800-53|IA-5(2)(a)

Title

PKI-BASED AUTHENTICATION

Description

Validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information;

Reference Item Details

Category: IDENTIFICATION AND AUTHENTICATION

Family: IDENTIFICATION AND AUTHENTICATION

Audit Items

Name | Plugin | Audit Name
1.13.2.1.3 Ensure 'Missing Root Certificates' is set to Enabled:Warning | Windows | CIS Microsoft Office Outlook 2013 v1.1.0 Level 1
1.13.2.1.3 Ensure 'Missing Root Certificates' is set to Enabled:Warning | Windows | CIS Microsoft Office Outlook 2016 v1.1.0 Level 1
2.5.14.2.1.3 Ensure 'Missing Root Certificates' is set to 'Enabled: Error' | Windows | CIS Microsoft Office Enterprise v1.2.0 L1
2.12 Set 'Indicate a missing root certificate as a(n):' to 'Enabled:Warning' | Windows | CIS MS Office Outlook 2010 v1.0.0
4.2 Set OCSP Response Policy | Unix | CIS Mozilla Firefox 102 ESR Linux L2 v1.0.0
4.2 Set OCSP Response Policy | Windows | CIS Mozilla Firefox 102 ESR Windows L2 v1.0.0
4.6 Set OCSP Response Policy | Windows | CIS Mozilla Firefox 38 ESR Windows L2 v1.0.0
4.6 Set OCSP Response Policy | Unix | CIS Mozilla Firefox 38 ESR Linux L2 v1.0.0
5.2 Set 'Check for server certificate revocation' to 'Enabled' | Windows | CIS IE 10 v1.1.0
5.2 Set 'Check for server certificate revocation' to 'Enabled' | Windows | CIS IE 11 v1.0.0
5.2 Set 'Check for server certificate revocation' to 'Enabled' | Windows | CIS IE 9 v1.0.0
5.6 Enable OCSP and CRL certificate checking - CRL | Unix | CIS Apple OSX 10.9 L2 v1.3.0
5.6 Enable OCSP and CRL certificate checking - CRLStyle | Unix | CIS Apple OSX 10.11 El Capitan L2 v1.1.0
5.6 Enable OCSP and CRL certificate checking - CRLStyle | Unix | CIS Apple OSX 10.10 Yosemite L2 v1.2.0
5.6 Enable OCSP and CRL certificate checking - OCSP | Unix | CIS Apple OSX 10.9 L2 v1.3.0
5.6 Enable OCSP and CRL certificate checking - OCSPStyle | Unix | CIS Apple OSX 10.10 Yosemite L2 v1.2.0
5.6 Enable OCSP and CRL certificate checking - OCSPStyle | Unix | CIS Apple OSX 10.11 El Capitan L2 v1.1.0
5.7 Enable OCSP and CRL certificate checking - CRLStyle | Unix | CIS Apple macOS 10.12 L2 v1.2.0
5.7 Enable OCSP and CRL certificate checking - OCSPStyle | Unix | CIS Apple macOS 10.12 L2 v1.2.0
5.25 sqlnet.ora - 'ssl_cert_revocation = REQUIRED' | Windows | CIS v1.1.0 Oracle 11g OS Windows Level 2
AIX7-00-001006 - If the AIX system is using LDAP for authentication or account information, the LDAP SSL, or TLS connection must require the server provide a certificate and this certificate must have a valid path to a trusted CA - Certificate Issuer | Unix | DISA STIG AIX 7.x v2r9
AIX7-00-001006 - If the AIX system is using LDAP for authentication or account information, the LDAP SSL, or TLS connection must require the server provide a certificate and this certificate must have a valid path to a trusted CA - ldapsslkeyf | Unix | DISA STIG AIX 7.x v2r9
AIX7-00-001006 - If the AIX system is using LDAP for authentication or account information, the LDAP SSL, or TLS connection must require the server provide a certificate and this certificate must have a valid path to a trusted CA - useSSL | Unix | DISA STIG AIX 7.x v2r9
AOSX-13-000750 - The macOS system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider. | Unix | DISA STIG Apple Mac OSX 10.13 v2r5
AOSX-14-003001 - The macOS system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider. | Unix | DISA STIG Apple Mac OSX 10.14 v2r6
AOSX-15-003001 - The macOS system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider. | Unix | DISA STIG Apple Mac OSX 10.15 v1r10
