CCI-002450
Definition
Implement organization-defined types of cryptography for each specified cryptography use.
Parent Control
SC-13
Cryptographic Protection
System and Communications Protection
Linked STIG Checks (200)
V-245874
CAT II
Adobe Acrobat Pro DC Continuous FIPS mode must be enabled.
Adobe Acrobat Professional DC Continuous Track Security Technical Implementation Guide
V-213193
CAT II
Adobe Reader DC must enable FIPS mode.
Adobe Acrobat Reader DC Continuous Track Security Technical Implementation Guide
V-279063
CAT II
ColdFusion must be configured to use only DOD-approved keystores and truststores containing certificates issued by a DOD Public Key Infrastructure (PKI) Certificate Authority (CA), and all keystore and truststore files must be protected by file system permissions that prevent unauthorized access or modification.
Adobe ColdFusion Security Technical Implementation Guide
V-76427
CAT I
Kona Site Defender providing encryption intermediary services must implement NIST FIPS-validated cryptography to generate cryptographic hashes.
Akamai KSD Service Impact Level 2 ALG Security Technical Implementation Guide
V-76429
CAT II
Kona Site Defender providing encryption intermediary services must implement NIST FIPS-validated cryptography for digital signatures.
Akamai KSD Service Impact Level 2 ALG Security Technical Implementation Guide
V-76431
CAT I
Kona Site Defender providing encryption intermediary services must use NIST FIPS-validated cryptography to implement encryption services.
Akamai KSD Service Impact Level 2 ALG Security Technical Implementation Guide
V-274040
CAT I
Amazon Linux 2023 must have the crypto-policies package installed.
Amazon Linux 2023 Security Technical Implementation Guide
V-274057
CAT I
Amazon Linux 2023 must enable FIPS mode.
Amazon Linux 2023 Security Technical Implementation Guide
V-274058
CAT I
Amazon Linux 2023 crypto policy must not be overridden.
Amazon Linux 2023 Security Technical Implementation Guide
V-283452
CAT I
Amazon Linux 2023 must implement a FIPS 140-2/140-3 compliant systemwide cryptographic policy.
Amazon Linux 2023 Security Technical Implementation Guide
V-268168
CAT I
NixOS must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
Anduril NixOS Security Technical Implementation Guide
V-214278
CAT II
The Apache web server must use encryption strength in accordance with the categorization of data hosted by the Apache web server when remote connections are provided.
Apache Server 2.4 UNIX Site Security Technical Implementation Guide
V-223001
CAT III
Application servers must use NIST-approved or NSA-approved key management technology and processes.
Apache Tomcat Application Server 9 Security Technical Implementation Guide
V-252519
CAT I
The macOS system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider.
Apple macOS 12 (Monterey) Security Technical Implementation Guide
V-257225
CAT I
The macOS system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider.
Apple macOS 13 (Ventura) Security Technical Implementation Guide
V-268438
CAT I
The macOS system must limit SSHD to FIPS-compliant connections.
Apple macOS 15 (Sequoia) Security Technical Implementation Guide
V-268439
CAT I
The macOS system must limit SSH to FIPS-compliant connections.
Apple macOS 15 (Sequoia) Security Technical Implementation Guide
V-277046
CAT I
The macOS system must limit SSHD to FIPS-compliant connections.
Apple macOS 26 (Tahoe) Security Technical Implementation Guide
V-277047
CAT I
The macOS system must limit SSH to FIPS-compliant connections.
Apple macOS 26 (Tahoe) Security Technical Implementation Guide
V-205042
CAT II
The ALG providing encryption intermediary services must implement NIST FIPS-validated cryptography to generate cryptographic hashes.
Application Layer Gateway Security Requirements Guide
V-205043
CAT II
The ALG providing encryption intermediary services must implement NIST FIPS-validated cryptography for digital signatures.
Application Layer Gateway Security Requirements Guide
V-205044
CAT II
The ALG providing encryption intermediary services must use NIST FIPS-validated cryptography to implement encryption services.
Application Layer Gateway Security Requirements Guide
V-278955
CAT II
The ALG must use cryptographic algorithms approved by NSA to protect NSS when transporting classified traffic across an unclassified network.
Application Layer Gateway Security Requirements Guide
V-278956
CAT II
The ALG must be configured to use cryptographic algorithms approved by NSA to protect NSS for remote access to a classified network.
Application Layer Gateway Security Requirements Guide
V-278957
CAT II
The ALG must use a FIPS-validated cryptographic module to provision digital signatures.
Application Layer Gateway Security Requirements Guide
V-278958
CAT II
The ALG must use a FIPS-validated cryptographic module to implement encryption services for unclassified information requiring confidentiality.
Application Layer Gateway Security Requirements Guide
V-274783
CAT II
The API must use a FIPS-validated cryptographic module to provision digital signatures for tokens.
