800-53|IA-5(2)(a)

Title

PKI-BASED AUTHENTICATION

Description

Validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information;

Reference Item Details

Reference: NIST 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations

Category: IDENTIFICATION AND AUTHENTICATION

Family: IDENTIFICATION AND AUTHENTICATION

Audit Items

View all Reference Audit Items

Name	Plugin	Audit Name
1.13.2.1.3 Ensure 'Missing Root Certificates' is set to Enabled:Warning	Windows	CIS Microsoft Office Outlook 2013 v1.1.0 Level 1
1.13.2.1.3 Ensure 'Missing Root Certificates' is set to Enabled:Warning	Windows	CIS Microsoft Office Outlook 2016 v1.1.0 Level 1
2.5.14.2.1.3 Ensure 'Missing Root Certificates' is set to 'Enabled: Error'	Windows	CIS Microsoft Office Enterprise v1.1.0 L1
2.12 Set 'Indicate a missing root certificate as a(n):' to 'Enabled:Warning'	Windows	CIS MS Office Outlook 2010 v1.0.0
4.2 Set OCSP Response Policy	Unix	CIS Mozilla Firefox 102 ESR Linux L2 v1.0.0
4.2 Set OCSP Response Policy	Windows	CIS Mozilla Firefox 102 ESR Windows L2 v1.0.0
4.6 Set OCSP Response Policy	Unix	CIS Mozilla Firefox 38 ESR Linux L2 v1.0.0
4.6 Set OCSP Response Policy	Windows	CIS Mozilla Firefox 38 ESR Windows L2 v1.0.0
5.2 Set 'Check for server certificate revocation' to 'Enabled'	Windows	CIS IE 9 v1.0.0
5.2 Set 'Check for server certificate revocation' to 'Enabled'	Windows	CIS IE 11 v1.0.0
5.2 Set 'Check for server certificate revocation' to 'Enabled'	Windows	CIS IE 10 v1.1.0
5.6 Enable OCSP and CRL certificate checking - CRL	Unix	CIS Apple OSX 10.9 L2 v1.3.0
5.6 Enable OCSP and CRL certificate checking - CRLStyle	Unix	CIS Apple OSX 10.11 El Capitan L2 v1.1.0
5.6 Enable OCSP and CRL certificate checking - CRLStyle	Unix	CIS Apple OSX 10.10 Yosemite L2 v1.2.0
5.6 Enable OCSP and CRL certificate checking - OCSP	Unix	CIS Apple OSX 10.9 L2 v1.3.0
5.6 Enable OCSP and CRL certificate checking - OCSPStyle	Unix	CIS Apple OSX 10.11 El Capitan L2 v1.1.0
5.6 Enable OCSP and CRL certificate checking - OCSPStyle	Unix	CIS Apple OSX 10.10 Yosemite L2 v1.2.0
5.7 Enable OCSP and CRL certificate checking - CRLStyle	Unix	CIS Apple macOS 10.12 L2 v1.2.0
5.7 Enable OCSP and CRL certificate checking - OCSPStyle	Unix	CIS Apple macOS 10.12 L2 v1.2.0
5.25 sqlnet.ora - 'ssl_cert_revocation = REQUIRED'	Windows	CIS v1.1.0 Oracle 11g OS Windows Level 2
AIX7-00-001006 - If the AIX system is using LDAP for authentication or account information, the LDAP SSL, or TLS connection must require the server provide a certificate and this certificate must have a valid path to a trusted CA - Certificate Issuer	Unix	DISA STIG AIX 7.x v2r9
AIX7-00-001006 - If the AIX system is using LDAP for authentication or account information, the LDAP SSL, or TLS connection must require the server provide a certificate and this certificate must have a valid path to a trusted CA - ldapsslkeyf	Unix	DISA STIG AIX 7.x v2r9
AIX7-00-001006 - If the AIX system is using LDAP for authentication or account information, the LDAP SSL, or TLS connection must require the server provide a certificate and this certificate must have a valid path to a trusted CA - useSSL	Unix	DISA STIG AIX 7.x v2r9
AOSX-13-000750 - The macOS system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider.	Unix	DISA STIG Apple Mac OSX 10.13 v2r5
AOSX-14-003001 - The macOS system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider.	Unix	DISA STIG Apple Mac OSX 10.14 v2r6
AOSX-15-003001 - The macOS system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider.	Unix	DISA STIG Apple Mac OSX 10.15 v1r10
APPL-11-003001 - The macOS system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider.	Unix	DISA STIG Apple macOS 11 v1r5
