
STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

CCI-002007

Definition

Prohibit the use of cached authenticators after an organization-defined time period.

Parent Control

IA-5 (13): Authenticator Management (Identification and Authentication)

Linked STIG Checks (83)

Check ID | Severity | Requirement | Source guide
V-274062 | CAT II | Amazon Linux 2023 must prohibit the use of cached authenticators after one day. | Amazon Linux 2023 Security Technical Implementation Guide
V-268178 | CAT II | NixOS must prohibit the use of cached authenticators after one day. | Anduril NixOS Security Technical Implementation Guide
V-268037 | CAT II | Apple iOS/iPadOS 18 must implement the management setting: treat AirDrop as an unmanaged destination. | Apple iOS/iPadOS 18 Security Technical Implementation Guide
V-268038 | CAT III | Apple iOS/iPadOS 18 must implement the management setting: not have any Family Members in Family Sharing. | Apple iOS/iPadOS 18 Security Technical Implementation Guide
V-278796 | CAT II | Apple iOS/iPadOS 26 must implement the management setting: treat AirDrop as an unmanaged destination. | Apple iOS/iPadOS 26 Security Technical Implementation Guide
V-278797 | CAT III | Apple iOS/iPadOS 26 must implement the management setting: not have any Family Members in Family Sharing. | Apple iOS/iPadOS 26 Security Technical Implementation Guide
V-276399 | CAT II | Apple visionOS 2 must implement the management setting: treat AirDrop as an unmanaged destination. | Apple visionOS 2 Security Technical Implementation Guide
V-282808 | CAT II | Apple visionOS 26 must implement the management setting: treat AirDrop as an unmanaged destination. | Apple visionOS 26 Security Technical Implementation Guide
V-205000 | CAT II | The ALG must prohibit the use of cached authenticators after an organization-defined time period. | Application Layer Gateway Security Requirements Guide
V-274677 | CAT II | The API must have a mechanism for cache invalidation when using cache policy data. | Application Programming Interface (API) Security Requirements Guide
V-274678 | CAT II | When stateless authentication tokens are used, the API must configure them with appropriate security settings. | Application Programming Interface (API) Security Requirements Guide
V-274679 | CAT II | The API's internal authorization tokens must not be provided back to the user. | Application Programming Interface (API) Security Requirements Guide
V-274680 | CAT II | API access tokens must be configured to expire. | Application Programming Interface (API) Security Requirements Guide
V-274681 | CAT II | API refresh tokens must be configured to expire. | Application Programming Interface (API) Security Requirements Guide
V-222549 | CAT II | The application must terminate existing user sessions upon account deletion. | Application Security and Development Security Technical Implementation Guide
V-204804 | CAT II | The application server must prohibit the use of cached authenticators after an organization-defined time period. | Application Server Security Requirements Guide
V-272627 | CAT III | CylanceON-PREM must be configured to use a third-party identity provider. | Arctic Wolf CylanceON-PREM Security Technical Implementation Guide
V-276012 | CAT I | Ax-OS must have no local accounts for the user interface. | Axonius Federal Systems Ax-OS Security Technical Implementation Guide
V-237395 | CAT II | The CA API Gateway must prohibit the use of cached authenticators after an organization-defined time period. | CA API Gateway ALG Security Technical Implementation Guide
V-219163 | CAT III | The Ubuntu operating system must be configured such that Pluggable Authentication Module (PAM) prohibits the use of cached authentications after one day. | Canonical Ubuntu 18.04 LTS Security Technical Implementation Guide
V-238362 | CAT III | The Ubuntu operating system must be configured such that Pluggable Authentication Module (PAM) prohibits the use of cached authentications after one day. | Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide
V-274856 | CAT III | Ubuntu 20.04 LTS must be configured such that Pluggable Authentication Module (PAM) prohibits the use of cached authentications after one day. | Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide
V-260581 | CAT III | Ubuntu 22.04 LTS must be configured such that Pluggable Authentication Module (PAM) prohibits the use of cached authentications after one day. | Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide
V-270734 | CAT III | Ubuntu 24.04 LTS must be configured such that Pluggable Authentication Module (PAM) prohibits the use of cached authentications after one day. | Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide
V-242652 | CAT II | The Cisco ISE must prohibit the use of cached authenticators after an organization-defined time period. | Cisco ISE NDM Security Technical Implementation Guide
V-234225 | CAT II | Citrix License Server must prohibit the use of cached authenticators after an organization-defined time period. | Citrix Virtual Apps and Desktop 7.x License Server Security Technical Implementation Guide
V-213203 | CAT II | XenDesktop License Server must prohibit the use of cached authenticators after an organization-defined time period. | Citrix XenDesktop 7.x License Server Security Technical Implementation Guide
