| VCSA-70-000009 - The vCenter Server must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access. | ACCESS CONTROL, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| VCSA-70-000023 - The vCenter Server must enforce the limit of three consecutive invalid login attempts by a user. | ACCESS CONTROL |
| VCSA-70-000024 - The vCenter Server must display the Standard Mandatory DOD Notice and Consent Banner before login. | ACCESS CONTROL |
| VCSA-70-000034 - The vCenter Server must produce audit records containing information to establish what type of events occurred. | AUDIT AND ACCOUNTABILITY |
| VCSA-70-000057 - vCenter Server plugins must be verified. | CONFIGURATION MANAGEMENT |
| VCSA-70-000059 - The vCenter Server must uniquely identify and authenticate users or processes acting on behalf of users. | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION |
| VCSA-70-000060 - The vCenter Server must require multifactor authentication. | AUDIT AND ACCOUNTABILITY, IDENTIFICATION AND AUTHENTICATION |
| VCSA-70-000069 - The vCenter Server passwords must be at least 15 characters in length. | IDENTIFICATION AND AUTHENTICATION |
| VCSA-70-000070 - The vCenter Server must prohibit password reuse for a minimum of five generations. | IDENTIFICATION AND AUTHENTICATION |
| VCSA-70-000071 - The vCenter Server passwords must contain at least one uppercase character. | IDENTIFICATION AND AUTHENTICATION |
| VCSA-70-000072 - The vCenter Server passwords must contain at least one lowercase character. | IDENTIFICATION AND AUTHENTICATION |
| VCSA-70-000073 - The vCenter Server passwords must contain at least one numeric character. | IDENTIFICATION AND AUTHENTICATION |
| VCSA-70-000074 - The vCenter Server passwords must contain at least one special character. | IDENTIFICATION AND AUTHENTICATION |
| VCSA-70-000077 - The vCenter Server must enable FIPS-validated cryptography. | IDENTIFICATION AND AUTHENTICATION, MAINTENANCE, SYSTEM AND COMMUNICATIONS PROTECTION |
| VCSA-70-000079 - The vCenter Server must enforce a 60-day maximum password lifetime restriction. | IDENTIFICATION AND AUTHENTICATION |
| VCSA-70-000080 - The vCenter Server must enable revocation checking for certificate-based authentication. | IDENTIFICATION AND AUTHENTICATION |
| VCSA-70-000089 - The vCenter Server must terminate vSphere Client sessions after 10 minutes of inactivity. | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| VCSA-70-000095 - The vCenter Server users must have the correct roles assigned. | CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION |
| VCSA-70-000110 - The vCenter Server must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial-of-service (DoS) attacks by enabling Network I/O Control (NIOC). | SYSTEM AND COMMUNICATIONS PROTECTION |
| VCSA-70-000123 - The vCenter Server must provide an immediate real-time alert to the system administrator (SA) and information system security officer (ISSO), at a minimum, on every Single Sign-On (SSO) account action. | ACCESS CONTROL |
| VCSA-70-000145 - The vCenter Server must set the interval for counting failed login attempts to at least 15 minutes. | ACCESS CONTROL |
| VCSA-70-000148 - The vCenter Server must be configured to send logs to a central log server. | AUDIT AND ACCOUNTABILITY |
| VCSA-70-000150 - vCenter must provide an immediate real-time alert to the system administrator (SA) and information system security officer (ISSO), at a minimum, of all audit failure events requiring real-time alerts. | AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT |
| VCSA-70-000158 - The vCenter Server must compare internal information system clocks at least every 24 hours with an authoritative time server. | AUDIT AND ACCOUNTABILITY |
| VCSA-70-000195 - The vCenter Server Machine Secure Sockets Layer (SSL) certificate must be issued by a DOD certificate authority. | SYSTEM AND COMMUNICATIONS PROTECTION |
