Network devices configured to provide remote access services (e.g., RAS, VPN gateways, and NAC appliances) will be PK-enabled (as required by DoDD 8520) and will have the capability to generate certificate-signing requests and use DoD-approved PKI digital certificates when available.

Part of SRC-NET-040 Network devices - PKE

Associated with IA controls: ECSC-1

SV-23841r2_rule Network devices configured to provide remote access services (e.g., RAS, VPN gateways, and NAC appliances) will be PK-enabled (as required by DoDD 8520) and will have the capability to generate certificate-signing requests and use DoD-approved PKI digital certificates when available.

Vulnerability discussion

Network devices, RAS, and VPN gateways will not use proprietary digital certificates or self-signed mechanisms. These certificates are often generated by the manufacturer and are similar to default passwords. Additionally, DoD requires use of DoD-PKI rather than proprietary certificate structures.

Check content

View the vendor documentation or device configuration to verify that the device is capable of generating certificate-signing requests and using DoD-approved PKI digital certificates when available.

Fix text

Ensure all devices which provide remote access services are capable of generating certificate-signing requests and using DoD-approved PKI digital certificates when available.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.