STIGhubSTIGhub
STIGhub— A free STIG search and compliance tool·STIGs updated 1 hour ago
Powered by Pylon·Privacy·Terms·Feedback·© 2026 Beacon Cloud Solutions, Inc.
← Back to Cisco Secure Network Analytics (SNA) Security Technical Implementation Guide

V-284940

CAT II (Medium)

The Cisco SNA appliance must be configured to implement certificate revocation checking to support path discovery and validation for public key-based authentication.

Rule ID

SV-284940r1212209_rule

STIG

Cisco Secure Network Analytics (SNA) Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-004068

Discussion

Public key cryptography is a valid authentication mechanism for individuals, machines, and devices. For PKI solutions, status information for certification paths includes certificate revocation lists or certificate status protocol responses like OCSP. For PIV cards, certificate validation involves the construction and verification of a certification path to the Common Policy Root trust anchor, which includes certificate policy processing. Implementing a local cache of revocation data to support path discovery and validation also supports system availability in situations where organizations are unable to access revocation information via the network.

Check Content

Verify the Cisco SNA appliance is configured to implement certificate revocation checking to support path discovery and validation.

Navigate to SNA Dashboard >> Configure >> Central Management >> Inventory >> Actions... >> Network Services >> Audit Log Destination (Syslog Over TLS).

Verify "Certificate Revocation" set to "Hard Fail" for servers.

Note that other forms of public key authentication (inter-device HTTPS, SAML, etc.) automatically perform certificate checking without additional configuration.

If the Cisco SNA appliance is not configured to implement certificate revocation checking to support path discovery and validation, this is a finding.

Fix Text

Configure the Cisco SNA appliance to implement certificate revocation checking to support path discovery and validation using certificate revocation lists (CRLs), or Online Certificate Status Protocol (OCSP).

Navigate to SNA Dashboard >> Configure >> Central Management >> Inventory >> Actions... >> Network Services >> Audit Log Destination (Syslog Over TLS) >> Actions... >> Edit. 

Select "Hard Fail" for "Certificate Revocation".

Note: Other forms of public key authentication (inter-device HTTPS, SAML, etc.) automatically perform certificate checking without additional configuration.