STIGhubSTIGhub
STIGsSearchCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated 5 hours ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to Palo Alto Networks NDM Security Technical Implementation Guide

V-228674

CAT II (Medium)

The Palo Alto Networks security platform must use DoD-approved PKI rather than proprietary or self-signed device certificates.

Rule ID

SV-228674r961863_rule

STIG

Palo Alto Networks NDM Security Technical Implementation Guide

Version

V3R3

CCIs

CCI-000366, CCI-001159

Discussion

DoD Instruction 8520.02, Public Key Infrastructure (PKI) and Public Key (PK) Enabling mandates that certificates must be issued by the DoD PKI or by a DoD-approved PKI for authentication, digital signature, or encryption.

Check Content

Go to Device >> Certificate Management >> Certificates
Installed Certificates are listed in the "Device Certificates" tab.
If any of the have the name or identifier of a non-approved source in the "Issuer" field, this is a finding.

Fix Text

Obtain a Device Certificate from the DoD PKI or from a DoD-approved PKI:
Go to Device >> Certificate Management >> Certificates
Select "Import" (at the bottom of the pane). 
In the "Import Certificate" pane, complete each field.
Select "OK".