
STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.


AAA Services Security Requirements Guide

Version: V2R2

Benchmark ID: AAA_Services

Total Checks: 77

Tags: other

Severity breakdown: CAT I: 8, CAT II: 66, CAT III: 3

This Security Requirements Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Checks (77)

  • V-204636 (MEDIUM): AAA Services must be configured to provide automated account management functions.
  • V-204637 (MEDIUM): AAA Services must be configured to automatically remove temporary user accounts after 72 hours.
  • V-204638 (MEDIUM): AAA Services must be configured to automatically remove authorizations for temporary user accounts after 72 hours.
  • V-204639 (MEDIUM): AAA Services must be configured to automatically disable accounts after a 35-day period of account inactivity.
  • V-204640 (MEDIUM): AAA Services must be configured to automatically audit account creation.
  • V-204641 (MEDIUM): AAA Services must be configured to automatically audit account modification.
  • V-204642 (MEDIUM): AAA Services must be configured to automatically audit account disabling actions.
  • V-204643 (MEDIUM): AAA Services must be configured to automatically audit account removal actions.
  • V-204644 (MEDIUM): AAA Services must be configured to automatically lock user accounts after three consecutive invalid logon attempts within a 15-minute time period.
  • V-204645 (MEDIUM): AAA Services must be configured to audit each authentication and authorization transaction.
  • V-204646 (MEDIUM): AAA Services configuration audit records must identify what type of events occurred.
  • V-204647 (MEDIUM): AAA Services configuration audit records must identify when (date and time) the events occurred.
  • V-204648 (MEDIUM): AAA Services configuration audit records must identify where the events occurred.
  • V-204649 (MEDIUM): AAA Services configuration audit records must identify the source of the events.
  • V-204650 (MEDIUM): AAA Services configuration audit records must identify the outcome of the events.
  • V-204651 (MEDIUM): AAA Services configuration audit records must identify any individual user or process associated with the event.
  • V-204652 (MEDIUM): AAA Services must be configured to alert the SA and ISSO when any audit processing failure occurs.
  • V-204655 (MEDIUM): AAA Services must be configured to use internal system clocks to generate time stamps for audit records.
  • V-204656 (MEDIUM): AAA Services must be configured to disable non-essential modules.
  • V-204657 (HIGH): AAA Services must be configured to use secure protocols when connecting to directory services.
  • V-204658 (HIGH): AAA Services must be configured to use protocols that encrypt credentials when authenticating clients, as defined in the PPSM CAL and vulnerability assessments.
  • V-204659 (MEDIUM): AAA Services must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
  • V-204660 (HIGH): AAA Services must be configured to uniquely identify and authenticate organizational users.
  • V-204661 (MEDIUM): AAA Services must be configured to require multifactor authentication using Personal Identity Verification (PIV) credentials for authenticating privileged user accounts.
  • V-204662 (MEDIUM): AAA Services must be configured to require multifactor authentication using Common Access Card (CAC) Personal Identity Verification (PIV) credentials for authenticating non-privileged user accounts.
  • V-204663 (MEDIUM): AAA Services used for 802.1x must be configured to uniquely identify network endpoints (supplicants) before the authenticator establishes any connection.
  • V-204664 (MEDIUM): AAA Services must be configured to enforce a minimum 15-character password length.
  • V-204666 (MEDIUM): AAA Services must be configured to enforce password complexity by requiring that at least one uppercase character be used.
  • V-204667 (MEDIUM): AAA Services must be configured to enforce password complexity by requiring that at least one lowercase character be used.
  • V-204668 (MEDIUM): AAA Services must be configured to enforce password complexity by requiring that at least one numeric character be used.
  • V-204669 (MEDIUM): AAA Services must be configured to enforce password complexity by requiring that at least one special character be used.
  • V-204670 (MEDIUM): AAA Services must be configured to require the change of at least eight of the total number of characters when passwords are changed.
  • V-204671 (HIGH): For password-based authentication, AAA Services must be configured to store passwords using an approved salted key derivation function, preferably using a keyed hash.
  • V-204672 (HIGH): AAA Services must be configured to encrypt transmitted credentials using a FIPS-validated cryptographic module.
  • V-204673 (MEDIUM): AAA Services must be configured to enforce 24 hours as the minimum password lifetime.
  • V-204674 (MEDIUM): AAA Services must be configured to enforce a 60-day maximum password lifetime restriction.
  • V-204675 (HIGH): AAA Services must be configured to only accept certificates issued by a DoD-approved Certificate Authority for PKI-based authentication.
  • V-204676 (HIGH): AAA Services must be configured to not accept certificates that have been revoked for PKI-based authentication.
  • V-204677 (MEDIUM): AAA Services must be configured to enforce authorized access to the corresponding private key for PKI-based authentication.
  • V-204678 (MEDIUM): AAA Services must be configured to map the authenticated identity to the user account for PKI-based authentication.
