Rule ID
SV-251560r1067559_rule
Version
V6R7
CCIs
The DOD root certificates will ensure that the trust chain is established for server certificates issued from the DOD Certificate Authority (CA).
Type "about:preferences#privacy" in the browser window. Scroll down to the bottom and select "View Certificates...". In the Certificate Manager window, select the "Authorities" tab. Scroll through the Certificate Name list to the U.S. Government heading. Look for the entries for DOD Root CA 3, DOD Root CA 4, and DOD Root CA 5. If there are entries for DOD Root CA 3, DOD Root CA 4, and DOD Root CA 5, select them individually. Click "View". Verify the issuer name is "US Government". If there are no entries for the appropriate DOD root certificates, this is a finding. If other AO-approved certificates are used, this is not a finding. If SIPRNet-specific certificates are used, this is not a finding. Note: In a Windows environment, use of policy setting "security.enterprise_roots.enabled=true" will point Firefox to the Windows Trusted Root Certification Authority Store. This is not a finding. It can also be set via the policy Certificates >> ImportEnterpriseRoots, which can be verified via "about:policies".
Install the DOD root certificates. Other AO-approved certificates may also be used. Certificates designed for SIPRNet may be used as appropriate. On Windows, import certificates from the operating system by using Certificates >> Import Enterprise Roots (Certificates) via policy or Group Policy Object (GPO).