| Review a sample of site-managed devices (3-4), interview the IAO, and review product documentation. |
Note: iOS does not currently provide a FIPS 140-2 validated cryptographic module for application services. Accordingly, third-party applications transmitting or receiving DoD sensitive information (MDM agent, email client, or browser) that leverage FIPS 140-2 validated cryptographic modules must be used to meet the requirement. VPN clients that do not possess the Apple VPN entitlement must also use a third-party FIPS 140-2 validated cryptographic module.
If a site uses an application that transmits or receives sensitive DoD information, verify the application (MDM agent, email client, browser, or VPN client) leverages a FIPS 140-2 validated cryptographic module for this purpose. Review system documentation to identify the FIPS 140-2 certificate for the cryptographic module. Visit the NIST website at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm to verify the certificate is still valid.
If a site uses a third-party application that handles data in transit (MDM agent, email client, or browser) using cryptography that has not been FIPS 140-2 validated, this is a finding.