The organization must require the cryptographic module be FIPS-validated when no NIAP-approved Protection Profile exists for a specific technology type but a commercially provided information technology product relies on cryptographic functionality to enforce its security policy.

From Voice Video Policy Security Technical Implementation Guide

Part of SRG-POL-300730

Associated with: CCI-000635

VVSP-01-000201_rule The organization must require the cryptographic module be FIPS-validated when no NIAP-approved Protection Profile exists for a specific technology type but a commercially provided information technology product relies on cryptographic functionality to enforce its security policy.

Vulnerability discussion

Information system components are discrete, identifiable information technology assets that represent the building blocks of an information system. Information system components include commercial information technology products. Security functional requirements include security capabilities, security functions, and security mechanisms. Security strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to direct attack, and resistance to tampering or bypass. Security assurance requirements include: (i) development processes, procedures, practices, and methodologies; and (ii) evidence from development and assessment activities providing grounds for confidence that the required security functionality has been implemented and the required security strength has been achieved. Security documentation requirements address all phases of the system development life cycle.

Voice Video elements must meet the security functionality, assurance, and documentation requirements defined by the organization. NIAP provides Protection Profiles for many elements of information systems, and these are recognized for providing element-specific security guidance. Additionally, for Voice Video elements, DISA and other DoD entities have produced guidance to ensure a standards-based approach; the DoD Approved Products List (APL) works together with the Unified Capabilities Requirements (UCR) to provide consistency. In cases where NIAP has not provided a Protection Profile, the product's cryptographic module must be FIPS-validated so that there is independent assurance that its algorithms and their implementation are of sufficient strength.

Check content

Review each Voice Video system security plan (SSP). Verify that the organization requires products containing a cryptographic module to be FIPS-validated. Products with a NIAP-approved Protection Profile for a specific technology type are evaluated for FIPS-validated cryptographic modules as part of the compliance process. Products without NIAP approval must be FIPS-validated when they rely on cryptographic functionality to enforce their security policy. If the Voice Video SSP does not document, and the organization does not enforce, that products relying on cryptographic functionality to enforce security policy must have FIPS-validated cryptographic modules, this is a finding.

Fix text

Document in the Voice Video SSP all network components and/or devices used in the design of the Voice Video system. The design must require that products containing a cryptographic module be FIPS-validated. Products with a NIAP-approved Protection Profile for a specific technology type are evaluated for FIPS-validated cryptographic modules as part of the compliance process. Products without NIAP approval must be FIPS-validated when they rely on cryptographic functionality to enforce their security policy.
