Forescout must use TLS 1.2, at a minimum, to protect the confidentiality of information passed between the endpoint agent and Forescout for the purposes of client posture assessment. This is required for compliance with C2C Step 1.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-233332	FORE-NC-000270	SV-233332r811414_rule	CCI-000068	medium
Description
Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol.
STIG			Date
Forescout Network Access Control Security Technical Implementation Guide			2025-06-12

Related Frameworks

3 paths across 3 frameworks

NIST 800-531 mapping

AC-17(2)

1.00

DISA · V2R4 · disa_xccdf · related
DISA · 2025-01-23 · disa_cci_list · equivalent

NIST 800-1711 mapping

3.1.13

1.00

DISA · V2R4 · disa_xccdf · related
DISA · 2025-01-23 · disa_cci_list · equivalent
NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent

CCI1 mapping

CCI-000068

1.00

DISA · V2R4 · disa_xccdf · related

Details

Check Text (C-233332r811414_chk)

If DoD is not at C2C Step 1 or higher, this is not a finding. Verify Forescout is configured to a list of DoD-approved certificate types and CAs. Verify the TLS session is configured to automatically terminate any session if the client does not have a suitable certificate. For TLS connections, if Forescout is not configured to use TLS 1.2 at a minimum, this is a finding.

Fix Text (F-36492r803481_fix)

Configure the SecureConnector to ensure the minimum supported TLS version is set to TLS 1.2. Log on to the Forescout UI. 1. Select Tools >> Options >> Certificates. 2. Check the Ongoing TLS Sessions section, view the Re-verify TLS Sessions. 3. Change the Re-verify TLS Sessions to Every 1 Day or in accordance with the site's SSP, then click "Apply". 4. Next, select the HPS Inspection Engine >> SecureConnector. 5. In the Client-Server Connection, ensure the Minimum Supported TLS Version is set to TLS version 1.2.