STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.
CCI-001414

Definition

Enforce approved authorizations for controlling the flow of information between connected systems based on organization-defined information flow control policies.

Parent Control

AC-4: Information Flow Enforcement (Access Control)

Linked STIG Checks (200)

  • V-76391 | CAT I | Kona Site Defender must immediately use updates made to policy enforcement mechanisms to enforce that all traffic flows over HTTPS port 443. | Akamai KSD Service Impact Level 2 ALG Security Technical Implementation Guide
  • V-76393 | CAT I | Kona Site Defender must immediately apply updates to the Kona Rule Set to block designated traffic of interest in response to new or emerging threats. | Akamai KSD Service Impact Level 2 ALG Security Technical Implementation Guide
  • V-76395 | CAT II | Kona Site Defender must immediately use updates made to policy enforcement mechanisms to block traffic from organizationally defined geographic regions. | Akamai KSD Service Impact Level 2 ALG Security Technical Implementation Guide
  • V-76397 | CAT II | Kona Site Defender must immediately use updates made to policy enforcement mechanisms to block traffic from organizationally defined IP addresses (i.e., IP blacklist). | Akamai KSD Service Impact Level 2 ALG Security Technical Implementation Guide
  • V-76399 | CAT II | Kona Site Defender must immediately use updates made to policy enforcement mechanisms to allow traffic from organizationally defined IP addresses (i.e., IP whitelist). | Akamai KSD Service Impact Level 2 ALG Security Technical Implementation Guide
  • V-204911 | CAT II | The ALG must restrict or block harmful or suspicious communications traffic by controlling the flow of information between interconnected networks based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic. | Application Layer Gateway Security Requirements Guide
  • V-204912 | CAT II | The ALG must immediately use updates made to policy enforcement mechanisms such as policy filters, rules, signatures, and analysis algorithms for gateway and/or intermediary functions. | Application Layer Gateway Security Requirements Guide
  • V-204913 | CAT II | The ALG that is part of a CDS must apply information flow control to data transferred between security domains by means of a policy filter which consists of a set of hardware and/or software. | Application Layer Gateway Security Requirements Guide
  • V-222428 | CAT II | The application must enforce approved authorizations for controlling the flow of information between interconnected systems based on organization-defined information flow control policies. | Application Security and Development Security Technical Implementation Guide
  • V-217488 | CAT II | The Arista Multilayer Switch must enforce approved authorizations for controlling the flow of information between interconnected networks in accordance with applicable policy. | Arista MLS DCS-7000 Series RTR Security Technical Implementation Guide
  • V-217489 | CAT II | The Arista Multilayer Switch must disable Protocol Independent Multicast (PIM) on all interfaces that are not required to support multicast routing. | Arista MLS DCS-7000 Series RTR Security Technical Implementation Guide
  • V-217490 | CAT II | The Arista Multilayer Switch must bind a Protocol Independent Multicast (PIM) neighbor filter to interfaces that have PIM enabled. | Arista MLS DCS-7000 Series RTR Security Technical Implementation Guide
  • V-217491 | CAT II | The Arista Multilayer Switch must establish boundaries for IPv6 Admin-Local, IPv6 Site-Local, IPv6 Organization-Local scope, and IPv4 Local-Scope multicast traffic. | Arista MLS DCS-7000 Series RTR Security Technical Implementation Guide
  • V-217492 | CAT II | The Arista Multilayer Switch must be configured so inactive router interfaces are disabled. | Arista MLS DCS-7000 Series RTR Security Technical Implementation Guide
  • V-217493 | CAT II | The Arista Multilayer Switch must protect an enclave connected to an Alternate Gateway by using an inbound filter that only permits packets with destination addresses within the sites address space. | Arista MLS DCS-7000 Series RTR Security Technical Implementation Guide
  • V-217494 | CAT II | If Border Gateway Protocol (BGP) is enabled on The Arista Multilayer Switch, The Arista Multilayer Switch must not be a BGP peer with a router from an Autonomous System belonging to any Alternate Gateway. | Arista MLS DCS-7000 Series RTR Security Technical Implementation Guide
  • V-217495 | CAT II | The Arista Multilayer Switch must not redistribute static routes to alternate gateway service provider into an Exterior Gateway Protocol or Interior Gateway Protocol to the NIPRNet or to other Autonomous System. | Arista MLS DCS-7000 Series RTR Security Technical Implementation Guide
  • V-217496 | CAT II | The Arista Multilayer Switch must enforce that Interior Gateway Protocol instances configured on the out-of-band management gateway router only peer with their own routing domain. | Arista MLS DCS-7000 Series RTR Security Technical Implementation Guide
  • V-217497 | CAT II | The Arista Multilayer Switch must enforce that the managed network domain and the management network domain are separate routing domains and the Interior Gateway Protocol instances are not redistributed or advertised to each other. | Arista MLS DCS-7000 Series RTR Security Technical Implementation Guide
  • V-217498 | CAT II | The Arista Multilayer Switch must enforce that any interface used for out-of-band management traffic is configured to be passive for the Interior Gateway Protocol that is utilized on that management interface. | Arista MLS DCS-7000 Series RTR Security Technical Implementation Guide
  • V-255997 | CAT II | The Arista perimeter router must be configured to enforce approved authorizations for controlling the flow of information between interconnected networks in accordance with applicable policy. | Arista MLS EOS 4.2x Router Security Technical Implementation Guide
  • V-255998 | CAT II | The Arista multicast router must be configured to disable Protocol Independent Multicast (PIM) on all interfaces that are not required to support multicast routing. | Arista MLS EOS 4.2x Router Security Technical Implementation Guide
