STIGs RMF Controls Compare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

Browse STIGs
Search
RMF Controls
Compare Versions

Resources

About
Release Notes
VPAT
DISA STIG Library

STIGs updated 2 hours ago

Powered by Pylon

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

← AC-4 — Information Flow Enforcement

CCI-001368

Definition

Enforce approved authorizations for controlling the flow of information within the system based on organization-defined information flow control policies.

Parent Control

AC-4Information Flow EnforcementAccess Control

Linked STIG Checks (181)

V-255621CAT IIThe A10 Networks ADC must restrict management connections to the management network.A10 Networks ADC NDM Security Technical Implementation Guide V-204910CAT IIThe ALG must enforce approved authorizations for controlling the flow of information within the network based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.Application Layer Gateway Security Requirements Guide V-222427CAT IIThe application must enforce approved authorizations for controlling the flow of information within the system based on organization-defined information flow control policies.Application Security and Development Security Technical Implementation Guide V-237322CAT IThe ArcGIS Server must use Windows authentication to enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.ArcGIS for Server 10.3 Security Technical Implementation Guide V-255948CAT IIThe Arista network device must enforce approved authorizations for controlling the flow of management information within the network device based on information flow control policies.Arista MLS EOS 4.2x NDM Security Technical Implementation Guide V-255987CAT IIThe Arista router must be configured to enforce approved authorizations for controlling the flow of information within the network based on organization-defined information flow control policies.Arista MLS EOS 4.2x Router Security Technical Implementation Guide V-255988CAT IIThe Arista BGP router must be configured to reject inbound route advertisements for any Bogon prefixes.Arista MLS EOS 4.2x Router Security Technical Implementation Guide V-255989CAT IIThe Arista BGP router must be configured to reject inbound route advertisements for any prefixes belonging to the local autonomous system (AS).Arista MLS EOS 4.2x Router Security Technical Implementation Guide V-255990CAT IIThe Arista BGP router must be configured to reject inbound route advertisements from a customer edge (CE) router for prefixes that are not allocated to that customer.Arista MLS EOS 4.2x Router Security Technical Implementation Guide V-255991CAT IIThe Arista BGP router must be configured to reject outbound route advertisements for any prefixes that do not belong to any customers or the local autonomous system (AS).Arista MLS EOS 4.2x Router Security Technical Implementation Guide V-255993CAT IIIThe Arista Multicast Source Discovery Protocol (MSDP) router must be configured to filter received source-active multicast advertisements for any undesirable multicast groups and sources.Arista MLS EOS 4.2x Router Security Technical Implementation Guide V-255994CAT IIIThe Arista Multicast Source Discovery Protocol (MSDP) router must be configured to filter source-active multicast advertisements to external MSDP peers to avoid global visibility of local-only multicast sources and groups.Arista MLS EOS 4.2x Router Security Technical Implementation Guide V-255995CAT IIIThe Arista MSDP router must be configured to limit the amount of source-active messages it accepts on per-peer basis.Arista MLS EOS 4.2x Router Security Technical Implementation Guide V-255948CAT IIThe Arista network device must enforce approved authorizations for controlling the flow of management information within the network device based on information flow control policies.Arista MLS EOS 4.X NDM Security Technical Implementation Guide V-255987CAT IIThe Arista router must be configured to enforce approved authorizations for controlling the flow of information within the network based on organization-defined information flow control policies.Arista MLS EOS 4.X Router Security Technical Implementation Guide V-255988CAT IIThe Arista BGP router must be configured to reject inbound route advertisements for any Bogon prefixes.Arista MLS EOS 4.X Router Security Technical Implementation Guide V-255989CAT IIThe Arista BGP router must be configured to reject inbound route advertisements for any prefixes belonging to the local autonomous system (AS).Arista MLS EOS 4.X Router Security Technical Implementation Guide V-255990CAT IIThe Arista BGP router must be configured to reject inbound route advertisements from a customer edge (CE) router for prefixes that are not allocated to that customer.Arista MLS EOS 4.X Router Security Technical Implementation Guide V-255991CAT IIThe Arista BGP router must be configured to reject outbound route advertisements for any prefixes that do not belong to any customers or the local autonomous system (AS).Arista MLS EOS 4.X Router Security Technical Implementation Guide V-255993CAT IIIThe Arista Multicast Source Discovery Protocol (MSDP) router must be configured to filter received source-active multicast advertisements for any undesirable multicast groups and sources.Arista MLS EOS 4.X Router Security Technical Implementation Guide V-255994CAT IIIThe Arista Multicast Source Discovery Protocol (MSDP) router must be configured to filter source-active multicast advertisements to external