STIGhubSTIGhub
STIGsSearchCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated 3 hours ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to CA API Gateway NDM Security Technical Implementation Guide

V-255505

CAT II (Medium)

In the event the authentication server is unavailable, there must be one local account of last resort.

Rule ID

SV-255505r960969_rule

STIG

CA API Gateway NDM Security Technical Implementation Guide

Version

V1R2

CCIs

CCI-001358, CCI-002111

Discussion

Authentication for administrative (privileged-level) access to the device is required at all times. An account can be created on the device's local database for use in an emergency, such as when the authentication server is down or connectivity between the device and the authentication server is not operable. This account is also referred to as the account of last resort since the emergency administration account is strictly intended to be used only as a last resort and immediate administrative access is absolutely necessary. The number of emergency administration accounts is restricted to at least one, but no more than operationally required as determined by the ISSO. The emergency administration account logon credentials must be stored in a sealed envelope and kept in a safe.

Check Content

Verify the "root" (or its equivalent, renamed account) is listed in the password configuration files.

If the "root" account is not listed in the password configuration files, this is a finding.

Fix Text

Configure the "root" account as the local account of last resort. 

Disable the "ssgconfig" account by destroying its password and making the login shell "/sbin/nologin".