The VTU must use FIPS 140-2 validated encryption module.

From Video Services Policy STIG

Part of RTS-VTC 1230

Associated with IA controls: ECCT-1, ECNK-1, ECSC-1

SV-18858r2_rule The VTU must use FIPS 140-2 validated encryption module.

Vulnerability discussion

The current DoD requirement for commercial grade encryption is that the encryption module, which includes a FIPS 197 validated encryption algorithm plus approved functions (i.e., key management and sharing/distribution functions), be NIST validated to FIPS 140-2. It must be noted that legacy equipment validated to FIPS 140-1 may still be used and that FIPS 140-3 is in development. While many VTU vendors support AES, they have only validated the algorithm to FIPS 197, if at all. This does not meet the FIPS 140-2 requirement because the additional approved functions have not been addressed.

Check content

Interview the ISSO to validate compliance with the following requirement: Ensure VTUs under his/her control employ encryption module(s) validated to FIPS 140-2. Determine whether the various VTUs with which the system under review is expected to communicate support and are using FIPS 140-2 validated encryption modules, and that they are operated in FIPS mode. Have the ISSO or SA demonstrate and verify that the VTU is using FIPS 140-2 validated encryption in FIPS mode. Review documentation from the vendor designating the encryption modules in use and verify that they are listed on the NIST CMVP validated modules web site (http://csrc.nist.gov/groups/STM/cmvp/validation.html). If the VTU does not use a FIPS 140-2 validated encryption module, this is a finding.

Fix text

Purchase and install only those VTUs and MCUs that employ encryption modules that are validated to FIPS 140-2 standards. Upgrade or replace non-compliant devices. Note: Updating firmware or software to provide desired functionality is preferred. A vendor may provide security updates and patches that offer additional functions. In many cases, the IA Vulnerability Management (IAVM) system mandates updating software to reduce risk to DoD networks.