MSDP peers to avoid global visibility of local-only multicast sources and groups.Arista MLS EOS 4.X Router Security Technical Implementation Guide V-255995CAT IIIThe Arista MSDP router must be configured to limit the amount of source-active messages it accepts on per-peer basis.Arista MLS EOS 4.X Router Security Technical Implementation Guide V-214662CAT IIThe Arista Multilayer Switch must enforce approved authorizations for controlling the flow of information within the network based on organization-defined information flow control policies.Arista Multilayer Switch DCS-7000 Series L2S Security Technical Implementation Guide V-237343CAT IIThe CA API Gateway must enforce approved authorizations for controlling the flow of information within the network based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.CA API Gateway ALG Security Technical Implementation Guide V-272061CAT IIThe Cisco ACI must be configured to enforce approved authorizations for controlling the flow of information within the network based on organization-defined information flow control policies.Cisco ACI Router Security Technical Implementation Guide V-272062CAT IIThe BGP Cisco ACI must be configured to reject inbound route advertisements for any prefixes belonging to the local autonomous system (AS).Cisco ACI Router Security Technical Implementation Guide V-272063CAT IIThe BGP Cisco ACI must be configured to reject outbound route advertisements for any prefixes that do not belong to any customers or the local autonomous system (AS).Cisco ACI Router Security Technical Implementation Guide V-272064CAT IIIThe BGP Cisco ACI must be configured to reject route advertisements from BGP peers that do not list their autonomous system (AS) number as the first AS in the AS_PATH attribute.Cisco ACI Router Security Technical Implementation Guide V-239901CAT IIThe Cisco ASA must be configured to enforce approved authorizations for controlling the flow of management information within the Cisco ASA based on information flow control policies.Cisco ASA NDM Security Technical Implementation Guide V-215667CAT IIThe Cisco router must be configured to enforce approved authorizations for controlling the flow of management information within the device based on control policies.Cisco IOS Router NDM Security Technical Implementation Guide V-216551CAT IIThe Cisco router must be configured to enforce approved authorizations for controlling the flow of information within the network based on organization-defined information flow control policies.Cisco IOS Router RTR Security Technical Implementation Guide V-216597CAT IIThe Cisco BGP router must be configured to reject inbound route advertisements for any Bogon prefixes.Cisco IOS Router RTR Security Technical Implementation Guide V-216598CAT IIThe Cisco BGP router must be configured to reject inbound route advertisements for any prefixes belonging to the local autonomous system (AS).Cisco IOS Router RTR Security Technical Implementation Guide V-216599CAT IIThe Cisco BGP router must be configured to reject inbound route advertisements from a customer edge (CE) router for prefixes that are not allocated to that customer.Cisco IOS Router RTR Security Technical Implementation Guide V-216600CAT IIThe Cisco BGP router must be configured to reject outbound route advertisements for any prefixes that do not belong to any customers or the local autonomous system (AS).Cisco IOS Router RTR Security Technical Implementation Guide V-216635CAT IIIThe Cisco Multicast Source Discovery Protocol (MSDP) router must be configured to filter received source-active multicast advertisements for any undesirable multicast groups and sources.Cisco IOS Router RTR Security Technical Implementation Guide V-216636CAT IIIThe Cisco Multicast Source Discovery Protocol (MSDP) router must be configured to filter source-active multicast advertisements to external MSDP peers to avoid global visibility of local-only multicast sources and groups.Cisco IOS Router RTR Security Technical Implementation Guide V-216637CAT IIIThe Cisco Multicast Source Discovery Protocol (MSDP) router must be configured to limit the amount of source-active messages it accepts on a per-peer basis.Cisco IOS Router RTR Security Technical Implementation Guide V-220575CAT IIThe Cisco switch must be configured to enforce approved authorizations for controlling the flow of management information within the device based on control policies.Cisco IOS Switch NDM Security Technical Implementation Guide V-220419CAT IIThe Cisco switch must be configured to enforce approved authorizations for controlling the flow of information within the network based on organization-defined information flow control policies.Cisco IOS Switch RTR Security Technical Implementation Guide V-215812CAT IIThe Cisco router must be configured to enforce approved authorizations for controlling the flow of management information within the device based on control policies.Cisco IOS XE Router NDM Security Technical Implementation Guide V-216641CAT IIThe Cisco router must be configured to enforce approved authorizations for controlling the flow of information within the network based on organization-defined information flow control policies.Cisco IOS XE Router RTR Security Technical Implementation Guide V-216687CAT IIThe Cisco BGP router must be configured to reject inbound route advertisements for any Bogon prefixes.Cisco IOS XE Router RTR Security Technical Implementation Guide V-216688CAT IIThe Cisco BGP router