STIGQter: STIG Summary: Forescout Network Access Control Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 20 Nov 2020

Forescout must be configured so that all client machines are assessed by Forescout with exceptions that are allowed to bypass Forescout based on account or account type, as approved by the Information System Security Manager (ISSM) and documented in the System Security Plan (SSP).

DISA Rule

SV-233314r615869_rule

Vulnerability Number

V-233314

Group Title

SRG-NET-000015-NAC-000080

Rule Version

FORE-NC-000060

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Forescout allows exceptions by user name or by individual MAC or IP address. DoD requires the best practice of creating a group and applying policy to the group, rather than exempting individual addresses or accounts.

Create a group based on the exemptions in the SSP.

1. In the filters pane under Groups, right-click the group editor. Pick or create an exemption group.
2. Add a name, then define the scope by IP range or subnet, or by MAC address.
3. Click "OK", and then "OK" again. Click "Yes" for "Are you sure?".

Create a policy that uses the exemption group.

1. In the Views pane, click "Authentication & Authorization".
2. Select an existing policy and edit its Scope to add the Exemptions Group.
3. In Exceptions type, select "Group".
4. In the Policy screen, select the exceptions group created in the prior step, click "OK" several times, and then click "Apply".

Check Contents

If traffic is not allowed to bypass the NAC policy, this is not a finding.

Verify a policy exists that uses the exemption group configured so that all client machines are assessed by Forescout with exceptions that are allowed to bypass Forescout based on account or account type, as approved by the ISSM and documented in the SSP.

1. In the filters pane under Groups, right-click the group editor. Pick the group that the site representative identifies as the compliance (exemption) group.
2. Click "Scope" and review the Exemptions Group.

If remediation is being performed, ensure the ISSM has approved any bypass procedure configured in the NAC.

If Forescout is not configured to approve all instances where traffic is allowed to bypass the NAC as approved by the ISSM, this is a finding.

Severity Override Guidance

Identical to the Check Contents above.

Check Content Reference

M

Target Key

5250

Comments