Capacity
CCI-002450
Implement organization-defined types of cryptography for each specified cryptography use.
19
Rule
Severity: High
The Installed Operating System Is FIPS 140-2 Certified
7
Rule
Severity: Medium
Disable Prelinking
5
Rule
Severity: Medium
Install the dracut-fips-aesni Package
5
Rule
Severity: Medium
Install the dracut-fips Package
13
Rule
Severity: High
Ensure '/etc/system-fips' exists
5
Rule
Severity: High
Enable FIPS Mode in GRUB2
9
Rule
Severity: High
Enable Dracut FIPS Module
9
Rule
Severity: High
Enable FIPS Mode
9
Rule
Severity: High
Set kernel parameter 'crypto.fips_enabled' to 1
4
Rule
Severity: High
Verify '/proc/sys/crypto/fips_enabled' exists
1
Rule
Severity: Medium
Adobe Acrobat Pro DC Continuous FIPS mode must be enabled.
1
Rule
Severity: Medium
Adobe Reader DC must enable FIPS mode.
1
Rule
Severity: High
Kona Site Defender providing encryption intermediary services must implement NIST FIPS-validated cryptography to generate cryptographic hashes.
1
Rule
Severity: Medium
Kona Site Defender providing encryption intermediary services must implement NIST FIPS-validated cryptography for digital signatures.
1
Rule
Severity: High
Kona Site Defender providing encryption intermediary services must use NIST FIPS-validated cryptography to implement encryption services.
2
Rule
Severity: Medium
The ALG providing encryption intermediary services must implement NIST FIPS-validated cryptography to generate cryptographic hashes.
2
Rule
Severity: Medium
The ALG providing encryption intermediary services must implement NIST FIPS-validated cryptography for digital signatures.
2
Rule
Severity: Medium
The ALG providing encryption intermediary services must use NIST FIPS-validated cryptography to implement encryption services.
2
Rule
Severity: Medium
Application servers must use NIST-approved or NSA-approved key management technology and processes.
2
Rule
Severity: Medium
The application server must use DoD- or CNSS-approved PKI Class 3 or Class 4 certificates.
2
Rule
Severity: Medium
The application server must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
2
Rule
Severity: Medium
The application must utilize FIPS-validated cryptographic modules when signing application components.
2
Rule
Severity: Medium
The application must utilize FIPS-validated cryptographic modules when generating cryptographic hashes.
2
Rule
Severity: Medium
The application must utilize FIPS-validated cryptographic modules when protecting unclassified information that requires cryptographic protection.
2
Rule
Severity: Medium
Applications making SAML assertions must use FIPS-approved random numbers in the generation of SessionIndex in the SAML element AuthnStatement.
2
Rule
Severity: Medium
The application must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
2
Rule
Severity: High
A BIND 9.x server must implement NIST FIPS-validated cryptography for provisioning digital signatures and generating cryptographic hashes.
1
Rule
Severity: Medium
The CA API Gateway providing encryption intermediary services must implement NIST FIPS-validated cryptography to generate cryptographic hashes.
1
Rule
Severity: Medium
The CA API Gateway providing encryption intermediary services must implement NIST FIPS-validated cryptography for digital signatures.
1
Rule
Severity: Medium
The CA API Gateway providing encryption intermediary services must use NIST FIPS-validated cryptography to implement encryption services.
2
Rule
Severity: Medium
CA IDMS must implement NIST FIPS 140-2 validated cryptographic modules to protect data-in-transit.
2
Rule
Severity: High
The Central Log Server must implement NIST FIPS-validated cryptography for the following: to provision digital signatures; to generate cryptographic hashes; and/or to protect unclassified information requiring confidentiality and cryptographic protection.
1
Rule
Severity: High
Delivery Controller must implement NIST FIPS-validated cryptography for the following: to provision digital signatures; to generate cryptographic hashes; and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
1
Rule
Severity: High
Citrix Receiver must implement DoD-approved encryption.
