CCI-000186
CCI-000186 Definition
Status:
Type: technical
Master Assessment Datasheet
Implementation Guidance
Information systems must not have access to users’ private keys. The cryptographic container in which the private keys are stored (e.g. smart card or software module) implements access controls and protections to ensure that only the authorized user can activate the private key. DoD users agree to protect their PKI credentials in accordance with the DD-2842 agreement that is executed for each credential. They are reminded of these responsibilities in annual IA training. The private key identifying the information system must be stored in a cryptographic container that is FIPS 140-2 validated. Only authorized information system operators should have access to activation data (e.g. password or PIN) for the private key.
Validation Procedures
The organization conducting the inspection/assessment examines the information system to ensure the information system does not contain any users’ private keys. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed has configured the information system to store its own private key in a FIPS 140-2 validated cryptographic module.
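The first validation step above (confirming the information system holds no users' private keys) is usually carried out by sweeping the filesystem for key material. The following is an added example, not part of the CCI text or any DoD tooling: it walks a directory tree, flags PEM-encoded private keys, and reports whether the PEM itself indicates encryption. It assumes on-disk keys appear in PEM form; the sample tree in demo() and its placeholder key bodies are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Any PEM private-key header: RSA, EC, DSA, OPENSSH or PKCS#8, plain or encrypted.
PRIVATE_KEY_HEADER = re.compile(r"-----BEGIN ([A-Z ]*?)PRIVATE KEY-----")

def classify_pem(text):
    """Return None if no PEM private key is present, else 'encrypted', 'plaintext' or 'opaque'."""
    match = PRIVATE_KEY_HEADER.search(text)
    if match is None:
        return None
    label = match.group(1).strip()
    # PKCS#8 marks encryption in the header; legacy OpenSSL keys use a Proc-Type line.
    if label == "ENCRYPTED" or "Proc-Type: 4,ENCRYPTED" in text:
        return "encrypted"
    # OPENSSH keys record passphrase state inside the binary body, so the header cannot tell.
    return "opaque" if label == "OPENSSH" else "plaintext"


def scan_tree(root, max_bytes=64 * 1024):
    """List (relative path, kind) for every file under root that carries a PEM private key."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            head = path.read_bytes()[:max_bytes]  # PEM headers sit at the top of the file
        except OSError:  # unreadable file: record nothing, do not abort the sweep
            continue
        kind = classify_pem(head.decode("ascii", errors="ignore"))
        if kind is not None:
            findings.append((path.relative_to(root).as_posix(), kind))
    return sorted(findings)


def demo():
    """Constructed sample tree with placeholder (non-functional) PEM bodies."""
    samples = {
        "id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nQUJD\n-----END RSA PRIVATE KEY-----\n",
        "client.p8": "-----BEGIN ENCRYPTED PRIVATE KEY-----\nQUJD\n-----END ENCRYPTED PRIVATE KEY-----\n",
        "server.crt": "-----BEGIN CERTIFICATE-----\nQUJD\n-----END CERTIFICATE-----\n",
    }
    with tempfile.TemporaryDirectory() as root:
        home = Path(root, "home", "alice")
        home.mkdir(parents=True)
        for name, body in samples.items():
            (home / name).write_text(body)
        return scan_tree(root)
```

Any finding under a user's home directory is evidence against the first check regardless of kind; a "plaintext" finding anywhere also bears on the activation-data requirement in the Implementation Guidance.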
Compelling Evidence
1.) Signed and dated SOP/TTP, referencing the section on private key access
2.) Applicable STIG/SRG checks