Skip to content
ATO Pathways
Log In
Overview
Search
Catalogs
SCAP
OSCAL
Catalogs
Profiles
Documents
References
Knowledge Base
Platform Documentation
Compliance Dictionary
Platform Changelog
About
Catalogs
XCCDF
Microsoft Outlook 2016 Security Technical Implementation Guide
SRG-APP-000179
SRG-APP-000179
An XCCDF Group - A logical subset of the XCCDF Benchmark
Details
Profiles
Prose
SRG-APP-000179
1 Rule
<GroupDescription></GroupDescription>
Run in FIPS compliant mode must be enforced.
Medium Severity
<VulnDiscussion>This policy setting controls whether Outlook is required to use FIPS-compliant algorithms when signing and encrypting messages. Outlook can run in a mode that complies with Federal Information Processing Standards (FIPS), a set of standards published by the National Institute of Standards and Technology (NIST) for use by non-military United States government agencies and by government contractors. If you enable this policy setting, Outlook runs in a mode that complies with the FIPS 140-1 standard for cryptographic modules. This mode requires the use of the SHA-1 algorithm for signing and 3DES for encryption. If you disable or do not configure this policy setting, Outlook does not run in FIPS-compliant mode. Organizations that do business with the United States government but do not run Outlook in FIPS-compliant mode risk violating the U.S. government's rules regarding the handling of sensitive information.For more information about FIPS, see FIPS - General Information at http://www.itl.nist.gov/fipspubs/geninfo.htm FIPS mode in Windows enforces 3DES, AES 256/192/128, SHA1, and SHA 512/384/256. The 3DES and SHA1 modules are FIPS 140 certified. FIPS mode restricts Outlook to a very short list of SMIME capabilities. Almost all SMIME algorithms are FIPS certified on Windows. Reference https://docs.microsoft.com/en-us/windows/security/threat-protection/fips-140-validation#microsoft-fips-140-2-validated-cryptographic-modules to double check that the SMIME capabilities used and specified in certificates are FIPS certified. </VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>