STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

CCI-001453

Definition

Implement cryptographic mechanisms to protect the integrity of remote access sessions.

Parent Control

AC-17 (2) | Remote Access | Access Control

Linked STIG Checks (200)

  • V-279031 | CAT II | The ColdFusion built-in Tomcat Web Server must use FIPS-validated ciphers on secured connectors. | Adobe ColdFusion Security Technical Implementation Guide
  • V-274042 | CAT I | Amazon Linux 2023 server must be configured to use only DOD-approved encryption ciphers employing FIPS 140-2/140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH server connections. | Amazon Linux 2023 Security Technical Implementation Guide
  • V-274043 | CAT I | Amazon Linux 2023 SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2/140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH server connections. | Amazon Linux 2023 Security Technical Implementation Guide
  • V-283442 | CAT I | The Amazon Linux 2023 SSH client must be configured to use only DOD-approved encryption ciphers employing FIPS 140-3-validated cryptographic hash algorithms to protect the confidentiality of SSH client connections. | Amazon Linux 2023 Security Technical Implementation Guide
  • V-283443 | CAT I | The Amazon Linux 2023 SSH client must be configured to use only DOD-approved Message Authentication Codes (MACs) employing FIPS 140-3-validated cryptographic hash algorithms to protect the confidentiality of SSH client connections. | Amazon Linux 2023 Security Technical Implementation Guide
  • V-268089 | CAT I | NixOS must implement DOD-approved encryption to protect the confidentiality of remote access sessions. | Anduril NixOS Security Technical Implementation Guide
  • V-214230 | CAT II | The Apache web server must use cryptography to protect the integrity of remote sessions. | Apache Server 2.4 UNIX Server Security Technical Implementation Guide
  • V-214278 | CAT II | The Apache web server must use encryption strength in accordance with the categorization of data hosted by the Apache web server when remote connections are provided. | Apache Server 2.4 UNIX Site Security Technical Implementation Guide
  • V-214308 | CAT II | The Apache web server must use encryption strength in accordance with the categorization of data hosted by the Apache web server when remote connections are provided. | Apache Server 2.4 Windows Server Security Technical Implementation Guide
  • V-222928 | CAT III | HTTP Strict Transport Security (HSTS) must be enabled. | Apache Tomcat Application Server 9 Security Technical Implementation Guide
  • V-257773 | CAT I | The macOS system must implement approved ciphers within the SSH client configuration to protect the confidentiality of SSH connections. | Apple macOS 12 (Monterey) Security Technical Implementation Guide
  • V-257774 | CAT I | The macOS system must implement approved Message Authentication Codes (MACs) within the SSH client configuration. | Apple macOS 12 (Monterey) Security Technical Implementation Guide
  • V-257775 | CAT I | The macOS system must implement approved Key Exchange Algorithms within the SSH client configuration. | Apple macOS 12 (Monterey) Security Technical Implementation Guide
  • V-257165 | CAT I | The macOS system must implement approved ciphers within the SSH server configuration to protect the confidentiality of SSH connections. | Apple macOS 13 (Ventura) Security Technical Implementation Guide
  • V-257166 | CAT I | The macOS system must implement approved Message Authentication Codes (MACs) within the SSH server configuration. | Apple macOS 13 (Ventura) Security Technical Implementation Guide
  • V-257167 | CAT I | The macOS system must implement approved Key Exchange Algorithms within the SSH server configuration. | Apple macOS 13 (Ventura) Security Technical Implementation Guide
  • V-257293 | CAT I | The macOS system must implement approved ciphers within the SSH client configuration to protect the confidentiality of SSH connections. | Apple macOS 13 (Ventura) Security Technical Implementation Guide
  • V-257294 | CAT I | The macOS system must implement approved Message Authentication Codes (MACs) within the SSH client configuration. | Apple macOS 13 (Ventura) Security Technical Implementation Guide
  • V-257295 | CAT I | The macOS system must implement approved Key Exchange Algorithms within the SSH client configuration. | Apple macOS 13 (Ventura) Security Technical Implementation Guide
  • V-268438 | CAT I | The macOS system must limit SSHD to FIPS-compliant connections. | Apple macOS 15 (Sequoia) Security Technical Implementation Guide
  • V-268439 | CAT I | The macOS system must limit SSH to FIPS-compliant connections. | Apple macOS 15 (Sequoia) Security Technical Implementation Guide
  • V-277046 | CAT I | The macOS system must limit SSHD to FIPS-compliant connections. | Apple macOS 26 (Tahoe) Security Technical Implementation Guide
  • V-277047 | CAT I | The macOS system must limit SSH to FIPS-compliant connections. | Apple macOS 26 (Tahoe) Security Technical Implementation Guide
  • V-204927 | CAT II | The ALG providing intermediary services for remote access communications traffic must use NIST FIPS-validated cryptography to protect the integrity of remote access sessions. | Application Layer Gateway Security Requirements Guide
  • V-222397 | CAT II | The application must implement cryptographic mechanisms to protect the integrity of remote access sessions. | Application Security and Development Security Technical Implementation Guide