1
Rule
Severity: High
FIPS mode must be enabled on all Docker Engine - Enterprise nodes.
1
Rule
Severity: Medium
Docker Enterprise data exchanged between Linux containers on different nodes must be encrypted on the overlay network.
2
Rule
Severity: Medium
The DNS server must implement NIST FIPS-validated cryptography for provisioning digital signatures, generating cryptographic hashes, and protecting unclassified information requiring confidentiality.
1
Rule
Severity: High
The Infoblox DNS server must implement NIST FIPS-validated cryptography for provisioning digital signatures, generating cryptographic hashes, and protecting unclassified information requiring confidentiality.
1
Rule
Severity: High
The IBM Aspera Console must be configured to use NIST FIPS-validated cryptography to protect the integrity of file transfers.
1
Rule
Severity: High
IBM Aspera Faspex must be configured to use NIST FIPS-validated cryptography to protect the integrity of file transfers.
1
Rule
Severity: High
IBM Aspera Shares feature must be configured to use NIST FIPS-validated cryptography to protect the integrity of file transfers.
1
Rule
Severity: High
The IBM Aspera High-Speed Transfer Endpoint must be configured to use NIST FIPS-validated cryptography to protect the integrity of remote access sessions.
1
Rule
Severity: Medium
The IBM Aspera High-Speed Transfer Endpoint must have a master-key set to encrypt the dynamic token encryption key.
1
Rule
Severity: High
The IBM Aspera High-Speed Transfer Server must be configured to use NIST FIPS-validated cryptography to protect the integrity of remote access sessions.
1
Rule
Severity: Medium
The IBM Aspera High-Speed Transfer Server must have a master-key set to encrypt the dynamic token encryption key.
1
Rule
Severity: Medium
The DataPower Gateway providing encryption intermediary services must implement NIST FIPS-validated cryptography to generate cryptographic hashes.
1
Rule
Severity: Medium
The DataPower Gateway providing encryption intermediary services must implement NIST FIPS-validated cryptography for digital signatures.
1
Rule
Severity: Medium
The DataPower Gateway providing encryption intermediary services must use NIST FIPS-validated cryptography to implement encryption services.
1
Rule
Severity: Medium
The MQ Appliance messaging server must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
1
Rule
Severity: Medium
The MQ Appliance messaging server must use DoD- or CNSS-approved PKI Class 3 or Class 4 certificates.
1
Rule
Severity: Medium
MQ Appliance messaging servers must use NIST-approved or NSA-approved key management technology and processes.
2
Rule
Severity: Medium
The WebSphere Liberty Server must use DoD-issued/signed certificates.
2
Rule
Severity: High
The WebSphere Liberty Server must use FIPS 140-2 approved encryption modules when authenticating users and processes.
1
Rule
Severity: High
DB2 must use NSA-approved cryptography to protect classified information in accordance with the data owners requirements.
1
Rule
Severity: Medium
The WebSphere Application Server must utilize FIPS 140-2-approved encryption modules when authenticating users and processes.
1
Rule
Severity: Medium
The WebSphere Application Server must use DoD-approved Signer Certificates.
1
Rule
Severity: Medium
The IBM z/VM TCP/IP SECUREDATA option for FTP must be set to REQUIRED.
1
Rule
Severity: Medium
All IBM z/VM TCP/IP servers must be configured for SSL/TLS connection.
1
Rule
Severity: High
The DNS server must implement NIST FIPS-validated cryptography for provisioning digital signatures, generating cryptographic hashes, and protecting unclassified information requiring confidentiality.
1
Rule
Severity: High
The Ivanti MobileIron Core server must use a FIPS-validated cryptographic module to generate cryptographic hashes.
1
Rule
Severity: High
The Ivanti MobileIron Core server must be configured to implement FIPS 140-2 mode for all server and agent encryption.
