An error occurred:

Check: DTOO262

Microsoft Outlook 2016 STIG: DTOO262 (in versions v2 r3 through v1 r1)

Title

Run in FIPS compliant mode must be enforced. (Cat II impact)

Discussion

This policy setting controls whether Outlook is required to use FIPS-compliant algorithms when signing and encrypting messages. Outlook can run in a mode that complies with Federal Information Processing Standards (FIPS), a set of standards published by the National Institute of Standards and Technology (NIST) for use by non-military United States government agencies and by government contractors. If you enable this policy setting, Outlook runs in a mode that complies with the FIPS 140-1 standard for cryptographic modules. This mode requires the use of the SHA-1 algorithm for signing and 3DES for encryption. If you disable or do not configure this policy setting, Outlook does not run in FIPS-compliant mode. Organizations that do business with the United States government but do not run Outlook in FIPS-compliant mode risk violating the U.S. government's rules regarding the handling of sensitive information.For more information about FIPS, see FIPS - General Information at http://www.itl.nist.gov/fipspubs/geninfo.htm FIPS mode in Windows enforces 3DES, AES 256/192/128, SHA1, and SHA 512/384/256. The 3DES and SHA1 modules are FIPS 140 certified. FIPS mode restricts Outlook to a very short list of SMIME capabilities. Almost all SMIME algorithms are FIPS certified on Windows. Reference https://docs.microsoft.com/en-us/windows/security/threat-protection/fips-140-validation#microsoft-fips-140-2-validated-cryptographic-modules to double check that the SMIME capabilities used and specified in certificates are FIPS certified.

Check Content

Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Cryptography "Run in FIPS compliant mode" is set to "Enabled". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\16.0\outlook\security Criteria: If the value FIPSMode is REG_DWORD = 1, this is not a finding.

Fix Text

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Cryptography "Run in FIPS compliant mode" to "Enabled".

Additional Identifiers

Rule ID: SV-228454r559729_rule

Vulnerability ID: V-228454

Group Title: SRG-APP-000179

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000803

The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
IA-7

Cryptographic Module Authentication