Details
The loss of connectivity to a particular authoritative time source will result in the loss of time synchronization (free-run mode) and increasingly inaccurate time stamps on audit events and other functions.
Multiple time sources provide redundancy by including a secondary source. Time synchronization is usually a hierarchy; clients synchronize time to a local source while that source synchronizes its time to a more accurate source. The network device must use an authoritative time server and/or be configured to use redundant authoritative time sources. This requirement is related to the comparison done in CCI-001891.
DoD-approved solutions consist of a combination of a primary and secondary time source using a combination or multiple instances of the following: a time server designated for the appropriate DoD network (NIPRNet/SIPRNet); United States Naval Observatory (USNO) time servers; and/or the Global Positioning System (GPS). The secondary time source must be located in a different geographic region than the primary time source.
Solution
Configure the Cisco switch to synchronize its clock with redundant authoritative time sources as shown in the example below:
SW2(config)#ntp server x.x.x.x
SW2(config)#ntp server y.y.y.y
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Audit and Accountability, Configuration Management.This control applies to the following type of system Cisco.
References
- 800-53|AU-8(2)
- 800-53|CM-6b.
- CAT|II
- CCI|CCI-000366
- CCI|CCI-001893
- Rule-ID|SV-220601r521267_rule
- STIG-ID|CISC-ND-001030
- STIG-Legacy|SV-110431
- STIG-Legacy|V-101327
- Vuln-ID|V-220601