
The mobile operating system PKI certificate store must be FIPS 140-2 validated.


Overview

Finding ID: V-33156
Version: SRG-OS-000170-MOS-000092
Rule ID: SV-43554r2_rule
IA Controls: (none listed)
Severity: Medium
Description
The most common vulnerabilities with cryptographic modules are those associated with poor implementation. FIPS 140-2 validation provides assurance that the relevant cryptography has been implemented correctly. This particular control concerns the need for a strong password to be enforced on the actual certificate store in addition to the unlock code on the device. FIPS 140-2 validation is also a strict requirement for use of cryptography in the Federal Government.
STIG: Mobile Operating System Security Requirements Guide
Date: 2013-07-03

Details

Check Text (C-41416r3_chk)
Review system documentation to identify the FIPS 140-2 certificate for the cryptographic module. Visit the NIST web site http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm to verify the certificate is still valid. A mobile operating system may satisfy this requirement if the certificate store is encrypted with a FIPS 140-2 validated cryptographic module that also encrypts other data at rest beyond the certificate store.

- If the module is not currently FIPS validated, this is a finding.
- If the cryptographic module is not operating in FIPS mode, this is a finding.
- If the device unlock password also unlocks the certificate store, this is a finding.
Fix Text (F-37056r1_fix)
Configure the mobile operating system PKI certificate store to be FIPS 140-2 validated.