In the case of unclassified equipment, when the mobile application either runs on a mobile operating system with applicable FIPS 140-2 validated cryptographic modules or has its own native FIPS 140-2 validated cryptographic modules, it is presumed to comply with all applicable federal laws, Executive Orders, directives, regulations, standards, and guidance. This check only applies when the reviewer has identified a specific requirement related to cryptographic protections beyond the FIPS 140-2 requirement. If there are no such known additional requirements, there is no finding with respect to this potential vulnerability. Perform a review of the application's documentation to assess whether the mobile application implements and uses the required protections, using cryptographic modules per the identified legal and policy requirements. Refer to http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm for the list of FIPS 140 validated cryptographic modules. If the documentation review is unable to prove that the application implements the required protections, or is inconclusive, perform a static program analysis to assess whether the application contains functional, executable code that uses cryptographic modules to provide protection in accordance with the requirements. If the documentation review and/or static program analysis reveals that the application does not employ code that implements the necessary protections, this is a finding.