must be configured to reject inbound route advertisements for any prefixes belonging to the local autonomous system (AS).Cisco IOS XE Router RTR Security Technical Implementation Guide V-216689CAT IIThe Cisco BGP router must be configured to reject inbound route advertisements from a customer edge (CE) router for prefixes that are not allocated to that customer.Cisco IOS XE Router RTR Security Technical Implementation Guide V-216690CAT IIThe Cisco BGP router must be configured to reject outbound route advertisements for any prefixes that do not belong to any customers or the local autonomous system (AS).Cisco IOS XE Router RTR Security Technical Implementation Guide V-216730CAT IIIThe Cisco Multicast Source Discovery Protocol (MSDP) router must be configured to filter received source-active multicast advertisements for any undesirable multicast groups and sources.Cisco IOS XE Router RTR Security Technical Implementation Guide V-216731CAT IIIThe Cisco Multicast Source Discovery Protocol (MSDP) router must be configured to filter source-active multicast advertisements to external MSDP peers to avoid global visibility of local-only multicast sources and groups.Cisco IOS XE Router RTR Security Technical Implementation Guide V-216732CAT IIIThe Cisco Multicast Source Discovery Protocol (MSDP) router must be configured to limit the amount of source-active messages it accepts on a per-peer basis.Cisco IOS XE Router RTR Security Technical Implementation Guide V-220523CAT IIThe Cisco switch must be configured to enforce approved authorizations for controlling the flow of management information within the device based on control policies.Cisco IOS XE Switch NDM Security Technical Implementation Guide V-220986CAT IIThe Cisco switch must be configured to enforce approved authorizations for controlling the flow of information within the network based on organization-defined information flow control policies.Cisco IOS XE Switch RTR Security Technical Implementation Guide V-221023CAT IIThe Cisco BGP switch must be configured to reject inbound route advertisements for any Bogon prefixes.Cisco IOS XE Switch RTR Security Technical Implementation Guide V-221024CAT IIThe Cisco BGP switch must be configured to reject inbound route advertisements for any prefixes belonging to the local autonomous system (AS).Cisco IOS XE Switch RTR Security Technical Implementation Guide V-221025CAT IIThe Cisco BGP switch must be configured to reject inbound route advertisements from a customer edge (CE) switch for prefixes that are not allocated to that customer.Cisco IOS XE Switch RTR Security Technical Implementation Guide V-221026CAT IIThe Cisco BGP switch must be configured to reject outbound route advertisements for any prefixes that do not belong to any customers or the local autonomous system (AS).Cisco IOS XE Switch RTR Security Technical Implementation Guide V-221066CAT IIIThe Cisco Multicast Source Discovery Protocol (MSDP) switch must be configured to filter received source-active multicast advertisements for any undesirable multicast groups and sources.Cisco IOS XE Switch RTR Security Technical Implementation Guide V-221067CAT IIIThe Cisco Multicast Source Discovery Protocol (MSDP) switch must be configured to filter source-active multicast advertisements to external MSDP peers to avoid global visibility of local-only multicast sources and groups.Cisco IOS XE Switch RTR Security Technical Implementation Guide V-221068CAT IIIThe Cisco Multicast Source Discovery Protocol (MSDP) switch must be configured to limit the amount of source-active messages it accepts on a per-peer basis.Cisco IOS XE Switch RTR Security Technical Implementation Guide V-216523CAT IIThe Cisco router must be configured to enforce approved authorizations for controlling the flow of management information within the device based on control policies.Cisco IOS XR Router NDM Security Technical Implementation Guide V-216735CAT IIThe Cisco router must be configured to enforce approved authorizations for controlling the flow of information within the network based on organization-defined information flow control policies.Cisco IOS XR Router RTR Security Technical Implementation Guide V-216777CAT IIThe Cisco BGP router must be configured to reject inbound route advertisements for any Bogon prefixes.Cisco IOS XR Router RTR Security Technical Implementation Guide V-216778CAT IIThe Cisco BGP router must be configured to reject inbound route advertisements for any prefixes belonging to the local autonomous system (AS).Cisco IOS XR Router RTR Security Technical Implementation Guide V-216779CAT IIThe Cisco BGP router must be configured to reject inbound route advertisements from a customer edge (CE) router for prefixes that are not allocated to that customer.Cisco IOS XR Router RTR Security Technical Implementation Guide V-216780CAT IIThe Cisco BGP router must be configured to reject outbound route advertisements for any prefixes that do not belong to any customers or the local autonomous system (AS).Cisco IOS XR Router RTR Security Technical Implementation Guide V-216820CAT IIIThe Cisco Multicast Source Discovery Protocol (MSDP) router must be configured to filter received source-active multicast advertisements for any undesirable multicast groups and sources.Cisco IOS XR Router RTR Security Technical Implementation Guide V-216821CAT IIIThe Cisco Multicast Source Discovery Protocol (MSDP) router must be configured to filter source-active multicast advertisements to external MSDP