Cisco ISE NDM Security Technical Implementation Guide

  • Version/Release: V2R1
  • Published: 2024-06-10
  • Released: 2024-07-24
  • Expand All:
  • Severity:
  • Sort:
Compare

Select any two versions of this STIG to compare the individual requirements

View

Select any old version/release of this STIG to view the previous requirements

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
a
The Cisco ISE must limit the number of CLI sessions to one and organization-defined number for the GUI.
AC-10 - Low - CCI-000054 - V-242607 - SV-242607r960735_rule
RMF Control
AC-10
Severity
Low
CCI
CCI-000054
Version
CSCO-NM-000010
Vuln IDs
  • V-242607
Rule IDs
  • SV-242607r960735_rule
Device management includes the ability to control the number of management sessions that manage a device. Limiting the number of allowed sessions is helpful in limiting risks related to DoS attacks. This requirement addresses concurrent sessions for administrative access. The maximum number of concurrent sessions should be defined based upon mission needs and the operational environment for each system. At a minimum, limits must be set for SSH and HTTPS sessions.
Checks: C-45882r822783_chk

Review the concurrent sessions to ensure the CLI and GUI have the correct number of sessions defined. From web Admin portal: 1. Choose Administration >> System >>Admin Access >> Settings >> Access. 2. Verify the "Maximum Concurrent Sessions" under "GUI" Sessions is set to the organization-defined number. 3. Verify the "Maximum Concurrent Sessions" under "CLI" Sessions is set to one. If the CLI is not set to limit the maximum number of sessions to one or the GUI is not set to limit the maximum number of sessions to the organization-defined number, then this is a finding.

Fix: F-45839r822786_fix

Configure the concurrent sessions for the CLI and GUI. From web admin portal: 1. Choose Administration >> System >>Admin Access >> Settings >> Access. 2. Configure the "Maximum Concurrent Sessions" under "GUI" to be the organization-defined number. 3. Configure the "Maximum Concurrent Sessions" under "CLI" to be one.

b
The Cisco ISE must change the password for the local CLI and web-based account when members who have access to the password leave the role and are no longer authorized access.
- Medium - CCI-004045 - V-242608 - SV-242608r997479_rule
RMF Control
Severity
Medium
CCI
CCI-004045
Version
CSCO-NM-000020
Vuln IDs
  • V-242608
Rule IDs
  • SV-242608r997479_rule
If shared/group account credentials are not terminated when individuals leave the group, the user that left the group can still gain access even though they are no longer authorized. There may also be instances when specific user actions need to be performed on the network device without unique administrator identification or authentication. A shared/group account credential is a shared form of authentication that allows multiple individuals to access the network device using a single account. Cisco ISE introduces a Generate Password option on the user and administrator creation page to generate instant password adhering to Cisco ISE password policies. This helps the users or administrators to use the password generated by Cisco ISE than spending time in thinking of a safe password to be configured.
Checks: C-45883r714132_chk

Verify by viewing site SSP to view that there is a procedure that requires password change with administrators leave the group. If Cisco ISE does not change the password for the local CLI and web-based account when members who have access to the password leave the role and are no longer authorized access, this is a finding.

Fix: F-45840r714133_fix

Generate Automatic Password for Users and Administrators (or generate using other encryption method). Navigate to Administrators—Administration >> System >> Admin Access >> Administrators >> Admin Users. Select the CLI and the web Admin users and select the option to generate the password. Document the generated password and secure it for emergency use as an Account of Last Resort. Do not share with other Admins unless necessary.

b
For the local web-based account of last resort, the Cisco ISE must automatically audit account creation.
AC-2 - Medium - CCI-000018 - V-242609 - SV-242609r960777_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-000018
Version
CSCO-NM-000030
Vuln IDs
  • V-242609
Rule IDs
  • SV-242609r960777_rule
Upon gaining access to a network device, an attacker will often first attempt to create a persistent method of reestablishing access. One way to accomplish this is to create a new account. Notification of account creation helps to mitigate this risk. Auditing account creation provides the necessary reconciliation that account management procedures are being followed. Without this audit trail, personnel without the proper authorization may gain access to critical network nodes.
Checks: C-45884r714135_chk

Verify logging categories for Administrative and Operational Audit has been configured to send auditable events to the syslog target. From the Web Admin portal: 1. Choose Administration >> System >> Logging >> Logging Categories. 2. Verify the Administrative and Operational Audit has been set to INFO and the Targets field has been set to the syslog target. If the Administrative and Operational Audit logging category is not configured for INFO severity level and send to the central syslog server, this is a finding.

Fix: F-45841r714136_fix

Enable logging categories for Cisco ISE to send auditable events to the syslog target. From the Web Admin portal: 1. Choose Administration >> System >> Logging >> Logging Categories. 2. Click the radio button next to the Administrative and Operational Audit logging category and then click "Edit". 3. Choose INFO from the Log Severity Level drop-down list. 4. In the Targets field, move the syslog target name that is being used to the Selected box. 5. Click "Save".

b
For the local web-based account of last resort and the default local CLI account, the Cisco ISE must automatically audit account modification.
AC-2 - Medium - CCI-001403 - V-242610 - SV-242610r960780_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-001403
Version
CSCO-NM-000040
Vuln IDs
  • V-242610
Rule IDs
  • SV-242610r960780_rule
Since the accounts in the network device are privileged or system-level accounts, account management is vital to the security of the network device. Account management by a designated authority ensures access to the network device is being controlled in a secure manner by granting access to only authorized personnel with the appropriate and necessary privileges. Auditing account modification along with an automatic notification to appropriate individuals will provide the necessary reconciliation that account management procedures are being followed. If modifications to management accounts are not audited, reconciliation of account management procedures cannot be tracked.
Checks: C-45885r714138_chk

Verify logging categories for Administrative and Operational Audit has been configured to send auditable events to the syslog target. From the Web Admin portal: 1. Choose Administration >> System >> Logging >> Logging Categories. 2. Verify the Administrative and Operational Audit has been set to INFO and the Targets field has been set to the syslog target. If the Administrative and Operational Audit logging category is not configured for INFO severity level and send to the central syslog server, this is a finding.

Fix: F-45842r714139_fix

Enable logging categories for Cisco ISE to send auditable events to the syslog target. From the Web Admin portal: 1. Choose Administration >> System >> Logging >> Logging Categories. 2. Click the radio button next to the Administrative and Operational Audit logging category and then click "Edit". 3. Choose INFO from the Log Severity Level drop-down list. 4. In the Targets field, move the syslog target name that is being used to the Selected box. 5. Click "Save".

b
For the local web-based account of last resort, the Cisco ISE must automatically audit account disabling actions.
AC-2 - Medium - CCI-001404 - V-242611 - SV-242611r960783_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-001404
Version
CSCO-NM-000050
Vuln IDs
  • V-242611
Rule IDs
  • SV-242611r960783_rule
Account management, as a whole, ensures access to the network device is being controlled in a secure manner by granting access to only authorized personnel. Auditing account disabling actions will support account management procedures. When device management accounts are disabled, user or service accessibility may be affected. Auditing also ensures authorized active accounts remain enabled and available for use when required.
Checks: C-45886r714141_chk

Verify logging categories for Administrative and Operational Audit has been configured to send auditable events to the syslog target. From the Web Admin portal: 1. Choose Administration >> System >> Logging >> Logging Categories. 2. Verify the Administrative and Operational Audit has been set to INFO and the Targets field has been set to the syslog target. If the Administrative and Operational Audit logging category is not configured for INFO severity level and send to the central syslog server, this is a finding.

Fix: F-45843r714142_fix

Enable logging categories for Cisco ISE to send auditable events to the syslog target. From the Web Admin portal: 1. Choose Administration >> System >> Logging >> Logging Categories. 2. Click the radio button next to the Administrative and Operational Audit logging category and then click "Edit". 3. Choose INFO from the Log Severity Level drop-down list. 4. In the Targets field, move the syslog target name that is being used to the Selected box. 5. Click "Save".

b
For the local account of last resort, the Cisco ISE must automatically audit account removal actions.
AC-2 - Medium - CCI-001405 - V-242612 - SV-242612r960786_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-001405
Version
CSCO-NM-000060
Vuln IDs
  • V-242612
Rule IDs
  • SV-242612r960786_rule
Account management, as a whole, ensures access to the network device is being controlled in a secure manner by granting access to only authorized personnel. Auditing account removal actions will support account management procedures. When device management accounts are terminated, user or service accessibility may be affected. Auditing also ensures authorized active accounts remain enabled and available for use when required.
Checks: C-45887r714144_chk

Verify logging categories for Administrative and Operational Audit has been configured to send auditable events to the syslog target. From the Web Admin portal: 1. Choose Administration >> System >> Logging >> Logging Categories. 2. Verify the Administrative and Operational Audit has been set to INFO and the Targets field has been set to the syslog target. If the Administrative and Operational Audit logging category is not configured for INFO severity level and send to the central syslog server, this is a finding.

Fix: F-45844r714145_fix

Enable logging categories for Cisco ISE to send auditable events to the syslog target. From the Web Admin portal: 1. Choose Administration >> System >> Logging >> Logging Categories. 2. Click the radio button next to the Administrative and Operational Audit logging category and then click "Edit". 3. Choose INFO from the Log Severity Level drop-down list. 4. In the Targets field, move the syslog target name that is being used to the Selected box. 5. Click "Save".

a
The Cisco ISE must automatically audit account enabling actions.
AC-2 - Low - CCI-002130 - V-242613 - SV-242613r961290_rule
RMF Control
AC-2
Severity
Low
CCI
CCI-002130
Version
CSCO-NM-000070
Vuln IDs
  • V-242613
Rule IDs
  • SV-242613r961290_rule
Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply enable a new or disabled account. Notification of account enabling is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail which documents the creation of application user accounts and notifies administrators and ISSO. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes.
Checks: C-45888r714147_chk

Verify logging categories for Administrative and Operational Audit has been configured to send auditable events to the syslog target. From the Web Admin portal: 1. Choose Administration >> System >> Logging >> Logging Categories. 2. Verify the Administrative and Operational Audit has been set to INFO and the Targets field has been set to the syslog target. If the Administrative and Operational Audit logging category is not configured for INFO severity level and send to the central syslog server, this is a finding.

