Title

The Cisco ISE must perform continuous detection and tracking of endpoint devices attached to the network. This is required for compliance with C2C Step 1. (Cat II impact)

Discussion

Continuous scanning capabilities on the Cisco ISE provide visibility of devices that are connected to the switch ports. The Cisco ISE continuously scans networks and monitors the activity of managed and unmanaged devices, which can be personally owned or rogue endpoints. Because many of today's small devices do not include agents, an agentless discovery is often combined to cover more types of equipment.

Check Content

If DoD is not at C2C Step 1 or higher, this is not a finding. If not required by the NAC SSP, this is not a finding. Review the posture settings to ensure Continuous Monitoring Interval is enabled and a value configured. From the Web Admin portal: 1. Choose Work Centers >> Posture >> Settings >> Posture General Settings. 2. Verify that "Continuous Monitoring Interval" is enabled and an interval configured. If "Continuous Monitoring Interval" is not enabled with an interval defined, this is a finding.

Fix Text

If required by the NAC SSP, configure the posture settings to enable Continuous Monitoring Interval. From the Web Admin portal: 1. Choose Work Centers >> Posture >> Settings >> Posture General Settings. 2. Check "Continuous Monitoring Interval" and define an interval to enable continuous monitoring. 3. Choose "Save".

Additional Identifiers

Rule ID: SV-242599r812780_rule

Vulnerability ID: V-242599

Group Title: SRG-NET-000512-NAC-002310

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.