Firepower Management Center Configuration Guide, Version 6.2.1

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Book Contents

Find Matches in This Book

Results

Updated:: May 25, 2019

Chapter: Security Certifications Compliance

Security Certifications Compliance
Security Certifications Compliance Modes
Security Certifications Compliance Characteristics
Security Certifications Compliance Recommendations
Enable Security Certifications Compliance

Security Certifications Compliance

The following topics describe how to configure your system to comply with security certifications standards:

Security Certifications Compliance Modes

Your organization might be required to use only equipment and software complying with security standards established by the U.S. Department of Defense and global certification organizations. The following security certifications standards are supported:

Common Criteria (CC): a global standard established by the international Common Criteria Recognition Arrangement, defining properties for security products

Unified Capabilities Approved Products List (UCAPL): a list of products meeting security requirements established by the U.S. Defense Information Systems Agency (DISA)

Note

The U.S. Government has changed the name of the Unified Capabilities Approved Products List (UCAPL) to the Department of Defense Information Network Approved Products List (DODIN APL). References to UCAPL in this documentation and the FMC web interface can be interpreted as references to DODIN APL.

Federal Information Processing Standards (FIPS) 140: a requirements specification for encryption modules

You can enable security certifications compliance in CC mode or UCAPL mode. Enabling security certifications compliance does not guarantee strict compliance with all requirements of the security mode selected. For more information on hardening procedures, refer to the guidelines for this product provided by the certifying entity.

Caution

After you enable this setting, you cannot disable it. If you need to take an appliance out of CC or UCAPL mode, you must reimage.

Security Certifications Compliance Characteristics

The following table describes behavior changes when you enable CC or UCAPL mode. (Restrictions on login accounts refers to command line or shell access, not web interface access. )


System Change	CC Mode	UCAPL Mode
FIPS compliance is enabled.	Yes	Yes
The system does not allow remote storage for backups or reports.	Yes	Yes
The system starts an additional system audit daemon.	No	Yes
The system boot loader is secured.	No	Yes
The system applies additional security to login accounts.	No	Yes
The system disables the reboot key sequence Ctrl-Alt-Del.	No	Yes
The system enforces a maximum of ten simultaneous login sessions.	No	Yes
The system does not support exporting event data using eStreamer.	Yes	Yes
The system applies more stringent safeguards for login accounts: Passwords must be at least fifteen alphanumeric characters of mixed case and must include at least one numeric character. Passwords cannot be a word that appears in a dictionary or include consecutive repeating characters. The system locks out a user after three failed login attempts in a row. In this case, the password must be reset by an administrator. The system stores password history.	No	Yes

Security Certifications Compliance Recommendations

Cisco recommends that you observe the following best practices when using a system with security certifications compliance enabled:

To enable security certifications compliance in your deployment, enable it first on the Firepower Management Center, then enable it in the same mode on all managed devices.

Caution

The Firepower Management Center will not receive event data from a managed device unless both are operating in the same security certifications compliance mode.

For all users, enable password strength checking and set the minimum password length to the value required by the certifying agency.
If you are using Firepower Management Centers in a high-availability configuration, configure them both to use the same security certifications compliance mode.
Do not configure the system to use any of the following features:
- Email reports, alerts, or data pruning notifications.
- Nmap Scan, Cisco IOS Null Route, Set Attribute Value, or ISE EPS remediations.
- Remote storage for backups or reports.
- Third-party client access to the system database.
- External notifications or alerts transmitted via email (SMTP), SNMP trap, or syslog.
- Audit log messages transmitted to an HTTP server or to a syslog server without using SSL certificates to secure the channel between the appliance and the server.
- Exporting event data to an external client using eStreamer.
Do not enable external authentication using LDAP or RADIUS in deployments using CC mode.
Do not enable CACs in deployments using CC mode.
Disable access to the Firepower Management Center and managed devices via the Firepower REST API in deployments using CC or UCAPL mode.
Enable CACs in deployments using UCAPL mode.

Note

The Firepower System does not support CC or UCAPL mode for classic devices in stacks or high availability pairs.

Enable Security Certifications Compliance

This configuration applies to either a Firepower Management Center or a Classic managed device:

For the Firepower Management Center, this configuration is part of the system configuration.
For a managed device, you apply this configuration from the FMC as part of a platform settings policy.

In either case, the configuration does not take effect until you save your system configuration changes or deploy the shared platform settings policy.

Caution

After you enable this setting, you cannot disable it. If you need to take the appliance out of CC or UCAPL mode, you must reimage.

Before you begin

We recommend you register all devices that you plan to be part of your deployment to the FMC before enabling security certifications compliance on any appliances.
You must be an Admin user to perform this task.

Procedure

Step 1

Depending on whether you are configuring an FMC or a managed device:

FMC: Choose System > Configuration.
Classic device: Choose Devices > Platform Settings and create or edit a Firepower policy.

Step 2

Click UCAPL/CC Compliance.

Note

Appliances reboot when you enable UCAPL or CC compliance. The FMC reboots when you save the system configuration; managed devices reboot when you deploy configuration changes.

Step 3

To permanently enable security certifications compliance on the appliance, you have two choices:

To enable security certifications compliance in Common Criteria mode, choose CC from the drop-down list.
To enable security certifications compliance in Unified Capabilities Approved Products List mode, choose UCAPL from the drop-down list.

Step 4

Click Save.

What to do next

If you have not already, apply Control and Protection licenses to all Classic devices in your deployment.
Establish additional configuration changes as described in the guidelines for this product provided by the certifying entity.
Deploy configuration changes; see Deploy Configuration Changes.

Was this Document Helpful?

Feedback

Contact Cisco

Open a Support Case
(Requires a Cisco Service Contract)