← Back to Cloud Computing Mission Owner Network Security Requirements Guide

V-259870

CAT I (High)

The Mission Owner must configure the Infrastructure as a Service (IaaS)/Platform to use certificate path validation to ensure revoked user credentials are prohibited from establishing a user or machine session.

Rule ID

SV-259870r1056198_rule

STIG

Cloud Computing Mission Owner Network Security Requirements Guide

Version

V1R2

CCIs

CCI-000185

Discussion

A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to make an informed decision regarding acceptance of an end entity certificate. Certification path validation includes checks such as certificate issuer trust, time validity, and revocation status for each certificate in the certification path. Revocation status information for CA and subject certificates in a certification path is commonly provided via certificate revocation lists (CRLs) or online certificate status protocol (OCSP) responses.

Check Content

This applies to all Impact Levels.

If this is a Software as a Service (SaaS) implementation, this is not a finding.

Verify that certificate path validation is implemented to ensure revoked user and/or machine credentials are prohibited from establishing a user or machine session.

If the cloud IaaS/PaaS is not configured to use OCSP or CRLDP to ensure revoked credentials are prohibited from establishing an allowed session, this is a finding.

Fix Text

This applies to all Impact Levels.
FedRAMP Moderate, High.

Configure the IaaS/PaaS to use OCSP or CRLDP to ensure revoked credentials are prohibited from establishing an allowed session. This requirement applies to the use of both user and machine credentials.