Forescout Network Access Control STIG Version Comparison
Forescout Network Access Control Security Technical Implementation Guide
Comparison
There are 6 differences between versions v2 r1 (July 24, 2024) (the "left" version) and v2 r3 (Jan. 30, 2025) (the "right" version).
Check FORE-NC-000080 was removed from the benchmark in the "right" version. The text below reflects the old wording.
This check's original form is available here.
Text Differences
Title
Forescout must send an alert to the Information System Security Manager (ISSM) and System Administrator (SA), at a minimum, when critical security issues are found that put the network at risk. This is required for compliance with C2C Step 2.
Check Content
If DoD is not at C2C Step 2 or higher, this is not a finding. Verify Forescout performs device authentication before policy assessment is performed. If device authentication is not completed prior to the NAC check, this is a finding.
Discussion
Requiring authentication and authorization of both the user's identity and the identity of the computing device is essential to ensuring a non-authorized person or device has entered the network.
Fix
Log on to the Forescout UI.
1. Locate the Authentication & Authorization policy.
2. Ensure the Authentication & Authorization policy happens prior to any NAC check.