CCI-000187
For public key-based authentication, map the authenticated identity to the account of the individual or group.
1 | Rule | Severity: Medium | Enable Certificate Verification
7 | Rule | Severity: Medium | Enable Certmap in SSSD
3 | Rule | Severity: Medium | Enable Smart Card Logins in PAM
1 | Rule | Severity: Low | Verify that 'use_mappers' is set to 'pwent' in PAM
2 | Rule | Severity: Medium | AAA Services must be configured to map the authenticated identity to the user account for PKI-based authentication.
1 | Rule | Severity: High | Compliance Guardian must use multifactor authentication for network access to privileged accounts.
2 | Rule | Severity: Medium | The ALG providing PKI-based user authentication intermediary services must map authenticated identities to the user account.
2 | Rule | Severity: Medium | The application server must map the authenticated identity to the individual user or group account for PKI-based authentication.
2 | Rule | Severity: Medium | The application must map the authenticated identity to the individual user or group account for PKI-based authentication.
1 | Rule | Severity: Medium | The CA API Gateway providing PKI-based user authentication intermediary services must map authenticated identities to the user account.
2 | Rule | Severity: Low | The Central Log Server must map the authenticated identity to the individual user or group account for PKI-based authentication.
1 | Rule | Severity: Medium | The HP FlexFabric Switch must map the authenticated identity to the user account for PKI-based authentication.
1 | Rule | Severity: Medium | The DataPower Gateway must map the authenticated identity to the user account for PKI-based authentication.
1 | Rule | Severity: Medium | The DataPower Gateway providing PKI-based user authentication intermediary services must map authenticated identities to the user account.
1 | Rule | Severity: Medium | The MQ Appliance messaging server must map the authenticated identity to the individual messaging user or group account for PKI-based authentication.
2 | Rule | Severity: High | Multifactor authentication for network access to privileged accounts must be used.
2 | Rule | Severity: Medium | The WebSphere Liberty Server must use DoD-issued/signed certificates.
1 | Rule | Severity: Medium | WebGUI access to the MQ Appliance network device must map the authenticated identity to the user account for PKI-based authentication.
1 | Rule | Severity: Medium | The WebSphere Application Server multifactor authentication for network access to privileged accounts must be used.
1 | Rule | Severity: Medium | The WebSphere Application Server must authenticate all network-connected endpoint devices before establishing any connection.
1 | Rule | Severity: Medium | The WebSphere Application Server must use signer for DoD-issued certificates.
1 | Rule | Severity: High | MobileIron Sentry, for PKI-based authentication, must be configured to map validated certificates to unique user accounts.
2 | Rule | Severity: Medium | The Sentry providing PKI-based mobile device authentication intermediary services must map authenticated identities to the mobile device account.
2 | Rule | Severity: Medium | The Mainframe Product must map the authenticated identity to the individual user or group account for PKI-based authentication.
1 | Rule | Severity: Medium | Firefox must be configured to ask which certificate to present to a website when a certificate is required.
2 | Rule | Severity: Medium | Azure SQL Database must map the PKI-authenticated identity to an associated user account.
2 | Rule | Severity: High | ONTAP must be configured to use an authentication server to provide multifactor authentication.
2 | Rule | Severity: High | The network device, for PKI-based authentication, must be configured to map validated certificates to unique user accounts.
1 | Rule | Severity: Medium | Nutanix AOS must accept Personal Identity Verification (PIV) credentials to access the management interface.
1 | Rule | Severity: Medium | Oracle WebLogic must map the PKI-based authentication identity to the user account.
2 | Rule | Severity: Medium | Prisma Cloud Compute must be configured to require local user accounts to use x.509 multifactor authentication.
2 | Rule | Severity: High | The Riverbed NetProfiler must be configured to authenticate each administrator prior to authorizing privileges based on roles.
1 | Rule | Severity: High | Innoslate must map the authenticated identity to the individual user or group account for PKI-based authentication.
1 | Rule | Severity: Medium | Symantec ProxySG, when configured for reverse proxy/WAF services and providing PKI-based user authentication intermediary services, must map the client certificate to the authentication server store.
2 | Rule | Severity: Medium | Common Access Card (CAC)-based authentication must be enabled and enforced on the Tanium Server for all access and all accounts.
4 | Rule | Severity: Medium | The Tanium application must be configured for LDAP user/group synchronization to map the authenticated identity to the individual user or group account for PKI-based authentication.
2 | Rule | Severity: Medium | The UEM server must map the authenticated identity to the individual user or group account for PKI-based authentication.
1 | Rule | Severity: High | The NSX-T Manager must integrate with either VMware Identity Manager (vIDM) or VMware Workspace ONE Access.
