
V-233337

CAT II (Medium)

Forescout must perform continuous detection and tracking of endpoint devices attached to the network. This is required for compliance with C2C Step 1.

Rule ID

SV-233337r811425_rule

STIG

Forescout Network Access Control Security Technical Implementation Guide

Version

V2R4

CCIs

CCI-000366

Discussion

Continuous scanning capabilities on the NAC provide visibility of devices that are connected to the switch ports. The NAC continuously scans networks and monitors the activity of managed and unmanaged devices, which can be personally owned or rogue endpoints. Because many of today's small devices do not include agents, agentless discovery is often combined with agent-based discovery to cover more types of equipment.

Check Content

If DoD is not at C2C Step 1 or higher, this is not a finding.

Verify the NAC performs continuous detection and tracking of endpoint devices attached to the network.

1. Log on to the Forescout UI.
2. Go to Tools >> Options >> Appliance >> IP Assignment.
3. Check that all IP addresses that should be managed are within the IP Assignments as required by the SSP.

If the NAC does not perform continuous detection and tracking of endpoint devices attached to the network, this is a finding.
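Step 3 is a coverage comparison between two lists of ranges, and gaps are easy to miss by eye when the lists mix CIDR blocks and start-end ranges. The following is an added example, not part of the STIG or of Forescout: it assumes the SSP ranges and the IP Assignment entries have been transcribed by hand into two lists (the sample values are constructed, IPv4 only, and the function names are hypothetical) and reports every required address range that no assignment covers.

```python
import ipaddress

def parse_range(text):
    """Accept 'a.b.c.d/nn' or 'a.b.c.d - a.b.c.e'; return (first, last) as ints."""
    text = text.strip()
    if "-" in text:
        lo, hi = (int(ipaddress.IPv4Address(p.strip())) for p in text.split("-", 1))
    else:
        net = ipaddress.IPv4Network(text, strict=False)
        lo, hi = int(net.network_address), int(net.broadcast_address)
    if lo > hi:
        raise ValueError(f"range start is above range end: {text!r}")
    return lo, hi

def merge(ranges):
    """Sort ranges and join the ones that overlap or touch."""
    merged = []
    for lo, hi in sorted(ranges):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1][1] = max(merged[-1][1], hi)
        else:
            merged.append([lo, hi])
    return merged

def uncovered(required, assigned):
    """Return the parts of `required` that no entry in `assigned` covers."""
    have = merge(parse_range(r) for r in assigned)
    gaps = []
    for lo, hi in merge(parse_range(r) for r in required):
        cur = lo  # first address in this required range not yet accounted for
        for a_lo, a_hi in have:
            if a_hi < cur:
                continue          # assignment lies entirely before the cursor
            if a_lo > hi:
                break             # assignment lies entirely after this range
            if a_lo > cur:
                gaps.append((cur, a_lo - 1))
            cur = a_hi + 1
            if cur > hi:
                break
        if cur <= hi:
            gaps.append((cur, hi))
    return [f"{ipaddress.IPv4Address(a)} - {ipaddress.IPv4Address(b)}" for a, b in gaps]

# Constructed sample data: ranges the SSP says must be managed, and the
# entries read off the IP Assignment pane.
SSP_REQUIRED = ["10.20.0.0/22", "192.168.50.0/24"]
IP_ASSIGNMENT = ["10.20.0.0 - 10.20.1.255", "10.20.3.0/24",
                 "192.168.50.0 - 192.168.50.127", "192.168.50.128/25"]

if __name__ == "__main__":
    for gap in uncovered(SSP_REQUIRED, IP_ASSIGNMENT):
        print("not in IP Assignment:", gap)
```

An empty result means every SSP-required address falls inside some IP Assignment entry; any reported range corresponds to the finding condition in the check above.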

Fix Text

Log on to the Forescout UI.

1. Go to Tools >> Options >> Appliance >> IP Assignment.
2. Enter all IP addresses to be managed in the IP Assignment to enable the continuous monitoring capabilities of Forescout.