The cryptographic module supporting encryption of data in transit (including email and attachments) must be FIPS 140-2 validated.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-32706	WIR-MOS-iOS-65-08	SV-43052r1_rule	DCNR-1	Medium

Description
The most common vulnerabilities with cryptographic modules are those associated with poor implementation. FIPS 140 validation provides assurance that the relevant cryptography has been implemented correctly. FIPS validation is also a strict requirement for use of cryptography in the Federal Government.

STIG	Date
Apple iOS 5 Security Technical Implementation Guide (STIG)	2012-07-20

Details

Check Text ( C-41069r3_chk )
Review system documentation to identify the FIPS 140 certificate for the cryptographic module. Visit the NIST web site http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm to verify the certificate is still valid. If the operating system cryptographic module is not currently FIPS validated or a third party application that provides a security module protected by a FIPS 140-2 validated encryption module is not used on the mobile device, this is a finding.

Check Text ( C-41069r3_chk )

Review system documentation to identify the FIPS 140 certificate for the cryptographic module. Visit the NIST web site http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm to verify the certificate is still valid.

If the operating system cryptographic module is not currently FIPS validated or a third party application that provides a security module protected by a FIPS 140-2 validated encryption module is not used on the mobile device, this is a finding.

Fix Text (F-36604r2_fix)
Stop using the operating system until the vendor has obtained FIPS validation or install a third party product that contains a security container with a FIPS validated cryptographic module.