UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The designer will ensure the application uses the Federal Information Processing Standard (FIPS) 140-2 validated cryptographic modules and random number generator if the application implements encryption, key exchange, digital signature, and hash functionality.


Overview

Finding ID Version Rule ID IA Controls Severity
V-6137 APP3150 SV-6137r1_rule DCNR-1 ECCR-1 ECCR-2 ECCT-1 ECCT-2 Medium
Description
Unapproved cryptographic module algorithms cannot be verified, and cannot be relied upon to provide confidentiality or integrity and DoD data may be compromised due to weak algorithms.
STIG Date
Application Security and Development STIG 2014-04-03

Details

Check Text ( C-2948r1_chk )
If the application does not utilize encryption, key exchange, digital signature, or hash, FIPS 140-2 cryptography is not required and this check is not applicable.

Identify all application or supporting infrastructure features that require cryptography such as, file encryption, VPN, SSH, etc. Verify the application is using FIPS-140 validated cryptographic modules.

The National Institute of Standards and Technology’s FIPS 140-1 and FIPS 140-2 Vendor List is located at: http://csrc.nist.gov/cryptval/.

1) If the application requiring encryption, key exchange, digital signature or hash is using an unapproved module or no module, it is a finding.

2) If the application utilizes unapproved modules for cryptographic random number generation, it is a finding.

Note: If the application uses WS Security tokens, W3C XML Signature can be used to digitally sign messages and provide message integrity.
Fix Text (F-16997r1_fix)
Utilize FIPS 140-2 cryptography for modules implementing encryption, key exchange, digital signature, and hash.