  • V-255999 | CAT II | The Arista multicast router must be configured to bind a Protocol Independent Multicast (PIM) neighbor filter to interfaces that have PIM enabled. | Arista MLS EOS 4.2x Router Security Technical Implementation Guide
  • V-256000 | CAT III | The Arista multicast edge router must be configured to establish boundaries for administratively scoped multicast traffic. | Arista MLS EOS 4.2x Router Security Technical Implementation Guide
  • V-256001 | CAT III | The Arista router must be configured to have all inactive interfaces disabled. | Arista MLS EOS 4.2x Router Security Technical Implementation Guide
  • V-256002 | CAT I | The Arista perimeter router must be configured to protect an enclave connected to an alternate gateway by using an inbound filter that only permits packets with destination addresses within the sites address space. | Arista MLS EOS 4.2x Router Security Technical Implementation Guide
  • V-256003 | CAT I | The Arista perimeter router must be configured to not be a Border Gateway Protocol (BGP) peer to an alternate gateway service provider. | Arista MLS EOS 4.2x Router Security Technical Implementation Guide
  • V-256004 | CAT III | The Arista perimeter router must be configured to not redistribute static routes to an alternate gateway service provider into BGP or an IGP peering with the NIPRNet or to other autonomous systems. | Arista MLS EOS 4.2x Router Security Technical Implementation Guide
  • V-256005 | CAT II | The out-of-band management (OOBM) Arista gateway router must be configured to have separate IGP instances for the managed network and management network. | Arista MLS EOS 4.2x Router Security Technical Implementation Guide
  • V-256006 | CAT II | The out-of-band management (OOBM) Arista gateway router must be configured to not redistribute routes between the management network routing domain and the managed network routing domain. | Arista MLS EOS 4.2x Router Security Technical Implementation Guide
  • V-256007 | CAT III | The multicast Rendezvous Point (RP) Arista router must be configured to filter Protocol Independent Multicast (PIM) Register and Join messages received from the Designated Router (DR) for any undesirable multicast groups and sources. | Arista MLS EOS 4.2x Router Security Technical Implementation Guide
  • V-255997 | CAT II | The Arista perimeter router must be configured to enforce approved authorizations for controlling the flow of information between interconnected networks in accordance with applicable policy. | Arista MLS EOS 4.X Router Security Technical Implementation Guide
  • V-255998 | CAT II | The Arista multicast router must be configured to disable Protocol Independent Multicast (PIM) on all interfaces that are not required to support multicast routing. | Arista MLS EOS 4.X Router Security Technical Implementation Guide
  • V-255999 | CAT II | The Arista multicast router must be configured to bind a Protocol Independent Multicast (PIM) neighbor filter to interfaces that have PIM enabled. | Arista MLS EOS 4.X Router Security Technical Implementation Guide
  • V-256000 | CAT III | The Arista multicast edge router must be configured to establish boundaries for administratively scoped multicast traffic. | Arista MLS EOS 4.X Router Security Technical Implementation Guide
  • V-256001 | CAT III | The Arista router must be configured to have all inactive interfaces disabled. | Arista MLS EOS 4.X Router Security Technical Implementation Guide
  • V-256002 | CAT I | The Arista perimeter router must be configured to protect an enclave connected to an alternate gateway by using an inbound filter that only permits packets with destination addresses within the sites address space. | Arista MLS EOS 4.X Router Security Technical Implementation Guide
  • V-256003 | CAT I | The Arista perimeter router must be configured to not be a Border Gateway Protocol (BGP) peer to an alternate gateway service provider. | Arista MLS EOS 4.X Router Security Technical Implementation Guide
  • V-256004 | CAT III | The Arista perimeter router must be configured to not redistribute static routes to an alternate gateway service provider into BGP or an IGP peering with the NIPRNet or to other autonomous systems. | Arista MLS EOS 4.X Router Security Technical Implementation Guide
  • V-256005 | CAT II | The out-of-band management (OOBM) Arista gateway router must be configured to have separate IGP instances for the managed network and management network. | Arista MLS EOS 4.X Router Security Technical Implementation Guide
  • V-256006 | CAT II | The out-of-band management (OOBM) Arista gateway router must be configured to not redistribute routes between the management network routing domain and the managed network routing domain. | Arista MLS EOS 4.X Router Security Technical Implementation Guide
  • V-256007 | CAT III | The multicast Rendezvous Point (RP) Arista router must be configured to filter Protocol Independent Multicast (PIM) Register and Join messages received from the Designated Router (DR) for any undesirable multicast groups and sources. | Arista MLS EOS 4.X Router Security Technical Implementation Guide
  • V-214663 | CAT II | The Arista Multilayer Switch must enforce approved authorizations for controlling the flow of information between interconnected systems based on organization-defined information flow control policies. | Arista Multilayer Switch DCS-7000 Series L2S Security Technical Implementation Guide
  • V-237344 | CAT II | The CA API Gateway must restrict or block harmful or suspicious communications traffic by controlling the flow of information between interconnected networks based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic. | CA API Gateway ALG Security Technical Implementation Guide
  • V-272061 | CAT II | The Cisco ACI must be configured to enforce approved authorizations for controlling the flow of information within the network based on organization-defined information flow control policies. | Cisco ACI Router Security Technical Implementation Guide
  • V-272069 | CAT II | The multicast Cisco ACI must be configured to bind a Protocol Independent Multicast (PIM) neighbor filter to interfaces that have PIM enabled. | Cisco ACI Router Security Technical Implementation Guide
