CCI-002418

Definition

Protect the confidentiality and/or integrity of transmitted information.

Parent Control

SC-8 | Transmission Confidentiality and Integrity | System and Communications Protection

Linked STIG Checks (200)

  • V-243495 | CAT II | A VPN must be used to protect directory network traffic for directory service implementation spanning enclave boundaries. | Active Directory Domain Security Technical Implementation Guide
  • V-279092 | CAT I | JVM Arguments must be configured for Transport Layer Security (TLS) 1.2 or higher. | Adobe ColdFusion Security Technical Implementation Guide
  • V-279093 | CAT I | ColdFusion must configure Lightweight Directory Access Protocol (LDAP) for Transport Layer Security (TLS). | Adobe ColdFusion Security Technical Implementation Guide
  • V-279094 | CAT I | ColdFusion must remove all export ciphers to protect the confidentiality and integrity of transmitted information. | Adobe ColdFusion Security Technical Implementation Guide
  • V-279106 | CAT II | ColdFusion must be configured to set the cookie settings. | Adobe ColdFusion Security Technical Implementation Guide
  • V-274038 | CAT I | Amazon Linux 2023 must have SSH installed. | Amazon Linux 2023 Security Technical Implementation Guide
  • V-274039 | CAT I | Amazon Linux 2023 must implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission. | Amazon Linux 2023 Security Technical Implementation Guide
  • V-274046 | CAT I | Amazon Linux 2023 must force a frequent session key renegotiation for SSH connections to the server. | Amazon Linux 2023 Security Technical Implementation Guide
  • V-274057 | CAT I | Amazon Linux 2023 must enable FIPS mode. | Amazon Linux 2023 Security Technical Implementation Guide
  • V-283440 | CAT I | Amazon Linux 2023 must implement DOD-approved encryption in the bind package. | Amazon Linux 2023 Security Technical Implementation Guide
  • V-268146 | CAT I | NixOS must protect wireless access to and from the system using encryption. | Anduril NixOS Security Technical Implementation Guide
  • V-268159 | CAT I | NixOS must protect the confidentiality and integrity of transmitted information. | Anduril NixOS Security Technical Implementation Guide
  • V-214230 | CAT II | The Apache web server must use cryptography to protect the integrity of remote sessions. | Apache Server 2.4 UNIX Server Security Technical Implementation Guide
  • V-214268 | CAT II | Cookies exchanged between the Apache web server and the client, such as session cookies, must have cookie properties set to prohibit client-side scripts from reading the cookie data. | Apache Server 2.4 UNIX Server Security Technical Implementation Guide
  • V-214269 | CAT II | The Apache web server must remove all export ciphers to protect the confidentiality and integrity of transmitted information. | Apache Server 2.4 UNIX Server Security Technical Implementation Guide
  • V-214308 | CAT II | The Apache web server must use encryption strength in accordance with the categorization of data hosted by the Apache web server when remote connections are provided. | Apache Server 2.4 Windows Server Security Technical Implementation Guide
  • V-214355 | CAT II | The Apache web server cookies, such as session cookies, sent to the client using SSL/TLS must not be compressed. | Apache Server 2.4 Windows Server Security Technical Implementation Guide
  • V-214394 | CAT II | Cookies exchanged between the Apache web server and the client, such as session cookies, must have cookie properties set to prohibit client-side scripts from reading the cookie data. | Apache Server 2.4 Windows Site Security Technical Implementation Guide
  • V-214395 | CAT II | Cookies exchanged between the Apache web server and the client, such as session cookies, must have cookie properties set to force the encryption of cookies. | Apache Server 2.4 Windows Site Security Technical Implementation Guide
  • V-222968 | CAT I | Tomcat must use FIPS-validated ciphers on secured connectors. | Apache Tomcat Application Server 9 Security Technical Implementation Guide
  • V-252699 | CAT III | The macOS system must be configured with Bluetooth turned off unless approved by the organization. | Apple macOS 12 (Monterey) Security Technical Implementation Guide
  • V-257218 | CAT III | The macOS system must be configured with Bluetooth turned off unless approved by the organization. | Apple macOS 13 (Ventura) Security Technical Implementation Guide
  • V-259510 | CAT I | The macOS system must disable Bluetooth when no approved device is connected. | Apple macOS 14 (Sonoma) Security Technical Implementation Guide
  • V-268509 | CAT I | The macOS system must disable Bluetooth when no approved device is connected. | Apple macOS 15 (Sequoia) Security Technical Implementation Guide
  • V-277118 | CAT I | The macOS system must disable Bluetooth when no approved device is connected. | Apple macOS 26 (Tahoe) Security Technical Implementation Guide
