The cryptographic module supporting encryption of data in transit (including email and attachments) must be FIPS 140-2 validated.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-32706	WIR-MOS-iOS-65-08	SV-43052r2_rule	DCNR-1	Medium

Description
The most common vulnerabilities with cryptographic modules are those associated with poor implementation. FIPS 140 validation provides assurance that the relevant cryptography has been implemented correctly. FIPS validation is also a strict requirement for use of cryptography in the Federal Government.

STIG	Date
Apple iOS 6 Security Technical Implementation Guide (STIG)	2013-05-23

Details

Check Text ( C-41069r8_chk )
Review a sample of site-managed devices (3-4), interview the IAO, and review product documentation. Note: iOS does not currently provide a FIPS 140-2 validated cryptographic module for application services. Accordingly, third-party applications transmitting or receiving DoD sensitive information (MDM agent, email client, or browser) that leverage FIPS 140-2 validated cryptographic modules must be used to meet the requirement. VPN clients that do not possess the Apple VPN entitlement must also use a third-party FIPS 140-2 validated cryptographic module. If a site uses an application that transmits or receives sensitive DoD information, verify the application (MDM agent, email client, browser, or VPN client) leverages a FIPS 140-2 validated cryptographic module for this purpose. Review system documentation to identify the FIPS 140-2 certificate for the cryptographic module. Visit the NIST website at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm to verify the certificate is still valid. If a site uses a third-party application that handles data in transit (MDM agent, email client, or browser) using cryptography that has not been FIPS 140-2 validated, this is a finding.

Check Text ( C-41069r8_chk )

Review a sample of site-managed devices (3-4), interview the IAO, and review product documentation.
Note: iOS does not currently provide a FIPS 140-2 validated cryptographic module for application services. Accordingly, third-party applications transmitting or receiving DoD sensitive information (MDM agent, email client, or browser) that leverage FIPS 140-2 validated cryptographic modules must be used to meet the requirement. VPN clients that do not possess the Apple VPN entitlement must also use a third-party FIPS 140-2 validated cryptographic module.

If a site uses an application that transmits or receives sensitive DoD information, verify the application (MDM agent, email client, browser, or VPN client) leverages a FIPS 140-2 validated cryptographic module for this purpose. Review system documentation to identify the FIPS 140-2 certificate for the cryptographic module. Visit the NIST website at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm to verify the certificate is still valid.

If a site uses a third-party application that handles data in transit (MDM agent, email client, or browser) using cryptography that has not been FIPS 140-2 validated, this is a finding.

Fix Text (F-36604r4_fix)
Stop using the operating system until the vendor has obtained FIPS validation, or install a third-party product that has a FIPS 140-2 validated cryptographic module.