
The organization must use FIPS 140-2 validated cryptographic modules for unclassified DoD data in transit over Bluetooth (or ZigBee) devices.


Overview

Finding ID: V-35931
Version: SRG-MPOL-013
Rule ID: SV-47247r1_rule
IA Controls:
Severity: Medium
Description
FIPS validation provides assurance that the cryptographic modules are implemented correctly and are resistant to compromise. Failure to use FIPS 140-2 validated cryptographic modules makes it more likely that sensitive DoD data will be exposed to unauthorized individuals. Sites can review listed FIPS 140-2 validated cryptographic modules at these websites:
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm
STIG: Mobile Policy Security Requirements Guide
Date: 2013-01-24

Details

Check Text (C-44168r2_chk)
If the site uses Bluetooth (or ZigBee) for data in transit, check a sample (3-4) of Bluetooth (or ZigBee) enabled devices and note their make and model. Examine the associated product documentation to determine if the devices employ FIPS 140-2 validated cryptographic modules for data in transit. This should be accomplished by reviewing the relevant FIPS certificate in the product documentation or on the NIST website.

If any Bluetooth (or ZigBee) device does not have a FIPS 140-2 validated cryptographic module supporting encryption of data in transit, this is a finding.

Note: This check also applies to wireless USB (WUSB) devices. However, this check does not apply to ZigBee telemetry sensor data or other ZigBee data where the approval authority has determined the data is not sensitive.
Fix Text (F-40455r1_fix)
Disable Bluetooth or utilize only those Bluetooth devices that employ FIPS 140-2 validated cryptographic modules for data in transit.