  • V-274709 | CAT I | The amount of data returned by the API must be restricted. | Application Programming Interface (API) Security Requirements Guide
  • V-274710 | CAT I | The API must use TLS version 1.2 at a minimum. | Application Programming Interface (API) Security Requirements Guide
  • V-222596 | CAT I | The application must protect the confidentiality and integrity of transmitted information. | Application Security and Development Security Technical Implementation Guide
  • V-204816 | CAT I | The application server must protect the confidentiality and integrity of transmitted information through the use of an approved TLS version. | Application Server Security Requirements Guide
  • V-204817 | CAT I | The application server must remove all export ciphers to protect the confidentiality and integrity of transmitted information. | Application Server Security Requirements Guide
  • V-237338 | CAT I | The ArcGIS Server SSL settings must use NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. | ArcGIS for Server 10.3 Security Technical Implementation Guide
  • V-272629 | CAT I | CylanceON-PREM must be configured to use TLS 1.2 or higher. | Arctic Wolf CylanceON-PREM Security Technical Implementation Guide
  • V-272435 | CAT I | The BIND 9.x server implementation must uniquely identify and authenticate the other DNS server before responding to a server-to-server transaction, zone transfer, and/or dynamic update request using cryptographically based bidirectional authentication to protect the integrity of the information in transit. | BIND 9.x Security Technical Implementation Guide
  • V-79015 | CAT II | The BlackBerry Enterprise Mobility Server (BEMS) must protect the confidentiality and integrity of transmitted information through the use of an approved TLS version. | BlackBerry Enterprise Mobility Server 2.x Security Technical Implementation Guide
  • V-79017 | CAT II | The BlackBerry Enterprise Mobility Server (BEMS) must remove all export ciphers to protect the confidentiality and integrity of transmitted information. | BlackBerry Enterprise Mobility Server 2.x Security Technical Implementation Guide
  • V-254712 | CAT II | The BlackBerry Enterprise Mobility Server (BEMS) must protect the confidentiality and integrity of transmitted information through the use of an approved TLS version. | BlackBerry Enterprise Mobility Server 3.x Security Technical Implementation Guide
  • V-254713 | CAT II | The BlackBerry Enterprise Mobility Server (BEMS) must remove all export ciphers to protect the confidentiality and integrity of transmitted information. | BlackBerry Enterprise Mobility Server 3.x Security Technical Implementation Guide
  • V-224386 | CAT II | The BlackBerry UEM server must connect to [assignment: [SQL Server]] with an authenticated and secure (encrypted) connection to protect the confidentiality and integrity of transmitted information. | BlackBerry UEM Security Technical Implementation Guide
  • V-219313 | CAT I | The Ubuntu operating system must use SSH to protect the confidentiality and integrity of transmitted information unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution System (PDS). | Canonical Ubuntu 18.04 LTS Security Technical Implementation Guide
  • V-252703 | CAT II | The Ubuntu operating system must disable all wireless network adapters. | Canonical Ubuntu 18.04 LTS Security Technical Implementation Guide
  • V-238215 | CAT I | The Ubuntu operating system must use SSH to protect the confidentiality and integrity of transmitted information. | Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide
  • V-252704 | CAT II | The Ubuntu operating system must disable all wireless network adapters. | Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide
  • V-260523 | CAT I | Ubuntu 22.04 LTS must have SSH installed. | Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide
  • V-260524 | CAT I | Ubuntu 22.04 LTS must use SSH to protect the confidentiality and integrity of transmitted information. | Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide
  • V-260541 | CAT II | Ubuntu 22.04 LTS must disable all wireless network adapters. | Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide
  • V-270665 | CAT I | Ubuntu 24.04 LTS must have SSH installed. | Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide
  • V-270666 | CAT I | Ubuntu 24.04 LTS must use SSH to protect the confidentiality and integrity of transmitted information. | Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide
  • V-270755 | CAT II | Ubuntu 24.04 LTS must disable all wireless network adapters. | Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide
  • V-206509 | CAT I | The Central Log Server must be configured to protect the confidentiality and integrity of transmitted information. | Central Log Server Security Requirements Guide
  • V-239954 | CAT II | The Cisco ASA must be configured to specify Perfect Forward Secrecy (PFS) for the IPsec Security Association (SA) during IKE Phase 2 negotiation. | Cisco ASA VPN Security Technical Implementation Guide
