Capacity
CCI-000803
Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
19
Rule
Severity: High
The Installed Operating System Is FIPS 140-2 Certified
7
Rule
Severity: Medium
Disable Prelinking
5
Rule
Severity: Medium
Install the dracut-fips-aesni Package
5
Rule
Severity: Medium
Install the dracut-fips Package
13
Rule
Severity: High
Ensure '/etc/system-fips' exists
5
Rule
Severity: High
Enable FIPS Mode in GRUB2
20
Rule
Severity: Medium
Set PAM''s Password Hashing Algorithm
11
Rule
Severity: Medium
Uninstall krb5-workstation Package
13
Rule
Severity: Medium
Set PAM''s Password Hashing Algorithm - password-auth
9
Rule
Severity: Medium
Remove the Kerberos Server Package
11
Rule
Severity: Medium
Disable Kerberos by removing host keytab
18
Rule
Severity: Medium
Use Only FIPS 140-2 Validated Ciphers
17
Rule
Severity: Medium
Use Only FIPS 140-2 Validated MACs
9
Rule
Severity: High
Enable Dracut FIPS Module
9
Rule
Severity: High
Enable FIPS Mode
9
Rule
Severity: High
Set kernel parameter 'crypto.fips_enabled' to 1
8
Rule
Severity: Medium
Set Password Hashing Rounds in /etc/login.defs
10
Rule
Severity: Medium
Verify All Account Password Hashes are Shadowed with SHA512
2
Rule
Severity: Medium
Set PAM's Common Authentication Hashing Algorithm
4
Rule
Severity: Medium
The Apache web server must use encryption strength in accordance with the categorization of data hosted by the Apache web server when remote connections are provided.
2
Rule
Severity: High
An Apache web server must maintain the confidentiality of controlled information during transmission through the use of an approved TLS version.
1
Rule
Severity: Medium
The Arista Multilayer Switch must use FIPS-compliant mechanisms for authentication to a cryptographic module.
1
Rule
Severity: Medium
The Arista Multilayer Switch must encrypt all methods of configured authentication for the OSPF routing protocol.
1
Rule
Severity: Medium
The Arista Multilayer Switch must not enable the RIP routing protocol.
2
Rule
Severity: Medium
The Arista router must be configured to authenticate all routing protocol messages using NIST-validated FIPS 198-1 message authentication code algorithm.
2
Rule
Severity: High
The application server must utilize FIPS 140-2 approved encryption modules when authenticating users and processes.
2
Rule
Severity: High
The Arista network device must use FIPS 140-2 approved algorithms for authentication to a cryptographic module.
2
Rule
Severity: High
The application must use mechanisms meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
1
Rule
Severity: Medium
The BlackBerry Enterprise Mobility Server (BEMS) server must be configured to enable FIPS mode.
2
Rule
Severity: High
The Central Log Server must use FIPS-validated SHA-1 or higher hash function to protect the integrity of keyed-hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, hash-only applications, and digital signature verification (legacy use only).
2
Rule
Severity: High
The Central Log Server must use FIPS-validated SHA-2 or higher hash function for digital signature generation and verification (non-legacy use).
1
Rule
Severity: High
FIPS mode must be enabled on all Docker Engine - Enterprise nodes.
1
Rule
Severity: High
The FortiGate device must use FIPS 140-2 approved algorithms for authentication to a cryptographic module.
2
Rule
Severity: High
Forescout must use FIPS 140-2 approved algorithms for authentication to a cryptographic module.
1
Rule
Severity: Medium
The HP FlexFabric Switch must encrypt all methods of configured authentication for routing protocols.
1
Rule
Severity: Medium
The HP FlexFabric Switch must use NIST-validated FIPS 140-2 cryptography to implement authentication encryption mechanisms for routing protocols.
1
Rule
Severity: High
DoD-approved encryption must be implemented to protect the confidentiality and integrity of remote access sessions, information during preparation for transmission, information during reception, and information during transmission in addition to enforcing replay-resistant authentication mechanisms for network access to privileged accounts.
