Network Device Management Rules : Ensuring the system is using FIPS 140-2 cryptographic modules
Rule Title: RiOS must use mechanisms meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
STIG ID: RICX-DM-000130
Rule ID: SV-77467r1_rule Severity: CAT II
Vuln ID: V-62977 Class: Unclass
Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data might be compromised.
Network devices using encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules.
FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements.
Adding the FIPS 140-2 license incurs a cost from the vendor for FIPS mode/module support.
Verifying the system is using FIPS 140-2 cryptographic modules
Verify that RiOS is licensed to use FIPS 140-2 cryptographic modules.
1. Connect to the CLI and enter these commands.
enable
config terminal
show licenses
2. Verify the FIPS License has been installed.
3. At the system prompt, enter:
show web ssl cipher
4. Verify that the web ssl cipher string is:
TLSv1.2+FIPS:kRSA+FIPS:!eNULL:!aNULL
If a FIPS license is not present, or the web SSL cipher string is not set exactly as shown above, this is a finding. Both conditions must hold for the device to pass: a valid license without the FIPS cipher string still leaves non-FIPS cipher suites negotiable on the management interface.
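The check above is a manual CLI inspection. The following is an added example, not part of the STIG or Riverbed's own tooling: a Python checker that evaluates captured output of "show licenses" and "show web ssl cipher" and reports a finding when either condition fails. The sample CLI output is constructed for illustration; the real RiOS formatting may differ, so the license parser only assumes that an installed FIPS license appears as a line mentioning "FIPS" that is not marked expired or invalid, and the cipher parser takes the last whitespace-separated token of the output as the configured string. The cipher check goes slightly beyond the STIG's exact-match test: when the string differs, it explains which OpenSSL-style components are missing (the !eNULL/!aNULL exclusions or the +FIPS restriction), which is useful when triaging a finding.

```python
import re

# Required cipher string from the STIG check (RICX-DM-000130).
REQUIRED_CIPHER_STRING = "TLSv1.2+FIPS:kRSA+FIPS:!eNULL:!aNULL"

# Constructed sample CLI output. The license key values and layout are
# illustrative, not Riverbed's documented format.
SAMPLE_LICENSES_COMPLIANT = """\
Local: LK1-SH40-0000-0000-1-0000-0000-0000   Status: Valid
Local: LK1-FIPS-0000-0000-1-0000-0000-0000   Status: Valid
"""
SAMPLE_LICENSES_NO_FIPS = """\
Local: LK1-SH40-0000-0000-1-0000-0000-0000   Status: Valid
"""
SAMPLE_LICENSES_FIPS_EXPIRED = """\
Local: LK1-FIPS-0000-0000-1-0000-0000-0000   Status: Expired
"""
SAMPLE_CIPHER_COMPLIANT = "Web SSL cipher: TLSv1.2+FIPS:kRSA+FIPS:!eNULL:!aNULL\n"
SAMPLE_CIPHER_DEFAULT = "Web SSL cipher: DEFAULT\n"
SAMPLE_CIPHER_NO_ANULL = "Web SSL cipher: TLSv1.2+FIPS:kRSA+FIPS:!eNULL\n"


def has_fips_license(show_licenses_output: str) -> bool:
    """True if some license line mentions FIPS and is not expired/invalid.

    Assumption: an installed FIPS license is identifiable by the word FIPS on
    its line; adjust the pattern to the appliance's real output if needed.
    """
    for line in show_licenses_output.splitlines():
        if not re.search(r"\bFIPS\b", line, re.IGNORECASE):
            continue
        if re.search(r"expired|invalid|revoked", line, re.IGNORECASE):
            continue
        return True
    return False


def configured_cipher_string(show_cipher_output: str) -> str:
    """Extract the cipher string: last token, so bare or labelled output works."""
    tokens = show_cipher_output.split()
    return tokens[-1] if tokens else ""


def check_cipher_string(show_cipher_output: str):
    """Return (compliant, problems) for the web SSL cipher string.

    Exact match with the required string passes; otherwise explain which
    OpenSSL-style components are wrong so the finding can be triaged.
    """
    configured = configured_cipher_string(show_cipher_output)
    if configured == REQUIRED_CIPHER_STRING:
        return True, []
    components = [c for c in configured.split(":") if c]
    problems = []
    if "!eNULL" not in components:
        problems.append("NULL encryption (eNULL) is not excluded")
    if "!aNULL" not in components:
        problems.append("anonymous key exchange (aNULL) is not excluded")
    for component in components:
        if component.startswith("!"):
            continue  # exclusions are fine; only positive selections must be FIPS
        if "+FIPS" not in component:
            problems.append(f"component {component!r} is not restricted to FIPS ciphers")
    if not problems:
        problems.append(f"cipher string {configured!r} differs from required "
                        f"{REQUIRED_CIPHER_STRING!r}")
    return False, problems


def evaluate(show_licenses_output: str, show_cipher_output: str):
    """Return (is_finding, reasons). A finding if EITHER condition fails."""
    reasons = []
    if not has_fips_license(show_licenses_output):
        reasons.append("FIPS license is not installed or not valid")
    ok, problems = check_cipher_string(show_cipher_output)
    if not ok:
        reasons.extend(problems)
    return (len(reasons) > 0, reasons)


if __name__ == "__main__":
    for name, lic, ciph in [
        ("compliant", SAMPLE_LICENSES_COMPLIANT, SAMPLE_CIPHER_COMPLIANT),
        ("no FIPS license", SAMPLE_LICENSES_NO_FIPS, SAMPLE_CIPHER_COMPLIANT),
        ("default ciphers", SAMPLE_LICENSES_COMPLIANT, SAMPLE_CIPHER_DEFAULT),
    ]:
        finding, reasons = evaluate(lic, ciph)
        print(f"{name}: {'FINDING' if finding else 'pass'} {reasons}")
```

To use this against a real appliance, capture the two command outputs over SSH (for example with a scripted session) and pass them to evaluate(); the output format assumptions are confined to has_fips_license() and configured_cipher_string().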
Configuring the system to use FIPS 140-2 cryptographic modules
Configure RiOS to be licensed to use FIPS 140-2 cryptographic modules and restrict the web SSL cipher string to FIPS-approved suites.
1. Connect to the CLI and enter these commands.
enable
config terminal
license install <license-string>
web ssl cipher TLSv1.2+FIPS:kRSA+FIPS:!eNULL:!aNULL
write memory
2. To verify the FIPS License has been installed, at the system prompt, enter:
show licenses
show web ssl cipher