2
Rule
Severity: Medium
The ISEC7 EMM Suite must use a FIPS 140-2-validated cryptographic module to implement encryption services for unclassified information requiring confidentiality, generate cryptographic hashes, and to configure web management tools with FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to protect the confidentiality of maintenance and diagnostic communications for nonlocal maintenance sessions.
2
Rule
Severity: Medium
The ISEC7 EMM Suite must use a FIPS-validated cryptographic module to provision digital signatures.
2
Rule
Severity: Medium
The Sentry providing encryption intermediary services must implement NIST FIPS-validated cryptography to generate cryptographic hashes.
2
Rule
Severity: Medium
The Sentry providing encryption intermediary services must implement NIST FIPS-validated cryptography for digital signatures.
2
Rule
Severity: Medium
The Sentry providing encryption intermediary services must use NIST FIPS-validated cryptography to implement encryption services.
1
Rule
Severity: Medium
When the Jamf Pro EMM server cannot establish a connection to determine the validity of a certificate, the server must not have the option to accept the certificate.
2
Rule
Severity: Medium
The JBoss server must be configured to use DoD- or CNSS-approved PKI Class 3 or Class 4 certificates.
2
Rule
Severity: High
The Juniper SRX Services Gateway VPN Internet Key Exchange (IKE) must use cryptography that is compliant with Suite B parameters when transporting classified traffic across an unclassified network.
2
Rule
Severity: Medium
The Juniper SRX Services Gateway VPN IKE must use NIST FIPS-validated cryptography to implement encryption services for unclassified VPN traffic.
2
Rule
Severity: Medium
The Mainframe Product must implement NIST FIPS-validated cryptography to provision digital signatures in accordance with applicable federal laws, Executive orders, directives, policies, regulations, and standards.
2
Rule
Severity: Medium
The Mainframe Product must implement NIST FIPS-validated cryptography to generate and validate cryptographic hashes in accordance with applicable federal laws, Executive orders, directives, policies, regulations, and standards.
2
Rule
Severity: Medium
The Mainframe Product must implement NIST FIPS-validated cryptography to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive orders, directives, policies, regulations, and standards.
2
Rule
Severity: Medium
The Mainframe Product must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive orders, directives, policies, regulations, and standards.
2
Rule
Severity: High
Azure SQL Database must use NSA-approved cryptography to protect classified information in accordance with the data owners requirements.
1
Rule
Severity: Medium
The ability to add signatures to email messages must be allowed.
1
Rule
Severity: Medium
Digital signatures must be allowed.
3
Rule
Severity: Medium
Outlook minimum encryption key length settings must be set.
1
Rule
Severity: High
SharePoint must employ NSA-approved cryptography to protect classified information.
1
Rule
Severity: High
SharePoint must employ FIPS-validated cryptography to protect unclassified information when such information must be separated from individuals who have the necessary clearances yet lack the necessary access approvals.
1
Rule
Severity: High
SQL Server must use NIST FIPS 140-2 or 140-3 validated cryptographic modules for cryptographic operations.
1
Rule
Severity: Medium
The salt value for zones signed using NSEC3 RRs must be changed every time the zone is completely re-signed.
1
Rule
Severity: Medium
The Windows 2012 DNS Server must implement NIST FIPS-validated cryptography for provisioning digital signatures, generating cryptographic hashes, and protecting unclassified information requiring confidentiality.
1
Rule
Severity: High
Nutanix AOS must use DoD- or CNSS-approved PKI Class 3 or Class 4 certificates.
1
Rule
Severity: High
Nutanix AOS must enable FIPS mode to implement NIST FIPS-validated cryptography.
1
Rule
Severity: High
OHS must have the SSLFIPS directive enabled to implement required cryptographic protections using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting data that must be compartmentalized.
1
Rule
Severity: High
Innoslate must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access.
2
Rule
Severity: High
Splunk Enterprise must be installed with FIPS mode enabled, to implement NIST FIPS 140-2 approved ciphers for all cryptographic functions.
