CCI-002470
Only allow the use of organization-defined certificate authorities for verification of the establishment of protected sessions.
The A10 Networks ADC being used for TLS encryption and decryption using PKI-based user authentication must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certificate Authorities (CAs) for the establishment of protected sessions.
1 rule found Severity: Medium

Adobe Acrobat Pro DC Continuous periodic downloading of Adobe European certificates must be disabled.
1 rule found Severity: Low

1 rule found Severity: Low

1 rule found Severity: Low

Kona Site Defender providing user authentication intermediary services using PKI-based user authentication must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of protected sessions.
1 rule found Severity: High

Compliance Guardian must only allow the use of DOD PKI established certificate authorities for verification of the establishment of protected sessions.
1 rule found Severity: Medium

DocAve must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions.
1 rule found Severity: Medium

The BlackBerry Enterprise Mobility Server (BEMS) must be configured to use DoD certificates for SSL.
1 rule found Severity: Medium

The BlackBerry Enterprise Mobility Server (BEMS) must be configured to use DOD certificates for SSL.
1 rule found Severity: Medium

The CA API Gateway providing user authentication intermediary services using PKI-based user authentication must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of protected sessions.
1 rule found Severity: Medium

Citrix Linux Virtual Delivery Agent must only allow the use of DoD PKI established certificate authorities for verification of the establishment of protected sessions.
1 rule found Severity: High

Universal Control Plane (UCP) must be integrated with a trusted certificate authority (CA) in Docker Enterprise.
1 rule found Severity: Medium

Docker Trusted Registry (DTR) must be integrated with a trusted certificate authority (CA) in Docker Enterprise.
1 rule found Severity: Medium

The DataPower Gateway providing user authentication intermediary services using PKI-based user authentication must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of protected sessions.
1 rule found Severity: Medium

The MQ Appliance messaging server must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected (messaging) sessions.
1 rule found Severity: Medium

DB2 must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of all encrypted sessions.
1 rule found Severity: Medium

The WebSphere Application Server personal certificates in all keystores must be issued by an approved DoD CA.
1 rule found Severity: Medium

The Ivanti MobileIron Core server must only allow the use of DoD PKI established certificate authorities for verification of the establishment of protected sessions.
1 rule found Severity: Medium

The ISEC7 EMM Suite must allow the use of DoD PKI established certificate authorities for verification of the establishment of protected sessions.
1 rule found Severity: Medium

The Sentry providing mobile device authentication intermediary services using PKI-based mobile device authentication must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of protected sessions.
2 rules found Severity: Medium

The Windows 2012 DNS Server must only allow the use of approved DoD PKI-established certificate authorities for verification of the establishment of protected transactions.
1 rule found Severity: Medium

1 rule found Severity: High

OHS must have the LoadModule ossl_module directive enabled so SSL requests can be processed with client certificates only issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs).
1 rule found Severity: Medium

OHS must have the SSLFIPS directive enabled so SSL requests can be processed with client certificates only issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs).
1 rule found Severity: Medium

OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled so SSL requests can be processed with client certificates only issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs).
1 rule found Severity: Medium

OHS must have the SSLCipherSuite directive enabled so SSL requests can be processed with client certificates only issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs).
1 rule found Severity: Medium

OHS must have the SSLVerifyClient directive enabled to only accept client certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs).
1 rule found Severity: Medium

1 rule found Severity: Medium

Innoslate must use multifactor authentication for network access to privileged and non-privileged accounts.
1 rule found Severity: High

If reverse proxy is used for validating and restricting certs from external entities, and this function is required by the SSP, Symantec ProxySG providing user authentication intermediary services using PKI-based user authentication must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of protected sessions.
1 rule found Severity: Medium

2 rules found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

The macOS system must accept and verify Personal Identity Verification (PIV) credentials, implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network, and only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions.
1 rule found Severity: Medium

The Ubuntu operating system must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions.
1 rule found Severity: Medium

MongoDB must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of all encrypted sessions.
2 rules found Severity: Medium

PostgreSQL must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of all encrypted sessions.
2 rules found Severity: Medium

The EDB Postgres Advanced Server must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of all encrypted sessions.
1 rule found Severity: Medium

The F5 BIG-IP appliance APM Access Policies that grant access to web application resources must allow only client certificates that have the User Persona Name (UPN) value in the User Persona Client Certificates.
1 rule found Severity: Low

