| V-271916 | | The Cisco ACI must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC). | If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis. Time stamps generate... |
| V-271917 | | The Cisco ACI must be configured to authenticate SNMP messages using a FIPS-validated Keyed-Hash Message Authentication Code (HMAC). | Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authenticati... |
| V-271918 | | The Cisco ACI must display the Standard Mandatory DOD Notice and Consent Banner before granting access to the device. | Display of the DOD-approved use notification before granting access to the Cisco ACI ensures privacy and security notification verbiage used is consis... |
| V-271919 | | The Cisco ACI must be configured to enforce the limit of three consecutive invalid logon attempts, after which time it must block any login attempt for 15 minutes. | By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, ... |
| V-271921 | | The Cisco ACI must conduct backups of the configuration weekly or at an organization-defined frequency and store on a separate device. | Information system backup is a critical step in maintaining data assurance and availability. Information system and security-related documentation con... |
| V-271922 | | The Cisco ACI must obtain its public key certificates from an appropriate certificate policy through an approved service provider. | After the Cisco ACI is initialized, it uses the self-signed certificate as the SSL certificate for HTTPS. This self-signed certificate is neither appr... |
| V-271923 | | The Cisco ACI must use DOD-approved Network Time Protocol (NTP) sources that use authentication that is cryptographically based. | If NTP is not authenticated, an attacker can introduce a rogue NTP server. This rogue server can then be used to send incorrect time information to Ci... |
| V-271929 | | The Cisco ACI must be configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable. | Authentication for administrative (privileged level) access to the device is required at all times. An account can be created on the device's local da... |
| V-271932 | | The Cisco ACI must be configured to alert organization-defined personnel or roles upon detection of unauthorized access, modification, or deletion of audit information. | Audit information includes all information needed to successfully audit system activity, such as audit records, audit log settings, audit reports, and... |
| V-271933 | | The Cisco ACI must audit the enforcement actions used to restrict access associated with changes to the device. | Without auditing the enforcement of access restrictions against changes to the device configuration, it will be difficult to identify attempted attack... |
| V-271935 | | The Cisco ACI must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements. | To ensure Cisco ACIs have a sufficient storage capacity in which to write the audit logs, they need to be able to allocate audit record storage capaci... |
| V-271936 | | The Cisco ACI must implement replay-resistant authentication mechanisms for network access to privileged accounts. | A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the applicati... |
| V-271939 | | The Cisco ACI must automatically audit account creation. | Upon gaining access to a Cisco ACI, an attacker will often first attempt to create a persistent method of reestablishing access. One way to accomplish... |
| V-271944 | | The Cisco ACI must generate log records for a locally developed list of auditable events. | Auditing and logging are key components of any security architecture. Logging the actions of specific events provides a means to investigate an attack... |
| V-271958 | | The Cisco ACI must be configured to allow user selection of long passwords and passphrases, including spaces and all printable characters, for password-based authentication. | Password-based authentication applies to passwords regardless of whether they are used in single-factor or multifactor authentication. Long passwords ... |
| V-271960 | | The Cisco ACI must enforce a minimum 15-character password length. | Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password ... |
| V-271971 | | The Cisco ACI must be configured to synchronize system clocks within and between systems or system components. | Time synchronization of system clocks is essential for the correct execution of many system services, including identification and authentication proc... |
| V-271972 | | The Cisco ACI must be configured to disable the auxiliary USB port. | Disable the USB port in those environments where physical access to the devices is not strictly controlled, or in environments where this extra layer ... |
| V-271975 | | The Cisco ACI must limit the number of concurrent sessions to one for each administrator account. | Device management includes the ability to control the number of administrators and management sessions that manage a device. Limiting the number of al... |
| V-271920 | | The Cisco ACI must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services. | To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within d... |
| V-271924 | | The Cisco Application Policy Infrastructure Controller (APIC) must be configured to use at least two authentication servers for the purpose of authenticating users prior to granting administrative access. | Centralized management of authentication settings increases the security of remote and nonlocal access methods. This control is particularly important... |
| V-271926 | | The Cisco ACI must be running an operating system release that is currently supported by the vendor. | Cisco ACIs running an unsupported operating system lack current security fixes required to mitigate the risks associated with recent vulnerabilities... |
| V-271927 | | The Cisco ACI must be configured to assign appropriate user roles or access levels to authenticated users. | Successful identification and authentication must not automatically give an entity full access to a Cisco ACI or security domain. The lack of authoriz... |
| V-271931 | | The Cisco ACI must be configured to send log data to a central log server for log retention and forwarding alerts to the administrators and the information system security officer (ISSO). | The aggregation of log data kept on a syslog server can be used to detect attacks and trigger an alert to the appropriate security personnel. The stor... |
| V-271966 | | The Cisco ACI must use FIPS 140-2/140-3 approved algorithms for authentication to a cryptographic module. | Unapproved mechanisms used for authentication to the cryptographic module are not validated and therefore, cannot be relied on to provide confidential... |
| V-271969 | | Cisco ACI SSH sessions must be terminated after five minutes of inactivity. | Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management se... |