800-53|SC-23(5)

Title

ALLOWED CERTIFICATE AUTHORITIES

Description

The information system only allows the use of [Assignment: organization-defined certificate authorities] for verification of the establishment of protected sessions.

Supplemental

Reliance on certificate authorities (CAs) for the establishment of secure sessions includes, for example, the use of Secure Socket Layer (SSL) and/or Transport Layer Security (TLS) certificates. These certificates, after verification by the respective certificate authorities, facilitate the establishment of protected sessions between web clients and web servers.

Reference Item Details

Related: SC-13

Category: SYSTEM AND COMMUNICATIONS PROTECTION

Parent Title: SESSION AUTHENTICITY

Family: SYSTEM AND COMMUNICATIONS PROTECTION

Audit Items


Name | Plugin | Audit Name
2.18 Ensure 'Require online OCSP/CRL checks for local trust anchors' is set to 'Enabled' | Windows | CIS Google Chrome L2 v3.0.0
5.3 Set 'Prevent ignoring certificate errors' to 'Enabled' | Windows | CIS IE 9 v1.0.0
5.3.10 Ensure certificate status checking for PKI authentication. | Unix | CIS Amazon Linux 2 STIG v1.0.0 L3
5.5 Set 'Prevent ignoring certificate errors' to 'Enabled' | Windows | CIS IE 11 v1.0.0
5.5 Set 'Prevent ignoring certificate errors' to 'Enabled' | Windows | CIS IE 10 v1.1.0
5.08 OAS - 'Oracle Wallet Trusted Certificates - Remove certificate authorities (CAs) that are not required.' | Unix | CIS v1.1.0 Oracle 11g OS L2
20.20 Ensure 'DoD Interoperability Root CA cross-certificates' are installed in the 'Untrusted Certificates Store' on unclassified systems | Windows | CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG DC
20.20 Ensure 'DoD Interoperability Root CA cross-certificates' are installed in the 'Untrusted Certificates Store' on unclassified systems | Windows | CIS Microsoft Windows Server 2022 STIG v1.0.0 STIG DC
20.20 Ensure 'DoD Interoperability Root CA cross-certificates' are installed in the 'Untrusted Certificates Store' on unclassified systems | Windows | CIS Microsoft Windows Server 2022 STIG v1.0.0 STIG MS
20.20 Ensure 'DoD Interoperability Root CA cross-certificates' are installed in the 'Untrusted Certificates Store' on unclassified systems | Windows | CIS Microsoft Windows Server 2019 STIG v2.0.0 STIG MS
20.20 Ensure 'DoD Interoperability Root CA cross-certificates' are installed in the 'Untrusted Certificates Store' on unclassified systems | Windows | CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG MS
20.20 Ensure 'DoD Interoperability Root CA cross-certificates' are installed in the 'Untrusted Certificates Store' on unclassified systems | Windows | CIS Microsoft Windows Server 2019 STIG v2.0.0 STIG DC
20.21 Ensure 'DoD Root Certificate Authority (CA) certificates' are installed in the 'Trusted Root Store' | Windows | CIS Microsoft Windows Server 2022 STIG v1.0.0 STIG MS
20.21 Ensure 'DoD Root Certificate Authority (CA) certificates' are installed in the 'Trusted Root Store' | Windows | CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG DC
20.21 Ensure 'DoD Root Certificate Authority (CA) certificates' are installed in the 'Trusted Root Store' | Windows | CIS Microsoft Windows Server 2019 STIG v2.0.0 STIG DC
20.21 Ensure 'DoD Root Certificate Authority (CA) certificates' are installed in the 'Trusted Root Store' | Windows | CIS Microsoft Windows Server 2019 STIG v2.0.0 STIG MS
20.21 Ensure 'DoD Root Certificate Authority (CA) certificates' are installed in the 'Trusted Root Store' | Windows | CIS Microsoft Windows Server 2022 STIG v1.0.0 STIG DC
20.21 Ensure 'DoD Root Certificate Authority (CA) certificates' are installed in the 'Trusted Root Store' | Windows | CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG MS
20.22 Ensure 'Domain Controller PKI certificates must be issued by the DoD PKI or an approved External Certificate Authority' (STIG DC only) | Windows | CIS Microsoft Windows Server 2022 STIG v1.0.0 STIG DC
20.22 Ensure 'Domain Controller PKI certificates must be issued by the DoD PKI or an approved External Certificate Authority' (STIG DC only) | Windows | CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG DC
20.22 Ensure 'Domain Controller PKI certificates must be issued by the DoD PKI or an approved External Certificate Authority' (STIG DC only) | Windows | CIS Microsoft Windows Server 2019 STIG v2.0.0 STIG DC
20.23 Ensure 'Domain controllers have a PKI server certificate' (STIG DC only) | Windows | CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG DC
20.23 Ensure 'Domain controllers have a PKI server certificate' (STIG DC only) | Windows | CIS Microsoft Windows Server 2019 STIG v2.0.0 STIG DC
