800-53|SC-17

Title

PUBLIC KEY INFRASTRUCTURE CERTIFICATES

Description

The organization issues public key certificates under an [Assignment: organization-defined certificate policy] or obtains public key certificates from an approved service provider.

Supplemental

For all certificates, organizations manage information system trust stores to ensure only approved trust anchors are in the trust stores. This control addresses both certificates with visibility external to organizational information systems and certificates related to the internal operations of systems, for example, application-specific time services.

Reference Item Details

Related: SC-12

Category: SYSTEM AND COMMUNICATIONS PROTECTION

Family: SYSTEM AND COMMUNICATIONS PROTECTION

Priority: P1

Baseline Impact: MODERATE,HIGH

Audit Items

| Name | Plugin | Audit Name |
| --- | --- | --- |
| 1.2.4 Ensure valid certificate is set for browser-based administrator interface - Certificate Profiles | Palo_Alto | CIS Palo Alto Firewall 6 Benchmark L2 v1.0.0 |
| 1.2.4 Ensure valid certificate is set for browser-based administrator interface - Certificate Profiles | Palo_Alto | CIS Palo Alto Firewall 7 Benchmark L2 v1.0.0 |
| 1.2.4 Ensure valid certificate is set for browser-based administrator interface - Certificates | Palo_Alto | CIS Palo Alto Firewall 7 Benchmark L2 v1.0.0 |
| 1.2.4 Ensure valid certificate is set for browser-based administrator interface - Certificates | Palo_Alto | CIS Palo Alto Firewall 6 Benchmark L2 v1.0.0 |
| 1.6.3 Ensure that the certificate securing Remote Access VPNs is valid - Certificates | Palo_Alto | CIS Palo Alto Firewall 7 Benchmark L2 v1.0.0 |
| 1.6.3 Ensure that the certificate securing Remote Access VPNs is valid - Certificates | Palo_Alto | CIS Palo Alto Firewall 6 Benchmark L2 v1.0.0 |
| 1.6.3 Ensure that the certificate securing Remote Access VPNs is valid - Certificates | Palo_Alto | CIS Palo Alto Firewall 6 Benchmark L1 v1.0.0 |
| 1.6.3 Ensure that the certificate securing Remote Access VPNs is valid - Certificates | Palo_Alto | CIS Palo Alto Firewall 7 Benchmark L1 v1.0.0 |
| 1.6.3 Ensure that the certificate securing Remote Access VPNs is valid - GlobalProtect Gateways | Palo_Alto | CIS Palo Alto Firewall 6 Benchmark L2 v1.0.0 |
| 1.6.3 Ensure that the certificate securing Remote Access VPNs is valid - GlobalProtect Gateways | Palo_Alto | CIS Palo Alto Firewall 7 Benchmark L1 v1.0.0 |
| 1.6.3 Ensure that the certificate securing Remote Access VPNs is valid - GlobalProtect Gateways | Palo_Alto | CIS Palo Alto Firewall 6 Benchmark L1 v1.0.0 |
| 1.6.3 Ensure that the certificate securing Remote Access VPNs is valid - GlobalProtect Gateways | Palo_Alto | CIS Palo Alto Firewall 7 Benchmark L2 v1.0.0 |
| 1.6.3 Ensure that the certificate securing Remote Access VPNs is valid - GlobalProtect Portals | Palo_Alto | CIS Palo Alto Firewall 6 Benchmark L1 v1.0.0 |
| 1.6.3 Ensure that the certificate securing Remote Access VPNs is valid - GlobalProtect Portals | Palo_Alto | CIS Palo Alto Firewall 7 Benchmark L2 v1.0.0 |
| 1.6.3 Ensure that the certificate securing Remote Access VPNs is valid - GlobalProtect Portals | Palo_Alto | CIS Palo Alto Firewall 6 Benchmark L2 v1.0.0 |
| 1.6.3 Ensure that the certificate securing Remote Access VPNs is valid - GlobalProtect Portals | Palo_Alto | CIS Palo Alto Firewall 7 Benchmark L1 v1.0.0 |
| 1.10 Ensure Web Tier ELB have the latest SSL Security Policies configured | amazon_aws | CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0 |
| 1.13 Ensure App Tier ELB have the latest SSL Security Policies configured | amazon_aws | CIS Amazon Web Services Three-tier Web Architecture L2 1.0.0 |
| 8.3 Ensure that the Certificate used for Decryption is Trusted | Palo_Alto | CIS Palo Alto Firewall 6 Benchmark L2 v1.0.0 |
| 8.3 Ensure that the Certificate used for Decryption is Trusted | Palo_Alto | CIS Palo Alto Firewall 6 Benchmark L1 v1.0.0 |
| 8.3 Ensure that the Certificate used for Decryption is Trusted | Palo_Alto | CIS Palo Alto Firewall 7 Benchmark L2 v1.0.0 |
| 8.3 Ensure that the Certificate used for Decryption is Trusted | Palo_Alto | CIS Palo Alto Firewall 7 Benchmark L1 v1.0.0 |
| Big Sur - Issue or Obtain Public Key Certificates from an Approved Service Provider | Unix | NIST macOS Big Sur v1.4.0 - 800-53r4 High |
| Big Sur - Issue or Obtain Public Key Certificates from an Approved Service Provider | Unix | NIST macOS Big Sur v1.4.0 - 800-53r5 High |
| Big Sur - Issue or Obtain Public Key Certificates from an Approved Service Provider | Unix | NIST macOS Big Sur v1.4.0 - All Profiles |
