The organizations DAA must approve the use of software PKI certificates on enterprise-activated CMDs prior to provisioning CMDs with DoD PKI digital certificates.

From Mobile Policy Security Requirements Guide

Part of SRG-MPOL-064

Associated with: CCI-000083

SV-47298r1_rule The organizations DAA must approve the use of software PKI certificates on enterprise-activated CMDs prior to provisioning CMDs with DoD PKI digital certificates.

Vulnerability discussion

S/MIME provides the user with the ability to digitally sign and encrypt email messages, to verify the digital signatures on received messages, and to decrypt messages received from others if those messages are encrypted. Digital signatures provide strong cryptographic assurance of the authenticity and integrity of the signed message, including attachments. This capability protects against the insertion of malicious mobile code and social engineering attacks in which an adversary masquerades as a known user, as well as other exploits. Encryption provides confidentiality for sensitive information, which is particularly valuable when messages are sent to or received from users external to DoD messaging infrastructure, as such messages would otherwise travel in the clear over the public Internet. The use of software certificates adds additional risk of compromise to the user's digital certificates and to the DoD PKI infrastructure.

Check content

Verify the DAA has approved the use of software certificates only until approved CAC readers are available and can be purchased and fielded by the site. Software certificates are only permissible when smart card readers are unavailable and only permissible until they are available. If user software certificates are used on site managed CMDs instead of the CAC, verify the DAA has approved their use (in a letter, memo, site security plan, etc.) and that a DoD approved CAC reader is not available for the CMD. If the site uses software certificates on site managed CMDs and the DAA has not approved their use, this is a finding.

Fix text

Obtain DAA approval for the use of software certificates or purchase approved CAC readers for enterprise-activated CMDs.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer