TOSS 5 must accept only external credentials that are NIST compliant.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-282768 | TOSS-05-000027 | SV-282768r1201307_rule | CCI-004083 | medium |
| Description | ||||
| Acceptance of only NIST-compliant external authenticators applies to organizational systems that are accessible to the public (e.g., public-facing websites). External authenticators are issued by nonfederal government entities and are compliant with [SP 800-63B]. Approved external authenticators meet or exceed the minimum federal governmentwide technical, security, privacy, and organizational maturity requirements. Meeting or exceeding federal requirements allows federal government relying parties to trust external authenticators in connection with an authentication transaction at a specified authenticator assurance level. | ||||
| STIG | Date | |||
| Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide | 2026-04-01 | |||
Details
Check Text (C-282768r1201307_chk)
Sites must document external authenticators being used and that they are NIST compliant.
The following command will verify that Kerberos is functional and produce the list of signing hosts:
$ sudo klist -ekt /etc/krb5.keytab
If external authenticators are being use that are not documented and are not NIST compliant, this is a finding.
Fix Text (F-87234r1201306_fix)
Document all NIST-compliant external authenticators in use.