| 1.1.4 Set an Export Password | CIS HPE Aruba Networking CX Switch v1.0.1 Optional Security Recommendations | ArubaOS | IDENTIFICATION AND AUTHENTICATION |
| 2.2.1.1 Set 'ntp authenticate' | CIS Cisco IOS XR 7.x v1.0.1 L2 | Cisco | AUDIT AND ACCOUNTABILITY |
| 2.3.1.1 Set 'ntp authenticate' | CIS Cisco IOS XE 16.x v2.2.0 L2 | Cisco | AUDIT AND ACCOUNTABILITY |
| CISC-L2-000020 - The Cisco switch must uniquely identify and authenticate all network-connected endpoint devices before establishing any connection. | DISA Cisco IOS Switch L2S STIG v3r1 | Cisco | IDENTIFICATION AND AUTHENTICATION |
| CISC-L2-000110 - The Cisco switch must have Spanning Tree Protocol (STP) Loop Guard enabled. | DISA Cisco IOS Switch L2S STIG v3r1 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-L2-000120 - The Cisco switch must have Unknown Unicast Flood Blocking (UUFB) enabled. | DISA Cisco IOS Switch L2S STIG v3r1 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-L2-000130 - The Cisco switch must have DHCP snooping for all user VLANs to validate DHCP messages from untrusted sources. | DISA Cisco IOS Switch L2S STIG v3r1 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-L2-000140 - The Cisco switch must have IP Source Guard enabled on all user-facing or untrusted access switch ports. | DISA Cisco IOS Switch L2S STIG v3r1 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-L2-000150 - The Cisco switch must have Dynamic Address Resolution Protocol (ARP) Inspection (DAI) enabled on all user VLANs. | DISA Cisco IOS Switch L2S STIG v3r1 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-L2-000170 - The Cisco switch must have IGMP or MLD Snooping configured on all VLANs. | DISA Cisco IOS Switch L2S STIG v3r1 | Cisco | CONFIGURATION MANAGEMENT |
| CISC-L2-000190 - The Cisco switch must enable Unidirectional Link Detection (UDLD) to protect against one-way connections. | DISA Cisco IOS Switch L2S STIG v3r1 | Cisco | CONFIGURATION MANAGEMENT |
| CISC-L2-000200 - The Cisco switch must have all trunk links enabled statically. | DISA Cisco IOS Switch L2S STIG v3r1 | Cisco | CONFIGURATION MANAGEMENT |
| CISC-L2-000230 - The Cisco switch must have the default VLAN pruned from all trunk ports that do not require it. | DISA Cisco IOS Switch L2S STIG v3r1 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-L2-000260 - The Cisco switch must have the native VLAN assigned to an ID other than the default VLAN for all 802.1q trunk links. | DISA Cisco IOS Switch L2S STIG v3r1 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-L2-000270 - The Cisco switch must not have any switchports assigned to the native VLAN. | DISA Cisco IOS Switch L2S STIG v3r1 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-ND-000010 - The Cisco switch must be configured to limit the number of concurrent management sessions to an organization-defined number. | DISA Cisco IOS Switch NDM STIG v3r7 | Cisco | ACCESS CONTROL |
| CISC-ND-000090 - The Cisco switch must be configured to automatically audit account creation. | DISA Cisco IOS Switch NDM STIG v3r7 | Cisco | ACCESS CONTROL |
| CISC-ND-000110 - The Cisco switch must be configured to automatically audit account disabling actions. | DISA Cisco IOS Switch NDM STIG v3r7 | Cisco | ACCESS CONTROL |
| CISC-ND-000160 - The Cisco switch must be configured to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the device. | DISA Cisco IOS Switch NDM STIG v3r7 | Cisco | ACCESS CONTROL |
| CISC-ND-000210 - The Cisco device must be configured to audit all administrator activity. | DISA Cisco IOS Switch NDM STIG v3r7 | Cisco | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| CISC-ND-000280 - The Cisco switch must produce audit records containing information to establish when (date and time) the events occurred. | DISA Cisco IOS Switch NDM STIG v3r7 | Cisco | AUDIT AND ACCOUNTABILITY |
| CISC-ND-000290 - The Cisco switch must produce audit records containing information to establish where the events occurred. | DISA Cisco IOS Switch NDM STIG v3r7 | Cisco | AUDIT AND ACCOUNTABILITY |
| CISC-ND-000380 - The Cisco switch must be configured to protect audit information from unauthorized modification. | DISA Cisco IOS Switch NDM STIG v3r7 | Cisco | AUDIT AND ACCOUNTABILITY |
| CISC-ND-000390 - The Cisco switch must be configured to protect audit information from unauthorized deletion. | DISA Cisco IOS Switch NDM STIG v3r7 | Cisco | AUDIT AND ACCOUNTABILITY |
| CISC-ND-000460 - The Cisco switch must be configured to limit privileges to change the software resident within software libraries. | DISA Cisco IOS Switch NDM STIG v3r7 | Cisco | CONFIGURATION MANAGEMENT |
| CISC-ND-000470 - The Cisco switch must be configured to prohibit the use of all unnecessary and non-secure functions and services. | DISA Cisco IOS Switch NDM STIG v3r7 | Cisco | CONFIGURATION MANAGEMENT |
| CISC-ND-000720 - The Cisco switch must be configured to terminate all network connections associated with device management after five minutes of inactivity. | DISA Cisco IOS Switch NDM STIG v3r7 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-ND-000880 - The Cisco switch must be configured to automatically audit account enabling actions. | DISA Cisco IOS Switch NDM STIG v3r7 | Cisco | ACCESS CONTROL |
