Skip to main content
CUI

Vulnerability V-225023

Back
Back to Ships

V-225023

CAT II

The US DoD CCEB Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems.

Ships Affected
1
Total Findings
8
Open
0
Closed
8

Check Text

Verify the US DoD CCEB Interoperability Root CA cross-certificate is installed on unclassified systems as an Untrusted Certificate. Run "PowerShell" as an administrator. Execute the following command: Get-ChildItem -Path Cert:Localmachine\disallowed | Where Issuer -Like "*CCEB Interoperability*" | FL Subject, Issuer, Thumbprint, NotAfter If the following certificate "Subject", "Issuer", and "Thumbprint" information is not displayed, this is a finding. Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US Issuer: CN=US DoD CCEB Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: 9B74964506C7ED9138070D08D5F8B969866560C8 NotAfter: 7/18/2025 Alternately use the Certificates MMC snap-in: Run "MMC". Select "File", "Add/Remove Snap-in". Select "Certificates", click "Add". Select "Computer account", click "Next". Select "Local computer: (the computer this console is running on)", click "Finish". Click "OK". Expand "Certificates" and navigate to "Untrusted Certificates >> Certificates". For each certificate with "US DoD CCEB Interoperability Root CA …" under "Issued By": Right-click on the certificate and select "Open". Select the "Details" tab. Scroll to the bottom and select "Thumbprint". If the certificate below is not listed or the value for the "Thumbprint" field is not as noted, this is a finding. Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US Issuer: CN=US DoD CCEB Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: 9B74964506C7ED9138070D08D5F8B969866560C8 NotAfter: 7/18/2025

Fix Text

Install the US DoD CCEB Interoperability Root CA cross-certificate on unclassified systems. Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US Issuer: CN=US DoD CCEB Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: 9B74964506C7ED9138070D08D5F8B969866560C8 NotAfter: 7/18/2025 The certificates can be installed using the InstallRoot tool. The tool and user guide are available on Cyber Exchange at https://cyber.mil/pki-pke/tools-configuration-files. Certificate bundles published by the PKI can be found at https://crl.gds.disa.mil/.

STIG Reference

STIG
Microsoft Windows Server 2016 Security Technical Implementation Guide
Version
2
Release
10
Rule ID
SV-225023r958448_rule

All Occurrences

This vulnerability appears on 1 ship(s)

Ship Hull # Source File Status Assigned To Scan Date Actions
USNS MONTFORD POINT T-ESD-1 _Reviewed/MONT-AP-002/Checklist/MONT-AP-002_WinServer2016_V2R10_20251023-144214.ckl
Unassigned 2026-01-14T12:57:42.721079 View in Context
USNS MONTFORD POINT T-ESD-1 _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_WinServer2016_V2R10_20251023-143943.ckl
Unassigned 2026-01-14T12:57:41.363810 View in Context
USNS MONTFORD POINT T-ESD-1 _Reviewed/MONT-DB-002/Checklist/MONT-DB-002_WinServer2016_V2R10_20251023-144132.ckl
Unassigned 2026-01-14T12:57:39.082634 View in Context
USNS MONTFORD POINT T-ESD-1 _Reviewed/MONT-DC-003/Checklist/MONT-DC-003_WinServer2016_V2R10_20251023-172220.ckl
Unassigned 2026-01-14T12:57:37.248886 View in Context
USNS MONTFORD POINT T-ESD-1 _Reviewed/MONT-DP-001/Checklist/MONT-DP-001_WinServer2016_V2R10_20251023-144106.ckl
Unassigned 2026-01-14T12:57:35.637816 View in Context
USNS MONTFORD POINT T-ESD-1 _Reviewed/MONT-MB-002/Checklist/MONT-MB-002_WinServer2016_V2R10_20251023-152736.ckl
Unassigned 2026-01-14T12:57:33.842838 View in Context
USNS MONTFORD POINT T-ESD-1 _Reviewed/MONT-VSF-003/Checklist/MONT-VSF-003_WinServer2016_V2R10_20251023-143935.ckl
Unassigned 2026-01-14T12:57:31.534241 View in Context
USNS MONTFORD POINT T-ESD-1 _Reviewed/MONT-VSF-004/Checklist/MONT-VSF-004_WinServer2016_V2R10_20251023-143909.ckl
Unassigned 2026-01-14T12:57:30.046447 View in Context
CUI