Title

The application must use mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication. (Cat II impact)

Discussion

Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified, and cannot be relied upon to provide confidentiality or integrity and DoD data may be compromised due to weak algorithms. Applications utilizing encryption are required to use approved encryption modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. FIPS 140-2 is the current standard for validating cryptographic modules and NSA Type-X (where X=1, 2, 3, 4) products are NSA certified hardware based encryption modules. Rationale for non-applicability: In most cases, the mobile OS or third party product provided cryptographic support to mobile applications. In these cases, both the application and cryptographic module are trusted and do not require authentication. When a mobile application contains its own cryptographic module, the code is embedded in the application, obviating the need for authentication. When the cryptographic module is native to the MOS, the MOS SRG covers this control. Other IA controls address requirements for FIPS 140-2 validation generally.

Check Content

This requirement is NA for the MAPP SRG.

Fix Text

The requirement is NA. No fix is required.

Additional Identifiers

Rule ID: SV-46792r1_rule

Vulnerability ID: V-35505

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.