Capacity
CCI-002470
Only allow the use of organization-defined certificate authorities for verification of the establishment of protected sessions.
2
Rule
Severity: Medium
Only Allow DoD PKI-established CAs
1
Rule
Severity: Medium
The A10 Networks ADC being used for TLS encryption and decryption using PKI-based user authentication must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certificate Authorities (CAs) for the establishment of protected sessions.
1
Rule
Severity: Low
Adobe Acrobat Pro DC Continuous periodic downloading of Adobe European certificates must be disabled.
1
Rule
Severity: Low
Adobe Acrobat Pro DC Continuous Periodic downloading of Adobe certificates must be disabled.
1
Rule
Severity: Low
Adobe Reader DC must disable periodical uploading of European certificates.
1
Rule
Severity: Low
Adobe Reader DC must disable periodical uploading of Adobe certificates.
1
Rule
Severity: High
Kona Site Defender providing user authentication intermediary services using PKI-based user authentication must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of protected sessions.
1
Rule
Severity: Medium
Compliance Guardian must only allow the use of DOD PKI established certificate authorities for verification of the establishment of protected sessions.
4
Rule
Severity: Medium
The Apache web server must only accept client certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs).
2
Rule
Severity: Medium
The ALG providing user authentication intermediary services using PKI-based user authentication must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of protected sessions.
2
Rule
Severity: Medium
The application server must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions.
1
Rule
Severity: Medium
DocAve must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions.
2
Rule
Severity: Medium
The application must only allow the use of DoD-approved certificate authorities for verification of the establishment of protected sessions.
1
Rule
Severity: Medium
The BlackBerry Enterprise Mobility Server (BEMS) must be configured to use DoD certificates for SSL.
1
Rule
Severity: Medium
The BlackBerry Enterprise Mobility Server (BEMS) must be configured to use DOD certificates for SSL.
1
Rule
Severity: Medium
The CA API Gateway providing user authentication intermediary services using PKI-based user authentication must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of protected sessions.
2
Rule
Severity: Medium
The Central Log Server must only allow the use of DoD PKI established certificate authorities for verification of the establishment of protected sessions.
1
Rule
Severity: High
Citrix Linux Virtual Delivery Agent must only allow the use of DoD PKI established certificate authorities for verification of the establishment of protected sessions.
1
Rule
Severity: High
Citrix Receiver must implement DoD-approved encryption.
1
Rule
Severity: Medium
Universal Control Plane (UCP) must be integrated with a trusted certificate authority (CA) in Docker Enterprise.
1
Rule
Severity: Medium
Docker Trusted Registry (DTR) must be integrated with a trusted certificate authority (CA) in Docker Enterprise.
2
Rule
Severity: Medium
If the DNS server is using SIG(0), the DNS server implementation must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected transactions.
1
Rule
Severity: Medium
The DataPower Gateway providing user authentication intermediary services using PKI-based user authentication must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of protected sessions.
1
Rule
Severity: Medium
The MQ Appliance messaging server must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected (messaging) sessions.
2
Rule
Severity: Medium
The WebSphere Liberty Server must use DoD-issued/signed certificates.
1
Rule
Severity: Medium
DB2 must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of all encrypted sessions.
1
Rule
Severity: Medium
The WebSphere Application Server personal certificates in all keystores must be issued by an approved DoD CA.
1
Rule
Severity: Medium
The Ivanti MobileIron Core server must only allow the use of DoD PKI established certificate authorities for verification of the establishment of protected sessions.
2
Rule
Severity: Medium
The ISEC7 EMM Suite must allow the use of DoD PKI established certificate authorities for verification of the establishment of protected sessions.
2
Rule
Severity: Medium
The Sentry providing mobile device authentication intermediary services using PKI-based mobile device authentication must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of protected sessions.
2
Rule
Severity: Medium
JBoss must be configured to use DoD PKI-established certificate authorities for verification of the establishment of protected sessions.
2
Rule
Severity: Medium
The Juniper SRX Services Gateway VPN must only allow the use of DoD PKI established certificate authorities for verification of the establishment of protected sessions.
1
Rule
Severity: Medium
The Windows 2012 DNS Server must only allow the use of an approved DoD PKI-established certificate authorities for verification of the establishment of protected transactions.
1
Rule
Severity: High
Nutanix AOS must use DoD- or CNSS-approved PKI Class 3 or Class 4 certificates.
1
Rule
Severity: Medium
OHS must have the LoadModule ossl_module directive enabled so SSL requests can be processed with client certificates only issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs).
1
Rule
Severity: Medium
OHS must have the SSLFIPS directive enabled so SSL requests can be processed with client certificates only issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs).
1
Rule
Severity: Medium
OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled so SSL requests can be processed with client certificates only issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs).
1
Rule
Severity: Medium
OHS must have the SSLCipherSuite directive enabled so SSL requests can be processed with client certificates only issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs).
1
Rule
Severity: Medium
OHS must have the SSLVerifyClient directive enabled to only accept client certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs).
1
Rule
Severity: Medium
OHS must use wallets that have only DoD certificate authorities defined.