1
Rule
Severity: High
The HYCU server must use FIPS-validated algorithms for authentication to a cryptographic module and Keyed-Hash Message Authentication Code (HMAC) to protect the integrity and confidentiality of remote maintenance sessions.
1
Rule
Severity: Medium
The DataPower Gateway must use mechanisms meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
1
Rule
Severity: High
DB2 must use NIST FIPS 140-2 validated cryptographic modules for cryptographic operations.
1
Rule
Severity: Medium
The MQ Appliance messaging server must utilize FIPS 140-2 approved encryption modules when authenticating users and processes.
2
Rule
Severity: High
The WebSphere Liberty Server must use FIPS 140-2 approved encryption modules when authenticating users and processes.
1
Rule
Severity: Medium
The MQ Appliance network device must use mechanisms meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
1
Rule
Severity: Medium
The WebSphere Application Server must utilize FIPS 140-2-approved encryption modules when authenticating users and processes.
1
Rule
Severity: High
The IBM z/VM TCP/IP VMSSL command operands must be configured properly.
1
Rule
Severity: High
The Ivanti MobileIron Core server must use FIPS-validated SHA-2 or higher hash function to protect the integrity of keyed-hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, and hash-only applications.
1
Rule
Severity: High
MobileIron Sentry must use FIPS 140-2 approved algorithms for authentication to a cryptographic module.
2
Rule
Severity: Medium
The ISEC7 EMM Suite must use FIPS-validated SHA-2 or higher hash function for digital signature generation and verification (non-legacy use).
4
Rule
Severity: Medium
The Juniper router must be configured to use encryption for routing protocol authentication.
2
Rule
Severity: Medium
The Juniper router must be configured to authenticate all routing protocol messages using NIST-validated FIPS 140-2 message authentication code algorithm.
2
Rule
Severity: Medium
The layer 2 switch must authenticate all VLAN Trunk Protocol (VTP) messages with a hash function using the most secured cryptographic algorithm available.
2
Rule
Severity: Medium
The Juniper SRX Services Gateway VPN must use FIPS 140-2 compliant mechanisms for authentication to a cryptographic module.
2
Rule
Severity: Medium
The Mainframe Product must use mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
2
Rule
Severity: Medium
Message formats must be set to use SMime.
3
Rule
Severity: Medium
Run in FIPS compliant mode must be enforced.
2
Rule
Severity: Medium
S/Mime interoperability with external clients for message handling must be configured.
1
Rule
Severity: Medium
S/Mime interoperability with external clients for message handling must be configured.
1
Rule
Severity: Medium
Message formats must be set to use SMime.
1
Rule
Severity: High
All SCOM servers must be configured for FIPS 140-2 compliance.
1
Rule
Severity: High
SharePoint must implement required cryptographic protections using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
1
Rule
Severity: High
SharePoint must use mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
3
Rule
Severity: High
SQL Server must use NIST FIPS 140-2 or 140-3 validated cryptographic modules for cryptographic operations.
2
Rule
Severity: High
ONTAP must be configured to implement cryptographic mechanisms using FIPS 140-2.
2
Rule
Severity: High
The network device must use FIPS 140-2 approved algorithms for authentication to a cryptographic module.
1
Rule
Severity: High
Nutanix AOS pam_unix.so module must be configured in the password-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.
1
Rule
Severity: Medium
OHS must have the LoadModule ossl_module directive enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting stored data.
1
Rule
Severity: Medium
OHS must have the SSLFIPS directive enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting stored data.
1
Rule
Severity: Medium
OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting stored data.
1
Rule
Severity: Medium
OHS must have the SSLCipherSuite directive enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting stored data.
1
Rule
Severity: Medium
OHS must have the LoadModule ossl_module directive enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
1
Rule
Severity: Medium
OHS must have the SSLFIPS directive enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
1
Rule
Severity: Medium
OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
1
Rule
Severity: Medium
OHS must have the SSLCipherSuite directive enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
1
Rule
Severity: Medium
Oracle WebLogic must use cryptographic modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting stored data.
1
Rule
Severity: Medium
Oracle WebLogic must utilize FIPS 140-2 approved encryption modules when authenticating users and processes.
