UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

IATS-2 Token and Certificate Standards


Overview

Identification and authentication is accomplished using the DoD PKI Class 3 or 4 certificate and hardware security token (when available) or an NSA-certified product.

MAC / CONF Impact Subject Area
MACI
MACII
Medium Identification and Authentication

Details

Threat
DoD PKI hardware tokens will be used to support automation and enhance security without jeopardizing user mobility.  DoD PKI hardware tokens will provide a “medium” level of robustness and security strength applicable to “unclassified mission critical” operations.  There are a number of potential threats and vulnerabilities on the Token, to include the following:
 
  · Physical attacks
  · Logical attacks
  · Attacks associated with control of access to the Token
  · Attacks associated with unanticipated interactions with the Token
  · Attacks associated with the Token’s Cryptographic Functions
  · Attacks associated with monitoring information of the Token
  · Attacks associated with miscellaneous threats to the Token; and
  · Attacks associate with the operating environment of the Token
 
The DoD PKI hardware token should be an enhanced COTS product, based on token standards, and interoperable with any commercial and DoD PKI applications.

Guidance
1. The DoD will provide for a certificate management infrastructure yielding a capability to verify the identity, authority and integrity involved in each transaction.
2.     The system administrators shall protect the workstations and the cryptographic module from unauthorized access or modification via the following at a minimum:
  · Access control list
  · Configuration management
  · Physical protection
3. The system administrators shall ensure that all applications should be Common Criteria evaluated and Joint Interoperability Testing Command certified.
4. The system administrators shall configure workstations with the appropriate security technical implementation guidance and implement the IAVA process into configuration management practices in accordance with the security policy.

References

  • Department of Defense (DoD) Public Key Infrastructure (PKI) Token Protection Profile (Medium Robustness), Version 2, Release 1 of the “Common Criteria” International Standard 15408
  • Smart Card Security User Group Smart Card Protection Profile (SCSUG-SCPP) Draft Version 2.0
  • DISA IAVA Process Handbook, Version 2, Release 1, 11 June 2002
  • FIPS 140-2 Level 2, FIPS 140-2 Level 3