STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

CCI-001188

Definition

Generate a unique session identifier for each session with organization-defined randomness requirements.

Parent Control

SC-23 (3): Session Authenticity (System and Communications Protection)

Linked STIG Checks (62)

  • V-279068 (CAT I): ColdFusion must generate a unique session identifier using a FIPS 140-2/140-3 or higher approved random number generator. [Adobe ColdFusion Security Technical Implementation Guide]
  • V-214230 (CAT II): The Apache web server must use cryptography to protect the integrity of remote sessions. [Apache Server 2.4 UNIX Server Security Technical Implementation Guide]
  • V-214252 (CAT II): The Apache web server must generate a session ID long enough that it cannot be guessed through brute force. [Apache Server 2.4 UNIX Server Security Technical Implementation Guide]
  • V-214253 (CAT I): The Apache web server must generate a session ID using as much of the character set as possible to reduce the risk of brute force. [Apache Server 2.4 UNIX Server Security Technical Implementation Guide]
  • V-214333 (CAT II): The Apache web server must accept only system-generated session identifiers. [Apache Server 2.4 Windows Server Security Technical Implementation Guide]
  • V-214335 (CAT II): The Apache web server must generate unique session identifiers with definable entropy. [Apache Server 2.4 Windows Server Security Technical Implementation Guide]
  • V-222968 (CAT I): Tomcat must use FIPS-validated ciphers on secured connectors. [Apache Tomcat Application Server 9 Security Technical Implementation Guide]
  • V-204960 (CAT II): The ALG must generate unique session identifiers using a FIPS 140-2 approved random number generator. [Application Layer Gateway Security Requirements Guide]
  • V-274603 (CAT II): The API keys must be securely generated using a FIPS-validated Random Number Generator (RNG). [Application Programming Interface (API) Security Requirements Guide]
  • V-222583 (CAT II): The application must generate a unique session identifier using a FIPS 140-2/140-3 approved random number generator. [Application Security and Development Security Technical Implementation Guide]
  • V-204766 (CAT I): The application server must generate a unique session identifier using a FIPS 140-2 approved random number generator. [Application Server Security Requirements Guide]
  • V-237329 (CAT I): The ArcGIS Server must use mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module. [ArcGIS for Server 10.3 Security Technical Implementation Guide]
  • V-237374 (CAT II): The CA API Gateway must generate unique session identifiers using a FIPS 140-2 approved random number generator. [CA API Gateway ALG Security Technical Implementation Guide]
  • V-239977 (CAT II): The Cisco ASA remote access VPN server must be configured to generate unique session identifiers using a FIPS-validated Random Number Generator (RNG) based on the Deterministic Random Bit Generators (DRBG) algorithm. [Cisco ASA VPN Security Technical Implementation Guide]
  • V-242658 (CAT II): The Cisco ISE must generate unique session identifiers using a FIPS 140-2 approved Random Number Generator (RNG) using DRGB. [Cisco ISE NDM Security Technical Implementation Guide]
  • V-234565 (CAT I): Citrix Delivery Controller must implement DoD-approved encryption. [Citrix Virtual Apps and Desktop 7.x Delivery Controller Security Technical Implementation Guide]
  • V-233611 (CAT II): PostgreSQL must maintain the authenticity of communications sessions by guarding against man-in-the-middle attacks that guess at Session ID values. [Crunchy Data PostgreSQL Security Technical Implementation Guide]
  • V-261900 (CAT II): PostgreSQL must maintain the authenticity of communications sessions by guarding against man-in-the-middle attacks that guess at Session ID values. [Crunchy Data Postgres 16 Security Technical Implementation Guide]
  • V-206567 (CAT II): The DBMS must maintain the authenticity of communications sessions by guarding against man-in-the-middle attacks that guess at Session ID values. [Database Security Requirements Guide]
  • V-235777 (CAT I): FIPS mode must be enabled on all Docker Engine - Enterprise nodes. [Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide]