The F5 BIG-IP appliance providing user authentication intermediary services must only accept end entity certificates issued by DOD PKI or DOD-approved PKI Certification Authorities (CAs) for the establishment of protected sessions.
1 rule found Severity: Medium

1 rule found Severity: Medium

The macOS system must accept and verify Personal Identity Verification (PIV) credentials, implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network, and only allow the use of DOD PKI-established certificate authorities for verification of the establishment of protected sessions.
1 rule found Severity: Medium

The Ubuntu operating system must use DoD PKI-established certificate authorities for verification of the establishment of protected sessions.
1 rule found Severity: Medium

PostgreSQL must only accept end entity certificates issued by DOD PKI or DOD-approved PKI Certification Authorities (CAs) for the establishment of all encrypted sessions.
1 rule found Severity: Medium

If the DNS server is using SIG(0), the DNS server implementation must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected transactions.
1 rule found Severity: Medium

The F5 BIG-IP appliance providing intermediary services for remote access must use FIPS-validated cryptographic algorithms, including TLS 1.2 at a minimum.
1 rule found Severity: High

The EDB Postgres Advanced Server must only accept end entity certificates issued by DOD PKI or DOD-approved PKI Certification Authorities (CAs) for the establishment of all encrypted sessions.
1 rule found Severity: Medium

The Enterprise Voice, Video, and Messaging Session Manager must only allow the use of DOD-approved PKI certificate authorities when using PKI.
1 rule found Severity: Medium

The HPE 3PAR OS must be configured to only allow the use of DOD PKI-established certificate authorities for authentication in the establishment of protected sessions to the operating system.
1 rule found Severity: Medium

The HPE 3PAR OS syslog-sec-client must be configured to perform mutual TLS authentication using a CA-signed client certificate.
1 rule found Severity: Medium

The HPE 3PAR OS must be configured to only use DOD PKI established certificate authorities for authentication in the establishment of protected sessions to the operating system with an External Key Manager.
1 rule found Severity: Medium

The HPE 3PAR OS must be configured to perform mutual TLS authentication using a CA-signed client certificate when communicating with an External Key Manager.
1 rule found Severity: Medium

The HPE 3PAR OS must be configured to only use DOD PKI established certificate authorities for authentication in the establishment of protected sessions to the operating system with a centralized account management server.
1 rule found Severity: Medium

AIX must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions.
1 rule found Severity: Medium

The ISEC7 SPHERE must allow the use of DOD PKI established certificate authorities for verification of the establishment of protected sessions.
1 rule found Severity: Medium

The Ivanti EPMM server must only allow the use of DoD PKI established certificate authorities for verification of the establishment of protected sessions.
1 rule found Severity: Medium

JBoss must be configured to use DoD PKI-established certificate authorities for verification of the establishment of protected sessions.
1 rule found Severity: Medium

MarkLogic Server must only accept end-entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of all encrypted sessions.
1 rule found Severity: Medium

MongoDB must only accept end entity certificates issued by DOD PKI or DOD-approved PKI Certification Authorities (CAs) for the establishment of all encrypted sessions.
1 rule found Severity: Medium

A private IIS 10.0 website authentication mechanism must use client certificates to transmit session identifier to assure integrity.
1 rule found Severity: Medium

The IIS 10.0 website must only accept client certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs).
1 rule found Severity: Medium

The DoD Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems.
2 rules found Severity: Medium

The US DoD CCEB Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems.
3 rules found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

The MySQL Database Server 8.0 must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of all encrypted sessions.
1 rule found Severity: Medium

Redis Enterprise DBMS must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of all encrypted sessions.
1 rule found Severity: Medium

Automation Controller must only allow the use of DOD PKI-established certificate authorities for verification of the establishment of protected sessions.
1 rule found Severity: Medium

Splunk Enterprise must only allow the use of DOD-approved certificate authorities for cryptographic functions.
2 rules found Severity: Medium

1 rule found Severity: Medium

The web server must only accept client certificates (user and machine) issued by DOD PKI or DOD-approved PKI Certificate Authorities (CAs).
1 rule found Severity: Medium

NixOS, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
1 rule found Severity: Medium

1 rule found Severity: Medium

The Apache web server must only accept client certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs).
2 rules found Severity: Medium

The Apache web server must only accept client certificates issued by DOD PKI or DoD-approved PKI Certification Authorities (CAs).
1 rule found Severity: Medium