  • V-204679 (HIGH): AAA Services must be configured to protect the confidentiality and integrity of all information at rest.
  • V-204680 (MEDIUM): AAA Services must be configured to prevent automatically removing emergency accounts.
  • V-204681 (LOW): AAA Services must be configured to prevent automatically disabling emergency accounts.
  • V-204682 (MEDIUM): AAA Services must be configured to notify the system administrators (SAs) and information system security officer (ISSO) when accounts are created.
  • V-204683 (MEDIUM): AAA Services must be configured to notify the system administrators (SAs) and information system security officer (ISSO) when accounts are modified.
  • V-204684 (MEDIUM): AAA Services must be configured to notify the system administrators (SAs) and information system security officer (ISSO) for account disabling actions.
  • V-204685 (MEDIUM): AAA Services must be configured to notify the system administrators (SAs) and information system security officer (ISSO) for account removal actions.
  • V-204686 (MEDIUM): AAA Services must be configured to automatically audit account enabling actions.
  • V-204687 (MEDIUM): AAA Services must be configured to notify system administrators (SAs) and information system security officer (ISSO) of account enabling actions.
  • V-204689 (MEDIUM): AAA Services must be configured to maintain locks on user accounts until released by an administrator.
  • V-204690 (MEDIUM): AAA Services must be configured to send audit records to a centralized audit server.
  • V-204691 (MEDIUM): AAA Services must be configured to use or map to Coordinated Universal Time (UTC) to record time stamps for audit records.
  • V-204692 (MEDIUM): AAA Services must be configured with a minimum granularity of one second to record time stamps for audit records.
  • V-204693 (MEDIUM): AAA Services used for 802.1x must be configured to authenticate network endpoint devices (supplicants) before the authenticator establishes any connection.
  • V-204695 (LOW): AAA Services must be configured to use at least two NTP servers to synchronize time.
  • V-204696 (MEDIUM): AAA Services must be configured to authenticate all NTP messages received from NTP servers and peers.
  • V-204697 (LOW): AAA Services must be configured to use their loopback or OOB management interface address as the source address when originating NTP traffic.
  • V-204698 (MEDIUM): AAA Services used for 802.1x must be configured to use secure Extensible Authentication Protocol (EAP), such as EAP-TLS, EAP-TTLS, and PEAP.
  • V-204699 (MEDIUM): AAA Services must not be configured with shared accounts.
  • V-204700 (MEDIUM): AAA Services used to authenticate privileged users for device management must be configured to connect to the management network.
  • V-204701 (MEDIUM): AAA Services must be configured to use a unique shared secret for communication (i.e. RADIUS, TACACS+) with clients requesting authentication services.
  • V-204702 (MEDIUM): AAA Services must be configured to use IP segments separate from production VLAN IP segments.
  • V-204703 (MEDIUM): AAA Services must be configured to place non-authenticated network access requests in the Unauthorized VLAN or the Guest VLAN with limited access.
  • V-204704 (MEDIUM): AAA Services must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
  • V-263527 (MEDIUM): AAA Services must be configured to disable accounts when the accounts have expired.
  • V-263528 (MEDIUM): AAA Services must be configured to disable accounts when the accounts are no longer associated to a user.
  • V-263529 (MEDIUM): AAA Services must be configured to disable accounts when the accounts are in violation of organizational policy.
  • V-263530 (MEDIUM): AAA Services must be configured to automatically generate audit records of the enforcement actions.
  • V-263531 (MEDIUM): AAA Services must be configured to require users to be individually authenticated before granting access to the shared accounts or resources.
  • V-263532 (MEDIUM): For password-based authentication, AAA Services must be configured to update the list of passwords on an organization-defined frequency.
  • V-263533 (MEDIUM): For password-based authentication, AAA Services must be configured to update the list of passwords when organizational passwords are suspected to have been compromised directly or indirectly.
  • V-263534 (MEDIUM): For password-based authentication, AAA Services must be configured to verify when users create or update passwords, and that the passwords are not on the list of commonly-used, expected, or compromised passwords in IA-5 (1) (a).
  • V-263535 (MEDIUM): For password-based authentication, AAA Services must be configured to require immediate selection of a new password upon account recovery.
  • V-263536 (MEDIUM): For password-based authentication, AAA Services must be configured to allow user selection of long passwords and passphrases, including spaces and all printable characters.
  • V-263537 (MEDIUM): For password-based authentication, AAA Services must be configured to employ automated tools to assist the user in selecting strong password authenticators.
  • V-263538 (MEDIUM): For public key-based authentication, AAA Services must be configured to implement a local cache of revocation data to support path discovery and validation.
  • V-263539 (MEDIUM): AAA Services must be configured to include only approved trust anchors in trust stores or certificate stores managed by the organization.