STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

CCI-000803

Definition

Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.

Parent Control

IA-7 Cryptographic Module Authentication (family: Identification and Authentication)

Linked STIG Checks (200)

  • V-279094 | CAT I | ColdFusion must remove all export ciphers to protect the confidentiality and integrity of transmitted information. | Adobe ColdFusion Security Technical Implementation Guide
  • V-274032 | CAT II | Amazon Linux 2023 must have the libreswan package installed. | Amazon Linux 2023 Security Technical Implementation Guide
  • V-274035 | CAT II | Amazon Linux 2023 must have the packages required for encrypting off-loaded audit logs installed. | Amazon Linux 2023 Security Technical Implementation Guide
  • V-274058 | CAT I | Amazon Linux 2023 crypto policy must not be overridden. | Amazon Linux 2023 Security Technical Implementation Guide
  • V-274162 | CAT II | Amazon Linux 2023 password-auth must be configured to use a sufficient number of hashing rounds. | Amazon Linux 2023 Security Technical Implementation Guide
  • V-274163 | CAT II | Amazon Linux 2023 system-auth must be configured to use a sufficient number of hashing rounds. | Amazon Linux 2023 Security Technical Implementation Guide
  • V-283452 | CAT I | Amazon Linux 2023 must implement a FIPS 140-2/140-3 compliant systemwide cryptographic policy. | Amazon Linux 2023 Security Technical Implementation Guide
  • V-268175 | CAT II | NixOS must employ approved cryptographic hashing algorithms for all stored passwords. | Anduril NixOS Security Technical Implementation Guide
  • V-214230 | CAT II | The Apache web server must use cryptography to protect the integrity of remote sessions. | Apache Server 2.4 UNIX Server Security Technical Implementation Guide
  • V-214278 | CAT II | The Apache web server must use encryption strength in accordance with the categorization of data hosted by the Apache web server when remote connections are provided. | Apache Server 2.4 UNIX Site Security Technical Implementation Guide
  • V-214308 | CAT II | The Apache web server must use encryption strength in accordance with the categorization of data hosted by the Apache web server when remote connections are provided. | Apache Server 2.4 Windows Server Security Technical Implementation Guide
  • V-222968 | CAT I | Tomcat must use FIPS-validated ciphers on secured connectors. | Apache Tomcat Application Server 9 Security Technical Implementation Guide
  • V-258327 | CAT II | Apple iOS/iPadOS 17 must not include applications with the following characteristics: access to Siri when the device is locked. | Apple iOS/iPadOS 17 Security Technical Implementation Guide
  • V-267995 | CAT II | Apple iOS/iPadOS 18 must not include applications with the following characteristics: access to Siri when the device is locked. | Apple iOS/iPadOS 18 Security Technical Implementation Guide
  • V-267997 | CAT II | The Apple iOS/iPadOS 18 allow list must be configured to not include applications with the following characteristics: - Backs up MD data to non-DOD cloud servers (including user and application access to cloud backup services); - Transmits MD diagnostic data to non-DOD servers; - Allows synchronization of data or applications between devices associated with user; - Allows unencrypted (or encrypted but not FIPS 140-3 validated) data sharing with other MDs or printers; - Backs up its own data to a remote system; and - Uses artificial intelligence (AI), which processes data in the cloud (off device). Exception: Apple Intelligence Private Cloud Compute (PCC). | Apple iOS/iPadOS 18 Security Technical Implementation Guide
  • V-278755 | CAT II | Apple iOS/iPadOS 26 must not include applications with the following characteristics: access to Siri when the device is locked. | Apple iOS/iPadOS 26 Security Technical Implementation Guide
  • V-278757 | CAT II | Apple iOS/iPadOS 26 allow list must be configured to not include applications with the following characteristics: - Backs up MD data to non-DOD cloud servers (including user and application access to cloud backup services); - Transmits MD diagnostic data to non-DOD servers; - Allows synchronization of data or applications between devices associated with user; - Allows unencrypted (or encrypted but not FIPS 140-3-validated) data sharing with other MDs or printers; and - Backs up own data to a remote system. | Apple iOS/iPadOS 26 Security Technical Implementation Guide
  • V-252459 | CAT I | The macOS system must implement approved ciphers within the SSH server configuration to protect the confidentiality of SSH connections. | Apple macOS 12 (Monterey) Security Technical Implementation Guide
  • V-252460 | CAT I | The macOS system must implement approved Message Authentication Codes (MACs) within the SSH server configuration. | Apple macOS 12 (Monterey) Security Technical Implementation Guide
  • V-252461 | CAT I | The macOS system must implement approved Key Exchange Algorithms within the SSH server configuration. | Apple macOS 12 (Monterey) Security Technical Implementation Guide
  • V-257773 | CAT I | The macOS system must implement approved ciphers within the SSH client configuration to protect the confidentiality of SSH connections. | Apple macOS 12 (Monterey) Security Technical Implementation Guide
  • V-257774 | CAT I | The macOS system must implement approved Message Authentication Codes (MACs) within the SSH client configuration. | Apple macOS 12 (Monterey) Security Technical Implementation Guide
  • V-257775 | CAT I | The macOS system must implement approved Key Exchange Algorithms within the SSH client configuration. | Apple macOS 12 (Monterey) Security Technical Implementation Guide
  • V-257165 | CAT I | The macOS system must implement approved ciphers within the SSH server configuration to protect the confidentiality of SSH connections. | Apple macOS 13 (Ventura) Security Technical Implementation Guide
