
The cryptographic module supporting encryption of data at rest must be FIPS 140-2 validated.


Overview

Finding ID: V-32707
Version: WIR-MOS-iOS-65-09
Rule ID: SV-43053r1_rule
IA Controls: DCNR-1
Severity: Medium
Description
The most common vulnerabilities with cryptographic modules are those associated with poor implementation. FIPS 140 validation provides assurance that the relevant cryptography has been implemented correctly. FIPS validation is also a strict requirement for use of cryptography in the Federal Government.
STIG: Apple iOS 6 Interim Security Configuration Guide (ISCG)
Date: 2013-01-17

Details

Check Text (C-41070r6_chk)
Review a sample of site managed devices (3-4), interview the IAO, and review product documentation.

Note: iOS does not currently meet this requirement but a third-party application could be used to meet the requirement. Verify one or more third-party applications (security container app, email app, etc.) are used that meet this requirement.

Verify the site uses a security container application to store all data saved to the device and that the container's cryptographic module is FIPS 140-2 validated. This includes all data generated by applications on the device and all data downloaded through the browser or VPN client (if used). In most cases the browser and VPN client will have to be installed inside the security container, or integrated with it in some way, for this to occur.

Review system documentation to identify the FIPS 140-2 certificate for the cryptographic module. Visit the NIST web site http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm to verify the certificate is still valid. A certificate covers only the module name and version listed on it, so confirm that the module version deployed on the devices is the one the certificate names; a newer or differently built version of the same product is not validated by the older certificate. If the module is not currently FIPS validated, this is a finding.

Note: additional requirements for the security container will be reviewed during the review of the MDM server (check V-32747/WIR-WMS-MDM-02).

Determine how the site has ensured all data generated by applications or downloaded from the browser or VPN client is stored in the security container application.

Mark as a finding if any DoD data stored on site-managed devices is saved outside a security container that is FIPS 140-2 validated.
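The cross-check this procedure calls for (documented certificate, current validation status, and module version) can be scripted once the reviewer has pulled the relevant entries from the NIST list. The following is an added example, not part of the STIG and not a DISA tool. It assumes a constructed device inventory and a constructed snapshot of CMVP entries with certificate number, module name, covered versions and status fields; the real data comes from the site's system documentation and the NIST CMVP list. It goes one step beyond the text by also flagging a deployed module version that the certificate does not cover.

```python
"""Offline cross-check of a site's FIPS 140-2 claims against CMVP entries.

Added example, not part of the STIG. All data below is constructed for
illustration; the field layout (cert number, module name, covered versions,
status) is an assumption about how a reviewer would transcribe CMVP entries.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CmvpEntry:
    cert: int
    module: str
    versions: frozenset   # module versions named on the certificate
    status: str           # assumed values: "Active", "Historical", "Revoked"


# Constructed snapshot of CMVP entries (not real certificates).
CMVP_SNAPSHOT = {
    1234: CmvpEntry(1234, "ExampleContainer Crypto Module",
                    frozenset({"2.0", "2.1"}), "Active"),
    2345: CmvpEntry(2345, "ExampleMail Crypto Core",
                    frozenset({"1.0"}), "Historical"),
    3456: CmvpEntry(3456, "ExampleVPN Crypto Library",
                    frozenset({"4.2"}), "Active"),
}

# Constructed site inventory: one record per app that stores DoD data,
# with the certificate number taken from the site's system documentation.
SITE_INVENTORY = [
    {"device": "ipad-01", "app": "ExampleContainer", "module_version": "2.1", "cert": 1234},
    {"device": "ipad-02", "app": "ExampleMail",      "module_version": "1.0", "cert": 2345},
    {"device": "ipad-03", "app": "ExampleVPN",       "module_version": "4.3", "cert": 3456},
    {"device": "ipad-04", "app": "NotesApp",         "module_version": "1.0", "cert": None},
]


def check_record(rec, snapshot):
    """Return None if the record passes the check, else a finding string.

    Order of checks mirrors the procedure: a certificate must be documented,
    it must exist on the list, it must still be valid, and it must name the
    module version actually deployed.
    """
    cert = rec["cert"]
    if cert is None:
        return "no FIPS 140-2 certificate documented"
    entry = snapshot.get(cert)
    if entry is None:
        return f"certificate {cert} not found in CMVP list"
    if entry.status != "Active":
        return f"certificate {cert} is {entry.status}, not Active"
    if rec["module_version"] not in entry.versions:
        return (f"deployed module version {rec['module_version']} not covered by "
                f"certificate {cert} (covers {sorted(entry.versions)})")
    return None


def review(inventory, snapshot):
    """Map 'device/app' to finding text for every non-compliant record."""
    findings = {}
    for rec in inventory:
        problem = check_record(rec, snapshot)
        if problem:
            findings[f"{rec['device']}/{rec['app']}"] = problem
    return findings


if __name__ == "__main__":
    for key, problem in review(SITE_INVENTORY, CMVP_SNAPSHOT).items():
        print(f"FINDING {key}: {problem}")
```

With the constructed data, the container app passes and the other three records are findings: a certificate that is no longer active, a deployed version the certificate does not name, and an app with no certificate documented at all.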
Fix Text (F-36605r1_fix)
Stop using the operating system until the vendor has obtained FIPS validation, or install a third-party product that contains a FIPS-validated cryptographic module providing the same services as the operating system's non-FIPS-validated cryptographic implementation.