STIGQter: STIG Summary: Network Device Management Security Requirements Guide Version: 4 Release: 1 Benchmark Date: 23 Apr 2021: STIGQter: STIG Summary: Network Device Management Security Requirements Guide Version: 4 Release: 1 Benchmark Date: 23 Apr 2021:SV-237780r663939_rule
V-237780
SRG-APP-000175
SRG-APP-000175-NDM-000262
CAT I
10
Configure the network device to validate certificates used for PKI-based authentication using DoD approved OCSP or CRL sources.
Verify the network device is configured to validate certificates used for PKI-based authentication using DoD approved OCSP or CRL resources. If the network device is not configured to validate certificates used for PKI-based authentication using DoD approved OCSP or CRL sources, this is a finding.
Note: This requirement may be not applicable if the network device is not configured to use DoD PKI as multi-factor authentication for interactive logins. In that scenario, this requirement should be included as part of the business case and discussion with the AO who is required to accept the risk of the alternative solution. However, if alternative DoD or AO approved solutions are employed which still rely on some form of PKI (digital certificates), this requirement should be tailored to configure certificate validation of the accepted solution. An example may be the reinforcement of a list of explicitly allowed, unique per user, session certificates that are both configured on the devices and documented with the ISSO and ISSM (implying that all other certificates are also explicitly forbidden).
V-237780
False
SRG-APP-000175-NDM-000262
Verify the network device is configured to validate certificates used for PKI-based authentication using DoD approved OCSP or CRL resources. If the network device is not configured to validate certificates used for PKI-based authentication using DoD approved OCSP or CRL sources, this is a finding.
Note: This requirement may be not applicable if the network device is not configured to use DoD PKI as multi-factor authentication for interactive logins. In that scenario, this requirement should be included as part of the business case and discussion with the AO who is required to accept the risk of the alternative solution. However, if alternative DoD or AO approved solutions are employed which still rely on some form of PKI (digital certificates), this requirement should be tailored to configure certificate validation of the accepted solution. An example may be the reinforcement of a list of explicitly allowed, unique per user, session certificates that are both configured on the devices and documented with the ISSO and ISSM (implying that all other certificates are also explicitly forbidden).
M
2890