800-53|IA-2(8)

Title

NETWORK ACCESS TO PRIVILEGED ACCOUNTS - REPLAY RESISTANT

Description

The information system implements replay-resistant authentication mechanisms for network access to privileged accounts.

Supplemental

Authentication processes resist replay attacks if it is impractical to achieve successful authentications by replaying previous authentication messages. Replay-resistant techniques include, for example, protocols that use nonces or challenges such as Transport Layer Security (TLS) and time synchronous or challenge-response one-time authenticators.

Reference Item Details

Category: IDENTIFICATION AND AUTHENTICATION

Parent Title: IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)

Family: IDENTIFICATION AND AUTHENTICATION

Baseline Impact: MODERATE,HIGH

Audit Items

View all Reference Audit Items

NamePluginAudit Name
1.1 VCSA-80-000009VMwareCIS VMware vSphere 8.0 vCenter STIG v1.0.0 CAT II
1.8.1 Enable FIPS ModeCiscoCIS Cisco NX-OS v1.2.0 L2
1.10 CISC-ND-000530CiscoCIS Cisco IOS XR Router NDM STIG v1.0.0 CAT II
1.14 CISC-ND-000530CiscoCIS Cisco NX OS Switch NDM STIG v1.1.0 CAT II
1.33 CISC-ND-001200CiscoCIS Cisco IOS Switch NDM STIG v1.1.0 CAT I
1.33 CISC-ND-001200CiscoCIS Cisco IOS XE Switch NDM STIG v1.1.0 CAT I
1.45 AZLX-23-001180UnixCIS Amazon Linux 2023 STIG v1.0.0 CAT I
1.46 AZLX-23-001185UnixCIS Amazon Linux 2023 STIG v1.0.0 CAT I
1.57 APPL-26-001150UnixCIS Apple macOS 26 Tahoe STIG v1.0.0 CAT I
1.59 APPL-14-001150UnixCIS Apple macOS 14 Sonoma STIG v1.0.0 CAT I
1.123 APPL-26-003020UnixCIS Apple macOS 26 Tahoe STIG v1.0.0 CAT II
1.124 APPL-14-003020UnixCIS Apple macOS 14 Sonoma STIG v1.0.0 CAT II
1.124 APPL-26-003030UnixCIS Apple macOS 26 Tahoe STIG v1.0.0 CAT II
1.125 APPL-14-003030UnixCIS Apple macOS 14 Sonoma STIG v1.0.0 CAT II
1.125 APPL-26-003050UnixCIS Apple macOS 26 Tahoe STIG v1.0.0 CAT II
1.126 APPL-14-003050UnixCIS Apple macOS 14 Sonoma STIG v1.0.0 CAT II
1.126 APPL-26-003051UnixCIS Apple macOS 26 Tahoe STIG v1.0.0 CAT II
1.127 APPL-14-003051UnixCIS Apple macOS 14 Sonoma STIG v1.0.0 CAT II
1.127 APPL-26-003052UnixCIS Apple macOS 26 Tahoe STIG v1.0.0 CAT II
1.128 APPL-14-003052UnixCIS Apple macOS 14 Sonoma STIG v1.0.0 CAT II
1.130 SOL-11.1-050240UnixCIS Solaris 11 X86 STIG v1.0.0 CAT II
1.132 SOL-11.1-050240UnixCIS Solaris 11 SPARC STIG v1.0.0 CAT II
1.147 WN16-DC-000020WindowsCIS Microsoft Windows Server 2016 STIG v4.0.0 DC CAT II
1.148 WN16-DC-000030WindowsCIS Microsoft Windows Server 2016 STIG v4.0.0 DC CAT II
1.148 WN22-DC-000020WindowsCIS Microsoft Windows Server 2022 STIG v3.0.0 DC CAT II
1.149 WN16-DC-000040WindowsCIS Microsoft Windows Server 2016 STIG v4.0.0 DC CAT II
1.149 WN19-DC-000030WindowsCIS Microsoft Windows Server 2019 STIG v4.0.0 DC CAT II
1.149 WN22-DC-000030WindowsCIS Microsoft Windows Server 2022 STIG v3.0.0 DC CAT II
1.150 WN16-DC-000050WindowsCIS Microsoft Windows Server 2016 STIG v4.0.0 DC CAT II
1.150 WN19-DC-000040WindowsCIS Microsoft Windows Server 2019 STIG v4.0.0 DC CAT II
1.150 WN22-DC-000040WindowsCIS Microsoft Windows Server 2022 STIG v3.0.0 DC CAT II
1.151 WN16-DC-000060WindowsCIS Microsoft Windows Server 2016 STIG v4.0.0 DC CAT II
1.151 WN19-DC-000050WindowsCIS Microsoft Windows Server 2019 STIG v4.0.0 DC CAT II
1.151 WN22-DC-000050WindowsCIS Microsoft Windows Server 2022 STIG v3.0.0 DC CAT II
1.152 WN19-DC-000060WindowsCIS Microsoft Windows Server 2019 STIG v4.0.0 DC CAT II
1.152 WN22-DC-000060WindowsCIS Microsoft Windows Server 2022 STIG v3.0.0 DC CAT II
1.175 OL09-00-000940UnixCIS Oracle Linux 9 STIG v1.0.0 CAT II
1.269 ALMA-09-034340UnixCIS Cloud Linux AlmaLinux OS 9 STIG v1.0.0 CAT II
1.339 RHEL-09-611160UnixCIS Red Hat Enterprise Linux 9 STIG v1.0.0 CAT II
AIX7-00-001012 - AIX must use the SSH server to implement replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.UnixDISA IBM AIX 7.x STIG v3r2
ALMA-09-034340 - AlmaLinux OS 9 must use the CAC smart card driver.UnixDISA Cloud Linux AlmaLinux OS 9 STIG v1r6
AOSX-13-000570 - The macOS system must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.UnixDISA STIG Apple Mac OSX 10.13 v2r5
APPL-11-000011 - The macOS system must disable the SSHD service.UnixDISA STIG Apple macOS 11 v1r8
APPL-11-000011 - The macOS system must disable the SSHD service.UnixDISA STIG Apple macOS 11 v1r5
APPL-14-001150 - The macOS system must disable password authentication for SSH.UnixDISA Apple macOS 14 Sonoma STIG v2r4
APPL-14-003020 - The macOS system must enforce smart card authentication.UnixDISA Apple macOS 14 Sonoma STIG v2r4
APPL-14-003030 - The macOS system must allow smart card authentication.UnixDISA Apple macOS 14 Sonoma STIG v2r4
APPL-14-003050 - The macOS system must enforce multifactor authentication for logon.UnixDISA Apple macOS 14 Sonoma STIG v2r4
APPL-14-003051 - The macOS system must enforce multifactor authentication for the su command.UnixDISA Apple macOS 14 Sonoma STIG v2r4
APPL-14-003052 - The macOS system must enforce multifactor authentication for privilege escalation through the sudo command.UnixDISA Apple macOS 14 Sonoma STIG v2r4