  • V-234565 | CAT I | Citrix Delivery Controller must implement DoD-approved encryption. | Citrix Virtual Apps and Desktop 7.x Delivery Controller Security Technical Implementation Guide
  • V-234226 | CAT II | Citrix License Server must protect the confidentiality and integrity of transmitted information. | Citrix Virtual Apps and Desktop 7.x License Server Security Technical Implementation Guide
  • V-234257 | CAT I | Citrix Linux Virtual Delivery Agent must implement DoD-approved encryption. | Citrix Virtual Apps and Desktop 7.x Linux Virtual Delivery Agent Security Technical Implementation Guide
  • V-234252 | CAT II | Citrix StoreFront server must accept Personal Identity Verification (PIV) credentials. | Citrix Virtual Apps and Desktop 7.x StoreFront Security Technical Implementation Guide
  • V-234253 | CAT I | Citrix Windows Virtual Delivery Agent must implement DoD-approved encryption. | Citrix Virtual Apps and Desktop 7.x Windows Virtual Delivery Agent Security Technical Implementation Guide
  • V-213204 | CAT II | XenDesktop License Server must protect the confidentiality and integrity of transmitted information. | Citrix XenDesktop 7.x License Server Security Technical Implementation Guide
  • V-213208 | CAT I | Citrix Receiver must implement DoD-approved encryption. | Citrix XenDesktop 7.x Receiver Security Technical Implementation Guide
  • V-213211 | CAT II | XenDesktop StoreFront must accept Personal Identity Verification (PIV) credentials. | Citrix XenDesktop 7.x StoreFront Security Technical Implementation Guide
  • V-213213 | CAT I | Citrix Windows Virtual Delivery Agent must implement DoD-approved encryption. | Citrix XenDesktop 7.x Windows VDA Security Technical Implementation Guide
  • V-269436 | CAT I | All AlmaLinux OS 9 networked systems must have the OpenSSH client installed. | Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
  • V-269441 | CAT II | AlmaLinux OS 9 wireless network adapters must be disabled. | Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
  • V-283456 | CAT I | AlmaLinux OS 9 must implement DOD-approved encryption in the bind package. | Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
  • V-233224 | CAT I | The application must protect the confidentiality and integrity of transmitted information. | Container Platform Security Requirements Guide
  • V-235776 | CAT II | TCP socket binding for all Docker Engine - Enterprise nodes in a Universal Control Plane (UCP) cluster must be disabled. | Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide
  • V-205216 | CAT I | The DNS server implementation must protect the integrity of transmitted information. | Domain Name System (DNS) Security Requirements Guide
  • V-259973 | CAT I | The Enterprise Voice, Video, and Messaging Endpoint must be configured to use FIPS-compliant algorithms for network traffic. | Enterprise Voice, Video, and Messaging Endpoint Security Requirements Guide
  • V-260034 | CAT I | The Enterprise Voice, Video, and Messaging Session Manager must be configured to protect the confidentiality and integrity of transmitted configuration files, signaling, and media streams. | Enterprise Voice, Video, and Messaging Session Management Security Requirements Guide
  • V-266288 | CAT II | The F5 BIG-IP appliance IPsec VPN Gateway must specify Perfect Forward Secrecy (PFS) during Internet Key Exchange (IKE) negotiation. | F5 BIG-IP TMOS VPN Security Technical Implementation Guide
  • V-278405 | CAT II | NGINX must be configured to use FIPS-approved algorithms to protect the confidentiality and integrity of transmitted information. | F5 NGINX Security Technical Implementation Guide
  • V-203748 | CAT I | The operating system must protect the confidentiality and integrity of transmitted information. | General Purpose Operating System Security Requirements Guide
  • V-252688 | CAT I | The operating system must protect the confidentiality and integrity of communications with wireless peripherals. | General Purpose Operating System Security Requirements Guide
  • V-255239 | CAT II | SSMC must employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions. | HPE 3PAR SSMC Operating System Security Technical Implementation Guide
  • V-255251 | CAT I | The SSMC web server must use cryptographic modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication. | HPE 3PAR SSMC Web Server Security Technical Implementation Guide
  • V-255253 | CAT I | SSMC web server must use encryption strength in accordance with the categorization of data hosted by the web server when remote connections are provided. | HPE 3PAR SSMC Web Server Security Technical Implementation Guide
  • V-237817 | CAT I | The CIM service must use DoD-approved encryption. | HPE 3PAR StoreServ 3.2.x Security Technical Implementation Guide
  • V-237818 | CAT I | DoD-approved encryption must be implemented to protect the confidentiality and integrity of remote access sessions, information during preparation for transmission, information during reception, and information during transmission in addition to enforcing replay-resistant authentication mechanisms for network access to privileged accounts. | HPE 3PAR StoreServ 3.2.x Security Technical Implementation Guide