  • V-272073 | CAT III | The Cisco ACI multicast rendezvous point (RP) must be configured to filter Protocol Independent Multicast (PIM) Register messages received from the designated router (DR) for any undesirable multicast groups and sources. | Cisco ACI Router Security Technical Implementation Guide
  • V-272074 | CAT III | The multicast rendezvous point (RP) Cisco ACI must be configured to filter Protocol Independent Multicast (PIM) Join messages received from the designated router (DR) for any undesirable multicast groups. | Cisco ACI Router Security Technical Implementation Guide
  • V-239852 | CAT I | The Cisco ASA must be configured to filter outbound traffic, allowing only authorized ports and services. | Cisco ASA Firewall Security Technical Implementation Guide
  • V-239853 | CAT II | The Cisco ASA must immediately use updates made to policy enforcement mechanisms such as firewall rules, security policies, and security zones. | Cisco ASA Firewall Security Technical Implementation Guide
  • V-239960 | CAT II | The Cisco ASA VPN gateway must be configured to restrict what traffic is transported via the IPsec tunnel according to flow control policies. | Cisco ASA VPN Security Technical Implementation Guide
  • V-216556 | CAT III | The Cisco router must be configured to have all inactive interfaces disabled. | Cisco IOS Router RTR Security Technical Implementation Guide
  • V-216571 | CAT III | The Cisco router must be configured to disable the auxiliary port unless it is connected to a secured modem providing encryption and authentication. | Cisco IOS Router RTR Security Technical Implementation Guide
  • V-216573 | CAT II | The Cisco perimeter router must be configured to enforce approved authorizations for controlling the flow of information between interconnected networks in accordance with applicable policy. | Cisco IOS Router RTR Security Technical Implementation Guide
  • V-216576 | CAT I | The Cisco perimeter router must be configured to protect an enclave connected to an approved gateway by using an inbound filter that only permits packets with destination addresses within the sites address space. | Cisco IOS Router RTR Security Technical Implementation Guide
  • V-216577 | CAT I | The Cisco perimeter router must be configured to not be a Border Gateway Protocol (BGP) peer to an approved gateway service provider. | Cisco IOS Router RTR Security Technical Implementation Guide
  • V-216578 | CAT III | The Cisco perimeter router must be configured to not redistribute static routes to an approved gateway service provider into BGP, an IGP peering with the NIPRNet, or other autonomous systems. | Cisco IOS Router RTR Security Technical Implementation Guide
  • V-216590 | CAT II | The Cisco out-of-band management (OOBM) gateway router must be configured to have separate IGP instances for the managed network and management network. | Cisco IOS Router RTR Security Technical Implementation Guide
  • V-216591 | CAT II | The Cisco out-of-band management (OOBM) gateway router must be configured to not redistribute routes between the management network routing domain and the managed network routing domain. | Cisco IOS Router RTR Security Technical Implementation Guide
  • V-216622 | CAT II | The Cisco multicast router must be configured to disable Protocol Independent Multicast (PIM) on all interfaces that are not required to support multicast routing. | Cisco IOS Router RTR Security Technical Implementation Guide
  • V-216623 | CAT II | The Cisco multicast router must be configured to bind a Protocol Independent Multicast (PIM) neighbor filter to interfaces that have PIM enabled. | Cisco IOS Router RTR Security Technical Implementation Guide
  • V-216624 | CAT III | The Cisco multicast edge router must be configured to establish boundaries for administratively scoped multicast traffic. | Cisco IOS Router RTR Security Technical Implementation Guide
  • V-216626 | CAT III | The Cisco multicast Rendezvous Point (RP) router must be configured to filter Protocol Independent Multicast (PIM) Register messages received from the Designated Router (DR) for any undesirable multicast groups and sources. | Cisco IOS Router RTR Security Technical Implementation Guide
  • V-216627 | CAT III | The Cisco multicast Rendezvous Point (RP) router must be configured to filter Protocol Independent Multicast (PIM) Join messages received from the Designated Router (DR) for any undesirable multicast groups. | Cisco IOS Router RTR Security Technical Implementation Guide
  • V-220424 | CAT III | The Cisco switch must be configured to have all inactive Layer 3 interfaces disabled. | Cisco IOS Switch RTR Security Technical Implementation Guide
  • V-220439 | CAT III | The Cisco switch must be configured to disable the auxiliary port unless it is connected to a secured modem providing encryption and authentication. | Cisco IOS Switch RTR Security Technical Implementation Guide
  • V-220441 | CAT II | The Cisco perimeter switch must be configured to enforce approved authorizations for controlling the flow of information between interconnected networks in accordance with applicable policy. | Cisco IOS Switch RTR Security Technical Implementation Guide
  • V-220461 | CAT II | The Cisco multicast switch must be configured to disable Protocol Independent Multicast (PIM) on all interfaces that are not required to support multicast routing. | Cisco IOS Switch RTR Security Technical Implementation Guide
  • V-220462 | CAT II | The Cisco multicast switch must be configured to bind a Protocol Independent Multicast (PIM) neighbor filter to interfaces that have PIM enabled. | Cisco IOS Switch RTR Security Technical Implementation Guide
  • V-220463 | CAT III | The Cisco multicast edge switch must be configured to establish boundaries for administratively scoped multicast traffic. | Cisco IOS Switch RTR Security Technical Implementation Guide
  • V-216646 | CAT III | The Cisco router must be configured to have all inactive interfaces disabled. | Cisco IOS XE Router RTR Security Technical Implementation Guide
  • V-216661 | CAT III | The Cisco router must be configured to disable the auxiliary port unless it is connected to a secured modem providing encryption and authentication. | Cisco IOS XE Router RTR Security Technical Implementation Guide
