The VPN client on wireless clients (PDAs, smartphones) used for remote access to DoD networks must be FIPS 140-2 validated. This check is not applicable if the installed VPN client is not used for remote access to DoD networks.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-18627	WIR-MOS-WP-034-01	SV-40030r1_rule	ECWN-1	Medium

Description
DoD data could be compromised if transmitted data is not secured with a compliant VPN. FIPS validation provides a level of assurance that the encryption of the device has been securely implemented.

STIG	Date
Windows Phone 6.5 (with Good Mobility Suite) Security Technical Implementation Guide	2011-10-04

Details

Check Text ( C-39046r1_chk )
This check is not applicable if the installed VPN client is not used for remote access to DoD networks. Interview the IAO and/or site wireless device administrator and inspect a sample (3-4) of site devices. Review VPN client specification sheets and FIPS 140-2 certificate. Verify the devices have a VPN client installed and is FIPS 140-2 validated. Check the NIST certificate for the mobile OS or VPN client. Mark as a finding if the VPN is not FIPS 140-2 validated

Check Text ( C-39046r1_chk )

This check is not applicable if the installed VPN client is not used for remote access to DoD networks.

Interview the IAO and/or site wireless device administrator and inspect a sample (3-4) of site devices.

Review VPN client specification sheets and FIPS 140-2 certificate.

Verify the devices have a VPN client installed and is FIPS 140-2 validated. Check the NIST certificate for the mobile OS or VPN client.

Mark as a finding if the VPN is not FIPS 140-2 validated

Fix Text (F-20573r2_fix)
Comply with policy requirement.