STIGhubSTIGhub
STIGhub— A free STIG search and compliance tool·STIGs updated 22 hours ago
Powered by Pylon·Privacy·Terms·Feedback·© 2026 Beacon Cloud Solutions, Inc.
← Back to STIGs

Cisco Secure Network Analytics (SNA) Security Technical Implementation Guide

Version

V1R1

Release Date

Jul 8, 2026

SCAP Benchmark ID

Cisco_SNA_STIG

Total Checks

31

Tags

network
CAT I: 8CAT II: 23CAT III: 0

This Security Technical Implementation Guide is published as a tool to improve the security of Department of War (DoW) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Export CKLExport CSVExport JSONDownload STIG ZIP

Checks (31)

V-284853MEDIUMThe Cisco SNA appliance must be configured to limit the number of concurrent sessions to an organization-defined number for each administrator account.V-284862HIGHThe Cisco SNA appliance must be configured to assign appropriate user roles or access levels to authenticated users.V-284863MEDIUMThe Cisco SNA appliance must be configured to enforce approved authorizations for controlling the flow of management information within the network device based on information flow control policies.V-284864MEDIUMThe Cisco SNA appliance must be configured to enforce the limit of three consecutive invalid logon attempts, after which time it must block any login attempt for 15 minutes.V-284865MEDIUMThe Cisco SNA appliance must be configured to display the Standard Mandatory DoW Notice and Consent Banner before granting access to the device.V-284884HIGHThe Cisco SNA appliance must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services.V-284885MEDIUMThe Cisco SNA appliance must be configured with only one local account to be used as the account of last resort if the authentication server is unavailable.V-284886HIGHThe Cisco SNA appliance must be configured to use DoW public key infrastructure (PKI) as multifactor authentication (MFA) for interactive logins.V-284887MEDIUMThe Cisco SNA appliance must be configured to enforce a minimum 15-character password length.V-284888MEDIUMThe Cisco SNA appliance must be configured to enforce password complexity by requiring that at least one uppercase character be used.V-284889MEDIUMThe Cisco SNA appliance must be configured to enforce password complexity by requiring that at least one lowercase character be used.V-284890MEDIUMThe Cisco SNA appliance must be configured to enforce password complexity by requiring that at least one numeric character be used.V-284891MEDIUMThe Cisco SNA appliance must be configured to enforce password complexity by requiring that at least one special character be used.V-284892MEDIUMThe Cisco SNA appliance must be configured to require that when a password is changed, the characters are changed in at least eight of the positions within the password.V-284896HIGHThe Cisco SNA appliance must use FIPS 140-3-approved algorithms for authentication to a cryptographic module.V-284897HIGHThe Cisco SNA appliance must be configured to terminate sessions after five minutes of inactivity and set an absolute session timeout value of eight hours or less for admin sessions, except to fulfill documented and validated mission requirements.V-284901MEDIUMThe Cisco SNA appliance must be configured to encrypt information at rest using a DoW-accepted algorithm to protect the confidentiality and integrity of the information.V-284910MEDIUMThe Cisco SNA appliance must be configured to generate an immediate real-time alert of all audit failure events requiring real-time alerts.V-284916MEDIUMThe Cisco SNA appliance must be configured to authenticate SNMP messages using a FIPS-validated Keyed-Hash Message Authentication Code (HMAC).V-284917MEDIUMThe Cisco SNA appliance must be configured to authenticate Network Time Protocol (NTP) sources using authentication that is cryptographically based.V-284919MEDIUMThe Cisco SNA appliance must install security-relevant firmware updates within 30 days unless the time period is directed by an authoritative source (e.g., IAVM, CTOs, DTMs, STIGs).V-284924MEDIUMThe Cisco SNA appliance must generate audit records for modifications of critical files on the system.V-284928MEDIUMThe Cisco SNA appliance must be configured to use HTTP/2 at a minimum.V-284931HIGHThe Cisco SNA appliance must be configured to use at least two authentication servers for the purpose of authenticating users prior to granting administrative access.V-284934MEDIUMThe Cisco SNA appliance must be configured to obtain its public key certificates from an appropriate certificate policy through an approved service provider.V-284935HIGHThe Cisco SNA appliance must be configured to send log data to at least one central log server for the purpose of forwarding alerts to the administrators and the information system security officer (ISSO). For boundary devices, two log servers are required.V-284936HIGHThe Cisco SNA appliance must be running an operating system release that is currently supported by the vendor.V-284937MEDIUMThe Cisco SNA appliance must be configured to implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access.V-284939MEDIUMThe Cisco SNA appliance must be configured to allow user selection of long passwords and passphrases, including spaces and all printable characters for password-based authentication.V-284940MEDIUMThe Cisco SNA appliance must be configured to implement certificate revocation checking to support path discovery and validation for public key-based authentication.V-284942MEDIUMThe Cisco SNA appliance must be configured to include only approved trust anchors in trust stores or certificate stores managed by the organization.