CCI-002015
CCI-002015 Definition
Status | |
Type | technical |
Master Assessment Datasheet
Implementation Guidance
The information system performing hardware token-based authentication must be configured to accept DoD-approved external PKI PIV-I credentials in accordance with DoDI 8520.02, DoDI 8520.03, and DoD CIO Memorandum “Department of Defense Requirements for Accepting Non-Federally Issued Identity Credentials” dated 24 January 2013. The information system must be configured to accept only certificates at approved assurance levels, as represented by the Certificate Policy Object Identifiers (OIDs) asserted in the certificate; a certificate whose asserted policy OIDs are not on the approved list for its issuing PKI is rejected even though it chains to an approved external PKI. The current list of DoD-approved external PKIs and the acceptable OIDs for each approved external PKI is available at http://iase.disa.mil/pki-pke/interoperability. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2015.
Validation Procedures
The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed has configured the information system to accept DoD-approved external PKI PIV-I credentials in accordance with DoDI 8520.02, DoDI 8520.03, and DoD CIO Memorandum “Department of Defense Requirements for Accepting Non-Federally Issued Identity Credentials” dated 24 January 2013. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed has configured the information system to accept only DoD-approved external PKI PIV-I credentials that assert an approved Certificate Policy OID, and to reject credentials issued by DoD-approved external PKIs that do not assert an approved OID. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2015.
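As an added example, not part of the CCI text or of any DoD/DISA tooling, the following Go program shows the relying-party check that the Implementation Guidance and the Validation Procedures above describe: a hardware-token certificate is accepted only if it was issued by an approved external PKI and asserts at least one Certificate Policy OID approved for that PKI; a certificate from an approved PKI that asserts only other policies, a certificate with no certificatePolicies extension, and a certificate from an unknown issuer are all rejected. The approved-PKI table, its keying by issuer CN, the CA name "Example Partner PIV-I CA" and the OIDs under the 2.999 example arc are assumptions standing in for the DISA interoperability list, and the certificates are constructed in-process as test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

var oidCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32} // id-ce-certificatePolicies, RFC 5280 4.2.1.4

// PolicyInformation; trailing policyQualifiers (CPS URI, user notice) are tolerated by encoding/asn1 and ignored.
type policyInformation struct {
	PolicyIdentifier asn1.ObjectIdentifier
}

// ApprovedPolicies stands in for the DISA list: per approved external PKI, the policy OIDs accepted from it.
// Issuer-CN keying and the 2.999 example-arc OIDs are assumptions for this example, not the real list.
var ApprovedPolicies = map[string][]asn1.ObjectIdentifier{
	"Example Partner PIV-I CA": {{2, 999, 1, 1}, {2, 999, 1, 2}},
}

// assertedPolicies parses certificatePolicies, failing closed if it is absent or malformed.
func assertedPolicies(cert *x509.Certificate) ([]policyInformation, error) {
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidCertificatePolicies) {
			continue
		}
		var infos []policyInformation
		if rest, err := asn1.Unmarshal(ext.Value, &infos); err != nil || len(rest) != 0 || len(infos) == 0 {
			return nil, fmt.Errorf("malformed certificatePolicies extension")
		}
		return infos, nil
	}
	return nil, fmt.Errorf("certificate asserts no Certificate Policy OID")
}

// AcceptPIVI: approved issuer AND at least one OID approved for that issuer; an approved PKI asserting only other policies is rejected.
func AcceptPIVI(cert *x509.Certificate) error {
	approved, known := ApprovedPolicies[cert.Issuer.CommonName]
	if !known {
		return fmt.Errorf("issuer %q is not an approved external PKI", cert.Issuer.CommonName)
	}
	asserted, err := assertedPolicies(cert)
	if err != nil {
		return err
	}
	for _, pi := range asserted {
		for _, ok := range approved {
			if pi.PolicyIdentifier.Equal(ok) {
				return nil
			}
		}
	}
	return fmt.Errorf("none of the %d asserted policy OIDs is approved for this PKI", len(asserted))
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue builds a throwaway leaf certificate "from" caName carrying the given policy OIDs in a
// hand-marshalled certificatePolicies extension (constructed test data, not a real credential).
func issue(caName string, policies ...[]int) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "PIV-I Holder"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	if len(policies) > 0 {
		var infos []policyInformation
		for _, p := range policies {
			infos = append(infos, policyInformation{asn1.ObjectIdentifier(p)})
		}
		der := must(asn1.Marshal(infos)) // SEQUENCE OF PolicyInformation
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidCertificatePolicies, Value: der}}
	}
	parent := &x509.Certificate{Subject: pkix.Name{CommonName: caName}}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}

func main() {
	pki := "Example Partner PIV-I CA"
	fmt.Println("approved OID:  ", AcceptPIVI(issue(pki, []int{2, 999, 1, 2})))
	fmt.Println("unapproved OID:", AcceptPIVI(issue(pki, []int{2, 999, 9, 9})))
	fmt.Println("no policies:   ", AcceptPIVI(issue(pki)))
	fmt.Println("unknown PKI:   ", AcceptPIVI(issue("Unknown CA", []int{2, 999, 1, 2})))
}
```

In a deployment the lookup is keyed by the trust anchor the certificate chain actually validates to rather than by issuer CN alone, and chain building, revocation checking and the RFC 5280 path-validation policy processing still apply; the OID comparison shown here is the assurance-level gate layered on top of them, and it fails closed when the extension is missing or unparseable.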
Compelling Evidence
1.) Signed and dated SOP/TTP documentation stating that the information system performing hardware token-based authentication must be configured to accept DoD-approved external PKI PIV-I credentials in accordance with DoDI 8520.02, DoDI 8520.03, and DoD CIO Memorandum “Department of Defense Requirements for Accepting Non-Federally Issued Identity Credentials” dated 24 January 2013.
2.) Signed and dated SOP/TTP documentation stating that the information system is configured to accept only certificates at approved assurance levels, as represented by the Certificate Policy Object Identifiers (OIDs) asserted in the certificate.
3.) Applicable STIG/SRG checks.