STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.


Cisco ASA NDM Security Technical Implementation Guide

Version

V2R4

Release Date

Dec 8, 2025

SCAP Benchmark ID

Cisco_ASA_NDM_STIG

Total Checks

47

Tags

network

Severity Counts

CAT I: 7, CAT II: 40, CAT III: 0

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Checks (47)

  • V-239896 (MEDIUM): The Cisco ASA must be configured to limit the number of concurrent management sessions to an organization-defined number.
  • V-239897 (MEDIUM): The Cisco ASA must be configured to automatically audit account creation.
  • V-239898 (MEDIUM): The Cisco ASA must be configured to automatically audit account modification.
  • V-239899 (MEDIUM): The Cisco ASA must be configured to automatically audit account-disabling actions.
  • V-239900 (MEDIUM): The Cisco ASA must be configured to automatically audit account removal actions.
  • V-239901 (MEDIUM): The Cisco ASA must be configured to enforce approved authorizations for controlling the flow of management information within the Cisco ASA based on information flow control policies.
  • V-239902 (MEDIUM): The Cisco ASA must be configured to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the device.
  • V-239903 (MEDIUM): The Cisco ASA must be configured to protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.
  • V-239904 (MEDIUM): The Cisco ASA must be configured to generate audit records when successful/unsuccessful attempts to access privileges occur.
  • V-239905 (MEDIUM): The Cisco ASA must be configured to produce audit log records containing sufficient information to establish what type of event occurred.
  • V-239906 (MEDIUM): The Cisco ASA must be configured to produce audit records containing information to establish when (date and time) the events occurred.
  • V-239907 (MEDIUM): The Cisco ASA must be configured to produce audit records containing information to establish where the events occurred.
  • V-239908 (MEDIUM): The Cisco ASA must be configured to produce audit log records containing information to establish the source of events.
  • V-239909 (MEDIUM): The Cisco ASA must be configured to produce audit records that contain information to establish the outcome of the event.
  • V-239910 (MEDIUM): The Cisco ASA must be configured to generate audit records containing the full-text recording of privileged commands.
  • V-239911 (HIGH): The Cisco ASA must be configured to prohibit the use of all unnecessary and/or non-secure functions, ports, protocols, and/or services.
  • V-239912 (MEDIUM): The Cisco ASA must be configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable.
  • V-239913 (MEDIUM): The Cisco ASA must be configured to implement replay-resistant authentication mechanisms for network access to privileged accounts.
  • V-239914 (MEDIUM): The Cisco ASA must be configured to enforce a minimum 15-character password length.
  • V-239915 (MEDIUM): The Cisco ASA must be configured to enforce password complexity by requiring that at least one uppercase character be used.
  • V-239916 (MEDIUM): The Cisco ASA must be configured to enforce password complexity by requiring that at least one lowercase character be used.
  • V-239917 (MEDIUM): The Cisco ASA must be configured to enforce password complexity by requiring that at least one numeric character be used.
  • V-239918 (MEDIUM): The Cisco ASA must be configured to enforce password complexity by requiring that at least one special character be used.
  • V-239919 (MEDIUM): The Cisco ASA must be configured to require that when a password is changed, the characters are changed in at least eight of the positions within the password.
  • V-239920 (HIGH): The Cisco ASA must be configured to terminate all network connections associated with a device management session at the end of the session, or the session must be terminated after five minutes of inactivity except to fulfill documented and validated mission requirements.
  • V-239921 (MEDIUM): The Cisco ASA must be configured to audit the execution of privileged functions.
  • V-239922 (MEDIUM): The Cisco ASA must be configured to allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.
  • V-239923 (MEDIUM): The Cisco ASA must be configured to generate an immediate real-time alert of all audit failure events requiring real-time alerts.
  • V-239924 (MEDIUM): The Cisco ASA must be configured to synchronize its clock with the primary and secondary time sources using redundant authoritative time sources.
  • V-239925 (MEDIUM): The Cisco ASA must be configured to record time stamps for audit records that meet a granularity of one second for a minimum degree of precision.
  • V-239927 (MEDIUM): The Cisco ASA must be configured to authenticate Simple Network Management Protocol (SNMP) messages using a FIPS-validated Keyed-Hash Message Authentication Code (HMAC).
  • V-239928 (MEDIUM): The Cisco ASA must be configured to encrypt Simple Network Management Protocol (SNMP) messages using a FIPS 140-2 approved algorithm.
  • V-239929 (MEDIUM): The Cisco ASA must be configured to authenticate Network Time Protocol (NTP) sources using authentication with FIPS-compliant algorithms.
  • V-239930 (HIGH): The Cisco ASA must be configured to use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of non-local maintenance and diagnostic communications.
  • V-239931 (HIGH): The Cisco ASA must be configured to implement cryptographic mechanisms using a FIPS 140-2 approved algorithm to protect the confidentiality of remote maintenance sessions.
  • V-239932 (MEDIUM): The Cisco ASA must be configured to protect against known types of denial-of-service (DoS) attacks by enabling the Threat Detection feature.
  • V-239933 (MEDIUM): The Cisco ASA must be configured to generate audit records when successful/unsuccessful attempts to modify administrator privileges occur.
  • V-239934 (MEDIUM): The Cisco ASA must be configured to generate audit records when successful/unsuccessful attempts to delete administrator privileges occur.
  • V-239935 (MEDIUM): The Cisco ASA must be configured to generate audit records when successful/unsuccessful logon attempts occur.
  • V-239936 (MEDIUM): The Cisco ASA must be configured to generate audit records for privileged activities or other system-level access.
  • V-239937 (MEDIUM): The Cisco ASA must be configured to generate audit records showing starting and ending time for administrator access to the system.
  • V-239938 (MEDIUM): The Cisco ASA must be configured to generate audit records when concurrent logons from different workstations occur.
  • V-239940 (HIGH): The Cisco ASA must be configured to use at least two authentication servers to authenticate users prior to granting administrative access.
  • V-239941 (MEDIUM): The Cisco ASA must be configured to conduct backups of system-level information contained in the information system when changes occur.
  • V-239942 (MEDIUM): The Cisco ASA must be configured to obtain its public key certificates from an appropriate certificate policy through an approved service provider.
  • V-239943 (HIGH): The Cisco ASA must be configured to send log data to at least two central log servers for the purpose of forwarding alerts to organization-defined personnel and/or the firewall administrator.
  • V-239944 (HIGH): The Cisco ASA must be running an operating system release that is currently supported by Cisco Systems.