
STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

CCI-000185

Definition

For public key-based authentication, validate certificates by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information.
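The definition names two obligations a relying party has when a certificate is presented for authentication: construct and verify a path from that certificate to a trust anchor it has chosen to accept, and check the status (revocation) of what is on that path. The Go program below is an added example, not STIGhub's or DISA's code and not taken from any listed STIG check; it uses only Go's standard library, where crypto/x509's Verify performs the RFC 5280 path building and the CRL status check is written out because Verify does not do revocation. The CA and host names (Example Root CA, Example Issuing CA, host.example.test, Rogue CA) are constructed. It goes slightly beyond the sentence above by exercising four cases: a valid chain, a revoked leaf, a leaf from a CA outside the trust store, and a chain for which no status information is available at all.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Added example, not STIGhub's or DISA's code; the CA and host names are constructed.

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue generates a P-256 key and a certificate for it signed by signer (self-signed when parent is nil).
func issue(serial int64, cn string, ca bool, parent *x509.Certificate, signer *ecdsa.PrivateKey, now time.Time) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	if ca { // CA certificates may sign certificates and CRLs; end entities may not
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	if parent == nil {
		parent, signer = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, signer)
	must(err)
	c, err := x509.ParseCertificate(der)
	must(err)
	return c, key
}

// newCRL returns a DER CRL signed by issuer that lists the given serials as revoked.
func newCRL(issuer *x509.Certificate, key *ecdsa.PrivateKey, now time.Time, revoked ...*big.Int) []byte {
	rl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now.Add(-time.Hour), NextUpdate: now.Add(12 * time.Hour)}
	for _, s := range revoked {
		rl.RevokedCertificateEntries = append(rl.RevokedCertificateEntries,
			x509.RevocationListEntry{SerialNumber: s, RevocationTime: now.Add(-time.Minute)})
	}
	der, err := x509.CreateRevocationList(rand.Reader, rl, issuer, key)
	must(err)
	return der
}

// checkStatus is the "status information" half of the control: a CRL from cert's issuer
// must be present, verify under that issuer's key, be current, and not list cert's serial.
// Missing or stale status information is a failure, not a pass (fail closed).
func checkStatus(cert, issuer *x509.Certificate, crls [][]byte, now time.Time) error {
	for _, der := range crls {
		crl, err := x509.ParseRevocationList(der)
		if err != nil {
			return err
		}
		if !bytes.Equal(crl.RawIssuer, cert.RawIssuer) {
			continue // CRL from a different CA
		}
		if err := crl.CheckSignatureFrom(issuer); err != nil {
			return fmt.Errorf("CRL signature: %w", err)
		}
		if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
			return errors.New("CRL is not current")
		}
		for _, e := range crl.RevokedCertificateEntries {
			if e.SerialNumber.Cmp(cert.SerialNumber) == 0 {
				return fmt.Errorf("serial %s is revoked", cert.SerialNumber)
			}
		}
		return nil
	}
	return errors.New("no CRL available for issuer")
}

// authenticate is the whole control: build and verify a certification path from leaf to a
// root in the trust store, then check the status of every certificate below the anchor.
func authenticate(leaf *x509.Certificate, inters, roots *x509.CertPool, crls [][]byte, now time.Time) error {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, CurrentTime: now})
	if err != nil {
		return fmt.Errorf("path validation: %w", err)
	}
	chain := chains[0] // leaf first, trust anchor last
	for i := 0; i < len(chain)-1; i++ {
		if err := checkStatus(chain[i], chain[i+1], crls, now); err != nil {
			return fmt.Errorf("status of %q: %w", chain[i].Subject.CommonName, err)
		}
	}
	return nil
}

// outcomes runs four cases and reports whether each behaved as the control requires.
func outcomes() map[string]bool {
	now := time.Now()
	root, rootKey := issue(1, "Example Root CA", true, nil, nil, now)
	inter, interKey := issue(2, "Example Issuing CA", true, root, rootKey, now)
	leaf, _ := issue(3, "host.example.test", false, inter, interKey, now)
	rogueCA, rogueKey := issue(4, "Rogue CA", true, nil, nil, now) // never added to the trust store
	rogueLeaf, _ := issue(5, "host.example.test", false, rogueCA, rogueKey, now)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	clean := [][]byte{newCRL(root, rootKey, now), newCRL(inter, interKey, now)}
	revoking := [][]byte{newCRL(root, rootKey, now), newCRL(inter, interKey, now, leaf.SerialNumber)}
	return map[string]bool{
		"valid chain accepted":         authenticate(leaf, inters, roots, clean, now) == nil,
		"revoked leaf rejected":        authenticate(leaf, inters, roots, revoking, now) != nil,
		"untrusted issuer rejected":    authenticate(rogueLeaf, inters, roots, clean, now) != nil,
		"missing status info rejected": authenticate(leaf, inters, roots, nil, now) != nil,
	}
}

func main() {
	for name, ok := range outcomes() {
		fmt.Printf("%-30s %v\n", name, ok)
	}
}
```

The four outcomes are the behaviours the checks linked below look for in real products: a trust store that contains only accepted anchors (the Windows Trusted Root Store checks), rejection of revoked credentials via CRL or OCSP (the F5, network device and browser revocation checks), and refusal to accept a certificate when its status cannot be determined (the Jamf Pro and Samsung Android checks). The last point is the one most often mis-implemented: treating an unreachable CRL or OCSP responder as "not revoked" silently drops the status half of the control.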

Parent Control

IA-5 (2) Authenticator Management (Identification and Authentication family)

Linked STIG Checks (200)

  • V-237038 (CAT II): The A10 Networks ADC when used for TLS encryption and decryption must validate certificates used for TLS functions by performing RFC 5280-compliant certification path validation. [A10 Networks ADC ALG Security Technical Implementation Guide]
  • V-204675 (CAT I): AAA Services must be configured to only accept certificates issued by a DoD-approved Certificate Authority for PKI-based authentication. [AAA Services Security Requirements Guide]
  • V-204676 (CAT I): AAA Services must be configured to not accept certificates that have been revoked for PKI-based authentication. [AAA Services Security Requirements Guide]
  • V-279063 (CAT II): ColdFusion must be configured to use only DOD-approved keystores and truststores containing certificates issued by a DOD Public Key Infrastructure (PKI) Certificate Authority (CA), and all keystore and truststore files must be protected by file system permissions that prevent unauthorized access or modification. [Adobe ColdFusion Security Technical Implementation Guide]
  • V-274063 (CAT II): Amazon Linux 2023, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. [Amazon Linux 2023 Security Technical Implementation Guide]
  • V-268124 (CAT II): NixOS, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. [Anduril NixOS Security Technical Implementation Guide]
  • V-214286 (CAT II): The Apache web server must perform RFC 5280-compliant certification path validation. [Apache Server 2.4 UNIX Site Security Technical Implementation Guide]
  • V-214328 (CAT II): The Apache web server must only accept client DOD-approved and RFC 5280-compliant certificates. [Apache Server 2.4 Windows Server Security Technical Implementation Guide]
  • V-222966 (CAT II): DOD root CA certificates must be installed in Tomcat trust store. [Apache Tomcat Application Server 9 Security Technical Implementation Guide]
  • V-252519 (CAT I): The macOS system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider. [Apple macOS 12 (Monterey) Security Technical Implementation Guide]
  • V-257225 (CAT I): The macOS system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider. [Apple macOS 13 (Ventura) Security Technical Implementation Guide]
  • V-259471 (CAT II): The macOS system must set smart card certificate trust to moderate. [Apple macOS 14 (Sonoma) Security Technical Implementation Guide]
  • V-268471 (CAT II): The macOS system must set smart card certificate trust to moderate. [Apple macOS 15 (Sequoia) Security Technical Implementation Guide]
  • V-277078 (CAT II): The macOS system must set smart card certificate trust to moderate. [Apple macOS 26 (Tahoe) Security Technical Implementation Guide]
  • V-204950 (CAT II): The ALG that provides intermediary services for TLS must validate certificates used for TLS functions by performing RFC 5280-compliant certification path validation. [Application Layer Gateway Security Requirements Guide]
  • V-222550 (CAT I): The application, when utilizing PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. [Application Security and Development Security Technical Implementation Guide]
  • V-204754 (CAT II): The application server must perform RFC 5280-compliant certification path validation. [Application Server Security Requirements Guide]
  • V-237328 (CAT II): The ArcGIS Server, when using PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. [ArcGIS for Server 10.3 Security Technical Implementation Guide]
  • V-272629 (CAT I): CylanceON-PREM must be configured to use TLS 1.2 or higher. [Arctic Wolf CylanceON-PREM Security Technical Implementation Guide]
  • V-272639 (CAT II): CylanceON-PREM must be configured with a DOD issued certificate (or another authorizing official [AO]-approved certificate). [Arctic Wolf CylanceON-PREM Security Technical Implementation Guide]
  • V-276012 (CAT I): Ax-OS must have no local accounts for the user interface. [Axonius Federal Systems Ax-OS Security Technical Implementation Guide]
  • V-219315 (CAT II): The Ubuntu operating system, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. [Canonical Ubuntu 18.04 LTS Security Technical Implementation Guide]
  • V-238229 (CAT II): The Ubuntu operating system, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. [Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide]
  • V-274855 (CAT II): Ubuntu 20.04 LTS must ensure SSSD performs certificate path validation, including revocation checking, against a trusted anchor for PKI-based authentication. [Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide]
  • V-260577 (CAT II): Ubuntu 22.04 LTS, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. [Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide]
  • V-274867 (CAT II): Ubuntu 22.04 LTS must ensure SSSD performs certificate path validation, including revocation checking, against a trusted anchor for PKI-based authentication. [Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide]
  • V-270735 (CAT II): Ubuntu 24.04 LTS, for PKI-based authentication, SSSD must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. [Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide]
  • V-270737 (CAT II): Ubuntu 24.04 LTS, for PKI-based authentication, Privileged Access Management (PAM) must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. [Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide]
  • V-206478 (CAT I): The Central Log Server, when utilizing PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. [Central Log Server Security Requirements Guide]
  • V-239949 (CAT II): The Cisco ASA must be configured to validate certificates via a trustpoint that identifies a DoD or DoD-approved certificate authority. [Cisco ASA VPN Security Technical Implementation Guide]
  • V-239984 (CAT II): The Cisco ASA VPN remote access server must be configured to validate certificates used for Transport Layer Security (TLS) functions by performing RFC 5280-compliant certification path validation. [Cisco ASA VPN Security Technical Implementation Guide]
  • V-259870 (CAT I): The Mission Owner must configure the Infrastructure as a Service (IaaS)/Platform to use certificate path validation to ensure revoked user credentials are prohibited from establishing a user or machine session. [Cloud Computing Mission Owner Network Security Requirements Guide]
  • V-259871 (CAT I): The Mission Owner must configure the Infrastructure as a Service (IaaS)/Platform as a Service (PaaS) Cloud Service to use DOD-approved OCSP responder or CRL to validate certificates used for PKI-based authentication. [Cloud Computing Mission Owner Network Security Requirements Guide]
  • V-269412 (CAT II): AlmaLinux OS 9, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. [Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide]
  • V-233284 (CAT II): The container platform must validate certificates used for Transport Layer Security (TLS) functions by performing an RFC 5280-compliant certification path validation. [Container Platform Security Requirements Guide]
  • V-233577 (CAT II): PostgreSQL, when utilizing PKI-based authentication, must validate certificates by performing RFC 5280-compliant certification path validation. [Crunchy Data PostgreSQL Security Technical Implementation Guide]
  • V-261893 (CAT II): PostgreSQL, when using PKI-based authentication, must validate certificates by performing RFC 5280-compliant certification path validation. [Crunchy Data Postgres 16 Security Technical Implementation Guide]
  • V-206558 (CAT II): The DBMS, when utilizing PKI-based authentication, must validate certificates by performing RFC 5280-compliant certification path validation. [Database Security Requirements Guide]
  • V-269786 (CAT I): The Dell OS10 Switch must be configured to use DOD-approved OCSP responders or CRLs to validate certificates used for PKI-based authentication. [Dell OS10 Switch NDM Security Technical Implementation Guide]
  • V-235871 (CAT II): Docker Enterprise Universal Control Plane (UCP) must be integrated with a trusted certificate authority (CA). [Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide]
  • V-271034 (CAT II): Dragos Platform must accept the DOD CAC or other PKI credential for identity management and personal authentication. [Dragos Platform 2.x Security Technical Implementation Guide]
  • V-271049 (CAT II): The Dragos Platform must only allow the use of DOD PKI established certificate authorities for verification of the establishment of protected sessions. [Dragos Platform 2.x Security Technical Implementation Guide]
  • V-224169 (CAT II): The EDB Postgres Advanced Server, when utilizing PKI-based authentication, must validate certificates by performing RFC 5280-compliant certification path validation. [EDB Postgres Advanced Server v11 on Windows Security Technical Implementation Guide]
  • V-213599 (CAT II): The EDB Postgres Advanced Server, when utilizing PKI-based authentication, must validate certificates by performing RFC 5280-compliant certification path validation. [EDB Postgres Advanced Server v9.6 Security Technical Implementation Guide]
  • V-260047 (CAT II): When using PKI, the Enterprise Voice, Video, and Messaging Session Manager must validate certificates used for Transport Layer Security (TLS) functions by performing RFC 5280-compliant certification path validation. [Enterprise Voice, Video, and Messaging Session Management Security Requirements Guide]
  • V-259249 (CAT II): The EDB Postgres Advanced Server, when utilizing PKI-based authentication, must validate certificates by performing RFC 5280-compliant certification path validation. [EnterpriseDB Postgres Advanced Server (EPAS) Security Technical Implementation Guide]
  • V-260051 (CAT II): The F5 BIG-IP appliance must configure OCSP to ensure revoked user credentials are prohibited from establishing an allowed session. [F5 BIG-IP Access Policy Manager Security Technical Implementation Guide]
  • V-260052 (CAT II): The F5 BIG-IP appliance must configure OCSP to ensure revoked machine credentials are prohibited from establishing an allowed session. [F5 BIG-IP Access Policy Manager Security Technical Implementation Guide]
  • V-215762 (CAT II): The BIG-IP Core implementation must be configured to validate certificates used for TLS functions for connections to virtual servers by constructing a certification path (which includes status information) to an accepted trust anchor. [F5 BIG-IP Local Traffic Manager Security Technical Implementation Guide]
  • V-260048 (CAT II): The F5 BIG-IP appliance must configure OCSP to ensure revoked credentials are prohibited from establishing an allowed session. [F5 BIG-IP Local Traffic Manager Security Technical Implementation Guide]
  • V-266153 (CAT I): The F5 BIG-IP appliance must configure certification path validation to ensure revoked machine credentials are prohibited from establishing an allowed session. [F5 BIG-IP TMOS ALG Security Technical Implementation Guide]
  • V-266165 (CAT I): The F5 BIG-IP appliance must configure certificate path validation to ensure revoked user credentials are prohibited from establishing an allowed session. [F5 BIG-IP TMOS ALG Security Technical Implementation Guide]
  • V-266094 (CAT I): The F5 BIG-IP appliance must be configured to use DOD approved OCSP responders or CRLs to validate certificates used for PKI-based authentication. [F5 BIG-IP TMOS NDM Security Technical Implementation Guide]
  • V-278391 (CAT II): NGINX must be configured to use a Certificate Revocation List (CRL) for certificate path validation and revocation. (Online Certificate Status Protocol [OCSP] is the preferred configuration.) [F5 NGINX Security Technical Implementation Guide]
  • V-278406 (CAT II): NGINX must be configured to use Online Certificate Status Protocol (OCSP) for certificate path validation and revocation. (OCSP is the preferred configuration.) [F5 NGINX Security Technical Implementation Guide]
  • V-233340 (CAT I): When connecting with endpoints, Forescout must be configured to use FIPS 140-2/3 validated algorithms for encryption processes and communications. This is required for compliance with C2C Step 1. [Forescout Network Access Control Security Technical Implementation Guide]
  • V-203622 (CAT II): The operating system, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. [General Purpose Operating System Security Requirements Guide]
  • V-221579 (CAT II): Online revocation checks must be performed. [Google Chrome Current Windows Security Technical Implementation Guide]
  • V-230170 (CAT II): The HP FlexFabric Switch, when utilizing PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. [HP FlexFabric Switch NDM Security Technical Implementation Guide]
  • V-255245 (CAT II): For PKI-based authentication, SSMC must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. [HPE 3PAR SSMC Operating System Security Technical Implementation Guide]
  • V-255259 (CAT II): The SSMC web server must perform RFC 5280-compliant certification path validation. [HPE 3PAR SSMC Web Server Security Technical Implementation Guide]
  • V-266938 (CAT I): AOS must be configured to use DOD-approved Online Certificate Status Protocol (OCSP) responders or Certificate Revocation Lists (CRLs) to validate certificates used for public key infrastructure (PKI)-based authentication. [HPE Aruba Networking AOS NDM Security Technical Implementation Guide]
  • V-266984 (CAT II): AOS, when used as a VPN Gateway and using public key infrastructure (PKI)-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. [HPE Aruba Networking AOS VPN Security Technical Implementation Guide]
  • V-268235 (CAT I): The HYCU virtual appliance must be configured to use DOD-approved online certificate status protocol (OCSP) responders or certificate revocation lists (CRLs) to validate certificates used for PKI-based authentication. [HYCU Protege Security Technical Implementation Guide]
  • V-215173 (CAT II): If the AIX system is using LDAP for authentication or account information, the LDAP SSL, or TLS connection must require the server provide a certificate and this certificate must have a valid path to a trusted CA. [IBM AIX 7.x Security Technical Implementation Guide]
  • V-65225 (CAT II): The DataPower Gateway that provides intermediary services for TLS must validate certificates used for TLS functions by performing RFC 5280-compliant certification path validation. [IBM DataPower ALG Security Technical Implementation Guide]
  • V-255746 (CAT II): WebGUI access to the MQ Appliance network device, when using PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. [IBM MQ Appliance v9.0 NDM Security Technical Implementation Guide]
  • V-223420 (CAT II): IBM z/OS must not use Expired Digital Certificates. [IBM z/OS ACF2 Security Technical Implementation Guide]
  • V-223421 (CAT II): All IBM z/OS digital certificates in use must have a valid path to a trusted Certification authority. [IBM z/OS ACF2 Security Technical Implementation Guide]
  • V-223647 (CAT II): Expired digital certificates must not be used. [IBM z/OS RACF Security Technical Implementation Guide]
  • V-223648 (CAT II): All digital certificates in use must have a valid path to a trusted certification authority (CA). [IBM z/OS RACF Security Technical Implementation Guide]
  • V-223871 (CAT II): All IBM z/OS digital certificates in use must have a valid path to a trusted Certification Authority (CA). [IBM z/OS TSS Security Technical Implementation Guide]
  • V-223872 (CAT II): Expired IBM z/OS digital certificates must not be used. [IBM z/OS TSS Security Technical Implementation Guide]
  • V-237909 (CAT II): All digital certificates in use must have a valid path to a trusted Certification authority. [IBM zVM Using CA VM:Secure Security Technical Implementation Guide]
  • V-224768 (CAT II): When using PKI-based authentication for user access, the ISEC7 SPHERE must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. [ISEC7 Sphere Security Technical Implementation Guide]
  • V-258620 (CAT I): The ICS must be configured to use DOD approved OCSP responders or CRLs to validate certificates used for PKI-based authentication. [Ivanti Connect Secure NDM Security Technical Implementation Guide]
  • V-258590 (CAT II): The ICS, when utilizing PKI-based authentication, must be configured to validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. [Ivanti Connect Secure VPN Security Technical Implementation Guide]
  • V-251027 (CAT II): The Sentry that provides intermediary services for TLS must validate certificates used for TLS functions by performing RFC 5280-compliant certification path validation. [Ivanti MobileIron Sentry 9.x ALG Security Technical Implementation Guide]
  • V-251027 (CAT II): The Sentry that provides intermediary services for TLS must validate certificates used for TLS functions by performing RFC 5280-compliant certification path validation. [Ivanti Sentry 9.x ALG Security Technical Implementation Guide]
  • V-241790 (CAT II): When the Jamf Pro EMM server cannot establish a connection to determine the validity of a certificate, the server must not have the option to accept the certificate. [Jamf Pro v10.x EMM Security Technical Implementation Guide]
  • V-205505 (CAT II): The Mainframe Product, when using PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. [Mainframe Product Security Requirements Guide]
  • V-253699 (CAT II): MariaDB, when utilizing PKI-based authentication, must validate certificates by performing RFC 5280-compliant certification path validation. [MariaDB Enterprise 10.x Security Technical Implementation Guide]
  • V-220366 (CAT II): MarkLogic Server, when utilizing PKI-based authentication, must validate certificates by performing RFC 5280-compliant certification path validation. [MarkLogic Server v9 Security Technical Implementation Guide]
  • V-225223 (CAT II): Digital signatures assigned to strongly named assemblies must be verified. [Microsoft DotNet Framework 4.0 Security Technical Implementation Guide]
  • V-225224 (CAT II): The Trust Providers Software Publishing State must be set to 0x23C00. [Microsoft DotNet Framework 4.0 Security Technical Implementation Guide]
  • V-225225 (CAT II): Developer certificates used with the .NET Publisher Membership Condition must be approved by the ISSO. [Microsoft DotNet Framework 4.0 Security Technical Implementation Guide]
  • V-225231 (CAT II): .NET must be configured to validate strong names on full-trust assemblies. [Microsoft DotNet Framework 4.0 Security Technical Implementation Guide]
  • V-235747 (CAT II): Online revocation checks must be performed. [Microsoft Edge Security Technical Implementation Guide]
  • V-223016 (CAT III): Check for publishers certificate revocation must be enforced. [Microsoft Internet Explorer 11 Security Technical Implementation Guide]
  • V-223078 (CAT III): Checking for server certificate revocation must be enforced. [Microsoft Internet Explorer 11 Security Technical Implementation Guide]
  • V-223358 (CAT II): Outlook must be configured to allow retrieving of Certificate Revocation Lists (CRLs) always when online. [Microsoft Office 365 ProPlus Security Technical Implementation Guide]
  • V-228457 (CAT II): Retrieving of CRL data must be set for online action. [Microsoft Outlook 2016 Security Technical Implementation Guide]
  • V-220903 (CAT II): The DoD Root CA certificates must be installed in the Trusted Root Store. [Microsoft Windows 10 Security Technical Implementation Guide]
  • V-220904 (CAT II): The External Root CA certificates must be installed in the Trusted Root Store on unclassified systems. [Microsoft Windows 10 Security Technical Implementation Guide]
  • V-220905 (CAT II): The DoD Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems. [Microsoft Windows 10 Security Technical Implementation Guide]
  • V-220906 (CAT II): The US DoD CCEB Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems. [Microsoft Windows 10 Security Technical Implementation Guide]
  • V-253427 (CAT II): The DoD Root CA certificates must be installed in the Trusted Root Store. [Microsoft Windows 11 Security Technical Implementation Guide]
  • V-253428 (CAT II): The External Root CA certificates must be installed in the Trusted Root Store on unclassified systems. [Microsoft Windows 11 Security Technical Implementation Guide]
  • V-224991 (CAT II): Domain controllers must have a PKI server certificate. [Microsoft Windows Server 2016 Security Technical Implementation Guide]
  • V-224992 (CAT I): Domain Controller PKI certificates must be issued by the DoD PKI or an approved External Certificate Authority (ECA). [Microsoft Windows Server 2016 Security Technical Implementation Guide]
  • V-224993 (CAT I): PKI certificates associated with user accounts must be issued by the DoD PKI or an approved External Certificate Authority (ECA). [Microsoft Windows Server 2016 Security Technical Implementation Guide]
  • V-225021 (CAT II): The DoD Root CA certificates must be installed in the Trusted Root Store. [Microsoft Windows Server 2016 Security Technical Implementation Guide]
  • V-225022 (CAT II): The DoD Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems. [Microsoft Windows Server 2016 Security Technical Implementation Guide]
  • V-225023 (CAT II): The US DoD CCEB Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems. [Microsoft Windows Server 2016 Security Technical Implementation Guide]
  • V-205645 (CAT II): Windows Server 2019 domain controllers must have a PKI server certificate. [Microsoft Windows Server 2019 Security Technical Implementation Guide]
  • V-205646 (CAT I): Windows Server 2019 domain controller PKI certificates must be issued by the DOD PKI or an approved External Certificate Authority (ECA). [Microsoft Windows Server 2019 Security Technical Implementation Guide]
  • V-205647 (CAT I): Windows Server 2019 PKI certificates associated with user accounts must be issued by a DoD PKI or an approved External Certificate Authority (ECA). [Microsoft Windows Server 2019 Security Technical Implementation Guide]
  • V-205648 (CAT II): Windows Server 2019 must have the DoD Root Certificate Authority (CA) certificates installed in the Trusted Root Store. [Microsoft Windows Server 2019 Security Technical Implementation Guide]
  • V-205649 (CAT II): Windows Server 2019 must have the DoD Interoperability Root Certificate Authority (CA) cross-certificates installed in the Untrusted Certificates Store on unclassified systems. [Microsoft Windows Server 2019 Security Technical Implementation Guide]
  • V-205650 (CAT II): Windows Server 2019 must have the US DoD CCEB Interoperability Root CA cross-certificates in the Untrusted Certificates Store on unclassified systems. [Microsoft Windows Server 2019 Security Technical Implementation Guide]
  • V-254412 (CAT II): Windows Server 2022 domain controllers must have a PKI server certificate. [Microsoft Windows Server 2022 Security Technical Implementation Guide]
  • V-254413 (CAT I): Windows Server 2022 domain controller PKI certificates must be issued by the DOD PKI or an approved External Certificate Authority (ECA). [Microsoft Windows Server 2022 Security Technical Implementation Guide]
  • V-254414 (CAT I): Windows Server 2022 PKI certificates associated with user accounts must be issued by a DoD PKI or an approved External Certificate Authority (ECA). [Microsoft Windows Server 2022 Security Technical Implementation Guide]
  • V-254442 (CAT II): Windows Server 2022 must have the DoD Root Certificate Authority (CA) certificates installed in the Trusted Root Store. [Microsoft Windows Server 2022 Security Technical Implementation Guide]
  • V-254443 (CAT II): Windows Server 2022 must have the DoD Interoperability Root Certificate Authority (CA) cross-certificates installed in the Untrusted Certificates Store on unclassified systems. [Microsoft Windows Server 2022 Security Technical Implementation Guide]
  • V-254444 (CAT II): Windows Server 2022 must have the US DOD CCEB Interoperability Root CA cross-certificates in the Untrusted Certificates Store on unclassified systems. [Microsoft Windows Server 2022 Security Technical Implementation Guide]
  • V-278159 (CAT II): Windows Server 2025 domain controllers must have a PKI server certificate. [Microsoft Windows Server 2025 Security Technical Implementation Guide]
  • V-278160 (CAT I): Windows Server 2025 domain Controller PKI certificates must be issued by the DOD PKI or an approved External Certificate Authority (ECA). [Microsoft Windows Server 2025 Security Technical Implementation Guide]
  • V-278161 (CAT I): Windows Server 2025 PKI certificates associated with user accounts must be issued by a DOD PKI or an approved External Certificate Authority (ECA). [Microsoft Windows Server 2025 Security Technical Implementation Guide]
  • V-278192 (CAT II): Windows Server 2025 must have the DOD Root Certificate Authority (CA) certificates installed in the Trusted Root Store. [Microsoft Windows Server 2025 Security Technical Implementation Guide]
  • V-278193 (CAT II): Windows Server 2025 must have the DOD Interoperability Root Certificate Authority (CA) cross-certificates installed in the Untrusted Certificates Store on unclassified systems. [Microsoft Windows Server 2025 Security Technical Implementation Guide]
  • V-278194 (CAT II): Windows Server 2025 must have the US DOD CCEB Interoperability Root CA cross-certificates in the Untrusted Certificates Store on unclassified systems. [Microsoft Windows Server 2025 Security Technical Implementation Guide]
  • V-260927 (CAT II): MKE's self-signed certificates must be replaced with DOD trusted, signed certificates. [Mirantis Kubernetes Engine Security Technical Implementation Guide]
  • V-221171 (CAT I): If passwords are used for authentication, MongoDB must transmit only encrypted representations of passwords. [MongoDB Enterprise Advanced 3.x Security Technical Implementation Guide]
  • V-252139 (CAT I): If passwords are used for authentication, MongoDB must transmit only encrypted representations of passwords. [MongoDB Enterprise Advanced 4.x Security Technical Implementation Guide]
  • V-265918 (CAT I): If passwords are used for authentication, MongoDB must transmit only encrypted representations of passwords. [MongoDB Enterprise Advanced 7.x Security Technical Implementation Guide]
  • V-279350 (CAT I): If passwords are used for authentication, MongoDB must transmit only encrypted representations of passwords. [MongoDB Enterprise Advanced 8.x Security Technical Implementation Guide]
  • V-251560 (CAT II): Firefox must have the DOD root certificates installed. [Mozilla Firefox Security Technical Implementation Guide]
  • V-246940 (CAT I): ONTAP must be configured to use an authentication server to provide multifactor authentication. [NetApp ONTAP DSC 9.x Security Technical Implementation Guide]
  • V-237780 (CAT I): The network device must be configured to use DoD approved OCSP responders or CRLs to validate certificates used for PKI-based authentication. [Network Device Management Security Requirements Guide]
  • V-254113 (CAT I): Nutanix AOS must perform RFC 5280-compliant certification path validation. [Nutanix AOS 5.20.x Application Security Technical Implementation Guide]
  • V-279442 (CAT II): Nutanix AOS must perform RFC 5280-compliant certification path validation. [Nutanix Acropolis Application Server Security Technical Implementation Guide]
  • V-219775 (CAT II): The DBMS, when utilizing PKI-based authentication, must validate certificates by constructing a certification path with status information to an accepted trust anchor. [Oracle Database 11.2g Security Technical Implementation Guide]
  • V-220291 (CAT II): The DBMS, when utilizing PKI-based authentication, must validate certificates by constructing a certification path with status information to an accepted trust anchor. [Oracle Database 12c Security Technical Implementation Guide]
  • V-221478 (CAT II): OHS must have the LoadModule ossl_module directive enabled to perform RFC 5280-compliant certification path validation. [Oracle HTTP Server 12.1.3 Security Technical Implementation Guide]
  • V-221479 (CAT II): OHS must use FIPS modules to perform RFC 5280-compliant certification path validation. [Oracle HTTP Server 12.1.3 Security Technical Implementation Guide]
  • V-221480 (CAT II): OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to perform RFC 5280-compliant certification path validation. [Oracle HTTP Server 12.1.3 Security Technical Implementation Guide]
  • V-221481 (CAT II): OHS must have the SSLCipherSuite directive enabled to perform RFC 5280-compliant certification path validation. [Oracle HTTP Server 12.1.3 Security Technical Implementation Guide]
  • V-221482 (CAT II): OHS must have the SSLVerifyClient directive set within each SSL-enabled VirtualHost directive to perform RFC 5280-compliant certification path validation. [Oracle HTTP Server 12.1.3 Security Technical Implementation Guide]
  • V-221483 (CAT II): OHS must have the SSLCARevocationFile and SSLCRLCheck directives within each SSL-enabled VirtualHost directive set to perform RFC 5280-compliant certification path validation when using single certification revocation. [Oracle HTTP Server 12.1.3 Security Technical Implementation Guide]
  • V-221484 (CAT II): OHS must have SSLCARevocationPath and SSLCRLCheck directives within each SSL-enabled VirtualHost directive set to perform RFC 5280-compliant certification path validation when using multiple certification revocation. [Oracle HTTP Server 12.1.3 Security Technical Implementation Guide]
  • V-221485 (CAT II): OHS must be integrated with a tool such as Oracle Access Manager to enforce a client-side certificate revocation check through the OCSP protocol. [Oracle HTTP Server 12.1.3 Security Technical Implementation Guide]
  • V-248531 (CAT II): OL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. [Oracle Linux 8 Security Technical Implementation Guide]
  • V-271604 (CAT II): OL 9, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. [Oracle Linux 9 Security Technical Implementation Guide]
  • V-235134 (CAT II): The MySQL Database Server 8.0, when utilizing PKI-based authentication, must validate certificates by performing RFC 5280-compliant certification path validation. [Oracle MySQL 8.0 Security Technical Implementation Guide]
  • V-235973 (CAT II): Oracle WebLogic, when utilizing PKI-based authentication, must validate certificates by constructing a certification path with status information to an accepted trust anchor. [Oracle WebLogic Server 12c Security Technical Implementation Guide]
  • V-228841 (CAT II): The Palo Alto Networks security platform that provides intermediary services for TLS must validate certificates used for TLS functions by performing RFC 5280-compliant certification path validation. [Palo Alto Networks ALG Security Technical Implementation Guide]
  • V-214111 (CAT II): PostgreSQL, when utilizing PKI-based authentication, must validate certificates by performing RFC 5280-compliant certification path validation. [PostgreSQL 9.x Security Technical Implementation Guide]
  • V-254553 (CAT I): Rancher RKE2 must protect authenticity of communications sessions with the use of FIPS-validated 140-2 or 140-3 security requirements for cryptographic modules. [Rancher Government Solutions RKE2 Security Technical Implementation Guide]
  • V-281329 (CAT II): RHEL 10 must, for PKI-based authentication, validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. [Red Hat Enterprise Linux 10 Security Technical Implementation Guide]
  • V-230229 (CAT II): RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. [Red Hat Enterprise Linux 8 Security Technical Implementation Guide]
  • V-258131 (CAT II): RHEL 9, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. [Red Hat Enterprise Linux 9 Security Technical Implementation Guide]
  • V-251225 (CAT II): Redis Enterprise DBMS, when utilizing PKI-based authentication, must validate certificates by performing RFC 5280-compliant certification path validation. [Redis Enterprise 6.x Security Technical Implementation Guide]
  • V-238507 (CAT II): The Riverbed Optimization System (RiOS) that provides intermediary services for TLS must validate certificates used for TLS functions by performing RFC 5280-compliant certification path validation. [Riverbed SteelHead CX v8 ALG Security Technical Implementation Guide]
  • V-254087 (CAT I): Innoslate must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access. [SPEC Innovations Innoslate 4.x Security Technical Implementation Guide]
  • V-254093 (CAT I): Innoslate must use multifactor authentication for network access to privileged and non-privileged accounts. [SPEC Innovations Innoslate 4.x Security Technical Implementation Guide]
  • V-261401 (CAT II): SLEM 5, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. [SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation Guide]
  • V-217302 (CAT II): The SUSE operating system, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. [SUSE Linux Enterprise Server 12 Security Technical Implementation Guide]
  • V-22556 (CAT II): If the system is using LDAP for authentication or account information, certificates used to authenticate to the LDAP server must be provided from DoD PKI or a DoD-approved external PKI. [SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide]
  • V-22557 (CAT II): If the system is using LDAP for authentication or account information, the LDAP TLS connection must require the server provide a certificate with a valid trust path to a trusted CA. [SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide]
  • V-22558 (CAT II): If the system is using LDAP for authentication or account information, the system must verify the LDAP servers certificate has not been revoked. [SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide]
  • V-276553 (CAT III): Samsung Android must not accept the certificate when it cannot establish a connection to determine the validity of a certificate. [Samsung Android 16 COBO Security Technical Implementation Guide]
  • V-276661 (CAT III): Samsung Android must not accept the certificate when it cannot establish a connection to determine the validity of a certificate. [Samsung Android 16 COPE Security Technical Implementation Guide]
  • V-255134 (CAT III): Samsung Android must not accept the certificate when it cannot establish a connection to determine the validity of a certificate. [Samsung Android OS 13 with Knox 3.x COBO Security Technical Implementation Guide]
  • V-255164 (CAT III): Samsung Android must not accept the certificate when it cannot establish a connection to determine the validity of a certificate. [Samsung Android OS 13 with Knox 3.x COPE Security Technical Implementation Guide]
  • V-258653 (CAT III): Samsung Android must not accept the certificate when it cannot establish a connection to determine the
validity of a certificate.Samsung Android OS 14 with Knox 3.x COBO Security Technical Implementation GuideV-258690CAT IIISamsung Android must not accept the certificate when it cannot establish a connection to determine the validity of a certificate.Samsung Android OS 14 with Knox 3.x COPE Security Technical Implementation GuideV-268882CAT IIISamsung Android must not accept the certificate when it cannot establish a connection to determine the validity of a certificate.Samsung Android OS 15 with Knox 3.x COBO Security Technical Implementation GuideV-268981CAT IIISamsung Android must not accept the certificate when it cannot establish a connection to determine the validity of a certificate.Samsung Android OS 15 with Knox 3.x COPE Security Technical Implementation GuideV-279166CAT IIThe ALG providing user authentication intermediary services must uniquely identify and authenticate nonorganizational users (or processes acting on behalf of nonorganizational users).Symantec Edge SWG ALG Security Technical Implementation GuideV-279251CAT IThe Edge SWG must be configured to use at least two authentication servers for the purpose of authenticating users prior to granting administrative access.Symantec Edge SWG NDM Security Technical Implementation GuideV-241031CAT IIThe Tanium Server certificates must have Extended Key Usage entries for the serverAuth object TLS Web Server Authentication and the clientAuth object TLS Web Client Authentication.Tanium 7.0 Security Technical Implementation GuideV-234092CAT IIThe Tanium Server certificates must have Extended Key Usage entries for the serverAuth object TLS Web Server Authentication and the clientAuth object TLS Web Client Authentication.Tanium 7.3 Security Technical Implementation GuideV-254914CAT IIThe Tanium Server certificates must have Extended Key Usage entries for the serverAuth object TLS Web Server Authentication and the clientAuth object TLS Web Client Authentication.Tanium 7.x Application on TanOS Security Technical 
Implementation GuideV-254873CAT IThe Tanium Operating System (TanOS) must use a FIPS-validated cryptographic module to provision digital signatures.Tanium 7.x Operating System on TanOS Security Technical Implementation GuideV-253851CAT IIThe Tanium Server certificates must have Extended Key Usage entries for the serverAuth object TLS Web Server Authentication and the clientAuth object TLS Web Client Authentication.Tanium 7.x Security Technical Implementation GuideV-252912CAT IITOSS, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.Tri-Lab Operating System Stack (TOSS) 4 Security Technical Implementation GuideV-282442CAT IITOSS 5, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation GuideV-234239CAT IIThe UEM Agent must not install policies if the policy-signing certificate is deemed invalid.Unified Endpoint Management Agent Security Requirements GuideV-234378CAT IIWhen using PKI-based authentication for user access, the UEM server must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.Unified Endpoint Management Server Security Requirements GuideV-234379CAT IIWhen the UEM server cannot establish a connection to determine the validity of a certificate, the server must be configured not to have the option to accept the certificate.Unified Endpoint Management Server Security Requirements GuideV-234676CAT IIThe UEM server must validate certificates used for Transport Layer Security (TLS) functions by performing RFC 5280-compliant certification path validation.Unified Endpoint Management Server Security Requirements GuideV-240063CAT IIHAProxy must perform RFC 5280-compliant certification path validation if PKI is 
being used.VMW vRealize Automation 7.x HA Proxy Security Technical Implementation GuideV-246891CAT IIThe Horizon Connection Server must perform full path validation on server-to-server TLS connection certificates.VMware Horizon 7.13 Connection Server Security Technical Implementation GuideV-246892CAT IIThe Horizon Connection Server must validate client and administrator certificates.VMware Horizon 7.13 Connection Server Security Technical Implementation GuideV-240804CAT IItc Server ALL must validate client certificates, to include all intermediary CAs, to ensure the client-presented certificates are valid and that the entire trust chain is valid.VMware vRealize Automation 7.x tc Server Security Technical Implementation GuideV-241657CAT IItc Server ALL must validate client certificates, to include all intermediary CAs, to ensure the client-presented certificates are valid and that the entire trust chain is valid. If PKI is not being used, this check is Not Applicable.VMware vRealize Operations Manager 6.x tc Server Security Technical Implementation GuideV-256333CAT IIThe vCenter Server must enable revocation checking for certificate-based authentication.VMware vSphere 7.0 vCenter Security Technical Implementation GuideV-258919CAT IIThe vCenter Server must enable revocation checking for certificate-based authentication.VMware vSphere 8.0 vCenter Security Technical Implementation GuideV-207369CAT IIThe VMM, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.Virtual Machine Manager Security Requirements GuideV-207214CAT IIThe VPN Gateway, when utilizing PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.Virtual Private Network (VPN) Security Requirements GuideV-207263CAT IIThe VPN Gateway must validate certificates used for Transport Layer Security (TLS) 
functions by performing RFC 5280-compliant certification path validation.Virtual Private Network (VPN) Security Requirements GuideV-206388CAT IIThe web server must perform RFC 5280-compliant certification path validation.Web Server Security Requirements GuideV-73605CAT IIThe DoD Root CA certificates must be installed in the Trusted Root Store.Windows Server 2016 Security Technical Implementation GuideV-73605CAT IIThe DoD Root CA certificates must be installed in the Trusted Root Store.Windows Server 2016 Security Technical Implementation GuideV-73607CAT IIThe DoD Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems.Windows Server 2016 Security Technical Implementation GuideV-73607CAT IIThe DoD Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems.Windows Server 2016 Security Technical Implementation GuideV-73609CAT IIThe US DoD CCEB Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems.Windows Server 2016 Security Technical Implementation GuideV-73609CAT IIThe US DoD CCEB Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems.Windows Server 2016 Security Technical Implementation GuideV-73611CAT IIDomain controllers must have a PKI server certificate.Windows Server 2016 Security Technical Implementation Guide
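The thread running through these checks is that building a chain to a trust anchor is only half of CCI-000185: the validator must also obtain status information (a CRL, as in the OHS SSLCRLCheck checks, or OCSP, as in V-221485) and must fail closed when it cannot, as the UEM server and Samsung Android checks spell out. The script below is an added example, not text from STIGhub or from any STIG check: it builds a throwaway CA with the OpenSSL command line, issues one good and one revoked leaf, and compares path-only validation with path-plus-CRL validation. The file names, subject names and the `verify_status` helper are constructed for the example; the `openssl` commands, options and error strings are the tool's own (OpenSSL 1.1.1 or later is assumed).

```shell
#!/bin/sh
# Added example (not from the STIGhub page or any STIG): path validation
# alone vs. path validation with revocation status, using a throwaway CA.
# Requires the openssl CLI (1.1.1 or later). All names below are constructed.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI required" >&2; exit 1; }

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal config: [req]/[v3_ca] for the self-signed root, [v3_leaf] for
# end-entity certs, [ca]/[demo_ca] so "openssl ca" can revoke and issue a CRL.
cat > pki.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints       = critical,CA:TRUE
keyUsage               = critical,keyCertSign,cRLSign
subjectKeyIdentifier   = hash
[ v3_leaf ]
basicConstraints       = CA:FALSE
keyUsage               = critical,digitalSignature
extendedKeyUsage       = clientAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database         = ./index.txt
new_certs_dir    = .
serial           = ./serial
crlnumber        = ./crlnumber
certificate      = ./ca.crt
private_key      = ./ca.key
default_md       = sha256
default_days     = 1
default_crl_days = 1
policy           = demo_policy
[ demo_policy ]
commonName = supplied
EOF
touch index.txt
echo 1000 > serial
echo 01 > crlnumber

# Trust anchor: a self-signed root (constructed, throwaway).
openssl req -config pki.cnf -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj '/CN=Constructed Demo Root' -keyout ca.key -out ca.crt >/dev/null 2>&1

# Issue a client-auth leaf signed by the root. $1 = file stem and CN.
issue_leaf() {
  openssl req -config pki.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=$1" -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
  openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 1 -extfile pki.cnf -extensions v3_leaf -out "$1.crt" >/dev/null 2>&1
}
issue_leaf good
issue_leaf revoked

# Revoke one leaf and publish the CRL: the "status information" of CCI-000185.
openssl ca -config pki.cnf -revoke revoked.crt >/dev/null 2>&1
openssl ca -config pki.cnf -gencrl -out ca.crl >/dev/null 2>&1

# verify_status CERT [extra "openssl verify" options]
# Prints OK, REVOKED, NO_STATUS (chain built, but no CRL for the issuer was
# available) or FAIL, based on the exit code and OpenSSL's own error strings.
verify_status() {
  cert="$1"; shift
  if out=$(openssl verify -CAfile ca.crt "$@" "$cert" 2>&1); then
    echo OK
  elif echo "$out" | grep -q 'certificate revoked'; then
    echo REVOKED
  elif echo "$out" | grep -q 'unable to get certificate CRL'; then
    echo NO_STATUS
  else
    echo FAIL
  fi
}

# Path validation only: the revoked certificate is still accepted.
echo "path only,       good    : $(verify_status good.crt)"
echo "path only,       revoked : $(verify_status revoked.crt)"
# Status check demanded but no CRL loaded: fails closed rather than accepting.
echo "crl_check, no CRL, revoked: $(verify_status revoked.crt -crl_check)"
# Path plus status: the revoked leaf is rejected, the good one still passes.
echo "crl_check + CRL, revoked : $(verify_status revoked.crt -crl_check -CRLfile ca.crl)"
echo "crl_check + CRL, good    : $(verify_status good.crt -crl_check -CRLfile ca.crl)"
```

The second line of output is the finding an assessor is looking for: a validator that stops at "chain to trust anchor" accepts a revoked credential and is not CCI-000185 compliant. `-crl_check` only consults the CRL for the leaf; use `-crl_check_all` when intermediates are present, and note that `openssl verify` does not perform OCSP, so an OCSP-based deployment (V-221485, vCenter revocation checking) needs the application's own responder configuration or `openssl ocsp` to exercise that path.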