  • V-222398 | CAT II | Applications with SOAP messages requiring integrity must include the following message elements: -Message ID -Service Request -Timestamp -SAML Assertion (optionally included in messages) and all elements of the message must be digitally signed. | Application Security and Development Security Technical Implementation Guide
  • V-204710 | CAT II | The application server must implement cryptography mechanisms to protect the integrity of the remote access session. | Application Server Security Requirements Guide
  • V-237320 | CAT I | The ArcGIS Server must protect the integrity of remote access sessions by enabling HTTPS with DoD-approved certificates. | ArcGIS for Server 10.3 Security Technical Implementation Guide
  • V-272629 | CAT I | CylanceON-PREM must be configured to use TLS 1.2 or higher. | Arctic Wolf CylanceON-PREM Security Technical Implementation Guide
  • V-256841 | CAT I | Compliance Guardian must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access. | AvePoint Compliance Guardian Security Technical Implementation Guide
  • V-79039 | CAT II | If the BlackBerry Connect service is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to enable SSL support for BlackBerry Proxy and use only DoD approved certificates. | BlackBerry Enterprise Mobility Server 2.x Security Technical Implementation Guide
  • V-79045 | CAT I | If the BlackBerry Docs service is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to use SSL for LDAP lookup to connect to the Office Web App Server (e.g., SharePoint). | BlackBerry Enterprise Mobility Server 2.x Security Technical Implementation Guide
  • V-254724 | CAT II | If the BlackBerry Connect service is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to enable SSL support for BlackBerry Proxy and use only DOD approved certificates. | BlackBerry Enterprise Mobility Server 3.x Security Technical Implementation Guide
  • V-254727 | CAT I | If the BlackBerry Docs service is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to use SSL for LDAP lookup to connect to the Office Web App Server (e.g., SharePoint). | BlackBerry Enterprise Mobility Server 3.x Security Technical Implementation Guide
  • V-237352 | CAT II | The CA API Gateway providing intermediary services for remote access communications traffic must use NIST FIPS-validated cryptography to protect the integrity of remote access sessions. | CA API Gateway ALG Security Technical Implementation Guide
  • V-219312 | CAT II | The Ubuntu operating system must configure the SSH daemon to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms to protect the integrity of nonlocal maintenance and diagnostic communications. | Canonical Ubuntu 18.04 LTS Security Technical Implementation Guide
  • V-238216 | CAT II | The Ubuntu operating system must configure the SSH daemon to use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hashes to prevent the unauthorized disclosure of information and/or detect changes to information during transmission. | Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide
  • V-260532 | CAT II | Ubuntu 22.04 LTS must configure the SSH daemon to use Message Authentication Codes (MACs) employing FIPS 140-3-approved cryptographic hashes to prevent the unauthorized disclosure of information and/or detect changes to information during transmission. | Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide
  • V-270668 | CAT II | Ubuntu 24.04 LTS must configure the SSH daemon to use Message Authentication Codes (MACs) employing FIPS 140-3 approved cryptographic hashes to prevent the unauthorized disclosure of information and/or detect changes to information during transmission. | Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide
  • V-270670 | CAT II | Ubuntu 24.04 LTS must configure the SSH client to use FIPS 140-3 approved ciphers to prevent the unauthorized disclosure of information and/or detect changes to information during transmission. | Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide
  • V-270671 | CAT II | Ubuntu 24.04 LTS SSH client must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms. | Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide
  • V-239976 | CAT II | The Cisco ASA remote access VPN server must be configured to use a FIPS-validated algorithm and hash function to protect the integrity of TLS remote access sessions. | Cisco ASA VPN Security Technical Implementation Guide
  • V-239978 | CAT II | The Cisco ASA remote access VPN server must be configured to use SHA-2 at 384 bits or greater for hashing to protect the integrity of IPsec remote access sessions. | Cisco ASA VPN Security Technical Implementation Guide
  • V-234565 | CAT I | Citrix Delivery Controller must implement DoD-approved encryption. | Citrix Virtual Apps and Desktop 7.x Delivery Controller Security Technical Implementation Guide
  • V-234257 | CAT I | Citrix Linux Virtual Delivery Agent must implement DoD-approved encryption. | Citrix Virtual Apps and Desktop 7.x Linux Virtual Delivery Agent Security Technical Implementation Guide
  • V-234253 | CAT I | Citrix Windows Virtual Delivery Agent must implement DoD-approved encryption. | Citrix Virtual Apps and Desktop 7.x Windows Virtual Delivery Agent Security Technical Implementation Guide
  • V-213208 | CAT I | Citrix Receiver must implement DoD-approved encryption. | Citrix XenDesktop 7.x Receiver Security Technical Implementation Guide
