
The designer will ensure the application uses the Federal Information Processing Standard (FIPS) 140-2 validated cryptographic modules and random number generator if the application implements encryption, key exchange, digital signature, and hash functionality.


Overview

Finding ID: V-6137
Version: APP3150
Rule ID: SV-6137r1_rule
IA Controls: DCNR-1, ECCR-1, ECCR-2, ECCT-1, ECCT-2
Severity: Medium
Description
Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity; DoD data may be compromised due to weak algorithms.
STIG: Application Security and Development Checklist
Date: 2014-12-22

Details

Check Text (C-2948r1_chk)
If the application does not utilize encryption, key exchange, digital signature, or hash, FIPS 140-2 cryptography is not required and this check is not applicable.

Identify all application or supporting infrastructure features that require cryptography, such as file encryption, VPN, and SSH. Verify the application is using FIPS-140 validated cryptographic modules.

The National Institute of Standards and Technology’s FIPS 140-1 and FIPS 140-2 Vendor List is located at: http://csrc.nist.gov/cryptval/.

1) If the application requiring encryption, key exchange, digital signature or hash is using an unapproved module or no module, it is a finding.

2) If the application utilizes unapproved modules for cryptographic random number generation, it is a finding.

Note: If the application uses WS-Security tokens, W3C XML Signature can be used to digitally sign messages and provide message integrity.
Fix Text (F-16997r1_fix)
Utilize FIPS 140-2 cryptography for modules implementing encryption, key exchange, digital signature, and hash.