Fix: F-45845r714148_fix

Enable logging categories for Cisco ISE to send auditable events to the syslog target. From the Web Admin portal: 1. Choose Administration >> System >> Logging >> Logging Categories. 2. Click the radio button next to the Administrative and Operational Audit logging category and then click "Edit". 3. Choose INFO from the Log Severity Level drop-down list. 4. In the Targets field, move the syslog target name that is being used to the Selected box. 5. Click "Save".

b
The Cisco ISE must be configured with only one local web-based account to be used as the account of last resort in the event the authentication server is unavailable.
AC-2 - Medium - CCI-001358 - V-242614 - SV-242614r960969_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-001358
Version
CSCO-NM-000080
Vuln IDs
  • V-242614
Rule IDs
  • SV-242614r960969_rule
Authentication for administrative (privileged level) access to the device is required at all times. An account can be created on the device's local database for use when the authentication server is down or connectivity between the device and the authentication server is not operable. This account is referred to as the account of last resort since it is intended to be used as a last resort and when immediate administrative access is absolutely necessary. The account of last resort logon credentials must be stored in a sealed envelope and kept in a safe. The safe must be periodically audited to verify the envelope remains sealed. The signature of the auditor and the date of the audit should be added to the envelope as a record. Administrators should secure the credentials and disable the root account (if possible) when not needed for system administration functions. Accounts necessary for authorized system functions are permitted, but must be secured to prevent use for local login and remote exploitation. These accounts should either be disabled for login for non-system functions and/or use a compliant authenticator (Example RSA SecureID token).
Checks: C-45889r714150_chk

View the local admin users. 1. Choose Administration >> System >> Admin Access >> Administrators >> Admin Users >>View. 2. Verify there are only two local accounts are defined. Both must be in the Super User group. These users must be the web-based Account of Last Resort and the default CLI admin user. If the Cisco ISE has unauthorized local users defined, this is a finding.

Fix: F-45846r714151_fix

Create a local web-based administrator. ONLY one web-based admin account should exist on the local device. The default CLI account is also local and cannot be removed. 1. Choose Administration >> System >> Admin Access >> Administrators >> Admin Users >> Add. 2. From the drop-down, choose Create an Admin User. 3. Enter the admin name and other information. 4. Add the Super User group. 5. Click "Submit".

c
The Cisco ISE must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
AC-6 - High - CCI-002235 - V-242615 - SV-242615r961353_rule
RMF Control
AC-6
Severity
High
CCI
CCI-002235
Version
CSCO-NM-000090
Vuln IDs
  • V-242615
Rule IDs
  • SV-242615r961353_rule
Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals that do not possess appropriate authorizations.
Checks: C-45890r803574_chk

Verify that only administrator accounts are located in administrative groups. From the web Admin portal: 1. Navigate to Administration >> System >> Admin Access >> Authorization >> Permissions >> Policy. 2. Verify non-administrative users are located in read only or limited access admin groups. If non-adminstrative accounts are in administrative admin groups, this is a finding.

Fix: F-45847r803575_fix

Configure Role Based Access Control to ensure only administrator accounts have admin or super admin rights. From web Admin portal: 1. Navigate to Administration >> System >> Admin Access >> Authorization >> Permissions > Policy. 2. Take note of admin account groups. 3. Navigate to Administration >> System >> Admin Access >> Administrators >> Admin Users. 4. Ensure only admin accounts are placed within admin groups. Note: If Active Directory is in use for external authentication, verify from AD that only administrative users are in the security group used for ISE admins.

b
The Cisco ISE must audit the execution of privileged functions.
AC-16 - Medium - CCI-002264 - V-242616 - SV-242616r961362_rule
RMF Control
AC-16
Severity
Medium
CCI
CCI-002264
Version
CSCO-NM-000100
Vuln IDs
  • V-242616
Rule IDs
  • SV-242616r961362_rule
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat.
Checks: C-45891r864183_chk

Verify logging categories have been configured to send auditable events to the syslog target. From the Web Admin portal: 1. Choose Administration >> System >> Logging >> Logging Categories. 2. Verify the Administrative and Operational Audit is configured for the INFO log severity level. 3. Verify both the Administrative and Operational Audit and the AAA Audit logging categories have been set to the syslog target. If the Administrative and Operational Audit (INFO severity) and the AAA Audit logging category is not configured to send to the central syslog server, this is a finding.

Fix: F-45848r864184_fix

Enable logging categories for Cisco ISE to send auditable events to the syslog target. From the Web Admin portal: 1. Choose Administration >> System >> Logging >> Logging Categories. 2. Click the radio button next to the Administrative and Operational Audit logging category and then click "Edit". 3. Choose INFO from the Log Severity Level drop-down list. 4. In the Targets field, move the syslog target name that is being used to the Selected box. 5. Repeat the above steps to enable the AAA Audit logging category. However, this logging category has INFO as the default log severity level and cannot be changed. 5. Click "Save".

b
The Cisco ISE must be configured to enforce the limit of three consecutive invalid logon attempts, after which time it must lock out the user account from accessing the device for 15 minutes.
AC-7 - Medium - CCI-000044 - V-242617 - SV-242617r960840_rule
RMF Control
AC-7
Severity
Medium
CCI
CCI-000044
Version
CSCO-NM-000110
Vuln IDs
  • V-242617
Rule IDs
  • SV-242617r960840_rule
By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. If the administrator enters an incorrect password three times, the Admin portal locks the account, adds a log entry in the Server Administrator Logins report, and suspends the credentials until it is reset.
Checks: C-45892r822784_chk

Verify ISE will disable accounts for at least 15 minutes after a maximum of three consecutive invalid logon attempts. From web admin portal: 1. Choose Administration >> System >> Admin Access >> Authentication >> Lock/Suspend Settings. 2. Verify the "Take action after [ ] failed attempts" setting is set to a value of 3 or lower. 3. Verify the "Suspend account for [ ] minutes" setting is selected and set to be 15 minutes or higher If the lockout for admin accounts is not configured to lock the account after a maximum of three incorrect passwords are attempted, this is a finding. If the lockout for admin accounts is not configured to lock the account for a minimum of 15 minutes, this is a finding.

Fix: F-45849r822785_fix

Configure ISE to disable accounts for at least 15 minutes after a maximum of three consecutive invalid logon attempts. From web admin portal: 1. Choose Administration >> System >> Admin Access >> Authentication >> Lock/Suspend Settings. 2. Configure the "Take action after [ ] failed attempts" setting to be set to a value of 3 or lower. 3. Check the "Suspend account for [ ] minutes" setting and set to be 15 minutes or higher. 4. Click Save. Note: This setting will propagate to the ADE-OS applying the settings for the CLI accounts as well.

b
For the local account of last resort, the Cisco ISE must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the device.
AC-8 - Medium - CCI-000048 - V-242618 - SV-242618r960843_rule
RMF Control
AC-8
Severity
Medium
CCI
CCI-000048
Version
CSCO-NM-000120
Vuln IDs
  • V-242618
Rule IDs
  • SV-242618r960843_rule
Display of the DoD-approved use notification before granting access to the network device ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via logon interfaces with human users, such as when directly logging in to the device.
Checks: C-45893r714162_chk

Determine if the network device is configured to present a DoD-approved banner that is formatted in accordance with DTM-08-060. In the configuration, view the "banner login" configuration. If such a banner is not presented, this is a finding.

Fix: F-45850r714163_fix

Configure the administrative sessions login banner to display when users access the web or CLI interface that appears before and after an administrator logs in. By default, these login banners are disabled. 1. From the web management tool, click on Administration >> System >> Admin Access >> Settings >> Access >> Session. 2. To display the banner message before an administrator logs in, check the Pre-login banner check box and enter the message in the text box. 3. To display the banner message after an administrator logs in, check the Post-login banner check box and enter your message in the text box. 4. Click "Save".

b
The Cisco ISE must protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.
AU-10 - Medium - CCI-000166 - V-242619 - SV-242619r960864_rule
RMF Control
AU-10
Severity
Medium
CCI
CCI-000166
Version
CSCO-NM-000130
Vuln IDs
  • V-242619
Rule IDs
  • SV-242619r960864_rule
This requirement supports non-repudiation of actions taken by an administrator and is required in order to maintain the integrity of the configuration management process. All configuration changes to the network device are logged, and administrators authenticate with two-factor authentication before gaining administrative access. Together, these processes will ensure the administrators can be held accountable for the configuration changes they implement. To meet this requirement, the network device must log administrator access and activity.
Checks: C-45894r714165_chk

To view remote logging targets, complete the following steps: 1. From the ISE Administration Interface, choose Administration >> System >> Logging >> Remote Logging Targets. 2. The Remote Logging Targets page appears with a list of existing logging targets. If a remote logging target is not configured, this is a finding.

Fix: F-45851r714166_fix

Create a secure syslog remote logging target and direct logging to that site's central syslog or events server. To create an external logging target, complete the following steps: 1. Choose Administration >> System >> Logging >> Remote Logging Targets. 2. Click "Add". 3. Configure the following fields: - Name - Enter the name of the new target. - Target Type - By default it is set to Syslog. The value of this field cannot be changed. - Description - Enter a brief description of the new target. - IP Address - Enter the IP address of the destination machine where you want to store the logs. - Port - Enter the port number of the destination machine. - Facility Code - Choose the syslog facility code to be used for logging. Valid options are Local0 through Local7. - Maximum Length - Enter the maximum length of the remote log target messages. Valid options are from 200 to 1024 bytes. 4. Click "Save". Go to the Logging Targets page and verify the creation of the new target. To edit a remote logging target, complete the following steps: 1. Choose Administration >> System >> Logging >> Remote Logging Targets. 2. Click the radio button next to the logging target name that you want to edit and click "Edit". 3. Modify the following field values on the Log Collection page as needed: - Name - Target Type - Description - IP Address - Port - Facility Code - Maximum Length 4. Click "Save". The updating of the selected Log Collector is completed.

b
The Cisco ISE must generate audit records when successful attempts to access privileges occur.
AU-12 - Medium - CCI-000172 - V-242620 - SV-242620r960885_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
CSCO-NM-000140
Vuln IDs
  • V-242620
Rule IDs
  • SV-242620r960885_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Checks: C-45895r864186_chk

Verify logging categories have been configured to send auditable events to the syslog target. From the Web Admin portal: 1. Choose Administration >> System >> Logging >> Logging Categories. 2. Verify the Administrative and Operational Audit is configured for the INFO log severity level. 3. Verify both the Administrative and Operational Audit and the AAA Audit logging categories have been set to the syslog target. If the Administrative and Operational Audit (INFO severity) and the AAA Audit logging category is not configured to send to the central syslog server, this is a finding.

