Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
IATS-1 Token and Certificate Standards
Overview
Identification and authentication is accomplished using the DoD PKI Class 3 certificate and hardware security token (when available).
| MAC / CONF | Impact | Subject Area |
|---|---|---|
| MACIII | Medium | Identification and Authentication |
Details
| Threat |
|---|
| DoD PKI and KMI software Tokens are required to counter the following threats: · Logical attack · Control of access · Unanticipated interactions · Cryptographic functions · Miscellaneous threats |
| Guidance |
|---|
| 1. The DoD will provide for a certificate management infrastructure yielding a capability to verify the identity, authority and integrity involved in each transaction. 2. The system administrators shall protect the workstations and the cryptographic module from unauthorized access or modification via the following at a minimum: · Access control list · Configuration management · Physical protection 3. The system administrators shall ensure that all applications should be Common Criteria evaluated and Joint Interoperability Testing Command certified. 4. The system administrators shall configure workstations with the appropriate security technical implementation guidance and implement the IAVA process into configuration management practices in accordance with the security policy. |
References
- Department of Defense (DoD) Public Key Infrastructure (PKI) Token Protection Profile (Medium Robustness), Version 2, Release 1 of the “Common Criteria” International Standard 15408
- Smart Card Security User Group Smart Card Protection Profile (SCSUG-SCPP) Draft Version 2
- DISA IAVA Process Handbook, Version 2, Relase 1, 11 June 2002
- FIPS 140-2 Level 2, FIPS 140-2 Level 3