STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.


CCI-004046

Definition

Implement multi-factor authentication for local; network; and/or remote access to privileged accounts; and/or non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access.

Parent Control

IA-2 (6) | Identification and Authentication (Organizational Users) | Identification and Authentication

Linked STIG Checks (100)

  • V-274034 | CAT II | Amazon Linux 2023 must have the pcsc-lite package installed. | Amazon Linux 2023 Security Technical Implementation Guide
  • V-274036 | CAT II | Amazon Linux 2023 must have the opensc package installed. | Amazon Linux 2023 Security Technical Implementation Guide
  • V-274037 | CAT II | Amazon Linux 2023 must have the openssl-pkcs11 package installed. | Amazon Linux 2023 Security Technical Implementation Guide
  • V-274059 | CAT II | Amazon Linux 2023 must enable certificate-based smart card authentication. | Amazon Linux 2023 Security Technical Implementation Guide
  • V-274061 | CAT II | Amazon Linux 2023 must implement certificate status checking for multifactor authentication. | Amazon Linux 2023 Security Technical Implementation Guide
  • V-274181 | CAT II | Amazon Linux 2023 must ensure the pcscd service is active. | Amazon Linux 2023 Security Technical Implementation Guide
  • V-268177 | CAT II | NixOS must implement multifactor authentication for remote access to privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access. | Anduril NixOS Security Technical Implementation Guide
  • V-222993 | CAT II | Multifactor certificate-based tokens (CAC) must be used when accessing the management interface. | Apache Tomcat Application Server 9 Security Technical Implementation Guide
  • V-268477 | CAT I | The macOS system must disable password authentication for SSH. | Apple macOS 15 (Sequoia) Security Technical Implementation Guide
  • V-268542 | CAT II | The macOS system must enforce smart card authentication. | Apple macOS 15 (Sequoia) Security Technical Implementation Guide
  • V-277084 | CAT I | The macOS system must disable password authentication for SSH. | Apple macOS 26 (Tahoe) Security Technical Implementation Guide
  • V-277150 | CAT II | The macOS system must enforce smart card authentication. | Apple macOS 26 (Tahoe) Security Technical Implementation Guide
  • V-204998 | CAT II | The ALG providing user authentication intermediary services must implement multifactor authentication for remote access to nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access. | Application Layer Gateway Security Requirements Guide
  • V-204999 | CAT II | The ALG providing user authentication intermediary services must implement multifactor authentication for remote access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access. | Application Layer Gateway Security Requirements Guide
  • V-263551 | CAT II | The application server must implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access. | Application Server Security Requirements Guide
  • V-272627 | CAT III | CylanceON-PREM must be configured to use a third-party identity provider. | Arctic Wolf CylanceON-PREM Security Technical Implementation Guide
  • V-276012 | CAT I | Ax-OS must have no local accounts for the user interface. | Axonius Federal Systems Ax-OS Security Technical Implementation Guide
  • V-238230 | CAT II | The Ubuntu operating system must implement multifactor authentication for remote access to privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access. | Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide
  • V-274853 | CAT II | Ubuntu 20.04 LTS must have the "SSSD" package installed. | Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide
  • V-274854 | CAT II | Ubuntu 20.04 LTS must use the "SSSD" package for multifactor authentication services. | Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide
  • V-260573 | CAT II | Ubuntu 22.04 LTS must implement multifactor authentication for remote access to privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access. | Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide
  • V-274864 | CAT II | Ubuntu 22.04 LTS must have the "SSSD" package installed. | Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide
  • V-274866 | CAT II | Ubuntu 22.04 LTS must use the "SSSD" package for multifactor authentication services. | Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide
  • V-270662 | CAT II | Ubuntu 24.04 LTS must have the "SSSD" package installed. | Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide
