CCI-002010
CCI-002010 Definition
Status |
Type | CheckType.technical
Master Assessment Datasheet
Implementation Guidance
The information system performing hardware token-based authentication must be configured to validate DoD-approved external PKI PIV credentials to authenticate federal agency users in accordance with RFC 5280. The information system must be configured to perform a revocation check as part of the certificate validation process. Revocation checking may be performed using certificate revocation lists (CRLs) published by the issuing PKI or Online Certificate Status Protocol (OCSP) services. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2010.
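The two requirements above, RFC 5280 path validation followed by a revocation check, shown as working Go code; this is an added illustration, not code from the datasheet or from any DoD system. It assumes a throwaway in-memory CA, leaf and CRL in place of a real PIV credential and issuing PKI, and it shows only the CRL form of revocation checking (OCSP is the other option the guidance allows).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"slices"
	"time"
)
// BuildTestPKI: throwaway CA, client-auth leaf and CA-signed CRL, all in memory (constructed test data, not a DoD PKI).
func BuildTestPKI(revoke bool) (ca, leaf *x509.Certificate, crl *x509.RevocationList) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader) // the user's own key pair; only its public half goes in the cert
	nb, na := time.Now().Add(-time.Hour), time.Now().Add(time.Hour)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test CA"}, NotBefore: nb, NotAfter: na,
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caKey)
	ca, _ = x509.ParseCertificate(caDER)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Test PIV user"}, NotBefore: nb, NotAfter: na,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}} // a PIV authentication certificate is used for client auth
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, ca, leafPub, caKey)
	leaf, _ = x509.ParseCertificate(leafDER)
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: nb, NextUpdate: na}
	if revoke { // list the leaf's serial number as revoked
		crlTmpl.RevokedCertificateEntries = []x509.RevocationListEntry{{SerialNumber: leaf.SerialNumber, RevocationTime: nb}}
	}
	crlDER, _ := x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey)
	crl, _ = x509.ParseRevocationList(crlDER)
	return ca, leaf, crl
}

// ValidateForAuth: RFC 5280 path validation to a trusted root (x509.Verify does no revocation checking), then the CRL check.
func ValidateForAuth(leaf, ca *x509.Certificate, crl *x509.RevocationList) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return err
	}
	switch {
	case crl.CheckSignatureFrom(ca) != nil: // only the issuing CA may speak for its own revocations
		return errors.New("CRL not signed by the issuing CA")
	case time.Now().After(crl.NextUpdate): // stale CRL: fail closed rather than skip the check
		return errors.New("CRL is stale")
	case slices.ContainsFunc(crl.RevokedCertificateEntries, func(e x509.RevocationListEntry) bool { return e.SerialNumber.Cmp(leaf.SerialNumber) == 0 }):
		return errors.New("certificate is revoked")
	}
	return nil
}
```

A certificate that chains correctly but appears on the CRL, a CRL signed by some other CA, and a CRL past its NextUpdate are all rejected; a real deployment fetches the CRL from the issuing PKI's distribution point and must refresh it before NextUpdate.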
Validation Procedures
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed has configured the information system to validate DoD-approved external PKI PIV credentials in accordance with RFC 5280. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed has configured the information system to perform a revocation check as part of the certificate validation process. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2010.
Compelling Evidence
1.) Signed and dated SOP/TTP documentation configuring the information system to validate DoD-approved external PKI PIV credentials in accordance with RFC 5280.
2.) Provide SOP/TTP documentation configuring the information system to perform a revocation check as part of the certificate validation process.
3.) Applicable STIG/SRG checks.