  • V-257166 | CAT I | The macOS system must implement approved Message Authentication Codes (MACs) within the SSH server configuration. | Apple macOS 13 (Ventura) Security Technical Implementation Guide
  • V-257167 | CAT I | The macOS system must implement approved Key Exchange Algorithms within the SSH server configuration. | Apple macOS 13 (Ventura) Security Technical Implementation Guide
  • V-257293 | CAT I | The macOS system must implement approved ciphers within the SSH client configuration to protect the confidentiality of SSH connections. | Apple macOS 13 (Ventura) Security Technical Implementation Guide
  • V-257294 | CAT I | The macOS system must implement approved Message Authentication Codes (MACs) within the SSH client configuration. | Apple macOS 13 (Ventura) Security Technical Implementation Guide
  • V-257295 | CAT I | The macOS system must implement approved Key Exchange Algorithms within the SSH client configuration. | Apple macOS 13 (Ventura) Security Technical Implementation Guide
  • V-268438 | CAT I | The macOS system must limit SSHD to FIPS-compliant connections. | Apple macOS 15 (Sequoia) Security Technical Implementation Guide
  • V-268439 | CAT I | The macOS system must limit SSH to FIPS-compliant connections. | Apple macOS 15 (Sequoia) Security Technical Implementation Guide
  • V-277046 | CAT I | The macOS system must limit SSHD to FIPS-compliant connections. | Apple macOS 26 (Tahoe) Security Technical Implementation Guide
  • V-277047 | CAT I | The macOS system must limit SSH to FIPS-compliant connections. | Apple macOS 26 (Tahoe) Security Technical Implementation Guide
  • V-222555 | CAT I | The application must use mechanisms meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module. | Application Security and Development Security Technical Implementation Guide
  • V-204758 | CAT I | The application server must utilize FIPS 140-2 approved encryption modules when authenticating users and processes. | Application Server Security Requirements Guide
  • V-237329 | CAT I | The ArcGIS Server must use mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module. | ArcGIS for Server 10.3 Security Technical Implementation Guide
  • V-272629 | CAT I | CylanceON-PREM must be configured to use TLS 1.2 or higher. | Arctic Wolf CylanceON-PREM Security Technical Implementation Guide
  • V-217379 | CAT II | The Arista Multilayer Switch must use FIPS-compliant mechanisms for authentication to a cryptographic module. | Arista MLS DCS-7000 Series NDM Security Technical Implementation Guide
  • V-217500 | CAT II | The Arista Multilayer Switch must encrypt all methods of configured authentication for the OSPF routing protocol. | Arista MLS DCS-7000 Series RTR Security Technical Implementation Guide
  • V-217502 | CAT II | The Arista Multilayer Switch must not enable the RIP routing protocol. | Arista MLS DCS-7000 Series RTR Security Technical Implementation Guide
  • V-255955 | CAT I | The Arista network device must use FIPS 140-2 approved algorithms for authentication to a cryptographic module. | Arista MLS EOS 4.2x NDM Security Technical Implementation Guide
  • V-256010 | CAT II | The Arista router must be configured to authenticate all routing protocol messages using NIST-validated FIPS 198-1 message authentication code algorithm. | Arista MLS EOS 4.2x Router Security Technical Implementation Guide
  • V-255955 | CAT I | The Arista network device must use FIPS 140-2 approved algorithms for authentication to a cryptographic module. | Arista MLS EOS 4.X NDM Security Technical Implementation Guide
  • V-256010 | CAT II | The Arista router must be configured to authenticate all routing protocol messages using NIST-validated FIPS 198-1 message authentication code algorithm. | Arista MLS EOS 4.X Router Security Technical Implementation Guide
  • V-254729 | CAT II | The BlackBerry Enterprise Mobility Server (BEMS) server must be configured to enable FIPS mode. | BlackBerry Enterprise Mobility Server 3.x Security Technical Implementation Guide
  • V-219182 | CAT II | The Ubuntu operating system must employ a FIPS 140-2 approved cryptographic hashing algorithms for all created and stored passwords. | Canonical Ubuntu 18.04 LTS Security Technical Implementation Guide
  • V-238325 | CAT II | The Ubuntu operating system must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm. | Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide
  • V-260572 | CAT II | Ubuntu 22.04 LTS must encrypt all stored passwords with a FIPS 140-3-approved cryptographic hashing algorithm. | Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide
  • V-270739 | CAT II | Ubuntu 24.04 LTS must encrypt all stored passwords with a FIPS 140-3 approved cryptographic hashing algorithm. | Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide
  • V-206482 | CAT I | The Central Log Server must use FIPS-validated SHA-1 or higher hash function to protect the integrity of keyed-hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, hash-only applications, and digital signature verification (legacy use only). | Central Log Server Security Requirements Guide
  • V-221929 | CAT I | The Central Log Server must use FIPS-validated SHA-2 or higher hash function for digital signature generation and verification (non-legacy use). | Central Log Server Security Requirements Guide
  • V-271966 | CAT I | The Cisco ACI must use FIPS 140-2/140-3 approved algorithms for authentication to a cryptographic module. | Cisco ACI NDM Security Technical Implementation Guide
  • V-272077 | CAT II | The Cisco ACI must be configured to use encryption for routing protocol authentication. | Cisco ACI Router Security Technical Implementation Guide