  • V-255272 | CAT I | The HPE 3PAR OS must be configured to restrict the encryption algorithms and protocols to comply with DOD-approved encryption to protect the confidentiality and integrity of remote access sessions. | HPE 3PAR StoreServ 3.3.x Security Technical Implementation Guide
  • V-266982 | CAT I | AOS, when used as an IPsec VPN Gateway, must specify Perfect Forward Secrecy (PFS) during Internet Key Exchange (IKE) negotiation. | HPE Aruba Networking AOS VPN Security Technical Implementation Guide
  • V-266985 | CAT I | AOS, when used as an IPsec VPN Gateway, must use Advanced Encryption Standard (AES) encryption for the Internet Key Exchange (IKE) proposal to protect confidentiality of remote access sessions. | HPE Aruba Networking AOS VPN Security Technical Implementation Guide
  • V-215284 | CAT II | AIX must protect the confidentiality and integrity of transmitted information during preparation for transmission and maintain the confidentiality and integrity of information during reception and disable all non-encryption network access methods. | IBM AIX 7.x Security Technical Implementation Guide
  • V-255810 | CAT II | The MQ Appliance messaging server must protect the confidentiality and integrity of transmitted information through the use of an approved TLS version. | IBM MQ Appliance V9.0 AS Security Technical Implementation Guide
  • V-255811 | CAT II | The MQ Appliance messaging server must remove all export ciphers to protect the confidentiality and integrity of transmitted information. | IBM MQ Appliance V9.0 AS Security Technical Implementation Guide
  • V-250339 | CAT I | The WebSphere Liberty Server must use FIPS 140-2 approved encryption modules when authenticating users and processes. | IBM WebSphere Liberty Server Security Technical Implementation Guide
  • V-250347 | CAT II | The WebSphere Liberty Server must remove all export ciphers to protect the confidentiality and integrity of transmitted information. | IBM WebSphere Liberty Server Security Technical Implementation Guide
  • V-283668 | CAT I | The WebSphere Liberty Server must use FIPS 140-3-approved encryption modules when authenticating users and processes. | IBM WebSphere Liberty Server Security Technical Implementation Guide
  • V-255875 | CAT II | The WebSphere Application Server must utilize FIPS 140-2-approved encryption modules when authenticating users and processes. | IBM WebSphere Traditional V9.x Security Technical Implementation Guide
  • V-255888 | CAT II | The WebSphere Application Server must remove all export ciphers to protect the confidentiality and integrity of transmitted information. | IBM WebSphere Traditional V9.x Security Technical Implementation Guide
  • V-283677 | CAT II | The WebSphere Application Server must use FIPS 140-3-approved encryption modules when authenticating users and processes. | IBM WebSphere Traditional V9.x Security Technical Implementation Guide
  • V-223610 | CAT II | IBM z/OS SSL encryption options for the TN3270 Telnet Server must be specified properly for each statement that defines a SECUREPORT or within the TELNETGLOBALS. | IBM z/OS ACF2 Security Technical Implementation Guide
  • V-223831 | CAT II | IBM z/OS SSL encryption options for the TN3270 Telnet Server must be specified properly for each statement that defines a SECUREPORT or within the TELNETGLOBALS. | IBM z/OS RACF Security Technical Implementation Guide
  • V-224067 | CAT II | IBM z/OS SSL encryption options for the TN3270 Telnet server must be specified properly for each statement that defines a SECUREPORT or within the TELNETGLOBALS. | IBM z/OS TSS Security Technical Implementation Guide
  • V-224772 | CAT II | The ISEC7 SPHERE must protect the confidentiality and integrity of transmitted information during preparation for transmission and during reception using cryptographic mechanisms. | ISEC7 Sphere Security Technical Implementation Guide
  • V-224786 | CAT II | The ISEC7 SPHERE must configure Enable HTTPS to use HTTP over SSL in Apache Tomcat. | ISEC7 Sphere Security Technical Implementation Guide
  • V-224792 | CAT II | SSL must be enabled on Apache Tomcat. | ISEC7 Sphere Security Technical Implementation Guide
  • V-224793 | CAT II | Tomcat SSL must be restricted except for ISEC7 SPHERE tasks. | ISEC7 Sphere Security Technical Implementation Guide
  • V-214195 | CAT II | The Infoblox system must be configured to must protect the integrity of transmitted information. | Infoblox 7.x DNS Security Technical Implementation Guide
  • V-233923 | CAT II | The Infoblox DNS service member must protect the integrity of transmitted information. | Infoblox 8.x DNS Security Technical Implementation Guide
  • V-258586 | CAT I | The ICS must be configured to use TLS 1.2, at a minimum. | Ivanti Connect Secure VPN Security Technical Implementation Guide
