TOSS 5 must accept only external credentials that are NIST compliant.

Severity
Group ID
Group Title
Version
Rule ID
Date
STIG Version
mediumV-282768SRG-OS-000745-GPOS-00210TOSS-05-000027SV-282768r1201307_rule2026-04-011

Description

Acceptance of only NIST-compliant external authenticators applies to organizational systems that are accessible to the public (e.g., public-facing websites). External authenticators are issued by nonfederal government entities and are compliant with [SP 800-63B]. Approved external authenticators meet or exceed the minimum federal governmentwide technical, security, privacy, and organizational maturity requirements. Meeting or exceeding federal requirements allows federal government relying parties to trust external authenticators in connection with an authentication transaction at a specified authenticator assurance level.

ℹ️ Check

Sites must document external authenticators being used and that they are NIST compliant. The following command will verify that Kerberos is functional and produce the list of signing hosts: $ sudo klist -ekt /etc/krb5.keytab If external authenticators are being use that are not documented and are not NIST compliant, this is a finding.

✔️ Fix

Document all NIST-compliant external authenticators in use.