  • V-272078 | CAT II | The Cisco ACI must be configured to authenticate all routing protocol messages using a NIST-validated FIPS 198-1 message authentication code algorithm. | Cisco ACI Router Security Technical Implementation Guide
  • V-239958 | CAT II | The Cisco ASA must be configured to use FIPS-validated SHA-2 at 384 bits or higher for Internet Key Exchange (IKE) Phase 1. | Cisco ASA VPN Security Technical Implementation Guide
  • V-216555 | CAT II | The Cisco router must be configured to enable routing protocol authentication using FIPS 198-1 algorithms with keys not exceeding 180 days of lifetime. | Cisco IOS Router RTR Security Technical Implementation Guide
  • V-220624 | CAT II | The Cisco switch must authenticate all VLAN Trunk Protocol (VTP) messages with a hash function using the most secured cryptographic algorithm available. | Cisco IOS Switch L2S Security Technical Implementation Guide
  • V-220423 | CAT II | The Cisco switch must be configured to enable routing protocol authentication using FIPS 198-1 algorithms with keys not exceeding 180 days of lifetime. | Cisco IOS Switch RTR Security Technical Implementation Guide
  • V-216645 | CAT II | The Cisco router must be configured to enable routing protocol authentication using FIPS 198-1 algorithms with keys not exceeding 180 days of lifetime. | Cisco IOS XE Router RTR Security Technical Implementation Guide
  • V-220650 | CAT II | The Cisco switch must authenticate all VLAN Trunk Protocol (VTP) messages with a hash function using the most secured cryptographic algorithm available. | Cisco IOS XE Switch L2S Security Technical Implementation Guide
  • V-220990 | CAT II | The Cisco switch must be configured to enable routing protocol authentication using FIPS 198-1 algorithms with keys not exceeding 180 days of lifetime. | Cisco IOS XE Switch RTR Security Technical Implementation Guide
  • V-216739 | CAT II | The Cisco router must be configured to enable routing protocol authentication using FIPS 198-1 algorithms with keys not exceeding 180 days of lifetime. | Cisco IOS XR Router RTR Security Technical Implementation Guide
  • V-242653 | CAT I | The Cisco ISE must use FIPS-validated SHA-2 (or greater) to protect the integrity of hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, and hash-only applications. | Cisco ISE NDM Security Technical Implementation Guide
  • V-220676 | CAT II | The Cisco switch must authenticate all VLAN Trunk Protocol (VTP) messages with a hash function using the most secured cryptographic algorithm available. | Cisco NX OS Switch L2S Security Technical Implementation Guide
  • V-221074 | CAT II | The Cisco switch must be configured to use encryption for routing protocol authentication. | Cisco NX OS Switch RTR Security Technical Implementation Guide
  • V-221075 | CAT II | The Cisco switch must be configured to authenticate all routing protocol messages using NIST-validated FIPS 198-1 message authentication code algorithm. | Cisco NX OS Switch RTR Security Technical Implementation Guide
  • V-269415 | CAT II | The libreswan package must be installed. | Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
  • V-269416 | CAT II | AlmaLinux OS 9 must have the packages required for encrypting offloaded audit logs installed. | Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
  • V-233285 | CAT II | The container platform must use FIPS-validated SHA-2 or higher hash function for digital signature generation and verification (non-legacy use). | Container Platform Security Requirements Guide
  • V-233619 | CAT I | PostgreSQL must use NIST FIPS 140-2 or 140-3 validated cryptographic modules for cryptographic operations. | Crunchy Data PostgreSQL Security Technical Implementation Guide
  • V-233623 | CAT I | The DBMS must be configured on a platform that has a NIST certified FIPS 140-2 or 140-3 installation of OpenSSL. | Crunchy Data PostgreSQL Security Technical Implementation Guide
  • V-261896 | CAT I | PostgreSQL must use NIST FIPS 140-2/140-3 validated cryptographic modules for cryptographic operations. | Crunchy Data Postgres 16 Security Technical Implementation Guide
  • V-206562 | CAT I | The DBMS must use NIST FIPS 140-2 or 140-3 validated cryptographic modules for cryptographic operations. | Database Security Requirements Guide
  • V-269788 | CAT I | The Dell OS10 Switch must use FIPS 140-2 approved algorithms for authentication to a cryptographic module. | Dell OS10 Switch NDM Security Technical Implementation Guide
  • V-269868 | CAT II | The Dell OS10 Router must be configured to use encryption for routing protocol authentication. | Dell OS10 Switch Router Security Technical Implementation Guide
  • V-269869 | CAT II | The Dell OS10 Router must be configured to authenticate all routing protocol messages using NIST-validated FIPS 198-1 message authentication code algorithm. | Dell OS10 Switch Router Security Technical Implementation Guide
  • V-235777 | CAT I | FIPS mode must be enabled on all Docker Engine - Enterprise nodes. | Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide
  • V-224174 | CAT I | The EDB Postgres Advanced Server must use NIST FIPS 140-2 or 140-3 validated cryptographic modules for all cryptographic operations including generation of cryptographic hashes and data protection. | EDB Postgres Advanced Server v11 on Windows Security Technical Implementation Guide
  • V-224242 | CAT I | The EDB Postgres Advanced Server must be configured on a platform that has a NIST certified FIPS 140-2 or 140-3 installation of OpenSSL. | EDB Postgres Advanced Server v11 on Windows Security Technical Implementation Guide
  • V-213603 | CAT I | The EDB Postgres Advanced Server must use NIST FIPS 140-2 or 140-3 validated cryptographic modules for cryptographic operations. | EDB Postgres Advanced Server v9.6 Security Technical Implementation Guide