  • V-216663 | CAT II | The Cisco perimeter router must be configured to enforce approved authorizations for controlling the flow of information between interconnected networks in accordance with applicable policy. | Cisco IOS XE Router RTR Security Technical Implementation Guide
  • V-216666 | CAT I | The Cisco perimeter router must be configured to protect an enclave connected to an alternate gateway by using an inbound filter that only permits packets with destination addresses within the sites address space. | Cisco IOS XE Router RTR Security Technical Implementation Guide
  • V-216667 | CAT I | The Cisco perimeter router must be configured to not be a Border Gateway Protocol (BGP) peer to an alternate gateway service provider. | Cisco IOS XE Router RTR Security Technical Implementation Guide
  • V-216668 | CAT III | The Cisco perimeter router must be configured to not redistribute static routes to an alternate gateway service provider into BGP or an Interior Gateway Protocol (IGP) peering with the NIPRNet or to other autonomous systems. | Cisco IOS XE Router RTR Security Technical Implementation Guide
  • V-216680 | CAT II | The Cisco out-of-band management (OOBM) gateway router must be configured to have separate Interior Gateway Protocol (IGP) instances for the managed network and management network. | Cisco IOS XE Router RTR Security Technical Implementation Guide
  • V-216681 | CAT II | The Cisco out-of-band management (OOBM) gateway router must be configured to not redistribute routes between the management network routing domain and the managed network routing domain. | Cisco IOS XE Router RTR Security Technical Implementation Guide
  • V-216717 | CAT II | The Cisco multicast router must be configured to disable Protocol Independent Multicast (PIM) on all interfaces that are not required to support multicast routing. | Cisco IOS XE Router RTR Security Technical Implementation Guide
  • V-216718 | CAT II | The Cisco multicast router must be configured to bind a Protocol Independent Multicast (PIM) neighbor filter to interfaces that have PIM enabled. | Cisco IOS XE Router RTR Security Technical Implementation Guide
  • V-216719 | CAT III | The Cisco multicast edge router must be configured to establish boundaries for administratively scoped multicast traffic. | Cisco IOS XE Router RTR Security Technical Implementation Guide
  • V-216721 | CAT III | The Cisco multicast Rendezvous Point (RP) router must be configured to filter Protocol Independent Multicast (PIM) Register messages received from the Designated Router (DR) for any undesirable multicast groups and sources. | Cisco IOS XE Router RTR Security Technical Implementation Guide
  • V-216722 | CAT III | The Cisco multicast Rendezvous Point (RP) router must be configured to filter Protocol Independent Multicast (PIM) Join messages received from the Designated Router (DR) for any undesirable multicast groups. | Cisco IOS XE Router RTR Security Technical Implementation Guide
  • V-220991 | CAT III | The Cisco switch must be configured to have all inactive layer 3 interfaces disabled. | Cisco IOS XE Switch RTR Security Technical Implementation Guide
  • V-221006 | CAT III | The Cisco switch must be configured to disable the auxiliary port unless it is connected to a secured modem providing encryption and authentication. | Cisco IOS XE Switch RTR Security Technical Implementation Guide
  • V-221008 | CAT II | The Cisco perimeter switch must be configured to enforce approved authorizations for controlling the flow of information between interconnected networks in accordance with applicable policy. | Cisco IOS XE Switch RTR Security Technical Implementation Guide
  • V-221053 | CAT II | The Cisco multicast switch must be configured to disable Protocol Independent Multicast (PIM) on all interfaces that are not required to support multicast routing. | Cisco IOS XE Switch RTR Security Technical Implementation Guide
  • V-221054 | CAT II | The Cisco multicast switch must be configured to bind a Protocol Independent Multicast (PIM) neighbor filter to interfaces that have PIM enabled. | Cisco IOS XE Switch RTR Security Technical Implementation Guide
  • V-221055 | CAT III | The Cisco multicast edge switch must be configured to establish boundaries for administratively scoped multicast traffic. | Cisco IOS XE Switch RTR Security Technical Implementation Guide
  • V-221057 | CAT III | The Cisco multicast Rendezvous Point (RP) switch must be configured to filter Protocol Independent Multicast (PIM) Register messages received from the Designated switch (DR) for any undesirable multicast groups and sources. | Cisco IOS XE Switch RTR Security Technical Implementation Guide
  • V-221058 | CAT III | The Cisco multicast Rendezvous Point (RP) switch must be configured to filter Protocol Independent Multicast (PIM) Join messages received from the Designated Cisco switch (DR) for any undesirable multicast groups. | Cisco IOS XE Switch RTR Security Technical Implementation Guide
  • V-216740 | CAT III | The Cisco router must be configured to have all inactive interfaces disabled. | Cisco IOS XR Router RTR Security Technical Implementation Guide
  • V-216753 | CAT II | The Cisco perimeter router must be configured to enforce approved authorizations for controlling the flow of information between interconnected networks in accordance with applicable policy. | Cisco IOS XR Router RTR Security Technical Implementation Guide
  • V-216756 | CAT I | The Cisco perimeter router must be configured to protect an enclave connected to an alternate gateway by using an inbound filter that only permits packets with destination addresses within the sites address space. | Cisco IOS XR Router RTR Security Technical Implementation Guide
  • V-216757 | CAT I | The Cisco perimeter router must be configured to not be a Border Gateway Protocol (BGP) peer to an alternate gateway service provider. | Cisco IOS XR Router RTR Security Technical Implementation Guide
  • V-216758 | CAT III | The Cisco perimeter router must be configured to not redistribute static routes to an alternate gateway service provider into BGP or an IGP peering with the NIPRNet or to other autonomous systems. | Cisco IOS XR Router RTR Security Technical Implementation Guide
