Check: RTS-VTC 1230.00
Video Services Policy STIG: RTS-VTC 1230.00 (in versions v1 r12 through v1 r8)
Title
The VTU must use a FIPS 140-2 validated encryption module. (Cat II impact)
Discussion
The current DoD requirement for commercial grade encryption is that the encryption module, which includes a FIPS 197 validated encryption algorithm plus approved functions (i.e., key management and sharing/distribution functions), be NIST validated to FIPS 140-2. It must be noted that legacy equipment validated to FIPS 140-1 may still be used and FIPS 140-3 is in development. While many VTU vendors support AES, they have only validated the algorithm to FIPS 197, if at all. This does not meet the FIPS 140-2 requirement because the additional approved functions have not been addressed.
Check Content
Interview the ISSO to validate compliance with the following requirement: Ensure VTUs under his/her control employ encryption module(s) validated to FIPS 140-2. Determine if the various VTUs with which the system under review is expected to communicate support and are using FIPS 140-2 validated encryption modules and that they are operated in FIPS mode. Have the ISSO or SA demonstrate and verify that the VTU is using FIPS 140-2 encryption in FIPS mode. Review documentation from the vendor designating the encryption modules in use and verify that they are listed on the NIST CMVP validated modules web site (http://csrc.nist.gov/groups/STM/cmvp/validation.html). If the VTU does not use a FIPS 140-2 validated encryption module, this is a finding.
Fix Text
Purchase and install only those VTUs and MCUs that employ encryption modules that are validated to FIPS 140-2 standards. Upgrade or replace non-compliant devices. Note: Updating firmware or software to provide desired functionality is preferred. A vendor may provide security updates and patches that offer additional functions. In many cases, the IA Vulnerability Management (IAVM) system mandates updating software to reduce risk to DoD networks.
Additional Identifiers
Rule ID: SV-18858r2_rule
Vulnerability ID: V-17684
Group Title: RTS-VTC 1230
CCIs
No CCIs are assigned to this check.
Controls
No controls are assigned to this check.