CCI-004068

For public key-based authentication, AAA Services must be configured to implement a local cache of revocation data to support path discovery and validation.

The macOS system must set smart card certificate trust to moderate.

The application server, for PKI-based authentication, must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network.

The ALG providing user authentication intermediary services using PKI-based user authentication must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network.

The application, for PKI-based authentication, must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network.

The Ubuntu operating system for PKI-based authentication, must implement a local cache of revocation data in case of the inability to access revocation information via the network.

Ubuntu 22.04 LTS for PKI-based authentication, must implement a local cache of revocation data in case of the inability to access revocation information via the network.

The Central Log Server must for public key-based authentication, implement a local cache of revocation data to support path discovery and validation.

The Cisco ASA must be configured to not accept certificates that have been revoked when using PKI for authentication.

The Cisco ISE must be configured to use an external authentication server to authenticate administrators prior to granting administrative access.

The container platform, for PKI-based authentication, must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network.

The DNS server implementation, for PKI-based authentication, must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network.

The DBMS must, for public key-based authentication, implement a local cache of revocation data to support path discovery and validation.

The DNS server implementation must, for public key-based authentication, implement a local cache of revocation data to support path discovery and validation.

Forescout must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access.

The HPE Nimble must obtain its public key certificates from an appropriate certificate policy through an approved service provider.

The operating system, for PKI-based authentication, must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network.

AIX must setup SSH daemon to disable revoked public keys.

The ICS must be configured to use DOD approved OCSP responders or CRLs to validate certificates used for PKI-based authentication.

The Juniper EX switch must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access.

The Juniper SRX Services Gateway must be configured to use an authentication server to centrally manage authentication and logon settings for remote and nonlocal access.

The Juniper SRX Services Gateway must use DOD-approved PKI rather than proprietary or self-signed device certificates.

The Mainframe Product must for public key-based authentication, implement a local cache of revocation data to support path discovery and validation.

Docker CLI commands must be run with an MKE client trust bundle and without unnecessary permissions.

The Windows DNS Server must implement a local cache of revocation data for PKI authentication.

The network device must be configured to implement a local cache of revocation data to support path discovery and validation for public key-based authentication.

OL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.

Prisma Cloud Compute must be configured to require local user accounts to use x.509 multifactor authentication.

The Riverbed NetProfiler must be configured to obtain its public key certificates from an appropriate certificate policy through an approved service provider.

The Palo Alto Networks security platform must accept and verify Personal Identity Verification (PIV) credentials.

Automation Controller must be configured to use an enterprise user management system.

OpenShift must use FIPS validated LDAP or OpenIDConnect.

RHEL 9, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.

The SUSE operating system, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.

The TippingPoint SMS must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access and to enforce access restrictions.

TOSS, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.

The VMM, for PKI-based authentication, must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network.

The VPN Gateway must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network.

The VPN Gateway must configure OCSP to ensure revoked user certificates are prohibited from establishing an allowed session.

The VPN Gateway must configure OCSP to ensure revoked machine certificates are prohibited from establishing an allowed session.

The web server must, for public key-based authentication, implement a local cache of revocation data to support path discovery and validation.

The vCenter Server must enable revocation checking for certificate-based authentication.

The UEM server, for PKI-based authentication, must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network.