The fabric switches must use DoD-approved PKI rather than proprietary or self-signed device certificates.
An XCCDF Rule
Description
DOD PKI supplies better protection from malicious attacks than userid/password authentication and should be used anytime it is feasible.

- Documentable: false
- Potential Impacts: Failure to develop a plan for the coordinated correction of these vulnerabilities across the SAN could lead to a denial of service caused by a disruption or failure of the SAN.
- Responsibility: Information Assurance Officer, Network Security Officer
- ID: SV-6768r2_rule
- Severity: Low
- Updated
Remediation - Manual Procedure
Generate a new key-pair from a DoD-approved certificate issuer. Sites must consult the PKI/PKI pages on the http://iase.disa.mil/ website for procedures for NIPRNet and SIPRNet.