Fix: F-45852r864187_fix

Enable logging categories for Cisco ISE to send auditable events to the syslog target. From the Web Admin portal: 1. Choose Administration >> System >> Logging >> Logging Categories. 2. Click the radio button next to the Administrative and Operational Audit logging category and then click "Edit". 3. Choose INFO from the Log Severity Level drop-down list. 4. In the Targets field, move the syslog target name that is being used to the Selected box. 5. Repeat the above steps to enable the AAA Audit logging category. However, this logging category has INFO as the default log severity level and cannot be changed. 5. Click "Save".

b
The Cisco ISE must generate audit records when successful attempts to modify administrator privileges occur.
AU-12 - Medium - CCI-000172 - V-242621 - SV-242621r961800_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
CSCO-NM-000150
Vuln IDs
  • V-242621
Rule IDs
  • SV-242621r961800_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the network device (e.g., module or policy filter).
Checks: C-45896r864222_chk

Verify logging categories have been configured to send auditable events to the syslog target. From the Web Admin portal: 1. Choose Administration >> System >> Logging >> Logging Categories. 2. Verify the Administrative and Operational Audit is configured for the INFO log severity level. 3. Verify both the Administrative and Operational Audit and the AAA Audit logging categories have been set to the syslog target. If the Administrative and Operational Audit (INFO severity) and the AAA Audit logging category is not configured to send to the central syslog server, this is a finding.

Fix: F-45853r864223_fix

Enable logging categories for Cisco ISE to send auditable events to the syslog target. From the Web Admin portal: 1. Choose Administration >> System >> Logging >> Logging Categories. 2. Click the radio button next to the Administrative and Operational Audit logging category and then click "Edit". 3. Choose INFO from the Log Severity Level drop-down list. 4. In the Targets field, move the syslog target name that is being used to the Selected box. 5. Repeat the above steps to enable the AAA Audit logging category. However, this logging category has INFO as the default log severity level and cannot be changed. 5. Click "Save".

b
The Cisco ISE must generate audit records when successful attempts to delete administrator privileges occur.
AU-12 - Medium - CCI-000172 - V-242622 - SV-242622r961812_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
CSCO-NM-000160
Vuln IDs
  • V-242622
Rule IDs
  • SV-242622r961812_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the network device (e.g., module or policy filter).
Checks: C-45897r864189_chk

Verify logging categories have been configured to send auditable events to the syslog target. From the Web Admin portal: 1. Choose Administration >> System >> Logging >> Logging Categories. 2. Verify the Administrative and Operational Audit is configured for the INFO log severity level. 3. Verify both the Administrative and Operational Audit and the AAA Audit logging categories have been set to the syslog target. If the Administrative and Operational Audit (INFO severity) and the AAA Audit logging category is not configured to send to the central syslog server, this is a finding.

Fix: F-45854r864190_fix

Enable logging categories for Cisco ISE to send auditable events to the syslog target. From the Web Admin portal: 1. Choose Administration >> System >> Logging >> Logging Categories. 2. Click the radio button next to the Administrative and Operational Audit logging category and then click "Edit". 3. Choose INFO from the Log Severity Level drop-down list. 4. In the Targets field, move the syslog target name that is being used to the Selected box. 5. Repeat the above steps to enable the AAA Audit logging category. However, this logging category has INFO as the default log severity level and cannot be changed. 5. Click "Save".

b
The Cisco ISE must generate audit records when successful logon attempts occur.
AU-12 - Medium - CCI-000172 - V-242623 - SV-242623r961824_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
CSCO-NM-000170
Vuln IDs
  • V-242623
Rule IDs
  • SV-242623r961824_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the network device (e.g., module or policy filter).
Checks: C-45898r864192_chk

Verify logging categories have been configured to send auditable events to the syslog target. From the Web Admin portal: 1. Choose Administration >> System >> Logging >> Logging Categories. 2. Verify the Administrative and Operational Audit is configured for the INFO log severity level. 3. Verify both the Administrative and Operational Audit and the AAA Audit logging categories have been set to the syslog target. If the Administrative and Operational Audit (INFO severity) and the AAA Audit logging category is not configured to send to the central syslog server, this is a finding.

Fix: F-45855r864193_fix

Enable logging categories for Cisco ISE to send auditable events to the syslog target. From the Web Admin portal: 1. Choose Administration >> System >> Logging >> Logging Categories. 2. Click the radio button next to the Administrative and Operational Audit logging category and then click "Edit". 3. Choose INFO from the Log Severity Level drop-down list. 4. In the Targets field, move the syslog target name that is being used to the Selected box. 5. Repeat the above steps to enable the AAA Audit logging category. However, this logging category has INFO as the default log severity level and cannot be changed. 5. Click "Save".

b
The Cisco ISE must generate audit records for privileged activities or other system-level access.
AU-12 - Medium - CCI-000172 - V-242624 - SV-242624r961827_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
CSCO-NM-000180
Vuln IDs
  • V-242624
Rule IDs
  • SV-242624r961827_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the network device (e.g., module or policy filter).
Checks: C-45899r864195_chk

Verify logging categories have been configured to send auditable events to the syslog target. From the Web Admin portal: 1. Choose Administration >> System >> Logging >> Logging Categories. 2. Verify the Administrative and Operational Audit is configured for the INFO log severity level. 3. Verify both the Administrative and Operational Audit and the AAA Audit logging categories have been set to the syslog target. If the Administrative and Operational Audit (INFO severity) and the AAA Audit logging category is not configured to send to the central syslog server, this is a finding.

Fix: F-45856r864196_fix

Enable logging categories for Cisco ISE to send auditable events to the syslog target. From the Web Admin portal: 1. Choose Administration >> System >> Logging >> Logging Categories. 2. Click the radio button next to the Administrative and Operational Audit logging category and then click "Edit". 3. Choose INFO from the Log Severity Level drop-down list. 4. In the Targets field, move the syslog target name that is being used to the Selected box. 5. Repeat the above steps to enable the AAA Audit logging category. However, this logging category has INFO as the default log severity level and cannot be changed. 5. Click "Save".

b
The Cisco ISE must generate audit records when concurrent logons from different workstations occur.
AU-12 - Medium - CCI-000172 - V-242625 - SV-242625r961833_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
CSCO-NM-000190
Vuln IDs
  • V-242625
Rule IDs
  • SV-242625r961833_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the network device (e.g., module or policy filter).
Checks: C-45900r944972_chk

Verify logging categories have been configured. From the Web Admin portal: 1. Choose Administration >> System >> Logging >> Logging Categories. 2. Verify the Administrative and Operational Audit logs are set to INFO severity category. If the Administrative and Operational Audit are not set to the INFO severity category, this is a finding.

Fix: F-45857r944973_fix

Enable logging categories for Cisco ISE. From the Web Admin portal: 1. Choose Administration >> System >> Logging >> Logging Categories. 2. Click the radio button next to the Administrative and Operational Audit logging category and then click "Edit". 3. Choose INFO from the Log Severity Level drop-down list. 4. In the Targets field, move the syslog target name that is being used to the Selected box. 5. Click "Save".

b
The Cisco ISE must limit audit record storage capacity for all locally stored logs.
AU-4 - Medium - CCI-001849 - V-242626 - SV-242626r961392_rule
RMF Control
AU-4
Severity
Medium
CCI
CCI-001849
Version
CSCO-NM-000200
Vuln IDs
  • V-242626
Rule IDs
  • SV-242626r961392_rule
In order to ensure network devices have a sufficient storage capacity in which to write the audit logs, they need to be able to allocate audit record storage capacity. The task of allocating audit record storage capacity is usually performed during initial device setup if it is modifiable. The value for the organization-defined audit record storage requirement will depend on the amount of storage available on the network device, the anticipated volume of logs, the frequency of transfer from the network device to centralized log servers, and other factors.
Checks: C-45901r714186_chk

Examine the local log purge setting. show logging internal or Choose Administration >> System >> Logging >> Local Log Settings >> Local Log Storage Period. If local logs are set to purge after a locally established period, this is not a finding.

Fix: F-45858r714187_fix

Configure syslog purge settings. Use the following process to delete local logs after a certain period of time. This is set based on the local environment and size of the implementation. 1. Choose Administration >> System >> Logging >> Local Log Settings. 2. In the Local Log Storage Period field, enter the maximum number of days to keep the log entries in the configuration source. 3. Click "Delete Logs Now" to delete the existing log files at any time before the expiration of the storage period. 4. Click "Save". Note: The system is designed to delete logs if the size of the localStore folder reaches 97 GB, regardless of the configured Local Log Storage Period.

b
The Cisco ISE must configure a remote syslog where audit records are stored on a centralized logging target that is different from the system being audited.
AU-4 - Medium - CCI-001851 - V-242627 - SV-242627r961860_rule
RMF Control
AU-4
Severity
Medium
CCI
CCI-001851
Version
CSCO-NM-000210
Vuln IDs
  • V-242627
Rule IDs
  • SV-242627r961860_rule
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Storing audit logs to a different system than that being audited is a common process in information systems with limited audit storage capacity.
Checks: C-45902r714189_chk

To view remote logging targets, complete the following steps: 1. From the ISE Administration Interface, choose Administration >> System >> Logging >> Remote Logging Targets. 2. The Remote Logging Targets page appears with a list of existing logging targets. If a remote logging target is not configured, this is a finding.

Fix: F-45859r714190_fix

Create a Remote Logging Target and direct logging to that target. To create an external logging target, complete the following steps: 1. Choose Administration >> System >> Logging >> Remote Logging Targets. 2. Click "Add". 3. Configure the following fields. - Name - Enter the name of the new target - Target Type - By default it is set to Syslog. The value of this field cannot be changed. - Description - Enter a brief description of the new target. - IP Address - Enter the IP address of the destination machine where you want to store the logs. - Port - Enter the port number of the destination machine. - Facility Code - Choose the syslog facility code to be used for logging. Valid options are Local0 through Local7. - Maximum Length - Enter the maximum length of the remote log target messages. Valid options are from 200 to 1024 bytes. 4. Click "Save". Go to the Logging Targets page and verify the creation of the new target. To edit a remote logging target, complete the following steps: 1. Choose Administration >> System >> Logging >> Remote Logging Targets. 2. Click the radio button next to the logging target name that you want to edit and click "Edit". 3. Modify the following field values on the Log Collection page as needed. - Name - Target Type - Description - IP Address - Port - Facility Code - Maximum Length 4. Click "Save". The updating of the selected Log Collector is completed.

b
The Cisco ISE must send an alarm to one or more individuals when the monitoring collector process has an error or failure.
AU-5 - Medium - CCI-001858 - V-242628 - SV-242628r961401_rule
RMF Control
AU-5
Severity
Medium
CCI
CCI-001858
Version
CSCO-NM-000220
Vuln IDs
  • V-242628
Rule IDs
  • SV-242628r961401_rule
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without an alert, security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected. Cisco ISE provides system alarms which notify the administrator when critical system condition occurs. Alarms are displayed in the Alarm dashlet. Administrators can configured the dashlet to receive notification of alarms through e-mail and/or syslog messages. SNMP alerts may also be used to fulfill this requirement.
Checks: C-45903r714192_chk

Verify the Cisco ISE notifies one or more individuals when the monitoring collector process is unable to persist the audit logs generated from the policy service nodes. 1. Choose Administration >> System >> Settings >> Alarm Settings. 2. Select "Log Collector Error" from the list of default alarms and click "Edit". 3. Verify that "Enable" is selected. 4. Select "Enter Multiple Emails Separated with Comma". 5. Verify one or more email addresses are configured. If "Log Collector Error" alarm type is not enabled or email addresses are not configured to receive the alert, this is a finding.

