CCI-000803
Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
The Arista Multilayer Switch must use FIPS-compliant mechanisms for authentication to a cryptographic module.
1 rule found Severity: Medium

The Arista Multilayer Switch must encrypt all methods of configured authentication for the OSPF routing protocol.
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

The FortiGate device must use FIPS 140-2 approved algorithms for authentication to a cryptographic module.
1 rule found Severity: High

The HP FlexFabric Switch must encrypt all methods of configured authentication for routing protocols.
1 rule found Severity: Medium

The HP FlexFabric Switch must use NIST-validated FIPS 140-2 cryptography to implement authentication encryption mechanisms for routing protocols.
1 rule found Severity: Medium

DoD-approved encryption must be implemented to protect the confidentiality and integrity of remote access sessions, information during preparation for transmission, information during reception, and information during transmission in addition to enforcing replay-resistant authentication mechanisms for network access to privileged accounts.
1 rule found Severity: High

The HYCU server must use FIPS-validated algorithms for authentication to a cryptographic module and Keyed-Hash Message Authentication Code (HMAC) to protect the integrity and confidentiality of remote maintenance sessions.
1 rule found Severity: High

The DataPower Gateway must use mechanisms meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
1 rule found Severity: Medium

1 rule found Severity: High

The MQ Appliance messaging server must utilize FIPS 140-2 approved encryption modules when authenticating users and processes.
1 rule found Severity: Medium

The MQ Appliance network device must use mechanisms meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
1 rule found Severity: Medium

The WebSphere Application Server must utilize FIPS 140-2-approved encryption modules when authenticating users and processes.
1 rule found Severity: Medium

The Ivanti MobileIron Core server must use FIPS-validated SHA-2 or higher hash function to protect the integrity of keyed-hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, and hash-only applications.
1 rule found Severity: High

MobileIron Sentry must use FIPS 140-2 approved algorithms for authentication to a cryptographic module.
1 rule found Severity: High

The ISEC7 EMM Suite must use FIPS-validated SHA-2 or higher hash function for digital signature generation and verification (non-legacy use).
1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

SQL Server must use NIST FIPS 140-2 or 140-3 validated cryptographic modules for cryptographic operations.
2 rules found Severity: High

Nutanix AOS pam_unix.so module must be configured in the password-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.
1 rule found Severity: High

OHS must have the LoadModule ossl_module directive enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting stored data.
1 rule found Severity: Medium

OHS must have the SSLFIPS directive enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting stored data.
1 rule found Severity: Medium

OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting stored data.
1 rule found Severity: Medium

OHS must have the SSLCipherSuite directive enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting stored data.
1 rule found Severity: Medium

OHS must have the LoadModule ossl_module directive enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
1 rule found Severity: Medium

OHS must have the SSLFIPS directive enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
1 rule found Severity: Medium

OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
1 rule found Severity: Medium

OHS must have the SSLCipherSuite directive enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
1 rule found Severity: Medium

Oracle WebLogic must use cryptographic modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting stored data.
1 rule found Severity: Medium

Oracle WebLogic must utilize FIPS 140-2 approved encryption modules when authenticating users and processes.
1 rule found Severity: Medium

Riverbed Optimization System (RiOS) must use mechanisms meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
1 rule found Severity: Medium

Northbound API traffic received by the SDN controller must be authenticated using a FIPS-approved message authentication code algorithm.
1 rule found Severity: High

1 rule found Severity: Medium

Innoslate must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access.
1 rule found Severity: High

Symantec ProxySG must be configured to use only FIPS 140-2 approved algorithms for authentication to a cryptographic module with any application or protocol.
1 rule found Severity: High

The Tanium Operating System (TanOS) must use FIPS-validated SHA-2 or higher hash function to protect the integrity of hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, and hash-only applications.
2 rules found Severity: Medium

1 rule found Severity: High

The macOS system must implement approved ciphers within the SSH server configuration to protect the confidentiality of SSH connections.
2 rules found Severity: High

The macOS system must implement approved Message Authentication Codes (MACs) within the SSH server configuration.
2 rules found Severity: High

The macOS system must implement approved Key Exchange Algorithms within the SSH server configuration.
2 rules found Severity: High

The macOS system must implement approved ciphers within the SSH client configuration to protect the confidentiality of SSH connections.
2 rules found Severity: High

The macOS system must implement approved Message Authentication Codes (MACs) within the SSH client configuration.
2 rules found Severity: High

The macOS system must implement approved Key Exchange Algorithms within the SSH client configuration.
2 rules found Severity: High

