UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The application must utilize FIPS-validated cryptographic modules when signing application components.


Overview

Finding ID Version Rule ID IA Controls Severity
V-70191 APSC-DV-002020 SV-84813r1_rule Medium
Description
Applications that distribute components of the application must sign the components to provide an identity assurance to consumers of the application component. Components can include application messages or application code. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to validate the author of application components. The application must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance the modules have been tested and validated. If the application resides on a National Security System (NSS) it must not use algorithm weaker than SHA-256.
STIG Date
Application Security and Development Security Technical Implementation Guide 2017-01-09

Details

Check Text ( C-70667r1_chk )
Review the application documentation and interview the application administrator to identify the cryptographic modules used by the application.

Review the application components and the application requirements to determine if the application components are distributable and require digital signatures.

If the application components are not distributable, this requirement is not applicable.

Have the application admin or the developer demonstrate how the application components are signed and what hashing algorithms are used when signing the application components.

SHA 1 is currently an approved hashing algorithm, however if SHA 2 is available, SHA 2 is recommended.

If the application resides on a National Security System (NSS) and uses an algorithm weaker than SHA-256, this is a finding.

If the application is designed to sign distributable application components and the application is not configured to use SHA1, SHA2, or if the application signs with the MD5 hashing algorithm, this is a finding.
Fix Text (F-76427r1_fix)
Configure the application to sign application components with a FIPS-validated algorithms such as SHA1 or SHA2.