
STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

Okta Identity as a Service (IDaaS) Security Technical Implementation Guide

Version

V1R2

Release Date

Nov 19, 2025

SCAP Benchmark ID

Okta_IDaaS_STIG

Total Checks

29

Tags

other
CAT I: 3
CAT II: 26
CAT III: 0

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Checks (29)

V-273186 MEDIUM Okta must log out a session after a 15-minute period of inactivity.
V-273187 MEDIUM The Okta Admin Console must log out a session after a 15-minute period of inactivity.
V-273188 MEDIUM Okta must automatically disable accounts after a 35-day period of account inactivity.
V-273189 MEDIUM Okta must enforce the limit of three consecutive invalid login attempts by a user during a 15-minute time period.
V-273190 MEDIUM The Okta Dashboard application must be configured to allow authentication only via non-phishable authenticators.
V-273191 MEDIUM The Okta Admin Console application must be configured to allow authentication only via non-phishable authenticators.
V-273192 MEDIUM Okta must display the Standard Mandatory DOD Notice and Consent Banner before granting access to the application.
V-273193 HIGH The Okta Admin Console application must be configured to use multifactor authentication.
V-273194 HIGH The Okta Dashboard application must be configured to use multifactor authentication.
V-273195 MEDIUM Okta must enforce a minimum 15-character password length.
V-273196 MEDIUM Okta must enforce password complexity by requiring that at least one uppercase character be used.
V-273197 MEDIUM Okta must enforce password complexity by requiring that at least one lowercase character be used.
V-273198 MEDIUM Okta must enforce password complexity by requiring that at least one numeric character be used.
V-273199 MEDIUM Okta must enforce password complexity by requiring that at least one special character be used.
V-273200 MEDIUM Okta must enforce 24 hours/one day as the minimum password lifetime.
V-273201 MEDIUM Okta must enforce a 60-day maximum password lifetime restriction.
V-273202 HIGH Okta must off-load audit records onto a central log server.
V-273203 MEDIUM Okta must be configured to limit the global session lifetime to 18 hours.
V-273204 MEDIUM Okta must be configured to accept Personal Identity Verification (PIV) credentials.
V-273205 MEDIUM The Okta Verify application must be configured to connect only to FIPS-compliant devices.
V-273206 MEDIUM Okta must be configured to disable persistent global session cookies.
V-273207 MEDIUM Okta must be configured to use only DOD-approved certificate authorities.
V-273208 MEDIUM Okta must validate passwords against a list of commonly used, expected, or compromised passwords.
V-273209 MEDIUM Okta must prohibit password reuse for a minimum of five generations.
V-279689 MEDIUM Okta API tokens must be configured with Network Zones to restrict authorization from known networks.
V-279690 MEDIUM Okta API tokens must be created under new dedicated user accounts.
V-279691 MEDIUM The Okta Global Session policy must be configured to allow or deny IP based access in accordance with the Access Control policy for Okta.
V-279692 MEDIUM Okta must be configured with Network Zones defined to block anonymized proxies according to organizationally defined policy.
V-279693 MEDIUM For each application integrated with Okta, network zones must be defined in its authentication policy.
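Most of the password, lockout and session checks above are numeric thresholds that live in two Okta Policies API objects: the PASSWORD policy's `settings.password` block and the OKTA_SIGN_ON rule's `actions.signon.session` block. The script below is an added example, not STIGhub or DISA code, that evaluates exported policy JSON offline against those thresholds and reports the failing STIG IDs. The field names follow Okta's documented policy object shape as the author understands it and should be verified against a real export; the sample policies are constructed for this example, and the 15-minute window in V-273189 is not modelled because the lockout object as written here only carries `maxAttempts`.

```python
"""Offline check of exported Okta policy objects against the numeric
thresholds in the Okta IDaaS STIG list above (password, lockout, session).

Added example, not STIGhub or DISA code. Dictionary layout follows the
documented shape of Okta's Policies API (PASSWORD policy `settings.password`
and OKTA_SIGN_ON rule `actions.signon.session`) as understood by the author;
confirm field names against your own export before relying on it.
"""
import copy

# Constructed sample PASSWORD policy (not a real tenant export). Values are
# close to Okta's defaults, so most of the STIG checks fail against it.
WEAK_PASSWORD_POLICY = {
    "type": "PASSWORD",
    "settings": {
        "password": {
            "complexity": {
                "minLength": 8, "minLowerCase": 1, "minUpperCase": 1,
                "minNumber": 1, "minSymbol": 0, "excludeUsername": True,
                "dictionary": {"common": {"exclude": False}},
            },
            "age": {"maxAgeDays": 0, "expireWarnDays": 0,
                    "minAgeMinutes": 0, "historyCount": 4},
            "lockout": {"maxAttempts": 10, "autoUnlockMinutes": 0},
        }
    },
}

# Constructed sample OKTA_SIGN_ON rule with a persistent, long-lived session.
WEAK_SIGNON_RULE = {
    "type": "SIGN_ON",
    "actions": {"signon": {
        "access": "ALLOW", "requireFactor": False,
        "session": {"usePersistentCookie": True,
                    "maxSessionIdleMinutes": 120,
                    "maxSessionLifetimeMinutes": 0},
    }},
}


def password_findings(policy):
    """Return (STIG ID, required setting) for each failed password/lockout
    check. A 0 for maxAgeDays or maxAttempts means 'disabled' (no expiry /
    no lockout) and is treated as non-compliant."""
    pw = policy["settings"]["password"]
    c, age, lock = pw["complexity"], pw["age"], pw["lockout"]
    common_excluded = c.get("dictionary", {}).get("common", {}).get("exclude", False)
    rules = [
        ("V-273195", c.get("minLength", 0) >= 15, "complexity.minLength >= 15"),
        ("V-273196", c.get("minUpperCase", 0) >= 1, "complexity.minUpperCase >= 1"),
        ("V-273197", c.get("minLowerCase", 0) >= 1, "complexity.minLowerCase >= 1"),
        ("V-273198", c.get("minNumber", 0) >= 1, "complexity.minNumber >= 1"),
        ("V-273199", c.get("minSymbol", 0) >= 1, "complexity.minSymbol >= 1"),
        ("V-273200", age.get("minAgeMinutes", 0) >= 24 * 60, "age.minAgeMinutes >= 1440"),
        ("V-273201", 0 < age.get("maxAgeDays", 0) <= 60, "0 < age.maxAgeDays <= 60"),
        ("V-273208", common_excluded, "complexity.dictionary.common.exclude == true"),
        ("V-273209", age.get("historyCount", 0) >= 5, "age.historyCount >= 5"),
        ("V-273189", 0 < lock.get("maxAttempts", 0) <= 3, "0 < lockout.maxAttempts <= 3"),
    ]
    return [(vid, want) for vid, ok, want in rules if not ok]


def session_findings(rule):
    """Return (STIG ID, required setting) for each failed global-session
    check. maxSessionLifetimeMinutes of 0 is treated as 'no limit'."""
    s = rule["actions"]["signon"]["session"]
    rules = [
        ("V-273186", 0 < s.get("maxSessionIdleMinutes", 0) <= 15, "session.maxSessionIdleMinutes <= 15"),
        ("V-273203", 0 < s.get("maxSessionLifetimeMinutes", 0) <= 18 * 60, "session.maxSessionLifetimeMinutes <= 1080"),
        ("V-273206", s.get("usePersistentCookie", False) is False, "session.usePersistentCookie == false"),
    ]
    return [(vid, want) for vid, ok, want in rules if not ok]


def harden_password_policy(policy):
    """Copy of the policy with the STIG thresholds applied (constructed values)."""
    p = copy.deepcopy(policy)
    pw = p["settings"]["password"]
    pw["complexity"].update({"minLength": 15, "minUpperCase": 1, "minLowerCase": 1,
                             "minNumber": 1, "minSymbol": 1,
                             "dictionary": {"common": {"exclude": True}}})
    pw["age"].update({"minAgeMinutes": 24 * 60, "maxAgeDays": 60, "historyCount": 5})
    pw["lockout"].update({"maxAttempts": 3})
    return p


def harden_signon_rule(rule):
    """Copy of the sign-on rule with the STIG session limits applied."""
    r = copy.deepcopy(rule)
    r["actions"]["signon"]["session"].update({"usePersistentCookie": False,
                                              "maxSessionIdleMinutes": 15,
                                              "maxSessionLifetimeMinutes": 18 * 60})
    return r


if __name__ == "__main__":
    for label, findings in [
        ("weak password policy", password_findings(WEAK_PASSWORD_POLICY)),
        ("weak sign-on rule", session_findings(WEAK_SIGNON_RULE)),
        ("hardened password policy", password_findings(harden_password_policy(WEAK_PASSWORD_POLICY))),
        ("hardened sign-on rule", session_findings(harden_signon_rule(WEAK_SIGNON_RULE))),
    ]:
        print(f"{label}: {len(findings)} finding(s)")
        for vid, want in findings:
            print(f"  {vid}: need {want}")
```

To run it against a real org, replace the constructed samples with the JSON returned by the Policies API for the PASSWORD policy and the global session (OKTA_SIGN_ON) rules; the remaining checks in the list (MFA, phishing-resistant authenticators, PIV, log off-loading, network zones) are not numeric thresholds and need their own logic.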