
STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

CCI-000186

Definition

For public key-based authentication, enforce authorized access to the corresponding private key.

Parent Control

IA-5 (2), Authenticator Management, in the Identification and Authentication control family

Linked STIG Checks (122)

Each entry lists the STIG check ID, its severity category, the check title, and the STIG or SRG it belongs to.

  • V-204677 | CAT II | AAA Services must be configured to enforce authorized access to the corresponding private key for PKI-based authentication. | AAA Services Security Requirements Guide
  • V-279063 | CAT II | ColdFusion must be configured to use only DOD-approved keystores and truststores containing certificates issued by a DOD Public Key Infrastructure (PKI) Certificate Authority (CA), and all keystore and truststore files must be protected by file system permissions that prevent unauthorized access or modification. | Adobe ColdFusion Security Technical Implementation Guide
  • V-274064 | CAT II | Amazon Linux 2023, for PKI-based authentication, must enforce authorized access to the corresponding private key. | Amazon Linux 2023 Security Technical Implementation Guide
  • V-268125 | CAT II | NixOS must enforce authorized access to the corresponding private key for PKI-based authentication. | Anduril NixOS Security Technical Implementation Guide
  • V-214246 | CAT II | The Apache web server must be configured to use a specified IP address and port. | Apache Server 2.4 UNIX Server Security Technical Implementation Guide
  • V-214287 | CAT II | Only authenticated system administrators or the designated PKI Sponsor for the Apache web server must have access to the Apache web servers private key. | Apache Server 2.4 UNIX Site Security Technical Implementation Guide
  • V-214371 | CAT II | Only authenticated system administrators or the designated PKI Sponsor for the Apache web server must have access to the Apache web servers private key. | Apache Server 2.4 Windows Site Security Technical Implementation Guide
  • V-222931 | CAT I | Default password for keystore must be changed. | Apache Tomcat Application Server 9 Security Technical Implementation Guide
  • V-222967 | CAT II | Keystore file must be protected. | Apache Tomcat Application Server 9 Security Technical Implementation Guide
  • V-252477 | CAT II | The macOS system must accept and verify Personal Identity Verification (PIV) credentials, implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network, and only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions. | Apple macOS 12 (Monterey) Security Technical Implementation Guide
  • V-257183 | CAT II | The macOS system must accept and verify Personal Identity Verification (PIV) credentials, implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network, and only allow the use of DOD PKI-established certificate authorities for verification of the establishment of protected sessions. | Apple macOS 13 (Ventura) Security Technical Implementation Guide
  • V-259477 | CAT I | The macOS system must disable password authentication for SSH. | Apple macOS 14 (Sonoma) Security Technical Implementation Guide
  • V-259545 | CAT II | The macOS system must enforce smart card authentication. | Apple macOS 14 (Sonoma) Security Technical Implementation Guide
  • V-268477 | CAT I | The macOS system must disable password authentication for SSH. | Apple macOS 15 (Sequoia) Security Technical Implementation Guide
  • V-268542 | CAT II | The macOS system must enforce smart card authentication. | Apple macOS 15 (Sequoia) Security Technical Implementation Guide
  • V-277084 | CAT I | The macOS system must disable password authentication for SSH. | Apple macOS 26 (Tahoe) Security Technical Implementation Guide
  • V-277150 | CAT II | The macOS system must enforce smart card authentication. | Apple macOS 26 (Tahoe) Security Technical Implementation Guide
  • V-222551 | CAT I | The application, when using PKI-based authentication, must enforce authorized access to the corresponding private key. | Application Security and Development Security Technical Implementation Guide
  • V-204755 | CAT II | Only authenticated system administrators or the designated PKI Sponsor for the application server must have access to the web servers private key. | Application Server Security Requirements Guide
  • V-237322 | CAT I | The ArcGIS Server must use Windows authentication to enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. | ArcGIS for Server 10.3 Security Technical Implementation Guide
  • V-272627 | CAT III | CylanceON-PREM must be configured to use a third-party identity provider. | Arctic Wolf CylanceON-PREM Security Technical Implementation Guide
  • V-276012 | CAT I | Ax-OS must have no local accounts for the user interface. | Axonius Federal Systems Ax-OS Security Technical Implementation Guide
