The Edge SWG must be configured to implement a local cache of revocation data to support path discovery and validation for public key-based authentication.
| Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-279277 | SRG-APP-000875-NDM-000280 | SYME-ND-000860 | SV-279277r1170713_rule | 2025-12-18 | 1 |
| Description |
|---|
| Public key cryptography is a valid authentication mechanism for individuals, machines, and devices. For PKI solutions, status information for certification paths includes certificate revocation lists or certificate status protocol responses. For PIV cards, certificate validation involves the construction and verification of a certification path to the Common Policy Root trust anchor, which includes certificate policy processing. Implementing a local cache of revocation data to support path discovery and validation also supports system availability in situations where organizations are unable to access revocation information via the network. |
| ℹ️ Check |
|---|
| 1. In the Edge SWG Web UI, navigate to the Configuration tab. 2. Select the "SSL" and "OCSP" areas. If no OCSP responder is configured, this is a finding. If the OCSP responder is configured, but the "Issuer CCL" does not match the CCL in the HTTPS-console or the SSH-console x.509 CCL, this is a finding. If the "Response Cache TTL" is not set for "from OCSP response", this is a finding. If any of the "Ignore Settings" are checked, this is a finding. |
| ✔️ Fix |
|---|
| 1. In the Edge SWG Web UI, navigate to the Configuration tab. 2. Select the "SSL" and "OCSP" area. 3. Select "Add Responder". 4. Under URL, select "from certificate". 5. Check "Issuer CCL" and select the one that matches the HTTPS-console or the SSH-console x.509 CCL. 6. Check "Response CCL" and select the one that matches the HTTPS-console or the SSH-console x.509 CCL. 7. Under "SSL Device Profile", ensure it matches the one in the HTTPS-console. 8. Check "Enable Forwarding". Do not check any of the "Ignore Settings". 9. Click "Apply" and "Save". |
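To make the cache behaviour this rule asks for concrete (an entry lifetime taken "from OCSP response" rather than a fixed timer, and the availability benefit the description cites when the responder is unreachable), here is an added, simplified model of a local revocation cache. It is example code written for this page, not Edge SWG code; the `OcspResponse` fields, the `RevocationCache` class and the one-hour `DEFAULT_TTL` fallback are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, Optional


# Constructed, simplified view of an OCSP response: only the fields that
# matter for cache-TTL handling (not a real ASN.1 structure).
@dataclass(frozen=True)
class OcspResponse:
    serial: int
    cert_status: str                 # "good", "revoked" or "unknown"
    this_update: datetime
    next_update: Optional[datetime]  # a real response may omit nextUpdate


DEFAULT_TTL = timedelta(hours=1)     # assumed fallback when nextUpdate is absent


class RevocationCache:
    """Local cache whose entry lifetime comes from the OCSP response
    itself ("Response Cache TTL: from OCSP response")."""

    def __init__(self) -> None:
        self._entries: Dict[int, OcspResponse] = {}

    def ttl_for(self, resp: OcspResponse) -> timedelta:
        # Never cache an answer longer than the responder says it is valid.
        if resp.next_update is None:
            return DEFAULT_TTL
        return resp.next_update - resp.this_update

    def status(self, serial: int, now: datetime,
               fetch: Callable[[int], Optional[OcspResponse]]) -> str:
        cached = self._entries.get(serial)
        if cached and now < cached.this_update + self.ttl_for(cached):
            return cached.cert_status     # fresh entry: answered locally
        fresh = fetch(serial)             # responder reachable?
        if fresh is None:
            # Responder down and no fresh entry: a stale "good" is not
            # reused and "unknown" is not silently treated as "good"
            # (the equivalent of leaving every "Ignore" setting unchecked).
            return "unknown"
        self._entries[serial] = fresh
        return fresh.cert_status
```

With a four-hour `nextUpdate`, a lookup three hours later is answered from the cache even when the responder cannot be reached, while a lookup after expiry falls back to "unknown" instead of a stale answer.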