UCF STIG Viewer Logo

The mobile operating system must employ FIPS validated or NSA approved cryptography to implement digital signatures.


Overview

Finding ID Version Rule ID IA Controls Severity
V-33161 SRG-OS-000173-MOS-000096 SV-43559r1_rule Medium
Description
The most common vulnerabilities with cryptographic modules are those associated with poor implementation. FIPS 140 validation and NSA approval provides assurance that the relevant cryptography has been implemented correctly. FIPS validation is also a strict requirement for use of cryptography in the Federal Government. Similarly, NSA approval of cryptography for classified data and applications is a strict requirement. The objective is to validate the implementation of the cryptography, not the cryptographic algorithm or mode.
STIG Date
Mobile Operating System Security Requirements Guide 2013-07-03

Details

Check Text ( C-41421r1_chk )
Review system documentation to identify the FIPS 140-2 certificate for the cryptographic module. Visit the NIST web site http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm to verify the certificate is still valid. If the module is not currently FIPS validated, this is a finding. If the cryptographic module is not operating in FIPS mode, this is a finding. Similarly, if NSA approved cryptography is not used to implement digital signatures for classified systems operating in an approved mode, this is a finding.
Fix Text (F-37061r1_fix)
Configure the mobile operating system to employ FIPS validated or NSA approved cryptography for implementing digital signatures.