Fix: F-45860r714193_fix

Configure Cisco ISE to notify one or more individuals when the monitoring collector process is unable to persist the audit logs generated from the policy service nodes. 1. Choose Administration >> System >> Settings >> Alarm Settings. 2. Select "Log Collector Error" from the list of default alarms and click "Edit". 3. Select "Enable". 4. Select "Enter Multiple Emails Separated with Comma". 5. Configure email addresses of individuals to be notified. 6. Click "Submit".

b
The Cisco ISE must be configured to synchronize internal information system clocks using redundant authoritative time sources.
CM-6 - Medium - CCI-000366 - V-242629 - SV-242629r997481_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
CSCO-NM-000230
Vuln IDs
  • V-242629
Rule IDs
  • SV-242629r997481_rule
The loss of connectivity to a particular authoritative time source will result in the loss of time synchronization (free-run mode) and increasingly inaccurate time stamps on audit events and other functions. Multiple time sources provide redundancy by including a secondary source. Time synchronization is usually a hierarchy; clients synchronize time to a local source while that source synchronizes its time to a more accurate source. The network device must utilize an authoritative time server and/or be configured to use redundant authoritative time sources. This requirement is related to the comparison done in CCI-001891. DOD-approved solutions consist of a combination of a primary and secondary time source using a combination or multiple instances of the following: a time server designated for the appropriate DOD network (NIPRNet/SIPRNet); United States Naval Observatory (USNO) time servers; and/or the Global Positioning System (GPS). The secondary time source must be located in a different geographic region than the primary time source.
Checks: C-45904r714195_chk

1. View the status of the Network Translation Protocol (NTP) associations. show ntp 2. Verify a primary and secondary ntp server address is configured. If the Cisco ISE is not configured to synchronize internal information system clocks using redundant authoritative time sources, this is a finding.

Fix: F-45861r997480_fix

1. Choose Administration >> System >> Settings >> System Time. 2. Enter unique IP addresses (IPv4/IPv6/FQDN) for the NTP servers. 3. Check the "Only allow authenticated NTP servers" check box to restrict Cisco ISE to use only authenticated NTP servers to keep system and network time. DOD requires NTP authentication where available, so configure the NTP server using private keys. Click the NTP Authentication Keys tab and specify one or more authentication keys if any of the servers specified requires authentication via an authentication key, as follows: 4. Click "Add". 5. Enter the necessary Key ID and Key Value. Specify whether the key in question is trusted by activating or deactivating the Trusted Key option, and click "OK". The Key ID field supports numeric values between 1 and 65535 and the Key Value field supports up to 15 alphanumeric characters. 6. Return to the NTP Server Configuration tab after entering the NTP Server Authentication Keys. 7. Click "Save".

b
The Cisco ISE must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC).
AU-8 - Medium - CCI-001890 - V-242630 - SV-242630r961443_rule
RMF Control
AU-8
Severity
Medium
CCI
CCI-001890
Version
CSCO-NM-000240
Vuln IDs
  • V-242630
Rule IDs
  • SV-242630r961443_rule
If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis. Time stamps generated by the application include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT).
Checks: C-45905r714198_chk

1. View the clock setting. show clock 2. Verify the clock is set to use UTC. If the Cisco ISE does not use UTC, this is a finding.

Fix: F-45862r714199_fix

Change the clock to UTC using the CLI. clock timezone UTC

b
The Cisco ISE must enforce access restrictions associated with changes to the firmware, OS, and hardware components.
CM-5 - Medium - CCI-000345 - V-242632 - SV-242632r961863_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-000345
Version
CSCO-NM-000260
Vuln IDs
  • V-242632
Rule IDs
  • SV-242632r961863_rule
Changes to the hardware or software components of the network device can have significant effects on the overall security of the network. Therefore, only qualified and authorized individuals should be allowed administrative access to the network device for implementing any changes or upgrades. This requirement applies to updates of the application files, configuration, ACLs, and policy filters. RBAC policies determine if an administrator can be granted a specific type of access to a menu item or other identity group data elements. You can grant or deny access to a menu item or identity group data element to an administrator based on the admin group, by using RBAC policies. When administrators log in to the Admin portal, they can access menus and data that are based on the policies and permissions defined for the admin groups with which they are associated. RBAC policies map admin groups to menu access and data access permissions. For example, you can prevent Access operations menu and the policy data elements. This can be achieved by creating a custom RBAC policy for the admin group with which that network administrator is associated.
Checks: C-45907r714204_chk

Determine if groups with access such as Helpdesk Admin, Network Device Admin, SuperAdmin, and System Admin (at a minimum) are assigned unauthorized users. 1. Choose Administration >> System >> Admin Access >> Administrators >> Admin Groups. 2. Review the users for the groups with edit access such as Helpdesk Admin, Network Device Admin, SuperAdmin, and System Admin at a minimum. If the Cisco ISE does not enforce access restrictions associated with changes to the firmware, OS, and hardware components, this is a finding.

Fix: F-45864r714205_fix

1. Choose Administration >> System >> Admin Access >> Administrators >> Admin Groups. 2. Review the users for the groups with edit access such as Helpdesk Admin, Network Device Admin, SuperAdmin, and System Admin at a minimum. 3. To delete users from the admin group, check the check box corresponding to the user that you want to delete, and click "Remove". 4. Click "Submit".

b
The Cisco ISE must be configured to use an external authentication server to authenticate administrators prior to granting administrative access.
CM-6 - Medium - CCI-000366 - V-242633 - SV-242633r997485_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
CSCO-NM-000270
Vuln IDs
  • V-242633
Rule IDs
  • SV-242633r997485_rule
Centralized management of authentication settings increases the security of remote and nonlocal access methods. This control is particularly important protection against the insider threat. With robust centralized management, audit records for administrator account access to the organization's network devices can be more readily analyzed for trends and anomalies. The alternative method of defining administrator accounts on each device exposes the device configuration to remote access authentication attacks and system administrators with multiple authenticators for each network device. Cisco ISE can connect with external identity sources such as Active Directory, LDAP, RADIUS Token, and RSA SecurID servers to obtain user information for authentication and authorization. External identity sources also include certificate authentication profiles needed for certificate-based authentications. Configure external authentication to a central AAA identity source. For accounts defined in the external identity, create a password policy for the external administrator account stores. Then apply this policy to the external administrator groups that eventually become a part of the external administrator RBAC policy. In addition to providing authentication via an external identity store, the network may also require the use of a Common Access Card (CAC) authentication device. To configure external authentication: - Configure password-based authentication using an external identity store. - Create an external administrator group. - Configure menu access and data access permissions for the external administrator group. - Create an RBAC policy for external administrator authentication.
Checks: C-45908r714207_chk

Verify an external authentication identity source is configured. 1. Choose Administration >> System >> Admin Access >> Administrators >> Admin Groups. 2. View the External Group configuration. If the Cisco ISE is not configured to use an external authentication server to authenticate administrators prior to granting administrative access, this is a finding.

Fix: F-45865r997484_fix

Configure external authentication to a central AAA identity source. Configure password-based authentication for administrators who authenticate using an external identity store such as Active Directory or LDAP. 1. Choose Administration >> System >> Admin Access >> Authentication. 2. On the Authentication Method tab, select Password Based and choose one of the external identity sources that was previously configured (for example, the Active Directory instance that was created). 3. Configure any other specific password policy settings for administrators who authenticate using an external identity store. 4. Click "Save". Create an external Active Directory or LDAP administrator group. This ensures that Cisco ISE uses the username that is defined in the external Active Directory or LDAP identity store to validate the administrator username and password that was entered upon login. Cisco ISE imports the Active Directory or LDAP group information from the external resource and stores it as a dictionary attribute. Specify that attribute as one of the policy elements when it is time to configure the RBAC policy for this external administrator authentication method. 1. Choose Administration >> System >> Admin Access >> Administrators >> Admin Groups. 2. Click "Add". 3. Enter a name and optional description. 4. Choose the "External" radio button. 5. From the External Groups drop-down list box, choose the Active Directory group to map for this external administrator group. Click the "+" sign to map additional Active Directory groups to this external administrator group. 6. Click "Save". Configure menu access and data access permissions that can be assigned to the external administrator group. 1. Choose Administration >> System >> Admin Access >> Permissions. 2. Click one of the following: - Menu Access - All administrators who belong to the external administrator group can be granted permission at the menu or submenu level. The menu access permission determines the menus or submenus that they can access. - Data Access - All administrators who belong to the external administrator group can be granted permission at the data level. The data access permission determines the data that they can access. 3. Specify menu access or data access permissions for the external administrator group. 4. Click "Save". In order to configure Cisco ISE to authenticate the administrator using an external identity store and to specify custom menu and data access permissions at the same time, configure a new RBAC policy. This policy must have the external administrator group for authentication and the Cisco ISE menu and data access permissions to manage the external authentication and authorization. 1. Choose Administration >> System >> Admin Access >> Authorization >> Policy. 2. Specify the rule name, external administrator group, and permissions. Remember that the appropriate external administrator group must be assigned to the correct administrator user IDs. Ensure the administrator in question is associated with the correct external administrator group. 3. Click "Save".

b
The Cisco ISE must be running an operating system release that is currently supported by the vendor.
CM-6 - Medium - CCI-000366 - V-242634 - SV-242634r961863_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
CSCO-NM-000280
Vuln IDs
  • V-242634
Rule IDs
  • SV-242634r961863_rule
Network devices running an unsupported operating system lack current security fixes required to mitigate the risks associated with recent vulnerabilities. The recommended best practice is for the organization to implement a patch management process for Junos OS. The process should involve testing and verification of the authenticity of vendor-provided updated. These files are then placed into a repository which is protected by access, confidentiality, and integrity control. System administrators can then initiate firmware/software updates by pointing the device to this repository. There is no need for the device to perform additional certificate verification.
Checks: C-45909r714210_chk

To display information about the software version, type the following at the CLI: show version View details about the installed version of Cisco ADE-OS software running in the Cisco ISE server and also the Cisco ISE version. If the Cisco ISE is not running an operating system release that is currently supported by the vendor, this is a finding.