1
Rule
Severity: High
Innoslate must use multifactor authentication for network access to privileged and non-privileged accounts.
2
Rule
Severity: Medium
Splunk Enterprise must only allow the use of DoD-approved certificate authorities for cryptographic functions.
1
Rule
Severity: Medium
If reverse proxy is used for validating and restricting certs from external entities, and this function is required by the SSP, Symantec ProxySG providing user authentication intermediary services using PKI-based user authentication must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of protected sessions.
2
Rule
Severity: Medium
The Tanium Server certificate must be signed by a DoD Certificate Authority.
2
Rule
Severity: Medium
The Tanium Server certificate must be signed by a DOD Certificate Authority.
2
Rule
Severity: Medium
The Tanium Server certificate must be signed by a DoD certificate authority (CA).
2
Rule
Severity: Medium
The UEM Agent must only accept policies and policy updates that are digitally signed by a certificate that has been authorized for policy updates by the UEM Server.
2
Rule
Severity: Medium
The UEM Agent must perform the following functions: Import the certificates to be used for authentication of UEM Agent communications.
2
Rule
Severity: Medium
The UEM server must only allow the use of DoD PKI established certificate authorities for verification of the establishment of protected sessions.
2
Rule
Severity: Medium
The UEM server must be configured to use X.509v3 certificates for code signing for system software updates.
2
Rule
Severity: Medium
The UEM server must be configured to use X.509v3 certificates for code signing for integrity verification.
1
Rule
Severity: Medium
The UEM Server must provide digitally signed policy updates to UEM Agent.
1
Rule
Severity: Medium
The Horizon Connection Server must be configured with a DoD-issued TLS certificate.
2
Rule
Severity: Medium
The Apache web server must use cryptography to protect the integrity of remote sessions.
2
Rule
Severity: Medium
Certificates in the trust store must be issued/signed by an approved CA.
1
Rule
Severity: Medium
The macOS system must accept and verify Personal Identity Verification (PIV) credentials, implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network, and only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions.
3
Rule
Severity: Medium
The macOS system must accept and verify Personal Identity Verification (PIV) credentials, implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network, and only allow the use of DOD PKI-established certificate authorities for verification of the establishment of protected sessions.
3
Rule
Severity: Medium
The macOS system must set smart card certificate trust to moderate.
3
Rule
Severity: Medium
The macOS system must issue or obtain public key certificates from an approved service provider.
1
Rule
Severity: Medium
The Ubuntu operating system must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions.
2
Rule
Severity: Medium
The Ubuntu operating system must use DoD PKI-established certificate authorities for verification of the establishment of protected sessions.
3
Rule
Severity: Medium
PostgreSQL must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of all encrypted sessions.
2
Rule
Severity: Medium
The EDB Postgres Advanced Server must only accept end entity certificates issued by DOD PKI or DOD-approved PKI Certification Authorities (CAs) for the establishment of all encrypted sessions.
2
Rule
Severity: Medium
The DBMS must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of all encrypted sessions.
2
Rule
Severity: Medium
All IBM z/OS digital certificates in use must have a valid path to a trusted Certification authority.
2
Rule
Severity: Medium
The operating system must only allow the use of DoD PKI-established certificate authorities for authentication in the establishment of protected sessions to the operating system.
2
Rule
Severity: Medium
The HPE 3PAR OS must be configured to only allow the use of DOD PKI-established certificate authorities for authentication in the establishment of protected sessions to the operating system.
2
Rule
Severity: Medium
The HPE 3PAR OS syslog-sec-client must be configured to perform mutual TLS authentication using a CA-signed client certificate.
2
Rule
Severity: Medium
The HPE 3PAR OS must be configured to only use DOD PKI established certificate authorities for authentication in the establishment of protected sessions to the operating system with an External Key Manager.
2
Rule
Severity: Medium
The HPE 3PAR OS must be configured to perform mutual TLS authentication using a CA-signed client certificate when communicating with an External Key Manager.
2
Rule
Severity: Medium
The HPE 3PAR OS must be configured to only use DOD PKI established certificate authorities for authentication in the establishment of protected sessions to the operating system with a centralized account management server.
2
Rule
Severity: Medium
AIX must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions.
1
Rule
Severity: Medium
All digital certificates in use must have a valid path to a trusted Certification authority.
2
Rule
Severity: Medium
MarkLogic Server must only accept end-entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of all encrypted sessions.
2
Rule
Severity: Medium
MariaDB must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of all encrypted sessions.
2
Rule
Severity: Medium
MongoDB must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of all encrypted sessions.
2
Rule
Severity: Medium
A private IIS 10.0 website authentication mechanism must use client certificates to transmit session identifier to assure integrity.
2
Rule
Severity: Medium
The IIS 10.0 website must only accept client certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs).
4
Rule
Severity: Medium
The DoD Root CA certificates must be installed in the Trusted Root Store.
4
Rule
Severity: Medium
The DoD Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems.
6
Rule
Severity: Medium
The US DoD CCEB Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems.
