STIGQter: STIG Summary: Cisco NX-OS Switch NDM Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021

The Cisco switch must be configured to obtain its public key certificates from an appropriate certificate policy through an approved service provider.

DISA Rule

SV-220515r604141_rule

Vulnerability Number

V-220515

Group Title

SRG-APP-000516-NDM-000344

Rule Version

CISC-ND-001440

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Ensure that certificate requests are only sent to DoD or DoD-approved service providers.

Check Contents

If PKI certificates are not implemented on the switch, this requirement is not applicable.

Step 1: Review the switch configuration to determine whether a CA trustpoint has been configured, as in the example below:

crypto ca trustpoint CA_X
enrollment terminal

Step 2: Verify that the CA is a DoD or DoD-approved service provider by entering the following command: show crypto ca certificates

The output lists the following information for each certificate:

Trustpoint (maps to a trustpoint configured in Step 1)
Common Name (CN) of the issuer
Organization (O) of the issuer
Organizational Unit (OU) of the issuer

Note: Cisco NX-OS software supports only the manual cut-and-paste method for certificate enrollment, so the switch holds no enrollment URL; the issuer fields of the installed certificate are the on-box evidence of which CA signed it.

If the switch is not configured to obtain its public key certificates from a DoD or DoD-approved service provider, this is a finding.
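The following script is an added example for automating Step 2 across many switches; it is not part of the STIG or of Cisco's software. It parses saved output of show crypto ca certificates (the sample text below is constructed, and its field layout follows the format Cisco documents for that command, which is an assumption), extracts the issuer DN of each trustpoint's identity certificate, and compares it against an approved-issuer list. The APPROVED_ISSUERS rule (O=U.S. Government with OU=DoD) is a placeholder for whatever your DoD or DoD-approved providers actually use; the STIG names no specific CA. Certificates listed under "CA certificate N:" are the chain, not the switch's own certificate, and are skipped; a trustpoint with no "certificate:" section is reported separately rather than as a finding, because the STIG is not applicable until a certificate is installed.

```python
"""Automated helper for STIG rule CISC-ND-001440 (V-220515), Step 2.

Parses the text of `show crypto ca certificates` from a Cisco NX-OS switch
and reports, per trustpoint, whether the identity certificate was issued by
an approved CA. The sample output and the approved-issuer policy below are
constructed for this example; the output layout follows Cisco's documented
format for the command (assumption, verify against your platform).
"""
import re
from typing import Dict, List, Optional

DnAttrs = Dict[str, List[str]]

# Constructed sample (not captured from a real switch): one trustpoint
# enrolled with a DoD CA, one enrolled with a lab CA, one not yet enrolled.
SAMPLE_OUTPUT = """\
Trustpoint: CA_X
certificate:
subject= /CN=nxos-core1.example.mil/OU=PKI/OU=DoD/O=U.S. Government/C=US
issuer= /CN=DOD ID CA-59/OU=PKI/OU=DoD/O=U.S. Government/C=US
serial=0A1B2C3D
notBefore=Jan  5 00:00:00 2021 GMT
notAfter=Jan  5 00:00:00 2024 GMT
MD5 Fingerprint=3D:33:62:3D:B4:D0:87:A0:70:DE:A3:B7:C8:03:07:5B
purposes: sslserver sslclient ike

CA certificate 0:
subject= /CN=DoD Root CA 3/OU=PKI/OU=DoD/O=U.S. Government/C=US
issuer= /CN=DoD Root CA 3/OU=PKI/OU=DoD/O=U.S. Government/C=US
serial=01
purposes: sslserver sslclient ike

Trustpoint: LAB_CA
certificate:
subject= /CN=nxos-core1/O=Lab/C=US
issuer= /CN=Lab Root/OU=netstorage/O=Lab/C=US
serial=0B
purposes: sslserver sslclient ike

Trustpoint: PENDING
CA certificate 0:
subject= /CN=DoD Root CA 3/OU=PKI/OU=DoD/O=U.S. Government/C=US
issuer= /CN=DoD Root CA 3/OU=PKI/OU=DoD/O=U.S. Government/C=US
serial=01
"""

# ASSUMPTION: placeholder policy. Replace with the issuer attributes of your
# DoD or DoD-approved CAs; the STIG itself does not list them.
APPROVED_ISSUERS = [
    {"O": "U.S. Government", "OU": "DoD"},
]


def parse_dn(dn: str) -> DnAttrs:
    """Parse a slash-separated DN ('/CN=x/OU=y/OU=z/O=w/C=US') into
    attribute -> list of values. OU is multi-valued in DoD issuer names,
    so values are kept as lists. Values containing '/' are not handled."""
    attrs: DnAttrs = {}
    for part in dn.strip().lstrip("/").split("/"):
        key, sep, value = part.partition("=")
        if sep:
            attrs.setdefault(key.strip(), []).append(value.strip())
    return attrs


def parse_show_crypto_ca_certificates(text: str) -> Dict[str, Dict[str, Optional[DnAttrs]]]:
    """Return {trustpoint: {'subject': DN, 'issuer': DN}} for the identity
    certificate (the 'certificate:' section) of each 'Trustpoint:' block.
    Both DNs are None when the trustpoint has no identity certificate."""
    result: Dict[str, Dict[str, Optional[DnAttrs]]] = {}
    current: Optional[str] = None
    in_identity = False
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^Trustpoint:\s*(\S+)", line)
        if m:
            current = m.group(1)
            result[current] = {"subject": None, "issuer": None}
            in_identity = False
            continue
        if current is None:
            continue
        if line == "certificate:":
            in_identity = True
            continue
        if re.match(r"^CA certificate \d+:", line):
            in_identity = False  # chain entries are not the switch's own cert
            continue
        if in_identity:
            for field in ("subject", "issuer"):
                if line.startswith(field + "="):
                    result[current][field] = parse_dn(line[len(field) + 1:])
    return result


def issuer_is_approved(issuer: DnAttrs, approved=APPROVED_ISSUERS) -> bool:
    """True if every attribute/value of some approved rule appears among the
    issuer DN's values (membership, since OU may carry several values)."""
    return any(
        all(value in issuer.get(attr, []) for attr, value in rule.items())
        for rule in approved
    )


def evaluate(text: str, approved=APPROVED_ISSUERS) -> Dict[str, str]:
    """Map each trustpoint to 'approved', 'finding' or 'no-certificate'."""
    verdicts: Dict[str, str] = {}
    for trustpoint, certs in parse_show_crypto_ca_certificates(text).items():
        issuer = certs["issuer"]
        if issuer is None:
            verdicts[trustpoint] = "no-certificate"
        elif issuer_is_approved(issuer, approved):
            verdicts[trustpoint] = "approved"
        else:
            verdicts[trustpoint] = "finding"
    return verdicts


if __name__ == "__main__":
    for trustpoint, verdict in evaluate(SAMPLE_OUTPUT).items():
        print(f"{trustpoint}: {verdict}")
```

A "no-certificate" result means the trustpoint exists but nothing has been installed yet, which a reviewer still has to reconcile with the running configuration from Step 1; a "finding" is reported only when an identity certificate is present and its issuer matches none of the approved rules. Because enrollment is cut-and-paste, the script can only judge the certificate that ended up on the box; confirming that the CSR itself went only to an approved provider remains a procedural review.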

Documentable

False

Severity Override Guidance

Same as Check Contents above.

Check Content Reference

M

Target Key

4066

Comments