  • V-272372 | CAT II | The BIND 9.x server private key corresponding to the zone-signing key (ZSK) pair must be the only DNSSEC key kept on a name server that supports dynamic updates. | BIND 9.x Security Technical Implementation Guide
  • V-272373 | CAT II | The BIND 9.x server signature generation using the key signing key (KSK) must be done offline, using the KSK-private key stored offline. | BIND 9.x Security Technical Implementation Guide
  • V-272375 | CAT II | The read and write access to a TSIG key file used by a BIND 9.x server must be restricted to only the account that runs the name server software. | BIND 9.x Security Technical Implementation Guide
  • V-272376 | CAT II | A unique TSIG key used by a BIND 9.x server must be generated for each pair of communicating hosts. | BIND 9.x Security Technical Implementation Guide
  • V-272377 | CAT II | The TSIG keys used with the BIND 9.x implementation must be owned by a privileged account. | BIND 9.x Security Technical Implementation Guide
  • V-272378 | CAT II | The TSIG keys used with the BIND 9.x implementation must be group owned by a privileged account. | BIND 9.x Security Technical Implementation Guide
  • V-206479 | CAT I | The Central Log Server, when using PKI-based authentication, must enforce authorized access to the corresponding private key. | Central Log Server Security Requirements Guide
  • V-269410 | CAT II | For PKI-based authentication, AlmaLinux OS 9 must enforce authorized access to the corresponding private key. | Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
  • V-233602 | CAT I | PostgreSQL must enforce authorized access to all PKI private keys stored/utilized by PostgreSQL. | Crunchy Data PostgreSQL Security Technical Implementation Guide
  • V-261894 | CAT I | PostgreSQL must enforce authorized access to all PKI private keys stored/used by PostgreSQL. | Crunchy Data Postgres 16 Security Technical Implementation Guide
  • V-206559 | CAT I | The DBMS must enforce authorized access to all PKI private keys stored/utilized by the DBMS. | Database Security Requirements Guide
  • V-235822 | CAT II | The certificate chain used by Universal Control Plane (UCP) client bundles must match what is defined in the System Security Plan (SSP) in Docker Enterprise. | Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide
  • V-235823 | CAT II | Docker Enterprise Swarm manager must be run in auto-lock mode. | Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide
  • V-235824 | CAT II | Docker Enterprise secret management commands must be used for managing secrets in a Swarm cluster. | Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide
  • V-205170 | CAT II | The DNS server implementation, when using PKI-based authentication, must enforce authorized access to the corresponding private key. | Domain Name System (DNS) Security Requirements Guide
  • V-205171 | CAT II | The key file must be owned by the account under which the name server software is run. | Domain Name System (DNS) Security Requirements Guide
  • V-205172 | CAT II | Read/Write access to the key file must be restricted to the account that runs the name server software only. | Domain Name System (DNS) Security Requirements Guide
  • V-205173 | CAT II | Only the private key corresponding to the ZSK alone must be kept on the name server that does support dynamic updates. | Domain Name System (DNS) Security Requirements Guide
  • V-205174 | CAT II | Signature generation using the KSK must be done off-line, using the KSK-private stored off-line. | Domain Name System (DNS) Security Requirements Guide
  • V-271034 | CAT II | Dragos Platform must accept the DOD CAC or other PKI credential for identity management and personal authentication. | Dragos Platform 2.x Security Technical Implementation Guide
  • V-224170 | CAT I | The EDB Postgres Advanced Server must enforce authorized access to all PKI private keys stored/utilized by the EDB Postgres Advanced Server. | EDB Postgres Advanced Server v11 on Windows Security Technical Implementation Guide
  • V-213600 | CAT I | The EDB Postgres Advanced Server must enforce authorized access to all PKI private keys stored/utilized by the EDB Postgres Advanced Server. | EDB Postgres Advanced Server v9.6 Security Technical Implementation Guide
  • V-259250 | CAT I | The EDB Postgres Advanced Server must enforce authorized access to all PKI private keys stored/used by the EDB Postgres Advanced Server. | EnterpriseDB Postgres Advanced Server (EPAS) Security Technical Implementation Guide
  • V-278392 | CAT II | NGINX, when using PKI-based authentication, must enforce authorized access to the corresponding private key. | F5 NGINX Security Technical Implementation Guide
  • V-203623 | CAT II | The operating system, for PKI-based authentication, must enforce authorized access to the corresponding private key. | General Purpose Operating System Security Requirements Guide
