diff --git a/components/tftp.yml b/components/tftp.yml
index 010963f92963..918a53f398b6 100644
--- a/components/tftp.yml
+++ b/components/tftp.yml
@@ -7,3 +7,4 @@ rules:
 - package_tftp_removed
 - service_tftp_disabled
 - tftpd_uses_secure_mode
+- tftp_uses_secure_mode_systemd
diff --git a/controls/srg_gpos/SRG-OS-000480-GPOS-00227.yml b/controls/srg_gpos/SRG-OS-000480-GPOS-00227.yml
index 2954814b97cf..d302a4a001e0 100644
--- a/controls/srg_gpos/SRG-OS-000480-GPOS-00227.yml
+++ b/controls/srg_gpos/SRG-OS-000480-GPOS-00227.yml
@@ -239,10 +239,9 @@ controls:
 - enable_authselect
 - no_host_based_files
 - no_user_host_based_files
- - tftpd_uses_secure_mode
 - display_login_attempts
 - installed_OS_is_vendor_supported
 - selinux_all_devicefiles_labeled
 - xwindows_remove_packages
-
+ - tftp_uses_secure_mode_systemd
 status: automated
diff --git a/linux_os/guide/services/obsolete/tftp/tftp_uses_secure_mode_systemd/rule.yml b/linux_os/guide/services/obsolete/tftp/tftp_uses_secure_mode_systemd/rule.yml
new file mode 100644
index 000000000000..27eeb539c637
--- /dev/null
+++ b/linux_os/guide/services/obsolete/tftp/tftp_uses_secure_mode_systemd/rule.yml
@@ -0,0 +1,38 @@
+documentation_complete: true
+
+title: 'Ensure tftp Daemon Uses Secure Mode Using systemd'
+
+description: |-
+ If running the Trivial File Transfer Protocol (TFTP) service is necessary,
+ it should be configured to change its root directory at startup. To do so,
+ find the path for the tftp systemd service:
+
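Review bot: Swapping `tftpd_uses_secure_mode` for `tftp_uses_secure_mode_systemd` in this shared SRG control changes coverage for every product that consumes the control, yet the new rule's only identifier in this commit is `cce@rhel10` and its platform is `package[tftp-server]`; if any other product built from this control still runs tftp under xinetd, that product loses the secure-mode check entirely. If the intent is RHEL 10 only, consider keeping both rules listed here and letting each rule's applicability decide, or state in the commit message why the xinetd variant is dropped for all consumers. The new entry is also appended after `xwindows_remove_packages` rather than at the position of the removed line, which makes it harder to read the diff as a replacement rather than an addition.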
$ sudo systemctl show tftp | grep ExecStart=
+    ExecStart={ path=/usr/sbin/in.tftpd ; argv[]=/usr/sbin/in.tftpd -s /var/lib/tftpboot ; ignore_errors=no ; start_time=[n/a] ; stop_time=[n/a] ; pid=0 ; code=(null) ; status=0/0 }e
+    
+ + and ensure the ExecStart line on that file includes the -s option with a subdirectory: +
ExecStart=/usr/sbin/in.tftpd -s {{{ xccdf_value("var_tftpd_secure_directory") }}}
+ +rationale: |- + Using the -s option causes the TFTP service to only serve files from the + given directory. Serving files from an intentionally-specified directory + reduces the risk of sharing files which should remain private. + +severity: medium + +ocil: |- + Use sudo systemctl edit tftp to adjust the ExecStart to + be /usr/sbin/in.tftpd -s {{{ xccdf_value("var_tftpd_secure_directory") }}} + + +ocil_clause: 'the ExecStart property of tftp does not contain correctly set -s flag' + +platform: package[tftp-server] + +warnings: + general: |- + A remedation is not currently available due limits of the checking engine. + + +identifiers: + cce@rhel10: CCE-86495-9 diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt index 2925bbf3376b..6216a1d0d5cf 100644 --- a/shared/references/cce-redhat-avail.txt +++ b/shared/references/cce-redhat-avail.txt @@ -65,7 +65,6 @@ CCE-86484-3 CCE-86492-6 CCE-86493-4 CCE-86494-2 -CCE-86495-9 CCE-86496-7 CCE-86497-5 CCE-86498-3
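Review bot: The `ocil` text tells the assessor to use `sudo systemctl edit tftp` to adjust `ExecStart`, but for a service that is not `Type=oneshot` a drop-in that adds a second `ExecStart=` line without first clearing it makes the unit fail to load, so the procedure as written can take the TFTP service down; suggest `Use sudo systemctl edit tftp and, in the override, first reset the setting with an empty ExecStart= line, then set ExecStart=/usr/sbin/in.tftpd -s {{{ xccdf_value("var_tftpd_secure_directory") }}}`. The `warnings.general` text has two typos and should read `A remediation is not currently available due to limits of the checking engine.`, and `ocil_clause` reads better as `'the ExecStart property of tftp does not contain a correctly set -s flag'`. In the description, `ensure the ExecStart line on that file` should be `ensure the ExecStart line in that file`.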