The API must use an approved DOD enterprise identity, credential, and access management (ICAM) solution to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).

STIG ID: SRG-APP-000148-API-000255  |  SRG: SRG-APP-000148 |  Severity: medium |  CCI: CCI-000764 |  Vulnerability Id: V-274559

Vulnerability Discussion

To ensure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. This is typically accomplished via the use of a user store, which is either local (OS-based) or centralized (LDAP) in nature. However, DODI 8520.03 now requires that applications use an approved DOD enterprise (E-ICAM) solution whenever the ICAM solution addresses information system needs. Where the ICAM solution has been evaluated and found to not meet the needs of information system owners, information system owners must reevaluate decisions to use locally managed solutions and transition to DOD enterprise ICAM solutions to the maximum extent possible as the enterprise ICAM solutions mature.

Check

Review the API documentation and interview the API administrator to determine access methods to the API.

Attempt to access the API and confirm that an approved DOD enterprise ICAM solution is required for an external client to establish initial access to the API. Authentication of subsequent calls to the API may be accomplished using a time-limited credential such as an API key or JWT.

If the API does not use an approved DOD enterprise ICAM solution for external clients to establish initial access, this is a finding.

Fix

Configure the API to use an approved DOD enterprise ICAM solution.
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.