  • V-213668 | CAT I | The EDB Postgres Advanced Server must be configured on a platform that has a NIST certified FIPS 140-2 or 140-3 installation of OpenSSL. | EDB Postgres Advanced Server v9.6 Security Technical Implementation Guide
  • V-259254 | CAT I | The EDB Postgres Advanced Server must use NIST FIPS 140-2 or 140-3 validated cryptographic modules for cryptographic operations. | EnterpriseDB Postgres Advanced Server (EPAS) Security Technical Implementation Guide
  • V-259255 | CAT I | The EDB Postgres Advanced Server must be configured on a platform that has a NIST-certified FIPS 140-2 or 140-3 installation of OpenSSL. | EnterpriseDB Postgres Advanced Server (EPAS) Security Technical Implementation Guide
  • V-217407 | CAT II | The BIG-IP appliance must be configured to use mechanisms meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module. | F5 BIG-IP Device Management Security Technical Implementation Guide
  • V-230969 | CAT I | Forescout must use FIPS 140-2 approved algorithms for authentication to a cryptographic module. | Forescout Network Device Management Security Technical Implementation Guide
  • V-234210 | CAT I | The FortiGate device must use FIPS 140-2 approved algorithms for authentication to a cryptographic module. | Fortinet FortiGate Firewall NDM Security Technical Implementation Guide
  • V-203649 | CAT II | The operating system must use mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module. | General Purpose Operating System Security Requirements Guide
  • V-258385 | CAT II | Google Android 14 allowlist must be configured to not include applications with the following characteristics: - Backs up mobile device (MD) data to non-DOD cloud servers (including user and application access to cloud backup services); - Transmits MD diagnostic data to non-DOD servers; - Voice assistant application if available when MD is locked; - Voice dialing application if available when MD is locked; - Allows synchronization of data or applications between devices associated with user; - Payment processing; - Allows unencrypted (or encrypted but not FIPS 140-2/140-3 validated) data sharing with other MDs or printers; - Backs up own data to a remote system; - Renders TV shows and movies. | Google Android 14 COBO Security Technical Implementation Guide
  • V-258416 | CAT II | Google Android 14 allowlist must be configured to not include applications with the following characteristics: - Backs up mobile device (MD) data to non-DOD cloud servers (including user and application access to cloud backup services); - Transmits MD diagnostic data to non-DOD servers; - Voice assistant application if available when MD is locked; - Voice dialing application if available when MD is locked; - Allows synchronization of data or applications between devices associated with user; - Payment processing; - Allows unencrypted (or encrypted but not FIPS 140-2/140-3 validated) data sharing with other MDs or printers; - Backs up own data to a remote system; - Renders TV shows and movies. | Google Android 14 COPE Security Technical Implementation Guide
  • V-267437 | CAT II | Google Android 15 allowlist must be configured to not include applications with the following characteristics: - Backs up mobile device (MD) data to non-DOD cloud servers (including user and application access to cloud backup services); - Transmits MD diagnostic data to non-DOD servers; - Voice assistant application if available when MD is locked; - Voice dialing application if available when MD is locked; - Allows synchronization of data or applications between devices associated with user; - Payment processing; - Allows unencrypted (or encrypted but not FIPS 140-2/140-3 validated) data sharing with other MDs or printers; - Backs up own data to a remote system; - Renders TV shows and movies. | Google Android 15 COBO Security Technical Implementation Guide
  • V-267438 | CAT II | Google Android 15 allow list must be configured to not include artificial intelligence (AI) applications that process device data in the cloud, including Google Gemini. | Google Android 15 COBO Security Technical Implementation Guide
  • V-267532 | CAT II | Google Android 15 allowlist must be configured to not include applications with the following characteristics: - Backs up mobile device (MD) data to non-DOD cloud servers (including user and application access to cloud backup services); - Transmits MD diagnostic data to non-DOD servers; - Voice assistant application if available when MD is locked; - Voice dialing application if available when MD is locked; - Allows synchronization of data or applications between devices associated with user; - Payment processing; - Allows unencrypted (or encrypted but not FIPS 140-2/140-3 validated) data sharing with other MDs or printers; - Backs up own data to a remote system; - Renders TV shows and movies. | Google Android 15 COPE Security Technical Implementation Guide
  • V-267533 | CAT II | Google Android 15 allow list must be configured to not include artificial intelligence (AI) applications that process device data in the cloud, including Google Gemini. | Google Android 15 COPE Security Technical Implementation Guide
  • V-276755 | CAT II | Google Android 16 allowlist must be configured to not include applications with the following characteristics: - Backs up mobile device (MD) data to non-DOD cloud servers (including user and application access to cloud backup services); - Transmits MD diagnostic data to non-DOD servers; - Voice assistant application if available when MD is locked; - Voice dialing application if available when MD is locked; - Allows synchronization of data or applications between devices associated with user; - Payment processing; - Allows unencrypted (or encrypted but not FIPS 140-2/140-3 validated) data sharing with other MDs or printers; - Backs up own data to a remote system; - Renders TV shows and movies. | Google Android 16 COBO Security Technical Implementation Guide
