STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.


CCI-001991

Definition

The information system, for PKI-based authentication, implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network.

Parent Control

IA-5 (2) | Authenticator Management | Identification and Authentication

Linked STIG Checks (31)

Check ID | Severity | Requirement | STIG

  • V-279078 | CAT II | For PKI-based authentication, ColdFusion must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network. | Adobe ColdFusion Security Technical Implementation Guide
  • V-252477 | CAT II | The macOS system must accept and verify Personal Identity Verification (PIV) credentials, implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network, and only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions. | Apple macOS 12 (Monterey) Security Technical Implementation Guide
  • V-257183 | CAT II | The macOS system must accept and verify Personal Identity Verification (PIV) credentials, implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network, and only allow the use of DOD PKI-established certificate authorities for verification of the establishment of protected sessions. | Apple macOS 13 (Ventura) Security Technical Implementation Guide
  • V-222553 | CAT II | The application, for PKI-based authentication, must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network. | Application Security and Development Security Technical Implementation Guide
  • V-272627 | CAT III | CylanceON-PREM must be configured to use a third-party identity provider. | Arctic Wolf CylanceON-PREM Security Technical Implementation Guide
  • V-256842 | CAT II | Compliance Guardian must provide automated mechanisms for supporting account management functions. | AvePoint Compliance Guardian Security Technical Implementation Guide
  • V-237396 | CAT II | The CA API Gateway providing user authentication intermediary services using PKI-based user authentication must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network. | CA API Gateway ALG Security Technical Implementation Guide
  • V-219315 | CAT II | The Ubuntu operating system, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | Canonical Ubuntu 18.04 LTS Security Technical Implementation Guide
  • V-238233 | CAT II | The Ubuntu operating system for PKI-based authentication, must implement a local cache of revocation data in case of the inability to access revocation information via the network. | Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide
  • V-260578 | CAT II | Ubuntu 22.04 LTS for PKI-based authentication, must implement a local cache of revocation data in case of the inability to access revocation information via the network. | Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide
  • V-235780 | CAT II | LDAP integration in Docker Enterprise must be configured. | Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide
  • V-271034 | CAT II | Dragos Platform must accept the DOD CAC or other PKI credential for identity management and personal authentication. | Dragos Platform 2.x Security Technical Implementation Guide
  • V-260050 | CAT II | The F5 BIG-IP appliance must be configured to deny access when revocation data is unavailable using OCSP. | F5 BIG-IP Access Policy Manager Security Technical Implementation Guide
  • V-215784 | CAT II | The BIG-IP Core implementation must be configured to deny-by-default all PKI-based authentication to virtual servers supporting path discovery and validation if unable to access revocation information via the network. | F5 BIG-IP Local Traffic Manager Security Technical Implementation Guide
  • V-266154 | CAT II | The F5 BIG-IP appliance providing user authentication intermediary services using PKI-based user authentication must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network. | F5 BIG-IP TMOS ALG Security Technical Implementation Guide
  • V-215293 | CAT II | AIX must setup SSH daemon to disable revoked public keys. | IBM AIX 7.x Security Technical Implementation Guide
  • V-65265 | CAT II | The DataPower Gateway providing user authentication intermediary services using PKI-based user authentication must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network. | IBM DataPower ALG Security Technical Implementation Guide
  • V-215608 | CAT II | The Windows 2012 DNS Server must implement a local cache of revocation data for PKI authentication in the event revocation information via the network is not accessible. | Microsoft Windows 2012 Server Domain Name System Security Technical Implementation Guide
  • V-259371 | CAT II | The Windows DNS Server must implement a local cache of revocation data for PKI authentication. | Microsoft Windows Server Domain Name System (DNS) Security Technical Implementation Guide
  • V-254111 | CAT II | Nutanix AOS must accept Personal Identity Verification (PIV) credentials to access the management interface. | Nutanix AOS 5.20.x Application Security Technical Implementation Guide
  • V-248531 | CAT II | OL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | Oracle Linux 8 Security Technical Implementation Guide
  • V-253539 | CAT II | Prisma Cloud Compute must be configured to require local user accounts to use x.509 multifactor authentication. | Palo Alto Networks Prisma Cloud Compute Security Technical Implementation Guide
  • V-258131 | CAT II | RHEL 9, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | Red Hat Enterprise Linux 9 Security Technical Implementation Guide
  • V-257543 | CAT I | OpenShift must use FIPS validated LDAP or OpenIDConnect. | Red Hat OpenShift Container Platform 4.x Security Technical Implementation Guide
  • V-254093 | CAT I | Innoslate must use multifactor authentication for network access to privileged and non-privileged accounts. | SPEC Innovations Innoslate 4.x Security Technical Implementation Guide
  • V-261401 | CAT II | SLEM 5, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation Guide
  • V-217302 | CAT II | The SUSE operating system, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | SUSE Linux Enterprise Server 12 Security Technical Implementation Guide
  • V-94297 | CAT II | Symantec ProxySG providing user authentication intermediary services using PKI-based user authentication must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network. | Symantec ProxySG ALG Security Technical Implementation Guide
  • V-252912 | CAT II | TOSS, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | Tri-Lab Operating System Stack (TOSS) 4 Security Technical Implementation Guide
  • V-256333 | CAT II | The vCenter Server must enable revocation checking for certificate-based authentication. | VMware vSphere 7.0 vCenter Security Technical Implementation Guide
  • V-258919 | CAT II | The vCenter Server must enable revocation checking for certificate-based authentication. | VMware vSphere 8.0 vCenter Security Technical Implementation Guide