STIGs RMF Controls Compare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

Browse STIGs
Search
RMF Controls
Compare Versions

Resources

About
Release Notes
VPAT
DISA STIG Library

STIGs updated 2 hours ago

Powered by Pylon

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

← IA-3 — Device Identification and Authentication

CCI-001958

Definition

Authenticate organization-defined devices and/or types of devices before establishing a local, remote, and/or network connection.

Parent Control

IA-3Device Identification and AuthenticationIdentification and Authentication

Linked STIG Checks (130)

V-204693CAT IIAAA Services used for 802.1x must be configured to authenticate network endpoint devices (supplicants) before the authenticator establishes any connection.AAA Services Security Requirements Guide V-274182CAT IIAmazon Linux 2023 file system automount function must be disabled unless required.Amazon Linux 2023 Security Technical Implementation Guide V-268139CAT IINixOS must enable USBguard.Anduril NixOS Security Technical Implementation Guide V-259572CAT IIThe macOS system must authorize USB devices before allowing connection.Apple macOS 14 (Sonoma) Security Technical Implementation Guide V-268567CAT IIThe macOS system must authorize USB devices before allowing connection.Apple macOS 15 (Sequoia) Security Technical Implementation Guide V-277177CAT IIThe macOS system must authorize USB devices before allowing connection.Apple macOS 26 (Tahoe) Security Technical Implementation Guide V-222533CAT IIThe application must authenticate all network connected endpoint devices before establishing any connection.Application Security and Development Security Technical Implementation Guide V-237337CAT IThe ArcGIS Server Windows authentication must authenticate all endpoint devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based.ArcGIS for Server 10.3 Security Technical Implementation Guide V-256028CAT IIThe PE router providing MPLS Layer 2 Virtual Private Network (L2VPN) services must be configured to authenticate targeted Label Distribution Protocol (LDP) sessions used to exchange virtual circuit (VC) information using a FIPS-approved message authentication code algorithm.Arista MLS EOS 4.2x Router Security Technical Implementation Guide V-255968CAT IThe Arista MLS layer 2 switch must uniquely identify all network-connected endpoint devices before establishing any connection.Arista MLS EOS 4.X L2S Security Technical Implementation Guide V-256028CAT IIThe PE router providing MPLS Layer 2 Virtual Private Network (L2VPN) services must be configured to authenticate targeted Label Distribution Protocol (LDP) sessions used to exchange virtual circuit (VC) information using a FIPS-approved message authentication code algorithm.Arista MLS EOS 4.X Router Security Technical Implementation Guide V-214666CAT IIThe Arista Multilayer Switch must authenticate 802.1X connected devices before establishing any connection.Arista Multilayer Switch DCS-7000 Series L2S Security Technical Implementation Guide V-276012CAT IAx-OS must have no local accounts for the user interface.Axonius Federal Systems Ax-OS Security Technical Implementation Guide V-272435CAT IThe BIND 9.x server implementation must uniquely identify and authenticate the other DNS server before responding to a server-to-server transaction, zone transfer, and/or dynamic update request using cryptographically based bidirectional authentication to protect the integrity of the information in transit.BIND 9.x Security Technical Implementation Guide V-219339CAT IIThe Ubuntu operating system must disable automatic mounting of Universal Serial Bus (USB) mass storage driver.Canonical Ubuntu 18.04 LTS Security Technical Implementation Guide V-251505CAT IIThe Ubuntu operating system must disable automatic mounting of Universal Serial Bus (USB) mass storage driver.Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide V-260540CAT IIUbuntu 22.04 LTS must disable automatic mounting of Universal Serial Bus (USB) mass storage driver.Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide V-270718CAT IIUbuntu 24.04 LTS must disable automatic mounting of Universal Serial Bus (USB) mass storage driver.Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide V-274872CAT IIUbuntu 24.04 LTS must prevent a user from overriding the disabling of the graphical user interface autorun function.Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide V-272032CAT IIThe Cisco ACI layer 2 switch must authenticate all network-connected endpoint devices before establishing any connection.Cisco ACI Layer 2 Switch Security Technical Implementation Guide V-216614CAT IIThe Cisco PE router providing MPLS Layer 2 Virtual Private Network (L2VPN) services must be configured to authenticate targeted Label Distribution Protocol (LDP) sessions used to exchange virtual circuit (VC) information using a FIPS-approved message authentication code algorithm.Cisco IOS Router RTR Security Technical Implementation Guide V-216634CAT IIThe Cisco Multicast Source Discovery Protocol (MSDP) router must be configured to authenticate all received MSDP packets.Cisco IOS Router RTR Security Technical Implementation Guide V-220623CAT IThe Cisco switch must uniquely identify and authenticate all network-connected endpoint devices before establishing any connection.Cisco IOS Switch L2S Security Technical Implementation Guide V-220454CAT IIThe Cisco PE switch providing MPLS Layer 2 Virtual Private Network (L2VPN) services must be configured to authenticate targeted Label Distribution Protocol (LDP) sessions used to exchange virtual circuit (VC) information using a FIPS-approved message authentication code algorithm.Cisco IOS Switch RTR Security Technical Implementation Guide V-216704CAT IIThe Cisco PE router providing MPLS Layer 2 Virtual Private Network (L2VPN) services must be configured to authenticate targeted Label Distribution Protocol (LDP) sessions used to exchange virtual circuit (VC) information using a FIPS-approved message authentication code algorithm.Cisco IOS XE Router RTR Security Technical Implementation Guide V-216729CAT IIThe Cisco Multicast Source Discovery Protocol (MSDP) router must be configured to authenticate all received MSDP packets.Cisco IOS XE Router RTR Security Technical Implementation Guide V-220649CAT IThe Cisco switch must uniquely identify and authenticate all network-connected endpoint devices before establishing any connection.Cisco IOS XE Switch L2S Security Technical Implementation Guide V-221040CAT IIThe Cisco PE switch providing MPLS Layer 2 Virtual Private Network (L2VPN) services must be configured to authenticate targeted Label Distribution Protocol (LDP) sessions used to exchange virtual circuit (VC) information using a FIPS-approved message authentication code algorithm.Cisco IOS XE Switch RTR Security Technical Implementation Guide V-221065CAT IIThe Cisco Multicast Source Discovery Protocol (MSDP) switch must be configured to authenticate all received MSDP packets.Cisco IOS XE Switch RTR Security Technical Implementation Guide V-216794CAT IIThe Cisco PE router providing MPLS Layer 2 Virtual Private Network (L2VPN) services must be configured to authenticate targeted Label Distribution Protocol (LDP) sessions used to exchange virtual circuit (VC) information using a FIPS-approved message authentication code algorithm.Cisco IOS XR Router RTR Security Technical Implementation Guide V-216819CAT IIThe Cisco Multicast Source Discovery Protocol (MSDP) router must be configured to authenticate all received MSDP packets.Cisco IOS XR Router RTR Security Technical Implementation Guide V-242601CAT IIThe Cisco ISE must authenticate all endpoint devices before establishing a connection and proceeding with posture assessment. This is required for compliance with C2C Step 4.Cisco ISE NAC Security Technical Implementation Guide V-242602CAT IIThe Cisco ISE must be configured to dynamically apply restricted access of endpoints that are granted access using MAC Authentication Bypass (MAB). This is required for compliance with C2C Step 4.Cisco ISE NAC Security Technical Implementation Guide V-220679CAT IIThe Cisco switch must authenticate all endpoint devices before establishing any connection.Cisco NX OS Switch L2S Security Technical Implementation Guide V-221120CAT IIThe Cisco PE switch providing MPLS Layer 2 Virtual Private Network (L2VPN) services must be configured to authenticate targeted Label Distribution Protocol (LDP) sessions used to exchange virtual circuit (VC) information using a FIPS-approved message authentication code algorithm.Cisco NX OS Switch RTR Security Technical Implementation Guide V-221143CAT IIThe Cisco Multicast Source Discovery Protocol (MSDP) switch must be configured to authenticate all received MSDP packets.Cisco NX OS Switch RTR Security Technical Implementation Guide V-269357CAT IIAlmaLinux OS 9 must be configured to disable USB mass storage.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269377CAT IIAlmaLinux OS 9 must disable the graphical user interface automount function unless required.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269378CAT IIAlmaLinux OS 9 must prevent a user from overriding the disabling of the graphical user interface automount function.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269379CAT IIAlmaLinux OS 9 must prevent a user from overriding the disabling of the graphical user interface autorun function.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269380CAT IIAlmaLinux OS 9 must have the USBGuard package installed.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269381CAT IIAlmaLinux OS 9 must have the USBGuard package enabled.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269382CAT IIAlmaLinux OS 9 must block unauthorized peripherals before establishing a connection.