Capacity
CCI-000185
For public key-based authentication, validate certificates by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information.
6
Rule
Severity: Medium
SSSD Has a Correct Trust Anchor
3
Rule
Severity: Medium
Configure Smart Card Certificate Authority Validation
1
Rule
Severity: Medium
The A10 Networks ADC when used for TLS encryption and decryption must validate certificates used for TLS functions by performing RFC 5280-compliant certification path validation.
2
Rule
Severity: High
AAA Services must be configured to only accept certificates issued by a DoD-approved Certificate Authority for PKI-based authentication.
2
Rule
Severity: High
AAA Services must be configured to not accept certificates that have been revoked for PKI-based authentication.
6
Rule
Severity: Medium
The Apache web server must perform RFC 5280-compliant certification path validation.
2
Rule
Severity: Medium
The ALG that provides intermediary services for TLS must validate certificates used for TLS functions by performing RFC 5280-compliant certification path validation.
2
Rule
Severity: Medium
The application server must perform RFC 5280-compliant certification path validation.
2
Rule
Severity: High
The application, when utilizing PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
2
Rule
Severity: High
The Central Log Server, when utilizing PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
1
Rule
Severity: Medium
Docker Enterprise Universal Control Plane (UCP) must be integrated with a trusted certificate authority (CA).
1
Rule
Severity: High
When connecting with endpoints, Forescout must validate certificates used for Transport Layer Security (TLS) functions by performing RFC 5280-compliant certification path validation. This is required for compliance with C2C Step 1.
1
Rule
Severity: Medium
The HP FlexFabric Switch, when utilizing PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
1
Rule
Severity: Medium
The DataPower Gateway that provides intermediary services for TLS must validate certificates used for TLS functions by performing RFC 5280-compliant certification path validation.
1
Rule
Severity: Medium
WebGUI access to the MQ Appliance network device, when using PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
2
Rule
Severity: Medium
All digital certificates in use must have a valid path to a trusted Certification authority.
2
Rule
Severity: Medium
When using PKI-based authentication for user access, the ISEC7 EMM Suite must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
2
Rule
Severity: Medium
The Sentry that provides intermediary services for TLS must validate certificates used for TLS functions by performing RFC 5280-compliant certification path validation.
1
Rule
Severity: Medium
When the Jamf Pro EMM server cannot establish a connection to determine the validity of a certificate, the server must not have the option to accept the certificate.
2
Rule
Severity: Medium
The Mainframe Product, when using PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
1
Rule
Severity: Medium
Firefox must have the DOD root certificates installed.
4
Rule
Severity: Medium
Online revocation checks must be performed.
2
Rule
Severity: Medium
Missing Root Certificates warning must be enforced.
3
Rule
Severity: Medium
Retrieving of CRL data must be set for online action.
2
Rule
Severity: Medium
Warning about invalid signatures must be enforced.
2
Rule
Severity: High
ONTAP must be configured to use an authentication server to provide multifactor authentication.
2
Rule
Severity: High
The network device must be configured to use DoD approved OCSP responders or CRLs to validate certificates used for PKI-based authentication.
1
Rule
Severity: High
Nutanix AOS must perform RFC 5280-compliant certification path validation.
1
Rule
Severity: Medium
OHS must have the LoadModule ossl_module directive enabled to perform RFC 5280-compliant certification path validation.
1
Rule
Severity: Medium
OHS must use FIPS modules to perform RFC 5280-compliant certification path validation.
1
Rule
Severity: Medium
OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to perform RFC 5280-compliant certification path validation.
1
Rule
Severity: Medium
OHS must have the SSLCipherSuite directive enabled to perform RFC 5280-compliant certification path validation.
1
Rule
Severity: Medium
OHS must have the SSLVerifyClient directive set within each SSL-enabled VirtualHost directive to perform RFC 5280-compliant certification path validation.
1
Rule
Severity: Medium
OHS must have the SSLCARevocationFile and SSLCRLCheck directives within each SSL-enabled VirtualHost directive set to perform RFC 5280-compliant certification path validation when using single certification revocation.
1
Rule
Severity: Medium
OHS must have SSLCARevocationPath and SSLCRLCheck directives within each SSL-enabled VirtualHost directive set to perform RFC 5280-compliant certification path validation when using multiple certification revocation.