  • V-213213 | CAT I | Citrix Windows Virtual Delivery Agent must implement DoD-approved encryption. | Citrix XenDesktop 7.x Windows VDA Security Technical Implementation Guide
  • V-269113 | CAT I | AlmaLinux OS 9 SSH client must be configured to use only encryption ciphers employing FIPS 140-3-validated cryptographic hash algorithms to protect the confidentiality of SSH client connections. | Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
  • V-269115 | CAT I | AlmaLinux OS 9 SSH client must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-3-validated cryptographic hash algorithms. | Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
  • V-269116 | CAT I | The AlmaLinux 9 SSH server must be configured to use only DOD-approved encryption ciphers employing FIPS 140-3-validated cryptographic hash algorithms to protect the confidentiality of SSH server connections. | Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
  • V-269118 | CAT II | AlmaLinux OS 9 must implement DOD-approved systemwide cryptographic policies to protect the confidentiality of SSH server connections. | Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
  • V-269119 | CAT I | The AlmaLinux OS 9 SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-3-validated cryptographic hash algorithms to protect the confidentiality of SSH server connections. | Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
  • V-283675 | CAT I | AlmaLinux OS 9 must implement DOD-approved encryption ciphers to protect the confidentiality of SSH connections. | Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
  • V-283676 | CAT I | AlmaLinux OS 9 must implement DOD-approved encryption in the OpenSSL package. | Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
  • V-233276 | CAT II | The container platform must prohibit communication using TLS versions 1.0 and 1.1, and SSL 2.0 and 3.0. | Container Platform Security Requirements Guide
  • V-235777 | CAT I | FIPS mode must be enabled on all Docker Engine - Enterprise nodes. | Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide
  • V-235874 | CAT II | Docker Enterprise Universal Control Plane (UCP) must be configured to use TLS 1.2. | Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide
  • V-279958 | CAT II | The DNS implementation must be conformant to the IETF DNS specification. | Domain Name System (DNS) Security Requirements Guide
  • V-259986 | CAT I | The Enterprise Voice, Video, and Messaging Endpoint must prohibit client negotiation to TLS 1.1, TLS 1.0, SSL 2.0, or SSL 3.0. | Enterprise Voice, Video, and Messaging Endpoint Security Requirements Guide
  • V-260046 | CAT I | The Enterprise Voice, Video, and Messaging Session Manager must be configured to use only TLS 1.2 or greater for all TLS and SSL communications. | Enterprise Voice, Video, and Messaging Session Management Security Requirements Guide
  • V-215748 | CAT II | The BIG-IP Core implementation must be configured to use NIST SP 800-52 Revision 1 compliant cryptography to protect the integrity of remote access sessions to virtual servers. | F5 BIG-IP Local Traffic Manager Security Technical Implementation Guide
  • V-266139 | CAT I | The F5 BIG-IP appliance providing intermediary services for remote access must use FIPS-validated cryptographic algorithms, including TLS 1.2 at a minimum. | F5 BIG-IP TMOS ALG Security Technical Implementation Guide
  • V-278381 | CAT I | NGINX must use TLS 1.2, at a minimum, to protect data confidentiality using remote access. | F5 NGINX Security Technical Implementation Guide
  • V-203669 | CAT I | The operating system must implement cryptography to protect the integrity of remote access sessions. | General Purpose Operating System Security Requirements Guide
  • V-255239 | CAT II | SSMC must employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions. | HPE 3PAR SSMC Operating System Security Technical Implementation Guide
  • V-255251 | CAT I | The SSMC web server must use cryptographic modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication. | HPE 3PAR SSMC Web Server Security Technical Implementation Guide
  • V-255254 | CAT I | SSMC web server must use cryptography to protect the integrity of remote sessions. | HPE 3PAR SSMC Web Server Security Technical Implementation Guide
  • V-237818 | CAT I | DoD-approved encryption must be implemented to protect the confidentiality and integrity of remote access sessions, information during preparation for transmission, information during reception, and information during transmission in addition to enforcing replay-resistant authentication mechanisms for network access to privileged accounts. | HPE 3PAR StoreServ 3.2.x Security Technical Implementation Guide
  • V-255272 | CAT I | The HPE 3PAR OS must be configured to restrict the encryption algorithms and protocols to comply with DOD-approved encryption to protect the confidentiality and integrity of remote access sessions. | HPE 3PAR StoreServ 3.3.x Security Technical Implementation Guide
  • V-266983 | CAT II | AOS, when used as a VPN Gateway, must be configured to use IPsec with SHA-2 at 384 bits or greater for hashing to protect the integrity of remote access sessions. | HPE Aruba Networking AOS VPN Security Technical Implementation Guide
  • V-266557 | CAT II | AOS must use Transport Layer Security (TLS) 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access. | HPE Aruba Networking AOS Wireless Security Technical Implementation Guide