| VCSA-70-000248 - The vCenter Server must disable the Customer Experience Improvement Program (CEIP). | CONFIGURATION MANAGEMENT |
| VCSA-70-000253 - The vCenter server must enforce SNMPv3 security features where SNMP is required. | IDENTIFICATION AND AUTHENTICATION |
| VCSA-70-000265 - The vCenter server must disable SNMPv1/2 receivers. | IDENTIFICATION AND AUTHENTICATION |
| VCSA-70-000266 - The vCenter Server must require an administrator to unlock an account locked due to excessive login failures. | ACCESS CONTROL |
| VCSA-70-000267 - The vCenter Server must disable the distributed virtual switch health check. | CONFIGURATION MANAGEMENT |
| VCSA-70-000268 - The vCenter Server must set the distributed port group Forged Transmits policy to 'Reject'. | CONFIGURATION MANAGEMENT |
| VCSA-70-000269 - The vCenter Server must set the distributed port group Media Access Control (MAC) Address Change policy to 'Reject'. | CONFIGURATION MANAGEMENT |
| VCSA-70-000270 - The vCenter Server must set the distributed port group Promiscuous Mode policy to 'Reject'. | CONFIGURATION MANAGEMENT |
| VCSA-70-000271 - The vCenter Server must only send NetFlow traffic to authorized collectors. | CONFIGURATION MANAGEMENT |
| VCSA-70-000272 - The vCenter Server must configure all port groups to a value other than that of the native virtual local area network (VLAN). | CONFIGURATION MANAGEMENT |
| VCSA-70-000273 - The vCenter Server must not configure VLAN Trunking unless Virtual Guest Tagging (VGT) is required and authorized. | CONFIGURATION MANAGEMENT |
| VCSA-70-000274 - The vCenter Server must not configure all port groups to virtual local area network (VLAN) values reserved by upstream physical switches. | CONFIGURATION MANAGEMENT |
| VCSA-70-000275 - The vCenter Server must configure the 'vpxuser' auto-password to be changed every 30 days. | CONFIGURATION MANAGEMENT |
| VCSA-70-000276 - The vCenter Server must configure the 'vpxuser' password to meet length policy. | CONFIGURATION MANAGEMENT |
| VCSA-70-000277 - The vCenter Server must be isolated from the public internet but must still allow for patch notification and delivery. | CONFIGURATION MANAGEMENT |
| VCSA-70-000278 - The vCenter Server must use unique service accounts when applications connect to vCenter. | CONFIGURATION MANAGEMENT |
| VCSA-70-000279 - The vCenter Server must protect the confidentiality and integrity of transmitted information by isolating Internet Protocol (IP)-based storage traffic. | CONFIGURATION MANAGEMENT |
| VCSA-70-000280 - The vCenter server must be configured to send events to a central log server. | AUDIT AND ACCOUNTABILITY |
| VCSA-70-000281 - The vCenter Server must disable or restrict the connectivity between vSAN Health Check and public Hardware Compatibility List (HCL) by use of an external proxy server. | CONFIGURATION MANAGEMENT |
| VCSA-70-000282 - The vCenter Server must configure the vSAN Datastore name to a unique name. | CONFIGURATION MANAGEMENT |
| VCSA-70-000283 - The vCenter Server must disable Username/Password and Windows Integrated Authentication. | CONFIGURATION MANAGEMENT |
| VCSA-70-000284 - The vCenter Server must restrict access to the default roles with cryptographic permissions. | CONFIGURATION MANAGEMENT |
| VCSA-70-000285 - The vCenter Server must restrict access to cryptographic permissions. | CONFIGURATION MANAGEMENT |
| VCSA-70-000286 - The vCenter Server must have Mutual Challenge Handshake Authentication Protocol (CHAP) configured for vSAN Internet Small Computer System Interface (iSCSI) targets. | CONFIGURATION MANAGEMENT |
| VCSA-70-000287 - The vCenter Server must have new Key Encryption Keys (KEKs) reissued at regular intervals for vSAN encrypted datastore(s). | CONFIGURATION MANAGEMENT |
