Rule ID
SV-266953r1039880_rule
Version
V1R1
CCIs
CCI-000366, CCI-001893
The loss of connectivity to a particular authoritative time source will result in the loss of time synchronization (free-run mode) and increasingly inaccurate time stamps on audit events and other functions. Multiple time sources provide redundancy by including a secondary source. Time synchronization is usually a hierarchy; clients synchronize time to a local source while that source synchronizes its time to a more accurate source. The network device must use an authoritative time server and/or be configured to use redundant authoritative time sources. This requirement is related to the comparison done in CCI-001891. DOD-approved solutions consist of a combination of a primary and secondary time source using a combination or multiple instances of the following: a time server designated for the appropriate DOD network (NIPRNet/SIPRNet); United States Naval Observatory (USNO) time servers; and/or the Global Positioning System (GPS). The secondary time source must be located in a different geographic region than the primary time source.
Verify the AOS configuration with the following command: show ntp servers If at least two NTP servers are not configured, this is a finding.
Configure AOS with the following commands: configure terminal ntp authentication-key (keyid #> sha1 <plaintext key> ntp trusted-key <keyid #> ntp server <first fqdn, ipv4, or ipv6 address> key <keyid #> ntp server <second fqdn, ipv4, or ipv6 address> key <keyid #> ntp authenticate write memory