CCI-000185
For public key-based authentication, validate certificates by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information.
The A10 Networks ADC when used for TLS encryption and decryption must validate certificates used for TLS functions by performing RFC 5280-compliant certification path validation.
1 rule found Severity: Medium

Docker Enterprise Universal Control Plane (UCP) must be integrated with a trusted certificate authority (CA).
1 rule found Severity: Medium

The HP FlexFabric Switch, when utilizing PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
1 rule found Severity: Medium

The DataPower Gateway that provides intermediary services for TLS must validate certificates used for TLS functions by performing RFC 5280-compliant certification path validation.
1 rule found Severity: Medium

WebGUI access to the MQ Appliance network device, when using PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
1 rule found Severity: Medium

When using PKI-based authentication for user access, the ISEC7 EMM Suite must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
1 rule found Severity: Medium

The Sentry that provides intermediary services for TLS must validate certificates used for TLS functions by performing RFC 5280-compliant certification path validation.
2 rules found Severity: Medium

OHS must have the LoadModule ossl_module directive enabled to perform RFC 5280-compliant certification path validation.
1 rule found Severity: Medium

OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to perform RFC 5280-compliant certification path validation.
1 rule found Severity: Medium

OHS must have the SSLCipherSuite directive enabled to perform RFC 5280-compliant certification path validation.
1 rule found Severity: Medium

OHS must have the SSLVerifyClient directive set within each SSL-enabled VirtualHost directive to perform RFC 5280-compliant certification path validation.
1 rule found Severity: Medium

OHS must have the SSLCARevocationFile and SSLCRLCheck directives within each SSL-enabled VirtualHost directive set to perform RFC 5280-compliant certification path validation when using single certification revocation.
1 rule found Severity: Medium

OHS must have SSLCARevocationPath and SSLCRLCheck directives within each SSL-enabled VirtualHost directive set to perform RFC 5280-compliant certification path validation when using multiple certification revocation.
1 rule found Severity: Medium

OHS must be integrated with a tool such as Oracle Access Manager to enforce a client-side certificate revocation check through the OCSP protocol.
1 rule found Severity: Medium

Oracle WebLogic, when utilizing PKI-based authentication, must validate certificates by constructing a certification path with status information to an accepted trust anchor.
1 rule found Severity: Medium

The Riverbed Optimization System (RiOS) that provides intermediary services for TLS must validate certificates used for TLS functions by performing RFC 5280-compliant certification path validation.
1 rule found Severity: Medium

Innoslate must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access.
1 rule found Severity: High

Innoslate must use multifactor authentication for network access to privileged and non-privileged accounts.
1 rule found Severity: High

Samsung Android must [not accept the certificate] when it cannot establish a connection to determine the validity of a certificate.
2 rules found Severity: Low

The Tanium Server certificates must have Extended Key Usage entries for the serverAuth object TLS Web Server Authentication and the clientAuth object TLS Web Client Authentication.
5 rules found Severity: Medium

The Tanium Operating System (TanOS) must use a FIPS-validated cryptographic module to provision digital signatures.
2 rules found Severity: High

The Horizon Connection Server must perform full path validation on server-to-server TLS connection certificates.
1 rule found Severity: Medium

The macOS system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider.
2 rules found Severity: High

The Ubuntu operating system, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
2 rules found Severity: Medium

If passwords are used for authentication, MongoDB must transmit only encrypted representations of passwords.
3 rules found Severity: High

The DBMS, when utilizing PKI-based authentication, must validate certificates by constructing a certification path with status information to an accepted trust anchor.
2 rules found Severity: Medium

PostgreSQL, when utilizing PKI-based authentication, must validate certificates by performing RFC 5280-compliant certification path validation.
2 rules found Severity: Medium

Samsung Android must not accept the certificate when it cannot establish a connection to determine the validity of a certificate.
8 rules found Severity: Low

The EDB Postgres Advanced Server, when utilizing PKI-based authentication, must validate certificates by performing RFC 5280-compliant certification path validation.
2 rules found Severity: Medium

The F5 BIG-IP appliance must configure OCSP to ensure revoked user credentials are prohibited from establishing an allowed session.
1 rule found Severity: Medium

The F5 BIG-IP appliance must configure OCSP to ensure revoked machine credentials are prohibited from establishing an allowed session.
1 rule found Severity: Medium

The BIG-IP Core implementation must be configured to validate certificates used for TLS functions for connections to virtual servers by constructing a certification path (which includes status information) to an accepted trust anchor.
1 rule found Severity: Medium

The F5 BIG-IP appliance must configure OCSP to ensure revoked credentials are prohibited from establishing an allowed session.
1 rule found Severity: Medium

