Nutanix Acropolis STIG (Y26M01) Implementation Checklist
Medium · 20 items · 1 day
testuser · Published 4 weeks ago
This checklist helps administrators and security teams implement the Nutanix Acropolis STIG (Y26M01) controls for Nutanix clusters and components. It’s intended for system owners, engineers, and auditors working in DoD or federal environments who need a practical sequence of steps to test, apply, and document STIG settings.
- Download the Nutanix Acropolis STIG (Y26M01) — Get the official STIG from DoD Cyber Exchange, or from public.cyber.mil if you have no CAC.
- Inventory Nutanix components and versions (AOS, AHV, CVM, Prism, Files) — Record exact versions and CPE identifiers for each component.
- Identify applicable CPE targets and map STIG rules — Match STIG controls to relevant components (AOS, AHV, CVM, Prism, Files).
- Deploy a representative test environment — Mirror production topology to validate changes safely.
- Back up current cluster configuration and data — Export configs and snapshots so you can roll back if needed.
- Apply STIG settings in the test environment — Implement recommended configuration changes from the STIG in test first.
- Review and document functional impacts after testing — Note features affected and test application behavior for each change.
- Obtain Authorizing Official (AO) approval for accepted deviations — Formally record any risk acceptance for settings you cannot implement.
- Patch AOS, AHV, Prism, and CVMs to supported versions — Apply vendor patches to remediate vulnerabilities and meet STIG baselines.
- Harden CVM and Prism access controls — Lock down management plane access, credentials, and admin interfaces.
- Restrict SSH access to CVMs to approved management IPs — Use ACLs or firewall rules to limit admin SSH access.
- Enable role-based access control and MFA in Prism — Assign least-privilege roles and require multifactor authentication.
- Disable unused services and close unnecessary ports on AHV and CVM — Turn off services not required for operation to reduce attack surface.
- Enable and centralize logging and monitoring — Forward logs to Prism Central or a SIEM for retention and alerting.
- Configure secure networking (microsegmentation, VLANs, firewall rules) — Use segmentation to isolate management, storage, and tenant traffic.
- Encrypt data at rest and in transit — Enable available storage and network encryption features per STIG.
- Run vulnerability scans and check for CVEs against mapped CPEs — Use vulnerability scanners and vendor advisories to identify issues.
- Document configuration changes and create a rollback plan — Keep change records, test rollback steps, and store backups securely.
- Schedule regular STIG compliance audits and patch cycles — Define cadence for re-audit, patching, and reporting requirements.
- Maintain STIG sources and operational contacts — Record DoD STIG URLs, contact emails, and support points for quick reference.