VCSA-80-000009 The vCenter Server must use DOD-approved encryption to protect the confidentiality of network sessions. | ACCESS CONTROL, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
VCSA-80-000023 The vCenter Server must enforce the limit of three consecutive invalid login attempts by a user. | ACCESS CONTROL |
VCSA-80-000024 The vCenter Server must display the Standard Mandatory DOD Notice and Consent Banner before logon. | ACCESS CONTROL |
VCSA-80-000034 The vCenter Server must produce audit records containing information to establish what type of events occurred. | AUDIT AND ACCOUNTABILITY |
VCSA-80-000057 vCenter Server plugins must be verified. | CONFIGURATION MANAGEMENT |
VCSA-80-000059 The vCenter Server must uniquely identify and authenticate users or processes acting on behalf of users. | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION |
VCSA-80-000060 The vCenter Server must require multifactor authentication. | AUDIT AND ACCOUNTABILITY, IDENTIFICATION AND AUTHENTICATION |
VCSA-80-000069 The vCenter Server passwords must be at least 15 characters in length. | IDENTIFICATION AND AUTHENTICATION |
VCSA-80-000070 The vCenter Server must prohibit password reuse for a minimum of five generations. | IDENTIFICATION AND AUTHENTICATION |
VCSA-80-000071 The vCenter Server passwords must contain at least one uppercase character. | IDENTIFICATION AND AUTHENTICATION |
VCSA-80-000072 The vCenter Server passwords must contain at least one lowercase character. | IDENTIFICATION AND AUTHENTICATION |
VCSA-80-000073 The vCenter Server passwords must contain at least one numeric character. | IDENTIFICATION AND AUTHENTICATION |
VCSA-80-000074 The vCenter Server passwords must contain at least one special character. | IDENTIFICATION AND AUTHENTICATION |
VCSA-80-000077 The vCenter Server must enable FIPS-validated cryptography. | IDENTIFICATION AND AUTHENTICATION, MAINTENANCE, SYSTEM AND COMMUNICATIONS PROTECTION |
VCSA-80-000079 The vCenter Server must enforce a 90-day maximum password lifetime restriction. | IDENTIFICATION AND AUTHENTICATION |
VCSA-80-000080 The vCenter Server must enable revocation checking for certificate-based authentication. | IDENTIFICATION AND AUTHENTICATION |
VCSA-80-000089 The vCenter Server must terminate vSphere Client sessions after 15 minutes of inactivity. | ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION |
VCSA-80-000095 The vCenter Server user roles must be verified. | CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION |
VCSA-80-000110 The vCenter Server must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial-of-service (DoS) attacks by enabling Network I/O Control (NIOC). | SYSTEM AND COMMUNICATIONS PROTECTION |
VCSA-80-000123 The vCenter Server must provide an immediate real-time alert to the system administrator (SA) and information system security officer (ISSO), at a minimum, on every Single Sign-On (SSO) account action. | ACCESS CONTROL |
VCSA-80-000145 The vCenter Server must set the interval for counting failed login attempts to at least 15 minutes. | ACCESS CONTROL |
VCSA-80-000148 The vCenter Server must be configured to send logs to a central log server. | AUDIT AND ACCOUNTABILITY |
VCSA-80-000150 The vCenter Server must provide an immediate real-time alert to the system administrator (SA) and information system security officer (ISSO), at a minimum, of all audit failure events requiring real-time alerts. | AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT |
VCSA-80-000158 The vCenter Server must compare internal information system clocks at least every 24 hours with an authoritative time server. | AUDIT AND ACCOUNTABILITY |
VCSA-80-000195 The vCenter Server Machine Secure Sockets Layer (SSL) certificate must be issued by a DOD certificate authority. | SYSTEM AND COMMUNICATIONS PROTECTION |
VCSA-80-000196 The vCenter Server must enable data at rest encryption for vSAN. | SYSTEM AND COMMUNICATIONS PROTECTION |
VCSA-80-000248 The vCenter Server must disable the Customer Experience Improvement Program (CEIP). | CONFIGURATION MANAGEMENT |
VCSA-80-000253 The vCenter Server must enforce SNMPv3 security features where SNMP is required. | IDENTIFICATION AND AUTHENTICATION |
VCSA-80-000265 The vCenter Server must disable SNMPv1/2 receivers. | IDENTIFICATION AND AUTHENTICATION |
VCSA-80-000266 The vCenter Server must require an administrator to unlock an account locked due to excessive login failures. | ACCESS CONTROL |
VCSA-80-000267 The vCenter Server must disable the distributed virtual switch health check. | CONFIGURATION MANAGEMENT |
VCSA-80-000268 The vCenter Server must set the distributed port group Forged Transmits policy to "Reject". | CONFIGURATION MANAGEMENT |
VCSA-80-000269 The vCenter Server must set the distributed port group Media Access Control (MAC) Address Change policy to "Reject". | CONFIGURATION MANAGEMENT |
VCSA-80-000270 The vCenter Server must set the distributed port group Promiscuous Mode policy to "Reject". | CONFIGURATION MANAGEMENT |
VCSA-80-000271 The vCenter Server must only send NetFlow traffic to authorized collectors. | CONFIGURATION MANAGEMENT |
VCSA-80-000272 The vCenter Server must configure all port groups to a value other than that of the native virtual local area network (VLAN). | CONFIGURATION MANAGEMENT |
VCSA-80-000273 The vCenter Server must not configure VLAN Trunking unless Virtual Guest Tagging (VGT) is required and authorized. | CONFIGURATION MANAGEMENT |
VCSA-80-000274 The vCenter Server must not configure all port groups to virtual local area network (VLAN) values reserved by upstream physical switches. | CONFIGURATION MANAGEMENT |
VCSA-80-000275 The vCenter Server must configure the "vpxuser" auto-password to be changed every 30 days. | CONFIGURATION MANAGEMENT |
VCSA-80-000276 The vCenter Server must configure the "vpxuser" password to meet length policy. | CONFIGURATION MANAGEMENT |
VCSA-80-000277 The vCenter Server must be isolated from the public internet but must still allow for patch notification and delivery. | CONFIGURATION MANAGEMENT |
VCSA-80-000278 The vCenter Server must use unique service accounts when applications connect to vCenter. | CONFIGURATION MANAGEMENT |
VCSA-80-000279 The vCenter Server must protect the confidentiality and integrity of transmitted information by isolating Internet Protocol (IP)-based storage traffic. | CONFIGURATION MANAGEMENT |
VCSA-80-000280 The vCenter Server must be configured to send events to a central log server. | AUDIT AND ACCOUNTABILITY |
VCSA-80-000281 The vCenter Server must disable or restrict the connectivity between vSAN Health Check and public Hardware Compatibility List (HCL) by use of an external proxy server. | CONFIGURATION MANAGEMENT |
VCSA-80-000282 The vCenter Server must configure the vSAN Datastore name to a unique name. | CONFIGURATION MANAGEMENT |
VCSA-80-000283 The vCenter Server must disable Username/Password and Windows Integrated Authentication. | CONFIGURATION MANAGEMENT |
VCSA-80-000284 The vCenter Server must restrict access to the default roles with cryptographic permissions. | CONFIGURATION MANAGEMENT |
VCSA-80-000285 The vCenter Server must restrict access to cryptographic permissions. | CONFIGURATION MANAGEMENT |
VCSA-80-000286 The vCenter Server must have Mutual Challenge Handshake Authentication Protocol (CHAP) configured for vSAN Internet Small Computer System Interface (iSCSI) targets. | CONFIGURATION MANAGEMENT |