The HPE 3PAR OS must be configured to implement NIST FIPS-validated cryptography for the following: To provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-255285	HP3P-33-002069	SV-255285r877380_rule		Medium

Description
Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government, since this provides assurance they have been tested and validated. The HPE 3PAR OS can be configured to use FIPS validated cryptographic methods for communications secrecy. It also has an encryption license feature that controls the handling of Self-Encrypting backend drives, which requires an authorized service provider for install and activation. Satisfies: SRG-OS-000396-GPOS-00176, SRG-OS-000478-GPOS-00223

Description

Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government, since this provides assurance they have been tested and validated. The HPE 3PAR OS can be configured to use FIPS validated cryptographic methods for communications secrecy. It also has an encryption license feature that controls the handling of Self-Encrypting backend drives, which requires an authorized service provider for install and activation. Satisfies: SRG-OS-000396-GPOS-00176, SRG-OS-000478-GPOS-00223

STIG	Date
HPE 3PAR StoreServ 3.3.x Security Technical Implementation Guide	2023-11-30

Details

Check Text ( C-58958r870172_chk )
Verify the status of the FIPS communication library: cli% controlsecurity fips status If the line "FIPS Mode:" is not "Enabled", this is a finding. If any of the service lines for CLI, EKM, LDAP, SNMP, SSH, or SYSLOG are Disabled, this is a finding. If CIM, VASA, or WSAPI are "Disabled", and the mission requires any of these services, this is a finding. Review the requirements by the Information Owner to determine if the system will store sensitive or classified information. If the mission does not store sensitive, or classified information, the remainder of the check is not applicable. If the mission stores classified data, check the status of backend drive encryption: cli% controlencryption status If Licensed, Enabled, or BackupSaved are "no", or the keystore is not EKM, this is a finding.

Check Text ( C-58958r870172_chk )

Verify the status of the FIPS communication library:

cli% controlsecurity fips status

If the line "FIPS Mode:" is not "Enabled", this is a finding.

If any of the service lines for CLI, EKM, LDAP, SNMP, SSH, or SYSLOG are Disabled, this is a finding.

If CIM, VASA, or WSAPI are "Disabled", and the mission requires any of these services, this is a finding.

Review the requirements by the Information Owner to determine if the system will store sensitive or classified information.

If the mission does not store sensitive, or classified information, the remainder of the check is not applicable.

If the mission stores classified data, check the status of backend drive encryption:

cli% controlencryption status

If Licensed, Enabled, or BackupSaved are "no", or the keystore is not EKM, this is a finding.

Fix Text (F-58902r870173_fix)
Set the communications encryption module into fips mode: cli% controlsecurity fips enable If the mission stores classified information, contact an authorized service provider to install and configure the licensed encryption feature.