
ForeScout CounterACT NDM Security Technical Implementation Guide

Version: V1R2
Release Date: Jun 17, 2024
SCAP Benchmark ID: ForeScout_CounterACT_NDM_STIG
Total Checks: 39
Tags: other
Severity: CAT I: 4, CAT II: 29, CAT III: 6

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Checks (39)

  • V-255624 (MEDIUM): CounterACT must terminate all network connections associated with an Enterprise Manager Console session upon Exit, or session disconnection, or after 10 minutes of inactivity, except where prevented by documented and validated mission requirements.
  • V-255625 (MEDIUM): CounterACT must terminate all network connections associated with an SSH connection session upon Exit, session disconnection, or after 10 minutes of inactivity, except where prevented by documented and validated mission requirements.
  • V-255626 (MEDIUM): CounterACT must allow only authorized administrators to view or change the device configuration, system files, and other files stored either in the device or on removable media.
  • V-255627 (MEDIUM): CounterACT must restrict the ability to change the auditing to be performed within the system log based on selectable event criteria to the audit administrators role or to other roles or individuals.
  • V-255628 (MEDIUM): CounterACT must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC).
  • V-255629 (MEDIUM): CounterACT must enable Threat Protection notifications to alert security personnel to Cyber events detected by a CounterACT IAW CJCSM 6510.01B.
  • V-255630 (LOW): CounterACT must generate audit log events for a locally developed list of auditable events.
  • V-255631 (MEDIUM): CounterACT must enforce access restrictions associated with changes to the system components.
  • V-255632 (MEDIUM): Administrative accounts for device management must be configured on the authentication server and not the network device itself (except for the account of last resort).
  • V-255633 (MEDIUM): CounterACT must support organizational requirements to conduct backups of system-level information contained in the information system when changes occur or weekly, whichever is sooner.
  • V-255634 (LOW): CounterACT must support organizational requirements to conduct backups of information system documentation, including security-related documentation, when changes occur or weekly, whichever is sooner.
  • V-255635 (MEDIUM): CounterACT must obtain its public key certificates from an appropriate certificate policy through an approved service provider.
  • V-255636 (MEDIUM): CounterACT must obtain its public key certificates from an appropriate certificate policy through an approved service provider.
  • V-255637 (MEDIUM): For the local account, CounterACT must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.
  • V-255638 (LOW): CounterACT must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the device.
  • V-255639 (LOW): CounterACT must retain the Standard Mandatory DoD Notice and Consent Banner on the screen until the administrator acknowledges the usage conditions and takes explicit actions to log on for further access.
  • V-255640 (MEDIUM): If any logs are stored locally which are not sent to the centralized audit server, CounterACT must back up audit records at least every seven days onto a different system or system component than the system or component being audited.
  • V-255641 (MEDIUM): CounterACT must limit privileges to change the software resident within software libraries.
  • V-255642 (HIGH): CounterACT must disable all unnecessary and/or nonsecure plugins.
  • V-255643 (MEDIUM): In the event the authentication server is unavailable, one local account must be created for use as the account of last resort.
  • V-255644 (MEDIUM): CounterACT must enforce a minimum 15-character password length.
  • V-255645 (MEDIUM): CounterACT must prohibit password reuse for a minimum of five generations.
  • V-255646 (MEDIUM): CounterACT must enforce password complexity by requiring that at least one numeric character be used.
  • V-255647 (MEDIUM): CounterACT must enforce password complexity by requiring that at least one special character be used.
  • V-255648 (MEDIUM): CounterACT must enforce a 60-day maximum password lifetime restriction.
  • V-255649 (MEDIUM): CounterACT must automatically lock the account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are exceeded.
  • V-255650 (MEDIUM): CounterACT must compare internal information systems clocks at least every 24 hours with an authoritative time server.
  • V-255651 (MEDIUM): CounterACT must be configured to synchronize internal information system clocks with the organization's primary and secondary NTP servers.
  • V-255652 (MEDIUM): CounterACT must authenticate any endpoint used for network management before establishing a local, remote, and/or network connection using cryptographically based bidirectional authentication.
  • V-255653 (HIGH): CounterACT must authenticate SNMPv3 endpoint devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based.
  • V-255654 (HIGH): CounterACT appliances performing maintenance functions must restrict use of these functions to authorized personnel only.
  • V-255655 (MEDIUM): CounterACT must send audit logs to a centralized audit server (i.e., syslog server).
  • V-255656 (MEDIUM): CounterACT must employ automated mechanisms to centrally apply authentication settings.
  • V-255657 (LOW): CounterACT must limit the number of concurrent sessions to an organization-defined number for each administrator account type.
  • V-255658 (LOW): The network device must be configured to use a centralized authentication server to authenticate privileged users for remote and nonlocal access for device management.
  • V-255659 (MEDIUM): If multifactor authentication is not supported and passwords must be used, CounterACT must enforce password complexity by requiring that at least one upper-case character be used.
  • V-255660 (MEDIUM): If multifactor authentication is not supported and passwords must be used, CounterACT must enforce password complexity by requiring that at least one lower-case character be used.
  • V-255661 (MEDIUM): The network device must terminate shared/group account credentials when members leave the group.
  • V-265636 (HIGH): The version of ForeScout CounterACT must be a supported version.