1
Rule
Severity: Medium
OHS must be integrated with a tool such as Oracle Access Manager to enforce a client-side certificate revocation check through the OCSP protocol.
1
Rule
Severity: Medium
Oracle WebLogic, when utilizing PKI-based authentication, must validate certificates by constructing a certification path with status information to an accepted trust anchor.
1
Rule
Severity: Medium
The Riverbed Optimization System (RiOS) that provides intermediary services for TLS must validate certificates used for TLS functions by performing RFC 5280-compliant certification path validation.
1
Rule
Severity: High
Innoslate must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access.
1
Rule
Severity: High
Innoslate must use multifactor authentication for network access to privileged and non-privileged accounts.
2
Rule
Severity: Low
Samsung Android must [not accept the certificate] when it cannot establish a connection to determine the validity of a certificate.
10
Rule
Severity: Low
Samsung Android must not accept the certificate when it cannot establish a connection to determine the validity of a certificate.
6
Rule
Severity: Medium
The Tanium Server certificates must have Extended Key Usage entries for the serverAuth object TLS Web Server Authentication and the clientAuth object TLS Web Client Authentication.
2
Rule
Severity: High
The Tanium Operating System (TanOS) must use a FIPS-validated cryptographic module to provision digital signatures.
2
Rule
Severity: Medium
The UEM Agent must not install policies if the policy-signing certificate is deemed invalid.
2
Rule
Severity: Medium
When using PKI-based authentication for user access, the UEM server must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
2
Rule
Severity: Medium
When the UEM server cannot establish a connection to determine the validity of a certificate, the server must be configured not to have the option to accept the certificate.
2
Rule
Severity: Medium
The UEM server must validate certificates used for Transport Layer Security (TLS) functions by performing RFC 5280-compliant certification path validation.
1
Rule
Severity: Medium
The Horizon Connection Server must perform full path validation on server-to-server TLS connection certificates.
1
Rule
Severity: Medium
The Horizon Connection Server must validate client and administrator certificates.
2
Rule
Severity: Medium
The VPN Gateway, when utilizing PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
2
Rule
Severity: Medium
The VPN Gateway must validate certificates used for Transport Layer Security (TLS) functions by performing RFC 5280-compliant certification path validation.
1
Rule
Severity: Medium
DoD root CA certificates must be installed in Tomcat trust store.
4
Rule
Severity: High
The macOS system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider.
3
Rule
Severity: Medium
The macOS system must set smart card certificate trust to moderate.
3
Rule
Severity: Medium
The Ubuntu operating system, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
3
Rule
Severity: Medium
PostgreSQL, when utilizing PKI-based authentication, must validate certificates by performing RFC 5280-compliant certification path validation.
2
Rule
Severity: Medium
The Cisco ASA must be configured to validate certificates via a trustpoint that identifies a DoD or DoD-approved certificate authority.
2
Rule
Severity: Medium
The Cisco ASA VPN remote access server must be configured to validate certificates used for Transport Layer Security (TLS) functions by performing RFC 5280-compliant certification path validation.
2
Rule
Severity: Medium
The container platform must validate certificates used for Transport Layer Security (TLS) functions by performing an RFC 5280-compliant certification path validation.
3
Rule
Severity: Medium
The EDB Postgres Advanced Server, when utilizing PKI-based authentication, must validate certificates by performing RFC 5280-compliant certification path validation.
2
Rule
Severity: Medium
The DBMS, when utilizing PKI-based authentication, must validate certificates by performing RFC 5280-compliant certification path validation.
2
Rule
Severity: Medium
IBM z/OS must not use Expired Digital Certificates.
2
Rule
Severity: Medium
All IBM z/OS digital certificates in use must have a valid path to a trusted Certification authority.
2
Rule
Severity: Medium
The operating system, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
2
Rule
Severity: Medium
For PKI-based authentication, SSMC must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
2
Rule
Severity: Medium
The SSMC web server must perform RFC 5280-compliant certification path validation.
2
Rule
Severity: Medium
If the AIX system is using LDAP for authentication or account information, the LDAP SSL, or TLS connection must require the server provide a certificate and this certificate must have a valid path to a trusted CA.
2
Rule
Severity: Medium
Expired IBM z/OS digital certificates must not be used.