  • V-276756 | CAT II | Google Android 16 allowlist must be configured to not include artificial intelligence (AI) applications that process device data in the cloud, including Google Gemini. | Google Android 16 COBO Security Technical Implementation Guide
  • V-276857 | CAT II | Google Android 16 allowlist must be configured to not include applications with the following characteristics: - Backs up mobile device (MD) data to non-DOD cloud servers (including user and application access to cloud backup services); - Transmits MD diagnostic data to non-DOD servers; - Voice assistant application if available when MD is locked; - Voice dialing application if available when MD is locked; - Allows synchronization of data or applications between devices associated with user; - Payment processing; - Allows unencrypted (or encrypted but not FIPS 140-2/140-3 validated) data sharing with other MDs or printers; - Backs up own data to a remote system; - Renders TV shows and movies. | Google Android 16 COPE Security Technical Implementation Guide
  • V-276858 | CAT II | Google Android 16 allowlist must be configured to not include artificial intelligence (AI) applications that process device data in the cloud, including Google Gemini. | Google Android 16 COPE Security Technical Implementation Guide
  • V-66111 | CAT II | The HP FlexFabric Switch must encrypt all methods of configured authentication for routing protocols. | HP FlexFabric Switch RTR Security Technical Implementation Guide
  • V-66113 | CAT II | The HP FlexFabric Switch must use NIST-validated FIPS 140-2 cryptography to implement authentication encryption mechanisms for routing protocols. | HP FlexFabric Switch RTR Security Technical Implementation Guide
  • V-255251 | CAT I | The SSMC web server must use cryptographic modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication. | HPE 3PAR SSMC Web Server Security Technical Implementation Guide
  • V-237818 | CAT I | DoD-approved encryption must be implemented to protect the confidentiality and integrity of remote access sessions, information during preparation for transmission, information during reception, and information during transmission in addition to enforcing replay-resistant authentication mechanisms for network access to privileged accounts. | HPE 3PAR StoreServ 3.2.x Security Technical Implementation Guide
  • V-255273 | CAT I | The HPE 3PAR OS must be configured to initialize its FIPS module to use mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module. | HPE 3PAR StoreServ 3.3.x Security Technical Implementation Guide
  • V-255292 | CAT I | The HPE 3PAR OS cimserver process must be properly configured to operate in FIPS mode in order to use mechanisms meeting the requirements of applicable federal laws, executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module. | HPE 3PAR StoreServ 3.3.x Security Technical Implementation Guide
  • V-255296 | CAT I | The HPE 3PAR OS WSAPI process must be properly configured to operate in FIPS mode in order to use mechanisms meeting the requirements of applicable federal laws, executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module. | HPE 3PAR StoreServ 3.3.x Security Technical Implementation Guide
  • V-283387 | CAT I | The HPE Alletra Storage ArcusOS device must use FIPS 140-approved algorithms for authentication to a cryptographic module. | HPE Alletra Storage ArcusOS Network Device Management Security Technical Implementation Guide
  • V-266940 | CAT I | AOS must use FIPS 140-2/140-3 approved algorithms for authentication to a cryptographic module. | HPE Aruba Networking AOS NDM Security Technical Implementation Guide
  • V-266983 | CAT II | AOS, when used as a VPN Gateway, must be configured to use IPsec with SHA-2 at 384 bits or greater for hashing to protect the integrity of remote access sessions. | HPE Aruba Networking AOS VPN Security Technical Implementation Guide
  • V-268269 | CAT I | The HYCU virtual appliance must use FIPS 140-2-approved algorithms for authentication to a cryptographic module. | HYCU Protege Security Technical Implementation Guide
  • V-274289 | CAT II | Honeywell Android 13 allowlist must be configured to not include applications with the following characteristics: - Backs up MD data to non-DOD cloud servers (including user and application access to cloud backup services); - Transmits MD diagnostic data to non-DOD servers; - Voice assistant application if available when MD is locked; - Voice dialing application if available when MD is locked; - Allows synchronization of data or applications between devices associated with user; - Payment processing; and - Allows unencrypted (or encrypted but not FIPS 140-3 validated) data sharing with other MDs, display screens (screen mirroring), or printers. | Honeywell Android 13 COBO Security Technical Implementation Guide
  • V-274384 | CAT II | Honeywell Android 13 allowlist must be configured to not include applications with the following characteristics: - Backs up MD data to non-DOD cloud servers (including user and application access to cloud backup services); - Transmits MD diagnostic data to non-DOD servers; - Voice assistant application if available when MD is locked; - Voice dialing application if available when MD is locked; - Allows synchronization of data or applications between devices associated with user; - Payment processing; and - Allows unencrypted (or encrypted but not FIPS 140-3 validated) data sharing with other MDs, display screens (screen mirroring), or printers. | Honeywell Android 13 COPE Security Technical Implementation Guide
  • V-215216 | CAT II | AIX must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. | IBM AIX 7.x Security Technical Implementation Guide