2
Rule
Severity: Medium
Windows Server 2019 must have the DoD Root Certificate Authority (CA) certificates installed in the Trusted Root Store.
2
Rule
Severity: Medium
Windows Server 2019 must have the DoD Interoperability Root Certificate Authority (CA) cross-certificates installed in the Untrusted Certificates Store on unclassified systems.
2
Rule
Severity: Medium
Windows Server 2019 must have the US DoD CCEB Interoperability Root CA cross-certificates in the Untrusted Certificates Store on unclassified systems.
2
Rule
Severity: Medium
Windows Server 2022 must have the DoD Root Certificate Authority (CA) certificates installed in the Trusted Root Store.
2
Rule
Severity: Medium
Windows Server 2022 must have the DoD Interoperability Root Certificate Authority (CA) cross-certificates installed in the Untrusted Certificates Store on unclassified systems.
2
Rule
Severity: Medium
Windows Server 2022 must have the US DoD CCEB Interoperability Root CA cross-certificates in the Untrusted Certificates Store on unclassified systems.
2
Rule
Severity: Medium
The MySQL Database Server 8.0 must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of all encrypted sessions.
2
Rule
Severity: Medium
The Palo Alto Networks security platform being used for TLS/SSL decryption using PKI-based user authentication must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certificate Authorities (CAs) for the establishment of protected sessions.
2
Rule
Severity: Medium
Automation Controller must only allow the use of DOD PKI-established certificate authorities for verification of the establishment of protected sessions.
2
Rule
Severity: Medium
Redis Enterprise DBMS must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of all encrypted sessions.
2
Rule
Severity: Medium
The VMM must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions.
4
Rule
Severity: Medium
The vCenter Server Machine Secure Sockets Layer (SSL) certificate must be issued by a DOD certificate authority.
1
Rule
Severity: Medium
The web server must only accept client certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs).
6
Rule
Severity: Medium
WebSphere MQ channel security is not implemented in accordance with security requirements.
1
Rule
Severity: Medium
The EDB Postgres Advanced Server must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of all encrypted sessions.
2
Rule
Severity: Medium
The Windows DNS Server must use an approved DOD PKI certificate authority.
1
Rule
Severity: Low
The F5 BIG-IP appliance APM Access Policies that grant access to web application resources must allow only client certificates that have the User Persona Name (UPN) value in the User Persona Client Certificates.
1
Rule
Severity: Medium
The F5 BIG-IP appliance providing user authentication intermediary services must only accept end entity certificates issued by DOD PKI or DOD-approved PKI Certification Authorities (CAs) for the establishment of protected sessions.
1
Rule
Severity: Medium
Ubuntu 22.04 LTS must use DOD PKI-established certificate authorities for verification of the establishment of protected sessions.
1
Rule
Severity: Medium
PostgreSQL must only accept end entity certificates issued by DOD PKI or DOD-approved PKI Certification Authorities (CAs) for the establishment of all encrypted sessions.
1
Rule
Severity: Medium
The Dragos Platform must only allow the use of DOD PKI established certificate authorities for verification of the establishment of protected sessions.
1
Rule
Severity: High
The F5 BIG-IP appliance providing intermediary services for remote access must use FIPS-validated cryptographic algorithms, including TLS 1.2 at a minimum.
1
Rule
Severity: Medium
The Enterprise Voice, Video, and Messaging Session Manager must only allow the use of DOD-approved PKI certificate authorities when using PKI.
1
Rule
Severity: Medium
All digital certificates in use must have a valid path to a trusted certification authority (CA).
1
Rule
Severity: Medium
The ISEC7 SPHERE must allow the use of DOD PKI established certificate authorities for verification of the establishment of protected sessions.
1
Rule
Severity: Medium
The Ivanti EPMM server must only allow the use of DoD PKI established certificate authorities for verification of the establishment of protected sessions.
1
Rule
Severity: Medium
MongoDB must only accept end entity certificates issued by DOD PKI or DOD-approved PKI Certification Authorities (CAs) for the establishment of all encrypted sessions.
2
Rule
Severity: Medium
Splunk Enterprise must only allow the use of DOD-approved certificate authorities for cryptographic functions.
1
Rule
Severity: Medium
The VPN Gateway providing authentication intermediary services must only accept end entity certificates (user or machine) issued by DOD PKI or DOD-approved PKI Certification Authorities (CAs) for the establishment of VPN sessions.
1
Rule
Severity: Medium
The web server must only accept client certificates (user and machine) issued by DOD PKI or DOD-approved PKI Certificate Authorities (CAs).
1
Rule
Severity: High
The UEM server must provide digitally signed policies and policy updates to the UEM agent.
1
Rule
Severity: High
The UEM server must sign policies and policy updates using a private key associated with [selection: an X509 certificate, a public key provisioned to the agent trusted by the agent] for policy verification.
1
Rule
Severity: High
The UEM server, for each unique policy managed, must validate the policy is appropriate for an agent using [selection: a private key associated with an X509 certificate representing the agent, a token issued by the agent] associated with a policy signing key uniquely associated with the policy.
Patternfly
PatternFly elements
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.
Modules