Title

All wireless PDA clients used for remote access to a DoD network must have a VPN capability that supports CAC authentication. (Cat II impact)

Discussion

If an adversary can bypass a VPN’s authentication controls, then the adversary can compromise DoD data transmitted over the VPN and conduct further attacks on DoD networks. CAC authentication greatly mitigates this risk by providing strong two-factor authentication.

Check Content

Interview the IAO and/or site wireless device administrator and inspect a sample (3-4) of site devices. Verify the VPN client supports CAC authentication to the DoD network (recommend asking the site wireless device administrator to demo this capability). Mark as a finding if CAC authentication is not supported.

Fix Text

Comply with requirement.

Additional Identifiers

Rule ID: SV-31706r1_rule

Vulnerability ID: V-19898

Group Title: Remote access VPN - CAC authentication

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.