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269953CAT IThe Dell OS10 Switch must uniquely identify all network-connected endpoint devices before establishing any connection.Dell OS10 Switch Layer 2 Switch Security Technical Implementation Guide V-205203CAT IIThe DNS server implementation must authenticate the other DNS server before responding to a server-to-server transaction.Domain Name System (DNS) Security Requirements Guide V-260027CAT IIThe Enterprise Voice, Video, and Messaging Session Manager must be configured to authenticate each Voice Video Endpoint device before registration.Enterprise Voice, Video, and Messaging Session Management Security Requirements Guide V-260028CAT IIThe Enterprise Voice, Video, and Messaging Session Manager must be configured to authenticate each Voice Video peer (trunk) before registration.Enterprise Voice, Video, and Messaging Session Management Security Requirements Guide V-266171CAT IIThe F5 BIG-IP must be configured to identify and authenticate all endpoint devices or peers before establishing a connection.F5 BIG-IP TMOS ALG Security Technical Implementation Guide V-233326CAT IIForescout must authenticate all endpoint devices before establishing a connection and proceeding with posture assessment. This is required for compliance with C2C Step 4.Forescout Network Access Control Security Technical Implementation Guide V-233327CAT IIForescout must be configured to apply dynamic ACLs that restrict the use of ports when non-entity endpoints are connected using MAC Authentication Bypass (MAB). This is required for compliance with C2C Step 4.Forescout Network Access Control Security Technical Implementation Guide V-233330CAT IIForescout switch module must only allow a maximum of one registered MAC address per access port. This is required for compliance with C2C Step 4.Forescout Network Access Control Security Technical Implementation Guide V-203730CAT IIThe operating system must authenticate peripherals before establishing a connection.General Purpose Operating System Security Requirements Guide V-66051CAT IHP FlexFabric Switch must authenticate all network-connected endpoint devices before establishing any connection.HP FlexFabric Switch L2S Security Technical Implementation Guide V-266988CAT IIAOS, when used as a VPN Gateway, must authenticate all network-connected endpoint devices before establishing a connection.HPE Aruba Networking AOS VPN Security Technical Implementation Guide V-266632CAT IIThe network element must authenticate all network-connected endpoint devices before establishing any connection.HPE Aruba Networking AOS Wireless Security Technical Implementation Guide V-215395CAT IIIf automated file system mounting tool is not required on AIX, it must be disabled.IBM AIX 7.x Security Technical Implementation Guide V-255806CAT IIThe MQ Appliance messaging server must authenticate all network-connected endpoint devices before establishing any connection.IBM MQ Appliance V9.0 AS Security Technical Implementation Guide V-255868CAT IIThe WebSphere Application Server must authenticate all network-connected endpoint devices before establishing any connection.IBM WebSphere Traditional V9.x Security Technical Implementation Guide V-214186CAT IIThe Infoblox system must authenticate the other DNS server before responding to a server-to-server transaction.Infoblox 7.x DNS Security Technical Implementation Guide V-233900CAT IIThe Infoblox DNS service member must authenticate to any external (non-Grid) DNS service members before responding to a server-to-server transaction.Infoblox 8.x DNS Security Technical Implementation Guide V-258594CAT IIThe ICS must be configured to authenticate all clients before establishing a connection.Ivanti Connect Secure VPN Security Technical Implementation Guide V-253954CAT IIThe Juniper EX switch must be configured to authenticate all network-connected endpoint devices before establishing any connection.Juniper EX Series Switches Layer 2 Switch Security Technical Implementation Guide V-254028CAT IIThe router providing MPLS L2VPN services must be configured to authenticate targeted LDP sessions used to exchange VC information using a FIPS-approved message authentication code algorithm.Juniper EX Series Switches Router Security Technical Implementation Guide V-254029CAT IIThe Juniper Multicast Source Discovery Protocol (MSDP) router must be configured to authenticate all received MSDP packets.Juniper EX Series Switches Router Security Technical Implementation Guide V-217070CAT IIThe Juniper PE router providing MPLS Layer 2 Virtual Private Network (L2VPN) services must be configured to authenticate targeted Label Distribution Protocol (LDP) sessions used to exchange virtual circuit (VC) information using a FIPS-approved message authentication code algorithm.Juniper Router RTR Security Technical Implementation Guide V-217094CAT IIThe Juniper Multicast Source Discovery Protocol (MSDP) router must be configured to authenticate all received MSDP packets.Juniper Router RTR Security Technical Implementation Guide V-206653CAT IIThe layer 2 switch must authenticate all network-connected endpoint devices before establishing any connection.Layer 2 Switch Security Requirements Guide V-215601CAT IIThe secondary Windows DNS