The application must use mechanisms meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-70159	APSC-DV-001860	SV-84781r2_rule		Medium

Description
A cryptographic module is a hardware or software device or component that performs cryptographic operations securely within a physical or logical boundary, using a hardware, software or hybrid cryptographic engine contained within the boundary, and cryptographic keys that do not leave the boundary. Based on the criticality of the application, system designers might choose to utilize a hardware based cryptographic module due to the protections and security benefits a hardware based solution provides over a software based solution. Due to various factors, including expense, hardware based encryption modules are usually relegated to only those applications where the system requirements specify it as a required protection. Examples include applications that handle extremely sensitive data or those used in life and death situations, e.g., weapons systems. General purpose applications such as a web site will often opt to leverage an underlying software based encryption capability that is offered by the OS, database or application development framework. Operating systems or database products often provide their own cryptographic modules that are FIPS 140-2 compliant and can meet the authentication to the crypto module requirement via their Role Based Access Controls (users and groups) built into the product. In all cases, user’s accessing the cryptographic module must be authenticated and granted the appropriate rights in order to access the encryption module. Any encryption utilized by the access control mechanisms must be FIPS 140-2 compliant.

Description

A cryptographic module is a hardware or software device or component that performs cryptographic operations securely within a physical or logical boundary, using a hardware, software or hybrid cryptographic engine contained within the boundary, and cryptographic keys that do not leave the boundary. Based on the criticality of the application, system designers might choose to utilize a hardware based cryptographic module due to the protections and security benefits a hardware based solution provides over a software based solution. Due to various factors, including expense, hardware based encryption modules are usually relegated to only those applications where the system requirements specify it as a required protection. Examples include applications that handle extremely sensitive data or those used in life and death situations, e.g., weapons systems. General purpose applications such as a web site will often opt to leverage an underlying software based encryption capability that is offered by the OS, database or application development framework. Operating systems or database products often provide their own cryptographic modules that are FIPS 140-2 compliant and can meet the authentication to the crypto module requirement via their Role Based Access Controls (users and groups) built into the product. In all cases, user’s accessing the cryptographic module must be authenticated and granted the appropriate rights in order to access the encryption module. Any encryption utilized by the access control mechanisms must be FIPS 140-2 compliant.

STIG	Date
Application Security and Development Security Technical Implementation Guide	2018-09-13

Details

Check Text ( C-70635r1_chk )
Review the application documentation and interview the application administrator. Identify if the application provides access to cryptographic modules and if access is required in order to manage cryptographic modules contained within the application. If the application does not provide authenticated access to a cryptographic module, the requirement is not applicable. Review and identify the cryptographic module. Refer to the NIST website listing all FIPS-approved cryptographic modules. http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm If the cryptographic module that requires authentication is not on the FIPS-approved module list, this is a finding.

Check Text ( C-70635r1_chk )

Review the application documentation and interview the application administrator.

Identify if the application provides access to cryptographic modules and if access is required in order to manage cryptographic modules contained within the application.

If the application does not provide authenticated access to a cryptographic module, the requirement is not applicable.

Review and identify the cryptographic module. Refer to the NIST website listing all FIPS-approved cryptographic modules.

http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm

If the cryptographic module that requires authentication is not on the FIPS-approved module list, this is a finding.

Fix Text (F-76395r1_fix)
Use FIPS-approved cryptographic modules.