The BIG-IP APM module must electronically verify Personal Identity Verification (PIV) credentials from other federal agencies.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-60057	F5BI-AP-000207	SV-74487r1_rule		Medium

Description
Inappropriate access may be granted to unauthorized users if federal agency PIV credentials are not electronically verified. PIV credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. OMB Memorandum 11-11 requires federal agencies to continue implementing the requirements specified in HSPD-12 to enable agency-wide use of PIV credentials. This requirement applies to ALGs that provide user authentication intermediary services (e.g., authentication gateway or TLS gateway). This does not apply to authentication for the purpose of configuring the device itself (device management).

Description

Inappropriate access may be granted to unauthorized users if federal agency PIV credentials are not electronically verified. PIV credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. OMB Memorandum 11-11 requires federal agencies to continue implementing the requirements specified in HSPD-12 to enable agency-wide use of PIV credentials. This requirement applies to ALGs that provide user authentication intermediary services (e.g., authentication gateway or TLS gateway). This does not apply to authentication for the purpose of configuring the device itself (device management).

STIG	Date
F5 BIG-IP Access Policy Manager 11.x Security Technical Implementation Guide	2015-06-02

Details

Check Text ( C-60737r1_chk )
If the BIG-IP APM module does not provide user authentication intermediary services to non-organizational users, this is not applicable. Verify the BIG-IP APM module is configured as follows: Navigate to the BIG-IP System manager >> Access Policy >> Access Profiles. Click "Edit..." in the "Access Policy" column for an Access Profile used to identify and authenticate non-organizational users. Verify the Access Profile is configured to electronically verify Personal Identity Verification (PIV) credentials from other federal agencies. If the BIG-IP APM module is not configured to electronically verify Personal Identity Verification (PIV) credentials from other federal agencies, this is a finding.

Check Text ( C-60737r1_chk )

If the BIG-IP APM module does not provide user authentication intermediary services to non-organizational users, this is not applicable.

Verify the BIG-IP APM module is configured as follows:

Navigate to the BIG-IP System manager >> Access Policy >> Access Profiles.

Click "Edit..." in the "Access Policy" column for an Access Profile used to identify and authenticate non-organizational users.

Verify the Access Profile is configured to electronically verify Personal Identity Verification (PIV) credentials from other federal agencies.

If the BIG-IP APM module is not configured to electronically verify Personal Identity Verification (PIV) credentials from other federal agencies, this is a finding.

Fix Text (F-65467r1_fix)
If the BIG-IP APM module provides user authentication intermediary services to non-organizational users, configure a profile in the BIG-IP APM module to electronically verify Personal Identity Verification (PIV) credentials from other federal agencies.