Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-6127 | APP3280 | SV-6127r1_rule | IATS-1 IATS-2 | Medium |
Description |
---|
Non PK-enabled applications can allow unauthorized persons or entities to intercept information. A PK-enabled application gives assurance of the user accessing the application. |
STIG | Date |
---|---|
Application Security and Development Checklist | 2014-04-03 |
Check Text ( C-2938r1_chk ) |
---|
This check is not applicable where application users are determined to have authorized access to the application and are not eligible to receive a CAC/DoD PKI certificate (e.g., retirees, dependents, etc.), as defined by DoDI 8520.2. 1) Ask the application representative if an application is PK-enabled. If the answer is no, this a finding. If the application is in a production environment, the application representative should be able to login to the application with a CAC. If the application resides on the SIPRNet, or in a test environment, the application representative may only have test certificates and should be able to login to the application with a soft certificate. Note: The certificates for this check do not need to be DoD approved certificates. 2) If the application representative cannot log in to the application with either soft certificates or certificates from a CAC, it is a finding. Ask the application representative where the certificate store is for the application and verify there are the correct test or production certificates for user authentication. Make certain a certificate is required for user authentication. Ask the application representative to temporarily remove the certificate from the certificate store and authenticate to the application. For web application using Internet Explorer from the Tools Menu Select “Internet Options” Select “Content” tab Select “Certificates” Select “Remove” Other applications certificate stores will have similar features. 3) If the application representative can login to the application without either soft certificates or certificates stored on a CAC or another authentication mechanism, this is a CAT I finding for check APP3460. This finding should not be recorded for this check. 4) Ask the application representative to demonstrate encryption is being used for authentication. If the application representative cannot demonstrate encryption is being used, it is a finding. |
Fix Text (F-17017r1_fix) |
---|
Modify the application to use certificate based authentication. |