CCI-000803
Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
The Arista Multilayer Switch must use FIPS-compliant mechanisms for authentication to a cryptographic module.
1 rule found Severity: Medium
The Arista Multilayer Switch must encrypt all methods of configured authentication for the OSPF routing protocol.
1 rule found Severity: Medium
1 rule found Severity: Medium
1 rule found Severity: Medium
The FortiGate device must use FIPS 140-2 approved algorithms for authentication to a cryptographic module.
1 rule found Severity: High
The HP FlexFabric Switch must encrypt all methods of configured authentication for routing protocols.
1 rule found Severity: Medium
The HP FlexFabric Switch must use NIST-validated FIPS 140-2 cryptography to implement authentication encryption mechanisms for routing protocols.
1 rule found Severity: Medium
DoD-approved encryption must be implemented to protect the confidentiality and integrity of remote access sessions, information during preparation for transmission, information during reception, and information during transmission in addition to enforcing replay-resistant authentication mechanisms for network access to privileged accounts.
1 rule found Severity: High
The HYCU server must use FIPS-validated algorithms for authentication to a cryptographic module and Keyed-Hash Message Authentication Code (HMAC) to protect the integrity and confidentiality of remote maintenance sessions.
1 rule found Severity: High
The DataPower Gateway must use mechanisms meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
1 rule found Severity: Medium
1 rule found Severity: High
The MQ Appliance messaging server must utilize FIPS 140-2 approved encryption modules when authenticating users and processes.
1 rule found Severity: Medium
The MQ Appliance network device must use mechanisms meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
1 rule found Severity: Medium
The WebSphere Application Server must utilize FIPS 140-2-approved encryption modules when authenticating users and processes.
1 rule found Severity: Medium
The Ivanti MobileIron Core server must use FIPS-validated SHA-2 or higher hash function to protect the integrity of keyed-hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, and hash-only applications.
1 rule found Severity: High
MobileIron Sentry must use FIPS 140-2 approved algorithms for authentication to a cryptographic module.
1 rule found Severity: High
The ISEC7 EMM Suite must use FIPS-validated SHA-2 or higher hash function for digital signature generation and verification (non-legacy use).
1 rule found Severity: Medium
2 rules found Severity: Medium
1 rule found Severity: Medium
SQL Server must use NIST FIPS 140-2 or 140-3 validated cryptographic modules for cryptographic operations.
2 rules found Severity: High
Nutanix AOS pam_unix.so module must be configured in the password-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.
1 rule found Severity: High
OHS must have the LoadModule ossl_module directive enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting stored data.
1 rule found Severity: Medium
OHS must have the SSLFIPS directive enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting stored data.
1 rule found Severity: Medium
OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting stored data.
1 rule found Severity: Medium
OHS must have the SSLCipherSuite directive enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting stored data.
1 rule found Severity: Medium
OHS must have the LoadModule ossl_module directive enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
1 rule found Severity: Medium
OHS must have the SSLFIPS directive enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
1 rule found Severity: Medium
OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
1 rule found Severity: Medium
OHS must have the SSLCipherSuite directive enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
1 rule found Severity: Medium
Oracle WebLogic must use cryptographic modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting stored data.
1 rule found Severity: Medium
Oracle WebLogic must utilize FIPS 140-2 approved encryption modules when authenticating users and processes.
1 rule found Severity: Medium
Riverbed Optimization System (RiOS) must use mechanisms meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
1 rule found Severity: Medium
Northbound API traffic received by the SDN controller must be authenticated using a FIPS-approved message authentication code algorithm.
1 rule found Severity: High
1 rule found Severity: Medium
Innoslate must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access.
1 rule found Severity: High
Symantec ProxySG must be configured to use only FIPS 140-2 approved algorithms for authentication to a cryptographic module with any application or protocol.
1 rule found Severity: High
The Tanium Operating System (TanOS) must use FIPS-validated SHA-2 or higher hash function to protect the integrity of hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, and hash-only applications.