| Big Sur - Issue or Obtain Public Key Certificates from an Approved Service Provider | Unix | NIST macOS Big Sur v1.4.0 - 800-53r5 Moderate |
| Big Sur - Issue or Obtain Public Key Certificates from an Approved Service Provider | Unix | NIST macOS Big Sur v1.4.0 - CNSSI 1253 |
| Big Sur - Issue or Obtain Public Key Certificates from an Approved Service Provider | Unix | NIST macOS Big Sur v1.4.0 - 800-53r4 Moderate |
| Big Sur - Set Smartcard Certificate Trust to High | Unix | NIST macOS Big Sur v1.4.0 - All Profiles |
| Big Sur - Set Smartcard Certificate Trust to High | Unix | NIST macOS Big Sur v1.4.0 - 800-53r4 High |
| Big Sur - Set Smartcard Certificate Trust to High | Unix | NIST macOS Big Sur v1.4.0 - 800-53r5 High |
| Big Sur - Set Smartcard Certificate Trust to Moderate | Unix | NIST macOS Big Sur v1.4.0 - CNSSI 1253 |
| Big Sur - Set Smartcard Certificate Trust to Moderate | Unix | NIST macOS Big Sur v1.4.0 - 800-53r4 Moderate |
| Big Sur - Set Smartcard Certificate Trust to Moderate | Unix | NIST macOS Big Sur v1.4.0 - All Profiles |
| Big Sur - Set Smartcard Certificate Trust to Moderate | Unix | NIST macOS Big Sur v1.4.0 - 800-53r5 Moderate |
| CASA-ND-001370 - The Cisco ASA must be configured to obtain its public key certificates from an appropriate certificate policy through an approved service provider. | Cisco | DISA STIG Cisco ASA NDM v1r1 |
| Catalina - Issue or Obtain Public Key Certificates from an Approved Service Provider | Unix | NIST macOS Catalina v1.5.0 - All Profiles |
| CISC-ND-001440 - The Cisco router must be configured to obtain its public key certificates from an appropriate certificate policy through an approved service provider - crypto pki trustpoint | Cisco | DISA STIG Cisco IOS XE Router NDM v2r5 |
| CISC-ND-001440 - The Cisco router must be configured to obtain its public key certificates from an appropriate certificate policy through an approved service provider - crypto pki trustpoint | Cisco | DISA STIG Cisco IOS Router NDM v2r4 |
| CISC-ND-001440 - The Cisco router must be configured to obtain its public key certificates from an appropriate certificate policy through an approved service provider - crypto pki trustpoint | Cisco | DISA STIG Cisco IOS-XR Router NDM v2r2 |
| CISC-ND-001440 - The Cisco router must be configured to obtain its public key certificates from an appropriate certificate policy through an approved service provider - enrollment | Cisco | DISA STIG Cisco IOS-XR Router NDM v2r2 |
| CISC-ND-001440 - The Cisco router must be configured to obtain its public key certificates from an appropriate certificate policy through an approved service provider - enrollment | Cisco | DISA STIG Cisco IOS Router NDM v2r4 |
| CISC-ND-001440 - The Cisco router must be configured to obtain its public key certificates from an appropriate certificate policy through an approved service provider - enrollment | Cisco | DISA STIG Cisco IOS XE Router NDM v2r5 |
| CISC-ND-001440 - The Cisco switch must be configured to obtain its public key certificates from an appropriate certificate policy through an approved service provider - crypto pki trustpoint | Cisco | DISA STIG Cisco NX-OS Switch NDM v2r3 |
| CISC-ND-001440 - The Cisco switch must be configured to obtain its public key certificates from an appropriate certificate policy through an approved service provider - crypto pki trustpoint | Cisco | DISA STIG Cisco IOS Switch NDM v2r4 |
| CISC-ND-001440 - The Cisco switch must be configured to obtain its public key certificates from an appropriate certificate policy through an approved service provider - crypto pki trustpoint | Cisco | DISA STIG Cisco IOS XE Switch NDM v2r3 |
| CISC-ND-001440 - The Cisco switch must be configured to obtain its public key certificates from an appropriate certificate policy through an approved service provider - enrollment | Cisco | DISA STIG Cisco NX-OS Switch NDM v2r3 |
| CISC-ND-001440 - The Cisco switch must be configured to obtain its public key certificates from an appropriate certificate policy through an approved service provider - enrollment | Cisco | DISA STIG Cisco IOS XE Switch NDM v2r3 |
| CISC-ND-001440 - The Cisco switch must be configured to obtain its public key certificates from an appropriate certificate policy through an approved service provider - enrollment | Cisco | DISA STIG Cisco IOS Switch NDM v2r4 |
| CISC-ND-001440 - The Cisco switch must be configured to obtain its public key certificates from an appropriate certificate policy through an approved service provider - show crypto ca certificates | Cisco | DISA STIG Cisco NX-OS Switch NDM v2r3 |