Application Programming Interface (API) Security Requirements Guide
V-222570
CAT II
The application must utilize FIPS-validated cryptographic modules when signing application components.
Application Security and Development Security Technical Implementation Guide
V-222571
CAT II
The application must utilize FIPS-validated cryptographic modules when generating cryptographic hashes.
Application Security and Development Security Technical Implementation Guide
V-222572
CAT II
The application must utilize FIPS-validated cryptographic modules when protecting unclassified information that requires cryptographic protection.
Application Security and Development Security Technical Implementation Guide
V-222573
CAT II
Applications making SAML assertions must use FIPS-approved random numbers in the generation of SessionIndex in the SAML element AuthnStatement.
Application Security and Development Security Technical Implementation Guide
V-265634
CAT II
The application must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
Application Security and Development Security Technical Implementation Guide
V-204831
CAT II
Application servers must use NIST-approved or NSA-approved key management technology and processes.
Application Server Security Requirements Guide
V-204832
CAT II
The application server must use DOD- or CNSS-approved PKI Class 3 or Class 4 certificates.
Application Server Security Requirements Guide
V-240925
CAT II
The application server must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
Application Server Security Requirements Guide
V-237338
CAT I
The ArcGIS Server SSL settings must use NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
ArcGIS for Server 10.3 Security Technical Implementation Guide
V-272436
CAT II
A BIND 9.x server must implement NIST FIPS-validated cryptography for provisioning digital signatures and generating cryptographic hashes.
BIND 9.x Security Technical Implementation Guide
V-237414
CAT II
The CA API Gateway providing encryption intermediary services must implement NIST FIPS-validated cryptography to generate cryptographic hashes.
CA API Gateway ALG Security Technical Implementation Guide
V-237415
CAT II
The CA API Gateway providing encryption intermediary services must implement NIST FIPS-validated cryptography for digital signatures.
CA API Gateway ALG Security Technical Implementation Guide
V-237416
CAT II
The CA API Gateway providing encryption intermediary services must use NIST FIPS-validated cryptography to implement encryption services.
CA API Gateway ALG Security Technical Implementation Guide
V-251656
CAT II
CA IDMS must implement NIST FIPS 140-2 validated cryptographic modules to protect data-in-transit.
CA IDMS Security Technical Implementation Guide
V-219151
CAT I
The Ubuntu operating system must implement NIST FIPS-validated cryptography to protect classified information and for the following: to provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
Canonical Ubuntu 18.04 LTS Security Technical Implementation Guide
V-238363
CAT I
The Ubuntu operating system must implement NIST FIPS-validated cryptography to protect classified information and for the following: To provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide
V-260650
CAT I
Ubuntu 22.04 LTS must implement NIST FIPS-validated cryptography to protect classified information and for the following: To provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide
V-270744
CAT I
Ubuntu 24.04 LTS must implement NIST FIPS-validated cryptography to protect classified information and for the following: To provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide
V-206510
CAT I
The Central Log Server must implement NIST FIPS-validated cryptography for the following: to provision digital signatures; to generate cryptographic hashes; and/or to protect unclassified information requiring confidentiality and cryptographic protection.
Central Log Server Security Requirements Guide
V-239953
CAT II
The Cisco ASA must be configured to use NIST FIPS-validated cryptography for Internet Key Exchange (IKE) Phase 1.
Cisco ASA VPN Security Technical Implementation Guide
V-239955
CAT II
The Cisco ASA must be configured to use a FIPS-validated cryptographic module to generate cryptographic hashes.
Cisco ASA VPN Security Technical Implementation Guide
V-239956
CAT II
The Cisco ASA must be configured to use a FIPS-validated cryptographic module to implement IPsec encryption services.
Cisco ASA VPN Security Technical Implementation Guide
V-239962
CAT I
The Cisco ASA VPN gateway must use cryptographic algorithms approved by NSA to protect NSS when transporting classified traffic across an unclassified network.
Cisco ASA VPN Security Technical Implementation Guide
V-239985
CAT I
The Cisco ASA VPN remote access server must be configured to use an approved High Assurance Commercial Solution for Classified (CSfC) cryptographic algorithm for remote access to a classified network.
Cisco ASA VPN Security Technical Implementation Guide
V-234565
CAT I
Citrix Delivery Controller must implement DoD-approved encryption.
Citrix Virtual Apps and Desktop 7.x Delivery Controller Security Technical Implementation Guide
V-213197
CAT I
Delivery Controller must implement NIST FIPS-validated cryptography for the following: to provision digital signatures; to generate cryptographic hashes; and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
Citrix XenDesktop 7.x Delivery Controller Security Technical Implementation Guide
V-213208
CAT I
Citrix Receiver must implement DoD-approved encryption.
