
The cloud service offering (CSO) must be configured to use DOD public key infrastructure (PKI) to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).


Overview

Finding ID: V-259875
Version: SRG-OS-000104-CLD-000065
Rule ID: SV-259875r958482_rule
IA Controls: (none listed)
Severity: Medium
Description
To ensure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system.

Identity Federation requirements to enable Common Access Card (CAC) authentication of nonprivileged DOD users to cloud-hosted DOD systems and services (e.g., Infrastructure as a Service [IaaS] and Platform as a Service [PaaS]) or Software as a Service (SaaS)-provided systems and services are the responsibility of the CSO, procuring DOD Component, or Program Office. Mission Owners may choose to use the cloud service provider's (CSP's) CAC services (based on Level), use a DOD federated offering, or install a virtual Directory Service.

For Impact Levels 2–5, the CSPs must have either a DOD PKI certificate or a DOD-approved External Certification Authority (ECA) medium-assurance PKI certificate for each person who needs to communicate with DOD via encrypted email and for admin accounts. CSPs serving Level 6 systems will already have SIPRNet tokens/NSS PKI certificates for their system administrators by virtue of the connection to SIPRNet.

Satisfies: SRG-OS-000104, SRG-OS-000377
STIG: Cloud Computing Mission Owner Operating System Security Requirements Guide
Date: 2024-06-13

Details

Check Text (C-63606r945611_chk)
This is not applicable for Impact Level 2 public clouds with nonprivileged user access to publicly releasable information unless the information owner requires authenticated access.

Verify the CSO is configured to use DOD PKI to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).

If the CSO does not use DOD PKI to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users), this is a finding.
Fix Text (F-63513r945612_fix)
This applies to Impact Level 4/5/6 and FedRAMP Moderate/High.

Mission Owners may choose to use the CSP's CAC services (based on level), use a DOD federated offering, or install a virtual Directory Service.