2 rules found Severity: Medium
1 rule found Severity: High
The macOS system must implement approved ciphers within the SSH server configuration to protect the confidentiality of SSH connections.
2 rules found Severity: High
The macOS system must implement approved Message Authentication Codes (MACs) within the SSH server configuration.
2 rules found Severity: High
The macOS system must implement approved Key Exchange Algorithms within the SSH server configuration.
2 rules found Severity: High
The macOS system must implement approved ciphers within the SSH client configuration to protect the confidentiality of SSH connections.
2 rules found Severity: High
The macOS system must implement approved Message Authentication Codes (MACs) within the SSH client configuration.
2 rules found Severity: High
The macOS system must implement approved Key Exchange Algorithms within the SSH client configuration.
2 rules found Severity: High
The Ubuntu operating system must employ a FIPS 140-2 approved cryptographic hashing algorithms for all created and stored passwords.
1 rule found Severity: Medium
1 rule found Severity: High
MongoDB must use NIST FIPS 140-2 or 140-3 validated cryptographic modules for cryptographic operations.
2 rules found Severity: High
1 rule found Severity: Medium
The DBMS must implement required cryptographic protections using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
1 rule found Severity: Medium
PostgreSQL must use NIST FIPS 140-2 or 140-3 validated cryptographic modules for cryptographic operations.
3 rules found Severity: High
The DBMS must be configured on a platform that has a NIST certified FIPS 140-2 or 140-3 installation of OpenSSL.
2 rules found Severity: High
The Red Hat Enterprise Linux 7 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections.
1 rule found Severity: Medium
The EDB Postgres Advanced Server must use NIST FIPS 140-2 or 140-3 validated cryptographic modules for all cryptographic operations including generation of cryptographic hashes and data protection.
1 rule found Severity: High
The EDB Postgres Advanced Server must be configured on a platform that has a NIST certified FIPS 140-2 or 140-3 installation of OpenSSL.
1 rule found Severity: High
The BIG-IP appliance must be configured to use mechanisms meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
1 rule found Severity: Medium
Apple iOS/iPadOS 17 must not include applications with the following characteristics: access to Siri when the device is locked.
1 rule found Severity: Medium
The Arista network device must use FIPS 140-2 approved algorithms for authentication to a cryptographic module.
1 rule found Severity: High
The Arista router must be configured to authenticate all routing protocol messages using NIST-validated FIPS 198-1 message authentication code algorithm.
1 rule found Severity: Medium
The Ubuntu operating system must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm.
1 rule found Severity: Medium
The Cisco ASA must be configured to use FIPS-validated SHA-2 at 384 bits or higher for Internet Key Exchange (IKE) Phase 1.
1 rule found Severity: Medium
The Cisco switch must authenticate all VLAN Trunk Protocol (VTP) messages with a hash function using the most secured cryptographic algorithm available.
3 rules found Severity: Medium
The Cisco switch must be configured to enable routing protocol authentication using FIPS 198-1 algorithms with keys not exceeding 180 days of lifetime.
2 rules found Severity: Medium
The Cisco router must be configured to enable routing protocol authentication using FIPS 198-1 algorithms with keys not exceeding 180 days of lifetime.
3 rules found Severity: Medium
The Cisco ISE must use FIPS-validated SHA-2 (or greater) to protect the integrity of hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, and hash-only applications.
1 rule found Severity: High
The EDB Postgres Advanced Server must use NIST FIPS 140-2 or 140-3 validated cryptographic modules for cryptographic operations.
1 rule found Severity: High
The EDB Postgres Advanced Server must be configured on a platform that has a NIST-certified FIPS 140-2 or 140-3 installation of OpenSSL.
