| CISC-ND-000010 - The Cisco router must be configured to limit the number of concurrent management sessions to an organization-defined number. | DISA Cisco IOS XE Router NDM STIG v3r6 | Cisco | ACCESS CONTROL |
| CISC-ND-000090 - The Cisco router must be configured to automatically audit account creation. | DISA Cisco IOS XE Router NDM STIG v3r6 | Cisco | ACCESS CONTROL |
| CISC-ND-000120 - The Cisco router must be configured to automatically audit account removal actions. | DISA Cisco IOS XE Router NDM STIG v3r6 | Cisco | ACCESS CONTROL |
| CISC-ND-000140 - The Cisco router must be configured to enforce approved authorizations for controlling the flow of management information within the device based on control policies. | DISA Cisco IOS XR Router NDM STIG v3r5 | Cisco | ACCESS CONTROL |
| CISC-ND-000490 - The Cisco router must be configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable. | DISA Cisco IOS XE Router NDM STIG v3r6 | Cisco | ACCESS CONTROL |
| CISC-ND-000530 - The Cisco router must be configured to implement replay-resistant authentication mechanisms for network access to privileged accounts. | DISA Cisco IOS XR Router NDM STIG v3r5 | Cisco | IDENTIFICATION AND AUTHENTICATION |
| CISC-ND-001200 - The Cisco router must be configured to use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of remote maintenance sessions. | DISA Cisco IOS XE Router NDM STIG v3r6 | Cisco | IDENTIFICATION AND AUTHENTICATION, MAINTENANCE |
| CISC-ND-001410 - The Cisco router must be configured to back up the configuration when changes occur. | DISA Cisco IOS XE Router NDM STIG v3r6 | Cisco | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING |
| CISC-ND-001440 - The Cisco router must be configured to obtain its public key certificates from an appropriate certificate policy through an approved service provider. | DISA Cisco IOS XE Router NDM STIG v3r6 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000060 - The Cisco router must be configured to have all inactive interfaces disabled. | DISA Cisco IOS XR Router RTR STIG v3r3 | Cisco | ACCESS CONTROL |
| CISC-RT-000160 - The Cisco router must be configured to have IP directed broadcast disabled on all interfaces. | DISA Cisco IOS XR Router RTR STIG v3r3 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000180 - The Cisco router must be configured to have Internet Control Message Protocol (ICMP) mask reply messages disabled on all external interfaces. | DISA Cisco IOS XR Router RTR STIG v3r3 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000190 - The Cisco router must be configured to have Internet Control Message Protocol (ICMP) redirect messages disabled on all external interfaces. | DISA Cisco IOS XR Router RTR STIG v3r3 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000200 - The Cisco router must be configured to log all packets that have been dropped at interfaces via ACL. | DISA Cisco IOS XE Router RTR STIG v3r5 | Cisco | AUDIT AND ACCOUNTABILITY |
| CISC-RT-000210 - The Cisco router must be configured to produce audit records containing information to establish where the events occurred. | DISA Cisco IOS XR Router RTR STIG v3r3 | Cisco | AUDIT AND ACCOUNTABILITY |
| CISC-RT-000236 - The Cisco router must be configured to advertise a hop limit of at least 32 in Router Advertisement messages for IPv6 stateless auto-configuration deployments. | DISA Cisco IOS XE Router RTR STIG v3r5 | Cisco | CONFIGURATION MANAGEMENT |
| CISC-RT-000250 - The Cisco perimeter router must be configured to enforce approved authorizations for controlling the flow of information between interconnected networks in accordance with applicable policy. | DISA Cisco IOS XR Router RTR STIG v3r3 | Cisco | ACCESS CONTROL |
| CISC-RT-000280 - The Cisco perimeter router must be configured to protect an enclave connected to an alternate gateway by using an inbound filter that only permits packets with destination addresses within the sites address space. | DISA Cisco IOS XE Router RTR STIG v3r5 | Cisco | ACCESS CONTROL |