The Ubuntu operating system must employ FIPS 140-2 approved cryptographic hashing algorithms for all created and stored passwords.
1 rule found Severity: Medium

1 rule found Severity: High

MongoDB must use NIST FIPS 140-2 or 140-3 validated cryptographic modules for cryptographic operations.
2 rules found Severity: High

1 rule found Severity: Medium

The DBMS must implement required cryptographic protections using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
1 rule found Severity: Medium

PostgreSQL must use NIST FIPS 140-2 or 140-3 validated cryptographic modules for cryptographic operations.
3 rules found Severity: High

The DBMS must be configured on a platform that has a NIST certified FIPS 140-2 or 140-3 installation of OpenSSL.
2 rules found Severity: High

The Red Hat Enterprise Linux 7 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections.
1 rule found Severity: Medium

The EDB Postgres Advanced Server must use NIST FIPS 140-2 or 140-3 validated cryptographic modules for all cryptographic operations including generation of cryptographic hashes and data protection.
1 rule found Severity: High

The EDB Postgres Advanced Server must be configured on a platform that has a NIST certified FIPS 140-2 or 140-3 installation of OpenSSL.
1 rule found Severity: High

The BIG-IP appliance must be configured to use mechanisms meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
1 rule found Severity: Medium

Apple iOS/iPadOS 17 must not include applications with the following characteristics: access to Siri when the device is locked.
1 rule found Severity: Medium

The Arista network device must use FIPS 140-2 approved algorithms for authentication to a cryptographic module.
1 rule found Severity: High

The Arista router must be configured to authenticate all routing protocol messages using NIST-validated FIPS 198-1 message authentication code algorithm.
1 rule found Severity: Medium

The Ubuntu operating system must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm.
1 rule found Severity: Medium

The Cisco ASA must be configured to use FIPS-validated SHA-2 at 384 bits or higher for Internet Key Exchange (IKE) Phase 1.
1 rule found Severity: Medium

The Cisco switch must authenticate all VLAN Trunk Protocol (VTP) messages with a hash function using the most secured cryptographic algorithm available.
3 rules found Severity: Medium

The Cisco switch must be configured to enable routing protocol authentication using FIPS 198-1 algorithms with keys not exceeding 180 days of lifetime.
2 rules found Severity: Medium

The Cisco router must be configured to enable routing protocol authentication using FIPS 198-1 algorithms with keys not exceeding 180 days of lifetime.
3 rules found Severity: Medium

The Cisco ISE must use FIPS-validated SHA-2 (or greater) to protect the integrity of hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, and hash-only applications.
1 rule found Severity: High

The EDB Postgres Advanced Server must use NIST FIPS 140-2 or 140-3 validated cryptographic modules for cryptographic operations.
1 rule found Severity: High

The EDB Postgres Advanced Server must be configured on a platform that has a NIST-certified FIPS 140-2 or 140-3 installation of OpenSSL.
1 rule found Severity: High

The HPE 3PAR OS must be configured to initialize its FIPS module to use mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
1 rule found Severity: High

The HPE 3PAR OS cimserver process must be properly configured to operate in FIPS mode in order to use mechanisms meeting the requirements of applicable federal laws, executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
1 rule found Severity: High

The HPE 3PAR OS WSAPI process must be properly configured to operate in FIPS mode in order to use mechanisms meeting the requirements of applicable federal laws, executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
1 rule found Severity: High

AIX must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
1 rule found Severity: Medium

The WebSphere Liberty Server must use FIPS 140-2 approved encryption modules when authenticating users and processes.
1 rule found Severity: High

The ISEC7 SPHERE must use FIPS-validated SHA-2 or higher hash function for digital signature generation and verification (nonlegacy use).
1 rule found Severity: Medium

The ICS must be configured to audit the execution of privileged functions such as accounts additions and changes.
1 rule found Severity: Medium

The Ivanti EPMM server must use FIPS-validated SHA-2 or higher hash function to protect the integrity of keyed-hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, and hash-only applications.
1 rule found Severity: High

1 rule found Severity: High

1 rule found Severity: Medium

The Juniper EX switch must be configured to use FIPS 140-2/140-3 validated algorithms for authentication to a cryptographic module.
1 rule found Severity: High

2 rules found Severity: Medium

The Juniper router must be configured to authenticate all routing protocol messages using NIST-validated FIPS 198-1 message authentication code algorithm.
1 rule found Severity: Medium

The layer 2 switch must authenticate all VLAN Trunk Protocol (VTP) messages with a hash function using the most secured cryptographic algorithm available.
1 rule found Severity: Medium