PostgreSQL, when using PKI-based authentication, must validate certificates by performing RFC 5280-compliant certification path validation.
1 rule found Severity: Medium

The Cisco ASA must be configured to validate certificates via a trustpoint that identifies a DoD or DoD-approved certificate authority.
1 rule found Severity: Medium

The Cisco ASA VPN remote access server must be configured to validate certificates used for Transport Layer Security (TLS) functions by performing RFC 5280-compliant certification path validation.
1 rule found Severity: Medium

The F5 BIG-IP appliance must configure certification path validation to ensure revoked machine credentials are prohibited from establishing an allowed session.
1 rule found Severity: High

The F5 BIG-IP appliance must configure certificate path validation to ensure revoked user credentials are prohibited from establishing an allowed session.
1 rule found Severity: High

The F5 BIG-IP appliance must be configured to use DOD approved OCSP responders or CRLs to validate certificates used for PKI-based authentication.
1 rule found Severity: High

When using PKI, the Enterprise Voice, Video, and Messaging Session Manager must validate certificates used for Transport Layer Security (TLS) functions by performing RFC 5280-compliant certification path validation.
1 rule found Severity: Medium

For PKI-based authentication, SSMC must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
1 rule found Severity: Medium

If the AIX system is using LDAP for authentication or account information, the LDAP SSL or TLS connection must require that the server provide a certificate, and this certificate must have a valid path to a trusted CA.
1 rule found Severity: Medium

When using PKI-based authentication for user access, the ISEC7 SPHERE must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
1 rule found Severity: Medium

The ICS must be configured to use DOD approved OCSP responders or CRLs to validate certificates used for PKI-based authentication.
1 rule found Severity: High

The ICS, when utilizing PKI-based authentication, must be configured to validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
1 rule found Severity: Medium

MarkLogic Server, when utilizing PKI-based authentication, must validate certificates by performing RFC 5280-compliant certification path validation.
1 rule found Severity: Medium

The External Root CA certificates must be installed in the Trusted Root Store on unclassified systems.
2 rules found Severity: Medium

Domain Controller PKI certificates must be issued by the DoD PKI or an approved External Certificate Authority (ECA).
1 rule found Severity: High

PKI certificates associated with user accounts must be issued by the DoD PKI or an approved External Certificate Authority (ECA).
1 rule found Severity: High

The DoD Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems.
2 rules found Severity: Medium

The US DoD CCEB Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems.
2 rules found Severity: Medium

The network device must be configured to use DoD approved OCSP responders or CRLs to validate certificates used for PKI-based authentication.
1 rule found Severity: High

The MySQL Database Server 8.0, when utilizing PKI-based authentication, must validate certificates by performing RFC 5280-compliant certification path validation.
1 rule found Severity: Medium

Redis Enterprise DBMS, when utilizing PKI-based authentication, must validate certificates by performing RFC 5280-compliant certification path validation.
1 rule found Severity: Medium

SLEM 5, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
1 rule found Severity: Medium

TOSS, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
1 rule found Severity: Medium

NixOS, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
1 rule found Severity: Medium

AAA Services must be configured to only accept certificates issued by a DoD-approved Certificate Authority for PKI-based authentication.
1 rule found Severity: High

AAA Services must be configured to not accept certificates that have been revoked for PKI-based authentication.
1 rule found Severity: High

The ALG that provides intermediary services for TLS must validate certificates used for TLS functions by performing RFC 5280-compliant certification path validation.
1 rule found Severity: Medium

The application, when utilizing PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
1 rule found Severity: High

Ubuntu 22.04 LTS, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
1 rule found Severity: Medium

The Central Log Server, when utilizing PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
1 rule found Severity: High

The Mission Owner must configure the Infrastructure as a Service (IaaS)/Platform to use certificate path validation to ensure revoked user credentials are prohibited from establishing a user or machine session.
1 rule found Severity: High

The Mission Owner must configure the Infrastructure as a Service (IaaS)/Platform as a Service (PaaS) Cloud Service to use DOD-approved OCSP responder or CRL to validate certificates used for PKI-based authentication.
1 rule found Severity: High

AlmaLinux OS 9, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
1 rule found Severity: Medium

The container platform must validate certificates used for Transport Layer Security (TLS) functions by performing an RFC 5280-compliant certification path validation.
1 rule found Severity: Medium

The DBMS, when utilizing PKI-based authentication, must validate certificates by performing RFC 5280-compliant certification path validation.
1 rule found Severity: Medium

The Dell OS10 Switch must be configured to use DOD-approved OCSP responders or CRLs to validate certificates used for PKI-based authentication.
1 rule found Severity: High

