STIGhub

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

V-259871

CAT I (High)

The Mission Owner must configure the Infrastructure as a Service (IaaS)/Platform as a Service (PaaS) Cloud Service to use a DOD-approved OCSP responder or CRL to validate certificates used for PKI-based authentication.

Rule ID

SV-259871r1056199_rule

STIG

Cloud Computing Mission Owner Network Security Requirements Guide

Version

V1R2

CCIs

CCI-000185

Discussion

To provide assurance that certificates are validated by the correct responders, the Mission Owner must ensure they are using a valid DOD OCSP responder for remote-system DOD Common Access Card (CAC) two-factor authentication of DOD privileged users to systems instantiated within the cloud service environment. When a Mission Owner is responsible for authenticating entities and/or identifying a hosted DOD information system, the Mission Owner must configure CAC/PKI for remote access by privileged users at all Impact Levels. CAC/PKI access is also required for nonprivileged users at Impact Levels 4-6.

Impact Level 6: When on-premises, use NSS PKI. Enforce the use of a physical token, referred to as the CNSS NSS Hardware Token, for the authentication of DOD Mission Owner and CSP privileged and nonprivileged end users. When implementing NSS PKI, use NSS OCSP or CRL resources for checking revocation of NSS certificates and NSS Certificate Authorities, and follow CNSS/NSA instructions for the management and protection of cryptographic keys. CNSS-issued PKI server certificates will be used to identify the CSP's DOD customer ordering/service management portals and the SaaS applications and services contracted by and dedicated to DOD use.

Check Content

This applies to all Impact Levels.

If this is a Software as a Service (SaaS) implementation, this is not a finding.

Verify that a DOD-approved OCSP responder or CRL is used to validate certificates used for PKI-based authentication.

If the cloud IaaS/PaaS is not configured to use a DOD-approved OCSP responder or CRL to validate certificates used for PKI-based authentication, this is a finding.

Fix Text

This applies to all Impact Levels and to FedRAMP Moderate and High.

Configure the IaaS/PaaS to use a DOD-approved OCSP responder or CRL to validate certificates used for PKI-based authentication.

Configure the system to implement the following access policy:
- Configure CAC/PKI for remote access by privileged users at all Impact Levels. CAC/PKI access is also required for nonprivileged users at Impact Levels 4-6.

- Impact Level 6: When on-premises, use NSS PKI. Enforce the use of a physical token, referred to as the CNSS NSS Hardware Token, for the authentication of DOD Mission Owner and CSP privileged and nonprivileged end users. When implementing NSS PKI, use NSS OCSP or CRL resources for checking revocation of NSS certificates and NSS Certificate Authorities, and follow CNSS/NSA instructions for the management and protection of cryptographic keys. CNSS-issued PKI server certificates will be used to identify the CSP's DOD customer ordering/service management portals and the SaaS applications and services contracted by and dedicated to DOD use.
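The Check Content and Fix Text above reduce to two things an assessor can test without a live responder: does every certificate used for PKI-based authentication point only at the approved OCSP responder and CRL distribution point, and does the revocation path fail closed (bad signature, stale CRL, or unapproved endpoint all reject rather than silently pass). The Go program below is an added example written for this page, not code from DISA, STIGhub, or any cloud provider. It builds a throwaway CA, a client-authentication leaf, and a CRL in memory; the URLs `http://ocsp.example.mil` and `http://crl.example.mil/ca-leaf.crl` are constructed placeholders standing in for the real DOD-approved endpoints, and the function names (`CheckApprovedSources`, `CheckCRL`, `BuildTestPKI`) are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Constructed placeholder endpoints, not real DOD OCSP responders or CRL
// distribution points; a deployment's allowlist holds the DOD-approved URLs.
const exampleOCSP, exampleCRL = "http://ocsp.example.mil", "http://crl.example.mil/ca-leaf.crl"
var ApprovedSources = map[string]bool{exampleOCSP: true, exampleCRL: true}

// CheckApprovedSources rejects a cert unless every OCSP responder and CRL distribution
// point it names is on the allowlist; a cert naming no revocation endpoint is rejected too.
func CheckApprovedSources(cert *x509.Certificate, approved map[string]bool) error {
	urls := append(append([]string{}, cert.OCSPServer...), cert.CRLDistributionPoints...)
	if len(urls) == 0 {
		return errors.New("certificate names no OCSP responder or CRL distribution point")
	}
	for _, u := range urls {
		if !approved[u] {
			return fmt.Errorf("revocation source %q is not on the approved list", u)
		}
	}
	return nil
}

// CheckCRL verifies crlDER is signed by issuer and current at now, then reports whether
// cert's serial is listed. Every failure is returned as an error so callers fail closed.
func CheckCRL(cert, issuer *x509.Certificate, crlDER []byte, now time.Time) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, fmt.Errorf("CRL signature check failed: %w", err)
	}
	if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
		return false, errors.New("CRL is not current; revocation status unknown")
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// BuildTestPKI generates in memory a CA, a client-auth leaf naming the placeholder
// endpoints, and a CA-signed CRL that lists the leaf when revokeLeaf is true.
func BuildTestPKI(revokeLeaf bool) (leaf, ca *x509.Certificate, crlDER []byte) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign} // crlSign is required to issue CRLs
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	must(err)
	ca, err = x509.ParseCertificate(caDER)
	must(err)
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: "privileged.user.example"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		OCSPServer: []string{exampleOCSP}, CRLDistributionPoints: []string{exampleCRL}, // AIA and CDP extensions
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	must(err)
	leaf, err = x509.ParseCertificate(leafDER)
	must(err)
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(time.Hour)}
	if revokeLeaf { // reason code 1 = keyCompromise
		crlTmpl.RevokedCertificateEntries = []x509.RevocationListEntry{{SerialNumber: leaf.SerialNumber, RevocationTime: now.Add(-time.Minute), ReasonCode: 1}}
	}
	crlDER, err = x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey)
	must(err)
	return leaf, ca, crlDER
}

func main() {
	leaf, ca, crlDER := BuildTestPKI(true)
	revoked, err := CheckCRL(leaf, ca, crlDER, time.Now())
	fmt.Println("approved:", CheckApprovedSources(leaf, ApprovedSources), "revoked:", revoked, "err:", err)
}
```

The negative cases are the ones that matter in an assessment: a URL outside the allowlist, a CRL outside its ThisUpdate/NextUpdate window, or a CRL not signed by the claimed issuer each produce an error rather than a quiet "not revoked", which is the behaviour to confirm in whatever the IaaS/PaaS actually uses for validation. The online OCSP exchange against the responder named in the AIA extension is not shown because the Go standard library ships no OCSP client; the same allowlist and fail-closed rules apply to it.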