STIGhub

V-230959

CAT I (High)

Forescout must use DOD-approved PKI rather than proprietary or self-signed device certificates.

Rule ID

SV-230959r1043177_rule

STIG

Forescout Network Device Management Security Technical Implementation Guide

Version

V2R3

CCIs

CCI-000382

Discussion

To mitigate the risk of unauthorized access to sensitive information, Forescout uses certificates issued by DOD-approved PKIs. Forescout generates a key-pair and a Certificate Signing Request (CSR). The CSR is sent to the approved certificate authority (CA), which signs it and returns it as a certificate. That certificate is then installed. The process to obtain a device PKI certificate requires the generation of a CSR, submission of the CSR to a CA, approval of the request by a registration authority (RA), and retrieval of the issued certificate from the CA.

Check Content

Navigate to Tools >> Options >> Certificates >> Trusted Certificates.

1. The System Certificates page appears and provides information for the local certificates.
2. Select a certificate to display the certificate details.

If Forescout does not obtain its public key certificates from an appropriate certificate policy through an approved service provider, this is a finding.
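As an added example (not part of the STIG text and not a Forescout tool), a POSIX shell check that applies the finding criterion above to an exported PEM certificate using the openssl CLI: it flags a self-signed certificate (issuer equals subject), a key below a minimum size, and, when a trusted CA bundle such as the DOD root certificates is supplied, a certificate that does not chain to it. The 2048-bit RSA / 256-bit EC minimums and the check_cert name are this example's assumptions.

```shell
#!/bin/sh
# Audit a PEM certificate for V-230959 with the openssl CLI: flag a self-signed
# certificate (issuer DN equals subject DN), a key below the minimum size, and,
# when a trusted CA bundle is given, a certificate that does not chain to it.
# The 2048-bit RSA / 256-bit EC minimums are this example's assumption.

# check_cert FILE [CA_BUNDLE]: prints findings; returns 0 if none, 1 otherwise.
check_cert() {
    cert="$1"; bundle="$2"; findings=0
    subject=$(openssl x509 -in "$cert" -noout -subject) || return 2
    issuer=$(openssl x509 -in "$cert" -noout -issuer)
    # Drop the "subject=" / "issuer=" labels so the two DNs compare directly.
    if [ "${subject#subject=}" = "${issuer#issuer=}" ]; then
        echo "FINDING: $cert is self-signed (${issuer#issuer=})"
        findings=1
    fi
    # Pull the key algorithm and size out of the parsed certificate text.
    text=$(openssl x509 -in "$cert" -noout -text)
    alg=$(printf '%s\n' "$text" | sed -nE 's/.*Public Key Algorithm: (.*)/\1/p' | head -n 1)
    bits=$(printf '%s\n' "$text" | sed -nE 's/.*Public-Key: \(([0-9]+) bit\).*/\1/p' | head -n 1)
    case "$alg" in
        rsaEncryption) min=2048 ;;
        id-ecPublicKey) min=256 ;;
        *) min=0; echo "FINDING: $cert uses unexpected key algorithm '$alg'"; findings=1 ;;
    esac
    if [ "${bits:-0}" -lt "$min" ]; then
        echo "FINDING: $cert key is ${bits:-unknown} bits ($alg); minimum is $min"
        findings=1
    fi
    # Optional: confirm the chain ends at a CA in the supplied trust bundle.
    if [ -n "$bundle" ] && ! openssl verify -CAfile "$bundle" "$cert" >/dev/null 2>&1; then
        echo "FINDING: $cert does not chain to a CA in $bundle"
        findings=1
    fi
    return "$findings"
}
```

Run it as `check_cert exported.pem dod-roots.pem` against a certificate exported from the System Certificates page; a non-zero exit means at least one finding was printed.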

Fix Text

Replace the self-signed certificate with a CA-signed certificate for greater security. To obtain a CA-signed certificate:

Generate a certificate signing request (CSR) to obtain a CA-signed certificate for the nodes in your deployment.
1. Navigate to Tools >> Options >> Certificates >> System Certificates.
2. On the right of the screen click "Generate CSR".
3. Enter the values for generating a CSR.
- Key Length – <select an approved key length from the drop-down list>
- Signature Algorithm – <select an approved algorithm from the drop-down list>
Examples:
RSA: rsa size <512 | 1024 | 2048 | 4096>
ECDSA: size <256 | 384>
- Key Usages – <check all items that apply: Client Authentication, Server Authentication, Email Signing>
- Validity – <years>
4. Click "Next".

Import the required trusted CA certificates by completing the following procedure:
1. Log in to the console.
2. Navigate to Tools >> Options >> Certificates >> Trusted Certificates.
3. Click "Add".
4. Specify the Certificate file.
5. Ensure "Enable trusting this certificate" is checked.
6. Click "Next".
7. Click "Next" after reviewing the certificate data.
8. Ensure "All subsystems" is selected, and then click "Next".
9. Ensure "All Forescout devices" is selected, and then click "Finish".
10. Click "Apply".