  • V-213547 | CAT II | JBoss must be configured to use an approved TLS version. | JBoss Enterprise Application Platform 6.3 Security Technical Implementation Guide
  • V-241818 | CAT I | The Jamf Pro EMM server must connect to [Authentication Gateway Service (AGS)] with an authenticated and secure (encrypted) connection to protect the confidentiality and integrity of transmitted information. | Jamf Pro v10.x EMM Security Technical Implementation Guide
  • V-221259 | CAT I | Exchange must provide redundancy. | Microsoft Exchange 2016 Edge Transport Server Security Technical Implementation Guide
  • V-221261 | CAT I | Exchange internal Receive connectors must require encryption. | Microsoft Exchange 2016 Edge Transport Server Security Technical Implementation Guide
  • V-221262 | CAT I | Exchange internal Send connectors must require encryption. | Microsoft Exchange 2016 Edge Transport Server Security Technical Implementation Guide
  • V-259640 | CAT I | Exchange must provide redundancy. | Microsoft Exchange 2019 Edge Server Security Technical Implementation Guide
  • V-259641 | CAT I | Exchange internal Receive connectors must require encryption. | Microsoft Exchange 2019 Edge Server Security Technical Implementation Guide
  • V-259642 | CAT I | Exchange internal Send connectors must require encryption. | Microsoft Exchange 2019 Edge Server Security Technical Implementation Guide
  • V-259710 | CAT I | The application must protect the confidentiality and integrity of transmitted information. | Microsoft Exchange 2019 Mailbox Server Security Technical Implementation Guide
  • V-218820 | CAT II | IIS 10.0 web server session IDs must be sent to the client using TLS. | Microsoft IIS 10.0 Server Security Technical Implementation Guide
  • V-218821 | CAT I | An IIS 10.0 web server must maintain the confidentiality of controlled information during transmission through the use of an approved Transport Layer Security (TLS) version. | Microsoft IIS 10.0 Server Security Technical Implementation Guide
  • V-218822 | CAT II | The IIS 10.0 web server must maintain the confidentiality of controlled information during transmission through the use of an approved Transport Layer Security (TLS) version. | Microsoft IIS 10.0 Server Security Technical Implementation Guide
  • V-218769 | CAT II | IIS 10.0 website session IDs must be sent to the client using TLS. | Microsoft IIS 10.0 Site Security Technical Implementation Guide
  • V-218770 | CAT II | Cookies exchanged between the IIS 10.0 website and the client must have cookie properties set to prohibit client-side scripts from reading the cookie data. | Microsoft IIS 10.0 Site Security Technical Implementation Guide
  • V-220914 | CAT II | Outgoing secure channel traffic must be encrypted or signed. | Microsoft Windows 10 Security Technical Implementation Guide
  • V-220915 | CAT II | Outgoing secure channel traffic must be encrypted when possible. | Microsoft Windows 10 Security Technical Implementation Guide
  • V-220916 | CAT II | Outgoing secure channel traffic must be signed when possible. | Microsoft Windows 10 Security Technical Implementation Guide
  • V-220919 | CAT II | The system must be configured to require a strong session key. | Microsoft Windows 10 Security Technical Implementation Guide
  • V-220925 | CAT II | The Windows SMB client must be configured to always perform SMB packet signing. | Microsoft Windows 10 Security Technical Implementation Guide
  • V-220927 | CAT II | The Windows SMB server must be configured to always perform SMB packet signing. | Microsoft Windows 10 Security Technical Implementation Guide
  • V-253364 | CAT II | Simultaneous connections to the internet or a Windows domain must be limited. | Microsoft Windows 11 Security Technical Implementation Guide
  • V-253438 | CAT II | Outgoing secure channel traffic must be encrypted or signed. | Microsoft Windows 11 Security Technical Implementation Guide
  • V-253439 | CAT II | Outgoing secure channel traffic must be encrypted. | Microsoft Windows 11 Security Technical Implementation Guide
  • V-253440 | CAT II | Outgoing secure channel traffic must be signed. | Microsoft Windows 11 Security Technical Implementation Guide
  • V-253443 | CAT II | The system must be configured to require a strong session key. | Microsoft Windows 11 Security Technical Implementation Guide
  • V-253449 | CAT II | The Windows SMB client must be configured to always perform SMB packet signing. | Microsoft Windows 11 Security Technical Implementation Guide
  • V-253451 | CAT II | The Windows SMB server must be configured to always perform SMB packet signing. | Microsoft Windows 11 Security Technical Implementation Guide
  • V-215634 | CAT II | The Windows 2012 DNS Server must protect the integrity of transmitted information. | Microsoft Windows 2012 Server Domain Name System Security Technical Implementation Guide
  • V-224995 | CAT II | Domain controllers must require LDAP access signing. | Microsoft Windows Server 2016 Security Technical Implementation Guide
