Title

The VPN client on wireless clients (PDAs, smartphones) used for remote access to DoD networks must be FIPS 140-2 validated. (Cat II impact)

Discussion

DoD data could be compromised if transmitted data is not secured with a compliant VPN. FIPS validation provides a level of assurance that the encryption of the device has been securely implemented.

Check Content

Interview the IAO and/or site wireless device administrator and inspect a sample (3-4) of site devices. Review VPN client specification sheets and FIPS 140-2 certificate. Verify the devices have a VPN client installed and that it is FIPS 140-2 validated. Mark as a finding if the VPN is not FIPS 140-2 validated.

Fix Text

Comply with requirement.

Additional Identifiers

Rule ID: SV-40039r1_rule

Vulnerability ID: V-18627

Group Title: Remote access VPN - FIPS 140-2

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.