The BIG-IP APM module must electronically verify Personal Identity Verification (PIV) credentials from other federal agencies.

From F5 BIG-IP Access Policy Manager 11.x Security Technical Implementation Guide

Part of SRG-NET-000347-ALG-000104

Associated with: CCI-002010

SV-74487r1_rule The BIG-IP APM module must electronically verify Personal Identity Verification (PIV) credentials from other federal agencies.

Vulnerability discussion

Inappropriate access may be granted to unauthorized users if federal agency PIV credentials are not electronically verified.PIV credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. OMB Memorandum 11-11 requires federal agencies to continue implementing the requirements specified in HSPD-12 to enable agency-wide use of PIV credentials.This requirement applies to ALGs that provide user authentication intermediary services (e.g., authentication gateway or TLS gateway). This does not apply to authentication for the purpose of configuring the device itself (device management).

Check content

If the BIG-IP APM module does not provide user authentication intermediary services to non-organizational users, this is not applicable. Verify the BIG-IP APM module is configured as follows: Navigate to the BIG-IP System manager >> Access Policy >> Access Profiles. Click "Edit..." in the "Access Policy" column for an Access Profile used to identify and authenticate non-organizational users. Verify the Access Profile is configured to electronically verify Personal Identity Verification (PIV) credentials from other federal agencies. If the BIG-IP APM module is not configured to electronically verify Personal Identity Verification (PIV) credentials from other federal agencies, this is a finding.

Fix text

If the BIG-IP APM module provides user authentication intermediary services to non-organizational users, configure a profile in the BIG-IP APM module to electronically verify Personal Identity Verification (PIV) credentials from other federal agencies.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer