800-53|SC-17

Title

PUBLIC KEY INFRASTRUCTURE CERTIFICATES

Description

The organization issues public key certificates under an [Assignment: organization-defined certificate policy] or obtains public key certificates from an approved service provider.

Supplemental

For all certificates, organizations manage information system trust stores to ensure only approved trust anchors are in the trust stores. This control addresses both certificates with visibility external to organizational information systems and certificates related to the internal operations of systems, for example, application'specific time services.

Reference Item Details

Related: SC-12

Category: SYSTEM AND COMMUNICATIONS PROTECTION

Family: SYSTEM AND COMMUNICATIONS PROTECTION

Priority: P1

Baseline Impact: MODERATE,HIGH

Audit Items

View all Reference Audit Items

NamePluginAudit Name
1.2.4 Ensure valid certificate is set for browser-based administrator interface - Certificate ProfilesPalo_AltoCIS Palo Alto Firewall 7 Benchmark L2 v1.0.0
1.2.4 Ensure valid certificate is set for browser-based administrator interface - Certificate ProfilesPalo_AltoCIS Palo Alto Firewall 6 Benchmark L2 v1.0.0
1.2.4 Ensure valid certificate is set for browser-based administrator interface - CertificatesPalo_AltoCIS Palo Alto Firewall 7 Benchmark L2 v1.0.0
1.2.4 Ensure valid certificate is set for browser-based administrator interface - CertificatesPalo_AltoCIS Palo Alto Firewall 6 Benchmark L2 v1.0.0
1.6.3 Ensure that the certificate securing Remote Access VPNs is valid - CertificatesPalo_AltoCIS Palo Alto Firewall 7 Benchmark L1 v1.0.0
1.6.3 Ensure that the certificate securing Remote Access VPNs is valid - CertificatesPalo_AltoCIS Palo Alto Firewall 6 Benchmark L1 v1.0.0
1.6.3 Ensure that the certificate securing Remote Access VPNs is valid - CertificatesPalo_AltoCIS Palo Alto Firewall 6 Benchmark L2 v1.0.0
1.6.3 Ensure that the certificate securing Remote Access VPNs is valid - CertificatesPalo_AltoCIS Palo Alto Firewall 7 Benchmark L2 v1.0.0
1.6.3 Ensure that the certificate securing Remote Access VPNs is valid - GlobalProtect GatewaysPalo_AltoCIS Palo Alto Firewall 7 Benchmark L1 v1.0.0
1.6.3 Ensure that the certificate securing Remote Access VPNs is valid - GlobalProtect GatewaysPalo_AltoCIS Palo Alto Firewall 6 Benchmark L2 v1.0.0
1.6.3 Ensure that the certificate securing Remote Access VPNs is valid - GlobalProtect GatewaysPalo_AltoCIS Palo Alto Firewall 7 Benchmark L2 v1.0.0
1.6.3 Ensure that the certificate securing Remote Access VPNs is valid - GlobalProtect GatewaysPalo_AltoCIS Palo Alto Firewall 6 Benchmark L1 v1.0.0
1.6.3 Ensure that the certificate securing Remote Access VPNs is valid - GlobalProtect PortalsPalo_AltoCIS Palo Alto Firewall 6 Benchmark L1 v1.0.0
1.6.3 Ensure that the certificate securing Remote Access VPNs is valid - GlobalProtect PortalsPalo_AltoCIS Palo Alto Firewall 6 Benchmark L2 v1.0.0
1.6.3 Ensure that the certificate securing Remote Access VPNs is valid - GlobalProtect PortalsPalo_AltoCIS Palo Alto Firewall 7 Benchmark L1 v1.0.0
1.6.3 Ensure that the certificate securing Remote Access VPNs is valid - GlobalProtect PortalsPalo_AltoCIS Palo Alto Firewall 7 Benchmark L2 v1.0.0
1.10 Ensure Web Tier ELB have the latest SSL Security Policies configuredamazon_awsCIS Amazon Web Services Three-tier Web Architecture L1 1.0.0
1.13 Ensure App Tier ELB have the latest SSL Security Policies configuredamazon_awsCIS Amazon Web Services Three-tier Web Architecture L2 1.0.0
8.3 Ensure that the Certificate used for Decryption is TrustedPalo_AltoCIS Palo Alto Firewall 6 Benchmark L1 v1.0.0
8.3 Ensure that the Certificate used for Decryption is TrustedPalo_AltoCIS Palo Alto Firewall 7 Benchmark L2 v1.0.0
8.3 Ensure that the Certificate used for Decryption is TrustedPalo_AltoCIS Palo Alto Firewall 7 Benchmark L1 v1.0.0
8.3 Ensure that the Certificate used for Decryption is TrustedPalo_AltoCIS Palo Alto Firewall 6 Benchmark L2 v1.0.0
