UCF STIG Viewer Logo

The VPN client on mobile devices used for remote access to DoD networks must be FIPS 140-2 validated.


Finding ID Version Rule ID IA Controls Severity
V-18627 WIR-MOS-iOS-034-01 SV-40265r3_rule ECWN-1 Medium
DoD data could be compromised if transmitted data is not secured with a compliant VPN. FIPS validation provides a level of assurance that the encryption of the device has been securely implemented.
Apple iOS 6 Security Technical Implementation Guide (STIG) 2013-05-23


Check Text ( C-39120r5_chk )
This check is not applicable if the installed VPN client is not used for remote access to DoD networks. Note: Use of a VPN to access DoD email on a mobile device is not required.

Interview the IAO and/or site wireless device administrator and inspect a sample (3-4) of site devices. Review VPN client specification sheets and FIPS 140-2 certificate. Verify the VPN client leverages FIPS 140-2 validated cryptographic modules. It may accomplish this either by using its own FIPS 140-2 validated cryptographic module or the FIPS 140-2 validated Apple iOS CoreCrypto Kernel Module. Only VPN client applications that Apple has granted the VPN entitlement have the capability to leverage this module. Verify the VPN client has the Apple iOS VPN entitlement or check that it has its own FIPS 140-2 certificate.

If the VPN client does not leverage FIPS 140-2 validated cryptography, this is a finding.
Fix Text (F-37266r2_fix)
Install a VPN client that uses FIPS 140-2 validated cryptographic modules to protect data in transit.