  • V-216770 | CAT II | The Cisco out-of-band management (OOBM) gateway router must be configured to have separate IGP instances for the managed network and management network. | Cisco IOS XR Router RTR Security Technical Implementation Guide
  • V-216771 | CAT II | The Cisco out-of-band management (OOBM) gateway router must be configured to not redistribute routes between the management network routing domain and the managed network routing domain. | Cisco IOS XR Router RTR Security Technical Implementation Guide
  • V-216807 | CAT II | The Cisco multicast router must be configured to disable Protocol Independent Multicast (PIM) on all interfaces that are not required to support multicast routing. | Cisco IOS XR Router RTR Security Technical Implementation Guide
  • V-216808 | CAT II | The Cisco multicast router must be configured to bind a Protocol Independent Multicast (PIM) neighbor filter to interfaces that have PIM enabled. | Cisco IOS XR Router RTR Security Technical Implementation Guide
  • V-216809 | CAT III | The Cisco multicast edge router must be configured to establish boundaries for administratively scoped multicast traffic. | Cisco IOS XR Router RTR Security Technical Implementation Guide
  • V-216811 | CAT III | The Cisco multicast Rendezvous Point (RP) router must be configured to filter Protocol Independent Multicast (PIM) Register messages received from the Designated Router (DR) for any undesirable multicast groups and sources. | Cisco IOS XR Router RTR Security Technical Implementation Guide
  • V-216812 | CAT III | The Cisco multicast Rendezvous Point (RP) router must be configured to filter Protocol Independent Multicast (PIM) Join messages received from the Designated Router (DR) for any undesirable multicast groups. | Cisco IOS XR Router RTR Security Technical Implementation Guide
  • V-221076 | CAT III | The Cisco switch must be configured to have all inactive layer 3 interfaces disabled. | Cisco NX OS Switch RTR Security Technical Implementation Guide
  • V-221088 | CAT II | The Cisco perimeter switch must be configured to enforce approved authorizations for controlling the flow of information between interconnected networks in accordance with applicable policy. | Cisco NX OS Switch RTR Security Technical Implementation Guide
  • V-221132 | CAT II | The Cisco multicast switch must be configured to disable Protocol Independent Multicast (PIM) on all interfaces that are not required to support multicast routing. | Cisco NX OS Switch RTR Security Technical Implementation Guide
  • V-221133 | CAT II | The Cisco multicast switch must be configured to bind a Protocol Independent Multicast (PIM) neighbor filter to interfaces that have PIM enabled. | Cisco NX OS Switch RTR Security Technical Implementation Guide
  • V-221134 | CAT III | The Cisco multicast edge switch must be configured to establish boundaries for administratively scoped multicast traffic. | Cisco NX OS Switch RTR Security Technical Implementation Guide
  • V-221136 | CAT III | The Cisco multicast Rendezvous Point (RP) switch must be configured to filter Protocol Independent Multicast (PIM) Register messages received from the Designated switch (DR) for any undesirable multicast groups and sources. | Cisco NX OS Switch RTR Security Technical Implementation Guide
  • V-221137 | CAT III | The Cisco multicast Rendezvous Point (RP) switch must be configured to filter Protocol Independent Multicast (PIM) Join messages received from the Designated Cisco switch (DR) for any undesirable multicast groups. | Cisco NX OS Switch RTR Security Technical Implementation Guide
  • V-234565 | CAT I | Citrix Delivery Controller must implement DoD-approved encryption. | Citrix Virtual Apps and Desktop 7.x Delivery Controller Security Technical Implementation Guide
  • V-234257 | CAT I | Citrix Linux Virtual Delivery Agent must implement DoD-approved encryption. | Citrix Virtual Apps and Desktop 7.x Linux Virtual Delivery Agent Security Technical Implementation Guide
  • V-234253 | CAT I | Citrix Windows Virtual Delivery Agent must implement DoD-approved encryption. | Citrix Virtual Apps and Desktop 7.x Windows Virtual Delivery Agent Security Technical Implementation Guide
  • V-213213 | CAT I | Citrix Windows Virtual Delivery Agent must implement DoD-approved encryption. | Citrix XenDesktop 7.x Windows VDA Security Technical Implementation Guide
  • V-233030 | CAT II | The container platform must enforce approved authorizations for controlling the flow of information between interconnected systems and services based on organization-defined information flow control policies. | Container Platform Security Requirements Guide
  • V-269857 | CAT II | The Dell OS10 multicast router must be configured to disable Protocol Independent Multicast (PIM) on all interfaces that are not required to support multicast routing. | Dell OS10 Switch Router Security Technical Implementation Guide
  • V-269858 | CAT II | The Dell OS10 multicast router must be configured to bind a Protocol Independent Multicast (PIM) neighbor filter to interfaces that have PIM enabled. | Dell OS10 Switch Router Security Technical Implementation Guide
  • V-269859 | CAT III | The Dell OS10 Router must be configured to have all inactive interfaces disabled. | Dell OS10 Switch Router Security Technical Implementation Guide
  • V-269861 | CAT I | The perimeter router must be configured to not be a Border Gateway Protocol (BGP) peer to an alternate gateway service provider. | Dell OS10 Switch Router Security Technical Implementation Guide
  • V-269863 | CAT II | The Dell OS10 out-of-band management (OOBM) gateway router must be configured to have separate Interior Gateway Protocol (IGP) instances for the managed network and management network. | Dell OS10 Switch Router Security Technical Implementation Guide
  • V-269864 | CAT II | The Dell OS10 out-of-band management (OOBM) gateway router must be configured to not redistribute routes between the management network routing domain and the managed network routing domain. | Dell OS10 Switch Router Security Technical Implementation Guide