ARST-ND-000840 - The Arista network device must obtain its public key certificates from an appropriate certificate policy through an approved service provider.AristaDISA STIG Arista MLS EOS 4.2x NDM v2r1
Big Sur - Issue or Obtain Public Key Certificates from an Approved Service ProviderUnixNIST macOS Big Sur v1.4.0 - 800-53r5 High
Big Sur - Issue or Obtain Public Key Certificates from an Approved Service ProviderUnixNIST macOS Big Sur v1.4.0 - 800-53r4 High
Big Sur - Issue or Obtain Public Key Certificates from an Approved Service ProviderUnixNIST macOS Big Sur v1.4.0 - CNSSI 1253
Big Sur - Issue or Obtain Public Key Certificates from an Approved Service ProviderUnixNIST macOS Big Sur v1.4.0 - 800-53r4 Moderate
Big Sur - Issue or Obtain Public Key Certificates from an Approved Service ProviderUnixNIST macOS Big Sur v1.4.0 - 800-53r5 Moderate
Big Sur - Issue or Obtain Public Key Certificates from an Approved Service ProviderUnixNIST macOS Big Sur v1.4.0 - All Profiles
Big Sur - Set Smartcard Certificate Trust to HighUnixNIST macOS Big Sur v1.4.0 - 800-53r4 High
Big Sur - Set Smartcard Certificate Trust to HighUnixNIST macOS Big Sur v1.4.0 - All Profiles
Big Sur - Set Smartcard Certificate Trust to HighUnixNIST macOS Big Sur v1.4.0 - 800-53r5 High
Big Sur - Set Smartcard Certificate Trust to ModerateUnixNIST macOS Big Sur v1.4.0 - 800-53r5 Moderate
Big Sur - Set Smartcard Certificate Trust to ModerateUnixNIST macOS Big Sur v1.4.0 - 800-53r4 Moderate
Big Sur - Set Smartcard Certificate Trust to ModerateUnixNIST macOS Big Sur v1.4.0 - All Profiles
Big Sur - Set Smartcard Certificate Trust to ModerateUnixNIST macOS Big Sur v1.4.0 - CNSSI 1253
CASA-ND-001370 - The Cisco ASA must be configured to obtain its public key certificates from an appropriate certificate policy through an approved service provider.CiscoDISA STIG Cisco ASA NDM v2r2
Catalina - Issue or Obtain Public Key Certificates from an Approved Service ProviderUnixNIST macOS Catalina v1.5.0 - 800-53r5 High
Catalina - Issue or Obtain Public Key Certificates from an Approved Service ProviderUnixNIST macOS Catalina v1.5.0 - 800-53r5 Moderate
Catalina - Issue or Obtain Public Key Certificates from an Approved Service ProviderUnixNIST macOS Catalina v1.5.0 - CNSSI 1253
Catalina - Issue or Obtain Public Key Certificates from an Approved Service ProviderUnixNIST macOS Catalina v1.5.0 - 800-53r4 Moderate
Catalina - Issue or Obtain Public Key Certificates from an Approved Service ProviderUnixNIST macOS Catalina v1.5.0 - All Profiles
Catalina - Issue or Obtain Public Key Certificates from an Approved Service ProviderUnixNIST macOS Catalina v1.5.0 - 800-53r4 High
Catalina - Set Smartcard Certificate Trust to HighUnixNIST macOS Catalina v1.5.0 - All Profiles
CISC-ND-001440 - The Cisco router must be configured to obtain its public key certificates from an appropriate certificate policy through an approved service provider.CiscoDISA STIG Cisco IOS Router NDM v3r2
CISC-ND-001440 - The Cisco router must be configured to obtain its public key certificates from an appropriate certificate policy through an approved service provider.CiscoDISA STIG Cisco IOS XE Router NDM v3r2
CISC-ND-001440 - The Cisco router must be configured to obtain its public key certificates from an appropriate certificate policy through an approved service provider.CiscoDISA STIG Cisco IOS-XR Router NDM v3r2
CISC-ND-001440 - The Cisco switch must be configured to obtain its public key certificates from an appropriate certificate policy through an approved service provider.CiscoDISA STIG Cisco IOS Switch NDM v3r2
CISC-ND-001440 - The Cisco switch must be configured to obtain its public key certificates from an appropriate certificate policy through an approved service provider.CiscoDISA STIG Cisco IOS XE Switch NDM v3r2
CISC-ND-001440 - The Cisco switch must be configured to obtain its public key certificates from an appropriate certificate policy through an approved service provider.CiscoDISA STIG Cisco NX-OS Switch NDM v3r2