This check is not applicable if the installed VPN client is not used for remote access to DoD networks. Note: Use of a VPN to access DoD email on a mobile device is not required.
Interview the IAO and/or site wireless device administrator and inspect a sample (3-4) of site devices. Review the VPN client specification sheets and FIPS 140-2 certificate. Verify the VPN client leverages FIPS 140-2 validated cryptographic modules. The client may accomplish this either by using its own FIPS 140-2 validated cryptographic module or by using the FIPS 140-2 validated Apple iOS CoreCrypto Kernel Module. Only VPN client applications that Apple has granted the VPN entitlement have the capability to leverage this module. Verify the VPN client has the Apple iOS VPN entitlement or check that it has its own FIPS 140-2 certificate.
If the VPN client does not leverage FIPS 140-2 validated cryptography, this is a finding.
Fix Text (F-37266r2_fix)
Install a VPN client that uses FIPS 140-2 validated cryptographic modules to protect data in transit.