2
Rule
Severity: Medium
Expired digital certificates must not be used.
2
Rule
Severity: Medium
The ICS, when utilizing PKI-based authentication, must be configured to validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
2
Rule
Severity: High
The ICS must be configured to use DOD approved OCSP responders or CRLs to validate certificates used for PKI-based authentication.
2
Rule
Severity: Medium
MarkLogic Server, when utilizing PKI-based authentication, must validate certificates by performing RFC 5280-compliant certification path validation.
2
Rule
Severity: Medium
MariaDB, when utilizing PKI-based authentication, must validate certificates by performing RFC 5280-compliant certification path validation.
3
Rule
Severity: High
If passwords are used for authentication, MongoDB must transmit only encrypted representations of passwords.
2
Rule
Severity: Medium
Digital signatures assigned to strongly named assemblies must be verified.
2
Rule
Severity: Medium
The Trust Providers Software Publishing State must be set to 0x23C00.
2
Rule
Severity: Medium
Developer certificates used with the .NET Publisher Membership Condition must be approved by the ISSO.
2
Rule
Severity: Medium
.NET must be configured to validate strong names on full-trust assemblies.
1
Rule
Severity: Low
Check for publishers certificate revocation must be enforced.
1
Rule
Severity: Low
Checking for server certificate revocation must be enforced.
1
Rule
Severity: Medium
The IIS 10.0 web server must perform RFC 5280-compliant certification path validation.
3
Rule
Severity: Medium
Outlook must be configured to allow retrieving of Certificate Revocation Lists (CRLs) always when online.
6
Rule
Severity: Medium
The DoD Root CA certificates must be installed in the Trusted Root Store.
4
Rule
Severity: Medium
The External Root CA certificates must be installed in the Trusted Root Store on unclassified systems.
4
Rule
Severity: Medium
The DoD Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems.
4
Rule
Severity: Medium
The US DoD CCEB Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems.
2
Rule
Severity: Medium
Domain controllers must have a PKI server certificate.
2
Rule
Severity: High
Domain Controller PKI certificates must be issued by the DoD PKI or an approved External Certificate Authority (ECA).
2
Rule
Severity: High
PKI certificates associated with user accounts must be issued by the DoD PKI or an approved External Certificate Authority (ECA).
2
Rule
Severity: Medium
Windows Server 2019 domain controllers must have a PKI server certificate.
2
Rule
Severity: High
Windows Server 2019 domain Controller PKI certificates must be issued by the DoD PKI or an approved External Certificate Authority (ECA).
2
Rule
Severity: High
Windows Server 2019 PKI certificates associated with user accounts must be issued by a DoD PKI or an approved External Certificate Authority (ECA).
2
Rule
Severity: Medium
Windows Server 2019 must have the DoD Root Certificate Authority (CA) certificates installed in the Trusted Root Store.
2
Rule
Severity: Medium
Windows Server 2019 must have the DoD Interoperability Root Certificate Authority (CA) cross-certificates installed in the Untrusted Certificates Store on unclassified systems.
2
Rule
Severity: Medium
Windows Server 2019 must have the US DoD CCEB Interoperability Root CA cross-certificates in the Untrusted Certificates Store on unclassified systems.
2
Rule
Severity: Medium
Windows Server 2022 domain controllers must have a PKI server certificate.
2
Rule
Severity: High
Windows Server 2022 domain Controller PKI certificates must be issued by the DoD PKI or an approved External Certificate Authority (ECA).
2
Rule
Severity: High
Windows Server 2022 PKI certificates associated with user accounts must be issued by a DoD PKI or an approved External Certificate Authority (ECA).
2
Rule
Severity: Medium
Windows Server 2022 must have the DoD Root Certificate Authority (CA) certificates installed in the Trusted Root Store.
2
Rule
Severity: Medium
Windows Server 2022 must have the DoD Interoperability Root Certificate Authority (CA) cross-certificates installed in the Untrusted Certificates Store on unclassified systems.
2
Rule
Severity: Medium
Windows Server 2022 must have the US DoD CCEB Interoperability Root CA cross-certificates in the Untrusted Certificates Store on unclassified systems.
3
Rule
Severity: Medium
The DBMS, when utilizing PKI-based authentication, must validate certificates by constructing a certification path with status information to an accepted trust anchor.
