Check: SRG-NET-000580-CLD-000070
Cloud Computing Mission Owner SRG: SRG-NET-000580-CLD-000070 (version v1 r0.1)
Title
The Mission Owner of the IaaS/PaaS must implement an encrypted, FIPS 140-2/3 compliant path between the implemented systems/applications and the DOD OCSP responders. (Cat II impact)
Discussion
The Mission Owner must use identity services, including an Online Certificate Status Protocol (OCSP) responder, for remote-system DOD Common Access Card (CAC) two-factor authentication of DOD privileged users (all Impact Levels) and nonprivileged users (Impact Levels 4–6) to systems instantiated within the cloud service environment. OCSP responses are digitally signed by the responder, so their integrity does not depend on the transport; the encrypted path required here protects the confidentiality of the status queries (which certificate serial numbers are being checked, and by whom) and must itself be provided by cryptography that is FIPS 140-2/3 validated.
Check Content
Applies to all Impact Levels. Identify the OCSP responder URL each implemented system/application actually uses (the OCSP URL in the certificate's Authority Information Access extension, or a locally configured override) and verify that a FIPS 140-2/3 compliant, encrypted communication protocol (for example, TLS 1.2 or later from a FIPS-validated cryptographic module) is configured for communication between the implemented systems/applications and the DOD OCSP responders. A responder reached over plain HTTP is not an encrypted path, and an encrypted path whose cryptography is not provided by a FIPS 140-2/3 validated module does not satisfy the requirement. If the cloud IaaS/PaaS does not implement a secure (encrypted) FIPS-compliant connection or path between the implemented systems/applications and the DOD OCSP responders, this is a finding.
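The following is an added example of how an assessor might script the Check Content above; it is not DISA tooling and not part of the SRG. It assumes an inventory in which each record (`OcspPath`) carries the responder URL a system is configured to use plus, where captured, the TLS version and cipher suite it negotiated. "FIPS 140-2/3 compliant" is approximated on the wire as TLS 1.2 or 1.3 with an AES-GCM cipher suite drawn from NIST SP 800-52r2; because validation of the cryptographic module itself cannot be observed on the wire, every pass is annotated with a manual follow-up. The hostnames, the inventory and the three-state verdict (`pass`, `finding`, `manual`) are constructed for this example and are not real DOD responders.

```python
"""Added example (not DISA's tooling): audit configured OCSP responder paths
against SRG-NET-000580-CLD-000070 (encrypted, FIPS 140-2/3 compliant path).

Assumptions, all this example's own:
  * each path is an OcspPath record: the responder URL the system is configured
    to use plus, where captured, the TLS version and cipher suite negotiated;
  * "FIPS 140-2/3 compliant" is approximated as TLS 1.2/1.3 with an AES-GCM
    suite from NIST SP 800-52r2. Module validation is not visible on the wire,
    so a pass still carries a manual follow-up.
  * hostnames are constructed; they are not real DOD OCSP responders.
"""
import socket
import ssl
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit

# OpenSSL-style names, as ssl.SSLSocket.cipher() reports them. Subset of the
# SP 800-52r2 suites (AES-GCM with ECDHE/DHE key agreement); CHACHA20,
# CBC/SHA-1 and RSA key-transport suites are deliberately absent.
FIPS_SUITES = {
    "TLSv1.3": {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384"},
    "TLSv1.2": {
        "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384",
        "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384",
        "DHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES256-GCM-SHA384",
    },
}
MODULE_NOTE = "confirm the TLS client uses a FIPS 140-2/3 validated module (CMVP certificate)"


@dataclass
class OcspPath:
    system: str                        # cloud-hosted system/application under review
    responder_url: str                 # OCSP responder it is configured to query
    tls_version: Optional[str] = None  # negotiated version, e.g. "TLSv1.2"
    cipher: Optional[str] = None       # negotiated suite, OpenSSL naming


@dataclass
class Result:
    system: str
    status: str                        # "pass" | "finding" | "manual"
    reasons: list = field(default_factory=list)


def assess_path(p: OcspPath) -> Result:
    """Apply the Check Content logic to one configured responder path."""
    url = urlsplit(p.responder_url)
    # RFC 6960 responses are signed, so integrity holds over plain HTTP, but the
    # SRG requires an *encrypted* path: a non-https responder URL is a finding.
    if url.scheme.lower() != "https":
        return Result(p.system, "finding",
                      [f"responder URL uses {url.scheme or 'no'} scheme; "
                       "OCSP traffic is not carried over an encrypted path"])
    if not p.tls_version or not p.cipher:
        return Result(p.system, "manual",
                      ["TLS version/cipher not captured; probe the responder "
                       "(probe_tls) before closing the check"])
    allowed = FIPS_SUITES.get(p.tls_version)
    if allowed is None:
        return Result(p.system, "finding",
                      [f"{p.tls_version} negotiated; FIPS path requires TLS 1.2 or 1.3"])
    if p.cipher not in allowed:
        return Result(p.system, "finding",
                      [f"cipher suite {p.cipher} is not FIPS-approved"])
    return Result(p.system, "pass", [MODULE_NOTE])


def assess_all(paths):
    return [assess_path(p) for p in paths]


def summarize(results):
    """Counts per status; any 'finding' means the SRG check fails for the enclave."""
    counts = {"pass": 0, "finding": 0, "manual": 0}
    for r in results:
        counts[r.status] += 1
    return counts


def probe_tls(responder_url, timeout=5.0):
    """Live helper (network; not exercised offline): obtain tls_version/cipher
    by handshaking with the responder the way the client would."""
    url = urlsplit(responder_url)
    host, port = url.hostname, url.port or 443
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


# Constructed inventory standing in for a Mission Owner's cloud systems.
SAMPLE_PATHS = [
    OcspPath("app-frontend", "http://ocsp.example.test/"),
    OcspPath("bastion", "https://ocsp.example.test/", "TLSv1.3", "TLS_AES_256_GCM_SHA384"),
    OcspPath("db-tier", "https://ocsp.example.test/", "TLSv1.2", "ECDHE-RSA-CHACHA20-POLY1305"),
    OcspPath("legacy-web", "https://ocsp.example.test/", "TLSv1.0", "AES128-SHA"),
    OcspPath("ci-runner", "https://ocsp.example.test/"),
]

if __name__ == "__main__":
    results = assess_all(SAMPLE_PATHS)
    for r in results:
        print(f"{r.system:12} {r.status:8} {'; '.join(r.reasons)}")
    print(summarize(results))
```

Run against the constructed inventory, one system passes (with the module-validation follow-up), three are findings (plain HTTP, a non-approved suite, TLS 1.0) and one is left for manual probing. A `manual` verdict is deliberately not a pass: the check cannot be closed until the negotiated parameters are captured, which `probe_tls` does against a live responder.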
Fix Text
This applies to all Impact Levels. FedRAMP Moderate, High. Configure the IaaS/PaaS to implement an encrypted path that is FIPS 140-3 compliant between the implemented systems/applications and the DOD OCSP responders.
Additional Identifiers
Rule ID: SRG-NET-000580-CLD-000070_rule
Vulnerability ID: SRG-NET-000580-CLD-000070
Group Title: SRG-NET-000580-CLD-000070
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000185 | The information system, for PKI-based authentication, validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information. |
Controls
Number | Title |
---|---|
IA-5 (2) | PKI-Based Authentication |