The API must use an approved DOD enterprise identity, credential, and access management (ICAM) solution to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).

Overview

Finding ID: V-274559
Version: SRG-APP-000148-API-000255
Rule ID: SV-274559r1143592_rule
IA Controls: CCI-000764
Severity: medium
Description
To ensure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. This is typically accomplished via the use of a user store, which is either local (OS-based) or centralized (LDAP) in nature. However, DODI 8520.03 now requires that applications use an approved DOD enterprise (E-ICAM) solution whenever the ICAM solution addresses information system needs. Where the ICAM solution has been evaluated and found to not meet the needs of information system owners, information system owners must reevaluate decisions to use locally managed solutions and transition to DOD enterprise ICAM solutions to the maximum extent possible as the enterprise ICAM solutions mature.
STIG: Application Programming Interface (API) Security Requirements Guide
Date: 2025-09-24

Related Frameworks

4 paths across 3 frameworks

NIST 800-53 (1 mapping)
IA-2 (1.00)
  • DISA · V1R1 · disa_xccdf · related
  • DISA · 2025-01-23 · disa_cci_list · equivalent

NIST 800-171 (2 mappings)
3.5.1 (1.00)
  • DISA · V1R1 · disa_xccdf · related
  • DISA · 2025-01-23 · disa_cci_list · equivalent
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
3.5.2 (1.00)
  • DISA · V1R1 · disa_xccdf · related
  • DISA · 2025-01-23 · disa_cci_list · equivalent
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent

CCI (1 mapping)
CCI-000764 (1.00)
  • DISA · V1R1 · disa_xccdf · related

Details

Check Text (C-274559r1143592_chk)

Review the API documentation and interview the API administrator to determine access methods to the API. Attempt to access the API and confirm that an approved DOD enterprise ICAM solution is required for an external client to establish initial access to the API. Authentication of subsequent calls to the API may be accomplished using a time-limited credential such as an API key or JWT. If the API does not use an approved DOD enterprise ICAM solution for external clients to establish initial access, this is a finding.

Fix Text (F-78565r1142488_fix)

Configure the API to use an approved DOD enterprise ICAM solution.
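One way to implement the flow the check text describes (initial access established through the enterprise ICAM solution, subsequent calls authenticated with a time-limited JWT), as an added Python example that is not part of the SRG. The ICAM issuer URL, the API's signing secret and the token lifetime are placeholder assumptions, and verifying the ICAM assertion's own signature against the identity provider's keys is out of scope here.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Placeholder assumptions: the approved enterprise ICAM identity provider and the
# key the API uses to sign its own short-lived session tokens (constructed values).
ICAM_ISSUER = "https://icam.example.mil"
API_SECRET = b"constructed-demo-secret-do-not-reuse"
TOKEN_TTL_SECONDS = 900  # 15-minute session tokens


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_session_token(icam_assertion: dict, now: float) -> str:
    """Exchange an assertion from the enterprise ICAM solution for a time-limited API JWT.

    Initial access is only granted when the assertion comes from the approved
    ICAM issuer; a locally managed store is not an acceptable source."""
    if icam_assertion.get("iss") != ICAM_ISSUER:
        raise PermissionError("initial access requires the enterprise ICAM solution")
    if icam_assertion.get("exp", 0) <= now:
        raise PermissionError("ICAM assertion has expired")
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": "api", "sub": icam_assertion["sub"],
              "iat": int(now), "exp": int(now) + TOKEN_TTL_SECONDS}
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(API_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_session_token(token: str, now: float) -> Optional[dict]:
    """Authenticate a subsequent call: return the claims if the JWT is genuine
    and unexpired, otherwise None (the caller should reject the request)."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None  # refuse any algorithm other than the one we issue
        expected = hmac.new(API_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(payload))
    except (ValueError, json.JSONDecodeError):
        return None
    return claims if claims.get("exp", 0) > now else None
```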