
The mobile operating system PKI certificate store must be FIPS 140-2 validated.


Overview

Finding ID: V-33156
Version: SRG-OS-000170-MOS-000092
Rule ID: SV-43554r2_rule
IA Controls: (none listed)
Severity: Medium
Description
The most common vulnerabilities with cryptographic modules are those associated with poor implementation. FIPS 140-2 validation provides assurance that the relevant cryptography has been implemented correctly. This particular control concerns the need for a strong password to be enforced on the actual certificate store in addition to the unlock code on the device. FIPS 140-2 validation is also a strict requirement for use of cryptography in the Federal Government.
STIG: Mobile Operating System Security Requirements Guide
Date: 2013-07-03

Details

Check Text (C-41416r3_chk)
Review system documentation to identify the FIPS 140-2 certificate for the cryptographic module. Visit the NIST web site http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm to verify the certificate is still valid. A mobile operating system may satisfy this requirement if the certificate store is encrypted with a FIPS 140-2 validated cryptographic module that also encrypts other data at rest beyond the certificate store. If the module is not currently FIPS validated, this is a finding. If the cryptographic module is not operating in FIPS mode, this is a finding. If the device unlock password also unlocks the certificate store, this is a finding.
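The check above reduces to three finding conditions evaluated against a device's documented cryptographic module and its runtime posture. The following is an added example of how an assessor could encode those conditions as an automated check over a posture export; it is not DISA, UCF or NIST tooling. The key=value export format, the posture key names, the CMVP certificate numbers and module names in the snapshot are all constructed assumptions, and only an "Active" CMVP status is treated as "currently validated".

```python
"""Evaluate the finding conditions of SRG-OS-000170-MOS-000092 against a
device posture record.  Added illustration, not DISA/UCF/NIST tooling."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed snapshot of a few CMVP entries, in the shape a reviewer would
# transcribe from the NIST validation list.  Certificate numbers and module
# names are placeholders, not real CMVP records.
CMVP_SNAPSHOT: Dict[str, Dict[str, str]] = {
    "1001": {"module": "Example Mobile Crypto Module", "status": "Active"},
    "1002": {"module": "Legacy Crypto Library", "status": "Historical"},
    "1003": {"module": "Withdrawn Module", "status": "Revoked"},
}


@dataclass
class DevicePosture:
    fips_certificate: Optional[str]   # CMVP certificate number from system docs
    fips_mode_enabled: bool           # module actually running in FIPS mode
    cert_store_has_own_password: bool # store password separate from unlock code


def parse_posture(export: str) -> DevicePosture:
    """Parse a constructed key=value posture export (hypothetical format)."""
    kv: Dict[str, str] = {}
    for line in export.strip().splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            key, value = line.split("=", 1)
            kv[key.strip()] = value.strip()

    def flag(key: str) -> bool:
        # Missing or malformed booleans are treated as "not enabled".
        return kv.get(key, "false").strip().lower() == "true"

    return DevicePosture(
        fips_certificate=kv.get("fips_certificate") or None,
        fips_mode_enabled=flag("fips_mode_enabled"),
        cert_store_has_own_password=flag("cert_store_has_own_password"),
    )


def evaluate(posture: DevicePosture,
             cmvp: Dict[str, Dict[str, str]] = CMVP_SNAPSHOT) -> List[str]:
    """Return the list of findings; an empty list means the check passes."""
    findings: List[str] = []

    # Finding 1: the module must appear on the CMVP list with Active status.
    entry = cmvp.get(posture.fips_certificate or "")
    if entry is None or entry["status"] != "Active":
        findings.append("module is not currently FIPS 140-2 validated")

    # Finding 2: a validated module that is not in FIPS mode still fails.
    if not posture.fips_mode_enabled:
        findings.append("cryptographic module is not operating in FIPS mode")

    # Finding 3: the unlock code alone must not open the certificate store.
    if not posture.cert_store_has_own_password:
        findings.append("device unlock password also unlocks the certificate store")

    return findings


# Constructed sample exports: one compliant device, one with every finding.
COMPLIANT_EXPORT = """
fips_certificate=1001
fips_mode_enabled=true
cert_store_has_own_password=true
"""

NONCOMPLIANT_EXPORT = """
# validated once, now Historical; FIPS mode off; shared unlock code
fips_certificate=1002
fips_mode_enabled=false
cert_store_has_own_password=false
"""

if __name__ == "__main__":
    for label, export in (("compliant", COMPLIANT_EXPORT),
                          ("noncompliant", NONCOMPLIANT_EXPORT)):
        result = evaluate(parse_posture(export))
        print(label, "->", "PASS" if not result else result)
```

Note that the second and third conditions are independent of the first: a device whose module holds an Active certificate is still a finding when the module runs outside FIPS mode or when the unlock code doubles as the certificate store password, which is why the evaluator collects every failed condition rather than stopping at the first.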
Fix Text (F-37056r1_fix)
Configure the mobile operating system PKI certificate store to be FIPS 140-2 validated.