NIST 800-53 REV 5 • SYSTEM AND COMMUNICATIONS PROTECTION

SC-23(5) Allowed Certificate Authorities

Only allow the use of {{ insert: param, sc-23.05_odp }} for verification of the establishment of protected sessions.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Reliance on certificate authorities for the establishment of secure sessions includes the use of Transport Layer Security (TLS) certificates. These certificates, after verification by their respective certificate authorities, facilitate the establishment of protected sessions between web clients and web servers.

Practitioner Notes

Only accept TLS certificates from certificate authorities your organization has explicitly approved. This prevents attackers from using certificates from rogue or compromised CAs.

Example 1: Use GPO to manage the Trusted Root Certification Authorities store on domain-joined machines. Remove CAs you do not trust and only keep the CAs your organization uses. Audit the trusted root store quarterly.

Example 2: Configure certificate pinning for your critical internal web applications. The application only accepts connections presenting certificates from your specific CA, rejecting all others — even if the certificate is technically valid and from a public CA.
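The quarterly audit in Example 1 can be scripted. The following PowerShell is an added illustration, not part of the NIST control text or any product: it reads the machine's Trusted Root Certification Authorities store and reports any root that is not on an organization-maintained allowlist of CA thumbprints, as well as any approved root that is missing. The thumbprints and CA names in the allowlist are constructed placeholders; replace them with the SHA-1 thumbprints of the roots your organization has actually approved.

```powershell
# Added example for SC-23(5) Practitioner Example 1 (not NIST or vendor code).
# Compares Cert:\LocalMachine\Root against an approved-CA allowlist and reports drift.
# Thumbprints and names below are constructed placeholders, not real CAs.
$ApprovedRoots = @{
    '0000000000000000000000000000000000000001' = 'Internal Root CA (placeholder)'
    '0000000000000000000000000000000000000002' = 'Public CA approved for SaaS (placeholder)'
}

function Get-RootStoreDrift {
    param(
        [Parameter(Mandatory)] [hashtable] $Approved,
        [string] $StorePath = 'Cert:\LocalMachine\Root'
    )

    # Roots present on the machine that the organization never approved.
    $unapproved = Get-ChildItem -Path $StorePath |
        Where-Object { -not $Approved.ContainsKey($_.Thumbprint) } |
        Select-Object Subject, Issuer, NotAfter, Thumbprint

    # Approved roots that are missing (e.g. GPO did not apply), which breaks
    # legitimate sessions rather than weakening trust, but is still drift.
    $missing = $Approved.Keys |
        Where-Object { -not (Test-Path -Path (Join-Path $StorePath $_)) } |
        ForEach-Object { [pscustomobject]@{ Thumbprint = $_; Name = $Approved[$_] } }

    [pscustomobject]@{ Unapproved = @($unapproved); Missing = @($missing) }
}

$drift = Get-RootStoreDrift -Approved $ApprovedRoots

if ($drift.Unapproved.Count -gt 0) {
    Write-Warning ("{0} root CA(s) in the store are not on the approved list:" -f $drift.Unapproved.Count)
    $drift.Unapproved | Format-Table -AutoSize
}
if ($drift.Missing.Count -gt 0) {
    Write-Warning ("{0} approved root CA(s) are missing from the store:" -f $drift.Missing.Count)
    $drift.Missing | Format-Table -AutoSize
}

# Remediation belongs in the GPO that publishes the store, not in this script;
# a non-zero exit code lets a scheduled task or log collector flag the drift.
if ($drift.Unapproved.Count -gt 0 -or $drift.Missing.Count -gt 0) { exit 1 }
Write-Output 'Trusted Root store matches the approved CA list.'
```

Run it from an elevated session on a representative domain-joined host, or under a scheduled task that forwards the exit code and warnings to your log collector. Maintain the allowlist in version control alongside the GPO so that every change to the set of approved CAs is reviewed before it reaches the store.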