Citrix XenDesktop 7.x Receiver Security Technical Implementation Guide
V-269125
CAT I
AlmaLinux OS 9 must use the TuxCare ESU repository.
Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
V-269126
CAT I
AlmaLinux OS 9 must use the TuxCare FIPS packages and not the default encryption packages.
Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
V-269127
CAT I
AlmaLinux OS 9 must enable FIPS mode.
Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
V-283453
CAT I
AlmaLinux 9 cryptographic policy must not be overridden.
Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
V-283454
CAT I
AlmaLinux OS 9 must have the crypto-policies package installed.
Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
V-283455
CAT I
AlmaLinux OS 9 must implement a FIPS 140-3-compliant systemwide cryptographic policy.
Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
V-233211
CAT II
The container platform must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
Container Platform Security Requirements Guide
V-233271
CAT II
The container platform must use a valid FIPS 140-2 or FIPS 140-3 approved cryptographic module to generate hashes.
Container Platform Security Requirements Guide
V-233289
CAT I
The container platform must use a FIPS-validated cryptographic module to implement encryption services for unclassified information requiring confidentiality.
Container Platform Security Requirements Guide
V-233583
CAT I
PostgreSQL must implement NIST FIPS 140-2 or 140-3 validated cryptographic modules to generate and validate cryptographic hashes.
Crunchy Data PostgreSQL Security Technical Implementation Guide
V-233584
CAT I
PostgreSQL must use NSA-approved cryptography to protect classified information in accordance with the data owner’s requirements.
Crunchy Data PostgreSQL Security Technical Implementation Guide
V-233585
CAT I
PostgreSQL must implement NIST FIPS 140-2 or 140-3 validated cryptographic modules to protect unclassified information requiring confidentiality and cryptographic protection, in accordance with the data owner’s requirements.
Crunchy Data PostgreSQL Security Technical Implementation Guide
V-261928
CAT I
PostgreSQL must use NSA-approved cryptography to protect classified information in accordance with the data owner's requirements.
Crunchy Data Postgres 16 Security Technical Implementation Guide
V-261965
CAT II
PostgreSQL must implement NIST FIPS 140-2 or 140-3 validated cryptographic modules to generate and validate cryptographic hashes.
Crunchy Data Postgres 16 Security Technical Implementation Guide
V-261966
CAT II
PostgreSQL must implement NIST FIPS 140-2 or 140-3 validated cryptographic modules to protect unclassified information requiring confidentiality and cryptographic protection, in accordance with the data owners' requirements.
Crunchy Data Postgres 16 Security Technical Implementation Guide
V-206639
CAT II
The DBMS must implement NIST FIPS 140-2 or 140-3 validated cryptographic modules to provision digital signatures.
Database Security Requirements Guide
V-206640
CAT II
The DBMS must implement NIST FIPS 140-2 or 140-3 validated cryptographic modules to generate and validate cryptographic hashes.
Database Security Requirements Guide
V-206641
CAT II
The DBMS must implement NIST FIPS 140-2 or 140-3 validated cryptographic modules to protect unclassified information requiring confidentiality and cryptographic protection, in accordance with the data owners requirements.
Database Security Requirements Guide
V-233495
CAT I
The DBMS must use NSA-approved cryptography to protect classified information in accordance with the data owner's requirements.
Database Security Requirements Guide
V-235777
CAT I
FIPS mode must be enabled on all Docker Engine - Enterprise nodes.
Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide
V-235872
CAT II
Docker Enterprise data exchanged between Linux containers on different nodes must be encrypted on the overlay network.
Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide
V-205226
CAT II
The DNS server must implement NIST FIPS-validated cryptography for provisioning digital signatures, generating cryptographic hashes, and protecting unclassified information requiring confidentiality.
Domain Name System (DNS) Security Requirements Guide
V-224174
CAT I
The EDB Postgres Advanced Server must use NIST FIPS 140-2 or 140-3 validated cryptographic modules for all cryptographic operations including generation of cryptographic hashes and data protection.
EDB Postgres Advanced Server v11 on Windows Security Technical Implementation Guide
V-224239
CAT II
The EDB Postgres Advanced Server must implement NIST FIPS 140-2 or 140-3 validated cryptographic modules to provision digital signatures.
EDB Postgres Advanced Server v11 on Windows Security Technical Implementation Guide
V-213664
CAT I
The EDB Postgres Advanced Server must implement NIST FIPS 140-2 or 140-3 validated cryptographic modules to provision digital signatures.
EDB Postgres Advanced Server v9.6 Security Technical Implementation Guide
V-213665
CAT I
The EDB Postgres Advanced Server must implement NIST FIPS 140-2 or 140-3 validated cryptographic modules to generate and validate cryptographic hashes.
EDB Postgres Advanced Server v9.6 Security Technical Implementation Guide
V-213666
CAT I
The EDB Postgres Advanced Server must implement NIST FIPS 140-2 or 140-3 validated cryptographic modules to protect unclassified information requiring confidentiality and cryptographic protection, in accordance with the requirements of the data owner.