  • V-234215 (CAT II): The FortiGate device must generate unique session identifiers using a FIPS 140-2-approved random number generator. [Fortinet FortiGate Firewall NDM Security Technical Implementation Guide]
  • V-255251 (CAT I): The SSMC web server must use cryptographic modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication. [HPE 3PAR SSMC Web Server Security Technical Implementation Guide]
  • V-283387 (CAT I): The HPE Alletra Storage ArcusOS device must use FIPS 140-approved algorithms for authentication to a cryptographic module. [HPE Alletra Storage ArcusOS Network Device Management Security Technical Implementation Guide]
  • V-266940 (CAT I): AOS must use FIPS 140-2/140-3 approved algorithms for authentication to a cryptographic module. [HPE Aruba Networking AOS NDM Security Technical Implementation Guide]
  • V-268302 (CAT II): The HYCU virtual appliance must generate unique session identifiers using a FIPS 140-2 approved random number generator. [HYCU Protege Security Technical Implementation Guide]
  • V-213704 (CAT II): DB2 must maintain the authenticity of communications sessions by guarding against man-in-the-middle attacks that guess at Session ID values. [IBM DB2 V10.5 LUW Security Technical Implementation Guide]
  • V-65109 (CAT II): The DataPower Gateway must generate unique session identifiers using a FIPS 140-2 approved random number generator. [IBM DataPower Network Device Management Security Technical Implementation Guide]
  • V-255805 (CAT II): The MQ Appliance messaging server must generate a unique session identifier using a FIPS 140-2 approved random number generator. [IBM MQ Appliance V9.0 AS Security Technical Implementation Guide]
  • V-255752 (CAT II): The MQ Appliance network device must generate unique session identifiers using a FIPS 140-2 approved random number generator. [IBM MQ Appliance v9.0 NDM Security Technical Implementation Guide]
  • V-250339 (CAT I): The WebSphere Liberty Server must use FIPS 140-2 approved encryption modules when authenticating users and processes. [IBM WebSphere Liberty Server Security Technical Implementation Guide]
  • V-283668 (CAT I): The WebSphere Liberty Server must use FIPS 140-3-approved encryption modules when authenticating users and processes. [IBM WebSphere Liberty Server Security Technical Implementation Guide]
  • V-255875 (CAT II): The WebSphere Application Server must utilize FIPS 140-2-approved encryption modules when authenticating users and processes. [IBM WebSphere Traditional V9.x Security Technical Implementation Guide]
  • V-283677 (CAT II): The WebSphere Application Server must use FIPS 140-3-approved encryption modules when authenticating users and processes. [IBM WebSphere Traditional V9.x Security Technical Implementation Guide]
  • V-258601 (CAT II): The ICS must be configured to audit the execution of privileged functions such as accounts additions and changes. [Ivanti Connect Secure NDM Security Technical Implementation Guide]
  • V-250997 (CAT II): MobileIron Sentry must generate unique session identifiers using a FIPS 140-2 approved random number generator. [Ivanti MobileIron Sentry 9.x NDM Security Technical Implementation Guide]
  • V-250997 (CAT II): Sentry must generate unique session identifiers using a FIPS 140-2 approved random number generator. [Ivanti Sentry 9.x NDM Security Technical Implementation Guide]
  • V-253707 (CAT II): MariaDB must maintain the authenticity of communications sessions by guarding against man-in-the-middle attacks that guess at Session ID values. [MariaDB Enterprise 10.x Security Technical Implementation Guide]
  • V-220371 (CAT II): MarkLogic Server must maintain the authenticity of communications sessions by guarding against man-in-the-middle attacks that guess at Session ID values. [MarkLogic Server v9 Security Technical Implementation Guide]
  • V-218749 (CAT II): A private IIS 10.0 website authentication mechanism must use client certificates to transmit session identifier to assure integrity. [Microsoft IIS 10.0 Site Security Technical Implementation Guide]
  • V-218751 (CAT II): The IIS 10.0 website must generate unique session identifiers that cannot be reliably reproduced. [Microsoft IIS 10.0 Site Security Technical Implementation Guide]
  • V-237439 (CAT I): All SCOM servers must be configured for FIPS 140-2 compliance. [Microsoft SCOM Security Technical Implementation Guide]