  • V-269865 | CAT III | The Dell OS10 multicast Rendezvous Point (RP) router must be configured to filter Protocol Independent Multicast (PIM) Register messages received from the Designated Router (DR) for any undesirable multicast groups and sources. | Dell OS10 Switch Router Security Technical Implementation Guide
  • V-269866 | CAT III | The Dell OS10 multicast Rendezvous Point (RP) router must be configured to filter Protocol Independent Multicast (PIM) Join messages received from the Designated Router (DR) for any undesirable multicast groups. | Dell OS10 Switch Router Security Technical Implementation Guide
  • V-235781 | CAT II | A policy set using the built-in role-based access control (RBAC) capabilities in the Universal Control Plane (UCP) component of Docker Enterprise must be configured. | Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide
  • V-235782 | CAT II | A policy set using the built-in role-based access control (RBAC) capabilities in the Docker Trusted Registry (DTR) component of Docker Enterprise must be set. | Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide
  • V-235784 | CAT II | The Docker Enterprise hosts process namespace must not be shared. | Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide
  • V-235785 | CAT II | The Docker Enterprise hosts IPC namespace must not be shared. | Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide
  • V-214499 | CAT I | The BIG-IP AFM module must be configured to restrict or block harmful or suspicious communications traffic by controlling the flow of information between interconnected networks based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic. | F5 BIG-IP Advanced Firewall Manager Security Technical Implementation Guide
  • V-215740 | CAT I | The BIG-IP Core implementation must be configured to restrict or block harmful or suspicious communications traffic by controlling the flow of information between interconnected networks based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic. | F5 BIG-IP Local Traffic Manager Security Technical Implementation Guide
  • V-266144 | CAT I | The F5 BIG-IP appliance providing user access control intermediary services must implement attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic. | F5 BIG-IP TMOS ALG Security Technical Implementation Guide
  • V-266255 | CAT I | The F5 BIG-IP appliance must be configured to use filters that use packet headers and packet attributes, including source and destination IP addresses and ports, to prevent the flow of unauthorized or suspicious traffic between interconnected networks with different security policies, including perimeter firewalls and server VLANs. | F5 BIG-IP TMOS Firewall Security Technical Implementation Guide
  • V-266280 | CAT I | The F5 BIG-IP appliance IPsec VPN must ensure inbound and outbound traffic is configured with a security policy. | F5 BIG-IP TMOS VPN Security Technical Implementation Guide
  • V-278409 | CAT II | NGINX must separate API maintenance sessions from other network sessions within the system by logically separated communications paths. | F5 NGINX Security Technical Implementation Guide
  • V-206674 | CAT I | The firewall must be configured to use filters that use packet headers and packet attributes, including source and destination IP addresses and ports, to prevent the flow of unauthorized or suspicious traffic between interconnected networks with different security policies (including perimeter firewalls and server VLANs). | Firewall Security Requirements Guide
  • V-206675 | CAT II | The firewall must immediately use updates made to policy enforcement mechanisms such as firewall rules, security policies, and security zones. | Firewall Security Requirements Guide
  • V-234133 | CAT I | The FortiGate firewall must use filters that use packet headers and packet attributes, including source and destination IP addresses and ports. | Fortinet FortiGate Firewall Security Technical Implementation Guide
  • V-221558 | CAT II | Firewall traversal from remote host must be disabled. | Google Chrome Current Windows Security Technical Implementation Guide
  • V-65965 | CAT II | The HP FlexFabric Switch must be configured so inactive HP FlexFabric Switch interfaces are disabled. | HP FlexFabric Switch RTR Security Technical Implementation Guide
  • V-66099 | CAT II | The HP FlexFabric Switch must not redistribute static routes to alternate gateway service provider into an Exterior Gateway Protocol or Interior Gateway Protocol to the NIPRNet or to other Autonomous System. | HP FlexFabric Switch RTR Security Technical Implementation Guide
  • V-66101 | CAT I | The HP FlexFabric Switch must protect an enclave connected to an Alternate Gateway by using an inbound filter that only permits packets with destination addresses within the sites address space. | HP FlexFabric Switch RTR Security Technical Implementation Guide
  • V-66103 | CAT II | If Border Gateway Protocol (BGP) is enabled on the HP FlexFabric Switch, the HP FlexFabric Switch must not be a BGP peer with a HP FlexFabric Switch from an Autonomous System belonging to any Alternate Gateway (AG). | HP FlexFabric Switch RTR Security Technical Implementation Guide
  • V-66115 | CAT II | The HP FlexFabric Switch must enforce that Interior Gateway Protocol (IGP) instances configured on the out-of-band management gateway only peer with their own routing domain. | HP FlexFabric Switch RTR Security Technical Implementation Guide
  • V-66117 | CAT II | The HP FlexFabric Switch must enforce that the managed network domain and the management network domain are separate routing domains and the Interior Gateway Protocol (IGP) instances are not redistributed or advertised to each other. | HP FlexFabric Switch RTR Security Technical Implementation Guide
  • V-66119 | CAT II | The HP FlexFabric Switch must enforce that any interface used for out-of-band management traffic is configured to be passive for the Interior Gateway Protocol (IGP) that is utilized on that management interface. | HP FlexFabric Switch RTR Security Technical Implementation Guide
  • V-66131 | CAT II | The HP FlexFabric Switch must enforce approved authorizations for controlling the flow of information between interconnected networks in accordance with applicable policy. | HP FlexFabric Switch RTR Security Technical Implementation Guide