MarkLogic Server must use NIST FIPS 140-2 or 140-3 validated cryptographic modules for cryptographic operations and protect classified information in accordance with the requirements of the data owner.
1 rule found Severity: High

1 rule found Severity: Medium

3 rules found Severity: Medium

The network device must use FIPS 140-2 approved algorithms for authentication to a cryptographic module.
1 rule found Severity: High

1 rule found Severity: High

Multi-Protocol Labeled Switching (MPLS) protocols deployed to build Label-Switch Path (LSP) tunnels must authenticate all messages with a hash function using the most secured cryptographic algorithm available.
1 rule found Severity: Medium

The Oracle Linux 7 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections.
1 rule found Severity: Medium

The MySQL Database Server 8.0 must use NIST FIPS 140-2 or 140-3 validated cryptographic modules for cryptographic operations.
1 rule found Severity: High

The Riverbed NetProfiler must be configured to implement cryptographic mechanisms using a FIPS 140-2/140-3 validated algorithm to protect the confidentiality and integrity of all cryptographic functions.
1 rule found Severity: High

Redis Enterprise DBMS must use NIST FIPS 140-2 or 140-3 validated cryptographic modules for cryptographic operations.
1 rule found Severity: High

Automation Controller must implement cryptography mechanisms to protect the integrity of information.
1 rule found Severity: High

1 rule found Severity: Medium

The router must be configured to authenticate all routing protocol messages using NIST-validated FIPS 198-1 message authentication code algorithm.
1 rule found Severity: Medium

The SDN controller must be configured to authenticate southbound Application Program Interface (API) control-plane messages received from SDN-enabled network elements using a FIPS-approved message authentication code algorithm.
1 rule found Severity: High

The SDN controller must be configured to authenticate northbound Application Program Interface (API) messages received from business applications and management systems using a FIPS-approved message authentication code algorithm.
1 rule found Severity: High

The SDN controller must be configured to authenticate received southbound Application Program Interface (API) management-plane messages using a FIPS-approved message authentication code algorithm.
1 rule found Severity: High

SLEM 5 must employ FIPS 140-2/140-3-approved cryptographic hashing algorithms for system authentication.
1 rule found Severity: High

1 rule found Severity: High

SLEM 5 must employ FIPS 140-2/140-3 approved cryptographic hashing algorithm for system authentication (login.defs).
1 rule found Severity: Medium

2 rules found Severity: High

Splunk Enterprise must be installed in FIPS mode to implement NIST FIPS-approved cryptography for all cryptographic functions.
1 rule found Severity: High

Samsung Android's Work profile must be configured to not allow installation of applications with the following characteristics:
- Back up MD data to non-DOD cloud servers (including user and application access to cloud backup services);
- Transmit MD diagnostic data to non-DOD servers;
- Voice assistant application if available when MD is locked;
- Voice dialing application if available when MD is locked;
- Allows synchronization of data or applications between devices associated with user; and
- Allows unencrypted (or encrypted but not FIPS 140-3 validated) data sharing with other MDs or printers.
- Apps which backup their own data to a remote system.
1 rule found Severity: Medium

The TOSS pam_unix.so module must be configured in the password-auth file to use a FIPS 140-2-approved cryptographic hashing algorithm for system authentication.
1 rule found Severity: Medium

The TOSS pam_unix.so module must be configured in the system-auth file to use a FIPS 140-2-approved cryptographic hashing algorithm for system authentication.
1 rule found Severity: Medium

The web server must use cryptographic modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting stored data.
1 rule found Severity: High

The web server must use cryptographic modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

The Apache web server must use encryption strength in accordance with the categorization of data hosted by the Apache web server when remote connections are provided.
2 rules found Severity: Medium

An Apache web server must maintain the confidentiality of controlled information during transmission through the use of an approved TLS version.
1 rule found Severity: High

Apple iOS/iPadOS 18 must not include applications with the following characteristics: access to Siri when the device is locked.
1 rule found Severity: Medium

The Apple iOS/iPadOS 18 allow list must be configured to not include applications with the following characteristics:
- Backs up MD data to non-DOD cloud servers (including user and application access to cloud backup services);
- Transmits MD diagnostic data to non-DOD servers;
- Allows synchronization of data or applications between devices associated with user;
- Allows unencrypted (or encrypted but not FIPS 140-3 validated) data sharing with other MDs or printers;
- Backs up its own data to a remote system; and
- Uses artificial intelligence (AI), which processes data in the cloud (off device). Exception: Apple Intelligence Private Cloud Compute (PCC).
1 rule found Severity: Medium

The application server must utilize FIPS 140-2 approved encryption modules when authenticating users and processes.
1 rule found Severity: High

