Automation Controller must implement cryptography mechanisms to protect the integrity of information.

Description

<VulnDiscussion>Encryption is critical for protection of remote access sessions. If encryption is not being used for integrity, malicious users may gain the ability to modify Automation Controller configuration. The use of cryptography for ensuring integrity of remote access sessions mitigates that risk. Automation Controller utilizes a web management interface and scripted commands when allowing remote access. Web access requires the use of TLS and scripted access requires using SSH or some other form of approved cryptography. Automation Controller must have the ability to enable a secure remote admin capability. FIPS 140-2 approved TLS versions must be enabled and non-FIPS-approved SSL versions must be disabled. Automation Controller requires the use of Red Hat Enterprise Linux as an operating system and its underlying FIPS validated cryptographic modules to ensure it meets FIPS 140-2 criteria. Satisfies: SRG-APP-000015-AS-000010, SRG-APP-000179-AS-000129, SRG-APP-000224-AS-000152, SRG-APP-000231-AS-000133, SRG-APP-000231-AS-000156, SRG-APP-000416-AS-000140, SRG-APP-000428-AS-000265, SRG-APP-000429-AS-000157, SRG-APP-000439-AS-000274, SRG-APP-000440-AS-000167, SRG-APP-000514-AS-000136</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>