STIGQter: STIG Summary: Network Device Management Security Requirements Guide Version: 4 Release: 1 Benchmark Date: 23 Apr 2021:

The network device must be configured to use DoD approved OCSP responders or CRLs to validate certificates used for PKI-based authentication.

DISA Rule

SV-237780r663939_rule

Vulnerability Number

V-237780

Group Title

SRG-APP-000175

Rule Version

SRG-APP-000175-NDM-000262

Severity

CAT I

CCI(s)

• CCI-000185 - The information system, for PKI-based authentication, validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information.

Weight

10

Fix Recommendation

Configure the network device to validate certificates used for PKI-based authentication using DoD approved OCSP or CRL sources.

Check Contents

Verify the network device is configured to validate certificates used for PKI-based authentication using DoD approved OCSP or CRL resources. If the network device is not configured to validate certificates used for PKI-based authentication using DoD approved OCSP or CRL sources, this is a finding.

Note: This requirement may be not applicable if the network device is not configured to use DoD PKI as multi-factor authentication for interactive logins. In that scenario, this requirement should be included as part of the business case and discussion with the AO who is required to accept the risk of the alternative solution. However, if alternative DoD or AO approved solutions are employed which still rely on some form of PKI (digital certificates), this requirement should be tailored to configure certificate validation of the accepted solution. An example may be the reinforcement of a list of explicitly allowed, unique per user, session certificates that are both configured on the devices and documented with the ISSO and ISSM (implying that all other certificates are also explicitly forbidden).

Vulnerability Number

V-237780

Documentable

False

Rule Version

SRG-APP-000175-NDM-000262

Severity Override Guidance

Verify the network device is configured to validate certificates used for PKI-based authentication using DoD approved OCSP or CRL resources. If the network device is not configured to validate certificates used for PKI-based authentication using DoD approved OCSP or CRL sources, this is a finding.

Note: This requirement may be not applicable if the network device is not configured to use DoD PKI as multi-factor authentication for interactive logins. In that scenario, this requirement should be included as part of the business case and discussion with the AO who is required to accept the risk of the alternative solution. However, if alternative DoD or AO approved solutions are employed which still rely on some form of PKI (digital certificates), this requirement should be tailored to configure certificate validation of the accepted solution. An example may be the reinforcement of a list of explicitly allowed, unique per user, session certificates that are both configured on the devices and documented with the ISSO and ISSM (implying that all other certificates are also explicitly forbidden).

Check Content Reference

M

Target Key

2890

Comments