Rule ID
SV-282768r1201307_rule
Version
V1R1
CCIs
Acceptance of only NIST-compliant external authenticators applies to organizational systems that are accessible to the public (e.g., public-facing websites). External authenticators are issued by nonfederal government entities and are compliant with [SP 800-63B]. Approved external authenticators meet or exceed the minimum federal governmentwide technical, security, privacy, and organizational maturity requirements. Meeting or exceeding federal requirements allows federal government relying parties to trust external authenticators in connection with an authentication transaction at a specified authenticator assurance level.
Sites must document external authenticators being used and that they are NIST compliant. The following command will verify that Kerberos is functional and produce the list of signing hosts:

$ sudo klist -ekt /etc/krb5.keytab

If external authenticators are being used that are not documented and are not NIST compliant, this is a finding.
Document all NIST-compliant external authenticators in use.