  • V-225029 | CAT II | The setting Domain member: Digitally encrypt or sign secure channel data (always) must be configured to Enabled. | Microsoft Windows Server 2016 Security Technical Implementation Guide
  • V-225030 | CAT II | The setting Domain member: Digitally encrypt secure channel data (when possible) must be configured to enabled. | Microsoft Windows Server 2016 Security Technical Implementation Guide
  • V-225031 | CAT II | The setting Domain member: Digitally sign secure channel data (when possible) must be configured to Enabled. | Microsoft Windows Server 2016 Security Technical Implementation Guide
  • V-225034 | CAT II | Windows Server 2016 must be configured to require a strong session key. | Microsoft Windows Server 2016 Security Technical Implementation Guide
  • V-225039 | CAT II | The setting Microsoft network client: Digitally sign communications (always) must be configured to Enabled. | Microsoft Windows Server 2016 Security Technical Implementation Guide
  • V-225040 | CAT II | The setting Microsoft network client: Digitally sign communications (if server agrees) must be configured to Enabled. | Microsoft Windows Server 2016 Security Technical Implementation Guide
  • V-225042 | CAT II | The setting Microsoft network server: Digitally sign communications (always) must be configured to Enabled. | Microsoft Windows Server 2016 Security Technical Implementation Guide
  • V-225043 | CAT II | The setting Microsoft network server: Digitally sign communications (if client agrees) must be configured to Enabled. | Microsoft Windows Server 2016 Security Technical Implementation Guide
  • V-205820 | CAT II | Windows Server 2019 domain controllers must require LDAP access signing. | Microsoft Windows Server 2019 Security Technical Implementation Guide
  • V-205821 | CAT II | Windows Server 2019 setting Domain member: Digitally encrypt or sign secure channel data (always) must be configured to Enabled. | Microsoft Windows Server 2019 Security Technical Implementation Guide
  • V-205822 | CAT II | Windows Server 2019 setting Domain member: Digitally encrypt secure channel data (when possible) must be configured to enabled. | Microsoft Windows Server 2019 Security Technical Implementation Guide
  • V-205823 | CAT II | Windows Server 2019 setting Domain member: Digitally sign secure channel data (when possible) must be configured to Enabled. | Microsoft Windows Server 2019 Security Technical Implementation Guide
  • V-205824 | CAT II | Windows Server 2019 must be configured to require a strong session key. | Microsoft Windows Server 2019 Security Technical Implementation Guide
  • V-205825 | CAT II | Windows Server 2019 setting Microsoft network client: Digitally sign communications (always) must be configured to Enabled. | Microsoft Windows Server 2019 Security Technical Implementation Guide
  • V-205826 | CAT II | Windows Server 2019 setting Microsoft network client: Digitally sign communications (if server agrees) must be configured to Enabled. | Microsoft Windows Server 2019 Security Technical Implementation Guide
  • V-205827 | CAT II | Windows Server 2019 setting Microsoft network server: Digitally sign communications (always) must be configured to Enabled. | Microsoft Windows Server 2019 Security Technical Implementation Guide
  • V-205828 | CAT II | Windows Server 2019 setting Microsoft network server: Digitally sign communications (if client agrees) must be configured to Enabled. | Microsoft Windows Server 2019 Security Technical Implementation Guide
  • V-254416 | CAT II | Windows Server 2022 domain controllers must require LDAP access signing. | Microsoft Windows Server 2022 Security Technical Implementation Guide
  • V-254450 | CAT II | Windows Server 2022 setting Domain member: Digitally encrypt or sign secure channel data (always) must be configured to Enabled. | Microsoft Windows Server 2022 Security Technical Implementation Guide
  • V-254451 | CAT II | Windows Server 2022 setting Domain member: Digitally encrypt secure channel data (when possible) must be configured to Enabled. | Microsoft Windows Server 2022 Security Technical Implementation Guide
  • V-254452 | CAT II | Windows Server 2022 setting Domain member: Digitally sign secure channel data (when possible) must be configured to Enabled. | Microsoft Windows Server 2022 Security Technical Implementation Guide
  • V-254455 | CAT II | Windows Server 2022 must be configured to require a strong session key. | Microsoft Windows Server 2022 Security Technical Implementation Guide
  • V-254460 | CAT II | Windows Server 2022 setting Microsoft network client: Digitally sign communications (always) must be configured to Enabled. | Microsoft Windows Server 2022 Security Technical Implementation Guide
  • V-254461 | CAT II | Windows Server 2022 setting Microsoft network client: Digitally sign communications (if server agrees) must be configured to Enabled. | Microsoft Windows Server 2022 Security Technical Implementation Guide
