CCI-002009
CCI-002009 Definition
| Field | Value |
| --- | --- |
| Status | |
| Type | CheckType.technical |
Master Assessment Datasheet
Implementation Guidance
The information system performing hardware token-based authentication must be configured to accept DoD-approved external PKI PIV credentials to authenticate federal agency users in accordance with DoDI 8520.02 and DoDI 8520.03. The information system must be configured to accept only certificates at approved assurance levels, as represented by the Certificate Policy Object Identifiers (OIDs) asserted in the certificate. The current list of DoD-approved external PKIs and acceptable Object Identifiers (OIDs) for each approved external PKI is available at http://iase.disa.mil/pki-pke/interoperability. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2009.
Validation Procedures
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed has configured the information system to accept DoD-approved external PKI PIV credentials in accordance with DoDI 8520.02 and DoDI 8520.03. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed has configured the information system to accept only DoD-approved external PKI PIV credentials that assert an approved Certificate Policy OID and to reject credentials issued by DoD-approved external PKIs that do not assert an approved OID. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2009.
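The check that the guidance and validation procedure above describe, gating a credential on the Certificate Policy OIDs it asserts, written here as an added example that is not part of the CCI record or of any DISA tooling. It uses only the Go standard library; the allowlist is a placeholder (the authoritative OIDs per approved external PKI come from the DISA interoperability page cited above), and `makeTestCert`, `allowedOID` and `unlistedOID` are constructed test fixtures, not real PIV credentials.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)
// Constructed sample OIDs: one placed on the allowlist, one deliberately not (2.999 is the ITU-T example arc).
var allowedOID = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 2, 1, 3, 13}
var unlistedOID = asn1.ObjectIdentifier{2, 999, 1}
// PLACEHOLDER allowlist: the authoritative OIDs for each DoD-approved external PKI come from
// the DISA interoperability page cited above; the entry here is a constructed example value.
var approvedPolicyOIDs = map[string]bool{allowedOID.String(): true}
// policyAccepted fails closed: a credential passes only if it asserts at least one allowlisted
// Certificate Policy OID, so a missing certificatePolicies extension is rejected too.
func policyAccepted(cert *x509.Certificate, approved map[string]bool) bool {
	for _, oid := range cert.PolicyIdentifiers {
		if approved[oid.String()] {
			return true
		}
	}
	return false
}
type policyInformation struct{ Policy asn1.ObjectIdentifier } // RFC 5280 PolicyInformation, qualifiers omitted
var testPub, testPriv, _ = ed25519.GenerateKey(rand.Reader)   // throwaway self-signing key for fixtures
// makeTestCert self-signs a constructed test certificate (not a real PIV credential) whose
// certificatePolicies extension asserts exactly the given OIDs; with none, the extension is omitted.
func makeTestCert(oids ...asn1.ObjectIdentifier) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed-test-user"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	if len(oids) > 0 {
		infos := make([]policyInformation, len(oids))
		for i, o := range oids {
			infos[i] = policyInformation{Policy: o}
		}
		der, err := asn1.Marshal(infos) // SEQUENCE OF PolicyInformation, supplied as raw DER
		if err != nil {
			return nil, err
		}
		tmpl.ExtraExtensions = []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: der}} // id-ce-certificatePolicies
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, testPub, testPriv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

The block is meant to be exercised from a Go test (build fixtures with `makeTestCert`, assert on `policyAccepted`); in a relying party, the OID gate runs after, never instead of, chain validation to the approved external PKI's trust anchor and revocation checking.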
Compelling Evidence
1. Signed and dated SOP/TTP documenting configuration of the information system performing hardware token-based authentication to accept DoD-approved external PKI PIV credentials to authenticate federal agency users in accordance with DoDI 8520.02 and DoDI 8520.03.
2. Signed and dated SOP/TTP documenting the configuration of the information system to accept only certificates at approved assurance levels, as represented by the Certificate Policy Object Identifiers (OIDs) asserted in the certificate.
3. Applicable STIG/SRG checks.