STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

V-274843

CAT II (Medium)

The API must refresh assertions in accordance with organization-defined identification and authentication policy.

Rule ID

SV-274843r1143888_rule

STIG

Application Programming Interface (API) Security Requirements Guide

Version

V1R1

CCIs

CCI-005160, CCI-000366

Discussion

An API must refresh assertions to maintain secure, uninterrupted access while ensuring that authentication and authorization remain valid over time. Assertions, such as JWTs or SAML tokens, often have expiration times to reduce the risk of misuse if compromised. By implementing a mechanism to refresh these assertions—typically using refresh tokens or re-authentication flows—the API can issue new assertions without requiring the user to log in repeatedly. This not only enhances user experience by supporting seamless sessions but also strengthens security by periodically re-evaluating the user's credentials and access rights. Refreshing assertions ensures that access remains both valid and aligned with any changes in user roles, permissions, or session status.

Check Content

Check if the API refreshes assertions in accordance with the organization-defined identification and authentication policy.

Review the API's handling of assertion expiration and renewal.

Ensure the API follows the organization's defined policies for assertion lifetime, including the duration before assertions need to be refreshed or reissued.

Check if the API requires reauthentication or uses a secure refresh mechanism, such as refresh tokens or secure revalidation processes, to generate new assertions when they expire.

Verify the process for refreshing assertions maintains security standards, including proper encryption, secure token storage, and validation of the refreshed assertions before they are issued.

Review the API's implementation to confirm it adheres to the organization's authentication policy for refreshing, ensuring that refreshed assertions include up-to-date identity information and relevant claims, and that they are properly scoped.

Test the API by requesting new assertions after expiration and examining whether they are refreshed securely and according to policy, ensuring compliance with the organization's standards for identity management and authentication.

If the API does not refresh assertions in accordance with organization-defined identification and authentication policy, this is a finding.
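The refresh mechanism the Discussion describes and the properties the Check Content asks a reviewer to verify (policy-defined assertion lifetime, a secure refresh path instead of indefinite tokens, re-evaluation of identity and roles before a new assertion is issued, and validation of the refreshed assertion) can be exercised in code. The following is an added example, not code from the SRG or from STIGhub. It uses HMAC-signed JSON blobs in place of real JWTs so it runs offline, and the lifetime values, the `SessionStore` class, the `directory` dictionary and the user `alice` are all constructed for illustration; an organization's actual lifetimes come from its own identification and authentication policy.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Hypothetical policy values chosen for the example (not from the SRG).
ASSERTION_LIFETIME = 15 * 60         # access assertion lives 15 minutes
REFRESH_LIFETIME = 8 * 60 * 60       # refresh token lives 8 hours (sliding)
MAX_SESSION_LIFETIME = 12 * 60 * 60  # absolute cap: re-authenticate after 12 hours

_KEY = secrets.token_bytes(32)  # per-process HMAC signing key (constructed)


class RefreshError(Exception):
    """Raised when an assertion or refresh request must be rejected."""


def _sign(claims: dict) -> str:
    # Compact "body.mac" token; sort_keys keeps the encoding deterministic.
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    mac = hmac.new(_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def _verify_signature(token: str) -> dict:
    body, _, mac = token.partition(".")
    expected = hmac.new(_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not mac or not hmac.compare_digest(mac, expected):
        raise RefreshError("bad signature")
    return json.loads(base64.urlsafe_b64decode(body))


class SessionStore:
    """Issues, validates and refreshes assertions against a user directory.

    `directory` maps user id -> {"roles": [...], "enabled": bool} and stands in
    for the identity source the API consults at refresh time (constructed).
    """

    def __init__(self, directory: dict):
        self.directory = directory
        self.live_refresh_ids = set()  # refresh tokens not yet used or revoked

    def login(self, user: str, now: int) -> tuple:
        """Initial authentication; the absolute session clock starts here."""
        return self._issue(user, session_start=now, now=now)

    def _issue(self, user: str, session_start: int, now: int) -> tuple:
        rec = self.directory[user]
        assertion = _sign({"sub": user, "roles": list(rec["roles"]),
                           "iat": now, "exp": now + ASSERTION_LIFETIME})
        rid = secrets.token_hex(8)
        self.live_refresh_ids.add(rid)
        refresh = _sign({"sub": user, "jti": rid, "session_start": session_start,
                         "exp": now + REFRESH_LIFETIME})
        return assertion, refresh

    def verify_assertion(self, token: str, now: int) -> dict:
        """Validate an access assertion presented on an API call."""
        claims = _verify_signature(token)
        if now >= claims["exp"]:
            raise RefreshError("assertion expired")
        return claims

    def revoke(self, refresh_token: str) -> None:
        """Logout or administrative revocation of a refresh token."""
        self.live_refresh_ids.discard(_verify_signature(refresh_token)["jti"])

    def refresh(self, refresh_token: str, now: int) -> tuple:
        """Exchange a live refresh token for a new assertion and refresh token."""
        claims = _verify_signature(refresh_token)
        if now >= claims["exp"]:
            raise RefreshError("refresh token expired; reauthenticate")
        if now - claims["session_start"] >= MAX_SESSION_LIFETIME:
            raise RefreshError("session lifetime exceeded; reauthenticate")
        if claims["jti"] not in self.live_refresh_ids:
            raise RefreshError("refresh token already used or revoked")
        self.live_refresh_ids.discard(claims["jti"])  # rotation: single use
        rec = self.directory.get(claims["sub"])
        if rec is None or not rec["enabled"]:
            raise RefreshError("account disabled")
        # Roles are re-read from the directory rather than copied from the
        # old assertion, so a permission change shows up in the new one.
        return self._issue(claims["sub"], claims["session_start"], now)
```

A reviewer walking the Check Content steps against this code would look for exactly these decisions: the expiry comparison in `verify_assertion`, the refresh-token expiry and absolute session cap in `refresh`, the single-use rotation of refresh tokens, and the fact that roles and account status are fetched fresh at refresh time rather than carried forward from the expired assertion.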

Fix Text

Build or configure the API to refresh assertions in accordance with organization-defined identification and authentication policy.