The Mission Owner must configure the Infrastructure as a Service (IaaS)/Platform as a Service (PaaS) Cloud Service to use DOD-approved OCSP responder or CRL to validate certificates used for PKI-based authentication.

Severity: high
Group ID: V-259871
Group Title: SRG-NET-000580
Version: SRG-NET-000580-CLD-000075
Rule ID: SV-259871r1056199_rule
Date: 2024-12-20
STIG Version: 1
Description
To provide assurance that certificates are validated by the correct responders, the Mission Owner must ensure a valid DOD OCSP responder is used when DOD Common Access Card (CAC) two-factor authentication is performed for remote access by DOD privileged users to systems instantiated within the cloud service environment. A certificate that chains to a trusted DOD CA but has been revoked is still a valid signature chain; only a revocation check against the issuing CA's OCSP responder or CRL distinguishes it from a live credential.

When a Mission Owner is responsible for authenticating entities and/or identifying a hosted DOD information system, the Mission Owner must configure CAC/PKI for remote access for privileged users at all Impact Levels. CAC/PKI authentication is also required for nonprivileged users accessing Impact Levels 4-6.

Impact Level 6: when the system is hosted on premises, use NSS PKI. Enforce the use of a physical token, referred to as the CNSS NSS Hardware Token, for the authentication of DOD Mission Owner and CSP privileged and nonprivileged end users. When implementing NSS PKI, use NSS OCSP or CRL resources for checking revocation of NSS certificates and NSS Certificate Authorities, and follow CNSS/NSA instructions for the management and protection of cryptographic keys. CNSS-issued PKI server certificates will be used to identify the CSP's DOD customer ordering/service management portals and the SaaS applications and services contracted by and dedicated to DOD use.
ℹ️ Check
This applies to all Impact Levels. If this is a Software as a Service (SaaS) implementation, this is not a finding.

Verify that a DOD-approved OCSP responder or CRL is used to validate certificates used for PKI-based authentication.

If the cloud IaaS/PaaS is not configured to use a DOD-approved OCSP responder or CRL to validate certificates used for PKI-based authentication, this is a finding.
✔️ Fix
This applies to all Impact Levels. FedRAMP Moderate, High.

Configure the IaaS/PaaS to use a DOD-approved OCSP responder or CRL to validate certificates used for PKI-based authentication.

Configure the system to implement the following access policy:
- Configure CAC/PKI for remote access for privileged users at all Impact Levels. CAC/PKI authentication is also required for nonprivileged users accessing Impact Levels 4-6.
- Impact Level 6: when the system is hosted on premises, use NSS PKI. Enforce the use of a physical token, referred to as the CNSS NSS Hardware Token, for the authentication of DOD Mission Owner and CSP privileged and nonprivileged end users. When implementing NSS PKI, use NSS OCSP or CRL resources for checking revocation of NSS certificates and NSS Certificate Authorities, and follow CNSS/NSA instructions for the management and protection of cryptographic keys. CNSS-issued PKI server certificates will be used to identify the CSP's DOD customer ordering/service management portals and the SaaS applications and services contracted by and dedicated to DOD use.