CCI-003123

Use Only FIPS 140-2 Validated Ciphers

Use Only FIPS 140-2 Validated MACs

Set kernel parameter 'crypto.fips_enabled' to 1

Configure SSH Client to Use FIPS 140-2 Validated Ciphers: openssh.config

The A10 Networks ADC must not use SNMP Versions 1 or 2.

Arista Multilayer Switches used for nonlocal maintenance sessions must implement cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications.

The Arista network device must be configured to implement cryptographic mechanisms using a FIPS 140-2 approved algorithm to protect the confidentiality of remote maintenance sessions.

Applications used for non-local maintenance sessions must implement cryptographic mechanisms to protect the confidentiality of non-local maintenance and diagnostic communications.

Applications used for nonlocal maintenance sessions must implement cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications.

FIPS mode must be enabled on all Docker Engine - Enterprise nodes.

The FortiGate device must implement cryptographic mechanisms using a FIPS 140-2 approved algorithm to protect the confidentiality of remote maintenance sessions.

DoD-approved encryption must be implemented to protect the confidentiality and integrity of remote access sessions, information during preparation for transmission, information during reception, and information during transmission in addition to enforcing replay-resistant authentication mechanisms for network access to privileged accounts.

The HYCU server must use FIPS-validated algorithms for authentication to a cryptographic module and Keyed-Hash Message Authentication Code (HMAC) to protect the integrity and confidentiality of remote maintenance sessions.

Applications used for nonlocal maintenance sessions using the MQ Appliance WebGUI must implement cryptographic mechanisms to protect the confidentiality and integrity of nonlocal maintenance and diagnostic communications.

The Ivanti MobileIron Core server must configure web management tools with FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to protect the confidentiality of maintenance and diagnostic communications for nonlocal maintenance sessions.

MobileIron Sentry must be configured to implement cryptographic mechanisms using a FIPS 140-2 approved algorithm to protect the confidentiality of remote maintenance sessions.

The ISEC7 EMM Suite must use a FIPS-validated cryptographic module to provision digital signatures.

The Juniper router must be configured to implement cryptographic mechanisms to protect the confidentiality of remote maintenance sessions.

For nonlocal maintenance sessions using SNMP, the Juniper SRX Services Gateway must securely configure SNMPv3 with privacy options to protect the confidentiality of maintenance and diagnostic communications for nonlocal maintenance sessions.

For nonlocal maintenance sessions using SSH, the Juniper SRX Services Gateway must securely configured SSHv2 with privacy options to protect the confidentiality of maintenance and diagnostic communications for nonlocal maintenance sessions.

For nonlocal maintenance sessions, the Juniper SRX Services Gateway must ensure only zones where management functionality is desired have host-inbound-traffic system-services configured.

Mainframe Products must implement cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications.

The SCOM Web Console must be configured for HTTPS.

ONTAP must be configured to implement cryptographic mechanisms using FIPS 140-2.

The network device must be configured to implement cryptographic mechanisms using a FIPS 140-2 approved algorithm to protect the confidentiality of remote maintenance sessions

Nutanix AOS must implement DoD-approved encryption to protect the confidentiality of remote access sessions.

The Riverbed NetProfiler must be configured to implement cryptographic mechanisms using a FIPS 140-2/140-3 validated algorithm to protect the confidentiality and integrity of all cryptographic functions.

The SEL-2740S must be adopted by OTSDN Controllers for secure communication identifiers and initial trust for configuration of remote maintenance and diagnostic communications.

The Symantec ProxySG Web Management Console and SSH sessions must implement cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications.

The TippingPoint TPS must have FIPS mode enforced.

The UEM server must configure web management tools with FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to protect the confidentiality of maintenance and diagnostic communications for nonlocal maintenance sessions.

The macOS system must implement approved ciphers within the SSH server configuration to protect the confidentiality of SSH connections.

The macOS system must implement approved Message Authentication Codes (MACs) within the SSH server configuration.

The macOS system must implement approved Key Exchange Algorithms within the SSH server configuration.

The macOS system must disable the SSHD service.

The macOS system must implement approved ciphers to protect the confidentiality of SSH connections.

The macOS system must implement approved Message Authentication Codes (MACs).

The macOS system must implement approved Key Exchange Algorithms.

The macOS system must implement approved ciphers within the SSH client configuration to protect the confidentiality of SSH connections.

The macOS system must implement approved Message Authentication Codes (MACs) within the SSH client configuration.