2 rules found Severity: Medium

The application server must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions.
1 rule found Severity: Medium

The ALG providing user authentication intermediary services using PKI-based user authentication must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of protected sessions.
1 rule found Severity: Medium

The application must only allow the use of DoD-approved certificate authorities for verification of the establishment of protected sessions.
1 rule found Severity: Medium

Ubuntu 22.04 LTS must use DOD PKI-established certificate authorities for verification of the establishment of protected sessions.
1 rule found Severity: Medium

The Central Log Server must only allow the use of DoD PKI established certificate authorities for verification of the establishment of protected sessions.
1 rule found Severity: Medium

AlmaLinux OS 9 must only allow the use of DOD PKI-established certificate authorities for authentication in the establishment of protected sessions to the operating system.
1 rule found Severity: Medium

The DBMS must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of all encrypted sessions.
1 rule found Severity: Medium

The Dragos Platform must only allow the use of DOD PKI established certificate authorities for verification of the establishment of protected sessions.
1 rule found Severity: Medium

The operating system must only allow the use of DoD PKI-established certificate authorities for authentication in the establishment of protected sessions to the operating system.
1 rule found Severity: Medium

All IBM z/OS digital certificates in use must have a valid path to a trusted Certification authority.
1 rule found Severity: Medium

1 rule found Severity: Medium

All IBM z/OS digital certificates in use must have a valid path to a trusted Certification Authority (CA).
1 rule found Severity: Medium

The Juniper SRX Services Gateway VPN must only allow the use of DoD PKI established certificate authorities for verification of the establishment of protected sessions.
1 rule found Severity: Medium

MariaDB must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of all encrypted sessions.
1 rule found Severity: Medium

Windows Server 2019 must have the DoD Root Certificate Authority (CA) certificates installed in the Trusted Root Store.
1 rule found Severity: Medium

Windows Server 2019 must have the DoD Interoperability Root Certificate Authority (CA) cross-certificates installed in the Untrusted Certificates Store on unclassified systems.
1 rule found Severity: Medium

Windows Server 2019 must have the US DoD CCEB Interoperability Root CA cross-certificates in the Untrusted Certificates Store on unclassified systems.
1 rule found Severity: Medium

Windows Server 2022 must have the DoD Root Certificate Authority (CA) certificates installed in the Trusted Root Store.
1 rule found Severity: Medium

Windows Server 2022 must have the DoD Interoperability Root Certificate Authority (CA) cross-certificates installed in the Untrusted Certificates Store on unclassified systems.
1 rule found Severity: Medium

Windows Server 2022 must have the US DoD CCEB Interoperability Root CA cross-certificates in the Untrusted Certificates Store on unclassified systems.
1 rule found Severity: Medium

The Palo Alto Networks security platform being used for TLS/SSL decryption using PKI-based user authentication must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certificate Authorities (CAs) for the establishment of protected sessions.
1 rule found Severity: Medium

The UEM Agent must only accept policies and policy updates that are digitally signed by a certificate that has been authorized for policy updates by the UEM Server.
1 rule found Severity: Medium

The UEM Agent must perform the following functions: Import the certificates to be used for authentication of UEM Agent communications.
1 rule found Severity: Medium

The UEM server must only allow the use of DoD PKI established certificate authorities for verification of the establishment of protected sessions.
1 rule found Severity: Medium

The UEM server must be configured to use X.509v3 certificates for code signing for system software updates.
1 rule found Severity: Medium

The UEM server must be configured to use X.509v3 certificates for code signing for integrity verification.
1 rule found Severity: Medium

1 rule found Severity: High

The UEM server must sign policies and policy updates using a private key associated with [selection: an X509 certificate, a public key provisioned to the agent trusted by the agent] for policy verification.
1 rule found Severity: High

The UEM server, for each unique policy managed, must validate the policy is appropriate for an agent using [selection: a private key associated with an X509 certificate representing the agent, a token issued by the agent] associated with a policy signing key uniquely associated with the policy.
1 rule found Severity: High

The VMM must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions.
1 rule found Severity: Medium

The vCenter Server Machine Secure Sockets Layer (SSL) certificate must be issued by a DOD certificate authority.
3 rules found Severity: Medium

The VPN Gateway providing authentication intermediary services must only accept end entity certificates (user or machine) issued by DOD PKI or DOD-approved PKI Certification Authorities (CAs) for the establishment of VPN sessions.
1 rule found Severity: Medium
