STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

SDN Controller Security Requirements Guide

Version

V2R2

Release Date

Aug 28, 2025

SCAP Benchmark ID

SDN_Controller_SRG

Total Checks

34

Tags

other

Severity Breakdown

CAT I: 7, CAT II: 27, CAT III: 0

This Security Requirements Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Checks (34)

  • V-206715 (MEDIUM): The SDN controller must be configured to enforce approved authorizations for access to system resources in accordance with applicable access control policies.
  • V-206716 (MEDIUM): The SDN controller must be configured to enforce approved authorizations for controlling the flow of traffic within the network based on organization-defined information flow control policies.
  • V-206717 (MEDIUM): The SDN controller must be configured to produce audit records containing information to establish what type of events occurred.
  • V-206718 (MEDIUM): The SDN controller must be configured to produce audit records containing information to establish when the events occurred.
  • V-206719 (MEDIUM): The SDN controller must be configured to produce audit records containing information to establish where the events occurred.
  • V-206720 (MEDIUM): The SDN controller must be configured to produce audit records containing information to establish the source of the events.
  • V-206721 (MEDIUM): The SDN controller must be configured to produce audit records containing information to establish the outcome of the events.
  • V-206722 (MEDIUM): The SDN controller must be configured to generate audit records containing information that establishes the identity of any individual or process associated with the event.
  • V-206723 (MEDIUM): The SDN controller must be configured to disable non-essential capabilities.
  • V-206724 (MEDIUM): The SDN controller must be configured to enforce a policy to manage bandwidth and to limit the effects of a packet-flooding Denial of Service (DoS) attack.
  • V-206725 (MEDIUM): The SDN controllers must be configured as a cluster in active/active or active/passive mode to preserve any information necessary to determine cause of a system failure and to maintain network operations with least disruption to workload processes and flows.
  • V-206726 (MEDIUM): The SDN controller must be configured to protect against or limit the effects of denial-of-service (DoS) attacks by rate-limiting control-plane communications.
  • V-206727 (MEDIUM): The SDN controller must be configured to only allow incoming communications from organization-defined authorized sources routed to organization-defined authorized destinations.
  • V-206728 (HIGH): The SDN controller must be configured to authenticate southbound Application Program Interface (API) control-plane messages received from SDN-enabled network elements using a FIPS-approved message authentication code algorithm.
  • V-206729 (HIGH): The SDN controller must be configured to authenticate northbound Application Program Interface (API) messages received from business applications and management systems using a FIPS-approved message authentication code algorithm.
  • V-206730 (HIGH): The SDN controller must be configured to encrypt all southbound Application Program Interface (API) control-plane messages using a FIPS-validated cryptographic module.
  • V-206731 (HIGH): The SDN controller must be configured to encrypt all northbound Application Program Interface (API) messages using a FIPS-validated cryptographic module.
  • V-206732 (HIGH): The SDN controller must be configured to authenticate received southbound Application Program Interface (API) management-plane messages using a FIPS-approved message authentication code algorithm.
  • V-206733 (HIGH): The SDN controller must be configured to encrypt all southbound Application Program Interface (API) management-plane messages using a FIPS-validated cryptographic module.
  • V-206734 (MEDIUM): The SDN controller must be configured to be deployed as a cluster and on separate physical hosts.
  • V-206735 (MEDIUM): The SDN Controller must be configured to notify the forwarding device to either drop the packet or make an entry in the flow table for a received packet that does not match any flow table entries.
  • V-206736 (MEDIUM): SDN controller must be configured to forward traffic based on security requirements.
  • V-206737 (MEDIUM): The SDN controller must be configured to enable multi-tenant virtual networks to be fully isolated from one another.
  • V-206738 (MEDIUM): The SDN controller must be configured to separate tenant functionality from system management functionality.
  • V-206739 (MEDIUM): The SDN controller must be configured to isolate security functions from non-security functions.
  • V-206740 (MEDIUM): The SDN controller must be configured to generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.
  • V-206741 (MEDIUM): The SDN controller must be configured to notify the ISSO and ISSM of failed verification tests for organization-defined security functions.
  • V-206742 (MEDIUM): The SDN controller must be configured to prohibit user installation of software without explicit privileged status.
  • V-206743 (MEDIUM): The SDN controller must be configured to enforce access restrictions associated with changes to the configuration.
  • V-206744 (MEDIUM): The SDN controller must be configured to audit the enforcement actions used to restrict access associated with changes to any application within the SDN framework.
  • V-216509 (HIGH): The SDN controller must be configured in accordance with the security configuration settings based on DOD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
  • V-264312 (MEDIUM): The SDN controller must be configured to employ organization-defined controls by type of denial of service (DoS) to achieve the DoS objective.
  • V-264313 (MEDIUM): The SDN controller must be configured to implement physically or logically separate subnetworks to isolate organization-defined critical system components and functions.
  • V-264314 (MEDIUM): The SDN controller must be configured to establish organization-defined alternate communications paths for system operations organizational command and control.