EDB Postgres Advanced Server v9.6 Security Technical Implementation Guide
V-259971
CAT II
The Enterprise Voice, Video, and Messaging Endpoint must be configured to use cryptographic algorithms approved by NSA to protect NSS when transporting classified traffic across an unclassified network.
Enterprise Voice, Video, and Messaging Endpoint Security Requirements Guide
V-260039
CAT I
The Enterprise Voice, Video, and Messaging Session Manager must implement NIST FIPS-validated cryptography for communications sessions.
Enterprise Voice, Video, and Messaging Session Management Security Requirements Guide
V-259288
CAT II
The DBMS must use NSA-approved cryptography to protect classified information in accordance with the requirements of the data owner.
EnterpriseDB Postgres Advanced Server (EPAS) Security Technical Implementation Guide
V-259325
CAT II
The EDB Postgres Advanced Server must implement NIST FIPS 140-2 or 140-3 validated cryptographic modules to provision digital signatures.
EnterpriseDB Postgres Advanced Server (EPAS) Security Technical Implementation Guide
V-259326
CAT II
The EDB Postgres Advanced Server must implement NIST FIPS 140-2 or 140-3 validated cryptographic modules to generate and validate cryptographic hashes.
EnterpriseDB Postgres Advanced Server (EPAS) Security Technical Implementation Guide
V-259327
CAT II
The EDB Postgres Advanced Server must implement NIST FIPS 140-2 or 140-3 validated cryptographic modules to protect unclassified information requiring confidentiality and cryptographic protection, in accordance with the requirements of the data owner.
EnterpriseDB Postgres Advanced Server (EPAS) Security Technical Implementation Guide
V-215798
CAT II
The BIG-IP Core implementation must be configured to implement NIST FIPS-validated cryptography to generate cryptographic hashes when providing encryption traffic to virtual servers.
F5 BIG-IP Local Traffic Manager Security Technical Implementation Guide
V-215799
CAT II
The BIG-IP Core implementation must be configured to implement NIST FIPS-validated cryptography for digital signatures when providing encrypted traffic to virtual servers.
F5 BIG-IP Local Traffic Manager Security Technical Implementation Guide
V-215800
CAT II
The BIG-IP Core implementation must be configured to use NIST FIPS-validated cryptography to implement encryption services when providing encrypted traffic to virtual servers.
F5 BIG-IP Local Traffic Manager Security Technical Implementation Guide
V-266170
CAT I
The F5 BIG-IP appliance must be configured to use cryptographic algorithms approved by NSA to protect NSS for remote access to a classified network.
F5 BIG-IP TMOS ALG Security Technical Implementation Guide
V-266286
CAT I
The F5 BIG-IP appliance IPsec VPN must use cryptographic algorithms approved by NSA to protect NSS when transporting classified traffic across an unclassified network.
F5 BIG-IP TMOS VPN Security Technical Implementation Guide
V-278405
CAT II
NGINX must be configured to use FIPS-approved algorithms to protect the confidentiality and integrity of transmitted information.
F5 NGINX Security Technical Implementation Guide
V-278407
CAT II
NGINX must be configured to use a FIPS-validated cryptographic module for confidentiality and integrity.
F5 NGINX Security Technical Implementation Guide
V-203739
CAT I
The operating system must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
General Purpose Operating System Security Requirements Guide
V-203776
CAT I
The operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
General Purpose Operating System Security Requirements Guide
V-278975
CAT II
The operating system must use a FIPS-validated cryptographic module to provision digital signatures.
General Purpose Operating System Security Requirements Guide
V-255239
CAT II
SSMC must employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions.
HPE 3PAR SSMC Operating System Security Technical Implementation Guide
V-255251
CAT I
The SSMC web server must use cryptographic modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
HPE 3PAR SSMC Web Server Security Technical Implementation Guide
V-255285
CAT II
The HPE 3PAR OS must be configured to implement NIST FIPS-validated cryptography for the following: To provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
HPE 3PAR StoreServ 3.3.x Security Technical Implementation Guide
V-266986
CAT II
AOS, when used as a VPN Gateway, must use an approved Commercial Solution for Classified (CSfC) when transporting classified traffic across an unclassified network.
HPE Aruba Networking AOS VPN Security Technical Implementation Guide
V-266639
CAT II
AOS must use cryptographic algorithms approved by the National Security Agency (NSA) to protect national security systems (NSS) when transporting classified traffic across an unclassified network.
HPE Aruba Networking AOS Wireless Security Technical Implementation Guide
V-274315
CAT I
All mobile Honeywell cryptography must be configured to be in FIPS 140-3 validated mode.