The macOS system must implement approved Key Exchange Algorithms within the SSH client configuration.

The macOS system must limit SSHD to FIPS-compliant connections.

The Ubuntu operating system must configure the SSH daemon to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms to protect the integrity of nonlocal maintenance and diagnostic communications.

The Ubuntu operating system must configure the SSH daemon to use FIPS 140-2 approved ciphers to prevent the unauthorized disclosure of information and/or detect changes to information during transmission.

The Cisco ASA must be configured to implement cryptographic mechanisms using a FIPS 140-2 approved algorithm to protect the confidentiality of remote maintenance sessions.

The Cisco router must be configured to implement cryptographic mechanisms to protect the confidentiality of remote maintenance sessions.

The Cisco switch must be configured to implement cryptographic mechanisms to protect the confidentiality of remote maintenance sessions.

The Cisco ISE must be configured to implement cryptographic mechanisms using a FIPS 140-2 validated algorithm to protect the confidentiality of remote maintenance sessions.

The container platform must configure web management tools and Application Program Interfaces (API) with FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to protect the confidentiality of maintenance and diagnostic communications for nonlocal maintenance sessions.

The operating system must implement cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications, when used for nonlocal maintenance sessions.

SSMC must employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions.

The HPE 3PAR OS must be configured to restrict the encryption algorithms and protocols to comply with DOD-approved encryption to protect the confidentiality and integrity of remote access sessions.

AIX must protect the confidentiality and integrity of transmitted information during preparation for transmission and maintain the confidentiality and integrity of information during reception and disable all non-encryption network access methods.

IBM z/OS SSL encryption options for the TN3270 Telnet Server must be specified properly for each statement that defines a SECUREPORT or within the TELNETGLOBALS.

IBM z/OS SSL encryption options for the TN3270 Telnet server must be specified properly for each statement that defines a SECUREPORT or within the TELNETGLOBALS.

The ICS must be configured to implement cryptographic mechanisms using a FIPS 140-2/3 approved algorithm.

The ICS must be configured to audit the execution of privileged functions such as accounts additions and changes.

The Juniper EX switch must be configured to implement cryptographic mechanisms using a FIPS 140-2 approved algorithm to protect the confidentiality of remote maintenance sessions.

The network device must be configured to implement cryptographic mechanisms using a FIPS 140-2 approved algorithm to protect the confidentiality of remote maintenance sessions.

The Windows Remote Management (WinRM) client must not allow unencrypted traffic.

The Windows Remote Management (WinRM) service must not allow unencrypted traffic.

Windows Server 2019 Windows Remote Management (WinRM) client must not allow unencrypted traffic.

Windows Server 2019 Windows Remote Management (WinRM) service must not allow unencrypted traffic.

Windows Server 2022 Windows Remote Management (WinRM) client must not allow unencrypted traffic.

Windows Server 2022 Windows Remote Management (WinRM) service must not allow unencrypted traffic.

OL 8 must implement NIST FIPS-validated cryptography for the following: To provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.

The Oracle Linux 7 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections.

The Palo Alto Networks security platform must not use SNMP Versions 1 or 2.

OpenShift must protect authenticity of communications sessions with the use of FIPS-validated 140-2 or 140-3 validated cryptography.

The SUSE operating system SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.

RHEL 9 must have the crypto-policies package installed.

RHEL 9 crypto policy must not be overridden.

RHEL 9 must implement a system-wide encryption policy.

The Photon operating system must configure sshd to use FIPS 140-2 ciphers.

The vCenter Server must enable FIPS-validated cryptography.

The Photon operating system must have the OpenSSL FIPS provider installed to protect the confidentiality of remote access sessions.

Ubuntu 22.04 LTS must configure the SSH daemon to use FIPS 140-3-approved ciphers to prevent the unauthorized disclosure of information and/or detect changes to information during transmission.

The ISEC7 SPHERE must use a FIPS-validated cryptographic module to provision digital signatures.

The Ivanti EPMM server must configure web management tools with FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to protect the confidentiality of maintenance and diagnostic communications for nonlocal maintenance sessions.

Sentry must be configured to implement cryptographic mechanisms using a FIPS 140-2 approved algorithm to protect the confidentiality of remote maintenance sessions.

FIPS mode must be enabled.

RHEL 9 must implement a systemwide encryption policy.

SLEM 5 SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2/140-3 approved cryptographic hash algorithms.

The TOSS operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections.