VTU does not use or provide FIPS 140-2 validated encryption module.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-17684	RTS-VTC 1230.00	SV-18858r1_rule	ECCT-1 ECNK-1 ECSC-1	Medium

Description
The current DoD requirement for commercial grade encryption is that the encryption module, which includes a FIPS 197 validated encryption algorithm plus “approved functions” (i.e., key management and sharing/distribution functions), be NIST validated to FIPS 140-2. It must be noted that legacy equipment validated to FIPS 140-1 may still be used and FIPS 140-3 is in development. While many VTU vendors support AES, they have only validated the algorithm to FIPS-197, if at all. This does not meet the FIPS 140-2 requirement because the additional “approved functions” have not also been addressed. Note: During APL testing, this is a finding in the event this requirement is not supported by the VTU.

Description

The current DoD requirement for commercial grade encryption is that the encryption module, which includes a FIPS 197 validated encryption algorithm plus “approved functions” (i.e., key management and sharing/distribution functions), be NIST validated to FIPS 140-2. It must be noted that legacy equipment validated to FIPS 140-1 may still be used and FIPS 140-3 is in development. While many VTU vendors support AES, they have only validated the algorithm to FIPS-197, if at all. This does not meet the FIPS 140-2 requirement because the additional “approved functions” have not also been addressed. Note: During APL testing, this is a finding in the event this requirement is not supported by the VTU.

STIG	Date
Video Services Policy STIG	2014-06-26

Details

Check Text ( C-18954r1_chk )
[IP][ISDN]; Interview the IAO to validate compliance with the following requirement: Ensure VTUs under his/her control employ encryption module(s) validated to FIPS 140-2. Determine if the various VTUs with which the system under review is expected to communicate support and are using FIPS 140-2 validated encryption modules and that they are operated in FIPS mode. Have the IAO or SA demonstrate and verify that the VTU is using 140-2 encryption in FIPS mode. Review documentation from the vendor designating the encryption modules in use and verify that they are listed on the NIST CMVP “validated modules” web site. http://csrc.nist.gov/groups/STM/cmvp/validation.html Note: For APL testing and new installations of new (non-legacy) equipment, this finding can be reduced to a CAT III in the event the crypto module in use is in the FIPS validation process as listed on the NIST CMVP “modules in Process” web site. http://csrc.nist.gov/groups/STM/cmvp/inprocess.html. The POA&M for closing the finding must indicate the expected date that the module will achieve validation and the process to ensure the module in use is the validated module.

Check Text ( C-18954r1_chk )

[IP][ISDN]; Interview the IAO to validate compliance with the following requirement:

Ensure VTUs under his/her control employ encryption module(s) validated to FIPS 140-2.

Determine if the various VTUs with which the system under review is expected to communicate support and are using FIPS 140-2 validated encryption modules and that they are operated in FIPS mode. Have the IAO or SA demonstrate and verify that the VTU is using 140-2 encryption in FIPS mode. Review documentation from the vendor designating the encryption modules in use and verify that they are listed on the NIST CMVP “validated modules” web site. http://csrc.nist.gov/groups/STM/cmvp/validation.html

Note: For APL testing and new installations of new (non-legacy) equipment, this finding can be reduced to a CAT III in the event the crypto module in use is in the FIPS validation process as listed on the NIST CMVP “modules in Process” web site. http://csrc.nist.gov/groups/STM/cmvp/inprocess.html. The POA&M for closing the finding must indicate the expected date that the module will achieve validation and the process to ensure the module in use is the validated module.

Fix Text (F-17581r1_fix)
[IP][ISDN]; Perform the following tasks: Purchase and install only those VTUs and MCUs that employ an encryption module(s) validated to FIPS 140-2 standards. Upgrade/replace old non compliant devices.