Cisco IOS XE Switch STIG (Y26M01)

Hard 23 items · 4 hours
testuser Published 4 weeks ago

This checklist helps administrators implement the Cisco IOS XE Switch STIG (Y26M01) to harden Catalyst switches and meet DISA compliance requirements. It’s designed for network engineers and security teams responsible for IOS XE devices (9200/9300/9400, 3650/3850/9000 series). Follow the steps to inventory devices, apply recommended configurations, test changes, and document compliance.

Source: https://ncp.nist.gov/checklist/1309

  1. Download STIG package from DoD Cyber Exchange — Get the XCCDF/STIG from https://cyber.mil/ (public.cyber.mil if no CAC).
  2. Review STIG summary and scope — Read the STIG overview to determine coverage and modules (L2S, RTR, NDM).
  3. Inventory Cisco IOS XE switches in scope — List device hostnames, models, IOS XE versions, and locations.
  4. Verify device model and IOS XE version — Confirm each device model and software match STIG applicability.
  5. Identify applicable STIG modules (L2S, RTR, NDM) — Map each device to the relevant STIG module(s) before changes.
  6. Schedule maintenance window for changes — Coordinate downtime, notify stakeholders, and prepare rollback plans.
  7. Backup current device configurations — Export running/startup configs and save device images before making changes.
  8. Configure secure management — Apply STIG management hardening (authentication, encryption, access control).
  9. Enable SSH and disable Telnet — Require SSH v2 for remote management and remove Telnet access.
  10. Configure AAA with TACACS+/RADIUS and role-based access — Use centralized auth and least-privilege roles for administrative access.
  11. Disable HTTP server and enable HTTPS where needed — Turn off insecure HTTP; enable HTTPS with valid certs if web UI required.
  12. Disable unused services and interfaces — Shut down unused ports and disable unnecessary protocols (CDP, LLDP if not used).
  13. Implement time sync and logging (NTP, syslog) — Configure reliable NTP sources and forward logs to a secure syslog server.
  14. Apply and verify strong password and account policies — Enforce complexity, aging, and lockout policies as per STIG guidance.
  15. Configure ACLs to restrict management access — Limit SSH/HTTPS and SNMP access to trusted admin networks only.
  16. Enable secure boot and firmware verification — Turn on image integrity checks and secure boot features where supported.
  17. Apply STIG-recommended configurations and hardening — Implement specific settings from the XCCDF/STIG package for each device.
  18. Test configurations in a lab or pilot group — Validate functionality and rollback procedures before wide deployment.
  19. Deploy configurations to production during maintenance — Apply changes during the approved window and monitor for issues.
  20. Perform vulnerability scan and compliance check — Use automated tools to verify STIG compliance and detect CVEs.
  21. Document compliance evidence and exceptions — Collect configs, scans, test results, and document any accepted deviations.
  22. Submit comments or change requests to DISA via email — Send feedback or proposed revisions to [email protected].
  23. Schedule regular patching and monitoring — Plan ongoing updates, log reviews, and periodic STIG revalidation.
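Items 9, 10, 11, 13, 14 and 15 above all map to settings that are visible in a switch's running-config, so item 20 (compliance check) can be partly automated by parsing an exported config. The script below is an added example written for this checklist; it is not part of the TickYouOff page, the DISA STIG package, or any Cisco tool, and the two running-config excerpts it contains are constructed samples, not captures from a real device. It covers only the handful of IOS XE commands named in the checklist (`ip ssh version 2`, `transport input ssh`, `aaa new-model`, `ip http server`, `ntp server`, `logging host`, `login block-for`, `access-class`); the checklist item numbers are used as finding labels because the page does not list STIG vulnerability IDs.

```python
import re
from dataclasses import dataclass

# Constructed sample: a config with several of the weaknesses the checklist targets.
WEAK_CONFIG = """\
hostname SW-LAB-01
no service password-encryption
aaa new-model
aaa authentication login default group tacacs+ local
ip http server
no ip http secure-server
ip ssh version 2
ntp server 192.0.2.10
logging host 192.0.2.20
line vty 0 4
 transport input telnet ssh
 login authentication default
line vty 5 15
 transport input ssh
 access-class MGMT-ACL in
"""

# Constructed sample: the same device after applying checklist items 9-15.
HARDENED_CONFIG = """\
hostname SW-LAB-01
aaa new-model
aaa authentication login default group tacacs+ local
login block-for 900 attempts 3 within 120
no ip http server
ip http secure-server
ip ssh version 2
ntp server 192.0.2.10
logging host 192.0.2.20
line vty 0 4
 transport input ssh
 access-class MGMT-ACL in
line vty 5 15
 transport input ssh
 access-class MGMT-ACL in
"""


@dataclass(frozen=True)
class Finding:
    item: int     # checklist item number on this page (not a STIG vuln ID)
    scope: str    # "global" or the block header, e.g. "line vty 0 4"
    detail: str


def parse_config(text):
    """Split an IOS-style config into top-level commands and their indented sub-commands."""
    global_cmds, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue                      # blank lines and '!' separators
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())   # sub-command of the current block
        else:
            current = raw.strip()
            global_cmds.append(current)
            blocks.setdefault(current, [])
    return global_cmds, blocks


def audit_config(text):
    """Return a list of Findings for the checklist items this example covers."""
    global_cmds, blocks = parse_config(text)
    g = set(global_cmds)
    findings = []
    if "ip ssh version 2" not in g:                       # item 9
        findings.append(Finding(9, "global", "'ip ssh version 2' not configured"))
    if "aaa new-model" not in g:                          # item 10
        findings.append(Finding(10, "global", "'aaa new-model' not configured"))
    if "ip http server" in g:                             # item 11
        findings.append(Finding(11, "global", "'ip http server' is enabled"))
    if not any(c.startswith("ntp server ") for c in g):   # item 13
        findings.append(Finding(13, "global", "no 'ntp server' configured"))
    if not any(c.startswith("logging host ") for c in g):
        findings.append(Finding(13, "global", "no 'logging host' configured"))
    if not any(c.startswith("login block-for ") for c in g):   # item 14
        findings.append(Finding(14, "global", "no 'login block-for' lockout configured"))
    vty = {h: b for h, b in blocks.items() if h.startswith("line vty ")}
    if not vty:
        findings.append(Finding(9, "global", "no 'line vty' blocks found"))
    for header, cmds in vty.items():                      # items 9 and 15, per VTY block
        transport = [c for c in cmds if c.startswith("transport input ")]
        if not transport:
            findings.append(Finding(9, header, "'transport input' not explicitly set to ssh"))
        elif transport[-1] != "transport input ssh":
            findings.append(Finding(9, header, f"'{transport[-1]}' permits a non-SSH protocol"))
        if not any(re.fullmatch(r"access-class \S+ in", c) for c in cmds):
            findings.append(Finding(15, header, "no inbound 'access-class' on management line"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name}: {len(audit_config(cfg))} finding(s)")
        for f in audit_config(cfg):
            print(f"  item {f.item:2d} [{f.scope}] {f.detail}")
```

Run it against a `show running-config` export saved to a file by reading the file into `audit_config`; an empty result means only that these particular commands are in place, so the full XCCDF check set from item 17 and a scanner (item 20) are still needed for the remaining controls.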