Guide]
  • V-215627 (CAT I): The Windows 2012 DNS Server must protect the authenticity of dynamic updates via transaction signing. [Microsoft Windows 2012 Server Domain Name System Security Technical Implementation Guide]
  • V-215628 (CAT II): The Windows 2012 DNS Server must protect the authenticity of query responses via DNSSEC. [Microsoft Windows 2012 Server Domain Name System Security Technical Implementation Guide]
  • V-259389 (CAT II): The Windows DNS Server must protect the authenticity of zone transfers via transaction signing. [Microsoft Windows Server Domain Name System (DNS) Security Technical Implementation Guide]
  • V-259390 (CAT I): The Windows DNS Server must protect the authenticity of dynamic updates via transaction signing. [Microsoft Windows Server Domain Name System (DNS) Security Technical Implementation Guide]
  • V-259391 (CAT II): The Windows DNS Server must protect the authenticity of query responses via DNSSEC. [Microsoft Windows Server Domain Name System (DNS) Security Technical Implementation Guide]
  • V-260908 (CAT I): FIPS mode must be enabled. [Mirantis Kubernetes Engine Security Technical Implementation Guide]
  • V-235984 (CAT II): Oracle WebLogic must ensure authentication of both client and server during the entire session. [Oracle WebLogic Server 12c Security Technical Implementation Guide]
  • V-273621 (CAT II): The RUCKUS ICX router must be configured to implement message authentication for all control plane protocols. [RUCKUS ICX Router Security Technical Implementation Guide]
  • V-273622 (CAT II): The RUCKUS ICX BGP router must be configured to use a unique key for each autonomous system (AS) that it peers with. [RUCKUS ICX Router Security Technical Implementation Guide]
  • V-273623 (CAT II): The RUCKUS ICX router must be configured to use keys with a duration not exceeding 180 days for authenticating routing protocol messages. [RUCKUS ICX Router Security Technical Implementation Guide]
  • V-254553 (CAT I): Rancher RKE2 must protect authenticity of communications sessions with the use of FIPS-validated 140-2 or 140-3 security requirements for cryptographic modules. [Rancher Government Solutions RKE2 Security Technical Implementation Guide]
  • V-257546 (CAT I): OpenShift must protect authenticity of communications sessions with the use of FIPS-validated 140-2 or 140-3 validated cryptography. [Red Hat OpenShift Container Platform 4.12 Security Technical Implementation Guide]
  • V-257546 (CAT I): OpenShift must protect authenticity of communications sessions with the use of FIPS-validated 140-2 or 140-3 validated cryptography. [Red Hat OpenShift Container Platform 4.x Security Technical Implementation Guide]
  • V-238508 (CAT II): The Riverbed Optimization System (RiOS) must protect the authenticity of communications sessions by configuring securing pairing trusts for SSL and secure protocols. [Riverbed SteelHead CX v8 ALG Security Technical Implementation Guide]
  • V-216982 (CAT II): The router must be configured to implement message authentication for all control plane protocols. [Router Security Requirements Guide]
  • V-216983 (CAT II): The BGP router must be configured to use a unique key for each autonomous system (AS) that it peers with. [Router Security Requirements Guide]
  • V-216984 (CAT II): The router must be configured to use keys with a duration not exceeding 180 days for authenticating routing protocol messages. [Router Security Requirements Guide]
  • V-254087 (CAT I): Innoslate must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access. [SPEC Innovations Innoslate 4.x Security Technical Implementation Guide]
  • V-281376 (CAT I): TCMax must protect the confidentiality and integrity of transmitted information. [Soaring Software Solutions TCMax 9.x Security Technical Implementation Guide]
  • V-94311 (CAT I): Symantec ProxySG must use Transport Layer Security (TLS) to protect the authenticity of communications sessions. [Symantec ProxySG ALG Security Technical Implementation Guide]
  • V-240978 (CAT II): The Tanium cryptographic signing capabilities must be enabled on the Tanium Clients, which will ensure the authenticity of communications sessions when answering requests from the Tanium Server. [Tanium 7.0 Security Technical Implementation Guide]
  • V-241016 (CAT II): The Tanium Server must protect the confidentiality and integrity of transmitted information with cryptographic signing capabilities enabled to ensure the authenticity of communications sessions when making requests from Tanium Clients. [Tanium 7.0 Security Technical Implementation Guide]
  • V-234037 (CAT II): The Tanium cryptographic signing capabilities must be enabled on the Tanium Clients to safeguard the authenticity of communications sessions when answering requests from the Tanium Server. [Tanium 7.3 Security Technical Implementation Guide]
  • V-254903 (CAT II): The Tanium cryptographic signing capabilities must be enabled on the Tanium Clients to safeguard the authenticity of communications sessions when answering requests from the Tanium Server. [Tanium 7.x Application on TanOS Security Technical Implementation Guide]
  • V-253807 (CAT II): The Tanium cryptographic signing capabilities must be enabled on the Tanium Clients to safeguard the authenticity of communications sessions when answering requests from the Tanium Server. [Tanium 7.x Security Technical Implementation Guide]
  • V-234405 (CAT II): The UEM server must protect the authenticity of communications sessions. [Unified Endpoint Management Server Security Requirements Guide]
  • V-240943 (CAT II): The vAMI must use sfcBasicPAMAuthentication for authentication of the remote administrator. [VMware vRealize Automation 7.x vAMI Security Technical Implementation Guide]
  • V-256318 (CAT I): The vCenter Server must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access. [VMware vSphere 7.0 vCenter Security Technical Implementation Guide]
  • V-265978 (CAT II): The vCenter Server must use DOD-approved encryption to protect the confidentiality of network sessions. [VMware vSphere 8.0 vCenter Security Technical Implementation Guide]
  • V-207222 (CAT II): The VPN Gateway must use FIPS 140-2 compliant mechanisms for authentication to a cryptographic module. [Virtual Private Network (VPN) Security Requirements Guide]
  • V-207223 (CAT I): The IPSec VPN must be configured to use FIPS-validated SHA-2 at 384 bits or higher for Internet Key Exchange (IKE). [Virtual Private Network (VPN) Security Requirements Guide]
  • V-264336 (CAT II): The VPN Gateway must use Always On VPN connections for remote computing. [Virtual Private Network (VPN) Security Requirements Guide]
  • V-264360 (CAT II): The web server must restrict a consistent inbound source IP for the entire management session. [Web Server Security Requirements Guide]
  • V-264361 (CAT II): The web server must restrict a consistent inbound source IP for the entire user session. [Web Server Security Requirements Guide]
  • V-269573 (CAT I): Xylok Security Suite must prevent access except through HTTPS. [Xylok Security Suite 20.x Security Technical Implementation Guide]