  • V-213702 | CAT I | DB2 must use NIST FIPS 140-2 validated cryptographic modules for cryptographic operations. | IBM DB2 V10.5 LUW Security Technical Implementation Guide
  • V-65105 | CAT II | The DataPower Gateway must use mechanisms meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module. | IBM DataPower Network Device Management Security Technical Implementation Guide
  • V-255809 | CAT II | The MQ Appliance messaging server must utilize FIPS 140-2 approved encryption modules when authenticating users and processes. | IBM MQ Appliance V9.0 AS Security Technical Implementation Guide
  • V-255748 | CAT II | The MQ Appliance network device must use mechanisms meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module. | IBM MQ Appliance v9.0 NDM Security Technical Implementation Guide
  • V-250339 | CAT I | The WebSphere Liberty Server must use FIPS 140-2 approved encryption modules when authenticating users and processes. | IBM WebSphere Liberty Server Security Technical Implementation Guide
  • V-283668 | CAT I | The WebSphere Liberty Server must use FIPS 140-3-approved encryption modules when authenticating users and processes. | IBM WebSphere Liberty Server Security Technical Implementation Guide
  • V-255875 | CAT II | The WebSphere Application Server must utilize FIPS 140-2-approved encryption modules when authenticating users and processes. | IBM WebSphere Traditional V9.x Security Technical Implementation Guide
  • V-283677 | CAT II | The WebSphere Application Server must use FIPS 140-3-approved encryption modules when authenticating users and processes. | IBM WebSphere Traditional V9.x Security Technical Implementation Guide
  • V-223589 | CAT I | IBM z/OS SSH daemon must be configured to use a FIPS 140-2 compliant cryptographic algorithm. | IBM z/OS ACF2 Security Technical Implementation Guide
  • V-223610 | CAT II | IBM z/OS SSL encryption options for the TN3270 Telnet Server must be specified properly for each statement that defines a SECUREPORT or within the TELNETGLOBALS. | IBM z/OS ACF2 Security Technical Implementation Guide
  • V-223729 | CAT I | NIST FIPS-validated cryptography must be used to protect passwords in the security database. | IBM z/OS RACF Security Technical Implementation Guide
  • V-223831 | CAT II | IBM z/OS SSL encryption options for the TN3270 Telnet Server must be specified properly for each statement that defines a SECUREPORT or within the TELNETGLOBALS. | IBM z/OS RACF Security Technical Implementation Guide
  • V-224044 | CAT I | The SSH daemon must be configured to use a FIPS 140-2 compliant cryptographic algorithm. | IBM z/OS TSS Security Technical Implementation Guide
  • V-224067 | CAT II | IBM z/OS SSL encryption options for the TN3270 Telnet server must be specified properly for each statement that defines a SECUREPORT or within the TELNETGLOBALS. | IBM z/OS TSS Security Technical Implementation Guide
  • V-237920 | CAT I | The IBM z/VM TCP/IP VMSSL command operands must be configured properly. | IBM zVM Using CA VM:Secure Security Technical Implementation Guide
  • V-224777 | CAT II | The ISEC7 SPHERE must use FIPS-validated SHA-2 or higher hash function for digital signature generation and verification (nonlegacy use). | ISEC7 Sphere Security Technical Implementation Guide
  • V-258601 | CAT II | The ICS must be configured to audit the execution of privileged functions such as accounts additions and changes. | Ivanti Connect Secure NDM Security Technical Implementation Guide
  • V-251413 | CAT I | The Ivanti EPMM server must use FIPS-validated SHA-2 or higher hash function to protect the integrity of keyed-hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, and hash-only applications. | Ivanti EPMM Server Security Technical Implementation Guide
  • V-251413 | CAT I | The Ivanti MobileIron Core server must use FIPS-validated SHA-2 or higher hash function to protect the integrity of keyed-hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, and hash-only applications. | Ivanti MobileIron Core MDM Server Security Technical Implementation Guide
  • V-250995 | CAT I | MobileIron Sentry must use FIPS 140-2 approved algorithms for authentication to a cryptographic module. | Ivanti MobileIron Sentry 9.x NDM Security Technical Implementation Guide
  • V-250995 | CAT I | Sentry must use FIPS 140-2 approved algorithms for authentication to a cryptographic module. | Ivanti Sentry 9.x NDM Security Technical Implementation Guide
  • V-253950 | CAT II | The Juniper layer 2 switch must be configured to disable all dynamic VLAN registration protocols. | Juniper EX Series Switches Layer 2 Switch Security Technical Implementation Guide
  • V-253911 | CAT I | The Juniper EX switch must be configured to use FIPS 140-2/140-3-validated algorithms for authentication to a cryptographic module. | Juniper EX Series Switches Network Device Management Security Technical Implementation Guide
  • V-254001 | CAT II | The Juniper router must be configured to use encryption for routing protocol authentication. | Juniper EX Series Switches Router Security Technical Implementation Guide
  • V-254002 | CAT II | The Juniper router must be configured to authenticate all routing protocol messages using NIST-validated FIPS 198-1 message authentication code algorithm. | Juniper EX Series Switches Router Security Technical Implementation Guide
  • V-217014 | CAT II | The Juniper router must be configured to use encryption for routing protocol authentication. | Juniper Router RTR Security Technical Implementation Guide
  • V-217015 | CAT II | The Juniper router must be configured to authenticate all routing protocol messages using NIST-validated FIPS 140-2 message authentication code algorithm. | Juniper Router RTR Security Technical Implementation Guide
  • V-66667 | CAT II | The Juniper SRX Services Gateway VPN must use FIPS 140-2 compliant mechanisms for authentication to a cryptographic module. | Juniper SRX SG VPN Security Technical Implementation Guide
