Check: SRG-APP-000198-MAPP-00043
Mobile Application SRG: SRG-APP-000198-MAPP-00043 (in version v1 r1)
Title
The mobile application must employ NSA-approved cryptography to protect classified information. (Cat I impact)
Discussion
Unclassified information is also at risk of exposure if no encryption is used, or if the cryptographic module used is not NSA-validated. NSA-compliant cryptography must be applied: unapproved cryptographic modules and algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, so DoD data may be compromised by weak algorithms. Additionally, FIPS 140-2 validated encryption is not suitable for classified information. Applying this control maintains the integrity and privacy of unclassified information. Organizations should contact their NSA liaison to determine what options are available for cryptographic support.
Check Content
Identify what cryptography, if any, protects classified information stored, processed, or transmitted on the device. From the documentation submitted with the application, verify that this cryptography is NSA-approved for the protection of classified information. If the application does not use cryptography to protect classified information, or does not use NSA-approved cryptography for this purpose, this is a finding.
Fix Text
Modify the code and architecture so that the application uses NSA-approved and validated cryptography in the modules that implement encryption of classified information, key exchange, digital signatures, and hashing.
Additional Identifiers
Rule ID: SV-46811r1_rule
Vulnerability ID: V-35524
Group Title:
CCIs
| Number | Definition |
|---|---|
| CCI-001146 | The organization employs NSA-approved cryptography to protect classified information. |
Controls
| Number | Title |
|---|---|
| No controls are assigned to this check | |