2
Rule
Severity: Medium
Prisma Cloud Compute release tar distributions must have an associated SHA-256 digest.
2
Rule
Severity: High
The Riverbed NetProfiler must be configured to implement cryptographic mechanisms using a FIPS 140-2/140-3 validated algorithm to protect the confidentiality and integrity of all cryptographic functions.
2
Rule
Severity: Medium
The router must be configured to use encryption for routing protocol authentication.
2
Rule
Severity: Medium
The router must be configured to authenticate all routing protocol messages using NIST-validated FIPS 198-1 message authentication code algorithm.
1
Rule
Severity: Medium
Riverbed Optimization System (RiOS) must use mechanisms meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
2
Rule
Severity: High
The SDN controller must be configured to authenticate southbound Application Program Interface (API) control-plane messages received from SDN-enabled network elements using a FIPS-approved message authentication code algorithm.
2
Rule
Severity: High
The SDN controller must be configured to authenticate northbound Application Program Interface (API) messages received from business applications and management systems using a FIPS-approved message authentication code algorithm.
2
Rule
Severity: High
The SDN controller must be configured to authenticate received southbound Application Program Interface (API) management-plane messages using a FIPS-approved message authentication code algorithm.
1
Rule
Severity: High
Northbound API traffic received by the SDN controller must be authenticated using a FIPS-approved message authentication code algorithm.
1
Rule
Severity: Medium
The SEL-2740S must be configured to establish trust relationships with parent OTSDN Controller(s).
1
Rule
Severity: High
Innoslate must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access.
4
Rule
Severity: High
Splunk Enterprise must use TLS 1.2 and SHA-2 or higher cryptographic algorithms.
1
Rule
Severity: High
Symantec ProxySG must be configured to use only FIPS 140-2 approved algorithms for authentication to a cryptographic module with any application or protocol.
2
Rule
Severity: High
The TippingPoint TPS must have FIPS Mode enforced.
2
Rule
Severity: Medium
The Tanium Operating System (TanOS) must use FIPS-validated SHA-2 or higher hash function to protect the integrity of hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, and hash-only applications.
2
Rule
Severity: High
The UEM server must use FIPS-validated SHA-2 or higher hash function to protect the integrity of keyed-hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, and hash-only applications.
2
Rule
Severity: High
The application must use FIPS-validated SHA-256 or higher hash function for digital signature generation and verification.
1
Rule
Severity: High
The Horizon Connection Server must only use FIPS 140-2 validated cryptographic modules.
2
Rule
Severity: Medium
The VPN Gateway must use FIPS-validated SHA-2 or higher hash function to protect the integrity of hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, hash-only applications, and digital signature verification.
2
Rule
Severity: Medium
The Apache web server must use cryptography to protect the integrity of remote sessions.
2
Rule
Severity: High
Tomcat must use FIPS-validated ciphers on secured connectors.
2
Rule
Severity: Medium
Apple iOS/iPadOS 17 must not include applications with the following characteristics: access to Siri when the device is locked.
3
Rule
Severity: High
The macOS system must implement approved ciphers within the SSH server configuration to protect the confidentiality of SSH connections.
3
Rule
Severity: High
The macOS system must implement approved Message Authentication Codes (MACs) within the SSH server configuration.
3
Rule
Severity: High
The macOS system must implement approved Key Exchange Algorithms within the SSH server configuration.
1
Rule
Severity: High
The macOS system must implement approved ciphers to protect the confidentiality of SSH connections.
1
Rule
Severity: High
The macOS system must implement approved Message Authentication Codes (MACs).
1
Rule
Severity: High
The macOS system must implement approved Key Exchange Algorithms.
3
Rule
Severity: High
The macOS system must implement approved ciphers within the SSH client configuration to protect the confidentiality of SSH connections.
3
Rule
Severity: High
The macOS system must implement approved Message Authentication Codes (MACs) within the SSH client configuration.
3
Rule
Severity: High
The macOS system must implement approved Key Exchange Algorithms within the SSH client configuration.
3
Rule
Severity: High
The macOS system must limit SSHD to FIPS-compliant connections.