1
Rule
Severity: Medium
Symantec ProxySG providing forward proxy encryption intermediary services must use NIST FIPS-validated cryptography to implement encryption services.
1
Rule
Severity: Medium
Symantec ProxySG providing reverse proxy encryption intermediary services must implement NIST FIPS-validated cryptography to generate cryptographic hashes.
1
Rule
Severity: Medium
Symantec ProxySG providing reverse proxy encryption intermediary services must implement NIST FIPS-validated cryptography for digital signatures.
1
Rule
Severity: Medium
Symantec ProxySG providing reverse proxy encryption intermediary services must use NIST FIPS-validated cryptography to implement encryption services.
6
Rule
Severity: Medium
The SSLHonorCipherOrder must be configured to disable weak encryption algorithms on the Tanium Server.
6
Rule
Severity: Medium
The SSLCipherSuite must be configured to disable weak encryption algorithms on the Tanium Server.
2
Rule
Severity: High
The Tanium Operating System (TanOS) must use a FIPS-validated cryptographic module to provision digital signatures.
2
Rule
Severity: High
All UEM Agent cryptography supporting DoD functionality must be FIPS 140-2 validated.
2
Rule
Severity: High
The UEM server must use a FIPS-validated cryptographic module to generate cryptographic hashes.
2
Rule
Severity: High
The UEM server must be configured to implement FIPS 140-2 mode for all server and agent encryption.
2
Rule
Severity: Medium
The VPN Gateway must use an approved Commercial Solution for Classified (CSfC) when transporting classified traffic across an unclassified network.
2
Rule
Severity: Medium
The VPN Gateway must use a FIPS-validated cryptographic module to generate cryptographic hashes.
2
Rule
Severity: Medium
The VPN Gateway must use a FIPS-validated cryptographic module to implement encryption services for unclassified information requiring confidentiality.
2
Rule
Severity: Medium
The IPsec VPN Gateway IKE must use NIST FIPS-validated cryptography to implement encryption services for unclassified VPN traffic.
2
Rule
Severity: High
The VPN remote access server must be configured use cryptographic algorithms approved by NSA to protect NSS for remote access to a classified network.
2
Rule
Severity: High
The VPN gateway must use cryptographic algorithms approved by NSA to protect NSS when transporting classified traffic across an unclassified network.
2
Rule
Severity: Medium
The Apache web server must use encryption strength in accordance with the categorization of data hosted by the Apache web server when remote connections are provided.
2
Rule
Severity: Low
Application servers must use NIST-approved or NSA-approved key management technology and processes.
4
Rule
Severity: High
The macOS system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider.
3
Rule
Severity: High
The macOS system must limit SSHD to FIPS-compliant connections.
3
Rule
Severity: High
The macOS system must limit SSH to FIPS-compliant connections.
1
Rule
Severity: High
The Ubuntu operating system must implement NIST FIPS-validated cryptography to protect classified information and for the following: to provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
2
Rule
Severity: High
The Ubuntu operating system must implement NIST FIPS-validated cryptography to protect classified information and for the following: To provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
3
Rule
Severity: High
PostgreSQL must implement NIST FIPS 140-2 or 140-3 validated cryptographic modules to generate and validate cryptographic hashes.
2
Rule
Severity: High
PostgreSQL must use NSA-approved cryptography to protect classified information in accordance with the data owner’s requirements.
2
Rule
Severity: High
PostgreSQL must implement NIST FIPS 140-2 or 140-3 validated cryptographic modules to protect unclassified information requiring confidentiality and cryptographic protection, in accordance with the data owner’s requirements.
2
Rule
Severity: Medium
The Cisco ASA must be configured to use NIST FIPS-validated cryptography for Internet Key Exchange (IKE) Phase 1.
2
Rule
Severity: Medium
The Cisco ASA must be configured to use a FIPS-validated cryptographic module to generate cryptographic hashes.
