STIGhubSTIGhub
STIGhub— A free STIG search and compliance tool·STIGs updated just now
Powered by Pylon·Privacy·Terms·Feedback·© 2026 Beacon Cloud Solutions, Inc.
← Back to Ivanti Policy Secure NDM Security Technical Implementation Guide

V-284543

CAT I (High)

The Ivanti Policy Secure must be configured to use DoW-approved online certificate status protocol (OCSP) responders or certificate revocation lists (CRLs) to validate certificates used for public key infrastructure (PKI)-based authentication.

Rule ID

SV-284543r1244956_rule

STIG

Ivanti Policy Secure NDM Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-000185CCI-004068

Discussion

Once issued by a DoW certificate authority (CA), PKI certificates are typically valid for three years or fewer within the DoW. However, there are many reasons a certificate may become invalid before the prescribed expiration date. For example, an employee may leave or be terminated and still possess the smartcard on which the PKI certificates were stored. Another example is that a smartcard containing PKI certificates may become lost or stolen. A more serious issue could be that the CA or server which issued the PKI certificates has become compromised, thereby jeopardizing every certificate keypair that was issued by the CA. These examples of revocation use cases and many more can be researched further using internet cybersecurity resources. PKI user certificates presented as part of the identification and authentication criteria (e.g., DoW PKI as multifactor authentication [MFA]) must be checked for validity by network devices. For example, valid PKI certificates are digitally signed by a trusted DoW CA. Additionally, valid PKI certificates are not expired, and valid certificates have not been revoked by a DoW CA. Satisfies: SRG-APP-000175-NDM-000262, SRG-APP-000875-NDM-000280

Check Content

1. In the ICS Web UI, navigate to System >> Configuration >> Certificates >> Trusted Client CAs.
2. Click each DoW client CA.
3. Verify that under "Client certificate status checking", "OCSP", "CRL", or both are checked.
Example: "Use OCSP with CRL fallback" is selected under the "Client certificate status checking" setting.

If the ICS is not configured to use DoW approved OCSP responders and/or CRLs to validate certificates used for PKI-based authentication, this is a finding.

Fix Text

1. In the ICS Web UI, navigate to System >> Configuration >> Certificates >> Trusted Client CAs.
2. Click the first DoW client CA.
3. If OCSP only is used, under "Client certificate status checking", select "Use OCSP".
4. If CRL is used, under "Client certificate status checking", select "Use CRL" option.
Note: The recommended option is "Use OCSP with CRL fallback" option under "Client certificate status checking".
5. Repeat these steps for every other client certificate CA.