  • V-215214 | CAT II | If LDAP authentication is required on AIX, SSL must be used between LDAP clients and the LDAP servers to protect the integrity of remote access sessions. | IBM AIX 7.x Security Technical Implementation Guide
  • V-252570 | CAT I | The IBM Aspera Console must be configured to use NIST FIPS-validated cryptography to protect the integrity of file transfers. | IBM Aspera Platform 4.2 Security Technical Implementation Guide
  • V-252590 | CAT I | IBM Aspera Faspex must be configured to use NIST FIPS-validated cryptography to protect the integrity of file transfers. | IBM Aspera Platform 4.2 Security Technical Implementation Guide
  • V-252607 | CAT I | IBM Aspera Shares feature must be configured to use NIST FIPS-validated cryptography to protect the integrity of file transfers. | IBM Aspera Platform 4.2 Security Technical Implementation Guide
  • V-252616 | CAT I | The IBM Aspera High-Speed Transfer Endpoint must be configured to use NIST FIPS-validated cryptography to protect the integrity of remote access sessions. | IBM Aspera Platform 4.2 Security Technical Implementation Guide
  • V-252619 | CAT II | The IBM Aspera High-Speed Transfer Endpoint must have a master-key set to encrypt the dynamic token encryption key. | IBM Aspera Platform 4.2 Security Technical Implementation Guide
  • V-252630 | CAT I | The IBM Aspera High-Speed Transfer Server must be configured to use NIST FIPS-validated cryptography to protect the integrity of remote access sessions. | IBM Aspera Platform 4.2 Security Technical Implementation Guide
  • V-252635 | CAT II | The IBM Aspera High-Speed Transfer Server must have a master-key set to encrypt the dynamic token encryption key. | IBM Aspera Platform 4.2 Security Technical Implementation Guide
  • V-65207 | CAT II | The DataPower Gateway providing intermediary services for remote access communications traffic must use NIST FIPS-validated cryptography to protect the integrity of remote access sessions. | IBM DataPower ALG Security Technical Implementation Guide
  • V-24373 | CAT II | Hardware Management Console management must be accomplished by using the out-of-band or direct connection method. | IBM Hardware Management Console (HMC) STIG
  • V-256888 | CAT II | Hardware Management Console management must be accomplished by using the out-of-band or direct connection method. | IBM Hardware Management Console (HMC) Security Technical Implementation Guide
  • V-255776 | CAT II | The MQ Appliance messaging server must implement cryptography mechanisms to protect the integrity of the remote access session. | IBM MQ Appliance V9.0 AS Security Technical Implementation Guide
  • V-250324 | CAT II | Security cookies must be set to HTTPOnly. | IBM WebSphere Liberty Server Security Technical Implementation Guide
  • V-255832 | CAT II | The WebSphere Application Server security cookies must be set to HTTPOnly. | IBM WebSphere Traditional V9.x Security Technical Implementation Guide
  • V-223589 | CAT I | IBM z/OS SSH daemon must be configured to use a FIPS 140-2 compliant cryptographic algorithm. | IBM z/OS ACF2 Security Technical Implementation Guide
  • V-223610 | CAT II | IBM z/OS SSL encryption options for the TN3270 Telnet Server must be specified properly for each statement that defines a SECUREPORT or within the TELNETGLOBALS. | IBM z/OS ACF2 Security Technical Implementation Guide
  • V-223807 | CAT I | The IBM RACF SSH daemon must be configured to use a FIPS 140-2 compliant cryptographic algorithm to protect confidential information and remote access sessions. | IBM z/OS RACF Security Technical Implementation Guide
  • V-223831 | CAT II | IBM z/OS SSL encryption options for the TN3270 Telnet Server must be specified properly for each statement that defines a SECUREPORT or within the TELNETGLOBALS. | IBM z/OS RACF Security Technical Implementation Guide
  • V-224044 | CAT I | The SSH daemon must be configured to use a FIPS 140-2 compliant cryptographic algorithm. | IBM z/OS TSS Security Technical Implementation Guide
  • V-224067 | CAT II | IBM z/OS SSL encryption options for the TN3270 Telnet server must be specified properly for each statement that defines a SECUREPORT or within the TELNETGLOBALS. | IBM z/OS TSS Security Technical Implementation Guide
  • V-237906 | CAT II | The IBM z/VM TCP/IP configuration must include an SSLSERVERID statement. | IBM zVM Using CA VM:Secure Security Technical Implementation Guide
  • V-224776 | CAT II | If cipher suites using pre-shared keys are used for device authentication, the ISEC7 SPHERE must have a minimum security strength of 112 bits or higher, must only be used in networks where both the client and server are government systems, must prohibit client negotiation to TLS 1.1, TLS 1.0, SSL 2.0, or SSL 3.0 and must prohibit or restrict the use of protocols that transmit unencrypted authentication information or use flawed cryptographic algorithm for transmission. | ISEC7 Sphere Security Technical Implementation Guide
  • V-258586 | CAT I | The ICS must be configured to use TLS 1.2, at a minimum. | Ivanti Connect Secure VPN Security Technical Implementation Guide
  • V-251014 | CAT II | The Sentry providing intermediary services for remote access communications traffic must use NIST FIPS-validated cryptography to protect the integrity of remote access sessions. | Ivanti MobileIron Sentry 9.x ALG Security Technical Implementation Guide
