Skip to content
ATO Pathways
Log In
Overview
Search
Catalogs
SCAP
OSCAL
Catalogs
Profiles
Resources
Documents
Publishers
References
Knowledge Base
Platform Documentation
Compliance Dictionary
Platform Changelog
About
Catalogs
XCCDF
Application Server Security Requirements Guide
SRG-APP-000148
SRG-APP-000148
An XCCDF Group - A logical subset of the XCCDF Benchmark
Details
Profiles
Prose
SRG-APP-000148
1 Rule
The application server must use an approved DOD enterprise identity, credential, and access management (ICAM) solution to uniquely identify and authenticate users (or processes acting on behalf of organizational users).
Medium Severity
To ensure accountability and prevent unauthorized access, application server users must be uniquely identified and authenticated. This is typically accomplished via the use of a user store, which is either local (OS-based) or centralized (LDAP). However, DoDI 8520.03 now requires that applications use an approved DOD enterprise (E-ICAM) solution whenever the ICAM solution addresses information system needs. Where the ICAM solution has been evaluated and found to not meet the needs of information system owners, information system owners must reevaluate decisions to use locally managed solutions and transition to DOD enterprise ICAM solutions to the maximum extent possible as the enterprise ICAM solutions mature.