peers to avoid global visibility of local-only multicast sources and groups.Cisco IOS XR Router RTR Security Technical Implementation Guide V-216822CAT IIIThe Cisco Multicast Source Discovery Protocol (MSDP) router must be configured to limit the amount of source-active messages it accepts on a per-peer basis.Cisco IOS XR Router RTR Security Technical Implementation Guide V-220479CAT IIThe Cisco switch must be configured to enforce approved authorizations for controlling the flow of management information within the device based on control policies.Cisco NX OS Switch NDM Security Technical Implementation Guide V-221071CAT IIThe Cisco switch must be configured to enforce approved authorizations for controlling the flow of information within the network based on organization-defined information flow control policies.Cisco NX OS Switch RTR Security Technical Implementation Guide V-221103CAT IIThe Cisco BGP switch must be configured to reject inbound route advertisements for any Bogon prefixes.Cisco NX OS Switch RTR Security Technical Implementation Guide V-221104CAT IIThe Cisco BGP switch must be configured to reject inbound route advertisements for any prefixes belonging to the local autonomous system (AS).Cisco NX OS Switch RTR Security Technical Implementation Guide V-221105CAT IIThe Cisco BGP switch must be configured to reject inbound route advertisements from a customer edge (CE) switch for prefixes that are not allocated to that customer.Cisco NX OS Switch RTR Security Technical Implementation Guide V-221106CAT IIThe Cisco BGP switch must be configured to reject outbound route advertisements for any prefixes that do not belong to any customers or the local autonomous system (AS).Cisco NX OS Switch RTR Security Technical Implementation Guide V-221144CAT IIIThe Cisco Multicast Source Discovery Protocol (MSDP) switch must be configured to filter received source-active multicast advertisements for any undesirable multicast groups and sources.Cisco NX OS Switch RTR Security Technical Implementation Guide V-221145CAT IIIThe Cisco Multicast Source Discovery Protocol (MSDP) switch must be configured to filter source-active multicast advertisements to external MSDP peers to avoid global visibility of local-only multicast sources and groups.Cisco NX OS Switch RTR Security Technical Implementation Guide V-221146CAT IIIThe Cisco Multicast Source Discovery Protocol (MSDP) switch must be configured to limit the amount of source-active messages it accepts on a per-peer basis.Cisco NX OS Switch RTR Security Technical Implementation Guide V-233029CAT IIThe container platform must enforce approved authorizations for controlling the flow of information within the container platform based on organization-defined information flow control policies.Container Platform Security Requirements Guide V-269770CAT IIThe Dell OS10 Switch must enforce approved authorizations for controlling the flow of management information within the network device based on information flow control policies.Dell OS10 Switch NDM Security Technical Implementation Guide V-269849CAT IIThe Dell OS10 Router must be configured to enforce approved authorizations for controlling the flow of information within the network based on organization-defined information flow control policies.Dell OS10 Switch Router Security Technical Implementation Guide V-269850CAT IIThe Dell OS10 BGP router must be configured to reject inbound route advertisements for any Bogon prefixes.Dell OS10 Switch Router Security Technical Implementation Guide V-269851CAT IIThe Dell OS10 BGP router must be configured to reject inbound route advertisements for any prefixes belonging to the local autonomous system (AS).Dell OS10 Switch Router Security Technical Implementation Guide V-269852CAT IIThe Dell OS10 BGP router must be configured to reject inbound route advertisements from a customer edge (CE) router for prefixes that are not allocated to that customer.Dell OS10 Switch Router Security Technical Implementation Guide V-269853CAT IIThe Dell OS10 BGP router must be configured to reject outbound route advertisements for any prefixes that do not belong to any customers or the local autonomous system (AS).Dell OS10 Switch Router Security Technical Implementation Guide V-269854CAT IIIThe Dell OS10 BGP router must be configured to reject route advertisements from BGP peers that do not list their autonomous system (AS) number as the first AS in the AS_PATH attribute.Dell OS10 Switch Router Security Technical Implementation Guide V-269855CAT IIIThe Dell OS10 BGP router must be configured to reject route advertisements from CE routers with an originating autonomous system (AS) in the AS_PATH attribute that does not belong to that customer.Dell OS10 Switch Router Security Technical Implementation Guide V-235781CAT IIA policy set using the built-in role-based access control (RBAC) capabilities in the Universal Control Plane (UCP) component of Docker Enterprise must be configured.Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide V-235782CAT IIA policy set using the built-in role-based access control (RBAC) capabilities in the Docker Trusted Registry (DTR) component of Docker Enterprise must be set.Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide V-259943CAT IIThe Enterprise Voice, Video, and Messaging Endpoint PC port must be configured to maintain VLAN separation from the voice video VLAN, or be disabled.Enterprise Voice, Video, and Messaging Endpoint Security Requirements Guide V-259944CAT IIThe Enterprise Voice, Video, and Messaging Endpoint must be configured to integrate into the implemented 802.1x network access control system.Enterprise Voice, Video, and Messaging Endpoint Security Requirements Guide V-259945CAT IIThe Enterprise Voice, Video, and Messaging Endpoint PC port must be configured to connect to an 802.1x supplicant or the PC port must be disabled.Enterprise Voice, Video, and Messaging Endpoint Security Requirements Guide V-259946CAT IIThe Enterprise Voice, Video, and Messaging Endpoint not supporting 802.1x must be configured to use MAC Authentication Bypass (MAB) on the access switchport.Enterprise Voice, Video, and Messaging Endpoint Security Requirements Guide V-259947CAT IIThe Enterprise Voice, Video, and Messaging Endpoint must be configured to use a voice video VLAN, separate from all other VLANs.Enterprise Voice, Video, and Messaging Endpoint Security Requirements Guide V-259989CAT IIThe Enterprise Voice, Video, and Messaging Session Manager must be configured to only enable the extension mobility feature for endpoints on a per user basis.Enterprise Voice, Video, and Messaging Session Management Security Requirements Guide V-259990CAT IIThe Enterprise Voice, Video, and Messaging Session Manager must be configured to globally disable the extension mobility feature for endpoints.Enterprise Voice, Video, and Messaging Session Management Security Requirements Guide V-259991CAT IIThe Enterprise Voice, Video, and Messaging Session Manager must be configured to use DNS servers assigned to support the VVoIP system.Enterprise Voice, Video, and Messaging Session Management Security Requirements Guide V-214498CAT IIThe BIG-IP AFM module must be configured to enforce approved authorizations for controlling the flow of information within the network based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.F5 BIG-IP Advanced Firewall Manager Security Technical Implementation Guide V-215739CAT IIThe BIG-IP Core implementation must be configured to enforce approved authorizations for controlling the flow of information within the network based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.F5 BIG-IP Local Traffic Manager Security Technical Implementation Guide V-266144CAT IThe F5 BIG-IP appliance providing user access control intermediary services must implement attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.F5 BIG-IP TMOS ALG Security Technical Implementation Guide V-278383CAT IIThe NGINX service account must be configured to not have admin group access.F5 NGINX Security Technical Implementation Guide V-234166CAT IIThe FortiGate device must allow full access to only those individuals or roles designated by the ISSM.Fortinet FortiGate Firewall NDM Security Technical Implementation Guide V-217432CAT IIThe HP FlexFabric Switch must enforce approved authorizations for controlling the flow of management information within the HP FlexFabric Switch based on information flow control policies.HP FlexFabric Switch NDM Security Technical Implementation Guide V-266910CAT IIAOS must enforce approved authorizations for controlling the flow of management information within the network device based on information flow control policies.HPE Aruba Networking AOS NDM Security Technical Implementation Guide V-268225CAT IIThe HYCU virtual appliance must enforce approved authorizations for controlling the flow of management information within the appliance based on information flow control policies.HYCU Protege Security Technical Implementation Guide V-65191CAT IIThe DataPower Gateway must enforce approved authorizations for controlling the flow of information within the network based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.IBM DataPower ALG Security Technical Implementation Guide V-65063CAT IIThe DataPower Gateway must enforce approved authorizations for controlling the flow of management information within DataPower based on information flow control policies.IBM DataPower Network Device Management Security Technical Implementation Guide V-65189CAT IIThe DataPower Gateway must not use 0.0.0.0 as the management IP address.IBM DataPower Network Device Management Security Technical Implementation Guide V-34484CAT IIThe IDPS must enforce approved authorizations by restricting or blocking the flow of harmful or suspicious communications traffic within the network as defined in the PPSM CAL and vulnerability assessments.Intrusion Detection and Prevention Systems (IDPS) Security Requirements Guide V-206864CAT IIThe IPS must enforce approved authorizations by restricting or blocking the flow of harmful or suspicious communications traffic within the network.Intrusion Detection and Prevention Systems Security Requirements Guide V-258601CAT IIThe ICS must be configured to audit the execution of privileged functions such as accounts additions and changes.Ivanti Connect Secure NDM Security Technical Implementation Guide V-251009CAT IIThe Sentry must enforce approved authorizations for controlling the flow of information within the network based on attribute-based inspection of the source, destination, and headers, of the communications traffic.Ivanti MobileIron Sentry 9.x ALG Security Technical Implementation Guide V-250985CAT IIIMobileIron Sentry must enforce approved authorizations for controlling the flow of management information within the network device based on information flow control policies.Ivanti MobileIron Sentry 9.x NDM Security Technical Implementation Guide V-251009CAT