The cloud service offering (CSO) must be configured to use DOD public key infrastructure (PKI) to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).

Description

<VulnDiscussion>To ensure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Identity Federation requirements to enable Common Access Card (CAC) authentication of nonprivileged DOD users to cloud-hosted DOD (e.g., Infrastructure as a Service [IaaS] and Platform as a Service [PaaS]) or Software as a Service (SaaS) provided systems and services is the responsibility of the CSO, procuring DOD Component, or Program Office. Mission Owners may choose to use the cloud service providers (CSP's) CAC services (based on Level), use a DOD federated offering, or install a virtual Directory Service. For Impact Levels 2–5, the CSPs must have either a DOD PKI certificate or a DOD-approved External Certification Authority (ECA) medium-assurance PKI Certificate for each person who needs to communicate with DOD via encrypted email and for admin accounts. CSPs serving Level 6 systems will already have SIPRNet tokens/NSS PKI certificates for their system administrators by virtue of the connection to SIPRNet. Satisfies: SRG-OS-000104,SRG-OS-000377</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>