  • V-254463 | CAT II | Windows Server 2022 setting Microsoft network server: Digitally sign communications (always) must be configured to Enabled. | Microsoft Windows Server 2022 Security Technical Implementation Guide
  • V-254464 | CAT II | Windows Server 2022 setting Microsoft network server: Digitally sign communications (if client agrees) must be configured to Enabled. | Microsoft Windows Server 2022 Security Technical Implementation Guide
  • V-278163 | CAT II | Windows Server 2025 domain controllers must require LDAP access signing. | Microsoft Windows Server 2025 Security Technical Implementation Guide
  • V-278200 | CAT II | The Windows Server 2025 setting Domain member: Digitally encrypt or sign secure channel data (always) must be configured to Enabled. | Microsoft Windows Server 2025 Security Technical Implementation Guide
  • V-278201 | CAT II | Windows Server 2025 setting Domain member: Digitally encrypt secure channel data (when possible) must be configured to Enabled. | Microsoft Windows Server 2025 Security Technical Implementation Guide
  • V-278202 | CAT II | The Windows Server 2025 setting Domain member: Digitally sign secure channel data (when possible) must be configured to Enabled. | Microsoft Windows Server 2025 Security Technical Implementation Guide
  • V-278205 | CAT II | Windows Server 2025 must be configured to require a strong session key. | Microsoft Windows Server 2025 Security Technical Implementation Guide
  • V-278210 | CAT II | The Windows Server 2025 setting Microsoft network client: Digitally sign communications (always) must be configured to Enabled. | Microsoft Windows Server 2025 Security Technical Implementation Guide
  • V-278211 | CAT II | The Windows Server 2025 setting Microsoft network client: Digitally sign communications (if server agrees) must be configured to Enabled. | Microsoft Windows Server 2025 Security Technical Implementation Guide
  • V-278213 | CAT II | The Windows Server 2025 setting Microsoft network server: Digitally sign communications (always) must be configured to Enabled. | Microsoft Windows Server 2025 Security Technical Implementation Guide
  • V-278214 | CAT II | The Windows Server 2025 setting Microsoft network server: Digitally sign communications (if client agrees) must be configured to Enabled. | Microsoft Windows Server 2025 Security Technical Implementation Guide
  • V-259397 | CAT I | The Windows DNS Server must protect the integrity of transmitted information. | Microsoft Windows Server Domain Name System (DNS) Security Technical Implementation Guide
  • V-260908 | CAT I | FIPS mode must be enabled. | Mirantis Kubernetes Engine Security Technical Implementation Guide
  • V-251349 | CAT I | Tunneling of classified traffic across an unclassified IP transport network or service provider backbone must be documented in the enclaves security authorization package and an Approval to Connect (ATC), or an Interim ATC must be issued by DISA prior to implementation. | Network Infrastructure Policy Security Technical Implementation Guide
  • V-251350 | CAT I | DSAWG approval must be obtained before tunneling classified traffic outside the components local area network boundaries across a non-DISN or OCONUS DISN unclassified IP wide area network transport infrastructure. | Network Infrastructure Policy Security Technical Implementation Guide
  • V-251351 | CAT I | Tunneling of classified traffic across an unclassified IP transport network must employ cryptographic algorithms in accordance with CNSS Policy No. 15. | Network Infrastructure Policy Security Technical Implementation Guide
  • V-254229 | CAT II | Nutanix AOS must protect the confidentiality and integrity of transmitted information. | Nutanix AOS 5.20.x OS Security Technical Implementation Guide
  • V-279535 | CAT I | Nutanix OS must implement cryptography to protect the integrity of remote access session by setting the systemwide policy to use FIPS mode. | Nutanix Acropolis GPOS Security Technical Implementation Guide
  • V-279627 | CAT I | Nutanix OS must protect the confidentiality and integrity of communications with wireless peripherals. | Nutanix Acropolis GPOS Security Technical Implementation Guide
  • V-221520 | CAT I | OHS must have the LoadModule ossl_module directive enabled to prevent unauthorized disclosure of information during transmission. | Oracle HTTP Server 12.1.3 Security Technical Implementation Guide
  • V-221521 | CAT I | OHS must have the SSLFIPS directive enabled to prevent unauthorized disclosure of information during transmission. | Oracle HTTP Server 12.1.3 Security Technical Implementation Guide
  • V-221522 | CAT I | OHS must have the SSLEngine, SSLProtocol, SSLWallet directives enabled and configured to prevent unauthorized disclosure of information during transmission. | Oracle HTTP Server 12.1.3 Security Technical Implementation Guide
  • V-221523 | CAT I | OHS must have the SSLCipherSuite directive enabled to prevent unauthorized disclosure of information during transmission. | Oracle HTTP Server 12.1.3 Security Technical Implementation Guide