  • V-270663 | CAT II | Ubuntu 24.04 LTS must use the "SSSD" package for multifactor authentication services. | Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide
  • V-206464 | CAT II | The Central Log Server must be configured to use multifactor authentication for network access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access. | Central Log Server Security Requirements Guide
  • V-242633 | CAT II | The Cisco ISE must be configured to use an external authentication server to authenticate administrators prior to granting administrative access. | Cisco ISE NDM Security Technical Implementation Guide
  • V-269368 | CAT II | AlmaLinux OS 9 must have the opensc package installed. | Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
  • V-269369 | CAT II | The pcscd socket on AlmaLinux OS 9 must be active. | Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
  • V-269370 | CAT II | AlmaLinux OS 9 must have the pcsc-lite package installed. | Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
  • V-269371 | CAT II | AlmaLinux OS 9 must implement certificate status checking for multifactor authentication. | Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
  • V-269372 | CAT II | AlmaLinux OS 9 must enable certificate based smart card authentication. | Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
  • V-269373 | CAT II | AlmaLinux OS 9 must have the openssl-pkcs11 package installed. | Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
  • V-263589 | CAT II | The container platform must implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access. | Container Platform Security Requirements Guide
  • V-263608 | CAT II | The DBMS must implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access. | Database Security Requirements Guide
  • V-269779 | CAT I | The Dell OS10 Switch must be configured to use DOD PKI as multifactor authentication (MFA) for interactive logins. | Dell OS10 Switch NDM Security Technical Implementation Guide
  • V-263630 | CAT II | The DNS server implementation must implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access. | Domain Name System (DNS) Security Requirements Guide
  • V-230952 | CAT II | Forescout must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access. | Forescout Network Device Management Security Technical Implementation Guide
  • V-203727 | CAT II | The operating system must implement multifactor authentication for remote access to privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access. | General Purpose Operating System Security Requirements Guide
  • V-268237 | CAT I | The HYCU virtual appliance must be configured to use DOD PKI as multifactor authentication (MFA) for interactive logins. | HYCU Protege Security Technical Implementation Guide
  • V-215436 | CAT II | The AIX operating system must use Multi Factor Authentication. | IBM AIX 7.x Security Technical Implementation Guide
  • V-258600 | CAT I | The ICS must be configured to prevent nonprivileged users from executing privileged functions. | Ivanti Connect Secure NDM Security Technical Implementation Guide
  • V-251031 | CAT II | The Sentry providing mobile device authentication intermediary services must implement multifactor authentication for remote access to nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access. | Ivanti Sentry 9.x ALG Security Technical Implementation Guide
  • V-253941 | CAT I | The Juniper EX switch must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access. | Juniper EX Series Switches Network Device Management Security Technical Implementation Guide
  • V-223206 | CAT II | The Juniper SRX Services Gateway must be configured to use an authentication server to centrally manage authentication and logon settings for remote and nonlocal access. | Juniper SRX Services Gateway NDM Security Technical Implementation Guide
  • V-263673 | CAT II | The Mainframe Product must implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access. | Mainframe Product Security Requirements Guide
  • V-270233 | CAT I | Microsoft Entra ID must be configured to use multifactor authentication (MFA). | Microsoft Entra ID Security Technical Implementation Guide
  • V-278162 | CAT II | Windows Server 2025 Active Directory (AD) user accounts, including administrators, must be configured to require the use of a common access card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication. | Microsoft Windows Server 2025 Security Technical Implementation Guide
