The WLAN implementation of AES-CCMP must be FIPS 140-2 validated.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-19894	WIR0125-02	SV-22064r2_rule	ECCT-1 ECSC-1 ECWN-1	Medium

Description
Most known security breaches of cryptography result from improper implementation of the cryptography, not flaws in the cryptographic algorithms themselves. FIPS 140-2 validation provides assurance that cryptography is implemented correctly, and is required for Federal Government uses of cryptography in non-classified applications.

STIG	Date
WLAN Access Point (Enclave-NIPRNet Connected) Security Technical Implementation Guide (STIG)	2013-03-14

Details

Check Text ( C-25502r1_chk )
Check Procedures: Review the WLAN system product documentation (specification sheet, administration manual, etc.), which should include the FIPS 140-2 certificate for the WLAN system. Verify the certificate specifically covers the implementation of AES-CCMP. If there are any concerns about the currency or veracity of the certificate in the product documentation, the reviewer should check the NIST Internet web site (http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm) and find the certificate.

Check Text ( C-25502r1_chk )

Check Procedures:
Review the WLAN system product documentation (specification sheet, administration manual,
etc.), which should include the FIPS 140-2 certificate for the WLAN system. Verify the certificate specifically covers the implementation of AES-CCMP. If there are any concerns about the currency or veracity of the certificate in the product documentation, the reviewer should check the NIST Internet web site (http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm) and find the certificate.

Fix Text (F-34065r1_fix)
Procure WLAN equipment whose implementation of AES-CCMP has been FIPS 140-2 validated.