The cryptographic module supporting encryption of data in transit (including email and attachments) must be FIPS 140-2 validated.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-33153 | SRG-OS-000170-MOS-000089 | SV-43551r1_rule | Medium |
| Description |
|---|
| The most common vulnerabilities with cryptographic modules are those associated with poor implementation. FIPS 140-2 validation provides assurance that the relevant cryptography has been implemented correctly. FIPS 140-2 validation is also a strict requirement for use of cryptography in the Federal Government. This general IA control is applicable to all wireless interfaces but is primarily targeted at interfaces other than Wi-Fi or Bluetooth, which have their own controls. STIGs for devices that have wireless interfaces other than Wi-Fi or Bluetooth only may use those controls in lieu of this one. For other wireless interfaces, this control must be applied. |
| STIG | Date |
|---|---|
| Mobile Operating System Security Requirements Guide | 2013-07-03 |
Details
| Check Text ( C-41413r1_chk ) |
|---|
| Review system documentation to identify the FIPS 140-2 certificate for the cryptographic module. Visit the NIST web site http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm to verify the certificate is still valid. If the module is not currently FIPS validated, this is a finding. If the cryptographic module is not operating in FIPS mode, this is a finding. |
| Fix Text (F-37053r1_fix) |
|---|
| Configure the mobile operating system's cryptographic module to encrypt data in transit (including email and attachments) using FIPS 140-2 validated modules. |