CCI-002016

Implementation Guidance

The information system performing hardware token-based authentication must be configured to validate DoD-approved external PKI PIV-I credentials in accordance with RFC 5280. The information system must be configured to perform a revocation check as part of the certificate validation process. Revocation checking may be performed using certificate revocation lists (CRLs) published by the issuing PKI or Online Certificate Status Protocol (OCSP) services. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2016.

Validation Procedures

The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed has configured the information system to validate DoD-approved external PKI PIV-I credentials in accordance with RFC 5280. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed has configured the information system to perform a revocation check as part of the certificate validation process. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2016.

Compelling Evidence

1.) Signed and dated SOP/TTP for configuring the information system performing hardware token-based authentication to validate DoD-approved external PKI PIV-I credentials in accordance with RFC 5280. 2.) Signed and dated SOP/TTP demonstrating the configuration of the information system performs a revocation check as part of the certificate validation process.