3
Rule
Severity: High
The macOS system must limit SSH to FIPS-compliant connections.
1
Rule
Severity: Medium
The Ubuntu operating system must employ a FIPS 140-2 approved cryptographic hashing algorithms for all created and stored passwords.
2
Rule
Severity: Medium
The Ubuntu operating system must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm.
4
Rule
Severity: High
PostgreSQL must use NIST FIPS 140-2 or 140-3 validated cryptographic modules for cryptographic operations.
3
Rule
Severity: High
The DBMS must be configured on a platform that has a NIST certified FIPS 140-2 or 140-3 installation of OpenSSL.
2
Rule
Severity: Medium
The Cisco ASA must be configured to use FIPS-validated SHA-2 at 384 bits or higher for Internet Key Exchange (IKE) Phase 1.
6
Rule
Severity: Medium
The Cisco router must be configured to enable routing protocol authentication using FIPS 198-1 algorithms with keys not exceeding 180 days of lifetime.
6
Rule
Severity: Medium
The Cisco switch must authenticate all VLAN Trunk Protocol (VTP) messages with a hash function using the most secured cryptographic algorithm available.
4
Rule
Severity: Medium
The Cisco switch must be configured to enable routing protocol authentication using FIPS 198-1 algorithms with keys not exceeding 180 days of lifetime.
2
Rule
Severity: High
The Cisco ISE must use FIPS-validated SHA-2 (or greater) to protect the integrity of hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, and hash-only applications.
2
Rule
Severity: Medium
The Cisco switch must be configured to use encryption for routing protocol authentication.
2
Rule
Severity: Medium
The Cisco switch must be configured to authenticate all routing protocol messages using NIST-validated FIPS 198-1 message authentication code algorithm.
2
Rule
Severity: Medium
The container platform must use FIPS-validated SHA-2 or higher hash function for digital signature generation and verification (non-legacy use).
2
Rule
Severity: High
The EDB Postgres Advanced Server must use NIST FIPS 140-2 or 140-3 validated cryptographic modules for cryptographic operations.
2
Rule
Severity: High
The EDB Postgres Advanced Server must be configured on a platform that has a NIST-certified FIPS 140-2 or 140-3 installation of OpenSSL.
2
Rule
Severity: High
The DBMS must use NIST FIPS 140-2 or 140-3 validated cryptographic modules for cryptographic operations.
4
Rule
Severity: Medium
Google Android 14 allowlist must be configured to not include applications with the following characteristics:
- Back up mobile device (MD) data to non-DOD cloud servers (including user and application access to cloud backup services);
- Transmit MD diagnostic data to non-DOD servers;
- Voice assistant application if available when MD is locked;
- Voice dialing application if available when MD is locked;
- Allows synchronization of data or applications between devices associated with user; and
- Allows unencrypted (or encrypted but not FIPS 140-2/140-3 validated) data sharing with other MDs or printers.
2
Rule
Severity: Medium
The operating system must use mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
2
Rule
Severity: High
The HPE 3PAR OS must be configured to initialize its FIPS module to use mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
2
Rule
Severity: High
The HPE 3PAR OS cimserver process must be properly configured to operate in FIPS mode in order to use mechanisms meeting the requirements of applicable federal laws, executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
2
Rule
Severity: High
The HPE 3PAR OS WSAPI process must be properly configured to operate in FIPS mode in order to use mechanisms meeting the requirements of applicable federal laws, executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
2
Rule
Severity: Medium
AIX must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
2
Rule
Severity: High
IBM z/OS SSH daemon must be configured to use a FIPS 140-2 compliant cryptographic algorithm.
4
Rule
Severity: Medium
IBM z/OS SSL encryption options for the TN3270 Telnet Server must be specified properly for each statement that defines a SECUREPORT or within the TELNETGLOBALS.
2
Rule
Severity: High
NIST FIPS-validated cryptography must be used to protect passwords in the security database.
2
Rule
Severity: High
The SSH daemon must be configured to use a FIPS 140-2 compliant cryptographic algorithm.