IIThe Sentry must enforce approved authorizations for controlling the flow of information within the network based on attribute-based inspection of the source, destination, and headers, of the communications traffic.Ivanti Sentry 9.x ALG Security Technical Implementation Guide V-250985CAT IIISentry must enforce approved authorizations for controlling the flow of management information within the network device based on information flow control policies.Ivanti Sentry 9.x NDM Security Technical Implementation Guide V-253884CAT IIThe Juniper EX switch must be configured to enforce approved authorizations for controlling the flow of management information within the network device based on information flow control policies.Juniper EX Series Switches Network Device Management Security Technical Implementation Guide V-253973CAT IIThe Juniper router must be configured to enforce approved authorizations for controlling the flow of information within the network based on organization-defined information flow control policies.Juniper EX Series Switches Router Security Technical Implementation Guide V-253974CAT IIThe Juniper BGP router must be configured to reject inbound route advertisements for any Bogon prefixes.Juniper EX Series Switches Router Security Technical Implementation Guide V-253975CAT IIThe Juniper BGP router must be configured to reject inbound route advertisements for any prefixes belonging to the local autonomous system (AS).Juniper EX Series Switches Router Security Technical Implementation Guide V-253976CAT IIThe Juniper BGP router must be configured to reject inbound route advertisements from a customer edge (CE) router for prefixes that are not allocated to that customer.Juniper EX Series Switches Router Security Technical Implementation Guide V-253977CAT IIThe Juniper BGP router must be configured to reject outbound route advertisements for any prefixes that do not belong to any customers or the local autonomous system (AS).Juniper EX Series Switches Router Security Technical Implementation Guide V-253979CAT IIIThe Juniper router configured for Multicast Source Discovery Protocol (MSDP) must filter received source-active multicast advertisements for any undesirable multicast groups and sources.Juniper EX Series Switches Router Security Technical Implementation Guide V-253980CAT IIIThe Juniper router configured for Multicast Source Discovery Protocol (MSDP) must filter source-active multicast advertisements to external MSDP peers to avoid global visibility of local-only multicast sources and groups.Juniper EX Series Switches Router Security Technical Implementation Guide V-253981CAT IIIThe Juniper router configured for MSDP must limit the amount of source-active messages it accepts on per-peer basis.Juniper EX Series Switches Router Security Technical Implementation Guide V-217310CAT IIThe Juniper router must be configured to enforce approved authorizations for controlling the flow of management information within the device based on control policies.Juniper Router NDM Security Technical Implementation Guide V-217011CAT IIThe Juniper router must be configured to enforce approved authorizations for controlling the flow of information within the network based on organization-defined information flow control policies.Juniper Router RTR Security Technical Implementation Guide V-217053CAT IIThe Juniper BGP router must be configured to reject inbound route advertisements for any Bogon prefixes.Juniper Router RTR Security Technical Implementation Guide V-217054CAT IIThe Juniper BGP router must be configured to reject inbound route advertisements for any prefixes belonging to the local autonomous system (AS).Juniper Router RTR Security Technical Implementation Guide V-217055CAT IIThe Juniper BGP router must be configured to reject inbound route advertisements from a customer edge (CE) Juniper router for prefixes that are not allocated to that customer.Juniper Router RTR Security Technical Implementation Guide V-217056CAT IIThe Juniper BGP router must be configured to reject outbound route advertisements for any prefixes that do not belong to any customers or the local autonomous system (AS).Juniper Router RTR Security Technical Implementation Guide V-217095CAT IIIThe Juniper Multicast Source Discovery Protocol (MSDP) router must be configured to filter received source-active multicast advertisements for any undesirable multicast groups and sources.Juniper Router RTR Security Technical Implementation Guide V-217096CAT IIIThe Juniper Multicast Source Discovery Protocol (MSDP) router must be configured to filter source-active multicast advertisements to external MSDP peers to avoid global visibility of local-only multicast sources and groups.Juniper Router RTR Security Technical Implementation Guide V-217097CAT IIIThe Juniper Multicast Source Discovery Protocol (MSDP) router must be configured to limit the amount of source-active messages it accepts on per-peer basis.Juniper Router RTR Security Technical Implementation Guide V-66383CAT IIThe Juniper Networks SRX Series Gateway IDPS must enforce approved authorizations by restricting or blocking the flow of harmful or suspicious communications traffic within the network as defined in the PPSM CAL and vulnerability assessments.Juniper SRX SG IDPS Security Technical Implementation Guide V-66383CAT IIThe Juniper Networks SRX Series Gateway IDPS must enforce approved authorizations by restricting or blocking the flow of harmful or suspicious communications