STIGhub

A free tool to search and browse the entire DISA STIG library.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

CCI-000187

Definition

For public key-based authentication, map the authenticated identity to the account of the individual or group.
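An added worked example of what this mapping looks like in practice (this is example code written for this page, not code from STIGhub, DISA, or PostgreSQL): a small resolver for PostgreSQL-style pg_ident.conf user-name maps, the mechanism PostgreSQL provides for this requirement. With the `cert` authentication method, PostgreSQL takes the client certificate's CN as the system user name and consults the map named by `map=` in pg_hba.conf; a CN the map does not resolve to an existing role gets no access. The map contents, the role catalog and the certificate CNs below are constructed sample data, and the `dod_cac` map name is an assumption.

```python
"""
Added example, not code from STIGhub or any DISA STIG: a minimal resolver for
PostgreSQL-style pg_ident.conf user-name maps, showing what "map the
authenticated identity to the account" means concretely. Under the `cert`
auth method PostgreSQL takes the client certificate's CN as the system user
name and consults the map named by `map=` in pg_hba.conf. The map, the role
catalog and the certificate CNs here are constructed sample data.
"""
import re
from dataclasses import dataclass

# Constructed pg_ident.conf content (map name "dod_cac" is an assumption).
# The first regex line maps on the 10-digit EDIPI at the end of a DoD CAC
# CN, which is unique per person; a name alone is not.
PG_IDENT = r"""
# MAPNAME   SYSTEM-USERNAME                  PG-USERNAME
dod_cac     /^[A-Z.]+\.([0-9]{10})$          edipi_\1
dod_cac     JANE.ROE.2345678901              dba_jane
dod_cac     /ROE                             dba_jane    # weak: unanchored
"""

# Constructed role catalog standing in for pg_roles; a mapped role that does
# not exist is rejected, as the server would reject it.
KNOWN_ROLES = {"edipi_1234567890", "edipi_2345678901", "dba_jane"}


@dataclass(frozen=True)
class MapEntry:
    map_name: str
    system_user: str  # literal CN, or "/regex"
    pg_user: str      # role name; may contain \1 for the regex's first group


def parse_pg_ident(text: str) -> list[MapEntry]:
    """Parse pg_ident.conf lines; '#' comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"malformed pg_ident line: {raw!r}")
        entries.append(MapEntry(*fields))
    return entries


def mapped_roles(entries, map_name: str, cert_cn: str) -> set[str]:
    """Every role the named map yields for this certificate CN."""
    roles = set()
    for e in entries:
        if e.map_name != map_name:
            continue
        if e.system_user.startswith("/"):
            # The pattern is matched as a search over the CN, so an entry
            # that is not anchored with ^...$ matches any CN containing it.
            m = re.search(e.system_user[1:], cert_cn)
            if m is None:
                continue
            role = e.pg_user
            if r"\1" in role:
                if m.lastindex is None:
                    raise ValueError(f"{e.system_user} has no capture group for \\1")
                role = role.replace(r"\1", m.group(1))
            roles.add(role)
        elif e.system_user == cert_cn:
            roles.add(e.pg_user)
    return roles


def authorize(entries, map_name: str, cert_cn: str, requested_role: str) -> bool:
    """Fail closed: allow only a role the map yields for this CN and that exists."""
    return requested_role in (mapped_roles(entries, map_name, cert_cn) & KNOWN_ROLES)


def unanchored_regex_entries(entries) -> list[MapEntry]:
    """Lint: regex entries lacking ^...$ anchors, which over-match CNs."""
    return [e for e in entries
            if e.system_user.startswith("/")
            and not (e.system_user[1:].startswith("^") and e.system_user.endswith("$"))]


def without_unanchored(entries) -> list[MapEntry]:
    """The corrected map: the same entries minus the unanchored ones."""
    bad = set(unanchored_regex_entries(entries))
    return [e for e in entries if e not in bad]


if __name__ == "__main__":
    ents = parse_pg_ident(PG_IDENT)
    checks = [("JOHN.DOE.1234567890", "edipi_1234567890"),   # mapped by EDIPI
              ("JANE.ROE.2345678901", "dba_jane"),           # literal entry
              ("NOT.A.CAC", "edipi_1234567890"),             # no mapping: DENY
              ("MALLORY.ROE.9999999999", "dba_jane")]        # leaks via /ROE
    for label, table in (("as written", ents), ("hardened", without_unanchored(ents))):
        print(f"--- map {label} ---")
        for cn, role in checks:
            verdict = "ALLOW" if authorize(table, "dod_cac", cn, role) else "DENY"
            print(f"{cn:24} -> {role:18} {verdict}")
    for e in unanchored_regex_entries(ents):
        print("weak map entry:", e)
```

Running the block prints the verdicts twice: with the map as written, the unanchored `/ROE` line lets a different person's certificate (`MALLORY.ROE.9999999999`) connect as `dba_jane`; with the same map minus that line, only Jane's certificate does, and an unmapped CN is denied in both cases. That is the check a reviewer should run against a real pg_ident.conf: every regex entry anchored, every mapped role present, and no CN resolving to a role it should not hold.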

Parent Control

IA-5 (2): Authenticator Management (family: Identification and Authentication)

Linked STIG Checks (112)

  • V-204678 (CAT II): AAA Services must be configured to map the authenticated identity to the user account for PKI-based authentication. [AAA Services Security Requirements Guide]
  • V-274060 (CAT II): Amazon Linux 2023 must map the authenticated identity to the user or group account for PKI-based authentication. [Amazon Linux 2023 Security Technical Implementation Guide]
  • V-268177 (CAT II): NixOS must implement multifactor authentication for remote access to privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access. [Anduril NixOS Security Technical Implementation Guide]
  • V-252527 (CAT I): The macOS system must use multifactor authentication for local access to privileged and non-privileged accounts. [Apple macOS 12 (Monterey) Security Technical Implementation Guide]
  • V-257233 (CAT I): The macOS system must use multifactor authentication for local access to privileged and nonprivileged accounts. [Apple macOS 13 (Ventura) Security Technical Implementation Guide]
  • V-259546 (CAT II): The macOS system must allow smart card authentication. [Apple macOS 14 (Sonoma) Security Technical Implementation Guide]
  • V-268543 (CAT II): The macOS system must allow smart card authentication. [Apple macOS 15 (Sequoia) Security Technical Implementation Guide]
  • V-277151 (CAT II): The macOS system must allow smart card authentication. [Apple macOS 26 (Tahoe) Security Technical Implementation Guide]
  • V-204951 (CAT II): The ALG providing PKI-based user authentication intermediary services must map authenticated identities to the user account. [Application Layer Gateway Security Requirements Guide]
  • V-222552 (CAT II): The application must map the authenticated identity to the individual user or group account for PKI-based authentication. [Application Security and Development Security Technical Implementation Guide]
  • V-204756 (CAT II): The application server must map the authenticated identity to the individual user or group account for PKI-based authentication. [Application Server Security Requirements Guide]
  • V-237322 (CAT I): The ArcGIS Server must use Windows authentication to enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. [ArcGIS for Server 10.3 Security Technical Implementation Guide]
  • V-272627 (CAT III): CylanceON-PREM must be configured to use a third-party identity provider. [Arctic Wolf CylanceON-PREM Security Technical Implementation Guide]
  • V-256844 (CAT I): Compliance Guardian must use multifactor authentication for network access to privileged accounts. [AvePoint Compliance Guardian Security Technical Implementation Guide]
  • V-276012 (CAT I): Ax-OS must have no local accounts for the user interface. [Axonius Federal Systems Ax-OS Security Technical Implementation Guide]
  • V-237367 (CAT II): The CA API Gateway providing PKI-based user authentication intermediary services must map authenticated identities to the user account. [CA API Gateway ALG Security Technical Implementation Guide]
  • V-219316 (CAT I): The Ubuntu operating system must map the authenticated identity to the user or group account for PKI-based authentication. [Canonical Ubuntu 18.04 LTS Security Technical Implementation Guide]
  • V-238201 (CAT I): The Ubuntu operating system must map the authenticated identity to the user or group account for PKI-based authentication. [Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide]
  • V-274857 (CAT I): Ubuntu 20.04 LTS must map the authenticated identity to the user or group account for PKI-based authentication. [Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide]
  • V-260579 (CAT I): Ubuntu 22.04 LTS must map the authenticated identity to the user or group account for PKI-based authentication. [Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide]
  • V-274865 (CAT II): Ubuntu 22.04 LTS must map the authenticated identity to the user or group account for PKI-based authentication. [Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide]
  • V-270736 (CAT I): Ubuntu 24.04 LTS must map the authenticated identity to the user or group account for PKI-based authentication. [Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide]
  • V-206480 (CAT III): The Central Log Server must map the authenticated identity to the individual user or group account for PKI-based authentication. [Central Log Server Security Requirements Guide]
  • V-271927 (CAT I): The Cisco ACI must be configured to assign appropriate user roles or access levels to authenticated users. [Cisco ACI NDM Security Technical Implementation Guide]
  • V-239965 (CAT II): The Cisco ASA remote access VPN server must be configured to use a separate authentication server than that used for administrative access. [Cisco ASA VPN Security Technical Implementation Guide]
  • V-239969 (CAT II): The Cisco ASA remote access VPN server must be configured to map the distinguished name (DN) from the client’s certificate to entries in the authentication server to determine authorization to access the network. [Cisco ASA VPN Security Technical Implementation Guide]
  • V-269411 (CAT II): AlmaLinux OS 9 must map the authenticated identity to the user or group account for PKI-based authentication. [Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide]
  • V-233101 (CAT II): The container platform must map the authenticated identity to the individual user or group account for PKI-based authentication. [Container Platform Security Requirements Guide]
  • V-233615 (CAT II): PostgreSQL must map the PKI-authenticated identity to an associated user account. [Crunchy Data PostgreSQL Security Technical Implementation Guide]
  • V-261895 (CAT II): PostgreSQL must map the PKI-authenticated identity to an associated user account. [Crunchy Data Postgres 16 Security Technical Implementation Guide]
  • V-206560 (CAT II): The DBMS must map the PKI-authenticated identity to an associated user account. [Database Security Requirements Guide]
  • V-269787 (CAT I): The Dell OS10 Switch, for PKI-based authentication, must be configured to map validated certificates to unique user accounts. [Dell OS10 Switch NDM Security Technical Implementation Guide]
  • V-271034 (CAT II): Dragos Platform must accept the DOD CAC or other PKI credential for identity management and personal authentication. [Dragos Platform 2.x Security Technical Implementation Guide]
  • V-259251 (CAT II): The DBMS must map the PKI-authenticated identity to an associated user account. [EnterpriseDB Postgres Advanced Server (EPAS) Security Technical Implementation Guide]
  • V-215722 (CAT II): The BIG-IP APM module must map the authenticated identity to the user account for PKI-based authentication to virtual servers. [F5 BIG-IP Access Policy Manager Security Technical Implementation Guide]
  • V-215763 (CAT II): The BIG-IP Core implementation providing PKI-based, user authentication intermediary services must be configured to map the authenticated identity to the user account for PKI-based authentication to virtual servers. [F5 BIG-IP Local Traffic Manager Security Technical Implementation Guide]
  • V-266152 (CAT I): The F5 BIG-IP appliance providing user authentication intermediary services must uniquely identify and authenticate users using redundant authentication servers and multifactor authentication (MFA). [F5 BIG-IP TMOS ALG Security Technical Implementation Guide]
  • V-266085 (CAT I): The F5 BIG-IP appliance must be configured to use multifactor authentication (MFA) for interactive logins. [F5 BIG-IP TMOS NDM Security Technical Implementation Guide]
  • V-278403 (CAT II): NGINX must only allow using DOD approved certificate authorities for PKI. [F5 NGINX Security Technical Implementation Guide]
  • V-203624 (CAT II): The operating system must map the authenticated identity to the user or group account for PKI-based authentication. [General Purpose Operating System Security Requirements Guide]
  • V-230171 (CAT II): The HP FlexFabric Switch must map the authenticated identity to the user account for PKI-based authentication. [HP FlexFabric Switch NDM Security Technical Implementation Guide]
  • V-255286 (CAT I): The HPE 3PAR OS must map the authenticated identity to the user account for PKI-based authentication. [HPE 3PAR StoreServ 3.3.x Security Technical Implementation Guide]
  • V-283425 (CAT I): The HPE Alletra Storage ArcusOS device must be configured to use at least two authentication servers for the purpose of authenticating users prior to granting administrative access. [HPE Alletra Storage ArcusOS Network Device Management Security Technical Implementation Guide]
  • V-266929 (CAT I): AOS must be configured to use DOD public key infrastructure (PKI) as multifactor authentication (MFA) for interactive logins. [HPE Aruba Networking AOS NDM Security Technical Implementation Guide]
  • V-266994 (CAT II): The Remote Access VPN Gateway must use a separate authentication server (e.g., Lightweight Directory Access Protocol [LDAP], Remote Authentication Dial-In User Service [RADIUS], Terminal Access Controller Access-Control System+ [TACACS+]) to perform user authentication. [HPE Aruba Networking AOS VPN Security Technical Implementation Guide]
  • V-266995 (CAT II): The VPN Gateway must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). [HPE Aruba Networking AOS VPN Security Technical Implementation Guide]
  • V-268235 (CAT I): The HYCU virtual appliance must be configured to use DOD-approved online certificate status protocol (OCSP) responders or certificate revocation lists (CRLs) to validate certificates used for PKI-based authentication. [HYCU Protege Security Technical Implementation Guide]
  • V-65227 (CAT II): The DataPower Gateway providing PKI-based user authentication intermediary services must map authenticated identities to the user account. [IBM DataPower ALG Security Technical Implementation Guide]
  • V-65103 (CAT II): The DataPower Gateway must map the authenticated identity to the user account for PKI-based authentication. [IBM DataPower Network Device Management Security Technical Implementation Guide]
  • V-255799 (CAT II): The MQ Appliance messaging server must map the authenticated identity to the individual messaging user or group account for PKI-based authentication. [IBM MQ Appliance V9.0 AS Security Technical Implementation Guide]
  • V-255747 (CAT II): WebGUI access to the MQ Appliance network device must map the authenticated identity to the user account for PKI-based authentication. [IBM MQ Appliance v9.0 NDM Security Technical Implementation Guide]
  • V-250335 (CAT I): Multifactor authentication for network access to privileged accounts must be used. [IBM WebSphere Liberty Server Security Technical Implementation Guide]
  • V-250338 (CAT II): The WebSphere Liberty Server must use DoD-issued/signed certificates. [IBM WebSphere Liberty Server Security Technical Implementation Guide]
  • V-255865 (CAT II): The WebSphere Application Server multifactor authentication for network access to privileged accounts must be used. [IBM WebSphere Traditional V9.x Security Technical Implementation Guide]
  • V-255868 (CAT II): The WebSphere Application Server must authenticate all network-connected endpoint devices before establishing any connection. [IBM WebSphere Traditional V9.x Security Technical Implementation Guide]
  • V-255874 (CAT II): The WebSphere Application Server must use signer for DoD-issued certificates. [IBM WebSphere Traditional V9.x Security Technical Implementation Guide]
  • V-223568 (CAT II): IBM z/OS must use ICSF or SAF Key Rings for key management. [IBM z/OS ACF2 Security Technical Implementation Guide]
  • V-223811 (CAT II): IBM z/OS, for PKI-based authentication, must use the ICSF or ESM for key management. [IBM z/OS RACF Security Technical Implementation Guide]
  • V-258600 (CAT I): The ICS must be configured to prevent nonprivileged users from executing privileged functions. [Ivanti Connect Secure NDM Security Technical Implementation Guide]
  • V-251028 (CAT II): The Sentry providing PKI-based mobile device authentication intermediary services must map authenticated identities to the mobile device account. [Ivanti MobileIron Sentry 9.x ALG Security Technical Implementation Guide]
  • V-251028 (CAT II): The Sentry providing PKI-based mobile device authentication intermediary services must map authenticated identities to the mobile device account. [Ivanti Sentry 9.x ALG Security Technical Implementation Guide]
  • V-250994 (CAT I): Sentry, for PKI-based authentication, must be configured to map validated certificates to unique user accounts. [Ivanti Sentry 9.x NDM Security Technical Implementation Guide]
  • V-205507 (CAT II): The Mainframe Product must map the authenticated identity to the individual user or group account for PKI-based authentication. [Mainframe Product Security Requirements Guide]
  • V-253701 (CAT II): MariaDB must map PKI ID to an associated user account. [MariaDB Enterprise 10.x Security Technical Implementation Guide]
  • V-255336 (CAT II): Azure SQL Database must map the PKI-authenticated identity to an associated user account. [Microsoft Azure SQL Database Security Technical Implementation Guide]
  • V-276248 (CAT II): Azure SQL Managed Instance must map the PKI-authenticated identity to an associated user account. [Microsoft Azure SQL Managed Instance Security Technical Implementation Guide]
  • V-260909 (CAT II): MKE must be configured to integrate with an Enterprise Identity Provider. [Mirantis Kubernetes Engine Security Technical Implementation Guide]
  • V-221173 (CAT II): MongoDB must map the PKI-authenticated identity to an associated user account. [MongoDB Enterprise Advanced 3.x Security Technical Implementation Guide]
  • V-252161 (CAT II): MongoDB must map the PKI-authenticated identity to an associated user account. [MongoDB Enterprise Advanced 4.x Security Technical Implementation Guide]
  • V-265920 (CAT II): MongoDB must map the PKI-authenticated identity to an associated user account. [MongoDB Enterprise Advanced 7.x Security Technical Implementation Guide]
  • V-279352 (CAT II): MongoDB must map the PKI-authenticated identity to an associated user account. [MongoDB Enterprise Advanced 8.x Security Technical Implementation Guide]
  • V-251547 (CAT II): Firefox must be configured to ask which certificate to present to a website when a certificate is required. [Mozilla Firefox Security Technical Implementation Guide]
  • V-246940 (CAT I): ONTAP must be configured to use an authentication server to provide multifactor authentication. [NetApp ONTAP DSC 9.x Security Technical Implementation Guide]
  • V-237781 (CAT I): The network device, for PKI-based authentication, must be configured to map validated certificates to unique user accounts. [Network Device Management Security Requirements Guide]
  • V-254111 (CAT II): Nutanix AOS must accept Personal Identity Verification (PIV) credentials to access the management interface. [Nutanix AOS 5.20.x Application Security Technical Implementation Guide]
  • V-279434 (CAT I): Nutanix AOS must use multifactor authentication for access to privileged and nonprivileged accounts by enabling common access card (CAC) authentication. [Nutanix Acropolis Application Server Security Technical Implementation Guide]
  • V-219776 (CAT II): The DBMS must ensure that PKI-based authentication maps the authenticated identity to the user account. [Oracle Database 11.2g Security Technical Implementation Guide]
  • V-219777 (CAT II): Processes (services, applications, etc.) that connect to the DBMS independently of individual users, must use valid, current DoD-issued PKI certificates for authentication to the DBMS. [Oracle Database 11.2g Security Technical Implementation Guide]
  • V-270567 (CAT II): Oracle Database must map the authenticated identity to the user account using public key infrastructure (PKI)-based authentication. [Oracle Database 19c Security Technical Implementation Guide]
  • V-248685 (CAT II): OL 8 must map the authenticated identity to the user or group account for PKI-based authentication. [Oracle Linux 8 Security Technical Implementation Guide]
  • V-271606 (CAT II): OL 9 must map the authenticated identity to the user or group account for PKI-based authentication. [Oracle Linux 9 Security Technical Implementation Guide]
  • V-235136 (CAT II): The MySQL Database Server 8.0 must map the PKI-authenticated identity to an associated user account. [Oracle MySQL 8.0 Security Technical Implementation Guide]
  • V-235974 (CAT II): Oracle WebLogic must map the PKI-based authentication identity to the user account. [Oracle WebLogic Server 12c Security Technical Implementation Guide]
  • V-253539 (CAT II): Prisma Cloud Compute must be configured to require local user accounts to use x.509 multifactor authentication. [Palo Alto Networks Prisma Cloud Compute Security Technical Implementation Guide]
  • V-214149 (CAT II): PostgreSQL must map the PKI-authenticated identity to an associated user account. [PostgreSQL 9.x Security Technical Implementation Guide]
  • V-252843 (CAT I): Rancher MCM must use a centralized user management solution to support account management functions. For accounts using password authentication, the container platform must use FIPS-validated SHA-2 or later protocol to protect the integrity of the password authentication process. [Rancher Government Solutions Multi-Cluster Manager Security Technical Implementation Guide]
  • V-256905 (CAT II): Automation Controller must be configured to use an enterprise user management system. [Red Hat Ansible Automation Controller Application Server Security Technical Implementation Guide]
  • V-281330 (CAT II): RHEL 10 must map the authenticated identity to the user or group account for public key infrastructure (PKI)-based authentication. [Red Hat Enterprise Linux 10 Security Technical Implementation Guide]
  • V-230355 (CAT II): RHEL 8 must map the authenticated identity to the user or group account for PKI-based authentication. [Red Hat Enterprise Linux 8 Security Technical Implementation Guide]
  • V-258132 (CAT II): RHEL 9 must map the authenticated identity to the user or group account for PKI-based authentication. [Red Hat Enterprise Linux 9 Security Technical Implementation Guide]
  • V-257543 (CAT I): OpenShift must use FIPS validated LDAP or OpenIDConnect. [Red Hat OpenShift Container Platform 4.x Security Technical Implementation Guide]
  • V-251227 (CAT II): Redis Enterprise DBMS must map the PKI-authenticated identity to an associated user account. [Redis Enterprise 6.x Security Technical Implementation Guide]
  • V-275452 (CAT I): The Riverbed NetIM must enable and configure user audit logging. [Riverbed NetIM NDM Security Technical Implementation Guide]
  • V-256079 (CAT I): The Riverbed NetProfiler must be configured to authenticate each administrator prior to authorizing privileges based on roles. [Riverbed NetProfiler Security Technical Implementation Guide]
  • V-254094 (CAT I): Innoslate must map the authenticated identity to the individual user or group account for PKI-based authentication. [SPEC Innovations Innoslate 4.x Security Technical Implementation Guide]
  • V-261397 (CAT II): SLEM 5 must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM). [SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation Guide]
  • V-217301 (CAT II): The SUSE operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM). [SUSE Linux Enterprise Server 12 Security Technical Implementation Guide]
  • V-279166 (CAT II): The ALG providing user authentication intermediary services must uniquely identify and authenticate nonorganizational users (or processes acting on behalf of nonorganizational users). [Symantec Edge SWG ALG Security Technical Implementation Guide]
  • V-279251 (CAT I): The Edge SWG must be configured to use at least two authentication servers for the purpose of authenticating users prior to granting administrative access. [Symantec Edge SWG NDM Security Technical Implementation Guide]
  • V-94295 (CAT II): Symantec ProxySG, when configured for reverse proxy/WAF services and providing PKI-based user authentication intermediary services, must map the client certificate to the authentication server store. [Symantec ProxySG ALG Security Technical Implementation Guide]
  • V-241005 (CAT II): Common Access Card (CAC)-based authentication must be enabled and enforced on the Tanium Server for all access and all accounts. [Tanium 7.0 Security Technical Implementation Guide]
  • V-234066 (CAT II): Common Access Card (CAC)-based authentication must be enabled and enforced on the Tanium Server for all access and all accounts. [Tanium 7.3 Security Technical Implementation Guide]
  • V-254915 (CAT II): The Tanium application must be configured for LDAP user/group synchronization to map the authenticated identity to the individual user or group account for PKI-based authentication. [Tanium 7.x Application on TanOS Security Technical Implementation Guide]
  • V-253782 (CAT II): The Tanium application must be configured for LDAP user/group synchronization to map the authenticated identity to the individual user or group account for PKI-based authentication. [Tanium 7.x Security Technical Implementation Guide]
  • V-252950 (CAT II): TOSS must map the authenticated identity to the user or group account for PKI-based authentication. [Tri-Lab Operating System Stack (TOSS) 4 Security Technical Implementation Guide]
  • V-282444 (CAT II): TOSS 5 must map the authenticated identity to the user or group account for PKI-based authentication. [Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide]
  • V-234381 (CAT II): The UEM server must map the authenticated identity to the individual user or group account for PKI-based authentication. [Unified Endpoint Management Server Security Requirements Guide]
  • V-251789 (CAT I): The NSX-T Manager must integrate with either VMware Identity Manager (vIDM) or VMware Workspace ONE Access. [VMware NSX-T Manager NDM Security Technical Implementation Guide]
  • V-207371 (CAT II): The VMM must map the authenticated identity to the user or group account for PKI-based authentication. [Virtual Machine Manager Security Requirements Guide]
  • V-207216 (CAT II): The Remote Access VPN Gateway must use a separate authentication server (e.g., LDAP, RADIUS, TACACS+) to perform user authentication. [Virtual Private Network (VPN) Security Requirements Guide]
  • V-207217 (CAT II): The VPN Gateway must map the authenticated identity to the user account for PKI-based authentication. [Virtual Private Network (VPN) Security Requirements Guide]
  • V-269574 (CAT I): Xylok Security Suite must use a centralized user management solution. [Xylok Security Suite 20.x Security Technical Implementation Guide]