Honeywell Android 13 COBO Security Technical Implementation Guide
V-274411
CAT I
All mobile Honeywell cryptography must be configured to be in FIPS 140-3 validated mode.
Honeywell Android 13 COPE Security Technical Implementation Guide
V-215216
CAT II
AIX must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
IBM AIX 7.x Security Technical Implementation Guide
V-252570
CAT I
The IBM Aspera Console must be configured to use NIST FIPS-validated cryptography to protect the integrity of file transfers.
IBM Aspera Platform 4.2 Security Technical Implementation Guide
V-252590
CAT I
IBM Aspera Faspex must be configured to use NIST FIPS-validated cryptography to protect the integrity of file transfers.
IBM Aspera Platform 4.2 Security Technical Implementation Guide
V-252607
CAT I
IBM Aspera Shares feature must be configured to use NIST FIPS-validated cryptography to protect the integrity of file transfers.
IBM Aspera Platform 4.2 Security Technical Implementation Guide
V-252616
CAT I
The IBM Aspera High-Speed Transfer Endpoint must be configured to use NIST FIPS-validated cryptography to protect the integrity of remote access sessions.
IBM Aspera Platform 4.2 Security Technical Implementation Guide
V-252619
CAT II
The IBM Aspera High-Speed Transfer Endpoint must have a master-key set to encrypt the dynamic token encryption key.
IBM Aspera Platform 4.2 Security Technical Implementation Guide
V-252630
CAT I
The IBM Aspera High-Speed Transfer Server must be configured to use NIST FIPS-validated cryptography to protect the integrity of remote access sessions.
IBM Aspera Platform 4.2 Security Technical Implementation Guide
V-252635
CAT II
The IBM Aspera High-Speed Transfer Server must have a master-key set to encrypt the dynamic token encryption key.
IBM Aspera Platform 4.2 Security Technical Implementation Guide
V-253507
CAT I
DB2 must use NSA-approved cryptography to protect classified information in accordance with the data owners requirements.
IBM DB2 V10.5 LUW Security Technical Implementation Guide
V-65309
CAT II
The DataPower Gateway providing encryption intermediary services must implement NIST FIPS-validated cryptography to generate cryptographic hashes.
IBM DataPower ALG Security Technical Implementation Guide
V-65311
CAT II
The DataPower Gateway providing encryption intermediary services must implement NIST FIPS-validated cryptography for digital signatures.
IBM DataPower ALG Security Technical Implementation Guide
V-65313
CAT II
The DataPower Gateway providing encryption intermediary services must use NIST FIPS-validated cryptography to implement encryption services.
IBM DataPower ALG Security Technical Implementation Guide
V-255780
CAT II
The MQ Appliance messaging server must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
IBM MQ Appliance V9.0 AS Security Technical Implementation Guide
V-255793
CAT II
The MQ Appliance messaging server must use DoD- or CNSS-approved PKI Class 3 or Class 4 certificates.
IBM MQ Appliance V9.0 AS Security Technical Implementation Guide
V-255808
CAT II
MQ Appliance messaging servers must use NIST-approved or NSA-approved key management technology and processes.
IBM MQ Appliance V9.0 AS Security Technical Implementation Guide
V-250338
CAT II
The WebSphere Liberty Server must use DoD-issued/signed certificates.
IBM WebSphere Liberty Server Security Technical Implementation Guide
V-250339
CAT I
The WebSphere Liberty Server must use FIPS 140-2 approved encryption modules when authenticating users and processes.
IBM WebSphere Liberty Server Security Technical Implementation Guide
V-283668
CAT I
The WebSphere Liberty Server must use FIPS 140-3-approved encryption modules when authenticating users and processes.
IBM WebSphere Liberty Server Security Technical Implementation Guide
V-255875
CAT II
The WebSphere Application Server must utilize FIPS 140-2-approved encryption modules when authenticating users and processes.
IBM WebSphere Traditional V9.x Security Technical Implementation Guide
V-255877
CAT II
The WebSphere Application Server must use DoD-approved Signer Certificates.
IBM WebSphere Traditional V9.x Security Technical Implementation Guide
V-283677
CAT II
The WebSphere Application Server must use FIPS 140-3-approved encryption modules when authenticating users and processes.
IBM WebSphere Traditional V9.x Security Technical Implementation Guide
V-223569
CAT I
The IBM z/OS systems requiring data at rest protection must properly employ IBM DS8880 or equivalent hardware solutions for full disk encryption.
IBM z/OS ACF2 Security Technical Implementation Guide
V-223610
CAT II
IBM z/OS SSL encryption options for the TN3270 Telnet Server must be specified properly for each statement that defines a SECUREPORT or within the TELNETGLOBALS.
IBM z/OS ACF2 Security Technical Implementation Guide
V-223831
CAT II
IBM z/OS SSL encryption options for the TN3270 Telnet Server must be specified properly for each statement that defines a SECUREPORT or within the TELNETGLOBALS.