  • V-214675 | CAT II | The Juniper SRX Services Gateway VPN must be configured to use IPsec with SHA256 or greater to negotiate hashing to protect the integrity of remote access sessions. | Juniper SRX Services Gateway VPN Security Technical Implementation Guide
  • V-206648 | CAT II | When using VLAN Trunk Protocol (VTP) or similar features, the layer 2 switch must authenticate all VTP messages with
a hash function using the most secured cryptographic algorithm available.Layer 2 Switch Security Requirements GuideV-213862CAT ISQL Server must use NIST FIPS 140-2 or 140-3 validated cryptographic modules for cryptographic operations.MS SQL Server 2014 Instance Security Technical Implementation GuideV-213969CAT ISQL Server must use NIST FIPS 140-2/140-3-validated cryptographic operations for encryption, hashing, and signing.MS SQL Server 2016 Instance Security Technical Implementation GuideV-205509CAT IIThe Mainframe Product must use mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.Mainframe Product Security Requirements GuideV-253703CAT IMariaDB must use NIST FIPS 140-2/140-3 validated cryptographic modules for cryptographic operations.MariaDB Enterprise 10.x Security Technical Implementation GuideV-220368CAT IMarkLogic Server must use NIST FIPS 140-2 or 140-3 validated cryptographic modules for cryptographic operations and protect classified information in accordance with the requirements of the data owner.MarkLogic Server v9 Security Technical Implementation GuideV-223297CAT IIConsistent MIME handling must be enabled for all Office 365 ProPlus programs.Microsoft Office 365 ProPlus Security Technical Implementation GuideV-223301CAT IIThe MIME Sniffing safety feature must be enabled in all Office programs.Microsoft Office 365 ProPlus Security Technical Implementation GuideV-223303CAT IIObject Caching Protection must be enabled in all Office programs.Microsoft Office 365 ProPlus Security Technical Implementation GuideV-228452CAT IIS/Mime interoperability with external clients for message handling must be configured.Microsoft Outlook 2016 Security Technical Implementation GuideV-228453CAT IIMessage formats must be set to use SMime.Microsoft Outlook 2016 Security Technical Implementation GuideV-228454CAT IIRun in FIPS compliant mode 
must be enforced.Microsoft Outlook 2016 Security Technical Implementation GuideV-237439CAT IAll SCOM servers must be configured for FIPS 140-2 compliance.Microsoft SCOM Security Technical Implementation GuideV-271314CAT ISQL Server must use NIST FIPS 140-2 or 140-3 validated cryptographic operations for encryption, hashing, and signing.Microsoft SQL Server 2022 Instance Security Technical Implementation GuideV-220805CAT IIWindows 10 must be configured to prioritize ECC Curves with longer key lengths first.Microsoft Windows 10 Security Technical Implementation GuideV-220936CAT IIKerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites.Microsoft Windows 10 Security Technical Implementation GuideV-253363CAT IIWindows 11 must be configured to prioritize ECC Curves with longer key lengths first.Microsoft Windows 11 Security Technical Implementation GuideV-253460CAT IIKerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites.Microsoft Windows 11 Security Technical Implementation GuideV-225052CAT IIKerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites.Microsoft Windows Server 2016 Security Technical Implementation GuideV-205708CAT IIWindows Server 2019 Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites.Microsoft Windows Server 2019 Security Technical Implementation GuideV-254473CAT IIWindows Server 2022 Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites.Microsoft Windows Server 2022 Security Technical Implementation GuideV-278223CAT IIWindows Server 2025 Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites.Microsoft Windows Server 2025 Security Technical Implementation GuideV-260908CAT IFIPS mode must be enabled.Mirantis Kubernetes Engine Security Technical Implementation GuideV-221174CAT IMongoDB must use NIST FIPS 
140-2-validated cryptographic modules for cryptographic operations.MongoDB Enterprise Advanced 3.x Security Technical Implementation GuideV-252146CAT IMongoDB must use NIST FIPS 140-2 or 140-3 validated cryptographic modules for cryptographic operations.MongoDB Enterprise Advanced 4.x Security Technical Implementation GuideV-265922CAT IMongoDB must use NIST FIPS 140-2 or 140-3 validated cryptographic modules for cryptographic operations.MongoDB Enterprise Advanced 7.x Security Technical Implementation GuideV-279354CAT IMongoDB must use NIST FIPS 140-2/140-3 validated cryptographic modules for cryptographic operations.MongoDB Enterprise Advanced 8.x Security Technical Implementation GuideV-272179CAT IIMotorola Solutions Android 13 allowlist must be configured to not include applications with the following characteristics: - Backs up MD data to non-DOD cloud servers (including user and application access to cloud backup services); - Transmits MD diagnostic data to non-DOD servers; - Voice assistant application if available when MD is locked; - Voice dialing application if available when MD is locked; - Allows synchronization of data or applications between devices associated with user; - Payment processing; and - Allows unencrypted (or encrypted but not FIPS 140-3 validated) data sharing with other MDs, display screens (screen mirroring), or printers.Motorola Solutions Android 13 COBO Security Technical Implementation GuideV-272316CAT IIMotorola Solutions Android 13 allowlist must be configured to not include applications with the following characteristics: - Backs up MD data to non-DOD cloud servers (including user and application access to cloud backup services); - Transmits MD diagnostic data to non-DOD servers; - Voice assistant application if available when MD is locked; - Voice dialing application if available when MD is locked; - Allows synchronization of data or applications between devices associated with user; - Payment processing; and - Allows unencrypted 
