
The Mission Owner of the Infrastructure as a Service (IaaS)/Platform as a Service (PaaS) must implement an encrypted, FIPS 140-2/3 compliant path between the implemented systems/applications and the DOD Online Certificate Status Protocol (OCSP) responders.


Overview

Finding ID: V-259870
Version: SRG-NET-000580-CLD-000070
Rule ID: SV-259870r945598_rule
IA Controls:
Severity: Medium
Description
The Mission Owner must use identity services, including an OCSP responder, for remote system DOD Common Access Card (CAC) two-factor authentication of DOD privileged (all Impact Levels) and/or nonprivileged users (Impact Levels 4–6) to systems instantiated within the cloud service environment.
STIG: Cloud Computing Mission Owner Network Security Requirements Guide
Date: 2024-06-13

Details

Check Text (C-63601r945596_chk)
This applies to all Impact Levels.

If this is a Software as a Service (SaaS) implementation, this is not a finding.

Verify that a FIPS 140-2/3 compliant communication protocol is configured for communication between the implemented systems/applications and the DOD OCSP responders.

If the cloud IaaS/PaaS does not implement a secure (encrypted) connection or path between the implemented systems/applications and the DOD OCSP responders, this is a finding.
Fix Text (F-63508r945597_fix)
This applies to all Impact Levels.
FedRAMP Moderate, High.

Configure the IaaS/PaaS to implement an encrypted path that is FIPS 140-2/3 compliant between the implemented systems/applications and the DOD OCSP responders.