V-269409 | CAT II | AlmaLinux OS 9 must prohibit the use of cached authenticators after one day. | Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
V-233200 | CAT II | The container platform must prohibit the use of cached authenticators after an organization-defined time period. | Container Platform Security Requirements Guide
V-206601 | CAT II | The DBMS must prohibit the use of cached authenticators after an organization-defined time period. | Database Security Requirements Guide
V-269795 | CAT II | The Dell OS10 Switch must prohibit the use of cached authenticators after an organization-defined time period. | Dell OS10 Switch NDM Security Technical Implementation Guide
V-235825 | CAT II | The Lifetime Minutes and Renewal Threshold Minutes Login Session Controls must be set to 10 and 0 respectively in Docker Enterprise. | Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide
V-266093 | CAT II | The F5 BIG-IP appliance must prohibit the use of cached authenticators after eight hours or less. | F5 BIG-IP TMOS NDM Security Technical Implementation Guide
V-278401 | CAT II | NGINX must be configured to expire cached authenticators after an organization-defined time period. | F5 NGINX Security Technical Implementation Guide
V-203733 | CAT II | The operating system must prohibit the use of cached authenticators after one day. | General Purpose Operating System Security Requirements Guide
V-266959 | CAT II | AOS must prohibit the use of cached authenticators after an organization-defined time period. | HPE Aruba Networking AOS NDM Security Technical Implementation Guide
V-215205 | CAT II | If LDAP authentication is required, AIX must setup LDAP client to refresh user and group caches less than a day. | IBM AIX 7.x Security Technical Implementation Guide
V-252626 | CAT II | The IBM Aspera High-Speed Transfer Endpoint must prohibit the use of cached authenticators after an organization-defined time period. | IBM Aspera Platform 4.2 Security Technical Implementation Guide
V-252649 | CAT II | The IBM Aspera High-Speed Transfer Server must prohibit the use of cached authenticators after an organization-defined time period. | IBM Aspera Platform 4.2 Security Technical Implementation Guide
V-65263 | CAT II | The DataPower Gateway must prohibit the use of cached authenticators after an organization-defined time period. | IBM DataPower ALG Security Technical Implementation Guide
V-65167 | CAT II | The DataPower Gateway must prohibit the use of cached authenticators after an organization-defined time period. | IBM DataPower Network Device Management Security Technical Implementation Guide
V-255781 | CAT II | The MQ Appliance WebGUI interface to the messaging server must prohibit the use of cached authenticators after one hour. | IBM MQ Appliance V9.0 AS Security Technical Implementation Guide
V-255790 | CAT II | The MQ Appliance SSH interface to the messaging server must prohibit the use of cached authenticators after 600 seconds. | IBM MQ Appliance V9.0 AS Security Technical Implementation Guide
V-255764 | CAT II | The MQ Appliance network device must prohibit the use of cached authenticators after an organization-defined time period. | IBM MQ Appliance v9.0 NDM Security Technical Implementation Guide
V-250345 | CAT II | The WebSphere Liberty Server must prohibit the use of cached authenticators after an organization-defined time period. | IBM WebSphere Liberty Server Security Technical Implementation Guide
V-255872 | CAT II | The WebSphere Application Server must prohibit the use of cached authenticators after an organization-defined time period. | IBM WebSphere Traditional V9.x Security Technical Implementation Guide
V-253927 | CAT II | The Juniper EX switch must be configured to prohibit the use of cached authenticators after an organization-defined time period. | Juniper EX Series Switches Network Device Management Security Technical Implementation Guide
V-205573 | CAT II | The Mainframe Product must prohibit the use of cached authenticators after one hour. | Mainframe Product Security Requirements Guide
V-253736 | CAT II | MariaDB must prohibit the use of cached authenticators after an organization-defined time period. | MariaDB Enterprise 10.x Security Technical Implementation Guide
V-220385 | CAT II | MarkLogic Server must prohibit the use of cached authenticators after an organization-defined time period. | MarkLogic Server v9 Security Technical Implementation Guide
V-235756 | CAT II | The Password Manager must be disabled. | Microsoft Edge Security Technical Implementation Guide
V-228437 | CAT II | The remember password for internet e-mail accounts must be disabled. | Microsoft Outlook 2016 Security Technical Implementation Guide
V-260903 | CAT II | The Lifetime Minutes and Renewal Threshold Minutes Login Session Controls on MKE must be set. | Mirantis Kubernetes Engine Security Technical Implementation Guide
V-221194 | CAT II | MongoDB must prohibit the use of cached authenticators after an organization-defined time period. | MongoDB Enterprise Advanced 3.x Security Technical Implementation Guide
V-252177 | CAT II | MongoDB must prohibit the use of cached authenticators after an organization-defined time period. | MongoDB Enterprise Advanced 4.x Security Technical Implementation Guide
