Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-17684 | RTS-VTC 1230.00 | SV-18858r1_rule | ECCT-1 ECNK-1 ECSC-1 | Medium |
Description |
---|
The current DoD requirement for commercial-grade encryption is that the encryption module, which comprises a FIPS 197 (AES) validated encryption algorithm plus the "approved functions" (i.e., key management and key sharing/distribution functions), be NIST validated to FIPS 140-2. Note that legacy equipment validated to FIPS 140-1 may still be used, and that FIPS 140-3 is in development. While many VTU vendors support AES, they have at most validated the algorithm itself to FIPS 197 (an algorithm-only validation under CAVP), if at all. This does not meet the FIPS 140-2 requirement, because the additional "approved functions" have not been validated as part of a cryptographic module. Note: During APL testing, this is a finding if the VTU does not support this requirement. |
STIG | Date |
---|---|
Video Teleconference STIG | 2014-02-11 |
Check Text (C-18954r1_chk) |
---|
[IP][ISDN]; Interview the IAO to validate compliance with the following requirement: Ensure VTUs under his/her control employ encryption module(s) validated to FIPS 140-2. Determine whether the various VTUs with which the system under review is expected to communicate support, and are using, FIPS 140-2 validated encryption modules, and that these modules are operated in FIPS mode (the approved mode of operation defined in the module's Security Policy). Have the IAO or SA demonstrate and verify that the VTU is using FIPS 140-2 validated encryption in FIPS mode. Review documentation from the vendor identifying the encryption modules in use and verify that they are listed on the NIST CMVP "validated modules" web site: http://csrc.nist.gov/groups/STM/cmvp/validation.html. A CMVP certificate covers the specific module name and version stated on the certificate; confirm that the firmware or software version actually deployed on the VTU matches the validated version, since a different build is not covered by the certificate. Note: For APL testing and new installations of new (non-legacy) equipment, this finding can be reduced to a CAT III if the crypto module in use is in the FIPS validation process, as listed on the NIST CMVP "modules in process" web site: http://csrc.nist.gov/groups/STM/cmvp/inprocess.html. The POA&M for closing the finding must indicate the expected date that the module will achieve validation and the process to ensure that the module in use is the validated module. |
Fix Text (F-17581r1_fix) |
---|
[IP][ISDN]; Perform the following tasks: Purchase and install only those VTUs and MCUs that employ encryption module(s) validated to FIPS 140-2 standards. Upgrade or replace old, non-compliant devices. |