APPL-11-003001 - The macOS system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider.	Unix	DISA STIG Apple macOS 11 v1r8
APPL-12-003001 - The macOS system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider.	Unix	DISA STIG Apple macOS 12 v1r8
APPL-13-003001 - The macOS system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider.	Unix	DISA STIG Apple macOS 13 v1r3
APPNET0031 - Digital signatures assigned to strongly named assemblies must be verified.	Windows	DISA STIG for Microsoft Dot Net Framework 4.0 v2r2
APPNET0046 - The Trust Providers Software Publishing State must be set to 0x23C00.	Windows	DISA STIG for Microsoft Dot Net Framework 4.0 v2r2
APPNET0048 - Developer certificates used with the .NET Publisher Membership Condition must be approved by the IAO.	Windows	DISA STIG for Microsoft Dot Net Framework 4.0 v2r2
APPNET0063 - .NET must be configured to validate strong names on full-trust assemblies - Wow6432Node	Windows	DISA STIG for Microsoft Dot Net Framework 4.0 v2r2
APPNET0063 - .NET must be configured to validate strong names on full-trust assemblies.	Windows	DISA STIG for Microsoft Dot Net Framework 4.0 v2r2
AS24-U2-000380 - The Apache web server must perform RFC 5280-compliant certification path validation	Unix	DISA STIG Apache Server 2.4 Unix Site v2r4 Middleware
AS24-U2-000380 - The Apache web server must perform RFC 5280-compliant certification path validation	Unix	DISA STIG Apache Server 2.4 Unix Site v2r4
AS24-W1-000380 - The Apache web server must perform RFC 5280-compliant certification path validation.	Windows	DISA STIG Apache Server 2.4 Windows Server v2r3
AS24-W2-000380 - The Apache web server must perform RFC 5280-compliant certification path validation - SSLVerifyClient	Windows	DISA STIG Apache Server 2.4 Windows Site v2r1
AS24-W2-000380 - The Apache web server must perform RFC 5280-compliant certification path validation - SSLVerifyDepth	Windows	DISA STIG Apache Server 2.4 Windows Site v2r1
Big Sur - Issue or Obtain Public Key Certificates from an Approved Service Provider	Unix	NIST macOS Big Sur v1.4.0 - 800-53r5 High
Big Sur - Issue or Obtain Public Key Certificates from an Approved Service Provider	Unix	NIST macOS Big Sur v1.4.0 - 800-53r4 High
Big Sur - Issue or Obtain Public Key Certificates from an Approved Service Provider	Unix	NIST macOS Big Sur v1.4.0 - All Profiles
Big Sur - Issue or Obtain Public Key Certificates from an Approved Service Provider	Unix	NIST macOS Big Sur v1.4.0 - 800-53r5 Moderate
Big Sur - Issue or Obtain Public Key Certificates from an Approved Service Provider	Unix	NIST macOS Big Sur v1.4.0 - CNSSI 1253
Big Sur - Issue or Obtain Public Key Certificates from an Approved Service Provider	Unix	NIST macOS Big Sur v1.4.0 - 800-53r4 Moderate
CASA-VN-000120 - The Cisco ASA must be configured to validate certificates via a trustpoint that identifies a DoD or DoD-approved certificate authority.	Cisco	DISA STIG Cisco ASA VPN v1r3
CASA-VN-000730 - The Cisco ASA VPN remote access server must be configured to validate certificates used for Transport Layer Security (TLS) functions by performing RFC 5280-compliant certification path validation - ipsec-client	Cisco	DISA STIG Cisco ASA VPN v1r3
CASA-VN-000730 - The Cisco ASA VPN remote access server must be configured to validate certificates used for Transport Layer Security (TLS) functions by performing RFC 5280-compliant certification path validation - ssl-client	Cisco	DISA STIG Cisco ASA VPN v1r3
Catalina - Issue or Obtain Public Key Certificates from an Approved Service Provider	Unix	NIST macOS Catalina v1.5.0 - 800-53r5 Moderate

Detections

Analytics

800-53|IA-5(2)(a)

Title

Description

Reference Item Details

Audit Items