1 rule found Severity: High
The HPE 3PAR OS must be configured to initialize its FIPS module to use mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
1 rule found Severity: High
The HPE 3PAR OS cimserver process must be properly configured to operate in FIPS mode in order to use mechanisms meeting the requirements of applicable federal laws, executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
1 rule found Severity: High
The HPE 3PAR OS WSAPI process must be properly configured to operate in FIPS mode in order to use mechanisms meeting the requirements of applicable federal laws, executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
1 rule found Severity: High
AIX must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
1 rule found Severity: Medium
The WebSphere Liberty Server must use FIPS 140-2 approved encryption modules when authenticating users and processes.
1 rule found Severity: High
The ISEC7 SPHERE must use FIPS-validated SHA-2 or higher hash function for digital signature generation and verification (nonlegacy use).
1 rule found Severity: Medium
The ICS must be configured to audit the execution of privileged functions such as accounts additions and changes.
1 rule found Severity: Medium
The Ivanti EPMM server must use FIPS-validated SHA-2 or higher hash function to protect the integrity of keyed-hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, and hash-only applications.
1 rule found Severity: High
1 rule found Severity: High
1 rule found Severity: Medium
The Juniper EX switch must be configured to use FIPS 140-2/140-3 validated algorithms for authentication to a cryptographic module.
1 rule found Severity: High
2 rules found Severity: Medium
The Juniper router must be configured to authenticate all routing protocol messages using NIST-validated FIPS 198-1 message authentication code algorithm.
1 rule found Severity: Medium
The layer 2 switch must authenticate all VLAN Trunk Protocol (VTP) messages with a hash function using the most secured cryptographic algorithm available.
1 rule found Severity: Medium
MarkLogic Server must use NIST FIPS 140-2 or 140-3 validated cryptographic modules for cryptographic operations and protect classified information in accordance with the requirements of the data owner.
1 rule found Severity: High
1 rule found Severity: Medium
3 rules found Severity: Medium
The network device must use FIPS 140-2 approved algorithms for authentication to a cryptographic module.
1 rule found Severity: High
1 rule found Severity: High
Multi-Protocol Labeled Switching (MPLS) protocols deployed to build Label-Switch Path (LSP) tunnels must authenticate all messages with a hash function using the most secured cryptographic algorithm available.
1 rule found Severity: Medium
The Oracle Linux 7 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections.
1 rule found Severity: Medium
The MySQL Database Server 8.0 must use NIST FIPS 140-2 or 140-3 validated cryptographic modules for cryptographic operations.
1 rule found Severity: High
The Riverbed NetProfiler must be configured to implement cryptographic mechanisms using a FIPS 140-2/140-3 validated algorithm to protect the confidentiality and integrity of all cryptographic functions.
1 rule found Severity: High
Redis Enterprise DBMS must use NIST FIPS 140-2 or 140-3 validated cryptographic modules for cryptographic operations.
1 rule found Severity: High
Automation Controller must implement cryptography mechanisms to protect the integrity of information.
1 rule found Severity: High
1 rule found Severity: Medium
The router must be configured to authenticate all routing protocol messages using NIST-validated FIPS 198-1 message authentication code algorithm.
1 rule found Severity: Medium
The SDN controller must be configured to authenticate southbound Application Program Interface (API) control-plane messages received from SDN-enabled network elements using a FIPS-approved message authentication code algorithm.
1 rule found Severity: High
The SDN controller must be configured to authenticate northbound Application Program Interface (API) messages received from business applications and management systems using a FIPS-approved message authentication code algorithm.
1 rule found Severity: High
The SDN controller must be configured to authenticate received southbound Application Program Interface (API) management-plane messages using a FIPS-approved message authentication code algorithm.
1 rule found Severity: High
SLEM 5 must employ FIPS 140-2/140-3-approved cryptographic hashing algorithms for system authentication.
1 rule found Severity: High
1 rule found Severity: High
SLEM 5 must employ FIPS 140-2/140-3 approved cryptographic hashing algorithm for system authentication (login.defs).
1 rule found Severity: Medium
2 rules found Severity: High
Splunk Enterprise must be installed in FIPS mode to implement NIST FIPS-approved cryptography for all cryptographic functions.
