
The PKI key store of the MDM server must be FIPS validated.


Overview

Finding ID: V-36043
Version: SRG-APP-179-MDM-039-SRV
Rule ID: SV-47432r1_rule
IA Controls:
Severity: Medium
Description
MDM server applications utilizing encryption are required to use approved encryption modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised due to weak algorithms. FIPS validation ensures the encryption algorithm is suitable for the DoD environment.
STIG: Mobile Device Manager Security Requirements Guide
Date: 2013-01-24

Details

Check Text (C-44282r1_chk)
Review system documentation to identify the FIPS 140 certificate for the PKI key store. Visit the NIST web site http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm to verify the certificate is still valid. If the module is not currently FIPS validated, this is a finding.
Fix Text (F-40573r1_fix)
Stop using the system until the vendor has obtained FIPS validation, or install a third-party product that contains a FIPS-validated cryptographic module providing the same services as the operating system's non-FIPS-validated implementation of cryptography.