Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-70159 | APSC-DV-001860 | SV-84781r1_rule | Medium |
Description |
---|
Unapproved mechanisms that are used for authentication to the cryptographic module are not verified, and therefore cannot be relied upon to provide confidentiality or integrity and DoD data may be compromised. Applications utilizing encryption are required to use FIPS compliant mechanisms for authenticating to cryptographic modules. FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. |
STIG | Date |
---|---|
Application Security and Development Security Technical Implementation Guide | 2017-12-18 |
Check Text ( C-70635r1_chk ) |
---|
Review the application documentation and interview the application administrator. Identify if the application provides access to cryptographic modules and if access is required in order to manage cryptographic modules contained within the application. If the application does not provide authenticated access to a cryptographic module, the requirement is not applicable. Review and identify the cryptographic module. Refer to the NIST website listing all FIPS-approved cryptographic modules. http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm If the cryptographic module that requires authentication is not on the FIPS-approved module list, this is a finding. |
Fix Text (F-76395r1_fix) |
---|
Use FIPS-approved cryptographic modules. |