1 rule found Severity: High
Samsung Android's Work profile must be configured to not allow installation of applications with the following characteristics: - Back up MD data to non-DOD cloud servers (including user and application access to cloud backup services); - Transmit MD diagnostic data to non-DOD servers; - Voice assistant application if available when MD is locked; - Voice dialing application if available when MD is locked; - Allows synchronization of data or applications between devices associated with user; and - Allows unencrypted (or encrypted but not FIPS 140-3 validated) data sharing with other MDs or printers. - Apps which backup their own data to a remote system.
1 rule found Severity: Medium
The TOSS pam_unix.so module must be configured in the password-auth file to use a FIPS 140-2-approved cryptographic hashing algorithm for system authentication.
1 rule found Severity: Medium
The TOSS pam_unix.so module must be configured in the system-auth file to use a FIPS 140-2-approved cryptographic hashing algorithm for system authentication.
1 rule found Severity: Medium
The web server must use cryptographic modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting stored data.
1 rule found Severity: High
The web server must use cryptographic modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
1 rule found Severity: Medium
1 rule found Severity: Medium
1 rule found Severity: Medium
The Apache web server must use encryption strength in accordance with the categorization of data hosted by the Apache web server when remote connections are provided.
2 rules found Severity: Medium
An Apache web server must maintain the confidentiality of controlled information during transmission through the use of an approved TLS version.
1 rule found Severity: High
Apple iOS/iPadOS 18 must not include applications with the following characteristics: access to Siri when the device is locked.
1 rule found Severity: Medium
The Apple iOS/iPadOS 18 allow list must be configured to not include applications with the following characteristics: - Backs up MD data to non-DOD cloud servers (including user and application access to cloud backup services); - Transmits MD diagnostic data to non-DOD servers; - Allows synchronization of data or applications between devices associated with user; - Allows unencrypted (or encrypted but not FIPS 140-3 validated) data sharing with other MDs or printers; - Backs up its own data to a remote system; and - Uses artificial intelligence (AI), which processes data in the cloud (off device). Exception: Apple Intelligence Private Cloud Compute (PCC).
1 rule found Severity: Medium
The application server must utilize FIPS 140-2 approved encryption modules when authenticating users and processes.
1 rule found Severity: High
The application must use mechanisms meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
1 rule found Severity: High
Ubuntu 22.04 LTS must encrypt all stored passwords with a FIPS 140-3-approved cryptographic hashing algorithm.
1 rule found Severity: Medium
The Central Log Server must use FIPS-validated SHA-1 or higher hash function to protect the integrity of keyed-hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, hash-only applications, and digital signature verification (legacy use only).
1 rule found Severity: High
The Central Log Server must use FIPS-validated SHA-2 or higher hash function for digital signature generation and verification (non-legacy use).
1 rule found Severity: High
1 rule found Severity: Medium
The Cisco switch must be configured to authenticate all routing protocol messages using NIST-validated FIPS 198-1 message authentication code algorithm.
1 rule found Severity: Medium
AlmaLinux OS 9 must use mechanisms meeting the requirements of applicable federal laws, executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
1 rule found Severity: Medium
1 rule found Severity: Medium
1 rule found Severity: Medium
The container platform must use FIPS-validated SHA-2 or higher hash function for digital signature generation and verification (non-legacy use).
1 rule found Severity: Medium
The DBMS must use NIST FIPS 140-2 or 140-3 validated cryptographic modules for cryptographic operations.
1 rule found Severity: High
The Dell OS10 Switch must use FIPS 140-2 approved algorithms for authentication to a cryptographic module.
1 rule found Severity: High
1 rule found Severity: Medium
The Dell OS10 Router must be configured to authenticate all routing protocol messages using NIST-validated FIPS 198-1 message authentication code algorithm.
1 rule found Severity: Medium
1 rule found Severity: High
Google Android 14 allowlist must be configured to not include applications with the following characteristics: - Back up mobile device (MD) data to non-DOD cloud servers (including user and application access to cloud backup services); - Transmit MD diagnostic data to non-DOD servers; - Voice assistant application if available when MD is locked; - Voice dialing application if available when MD is locked; - Allows synchronization of data or applications between devices associated with user; and - Allows unencrypted (or encrypted but not FIPS 140-2/140-3 validated) data sharing with other MDs or printers.
