Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-60055 | F5BI-AP-000205 | SV-74485r1_rule | Medium |
Description |
---|
Access may be denied to authorized users if federal agency PIV credentials are not accepted. Personal Identity Verification (PIV) credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. OMB Memorandum 11-11 requires federal agencies to continue implementing the requirements specified in HSPD-12 to enable agency-wide use of PIV credentials. This requirement applies to ALGs that provide user authentication intermediary services (e.g., authentication gateway or TLS gateway). This does not apply to authentication for the purpose of configuring the device itself (device management). |
STIG | Date |
---|---|
F5 BIG-IP Access Policy Manager 11.x Security Technical Implementation Guide | 2015-06-02 |
Check Text ( C-60735r1_chk ) |
---|
If the BIG-IP APM module does not provide user authentication intermediary services to non-organizational users, this is not applicable. Verify the BIG-IP APM module is configured as follows: Navigate to the BIG-IP System manager >> Access Policy >> Access Profiles. Click "Edit..." in the "Access Policy" column for an Access Profile used to identify and authenticate users from other federal agencies. Verify the Access Profile is configured to accept Personal Identity Verification (PIV) credentials from other federal agencies. If the BIG-IP APM module is not configured to accept Personal Identity Verification (PIV) credentials from other federal agencies, this is a finding. |
Fix Text (F-65465r1_fix) |
---|
If the BIG-IP APM module provides user authentication intermediary services to non-organizational users, configure a profile in the BIG-IP APM module to accept Personal Identity Verification (PIV) credentials from those federal agencies. |