Fix: F-45866r714211_fix

Install the latest approved update of the CISCO ADE-OS software. 1. Click the "Upgrade" tab in the Admin portal. 2. Click "Proceed". The Review Checklist window appears. Read the instructions carefully. 3. Check the "I have reviewed the checklist" check box, and click "Continue".

b
The Cisco ISE must generate log records for a locally developed list of auditable events.
AU-12 - Medium - CCI-000169 - V-242636 - SV-242636r961863_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000169
Version
CSCO-NM-000300
Vuln IDs
  • V-242636
Rule IDs
  • SV-242636r961863_rule
Logging the actions of specific events provides a means to investigate an attack; to recognize resource utilization or capacity thresholds; or to identify an improperly configured network device. If auditing is not comprehensive, it will not be useful for intrusion monitoring, security investigations, and forensic analysis. In Cisco ISE a logging category is a bundle of message codes that describe a function, a flow, or a use case. In Cisco ISE, each log is associated with a message code that is bundled with the logging categories according to the log message content. Logging categories help describe the content of the messages that they contain. Logging categories promote logging configuration. Each category has a name, target, and severity level that you can set, as per your application requirement. Cisco ISE provides predefined logging categories for services, such as Posture, Profiler, Guest, AAA (authentication, authorization, and accounting), and so on, to which you can assign log targets.
Checks: C-45911r714216_chk

View the SSP syslog requirements. View the logging categories for Cisco ISE to verify the logging categories that pertain to the corresponding locally developed list of auditable events are enabled, configured, and being sent to the remote syslog target. 1. Log in to the Admin portal. 2. Choose Administration >> System >> Logging >> Logging Categories. 3. Click the radio button next to the desired logging category that pertains to the local list of auditable events and then click "Edit". 4. Choose the Log Severity Level drop-down list. 5. In the Targets field, move the secure syslog remote logging target to the Selected box. 6. Click "Save". 7. Repeat this procedure to enable all locally logging categories that pertain to the local list of auditable events. If the Cisco ISE does not generate log records for a locally developed list of auditable events, this is a finding.

Fix: F-45868r714217_fix

Enable logging categories for Cisco ISE to send auditable events to the remote syslog target. 1. Log in to the Admin portal. 2. Choose Administration >> System >> Logging >> Logging Categories. 3. Click the radio button next to the desired logging category that pertains to the local list of auditable events and then click "Edit". 4. Choose the Log Severity Level drop-down list. 5. In the Targets field, move the syslog remote logging target to the Selected box. 6. Click "Save". 7. Repeat this procedure to enable all locally logging categories that pertain to the local list of auditable events.

b
The Cisco ISE must be configured to conduct backups of system level information contained in the information system when changes occur.
CM-6 - Medium - CCI-000366 - V-242637 - SV-242637r961863_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
CSCO-NM-000320
Vuln IDs
  • V-242637
Rule IDs
  • SV-242637r961863_rule
System-level information includes default and customized settings and security attributes, including ACLs that relate to the network device configuration, as well as software required for the execution and operation of the device. Information system backup is a critical step in ensuring system integrity and availability. If the system fails and there is no backup of the system-level information, a denial of service condition is possible for all who utilize this critical network component. This control requires the network device to support the organizational central backup process for system-level information associated with the network device. This function may be provided by the network device itself; however, the preferred best practice is a centralized backup rather than each network device performing discrete backups. The Cisco ISE uses the CLI backup command to backup of system level information. However, the best practice is to use configuration backup products such as Tivoli, NCM, and FCM. Configuration for the backup is accomplished on the backup device, not on the Cisco. These products can be configured to either backup all files or just the rollback files which are saved each time a commit is executed. Save changes made to the running configuration to the startup configurations these changes will not be lost when the system is restarted.
Checks: C-45912r803577_chk

Navigate to Administration >> System >> Backup and Restore. Ensure that configuration data backups are scheduled for weekly intervals or in accordance with the site's SSP. If backups of the confiuration data are not made when when changes occur or in accordance with the site's SSP, this is a finding.

Fix: F-45869r803578_fix

Navigate to Administration >> System >> Backup and Restore. 1. Select the "Schedule" option next to configuration Data Backup. 2. Ensure a weekly scheduled backup is configured (or in accordance with the site's SSP).

a
The Cisco ISE must conduct backups of information system documentation, including security-related configuration files when changes occur or weekly, whichever is sooner.
CM-6 - Low - CCI-000366 - V-242638 - SV-242638r961863_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
CSCO-NM-000330
Vuln IDs
  • V-242638
Rule IDs
  • SV-242638r961863_rule
Information system backup is a critical step in maintaining data assurance and availability. Information system and security-related documentation contains information pertaining to system configuration and security settings. If this information was not backed up and a system failure was to occur, the security settings would be difficult to reconfigure quickly and accurately. Maintaining a backup of information system and security-related documentation provides for a quicker recovery time when system outages occur. This control requires the network device to support the organizational central backup process for user account information associated with the network device. This function may be provided by the network device itself; however, the preferred best practice is a centralized backup rather than each network device performing discrete backups.
Checks: C-45913r714222_chk

1. Review the SSP to see the site's network device backup policy. Check the Cisco ISE backup log to verify regular backups are being performed. show backup history 2. Determine if there is a recent history of backups. Verify if the backup history shows either weekly backups or periodic backups. If the Cisco ISE is not configured to conduct backups of system-level information contained in the information system when changes occur, this is a finding.

Fix: F-45870r714223_fix

Save changes to the Cisco ISE configuration files data and place the backup in a repository by using the backup command in EXEC mode on the CLI. backup [{backup-name} repository {repository-name} ise-config encryption-key hash| plain {encryption-key name}]

b
The Cisco ISE must use DoD-approved PKI rather than proprietary or self-signed device certificates.
CM-6 - Medium - CCI-000366 - V-242639 - SV-242639r961863_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
CSCO-NM-000340
Vuln IDs
  • V-242639
Rule IDs
  • SV-242639r961863_rule
To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs. The Cisco ISE generates a key-pair and a CSR. The CSR is sent to the approved CA, who signs it and returns it as a certificate. That certificate is then installed. The process to obtain a device PKI certificate requires the generation of a Certificate Signing Request (CSR), submission of the CSR to a CA, approval of the request by an RA, and retrieval of the issued certificate from the CA.
Checks: C-45914r714225_chk

Choose Administration >> System >> Certificates >> System Certificates. 1. The System Certificates page appears and provides information for the local certificates. 2. Select a certificate and choose "View" to display the certificate details. If the Cisco ISE does not obtain its public key certificates from an appropriate certificate policy through an approved service provider, this is a finding.

Fix: F-45871r714226_fix

Replace the self-signed certificate with a CA-signed certificates for greater security. To obtain a CA-signed certificate: A. Generate a certificate signing request (CSR) to obtain a CA-signed certificate for the nodes in your deployment. 1. Choose Administration >> System >> Certificates >> Certificate Signing Requests. 2. Enter the values for generating a CSR. Examples: RSA: Request security pki generate-key-pair certificate-id <cert name>> type rsa size <512 | 1024 | 2048 | 4096>> ECDSA: Request security pki generate-key-pair certificate-id <cert_name>> type ecdsa size <256 | 384>> 3. Click "Generate" to generate the CSR. 4. Click "Export" to open the CSR in a Notepad. 5. Copy all the text from "-----BEGIN CERTIFICATE REQUEST-----" through "-----END CERTIFICATE REQUEST-----." 6. Paste the contents of the CSR into the certificate request. Generate a new key-pair from a DoD-approved certificate issuer. Sites must consult the PKI/PKI pages on the https://cyber.mil/ website for procedures for NIPRNet and SIPRNet. 7. Download the signed certificate. B. Import the Root Certificates to the Trusted Certificate Store: Administration >> System >> Certificates >> Trusted Certificates C. Bind the CA-Signed Certificate to the CSR. 1. Choose Administration >> System >> Certificates >> Certificate Signing Requests. Check the check box next to the node for which you are binding the CSR with the CA-signed certificate. 2. Click "Bind". 3. Click "Browse" to choose the CA-signed certificate. 4. Specify a Friendly Name for the certificate. 5. Check the "Validate Certificate Extensions" check box if you want Cisco ISE to validate certificate extensions. 6. Check the service for which this certificate will be used in the Usage area. This information is auto populated if you have enabled the Usage option while generating the CSR. If you do not want to specify the usage at the time of binding the certificate, uncheck the Usage option. You can edit the certificate later and specify the usage. 7. Click "Submit". If you have chosen to use this certificate for Cisco ISE internode communication, the application server on the Cisco ISE node is restarted.

c
The Cisco ISE must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services.
CM-7 - High - CCI-000382 - V-242640 - SV-242640r960966_rule
RMF Control
CM-7
Severity
High
CCI
CCI-000382
Version
CSCO-NM-000350
Vuln IDs
  • V-242640
Rule IDs
  • SV-242640r960966_rule
Changes to any software components of the network device can have significant effects on the overall security of the network. Therefore, only qualified and authorized individuals should be allowed administrative access to the network device for implementing any changes or upgrades. If the network device were to enable non-authorized users to make changes to software libraries, those changes could be implemented without undergoing testing, validation, and approval.
Checks: C-45915r714228_chk

If an SNMP stanza does not exist, this is not a finding. 1. Use the command line interface to view the current SNMP configuration. show startup-config 2. Search for the keyword SNMP. If versions earlier than SNMPv3 are enabled, this is a finding. If SNMPv3 is not configured to meet DoD requirements, this is a finding.

Fix: F-45872r714229_fix

If SNMP is used by the organization, then SNMP is configured at the command line interface. To disable SNMPv1 and SNMPv2c if enabled type the remove the group with the following command. no snmp-server group <community> v1 To enable the SNMPv3 server on Cisco ISE, use the snmp-server enable command in global configuration mode. 1. snmp-server enable 2. snmp-server user <username> v3 hash <auth-password> <priv-password> 3. snmp-server host {ip-address | hostname} trap version 3 username engine_ID hash <auth-password> <priv-password>

c
The Cisco ISE must be configured to disable Wireless Setup for production systems.
CM-7 - High - CCI-000382 - V-242641 - SV-242641r960966_rule
RMF Control
CM-7
Severity
High
CCI
CCI-000382
Version
CSCO-NM-000360
Vuln IDs
  • V-242641
Rule IDs
  • SV-242641r960966_rule
ISE Wireless Setup is beta software so is not authorized for use in DoD. Wireless Setup is disabled by default after fresh installation of Cisco ISE. If you upgrade ISE from a previous version, the Wireless Setup menu does not appear. Wireless Setup requires ports 9103 and 9104 to be open. To close those ports, use the CLI to disable Wireless Setup. You can enable Wireless Setup in the ISE CLI with the command application configure ise, picking the option to enable Wireless Setup.
Checks: C-45916r822758_chk

If wireless setup is not availabe in this version of the product, this is not applicable. Verify Wi-Fi setup has been disabled on a device after initial setup and the device has been placed on the production network. Show application status Wi-Fi setup. If wireless setup is not disabled, this is a finding.