V-202115 | CAT II | The network device must prohibit the use of cached authenticators after an organization-defined time period. | Network Device Management Security Requirements Guide
V-254221 | CAT II | Nutanix AOS must prohibit the use of cached authenticators. | Nutanix AOS 5.20.x OS Security Technical Implementation Guide
V-279441 | CAT II | Nutanix VMM must terminate UI network connections associated with a communications session at the end of the session for in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity. | Nutanix Acropolis Application Server Security Technical Implementation Guide
V-273206 | CAT II | Okta must be configured to disable persistent global session cookies. | Okta Identity as a Service (IDaaS) Security Technical Implementation Guide
V-248710 | CAT II | OL 8 must prohibit the use of cached authentications after one day. | Oracle Linux 8 Security Technical Implementation Guide
V-271609 | CAT II | OL 9 must prohibit the use of cached authenticators after one day. | Oracle Linux 9 Security Technical Implementation Guide
V-235177 | CAT II | The MySQL Database Server 8.0 must prohibit the use of cached authenticators after an organization-defined time period. | Oracle MySQL 8.0 Security Technical Implementation Guide
V-253538 | CAT II | Prisma Cloud Compute local accounts must enforce strong password requirements. | Palo Alto Networks Prisma Cloud Compute Security Technical Implementation Guide
V-281331 | CAT II | RHEL 10 must prohibit the use of cached authenticators after one day. | Red Hat Enterprise Linux 10 Security Technical Implementation Guide
V-230376 | CAT II | RHEL 8 must prohibit the use of cached authentications after one day. | Red Hat Enterprise Linux 8 Security Technical Implementation Guide
V-258133 | CAT II | RHEL 9 must prohibit the use of cached authenticators after one day. | Red Hat Enterprise Linux 9 Security Technical Implementation Guide
V-257562 | CAT II | OpenShift must set server token max age no greater than eight hours. | Red Hat OpenShift Container Platform 4.12 Security Technical Implementation Guide
V-257562 | CAT II | OpenShift must set server token max age no greater than eight hours. | Red Hat OpenShift Container Platform 4.x Security Technical Implementation Guide
V-251224 | CAT II | Redis Enterprise DBMS must prohibit the use of cached authenticators after an organization-defined time period. | Redis Enterprise 6.x Security Technical Implementation Guide
V-275668 | CAT II | Ubuntu OS must be configured such that Pluggable Authentication Module (PAM) prohibits the use of cached authentications after one day. | Riverbed NetIM OS Security Technical Implementation Guide
V-261399 | CAT II | If Network Security Services (NSS) is being used by SLEM 5 it must prohibit the use of cached authentications after one day. | SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation Guide
V-261400 | CAT II | SLEM 5 must configure the Linux Pluggable Authentication Modules (PAM) to prohibit the use of cached offline authentications after one day. | SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation Guide
V-217166 | CAT II | If Network Security Services (NSS) is being used by the SUSE operating system it must prohibit the use of cached authentications after one day. | SUSE Linux Enterprise Server 12 Security Technical Implementation Guide
V-217167 | CAT II | The SUSE operating system must configure the Linux Pluggable Authentication Modules (PAM) to prohibit the use of cached offline authentications after one day. | SUSE Linux Enterprise Server 12 Security Technical Implementation Guide
V-279216 | CAT II | The Edge SWG providing user authentication intermediary services must require users to reauthenticate when organization-defined circumstances or situations require reauthentication. | Symantec Edge SWG ALG Security Technical Implementation Guide
V-279270 | CAT II | The Edge SWG must prohibit the use of cached authenticators after an organization-defined time period. | Symantec Edge SWG NDM Security Technical Implementation Guide
V-94293 | CAT II | Symantec ProxySG must prohibit the use of cached authenticators after 300 seconds at a minimum. | Symantec ProxySG ALG Security Technical Implementation Guide
V-252933 | CAT II | TOSS must prohibit the use of cached authentications after one day. | Tri-Lab Operating System Stack (TOSS) 4 Security Technical Implementation Guide
V-282597 | CAT II | TOSS 5 must prohibit the use of cached authenticators after one day. | Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide
V-234543 | CAT II | The UEM server must prohibit the use of cached authenticators after an organization-defined time period. | Unified Endpoint Management Server Security Requirements Guide
V-265327 | CAT I | The NSX Manager must terminate all network connections associated with a session after five minutes of inactivity. | VMware NSX 4.x Manager NDM Security Technical Implementation Guide
V-251784 | CAT II | The NSX-T Manager must prohibit the use of cached authenticators after an organization-defined time period. | VMware NSX-T Manager NDM Security Technical Implementation Guide
V-207486 | CAT II | The VMM must prohibit the use of cached authenticators after one day. | Virtual Machine Manager Security Requirements Guide