
Cisco ACI NDM Security Technical Implementation Guide

Version: V1R2

Release Date: Dec 11, 2025

SCAP Benchmark ID: Cisco_ACI_NDM_STIG

Total Checks: 26

Tags: network

Severity breakdown: CAT I: 7, CAT II: 19, CAT III: 0

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Checks (26)

  • V-271916 (MEDIUM): The Cisco ACI must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC).
  • V-271917 (MEDIUM): The Cisco ACI must be configured to authenticate SNMP messages using a FIPS-validated Keyed-Hash Message Authentication Code (HMAC).
  • V-271918 (MEDIUM): The Cisco ACI must display the Standard Mandatory DOD Notice and Consent Banner before granting access to the device.
  • V-271919 (MEDIUM): The Cisco ACI must be configured to enforce the limit of three consecutive invalid logon attempts, after which time it must block any login attempt for 15 minutes.
  • V-271920 (HIGH): The Cisco ACI must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services.
  • V-271921 (MEDIUM): The Cisco ACI must conduct backups of the configuration weekly or at an organization-defined frequency and store on a separate device.
  • V-271922 (MEDIUM): The Cisco ACI must obtain its public key certificates from an appropriate certificate policy through an approved service provider.
  • V-271923 (MEDIUM): The Cisco ACI must use DOD-approved Network Time Protocol (NTP) sources that use authentication that is cryptographically based.
  • V-271924 (HIGH): The Cisco APIC must be configured to use at least two authentication servers for the purpose of authenticating users prior to granting administrative access.
  • V-271926 (HIGH): The Cisco ACI must be running an operating system release that is currently supported by the vendor.
  • V-271927 (HIGH): The Cisco ACI must be configured to assign appropriate user roles or access levels to authenticated users.
  • V-271929 (MEDIUM): The Cisco ACI must be configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable.
  • V-271931 (HIGH): The Cisco ACI must be configured to send log data to a central log server for log retention and forwarding alerts to the administrators and the information system security officer (ISSO).
  • V-271932 (MEDIUM): The Cisco ACI must be configured to alert organization-defined personnel or roles upon detection of unauthorized access, modification, or deletion of audit information.
  • V-271933 (MEDIUM): The Cisco ACI must audit the enforcement actions used to restrict access associated with changes to the device.
  • V-271935 (MEDIUM): The Cisco ACI must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.
  • V-271936 (MEDIUM): The Cisco ACI must implement replay-resistant authentication mechanisms for network access to privileged accounts.
  • V-271939 (MEDIUM): The Cisco ACI must automatically audit account creation.
  • V-271944 (MEDIUM): The Cisco ACI must generate log records for a locally developed list of auditable events.
  • V-271958 (MEDIUM): The Cisco ACI must be configured to allow user selection of long passwords and passphrases, including spaces and all printable characters, for password-based authentication.
  • V-271960 (MEDIUM): The Cisco ACI must enforce a minimum 15-character password length.
  • V-271966 (HIGH): The Cisco ACI must use FIPS 140-2/140-3 approved algorithms for authentication to a cryptographic module.
  • V-271969 (HIGH): Cisco ACI SSH sessions must be terminated after five minutes of inactivity.
  • V-271971 (MEDIUM): The Cisco ACI must be configured to synchronize system clocks within and between systems or system components.
  • V-271972 (MEDIUM): The Cisco ACI must be configured to disable the auxiliary USB port.
  • V-271975 (MEDIUM): The Cisco ACI must limit the number of concurrent sessions to one for each administrator account.