  • V-251014 | CAT II | The Sentry providing intermediary services for remote access communications traffic must use NIST FIPS-validated cryptography to protect the integrity of remote access sessions. | Ivanti Sentry 9.x ALG Security Technical Implementation Guide
  • V-213495 | CAT II | HTTPS must be enabled for JBoss web interfaces. | JBoss Enterprise Application Platform 6.3 Security Technical Implementation Guide
  • V-66649 | CAT II | The Juniper SRX Services Gateway VPN must be configured to use IPsec with SHA1 or greater to negotiate hashing to protect the integrity of remote access sessions. | Juniper SRX SG VPN Security Technical Implementation Guide
  • V-214675 | CAT II | The Juniper SRX Services Gateway VPN must be configured to use IPsec with SHA256 or greater to negotiate hashing to protect the integrity of remote access sessions. | Juniper SRX Services Gateway VPN Security Technical Implementation Guide
  • V-220851 | CAT II | The Remote Desktop Session Host must require secure RPC communications. | Microsoft Windows 10 Security Technical Implementation Guide
  • V-253405 | CAT II | The Remote Desktop Session Host must require secure RPC communications. | Microsoft Windows 11 Security Technical Implementation Guide
  • V-224947 | CAT II | The Remote Desktop Session Host must require secure Remote Procedure Call (RPC) communications. | Microsoft Windows Server 2016 Security Technical Implementation Guide
  • V-224948 | CAT II | Remote Desktop Services must be configured with the client connection encryption set to High Level. | Microsoft Windows Server 2016 Security Technical Implementation Guide
  • V-205636 | CAT II | Windows Server 2019 Remote Desktop Services must require secure Remote Procedure Call (RPC) communications. | Microsoft Windows Server 2019 Security Technical Implementation Guide
  • V-205637 | CAT II | Windows Server 2019 Remote Desktop Services must be configured with the client connection encryption set to High Level. | Microsoft Windows Server 2019 Security Technical Implementation Guide
  • V-254368 | CAT II | Windows Server 2022 Remote Desktop Services must require secure Remote Procedure Call (RPC) communications. | Microsoft Windows Server 2022 Security Technical Implementation Guide
  • V-254369 | CAT II | Windows Server 2022 Remote Desktop Services must be configured with the client connection encryption set to High Level. | Microsoft Windows Server 2022 Security Technical Implementation Guide
  • V-278115 | CAT II | Windows Server 2025 Remote Desktop Services must require secure Remote Procedure Call (RPC) communications. | Microsoft Windows Server 2025 Security Technical Implementation Guide
  • V-278116 | CAT II | Windows Server 2025 Remote Desktop Services must be configured with the client connection encryption set to High Level. | Microsoft Windows Server 2025 Security Technical Implementation Guide
  • V-251546 | CAT I | Firefox must be configured to allow only TLS 1.2 or above. | Mozilla Firefox Security Technical Implementation Guide
  • V-243209 | CAT II | WLAN components must be Wi-Fi Alliance certified with WPA2 or WPA3. | Network WLAN AP-IG Platform Security Technical Implementation Guide
  • V-243212 | CAT II | The WLAN access point must be configured for Wi-Fi Alliance WPA2 or WPA3 security. | Network WLAN AP-IG Platform Security Technical Implementation Guide
  • V-243219 | CAT II | WLAN components must be Wi-Fi Alliance certified with WPA2 or WPA3. | Network WLAN AP-NIPR Platform Security Technical Implementation Guide
  • V-243228 | CAT II | WLAN components must be Wi-Fi Alliance certified with WPA2 or WPA3. | Network WLAN Bridge Platform Security Technical Implementation Guide
  • V-254099 | CAT I | Nutanix AOS must implement cryptography mechanisms to protect the confidentiality and integrity of the remote access session. | Nutanix AOS 5.20.x Application Security Technical Implementation Guide
  • V-254125 | CAT I | Nutanix AOS must implement DoD-approved encryption to protect the confidentiality of remote access sessions. | Nutanix AOS 5.20.x OS Security Technical Implementation Guide
  • V-279418 | CAT II | Nutanix AOS must have TLS enabled. | Nutanix Acropolis Application Server Security Technical Implementation Guide
  • V-279534 | CAT I | Nutanix OS must implement cryptography to protect the integrity of remote access sessions by using only HMACs employing FIPS 140-3-approved algorithms. | Nutanix Acropolis GPOS Security Technical Implementation Guide
  • V-279535 | CAT I | Nutanix OS must implement cryptography to protect the integrity of remote access session by setting the systemwide policy to use FIPS mode. | Nutanix Acropolis GPOS Security Technical Implementation Guide
  • V-279536 | CAT I | Nutanix OS must implement TLS to protect the integrity and confidentiality of remote access and nonlocal maintenance and diagnostic sessions. | Nutanix Acropolis GPOS Security Technical Implementation Guide
  • V-279537 | CAT I | Nutanix OS must implement cryptography to protect the integrity of remote access sessions. | Nutanix Acropolis GPOS Security Technical Implementation Guide
  • V-279538 | CAT I | Nutanix OS must implement cryptography to protect the integrity and confidentiality of remote access and nonlocal maintenance and diagnostic sessions. | Nutanix Acropolis GPOS Security Technical Implementation Guide
