
STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

V-271972

CAT II (Medium)

The Cisco ACI must be configured to disable the auxiliary USB port.

Rule ID

SV-271972r1114185_rule

STIG

Cisco ACI NDM Security Technical Implementation Guide

Version

V1R2

CCIs

CCI-000382

Discussion

Disable the USB port in environments where physical access to the devices is not strictly controlled, or where this extra layer of protection is required. Cisco Nexus 9000 switches running Cisco ACI code have the USB port enabled by default. When the USB port is enabled, the switch will try to boot from a USB drive first. This is a security risk if a malicious actor has physical access to the switch: they could power-cycle the device to boot it from a USB image containing malicious code. Although this is not a common scenario, since most organizations have physical access security guidelines in place, Cisco ACI release 5.2(3) introduced the option to disable the USB port through a dedicated switch policy.

Check Content

Verify the USB port is disabled:
1. Navigate to Fabric >> Access Policies >> Policies >> Switch >> USB Configuration >> default.
2. Verify the "Disable USB Port" box is checked.

If the USB port is not disabled, this is a finding.
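The check above is a GUI walk that inspects only the "default" USB configuration policy. The following script is an added example, not DISA's check procedure and not Cisco's or STIGhub's code: it applies the same "Disable USB Port" test to every USB configuration policy object returned by the APIC REST class query, so a non-default policy that leaves the port enabled is not missed, and it treats a missing attribute or an absent policy as a finding rather than as a pass. The managed-object class name (usbConfigPol), the attribute name (disableUsb) and the DN prefix are placeholders, since the STIG page does not name them; confirm the real names with the APIC API Inspector or Visore before using this against a fabric. The sample response is constructed.

```python
"""Automated evaluation of STIG V-271972 (Cisco ACI NDM: auxiliary USB port
must be disabled) against the JSON an APIC class query returns.

Added example; not DISA's, Cisco's or STIGhub's code.
ASSUMPTIONS (placeholders; verify with the APIC API Inspector or Visore):
  - USB_POLICY_CLASS is the managed-object class of the USB configuration
    policy shown under Fabric >> Access Policies >> Policies >> Switch.
  - USB_DISABLE_ATTR is the attribute the "Disable USB Port" box sets,
    using the usual APIC boolean encoding "yes"/"no".
  - The DN prefix uni/infra/ used in the sample data is likewise assumed.
"""
import json
import ssl
import urllib.request

USB_POLICY_CLASS = "usbConfigPol"   # assumption: placeholder class name
USB_DISABLE_ATTR = "disableUsb"     # assumption: placeholder attribute name


def fetch_usb_policies(apic_url: str, token: str, verify_tls: bool = True) -> dict:
    """Query the APIC for every instance of the USB policy class.

    Uses the standard APIC class-query endpoint /api/class/<class>.json and
    the APIC-cookie session token obtained from /api/aaaLogin.json.
    Not exercised in the sample run below (no APIC is reachable offline).
    """
    req = urllib.request.Request(
        f"{apic_url}/api/class/{USB_POLICY_CLASS}.json",
        headers={"Cookie": f"APIC-cookie={token}"},
    )
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for lab fabrics with self-signed APIC certs
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return json.load(resp)


def evaluate_usb_policies(apic_response: dict) -> dict:
    """Map each USB policy DN to True (USB disabled) or False (finding).

    Anything other than an explicit "yes" counts as a finding: a missing
    attribute or an unexpected value means the port cannot be shown to be
    disabled, which is what the STIG check requires.
    """
    results = {}
    for item in apic_response.get("imdata", []):
        attrs = item.get(USB_POLICY_CLASS, {}).get("attributes")
        if attrs is None:
            continue  # some other object class in the response; ignore it
        results[attrs["dn"]] = attrs.get(USB_DISABLE_ATTR) == "yes"
    return results


def findings(apic_response: dict) -> list:
    """Return the policy DNs that fail the check, sorted for stable reporting.

    An empty result set is also a finding, reported under a synthetic name:
    an absent policy cannot demonstrate that the port is disabled.
    """
    evaluated = evaluate_usb_policies(apic_response)
    if not evaluated:
        return ["<no USB configuration policy returned>"]
    return sorted(dn for dn, ok in evaluated.items() if not ok)


# Constructed sample response shaped like an APIC class-query result: the
# "default" policy has the box checked, a second custom policy does not.
SAMPLE_RESPONSE = {
    "totalCount": "2",
    "imdata": [
        {USB_POLICY_CLASS: {"attributes": {
            "dn": f"uni/infra/{USB_POLICY_CLASS}-default",
            "name": "default", USB_DISABLE_ATTR: "yes"}}},
        {USB_POLICY_CLASS: {"attributes": {
            "dn": f"uni/infra/{USB_POLICY_CLASS}-lab-leafs",
            "name": "lab-leafs", USB_DISABLE_ATTR: "no"}}},
    ],
}

if __name__ == "__main__":
    for dn in findings(SAMPLE_RESPONSE):
        print(f"FINDING V-271972: USB port not disabled in {dn}")
```

To run it against a live fabric, replace SAMPLE_RESPONSE with fetch_usb_policies("https://apic.example", token) after logging in through /api/aaaLogin.json; the evaluation logic is unchanged. The deliberately strict "anything but yes is a finding" rule is what keeps a renamed attribute or an older ACI release (before 5.2(3), where the policy does not exist) from silently passing the check.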

Fix Text

Disable the USB port on all switches within the Cisco ACI fabric:
1. Navigate to Fabric >> Access Policies >> Policies >> Switch >> USB Configuration >> default.
2. Check the "Disable USB Port" box; this will disable the USB port on all switches within the Cisco ACI fabric.