2 | Rule | Severity: Medium | The Remote Access VPN Gateway must use a separate authentication server (e.g., LDAP, RADIUS, TACACS+) to perform user authentication.
2 | Rule | Severity: Medium | The VPN Gateway must map the authenticated identity to the user account for PKI-based authentication.
1 | Rule | Severity: High | The macOS system must use multifactor authentication for local access to privileged and non-privileged accounts.
3 | Rule | Severity: High | The macOS system must use multifactor authentication for local access to privileged and nonprivileged accounts.
3 | Rule | Severity: Medium | The macOS system must allow smart card authentication.
3 | Rule | Severity: High | The Ubuntu operating system must map the authenticated identity to the user or group account for PKI-based authentication.
4 | Rule | Severity: Medium | PostgreSQL must map the PKI-authenticated identity to an associated user account.
2 | Rule | Severity: Medium | The Cisco ASA remote access VPN server must be configured to use a separate authentication server than that used for administrative access.
2 | Rule | Severity: Medium | The Cisco ASA remote access VPN server must be configured to map the distinguished name (DN) from the client’s certificate to entries in the authentication server to determine authorization to access the network.
2 | Rule | Severity: Medium | The container platform must map the authenticated identity to the individual user or group account for PKI-based authentication.
4 | Rule | Severity: Medium | The DBMS must map the PKI-authenticated identity to an associated user account.
2 | Rule | Severity: Medium | The operating system must map the authenticated identity to the user or group account for PKI-based authentication.
2 | Rule | Severity: High | The HPE 3PAR OS must map the authenticated identity to the user account for PKI-based authentication.
2 | Rule | Severity: Medium | IBM z/OS must use ICSF or SAF Key Rings for key management.
2 | Rule | Severity: Medium | IBM z/OS, for PKI-based authentication, must use the ICSF or ESM for key management.
2 | Rule | Severity: High | The ICS must be configured to prevent nonprivileged users from executing privileged functions.
2 | Rule | Severity: Medium | MariaDB must map PKI ID to an associated user account.
3 | Rule | Severity: Medium | MongoDB must map the PKI-authenticated identity to an associated user account.
1 | Rule | Severity: Medium | The DBMS must ensure that PKI-based authentication maps the authenticated identity to the user account.
1 | Rule | Severity: Medium | Processes (services, applications, etc.) that connect to the DBMS independently of individual users, must use valid, current DoD-issued PKI certificates for authentication to the DBMS.
2 | Rule | Severity: Medium | OL 8 must map the authenticated identity to the user or group account for PKI-based authentication.
2 | Rule | Severity: Medium | The MySQL Database Server 8.0 must map the PKI-authenticated identity to an associated user account.
2 | Rule | Severity: Medium | Automation Controller must be configured to use an enterprise user management system.
2 | Rule | Severity: Medium | Redis Enterprise DBMS must map the PKI-authenticated identity to an associated user account.
2 | Rule | Severity: High | OpenShift must use FIPS validated LDAP or OpenIDConnect.
2 | Rule | Severity: Medium | RHEL 8 must map the authenticated identity to the user or group account for PKI-based authentication.
4 | Rule | Severity: Medium | The SUSE operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM).
2 | Rule | Severity: Medium | RHEL 9 must map the authenticated identity to the user or group account for PKI-based authentication.
2 | Rule | Severity: Medium | The VMM must map the authenticated identity to the user or group account for PKI-based authentication.
1 | Rule | Severity: Medium | The BIG-IP APM module must map the authenticated identity to the user account for PKI-based authentication to virtual servers.
1 | Rule | Severity: Medium | The BIG-IP Core implementation providing PKI-based, user authentication intermediary services must be configured to map the authenticated identity to the user account for PKI-based authentication to virtual servers.
1 | Rule | Severity: High | Ubuntu 22.04 LTS must map the authenticated identity to the user or group account for PKI-based authentication.
1 | Rule | Severity: Medium | Dragos Platform must accept the DOD CAC or other PKI credential for identity management and personal authentication.
1 | Rule | Severity: High | The F5 BIG-IP appliance providing user authentication intermediary services must uniquely identify and authenticate users using redundant authentication servers and multifactor authentication (MFA).
1 | Rule | Severity: High | The F5 BIG-IP appliance must be configured to use multifactor authentication (MFA) for interactive logins.
1 | Rule | Severity: High | Sentry, for PKI-based authentication, must be configured to map validated certificates to unique user accounts.
1 | Rule | Severity: Medium | MKE must be configured to integrate with an Enterprise Identity Provider.
1 | Rule | Severity: Medium | Oracle Database must map the PKI-authenticated identity to an associated user account.
1 | Rule | Severity: Medium | SLEM 5 must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM).
1 | Rule | Severity: Medium | TOSS must map the authenticated identity to the user or group account for PKI-based authentication.