  • V-221281 | CAT I | OHS must have the LoadModule ossl_module directive enabled to protect the integrity of remote sessions in accordance with the categorization of data hosted by the web server. | Oracle HTTP Server 12.1.3 Security Technical Implementation Guide
  • V-221282 | CAT I | OHS must have the SSLFIPS directive enabled to protect the integrity of remote sessions in accordance with the categorization of data hosted by the web server. | Oracle HTTP Server 12.1.3 Security Technical Implementation Guide
  • V-221283 | CAT I | OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to protect the integrity of remote sessions in accordance with the categorization of data hosted by the web server. | Oracle HTTP Server 12.1.3 Security Technical Implementation Guide
  • V-221284 | CAT I | OHS must have the SSLCipherSuite directive enabled to protect the integrity of remote sessions in accordance with the categorization of data hosted by the web server. | Oracle HTTP Server 12.1.3 Security Technical Implementation Guide
  • V-221285 | CAT II | OHS must have the SecureProxy directive enabled to protect the integrity of remote sessions when integrated with WebLogic in accordance with the categorization of data hosted by the web server. | Oracle HTTP Server 12.1.3 Security Technical Implementation Guide
  • V-221286 | CAT II | OHS must have the WLSSLWallet directive enabled to protect the integrity of remote sessions when integrated with WebLogic in accordance with the categorization of data hosted by the web server. | Oracle HTTP Server 12.1.3 Security Technical Implementation Guide
  • V-221287 | CAT II | OHS must have the WebLogicSSLVersion directive enabled to protect the integrity of remote sessions when integrated with WebLogic in accordance with the categorization of data hosted by the web server. | Oracle HTTP Server 12.1.3 Security Technical Implementation Guide
  • V-221288 | CAT II | OHS must have the WLProxySSL directive enabled to protect the integrity of remote sessions when integrated with WebLogic in accordance with the categorization of data hosted by the web server. | Oracle HTTP Server 12.1.3 Security Technical Implementation Guide
  • V-221843 | CAT II | The Oracle Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) authentication communications. | Oracle Linux 7 Security Technical Implementation Guide
  • V-221844 | CAT II | The Oracle Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications. | Oracle Linux 7 Security Technical Implementation Guide
  • V-221845 | CAT II | The Oracle Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications. | Oracle Linux 7 Security Technical Implementation Guide
  • V-221857 | CAT II | The Oracle Linux operating system must be configured so that the SSH daemon is configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms. | Oracle Linux 7 Security Technical Implementation Guide
  • V-255899 | CAT II | The Oracle Linux operating system SSH server must be configured to use only FIPS-validated key exchange algorithms. | Oracle Linux 7 Security Technical Implementation Guide
  • V-248524 | CAT I | OL 8 must implement NIST FIPS-validated cryptography for the following: To provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. | Oracle Linux 8 Security Technical Implementation Guide
  • V-283448 | CAT I | The OL 8 SSH client must be configured to use only DOD-approved encryption ciphers employing FIPS 140-3-validated cryptographic hash algorithms to protect the confidentiality of SSH client connections. | Oracle Linux 8 Security Technical Implementation Guide
  • V-283449 | CAT I | The OL 8 SSH client must be configured to use only DOD-approved Message Authentication Codes (MACs) employing FIPS 140-3-validated cryptographic hash algorithms to protect the confidentiality of SSH client connections. | Oracle Linux 8 Security Technical Implementation Guide
  • V-283457 | CAT I | The OL 8 SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH server connections. | Oracle Linux 8 Security Technical Implementation Guide
  • V-283458 | CAT I | The OL 8 SSH server must be configured to use only DOD-approved encryption ciphers employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH server connections. | Oracle Linux 8 Security Technical Implementation Guide
  • V-271485 | CAT I | OL 9 SSH server must be configured to use only ciphers employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH server connections. | Oracle Linux 9 Security Technical Implementation Guide
  • V-271486 | CAT I | OL 9 SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH server connections. | Oracle Linux 9 Security Technical Implementation Guide
  • V-271489 | CAT I | OL 9 SSH client must be configured to use only DOD-approved encryption ciphers employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH client connections. | Oracle Linux 9 Security Technical Implementation Guide
  • V-271490 | CAT I | OL 9 SSH client must be configured to use only DOD-approved Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH client connections. | Oracle Linux 9 Security Technical Implementation Guide
  • V-235929 | CAT II | Oracle WebLogic must use cryptography to protect the integrity of the remote access session. | Oracle WebLogic Server 12c Security Technical Implementation Guide
  • V-228835 | CAT II | The Palo Alto Networks security platform, if used as a TLS gateway/decryption point or VPN concentrator, must use NIST FIPS-validated cryptography to protect the integrity of remote access sessions. | Palo Alto Networks ALG Security Technical Implementation Guide