2
Rule
Severity: Medium
IBM z/OS SSL encryption options for the TN3270 Telnet server must be specified properly for each statement that defines a SECUREPORT or within the TELNETGLOBALS.
2
Rule
Severity: Medium
The Juniper layer 2 switch must be configured to disable all dynamic VLAN registration protocols.
2
Rule
Severity: Medium
The ICS must be configured to audit the execution of privileged functions such as accounts additions and changes.
2
Rule
Severity: Medium
The Juniper router must be configured to authenticate all routing protocol messages using NIST-validated FIPS 198-1 message authentication code algorithm.
1
Rule
Severity: High
The Juniper EX switch must be configured to use FIPS 140-2 approved algorithms for authentication to a cryptographic module.
2
Rule
Severity: High
MarkLogic Server must use NIST FIPS 140-2 or 140-3 validated cryptographic modules for cryptographic operations and protect classified information in accordance with the requirements of the data owner.
2
Rule
Severity: High
MariaDB must use NIST FIPS 140-2 validated cryptographic modules for cryptographic operations.
1
Rule
Severity: High
MongoDB must use NIST FIPS 140-2-validated cryptographic modules for cryptographic operations.
2
Rule
Severity: High
MongoDB must use NIST FIPS 140-2 or 140-3 validated cryptographic modules for cryptographic operations.
3
Rule
Severity: Medium
Consistent MIME handling must be enabled for all Office 365 ProPlus programs.
3
Rule
Severity: Medium
The MIME Sniffing safety feature must be enabled in all Office programs.
3
Rule
Severity: Medium
Object Caching Protection must be enabled in all Office programs.
2
Rule
Severity: Medium
Windows 10 must be configured to prioritize ECC Curves with longer key lengths first.
6
Rule
Severity: Medium
Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites.
2
Rule
Severity: Medium
Windows 11 must be configured to prioritize ECC Curves with longer key lengths first.
2
Rule
Severity: Medium
Windows Server 2019 Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites.
2
Rule
Severity: Medium
Windows Server 2022 Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites.
2
Rule
Severity: Medium
Multi-Protocol Labeled Switching (MPLS) protocols deployed to build Label-Switch Path (LSP) tunnels must authenticate all messages with a hash function using the most secured cryptographic algorithm available.
1
Rule
Severity: Medium
The DBMS must use NIST-validated FIPS 140-2-compliant cryptography for authentication mechanisms.
1
Rule
Severity: Medium
The DBMS must implement required cryptographic protections using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
2
Rule
Severity: High
The DBMS must use NIST-validated FIPS 140-2 or 140-3 compliant cryptography for authentication mechanisms.
2
Rule
Severity: High
The DBMS must implement required cryptographic protections using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
2
Rule
Severity: Medium
The Oracle Linux 7 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections.
2
Rule
Severity: Medium
The OL 8 "pam_unix.so" module must be configured in the system-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.
2
Rule
Severity: Medium
The OL 8 "pam_unix.so" module must be configured in the password-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.
2
Rule
Severity: Medium
OL 8 must prevent system daemons from using Kerberos for authentication.
2
Rule
Severity: Medium
The krb5-workstation package must not be installed on OL 8.
2
Rule
Severity: Medium
The krb5-server package must not be installed on OL 8.
2
Rule
Severity: High
The MySQL Database Server 8.0 must use NIST FIPS 140-2 or 140-3 validated cryptographic modules for cryptographic operations.
2
Rule
Severity: High
Automation Controller must implement cryptography mechanisms to protect the integrity of information.
2
Rule
Severity: High
Redis Enterprise DBMS must use NIST FIPS 140-2 or 140-3 validated cryptographic modules for cryptographic operations.
2
Rule
Severity: Medium
OpenShift must use FIPS-validated SHA-2 or higher hash function for digital signature generation and verification (nonlegacy use).
2
Rule
Severity: Medium
The RHEL 8 pam_unix.so module must be configured in the password-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.
2
Rule
Severity: Medium
RHEL 8 must prevent system daemons from using Kerberos for authentication.
2
Rule
Severity: Medium
The krb5-workstation package must not be installed on RHEL 8.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux 7 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections.