  • V-255264 | CAT II | SSMC web server application, libraries, and configuration files must only be accessible to privileged users. | HPE 3PAR SSMC Web Server Security Technical Implementation Guide
  • V-215321 | CAT II | AIX SSH private host key files must have mode 0600 or less permissive. | IBM AIX 7.x Security Technical Implementation Guide
  • V-255873 | CAT I | The WebSphere Application Server default keystore passwords must be changed. | IBM WebSphere Traditional V9.x Security Technical Implementation Guide
  • V-223568 | CAT II | IBM z/OS must use ICSF or SAF Key Rings for key management. | IBM z/OS ACF2 Security Technical Implementation Guide
  • V-223883 | CAT II | IBM z/OS for PKI-based authentication must use ICSF or the ESM to store keys. | IBM z/OS TSS Security Technical Implementation Guide
  • V-237910 | CAT II | The IBM z/VM TCP/IP Key database for LDAP or SSL server must be created with the proper permissions. | IBM zVM Using CA VM:Secure Security Technical Implementation Guide
  • V-214165 | CAT II | Only the private key corresponding to the ZSK alone must be kept on the name server that does support dynamic updates. | Infoblox 7.x DNS Security Technical Implementation Guide
  • V-214166 | CAT II | Signature generation using the KSK must be done off-line, using the KSK-private stored off-line. | Infoblox 7.x DNS Security Technical Implementation Guide
  • V-233902 | CAT II | Infoblox systems that communicate with non-Grid DNS service members must use a unique Transaction Signature (TSIG). | Infoblox 8.x DNS Security Technical Implementation Guide
  • V-233903 | CAT I | The Infoblox Grid Master must be configured as a stealth (hidden) domain DNS service member to protect the Key Signing Key (KSK) residing on it. | Infoblox 8.x DNS Security Technical Implementation Guide
  • V-233904 | CAT I | The Infoblox Grid Master must be configured as a stealth (hidden) domain DNS service member in order to protect the Zone Signing Key (ZSK) residing on it. | Infoblox 8.x DNS Security Technical Implementation Guide
  • V-213534 | CAT II | The JBoss server must be configured to restrict access to the web servers private key to authenticated system administrators. | JBoss Enterprise Application Platform 6.3 Security Technical Implementation Guide
  • V-213968 | CAT I | SQL Server must enforce authorized access to all PKI private keys stored/utilized by SQL Server. | MS SQL Server 2016 Instance Security Technical Implementation Guide
  • V-205506 | CAT II | The Mainframe Product, when using PKI-based authentication, must enforce authorized access to the corresponding private key. | Mainframe Product Security Requirements Guide
  • V-253700 | CAT I | MariaDB must enforce authorized access to all PKI private keys stored/used by the DBMS. | MariaDB Enterprise 10.x Security Technical Implementation Guide
  • V-220367 | CAT I | MarkLogic Server must enforce authorized access to all PKI private keys stored/utilized by the DBMS. | MarkLogic Server v9 Security Technical Implementation Guide
  • V-225226 | CAT II | Encryption keys used for the .NET Strong Name Membership Condition must be protected. | Microsoft DotNet Framework 4.0 Security Technical Implementation Guide
  • V-271314 | CAT I | SQL Server must use NIST FIPS 140-2 or 140-3 validated cryptographic operations for encryption, hashing, and signing. | Microsoft SQL Server 2022 Instance Security Technical Implementation Guide
  • V-215604 | CAT II | The Windows 2012 DNS Server must be configured to enforce authorized access to the corresponding private key. | Microsoft Windows 2012 Server Domain Name System Security Technical Implementation Guide
  • V-215605 | CAT II | The Windows 2012 DNS Server key file must be owned by the account under which the Windows 2012 DNS Server service is run. | Microsoft Windows 2012 Server Domain Name System Security Technical Implementation Guide
  • V-215606 | CAT II | The Windows 2012 DNS Server permissions must be set so that the key file can only be read or modified by the account that runs the name server software. | Microsoft Windows 2012 Server Domain Name System Security Technical Implementation Guide
  • V-215607 | CAT II | The private key corresponding to the ZSK must only be stored on the name server that does support dynamic updates. | Microsoft Windows 2012 Server Domain Name System Security Technical Implementation Guide
  • V-225058 | CAT II | Users must be required to enter a password to access private keys stored on the computer. | Microsoft Windows Server 2016 Security Technical Implementation Guide
  • V-205651 | CAT II | Windows Server 2019 users must be required to enter a password to access private keys stored on the computer. | Microsoft Windows Server 2019 Security Technical Implementation Guide
  • V-254479 | CAT II | Windows Server 2022 users must be required to enter a password to access private keys stored on the computer. | Microsoft Windows Server 2022 Security Technical Implementation Guide