  • V-254553 | CAT I | Rancher RKE2 must protect authenticity of communications sessions with the use of FIPS-validated 140-2 or 140-3 security requirements for cryptographic modules. | Rancher Government Solutions RKE2 Security Technical Implementation Guide
  • V-281009 | CAT I | RHEL 10 must enable FIPS mode. | Red Hat Enterprise Linux 10 Security Technical Implementation Guide
  • V-281010 | CAT I | RHEL 10 must be configured so that Secure Shell (SSH) clients use only DOD-approved encryption ciphers employing FIPS 140-3-validated cryptographic hash algorithms to protect the confidentiality of SSH client connections. | Red Hat Enterprise Linux 10 Security Technical Implementation Guide
  • V-281011 | CAT I | RHEL 10 must be configured so that Secure Shell (SSH) servers use only DOD-approved encryption ciphers employing FIPS 140-3-validated cryptographic hash algorithms to protect the confidentiality of SSH server connections. | Red Hat Enterprise Linux 10 Security Technical Implementation Guide
  • V-281012 | CAT I | RHEL 10 must be configured so that Secure Shell (SSH) clients use only DOD-approved Message Authentication Codes (MACs) employing FIPS 140-3-validated cryptographic hash algorithms to protect the confidentiality of SSH client connections. | Red Hat Enterprise Linux 10 Security Technical Implementation Guide
  • V-281013 | CAT I | RHEL 10 must be configured so that Secure Shell (SSH) servers use only DOD-approved Message Authentication Codes (MACs) employing FIPS 140-3-validated cryptographic hash algorithms to protect the confidentiality of SSH server connections. | Red Hat Enterprise Linux 10 Security Technical
Implementation GuideV-204581CAT IIThe Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) authentication communications.Red Hat Enterprise Linux 7 Security Technical Implementation GuideV-204582CAT IIThe Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications.Red Hat Enterprise Linux 7 Security Technical Implementation GuideV-204583CAT IIThe Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications.Red Hat Enterprise Linux 7 Security Technical Implementation GuideV-204595CAT IIThe Red Hat Enterprise Linux operating system must be configured so that the SSH daemon is configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.Red Hat Enterprise Linux 7 Security Technical Implementation GuideV-255925CAT IIThe Red Hat Enterprise Linux operating system SSH server must be configured to use only FIPS-validated key exchange algorithms.Red Hat Enterprise Linux 7 Security Technical Implementation GuideV-230251CAT IThe RHEL 8 SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-3-validated cryptographic hash algorithms to protect the confidentiality of SSH server connections.Red Hat Enterprise Linux 8 Security Technical Implementation GuideV-230252CAT IThe RHEL 8 SSH server must be configured to use only DOD-approved encryption ciphers employing FIPS 140-3-validated cryptographic hash algorithms to protect the confidentiality of SSH server connections.Red Hat Enterprise Linux 8 Security Technical Implementation GuideV-272482CAT IThe RHEL 8 SSH client must be configured to use only DOD-approved Message Authentication Codes (MACs) employing FIPS 140-3-validated cryptographic hash 
algorithms to protect the confidentiality of SSH client connections.Red Hat Enterprise Linux 8 Security Technical Implementation GuideV-272483CAT IThe RHEL 8 SSH client must be configured to use only DOD-approved encryption ciphers employing FIPS 140-3-validated cryptographic hash algorithms to protect the confidentiality of SSH client connections.Red Hat Enterprise Linux 8 Security Technical Implementation GuideV-257989CAT IThe RHEL 9 SSH server must be configured to use only DOD-approved encryption ciphers employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH server connections.Red Hat Enterprise Linux 9 Security Technical Implementation GuideV-257991CAT IThe RHEL 9 SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH server connections.Red Hat Enterprise Linux 9 Security Technical Implementation GuideV-270177CAT IThe RHEL 9 SSH client must be configured to use only DOD-approved encryption ciphers employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH client connections.Red Hat Enterprise Linux 9 Security Technical Implementation GuideV-270178CAT IThe RHEL 9 SSH client must be configured to use only DOD-approved Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH client connections.Red Hat Enterprise Linux 9 Security Technical Implementation GuideV-257506CAT IIOpenShift must use TLS 1.2 or greater for secure communication.Red Hat OpenShift Container Platform 4.x Security Technical Implementation GuideV-275625CAT IUbuntu OS must configure the SSH daemon to use Message Authentication Codes (MACs) employing FIPS 140-2/140-3 -approved cryptographic hashes to prevent the unauthorized disclosure of information and/or detect changes to information during transmission.Riverbed 
