Cisco ACI Y25M05 Checklist Details (Checklist Revisions)
Supporting Resources:
- Download Standalone XCCDF 1.1.4 - U_Cisco_ACI_Y25M05_STIG (Defense Information Systems Agency)
Target:
| Target | CPE Name |
|---|---|
| Cisco Application Centric Infrastructure (ACI) | cpe:/a:cisco:application_centric_infrastructure:- |
Checklist Highlights
- Checklist Name: Cisco ACI
- Checklist ID: 1293
- Version: Y25M05
- Type: Compliance
- Review Status: Candidate
- Authority: Governmental Authority: Defense Information Systems Agency
- Original Publication Date: 07/21/2025
Checklist Summary:
The Cisco Application Centric Infrastructure (ACI) Security Technical Implementation Guide (STIG) provides technical security configuration and assessment controls for Cisco ACI fabric and components. The ACI fabric appears as a single switch, capable of bridging and routing; thus, guidance consists of a package of three STIGs that together ensure the secure implementation of management, control, and data planes of the switch.

The DOD enterprise consists of hundreds of physical and virtual endpoints, requiring a complex set of policies and configurations. The ACI can be leveraged to provide centralized data center management, simplify policy distribution, and integrate analytics and forensic applications across the infrastructure. The ACI can also segment the architecture and distribute external routes from a border leaf to other leaf switches. This approach allows the data center network to grow without the risk of creating a failure domain that is too large.

The STIGs' primary scope is the management of network traffic within the data center, the associated functions of application-centric policies, and the automation of application connectivity. In addition to the layer 2 switching functions, layer 3 connectivity to external networks through the L3Out configuration is also assessed. However, acting as a traditional perimeter or edge router is out of scope. Custom applications that can be installed from various vendors to extend functionality are also out of scope.

ACI consists of three key components: the Application Policy Infrastructure Controller (APIC), the leaf switches, and the spine switches. The APIC is a centralized controller that manages all aspects of the ACI fabric. It is a software-defined networking (SDN) solution that provides a policy-based software controller that centralizes access to all fabric information. The APIC interacts with leaf and spine switches to push configurations and enforce application policies. It also creates a fabric-based architecture that can support single-site or multi-site topologies, including multi-cloud and multi-tenant deployment models.

ACI uses Multi-Protocol Border Gateway Protocol (MP-BGP) with VPNv4 in the ACI infra-Virtual Routing and Forwarding (VRF) to distribute external routes from a border leaf to other leaf switches. All traffic in the ACI fabric is normalized as Virtual Extensible LAN (VXLAN) packets. VXLAN decouples layer 2 domains from the underlying layer 3 network infrastructure. The spine-leaf network framework can be implemented as a two- or three-tier architecture using physical switches and/or virtual switches that combine into a virtual fabric using policies controlled by one or more APICs. Each leaf switch connects to one or more spine switches, forming a mesh.

- Leaf switches: These devices have ports connected to classic Ethernet devices, such as servers, firewalls, and router ports. Leaf switches are at the edge of the fabric. The leaf switches are responsible for routing or bridging tenant packets and applying network policies.
- Spine switches: These devices interconnect leaf switches. They can also be used to build a Cisco ACI Multi-Pod fabric by connecting a Cisco ACI pod to an IP network or to a supported WAN device. Spine switches store all the endpoint-to-virtual tunnel endpoint (VTEP) mapping entries (spine switch proxies).
Checklist Role:
- Database Management System
Known Issues:
Not provided.
Target Audience:
Parties within the DOD and federal government’s computing environments can obtain the applicable STIG from the DOD Cyber Exchange website at https://cyber.mil/. This site contains the latest copies of STIGs, SRGs, and other related security information. Those without a Common Access Card (CAC) that has DOD Certificates can obtain the STIG from https://public.cyber.mil/.
Target Operational Environment:
- Managed
- Specialized Security-Limited Functionality (SSLF)
Testing Information:
Not provided.
Regulatory Compliance:
Department of Defense Instruction (DODI) 8500.01
Comments/Warnings/Miscellaneous:
DISA accepts no liability for the consequences of applying specific configuration settings made on the basis of the SRGs/STIGs. The configuration settings specified should be evaluated in a local, representative test environment before implementation in a production environment, especially within large user populations. The extensive variety of environments makes it impossible to test these configuration settings for all potential software configurations. For some production environments, failure to test before implementation may lead to a loss of required functionality. Evaluating the risks and benefits to a system's particular circumstances and requirements is the system owner's responsibility. The evaluated risks resulting from not applying specified configuration settings must be approved by the responsible AO. Furthermore, DISA implies no warranty that the application of all specified configurations will make a system 100 percent secure. Security guidance is provided for the DOD. While other agencies and organizations are free to use it, care must be given to ensure that all applicable security guidance is applied at both the device hardening level and the architectural level, because some settings may not be configurable in environments outside the DOD architecture.
Disclaimer:
Not provided.
Product Support:
Not provided.
Point of Contact:
Sponsor:
Not provided.
Licensing:
Not provided.
Change History:
Created New Checklist - 07/21/2025
Dependency/Requirements:
| URL | Description |
|---|---|
References:
| Reference URL | Description |
|---|---|
NIST checklist record last modified on 07/21/2025
* This checklist is still undergoing review for inclusion into the NCP.