Cisco ISE NAC Security Technical Implementation Guide

  • Version/Release: V1R5
  • Published: 2023-12-18

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
The Cisco ISE must use TLS 1.2, at a minimum, to protect the confidentiality of information passed between the endpoint agent and the Cisco ISE. This is required for compliance with C2C Step 1.
AC-17 - High - CCI-000068 - V-242575 - SV-242575r812732_rule
RMF Control
AC-17
Severity
High
CCI
CCI-000068
Version
CSCO-NC-000010
Vuln IDs
  • V-242575
Rule IDs
  • SV-242575r812732_rule
The agent may pass information about the endpoint to the Cisco ISE, and that information may be sensitive. Using older, unauthorized TLS versions or incorrectly configuring protocol negotiation exposes this exchange to known and unknown attacks that exploit weaknesses in those protocol versions.
Checks: C-45850r812731_chk

If DoD is not at C2C Step 1 or higher, this is not a finding.

Verify that only TLS 1.2 is enabled. From the Web Admin portal:
1. Navigate to Administration >> System >> Settings >> Security Settings.
2. Ensure "Allow TLS1.0", "Allow TLS1.1", and "Allow legacy unsafe TLS renegotiation for ISE as a client" are unchecked.

If TLS 1.0 or 1.1 is enabled, this is a finding.

Fix: F-45807r714034_fix

Configure ISE so that only TLS 1.2 is enabled. From the Web Admin portal:
1. Navigate to Administration >> System >> Settings >> Security Settings.
2. Ensure "Allow TLS1.0", "Allow TLS1.1", and "Allow legacy unsafe TLS renegotiation for ISE as a client" are unchecked.
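The check above reads the setting in the GUI; a practitioner will also want to confirm from the network side that the listener really refuses TLS 1.0 and 1.1 while still completing a TLS 1.2 handshake. The following Python script is an added example, not part of the STIG or of Cisco's tooling. It assumes the HTTPS ports you probe (443 for the admin portal; 8443 is the usual portal/agent port, verify yours) are reachable from where it runs; the verdict labels are the example's own. It does not exercise EAP-TLS inside RADIUS, which a TCP probe cannot reach.

```python
"""Probe which TLS versions a Cisco ISE HTTPS listener will negotiate.

Added example, not Cisco code. Pins a client context to one protocol version
at a time and reports whether the server completes the handshake.
"""
import socket
import ssl
import sys

VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}


def negotiates(host, port, version, timeout=5.0):
    """True/False: did the server complete a handshake pinned to `version`?
    None: the local OpenSSL refuses to even offer that version (untestable)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # probing negotiation, not trust
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        if version < ssl.TLSVersion.TLSv1_2:
            # OpenSSL 3 hides TLS 1.0/1.1 behind security level 0; without this
            # the probe fails locally and would look like a server refusal.
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except (ssl.SSLError, ValueError):
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False


def probe_all(host, port, timeout=5.0):
    """Map each version name to negotiates() for one host:port."""
    return {name: negotiates(host, port, ver, timeout) for name, ver in VERSIONS.items()}


def assess(results):
    """STIG-style verdict from a probe_all() map (labels are this example's own).

    A finding if any pre-1.2 version negotiated. If TLS 1.2 itself did not
    negotiate the probe is inconclusive (wrong port, filtered, service down),
    so never report "not a finding" on silence alone.
    """
    legacy = [v for v, ok in results.items() if ok and v != "TLSv1.2"]
    untestable = [v for v, ok in results.items() if ok is None]
    if legacy:
        return "finding", legacy
    if results.get("TLSv1.2") is not True:
        return "error", ["TLSv1.2 did not negotiate; fix reachability before concluding"]
    if untestable:
        return "inconclusive", untestable
    return "not a finding", []


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "ise-psn1.example.mil"  # assumed name
    for port in (443, 8443):
        verdict, detail = assess(probe_all(host, port))
        print(f"{host}:{port} -> {verdict} {detail}")
```

Run it against every Policy Service Node that terminates agent traffic, not just the primary admin node. A "finding" result means a legacy handshake completed end to end; an "inconclusive" result means your own OpenSSL build could not offer the legacy version, so test again from a host that can.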

The Cisco ISE must enforce approved access by employing authorization policies with specific attributes; such as resource groups, device type, certificate attributes, or any other attributes that are specific to a group of endpoints, and/or mission conditions as defined in the site's Cisco ISE System Security Plan (SSP). This is required for compliance with C2C Step 4.
AC-3 - High - CCI-000213 - V-242576 - SV-242576r812734_rule
RMF Control
AC-3
Severity
High
CCI
CCI-000213
Version
CSCO-NC-000020
Vuln IDs
  • V-242576
Rule IDs
  • SV-242576r812734_rule
Successful authentication must not automatically give an entity access to an asset or security boundary. The lack of authorization-based access control could result in unauthorized network access. Configure policy sets with specific authorization policies. Policies consist of rules, where each rule consists of conditions to be met that allow differential access based on grouping of device types by common attributes. ISE requires each authorization policy to have at least one condition. The default authorization policy is the only policy that does not require a condition, and it is not possible to assign a condition to the default authorization policy.
Checks: C-45851r812733_chk

If DoD is not at C2C Step 4 or higher, this is not a finding.

Verify that the default authorization rule of each policy set is either "Deny-Access" or a restricted-access result.
1. Navigate to Work Centers >> Network Access >> Policy Sets.
2. Choose ">" on the desired policy set.
3. Expand Authorization Policy.

If the default authorization policy within each policy set has "Deny-Access" or restricted access, this is not a finding.

Fix: F-45808r714037_fix

Configure each policy set so that its default authorization rule is either "Deny-Access" or a restricted-access result.
1. Navigate to Work Centers >> Network Access >> Policy Sets.
2. Choose ">" on the desired policy set.
3. Expand Authorization Policy.
4. On the default authorization rule, select "Deny-Access" or a result that is configured for a restricted VLAN, ACL, SGT, or any combination used to restrict access.

The Cisco ISE must be configured to profile endpoints connecting to the network. This is required for compliance with C2C Step 4.
AC-3 - High - CCI-000213 - V-242577 - SV-242577r812736_rule
RMF Control
AC-3
Severity
High
CCI
CCI-000213
Version
CSCO-NC-000030
Vuln IDs
  • V-242577
Rule IDs
  • SV-242577r812736_rule
It is possible for endpoints to be manually added to an incorrect endpoint identity group. The endpoint policy can be dynamically set through profiling. If the endpoint group is statically set but the endpoint policy is set to dynamic, then it is possible to identify endpoints that may receive unintended access.
Checks: C-45852r812735_chk

If DoD is not at C2C Step 4 or higher, this is not a finding.

Verify the profiling service is configured and enabled.
1. Choose Administration >> System >> Deployment.
2. View the Deployment Nodes. Verify the following services are enabled via their check boxes:
   - Policy Service
   - Enable Session Services
   - Enable Profiling Services

If the Cisco ISE profiling service is not configured and enabled, this is a finding.

Fix: F-45809r714040_fix

Configure the profiling service to provide a contextual inventory of all the endpoints that are using your network resources in any Cisco ISE-enabled network.
1. Choose Administration >> System >> Deployment.
2. Choose a Cisco ISE node that assumes the Policy Service persona.
3. Click "Edit" in the Deployment Nodes page.
4. On the "General Settings" tab, check the "Policy Service" check box.
5. Perform the following tasks:
   - Check the "Enable Session Services" check box.
   - Check the "Enable Profiling Services" check box to run the profiling service.
6. Click "Save" to save the node configuration.

The Cisco ISE must verify host-based firewall software is running on posture required clients defined in the NAC System Security Plan (SSP) prior to granting trusted network access. This is required for compliance with C2C Step 4.
AC-3 - High - CCI-000213 - V-242578 - SV-242578r812738_rule
RMF Control
AC-3
Severity
High
CCI
CCI-000213
Version
CSCO-NC-000040
Vuln IDs
  • V-242578
Rule IDs
  • SV-242578r812738_rule
Automated policy assessments must reflect the organization's current security policy so entry control decisions will happen only where remote endpoints meet the organization's security requirements. If the remote endpoints are allowed to connect to the organization's network without passing minimum-security controls, they become a threat to the entire network.
Checks: C-45853r812737_chk

If DoD is not at C2C Step 4 or higher, this is not a finding. If a host-based firewall is not required by the NAC SSP, this is not a finding.

Verify that the posture policy checks that a host-based firewall is running.
1. Navigate to Work Centers >> Posture >> Posture Policy.
2. Review the enabled posture policies, analyzing all of their conditions.
3. Review the requirements listed on the policies that the posture-required clients will use.
4. Navigate to Work Centers >> Posture >> Policy Elements.
5. Review the requirements applied in the posture policy to ensure one has a firewall condition applied.
6. Review the firewall condition to ensure it is configured to verify that the client firewall is enabled.

If there is no firewall condition tied to a requirement that is applied to an applicable posture policy, this is a finding.

Fix: F-45810r803520_fix

If required by the site's NAC SSP, configure the posture policy to verify that a host-based firewall is running.

1. Navigate to Work Centers >> Posture >> Policy Elements.
2. Create a Firewall Condition.
   a. Expand "Conditions" on the left of the page.
   b. Choose "Firewall Condition".
   c. Choose "Add".
   d. Define a Name.
   e. Select the applicable Compliance Module.
   f. Select the Operating System.
   g. Select the firewall vendor.
   h. Check "enable".
   i. Select the desired product or products.
   j. Choose "Save".
3. Create a Firewall Remediation.
   a. Expand "Remediations" on the left of the page.
   b. Choose "Firewall".
   c. Choose "Add".
   d. Define a Name.
   e. Select the Operating System.
   f. Select the applicable Compliance Module.
   g. Select the Remediation Type.
   h. Define the interval between retries.
   i. Define the Retry Count.
   j. Select the desired Vendor Name.
   k. Check "Remediation Option is to enable the Firewall".
   l. Select the Product Name.
   m. Choose "Submit".
4. Create the Requirement.
   a. Choose "Requirements" on the left of the page.
   b. Choose the drop-down next to "Edit" on the right side of the page where the requirement is to be inserted.
   c. Choose "Insert new Requirement".
   d. Define a Name.
   e. Select the Operating System.
   f. Select the applicable Compliance Module.
   g. Select the Posture Type.
   h. Select the Condition created above.
   i. Select the Remediation Action created above and type in a message to display.
   j. Choose "Done".
   k. Choose "Save".
5. Edit the Posture Policy.
   a. Navigate to Work Centers >> Posture >> Posture Policy.
   b. Find the Posture Policy that will be applied to the posture-required endpoints.
   c. Select the Requirement, ensuring there is a green check box to the left of the name indicating it is a mandatory requirement.
   d. Choose "Done".
   e. Choose "Save".

The Cisco ISE must verify anti-malware software is installed and up to date on posture required clients defined in the NAC System Security Plan (SSP) prior to granting trusted network access. This is required for compliance with C2C Step 4.
AC-3 - High - CCI-000213 - V-242579 - SV-242579r812740_rule
RMF Control
AC-3
Severity
High
CCI
CCI-000213
Version
CSCO-NC-000050
Vuln IDs
  • V-242579
Rule IDs
  • SV-242579r812740_rule
New viruses and malware are consistently being discovered. If the host-based security software is not current then it will not be able to defend against exploits that have been previously discovered.
Checks: C-45854r812739_chk

If DoD is not at C2C Step 4 or higher, this is not a finding. If not required by the NAC SSP, this is not a finding. If this requirement is met by another system or application, this is not applicable.

Verify that the posture policy checks that anti-malware software is installed and up to date.
1. Navigate to Work Centers >> Posture >> Posture Policy.
2. Review the enabled posture policies, analyzing all of their conditions.
3. Review the requirements listed on the policies that the posture-required clients will use.
4. Navigate to Work Centers >> Posture >> Policy Elements.
5. Review the requirements applied in the posture policy to ensure there are requirements with anti-malware conditions applied.
6. Review the anti-malware conditions, ensuring one is configured to verify that the software is installed and one is configured to verify that the software is up to date.

If there is no anti-malware condition tied to a requirement that is applied to an applicable posture policy, this is a finding.

Fix: F-45811r803523_fix

If required by the NAC SSP, configure the posture policy to verify that anti-malware software is up to date.

1. Navigate to Work Centers >> Posture >> Policy Elements.
2. Create an Anti-Malware Condition.
   a. Expand "Conditions" on the left of the page.
   b. Choose "Anti-Malware".
   c. Choose "Add".
   d. Define a Name.
   e. Select the Operating System.
   f. Select the vendor.
   g. Check "Definition".
   h. Check "Check against latest AV definition file version if available. Otherwise check against latest definition file date." or "Allow virus definition file to be (<1) days older than the current system date."
   i. Select the desired product or products.
   j. Choose "Submit".
3. Create an Anti-Malware Remediation.
   a. Expand "Remediations" on the left of the page.
   b. Choose "Anti-Malware".
   c. Choose "Add".
   d. Define a Name.
   e. Select the Operating System.
   f. Select the Remediation Type.
   g. Define the interval between retries.
   h. Define the Retry Count.
   i. Select the desired Vendor Name.
   j. Check the remediation option.
   k. Select the Product Name.
   l. Choose "Submit".
4. Create the Requirement.
   a. Choose "Requirements" on the left of the page.
   b. Choose the drop-down next to "Edit" on the right side of the page where the requirement is to be inserted.
   c. Choose "Insert new Requirement".
   d. Define a Name.
   e. Select the Operating System.
   f. Select the applicable Compliance Module.
   g. Select the Posture Type.
   h. Select the Condition created above.
   i. Select the Remediation Action created above and type in a message to display.
   j. Choose "Done".
   k. Choose "Save".
5. Edit the Posture Policy.
   a. Navigate to Work Centers >> Posture >> Posture Policy.
   b. Find the Posture Policy that will be applied to the posture-required endpoints.
   c. Select the Requirement, ensuring there is a green check box to the left of the name indicating it is a mandatory requirement.
   d. Choose "Done".
   e. Choose "Save".

Note: If any other Definition option is used, the Posture Updates must be kept current (navigate to Work Centers >> Posture >> Settings >> Software Updates >> Posture Updates).

Configure the posture policy to verify that anti-malware software is installed.

1. Navigate to Work Centers >> Posture >> Policy Elements.
2. Create an Anti-Malware Condition.
   a. Expand "Conditions" on the left of the page.
   b. Choose "Anti-Malware".
   c. Choose "Add".
   d. Define a Name.
   e. Select the Operating System.
   f. Select the vendor.
   g. Check "Installation".
   h. Select the desired product or products.
   i. Choose "Submit".
3. Create an Anti-Malware Remediation, create the Requirement, and edit the Posture Policy exactly as in steps 3 through 5 above, selecting the installation condition created here.

The Cisco ISE must verify host-based IDS/IPS software is authorized and running on posture required clients defined in the NAC System Security Plan (SSP) prior to granting trusted network access. This is required for compliance with C2C Step 4.
AC-3 - High - CCI-000213 - V-242580 - SV-242580r864173_rule
RMF Control
AC-3
Severity
High
CCI
CCI-000213
Version
CSCO-NC-000060
Vuln IDs
  • V-242580
Rule IDs
  • SV-242580r864173_rule
Automated policy assessments must reflect the organization's current security policy so entry control decisions will happen only where remote endpoints meet the organization's security requirements. If the remote endpoints are allowed to connect to the organization's network without passing minimum-security controls, they become a threat to the entire network.
Checks: C-45855r812741_chk

If DoD is not at C2C Step 4 or higher, this is not a finding. If not required by the NAC SSP, this is not a finding.

Verify that the posture policy checks that a host-based IPS is running.
1. Navigate to Work Centers >> Posture >> Posture Policy.
2. Review the enabled posture policies, analyzing all of their conditions.
3. Review the requirements listed on the policies that the posture-required clients will use.
4. Navigate to Work Centers >> Posture >> Policy Elements.
5. Review the requirements applied in the posture policy to ensure one has a firewall condition applied with the host intrusion prevention product selected (the fix below uses the Firewall Condition for this).
6. Review that condition to ensure it is configured to verify that the host IPS is enabled.

If there is no such condition tied to a requirement that is applied to an applicable posture policy, this is a finding.

Fix: F-45812r803526_fix

If required by the NAC SSP, configure the posture policy to verify that a host-based IPS is running.

1. Navigate to Work Centers >> Posture >> Policy Elements.
2. Create a Host Intrusion Prevention Condition.
   a. Expand "Conditions" on the left of the page.
   b. Choose "Firewall Condition".
   c. Choose "Add".
   d. Define a Name.
   e. Select the applicable Compliance Module.
   f. Select the Operating System.
   g. Select "McAfee" as the vendor.
   h. Check "enable".
   i. Select "McAfee Host Intrusion Prevention" in the product list.
   j. Choose "Save".
3. Create the Requirement.
   a. Choose "Requirements" on the left of the page.
   b. Choose the drop-down next to "Edit" on the right side of the page where the requirement is to be inserted.
   c. Choose "Insert new Requirement".
   d. Define a Name.
   e. Select the Operating System.
   f. Select the applicable Compliance Module.
   g. Select the Posture Type.
   h. Select the Condition created above.
   i. Select the Remediation Action "Message Text Only" and type in a message to display.
   j. Choose "Done".
   k. Choose "Save".
4. Edit the Posture Policy.
   a. Navigate to Work Centers >> Posture >> Posture Policy.
   b. Find the Posture Policy that will be applied to the posture-required endpoints.
   c. Select the Requirement, ensuring there is a green check box to the left of the name indicating it is a mandatory requirement.
   d. Choose "Done".
   e. Choose "Save".

For endpoints that require automated remediation, the Cisco ISE must be configured to redirect endpoints to a logically separate VLAN for remediation services. This is required for compliance with C2C Step 4.
AC-3 - Medium - CCI-000213 - V-242581 - SV-242581r812744_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
CSCO-NC-000070
Vuln IDs
  • V-242581
Rule IDs
  • SV-242581r812744_rule
Automated and manual remediation procedures for critical security updates are managed differently. Continuing to assess and remediate endpoints whose risks could endanger the network, while they sit on the production network, could impact network usage for all users. A separate remediation VLAN keeps their traffic from mixing with traffic from endpoints that have been fully assessed and authorized. Unauthenticated devices must not be allowed to connect to remediation services.
Checks: C-45856r812743_chk

If DoD is not at C2C Step 4 or higher, this is not a finding. If not required by the NAC SSP, this is not a finding. If posture is not mandated by the Information System Security Manager (ISSM), this is not a finding.

Verify that the authorization policies for "Posture NonCompliant" have a result that assigns the remediation VLAN.
1. Navigate to Work Centers >> Network Access >> Policy Sets.
2. Choose ">" on the desired policy set.
3. Expand Authorization Policy.
4. Scan for authorization policies with the "Posture NonCompliant" condition.
5. Verify the result assigned to the authorization policy assigns the remediation VLAN.

If the result is the remediation VLAN, this is not a finding.

Fix: F-45813r803529_fix

If required by the NAC SSP, configure the "Posture NonCompliant" authorization policy so that its result assigns the remediation VLAN.
1. Navigate to Work Centers >> Network Access >> Policy Sets.
2. Choose ">" on the desired policy set.
3. Expand Authorization Policy.
4. Create an authorization policy for "Posture NonCompliant".
5. Assign the remediation VLAN result.

The Cisco ISE must be configured to notify the user before proceeding with remediation of the user's endpoint device when automated remediation is used. This is required for compliance with C2C Step 3.
AC-3 - Low - CCI-000213 - V-242582 - SV-242582r812746_rule
RMF Control
AC-3
Severity
Low
CCI
CCI-000213
Version
CSCO-NC-000080
Vuln IDs
  • V-242582
Rule IDs
  • SV-242582r812746_rule
Notification will let the user know that installation is in progress and may take a while. This notice may deter the user from disconnecting and retrying the connection before the remediation is completed. Premature disconnections may increase network demand and frustrate the user. Note: This policy does not require remediation to be performed by the Cisco ISE, but will apply if remediation services are used.
Checks: C-45857r812745_chk

If DoD is not at C2C Step 3 or higher, this is not a finding. If not required by the NAC SSP, this is not a finding.

Verify that each requirement used has a message to display.
1. Navigate to Work Centers >> Posture >> Posture Policy.
2. Make a note of each "Requirement" tied to an enabled Posture Policy.
3. Navigate to Work Centers >> Posture >> Policy Elements >> Requirements.
4. Verify that each requirement noted has a message in the "Message Shown to Agent User" box.

If a requirement that is used does not have a message, this is a finding.

Fix: F-45814r803532_fix

If required by the NAC SSP, configure a message to be shown prior to remediation:
1. Navigate to Work Centers >> Posture >> Policy Elements >> Requirements.
2. On each requirement, under "Remediation Actions", define a message in "Message Shown to Agent User".
3. Choose "Done".
4. Choose "Save".

The Cisco ISE must be configured so that all endpoints that are allowed to bypass policy assessment are approved by the Information System Security Manager (ISSM) and documented in the System Security Plan (SSP). This is required for compliance with C2C Step 1.
AC-3 - Medium - CCI-000213 - V-242583 - SV-242583r812748_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
CSCO-NC-000090
Vuln IDs
  • V-242583
Rule IDs
  • SV-242583r812748_rule
Connections that bypass established security controls should be only in cases of administrative need. These procedures and use cases must be approved by the Information System Security Manager (ISSM).
Checks: C-45858r812747_chk

If DoD is not at C2C Step 1 or higher, this is not a finding. If not required by the NAC SSP, this is not a finding.

Review the posture policy to ensure mandated endpoints are being assessed and that any exceptions to the policy are documented and approved by the ISSM.
1. Navigate to Work Centers >> Posture >> Posture Policy.
2. Examine the enabled Posture Policies to determine whether the endpoints that are mandated to be assessed will use the required policies.
3. If there is an endpoint type that should be assessed and a condition or conditions exempt a subgroup of that endpoint type, verify that the subgroup is documented and approved by the ISSM.

If the policy will not be applied to required endpoints, or if exempted endpoints are not approved and documented, this is a finding.

Fix: F-45815r803535_fix

If required by the NAC SSP, configure the posture policy to assess mandated endpoints.
1. Navigate to Work Centers >> Posture >> Posture Policy.
2. Choose the drop-down next to "Edit" on the right side of the page where the new policy is to be inserted.
3. Choose "Insert new policy".
4. Define a Name.
5. Select the applicable Identity Groups.
6. Select the applicable Operating Systems configured in the requirement previously created.
7. Select the Compliance Module configured in the requirement previously created.
8. Select the Posture Type configured in the requirement previously created.
9. Select Other Conditions if used.
10. Select the Requirement, ensuring there is a green check box to the left of the name indicating it is a mandatory requirement.
11. Choose "Done".
12. Choose "Save".

Note: For exceptions, a condition can be made to "Not Equal" or "Not Contains" a pattern to exempt devices from the policy.

The Cisco ISE must send an alert to the Information System Security Manager (ISSM) and System Administrator (SA), at a minimum, when security issues are found that put the network at risk. This is required for compliance with C2C Step 2.
AC-3 - Medium - CCI-000213 - V-242584 - SV-242584r812750_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
CSCO-NC-000100
Vuln IDs
  • V-242584
Rule IDs
  • SV-242584r812750_rule
Trusted computing should require authentication and authorization of both the user's identity and the identity of the computing device. An authorized user may be accessing the network remotely from a computer that does not meet DoD standards. This may compromise user information, particularly before or after a VPN tunnel is established.
Checks: C-45859r812749_chk

If DoD is not at C2C Step 2 or higher, this is not a finding. If not required by the NAC SSP, this is not a finding.

Verify that an alarm will be generated and sent when an endpoint has a change in posture status. From the Web Admin portal:
1. Choose Administration >> System >> Logging >> Logging Categories.
2. Verify that "AAA Audit", "Failed Attempts", and "Posture and Client Provisioning Audit" have LogCollector set as a target at a minimum.

If the Posture and Client Provisioning Audit logging category is not configured to send to the LogCollector and/or another logging target, this is a finding.

Fix: F-45816r803538_fix

If required by the NAC SSP, configure an alarm to be generated and sent when an endpoint has a change in posture status. From the Web Admin portal:
1. Choose Administration >> System >> Logging >> Logging Categories.
2. Configure the "AAA Audit", "Failed Attempts", and "Posture and Client Provisioning Audit" categories so that the Targets field has LogCollector selected at a minimum. If the environment has an additional syslog server, it can be selected here as well.
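Selecting a logging target only gets the records off the box; something on the receiving side still has to turn a posture failure or failed attempt into an alert for the ISSM and SA. The following Python is an added example, not Cisco code or STIG text, of that receiving-side logic. It relies on the shape of ISE syslog records (category name such as CISE_Failed_Attempts or CISE_Posture_and_Client_Provisioning_Audit, then a message serial, segment count and segment index, then timestamp and comma-separated key=value attributes) and reassembles records that ISE split across several syslog segments. The sample lines are constructed to that shape; the message text, codes and attribute values are illustrative and should be checked against your own collector before the rules are trusted.

```python
"""Reassemble and triage Cisco ISE syslog records for posture/authentication alerts.

Added example, not Cisco code. ISE record layout assumed here:
  [<PRI>][syslog header] <CISE_category> <serial> <total-segments> <segment-index> <body...>
Long records are split into segments sharing one serial; attributes are "Key=Value, ..." pairs.
"""
import re
from collections import defaultdict

HEADER = re.compile(
    r"^(?:<\d+>)?(?:\S+\s+\d+\s+[\d:]+\s+\S+\s+)?"      # optional PRI and syslog header
    r"(?P<category>CISE_\w+)\s+(?P<serial>\d+)\s+(?P<total>\d+)\s+(?P<index>\d+)\s+"
    r"(?P<body>.*)$"
)
KV = re.compile(r"([\w-]+)=([^,]*)")                   # keys like Calling-Station-ID contain '-'

ALERT_CATEGORIES = {"CISE_Failed_Attempts", "CISE_Posture_and_Client_Provisioning_Audit"}
ALERT_POSTURE = {"NonCompliant", "Unknown"}            # compliant results are not alertable
RECIPIENTS = ("ISSM", "SA")                            # CSCO-NC-000100 minimum recipients

# Constructed sample input (not real ISE output); record 101 is split in two segments.
SAMPLE = [
    "<181>Dec 18 10:15:20 ise-psn1 CISE_Posture_and_Client_Provisioning_Audit 0000000101 2 0 "
    "2023-12-18 10:15:20.101 +00:00 0000000101 NOTICE Posture: Posture status changed, "
    "UserName=jdoe, Calling-Station-ID=00:11:22:33:44:55,",
    "<181>Dec 18 10:15:20 ise-psn1 CISE_Posture_and_Client_Provisioning_Audit 0000000101 2 1 "
    "PostureStatus=NonCompliant, PostureAssessmentStatus=Failed, NetworkDeviceName=sw-edge-01",
    "<181>Dec 18 10:16:02 ise-psn1 CISE_Posture_and_Client_Provisioning_Audit 0000000102 1 0 "
    "2023-12-18 10:16:02.004 +00:00 0000000102 NOTICE Posture: Posture status changed, "
    "UserName=asmith, Calling-Station-ID=66:77:88:99:AA:BB, PostureStatus=Compliant",
    "<181>Dec 18 10:16:40 ise-psn1 CISE_Failed_Attempts 0000000103 1 0 "
    "2023-12-18 10:16:40.500 +00:00 0000000103 NOTICE Failed-Attempt: Authentication failed, "
    "UserName=unknown, Calling-Station-ID=AA:BB:CC:DD:EE:FF, FailureReason=22056 Subject not found",
    "<181>Dec 18 10:17:00 ise-psn1 CISE_Passed_Authentications 0000000104 1 0 "
    "2023-12-18 10:17:00.000 +00:00 0000000104 NOTICE Passed-Authentication: Authentication succeeded, "
    "UserName=jdoe",
]


def reassemble(lines):
    """Group segments by serial and return complete records as (category, {attr: value})."""
    segments = defaultdict(dict)
    meta = {}
    for line in lines:
        m = HEADER.match(line.strip())
        if not m:
            continue                                   # not an ISE record; ignore
        segments[m["serial"]][int(m["index"])] = m["body"]
        meta[m["serial"]] = (m["category"], int(m["total"]))
    records = []
    for serial, (category, total) in meta.items():
        if len(segments[serial]) != total:
            continue                                   # still waiting for segments; do not emit half a record
        body = " ".join(segments[serial][i] for i in range(total))
        attrs = {k: v.strip() for k, v in KV.findall(body)}
        records.append((category, attrs))
    return records


def triage(records):
    """Return one alert per failed attempt or non-compliant/unknown posture result."""
    alerts = []
    for category, attrs in records:
        if category not in ALERT_CATEGORIES:
            continue
        status = attrs.get("PostureStatus")
        if category == "CISE_Posture_and_Client_Provisioning_Audit" and status not in ALERT_POSTURE:
            continue
        alerts.append({
            "category": category,
            "user": attrs.get("UserName", "?"),
            "endpoint": attrs.get("Calling-Station-ID", "?"),
            "nad": attrs.get("NetworkDeviceName", "?"),
            "status": status,
            "reason": attrs.get("FailureReason"),
            "notify": RECIPIENTS,
        })
    return alerts


if __name__ == "__main__":
    for alert in triage(reassemble(SAMPLE)):
        print(alert)
```

Reassembly matters more than it looks: the attribute that decides whether to alert (PostureStatus above) is often in a later segment, so a rule that inspects segments one at a time either misses the event or fires on a fragment with no context.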

When endpoints fail the policy assessment, the Cisco ISE must create a record with sufficient detail suitable for forwarding to a remediation server for automated remediation or sending to the user for manual remediation. This is required for compliance with C2C Step 3.
AC-3 - Medium - CCI-000213 - V-242585 - SV-242585r812752_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
CSCO-NC-000110
Vuln IDs
  • V-242585
Rule IDs
  • SV-242585r812752_rule
Failing the NAC assessment means that an unauthorized machine has attempted to access the secure network. Without generating log records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one.
Checks: C-45860r812751_chk

If DoD is not at C2C Step 3 or higher, this is not a finding. If not required by the NAC SSP, this is not a finding.

Verify that each requirement used has a message to display.
1. Navigate to Work Centers >> Posture >> Posture Policy.
2. Make a note of each "Requirement" tied to an enabled Posture Policy.
3. Navigate to Work Centers >> Posture >> Policy Elements >> Requirements.
4. Verify that each requirement noted has a message in the "Message Shown to Agent User" box.

If a requirement that is used does not have a message, this is a finding.

Fix: F-45817r803541_fix

If required by the NAC SSP, configure a message to be shown prior to remediation.
1. Navigate to Work Centers >> Posture >> Policy Elements >> Requirements.
2. On each requirement, under "Remediation Actions", define a message in "Message Shown to Agent User".
3. Choose "Done".
4. Choose "Save".

The Cisco ISE must place client machines on the blacklist and terminate the agent connection when critical security issues are found that put the network at risk. This is required for compliance with C2C Step 4.
AC-3 - Medium - CCI-000213 - V-242586 - SV-242586r812754_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
CSCO-NC-000120
Vuln IDs
  • V-242586
Rule IDs
  • SV-242586r812754_rule
Since the Cisco ISE devices and servers should have no legitimate reason for communicating with other devices outside of the assessment solution, any direct communication with unrelated hosts would be suspect traffic.
Checks: C-45861r812753_chk

If DoD is not at C2C Step 4 or higher, this is not a finding. If not required by the NAC SSP, this is not a finding.

Verify that blacklisted devices will be denied access or quarantined.
1. Navigate to Work Centers >> Network Access >> Policy Sets.
2. Choose ">" on the applicable policy set.
3. Expand "Authorization Policy – Global Exceptions".
4. Verify that a rule with the condition "Session-ANCPolicy EQUALS <Configured ANC Policy>" or "IdentityGroup-Name EQUALS Endpoint Identity Groups:Blacklist" is present with a result that will deny access to or quarantine the endpoint.

If the enforcement is done in the Authorization Policy rather than the Global Exceptions, each policy set must contain a policy for blacklisted endpoints.

If there is no authorization policy for blacklisted endpoints, this is a finding. If the authorization policy does not restrict or deny the access of blacklisted endpoints, this is a finding.

Fix: F-45818r803544_fix

If required by the NAC SSP, configure an Adaptive Network Control (ANC) policy to deny blacklisted devices access, or create an authorization policy for the Blacklist endpoint identity group.

Using an ANC policy:
1. Navigate to Operations >> Adaptive Network Control >> Policy List.
2. Choose "Add".
3. Give the policy a name.
4. Select the desired ANC Action (QUARANTINE or RE_AUTHENTICATE are the recommended actions for this).
5. Choose "Submit".
6. Configure the authorization policy to enforce the ANC policy, as follows.
7. Navigate to Work Centers >> Network Access >> Policy Sets.
8. Choose ">" on any policy set.
9. Expand "Authorization Policy – Global Exceptions".
10. Click the Actions gear at the location where the new authorization policy will be inserted. (If there is no existing policy, click the "+" icon and skip the next step.)
11. Choose "Insert new row above".
12. Click the name of the policy and define a descriptive name.
13. Either click the "+" icon or click the existing Conditions to open the Conditions Studio.
14. Choose "New" under the editor.
15. Choose "Click to add an attribute".
16. Under Dictionary, select "Session" in the drop-down.
17. Under Attribute, select "ANCPolicy".
18. Ensure "Equals" is selected as the operator.
19. Select the desired ANC Policy in the drop-down menu.
20. Choose "Use".
21. Name the rule accordingly.
22. Select the desired result.
23. Choose "Save".

Using the Blacklist Endpoint Identity Group:
1. Navigate to Work Centers >> Network Access >> Policy Sets.
2. Choose ">" on any policy set.
3. Expand "Authorization Policy – Global Exceptions".
4. Click the Actions gear at the location where the new authorization policy will be inserted. (If there is no existing policy, click the "+" icon and skip the next step.)
5. Choose "Insert new row above".
6. Click the name of the policy and define a descriptive name.
7. Either click the "+" icon or click the existing Conditions to open the Conditions Studio.
8. Choose "New" under the editor.
9. Choose "Click to add an attribute".
10. Under Dictionary, select "IdentityGroup" in the drop-down menu.
11. Under Attribute, select "Name".
12. Ensure "Equals" is selected as the operator.
13. Select "Endpoint Identity Groups:Blacklist" in the drop-down menu.
14. Choose "Use".
15. Name the rule accordingly.
16. Select the desired result.
17. Choose "Save".

Note: If the Blacklist identity group is used instead of an ANC policy, a Change of Authorization (CoA) will need to be triggered so that an endpoint that is already connected is re-authorized under the new rule.

The Cisco ISE must be configured so client machines do not communicate with other network devices in the DMZ or subnet except as needed to perform an access client assessment or to identify themselves. This is required for compliance with C2C Step 2.
AC-3 - Medium - CCI-000213 - V-242587 - SV-242587r812756_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
CSCO-NC-000130
Vuln IDs
  • V-242587
Rule IDs
  • SV-242587r812756_rule
Devices not compliant with DoD secure configuration policies are vulnerable to attack. Allowing these systems to connect presents a danger to the enclave. This requirement gives the option to configure automated remediation and/or manual remediation. A detailed record must be passed to the remediation server for action; alternatively, the details can be passed in a notice to the user for action. The device status will be updated on the network access server/authentication server so that further access attempts are denied. The Cisco ISE should have policy assessment mechanisms with granular control to distinguish between access restrictions based on the criticality of the software or setting failure. Configure reminders to be sent to the user and the SA periodically or, at a minimum, each time a policy assessment is performed. This can be done via the Cisco ISE or any notification system. The failure must also be used to update the HBSS agent.
Checks: C-45862r812755_chk

If DoD is not at C2C Step 2 or higher, this is not a finding. If not required by the NAC SSP, this is not a finding.

Verify the authorization policy will prevent intra-remediation VLAN communication.
1. Navigate to Policy >> Policy Elements >> Results.
2. Choose ">" on the applicable policy set.
3. Expand the Authorization Policy.
4. Verify that a rule with the condition "Session-PostureStatus EQUALS NonCompliant" or an authorization policy for remediation is present, making a note of the authorization profile.
5. Navigate to Policy >> Policy Elements >> Results >> Authorization >> Authorization Profiles >> Authorization profile noted above.
6. Ensure the result that is used restricts lateral traffic within that VLAN by a private VLAN, dACL, ACL, SGT, or any combination of these.
7. If a private VLAN is used, review the switch configuration to confirm it is a private VLAN.

If there is not an authorization policy for NonCompliant clients or remediation, this is a finding. If the authorization policy does not prevent intra-remediation VLAN communication, this is a finding.

Fix: F-45819r803547_fix

If required by the NAC SSP, configure the remediation authorization policy to prevent intra-remediation VLAN communication.
1. Navigate to Work Centers >> Network Access >> Policy Sets.
2. Choose ">" on the applicable policy set.
3. Expand the Authorization Policy.
4. Locate the authorization policy with the "Session-PostureStatus EQUALS NonCompliant" condition or the authorization policy for remediation access.
5. Configure the result to block intra-VLAN communication (Private VLAN, dACL, ACL, or SGT).
6. Choose "Save".

The Cisco ISE must deny or restrict access for endpoints that fail required posture checks. This is required for compliance with C2C Step 4.
AC-3 - Medium - CCI-002179 - V-242588 - SV-242588r855852_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-002179
Version
CSCO-NC-000140
Vuln IDs
  • V-242588
Rule IDs
  • SV-242588r855852_rule
Devices that do not meet minimum security configuration requirements pose a risk to the DoD network and information assets. Endpoint devices must be disconnected or given limited access, as designated by the approval authority and system owner, if the device fails the authentication or security assessment. The user will be presented with a limited portal that does not include access options for sensitive resources. Required security checks must implement DoD policy requirements.
Checks: C-45863r812757_chk

If DoD is not at C2C Step 4 or higher, this is not a finding. If not required by the NAC SSP, this is not a finding.

Verify that the Policy Set will enforce the posture assessment.
1. Navigate to Work Centers >> Network Access >> Policy Sets.
2. Choose ">" on the applicable policy set.
3. Expand the Authorization Policy.
4. Verify that the PostureStatus attribute with a value of NonCompliant is configured in the policy.
5. Make a note of the result/results on the NonCompliant policy.
6. Navigate to Policy >> Policy Elements >> Results >> Authorization.
7. Expand Authorization.
8. Choose Authorization Profiles.
9. View the Standard Authorization Profile/Profiles noted above to ensure that a remediation VLAN, Access Control List, Scalable Group Tag, or any combination of these is used to restrict access.

If there is not a "NonCompliant" authorization rule or the result is not restrictive, this is a finding.

Fix: F-45820r803550_fix

If required by the NAC SSP, configure the Policy Set to enforce the posture assessment.
1. Navigate to Work Centers >> Network Access >> Policy Sets.
2. Choose ">" on the applicable policy set.
3. Expand the Authorization Policy.
4. Click the Actions gear below the location where the new Authorization Policy will be inserted.
5. Choose "Insert new row above" or, if there is an Authorization Policy made for the device type that posture will be applied to, choose "Duplicate above".
6. Click on the name of the policy and define a desirable name.
7. Either click on the "+" icon or click on the existing Conditions to open the Conditions Studio.
8. Choose "New" under the editor.
9. Choose "Click to add an attribute".
10. Under Dictionary, select Session in the drop-down.
11. Under Attribute, select PostureStatus.
12. Ensure "Equals" is selected as the operator.
13. Select Compliant in the drop-down.
14. Choose "New".
15. Add a condition to flag the device type that should be postured.
16. Choose "Use".
17. Name the rule accordingly.
18. Select the desired result.
19. Click the Actions gear on the Authorization Policy just created.
20. Select "Duplicate below" in the drop-down menu.
21. Click on the conditions of the copy.
22. Change the PostureStatus value from "Compliant" to "NonCompliant".
23. Choose "Use".
24. Name the rule accordingly.
25. Select a result that is used for remediation access, which should be a result configured for a remediation VLAN, Access Control List, Scalable Group Tag, or any combination of these used to restrict access.
26. Choose "Save".
Note: There are several ways this can be configured to meet the requirement. This is just an example. The main thing is to have a "Compliant" and a "NonCompliant" rule using the PostureStatus conditions.

The Cisco ISE must generate a log record when an endpoint fails authentication. This is required for compliance with C2C Step 1.
AU-12 - Medium - CCI-000172 - V-242589 - SV-242589r812760_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
CSCO-NC-000150
Vuln IDs
  • V-242589
Rule IDs
  • SV-242589r812760_rule
Failing the Cisco ISE assessment means that an unauthorized machine has attempted to access the secure network. Without generating log records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Checks: C-45864r812759_chk

If DoD is not at C2C Step 1 or higher, this is not a finding. If not required by the NAC SSP, this is not a finding.

Verify that a log will be generated and sent when an endpoint has a change in posture status. From the Web Admin portal:
1. Choose Administration >> System >> Logging >> Logging Categories.
2. Verify that the "Failed Attempts" category has LogCollector set as a target at a minimum.

If the Failed Attempts logging category is not configured to send to the LogCollector and/or another logging target, this is a finding.

Fix: F-45821r803553_fix

If required by the NAC SSP, configure a log to be generated and sent when an endpoint has a change in posture status. From the Web Admin portal:
1. Choose Administration >> System >> Logging >> Logging Categories.
2. Configure the "Failed Attempts" category so that the Targets field has LogCollector selected at a minimum. This is the default setting. If the environment has an additional SYSLOG server, it can be selected here as well.

The Cisco ISE must generate a log record when the client machine fails posture assessment because required security software is missing or has been deleted. This is required for compliance with C2C Step 1.
AU-12 - Medium - CCI-000172 - V-242590 - SV-242590r812762_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
CSCO-NC-000160
Vuln IDs
  • V-242590
Rule IDs
  • SV-242590r812762_rule
Failing the Cisco ISE assessment means an unauthorized machine has attempted to access the secure network. Without generating log records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. Log records can be generated from various components within the information system (e.g., module or policy filter).
Checks: C-45865r812761_chk

If DoD is not at C2C Step 1 or higher, this is not a finding. If not required by the NAC SSP, this is not a finding.

Verify that a log will be generated and sent when an endpoint has a change in posture status. From the Web Admin portal:
1. Choose Administration >> System >> Logging >> Logging Categories.
2. Verify that the "Posture and Client Provisioning Audit" category has LogCollector set as a target at a minimum.

If the Posture and Client Provisioning Audit logging category is not configured to send to the LogCollector and/or another logging target, this is a finding.

Fix: F-45822r803556_fix

If required by the NAC SSP, configure a log to be generated and sent when an endpoint has a change in posture status. From the Web Admin portal:
1. Choose Administration >> System >> Logging >> Logging Categories.
2. Configure the "Posture and Client Provisioning Audit" category so that the Targets field has LogCollector selected at a minimum. This is the default setting. If the environment has an additional SYSLOG server, it can be selected here as well.

The Cisco ISE must send an alert to the system administrator, at a minimum, when endpoints fail the policy assessment checks for organization-defined infractions. This is required for compliance with C2C Step 3.
AU-12 - Medium - CCI-000172 - V-242591 - SV-242591r812764_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
CSCO-NC-000170
Vuln IDs
  • V-242591
Rule IDs
  • SV-242591r812764_rule
Failing the Cisco ISE assessment means that an unauthorized machine has attempted to access the secure network. Without generating log records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. Log records can be generated from various components within the information system (e.g., module or policy filter).
Checks: C-45866r812763_chk

If DoD is not at C2C Step 3 or higher, this is not a finding. If not required by the NAC SSP, this is not a finding.

Verify that an alarm will be generated and sent when an endpoint has a change in posture status. From the Web Admin portal:
1. Choose Administration >> System >> Logging >> Logging Categories.
2. Verify that the "Posture and Client Provisioning Audit" category has LogCollector set as a target at a minimum.

If the Posture and Client Provisioning Audit logging category is not configured to send to the LogCollector and/or another logging target, this is a finding.

Fix: F-45823r803559_fix

If required by the NAC SSP, configure an alarm to be generated and sent when an endpoint has a change in posture status. From the Web Admin portal:
1. Choose Administration >> System >> Logging >> Logging Categories.
2. Configure the "Posture and Client Provisioning Audit" category so that the Targets field has LogCollector selected at a minimum. This is the default setting. If the environment has an additional SYSLOG server, it can be selected here as well.

The Cisco ISE must be configured to log records onto a centralized events server. This is required for compliance with C2C Step 1.
AU-3 - Medium - CCI-001844 - V-242592 - SV-242592r855853_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-001844
Version
CSCO-NC-000180
Vuln IDs
  • V-242592
Rule IDs
  • SV-242592r855853_rule
Without the ability to centrally manage the content captured in the log records, identification, troubleshooting, and correlation of suspicious behavior would be difficult and could lead to a delayed or incomplete analysis of an ongoing attack. The DoD requires centralized management of all network component audit record content. Since audit failure detection is required, a connection-oriented protocol must be configured for communication with the centralized events server. This requirement does not apply to audit logs generated on behalf of the device itself (management).
Checks: C-45867r812765_chk

If DoD is not at C2C Step 1 or higher, this is not a finding.

To view remote logging targets, complete the following steps:
1. From the ISE Administration Interface, choose Administration >> System >> Logging >> Remote Logging Targets.
2. The Remote Logging Targets page appears with a list of existing logging targets.

If a remote logging target is not configured, this is a finding.

Fix: F-45824r714085_fix

Create a Remote Logging Target and direct logging to that target.

To create an external logging target, complete the following steps:
1. Choose Administration >> System >> Logging >> Remote Logging Targets.
2. Click "Add".
3. Configure the following fields:
- Name - Enter the name of the new target.
- Target Type - By default it is set to Syslog. The value of this field cannot be changed.
- Description - Enter a brief description of the new target.
- IP Address - Enter the IP address of the destination machine where you want to store the logs.
- Port - Enter the port number of the destination machine.
- Facility Code - Choose the syslog facility code to be used for logging. Valid options are Local0 through Local7.
- Maximum Length - Enter the maximum length of the remote log target messages. Valid options are from 200 to 1024 bytes.
4. Click "Save". Go to the Logging Targets page and verify the creation of the new target.

To edit a remote logging target, complete the following steps:
1. Choose Administration >> System >> Logging >> Remote Logging Targets.
2. Click the radio button next to the logging target name that you want to edit and click "Edit".
3. Modify the following field values on the Log Collection page as needed:
- Name
- Target Type
- Description
- IP Address
- Port
- Facility Code
- Maximum Length
4. Click "Save". The update of the selected Log Collector is complete.

The Cisco ISE must off-load log records onto a different system. This is required for compliance with C2C Step 1.
AU-4 - Medium - CCI-001851 - V-242593 - SV-242593r855854_rule
RMF Control
AU-4
Severity
Medium
CCI
CCI-001851
Version
CSCO-NC-000190
Vuln IDs
  • V-242593
Rule IDs
  • SV-242593r855854_rule
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. This does not apply to audit logs generated on behalf of the device itself (management).
Checks: C-45868r812767_chk

If DoD is not at C2C Step 1 or higher, this is not a finding.

Navigate to Administration >> System >> Backup and Restore. Ensure that operational data backups are scheduled.

If operational backups are not scheduled, this is a finding.

Fix: F-45825r714088_fix

From the Web Admin portal:
1. Navigate to Administration >> System >> Backup and Restore.
2. Select the "Schedule" option next to Operational Data Backup.
3. Configure operational data backup at a desired frequency.

The Cisco ISE must generate a critical alert to be sent to the ISSO and SA (at a minimum) in the event of an audit processing failure. This is required for compliance with C2C Step 1.
AU-5 - Medium - CCI-001858 - V-242594 - SV-242594r855855_rule
RMF Control
AU-5
Severity
Medium
CCI
CCI-001858
Version
CSCO-NC-000200
Vuln IDs
  • V-242594
Rule IDs
  • SV-242594r855855_rule
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without an alert, security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. Cisco ISE provides system alarms that notify the administrator when a critical system condition occurs. Alarms are displayed in the Alarm dashlet. Administrators can configure the dashlet to receive notification of alarms through e-mail and/or syslog messages.
Checks: C-45869r812769_chk

If DoD is not at C2C Step 1 or higher, this is not a finding.

Verify the Cisco ISE will notify one or more individuals when there is a Log Collection Error. From the Web Admin portal:
1. Choose Administration >> System >> Settings >> Alarm Settings.
2. Select "Log Collector Error" from the list of default alarms and click "Edit".
3. Verify that "Enable" is selected.
4. Select "Enter Multiple Emails Separated with Comma".
5. Verify one or more email addresses are configured.

If the "Log Collector Error" alarm type is not enabled or email addresses are not configured to receive the alert, this is a finding.

Fix: F-45826r714091_fix

Configure Cisco ISE to notify one or more individuals when there is a Log Collection Error. From the Web Admin portal:
1. Choose Administration >> System >> Settings >> Alarm Settings.
2. Select "Log Collector Error" from the list of default alarms and click "Edit".
3. Select "Enable".
4. Select "Enter Multiple Emails Separated with Comma".
5. Configure email addresses of individuals and organizational accounts to be notified.
6. Click "Submit".

The Cisco ISE must provide an alert to, at a minimum, the SA and ISSO of all audit failure events where the detection and/or prevention function is unable to write events to either local storage or the centralized server. This is required for compliance with C2C Step 1.
AU-5 - Medium - CCI-001858 - V-242595 - SV-242595r855856_rule
RMF Control
AU-5
Severity
Medium
CCI
CCI-001858
Version
CSCO-NC-000210
Vuln IDs
  • V-242595
Rule IDs
  • SV-242595r855856_rule
Without an alert, security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected. Alerts provide organizations with urgent messages. Alerts provide these messages immediately (i.e., the time from event detection to alert occurs in seconds or less). This does not apply to audit logs generated on behalf of the device itself (management).
Checks: C-45870r812771_chk

If DoD is not at C2C Step 1 or higher, this is not a finding.

Verify the Cisco ISE will notify one or more individuals when there is a Log Collection Error. From the Web Admin portal:
1. Choose Administration >> System >> Settings >> Alarm Settings.
2. Select "Log Collector Error" from the list of default alarms and click "Edit".
3. Verify that "Enable" is selected.
4. Select "Enter Multiple Emails Separated with Comma".
5. Verify one or more email addresses are configured.

If the "Log Collector Error" alarm type is not enabled or email addresses are not configured to receive the alert, this is a finding.

Fix: F-45827r714094_fix

Configure Cisco ISE to notify one or more individuals when there is a Log Collection Error. From the Web Admin portal:
1. Choose Administration >> System >> Settings >> Alarm Settings.
2. Select "Log Collector Error" from the list of default alarms and click "Edit".
3. Select "Enable".
4. Select "Enter Multiple Emails Separated with Comma".
5. Configure email addresses of individuals and organizational accounts to be notified.
6. Click "Submit".

The Cisco ISE must be configured with a secondary log server in case the primary log is unreachable. This is required for compliance with C2C Step 1.
AU-5 - Medium - CCI-001861 - V-242596 - SV-242596r855857_rule
RMF Control
AU-5
Severity
Medium
CCI
CCI-001861
Version
CSCO-NC-000220
Vuln IDs
  • V-242596
Rule IDs
  • SV-242596r855857_rule
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.
Checks: C-45871r812773_chk

If DoD is not at C2C Step 1 or higher, this is not a finding.

Review the configured Remote Logging Targets to ensure there are, at a minimum, two configured. From the Web Admin portal:
1. Choose Administration >> System >> Logging >> Logging Targets.
2. Verify that "LogCollector" and "LogCollector2", or an additional target, are defined and enabled.

If there are not two separate logging targets defined, this is a finding.
Note: "ProfilerRadiusProbe" or any other target with a "127.0.0.1" address does not count as a "Remote" Logging Target.

Fix: F-45828r714097_fix

Configure Remote Logging Targets. From the Web Admin portal:
1. Choose Administration >> System >> Logging >> Logging Targets.
2. Select "Secure Syslog" or "TCP Syslog" in the Target Type drop-down.
3. Configure a desired name.
4. Configure the Host/IP address.
5. Check the box for "Buffer Messages When Server Down".
6. If "Secure Syslog" is used, select a CA certificate to define which system certificate is used to secure this connection.
7. Choose "Submit".
Note: "LogCollector" and "LogCollector2" represent the monitoring (MnT) nodes defined in the deployment. If there is a primary and a secondary MnT node, nothing more is needed.
Note: "ProfilerRadiusProbe" or any other target with a "127.0.0.1" address does not count as a "Remote" Logging Target.

The Cisco ISE must generate a critical alert to be sent to the ISSO and SA (at a minimum) if it is unable to communicate with the central event log. This is required for compliance with C2C Step 1.
AU-5 - Medium - CCI-000139 - V-242597 - SV-242597r812776_rule
RMF Control
AU-5
Severity
Medium
CCI
CCI-000139
Version
CSCO-NC-000230
Vuln IDs
  • V-242597
Rule IDs
  • SV-242597r812776_rule
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. This requirement applies to each audit data storage repository (i.e., distinct information system component where log records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.
Checks: C-45872r812775_chk

If DoD is not at C2C Step 1 or higher, this is not a finding.

Verify that a log will be generated and sent when a Logging Target becomes unavailable. From the Web Admin portal:
1. Choose Administration >> System >> Logging >> Logging Categories.
2. Verify that Internal Operations Diagnostics has "LogCollector" and "LogCollector2" set.

If there are a minimum of two logging targets selected for Internal Operations Diagnostics, this is not a finding.

Fix: F-45829r714100_fix

Configure a log to be generated and sent when a Logging Target becomes unavailable. From the Web Admin portal:
1. Choose Administration >> System >> Logging >> Logging Categories.
2. Configure the "Internal Operations Diagnostics" category Targets field to have "LogCollector" and "LogCollector2". If the environment has an additional SYSLOG server, it can be selected here as well.
Note: "LogCollector" and "LogCollector2" are not configured for this category by default. These logs will be viewable at Operations >> Reports >> Reports >> Diagnostics >> System Diagnostic.

The Cisco ISE must continue to queue traffic log records locally when communication with the central log server is lost and there is an audit archival failure. This is required for compliance with C2C Step 1.
AU-5 - Medium - CCI-000140 - V-242598 - SV-242598r812778_rule
RMF Control
AU-5
Severity
Medium
CCI
CCI-000140
Version
CSCO-NC-000240
Vuln IDs
  • V-242598
Rule IDs
  • SV-242598r812778_rule
It is critical that when the network element is at risk of failing to process traffic logs as required, it takes action to mitigate the failure. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. Responses to audit failure depend on the nature of the failure mode. In accordance with DoD policy, the traffic log must be sent to a central audit server. When logging functions are lost, system processing cannot be shut down because NAC availability is an overriding concern given the role of the firewall in the enterprise. The system should either be configured to log events to an alternative server or queue log records locally. Upon restoration of the connection to the central log server, action should be taken to synchronize the local log data with the central audit server. If the central audit server uses User Datagram Protocol (UDP) communications instead of a connection-oriented protocol such as TCP, a method for detecting a lost connection must be implemented.
Checks: C-45873r812777_chk

If DoD is not at C2C Step 1 or higher, this is not a finding.

Verify that logging targets are configured to buffer syslog messages when the server is down. From the Web Admin portal:
1. Choose Administration >> System >> Logging >> Remote Logging Targets.
2. Select the remote targets and verify that the "Buffer Messages When Server Down" box is checked.
Note: If "LogCollector" and "LogCollector2" are configured for UDP and the ISE Messaging Service is configured, this is not a finding.

Verify that the ISE Messaging Service is enabled. From the Web Admin portal:
1. Choose Administration >> System >> Logging >> Log Settings.
2. Verify that the "Use ISE Messaging Service for UDP Syslogs delivery to MnT" box is checked.

If messages are not buffered for remote syslog servers, this is a finding.

Fix: F-45830r714103_fix

Configure the logging targets to buffer syslog messages when the server is down. Navigate to Administration >> System >> Logging >> Remote Logging Targets.
1. Select "Secure Syslog" or "TCP Syslog" in the Target Type drop-down menu.
2. Configure a desired name.
3. Configure the Host/IP address.
4. Check the box for "Buffer Messages When Server Down".
5. If "Secure Syslog" is used, select a CA certificate to define which system certificate is used to secure this connection.
6. Choose "Submit".

And/or, enable the ISE Messaging Service. From the Web Admin portal:
1. Choose Administration >> System >> Logging >> Log Settings.
2. Check "Use ISE Messaging Service for UDP Syslogs delivery to MnT".
3. Choose "Save".
Note: The ISE Messaging Service will encrypt and buffer messages destined for the Monitoring (MnT) nodes. The logging targets "LogCollector" and "LogCollector2" are the primary and secondary MnT nodes, respectively.
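The behaviour that the "Buffer Messages When Server Down" option and the connection-oriented (TCP) target type provide is illustrated below with an added example. This is not Cisco ISE code and not part of the STIG: it is a small Python TCP syslog client that detects a lost connection (a connect or send error, which UDP would never report), queues RFC 5424 lines in a bounded local buffer while the collector is down, and replays them in order once the connection is restored. The collector, the events, the hostname "ise-psn-1", the app name "ise-demo" and the MAC addresses are all constructed for the demonstration; facility 16 is syslog "Local0", one of the Local0 through Local7 codes the Remote Logging Target form offers.

```python
import socket
import threading
from collections import deque
from datetime import datetime, timezone

LOCAL0 = 16  # syslog facility "Local0" (Local0..Local7 are codes 16..23)


def format_syslog(facility, severity, hostname, appname, msg):
    """Build an RFC 5424 line: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG."""
    pri = facility * 8 + severity
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"<{pri}>1 {ts} {hostname} {appname} - - - {msg}\n"


class BufferedSyslogSender:
    """TCP syslog client: queues lines locally while the collector is down and
    replays them oldest-first once a connection can be established again."""

    def __init__(self, host, port, max_queue=10000, timeout=1.0):
        self.host, self.port, self.timeout = host, port, timeout
        self.queue = deque(maxlen=max_queue)  # bounded: oldest entry evicted when full
        self.sock = None
        self.sent = self.dropped = 0

    def _connect(self):
        if self.sock is not None:
            return True
        try:
            self.sock = socket.create_connection((self.host, self.port), timeout=self.timeout)
            return True
        except OSError:  # refused, unreachable or timed out: collector is down
            return False

    def send(self, line):
        """Queue the line, then try to deliver the whole backlog."""
        if len(self.queue) == self.queue.maxlen:
            self.dropped += 1  # deque evicts silently; keep a count for the SA
        self.queue.append(line)
        return self.flush()

    def flush(self):
        """Replay queued lines in order; stop at the first failure so order is kept."""
        if not self._connect():
            return False
        while self.queue:
            try:
                self.sock.sendall(self.queue[0].encode())
            except OSError:
                self.close()  # connection lost mid-replay: line stays queued
                return False
            self.queue.popleft()
            self.sent += 1
        return True

    def close(self):
        if self.sock is not None:
            self.sock.close()
            self.sock = None


class CaptureServer(threading.Thread):
    """Constructed stand-in for the central log server: accepts one connection
    and collects `expected` newline-terminated lines."""

    def __init__(self, port, expected):
        super().__init__(daemon=True)
        self.expected, self.lines = expected, []
        self.listener = socket.socket()
        self.listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.listener.bind(("127.0.0.1", port))
        self.listener.listen(1)
        self.listener.settimeout(5)

    def run(self):
        buf = b""
        try:
            conn, _ = self.listener.accept()
            conn.settimeout(5)
            with conn:
                while buf.count(b"\n") < self.expected:
                    chunk = conn.recv(4096)
                    if not chunk:
                        break
                    buf += chunk
        except OSError:
            pass
        finally:
            self.listener.close()
        self.lines = buf.decode().splitlines()


def demo():
    """Outage scenario: collector down -> events queued; collector back -> queue replayed."""
    with socket.socket() as probe:  # pick a free loopback port that nothing listens on yet
        probe.bind(("127.0.0.1", 0))
        port = probe.getsockname()[1]
    events = [  # constructed sample events, not real ISE syslog output
        "endpoint aa:bb:cc:dd:ee:01 failed 802.1X authentication",
        "endpoint aa:bb:cc:dd:ee:01 PostureStatus=NonCompliant",
        "endpoint aa:bb:cc:dd:ee:01 PostureStatus=Compliant",
    ]
    sender = BufferedSyslogSender("127.0.0.1", port)
    # Phase 1: nothing listens on the port, so each send fails and the line stays queued.
    down = [sender.send(format_syslog(LOCAL0, 4, "ise-psn-1", "ise-demo", e)) for e in events]
    queued = len(sender.queue)
    # Phase 2: the collector comes back; flush() replays the backlog in order.
    server = CaptureServer(port, len(events))
    server.start()
    restored = sender.flush()
    server.join(timeout=5)
    sender.close()
    return {
        "send_results_while_down": down,
        "queued_while_down": queued,
        "restored": restored,
        "left_in_queue": len(sender.queue),
        "received": len(server.lines),
        "order_preserved": [l.split(" - - - ", 1)[1] for l in server.lines] == events,
    }


if __name__ == "__main__":
    print(demo())
```

Two design points carry over to the ISE settings above: loss is only detectable because the transport is connection-oriented (with a UDP target the sends would "succeed" and the records would be gone, which is why the STIG requires either TCP/Secure Syslog or the ISE Messaging Service in front of UDP targets), and the local buffer is bounded, so the dropped counter is the figure that would feed an audit-failure alarm.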

The Cisco ISE must perform continuous detection and tracking of endpoint devices attached to the network. This is required for compliance with C2C Step 1.
CM-6 - Medium - CCI-000366 - V-242599 - SV-242599r812780_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
CSCO-NC-000250
Vuln IDs
  • V-242599
Rule IDs
  • SV-242599r812780_rule
Continuous scanning capabilities on the Cisco ISE provide visibility of devices that are connected to the switch ports. The Cisco ISE continuously scans networks and monitors the activity of managed and unmanaged devices, which can be personally owned or rogue endpoints. Because many of today's small devices do not include agents, agentless discovery is often used in combination with agent-based methods to cover more types of equipment.
Checks: C-45874r812779_chk

If DoD is not at C2C Step 1 or higher, this is not a finding. If not required by the NAC SSP, this is not a finding.

Review the posture settings to ensure Continuous Monitoring Interval is enabled and a value is configured. From the Web Admin portal:
1. Choose Work Centers >> Posture >> Settings >> Posture General Settings.
2. Verify that "Continuous Monitoring Interval" is enabled and an interval is configured.

If "Continuous Monitoring Interval" is not enabled with an interval defined, this is a finding.

Fix: F-45831r803562_fix

If required by the NAC SSP, configure the posture settings to enable Continuous Monitoring Interval. From the Web Admin portal:
1. Choose Work Centers >> Posture >> Settings >> Posture General Settings.
2. Check "Continuous Monitoring Interval" and define an interval to enable continuous monitoring.
3. Choose "Save".

The Cisco ISE must deny network connection for endpoints that cannot be authenticated using an approved method. This is required for compliance with C2C Step 4.
IA-3 - Medium - CCI-000778 - V-242600 - SV-242600r812782_rule
RMF Control
IA-3
Severity
Medium
CCI
CCI-000778
Version
CSCO-NC-000260
Vuln IDs
  • V-242600
Rule IDs
  • SV-242600r812782_rule
Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Identification failure does not need to result in connection termination or preclude compliance assessment. This is particularly true for unmanaged systems or when the Cisco ISE is performing network discovery.
Checks: C-45875r812781_chk

If DoD is not at C2C Step 4 or higher, this is not a finding.

Verify that the authorization policies have either "deny-access" or restricted access on their default authorization policy set.
1. Navigate to Work Centers >> Network Access >> Policy Sets.
2. Choose ">" on the desired policy set.
3. Expand Authorization Policy.

If the default authorization policy within each policy set has "deny-access" or restricted access, this is not a finding.

Fix: F-45832r714109_fix

Configure each policy set so that authorization policies have either "deny-access" or restricted access on their default authorization policy set.
1. Navigate to Work Centers >> Network Access >> Policy Sets.
2. Choose ">" on the desired policy set.
3. Expand Authorization Policy.
4. On the default authorization rule, select "Deny-Access" or a result that is configured for a restricted VLAN, ACL, SGT, or any combination of these used to restrict access.

The Cisco ISE must authenticate all endpoint devices before establishing a connection and proceeding with posture assessment. This is required for compliance with C2C Step 4.
IA-3 - Medium - CCI-001958 - V-242601 - SV-242601r855858_rule
RMF Control
IA-3
Severity
Medium
CCI
CCI-001958
Version
CSCO-NC-000270
Vuln IDs
  • V-242601
Rule IDs
  • SV-242601r855858_rule
Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. However, failure to authenticate an endpoint does not need to result in connection termination or preclude compliance assessment. This is particularly true for unmanaged systems or when the Cisco ISE is performing network discovery. Authentication methods for NAC on access switches are MAC Authentication Bypass (MAB), or 802.1x.
Checks: C-45876r812783_chk

If DoD is not at C2C Step 4 or higher, this is not a finding. If not required by the NAC SSP, this is not a finding.

Verify that the authorization policies have either "deny-access" or restricted access on their default authorization policy set.
1. Navigate to Work Centers >> Network Access >> Policy Sets.
2. Choose ">" on the desired policy set.
3. Expand Authorization Policy.

If the default authorization policy within each policy set has "deny-access" or restricted access, this is not a finding.

Fix: F-45833r803565_fix

If required by the NAC SSP, configure each policy set so that authorization policies have either "deny-access" or restricted access on their default authorization policy set.
1. Navigate to Work Centers >> Network Access >> Policy Sets.
2. Choose ">" on the desired policy set.
3. Expand Authorization Policy.
4. On the default authorization rule, select "Deny-Access" or a result that is configured for a restricted VLAN, Access Control List, Scalable Group Tag, or any combination of these used to restrict access.

The Cisco ISE must be configured to dynamically apply restricted access of endpoints that are granted access using MAC Authentication Bypass (MAB). This is required for compliance with C2C Step 4.
IA-3 - Medium - CCI-001958 - V-242602 - SV-242602r855859_rule
RMF Control
IA-3
Severity
Medium
CCI
CCI-001958
Version
CSCO-NC-000280
Vuln IDs
  • V-242602
Rule IDs
  • SV-242602r855859_rule
MAB can be defeated by spoofing the MAC address of a valid device. MAB enables port-based access control using the MAC address of the endpoint. A MAB-enabled port can be dynamically enabled or disabled based on the MAC address of the device that connects to it. NPE devices that can support PKI or an allowed authentication type must use PKI. MAB may be used only for NPE that cannot support an approved device authentication method. Non-person entity (NPE) endpoints include IoT devices, VoIP phones, and printers.
Checks: C-45877r812785_chk

If DoD is not at C2C Step 4 or higher, this is not a finding.

Verify that the authorization policies for devices granted access via MAB apply restricted access.
1. Navigate to Work Centers >> Network Access >> Policy Sets.
2. Choose ">" on the applicable policy set.
3. Expand the Authorization Policy.
4. Make a note of the result/results on each authorization policy for MAB.
5. Navigate to Policy >> Policy Elements >> Results >> Authorization.
6. Expand "Authorization".
7. Choose "Authorization Profiles".
8. View the Standard Authorization Profile/Profiles noted above to ensure that a restricted VLAN, Access Control List, Scalable Group Tag, or any combination of these is used to restrict access.

If a VLAN is the only thing being applied to the session and the VLAN has an ACL on the layer 3 interface, this is not a finding.
If there is not a restriction on a MAB authorization policy, this is a finding.

Fix: F-45834r714115_fix

Configure the authorization policies for devices granted access via MAB to have restricted access.
1. Navigate to Work Centers >> Network Access >> Policy Sets.
2. Choose ">" on the applicable policy set.
3. Expand the "Authorization Policy".
4. Under results, add a restricted VLAN, Access Control List, Scalable Group Tag, or any combination of these that is used to restrict access.
5. Repeat this for each authorization policy that devices connecting via MAB will use.
6. Choose "Save".

Before establishing a connection with a Network Time Protocol (NTP) server, the Cisco ISE must authenticate using a bidirectional, cryptographically based authentication method that uses a FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to authenticate with the NTP server. This is required for compliance with C2C Step 1.
IA-3 - Medium - CCI-001967 - V-242603 - SV-242603r878130_rule
RMF Control
IA-3
Severity
Medium
CCI
CCI-001967
Version
CSCO-NC-000290
Vuln IDs
  • V-242603
Rule IDs
  • SV-242603r878130_rule
If the NTP server is not authenticated, an attacker can introduce a rogue NTP server. This rogue server can then be used to send incorrect time information to network devices, which will make log timestamps inaccurate and affect scheduled actions. NTP authentication is used to prevent this tampering by authenticating the time source. Currently, the AES block cipher algorithm is approved for use in DoD for both applying cryptographic protection (e.g., encryption) and removing or verifying the protection that was previously applied (e.g., decryption). NTP devices use MD5 authentication keys. The MD5 algorithm is not specified in either the FIPS or NIST recommendation. However, MD5 is preferred to no authentication at all. The trusted-key statement permits authenticating NTP servers. The product must be configured to support separate keys for each NTP server. Servers should have a PKI device certificate involved for use in the device authentication process.
Checks: C-45878r812787_chk

If DoD is not at C2C Step 1 or higher, this is not a finding.

Verify the NTP settings to ensure NTP is authenticated. From the CLI:
1. Type "show running-config | in ntp".
2. Verify that each defined NTP server has a key on the same line defining the server, and make a note of the key number.
3. Verify that each NTP key number used has been created.

If there is an NTP source without an NTP key defined and it is a domain controller, this is not a finding, as Windows Server does not support NTP keys.
If there are any other NTP sources that do not use a defined key, this is a finding.

Note: Each ISE node must be individually checked, as NTP settings are local to each appliance.
Note: There are NTP settings in the GUI; however, it is recommended to use the NTP settings solely in the CLI to prevent issues.

Fix: F-45835r714118_fix

Configure the NTP server to be authenticated. From the CLI:
1. Type "configure terminal".
2. Define an NTP authentication key: "ntp authentication-key <KEY Number> md5 plain <NTP KEY>".
3. Define an NTP server and associate it with the configured NTP key: "ntp server <IP> key <KEY Number>".
4. Type "exit" and press "Enter".
5. Type "write memory" and press "Enter".

If a domain controller is used for NTP, then a key cannot be used, as Windows servers do not support NTP keys.

Note: Each ISE node must be individually configured, as NTP settings are local to each appliance.
Note: There are NTP settings in the GUI; however, it is recommended to use the NTP settings solely in the CLI to prevent issues.
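As an added example that is not part of the STIG text, the following Python function audits "show running-config | in ntp" output against the check and fix above: every "ntp server" line must carry a key, that key must be defined by an "ntp authentication-key" line, and listed domain controllers are exempt as the check allows. The sample output, its addresses and the line formats are constructed assumptions, not captured from a real ISE node.

```python
"""Audit constructed Cisco ISE 'show running-config | in ntp' output for V-242603."""
import re

# Constructed sample output (assumed format); ISE stores key material hashed,
# so a placeholder stands in for the hash value here.
SAMPLE_NTP_CONFIG = """\
ntp server 10.1.1.10 key 1
ntp server 10.1.1.11 key 2
ntp server 10.1.1.12
ntp server 10.1.1.13 key 9
ntp authentication-key 1 md5 hash <HASH-PLACEHOLDER>
ntp authentication-key 2 md5 hash <HASH-PLACEHOLDER>
ntp trusted-key 1
ntp trusted-key 2
"""

# "ntp server <host>" with an optional trailing "key <n>"
SERVER_RE = re.compile(r"^ntp server (\S+)(?: key (\d+))?\s*$")
# "ntp authentication-key <n> md5 ..." defines key number <n>
KEY_RE = re.compile(r"^ntp authentication-key (\d+) md5 ")


def audit_ntp_config(config_text, domain_controllers=()):
    """Return a list of (server, reason) findings for the NTP key requirement.

    A server with no key is a finding unless it is a listed domain controller
    (the check exempts Windows DCs, which cannot use NTP keys). A server that
    references a key number never defined on the node is also a finding.
    """
    defined_keys = set()
    servers = []
    for raw in config_text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            defined_keys.add(key_match.group(1))
            continue
        server_match = SERVER_RE.match(line)
        if server_match:
            servers.append((server_match.group(1), server_match.group(2)))

    findings = []
    for host, key in servers:
        if key is None:
            if host not in domain_controllers:
                findings.append((host, "no NTP authentication key configured"))
        elif key not in defined_keys:
            findings.append((host, f"references undefined key {key}"))
    return findings
```

Run the function once per ISE node, since the check notes that NTP settings are local to each appliance.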

Before establishing a local, remote, and/or network connection with any endpoint device, the Cisco ISE must use a bidirectional authentication mechanism configured with a FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to authenticate with the endpoint device. This is required for compliance with C2C Step 1.
IA-3 - Medium - CCI-001967 - V-242604 - SV-242604r855861_rule
RMF Control
IA-3
Severity
Medium
CCI
CCI-001967
Version
CSCO-NC-000300
Vuln IDs
  • V-242604
Rule IDs
  • SV-242604r855861_rule
Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk. Currently, DoD requires the use of AES for bidirectional authentication since it is the only FIPS-validated AES cipher block algorithm. Because of the challenges of applying this requirement on a large scale, organizations are encouraged to apply the requirement only to those limited number (and type) of devices that truly need to support this capability.
Checks: C-45879r812789_chk

If DoD is not at C2C Step 1 or higher, this is not a finding.

From the Web Admin portal:
1. Navigate to Administration >> System >> Settings >> Security Settings.
2. Ensure "Allow TLS1.0", "Allow TLS1.1", and "Allow legacy unsafe TLS renegotiation for ISE as a client" are unchecked.

If TLS 1.0 or 1.1 is enabled, this is a finding.

Fix: F-45836r714121_fix

From the Web Admin portal:
1. Navigate to Administration >> System >> Settings >> Security Settings.
2. Ensure "Allow TLS1.0", "Allow TLS1.1", and "Allow legacy unsafe TLS renegotiation for ISE as a client" are unchecked.

The Cisco ISE must enforce posture status assessment for posture required clients defined in the NAC System Security Plan (SSP). This is required for compliance with C2C Step 3.
CM-6 - High - CCI-000366 - V-242605 - SV-242605r944370_rule
RMF Control
CM-6
Severity
High
CCI
CCI-000366
Version
CSCO-NC-000310
Vuln IDs
  • V-242605
Rule IDs
  • SV-242605r944370_rule
Posture assessments can reduce the risk that clients impose on networks by restricting or preventing access of noncompliant clients. If posture assessment is not enforced, the access of noncompliant clients is not restricted, leaving the risk that vulnerabilities are exposed. Though the configuration is out of scope, one of the ways to allow posturing with Cisco AnyConnect Secure Mobility Client is to enable HTTP redirect on the network switch so that AnyConnect can connect to ISE's Client Provisioning Portal (call home). Every effort must be taken to configure this function without the need to require the command 'ip http server' on the switch (see V-220534 in the Network Infrastructure STIG). If deemed operationally necessary, the site must obtain AO approval and document the variation from V-220534, the risk mitigations, and the mission need that makes the service necessary. If the service is operationally necessary to meet C2C compliance for posture assessment and a vendor-provided alternative is not available, then it is, by definition, a necessary service. Thus, V-220534 is not a finding, as it states that "If a particular capability is used, then it must be documented and approved."
Checks: C-45880r944369_chk

If DOD is not at C2C Step 3 or higher, this is not a finding.
If not required by the NAC SSP, this is not a finding.

Verify the authorization policy will enforce posture assessment status for posture required clients.
1. Navigate to Work Centers >> Network Access >> Policy Sets.
2. Choose ">" on the applicable policy set.
3. Expand the Authorization Policy.
4. Verify that a rule with the condition "Session-PostureStatus EQUALS NonCompliant" is present and will apply to posture required devices by analyzing the other conditions used on the same policy.
5. Ensure the result that is used for remediation access is a restricted VLAN, ACL, SGT, or any combination used to restrict the access.

If there is not an authorization policy for NonCompliant clients that are posture required, this is a finding.
If the authorization policy does not restrict the access of NonCompliant clients that are posture required, this is a finding.

Fix: F-45837r803568_fix

If required by the NAC SSP, configure the authorization policy to enforce posture assessment status for posture required clients.
1. Edit the Policy Set to enforce the posture assessment.
2. Navigate to Work Centers >> Network Access >> Policy Sets.
3. Choose ">" on the applicable policy set.
4. Expand the Authorization Policy.
5. Click the Actions gear at the location where the new Authorization Policy will be inserted.
6. Choose "Insert new row above", or if there is an Authorization Policy made for the device type that posture will be applied to, choose "Duplicate above".
7. Click on the name of the policy and define a desirable name.
8. Either click on the "+" icon or click on the existing Conditions to open the Conditions Studio.
9. Choose "New" under the editor.
10. Choose "Click to add an attribute".
11. Under Dictionary, select "Session" in the drop-down menu.
12. Under Attribute, select "PostureStatus".
13. Ensure "Equals" is selected as the operator.
14. Select "Compliant" in the drop-down menu.
15. Choose "New".
16. Add a condition to flag the device type that should be postured.
17. Choose "Use".
18. Name the rule accordingly.
19. Select the desired result.
20. Click the Actions gear on the Authorization Policy just created.
21. Select "Duplicate below" in the drop-down.
22. Click on the conditions of the copy.
23. Change the PostureStatus value from "Compliant" to "NonCompliant".
24. Choose "Use".
25. Name the rule accordingly.
26. Select a result that is used for remediation access, which should be a result that is configured for a restricted VLAN, ACL, SGT, or any combination used to restrict the access.
27. Choose "Save".

The Cisco ISE must have a posture policy for posture required clients defined in the NAC System Security Plan (SSP). This is required for compliance with C2C Step 2.
CM-6 - High - CCI-000366 - V-242606 - SV-242606r944368_rule
RMF Control
CM-6
Severity
High
CCI
CCI-000366
Version
CSCO-NC-000320
Vuln IDs
  • V-242606
Rule IDs
  • SV-242606r944368_rule
Posture assessments can reduce the risk that clients impose on networks. The posture policy is the function that links requirements to applicable clients. Multiple requirements can be associated with a single policy. However, multiple policies can also be applicable to the same client. The posture policy operates in such a way that all applicable policies are applied, rather than the top-down first-match approach.
Checks: C-45881r944367_chk

If DOD is not at C2C Step 2 or higher, this is not a finding.
If not required by the NAC SSP, this is not a finding.

Verify the posture policy for posture required clients.
1. Navigate to Work Centers >> Posture >> Posture Policy.
2. Review the enabled posture policies to ensure posture required endpoints will process requirements.

If there is not an enabled policy that will be applied to posture required endpoints, this is a finding.

Fix: F-45838r803571_fix

If required by the NAC SSP, configure the posture policy for posture required clients.
1. Navigate to Work Centers >> Posture >> Posture Policy.
2. Choose the drop-down located next to "Edit" on the right side of the page where you want the new policy inserted.
3. Choose "Insert new policy".
4. Define a Name.
5. Select the applicable Identity Groups.
6. Select the applicable Operating Systems configured in the requirement previously created.
7. Select the Compliance Module configured in the requirement previously created.
8. Select the Posture Type configured in the requirement previously created.
9. Select Other Conditions if used.
10. Select the applicable Requirement or Requirements, ensuring there is a green check box to the left of the name indicating it is a mandatory requirement.
11. Choose "Done".
12. Choose "Save".

Note: The user can apply multiple requirements to a single policy, or have multiple policies each with a single requirement, as the posture policy operates in a "match-all" fashion.