UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The designer will ensure applications requiring user authentication are PK-enabled and are designed and implemented to support hardware tokens (e.g., CAC for NIPRNet).


Overview

Finding ID Version Rule ID IA Controls Severity
V-6127 APP3280 SV-6127r1_rule IATS-1 IATS-2 Medium
Description
Non PK-enabled applications can allow unauthorized persons or entities to intercept information. A PK-enabled application gives assurance of the user accessing the application.
STIG Date
Application Security and Development Checklist 2014-12-22

Details

Check Text ( C-2938r1_chk )
This check is not applicable where application users are determined to have authorized access to the application and are not eligible to receive a CAC/DoD PKI certificate (e.g., retirees, dependents, etc.), as defined by DoDI 8520.2.

1) Ask the application representative if an application is PK-enabled. If the answer is no, this a finding.

If the application is in a production environment, the application representative should be able to login to the application with a CAC.

If the application resides on the SIPRNet, or in a test environment, the application representative may only have test certificates and should be able to login to the application with a soft certificate.
Note: The certificates for this check do not need to be DoD approved certificates.

2) If the application representative cannot log in to the application with either soft certificates or certificates from a CAC, it is a finding.

Ask the application representative where the certificate store is for the application and verify there are the correct test or production certificates for user authentication. Make certain a certificate is required for user authentication. Ask the application representative to temporarily remove the certificate from the certificate store and authenticate to the application.

For web application using Internet Explorer from the Tools Menu Select “Internet Options”
Select “Content” tab
Select “Certificates”
Select “Remove”
Other applications certificate stores will have similar features.

3) If the application representative can login to the application without either soft certificates or certificates stored on a CAC or another authentication mechanism, this is a CAT I finding for check APP3460. This finding should not be recorded for this check.

4) Ask the application representative to demonstrate encryption is being used for authentication. If the application representative cannot demonstrate encryption is being used, it is a finding.
Fix Text (F-17017r1_fix)
Modify the application to use certificate based authentication.