The cryptographic module supporting the VPN client security functions must be FIPS 140-2 validated.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-33155	SRG-OS-000170-MOS-000091	SV-43553r2_rule		Medium

Description
The most common vulnerabilities with cryptographic modules are those associated with poor implementation. FIPS 140 validation provides assurance that the relevant cryptography has been implemented correctly. FIPS validation is also a strict requirement for use of cryptography in the Federal Government.

STIG	Date
Mobile Operating System Security Requirements Guide	2013-07-03

Details

Check Text ( C-41415r2_chk )
Review system documentation to identify the FIPS 140-2 certificate for the cryptographic module. Visit the NIST web site http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm to verify the certificate is still valid. If the module is not currently FIPS validated, this is a finding. Note: This requirement also applies to a private VPN connection from the carrier's network to the DoD network that is designed to route all mobile device traffic directly to the DoD network. If the cryptographic module is not operating in FIPS mode, this is a finding.

Check Text ( C-41415r2_chk )

Review system documentation to identify the FIPS 140-2 certificate for the cryptographic module. Visit the NIST web site http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm to verify the certificate is still valid. If the module is not currently FIPS validated, this is a finding. Note: This requirement also applies to a private VPN connection from the carrier's network to the DoD network that is designed to route all mobile device traffic directly to the DoD network. If the cryptographic module is not operating in FIPS mode, this is a finding.

Fix Text (F-37055r1_fix)
Configure the mobile operating system's cryptographic module supporting the VPN client security functions to encrypt using FIPS 140-2 validated modules.