| CISC-ND-001200 - The Cisco switch must be configured to use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of remote maintenance sessions. | DISA Cisco IOS Switch NDM STIG v3r7 | Cisco | IDENTIFICATION AND AUTHENTICATION, MAINTENANCE |
| CISC-ND-001370 - The Cisco switch must be configured to use at least two authentication servers to authenticate users prior to granting administrative access. | DISA Cisco IOS Switch NDM STIG v3r7 | Cisco | CONFIGURATION MANAGEMENT |
| CISC-ND-001410 - The Cisco switch must be configured to support organizational requirements to conduct backups of the configuration when changes occur. | DISA Cisco IOS Switch NDM STIG v3r7 | Cisco | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING |
| CISC-ND-001450 - The Cisco switch must be configured to send log data to at least two central log servers for the purpose of forwarding alerts to the administrators and the information system security officer (ISSO). | DISA Cisco IOS Switch NDM STIG v3r7 | Cisco | AUDIT AND ACCOUNTABILITY |
| CISC-RT-000060 - The Cisco switch must be configured to have all inactive Layer 3 interfaces disabled. | DISA Cisco IOS Switch RTR STIG v3r3 | Cisco | ACCESS CONTROL |
| CISC-RT-000150 - The Cisco switch must be configured to have gratuitous ARP disabled on all external interfaces. | DISA Cisco IOS Switch RTR STIG v3r3 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000180 - The Cisco switch must be configured to have Internet Control Message Protocol (ICMP) mask reply messages disabled on all external interfaces. | DISA Cisco IOS Switch RTR STIG v3r3 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000200 - The Cisco switch must be configured to log all packets that have been dropped at interfaces via an access control list (ACL). | DISA Cisco IOS Switch RTR STIG v3r3 | Cisco | AUDIT AND ACCOUNTABILITY |
| CISC-RT-000210 - The Cisco switch must be configured to produce audit records containing information to establish where the events occurred. | DISA Cisco IOS Switch RTR STIG v3r3 | Cisco | AUDIT AND ACCOUNTABILITY |
| CISC-RT-000220 - The Cisco switch must be configured to produce audit records containing information to establish the source of the events. | DISA Cisco IOS Switch RTR STIG v3r3 | Cisco | AUDIT AND ACCOUNTABILITY |
| CISC-RT-000240 - The Cisco perimeter switch must be configured to deny network traffic by default and allow network traffic by exception. | DISA Cisco IOS Switch RTR STIG v3r3 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000250 - The Cisco perimeter switch must be configured to enforce approved authorizations for controlling the flow of information between interconnected networks in accordance with applicable policy. | DISA Cisco IOS Switch RTR STIG v3r3 | Cisco | ACCESS CONTROL |
| CISC-RT-000270 - The Cisco perimeter switch must be configured to block inbound packets with source Bogon IP address prefixes. | DISA Cisco IOS Switch RTR STIG v3r3 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000380 - The Cisco perimeter switch must be configured to have Proxy ARP disabled on all external interfaces. | DISA Cisco IOS Switch RTR STIG v3r3 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000394 - The Cisco perimeter switch must be configured to drop IPv6 packets containing a Hop-by-Hop header with invalid option type values. | DISA Cisco IOS Switch RTR STIG v3r3 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000397 - The Cisco perimeter switch must be configured to drop IPv6 packets containing the NSAP address option within Destination Option header. | DISA Cisco IOS Switch RTR STIG v3r3 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000660 - The Cisco PE switch providing MPLS Layer 2 Virtual Private Network (L2VPN) services must be configured to authenticate targeted Label Distribution Protocol (LDP) sessions used to exchange virtual circuit (VC) information using a FIPS-approved message authentication code algorithm. | DISA Cisco IOS Switch RTR STIG v3r3 | Cisco | IDENTIFICATION AND AUTHENTICATION |
| CISC-RT-000740 - The Cisco PE switch must be configured with Unicast Reverse Path Forwarding (uRPF) loose mode enabled on all CE-facing interfaces. | DISA Cisco IOS Switch RTR STIG v3r3 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000800 - The Cisco multicast switch must be configured to bind a Protocol Independent Multicast (PIM) neighbor filter to interfaces that have PIM enabled. | DISA Cisco IOS Switch RTR STIG v3r3 | Cisco | ACCESS CONTROL |
| CISC-RT-000860 - The Cisco multicast Designated switch (DR) must be configured to filter the Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Report messages to allow hosts to join only multicast groups that have been approved by the organization. | DISA Cisco IOS Switch RTR STIG v3r3 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000870 - The Cisco multicast Designated switch (DR) must be configured to filter the Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Report messages to allow hosts to join a multicast group only from sources that have been approved by the organization. | DISA Cisco IOS Switch RTR STIG v3r3 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000880 - The Cisco multicast Designated switch (DR) must be configured to limit the number of mroute states resulting from Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Host Membership Reports. | DISA Cisco IOS Switch RTR STIG v3r3 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