IBM z/OS RACF Security Technical Implementation Guide
V-224067
CAT II
IBM z/OS SSL encryption options for the TN3270 Telnet server must be specified properly for each statement that defines a SECUREPORT or within the TELNETGLOBALS.
IBM z/OS TSS Security Technical Implementation Guide
V-237945
CAT II
The IBM z/VM TCP/IP SECUREDATA option for FTP must be set to REQUIRED.
IBM zVM Using CA VM:Secure Security Technical Implementation Guide
V-237947
CAT II
All IBM z/VM TCP/IP servers must be configured for SSL/TLS connection.
IBM zVM Using CA VM:Secure Security Technical Implementation Guide
V-224778
CAT II
The ISEC7 SPHERE must use a FIPS-validated cryptographic module to provision digital signatures.
ISEC7 Sphere Security Technical Implementation Guide
V-224779
CAT II
The ISEC7 SPHERE must use a FIPS 140-2-validated cryptographic module to implement encryption services for unclassified information requiring confidentiality, generate cryptographic hashes, and to configure web management tools with FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to protect the confidentiality of maintenance and diagnostic communications for nonlocal maintenance sessions.
ISEC7 Sphere Security Technical Implementation Guide
V-214201
CAT I
The DNS server must implement NIST FIPS-validated cryptography for provisioning digital signatures, generating cryptographic hashes, and protecting unclassified information requiring confidentiality.
Infoblox 7.x DNS Security Technical Implementation Guide
V-233906
CAT I
The Infoblox DNS service member must implement NIST FIPS-validated cryptography for provisioning digital signatures, generating cryptographic hashes, and protecting unclassified information requiring confidentiality.
Infoblox 8.x DNS Security Technical Implementation Guide
V-258595
CAT II
The ICS must be configured to use an approved Commercial Solution for Classified (CSfC) when transporting classified traffic across an unclassified network.
Ivanti Connect Secure VPN Security Technical Implementation Guide
V-251420
CAT I
The Ivanti EPMM server must use a FIPS-validated cryptographic module to generate cryptographic hashes.
Ivanti EPMM Server Security Technical Implementation Guide
V-251423
CAT I
The Ivanti EPMM server must be configured to implement FIPS 140-2 mode for all server and agent encryption.
Ivanti EPMM Server Security Technical Implementation Guide
V-251420
CAT I
The Ivanti MobileIron Core server must use a FIPS-validated cryptographic module to generate cryptographic hashes.
Ivanti MobileIron Core MDM Server Security Technical Implementation Guide
V-251423
CAT I
The Ivanti MobileIron Core server must be configured to implement FIPS 140-2 mode for all server and agent encryption.
Ivanti MobileIron Core MDM Server Security Technical Implementation Guide
V-251036
CAT II
The Sentry providing encryption intermediary services must implement NIST FIPS-validated cryptography to generate cryptographic hashes.
Ivanti MobileIron Sentry 9.x ALG Security Technical Implementation Guide
V-251037
CAT II
The Sentry providing encryption intermediary services must implement NIST FIPS-validated cryptography for digital signatures.
Ivanti MobileIron Sentry 9.x ALG Security Technical Implementation Guide
V-251038
CAT II
The Sentry providing encryption intermediary services must use NIST FIPS-validated cryptography to implement encryption services.
Ivanti MobileIron Sentry 9.x ALG Security Technical Implementation Guide
V-251036
CAT II
The Sentry providing encryption intermediary services must implement NIST FIPS-validated cryptography to generate cryptographic hashes.
Ivanti Sentry 9.x ALG Security Technical Implementation Guide
V-251037
CAT II
The Sentry providing encryption intermediary services must implement NIST FIPS-validated cryptography for digital signatures.
Ivanti Sentry 9.x ALG Security Technical Implementation Guide
V-251038
CAT II
The Sentry providing encryption intermediary services must use NIST FIPS-validated cryptography to implement encryption services.
Ivanti Sentry 9.x ALG Security Technical Implementation Guide
V-213558
CAT II
The JBoss server must be configured to use DoD- or CNSS-approved PKI Class 3 or Class 4 certificates.
JBoss Enterprise Application Platform 6.3 Security Technical Implementation Guide
V-241790
CAT II
When the Jamf Pro EMM server cannot establish a connection to determine the validity of a certificate, the server must not have the option to accept the certificate.
Jamf Pro v10.x EMM Security Technical Implementation Guide
V-66625
CAT I
The Juniper SRX Services Gateway VPN Internet Key Exchange (IKE) must use cryptography that is compliant with Suite B parameters when transporting classified traffic across an unclassified network.
Juniper SRX SG VPN Security Technical Implementation Guide
V-66671
CAT II
The Juniper SRX Services Gateway VPN IKE must use NIST FIPS-validated cryptography to implement encryption services for unclassified VPN traffic.