20.23 Ensure 'Domain controllers have a PKI server certificate' (STIG DC only) | Windows | CIS Microsoft Windows Server 2022 STIG v1.0.0 STIG DC
20.53 Ensure 'PKI certificates associated with user accounts must be issued by a DoD PKI or an approved External Certificate Authority (ECA)' (STIG DC only) | Windows | CIS Microsoft Windows Server 2022 STIG v1.0.0 STIG DC
20.54 Ensure 'PKI certificates associated with user accounts must be issued by a DoD PKI or an approved External Certificate Authority (ECA)' (STIG DC only) | Windows | CIS Microsoft Windows Server 2019 STIG v2.0.0 STIG DC
20.54 Ensure 'PKI certificates associated with user accounts must be issued by a DoD PKI or an approved External Certificate Authority (ECA)' (STIG DC only) | Windows | CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG DC
20.68 Ensure 'US DoD CCEB Interoperability Root CA cross-certificates' are installed in the 'Untrusted Certificates Store' on unclassified systems | Windows | CIS Microsoft Windows Server 2022 STIG v1.0.0 STIG DC
20.68 Ensure 'US DoD CCEB Interoperability Root CA cross-certificates' are installed in the 'Untrusted Certificates Store' on unclassified systems | Windows | CIS Microsoft Windows Server 2022 STIG v1.0.0 STIG MS
20.69 Ensure 'US DoD CCEB Interoperability Root CA cross-certificates' are installed in the 'Untrusted Certificates Store' on unclassified systems | Windows | CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG DC
20.69 Ensure 'US DoD CCEB Interoperability Root CA cross-certificates' are installed in the 'Untrusted Certificates Store' on unclassified systems | Windows | CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG MS
20.69 Ensure 'US DoD CCEB Interoperability Root CA cross-certificates' are installed in the 'Untrusted Certificates Store' on unclassified systems | Windows | CIS Microsoft Windows Server 2019 STIG v2.0.0 STIG MS
20.69 Ensure 'US DoD CCEB Interoperability Root CA cross-certificates' are installed in the 'Untrusted Certificates Store' on unclassified systems | Windows | CIS Microsoft Windows Server 2019 STIG v2.0.0 STIG DC
AADC-CL-000990 - Adobe Acrobat Pro DC Classic periodic downloading of Adobe European certificates must be disabled. | Windows | DISA STIG Adobe Acrobat Pro DC Classic Track v2r1
AADC-CL-001320 - Adobe Acrobat Pro DC Classic Periodic downloading of Adobe certificates must be disabled. | Windows | DISA STIG Adobe Acrobat Pro DC Classic Track v2r1
AADC-CN-000990 - Adobe Acrobat Pro DC Continuous periodic downloading of Adobe European certificates must be disabled. | Windows | DISA STIG Adobe Acrobat Pro DC Continuous Track v2r1
AADC-CN-001320 - Adobe Acrobat Pro DC Continuous Periodic downloading of Adobe certificates must be disabled. | Windows | DISA STIG Adobe Acrobat Pro DC Continuous Track v2r1
ADBP-XI-000990 - Adobe Acrobat Pro XI periodic downloading of Adobe European certificates must be disabled. | Windows | DISA STIG ADOBE ACROBAT PROFESSIONAL (PRO) XI v1r2
ADBP-XI-001320 - Adobe Acrobat Pro XI Periodic downloading of Adobe certificates must be disabled. | Windows | DISA STIG ADOBE ACROBAT PROFESSIONAL (PRO) XI v1r2
AIX7-00-001105 - AIX must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions - Certificate Issuer | Unix | DISA STIG AIX 7.x v2r9
AIX7-00-001105 - AIX must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions - ldapsslkeyf | Unix | DISA STIG AIX 7.x v2r9
AIX7-00-001105 - AIX must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions - useSSL | Unix | DISA STIG AIX 7.x v2r9
APPL-14-001060 - The macOS system must set smart card certificate trust to moderate. | Unix | DISA Apple macOS 14 (Sonoma) STIG v2r1
APPL-14-003001 - The macOS system must issue or obtain public key certificates from an approved service provider. | Unix | DISA Apple macOS 14 (Sonoma) STIG v2r1
APPL-15-001060 - The macOS system must set smart card certificate trust to moderate. | Unix | DISA Apple macOS 15 (Sequoia) STIG v1r1
APPL-15-003001 - The macOS system must issue or obtain public key certificates from an approved service provider. | Unix | DISA Apple macOS 15 (Sequoia) STIG v1r1
ARDC-CL-000330 - Adobe Reader DC must disable periodical uploading of European certificates. | Windows | DISA STIG Adobe Acrobat Reader DC Classic Track v2r1
ARDC-CL-000335 - Adobe Reader DC must disable periodical uploading of Adobe certificates. | Windows | DISA STIG Adobe Acrobat Reader DC Classic Track v2r1
ARDC-CN-000330 - Adobe Reader DC must disable periodical uploading of European certificates. | Windows | DISA STIG Adobe Acrobat Reader DC Continuous Track v2r1
ARDC-CN-000335 - Adobe Reader DC must disable periodical uploading of Adobe certificates. | Windows | DISA STIG Adobe Acrobat Reader DC Continuous Track v2r1