traffic within the network as defined in the PPSM CAL and vulnerability assessments.Juniper SRX SG IDPS Security Technical Implementation Guide V-214611CAT IIThe Juniper Networks SRX Series Gateway IDPS must enforce approved authorizations by restricting or blocking the flow of harmful or suspicious communications traffic within the network as defined in the PPSM CAL and vulnerability assessments.Juniper SRX Services Gateway IDPS Security Technical Implementation Guide V-205454CAT IIThe Mainframe Product must enforce approved authorizations for controlling the flow of information within the system based on site security plan information flow control policies.Mainframe Product Security Requirements Guide V-221204CAT IIExchange must have accepted domains configured.Microsoft Exchange 2016 Edge Transport Server Security Technical Implementation Guide V-221206CAT IIExchange external Receive connectors must be domain secure-enabled.Microsoft Exchange 2016 Edge Transport Server Security Technical Implementation Guide V-228356CAT IIExchange auto-forwarding email to remote domains must be disabled or restricted.Microsoft Exchange 2016 Mailbox Server Security Technical Implementation Guide V-259579CAT IIExchange must have accepted domains configured.Microsoft Exchange 2019 Edge Server Security Technical Implementation Guide V-259651CAT IIExchange auto-forwarding email to remote domains must be disabled or restricted.Microsoft Exchange 2019 Mailbox Server Security Technical Implementation Guide V-260912CAT IIMKE must have Grants created to control authorization to cluster resources.Mirantis Kubernetes Engine Security Technical Implementation Guide V-202018CAT IIThe network device must enforce approved authorizations for controlling the flow of management information within the network device based on information flow control policies.Network Device Management Security Requirements Guide V-207688CAT IIThe Palo Alto Networks security platform must enable Antivirus, Anti-spyware, and Vulnerability Protection for all authorized traffic.Palo Alto Networks IDPS Security Technical Implementation Guide V-253525CAT IIPrisma Cloud Compute Collections must be used to partition views and enforce organizational-defined need-to-know access.Palo Alto Networks Prisma Cloud Compute Security Technical Implementation Guide V-273785CAT IIThe RUCKUS ICX device must enforce approved authorizations for controlling the flow of management information within the network device based on information flow control policies.RUCKUS ICX NDM Security Technical Implementation Guide V-273569CAT IIThe RUCKUS ICX router must be configured to enforce approved authorizations for controlling the flow of information within the network based on organization-defined information flow control policies.RUCKUS ICX Router Security Technical Implementation Guide V-273570CAT IIThe RUCKUS ICX BGP router must be configured to reject inbound route advertisements for any Bogon prefixes.RUCKUS ICX Router Security Technical Implementation Guide V-273571CAT IIThe RUCKUS ICX BGP router must be configured to reject inbound route advertisements for any prefixes belonging to the local autonomous system (AS).RUCKUS ICX Router Security Technical Implementation Guide V-273572CAT IIThe RUCKUS ICX BGP router must be configured to reject inbound route advertisements from a customer edge (CE) router for prefixes that are not allocated to that customer.RUCKUS ICX Router Security Technical Implementation Guide V-273573CAT IIThe RUCKUS ICX BGP router must be configured to reject outbound route advertisements for any prefixes that do not belong to any customer or the local autonomous system (AS).RUCKUS ICX Router Security Technical Implementation Guide V-273574CAT IIIThe RUCKUS ICX BGP router must be configured to reject route advertisements from BGP peers that do not list their autonomous system (AS) number as the first AS in the AS_PATH attribute.RUCKUS ICX Router Security Technical Implementation Guide V-273575CAT IIIThe RUCKUS ICX Multicast Source Discovery Protocol router must be configured to filter received source-active multicast advertisements for any undesirable multicast groups and sources.RUCKUS ICX Router Security Technical Implementation Guide V-273576CAT IIIThe RUCKUS ICX Multicast Source Discovery Protocol router must be configured to filter source-active multicast advertisements to external MSDP peers to avoid global visibility of local-only multicast sources and groups.RUCKUS ICX Router Security Technical Implementation Guide V-273577CAT IIIThe RUCKUS ICX MSDP router must be configured to limit the amount of source-active messages it accepts on a per peer basis.RUCKUS ICX Router Security Technical Implementation Guide V-273578CAT IIIThe RUCKUS ICX BGP router must be configured to reject route advertisements from CE routers with an originating AS in the AS_PATH attribute that does not belong to that customer.RUCKUS ICX Router Security Technical Implementation Guide V-252843CAT IRancher MCM must use a centralized user management solution to support account management functions. For accounts using password authentication, the container platform must use FIPS-validated SHA-2 or later protocol to protect the integrity of the password authentication process.Rancher Government Solutions Multi-Cluster Manager Security Technical Implementation Guide V-257514CAT IIOpenShift must enforce network policy on the namespace for controlling the flow of information within the container platform