  • V-66135 | CAT II | The HP FlexFabric Switch must disable Protocol Independent Multicast (PIM) on all interfaces that are not required to support multicast routing. | HP FlexFabric Switch RTR Security Technical
Implementation GuideV-66137CAT IIThe HP FlexFabric Switch must bind a Protocol Independent Multicast (PIM) neighbor filter to interfaces that have PIM enabled.HP FlexFabric Switch RTR Security Technical Implementation GuideV-66139CAT IIThe HP FlexFabric Switch must establish boundaries for IPv6 Admin-Local, IPv6 Site-Local, IPv6 Organization-Local scope, and IPv4 Local-Scope multicast traffic.HP FlexFabric Switch RTR Security Technical Implementation GuideV-266992CAT IIAOS, when used as a VPN Gateway, must ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies.HPE Aruba Networking AOS VPN Security Technical Implementation GuideV-65193CAT IIThe DataPower Gateway must restrict or block harmful or suspicious communications traffic by controlling the flow of information between interconnected networks based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.IBM DataPower ALG Security Technical Implementation GuideV-34485CAT IIThe IDPS must restrict or block harmful or suspicious communications traffic between interconnected networks based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.Intrusion Detection and Prevention Systems (IDPS) Security Requirements GuideV-55317CAT IIThe IDPS must immediately use updates made to policy filters, rules, signatures, and anomaly analysis algorithms for traffic detection and prevention functions.Intrusion Detection and Prevention Systems (IDPS) Security Requirements GuideV-206865CAT IIThe IPS must restrict or block harmful or suspicious communications traffic between interconnected networks based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.Intrusion Detection and Prevention Systems Security Requirements GuideV-206866CAT IIThe IDPS must 
immediately use updates made to policy filters, rules, signatures, and anomaly analysis algorithms for traffic detection and prevention functions.Intrusion Detection and Prevention Systems Security Requirements GuideV-258583CAT IIThe ICS must be configured to ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies.Ivanti Connect Secure VPN Security Technical Implementation GuideV-251010CAT IIThe Sentry must restrict or block harmful or suspicious communications traffic by controlling the flow of information between interconnected networks based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.Ivanti MobileIron Sentry 9.x ALG Security Technical Implementation GuideV-251010CAT IIThe Sentry must restrict or block harmful or suspicious communications traffic by controlling the flow of information between interconnected networks based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.Ivanti Sentry 9.x ALG Security Technical Implementation GuideV-253983CAT IIIThe Juniper router must be configured to disable the auxiliary port unless it is connected to a secured modem providing encryption and authentication.Juniper EX Series Switches Router Security Technical Implementation GuideV-253984CAT IIThe Juniper router must be configured to enforce approved authorizations for controlling the flow of information between interconnected networks in accordance with applicable policy.Juniper EX Series Switches Router Security Technical Implementation GuideV-253985CAT IIThe Juniper router must be configured to disable Protocol Independent Multicast (PIM) on all interfaces that are not required to support multicast routing.Juniper EX Series Switches Router Security Technical Implementation GuideV-253986CAT IIThe Juniper router must be configured to bind a Protocol 
Independent Multicast (PIM) neighbor filter to interfaces that have PIM enabled.Juniper EX Series Switches Router Security Technical Implementation GuideV-253987CAT IIIThe Juniper multicast edge router must be configured to establish boundaries for administratively scoped multicast traffic.Juniper EX Series Switches Router Security Technical Implementation GuideV-253988CAT IIIThe Juniper router must be configured to have all inactive interfaces disabled.Juniper EX Series Switches Router Security Technical Implementation GuideV-253989CAT IThe Juniper perimeter router must be configured to protect an enclave connected to an alternate gateway by using an inbound filter that only permits packets with destination addresses within the site's address space.Juniper EX Series Switches Router Security Technical Implementation GuideV-253990CAT IThe Juniper perimeter router must not be configured to be a Border Gateway Protocol (BGP) peer to an alternate gateway service provider.Juniper EX Series Switches Router Security Technical Implementation GuideV-253991CAT IIIThe Juniper perimeter router must not be configured to redistribute static routes to an alternate gateway service provider into BGP or an IGP peering with the NIPRNet or to other autonomous systems.Juniper EX Series Switches Router Security Technical Implementation GuideV-253992CAT IIThe Juniper out-of-band management (OOBM) gateway router must be configured to have separate IGP instances for the managed network and management network.Juniper EX Series Switches Router Security Technical Implementation GuideV-253993CAT IIThe Juniper out-of-band management (OOBM) gateway router must not be configured to redistribute routes between the management network routing domain and the managed network routing domain.Juniper EX Series Switches Router Security Technical Implementation GuideV-253994CAT IIIThe Juniper multicast Rendezvous Point (RP) router must be configured to filter Protocol Independent Multicast (PIM) Register 
