STIGQter: STIG Summary: Cisco ISE NAC Security Technical Implementation Guide, Version 1, Release 1, Benchmark Date: 13 Apr 2021

The Cisco ISE must be configured so that all endpoints that are allowed to bypass policy assessment are approved by the Information System Security Manager (ISSM) and documented in the System Security Plan (SSP).

DISA Rule

SV-242583r714059_rule

Vulnerability Number

V-242583

Group Title

SRG-NET-000015-NAC-000080

Rule Version

CSCO-NC-000090

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the posture policy to assess mandated endpoints.

1. Navigate to Work Centers >> Posture >> Posture Policy.
2. Choose the drop-down located next to "Edit" on the right side of the page where you want the new policy inserted.
3. Choose "Insert new policy".
4. Define a Name.
5. Select the applicable Identity Groups.
6. Select the applicable Operating Systems configured in the requirement previously created.
7. Select the Compliance Module configured in the requirement previously created.
8. Select the Posture Type configured in the requirement previously created.
9. Select Other Conditions if used.
10. Select the Requirement ensuring there is a green check box to the left of the name indicating it is a mandatory requirement.
11. Choose "Done".
12. Choose "Save".

Note: For exceptions, a condition can be made to "Not Equal" or "Not Contains" a pattern to exempt devices from the policy.

Check Contents

Review the posture policy to ensure mandated endpoints are being assessed and that any exceptions to the policy are documented and approved by the ISSM.

1. Navigate to Work Centers >> Posture >> Posture Policy.
2. Examine the enabled Posture Policies to determine if the endpoints that are mandated to be assessed will use the required policies.
3. If there is an endpoint type that should be assessed and one or more conditions exempt a subgroup of that endpoint type, verify that the subgroup is documented and approved by the ISSM.

If the policy will not be applied to required endpoints or if exempted endpoints are not approved and documented, this is a finding.
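The following audit helper is an added example, not part of the STIG, STIGQter or Cisco ISE: it applies the check above (enabled policies must cover every mandated endpoint type with a mandatory requirement, and every "Not Equal"/"Not Contains" exemption must match an ISSM-approved entry in the SSP) to a constructed, in-memory transcription of the Posture Policy table. The policy records, attribute names and approved-exemption list are hypothetical sample data.

```python
# Added example (not DISA, STIGQter or Cisco code). Audits a hand-transcribed
# view of Work Centers >> Posture >> Posture Policy against the SSP.

# Condition operators the Fix note names as the way to exempt devices.
EXEMPTING_OPERATORS = {"Not Equal", "Not Contains"}

# Constructed sample of what an assessor would record from the Posture Policy page.
POSTURE_POLICIES = [
    {"name": "Win10_Mandatory", "enabled": True, "os": "Windows 10",
     "conditions": [("EndPoints:LogicalProfile", "Not Equal", "Kiosk_Exempt")],
     "requirements": [("AV_Current", "mandatory")]},
    {"name": "macOS_Mandatory", "enabled": True, "os": "macOS",
     "conditions": [("DEVICE:Location", "Not Contains", "Lab")],
     "requirements": [("Disk_Encryption", "mandatory")]},
    {"name": "Linux_Draft", "enabled": False, "os": "Linux",
     "conditions": [], "requirements": [("Patch_Level", "mandatory")]},
]

# Constructed: endpoint types the SSP mandates for assessment, and the
# exemption conditions (attribute, operator, value) the ISSM has approved.
MANDATED_OS = {"Windows 10", "macOS", "Linux"}
SSP_APPROVED_EXEMPTIONS = {("EndPoints:LogicalProfile", "Not Equal", "Kiosk_Exempt")}


def audit_posture_policies(policies, mandated_os, approved_exemptions):
    """Return a list of finding strings; an empty list means the check passes."""
    findings = []
    covered_os = set()
    for p in policies:
        if not p["enabled"]:
            continue  # check step 2 looks only at enabled policies
        if any(kind == "mandatory" for _, kind in p["requirements"]):
            covered_os.add(p["os"])  # green check: mandatory requirement present
        else:
            findings.append(f"{p['name']}: no mandatory requirement selected")
        for cond in p["conditions"]:
            # An exempting condition is acceptable only if the SSP documents it.
            if cond[1] in EXEMPTING_OPERATORS and cond not in approved_exemptions:
                findings.append(f"{p['name']}: exemption {cond} not approved/documented by ISSM")
    for os_name in sorted(mandated_os - covered_os):
        findings.append(f"{os_name}: mandated endpoint type has no enabled posture policy")
    return findings


if __name__ == "__main__":
    for line in audit_posture_policies(POSTURE_POLICIES, MANDATED_OS, SSP_APPROVED_EXEMPTIONS):
        print("FINDING:", line)
```

With the sample data this reports two findings: the undocumented "Not Contains Lab" exemption on the macOS policy, and Linux endpoints left without an enabled policy.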

Vulnerability Number

V-242583

Documentable

False

Rule Version

CSCO-NC-000090

Severity Override Guidance

Review the posture policy to ensure mandated endpoints are being assessed and that any exceptions to the policy are documented and approved by the ISSM.

1. Navigate to Work Centers >> Posture >> Posture Policy.
2. Examine the enabled Posture Policies to determine if the endpoints that are mandated to be assessed will use the required policies.
3. If there is an endpoint type that should be assessed and one or more conditions exempt a subgroup of that endpoint type, verify that the subgroup is documented and approved by the ISSM.

If the policy will not be applied to required endpoints or if exempted endpoints are not approved and documented, this is a finding.

Check Content Reference

M

Target Key

5383

Comments