  • V-278229 | CAT II | Windows Server 2025 users must be required to enter a password to access private keys stored on the computer. | Microsoft Windows Server 2025 Security Technical Implementation Guide
  • V-259367 | CAT II | The Windows DNS Server must be configured to enforce authorized access to the corresponding private key. | Microsoft Windows Server Domain Name System (DNS) Security Technical Implementation Guide
  • V-259368 | CAT II | The Windows DNS Server key file must be owned by the account under which the Windows DNS Server service is run. | Microsoft Windows Server Domain Name System (DNS) Security Technical Implementation Guide
  • V-259370 | CAT II | The private key corresponding to the zone signing key (ZSK) must only be stored on the name server that does support dynamic updates. | Microsoft Windows Server Domain Name System (DNS) Security Technical Implementation Guide
  • V-259410 | CAT II | A unique Transaction Signature (TSIG) key must be generated for each pair of communicating hosts. | Microsoft Windows Server Domain Name System (DNS) Security Technical Implementation Guide
  • V-221172 | CAT I | MongoDB must enforce authorized access to all PKI private keys stored/utilized by MongoDB. | MongoDB Enterprise Advanced 3.x Security Technical Implementation Guide
  • V-252160 | CAT I | MongoDB must enforce authorized access to all PKI private keys stored/utilized by MongoDB. | MongoDB Enterprise Advanced 4.x Security Technical Implementation Guide
  • V-265919 | CAT I | MongoDB must enforce authorized access to all PKI private keys stored/used by MongoDB. | MongoDB Enterprise Advanced 7.x Security Technical Implementation Guide
  • V-279351 | CAT I | MongoDB must enforce authorized access to all PKI private keys stored/used by the DBMS. | MongoDB Enterprise Advanced 8.x Security Technical Implementation Guide
  • V-219747 | CAT I | The DBMS, when using PKI-based authentication, must enforce authorized access to the corresponding private key. | Oracle Database 11.2g Security Technical Implementation Guide
  • V-220263 | CAT I | The DBMS, when using PKI-based authentication, must enforce authorized access to the corresponding private key. | Oracle Database 12c Security Technical Implementation Guide
  • V-270566 | CAT I | Oracle Database, when using public key infrastructure (PKI)-based authentication, must enforce authorized access to the corresponding private key. | Oracle Database 19c Security Technical Implementation Guide
  • V-248532 | CAT II | OL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key. | Oracle Linux 8 Security Technical Implementation Guide
  • V-271605 | CAT II | OL 9, for PKI-based authentication, must enforce authorized access to the corresponding private key. | Oracle Linux 9 Security Technical Implementation Guide
  • V-235135 | CAT I | The MySQL Database Server 8.0 must enforce authorized access to all PKI private keys stored/utilized by the MySQL Database Server 8.0. | Oracle MySQL 8.0 Security Technical Implementation Guide
  • V-214136 | CAT I | PostgreSQL must enforce authorized access to all PKI private keys stored/utilized by PostgreSQL. | PostgreSQL 9.x Security Technical Implementation Guide
  • V-281326 | CAT II | RHEL 10 must, for PKI-based authentication, enforce authorized access to the corresponding private key. | Red Hat Enterprise Linux 10 Security Technical Implementation Guide
  • V-230230 | CAT II | RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key. | Red Hat Enterprise Linux 8 Security Technical Implementation Guide
  • V-258127 | CAT II | RHEL 9, for PKI-based authentication, must enforce authorized access to the corresponding private key. | Red Hat Enterprise Linux 9 Security Technical Implementation Guide
  • V-251226 | CAT I | Redis Enterprise DBMS must enforce authorized access to all PKI private keys stored/used by Redis Enterprise DBMS. | Redis Enterprise 6.x Security Technical Implementation Guide
  • V-73077 | CAT II | Access to the SDN management and orchestration systems must be authenticated using a FIPS-approved message authentication code algorithm. | SDN Using NV Security Technical Implementation Guide
  • V-73083 | CAT II | Southbound API management plane traffic for provisioning and configuring virtual network elements within the SDN infrastructure must be authenticated using a FIPS-approved message authentication code algorithm. | SDN Using NV Security Technical Implementation Guide
  • V-73087 | CAT II | Southbound API management plane traffic for configuring SDN parameters on physical network elements must be authenticated using DOD PKI certificate-based authentication. | SDN Using NV Security Technical Implementation Guide
  • V-254093 | CAT I | Innoslate must use multifactor authentication for network access to privileged and non-privileged accounts. | SPEC Innovations Innoslate 4.x Security Technical Implementation Guide