(or encrypted but not FIPS 140-3 validated) data sharing with other MDs, display screens (screen mirroring), or printers.Motorola Solutions Android 13 COPE Security Technical Implementation GuideV-246958CAT IONTAP must be configured to implement cryptographic mechanisms using FIPS 140-2.NetApp ONTAP DSC 9.x Security Technical Implementation GuideV-202072CAT IThe network device must use FIPS 140-2 approved algorithms for authentication to a cryptographic module.Network Device Management Security Requirements GuideV-251383CAT IIMulti-Protocol Labeled Switching (MPLS) protocols deployed to build Label-Switch Path (LSP) tunnels must authenticate all messages with a hash function using the most secured cryptographic algorithm available.Network Infrastructure Policy Security Technical Implementation GuideV-254222CAT INutanix AOS pam_unix.so module must be configured in the password-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.Nutanix AOS 5.20.x OS Security Technical Implementation GuideV-279613CAT IINutanix OS must configure pam_uni.so module to use SHA-512 for authentication to a cryptographic module.Nutanix Acropolis GPOS Security Technical Implementation GuideV-219778CAT IIThe DBMS must use NIST-validated FIPS 140-2-compliant cryptography for authentication mechanisms.Oracle Database 11.2g Security Technical Implementation GuideV-238474CAT IIThe DBMS must implement required cryptographic protections using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.Oracle Database 11.2g Security Technical Implementation GuideV-220294CAT IThe DBMS must use NIST-validated FIPS 140-2 or 140-3 compliant cryptography for authentication mechanisms.Oracle Database 12c Security Technical Implementation GuideV-237739CAT IThe DBMS must implement required cryptographic protections using cryptographic modules complying with applicable federal laws, 
Executive Orders, directives, policies, regulations, standards, and guidance.Oracle Database 12c Security Technical Implementation GuideV-270569CAT IOracle Database must use NIST-validated FIPS 140-2/140-3 compliant cryptography for authentication mechanisms.Oracle Database 19c Security Technical Implementation GuideV-221486CAT IIOHS must have the LoadModule ossl_module directive enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting stored data.Oracle HTTP Server 12.1.3 Security Technical Implementation GuideV-221487CAT IIOHS must have the SSLFIPS directive enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting stored data.Oracle HTTP Server 12.1.3 Security Technical Implementation GuideV-221488CAT IIOHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting stored data.Oracle HTTP Server 12.1.3 Security Technical Implementation GuideV-221489CAT IIOHS must have the SSLCipherSuite directive enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting stored data.Oracle HTTP Server 12.1.3 Security Technical Implementation GuideV-221490CAT IIOHS must have the LoadModule ossl_module directive enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.Oracle HTTP Server 12.1.3 Security Technical Implementation GuideV-221491CAT IIOHS must have the SSLFIPS directive enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such 
authentication.Oracle HTTP Server 12.1.3 Security Technical Implementation GuideV-221492CAT IIOHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.Oracle HTTP Server 12.1.3 Security Technical Implementation GuideV-221493CAT IIOHS must have the SSLCipherSuite directive enabled to meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.Oracle HTTP Server 12.1.3 Security Technical Implementation GuideV-221840CAT IIThe Oracle Linux 7 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections.Oracle Linux 7 Security Technical Implementation GuideV-248543CAT IIThe OL 8 "pam_unix.so" module must be configured in the system-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.Oracle Linux 8 Security Technical Implementation GuideV-248544CAT IIThe OL 8 "pam_unix.so" module must be configured in the password-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.Oracle Linux 8 Security Technical Implementation GuideV-248545CAT IIOL 8 must prevent system daemons from using Kerberos for authentication.Oracle Linux 8 Security Technical Implementation GuideV-248546CAT IIThe krb5-workstation package must not be installed on OL 8.Oracle Linux 8 Security Technical Implementation GuideV-248547CAT IIThe krb5-server package must not be installed on OL 8.Oracle Linux 8 Security Technical Implementation GuideV-271510CAT IIOL 9 must have the packages required for encrypting offloaded audit logs installed.Oracle Linux 9 Security Technical Implementation GuideV-271517CAT IIOL 9 must have the libreswan package installed.Oracle Linux 9 Security Technical Implementation 
GuideV-271625CAT IIOL 9 password-auth must be configured to use a sufficient number of hashing rounds.Oracle Linux 9 Security Technical Implementation GuideV-271626CAT IIOL 9 system-auth must be configured to use a sufficient number of hashing rounds.Oracle Linux 9 Security Technical Implementation GuideV-271627CAT IIOL 9 shadow password suite must be configured to use a sufficient number of hashing rounds.Oracle Linux 9 Security Technical Implementation GuideV-271628CAT IIOL 9 must employ FIPS 140-3 approved cryptographic hashing algorithms for all stored passwords.Oracle Linux 9 Security Technical Implementation GuideV-235148CAT IThe MySQL Database Server 8.0 must use NIST FIPS 140-2 or 140-3 validated cryptographic modules for cryptographic operations.Oracle MySQL 8.0 Security Technical Implementation Guide