Juniper SRX SG VPN Security Technical Implementation Guide
V-214690
CAT I
The Juniper SRX Services Gateway VPN Internet Key Exchange (IKE) must be configured to use an approved Commercial Solution for Classified (CSfC) when transporting classified traffic across an unclassified network.
Juniper SRX Services Gateway VPN Security Technical Implementation Guide
V-214691
CAT II
The Juniper SRX Services Gateway VPN IKE must use NIST FIPS-validated cryptography to implement encryption services for unclassified VPN traffic.
Juniper SRX Services Gateway VPN Security Technical Implementation Guide
V-213862
CAT I
SQL Server must use NIST FIPS 140-2 or 140-3 validated cryptographic modules for cryptographic operations.
MS SQL Server 2014 Instance Security Technical Implementation Guide
V-251040
CAT I
SQL Server must use NSA-approved cryptography to protect classified information in accordance with the data owner's requirements.
MS SQL Server 2016 Database Security Technical Implementation Guide
V-205619
CAT II
The Mainframe Product must implement NIST FIPS-validated cryptography to provision digital signatures in accordance with applicable federal laws, Executive orders, directives, policies, regulations, and standards.
Mainframe Product Security Requirements Guide
V-205620
CAT II
The Mainframe Product must implement NIST FIPS-validated cryptography to generate and validate cryptographic hashes in accordance with applicable federal laws, Executive orders, directives, policies, regulations, and standards.
Mainframe Product Security Requirements Guide
V-205621
CAT II
The Mainframe Product must implement NIST FIPS-validated cryptography to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive orders, directives, policies, regulations, and standards.
Mainframe Product Security Requirements Guide
V-253508
CAT II
The Mainframe Product must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive orders, directives, policies, regulations, and standards.
Mainframe Product Security Requirements Guide
V-253737
CAT I
MariaDB must use NSA-approved cryptography to protect classified information in accordance with the data owner's requirements.
MariaDB Enterprise 10.x Security Technical Implementation Guide
V-220368
CAT I
MarkLogic Server must use NIST FIPS 140-2 or 140-3 validated cryptographic modules for cryptographic operations and protect classified information in accordance with the requirements of the data owner.
MarkLogic Server v9 Security Technical Implementation Guide
V-220414
CAT II
MarkLogic Server must implement NIST FIPS 140-2 or 140-3 validated cryptographic modules to provision digital signatures.
MarkLogic Server v9 Security Technical Implementation Guide
V-220415
CAT II
MarkLogic Server must implement NIST FIPS 140-2 or 140-3 validated cryptographic modules to generate and validate cryptographic hashes.
MarkLogic Server v9 Security Technical Implementation Guide
V-220416
CAT II
MarkLogic Server must implement NIST FIPS 140-2 or 140-3 validated cryptographic modules to protect unclassified information requiring confidentiality and cryptographic protection, in accordance with the requirements of the data owner.
MarkLogic Server v9 Security Technical Implementation Guide
V-255320
CAT I
Azure SQL Database must use NSA-approved cryptography to protect classified information in accordance with the data owner's requirements.
Microsoft Azure SQL Database Security Technical Implementation Guide
V-276236
CAT I
Azure SQL Managed Instance must use NSA-approved cryptography to protect classified information in accordance with the data owners' requirements.
Microsoft Azure SQL Managed Instance Security Technical Implementation Guide
V-225230
CAT II
The .NET CLR must be configured to use FIPS approved encryption modules.
Microsoft DotNet Framework 4.0 Security Technical Implementation Guide
V-250540
CAT II
Turn off Encryption Support must be enabled.
Microsoft Internet Explorer 11 Security Technical Implementation Guide
V-250541
CAT II
Allow Fallback to SSL 3.0 (Internet Explorer) must be disabled.
Microsoft Internet Explorer 11 Security Technical Implementation Guide
V-223356
CAT II
The minimum encryption key length in Outlook must be at least 168.
Microsoft Office 365 ProPlus Security Technical Implementation Guide
V-228474
CAT II
Outlook minimum encryption key length settings must be set.
Microsoft Outlook 2016 Security Technical Implementation Guide
V-271199
CAT I
SQL Server must use NSA-approved cryptography to protect classified information in accordance with the data owner’s requirements.
Microsoft SQL Server 2022 Database Security Technical Implementation Guide
V-271314
CAT I
SQL Server must use NIST FIPS 140-2 or 140-3 validated cryptographic operations for encryption, hashing, and signing.
Microsoft SQL Server 2022 Instance Security Technical Implementation Guide
V-220942
CAT II
The system must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing.
Microsoft Windows 10 Security Technical Implementation Guide
V-253466
CAT II
The system must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing.
