Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-35524 | SRG-APP-000198-MAPP-00043 | SV-46811r1_rule | | High |
Description |
---|
Unclassified information is also at risk of exposure if no encryption is used, or if a cryptographic module that is not NSA validated is used. NSA-compliant cryptography must be applied; unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised due to weak algorithms. Additionally, it must be known that FIPS 140-2 validated encryption is not suitable for classified information. In applying this control, the integrity and privacy of unclassified information are maintained. Organizations should contact their NSA liaison to determine what the available options are for cryptographic support. |
STIG | Date |
---|---|
Mobile Application Security Requirements Guide | 2013-01-04 |
Check Text ( C-43864r1_chk ) |
---|
Identify what cryptography, if any, protects classified information stored, processed, or transmitted on the device. Verify that the cryptography is NSA approved for the protection of classified information from the documentation submitted with the application. If the application does not use cryptography to protect classified information, or does not use NSA approved cryptography for this purpose, this is a finding. |
Fix Text (F-40065r1_fix) |
---|
Modify code and architecture to ensure the application utilizes NSA-approved and validated cryptography for modules implementing encryption approved for classified information, key exchange, digital signature, and hash. |