STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.


CCI-004068

Definition

For public key-based authentication, implement a local cache of revocation data to support path discovery and validation.

Parent Control

IA-5 (2): Authenticator Management (family: Identification and Authentication)

Linked STIG Checks (60)

Each entry lists the vulnerability ID, severity category, check title, and the STIG or SRG it comes from.

  • V-263538 | CAT II | For public key-based authentication, AAA Services must be configured to implement a local cache of revocation data to support path discovery and validation. | AAA Services Security Requirements Guide
  • V-274063 | CAT II | Amazon Linux 2023, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | Amazon Linux 2023 Security Technical Implementation Guide
  • V-268179 | CAT II | For PKI-based authentication, NixOS must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network. | Anduril NixOS Security Technical Implementation Guide
  • V-268471 | CAT II | The macOS system must set smart card certificate trust to moderate. | Apple macOS 15 (Sequoia) Security Technical Implementation Guide
  • V-277078 | CAT II | The macOS system must set smart card certificate trust to moderate. | Apple macOS 26 (Tahoe) Security Technical Implementation Guide
  • V-205001 | CAT II | The ALG providing user authentication intermediary services using PKI-based user authentication must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network. | Application Layer Gateway Security Requirements Guide
  • V-222553 | CAT II | The application, for PKI-based authentication, must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network. | Application Security and Development Security Technical Implementation Guide
  • V-204805 | CAT II | The application server, for PKI-based authentication, must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network. | Application Server Security Requirements Guide
  • V-272627 | CAT III | CylanceON-PREM must be configured to use a third-party identity provider. | Arctic Wolf CylanceON-PREM Security Technical Implementation Guide
  • V-276012 | CAT I | Ax-OS must have no local accounts for the user interface. | Axonius Federal Systems Ax-OS Security Technical Implementation Guide
  • V-238233 | CAT II | The Ubuntu operating system for PKI-based authentication, must implement a local cache of revocation data in case of the inability to access revocation information via the network. | Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide
  • V-260578 | CAT II | Ubuntu 22.04 LTS for PKI-based authentication, must implement a local cache of revocation data in case of the inability to access revocation information via the network. | Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide
  • V-270738 | CAT II | Ubuntu 24.04 LTS for PKI-based authentication, must implement a local cache of revocation data in case of the inability to access revocation information via the network. | Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide
  • V-263581 | CAT II | The Central Log Server must for public key-based authentication, implement a local cache of revocation data to support path discovery and validation. | Central Log Server Security Requirements Guide
  • V-268314 | CAT I | The Cisco ASA must be configured to not accept certificates that have been revoked when using PKI for authentication. | Cisco ASA VPN Security Technical Implementation Guide
  • V-242633 | CAT II | The Cisco ISE must be configured to use an external authentication server to authenticate administrators prior to granting administrative access. | Cisco ISE NDM Security Technical Implementation Guide
  • V-269412 | CAT II | AlmaLinux OS 9, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
  • V-233201 | CAT II | The container platform, for PKI-based authentication, must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network. | Container Platform Security Requirements Guide
  • V-263617 | CAT II | The DBMS must, for public key-based authentication, implement a local cache of revocation data to support path discovery and validation. | Database Security Requirements Guide
  • V-205205 | CAT II | The DNS server implementation, for PKI-based authentication, must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network. | Domain Name System (DNS) Security Requirements Guide
  • V-263641 | CAT II | The DNS server implementation must, for public key-based authentication, implement a local cache of revocation data to support path discovery and validation. | Domain Name System (DNS) Security Requirements Guide
  • V-278391 | CAT II | NGINX must be configured to use a Certificate Revocation List (CRL) for certificate path validation and revocation. (Online Certificate Status Protocol [OCSP] is the preferred configuration.) | F5 NGINX Security Technical Implementation Guide
  • V-278406 | CAT II | NGINX must be configured to use Online Certificate Status Protocol (OCSP) for certificate path validation and revocation. (OCSP is the preferred configuration.) | F5 NGINX Security Technical Implementation Guide
  • V-230952 | CAT II | Forescout must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access. | Forescout Network Device Management Security Technical Implementation Guide
  • V-203734 | CAT II | The operating system, for PKI-based authentication, must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network. | General Purpose Operating System Security Requirements Guide
  • V-268313 | CAT I | AOS, when used as a VPN Gateway, must not accept certificates that have been revoked when using PKI for authentication. | HPE Aruba Networking AOS VPN Security Technical Implementation Guide
  • V-252198 | CAT II | The HPE Nimble must obtain its public key certificates from an appropriate certificate policy through an approved service provider. | HPE Nimble Storage Array NDM Security Technical Implementation Guide
  • V-215293 | CAT II | AIX must setup SSH daemon to disable revoked public keys. | IBM AIX 7.x Security Technical Implementation Guide
  • V-258620 | CAT I | The ICS must be configured to use DOD approved OCSP responders or CRLs to validate certificates used for PKI-based authentication. | Ivanti Connect Secure NDM Security Technical Implementation Guide