2
Rule
Severity: Medium
The Cisco ASA must be configured to use a FIPS-validated cryptographic module to implement IPsec encryption services.
2
Rule
Severity: High
The Cisco ASA VPN gateway must use cryptographic algorithms approved by NSA to protect NSS when transporting classified traffic across an unclassified network.
2
Rule
Severity: High
The Cisco ASA VPN remote access server must be configured to use an approved High Assurance Commercial Solution for Classified (CSfC) cryptographic algorithm for remote access to a classified network.
2
Rule
Severity: Medium
The container platform must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
2
Rule
Severity: Medium
The container platform must use a valid FIPS 140-2 approved cryptographic modules to generate hashes.
2
Rule
Severity: High
The container platform must use a FIPS-validated cryptographic module to implement encryption services for unclassified information requiring confidentiality.
2
Rule
Severity: Medium
The DBMS must use NSA-approved cryptography to protect classified information in accordance with the requirements of the data owner.
2
Rule
Severity: Medium
The DBMS must implement NIST FIPS 140-2 or 140-3 validated cryptographic modules to provision digital signatures.
2
Rule
Severity: Medium
The DBMS must implement NIST FIPS 140-2 or 140-3 validated cryptographic modules to generate and validate cryptographic hashes.
2
Rule
Severity: Medium
The DBMS must implement NIST FIPS 140-2 or 140-3 validated cryptographic modules to protect unclassified information requiring confidentiality and cryptographic protection, in accordance with the data owners requirements.
2
Rule
Severity: High
The DBMS must use NSA-approved cryptography to protect classified information in accordance with the data owner's requirements.
3
Rule
Severity: Medium
The EDB Postgres Advanced Server must implement NIST FIPS 140-2 or 140-3 validated cryptographic modules to provision digital signatures.
2
Rule
Severity: Medium
The EDB Postgres Advanced Server must implement NIST FIPS 140-2 or 140-3 validated cryptographic modules to generate and validate cryptographic hashes.
2
Rule
Severity: Medium
The EDB Postgres Advanced Server must implement NIST FIPS 140-2 or 140-3 validated cryptographic modules to protect unclassified information requiring confidentiality and cryptographic protection, in accordance with the requirements of the data owner.
2
Rule
Severity: High
The operating system must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
2
Rule
Severity: High
The operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
2
Rule
Severity: Medium
SSMC must employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions.
2
Rule
Severity: Medium
The HPE 3PAR OS must be configured to implement NIST FIPS-validated cryptography for the following: To provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
2
Rule
Severity: Medium
AIX must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
1
Rule
Severity: Medium
The IBM z/OS systems requiring data at rest protection must properly employ IBM DS8880 or equivalent hardware solutions for full disk encryption.
4
Rule
Severity: Medium
IBM z/OS SSL encryption options for the TN3270 Telnet Server must be specified properly for each statement that defines a SECUREPORT or within the TELNETGLOBALS.
2
Rule
Severity: Medium
IBM z/OS SSL encryption options for the TN3270 Telnet server must be specified properly for each statement that defines a SECUREPORT or within the TELNETGLOBALS.
2
Rule
Severity: Medium
The ICS must be configured to use an approved Commercial Solution for Classified (CSfC) when transporting classified traffic across an unclassified network.
2
Rule
Severity: High
MarkLogic Server must use NIST FIPS 140-2 or 140-3 validated cryptographic modules for cryptographic operations and protect classified information in accordance with the requirements of the data owner.
2
Rule
Severity: High
MariaDB must use NSA-approved cryptography to protect classified information in accordance with the data owner's requirements.
2
Rule
Severity: Medium
MarkLogic Server must implement NIST FIPS 140-2 or 140-3 validated cryptographic modules to provision digital signatures.
2
Rule
Severity: Medium
MarkLogic Server must implement NIST FIPS 140-2 or 140-3 validated cryptographic modules to generate and validate cryptographic hashes.
