UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Sensitive or Personally Identifiable Information (PII) must not be transferred between an RFID tag and RFID scanner unless the information is encrypted using a FIPS 140-2 validated encryption module.


Overview

Finding ID Version Rule ID IA Controls Severity
V-18620 WIR0510 SV-20178r3_rule ECWN-1 Low
Description
Sensitive or PII info could be compromised if it is not encrypted because adversaries often can intercept wireless signals transmitted between an RFID interrogator and tag. Using FIPS 140-2 validated encryption modules provides assurance that the implementation of the cryptography is correct.
STIG Date
RFID Scanner Security Technical Implementation Guide 2011-10-07

Details

Check Text ( C-22302r2_chk )
Interview the IAO to verifiy if sensitive or PII data is stored on the RFID tag. If it is not, encryption of data transmitted between the RFID Tag and Scanner is not required. If it is, perform the following:

- Verify that the data on the tag is either stored in an encrypted form on the tag (an encryption module used to encrypt the data before it is stored and the module is 140-2 validated), or
- Verify the data being transmitted between the tag and scanned is encrypted before it is transmitted to the scanner with a FIPS 140-2 validated encryption module.
Mark as a finding if either of these requirements is not met.
Fix Text (F-34077r1_fix)
Procure RFID tags that integrate 140-2 validated encryption modules or congure the RFID system such that data is encrypted with a FIPS 140-2 validated encryption module prior to being written to the tag.