The most common vulnerabilities with cryptographic modules are those associated with poor implementation. FIPS 140 validation provides assurance that the relevant cryptography has been implemented correctly. FIPS validation is also a strict requirement for use of cryptography in the Federal Government.
Review system documentation to identify the FIPS 140 certificate for the cryptographic module. Visit the NIST web site http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm to verify the certificate is still valid. If the module is not currently FIPS validated, this is a finding.
Fix Text (F-36606r1_fix)
Stop using the operating system until the vendor has obtained FIPS validation or install a third party product that contains a FIPS validated cryptographic module providing the same services in the operating system’s non-FIPS validated implementation of cryptography.