STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

V-266093

CAT II (Medium)

The F5 BIG-IP appliance must prohibit the use of cached authenticators after eight hours or less.

Rule ID

SV-266093r1024899_rule

STIG

F5 BIG-IP TMOS NDM Security Technical Implementation Guide

Version

V1R2

CCIs

CCI-002007

Discussion

Some authentication implementations can be configured to use cached authenticators. If cached authentication information is out-of-date, the validity of the authentication information may be questionable. The organization-defined time period must be established for each device depending on the nature of the device; for example, a device with just a few administrators in a facility with spotty network connectivity may merit a longer caching time period than a device with many administrators.

Check Content

From the BIG-IP GUI:
1. Go to System.
2. Select Users.
3. Select Authentication.
4. If "User Directory" is set to "Remote - ClientCert LDAP", verify that "OCSP Response Max Age" is set to the organization-defined time period, which under this rule must be eight hours or less.
Note: "OCSP Override" must be set to "on" for the "OCSP Response Max Age" value to be displayed.

If the BIG-IP appliance is not configured to prohibit the use of cached authenticators after the organization-defined time period (eight hours or less), this is a finding.

Fix Text

From the BIG-IP GUI:
1. Go to System.
2. Select Users.
3. Select Authentication.
4. If "Remote - ClientCert LDAP" is the remote authentication type, set "OCSP Response Max Age" to the organization-defined time period, which under this rule must be eight hours or less.
Note: "OCSP Override" must be set to "on" for the "OCSP Response Max Age" value to be displayed.
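The following is an added example, not text from the STIG and not F5 code: it shows why the "OCSP Response Max Age" bound that the Discussion, Check Content and Fix Text above turn on matters for a "Remote - ClientCert LDAP" login, and how to grade a configured value against this rule. Everything beyond the STIG text is an assumption and is labelled as such: the max-age value is treated as a number of seconds, the eight-hour ceiling is taken from the rule title, the cached response is modelled with the producedAt, thisUpdate and nextUpdate times an RFC 6960 OCSP response carries, and the clock-skew tolerance argument mirrors the neighbouring "OCSP Response Time Tolerance" GUI field (assumed name and semantics). The sample responses are constructed, not captured from a real responder.

```python
"""Added example (not from the STIG or F5): why an OCSP Response Max Age bound
matters for a ClientCert LDAP login, and how to grade a configured value.

Assumptions the STIG text does not state:
  * "OCSP Response Max Age" is treated as a number of seconds;
  * the eight-hour ceiling comes from the rule title;
  * a cached response is modelled with the producedAt / thisUpdate /
    nextUpdate times an RFC 6960 OCSP response carries;
  * time_tolerance_seconds mirrors the "OCSP Response Time Tolerance" GUI
    field (assumed name; assumed meaning: allowed clock skew).
"""
from datetime import datetime, timedelta, timezone

EIGHT_HOURS_SECONDS = 8 * 3600  # ceiling stated in the rule title


def evaluate_max_age(max_age_seconds, ocsp_override_on=True,
                     org_period_seconds=EIGHT_HOURS_SECONDS):
    """Grade the configured value. Returns (compliant, reason).

    The organization-defined period is clamped to eight hours so a longer
    local policy cannot hide a finding against this rule.
    """
    ceiling = min(org_period_seconds, EIGHT_HOURS_SECONDS)
    if not ocsp_override_on:
        return False, "OCSP Override is off, so OCSP Response Max Age is not applied"
    if max_age_seconds is None or max_age_seconds <= 0:
        # Assumption: unset or non-positive means no age limit at all.
        return False, "OCSP Response Max Age is not set; cached responses never age out"
    if max_age_seconds > ceiling:
        return False, f"OCSP Response Max Age {max_age_seconds}s exceeds the {ceiling}s ceiling"
    return True, f"OCSP Response Max Age {max_age_seconds}s is within the {ceiling}s ceiling"


def cached_response_usable(response, now, max_age_seconds, time_tolerance_seconds=0):
    """Return True if a cached OCSP response may still vouch for a client cert.

    response: dict with timezone-aware 'producedAt', 'thisUpdate' and an
    optional 'nextUpdate'. The response is rejected when it is older than
    max_age_seconds, or when 'now' falls outside its own validity window by
    more than the tolerated clock skew.
    """
    tolerance = timedelta(seconds=time_tolerance_seconds)
    if now - response["producedAt"] > timedelta(seconds=max_age_seconds):
        return False  # older than the configured maximum age
    if now + tolerance < response["thisUpdate"]:
        return False  # dated in the future beyond the tolerated skew
    next_update = response.get("nextUpdate")
    if next_update is not None and now - tolerance > next_update:
        return False  # the responder itself declared this answer expired
    return True


# Constructed sample data (not captured from a real responder).
T0 = datetime(2026, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_RESPONSE = {"producedAt": T0, "thisUpdate": T0,
                   "nextUpdate": T0 + timedelta(hours=2)}
# A responder may omit nextUpdate (RFC 6960: newer information is always
# available); then the configured max age is the only bound on reuse.
OPEN_ENDED_RESPONSE = {"producedAt": T0, "thisUpdate": T0}


def demo():
    """Run both checks over the sample data; returns a dict of outcomes."""
    h = timedelta(hours=1)
    return {
        "config_1h": evaluate_max_age(3600)[0],
        "config_24h": evaluate_max_age(86400)[0],
        "config_unset": evaluate_max_age(None)[0],
        "config_override_off": evaluate_max_age(3600, ocsp_override_on=False)[0],
        "cache_1h_old": cached_response_usable(SAMPLE_RESPONSE, T0 + 1 * h, EIGHT_HOURS_SECONDS),
        "cache_past_next_update": cached_response_usable(SAMPLE_RESPONSE, T0 + 3 * h, EIGHT_HOURS_SECONDS),
        "open_ended_7h_old": cached_response_usable(OPEN_ENDED_RESPONSE, T0 + 7 * h, EIGHT_HOURS_SECONDS),
        "open_ended_9h_old": cached_response_usable(OPEN_ENDED_RESPONSE, T0 + 9 * h, EIGHT_HOURS_SECONDS),
        "skew_within_tolerance": cached_response_usable(SAMPLE_RESPONSE, T0 - timedelta(seconds=30), EIGHT_HOURS_SECONDS, 60),
        "skew_no_tolerance": cached_response_usable(SAMPLE_RESPONSE, T0 - timedelta(seconds=30), EIGHT_HOURS_SECONDS),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The open-ended case is the one to keep in mind when reviewing this rule: a responder that omits nextUpdate places no expiry on its answer, so without a max-age bound a revoked administrator certificate could keep authenticating from cache indefinitely; with the bound, the appliance is forced back to the responder after the organization-defined period.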