Title

The VPN client on wireless clients (PDAs, smartphones) used for remote access to DoD networks will be FIPS 140-2 validated. This check is not applicable if the installed VPN client is not used for remote access to DoD networks. (Cat II impact)

Discussion

DoD data could be compromised if transmitted data is not secured with a compliant VPN. FIPS validation provides a level of assurance that the encryption of the device has been securely implemented.

Check Content

This check is not applicable if the installed VPN client is not used for remote access to DoD networks. Interview the IAO and/or site wireless device administrator and inspect a sample (3-4) of site devices. Review VPN client specification sheets and FIPS 140-2 certificate. Verify the devices have a VPN client installed and is FIPS 140-2 validated. Check the NIST certificate for the mobile OS or VPN client. Mark as a finding if the VPN is not FIPS 140-2 validated.

Fix Text

Comply with requirement.

Additional Identifiers

Rule ID: SV-38990r1_rule

Vulnerability ID: V-18627

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.