Forescout must enforce the revocation of endpoint access authorizations at the next compliance assessment interval based on changes to the compliance assessment security policy. This is required for compliance with C2C Step 4.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-233321	FORE-NC-000130	SV-233321r997496_rule		Medium

Description
This requirement gives the option to configure for automated remediation and/or manual remediation. A detailed record must be passed to the remediation server for action. Alternatively, the details can be passed in a notice to the user for action. The device status will be updated on the network access server/authentication server so that further access attempts are denied. The NAC must have policy assessment mechanisms with granular control to distinguish between access restrictions based on the criticality of the software or setting failure.

Description

This requirement gives the option to configure for automated remediation and/or manual remediation. A detailed record must be passed to the remediation server for action. Alternatively, the details can be passed in a notice to the user for action. The device status will be updated on the network access server/authentication server so that further access attempts are denied. The NAC must have policy assessment mechanisms with granular control to distinguish between access restrictions based on the criticality of the software or setting failure.

STIG	Date
Forescout Network Access Control Security Technical Implementation Guide	2024-06-10

Details

Check Text ( C-36516r997495_chk )
If DOD is not at C2C Step 4 or higher, this is not a finding. Verify Forescout admission policy has been configured to revoke access to endpoints that have not met or are removed from the authorized group. If Forescout is not configured with an admissions policy that enforces the revocation of endpoint access authorizations based on when devices are removed from an authorization group, this is a finding.

Check Text ( C-36516r997495_chk )

If DOD is not at C2C Step 4 or higher, this is not a finding.

Verify Forescout admission policy has been configured to revoke access to endpoints that have not met or are removed from the authorized group.

If Forescout is not configured with an admissions policy that enforces the revocation of endpoint access authorizations based on when devices are removed from an authorization group, this is a finding.

Fix Text (F-36481r803464_fix)
Use the Forescout Administrator UI to configure the authorization policy to configured to perform a control action on any devices that have not met authorization requirement or are no longer authorized. 1. Log on to the Forescout UI. 2. From the Policy tab, check that the authorization policy has a Block Action enabled on any devices that have not met or are removed from the authorized group.