CUI


V-233314

Forescout Network Access Control Security Technical Implementation Guide

CAT I

Title

Forescout must be configured so that all client machines are assessed by Forescout with exceptions that are allowed to bypass Forescout based on account or account type, as approved by the information system security manager (ISSM) and documented in the System Security Plan (SSP). This is required for compliance with C2C Step 1.

Description

The NAC gateway provides the policy enforcement allowing or denying the endpoint to the network. Unauthorized endpoints that bypass this control present a risk to the organization's data and network. The focus of this requirement is on identification, documentation, and approval of devices that will bypass the NAC. This is not a requirement that all traffic flow through the NAC.

Fix Text (Documentation Requirement)

Use the Forescout Administrator UI to configure an exception group that is defined in the SSP and ensure policy is applied to the group that allows NAC bypass.

Create a group based on the exemptions in the SSP.
1. In the filters pane under Groups, right-click the group editor. Pick or create an exemption group.
2. Add a name and then add the scope based on IP range or Subnet, or based on MAC Address.
3. Click "OK" and then click "OK" again. Click "Yes" for "Are you sure?".

Create a policy that uses the exemption group.
1. In the Views pane, click "Authentication & Authorization".
2. Select an existing policy and edit the Scope to add the Exemptions Group.
3. In Exceptions type, select "Group".
4. In the Policy screen, select the exceptions group created in the prior step, click "OK" se...
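The check an assessor needs for this requirement is that every IP range, subnet or MAC address in the exemption group's scope is actually covered by an exemption the ISSM approved in the SSP, and that nothing approved has silently dropped out of the group. The script below is an added example, not part of the STIG text and not Forescout's own tooling: it takes the group scope and the SSP list as plain strings (a constructed, hypothetical input shape; a real Forescout export would need to be mapped onto it), normalizes ranges, subnets and MACs, and reports configured scope that is not approved (an unapproved NAC bypass) separately from approved scope that is not configured (documentation drift).

```python
"""Reconcile a NAC exemption group's scope against SSP-approved exemptions.

Added example: the scope strings below are constructed sample data, and the
list-of-strings input format is an assumption, not a Forescout export format.
"""
import ipaddress
import re

# Accepts 00:11:22:33:44:55 or 00-11-22-33-44-55, any case.
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")


def parse_scope(entries):
    """Normalize scope strings into (set of canonical MACs, list of IP networks).

    Accepts MAC addresses, 'start-end' IP ranges (split into CIDR blocks),
    CIDR subnets and single hosts. Anything else raises ValueError so a
    mistyped exemption is rejected rather than silently ignored.
    """
    macs, nets = set(), []
    for raw in entries:
        entry = raw.strip()
        if MAC_RE.match(entry):
            macs.add(entry.replace("-", ":").lower())
        elif "-" in entry:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
            if hi < lo:
                raise ValueError(f"reversed range: {entry}")
            nets.extend(ipaddress.summarize_address_range(lo, hi))
        else:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return macs, _collapsed(nets)


def _collapsed(nets):
    """Merge adjacent/overlapping blocks per IP version so coverage checks
    see one block where two configured halves make up an approved whole."""
    out = []
    for version in (4, 6):
        out.extend(ipaddress.collapse_addresses([n for n in nets if n.version == version]))
    return out


def _covered(net, blocks):
    """True if `net` lies entirely inside one of `blocks` (same IP version)."""
    return any(net.version == b.version and net.subnet_of(b) for b in blocks)


def reconcile(configured, approved):
    """Compare the exemption group's configured scope with the SSP-approved scope.

    'unapproved'   : configured in the group but not covered by any SSP entry.
                     This is the finding: a bypass the ISSM never approved.
    'unconfigured' : approved in the SSP but not covered by the group.
                     Not a bypass, but the SSP and the group no longer agree.
    """
    cfg_macs, cfg_nets = parse_scope(configured)
    ok_macs, ok_nets = parse_scope(approved)
    unapproved = sorted(cfg_macs - ok_macs)
    unapproved += [str(n) for n in cfg_nets if not _covered(n, ok_nets)]
    unconfigured = sorted(ok_macs - cfg_macs)
    unconfigured += [str(a) for a in ok_nets if not _covered(a, cfg_nets)]
    return {"unapproved": unapproved, "unconfigured": unconfigured}


# Constructed sample data (hypothetical values, not from any real deployment).
CONFIGURED_SCOPE = [
    "10.10.20.0/24",            # printer VLAN, approved as-is
    "10.10.30.10-10.10.30.20",  # lab instruments, inside an approved /24
    "00:11:22:33:44:55",        # single MAC, approved in dashed notation
    "10.10.99.0/24",            # no matching SSP entry
]
SSP_APPROVED = [
    "10.10.20.0/24",
    "10.10.30.0/24",            # broader than what is configured
    "00-11-22-33-44-55",
    "00:aa:bb:cc:dd:ee",        # approved, but missing from the group
]

if __name__ == "__main__":
    report = reconcile(CONFIGURED_SCOPE, SSP_APPROVED)
    for label, items in report.items():
        print(f"{label}: {items if items else 'none'}")
```

With the sample data the only unapproved entry is `10.10.99.0/24`, which is what an assessor would write up against this requirement; the approved `10.10.30.0/24` and the spare MAC show up as unconfigured, which points at an SSP that approves more than the group actually exempts.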