  • V-261342 | CAT II | SLEM 5, for PKI-based authentication, must enforce authorized access to the corresponding private key. | SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation Guide
  • V-241032 | CAT I | The Tanium Server certificate and private/public keys directory must be protected with appropriate permissions. | Tanium 7.0 Security Technical Implementation Guide
  • V-234093 | CAT I | The Tanium Server certificate and private/public keys directory must be protected with appropriate permissions. | Tanium 7.3 Security Technical Implementation Guide
  • V-252913 | CAT II | TOSS, for PKI-based authentication, must enforce authorized access to the corresponding private key. | Tri-Lab Operating System Stack (TOSS) 4 Security Technical Implementation Guide
  • V-282443 | CAT II | TOSS 5, for public key infrastructure (PKI)-based authentication, must enforce authorized access to the corresponding private key. | Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide
  • V-234240 | CAT II | The UEM Agent must use managed endpoint device key storage for all persistent secret and private keys. | Unified Endpoint Management Agent Security Requirements Guide
  • V-234380 | CAT II | The UEM server, when using PKI-based authentication, must enforce authorized access to the corresponding private key. | Unified Endpoint Management Server Security Requirements Guide
  • V-240064 | CAT II | HAProxys private key must have access restricted. | VMW vRealize Automation 7.x HA Proxy Security Technical Implementation Guide
  • V-240249 | CAT II | Lighttpd must have private key access restricted. | VMware vRealize Automation 7.x Lighttpd Security Technical Implementation Guide
  • V-240805 | CAT II | tc Server ALL must only allow authenticated system administrators to have access to the keystore. | VMware vRealize Automation 7.x tc Server Security Technical Implementation Guide
  • V-240941 | CAT I | The vAMI private key must only be accessible to authenticated system administrators or the designated PKI Sponsor. | VMware vRealize Automation 7.x vAMI Security Technical Implementation Guide
  • V-241658 | CAT II | tc Server ALL must only allow authenticated system administrators to have access to the keystore. | VMware vRealize Operations Manager 6.x tc Server Security Technical Implementation Guide
  • V-241659 | CAT II | tc Server ALL must only allow authenticated system administrators to have access to the truststore. | VMware vRealize Operations Manager 6.x tc Server Security Technical Implementation Guide
  • V-256661 | CAT II | VAMI must protect the keystore from unauthorized access. | VMware vSphere 7.0 VAMI Security Technical Implementation Guide
  • V-256602 | CAT I | VMware Postgres must enforce authorized access to all public key infrastructure (PKI) private keys. | VMware vSphere 7.0 vCenter Appliance PostgreSQL Security Technical Implementation Guide
  • V-256741 | CAT II | The Envoy private key file must be protected from unauthorized access. | VMware vSphere 7.0 vCenter Appliance RhttpProxy Security Technical Implementation Guide
  • V-259162 | CAT II | The vCenter Envoy service private key file must be protected from unauthorized access. | VMware vSphere 8.0 vCenter Appliance Envoy Security Technical Implementation Guide
  • V-259147 | CAT II | The vCenter VAMI service must restrict access to the web server's private key. | VMware vSphere 8.0 vCenter Appliance Management Interface (VAMI) Security Technical Implementation Guide
  • V-259177 | CAT I | The vCenter PostgreSQL service must enforce authorized access to all PKI private keys stored/utilized by PostgreSQL. | VMware vSphere 8.0 vCenter Appliance PostgreSQL Security Technical Implementation Guide
  • V-207370 | CAT II | The VMM, for PKI-based authentication, must enforce authorized access to the corresponding private key. | Virtual Machine Manager Security Requirements Guide
  • V-207215 | CAT II | The site-to-site VPN, when using PKI-based authentication for devices, must enforce authorized access to the corresponding private key. | Virtual Private Network (VPN) Security Requirements Guide
  • V-206389 | CAT II | Only authenticated system administrators or the designated PKI Sponsor for the web server must have access to the web servers private key. | Web Server Security Requirements Guide
  • V-73699 | CAT II | Users must be required to enter a password to access private keys stored on the computer. | Windows Server 2016 Security Technical Implementation Guide
  • V-73699 | CAT II | Users must be required to enter a password to access private keys stored on the computer. | Windows Server 2016 Security Technical Implementation Guide
  • V-93493 | CAT II | Windows Server 2019 users must be required to enter a password to access private keys stored on the computer. | Windows Server 2019 Security Technical Implementation Guide
  • V-269574 | CAT I | Xylok Security Suite must use a centralized user management solution. | Xylok Security Suite 20.x Security Technical Implementation Guide