The application must use mechanisms meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
1 rule found Severity: High

Ubuntu 22.04 LTS must encrypt all stored passwords with a FIPS 140-3-approved cryptographic hashing algorithm.
1 rule found Severity: Medium

The Central Log Server must use FIPS-validated SHA-1 or higher hash function to protect the integrity of keyed-hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, hash-only applications, and digital signature verification (legacy use only).
1 rule found Severity: High

The Central Log Server must use FIPS-validated SHA-2 or higher hash function for digital signature generation and verification (non-legacy use).
1 rule found Severity: High

1 rule found Severity: Medium

The Cisco switch must be configured to authenticate all routing protocol messages using NIST-validated FIPS 198-1 message authentication code algorithm.
1 rule found Severity: Medium

AlmaLinux OS 9 must use mechanisms meeting the requirements of applicable federal laws, executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

The container platform must use FIPS-validated SHA-2 or higher hash function for digital signature generation and verification (non-legacy use).
1 rule found Severity: Medium

The DBMS must use NIST FIPS 140-2 or 140-3 validated cryptographic modules for cryptographic operations.
1 rule found Severity: High

The Dell OS10 Switch must use FIPS 140-2 approved algorithms for authentication to a cryptographic module.
1 rule found Severity: High

1 rule found Severity: Medium

The Dell OS10 Router must be configured to authenticate all routing protocol messages using NIST-validated FIPS 198-1 message authentication code algorithm.
1 rule found Severity: Medium

1 rule found Severity: High

Google Android 14 allowlist must be configured to not include applications with the following characteristics:
- Back up mobile device (MD) data to non-DOD cloud servers (including user and application access to cloud backup services);
- Transmit MD diagnostic data to non-DOD servers;
- Voice assistant application if available when MD is locked;
- Voice dialing application if available when MD is locked;
- Allows synchronization of data or applications between devices associated with user; and
- Allows unencrypted (or encrypted but not FIPS 140-2/140-3 validated) data sharing with other MDs or printers.
2 rules found Severity: Medium

Google Android 15 allow list must be configured to not include applications with the following characteristics:
- Backs up MD data to non-DOD cloud servers (including user and application access to cloud backup services);
- Transmits MD diagnostic data to non-DOD servers;
- Voice assistant application if available when MD is locked;
- Voice dialing application if available when MD is locked;
- Allows synchronization of data or applications between devices associated with user;
- Payment processing;
- Allows unencrypted (or encrypted but not FIPS 140-2/140-3 validated) data sharing with other MDs or printers; and
- Backs up its own data to a remote system.
2 rules found Severity: Medium

Google Android 15 allow list must be configured to not include artificial intelligence (AI) applications that process device data in the cloud, including Google Gemini.
2 rules found Severity: Medium

The operating system must use mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
1 rule found Severity: Medium

1 rule found Severity: High

The HYCU virtual appliance must use FIPS 140-2-approved algorithms for authentication to a cryptographic module.
1 rule found Severity: High

AOS, when used as a VPN Gateway, must be configured to use IPsec with SHA-2 at 384 bits or greater for hashing to protect the integrity of remote access sessions.
1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: High

IBM z/OS SSL encryption options for the TN3270 Telnet Server must be specified properly for each statement that defines a SECUREPORT or within the TELNETGLOBALS.
2 rules found Severity: Medium

The Juniper router must be configured to authenticate all routing protocol messages using NIST-validated FIPS 140-2 message authentication code algorithm.
1 rule found Severity: Medium

1 rule found Severity: High

IBM z/OS SSL encryption options for the TN3270 Telnet server must be specified properly for each statement that defines a SECUREPORT or within the TELNETGLOBALS.
1 rule found Severity: Medium

The Mainframe Product must use mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
1 rule found Severity: Medium

1 rule found Severity: High

The Juniper SRX Services Gateway VPN must be configured to use IPsec with SHA256 or greater to negotiate hashing to protect the integrity of remote access sessions.
1 rule found Severity: Medium

SharePoint must implement required cryptographic protections using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: Medium

SharePoint must use mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
1 rule found Severity: High

1 rule found Severity: Medium

Windows Server 2019 Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites.
1 rule found Severity: Medium

The DBMS must use NIST-validated FIPS 140-2 or 140-3 compliant cryptography for authentication mechanisms.
1 rule found Severity: High

The DBMS must implement required cryptographic protections using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
1 rule found Severity: High

Windows Server 2022 Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites.
1 rule found Severity: Medium

The OL 8 "pam_unix.so" module must be configured in the system-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.
1 rule found Severity: Medium

The OL 8 "pam_unix.so" module must be configured in the password-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