based on organization-defined information flow control policies.Red Hat OpenShift Container Platform 4.12 Security Technical Implementation Guide V-257514CAT IIOpenShift must enforce network policy on the namespace for controlling the flow of information within the container platform based on organization-defined information flow control policies.Red Hat OpenShift Container Platform 4.x Security Technical Implementation Guide V-207097CAT IIThe router must be configured to enforce approved authorizations for controlling the flow of information within the network based on organization-defined information flow control policies.Router Security Requirements Guide V-207098CAT IIThe BGP router must be configured to reject inbound route advertisements for any Bogon prefixes.Router Security Requirements Guide V-207099CAT IIThe BGP router must be configured to reject inbound route advertisements for any prefixes belonging to the local autonomous system (AS).Router Security Requirements Guide V-207100CAT IIThe BGP router must be configured to reject inbound route advertisements from a customer edge (CE) router for prefixes that are not allocated to that customer.Router Security Requirements Guide V-207101CAT IIThe BGP router must be configured to reject outbound route advertisements for any prefixes that do not belong to any customers or the local autonomous system (AS).Router Security Requirements Guide V-207102CAT IIIThe BGP router must be configured to reject route advertisements from BGP peers that do not list their autonomous system (AS) number as the first AS in the AS_PATH attribute.Router Security Requirements Guide V-207103CAT IIIThe Multicast Source Discovery Protocol (MSDP) router must be configured to filter received source-active multicast advertisements for any undesirable multicast groups and sources.Router Security Requirements Guide V-207104CAT IIIThe Multicast Source Discovery Protocol (MSDP) router must be configured to filter source-active multicast advertisements to external MSDP peers to avoid global visibility of local-only multicast sources and groups.Router Security Requirements Guide V-207105CAT IIIThe MSDP router must be configured to limit the amount of source-active messages it accepts on per-peer basis.Router Security Requirements Guide V-207106CAT IIIThe BGP router must be configured to reject route advertisements from CE routers with an originating AS in the AS_PATH attribute that does not belong to that customer.Router Security Requirements Guide V-206716CAT IIThe SDN controller must be configured to enforce approved authorizations for controlling the flow of traffic within the network based on organization-defined information flow control policies.SDN Controller Security Requirements Guide V-254090CAT IIInnoslate must enforce approved authorizations for controlling the flow of information within the system based on organization-defined information flow control policies.SPEC Innovations Innoslate 4.x Security Technical Implementation Guide V-279166CAT IIThe ALG providing user authentication intermediary services must uniquely identify and authenticate nonorganizational users (or processes acting on behalf of nonorganizational users).Symantec Edge SWG ALG Security Technical Implementation Guide V-279250CAT IThe Edge SWG must be configured to assign appropriate user roles or access levels to authenticated users.Symantec Edge SWG NDM Security Technical Implementation Guide V-94231CAT IISymantec ProxySG must enforce approved authorizations for controlling the flow of information within the network based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.Symantec ProxySG ALG Security Technical Implementation Guide V-94659CAT IISymantec ProxySG must be configured to enforce assigned privilege levels for approved administrators when accessing the management console, SSH, and the command line interface (CLI).Symantec ProxySG NDM Security Technical Implementation Guide V-241115CAT IITrend Deep Security must enforce approved authorizations for controlling the flow of information within the system based on organization-defined information flow control policies.Trend Micro Deep Security 9.x Security Technical Implementation Guide V-242173CAT IThe Trend Micro TippingPoint Security Management System (SMS) must be configured to send security IPS policy to the Trend Micro Threat Protection System (TPS).Trend Micro TippingPoint IDPS Security Technical Implementation Guide V-242254CAT IThe TippingPoint SMS must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access and to enforce access restrictions.Trend Micro TippingPoint NDM Security Technical Implementation Guide V-265292CAT IThe NSX Manager must assign users/accounts to organization-defined roles configured with approved authorizations.VMware NSX 4.x Manager NDM Security Technical Implementation Guide V-251744CAT IIThe NSX-T Tier-0 Gateway must be configured to reject inbound route advertisements for any prefixes belonging to the local autonomous system (AS).VMware NSX-T Tier-0 Gateway RTR Security Technical Implementation Guide V-207412CAT IIAll interactions among guest VMs must be mediated by the VMM or its service VMs to support proper function.Virtual Machine Manager Security Requirements Guide V-279019CAT IIThe VPN Gateway must enforce approved authorizations for controlling the flow of information within the network based on organization-defined information flow control policies.Virtual Private Network (VPN) Security Requirements Guide