GEN009120 - The system must be configured to require the use of a CAC, PIV compliant token or Alternate Logon Token for authentication.


In accordance with CTO 07-015 PKI authentication is required. This provides stronger, two-factor authentication than using a username/password.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

NOTE: The following are exempt from this, however, they must meet all password requirements and must be documented with the IAO:

- Stand-alone systems.
- Application Accounts.
- Students or unpaid employees (such as, interns) who are not eligible to receive or not in receipt of a CAC, PIV, or ALT.
- Warfighters and support personnel located at operational tactical locations conducting wartime operations that are not collocated with RAPIDS workstations to issue CAC; are not eligible for CAC or do not have the capability to use ALT.
- Test systems that have an Interim Approval to Test (IATT) and provide protection via separate VPN, firewall, or security measures preventing access to network and system components from outside the protection boundary documented in the IATT.


Consult vendor documentation to determine the procedures necessary for configuring CAC authentication. Configure all accounts required by policy to use CAC authentication.

See Also

Item Details


References: 800-53|IA-2(4), CAT|II, CCI|CCI-000768, Group-ID|V-24347, Rule-ID|SV-30004r2_rule, STIG-ID|GEN009120, Vuln-ID|V-24347

Plugin: Unix

Control ID: 025aa00aa97d941adde972f50a13e6aed5563883a24677182b98ee731d42919d