The Mission Owner must configure the Infrastructure as a Service (IaaS)/Platform to use certificate path validation to ensure revoked user credentials are prohibited from establishing a user or machine session.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| high | V-259870 | SRG-NET-000580 | SRG-NET-000580-CLD-000070 | SV-259870r1056198_rule | 2024-12-20 | 1 |
| Description |
|---|
| A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to make an informed decision regarding acceptance of an end entity certificate. Certification path validation includes checks such as certificate issuer trust, time validity, and revocation status for each certificate in the certification path. Revocation status information for CA and subject certificates in a certification path is commonly provided via certificate revocation lists (CRLs) or online certificate status protocol (OCSP) responses. |
| ℹ️ Check |
|---|
| This applies to all Impact Levels. If this is a Software as a Service (SaaS) implementation, this is not a finding. Verify that certificate path validation is implemented to ensure revoked user and/or machine credentials are prohibited from establishing a user or machine session. If the cloud IaaS/PaaS is not configured to use OCSP or CRLDP to ensure revoked credentials are prohibited from establishing an allowed session, this is a finding. |
| ✔️ Fix |
|---|
| This applies to all Impact Levels. FedRAMP Moderate, High. Configure the IaaS/PaaS to use OCSP or CRLDP to ensure revoked credentials are prohibited from establishing an allowed session. This requirement applies to the use of both user and machine credentials. |