2 rules found Severity: Medium
Google Android 15 allow list must be configured to not include applications with the following characteristics: - Backs up MD data to non-DOD cloud servers (including user and application access to cloud backup services); - Transmits MD diagnostic data to non-DOD servers; - Voice assistant application if available when MD is locked; - Voice dialing application if available when MD is locked; - Allows synchronization of data or applications between devices associated with user; - Payment processing; - Allows unencrypted (or encrypted but not FIPS 140-2/140-3 validated) data sharing with other MDs or printers; and - Backs up its own data to a remote system.
2 rules found Severity: Medium
Google Android 15 allow list must be configured to not include artificial intelligence (AI) applications that process device data in the cloud, including Google Gemini.
2 rules found Severity: Medium
The operating system must use mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
1 rule found Severity: Medium
1 rule found Severity: High
The HYCU virtual appliance must use FIPS 140-2-approved algorithms for authentication to a cryptographic module.
1 rule found Severity: High
AOS, when used as a VPN Gateway, must be configured to use IPsec with SHA-2 at 384 bits or greater for hashing to protect the integrity of remote access sessions.
1 rule found Severity: Medium
1 rule found Severity: High
1 rule found Severity: High
IBM z/OS SSL encryption options for the TN3270 Telnet Server must be specified properly for each statement that defines a SECUREPORT or within the TELNETGLOBALS.
2 rules found Severity: Medium
The Juniper router must be configured to authenticate all routing protocol messages using NIST-validated FIPS 140-2 message authentication code algorithm.
1 rule found Severity: Medium
1 rule found Severity: High
IBM z/OS SSL encryption options for the TN3270 Telnet server must be specified properly for each statement that defines a SECUREPORT or within the TELNETGLOBALS.
1 rule found Severity: Medium
The Mainframe Product must use mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
1 rule found Severity: Medium
1 rule found Severity: High
The Juniper SRX Services Gateway VPN must be configured to use IPsec with SHA256 or greater to negotiate hashing to protect the integrity of remote access sessions.
1 rule found Severity: Medium
SharePoint must implement required cryptographic protections using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
1 rule found Severity: High
1 rule found Severity: Medium
1 rule found Severity: Medium
SharePoint must use mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
1 rule found Severity: High
1 rule found Severity: Medium
Windows Server 2019 Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites.
1 rule found Severity: Medium
The DBMS must use NIST-validated FIPS 140-2 or 140-3 compliant cryptography for authentication mechanisms.
1 rule found Severity: High
The DBMS must implement required cryptographic protections using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
1 rule found Severity: High
Windows Server 2022 Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites.
1 rule found Severity: Medium
The OL 8 "pam_unix.so" module must be configured in the system-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.
1 rule found Severity: Medium
The OL 8 "pam_unix.so" module must be configured in the password-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.
1 rule found Severity: Medium
1 rule found Severity: Medium
1 rule found Severity: Medium
Rancher RKE2 must protect authenticity of communications sessions with the use of FIPS-validated 140-2 or 140-3 security requirements for cryptographic modules.
1 rule found Severity: High
OpenShift must use FIPS-validated SHA-2 or higher hash function for digital signature generation and verification (nonlegacy use).
1 rule found Severity: Medium
The RHEL 8 pam_unix.so module must be configured in the password-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.
1 rule found Severity: Medium
1 rule found Severity: Medium
The RHEL 8 pam_unix.so module must be configured in the system-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.
1 rule found Severity: Medium
1 rule found Severity: Medium
1 rule found Severity: Medium
1 rule found Severity: Medium
1 rule found Severity: Medium
The SUSE operating system must employ FIPS 140-2 approved cryptographic hashing algorithm for system authentication (login.defs).