4
Rule
Severity: Medium
The SUSE operating system must employ FIPS 140-2 approved cryptographic hashing algorithm for system authentication (login.defs).
8
Rule
Severity: Medium
The SUSE operating system must employ FIPS 140-2-approved cryptographic hashing algorithms for all stored passwords.
2
Rule
Severity: Medium
The SUSE operating system must configure the Linux Pluggable Authentication Modules (PAM) to only store encrypted representations of passwords.
2
Rule
Severity: Medium
The krb5-server package must not be installed on RHEL 8.
2
Rule
Severity: Medium
The RHEL 8 pam_unix.so module must be configured in the system-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.
2
Rule
Severity: Medium
RHEL 9 libreswan package must be installed.
2
Rule
Severity: Medium
The SUSE operating system must implement DoD-approved encryption to protect the confidentiality of SSH remote connections.
2
Rule
Severity: Medium
RHEL 9 password-auth must be configured to use a sufficient number of hashing rounds.
2
Rule
Severity: Medium
RHEL 9 system-auth must be configured to use a sufficient number of hashing rounds.
1
Rule
Severity: Medium
RHEL 9 shadow password suite must be configured to use a sufficient number of hashing rounds.
2
Rule
Severity: Medium
RHEL 9 must prevent system daemons from using Kerberos for authentication.
2
Rule
Severity: Medium
RHEL 9 must have the packages required for encrypting offloaded audit logs installed.
2
Rule
Severity: Medium
RHEL 9 must employ FIPS 140-3 approved cryptographic hashing algorithms for all stored passwords.
2
Rule
Severity: Medium
RHEL 9 must use mechanisms meeting the requirements of applicable federal laws, executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
4
Rule
Severity: Medium
The operating system must use mechanisms for authentication to a cryptographic module meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for such authentication.
2
Rule
Severity: High
Splunk Enterprise must be installed in FIPS mode to implement NIST FIPS-approved cryptography for all cryptographic functions.
2
Rule
Severity: Medium
Samsung Android must be configured to not allow installation of applications with the following characteristics:
- Back up MD data to non-DOD cloud servers (including user and application access to cloud backup services);
- Transmit MD diagnostic data to non-DOD servers;
- Voice assistant application if available when MD is locked;
- Voice dialing application if available when MD is locked;
- Allows synchronization of data or applications between devices associated with user; and
- Allows unencrypted (or encrypted but not FIPS 140-2 validated) data sharing with other MDs or printers.
2
Rule
Severity: Medium
Samsung Android's Work profile must be configured to not allow installation of applications with the following characteristics:
- Back up MD data to non-DOD cloud servers (including user and application access to cloud backup services);
- Transmit MD diagnostic data to non-DOD servers;
- Voice assistant application if available when MD is locked;
- Voice dialing application if available when MD is locked;
- Allows synchronization of data or applications between devices associated with user; and
- Allows unencrypted (or encrypted but not FIPS 140-2 validated) data sharing with other MDs or printers.
2
Rule
Severity: Medium
The VMM must use mechanisms meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
1
Rule
Severity: High
VAMI must enable FIPS mode.
4
Rule
Severity: High
The vCenter Server must enable FIPS-validated cryptography.
1
Rule
Severity: Medium
The Photon operating system must use an OpenSSH server version that does not support protocol 1.
1
Rule
Severity: High
VMware Postgres must use FIPS 140-2 approved Transport Layer Security (TLS) ciphers.
1
Rule
Severity: Medium
Envoy must be configured to operate in FIPS mode.
3
Rule
Severity: Medium
The Photon operating system must use mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
2
Rule
Severity: High
The vCenter VAMI service must enable FIPS mode.
2
Rule
Severity: High
The web server must use cryptographic modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting stored data.
2
Rule
Severity: Medium
The web server must use cryptographic modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
1
Rule
Severity: High
The EDB Postgres Advanced Server must use NIST FIPS 140-2 or 140-3 validated cryptographic modules for all cryptographic operations including generation of cryptographic hashes and data protection.
