Use of weak or untested certificates undermines the purpose of using encryption to protect data. The most common vulnerabilities in cryptographic modules are those caused by poor implementation. FIPS 140 validation and NSA approval provide assurance that the relevant cryptography has been implemented correctly. FIPS validation is also a strict requirement for the use of cryptography in the Federal Government; similarly, NSA approval is a strict requirement for cryptography protecting classified data and applications.
Traffic between the firewall, sensors, and/or other network elements must be protected by cryptographic mechanisms. Digital signatures must be used to validate the authenticity of information, firmware, or health checks. Digital signatures must be implemented using either of the following:
(i) FIPS-validated (e.g., DoD PKI) cryptographic module.
(ii) NSA-approved cryptographic module.
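As an added illustration (not part of the requirement text above), the following Go code shows the verification step a firewall or sensor performs on a signed firmware image or health-check report: a detached ECDSA signature over a SHA-256 digest, with the verifier refusing keys outside its configured curve allow-list. The allow-list of P-256 and P-384, the function names, and the sample image bytes are assumptions for the example; Go's standard library used here is not itself the FIPS-validated or NSA-approved module the requirement calls for, and the compliance check is that the device's vendor module carries that validation.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ErrUnapprovedCurve is returned when the signer's key is not on a curve the
// verifier's policy allows. The allow-list below (P-256, P-384) is an assumed
// policy for this example; set it to what your accreditation requires.
var ErrUnapprovedCurve = errors.New("public key is not on an approved curve (P-256/P-384)")

// VerifyArtifact checks a detached ECDSA signature (ASN.1 DER, the encoding
// most PKI tooling emits) over an artifact such as a firmware image or a
// health-check report. The digest is SHA-256.
func VerifyArtifact(pub *ecdsa.PublicKey, artifact, sig []byte) (bool, error) {
	switch pub.Curve {
	case elliptic.P256(), elliptic.P384():
		// approved by the example policy
	default:
		return false, ErrUnapprovedCurve
	}
	digest := sha256.Sum256(artifact)
	return ecdsa.VerifyASN1(pub, digest[:], sig), nil
}

// SignArtifact is the publisher side (the vendor signing a firmware image).
// It is included only so the example runs stand-alone.
func SignArtifact(priv *ecdsa.PrivateKey, artifact []byte) ([]byte, error) {
	digest := sha256.Sum256(artifact)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	firmware := []byte("constructed sample firmware image v1.2.3") // constructed input
	sig, _ := SignArtifact(priv, firmware)
	ok, _ := VerifyArtifact(&priv.PublicKey, firmware, sig)
	fmt.Println("genuine image verifies:", ok)
	tampered := append([]byte{}, firmware...)
	tampered[0] ^= 0x01 // flip one bit, as a corrupted or modified image would
	ok, _ = VerifyArtifact(&priv.PublicKey, tampered, sig)
	fmt.Println("tampered image verifies:", ok)
}
```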