NetIM OS Security Technical Implementation GuideV-238503CAT IIThe Riverbed Optimization System (RiOS) providing intermediary services for remote access communications traffic must use NIST FIPS-validated cryptography to protect the integrity of remote access sessions.Riverbed SteelHead CX v8 ALG Security Technical Implementation GuideV-255914CAT IIThe SUSE operating system SSH server must be configured to use only FIPS-validated key exchange algorithms.SLES 12 Security Technical Implementation GuideV-254087CAT IInnoslate must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access.SPEC Innovations Innoslate 4.x Security Technical Implementation GuideV-261334CAT ISLEM 5 must implement DOD-approved encryption to protect the confidentiality of SSH remote connections.SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation GuideV-261336CAT ISLEM 5 SSH server must be configured to use only FIPS 140-2/140-3 validated key exchange algorithms.SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation GuideV-217271CAT IIThe SUSE operating system SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.SUSE Linux Enterprise Server 12 Security Technical Implementation GuideV-255914CAT IIThe SUSE operating system SSH server must be configured to use only FIPS-validated key exchange algorithms.SUSE Linux Enterprise Server 12 Security Technical Implementation GuideV-22448CAT IIThe SNMP service must require the use of a FIPS 140-2 approved cryptographic hash algorithm as part of its authentication and integrity methods.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation GuideV-22460CAT IIThe SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.SUSE Linux Enterprise Server v11 for System z 
Security Technical Implementation GuideV-22463CAT IIThe SSH client must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation GuideV-22555CAT IIIf the system is using LDAP for authentication or account information, the system must use a TLS connection using FIPS 140-2 approved cryptographic algorithms.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation GuideV-216387CAT IIThe boundary protection system (firewall) must be configured to deny network traffic by default and must allow network traffic by exception (i.e., deny all, permit by exception).Solaris 11 SPARC Security Technical Implementation GuideV-216150CAT IIThe boundary protection system (firewall) must be configured to deny network traffic by default and must allow network traffic by exception (i.e., deny all, permit by exception).Solaris 11 X86 Security Technical Implementation GuideV-240976CAT IIThe Tanium endpoint must have the Tanium Servers public key in its installation, which will allow it to authenticate and uniquely identify all network-connected endpoint devices before establishing any connection.Tanium 7.0 Security Technical Implementation GuideV-241018CAT IITanium Trusted Content providers must be documented.Tanium 7.0 Security Technical Implementation GuideV-241019CAT IIContent providers must provide their public key to the Tanium administrator to import for validating signed content.Tanium 7.0 Security Technical Implementation GuideV-241020CAT IITanium public keys of content providers must be validated against documented trusted content providers.Tanium 7.0 Security Technical Implementation GuideV-234035CAT IIThe Tanium endpoint must have the Tanium Servers public key in its installation.Tanium 7.3 Security Technical Implementation GuideV-234079CAT IITanium Trusted Content providers must be documented.Tanium 7.3 Security 
Technical Implementation GuideV-234080CAT IIContent providers must provide their public key to the Tanium administrator to import for validating signed content.Tanium 7.3 Security Technical Implementation GuideV-234081CAT IITanium public keys of content providers must be validated against documented trusted content providers.Tanium 7.3 Security Technical Implementation GuideV-254877CAT IIThe Tanium Server must be set to only allow connections from endpoints when TLS is used.Tanium 7.x Application on TanOS Security Technical Implementation GuideV-254878CAT IITanium Trusted Content providers must be documented.Tanium 7.x Application on TanOS Security Technical Implementation GuideV-254879CAT IIContent providers must provide their public key to the Tanium administrator to import for validating signed content.Tanium 7.x Application on TanOS Security Technical Implementation GuideV-254880CAT IITanium public keys of content providers must be validated against documented trusted content providers.Tanium 7.x Application on TanOS Security Technical Implementation GuideV-253805CAT IIThe Tanium endpoint must have the Tanium Server's pki.db in its installation.Tanium 7.x Security Technical Implementation GuideV-253838CAT IITanium Trusted Content providers must be documented.Tanium 7.x Security Technical Implementation GuideV-253839CAT IIContent providers must provide their public key to the Tanium administrator to import for validating signed content.Tanium 7.x Security Technical Implementation GuideV-253840CAT IITanium public keys of content providers must be validated against documented trusted content providers.Tanium 7.x Security Technical Implementation GuideV-252919CAT IThe TOSS operating system must implement DOD-approved encryption in the OpenSSL package.Tri-Lab Operating System Stack (TOSS) 4 Security Technical Implementation GuideV-252924CAT IThe TOSS operating system must implement DOD-approved encryption to protect the confidentiality of SSH connections.Tri-Lab 
Operating System Stack (TOSS) 4 Security Technical Implementation GuideV-252925CAT IThe TOSS operating system must implement DOD-approved TLS encryption in the GnuTLS package.Tri-Lab Operating System Stack (TOSS) 4 Security Technical Implementation Guide