The network device must employ FIPS-validated or NSA-approved cryptography to implement digital signatures.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
SRG-NET-000308-NDM-000193	SRG-NET-000308-NDM-000193	SRG-NET-000308-NDM-000193_rule		Medium

Description
Use of weak or untested certificates undermines the purposes of utilizing encryption to protect data. The most common vulnerabilities with cryptographic modules are those associated with poor implementation. FIPS-140 validation and NSA approval provides assurance that the relevant cryptography has been implemented correctly. FIPS validation is also a strict requirement for use of cryptography in the Federal Government. Similarly, NSA approval of cryptography for classified data and applications is a strict requirement. Traffic between the network device, sensors, and/or other network devices must be protected by cryptographic mechanisms. Digital signatures must be used to validate the authenticity of information, firmware, or health checks. Digital signatures must be implemented using either of the following: (i) FIPS-validated (e.g., DoD PKI) cryptographic module. (ii) NSA-approved cryptographic module.

Description

Use of weak or untested certificates undermines the purposes of utilizing encryption to protect data. The most common vulnerabilities with cryptographic modules are those associated with poor implementation. FIPS-140 validation and NSA approval provides assurance that the relevant cryptography has been implemented correctly. FIPS validation is also a strict requirement for use of cryptography in the Federal Government. Similarly, NSA approval of cryptography for classified data and applications is a strict requirement. Traffic between the network device, sensors, and/or other network devices must be protected by cryptographic mechanisms. Digital signatures must be used to validate the authenticity of information, firmware, or health checks. Digital signatures must be implemented using either of the following: (i) FIPS-validated (e.g., DoD PKI) cryptographic module. (ii) NSA-approved cryptographic module.

STIG	Date
Network Device Management Security Requirements Guide	2013-07-30

Details

Check Text ( C-SRG-NET-000308-NDM-000193_chk )
Verify digital signatures used by the network device to validate the authenticity of information using either of the following: (i) a cryptographic module from the NIST Cryptographic Algorithm Validation Program (CAVP) product lists to determine if FIPS 140-validated cryptography is used (e.g., DoD PKI); or (ii) an NSA-approved cryptographic module. If NSA-approved or FIPS-validated cryptography is not used to implement digital signatures, this is a finding.

Check Text ( C-SRG-NET-000308-NDM-000193_chk )

Verify digital signatures used by the network device to validate the authenticity of information using either of the following:
(i) a cryptographic module from the NIST Cryptographic Algorithm Validation Program (CAVP) product lists to determine if FIPS 140-validated cryptography is used (e.g., DoD PKI); or
(ii) an NSA-approved cryptographic module.

If NSA-approved or FIPS-validated cryptography is not used to implement digital signatures, this is a finding.

Fix Text (F-SRG-NET-000308-NDM-000193_fix)
Install digital signatures that comply with FIPS or NSA certificate requirements.