Rancher RKE2 must protect authenticity of communications sessions with the use of FIPS-validated 140-2 or 140-3 security requirements for cryptographic modules.
1 rule found Severity: High

OpenShift must use FIPS-validated SHA-2 or higher hash function for digital signature generation and verification (nonlegacy use).
1 rule found Severity: Medium

The RHEL 8 pam_unix.so module must be configured in the password-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.
1 rule found Severity: Medium

1 rule found Severity: Medium

The RHEL 8 pam_unix.so module must be configured in the system-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

The SUSE operating system must employ FIPS 140-2 approved cryptographic hashing algorithm for system authentication (login.defs).
2 rules found Severity: Medium

The SUSE operating system must employ FIPS 140-2-approved cryptographic hashing algorithms for all stored passwords.
2 rules found Severity: Medium

The SUSE operating system must configure the Linux Pluggable Authentication Modules (PAM) to only store encrypted representations of passwords.
1 rule found Severity: Medium

The SUSE operating system must employ FIPS 140-3 approved cryptographic hashing algorithms for all stored passwords.
2 rules found Severity: Medium

1 rule found Severity: Medium

RHEL 9 must use mechanisms meeting the requirements of applicable federal laws, executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
1 rule found Severity: Medium

The SUSE operating system must implement DoD-approved encryption to protect the confidentiality of SSH remote connections.
1 rule found Severity: Medium

The operating system must use mechanisms for authentication to a cryptographic module meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for such authentication.
2 rules found Severity: Medium

Samsung Android's Work environment must be configured to not allow installation of applications with the following characteristics:
- Backs up MD data to non-DOD cloud servers (including user and application access to cloud backup services);
- Transmits MD diagnostic data to non-DOD servers;
- Voice assistant application if available when MD is locked;
- Voice dialing application if available when MD is locked;
- Allows synchronization of data or applications between devices associated with user;
- Payment processing;
- Allows unencrypted (or encrypted but not FIPS 140-2/140-3 validated) data sharing with other MDs or printers; and
- Backs up its own data to a remote system.
2 rules found Severity: Medium

Samsung Android 15 allowlist must be configured to not include artificial intelligence (AI) applications that process device data in the cloud, including Google Gemini.
2 rules found Severity: Medium

Samsung Android's Work profile must be configured to not allow installation of applications with the following characteristics:
- Back up MD data to non-DOD cloud servers (including user and application access to cloud backup services);
- Transmit MD diagnostic data to non-DOD servers;
- Voice assistant application if available when MD is locked;
- Voice dialing application if available when MD is locked;
- Allows synchronization of data or applications between devices associated with user; and
- Allows unencrypted (or encrypted but not FIPS 140-2 validated) data sharing with other MDs or printers.
1 rule found Severity: Medium

Samsung Android must be configured to not allow installation of applications with the following characteristics:
- Back up MD data to non-DOD cloud servers (including user and application access to cloud backup services);
- Transmit MD diagnostic data to non-DOD servers;
- Voice assistant application if available when MD is locked;
- Voice dialing application if available when MD is locked;
- Allows synchronization of data or applications between devices associated with user; and
- Allows unencrypted (or encrypted but not FIPS 140-2 validated) data sharing with other MDs or printers.
1 rule found Severity: Medium

The UEM server must use FIPS-validated SHA-2 or higher hash function to protect the integrity of keyed-hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, and hash-only applications.
1 rule found Severity: High

The application must use FIPS-validated SHA-256 or higher hash function for digital signature generation and verification.
1 rule found Severity: High

The VMM must use mechanisms meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
1 rule found Severity: Medium

The NSX Tier-0 Gateway router must be configured to use encryption for Open Shortest Path First (OSPF) routing protocol authentication.
1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

The Photon operating system must use mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
2 rules found Severity: Medium

The VPN Gateway must use FIPS-validated SHA-2 or higher hash function to protect the integrity of hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, hash-only applications, and digital signature verification.
1 rule found Severity: Medium

Zebra Android 13 allowlist must be configured to not include applications with the following characteristics:
- Back up MD data to non-DOD cloud servers (including user and application access to cloud backup services);
- Transmit MD diagnostic data to non-DOD servers;
- Voice assistant application if available when MD is locked;
- Voice dialing application if available when MD is locked;
- Allows synchronization of data or applications between devices associated with user;
- Payment processing; and
- Allows unencrypted (or encrypted but not FIPS 140-2/140-3 validated) data sharing with other MDs, display screens (screen mirroring), or printers.
2 rules found Severity: Medium

The SSMC web server must use cryptographic modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
1 rule found Severity: High
