The VPN client on mobile devices used for remote access to DoD networks must be FIPS 140-2 validated.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-18627 | WIR-MOS-iOS-034-01 | SV-40265r2_rule | ECWN-1 | Medium |
| Description |
|---|
| DoD data could be compromised if transmitted data is not secured with a compliant VPN. FIPS validation provides a level of assurance that the encryption of the device has been securely implemented. |
| STIG | Date |
|---|---|
| Apple iOS 6 Interim Security Configuration Guide (ISCG) | 2013-01-17 |
Details
| Check Text ( C-39120r4_chk ) |
|---|
| This check is not applicable if the installed VPN client is not used for remote access to DoD networks. Note: Use of a VPN to access DoD email on a mobile device is not required. Interview the IAO and/or site wireless device administrator and inspect a sample (3-4) of site devices. Review VPN client specification sheets and FIPS 140-2 certificate. Verify the VPN client is FIPS 140-2 validated. Check the NIST certificate for the mobile OS or VPN client. Mark as a finding if the VPN is not FIPS 140-2 validated. |
| Fix Text (F-37266r1_fix) |
|---|
| Install a FIPS 140-2 validated VPN client. |