  • V-221524 | CAT II | If using the WebLogic Web Server Proxy Plugin and configuring end-to-end SSL, OHS must have the SecureProxy directive enabled to prevent unauthorized disclosure of information during transmission. | Oracle HTTP Server 12.1.3 Security Technical Implementation Guide
  • V-221525 | CAT II | OHS must have the WLSSLWallet directive enabled to prevent unauthorized disclosure of information during transmission. | Oracle HTTP Server 12.1.3 Security Technical Implementation Guide
  • V-221526 | CAT II | If using the WebLogic Web Server Proxy Plugin and configuring end-to-end SSL, OHS must have the WebLogicSSLVersion directive enabled to prevent unauthorized disclosure of information during transmission. | Oracle HTTP Server 12.1.3 Security Technical Implementation Guide
  • V-221527 | CAT II | If using the WebLogic Web Server Proxy Plugin and configuring SSL termination at OHS, OHS must have the WLProxySSL directive enabled to prevent unauthorized disclosure of information during transmission. | Oracle HTTP Server 12.1.3 Security Technical Implementation Guide
  • V-221528 | CAT II | OHS must have the LoadModule ossl_module directive enabled to maintain the confidentiality of controlled information during transmission through the use of an approved TLS version. | Oracle HTTP Server 12.1.3 Security Technical Implementation Guide
  • V-221529 | CAT II | OHS must have the SSLFIPS directive enabled to maintain the confidentiality of controlled information during transmission through the use of an approved TLS version. | Oracle HTTP Server 12.1.3 Security Technical Implementation Guide
  • V-221530 | CAT II | OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to maintain the confidentiality of controlled information during transmission through the use of an approved TLS version. | Oracle HTTP Server 12.1.3 Security Technical Implementation Guide
  • V-221531 | CAT II | OHS must have the SSLCipherSuite directive enabled to maintain the confidentiality of controlled information during transmission through the use of an approved TLS version. | Oracle HTTP Server 12.1.3 Security Technical Implementation Guide
  • V-221847 | CAT II | The Oracle Linux operating system must be configured so that all networked systems have SSH installed. | Oracle Linux 7 Security Technical Implementation Guide
  • V-221848 | CAT II | The Oracle Linux operating system must be configured so that all networked systems use SSH for confidentiality and integrity of transmitted and received information as well as information during preparation for transmission. | Oracle Linux 7 Security Technical
Implementation GuideV-248524CAT IOL 8 must implement NIST FIPS-validated cryptography for the following: To provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.Oracle Linux 8 Security Technical Implementation GuideV-248842CAT IIOL 8 wireless network adapters must be disabled.Oracle Linux 8 Security Technical Implementation GuideV-248843CAT IIOL 8 Bluetooth must be disabled.Oracle Linux 8 Security Technical Implementation GuideV-248866CAT IIAll OL 8 networked systems must have SSH installed.Oracle Linux 8 Security Technical Implementation GuideV-248867CAT IIAll OL 8 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission.Oracle Linux 8 Security Technical Implementation GuideV-283446CAT IOL 8 must implement NIST FIPS-validated cryptography for the following: To provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.Oracle Linux 8 Security Technical Implementation GuideV-283451CAT IOL 8 must implement DOD-approved encryption in the bind package.Oracle Linux 8 Security Technical Implementation GuideV-271454CAT IOL 9 must enable FIPS mode.Oracle Linux 9 Security Technical Implementation GuideV-271482CAT IIOL 9 networked systems must have SSH installed.Oracle Linux 9 Security Technical Implementation GuideV-271483CAT IIOL 9 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission.Oracle Linux 9 Security Technical Implementation GuideV-271705CAT IIOL 9 must 
force a frequent session key renegotiation for SSH connections to the server.Oracle Linux 9 Security Technical Implementation GuideV-271759CAT IOL 9 must implement DOD-approved encryption in the bind package.Oracle Linux 9 Security Technical Implementation GuideV-271859CAT IIOL 9 wireless network adapters must be disabled.Oracle Linux 9 Security Technical Implementation GuideV-253548CAT IPrisma Cloud Compute must protect the confidentiality and integrity of transmitted information.Palo Alto Networks Prisma Cloud Compute Security Technical Implementation GuideV-281001CAT IIRHEL 10 must have a Secure Shell (SSH) server installed for all networked systems.Red Hat Enterprise Linux 10 Security Technical Implementation GuideV-281002CAT IIRHEL 10 must, for all networked systems, have and implement Secure Shell (SSH) to protect the confidentiality and integrity of transmitted and received information.Red Hat Enterprise Linux 10 Security Technical Implementation Guide