2
Rule
Severity: Medium
MarkLogic Server must implement NIST FIPS 140-2 or 140-3 validated cryptographic modules to protect unclassified information requiring confidentiality and cryptographic protection, in accordance with the requirements of the data owner.
1
Rule
Severity: High
MongoDB must use NIST FIPS 140-2-validated cryptographic modules for cryptographic operations.
2
Rule
Severity: Medium
The .NET CLR must be configured to use FIPS approved encryption modules.
2
Rule
Severity: Medium
MariaDB must implement NIST FIPS 140-2 validated cryptographic modules to provision digital signatures.
2
Rule
Severity: Medium
MariaDB must implement NIST FIPS 140-2 validated cryptographic modules to generate and validate cryptographic hashes.
2
Rule
Severity: Medium
MariaDB must implement NIST FIPS 140-2 validated cryptographic modules to protect unclassified information requiring confidentiality and cryptographic protection, in accordance with the data owners requirements.
2
Rule
Severity: High
MongoDB must use NIST FIPS 140-2 or 140-3 validated cryptographic modules for cryptographic operations.
1
Rule
Severity: Medium
Turn off Encryption Support must be enabled.
1
Rule
Severity: Medium
Allow Fallback to SSL 3.0 (Internet Explorer) must be disabled.
2
Rule
Severity: High
SQL Server must use NSA-approved cryptography to protect classified information in accordance with the data owners requirements.
3
Rule
Severity: Medium
The minimum encryption key length in Outlook must be at least 168.
2
Rule
Severity: High
SQL Server must implement NIST FIPS 140-2 or 140-3 validated cryptographic modules to provision digital signatures.
2
Rule
Severity: High
SQL Server must implement NIST FIPS 140-2 or 140-3 validated cryptographic modules to generate and validate cryptographic hashes.
2
Rule
Severity: Medium
SQL Server must implement NIST FIPS 140-2 or 140-3 validated cryptographic modules to protect unclassified information requiring confidentiality and cryptographic protection, in accordance with the data owners requirements.
4
Rule
Severity: Medium
The system must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing.
2
Rule
Severity: Medium
Separate, NSA-approved (Type 1) cryptography must be used to protect the directory data in transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data.
2
Rule
Severity: Medium
Windows Server 2016 must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing.
2
Rule
Severity: Medium
Windows Server 2019 must use separate, NSA-approved (Type 1) cryptography to protect the directory data in transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data.
2
Rule
Severity: Medium
Windows Server 2019 must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing.
2
Rule
Severity: Medium
Windows Server 2022 must use separate, NSA-approved (Type 1) cryptography to protect the directory data in transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data.
2
Rule
Severity: Medium
Windows Server 2022 must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing.
2
Rule
Severity: High
The Oracle Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
1
Rule
Severity: High
PostgreSQL must implement NIST FIPS 140-2 or 140-3 validated cryptographic modules to protect unclassified information requiring confidentiality and cryptographic protection, in accordance with the data owners requirements.
2
Rule
Severity: Medium
The MySQL Database Server 8.0 must use NSA-approved cryptography to protect classified information in accordance with the data owner's requirements.
2
Rule
Severity: Medium
The MySQL Database Server 8.0 must implement NIST FIPS 140-2 or 140-3 validated cryptographic modules to provision digital signatures.
2
Rule
Severity: High
The MySQL Database Server 8.0 must implement NIST FIPS 140-2 or 140-3 validated cryptographic modules to generate and validate cryptographic hashes.
2
Rule
Severity: Medium
The MySQL Database Server 8.0 must implement NIST FIPS 140-2 or 140-3 validated cryptographic modules to protect unclassified information requiring confidentiality and cryptographic protection, in accordance with the data owner's requirements.
2
Rule
Severity: Medium
The Palo Alto Networks security platform providing encryption intermediary services must implement NIST FIPS-validated cryptography to generate cryptographic hashes.