| CISC-RT-000300 - The Cisco perimeter router must be configured to not redistribute static routes to an alternate gateway service provider into BGP or an Interior Gateway Protocol (IGP) peering with the NIPRNet or to other autonomous systems. | DISA Cisco IOS XE Router RTR STIG v3r5 | Cisco | ACCESS CONTROL |
| CISC-RT-000330 - The Cisco perimeter router must be configured to filter ingress traffic at the external interface on an inbound direction. | DISA Cisco IOS XR Router RTR STIG v3r3 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000330 - The Cisco perimeter router must be configured to filter ingress traffic at the external interface on an inbound direction. | DISA Cisco IOS XE Router RTR STIG v3r5 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000350 - The Cisco perimeter router must be configured to block all packets with any IP options. | DISA Cisco IOS XR Router RTR STIG v3r3 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000360 - The Cisco perimeter router must be configured to have Link Layer Discovery Protocol (LLDP) disabled on all external interfaces. | DISA Cisco IOS XE Router RTR STIG v3r5 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000394 - The Cisco perimeter router must be configured to drop IPv6 packets containing a Hop-by-Hop header with invalid option type values. | DISA Cisco IOS XR Router RTR STIG v3r3 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000410 - The Cisco out-of-band management (OOBM) gateway router must be configured to forward only authorized management traffic to the Network Operations Center (NOC). | DISA Cisco IOS XE Router RTR STIG v3r5 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000430 - The Cisco out-of-band management (OOBM) gateway router must be configured to not redistribute routes between the management network routing domain and the managed network routing domain. | DISA Cisco IOS XR Router RTR STIG v3r3 | Cisco | ACCESS CONTROL |
| CISC-RT-000460 - The Cisco router providing connectivity to the Network Operations Center (NOC) must be configured to forward all in-band management traffic via an IPsec tunnel. | DISA Cisco IOS XE Router RTR STIG v3r5 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000510 - The Cisco BGP router must be configured to reject inbound route advertisements from a customer edge (CE) router for prefixes that are not allocated to that customer. | DISA Cisco IOS XR Router RTR STIG v3r3 | Cisco | ACCESS CONTROL |
| CISC-RT-000540 - The Cisco BGP router must be configured to reject route advertisements from BGP peers that do not list their autonomous system (AS) number as the first AS in the AS_PATH attribute. | DISA Cisco IOS XE Router RTR STIG v3r5 | Cisco | ACCESS CONTROL |
| CISC-RT-000590 - The Cisco MPLS router must be configured to use its loopback address as the source address for LDP peering sessions. | DISA Cisco IOS XE Router RTR STIG v3r5 | Cisco | CONTINGENCY PLANNING |
| CISC-RT-000630 - The Cisco PE router must be configured to have each Virtual Routing and Forwarding (VRF) instance bound to the appropriate physical or logical interfaces to maintain traffic separation between all MPLS L3VPNs. | DISA Cisco IOS XE Router RTR STIG v3r5 | Cisco | CONTINGENCY PLANNING |
| CISC-RT-000640 - The Cisco PE router must be configured to have each Virtual Routing and Forwarding (VRF) instance with the appropriate Route Target (RT). | DISA Cisco IOS XE Router RTR STIG v3r5 | Cisco | CONTINGENCY PLANNING |
| CISC-RT-000650 - The Cisco PE router must be configured to have each VRF with the appropriate Route Distinguisher (RD). | DISA Cisco IOS XR Router RTR STIG v3r3 | Cisco | CONTINGENCY PLANNING |
| CISC-RT-000660 - The Cisco PE router providing MPLS Layer 2 Virtual Private Network (L2VPN) services must be configured to authenticate targeted Label Distribution Protocol (LDP) sessions used to exchange virtual circuit (VC) information using a FIPS-approved message authentication code algorithm. | DISA Cisco IOS XR Router RTR STIG v3r3 | Cisco | IDENTIFICATION AND AUTHENTICATION |
| CISC-RT-000670 - The Cisco PE router providing MPLS Virtual Private Wire Service (VPWS) must be configured to have the appropriate pseudowire ID for each attachment circuit. | DISA Cisco IOS XR Router RTR STIG v3r3 | Cisco | CONTINGENCY PLANNING |