Fix: F-45873r714232_fix

Use the application configure command in EXEC mode to disable wireless setup. application configure disable Wi-Fi setup

b
For accounts using password authentication, the Cisco ISE must implement replay-resistant authentication mechanisms for network access to privileged accounts.
IA-2 - Medium - CCI-001941 - V-242642 - SV-242642r960993_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-001941
Version
CSCO-NM-000370
Vuln IDs
  • V-242642
Rule IDs
  • SV-242642r960993_rule
A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be vulnerable to a replay attack. An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. Techniques used to address this include protocols using nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., TLS, WS_Security). Additional techniques include time-synchronous or challenge-response one-time authenticators.
Checks: C-45917r864201_chk

Navigate to Administration &gt;&gt; System &gt;&gt; Settings &gt;&gt; FIPS Mode. Verify FIPS Mode is enabled. If FIPS Mode is enabled, this is not a finding. If FIPS mode is not configured, but password authentication is configured to use FIPS 140-2/3 validated replay-resistant authentication mechanism for network access to privileged accounts , this can be lowered to a CAT 3 finding.

Fix: F-45874r864202_fix

Enable FIPS Mode in Cisco ISE to ensure FIPS 140-2/3 algorithms are used in all security functions requiring cryptographic functions. 1. Choose Administration >> System >> Settings >> FIPS Mode. 2. Choose the "Enabled" option from the FIPS Mode drop-down list. 3. Click "Save" and restart the node. NOTE: Configuring FIPS mode is the required DoD configuration. However, this requirement can be lowered to a CAT 3 if the alternative manual configuration is used to configure individual protocols.

b
The Cisco ISE must be configured to authenticate SNMP messages using a FIPS-validated Keyed-Hash Message Authentication Code (HMAC).
IA-3 - Medium - CCI-001967 - V-242643 - SV-242643r961506_rule
RMF Control
IA-3
Severity
Medium
CCI
CCI-001967
Version
CSCO-NM-000380
Vuln IDs
  • V-242643
Rule IDs
  • SV-242643r961506_rule
Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk. A local connection is any connection with a device communicating without the use of a network. A network connection is any connection with a device that communicates through a network (e.g., local area or wide area network, Internet). A remote connection is any connection with a device communicating through an external network (e.g., the Internet). Because of the challenges of applying this requirement on a large scale, organizations are encouraged to only apply the requirement to those limited number (and type) of devices that truly need to support this capability.
Checks: C-45918r864204_chk

Navigate to Administration &gt;&gt; System &gt;&gt; Settings &gt;&gt; FIPS Mode. Verify FIPS Mode is enabled. If FIPS Mode is enabled, this is not a finding. If FIPS mode is not configured, but the Cisco ISE is configured so that SNMP messages are authenticated using a FIPS 140-2/3 validated HMAC, this can be lowered to a CAT 3 finding.

Fix: F-45875r864205_fix

Enable FIPS Mode in Cisco ISE to ensure FIPS 140-2/3 algorithms are used in all security functions requiring cryptographic functions. 1. Choose Administration >> System >> Settings >> FIPS Mode. 2. Choose the "Enabled" option from the FIPS Mode drop-down list. 3. Click "Save" and restart the node. NOTE: Configuring FIPS mode is the required DoD configuration. However, this requirement can be lowered to a CAT 3 if the alternative manual configuration is used to configure SNMP messages to authenticate using a FIPS-140-2/3 validated HMAC.

b
The Cisco ISE must authenticate Network Time Protocol sources using authentication that is cryptographically based.
IA-3 - Medium - CCI-001967 - V-242644 - SV-242644r961506_rule
RMF Control
IA-3
Severity
Medium
CCI
CCI-001967
Version
CSCO-NM-000390
Vuln IDs
  • V-242644
Rule IDs
  • SV-242644r961506_rule
If Network Time Protocol is not authenticated, an attacker can introduce a rogue NTP server. This rogue server can then be used to send incorrect time information to network devices, which will make log timestamps inaccurate and affect scheduled actions. NTP authentication is used to prevent this tampering by authenticating the time source.
Checks: C-45919r714240_chk

1. View the status of the Network Translation Protocol (NTP) associations. show ntp 2. Verify a primary and secondary ntp server address is configured. If the Cisco ISE is not configured to synchronize internal information system clocks using redundant authoritative time sources, this is a finding.

Fix: F-45876r714241_fix

1. Choose Administration >> System >> Settings >> System Time. 2. Enter unique IP addresses (IPv4/IPv6/FQDN) for the NTP servers. 3. Check the "Only allow authenticated NTP servers" check box if you want to restrict Cisco ISE to use only authenticated NTP servers to keep system and network time. DoD requires NTP authentication where available, so configure the NTP server using private keys. Click the "NTP Authentication Keys" tab and specify one or more authentication keys if any of the servers that you specify requires authentication via an authentication key, as follows: 4. Click "Add". 5. Enter the necessary Key ID and Key Value. Specify whether the key in question is trusted by activating or deactivating the Trusted Key option, and click "OK". The Key ID field supports numeric values between 1 and 65535, and the Key Value field supports up to 15 alphanumeric characters. 6. Return to the NTP Server Configuration tab when finished entering the NTP Server Authentication Keys. 7. Click "Save".

b
For accounts using password authentication, the Cisco ISE must enforce a minimum 15-character password length.
- Medium - CCI-004066 - V-242645 - SV-242645r997486_rule
RMF Control
Severity
Medium
CCI
CCI-004066
Version
CSCO-NM-000400
Vuln IDs
  • V-242645
Rule IDs
  • SV-242645r997486_rule
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.
Checks: C-45920r714243_chk

Verify the min-password length is set to 15. Show password policy If the Cisco ISE password policy is not configured to require a minimum 15-character password length, this is a finding.

Fix: F-45877r714244_fix

Configure the password policy. password-policy min-password-length 15

b
For accounts using password authentication, the Cisco ISE must enforce password complexity by requiring that at least one uppercase character be used.
- Medium - CCI-004066 - V-242646 - SV-242646r997488_rule
RMF Control
Severity
Medium
CCI
CCI-004066
Version
CSCO-NM-000410
Vuln IDs
  • V-242646
Rule IDs
  • SV-242646r997488_rule
Use of a complex passwords helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password is, the greater the number of possible combinations that need to be tested before the password is compromised. Multifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using PKI is not available, and for the account of last resort and root account.
Checks: C-45921r997487_chk

Verify that at least one uppercase letter is required. Show password policy If the Cisco ISE password policy is not configured to require at least one uppercase character, this is a finding.

Fix: F-45878r714247_fix

Configure the password policy. password-policy upper-case required 1

b
For accounts using password authentication, the Cisco ISE must enforce password complexity by requiring that at least one lowercase character be used.
- Medium - CCI-004066 - V-242647 - SV-242647r997490_rule
RMF Control
Severity
Medium
CCI
CCI-004066
Version
CSCO-NM-000420
Vuln IDs
  • V-242647
Rule IDs
  • SV-242647r997490_rule
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Multifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using PKI is not available, and for the account of last resort and root account.
Checks: C-45922r997489_chk

Verify that at least one lowercase letter is required. Show password policy If the Cisco ISE password policy is not configured to require at least one lowercase character, this is a finding.

Fix: F-45879r714250_fix

Configure the password policy. password-policy lower-case required 1

b
For accounts using password authentication, the Cisco ISE must enforce password complexity by requiring that at least one digit be used.
- Medium - CCI-004066 - V-242648 - SV-242648r997491_rule
RMF Control
Severity
Medium
CCI
CCI-004066
Version
CSCO-NM-000430
Vuln IDs
  • V-242648
Rule IDs
  • SV-242648r997491_rule
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Multifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using PKI is not available, and for the account of last resort and root account.
Checks: C-45923r714252_chk

Verify that at least one digit is required. Show password policy If the Cisco ISE password policy is not configured to require at least one digit, this is a finding.

Fix: F-45880r714253_fix

Configure the password policy. password-policy digit-required 1

b
For accounts using password authentication, the Cisco ISE must enforce password complexity by requiring that at least one special character be used.
- Medium - CCI-004066 - V-242649 - SV-242649r997492_rule
RMF Control
Severity
Medium
CCI
CCI-004066
Version
CSCO-NM-000440
Vuln IDs
  • V-242649
Rule IDs
  • SV-242649r997492_rule
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Multifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using PKI is not available, and for the account of last resort and root account.
Checks: C-45924r714255_chk

Verify that at least one special character is required. Show password policy If the Cisco ISE password policy is not configured to require at least one special character, this is a finding.

Fix: F-45881r714256_fix

Configure the password policy. password-policy special-required 1

c
For accounts using password authentication, the Cisco ISE must use FIPS-validated SHA-2 or later protocol to protect the integrity of the password authentication process.
IA-5 - High - CCI-000197 - V-242651 - SV-242651r961029_rule
RMF Control
IA-5
Severity
High
CCI
CCI-000197
Version
CSCO-NM-000460
Vuln IDs
  • V-242651
Rule IDs
  • SV-242651r961029_rule
Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. The information system must specify the hash algorithm used for authenticating passwords. Implementation of this requirement requires configuration of FIPS-approved cipher block algorithm and block cipher modes for encryption. Note: Although allowed by SP800-131Ar1 for some applications, SHA-1 is considered a compromised hashing standard and is being phased out of use by industry and government standards. Unless required for legacy use, DOD systems should not be configured to use SHA-1 for integrity of remote access sessions. This requirement applies to all accounts, including authentication server, AAA, and local accounts such as the root account and the account of last resort.
Checks: C-45926r916079_chk

Navigate to Administration &gt;&gt; System &gt;&gt; Settings &gt;&gt; FIPS Mode. Verify FIPS Mode is enabled. If FIPS Mode is enabled, this is not a finding. If FIPS mode is not configured, but the Cisco ISE is configured using an alternative manual method to configure the password authentication process to use a FIPS 140-2/140-3 validated SHA-2 (or greater), this can be lowered to a CAT 2 finding.

