
Sensitive or Personally Identifiable Information (PII) must not be transferred between an RFID tag and RFID scanner unless the information is encrypted using a FIPS 140-2 validated encryption module.


Overview

| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-18620 | WIR0510 | SV-20178r1_rule | ECWN-1 | Low |

Description
Sensitive information or PII could be compromised if it is not encrypted, because adversaries can often intercept wireless signals transmitted between an RFID interrogator and tag. Using FIPS 140-2 validated encryption modules provides assurance that the implementation of the cryptography is correct.

| STIG | Date |
|---|---|
| RFID Scanner Security Technical Implementation Guide (STIG) | 2014-03-18 |

Details

Check Text (C-22302r1_chk)
Interview the IAO to verify whether sensitive or PII data is stored on the RFID tag. If it is not, encryption of data transmitted between the RFID tag and scanner is not required. If it is, perform the following:

- Verify that the data is stored on the tag in encrypted form (an encryption module is used to encrypt the data before it is stored, and the module is FIPS 140-2 validated), or
- Verify that the data transmitted between the tag and scanner is encrypted with a FIPS 140-2 validated encryption module before it is transmitted to the scanner.

Mark as a finding if either of these requirements is not met.
Fix Text (F-34077r1_fix)
Procure RFID tags that integrate FIPS 140-2 validated encryption modules, or configure the RFID system such that data is encrypted with a FIPS 140-2 validated encryption module prior to being written to the tag.