Microsoft Windows 11 Security Technical Implementation Guide
V-215609
CAT II
The salt value for zones signed using NSEC3 RRs must be changed every time the zone is completely re-signed.
Microsoft Windows 2012 Server Domain Name System Security Technical Implementation Guide
V-215637
CAT II
The Windows 2012 DNS Server must implement NIST FIPS-validated cryptography for provisioning digital signatures, generating cryptographic hashes, and protecting unclassified information requiring confidentiality.
Microsoft Windows 2012 Server Domain Name System Security Technical Implementation Guide
V-224977
CAT II
Separate, NSA-approved (Type 1) cryptography must be used to protect the directory data in transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data.
Microsoft Windows Server 2016 Security Technical Implementation Guide
V-225059
CAT II
Windows Server 2016 must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing.
Microsoft Windows Server 2016 Security Technical Implementation Guide
V-205818
CAT II
Windows Server 2019 must use separate, NSA-approved (Type 1) cryptography to protect the directory data in transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data.
Microsoft Windows Server 2019 Security Technical Implementation Guide
V-205842
CAT II
Windows Server 2019 must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing.
Microsoft Windows Server 2019 Security Technical Implementation Guide
V-254398
CAT II
Windows Server 2022 must use separate, NSA-approved (Type 1) cryptography to protect the directory data in transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data.
Microsoft Windows Server 2022 Security Technical Implementation Guide
V-254480
CAT II
Windows Server 2022 must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing.
Microsoft Windows Server 2022 Security Technical Implementation Guide
V-278145
CAT II
Windows Server 2025 must use separate, NSA-approved (Type 1) cryptography to protect the directory data in transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data.
Microsoft Windows Server 2025 Security Technical Implementation Guide
V-278230
CAT II
Windows Server 2025 must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing.
Microsoft Windows Server 2025 Security Technical Implementation Guide
V-259400
CAT II
The Windows DNS Server must implement NIST FIPS-validated cryptography for provisioning digital signatures, generating cryptographic hashes, and protecting unclassified information requiring confidentiality.
Microsoft Windows Server Domain Name System (DNS) Security Technical Implementation Guide
V-260908
CAT I
FIPS mode must be enabled.
Mirantis Kubernetes Engine Security Technical Implementation Guide
V-260911
CAT II
Swarm Secrets or Kubernetes Secrets must be used.
Mirantis Kubernetes Engine Security Technical Implementation Guide
V-221174
CAT I
MongoDB must use NIST FIPS 140-2-validated cryptographic modules for cryptographic operations.
MongoDB Enterprise Advanced 3.x Security Technical Implementation Guide
V-252146
CAT I
MongoDB must use NIST FIPS 140-2 or 140-3 validated cryptographic modules for cryptographic operations.
MongoDB Enterprise Advanced 4.x Security Technical Implementation Guide
V-265922
CAT I
MongoDB must use NIST FIPS 140-2 or 140-3 validated cryptographic modules for cryptographic operations.
MongoDB Enterprise Advanced 7.x Security Technical Implementation Guide
V-265945
CAT I
MongoDB must use NSA-approved cryptography to protect classified information in accordance with the data owner's requirements.
MongoDB Enterprise Advanced 7.x Security Technical Implementation Guide
V-279353
CAT I
MongoDB must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
MongoDB Enterprise Advanced 8.x Security Technical Implementation Guide
V-279385
CAT I
MongoDB must use NSA-approved cryptography to protect classified information in accordance with the data owner's requirements.
MongoDB Enterprise Advanced 8.x Security Technical Implementation Guide
V-254114
CAT I
Nutanix AOS must use DoD- or CNSS-approved PKI Class 3 or Class 4 certificates.
Nutanix AOS 5.20.x Application Security Technical Implementation Guide
V-254224
CAT I
Nutanix AOS must enable FIPS mode to implement NIST FIPS-validated cryptography.
Nutanix AOS 5.20.x OS Security Technical Implementation Guide
V-279445
CAT II
Nutanix AOS must be configured to use DOD PKI-issued certificates.
Nutanix Acropolis Application Server Security Technical Implementation Guide
V-279535
CAT I
Nutanix OS must implement cryptography to protect the integrity of remote access session by setting the systemwide policy to use FIPS mode.
Nutanix Acropolis GPOS Security Technical Implementation Guide
V-270571
CAT I
Oracle Database must implement NIST FIPS 140-2/140-3 validated cryptographic modules to protect unclassified information requiring confidentiality and cryptographic protection, in accordance with the data owner's requirements.
Oracle Database 19c Security Technical Implementation Guide
V-252546
CAT I
OHS must have the SSLFIPS directive enabled to implement required cryptographic protections using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting data that must be compartmentalized.
Oracle HTTP Server 12.1.3 Security Technical Implementation Guide
V-221758
CAT I
The Oracle Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
Oracle Linux 7 Security Technical Implementation Guide