Fix: F-45883r916317_fix

Enable FIPS Mode in Cisco ISE to ensure FIPS 140-2/140-3 algorithms are used in all security functions requiring cryptographic functions. 1. Choose Administration >> System >> Settings >> FIPS Mode. 2. Choose the "Enabled" option from the FIPS Mode drop-down list. 3. Click "Save" and restart the node. Note: Configuring FIPS mode is the required DOD configuration. However, this requirement can be lowered to a CAT 2 if the alternative manual configuration is used to configure the password authentication process to use a FIPS 140-2/140-3 validated SHA-2 (or greater).

b
The Cisco ISE must prohibit the use of cached authenticators after an organization-defined time period.
IA-5 - Medium - CCI-002007 - V-242652 - SV-242652r961521_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-002007
Version
CSCO-NM-000470
Vuln IDs
  • V-242652
Rule IDs
  • SV-242652r961521_rule
Some authentication implementations can be configured to use cached authenticators. If cached authentication information is out-of-date, the validity of the authentication information may be questionable. The organization-defined time period should be established for each device depending on the nature of the device; for example, a device with just a few administrators in a facility with spotty network connectivity may merit a longer caching time period than a device with many administrators.
Checks: C-45927r714264_chk

View the SSP for the required value. Navigate to Administration &gt;&gt; System &gt;&gt; Admin Access &gt;&gt; Authentication &gt;&gt; Password Policy. Verify the SSP required value matches the "Password cached for" field. If the Cisco ISE does not prohibit the use of cached authenticators after an organization-defined time period, this is a finding.

Fix: F-45884r714265_fix

Navigate to Administration >> System >> Admin Access >> Authentication >> Password Policy. Set the "Password cached for" field to the organization-defined value available in the SSP.

c
The Cisco ISE must use FIPS-validated SHA-2 (or greater) to protect the integrity of hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, and hash-only applications.
IA-7 - High - CCI-000803 - V-242653 - SV-242653r961050_rule
RMF Control
IA-7
Severity
High
CCI
CCI-000803
Version
CSCO-NM-000480
Vuln IDs
  • V-242653
Rule IDs
  • SV-242653r961050_rule
Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Nonlocal maintenance and diagnostic activities are activities conducted by individuals communicating through either an external network (e.g., the Internet) or an internal network. Note: Although allowed by SP800-131Ar1 for some applications, SHA-1 is considered a compromised hashing standard and is being phased out of use by industry and government standards. Unless required for legacy use, DoD systems should not be configured to use SHA-1 for integrity of remote access sessions. To protect the integrity of the authenticator and authentication mechanism used for the cryptographic module used by the network device, the application, operating system, or protocol must be configured to use one of the following hash functions for hashing the password or other authenticator in accordance with SP 800-131Ar1: SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256, SHA3-224, SHA3-256, SHA3-384, and SHA3-512. Applications also include HMAC, KDFs, Random Bit Generation, and hash-only applications (e.g., hashing passwords and use for compute a checksum). For digital signature verification, SP800-131Ar1 allows SHA-1 for legacy use only, but this is discouraged by DoD. Separate requirements for configuring applications and protocols used by each product (e.g., SNMPv3, SSH, NTP, and other protocols and applications that require server/client authentication) are required to implement this requirement.
Checks: C-45928r864210_chk

Navigate to Administration &gt;&gt; System &gt;&gt; Settings &gt;&gt; FIPS Mode. Verify FIPS Mode is enabled. If FIPS Mode is enabled, this is not a finding. If FIPS mode is not configured, but the Cisco ISE is configured using an alternative manual method to configure SHA-2 (or greater) to protect the integrity of HMAC, KDFs, Random Bit Generation, and hash-only applications, this can be lowered to a CAT 2 finding.

Fix: F-45885r864211_fix

Enable FIPS Mode in Cisco ISE to ensure FIPS 140-2/3 algorithms are used in all security functions requiring cryptographic functions. 1. Choose Administration >> System >> Settings >> FIPS Mode. 2. Choose the "Enabled" option from the FIPS Mode drop-down list. 3. Click "Save" and restart the node. NOTE: Configuring FIPS mode is the required DoD configuration. However, this requirement can be lowered to a CAT 2 if the alternative manual configuration is used to configure SHA-2 or higher hash function to protect the integrity of HMAC, KDFs, Random Bit Generation, and hash-only applications.

b
The Cisco ISE must use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of nonlocal maintenance and diagnostic communications.
MA-4 - Medium - CCI-002890 - V-242654 - SV-242654r961554_rule
RMF Control
MA-4
Severity
Medium
CCI
CCI-002890
Version
CSCO-NM-000490
Vuln IDs
  • V-242654
Rule IDs
  • SV-242654r961554_rule
Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Currently, HMAC is the only FIPS-approved algorithm for generating and verifying message/data authentication codes in accordance with FIPS 198-1. Products that are FIPS 140-2 validated will have an HMAC that meets specification; however, the option must be configured for use as the only message authentication code used for authentication to cryptographic modules. Separate requirements for configuring applications and protocols used by each application (e.g., SNMPv3, SSHv2, NTP, HTTPS, and other protocols and applications that require server/client authentication) are required to implement this requirement. Where SSH is used, the SSHv2 protocol suite is required because it includes Layer 7 protocols such as SCP and SFTP, which can be used for secure file transfers.
Checks: C-45929r864213_chk

Navigate to Administration &gt;&gt; System &gt;&gt; Settings &gt;&gt; FIPS Mode. Verify FIPS Mode is enabled. If FIPS Mode is enabled, this is not a finding. If FIPS mode is not configured, but the Cisco ISE is configured using an alternative manual method to configure to configure a FIPS 140-2/3 validated HMAC to protect the integrity of nonlocal maintenance and diagnostic communication, this can be lowered to a CAT 3 finding.

Fix: F-45886r864214_fix

Enable FIPS Mode in Cisco ISE to ensure FIPS 140-2/3 algorithms are used in all security functions requiring cryptographic functions. 1. Choose Administration >> System >> Settings >> FIPS Mode. 2. Choose the "Enabled" option from the FIPS Mode drop-down list. 3. Click "Save" and restart the node. NOTE: Configuring FIPS mode is the required DoD configuration. However, this requirement can be lowered to a CAT 3 if the alternative manual configuration is used to configure a FIPS 140-2/3 validated HMAC to protect the integrity of nonlocal maintenance and diagnostic communications.

c
The Cisco ISE must verify the checksum value of any software download, including install files (ISO or OVA), patch files, and upgrade bundles.
MA-4 - High - CCI-002890 - V-242655 - SV-242655r961554_rule
RMF Control
MA-4
Severity
High
CCI
CCI-002890
Version
CSCO-NM-000500
Vuln IDs
  • V-242655
Rule IDs
  • SV-242655r961554_rule
Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Currently, HMAC is the only FIPS-approved algorithm for generating and verifying message/data authentication codes in accordance with FIPS 198-1. Products that are FIPS 140-2 validated will have an HMAC that meets specification; however, the option must be configured for use as the only message authentication code used for authentication to cryptographic modules. Separate requirements for configuring applications and protocols used by each application (e.g., SNMPv3, SSHv2, NTP, HTTPS, and other protocols and applications that require server/client authentication) are required to implement this requirement. Where SSH is used, the SSHv2 protocol suite is required because it includes Layer 7 protocols such as SCP and SFTP, which can be used for secure file transfers.
Checks: C-45930r714273_chk

Verify the SSP requires a process for verifying the checksum for software download and install ISO files. If a local documented process does not require that the checksum value of any software download be verified, this is a finding.

Fix: F-45887r714274_fix

Go to the DoD repository or Cisco download page. Hover over the download link and a small window will pop up. This window will contain information about that particular download. The information includes the MD5 and SHA512 checksum value of that file. From the Cisco ISE command line interface (CLI), enter application upgrade prepare command. This command copies the upgrade bundle to the local repository "upgrade" that you created in the previous step and lists the MD5 and SHA256 checksum. If the checksum matches the value found from the source repository, proceed with the update.

c
The Cisco ISE must be configured to implement cryptographic mechanisms using a FIPS 140-2 validated algorithm to protect the confidentiality of remote maintenance sessions.
MA-4 - High - CCI-003123 - V-242656 - SV-242656r961557_rule
RMF Control
MA-4
Severity
High
CCI
CCI-003123
Version
CSCO-NM-000510
Vuln IDs
  • V-242656
Rule IDs
  • SV-242656r961557_rule
This requires the use of secure protocols instead of their unsecured counterparts, such as SSH instead of telnet, SCP instead of FTP, and HTTPS instead of HTTP. If unsecured protocols (lacking cryptographic mechanisms) are used for sessions, the contents of those sessions will be susceptible to eavesdropping, potentially putting sensitive data (including administrator passwords) at risk of compromise and potentially allowing hijacking of maintenance sessions.
Checks: C-45931r864216_chk

Navigate to Administration &gt;&gt; System &gt;&gt; Settings &gt;&gt; FIPS Mode. Verify FIPS Mode is enabled. If FIPS Mode is enabled, this is not a finding. If FIPS mode is not configured, but the Cisco ISE is configured using an alternative manual method to configure to configure configure a FIPS 140-2/3 validated HMAC to protect the integrity of nonlocal maintenance and diagnostic communications, this can be lowered to a CAT 2 finding.

Fix: F-45888r864217_fix

Enable FIPS Mode in Cisco ISE to ensure FIPS 140-2/3 algorithms are used in all security functions requiring cryptographic functions. 1. Choose Administration >> System >> Settings >> FIPS Mode. 2. Choose the "Enabled" option from the FIPS Mode drop-down list. 3. Click "Save" and restart the node. NOTE: Configuring FIPS mode is the required DoD configuration. However, this requirement can be lowered to a CAT 2 if the alternative manual configuration is used to configure a FIPS 140-2/3 validated HMAC to protect the integrity of nonlocal maintenance and diagnostic communications.

c
The Cisco ISE must terminate all network connections associated with a device management session at the end of the session, or the session must be terminated after five minutes of inactivity except to fulfill documented and validated mission requirements.
SC-10 - High - CCI-001133 - V-242657 - SV-242657r961068_rule
RMF Control
SC-10
Severity
High
CCI
CCI-001133
Version
CSCO-NM-000520
Vuln IDs
  • V-242657
Rule IDs
  • SV-242657r961068_rule
Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended.
Checks: C-45932r944327_chk

From the CLI EXEC mode, type show terminal. From the GUI, navigate to Administration &gt;&gt; System &gt;&gt; Admin Access &gt;&gt; Settings &gt;&gt; Session. View the session timeout setting. If the terminal and administration setting is not set to six minutes or less, this is a finding.

