
Forescout must be configured so that all client machines are assessed by Forescout with exceptions that are allowed to bypass Forescout based on account or account type, as approved by the Information System Security Manager (ISSM) and documented in the System Security Plan (SSP). This is required for compliance with C2C Step 1.


Overview

Finding ID: V-233314
Version: FORE-NC-000060
Rule ID: SV-233314r811377_rule
IA Controls: none listed
Severity: High
Description
The NAC gateway provides the policy enforcement allowing or denying the endpoint to the network. Unauthorized endpoints that bypass this control present a risk to the organization's data and network.
STIG: Forescout Network Access Control Security Technical Implementation Guide
Date: 2021-12-17

Details

Check Text ( C-36509r811376_chk )
If DoD is not at C2C Step 1 or higher, this is not a finding.
If traffic is not allowed to bypass the NAC policy, this is not a finding.

Use the Forescout Administrator UI to verify a policy exists that uses the exemption group configured so that all client machines are assessed by Forescout with exceptions that are allowed to bypass Forescout based on the account or account type, as approved by the ISSM and documented in the SSP.

1. In the filters pane under Groups, right-click the group editor. Pick the group that the site representative identifies as the compliance group.
2. Click "Scope" and review the Exemptions Group.

If Forescout is not configured to approve all instances where traffic is allowed to bypass the NAC as approved by the ISSM, this is a finding.
Fix Text (F-36474r803459_fix)
Use the Forescout Administrator UI to configure an exception group that is defined in the SSP, and ensure a policy is applied to that group which allows NAC bypass.

Create a group based on the exemptions in the SSP.

1. In the filters pane under Groups, right-click the group editor. Pick or create an exemption group.
2. Add a name, then add the scope based on IP range or Subnet, or based on MAC Address.
3. Click "OK", and then "OK" again. Click "Yes" for "Are you sure?".

Create a policy that uses the exemption group.

1. In the Views pane, click "Authentication & Authorization".
2. Select an existing policy and Edit the Scope to add the Exemptions Group.
3. In Exceptions type, select "Group".
4. In the Policy screen, select the exceptions group created in the prior step, click "OK" several times, and then click "Apply".
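As an added example that is not part of the STIG and not Forescout's own tooling: a Python audit that compares an exemption group's scope entries (IP ranges, subnets and MAC addresses, the scope types the fix text allows) against the exemptions the ISSM approved and the SSP documents, reporting every entry the SSP does not cover. The group scope and SSP lists below are constructed sample data; in practice they would be read from the Console and from the SSP.

```python
"""Added example (not the STIG's or Forescout's tooling): audit an exemption group against the SSP."""
import ipaddress
import re

def parse_scope(entry: str):
    """Normalize one scope entry: CIDR subnet, IP range 'a-b', single IP, or MAC.
    IP forms become ("range", first, last); MACs become ("mac", 12 hex digits)."""
    e = entry.strip().lower()
    try:
        if "-" in e:  # dashed IP range; a dashed MAC fails ip_address() and falls through
            lo, hi = (ipaddress.ip_address(p.strip()) for p in e.split("-", 1))
            return ("range", lo, hi)
        net = ipaddress.ip_network(e, strict=False)  # a bare IP becomes a /32 or /128
        return ("range", net[0], net[-1])
    except ValueError:
        pass
    digits = re.sub(r"[:\-.]", "", e)
    if re.fullmatch(r"[0-9a-f]{12}", digits):
        return ("mac", digits)
    raise ValueError(f"unrecognized scope entry: {entry!r}")

def covered(item, approved) -> bool:
    """True if the group entry lies entirely inside at least one SSP-approved entry."""
    for a in approved:
        if item[0] == "mac" and a[0] == "mac" and item[1] == a[1]:
            return True
        if (item[0] == "range" and a[0] == "range"
                and item[1].version == a[1].version and a[1] <= item[1] and item[2] <= a[2]):
            return True
    return False

def undocumented_exemptions(group_scope, ssp_exemptions):
    """Return group scope entries that no SSP-documented exemption covers (each is a finding)."""
    approved = [parse_scope(s) for s in ssp_exemptions]
    return [s for s in group_scope if not covered(parse_scope(s), approved)]

# Constructed sample: the exemption group's scope as read from the Console ...
SAMPLE_GROUP_SCOPE = [
    "10.20.30.0/24",            # printer subnet
    "10.20.40.10-10.20.40.20",  # building-control devices
    "00:1A:2B:3C:4D:5E",        # a single device by MAC
    "192.168.99.5",             # not documented in the SSP
]
# ... and the exemptions the ISSM approved and the SSP documents (also constructed).
SAMPLE_SSP_EXEMPTIONS = ["10.20.30.0/24", "10.20.40.0/26", "00-1A-2B-3C-4D-5E"]

if __name__ == "__main__":
    for entry in undocumented_exemptions(SAMPLE_GROUP_SCOPE, SAMPLE_SSP_EXEMPTIONS):
        print(f"FINDING: exemption {entry} is not documented in the SSP")
```

A range entry counts as covered only when it sits entirely inside one approved subnet or range, so a group scope that is wider than the SSP allows is reported even if it overlaps an approved exemption.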