Check: SRG-APP-000148-AS-000101
Application Server SRG: SRG-APP-000148-AS-000101 (version v4 r2)
Title
The application server must use an approved DOD enterprise identity, credential, and access management (ICAM) solution to uniquely identify and authenticate users (or processes acting on behalf of organizational users). (Cat II impact)
Discussion
To ensure accountability and prevent unauthorized access, application server users must be uniquely identified and authenticated. This is typically accomplished via the use of a user store, which is either local (OS-based) or centralized (LDAP). However, DoDI 8520.03 now requires that applications use an approved DOD enterprise (E-ICAM) solution whenever the ICAM solution addresses information system needs. Where the ICAM solution has been evaluated and found to not meet the needs of information system owners, information system owners must reevaluate decisions to use locally managed solutions and transition to DOD enterprise ICAM solutions to the maximum extent possible as the enterprise ICAM solutions mature.
Check Content
Review application server documentation and configuration settings to determine if the application server is using an approved enterprise ICAM solution to authenticate organizational users and processes running on the users' behalf. If an approved enterprise ICAM solution is not being used, this is a finding.
Note: If the site is currently using an enterprise solution (AAA server) and has documented its plans to move to an approved enterprise ICAM solution, the severity of this control can be reduced to CAT III.
Fix Text
Configure the application server to use an approved enterprise ICAM solution to uniquely identify and authenticate users and processes acting on behalf of organizational users.
Additional Identifiers
Rule ID: SV-204745r1051118_rule
Vulnerability ID: V-204745
Group Title: SRG-APP-000148
CCIs
Number | Definition
---|---
CCI-000764 | Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users.
Controls
Number | Title
---|---
IA-2 | Identification and Authentication (Organizational Users)