STIGhub

CCI-004047

Definition

Implement multi-factor authentication for local; network; and/or remote access to privileged accounts; and/or non-privileged accounts such that the device meets organization-defined strength of mechanism requirements.

Parent Control

IA-2 (6) | Identification and Authentication (Organizational Users) | Identification and Authentication

Linked STIG Checks (61)

V-274059 | CAT II | Amazon Linux 2023 must enable certificate-based smart card authentication. | Amazon Linux 2023 Security Technical Implementation Guide
V-268177 | CAT II | NixOS must implement multifactor authentication for remote access to privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access. | Anduril NixOS Security Technical Implementation Guide
V-222993 | CAT II | Multifactor certificate-based tokens (CAC) must be used when accessing the management interface. | Apache Tomcat Application Server 9 Security Technical Implementation Guide
V-268542 | CAT II | The macOS system must enforce smart card authentication. | Apple macOS 15 (Sequoia) Security Technical Implementation Guide
V-268544 | CAT II | The macOS system must enforce multifactor authentication for login. | Apple macOS 15 (Sequoia) Security Technical Implementation Guide
V-268545 | CAT II | The macOS system must enforce multifactor authentication for the su command. | Apple macOS 15 (Sequoia) Security Technical Implementation Guide
V-268546 | CAT II | The macOS system must enforce multifactor authentication for privilege escalation through the sudo command. | Apple macOS 15 (Sequoia) Security Technical Implementation Guide
V-277150 | CAT II | The macOS system must enforce smart card authentication. | Apple macOS 26 (Tahoe) Security Technical Implementation Guide
V-277152 | CAT II | The macOS system must enforce multifactor authentication for login. | Apple macOS 26 (Tahoe) Security Technical Implementation Guide
V-277153 | CAT II | The macOS system must enforce multifactor authentication for the su command. | Apple macOS 26 (Tahoe) Security Technical Implementation Guide
V-277154 | CAT II | The macOS system must enforce multifactor authentication for privilege escalation through the sudo command. | Apple macOS 26 (Tahoe) Security Technical Implementation Guide
V-263552 | CAT II | The application server must implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that the device meets organization-defined strength of mechanism requirements. | Application Server Security Requirements Guide
V-272627 | CAT III | CylanceON-PREM must be configured to use a third-party identity provider. | Arctic Wolf CylanceON-PREM Security Technical Implementation Guide
V-276012 | CAT I | Ax-OS must have no local accounts for the user interface. | Axonius Federal Systems Ax-OS Security Technical Implementation Guide
V-274853 | CAT II | Ubuntu 20.04 LTS must have the "SSSD" package installed. | Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide
V-274854 | CAT II | Ubuntu 20.04 LTS must use the "SSSD" package for multifactor authentication services. | Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide
V-260573 | CAT II | Ubuntu 22.04 LTS must implement multifactor authentication for remote access to privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access. | Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide
V-260575 | CAT II | Ubuntu 22.04 LTS must implement smart card logins for multifactor authentication for local and network access to privileged and nonprivileged accounts. | Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide
V-274864 | CAT II | Ubuntu 22.04 LTS must have the "SSSD" package installed. | Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide
V-274866 | CAT II | Ubuntu 22.04 LTS must use the "SSSD" package for multifactor authentication services. | Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide
V-270662 | CAT II | Ubuntu 24.04 LTS must have the "SSSD" package installed. | Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide
V-270663 | CAT II | Ubuntu 24.04 LTS must use the "SSSD" package for multifactor authentication services. | Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide
V-263573 | CAT II | The Central Log Server must implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that the device meets organization-defined strength of mechanism requirements. | Central Log Server Security Requirements Guide
V-242633 | CAT II | The Cisco ISE must be configured to use an external authentication server to authenticate administrators prior to granting administrative access. | Cisco ISE NDM Security Technical Implementation Guide
V-269372 | CAT II | AlmaLinux OS 9 must enable certificate based smart card authentication. | Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
V-263590 | CAT II | The container platform must implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that the device meets organization-defined strength of mechanism requirements. | Container Platform Security Requirements Guide
V-263609 | CAT II | The DBMS must implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that the device meets organization-defined strength of mechanism requirements. | Database Security Requirements Guide
V-269779 | CAT I | The Dell OS10 Switch must be configured to use DOD PKI as multifactor authentication (MFA) for interactive logins. | Dell OS10 Switch NDM Security Technical Implementation Guide
V-263631 | CAT II | The DNS server implementation must implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that the device meets organization-defined strength of mechanism requirements. | Domain Name System (DNS) Security Requirements Guide
V-230952 | CAT II | Forescout must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access. | Forescout Network Device Management Security Technical Implementation Guide
V-263652 | CAT II | The operating system must implement multifactor authentication for local, network, and/or remote access to privileged accounts and/or nonprivileged accounts such that the device meets organization-defined strength of mechanism requirements. | General Purpose Operating System Security Requirements Guide