| CISC-RT-000680 - The Cisco PE router providing Virtual Private LAN Services (VPLS) must be configured to have all attachment circuits defined to the virtual forwarding instance (VFI) with the globally unique VPN ID assigned for each customer VLAN. | DISA Cisco IOS XR Router RTR STIG v3r3 | Cisco | CONFIGURATION MANAGEMENT |
| CISC-RT-000720 - The Cisco PE router must be configured to limit the number of MAC addresses it can learn for each Virtual Private LAN Services (VPLS) bridge domain. | DISA Cisco IOS XR Router RTR STIG v3r3 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000740 - The Cisco PE router must be configured with Unicast Reverse Path Forwarding (uRPF) loose mode enabled on all CE-facing interfaces. | DISA Cisco IOS XE Router RTR STIG v3r5 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000740 - The Cisco PE router must be configured with Unicast Reverse Path Forwarding (uRPF) loose mode enabled on all CE-facing interfaces. | DISA Cisco IOS XR Router RTR STIG v3r3 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000750 - The Cisco PE router must be configured to ignore or block all packets with any IP options. | DISA Cisco IOS XR Router RTR STIG v3r3 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000760 - The Cisco PE router must be configured to enforce a Quality-of-Service (QoS) policy to provide preferred treatment for mission-critical applications. | DISA Cisco IOS XE Router RTR STIG v3r5 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000790 - The Cisco multicast router must be configured to disable Protocol Independent Multicast (PIM) on all interfaces that are not required to support multicast routing. | DISA Cisco IOS XR Router RTR STIG v3r3 | Cisco | ACCESS CONTROL |
| CISC-RT-000810 - The Cisco multicast edge router must be configured to establish boundaries for administratively scoped multicast traffic. | DISA Cisco IOS XE Router RTR STIG v3r5 | Cisco | ACCESS CONTROL |
| CISC-RT-000810 - The Cisco multicast edge router must be configured to establish boundaries for administratively scoped multicast traffic. | DISA Cisco IOS XR Router RTR STIG v3r3 | Cisco | ACCESS CONTROL |
| CISC-RT-000820 - The Cisco multicast Rendezvous Point (RP) router must be configured to filter Protocol Independent Multicast (PIM) Join messages received from the Designated Router (DR) for any undesirable multicast groups. | DISA Cisco IOS XR Router RTR STIG v3r3 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000830 - The Cisco multicast Rendezvous Point (RP) router must be configured to filter Protocol Independent Multicast (PIM) Register messages received from the Designated Router (DR) for any undesirable multicast groups and sources. | DISA Cisco IOS XR Router RTR STIG v3r3 | Cisco | ACCESS CONTROL |
| CISC-RT-000840 - The Cisco multicast Rendezvous Point (RP) router must be configured to filter Protocol Independent Multicast (PIM) Join messages received from the Designated Router (DR) for any undesirable multicast groups. | DISA Cisco IOS XR Router RTR STIG v3r3 | Cisco | ACCESS CONTROL |
| CISC-RT-000860 - The Cisco multicast Designated Router (DR) must be configured to filter the Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Report messages to allow hosts to join only multicast groups that have been approved by the organization. | DISA Cisco IOS XE Router RTR STIG v3r5 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000890 - The Cisco multicast Designated Router (DR) must be configured to set the shortest-path tree (SPT) threshold to infinity to minimalize source-group (S, G) state within the multicast topology where Any Source Multicast (ASM) is deployed. | DISA Cisco IOS XE Router RTR STIG v3r5 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000890 - The Cisco multicast Designated Router (DR) must be configured to set the shortest-path tree (SPT) threshold to infinity to minimalize source-group (S, G) state within the multicast topology where Any Source Multicast (ASM) is deployed. | DISA Cisco IOS XR Router RTR STIG v3r3 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
