The cryptographic module supporting encryption of data at rest must be FIPS 140-2 validated.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-33154 | SRG-OS-000170-MOS-000090 | SV-43552r1_rule | Medium |
| Description |
|---|
| The most common vulnerabilities with cryptographic modules are those associated with poor implementation. FIPS 140 validation provides assurance that the relevant cryptography has been implemented correctly. FIPS validation is also a strict requirement for use of cryptography in the Federal Government. This general IA control is applicable to all wireless interfaces but is primarily targeted at interfaces other than Wi-Fi or Bluetooth, which have their own controls. Guidance for mobile devices, which has wireless interfaces other than Wi-Fi or Bluetooth only, may use those controls in lieu of this one. For other wireless interfaces, this control must be applied. |
| STIG | Date |
|---|---|
| Mobile Operating System Security Requirements Guide | 2013-07-03 |
Details
| Check Text ( C-41414r1_chk ) |
|---|
| Review system documentation to identify the FIPS 140-2 certificate for the cryptographic module. Visit the NIST web site http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm to verify the certificate is still valid. If the module is not currently FIPS validated, this is a finding. If the cryptographic module is not operating in FIPS mode, this is a finding. |
| Fix Text (F-37054r1_fix) |
|---|
| Configure the mobile operating system's cryptographic module to encrypt data at rest using FIPS 140-2 validated modules. |