Dragos Platform must accept the DOD CAC or other PKI credential for identity management and personal authentication.
1 rule found Severity: Medium

The Dragos Platform must only allow the use of DOD PKI established certificate authorities for verification of the establishment of protected sessions.
1 rule found Severity: Medium

When connecting with endpoints, Forescout must be configured to use FIPS 140-2/3 validated algorithms for encryption processes and communications. This is required for compliance with C2C Step 1.
1 rule found Severity: High

The operating system, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
1 rule found Severity: Medium

AOS must be configured to use DOD-approved Online Certificate Status Protocol (OCSP) responders or Certificate Revocation Lists (CRLs) to validate certificates used for public key infrastructure (PKI)-based authentication.
1 rule found Severity: High

The HYCU virtual appliance must be configured to use DOD-approved online certificate status protocol (OCSP) responders or certificate revocation lists (CRLs) to validate certificates used for PKI-based authentication.
1 rule found Severity: High

AOS, when used as a VPN Gateway and using public key infrastructure (PKI)-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
1 rule found Severity: Medium

All IBM z/OS digital certificates in use must have a valid path to a trusted Certification Authority.
1 rule found Severity: Medium

All IBM z/OS digital certificates in use must have a valid path to a trusted Certification Authority (CA).
1 rule found Severity: Medium

The Mainframe Product, when using PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
1 rule found Severity: Medium

MariaDB, when utilizing PKI-based authentication, must validate certificates by performing RFC 5280-compliant certification path validation.
1 rule found Severity: Medium

Developer certificates used with the .NET Publisher Membership Condition must be approved by the ISSO.
1 rule found Severity: Medium

Outlook must be configured to allow retrieving of Certificate Revocation Lists (CRLs) always when online.
1 rule found Severity: Medium

Windows Server 2019 Domain Controller PKI certificates must be issued by the DoD PKI or an approved External Certificate Authority (ECA).
1 rule found Severity: High

Windows Server 2019 PKI certificates associated with user accounts must be issued by a DoD PKI or an approved External Certificate Authority (ECA).
1 rule found Severity: High

Windows Server 2019 must have the DoD Root Certificate Authority (CA) certificates installed in the Trusted Root Store.
1 rule found Severity: Medium

Windows Server 2019 must have the DoD Interoperability Root Certificate Authority (CA) cross-certificates installed in the Untrusted Certificates Store on unclassified systems.
1 rule found Severity: Medium

Windows Server 2019 must have the US DoD CCEB Interoperability Root CA cross-certificates in the Untrusted Certificates Store on unclassified systems.
1 rule found Severity: Medium

Windows Server 2022 Domain Controller PKI certificates must be issued by the DoD PKI or an approved External Certificate Authority (ECA).
1 rule found Severity: High

Windows Server 2022 PKI certificates associated with user accounts must be issued by a DoD PKI or an approved External Certificate Authority (ECA).
1 rule found Severity: High

Windows Server 2022 must have the DoD Root Certificate Authority (CA) certificates installed in the Trusted Root Store.
1 rule found Severity: Medium

Windows Server 2022 must have the DoD Interoperability Root Certificate Authority (CA) cross-certificates installed in the Untrusted Certificates Store on unclassified systems.
1 rule found Severity: Medium

Windows Server 2022 must have the US DoD CCEB Interoperability Root CA cross-certificates in the Untrusted Certificates Store on unclassified systems.
1 rule found Severity: Medium

OL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
1 rule found Severity: Medium

The Palo Alto Networks security platform that provides intermediary services for TLS must validate certificates used for TLS functions by performing RFC 5280-compliant certification path validation.
1 rule found Severity: Medium

Rancher RKE2 must protect authenticity of communications sessions with the use of FIPS-validated 140-2 or 140-3 security requirements for cryptographic modules.
1 rule found Severity: High

RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
1 rule found Severity: Medium

RHEL 9, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
1 rule found Severity: Medium

The SUSE operating system, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
2 rules found Severity: Medium

The VMM, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
1 rule found Severity: Medium

When using PKI-based authentication for user access, the UEM server must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
1 rule found Severity: Medium

When the UEM server cannot establish a connection to determine the validity of a certificate, the server must be configured not to have the option to accept the certificate.
1 rule found Severity: Medium

The UEM server must validate certificates used for Transport Layer Security (TLS) functions by performing RFC 5280-compliant certification path validation.
1 rule found Severity: Medium

The VPN Gateway, when utilizing PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
1 rule found Severity: Medium

The VPN Gateway must validate certificates used for Transport Layer Security (TLS) functions by performing RFC 5280-compliant certification path validation.
1 rule found Severity: Medium
