STIGQter: STIG Summary: Application Security and Development Security Technical Implementation Guide Version: 5 Release: 1 Benchmark Date: 23 Oct 2020:

The application must only allow the use of DoD-approved certificate authorities for verification of the establishment of protected sessions.

DISA Rule

SV-222584r508029_rule

Vulnerability Number

V-222584

Group Title

SRG-APP-000427

Rule Version

APSC-DV-002300

Severity

CAT II

CCI(s)

• CCI-002470 - The information system only allows the use of organization-defined certificate authorities for verification of the establishment of protected sessions.

Weight

10

Fix Recommendation

Configure the application to utilize DoD-approved PKI established CAs when verifying DoD-signed certificates.

Check Contents

Review the application documentation and interview the application administrator to identify certificate location.

Internet Explorer can be used to view certificate information:

Select “Tools”
Select “Internet Options”
Select “Content” tab
Select “Certificates”
Select the certificate used for authentication:

Click “View”
Select “Details” tab
Select “Issuer”

If the application utilizes PKI certificates other than DoD-approved PKI and ECA certificates, this is a finding.

Vulnerability Number

V-222584

Documentable

False

Rule Version

APSC-DV-002300

Severity Override Guidance

Review the application documentation and interview the application administrator to identify certificate location.

Internet Explorer can be used to view certificate information:

Select “Tools”
Select “Internet Options”
Select “Content” tab
Select “Certificates”
Select the certificate used for authentication:

Click “View”
Select “Details” tab
Select “Issuer”

If the application utilizes PKI certificates other than DoD-approved PKI and ECA certificates, this is a finding.

Check Content Reference

M

Target Key

4093

Comments