CCI-002890

Use Only FIPS 140-2 Validated Ciphers

Set kernel parameter 'crypto.fips_enabled' to 1

Configure SSH Client to Use FIPS 140-2 Validated Ciphers: openssh.config

Operators of the A10 Networks ADC must not use the Telnet client built into the device.

The A10 Networks ADC must only allow the use of secure protocols that implement cryptographic mechanisms to protect the integrity of maintenance and diagnostic communications for nonlocal maintenance sessions.

Arista Multilayer Switches used for nonlocal maintenance sessions must implement cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications.

The Arista network devices must use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of remote maintenance sessions.

Applications used for non-local maintenance sessions must implement cryptographic mechanisms to protect the integrity of non-local maintenance and diagnostic communications.

Applications used for nonlocal maintenance sessions must implement cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications.

FIPS mode must be enabled on all Docker Engine - Enterprise nodes.

The FortiGate devices must use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of nonlocal maintenance and diagnostic communications.

DoD-approved encryption must be implemented to protect the confidentiality and integrity of remote access sessions, information during preparation for transmission, information during reception, and information during transmission in addition to enforcing replay-resistant authentication mechanisms for network access to privileged accounts.

The HYCU server must use FIPS-validated algorithms for authentication to a cryptographic module and Keyed-Hash Message Authentication Code (HMAC) to protect the integrity and confidentiality of remote maintenance sessions.

The IBM DataPower Gateway must only allow the use of protocols that implement cryptographic mechanisms to protect the integrity and confidentiality of management communications.

Applications used for nonlocal maintenance sessions using the MQ Appliance WebGUI must implement cryptographic mechanisms to protect the confidentiality and integrity of nonlocal maintenance and diagnostic communications.

The Juniper router must be configured to use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of remote maintenance sessions.

For nonlocal maintenance sessions using SNMP, the Juniper SRX Services Gateway must use and securely configure SNMPv3 with SHA to protect the integrity of maintenance and diagnostic communications.

For nonlocal maintenance sessions using SSH, the Juniper SRX Services Gateway must securely configure SSHv2 Message Authentication Code (MAC) algorithms to protect the integrity of maintenance and diagnostic communications.

Mainframe Products must implement cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications.

ONTAP must be configured to implement cryptographic mechanisms using FIPS 140-2.

The network devices must use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of nonlocal maintenance and diagnostic communications.

Nutanix AOS must implement DoD-approved encryption to protect the confidentiality of remote access sessions.

The Riverbed NetProfiler must be configured to implement cryptographic mechanisms using a FIPS 140-2/140-3 validated algorithm to protect the confidentiality and integrity of all cryptographic functions.

The Symantec ProxySG must use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of nonlocal maintenance and diagnostic communications.

The TippingPoint TPS must have FIPS mode enforced.

The macOS system must implement approved ciphers within the SSH server configuration to protect the confidentiality of SSH connections.

The macOS system must implement approved Message Authentication Codes (MACs) within the SSH server configuration.

The macOS system must implement approved Key Exchange Algorithms within the SSH server configuration.

The macOS system must disable the SSHD service.

The macOS system must implement approved ciphers to protect the confidentiality of SSH connections.

The macOS system must implement approved Message Authentication Codes (MACs).

The macOS system must implement approved Key Exchange Algorithms.

The macOS system must implement approved ciphers within the SSH client configuration to protect the confidentiality of SSH connections.

The macOS system must implement approved Message Authentication Codes (MACs) within the SSH client configuration.

The macOS system must implement approved Key Exchange Algorithms within the SSH client configuration.

The macOS system must limit SSHD to FIPS-compliant connections.

The Ubuntu operating system must configure the SSH daemon to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms to protect the integrity of nonlocal maintenance and diagnostic communications.

The Ubuntu operating system must configure the SSH daemon to use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hashes to prevent the unauthorized disclosure of information and/or detect changes to information during transmission.

The Cisco ASA must be configured to use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of non-local maintenance and diagnostic communications.

The Cisco router must be configured to use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of remote maintenance sessions.

The Cisco switch must be configured to use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of remote maintenance sessions.

The Cisco ISE must use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of nonlocal maintenance and diagnostic communications.

The Cisco ISE must verify the checksum value of any software download, including install files (ISO or OVA), patch files, and upgrade bundles.

Container platform applications and Application Program Interfaces (API) used for nonlocal maintenance sessions must use FIPS-validated keyed-hash message authentication code (HMAC) to protect the integrity of nonlocal maintenance and diagnostic communications.

The operating system must implement cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications, when used for nonlocal maintenance sessions.

The HPE 3PAR OS must be configured to restrict the encryption algorithms and protocols to comply with DOD-approved encryption to protect the confidentiality and integrity of remote access sessions.

AIX must protect the confidentiality and integrity of transmitted information during preparation for transmission and maintain the confidentiality and integrity of information during reception and disable all non-encryption network access methods.

IBM z/OS SSL encryption options for the TN3270 Telnet Server must be specified properly for each statement that defines a SECUREPORT or within the TELNETGLOBALS.

IBM z/OS SSL encryption options for the TN3270 Telnet server must be specified properly for each statement that defines a SECUREPORT or within the TELNETGLOBALS.

The ICS must be configured to audit the execution of privileged functions such as accounts additions and changes.

The Juniper EX switches must be configured to use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of nonlocal maintenance and diagnostic communications.

Remote Desktop Services must be configured with the client connection encryption set to the required level.

The Windows Remote Management (WinRM) client must not allow unencrypted traffic.

The Windows Remote Management (WinRM) service must not allow unencrypted traffic.

Windows Server 2019 Windows Remote Management (WinRM) client must not allow unencrypted traffic.

Windows Server 2019 Windows Remote Management (WinRM) service must not allow unencrypted traffic.

Windows Server 2022 Windows Remote Management (WinRM) client must not allow unencrypted traffic.

Windows Server 2022 Windows Remote Management (WinRM) service must not allow unencrypted traffic.

OL 8 must implement NIST FIPS-validated cryptography for the following: To provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.

The Oracle Linux 7 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections.

The Palo Alto Networks security platform must only allow the use of secure protocols that implement cryptographic mechanisms to protect the integrity of maintenance and diagnostic communications for nonlocal maintenance sessions.

OpenShift must protect authenticity of communications sessions with the use of FIPS-validated 140-2 or 140-3 validated cryptography.

The SUSE operating system must implement DoD-approved encryption to protect the confidentiality of SSH remote connections.

RHEL 9 must have the crypto-policies package installed.

RHEL 9 crypto policy must not be overridden.

RHEL 9 must implement a system-wide encryption policy.

The boundary protection system (firewall) must be configured to deny network traffic by default and must allow network traffic by exception (i.e., deny all, permit by exception).

The Photon operating system must configure sshd to use approved encryption algorithms.

The Photon operating system must have the OpenSSL FIPS provider installed to protect the confidentiality of remote access sessions.

Ubuntu 22.04 LTS must configure the SSH daemon to use Message Authentication Codes (MACs) employing FIPS 140-3-approved cryptographic hashes to prevent the unauthorized disclosure of information and/or detect changes to information during transmission.

FIPS mode must be enabled.

RHEL 9 must implement a systemwide encryption policy.

SLEM 5 must implement DOD-approved encryption to protect the confidentiality of SSH remote connections.

TOSS must implement DoD-approved encryption in the OpenSSL package.