1
Rule
Severity: High
The EDB Postgres Advanced Server must be configured on a platform that has a NIST certified FIPS 140-2 or 140-3 installation of OpenSSL.
1
Rule
Severity: Medium
The BIG-IP appliance must be configured to use mechanisms meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
1
Rule
Severity: Medium
Ubuntu 22.04 LTS must encrypt all stored passwords with a FIPS 140-3-approved cryptographic hashing algorithm.
2
Rule
Severity: Medium
Google Android 15 allow list must be configured to not include applications with the following characteristics:
- Backs up MD data to non-DOD cloud servers (including user and application access to cloud backup services);
- Transmits MD diagnostic data to non-DOD servers;
- Voice assistant application if available when MD is locked;
- Voice dialing application if available when MD is locked;
- Allows synchronization of data or applications between devices associated with user;
- Payment processing;
- Allows unencrypted (or encrypted but not FIPS 140-2/140-3 validated) data sharing with other MDs or printers; and
- Backs up its own data to a remote system.
2
Rule
Severity: Medium
Google Android 15 allow list must be configured to not include artificial intelligence (AI) applications that process device data in the cloud, including Google Gemini.
1
Rule
Severity: Medium
The ISEC7 SPHERE must use FIPS-validated SHA-2 or higher hash function for digital signature generation and verification (nonlegacy use).
1
Rule
Severity: High
The Ivanti EPMM server must use FIPS-validated SHA-2 or higher hash function to protect the integrity of keyed-hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, and hash-only applications.
1
Rule
Severity: High
Sentry must use FIPS 140-2 approved algorithms for authentication to a cryptographic module.
1
Rule
Severity: High
The Juniper EX switch must be configured to use FIPS 140-2/140-3 validated algorithms for authentication to a cryptographic module.
1
Rule
Severity: High
FIPS mode must be enabled.
1
Rule
Severity: High
Rancher RKE2 must protect authenticity of communications sessions with the use of FIPS-validated 140-2 or 140-3 security requirements for cryptographic modules.
1
Rule
Severity: High
SLEM 5 must employ FIPS 140-2/140-3-approved cryptographic hashing algorithms for system authentication.
1
Rule
Severity: High
SLEM 5 shadow password suite must be configured to use a sufficient number of hashing rounds.
1
Rule
Severity: Medium
SLEM 5 must employ FIPS 140-2/140-3 approved cryptographic hashing algorithm for system authentication (login.defs).
1
Rule
Severity: Medium
Samsung Android's Work profile must be configured to not allow installation of applications with the following characteristics:
- Back up MD data to non-DOD cloud servers (including user and application access to cloud backup services);
- Transmit MD diagnostic data to non-DOD servers;
- Voice assistant application if available when MD is locked;
- Voice dialing application if available when MD is locked;
- Allows synchronization of data or applications between devices associated with user; and
- Allows unencrypted (or encrypted but not FIPS 140-3 validated) data sharing with other MDs or printers.
- Apps which backup their own data to a remote system.
1
Rule
Severity: Medium
The TOSS pam_unix.so module must be configured in the password-auth file to use a FIPS 140-2-approved cryptographic hashing algorithm for system authentication.
1
Rule
Severity: Medium
The TOSS pam_unix.so module must be configured in the system-auth file to use a FIPS 140-2-approved cryptographic hashing algorithm for system authentication.
1
Rule
Severity: High
The NSX Tier-0 Gateway router must be configured to use encryption for Open Shortest Path First (OSPF) routing protocol authentication.
1
Rule
Severity: Medium
Apple iOS/iPadOS 18 must not include applications with the following characteristics: access to Siri when the device is locked.
1
Rule
Severity: Medium
Apple iOS/iPadOS 18 allow list must be configured to not include applications with the following characteristics: - Backs up MD data to non-DOD cloud servers (including user and application access to cloud backup services);- Transmits MD diagnostic data to non-DOD servers;- Allows synchronization of data or applications between devices associated with user; and- Allows unencrypted (or encrypted but not FIPS 140-3 validated) data sharing with other MDs or printers.- Apps which backup their own data to a remote system.
Patternfly
PatternFly elements
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.
Modules