  • V-264294 | CAT II | The network device must be configured to implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access. | Network Device Management Security Requirements Guide
  • V-279434 | CAT I | Nutanix AOS must use multifactor authentication for access to privileged and nonprivileged accounts by enabling common access card (CAC) authentication. | Nutanix Acropolis Application Server Security Technical Implementation Guide
  • V-279439 | CAT II | Nutanix AOS must use multifactor authentication (MFA) for access to privileged and nonprivileged accounts by enabling client authentication. | Nutanix Acropolis Application Server Security Technical Implementation Guide
  • V-273193 | CAT I | The Okta Admin Console application must be configured to use multifactor authentication. | Okta Identity as a Service (IDaaS) Security Technical Implementation Guide
  • V-273194 | CAT I | The Okta Dashboard application must be configured to use multifactor authentication. | Okta Identity as a Service (IDaaS) Security Technical Implementation Guide
  • V-221658 | CAT II | The Oracle Linux operating system must uniquely identify and must authenticate users using multifactor authentication via a graphical user logon. | Oracle Linux 7 Security Technical Implementation Guide
  • V-221895 | CAT II | The Oracle Linux operating system must have the required packages for multifactor authentication installed. | Oracle Linux 7 Security Technical Implementation Guide
  • V-221896 | CAT II | The Oracle Linux operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM). | Oracle Linux 7 Security Technical Implementation Guide
  • V-221897 | CAT II | The Oracle Linux operating system must implement certificate status checking for PKI authentication. | Oracle Linux 7 Security Technical Implementation Guide
  • V-248586 | CAT III | OL 8 must have the package required for multifactor authentication installed. | Oracle Linux 8 Security Technical Implementation Guide
  • V-248587 | CAT II | OL 8 must implement certificate status checking for multifactor authentication. | Oracle Linux 8 Security Technical Implementation Guide
  • V-271491 | CAT II | OL 9 must have the openssl-pkcs11 package installed. | Oracle Linux 9 Security Technical Implementation Guide
  • V-271493 | CAT II | OL 9 must have the SSSD package installed. | Oracle Linux 9 Security Technical Implementation Guide
  • V-271494 | CAT II | OL 9 must use the SSSD package for multifactor authentication services. | Oracle Linux 9 Security Technical Implementation Guide
  • V-271514 | CAT II | OL 9 must have the pcsc-lite package installed. | Oracle Linux 9 Security Technical Implementation Guide
  • V-271515 | CAT II | OL 9 must have the opensc package installed. | Oracle Linux 9 Security Technical Implementation Guide
  • V-271516 | CAT II | OL 9 must be configured so that the pcscd service is active. | Oracle Linux 9 Security Technical Implementation Guide
  • V-271607 | CAT II | OL 9 must enable certificate-based smart card authentication. | Oracle Linux 9 Security Technical Implementation Guide
  • V-271608 | CAT II | OL 9 must implement certificate status checking for multifactor authentication (MFA). | Oracle Linux 9 Security Technical Implementation Guide
  • V-280972 | CAT II | RHEL 10 must have the "pcsc-lite" package installed. | Red Hat Enterprise Linux 10 Security Technical Implementation Guide
  • V-280973 | CAT II | RHEL 10 must have the "pcscd" service set to active. | Red Hat Enterprise Linux 10 Security Technical Implementation Guide
  • V-280974 | CAT II | RHEL 10 must have the "pcsc-lite-ccid" package installed. | Red Hat Enterprise Linux 10 Security Technical Implementation Guide
  • V-280975 | CAT II | RHEL 10 must have the "opensc" package installed. | Red Hat Enterprise Linux 10 Security Technical Implementation Guide
  • V-281005 | CAT II | RHEL 10 must have the "pkcs11-provider" package installed. | Red Hat Enterprise Linux 10 Security Technical Implementation Guide
  • V-281324 | CAT II | RHEL 10 must enable certificate-based smart card authentication. | Red Hat Enterprise Linux 10 Security Technical Implementation Guide
  • V-281325 | CAT II | RHEL 10 must implement certificate status checking for multifactor authentication. | Red Hat Enterprise Linux 10 Security Technical Implementation Guide
  • V-230273 | CAT II | RHEL 8 must have the packages required for multifactor authentication installed. | Red Hat Enterprise Linux 8 Security Technical Implementation Guide
