CCI-001991
CCI-001991 Definition
| Field | Value |
|---|---|
| Status | |
| Type | CheckType.technical |
Master Assessment Datasheet
Implementation Guidance
The information system must be configured to locally cache revocation data to support path discovery and validation in case of inability to access revocation information via the network. The information system may meet this requirement by locally caching certificate revocation lists (CRLs), Online Certificate Status Protocol (OCSP) responses, or a combination thereof. Cached revocation data must include revocation information from all PKIs serving known or anticipated users of the information system. Cached data must be refreshed with a frequency shorter than the life of the data (e.g. if a CRL is valid for 7 days, a new CRL must be retrieved and cached more frequently than every 7 days) to ensure that cached data is valid and not expired. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1991.
Validation Procedures
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed has configured the information system to locally cache revocation data (CRLs and/or OCSP responses) to support path discovery and validation in case of inability to access revocation information via the network. The organization conducting the inspection/assessment examines the information system to ensure that revocation data is cached for all PKIs serving known or anticipated users of the information system. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed has configured a process for the information system to refresh cached revocation data prior to the data’s expiration. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1991.
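The three checks above (coverage of every required PKI, no expired cached data, refresh interval shorter than the data's lifetime) can be scripted against an inventory of what the cache actually holds. The following is an added illustration, not part of the CCI text: the cache inventory, issuer names and refresh intervals are constructed sample values, and the `CachedRevocationData` record is an assumed shape an assessor would fill from `openssl crl -noout -lastupdate -nextupdate` output or the OCSP responder's `thisUpdate`/`nextUpdate` fields.

```python
"""Audit a local revocation-data cache against CCI-001991:
every required PKI is covered, nothing cached has expired, and each
entry is refreshed more often than its validity period."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class CachedRevocationData:
    issuer: str               # PKI / issuing CA the data belongs to
    kind: str                 # "CRL" or "OCSP"
    this_update: datetime     # thisUpdate from the CRL or OCSP response
    next_update: datetime     # nextUpdate; data is stale at or after this
    refresh_every: timedelta  # how often the fetch job re-downloads it


def audit_cache(entries, required_issuers, now):
    """Return a list of findings; an empty list means all three checks pass."""
    findings = []
    # Check 1: revocation data cached for every PKI serving the system's users
    covered = {e.issuer for e in entries}
    for issuer in sorted(set(required_issuers) - covered):
        findings.append(f"no cached revocation data for PKI '{issuer}'")
    for e in entries:
        lifetime = e.next_update - e.this_update
        # Check 2: cached data must still be within its validity window
        if now >= e.next_update:
            findings.append(f"{e.kind} for '{e.issuer}' expired at "
                            f"{e.next_update:%Y-%m-%d %H:%M}Z")
        # Check 3: refresh strictly more often than the data's lifetime
        if e.refresh_every >= lifetime:
            findings.append(f"{e.kind} for '{e.issuer}' refreshed every "
                            f"{e.refresh_every} but only valid for {lifetime}")
    return findings


# Constructed sample cache state (placeholder issuer names, not real PKIs)
NOW = datetime(2024, 3, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE_CACHE = [
    # 7-day CRL refreshed daily: compliant
    CachedRevocationData("Example Root PKI", "CRL",
                         NOW - timedelta(days=1), NOW + timedelta(days=6), timedelta(days=1)),
    # 7-day CRL refreshed every 7 days and already expired: two findings
    CachedRevocationData("Example Partner PKI", "CRL",
                         NOW - timedelta(days=8), NOW - timedelta(days=1), timedelta(days=7)),
    # 24-hour OCSP response refreshed every 12 hours: compliant
    CachedRevocationData("Example Issuing CA", "OCSP",
                         NOW - timedelta(hours=1), NOW + timedelta(hours=23), timedelta(hours=12)),
]
REQUIRED_PKIS = ["Example Root PKI", "Example Partner PKI",
                 "Example Issuing CA", "Example Coalition PKI"]

if __name__ == "__main__":
    for finding in audit_cache(SAMPLE_CACHE, REQUIRED_PKIS, NOW):
        print("FINDING:", finding)
```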
Compelling Evidence
1. Signed and dated SOP/TTP configuring the information system to locally cache revocation data to support path discovery and validation in case of inability to access revocation information via the network.
2. Applicable STIG/SRG checks