The BIG-IP APM module must accept Personal Identity Verification (PIV) credentials from other federal agencies.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-60055	F5BI-AP-000205	SV-74485r1_rule		Medium

Description
Access may be denied to authorized users if federal agency PIV credentials are not accepted. Personal Identity Verification (PIV) credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. OMB Memorandum 11-11 requires federal agencies to continue implementing the requirements specified in HSPD-12 to enable agency-wide use of PIV credentials. This requirement applies to ALGs that provide user authentication intermediary services (e.g., authentication gateway or TLS gateway). This does not apply to authentication for the purpose of configuring the device itself (device management).

Description

Access may be denied to authorized users if federal agency PIV credentials are not accepted. Personal Identity Verification (PIV) credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. OMB Memorandum 11-11 requires federal agencies to continue implementing the requirements specified in HSPD-12 to enable agency-wide use of PIV credentials. This requirement applies to ALGs that provide user authentication intermediary services (e.g., authentication gateway or TLS gateway). This does not apply to authentication for the purpose of configuring the device itself (device management).

STIG	Date
F5 BIG-IP Access Policy Manager 11.x Security Technical Implementation Guide	2015-06-02

Details

Check Text ( C-60735r1_chk )
If the BIG-IP APM module does not provide user authentication intermediary services to non-organizational users, this is not applicable. Verify the BIG-IP APM module is configured as follows: Navigate to the BIG-IP System manager >> Access Policy >> Access Profiles. Click "Edit..." in the "Access Policy" column for an Access Profile used to identify and authenticate users from other federal agencies. Verify the Access Profile is configured to accept Personal Identity Verification (PIV) credentials from other federal agencies. If the BIG-IP APM module is not configured to accept Personal Identity Verification (PIV) credentials from other federal agencies, this is a finding.

Check Text ( C-60735r1_chk )

If the BIG-IP APM module does not provide user authentication intermediary services to non-organizational users, this is not applicable.

Verify the BIG-IP APM module is configured as follows:

Navigate to the BIG-IP System manager >> Access Policy >> Access Profiles.

Click "Edit..." in the "Access Policy" column for an Access Profile used to identify and authenticate users from other federal agencies.

Verify the Access Profile is configured to accept Personal Identity Verification (PIV) credentials from other federal agencies.

If the BIG-IP APM module is not configured to accept Personal Identity Verification (PIV) credentials from other federal agencies, this is a finding.

Fix Text (F-65465r1_fix)
If the BIG-IP APM module provides user authentication intermediary services to non-organizational users, configure a profile in the BIG-IP APM module to accept Personal Identity Verification (PIV) credentials from those federal agencies.