CCI-001953

Install the opensc Package For Multifactor Authentication

Install Smart Card Packages For Multifactor Authentication

Configure Smart Card Certificate Status Checking

Configure PAM in SSSD Services

Enable Smart Card Logins in PAM

Compliance Guardian must use multifactor authentication for network access to privileged accounts.

The application server must accept Personal Identity Verification (PIV) credentials to access the management interface.

The application must accept Personal Identity Verification (PIV) credentials.

The Central Log Server must be configured to accept the DoD CAC credential to support identity management and personal authentication.

Citrix Receiver must accept Personal Identity Verification (PIV) credentials.

Citrix StoreFront server must accept Personal Identity Verification (PIV) credentials.

LDAP integration in Docker Enterprise must be configured.

SAML integration must be enabled in Docker Enterprise.

The WebSphere Application Server multifactor authentication for network access to privileged accounts must be used.

WebGUI access to the MQ Appliance network device must accept Personal Identity Verification (PIV) credentials.

The ISEC7 EMM Suite must accept Personal Identity Verification (PIV) credentials.

The Mainframe Product must accept Personal Identity Verification (PIV) credentials.

Exchange Outlook Anywhere (OA) clients must use NTLM authentication to access email.

Nutanix AOS must accept Personal Identity Verification (PIV) credentials to access the management interface.

Prisma Cloud Compute local accounts must enforce strong password requirements.

Prisma Cloud Compute must be configured to require local user accounts to use x.509 multifactor authentication.

Innoslate must use multifactor authentication for network access to privileged and non-privileged accounts.

Splunk Enterprise must use an SSO proxy service, F5 device, or SAML implementation to accept the DoD CAC or other smart card credential for identity management, personal authentication, and multifactor authentication.

Common Access Card (CAC)-based authentication must be enabled and enforced on the Tanium Server for all access and all accounts.

The Tanium application must accept Personal Identity Verification (PIV) credentials.

Multi-factor authentication must be enabled and enforced on the Tanium Server for all access and all accounts.

The VPN Gateway must accept the Common Access Card (CAC) credential.

Multifactor certificate-based tokens (CAC) must be used when accessing the management interface.

The macOS system must accept and verify Personal Identity Verification (PIV) credentials, implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network, and only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions.

The macOS system must accept and verify Personal Identity Verification (PIV) credentials, implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network, and only allow the use of DOD PKI-established certificate authorities for verification of the establishment of protected sessions.

The macOS system must enforce smart card authentication.

The macOS system must allow smart card authentication.

The Ubuntu operating system must accept Personal Identity Verification (PIV) credentials.

The Cisco VPN remote access server must be configured to accept Common Access Card (CAC) credential credentials.

The container platform must be configured to use multi-factor authentication for user authentication.

The operating system must accept Personal Identity Verification (PIV) credentials.

The AIX operating system must accept and verify Personal Identity Verification (PIV) credentials.

Exchange Outlook Anywhere clients must use NTLM authentication to access email.

The Oracle Linux operating system must have the required packages for multifactor authentication installed.

The Oracle Linux operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM).

The Oracle Linux operating system must implement certificate status checking for PKI authentication.

OL 8 must accept Personal Identity Verification (PIV) credentials.

The Palo Alto Networks security platform must accept and verify Personal Identity Verification (PIV) credentials.

Automation Controller must be configured to use an enterprise user management system.

OpenShift must use FIPS validated LDAP or OpenIDConnect.

RHEL 8 must accept Personal Identity Verification (PIV) credentials.

The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate users using multifactor authentication via a graphical user logon.

The Red Hat Enterprise Linux operating system must have the required packages for multifactor authentication installed.

The Red Hat Enterprise Linux operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM).

The Red Hat Enterprise Linux operating system must implement certificate status checking for PKI authentication.

RHEL 9 must have the openssl-pkcs11 package installed.

The SUSE operating system must have the packages required for multifactor authentication to be installed.

The SUSE operating system must implement certificate status checking for multifactor authentication.

The SUSE operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM).

RHEL 9 must have the opensc package installed.

Splunk Enterprise must accept the DoD CAC or other PKI credential for identity management and personal authentication.

The VMM must accept Personal Identity Verification (PIV) credentials.

The vCenter Server must require multifactor authentication.

Ubuntu 22.04 LTS must accept personal identity verification (PIV) credentials.

Dragos Platform must accept the DOD CAC or other PKI credential for identity management and personal authentication.

The ISEC7 SPHERE must accept Personal Identity Verification (PIV) credentials.

MKE must be configured to integrate with an Enterprise Identity Provider.

SLEM 5 must have the packages required for multifactor authentication to be installed.

SLEM 5 must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM).

SLEM 5 must implement certificate status checking for multifactor authentication.

Splunk Enterprise must use an SSO proxy service, F5 device, or SAML implementation to accept the DOD common access card (CAC) or other smart card credential for identity management, personal authentication, and multifactor authentication.

Splunk Enterprise must accept the DOD CAC or other PKI credential for identity management and personal authentication.

Multifactor authentication must be enabled and enforced on the Tanium Server for all access and all accounts.

TOSS must accept Personal Identity Verification (PIV) credentials.