V-268237 | CAT I | The HYCU virtual appliance must be configured to use DOD PKI as multifactor authentication (MFA) for interactive logins. | HYCU Protege Security Technical Implementation Guide
V-258600 | CAT I | The ICS must be configured to prevent nonprivileged users from executing privileged functions. | Ivanti Connect Secure NDM Security Technical Implementation Guide
V-253941 | CAT I | The Juniper EX switch must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access. | Juniper EX Series Switches Network Device Management Security Technical Implementation Guide
V-223206 | CAT II | The Juniper SRX Services Gateway must be configured to use an authentication server to centrally manage authentication and logon settings for remote and nonlocal access. | Juniper SRX Services Gateway NDM Security Technical Implementation Guide
V-263674 | CAT II | The Mainframe Product must implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that the device meets organization-defined strength of mechanism requirements. | Mainframe Product Security Requirements Guide
V-278162 | CAT II | Windows Server 2025 Active Directory (AD) user accounts, including administrators, must be configured to require the use of a common access card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication. | Microsoft Windows Server 2025 Security Technical Implementation Guide
V-264295 | CAT II | The network device must be configured to implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that the device meets organization-defined strength of mechanism requirements. | Network Device Management Security Requirements Guide
V-279439 | CAT II | Nutanix AOS must use multifactor authentication (MFA) for access to privileged and nonprivileged accounts by enabling client authentication. | Nutanix Acropolis Application Server Security Technical Implementation Guide
V-248586 | CAT III | OL 8 must have the package required for multifactor authentication installed. | Oracle Linux 8 Security Technical Implementation Guide
V-248587 | CAT II | OL 8 must implement certificate status checking for multifactor authentication. | Oracle Linux 8 Security Technical Implementation Guide
V-248702 | CAT II | OL 8 must implement multifactor authentication for access to interactive accounts. | Oracle Linux 8 Security Technical Implementation Guide
V-271493 | CAT II | OL 9 must have the SSSD package installed. | Oracle Linux 9 Security Technical Implementation Guide
V-271494 | CAT II | OL 9 must use the SSSD package for multifactor authentication services. | Oracle Linux 9 Security Technical Implementation Guide
V-281325 | CAT II | RHEL 10 must implement certificate status checking for multifactor authentication. | Red Hat Enterprise Linux 10 Security Technical Implementation Guide
V-258122 | CAT II | RHEL 9 must enable certificate based smart card authentication. | Red Hat Enterprise Linux 9 Security Technical Implementation Guide
V-275461 | CAT I | The Riverbed NetIM must be configured to use an authentication server configured for multifactor authentication (MFA) using DOD PKI for the purpose of authenticating users prior to granting administrative access. | Riverbed NetIM NDM Security Technical Implementation Guide
V-256093 | CAT I | The Riverbed NetProfiler must be configured to use an authentication server to authenticate users prior to granting administrative access. | Riverbed NetProfiler Security Technical Implementation Guide
V-221605 | CAT II | Splunk Enterprise must use an SSO proxy service, F5 device, or SAML implementation to accept the DOD common access card (CAC) or other smart card credential for identity management, personal authentication, and multifactor authentication. | Splunk Enterprise 7.x for Windows Security Technical Implementation Guide
V-251692 | CAT I | Splunk Enterprise must accept the DOD CAC or other PKI credential for identity management and personal authentication. | Splunk Enterprise 8.x for Linux Security Technical Implementation Guide
V-279251 | CAT I | The Edge SWG must be configured to use at least two authentication servers for the purpose of authenticating users prior to granting administrative access. | Symantec Edge SWG NDM Security Technical Implementation Guide
V-254897 | CAT II | Multifactor authentication must be enabled and enforced on the Tanium Server for all access and all accounts. | Tanium 7.x Application on TanOS Security Technical Implementation Guide
V-254847 | CAT I | The Tanium Operating System (TanOS) must use multifactor authentication for network access to privileged accounts. | Tanium 7.x Operating System on TanOS Security Technical Implementation Guide
V-254848 | CAT II | The Tanium Operating System (TanOS) must use multifactor authentication for network access to nonprivileged accounts. | Tanium 7.x Operating System on TanOS Security Technical Implementation Guide
V-253821 | CAT I | Multifactor authentication must be enabled on the Tanium Server for network access with privileged accounts. | Tanium 7.x Security Technical Implementation Guide
V-253828 | CAT II | Multifactor authentication must be enabled and enforced on the Tanium Server for all access and all accounts. | Tanium 7.x Security Technical Implementation Guide
V-242254 | CAT I | The TippingPoint SMS must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access and to enforce access restrictions. | Trend Micro TippingPoint NDM Security Technical Implementation Guide
V-252952 | CAT II | TOSS must use multifactor authentication for network and local access to privileged and nonprivileged accounts. | Tri-Lab Operating System Stack (TOSS) 4 Security Technical Implementation Guide
V-264317 | CAT II | The VMM must implement multifactor authentication for local, network, and/or remote access to privileged accounts and/or nonprivileged accounts such that the device meets organization-defined strength of mechanism requirements. | Virtual Machine Manager Security Requirements Guide
V-264344 | CAT II | The web server must implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that the device meets organization-defined strength of mechanism requirements. | Web Server Security Requirements Guide
V-269574 | CAT I | Xylok Security Suite must use a centralized user management solution. | Xylok Security Suite 20.x Security Technical Implementation Guide