CCI-002003
CCI-002003 Definition
Status | |
Type | CheckType.technical |
Master Assessment Datasheet
Implementation Guidance
The information system performing hardware token-based authentication must be configured to accept only DoD-approved PKI credentials in accordance with DoDI 8520.02 and DoDI 8520.03. For unclassified systems, DoD-approved PKI credentials include DoD PKI credentials, External Certification Authority (ECA) PKI credentials, and DoD-approved external PKI credentials. For SIPRNet, DoD-approved PKI credentials include DoD PKI credentials and NSS PKI credentials. If the information system accepts DoD-approved external PKI credentials, it must be configured to accept only certificates at approved assurance levels, as represented by the Certificate Policy Object Identifiers (OIDs) asserted in the certificate. The current list of DoD-approved external PKIs and the acceptable OIDs for each approved external PKI is available at http://iase.disa.mil/pki-pke/interoperability.
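The OID acceptance decision described above, as an added example in Go (not code from the CCI text or from any DoD or DISA tool): it builds constructed self-signed certificates carrying a certificatePolicies extension and accepts only those asserting an allow-listed Certificate Policy OID. The allow-listed 2.999.1 and the unapproved 2.999.2 are placeholders from the ITU example arc, standing in for the approved OIDs published on the DISA list; chain validation is assumed to happen separately.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

// PLACEHOLDER allow-list (ITU example arc 2.999); load the real approved OIDs from the DISA list.
var approvedOIDs = map[string]bool{"2.999.1": true}

// AssertsApprovedPolicy is the accept/reject decision from the guidance: accept only a
// certificate whose certificatePolicies extension asserts an allow-listed OID. Chain
// validation is assumed done elsewhere; no extension means no assurance level, so reject.
func AssertsApprovedPolicy(cert *x509.Certificate, approved map[string]bool) bool {
	for _, oid := range cert.PolicyIdentifiers {
		if approved[oid.String()] {
			return true
		}
	}
	return false
}

type policyInfo struct{ Policy asn1.ObjectIdentifier } // RFC 5280 PolicyInformation, qualifiers omitted

// makeTestCert: self-signed cert asserting the given policy OIDs via a hand-encoded 2.5.29.32 extension (constructed test data).
func makeTestCert(oids ...asn1.ObjectIdentifier) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // cannot fail with a sane RNG
	var infos []policyInfo
	for _, o := range oids {
		infos = append(infos, policyInfo{o})
	}
	ext, _ := asn1.Marshal(infos) // SEQUENCE OF PolicyInformation
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed test"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: ext}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced just above, so parsing succeeds
	return cert
}
```

A certificate asserting several policy OIDs is accepted as soon as one of them is on the allow-list, which is the behaviour the guidance requires for approved external PKIs that assert more than one policy.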
Validation Procedures
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed has configured the information system to accept only DoD-approved PKI credentials in accordance with (IAW) DoDI 8520.02 and DoDI 8520.03. If the information system accepts DoD-approved external PKI credentials, the organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed has configured the information system to accept only DoD-approved external PKI credentials that assert an approved Certificate Policy OID and to reject credentials issued by DoD-approved external PKIs that do not assert an approved OID.
Compelling Evidence
1.) Signed and dated SOP/TTP documenting that the information system is configured to accept only DoD-approved PKI credentials IAW DoDI 8520.02 and DoDI 8520.03.