This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The information system, for PKI-based authentication:
(a) Validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information;
(b) Enforces authorized access to the corresponding private key;
(c) Maps the authenticated identity to the account of the individual or group; and
(d) Implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network.
NIST 800-53 (r4) Supplemental Guidance:
Status information for certification paths includes, for example, certificate revocation lists or certificate status protocol responses. For PIV cards, validation of certifications involves the construction and verification of a certification path to the Common Policy Root trust anchor including certificate policy processing. Related control: IA-6.
References:
OMB Memoranda 04-04, 11-11; FIPS Publication 201; NIST Special Publications 800-73, 800-63, 800-76, 800-78; FICAM Roadmap and Implementation Guidance; Web: http://idmanagement.gov.
NIST 800-53 (r5) Discussion:
Public key cryptography is a valid authentication mechanism for individuals, machines, and devices. For PKI solutions, status information for certification paths includes certificate revocation lists or certificate status protocol responses. For PIV cards, certificate validation involves the construction and verification of a certification path to the Common Policy Root trust anchor, which includes certificate policy processing. Implementing a local cache of revocation data to support path discovery and validation also supports system availability in situations where organizations are unable to access revocation information via the network.
38North Guidance:
Meets Minimum Requirement:
IA-5(2).a.1 - Validates certifications by constructing a certification path to an accepted trust anchor.
IA-5(2).a.2 - Validates certifications by verifying a certification path to an accepted trust anchor.
IA-5(2).a.3 - Includes checking certificate status information when constructing and verifying the certification path.
IA-5(2).b - Enforces authorized access to the corresponding private key.
IA-5(2).c - Maps the authenticated identity to the account of the individual or group.
IA-5(2).d - Implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network.
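The requirements above, taken together, as a worked example in Go: a path is constructed and verified from a user certificate to an accepted trust anchor, the status of every certificate below the anchor is checked, and revocation data comes from a local, signature-checked cache so the check still works when the CRL distribution point is unreachable. This is added example code, not part of the NIST control text or the 38North guidance; it uses only the Go standard library's crypto/x509 package (ParseRevocationList and CheckSignatureFrom require Go 1.19 or later). The certificate hierarchy, the names "Example Root CA", "alice" and "bob", the serial numbers and the validity periods are all constructed for the example. Item (b), authorized access to the private key, is enforced by the card or key store and is not shown; item (c), mapping the validated subject to a local account, is a directory lookup and is also omitted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// RevocationCache holds signature-checked CRLs keyed by issuer subject (raw DER), so status checks still work offline (item d).
type RevocationCache map[string]*x509.RevocationList

// Store accepts CRL bytes only after verifying the issuer's signature on them.
func (c RevocationCache) Store(der []byte, issuer *x509.Certificate) error {
	crl, err := x509.ParseRevocationList(der)
	if err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return fmt.Errorf("CRL rejected: %w", err)
	}
	c[string(issuer.RawSubject)] = crl
	return nil
}

// IsRevoked looks cert up in its issuer's cached CRL; a missing or stale CRL is an error, so unknown status fails closed.
func (c RevocationCache) IsRevoked(cert, issuer *x509.Certificate, now time.Time) (bool, error) {
	crl, ok := c[string(issuer.RawSubject)]
	if !ok {
		return false, fmt.Errorf("no revocation data cached for %q", issuer.Subject.CommonName)
	}
	if now.After(crl.NextUpdate) {
		return false, fmt.Errorf("cached CRL expired at %s", crl.NextUpdate)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

// ValidateAuthCert implements item (a): build and verify a path to an accepted trust anchor, then check every certificate below the anchor for revocation.
func ValidateAuthCert(leaf *x509.Certificate, roots *x509.CertPool, cache RevocationCache, now time.Time) error {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil {
		return fmt.Errorf("path validation failed: %w", err)
	}
	chain := chains[0] // leaf first, trust anchor last
	for i := 0; i < len(chain)-1; i++ {
		revoked, err := cache.IsRevoked(chain[i], chain[i+1], now)
		if err != nil {
			return fmt.Errorf("status check failed for %q: %w", chain[i].Subject.CommonName, err)
		}
		if revoked {
			return fmt.Errorf("certificate %q is revoked", chain[i].Subject.CommonName)
		}
	}
	return nil
}

// BuildTestPKI constructs a toy hierarchy (not a real CA): a root trust anchor, one valid and one revoked user certificate, and the root's CRL; it panics on error since it only builds a fixture.
func BuildTestPKI(now time.Time) (root, validUser, revokedUser *x509.Certificate, roots *x509.CertPool, crl []byte) {
	rootKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(30 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	// Re-parse so root carries the SubjectKeyId that CreateCertificate generates for CAs; CRL signing requires it.
	root = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey))))
	issue := func(serial int64, cn string) *x509.Certificate {
		userKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
		return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(30 * 24 * time.Hour),
			KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		}, root, &userKey.PublicKey, rootKey))))
	}
	validUser, revokedUser = issue(1001, "alice"), issue(1002, "bob")
	crl = must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(7 * 24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revokedUser.SerialNumber, RevocationTime: now.Add(-time.Minute)}},
	}, root, rootKey))
	roots = x509.NewCertPool()
	roots.AddCert(root)
	return root, validUser, revokedUser, roots, crl
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
```

ValidateAuthCert fails closed: a path that reaches an accepted anchor is still rejected when the cache holds no CRL for an issuer on the path, when the cached CRL is past its NextUpdate, or when a serial on the path is listed. Store refuses any CRL the named issuer did not sign, so a cache refreshed over the network cannot be poisoned by an unsigned or foreign CRL. Create the cache as RevocationCache{} before calling Store; a nil map cannot be written to.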
Best Practice:
Use TLS 1.2 or higher, and obtain certificates from a trusted certificate authority (CA) such as Symantec or Verisign.
If PIV/CAC cards are used within the environment, ensure that the certificates they carry are issued by a trusted CA such as Symantec or Verisign.
Ensure that certificate status is verified by checking certificates against revocation lists.
SSH tools should use user keys or PKI certificates to authenticate a connection.
Unofficial FedRAMP Guidance: None
Assessment Evidence:
Screenshots demonstrating that MFA hardware tokens can be enabled for PKI-based authentication to the environment or application being offered.
Screenshots of email notifications or other communications sent to users when they are given their username and instructions for logging into their account.
CSP Implementation Tips: TBD