2
Rule
Severity: Medium
The Palo Alto Networks security platform, if used for TLS/SSL decryption, must use NIST FIPS-validated cryptography to implement encryption.
2
Rule
Severity: High
Automation Controller must implement cryptography mechanisms to protect the integrity of information.
2
Rule
Severity: Medium
Automation Controller must only allow the use of DOD PKI-established certificate authorities for verification of the establishment of protected sessions.
1
Rule
Severity: Medium
PostgreSQL must use NSA-approved cryptography to protect classified information in accordance with the data owners requirements.
2
Rule
Severity: High
Redis Enterprise DBMS must use NSA-approved cryptography to protect classified information in accordance with the data owners requirements.
2
Rule
Severity: Medium
Redis Enterprise DBMS must implement NIST FIPS 140-2 or 140-3 validated cryptographic modules to provision digital signatures.
2
Rule
Severity: Medium
Redis Enterprise DBMS must implement NIST FIPS 140-2 or 140-3 validated cryptographic modules to generate and validate cryptographic hashes.
2
Rule
Severity: Medium
Redis Enterprise DBMS must implement NIST FIPS 140-2 or 140-3 validated cryptographic modules to protect unclassified information requiring confidentiality and cryptographic protection, in accordance with the data owners requirements.
2
Rule
Severity: High
OpenShift must protect authenticity of communications sessions with the use of FIPS-validated 140-2 or 140-3 validated cryptography.
1
Rule
Severity: High
The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
2
Rule
Severity: Medium
FIPS 140-2 mode must be enabled on the SUSE operating system.
2
Rule
Severity: High
FIPS 140-2 mode must be enabled on the SUSE operating system.
2
Rule
Severity: High
RHEL 9 must enable FIPS mode.
2
Rule
Severity: Medium
RHEL 9 must have the crypto-policies package installed.
1
Rule
Severity: High
RHEL 9 crypto policy files must match files shipped with the operating system.
2
Rule
Severity: Medium
RHEL 9 crypto policy must not be overridden.
1
Rule
Severity: Medium
RHEL 9 must implement a system-wide encryption policy.
4
Rule
Severity: Medium
The operating system must employ FIPS-validate or NSA-approved cryptography to implement digital signatures.
2
Rule
Severity: High
Splunk Enterprise must be installed in FIPS mode to implement NIST FIPS-approved cryptography for all cryptographic functions.
2
Rule
Severity: Medium
The VMM must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
2
Rule
Severity: Medium
The VMM must implement NIST FIPS-validated cryptography for the following: to provision digital signatures; to generate cryptographic hashes; and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
1
Rule
Severity: Medium
The ESXi host SSH daemon must be configured to only use FIPS 140-2 validated ciphers.
1
Rule
Severity: High
VAMI must be configured with FIPS 140-2 compliant ciphers for HTTPS connections.
3
Rule
Severity: Medium
The ESXi host Secure Shell (SSH) daemon must be configured to only use FIPS 140-2 validated ciphers.
1
Rule
Severity: Low
The Photon operating system must configure sshd to use approved encryption algorithms.
1
Rule
Severity: Medium
The Photon operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, generate cryptographic hashes, and protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
4
Rule
Severity: High
The vCenter Server must enable FIPS-validated cryptography.
1
Rule
Severity: High
VMware Postgres must use FIPS 140-2 approved Transport Layer Security (TLS) ciphers.
1
Rule
Severity: Medium
Envoy must be configured to operate in FIPS mode.
3
Rule
Severity: High
The Photon operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
2
Rule
Severity: High
The vCenter VAMI service must enable FIPS mode.
2
Rule
Severity: Medium
The web server must implement required cryptographic protections using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting data that must be compartmentalized.
1
Rule
Severity: High
The EDB Postgres Advanced Server must use NIST FIPS 140-2 or 140-3 validated cryptographic modules for all cryptographic operations including generation of cryptographic hashes and data protection.