2 rules found Severity: Medium
The SUSE operating system must employ FIPS 140-2-approved cryptographic hashing algorithms for all stored passwords.
2 rules found Severity: Medium
The SUSE operating system must configure the Linux Pluggable Authentication Modules (PAM) to only store encrypted representations of passwords.
1 rule found Severity: Medium
The SUSE operating system must employ FIPS 140-3 approved cryptographic hashing algorithms for all stored passwords.
2 rules found Severity: Medium
1 rule found Severity: Medium
RHEL 9 must use mechanisms meeting the requirements of applicable federal laws, executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
1 rule found Severity: Medium
The SUSE operating system must implement DoD-approved encryption to protect the confidentiality of SSH remote connections.
1 rule found Severity: Medium
The operating system must use mechanisms for authentication to a cryptographic module meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for such authentication.
2 rules found Severity: Medium
Samsung Android's Work environment must be configured to not allow installation of applications with the following characteristics: - Backs up MD data to non-DOD cloud servers (including user and application access to cloud backup services); - Transmits MD diagnostic data to non-DOD servers; - Voice assistant application if available when MD is locked; - Voice dialing application if available when MD is locked; - Allows synchronization of data or applications between devices associated with user; - Payment processing; - Allows unencrypted (or encrypted but not FIPS 140-2/140-3 validated) data sharing with other MDs or printers; and - Backs up its own data to a remote system.
2 rules found Severity: Medium
Samsung Android 15 allowlist must be configured to not include artificial intelligence (AI) applications that process device data in the cloud, including Google Gemini.
2 rules found Severity: Medium
Samsung Android's Work profile must be configured to not allow installation of applications with the following characteristics: - Back up MD data to non-DOD cloud servers (including user and application access to cloud backup services); - Transmit MD diagnostic data to non-DOD servers; - Voice assistant application if available when MD is locked; - Voice dialing application if available when MD is locked; - Allows synchronization of data or applications between devices associated with user; and - Allows unencrypted (or encrypted but not FIPS 140-2 validated) data sharing with other MDs or printers.
1 rule found Severity: Medium
Samsung Android must be configured to not allow installation of applications with the following characteristics: - Back up MD data to non-DOD cloud servers (including user and application access to cloud backup services); - Transmit MD diagnostic data to non-DOD servers; - Voice assistant application if available when MD is locked; - Voice dialing application if available when MD is locked; - Allows synchronization of data or applications between devices associated with user; and - Allows unencrypted (or encrypted but not FIPS 140-2 validated) data sharing with other MDs or printers.
1 rule found Severity: Medium
The UEM server must use FIPS-validated SHA-2 or higher hash function to protect the integrity of keyed-hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, and hash-only applications.
1 rule found Severity: High
The application must use FIPS-validated SHA-256 or higher hash function for digital signature generation and verification.
1 rule found Severity: High
The VMM must use mechanisms meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
1 rule found Severity: Medium
The NSX Tier-0 Gateway router must be configured to use encryption for Open Shortest Path First (OSPF) routing protocol authentication.
1 rule found Severity: High
1 rule found Severity: Medium
1 rule found Severity: High
The Photon operating system must use mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
2 rules found Severity: Medium
The VPN Gateway must use FIPS-validated SHA-2 or higher hash function to protect the integrity of hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, hash-only applications, and digital signature verification.
1 rule found Severity: Medium
Zebra Android 13 allowlist must be configured to not include applications with the following characteristics: - Back up MD data to non-DOD cloud servers (including user and application access to cloud backup services); - Transmit MD diagnostic data to non-DOD servers; - Voice assistant application if available when MD is locked; - Voice dialing application if available when MD is locked; - Allows synchronization of data or applications between devices associated with user; - Payment processing; and - Allows unencrypted (or encrypted but not FIPS 140-2/140-3 validated) data sharing with other MDs, display screens (screen mirroring), or printers.
2 rules found Severity: Medium
The SSMC web server must use cryptographic modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
1 rule found Severity: High