TickYouOff
Sign in
Back
🔒

Cisco NX OS Switch STIG Checklist

Hard 18 items · 4 hours
testuser's avatar
testuser Published 4 weeks ago
Security

This checklist helps IT and security teams apply the Cisco NX OS Switch STIG (Y26M01) to Nexus switches. It guides you through download, testing, configuration, scanning, and documentation steps to achieve DISA STIG compliance.

Source: https://ncp.nist.gov/checklist/1311

Progress
0 / 18
  1. Download Cisco NX-OS Switch STIG package — Get XCCDF and STIG docs from cyber.mil or public.cyber.mil.
  2. Review STIG overview, scope, and components — Identify L2S, RTR, and NDM sections relevant to your devices.
  3. Inventory NX-OS devices and map roles — Record model, NX-OS version, location, and management IP.
  4. Backup current device configurations — Store backups in encrypted, access-controlled repository.
  5. Export running-config to secure storage — Capture running-configs before changes.
  6. Save boot-config and verify backups — Save startup-config and confirm restore works.
  7. Test STIG changes in lab environment — Validate configuration and service impacts before production.
  8. Schedule maintenance window and notify stakeholders — Communicate outages and rollback plan to affected teams.
  9. Apply STIG baseline configuration to devices — Push the validated baseline per STIG guidance.
  10. Disable unused services and interfaces — Shut down unused ports and turn off unnecessary daemons.
  11. Configure AAA and secure management access — Enable TACACS+/RADIUS, SSH only, and role-based access control.
  12. Enforce strong SNMP and logging settings — Use SNMPv3, secure community strings, and centralized logging.
  13. Set NTP and timezone, and restrict NTP sources — Configure authoritative NTP servers and ACLs for NTP traffic.
  14. Apply latest NX-OS firmware and security patches — Verify compatibility and staging before production upgrade.
  15. Run DISA STIG compliance scan and generate report — Use XCCDF/OVAL or DISA tools to produce compliance findings.
  16. Remediate any remaining findings and re-scan — Address high-severity findings first, then verify fixes.
  17. Document deviations, exception waivers, and approvals — Record risk acceptance and approval references for audits.
  18. Submit comments or change requests to DISA — Email DISA with feedback: [email protected].
Sign in to save
📝 My Notes