2
Rule
Severity: Medium
The Windows DNS Server must implement NIST FIPS-validated cryptography for provisioning digital signatures, generating cryptographic hashes, and protecting unclassified information requiring confidentiality.
1
Rule
Severity: Medium
The BIG-IP Core implementation must be configured to implement NIST FIPS-validated cryptography to generate cryptographic hashes when providing encryption traffic to virtual servers.
1
Rule
Severity: Medium
The BIG-IP Core implementation must be configured to implement NIST FIPS-validated cryptography for digital signatures when providing encrypted traffic to virtual servers.
1
Rule
Severity: Medium
The BIG-IP Core implementation must be configured to use NIST FIPS-validated cryptography to implement encryption services when providing encrypted traffic to virtual servers.
1
Rule
Severity: High
Ubuntu 22.04 LTS must implement NIST FIPS-validated cryptography to protect classified information and for the following: To provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
1
Rule
Severity: High
PostgreSQL must use NSA-approved cryptography to protect classified information in accordance with the data owner's requirements.
1
Rule
Severity: Medium
PostgreSQL must implement NIST FIPS 140-2 or 140-3 validated cryptographic modules to generate and validate cryptographic hashes.
1
Rule
Severity: Medium
PostgreSQL must implement NIST FIPS 140-2 or 140-3 validated cryptographic modules to protect unclassified information requiring confidentiality and cryptographic protection, in accordance with the data owners' requirements.
1
Rule
Severity: Medium
The Enterprise Voice, Video, and Messaging Endpoint must be configured to use cryptographic algorithms approved by NSA to protect NSS when transporting classified traffic across an unclassified network.
1
Rule
Severity: High
The F5 BIG-IP appliance must be configured to use cryptographic algorithms approved by NSA to protect NSS for remote access to a classified network.
1
Rule
Severity: High
The Enterprise Voice, Video, and Messaging Session Manager must implement NIST FIPS-validated cryptography for communications sessions.
1
Rule
Severity: High
The F5 BIG-IP appliance IPsec VPN must use cryptographic algorithms approved by NSA to protect NSS when transporting classified traffic across an unclassified network.
1
Rule
Severity: High
The IBM z/OS systems requiring data at rest protection must properly employ IBM DS8880 or equivalent hardware solutions for full disk encryption.
1
Rule
Severity: Medium
The ISEC7 SPHERE must use a FIPS-validated cryptographic module to provision digital signatures.
1
Rule
Severity: Medium
The ISEC7 SPHERE must use a FIPS 140-2-validated cryptographic module to implement encryption services for unclassified information requiring confidentiality, generate cryptographic hashes, and to configure web management tools with FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to protect the confidentiality of maintenance and diagnostic communications for nonlocal maintenance sessions.
1
Rule
Severity: High
The Ivanti EPMM server must use a FIPS-validated cryptographic module to generate cryptographic hashes.
1
Rule
Severity: High
The Ivanti EPMM server must be configured to implement FIPS 140-2 mode for all server and agent encryption.
1
Rule
Severity: High
FIPS mode must be enabled.
1
Rule
Severity: Medium
Swarm Secrets or Kubernetes Secrets must be used.
1
Rule
Severity: High
MongoDB must use NSA-approved cryptography to protect classified information in accordance with the data owner's requirements.
1
Rule
Severity: High
Rancher RKE2 must protect authenticity of communications sessions with the use of FIPS-validated 140-2 or 140-3 security requirements for cryptographic modules.
1
Rule
Severity: Medium
RHEL 9 must implement a systemwide encryption policy.
1
Rule
Severity: High
FIPS 140-2/140-3 mode must be enabled on SLEM 5.
1
Rule
Severity: High
TOSS must implement NIST FIPS-validated cryptography for the following: to provision digital signatures; to generate cryptographic hashes; and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
1
Rule
Severity: Medium
The vCenter Server must use DOD-approved encryption to protect the confidentiality of network sessions.
Patternfly
PatternFly elements
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.
Modules