Fix: F-45889r944328_fix

Configure Session Timeout for Administrators. 1. Choose Administration >> System >> Admin Access >> Settings >> Session >> Session Timeout. 2. Type "6". 3. Click "Save".

b
The Cisco ISE must generate unique session identifiers using a FIPS 140-2 approved Random Number Generator (RNG) using DRGB.
SC-23 - Medium - CCI-001188 - V-242658 - SV-242658r961119_rule
RMF Control
SC-23
Severity
Medium
CCI
CCI-001188
Version
CSCO-NM-000530
Vuln IDs
  • V-242658
Rule IDs
  • SV-242658r961119_rule
Sequentially generated session IDs can be easily guessed by an attacker. Employing the concept of randomness in the generation of unique session identifiers helps to protect against brute-force attacks to determine future session identifiers. Unique session IDs address man-in-the-middle attacks, including session hijacking or insertion of false information into a session. If the attacker is unable to identify or guess the session information related to pending application traffic, they will have more difficulty in hijacking the session or otherwise manipulating valid sessions. SP 800-131A makes clear that RNGs specified in FIPS 186-2, ANS X9.31-1998 and ANS X9.62-1998 will be disallowed after 2015. Only SP 800-90A based random number generators will continue to be approved. NIST SP 800-90A- Recommendation for Random Number Generation using Deterministic Random Bit Generators was published in January 2012. This requirement is applicable to devices that use a web interface for device management.
Checks: C-45933r864225_chk

Navigate to Administration &gt;&gt; System &gt;&gt; Settings &gt;&gt; FIPS Mode. Verify FIPS Mode is enabled. If FIPS Mode is enabled, this is not a finding. If FIPS mode is not configured, but the Cisco ISE is configured using an alternative manual method to configure the system to use a FIPS 140-2 approved Random Number Generator (RNG) using DRGB to generate unique session identifiers, this can be lowered to a CAT 3 finding.

Fix: F-45890r864226_fix

Enable FIPS Mode in Cisco ISE to ensure FIPS 140-2/3 algorithms are used in all security functions requiring cryptographic functions. 1. Choose Administration >> System >> Settings >> FIPS Mode. 2. Choose the "Enabled" option from the FIPS Mode drop-down list. 3. Click "Save" and restart the node. NOTE: Configuring FIPS mode is the required DoD configuration. However, this requirement can be lowered to a CAT 3 if the alternative manual configuration is used to generate unique session identifiers using a FIPS 140-2 approved Random Number Generator (RNG) using DRGB.

c
The Cisco ISE must only allow authorized administrators to view or change the device configuration, system files, and other files stored.
SC-28 - High - CCI-001199 - V-242659 - SV-242659r961128_rule
RMF Control
SC-28
Severity
High
CCI
CCI-001199
Version
CSCO-NM-000540
Vuln IDs
  • V-242659
Rule IDs
  • SV-242659r961128_rule
This requirement is intended to address the confidentiality and integrity of system information at rest (e.g., network device rule sets) when it is located on a storage device within the network device or as a component of the network device. This protection is required to prevent unauthorized alteration, corruption, or disclosure of information when not stored directly on the network device. Access to device configuration, system files, and other files stored locally are restricted to administrators by design. Admin accounts must be part of an administrator group and the group has associated authorizations based on role. There are 12 pre-defined admin roles and additional groups may be added. By default, the username for a CLI admin user is admin, and the password is defined during setup. There is no default password. This CLI admin user is the default admin user, and this user account cannot be deleted. Create web administrator account as the Account of Last Resort and add to the default Super Admin group. This will allow at least one user to be able to delete other admins and perform special functions via the web management tool.
Checks: C-45934r714285_chk

View the local admin users. 1. Choose Administration &gt;&gt; System &gt;&gt; Admin Access &gt;&gt; Administrators &gt;&gt; Admin Users &gt;&gt;View. 2. Verify there are only two local accounts are defined. Both must be in the Super User group. These users must be the web-based Account of Last Resort and the default CLI admin user. If the Cisco ISE has unauthorized local users defined, this is a finding.

Fix: F-45891r720804_fix

Create a local web-based administrator. ONLY one web-based admin account should exist on the local device. The default CLI account is also local and cannot be removed. 1. Choose Administration >> System >> Admin Access >> Administrators >> Admin Users >> Add. 2. From the drop-down, choose "Create an Admin User". 3. Enter the admin name and other information. 4. Add the Super User group. 5. Click "Submit".

b
The Cisco ISE must configure the control plane to protect against or limit the effects of common types of Denial of Service (DoS) attacks on the device itself by configuring applicable system options and internet-options.
SC-5 - Medium - CCI-002385 - V-242660 - SV-242660r961620_rule
RMF Control
SC-5
Severity
Medium
CCI
CCI-002385
Version
CSCO-NM-000550
Vuln IDs
  • V-242660
Rule IDs
  • SV-242660r961620_rule
DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. This requirement addresses the configuration of network devices to mitigate the impact of DoS attacks that have occurred or are ongoing on device availability. For each network device, known and potential DoS attacks must be identified and solutions for each type implemented. A variety of technologies exist to limit or, in some cases, eliminate the effects of DoS attacks (e.g., limiting processes or restricting the number of sessions the device opens at one time). Employing increased capacity and bandwidth, combined with service redundancy, may reduce the susceptibility to some DoS attacks. The security safeguards cannot be defined at the DoD level because they vary according to the capabilities of the individual network devices and the security controls applied on the adjacent networks (for example, firewalls performing packet filtering to block DoS attacks).
Checks: C-45935r714288_chk

Verify the system and system-options are configured to protect against DoS attacks. If the system and system-options that limit the effects of common types of DoS attacks are not configured in compliance with DoD requirements, this is a finding.

Fix: F-45892r714289_fix

Configure the system and system-options to protect against DoS attacks. These are examples of setting that should be adjusted to limit DoS attacks. The exact values will vary based on site traffic. Use the synflood-limit to configure a TCP SYN packet rate limit. To configure the limit of TCP/UDP/ICMP packets from a source IP address, use the rate-limit command in configuration mode.

b
The Cisco ISE must be configured to send log data to at least two central log servers for the purpose of forwarding alerts to the administrators and the information system security officer (ISSO).
AU-4 - Medium - CCI-001851 - V-242661 - SV-242661r961863_rule
RMF Control
AU-4
Severity
Medium
CCI
CCI-001851
Version
CSCO-NM-000560
Vuln IDs
  • V-242661
Rule IDs
  • SV-242661r961863_rule
The aggregation of log data kept on a syslog server can be used to detect attacks and trigger an alert to the appropriate security personnel. The stored log data can used to detect weaknesses in security that enable the network IA team to find and address these weaknesses before breaches can occur. Reviewing these logs, whether before or after a security breach, are important in showing whether someone is an internal employee or an outside threat.
Checks: C-45936r916085_chk

To view remote logging targets, complete the following steps: 1. From the ISE Administration Interface, choose Administration &gt;&gt; System &gt;&gt; Logging &gt;&gt; Remote Logging Targets. 2. The Remote Logging Targets page appears with a list of existing logging targets. If at least two remote logging targets are not configured, this is a finding.

Fix: F-45893r916086_fix

Create at least two Remote Logging Targets and direct logging to those targets. To create an external logging target, complete the following steps: 1. Choose Administration >> System >> Logging >> Remote Logging Targets. 2. Click "Add". 3. Configure the following fields: - Name - Enter the name of the new target - Target Type - By default it is set to Syslog. The value of this field cannot be changed. - Description - Enter a brief description of the new target. - IP Address - Enter the IP address of the destination machine where you want to store the logs. - Port - Enter the port number of the destination machine. - Facility Code - Choose the syslog facility code to be used for logging. Valid options are Local0 through Local7. - Maximum Length - Enter the maximum length of the remote log target messages. Valid options are from 200 to 1024 bytes. 4. Click "Save". Go to the Logging Targets page and verify the creation of the new target. To edit a remote logging target, complete the following steps: 1. Choose Administration >> System >> Logging >> Remote Logging Targets. 2. Click the radio button next to the logging target name that you want to edit and click "Edit". 3. Modify the following field values on the Log Collection page as needed. - Name - Target Type - Description - IP Address - Port - Facility Code - Maximum Length 4. Click "Save". The updating of the selected Log Collector is completed.

b
The Cisco ISE must initiate session auditing upon startup.
AU-14 - Medium - CCI-001464 - V-242662 - SV-242662r960888_rule
RMF Control
AU-14
Severity
Medium
CCI
CCI-001464
Version
CSCO-NM-000650
Vuln IDs
  • V-242662
Rule IDs
  • SV-242662r960888_rule
If auditing is enabled late in the startup process, the actions of some start-up processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created.
Checks: C-45937r864219_chk

Verify logging is initiated upon system startup. Since the production may not be able to be manually started to observe this, review the logging categories setup. From the Web Admin portal: 1. Choose Administration &gt;&gt; System &gt;&gt; Logging &gt;&gt; Logging Categories. 2. Verify the Administrative and Operational Audit is configured for the INFO log severity level. 3. Verify that logging categories have been configured and have been set to the syslog target. If logging categories are not configured to send to the central syslog server, this is a finding.

Fix: F-45894r864220_fix

Enable logging categories for Cisco ISE to send auditable events to the syslog target. From the Web Admin portal: 1. Choose Administration >> System >> Logging >> Logging Categories. 2. Click the radio button next to the Administrative and Operational Audit logging category and then click "Edit". 3. Choose INFO from the Log Severity Level drop-down list. 4. In the Targets field, move the syslog target name that is being used to the Selected box. 5. Repeat the above steps to enable the AAA Audit logging category and other logging categorized desired. However, note that for some logging categories, the default log severity level and cannot be changed. 5. Click "Save".

b
The Cisco ISE must generate audit records containing the full-text recording of privileged commands.
AU-3 - Medium - CCI-000135 - V-242663 - SV-242663r960909_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000135
Version
CSCO-NM-000720
Vuln IDs
  • V-242663
Rule IDs
  • SV-242663r960909_rule
Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. Organizations consider limiting the additional audit information to only that information explicitly needed for specific audit requirements. The additional information required is dependent on the type of information (i.e., sensitivity of the data and the environment within which it resides). At a minimum, the organization must audit full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
Checks: C-45938r714297_chk

Verify the logging categories as required by the SSP based on mission requirements for Cisco ISE are configured. From the Web Admin portal: 1. Choose Administration &gt;&gt; System &gt;&gt; Logging &gt;&gt; Logging Categories. 2. Click the radio button for each logging category and verify it is set. Verify all categories required by the SSP are set. Verify the appropriate severity level (usually WARNING is set). If the logging category required by the SSP is not configured and sent to the central syslog server target, this is a finding.

Fix: F-45895r714298_fix

Enable the logging categories as required by the SSP based on mission requirements for Cisco ISE to send auditable events to the syslog target. From the Web Admin portal: 1. Choose Administration >> System >> Logging >> Logging Categories. 2. Click the radio button next to the Administrative and Operational Audit logging category and then click "Edit". 3. Choose INFO from the Log Severity Level drop-down list. 4. In the Targets field, move the syslog target name that is being used to the Selected box. 5. Repeat steps 2 and 3 with the selection of other category levels required based on organizational mission and SSP. 6. Click "Save".