messages received from the Designated Router (DR) for any undesirable multicast groups and sources.Juniper EX Series Switches Router Security Technical Implementation GuideV-253995CAT IIIThe Juniper multicast Rendezvous Point (RP) router must be configured to filter Protocol Independent Multicast (PIM) Join messages received from the Designated Router (DR) for any undesirable multicast groups.Juniper EX Series Switches Router Security Technical Implementation GuideV-217016CAT IIIThe Juniper router must be configured to have all inactive interfaces disabled.Juniper Router RTR Security Technical Implementation GuideV-217028CAT IIIThe Juniper router must be configured to disable the auxiliary port unless it is connected to a secured modem providing encryption and authentication.Juniper Router RTR Security Technical Implementation GuideV-217030CAT IIThe Juniper perimeter router must be configured to enforce approved authorizations for controlling the flow of information between interconnected networks in accordance with applicable policy.Juniper Router RTR Security Technical Implementation GuideV-217033CAT IThe Juniper perimeter router must be configured to protect an enclave connected to an approved gateway by using an inbound filter that only permits packets with destination addresses within the site's address space.Juniper Router RTR Security Technical Implementation GuideV-217034CAT IThe Juniper perimeter router must be configured to not be a Border Gateway Protocol (BGP) peer to an approved gateway service provider.Juniper Router RTR Security Technical Implementation GuideV-217035CAT IIIThe Juniper perimeter router must be configured to not redistribute static routes to an alternate gateway service provider into BGP or an IGP peering with the NIPRNet or to other autonomous systems.Juniper Router RTR Security Technical Implementation GuideV-217046CAT IIThe Juniper out-of-band management (OOBM) gateway router must be configured to have separate IGP instances for the 
managed network and management network.Juniper Router RTR Security Technical Implementation GuideV-217047CAT IIThe Juniper out-of-band management (OOBM) gateway router must be configured to not redistribute routes between the management network routing domain and the managed network routing domain.Juniper Router RTR Security Technical Implementation GuideV-217082CAT IIThe Juniper multicast router must be configured to disable Protocol Independent Multicast (PIM) on all interfaces that are not required to support multicast routing.Juniper Router RTR Security Technical Implementation GuideV-217083CAT IIThe Juniper multicast router must be configured to bind a Protocol Independent Multicast (PIM) neighbor filter to interfaces that have PIM enabled.Juniper Router RTR Security Technical Implementation GuideV-217084CAT IIIThe Juniper multicast edge router must be configured to establish boundaries for administratively scoped multicast traffic.Juniper Router RTR Security Technical Implementation GuideV-217086CAT IIIThe Juniper multicast Rendezvous Point (RP) router must be configured to filter Protocol Independent Multicast (PIM) Register messages received from the Designated Router (DR) for any undesirable multicast groups and sources.Juniper Router RTR Security Technical Implementation GuideV-217087CAT IIIThe Juniper multicast Rendezvous Point (RP) router must be configured to filter Protocol Independent Multicast (PIM) Join messages received from the Designated Juniper router (DR) for any undesirable multicast groups.Juniper Router RTR Security Technical Implementation GuideV-66385CAT IIThe Juniper Networks SRX Series Gateway IDPS must restrict or block harmful or suspicious communications traffic between interconnected networks based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.Juniper SRX SG IDPS Security Technical Implementation GuideV-66385CAT IIThe Juniper Networks SRX Series Gateway 
IDPS must restrict or block harmful or suspicious communications traffic between interconnected networks based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.Juniper SRX SG IDPS Security Technical Implementation GuideV-66651CAT IIThe Juniper SRX Services Gateway VPN must ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies.Juniper SRX SG VPN Security Technical Implementation GuideV-214612CAT IIThe Juniper Networks SRX Series Gateway IDPS must restrict or block harmful or suspicious communications traffic between interconnected networks based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.Juniper SRX Services Gateway IDPS Security Technical Implementation GuideV-214676CAT IIThe Juniper SRX Services Gateway VPN must ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies.Juniper SRX Services Gateway VPN Security Technical Implementation GuideV-235719CAT IIIUser control of proxy settings must be disabled.Microsoft Edge Security Technical Implementation GuideV-223021CAT IIAccessing data sources across domains must be disallowed (Internet zone).Microsoft Internet Explorer 11 Security Technical Implementation GuideV-223024CAT IINavigating windows and frames across different domains must be disallowed (Internet zone).Microsoft Internet Explorer 11 Security Technical Implementation GuideV-223032CAT IIDragging of content from different domains within a window must be disallowed (Internet zone).Microsoft Internet Explorer 11 Security Technical Implementation GuideV-223033CAT IIDragging of content from different domains across windows must be disallowed (Restricted Sites zone).Microsoft Internet Explorer 11 Security Technical Implementation GuideV-223036CAT IIDragging of content 
from different domains within a window must be disallowed (Restricted Sites zone).Microsoft Internet Explorer 11 Security Technical Implementation GuideV-223062CAT IIAccessing data sources across domains must be disallowed (Restricted Sites zone).Microsoft Internet Explorer 11 Security Technical Implementation GuideV-223066CAT IINavigating windows and frames across different domains must be disallowed (Restricted Sites zone).Microsoft Internet Explorer 11 Security Technical Implementation GuideV-223097CAT IIWebsites in less privileged web content zones must be prevented from navigating into the Internet zone.Microsoft Internet Explorer 11 Security Technical Implementation GuideV-223098CAT IIWebsites in less privileged web content zones must be prevented from navigating into the Restricted Sites zone.Microsoft Internet Explorer 11 Security Technical Implementation GuideV-223149CAT IIDragging of content from different domains across windows must be disallowed (Internet zone).Microsoft Internet Explorer 11 Security Technical Implementation GuideV-241989CAT IIWindows Defender Firewall with Advanced Security must be enabled when connected to a domain.Microsoft Windows Defender Firewall with Advanced Security Security Technical Implementation Guide