diff --git a/components/tftp.yml b/components/tftp.yml
index 010963f9296..918a53f398b 100644
--- a/components/tftp.yml
+++ b/components/tftp.yml
@@ -7,3 +7,4 @@ rules:
 - package_tftp_removed
 - service_tftp_disabled
 - tftpd_uses_secure_mode
+- tftp_uses_secure_mode_systemd
diff --git a/controls/srg_gpos/SRG-OS-000480-GPOS-00227.yml b/controls/srg_gpos/SRG-OS-000480-GPOS-00227.yml
index 84d8ca01f9f..7ad5581ae3e 100644
--- a/controls/srg_gpos/SRG-OS-000480-GPOS-00227.yml
+++ b/controls/srg_gpos/SRG-OS-000480-GPOS-00227.yml
@@ -239,11 +239,10 @@ controls:
 - enable_authselect
 - no_host_based_files
 - no_user_host_based_files
- - tftpd_uses_secure_mode
 - display_login_attempts
 - installed_OS_is_vendor_supported
 - selinux_all_devicefiles_labeled
 - xwindows_remove_packages
 - chrony_set_nts
-
+ - tftp_uses_secure_mode_systemd
 status: automated
diff --git a/linux_os/guide/services/obsolete/tftp/tftp_uses_secure_mode_systemd/rule.yml b/linux_os/guide/services/obsolete/tftp/tftp_uses_secure_mode_systemd/rule.yml
new file mode 100644
index 00000000000..7b490bd123b
--- /dev/null
+++ b/linux_os/guide/services/obsolete/tftp/tftp_uses_secure_mode_systemd/rule.yml
@@ -0,0 +1,44 @@
+documentation_complete: true
+
+title: 'Ensure tftp systemd Service Uses Secure Mode'
+
+description: |-
+ If running the Trivial File Transfer Protocol (TFTP) service is necessary,
+ it should be configured to change its root directory at startup. To do so,
+ find the path for the tftp systemd service:
+
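Review bot: `status: automated` survives as the last context line of the SRG-OS-000480-GPOS-00227.yml hunk, but the rule swapped in there for `tftpd_uses_secure_mode`, tftp_uses_secure_mode_systemd, states in its own warnings (in the new rule.yml later in this diff) that it has neither an OVAL check nor a remediation, so the tftp part of this control can now only be assessed manually. The status should reflect that, e.g. `status: partial` or whichever value this repository uses for a control that carries a manual-only rule. Removing `tftpd_uses_secure_mode` instead of listing both rules also drops whatever coverage that rule provided — presumably the non-systemd service definition — so if that configuration is still reachable on the target platform, keeping both entries would be the safer change. The control entry this `rules` list belongs to starts before the hunk.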
$ sudo systemctl show tftp | grep ExecStart=
+    ExecStart={ path=/usr/sbin/in.tftpd ; argv[]=/usr/sbin/in.tftpd -s /var/lib/tftpboot ; ignore_errors=no ; start_time=[n/a] ; stop_time=[n/a] ; pid=0 ; code=(null) ; status=0/0 }e
+    
+
+ and ensure the ExecStart line on that file includes the -s option with a subdirectory:
+
ExecStart=/usr/sbin/in.tftpd -s {{{ xccdf_value("var_tftpd_secure_directory") }}}
+
+rationale: |-
+ Using the -s option causes the TFTP service to only serve files from the
+ given directory. Serving files from an intentionally-specified directory
+ reduces the risk of sharing files which should remain private.
+
+severity: medium
+
+ocil: |-
+ Use udo systemctl show tftp to verify that tftp service is using secure mode.
+
$ sudo systemctl show tftp | grep ExecStart=
+    ExecStart={ path=/usr/sbin/in.tftpd ; argv[]=/usr/sbin/in.tftpd -s /var/lib/tftpboot ; ignore_errors=no ; start_time=[n/a] ; stop_time=[n/a] ; pid=0 ; code=(null) ; status=0/0 }e
+    
+
+ and ensure the ExecStart line on that file includes the -s option with a subdirectory:
+
ExecStart=/usr/sbin/in.tftpd -s {{{ xccdf_value("var_tftpd_secure_directory") }}}
+
+
+ocil_clause: 'the ExecStart property of tftp does not contain correctly set -s flag'
+
+platform: package[tftp-server]
+
+warnings:
+ - general: |-
+ An OVAL check is not currently available since ExecStart cannot be checked with OVAL since it is not exposed via dbus.
+ Currently, a remedation is not available for this rule.
+
+
+identifiers:
+ cce@rhel10: CCE-86495-9
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 46626ff8f93..33debb230d4 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -64,7 +64,6 @@ CCE-86484-3
 CCE-86492-6
 CCE-86493-4
 CCE-86494-2
-CCE-86495-9
 CCE-86496-7
 CCE-86497-5
 CCE-86498-3
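Review bot: The manual check in the `ocil:` block only tells the assessor to look for `-s` in ExecStart, but in.tftpd from tftp-hpa accepts the long spelling `--secure` for the same option, so a unit configured that way would be reported as failing by a literal reading; the ocil text and `ocil_clause` should name both spellings, e.g. `includes the -s (or --secure) option with a subdirectory`. Both the description and the ocil say `ensure the ExecStart line on that file`, yet the command shown just before it prints the `systemctl show` property rather than a file, so `on that file` should become `of that service` or point explicitly at the unit file. The ocil sentence reads `Use udo systemctl show tftp`, which looks like a dropped `s` in `sudo` (unless the page extraction lost it), and the warning has `remedation` where `remediation` is meant. This hunk is the whole new file, so these are the only places to fix.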