Cisco IOS XE Router STIG (Y26M01) — Compliance Checklist

Hard 22 items · 2 hours
testuser Published 2 months ago

This checklist translates the Cisco IOS XE Router STIG (Y26M01) into actionable steps to harden and validate IOS XE routers. It’s for network engineers, sysadmins, and security teams responsible for DISA STIG compliance and operational device security.

Source: https://ncp.nist.gov/checklist/786

  1. Download latest STIG and SCAP content — Get DISA XCCDF/SCAP content and the IOS XE RTR/NDM STIG package.
  2. Review README and STIG change history — Read README and change logs for tool-specific instructions and updates.
  3. Inventory affected IOS XE devices — List device models, hostnames, IPs, and administrative owners.
  4. Verify device firmware and IOS XE version — Record current images and note required security patches.
  5. Schedule maintenance window — Coordinate downtime with stakeholders before changes.
  6. Backup device configurations — Save configs offline and to a versioned repository before changes.
  7. Apply IOS XE security patches and updates — Install vendor-recommended security fixes and reboot if required.
  8. Disable unused services — Turn off services like HTTP, finger, and others not required.
  9. Configure secure management — Harden how administrators access and manage the device.
  10. Enable SSH v2 and restrict management protocols — Ensure SSH v2 is configured and limit protocol exposure.
  11. Disable Telnet and HTTP management interfaces — Remove insecure remote management methods and use secure alternatives.
  12. Configure AAA and centralized authentication — Use TACACS+/RADIUS for admin authentication and accounting.
  13. Enforce strong password and account policies — Set complexity, expiration, lockout, and remove default accounts.
  14. Configure logging and forward to remote syslog — Enable logging, set levels, and send logs to a centralized collector.
  15. Configure NTP and secure time synchronization — Point to trusted NTP servers and restrict NTP access.
  16. Harden SNMP (use SNMPv3 and limit access) — Disable SNMP v1/v2, enable v3 with auth/privacy, and restrict hosts.
  17. Implement management-plane ACLs and limit admin access — Restrict administrative interfaces to management subnets only.
  18. Run automated STIG scan (SCC/XCCDF/SCAP) — Use DISA-provided SCAP/XCCDF content or SCC tools for scanning.
  19. Review scan results and remediate findings — Prioritize and track remediation for high-severity findings.
  20. Document configuration changes and approvals — Record change tickets, approvals, and configuration diffs.
  21. Archive configs, STIG artifacts, and reports — Store scans, STIG files, and backups for audit retention.
  22. Subscribe to DISA updates and send comments to DISA email — Monitor DISA releases and send feedback to [email protected].
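As an added illustration of the hardening items above (SSH v2 only, no Telnet or HTTP management, AAA, remote syslog, authenticated NTP, SNMPv3, management ACLs), the script below runs a handful of line-anchored checks against two constructed IOS XE running-config excerpts. It is not part of the STIG package or the DISA SCC tooling; the sample configs, the item-to-check mapping and the finding texts are assumptions made here, and the regexes cover only the commands shown, so treat it as a pre-scan sanity check rather than a replacement for the SCAP/XCCDF scan in step 18.

```python
import re

# Constructed sample running-config excerpts (not captured from any real device).
WEAK_CONFIG = """\
ip http server
ip ssh version 2
snmp-server community public RO
ntp server 192.0.2.10
line vty 0 4
 transport input telnet ssh
 login local
"""

HARDENED_CONFIG = """\
aaa new-model
no ip http server
no ip http secure-server
ip ssh version 2
logging host 192.0.2.50
ntp authenticate
ntp server 192.0.2.10 key 1
snmp-server group NETMON v3 priv
line vty 0 4
 access-class MGMT-ONLY in
 transport input ssh
"""

# (checklist item, regex, must_be_present, finding); patterns are anchored to
# whole config lines so "no ip http server" does not satisfy the HTTP check.
CHECKS = [
    (10, r"^ip ssh version 2$", True, "SSH version 2 not enforced"),
    (11, r"^\s+transport input .*\btelnet\b", False, "Telnet permitted on a VTY line"),
    (11, r"^ip http (secure-)?server$", False, "HTTP(S) management server enabled"),
    (12, r"^aaa new-model$", True, "AAA not enabled"),
    (14, r"^logging host \S+", True, "no remote syslog host configured"),
    (15, r"^ntp authenticate$", True, "NTP authentication not enabled"),
    (16, r"^snmp-server community ", False, "SNMPv1/v2c community string present"),
    (17, r"^\s+access-class \S+ in\b", True, "VTY lines lack an inbound access-class"),
]

def audit(config):
    """Return a list of (checklist item, finding) for every check the config fails."""
    lines = [ln.rstrip() for ln in config.splitlines()]
    findings = []
    for item, pattern, must_be_present, text in CHECKS:
        hit = any(re.search(pattern, ln) for ln in lines)
        if hit != must_be_present:
            findings.append((item, text))
    return findings
```

Running `audit(WEAK_CONFIG)` reports seven findings against items 11 to 17, while `audit(HARDENED_CONFIG)` returns an empty list.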