For user certificates, each organization obtains certificates from an approved, shared service provider, as required by OMB policy.
For federal agencies operating a legacy public key infrastructure cross-certified with the Federal Bridge Certification Authority at medium assurance or higher, this Certification Authority will suffice.
This control focuses on certificates with visibility external to the information system and does not include certificates related to internal system operations (for example, application-specific time services).
This is a PKI server requirement. Application servers do not produce, control, and distribute cryptographic keys.