Security Certifications Compliance Characteristics

The following table describes behavior changes when you enable CC or UCAPL mode. (Restrictions on login accounts refer to command line access, not web interface access.) Empty cells mean the row does not apply to that platform.

| System change | Secure Firewall Management Center: CC mode | Secure Firewall Management Center: UCAPL mode | Classic managed devices: CC mode | Classic managed devices: UCAPL mode | Secure Firewall Threat Defense: CC mode | Secure Firewall Threat Defense: UCAPL mode |
|---|---|---|---|---|---|---|
| FIPS compliance is enabled. | Yes | Yes | Yes | Yes | Yes | Yes |
| The system does not allow remote storage for backups or reports. | Yes | Yes | | | | |
| The system starts an additional system audit daemon. | No | Yes | No | Yes | No | No |
| The system boot loader is secured. | No | Yes | No | Yes | No | No |
| The system applies additional security to login accounts. | No | Yes | No | Yes | No | No |
| The system disables the reboot key sequence Ctrl+Alt+Del. | No | Yes | No | Yes | No | No |
| The system enforces a maximum of ten simultaneous login sessions. | No | Yes | No | Yes | No | No |
| Passwords must be at least 15 characters long, must consist of alphanumeric characters of mixed case, and must include at least one numeric character. | No | Yes | No | Yes | No | No |
| The minimum required password length for the local admin user can be configured using the local device CLI. | No | No | No | No | Yes | Yes |
| Passwords cannot be a word that appears in a dictionary or include consecutive repeating characters. | No | Yes | No | Yes | No | No |
| The system locks out users other than admin after three failed login attempts in a row. In this case, the password must be reset by an administrator. | No | Yes | No | Yes | No | No |
| The system stores password history by default. | No | Yes | No | Yes | No | No |
| The admin user can be locked out after a maximum number of failed login attempts configurable through the web interface. | Yes | Yes | Yes | Yes | | |
| The admin user can be locked out after a maximum number of failed login attempts configurable through the local appliance CLI. | No | No | Yes, regardless of security certifications compliance enablement. | Yes, regardless of security certifications compliance enablement. | Yes | Yes |
| The system automatically rekeys an SSH session with an appliance: after a key has been in use for one hour of session activity, or after a key has been used to transmit 1 GB of data over the connection. | Yes | Yes | Yes | Yes | Yes | Yes |
| The system performs a file system integrity check (FSIC) at boot time. If the FSIC fails, Secure Firewall software does not start, remote SSH access is disabled, and you can access the appliance only via the local console. If this happens, contact Cisco TAC. | Yes | Yes | Yes | Yes | Yes | Yes |
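The UCAPL password and lockout rows above describe a concrete policy; the following added example (not Cisco code, and not how the appliance implements it) models those rules so you can pre-check candidate passwords and reason about the three-consecutive-failure lockout. The word list is a constructed stand-in for a real dictionary, and "mixed case" is read here as requiring both upper- and lower-case letters.

```python
"""Model of the UCAPL-mode password and lockout rules listed in the table."""

# Constructed sample word list standing in for a real dictionary (assumption).
SAMPLE_DICTIONARY = {"password", "firewall", "administrator"}

MIN_LENGTH = 15  # UCAPL minimum password length from the table


def ucapl_password_violations(password: str, dictionary=SAMPLE_DICTIONARY) -> list:
    """Return the list of rules the password breaks; an empty list means it passes."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("shorter than %d characters" % MIN_LENGTH)
    # "Alphanumeric characters of mixed case": require both upper- and lower-case letters.
    if not any(c.isupper() for c in password) or not any(c.islower() for c in password):
        violations.append("letters are not mixed case")
    if not any(c.isdigit() for c in password):
        violations.append("no numeric character")
    # Consecutive repeating characters, e.g. "tt" in "Battery".
    if any(a == b for a, b in zip(password, password[1:])):
        violations.append("consecutive repeating characters")
    if password.lower() in dictionary:
        violations.append("matches a dictionary word")
    return violations


class ConsecutiveFailureLockout:
    """Lock a non-admin account after three failed logins in a row, until an admin resets it."""

    MAX_FAILURES = 3

    def __init__(self):
        self.failures = {}
        self.locked = set()

    def record(self, user: str, success: bool) -> bool:
        """Record one attempt and return True if the account is now (or remains) locked."""
        if user == "admin":
            return False  # admin lockout uses the separately configured threshold
        if user in self.locked:
            return True  # a later correct password does not clear the lock
        if success:
            self.failures[user] = 0
            return False
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.MAX_FAILURES:
            self.locked.add(user)
        return user in self.locked

    def admin_reset(self, user: str) -> None:
        """Clear the lock and counter, as the administrator password reset would."""
        self.locked.discard(user)
        self.failures[user] = 0
```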