  • V-271314 (CAT I): SQL Server must use NIST FIPS 140-2 or 140-3 validated cryptographic operations for encryption, hashing, and signing. [Microsoft SQL Server 2022 Instance Security Technical Implementation Guide]
  • V-221176 (CAT II): MongoDB must maintain the authenticity of communications sessions by guarding against man-in-the-middle attacks that guess at Session ID values. [MongoDB Enterprise Advanced 3.x Security Technical Implementation Guide]
  • V-252164 (CAT II): MongoDB must maintain the authenticity of communications sessions by guarding against man-in-the-middle attacks that guess at Session ID values. [MongoDB Enterprise Advanced 4.x Security Technical Implementation Guide]
  • V-265925 (CAT II): MongoDB must maintain the authenticity of communications sessions by guarding against man-in-the-middle attacks that guess at Session ID values. [MongoDB Enterprise Advanced 7.x Security Technical Implementation Guide]
  • V-279358 (CAT II): MongoDB must maintain the authenticity of communications sessions by guarding against man-in-the-middle attacks that guess at Session ID values. [MongoDB Enterprise Advanced 8.x Security Technical Implementation Guide]
  • V-202077 (CAT II): The network device must generate unique session identifiers using a FIPS 140-2 approved random number generator. [Network Device Management Security Requirements Guide]
  • V-235154 (CAT II): The MySQL Database Server 8.0 must maintain the authenticity of communications sessions by guarding against man-in-the-middle attacks that guess at Session ID values. [Oracle MySQL 8.0 Security Technical Implementation Guide]
  • V-214145 (CAT II): PostgreSQL must maintain the authenticity of communications sessions by guarding against man-in-the-middle attacks that guess at Session ID values. [PostgreSQL 9.x Security Technical Implementation Guide]
  • V-251238 (CAT II): Redis Enterprise DBMS must maintain the authenticity of communications sessions by guarding against man-in-the-middle attacks that guess at Session ID values. [Redis Enterprise 6.x Security Technical Implementation Guide]
  • V-256090 (CAT I): The Riverbed NetProfiler must be configured to implement cryptographic mechanisms using a FIPS 140-2/140-3 validated algorithm to protect the confidentiality and integrity of all cryptographic functions. [Riverbed NetProfiler Security Technical Implementation Guide]
  • V-279248 (CAT I): The Edge SWG must be configured to use FIPS mode. [Symantec Edge SWG NDM Security Technical Implementation Guide]
  • V-234408 (CAT I): The UEM server must generate unique session identifiers using a FIPS-validated Random Number Generator (RNG) based on the Deterministic Random Bit Generators (DRBG) algorithm. [Unified Endpoint Management Server Security Requirements Guide]
  • V-256331 (CAT I): The vCenter Server must enable FIPS-validated cryptography. [VMware vSphere 7.0 vCenter Security Technical Implementation Guide]
  • V-259178 (CAT II): The vCenter PostgreSQL service must maintain the authenticity of communications sessions by guarding against man-in-the-middle attacks that guess at Session ID values. [VMware vSphere 8.0 vCenter Appliance PostgreSQL Security Technical Implementation Guide]
  • V-258917 (CAT I): The vCenter Server must enable FIPS-validated cryptography. [VMware vSphere 8.0 vCenter Security Technical Implementation Guide]
  • V-207226 (CAT II): The VPN Gateway must generate unique session identifiers using FIPS-validated Random Number Generator (RNG) based on the Deterministic Random Bit Generators (DRBG) algorithm. [Virtual Private Network (VPN) Security Requirements Guide]
  • V-206399 (CAT I): The web server must generate a unique session identifier for each session using a FIPS 140-2 approved random number generator. [Web Server Security Requirements Guide]
  • V-206400 (CAT II): The web server must generate unique session identifiers that cannot be reliably reproduced. [Web Server Security Requirements Guide]
  • V-206401 (CAT II): The web server must generate a session ID long enough that it cannot be guessed through brute force. [Web Server Security Requirements Guide]
  • V-206402 (CAT II): The web server must generate a session ID using as much of the character set as possible to reduce the risk of brute force. [Web Server Security Requirements Guide]
  • V-206403 (CAT II): The web server must generate unique session identifiers with definable entropy. [Web Server Security Requirements Guide]