  • V-230274 | CAT II | RHEL 8 must implement certificate status checking for multifactor authentication. | Red Hat Enterprise Linux 8 Security Technical Implementation Guide
  • V-257838 | CAT II | RHEL 9 must have the openssl-pkcs11 package installed. | Red Hat Enterprise Linux 9 Security Technical Implementation Guide
  • V-258122 | CAT II | RHEL 9 must enable certificate based smart card authentication. | Red Hat Enterprise Linux 9 Security Technical Implementation Guide
  • V-258123 | CAT II | RHEL 9 must implement certificate status checking for multifactor authentication. | Red Hat Enterprise Linux 9 Security Technical Implementation Guide
  • V-258124 | CAT II | RHEL 9 must have the pcsc-lite package installed. | Red Hat Enterprise Linux 9 Security Technical Implementation Guide
  • V-258125 | CAT II | The pcscd service on RHEL 9 must be active. | Red Hat Enterprise Linux 9 Security Technical Implementation Guide
  • V-258126 | CAT II | RHEL 9 must have the opensc package installed. | Red Hat Enterprise Linux 9 Security Technical Implementation Guide
  • V-275461 | CAT I | The Riverbed NetIM must be configured to use an authentication server configured for multifactor authentication (MFA) using DOD PKI for the purpose of authenticating users prior to granting administrative access. | Riverbed NetIM NDM Security Technical Implementation Guide
  • V-256093 | CAT I | The Riverbed NetProfiler must be configured to use an authentication server to authenticate users prior to granting administrative access. | Riverbed NetProfiler Security Technical Implementation Guide
  • V-217299 | CAT II | The SUSE operating system must have the packages required for multifactor authentication to be installed. | SUSE Linux Enterprise Server 12 Security Technical Implementation Guide
  • V-217300 | CAT II | The SUSE operating system must implement certificate status checking for multifactor authentication. | SUSE Linux Enterprise Server 12 Security Technical Implementation Guide
  • V-217301 | CAT II | The SUSE operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM). | SUSE Linux Enterprise Server 12 Security Technical Implementation Guide
  • V-279167 | CAT II | The Edge SWG must implement multifactor authentication for remote access to nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access. | Symantec Edge SWG ALG Security Technical Implementation Guide
  • V-279251 | CAT I | The Edge SWG must be configured to use at least two authentication servers for the purpose of authenticating users prior to granting administrative access. | Symantec Edge SWG NDM Security Technical Implementation Guide
  • V-253821 | CAT I | Multifactor authentication must be enabled on the Tanium Server for network access with privileged accounts. | Tanium 7.x Security Technical Implementation Guide
  • V-253828 | CAT II | Multifactor authentication must be enabled and enforced on the Tanium Server for all access and all accounts. | Tanium 7.x Security Technical Implementation Guide
  • V-242254 | CAT I | The TippingPoint SMS must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access and to enforce access restrictions. | Trend Micro TippingPoint NDM Security Technical Implementation Guide
  • V-252932 | CAT II | TOSS must have the packages required for multifactor authentication installed. | Tri-Lab Operating System Stack (TOSS) 4 Security Technical Implementation Guide
  • V-282591 | CAT II | TOSS 5 must have the pcsc-lite package installed. | Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide
  • V-282592 | CAT II | TOSS 5 must have the opensc package installed. | Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide
  • V-234361 | CAT II | The UEM server must be configured to use DOD PKI for multifactor authentication. This requirement is included in SRG-APP-000149. | Unified Endpoint Management Server Security Requirements Guide
  • V-207480 | CAT II | The VMM must implement multifactor authentication for remote access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access. | Virtual Machine Manager Security Requirements Guide
  • V-207210 | CAT II | The VPN Client must implement multifactor authentication for network access to nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access. | Virtual Private Network (VPN) Security Requirements Guide
  • V-264343 | CAT II | The web server must implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access. | Web Server Security Requirements Guide
  • V-269574 | CAT I | Xylok Security Suite must use a centralized user management solution. | Xylok Security Suite 20.x Security Technical Implementation Guide