Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-6128 | APP3290 | SV-6128r1_rule | IATS-1 IATS-2 | Medium |
Description |
---|
Using unapproved PKI certificates could allow access by non-DoD and unauthorized users. |
STIG | Date |
---|---|
Application Security and Development Checklist | 2014-12-22 |
Check Text ( C-2940r1_chk ) |
---|
Policy: The designer and IAO will ensure PK-enabled applications are designed and implemented to use approved credentials authorized under the DoD PKI program. The IAO will ensure the PK-enabled applications are configured to honor only approved DoD PKI certificates.

If the application is not PK-enabled, this check is not applicable. If the application resides on the SIPRNet and PKI infrastructure is unavailable, this check is not applicable.

Ask whether the application utilizes PKI certificates other than DoD PKI and External Certification Authority (ECA) certificates. Verify the certificate used in authentication in APP3280. Internet Explorer can be used to view certificate information:

1. Select “Tools”.
2. Select “Internet Options”.
3. Select the “Content” tab.
4. Select “Certificates”.
5. Select the certificate used for authentication and click “View”.
6. Select the “Details” tab.
7. Select “Issuer”.

If the application utilizes PKI certificates other than DoD PKI and ECA certificates, this is a finding.
Fix Text (F-17018r1_fix) |
---|
Configure the application to use approved DoD PKI certificates and to honor only certificates issued under the DoD PKI program (DoD PKI or ECA). |
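The Internet Explorer steps in the check read the Issuer field, which is only a name string carried inside the certificate; any CA can place the DoD issuer name into certificates it signs. An application that honors only approved DoD PKI certificates therefore has to enforce the restriction through its trust store, accepting a certificate only when its chain verifies against the approved DoD PKI and ECA CA certificates, rather than by comparing the issuer name. The shell script below is an added example and not part of this STIG: it builds two throwaway CAs that share an identical issuer DN (a constructed placeholder, not a real DoD CA identity), issues a client certificate from each, and shows that the issuer view alone cannot tell them apart while chain verification against a bundle holding only the approved CA rejects the unapproved one. The CA and subject names, file names and the openssl.cnf fragment are all constructed for the demonstration; only the openssl command-line tool is required.

```shell
#!/bin/sh
# Added example (not part of the STIG text). Requires the openssl CLI.
# Two throwaway CAs with IDENTICAL issuer names: one stands in for an approved
# DoD PKI CA, the other for an unapproved CA. The DN is a constructed
# placeholder, not a real DoD CA identity.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CFG="$WORK/openssl.cnf"
CA_DN="/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=Example DoD CA"

# Minimal OpenSSL config so the run does not depend on the host's default file.
cat >"$CFG" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ leaf_ext ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
EOF

# make_ca NAME DN: self-signed CA certificate and key in $WORK/NAME.{crt,key}
make_ca() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 -config "$CFG" \
        -subj "$2" -extensions ca_ext \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# make_leaf NAME CA SUBJECT: client-auth certificate signed by $WORK/CA
make_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -config "$CFG" -subj "$3" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/$1.csr" \
        -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" -CAcreateserial \
        -extfile "$CFG" -extensions leaf_ext -out "$WORK/$1.crt" 2>/dev/null
}

# cert_issuer FILE: the Issuer DN, i.e. what the IE "Details > Issuer" view shows.
cert_issuer() {
    openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//'
}

# cert_is_approved FILE: the check the application itself must make, a full
# chain build against a store that holds ONLY approved CA certificates
# (-no-CApath keeps the host's default CA directory out of the decision).
cert_is_approved() {
    openssl verify -no-CApath -CAfile "$WORK/approved-bundle.pem" "$1" >/dev/null 2>&1
}

make_ca approved-ca "$CA_DN"
make_ca rogue-ca    "$CA_DN"    # same issuer name, different key
make_leaf good-leaf  approved-ca "/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=example.user"
make_leaf rogue-leaf rogue-ca    "/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=example.user"
cp "$WORK/approved-ca.crt" "$WORK/approved-bundle.pem"   # the application's trust store

for leaf in good-leaf rogue-leaf; do
    printf '%s issuer: %s\n' "$leaf" "$(cert_issuer "$WORK/$leaf.crt")"
    if cert_is_approved "$WORK/$leaf.crt"; then
        echo "$leaf: chains to an approved CA"
    else
        echo "$leaf: REJECTED (does not chain to an approved CA)"
    fi
done
```

The script writes only to a temporary directory. Both leaves print the same issuer line, so the visual check in the STIG cannot distinguish them, while `cert_is_approved` accepts only the one signed by the CA in the bundle. For a fielded application the equivalent setting is the trust store (CA bundle, keystore or certificate store) it validates peer certificates against: populate it solely with the DoD Root and intermediate CA certificates, plus ECA certificates where they are permitted, and remove the commercial roots. `openssl x509 -in cert.pem -noout -issuer` reproduces the Internet Explorer Details > Issuer field from the command line for the reviewer.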