STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Forescout Network Access Control Security Technical Implementation Guide

Version: V2R4
Release Date: Jun 12, 2025
SCAP Benchmark ID: FS_NAC_STIG
Total Checks: 26
Tags: network
Severity breakdown: CAT I: 7, CAT II: 19, CAT III: 0

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Checks (26)

  • V-233309 (HIGH): Forescout must enforce approved access by employing admissions assessment filters that include, at a minimum, device attributes such as type, IP address, resource group, and/or mission conditions as defined in Forescout System Security Plan (SSP). This is required for compliance with C2C Step 4.
  • V-233310 (HIGH): Endpoint policy assessment must proceed after the endpoint attempting access has been identified using an approved identification method such as IP address. This is required for compliance with C2C Step 2.
  • V-233311 (HIGH): For endpoints that require automated remediation, Forescout must be configured to logically separate endpoints from the trusted network traffic during remediation. This is required for compliance with C2C Step 4.
  • V-233312 (HIGH): If a device requesting access fails Forescout policy assessment, Forescout must communicate with other components and the switch to either terminate the session or isolate the device from the trusted network for remediation. This is required for compliance with C2C Step 3.
  • V-233313 (MEDIUM): Forescout must be configured to notify the user before proceeding with remediation of the user's endpoint device when automated remediation is used. This is required for compliance with C2C Step 3.
  • V-233314 (HIGH): Forescout must be configured so that all client machines are assessed by Forescout with exceptions that are allowed to bypass Forescout based on account or account type, as approved by the information system security manager (ISSM) and documented in the System Security Plan (SSP). This is required for compliance with C2C Step 1.
  • V-233317 (MEDIUM): When devices fail the policy assessment, Forescout must create a record with sufficient detail suitable for forwarding to a remediation server for automated remediation or sending to the user for manual remediation. This is required for compliance with C2C Step 3.
  • V-233318 (HIGH): Forescout must place client machines on a blacklist or terminate network communications on devices when critical security issues are found that put the network at risk. This is required for compliance with C2C Step 4.
  • V-233319 (MEDIUM): Forescout must be configured so client machines do not communicate with other network devices in the DMZ or subnet except as needed to perform an access client assessment or to identify themselves. This is required for compliance with C2C Step 2.
  • V-233320 (MEDIUM): Forescout must enforce the revocation of endpoint access authorizations when devices are removed from an authorization group. This is required for compliance with C2C Step 4.
  • V-233321 (MEDIUM): Forescout must enforce the revocation of endpoint access authorizations at the next compliance assessment interval based on changes to the compliance assessment security policy. This is required for compliance with C2C Step 4.
  • V-233322 (MEDIUM): Forescout must deny or restrict access for endpoints that fail critical endpoint security checks. This is required for compliance with C2C Step 4.
  • V-233324 (MEDIUM): Forescout must off-load log records onto a different system. This is required for compliance with C2C Step 1.
  • V-233325 (MEDIUM): Forescout must generate a critical alert to be sent to the Information System Security Officer (ISSO) and Systems Administrator (SA) (at a minimum) in the event of an audit processing failure. This is required for compliance with C2C Step 1.
  • V-233326 (MEDIUM): Forescout must authenticate all endpoint devices before establishing a connection and proceeding with posture assessment. This is required for compliance with C2C Step 4.
  • V-233327 (MEDIUM): Forescout must be configured to apply dynamic ACLs that restrict the use of ports when non-entity endpoints are connected using MAC Authentication Bypass (MAB). This is required for compliance with C2C Step 4.
  • V-233328 (MEDIUM): Forescout must reveal error messages only to the Information System Security Officer (ISSO), Information System Security Manager (ISSM), and System Administrator (SA). This is required for compliance with C2C Step 1.
  • V-233329 (MEDIUM): Forescout must configure TCP for the syslog protocol to allow for detection by the central event server if communications is lost. This is required for compliance with C2C Step 1.
  • V-233330 (MEDIUM): Forescout switch module must only allow a maximum of one registered MAC address per access port. This is required for compliance with C2C Step 4.
  • V-233331 (MEDIUM): For TLS connections, Forescout must automatically terminate the session when a client certificate is requested and the client does not have a suitable certificate. This is required for compliance with C2C Step 1.
  • V-233332 (MEDIUM): Forescout must use TLS 1.2, at a minimum, to protect the confidentiality of information passed between the endpoint agent and Forescout for the purposes of client posture assessment. This is required for compliance with C2C Step 1.
  • V-233334 (MEDIUM): Communications between Forescout endpoint agent and the switch must transmit access authorization information via a protected path using a cryptographic mechanism. This is required for compliance with C2C Step 1.
  • V-233337 (MEDIUM): Forescout must perform continuous detection and tracking of endpoint devices attached to the network. This is required for compliance with C2C Step 1.
  • V-233338 (MEDIUM): Forescout must deny network connection for endpoints that cannot be authenticated using an approved method. This is required for compliance with C2C Step 4.
  • V-233339 (MEDIUM): Forescout must use a bidirectional authentication mechanism configured with a FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to authenticate with the endpoint device. This is required for compliance with C2C Step 1.
  • V-233340 (HIGH): When connecting with endpoints, Forescout must be configured to use FIPS 140-2/3 validated algorithms for encryption processes and communications. This is required for compliance with C2C Step 1.