2
Rule
Severity: Medium
OL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
2
Rule
Severity: Medium
The MySQL Database Server 8.0, when utilizing PKI-based authentication, must validate certificates by performing RFC 5280-compliant certification path validation.
2
Rule
Severity: Medium
The Palo Alto Networks security platform that provides intermediary services for TLS must validate certificates used for TLS functions by performing RFC 5280-compliant certification path validation.
2
Rule
Severity: Medium
Redis Enterprise DBMS, when utilizing PKI-based authentication, must validate certificates by performing RFC 5280-compliant certification path validation.
2
Rule
Severity: Medium
RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
4
Rule
Severity: Medium
The SUSE operating system, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
2
Rule
Severity: Medium
RHEL 9, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
2
Rule
Severity: Medium
The VMM, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
4
Rule
Severity: Medium
The vCenter Server must enable revocation checking for certificate-based authentication.
2
Rule
Severity: Medium
The web server must perform RFC 5280-compliant certification path validation.
1
Rule
Severity: Medium
The F5 BIG-IP appliance must configure OCSP to ensure revoked user credentials are prohibited from establishing an allowed session.
1
Rule
Severity: Medium
The F5 BIG-IP appliance must configure OCSP to ensure revoked machine credentials are prohibited from establishing an allowed session.
1
Rule
Severity: Medium
The BIG-IP Core implementation must be configured to validate certificates used for TLS functions for connections to virtual servers by constructing a certification path (which includes status information) to an accepted trust anchor.
1
Rule
Severity: Medium
The F5 BIG-IP appliance must configure OCSP to ensure revoked credentials are prohibited from establishing an allowed session.
1
Rule
Severity: Medium
DOD root CA certificates must be installed in Tomcat trust store.
1
Rule
Severity: Medium
Ubuntu 22.04 LTS, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
1
Rule
Severity: Medium
PostgreSQL, when using PKI-based authentication, must validate certificates by performing RFC 5280-compliant certification path validation.
1
Rule
Severity: Medium
The Mission Owner of the Infrastructure as a Service (IaaS)/Platform as a Service (PaaS) must implement an encrypted, FIPS 140-2/3 compliant path between the implemented systems/applications and the DOD Online Certificate Status Protocol (OCSP) responders.
1
Rule
Severity: Medium
The Mission Owner of the Infrastructure as a Service (IaaS)/Platform as a Service (PaaS) must use valid DOD Online Certificate Status Protocol (OCSP) responders.
1
Rule
Severity: Medium
The Dragos Platform must only allow the use of DOD PKI established certificate authorities for verification of the establishment of protected sessions.
1
Rule
Severity: Medium
Dragos Platform must accept the DOD CAC or other PKI credential for identity management and personal authentication.
1
Rule
Severity: High
The F5 BIG-IP appliance must configure certification path validation to ensure revoked machine credentials are prohibited from establishing an allowed session.
1
Rule
Severity: High
The F5 BIG-IP appliance must configure certificate path validation to ensure revoked user credentials are prohibited from establishing an allowed session.
1
Rule
Severity: High
The F5 BIG-IP appliance must be configured to use DOD approved OCSP responders or CRLs to validate certificates used for PKI-based authentication.
1
Rule
Severity: Medium
When using PKI, the Enterprise Voice, Video, and Messaging Session Manager must validate certificates used for Transport Layer Security (TLS) functions by performing RFC 5280-compliant certification path validation.
1
Rule
Severity: High
When connecting with endpoints, Forescout must be configured to use FIPS 140-2/3 validated algorithms for encryption processes and communications. This is required for compliance with C2C Step 1.
1
Rule
Severity: Medium
All digital certificates in use must have a valid path to a trusted certification authority (CA).
1
Rule
Severity: Medium
When using PKI-based authentication for user access, the ISEC7 SPHERE must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
1
Rule
Severity: Medium
MKE's self-signed certificates must be replaced with DOD trusted, signed certificates.
1
Rule
Severity: High
Rancher RKE2 must protect authenticity of communications sessions with the use of FIPS-validated 140-2 or 140-3 security requirements for cryptographic modules.
1
Rule
Severity: Medium
SLEM 5, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
1
Rule
Severity: Medium
TOSS, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
Patternfly
PatternFly elements
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.
Modules