name servers must cryptographically authenticate zone transfers from primary name servers.Microsoft Windows 2012 Server Domain Name System Security Technical Implementation Guide V-215602CAT IIThe Windows DNS primary server must only send zone transfers to a specific list of secondary name servers.Microsoft Windows 2012 Server Domain Name System Security Technical Implementation Guide V-215603CAT IIThe Windows 2012 DNS Server must provide its identity with returned DNS information by enabling DNSSEC and TSIG/SIG(0).Microsoft Windows 2012 Server Domain Name System Security Technical Implementation Guide V-259364CAT IIThe secondary Windows DNS name servers must cryptographically authenticate zone transfers from primary name servers.Microsoft Windows Server Domain Name System (DNS) Security Technical Implementation Guide V-221712CAT IIThe Oracle Linux operating system must be configured to disable USB mass storage.Oracle Linux 7 Security Technical Implementation Guide V-221713CAT IIThe Oracle Linux operating system must be configured so that the Datagram Congestion Control Protocol (DCCP) kernel module is disabled unless required.Oracle Linux 7 Security Technical Implementation Guide V-228567CAT IIThe Oracle Linux operating system must disable the graphical user interface automounter unless required.Oracle Linux 7 Security Technical Implementation Guide V-248862CAT IIOL 8 must have the USBGuard installed.Oracle Linux 8 Security Technical Implementation Guide V-248863CAT IIOL 8 must block unauthorized peripherals before establishing a connection.Oracle Linux 8 Security Technical Implementation Guide V-248864CAT IIOL 8 must enable the USBGuard.Oracle Linux 8 Security Technical Implementation Guide V-271450CAT IIOL 9 must be configured to disable USB mass storage.Oracle Linux 9 Security Technical Implementation Guide V-271503CAT IIOL 9 must have the USBGuard package installed.Oracle Linux 9 Security Technical Implementation Guide V-271504CAT IIOL 9 must enable the USBGuard package.Oracle Linux 9 Security Technical Implementation Guide V-271639CAT IIOL 9 file system automount function must be disabled unless required.Oracle Linux 9 Security Technical Implementation Guide V-271670CAT IIOL 9 must disable the graphical user interface automount function unless required.Oracle Linux 9 Security Technical Implementation Guide V-271678CAT IIOL 9 must prevent a user from overriding the disabling of the graphical user interface automount function.Oracle Linux 9 Security Technical Implementation Guide V-271679CAT IIOL 9 must prevent a user from overriding the disabling of the graphical user interface autorun function.Oracle Linux 9 Security Technical Implementation Guide V-271701CAT IIOL 9 must block unauthorized peripherals before establishing a connection.Oracle Linux 9 Security Technical Implementation Guide V-273676CAT IIThe RUCKUS ICX switch must authenticate all network-connected endpoint devices before establishing any connection.RUCKUS ICX Layer 2 Switch Security Technical Implementation Guide V-273626CAT IIThe RUCKUS Multicast Source Discovery Protocol (MSDP) router must be configured to authenticate all received MSDP packets.RUCKUS ICX Router Security Technical Implementation Guide V-280962CAT IIRHEL 10 must have the USBGuard package installed.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-280963CAT IIRHEL 10 must have the USBGuard package enabled.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-280964CAT IIRHEL 10 must block unauthorized peripherals before establishing a connection.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-281273CAT IIRHEL 10 must prevent a user from overriding the disabling of the graphical user interface automount function.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-281274CAT IIRHEL 10 must prevent a user from overriding the disabling of the graphical user interface autorun function.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-281288CAT IIRHEL 10 must be configured to disable USB mass storage.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-281291CAT IIRHEL 10 must disable the graphical user interface automounter unless required.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-281292CAT IIIRHEL 10 must disable the graphical user interface autorunner unless required.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-281323CAT IIRHEL 10 must disable file system automount function unless required.