APPL-11-003001 - The macOS system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider. | Unix | DISA STIG Apple macOS 11 v1r5
APPL-11-003001 - The macOS system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider. | Unix | DISA STIG Apple macOS 11 v1r8
APPL-12-003001 - The macOS system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider. | Unix | DISA STIG Apple macOS 12 v1r9
APPL-13-003001 - The macOS system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider. | Unix | DISA STIG Apple macOS 13 v1r4
APPL-14-001060 - The macOS system must set smart card certificate trust to moderate. | Unix | DISA Apple macOS 14 (Sonoma) STIG v2r1
APPL-15-001060 - The macOS system must set smart card certificate trust to moderate. | Unix | DISA Apple macOS 15 (Sequoia) STIG v1r1
APPNET0031 - Digital signatures assigned to strongly named assemblies must be verified. | Windows | DISA STIG for Microsoft Dot Net Framework 4.0 v2r4
APPNET0046 - The Trust Providers Software Publishing State must be set to 0x23C00. | Windows | DISA STIG for Microsoft Dot Net Framework 4.0 v2r4
APPNET0048 - Developer certificates used with the .NET Publisher Membership Condition must be approved by the ISSO. | Windows | DISA STIG for Microsoft Dot Net Framework 4.0 v2r4
APPNET0063 - .NET must be configured to validate strong names on full-trust assemblies. | Windows | DISA STIG for Microsoft Dot Net Framework 4.0 v2r4
AS24-U2-000380 - The Apache web server must perform RFC 5280-compliant certification path validation. | Unix | DISA STIG Apache Server 2.4 Unix Site v2r4
AS24-U2-000380 - The Apache web server must perform RFC 5280-compliant certification path validation. | Unix | DISA STIG Apache Server 2.4 Unix Site v2r4 Middleware
AS24-W1-000380 - The Apache web server must perform RFC 5280-compliant certification path validation. | Windows | DISA STIG Apache Server 2.4 Windows Server v2r3
AS24-W1-000380 - The Apache web server must perform RFC 5280-compliant certification path validation. | Windows | DISA STIG Apache Server 2.4 Windows Server v3r1
AS24-W2-000380 - The Apache web server must perform RFC 5280-compliant certification path validation - SSLVerifyClient | Windows | DISA STIG Apache Server 2.4 Windows Site v2r1
AS24-W2-000380 - The Apache web server must perform RFC 5280-compliant certification path validation - SSLVerifyDepth | Windows | DISA STIG Apache Server 2.4 Windows Site v2r1
Big Sur - Issue or Obtain Public Key Certificates from an Approved Service Provider | Unix | NIST macOS Big Sur v1.4.0 - 800-53r5 High
Big Sur - Issue or Obtain Public Key Certificates from an Approved Service Provider | Unix | NIST macOS Big Sur v1.4.0 - 800-53r4 High
Big Sur - Issue or Obtain Public Key Certificates from an Approved Service Provider | Unix | NIST macOS Big Sur v1.4.0 - CNSSI 1253
Big Sur - Issue or Obtain Public Key Certificates from an Approved Service Provider | Unix | NIST macOS Big Sur v1.4.0 - 800-53r4 Moderate
Big Sur - Issue or Obtain Public Key Certificates from an Approved Service Provider | Unix | NIST macOS Big Sur v1.4.0 - 800-53r5 Moderate
Big Sur - Issue or Obtain Public Key Certificates from an Approved Service Provider | Unix | NIST macOS Big Sur v1.4.0 - All Profiles
CASA-VN-000120 - The Cisco ASA must be configured to validate certificates via a trustpoint that identifies a DoD or DoD-approved certificate authority. | Cisco | DISA STIG Cisco ASA VPN v2r1
CASA-VN-000730 - The Cisco ASA VPN remote access server must be configured to validate certificates used for Transport Layer Security (TLS) functions by performing RFC 5280-compliant certification path validation - ipsec-client | Cisco | DISA STIG Cisco ASA VPN v2r1