  • V-253941 | CAT I | The Juniper EX switch must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access. | Juniper EX Series Switches Network Device Management Security Technical Implementation Guide
  • V-223206 | CAT II | The Juniper SRX Services Gateway must be configured to use an authentication server to centrally manage authentication and logon settings for remote and nonlocal access. | Juniper SRX Services Gateway NDM Security Technical Implementation Guide
  • V-223207 | CAT II | The Juniper SRX Services Gateway must use DOD-approved PKI rather than proprietary or self-signed device certificates. | Juniper SRX Services Gateway NDM Security Technical Implementation Guide
  • V-263682 | CAT II | The Mainframe Product must for public key-based authentication, implement a local cache of revocation data to support path discovery and validation. | Mainframe Product Security Requirements Guide
  • V-259371 | CAT II | The Windows DNS Server must implement a local cache of revocation data for PKI authentication. | Microsoft Windows Server Domain Name System (DNS) Security Technical Implementation Guide
  • V-260938 | CAT II | Docker CLI commands must be run with an MKE client trust bundle and without unnecessary permissions. | Mirantis Kubernetes Engine Security Technical Implementation Guide
  • V-279409 | CAT II | MongoDB must, for public key-based authentication, implement a local cache of revocation data to support path discovery and validation. | MongoDB Enterprise Advanced 8.x Security Technical Implementation Guide
  • V-264303 | CAT II | The network device must be configured to implement certificate revocation checking to support path discovery and validation for public key-based authentication. | Network Device Management Security Requirements Guide
  • V-279434 | CAT I | Nutanix AOS must use multifactor authentication for access to privileged and nonprivileged accounts by enabling common access card (CAC) authentication. | Nutanix Acropolis Application Server Security Technical Implementation Guide
  • V-248531 | CAT II | OL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | Oracle Linux 8 Security Technical Implementation Guide
  • V-271604 | CAT II | OL 9, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | Oracle Linux 9 Security Technical Implementation Guide
  • V-228667 | CAT II | The Palo Alto Networks security platform must accept and verify Personal Identity Verification (PIV) credentials. | Palo Alto Networks NDM Security Technical Implementation Guide
  • V-253539 | CAT II | Prisma Cloud Compute must be configured to require local user accounts to use x.509 multifactor authentication. | Palo Alto Networks Prisma Cloud Compute Security Technical Implementation Guide
  • V-281329 | CAT II | RHEL 10 must, for PKI-based authentication, validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | Red Hat Enterprise Linux 10 Security Technical Implementation Guide
  • V-258131 | CAT II | RHEL 9, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | Red Hat Enterprise Linux 9 Security Technical Implementation Guide
  • V-257543 | CAT I | OpenShift must use FIPS validated LDAP or OpenIDConnect. | Red Hat OpenShift Container Platform 4.x Security Technical Implementation Guide
  • V-256094 | CAT II | The Riverbed NetProfiler must be configured to obtain its public key certificates from an appropriate certificate policy through an approved service provider. | Riverbed NetProfiler Security Technical Implementation Guide
  • V-217302 | CAT II | The SUSE operating system, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | SUSE Linux Enterprise Server 12 Security Technical Implementation Guide
  • V-279217 | CAT II | The Edge SWG using PKI-based user authentication must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network. | Symantec Edge SWG ALG Security Technical Implementation Guide
  • V-279277 | CAT II | The Edge SWG must be configured to implement a local cache of revocation data to support path discovery and validation for public key-based authentication. | Symantec Edge SWG NDM Security Technical Implementation Guide
  • V-242254 | CAT I | The TippingPoint SMS must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access and to enforce access restrictions. | Trend Micro TippingPoint NDM Security Technical Implementation Guide
  • V-252912 | CAT II | TOSS, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | Tri-Lab Operating System Stack (TOSS) 4 Security Technical Implementation Guide
  • V-282442 | CAT II | TOSS 5, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide
  • V-234544 | CAT II | The UEM server, for PKI-based authentication, must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network. | Unified Endpoint Management Server Security Requirements Guide
  • V-258919 | CAT II | The vCenter Server must enable revocation checking for certificate-based authentication. | VMware vSphere 8.0 vCenter Security Technical Implementation Guide
  • V-207487 | CAT II | The VMM, for PKI-based authentication, must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network. | Virtual Machine Manager Security Requirements Guide
  • V-264331 | CAT II | The VPN Gateway must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network. | Virtual Private Network (VPN) Security Requirements Guide
  • V-264332 | CAT II | The VPN Gateway must configure OCSP to ensure revoked user certificates are prohibited from establishing an allowed session. | Virtual Private Network (VPN) Security Requirements Guide
  • V-264333 | CAT II | The VPN Gateway must configure OCSP to ensure revoked machine certificates are prohibited from establishing an allowed session. | Virtual Private Network (VPN) Security Requirements Guide
  • V-264354 | CAT II | The web server must, for public key-based authentication, implement a local cache of revocation data to support path discovery and validation. | Web Server Security Requirements Guide
  • V-269574 | CAT I | Xylok Security Suite must use a centralized user management solution. | Xylok Security Suite 20.x Security Technical Implementation Guide