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-204449CAT IIThe Red Hat Enterprise Linux operating system must be configured to disable USB mass storage.Red Hat Enterprise Linux 7 Security Technical Implementation Guide V-204450CAT IIThe Red Hat Enterprise Linux operating system must be configured so that the Datagram Congestion Control Protocol (DCCP) kernel module is disabled unless required.Red Hat Enterprise Linux 7 Security Technical Implementation Guide V-204451CAT IIThe Red Hat Enterprise Linux operating system must disable the file system automounter unless required.Red Hat Enterprise Linux 7 Security Technical Implementation Guide V-219059CAT IIThe Red Hat Enterprise Linux operating system must disable the graphical user interface automounter unless required.Red Hat Enterprise Linux 7 Security Technical Implementation Guide V-230524CAT IIRHEL 8 must block unauthorized peripherals before establishing a connection.Red Hat Enterprise Linux 8 Security Technical Implementation Guide V-244547CAT IIRHEL 8 must have the USBGuard installed.Red Hat Enterprise Linux 8 Security Technical Implementation Guide V-244548CAT IIRHEL 8 must enable the USBGuard.Red Hat Enterprise Linux 8 Security Technical Implementation Guide V-257849CAT IIRHEL 9 file system automount function must be disabled unless required.Red Hat Enterprise Linux 9 Security Technical Implementation Guide V-258014CAT IIRHEL 9 must disable the graphical user interface automount function unless required.Red Hat Enterprise Linux 9 Security Technical Implementation Guide V-258015CAT IIRHEL 9 must prevent a user from overriding the disabling of the graphical user interface automount function.Red Hat Enterprise Linux 9 Security Technical Implementation Guide V-258017CAT IIRHEL 9 must prevent a user from overriding the disabling of the graphical user interface autorun function.Red Hat Enterprise Linux 9 Security Technical Implementation Guide V-258034CAT IIRHEL 9 must be configured to disable USB mass storage.Red Hat Enterprise Linux 9 Security Technical Implementation Guide V-258035CAT IIRHEL 9 must have the USBGuard package installed.Red Hat Enterprise Linux 9 Security Technical Implementation Guide V-258036CAT IIRHEL 9 must have the USBGuard package enabled.Red Hat Enterprise Linux 9 Security Technical Implementation Guide V-258038CAT IIRHEL 9 must block unauthorized peripherals before establishing a connection.Red Hat Enterprise Linux 9 Security Technical Implementation Guide V-275631CAT IIUbuntu OS must disable automatic mounting of Universal Serial Bus (USB) mass storage driver.Riverbed NetIM OS Security Technical Implementation Guide V-207147CAT IIThe PE router providing MPLS Layer 2 Virtual Private Network (L2VPN) services must be configured to authenticate targeted Label Distribution Protocol (LDP) sessions used to exchange virtual circuit (VC) information using a FIPS-approved message authentication code algorithm.Router Security Requirements Guide V-207148CAT IIThe Multicast Source Discovery Protocol (MSDP) router must be configured to authenticate all received MSDP packets.Router Security Requirements Guide V-94587CAT IIThe SEL-2740S must authenticate all network-connected endpoint devices before establishing any connection.SEL-2740S L2S Security Technical Implementation Guide V-261347CAT IISLEM 5 must disable the USB mass storage kernel module.SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation Guide V-217155CAT IIThe SUSE operating system must disable the USB mass storage kernel module.SUSE Linux Enterprise Server 12 Security Technical Implementation Guide V-217156CAT IIThe SUSE operating system must disable the file system automounter.SUSE Linux Enterprise Server 12 Security Technical Implementation Guide V-240976CAT IIThe Tanium endpoint must have the Tanium Servers public key in its installation, which will allow it to authenticate and uniquely identify all network-connected endpoint devices before establishing any connection.Tanium 7.0 Security Technical Implementation Guide V-234035CAT IIThe Tanium endpoint must have the Tanium Servers public key in its installation.Tanium 7.3 Security Technical Implementation Guide V-253082CAT IITOSS must be configured to disable USB mass storage.Tri-Lab Operating System Stack (TOSS) 4 Security Technical Implementation Guide V-282498CAT IITOSS 5 must disable the graphical user interface automount function unless required.Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide V-282499CAT IITOSS 5 must prevent a user from overriding the disabling of the graphical user interface automount function.Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide V-282500CAT IITOSS 5 must prevent a user from overriding the disabling of the graphical user interface autorun function.Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide V-282501CAT IITOSS 5 must be configured to disable USB mass storage.Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide V-282593CAT IITOSS 5 must have the USBGuard package installed.Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide V-282594CAT IITOSS 5 must have the USBGuard package enabled.Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide V-282595CAT IITOSS 5 must block unauthorized peripherals before establishing a connection.Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide V-207483CAT IIThe VMM must authenticate peripherals before establishing a connection.Virtual Machine Manager Security Requirements Guide V-207241CAT IIThe VPN Gateway must authenticate all network-connected endpoint devices before establishing a connection.Virtual Private Network (VPN) Security Requirements Guide