Title

The organization must not use DoD-issued software certificates for Non-enterprise activated CMDs. (Cat I impact)

Discussion

If DoD issued certificates are utilized, the device may be able to connect to sites/systems that are otherwise prohibited without the certificate. Non-enterprise activated CMDs are not authorized to access DoD information. In addition, the certificate store will not be protected with AES encryption or be FIPS validated. DoD PKI certificates would be at risk of being compromised.

Check Content

Review the organization's published implementation guidance on the use of non-enterprise activated CMDs to determine if DoD software certificates are prohibited from being utilized on the devices. If DoD software certificates are not prohibited, this is a finding.

Fix Text

Publish the organization’s implementation guidance prohibiting the use of DoD-issued software certificates on non-enterprise activated CMDs.

Additional Identifiers

Rule ID:

Vulnerability ID: V-35976

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.