Rule ID
SV-237416r831436_rule
Version
V1R3
CCIs
CCI-002450
Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The network element must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. This requirement applies only to ALGs that provide encryption intermediary services (e.g., HTTPS, TLS, or DNSSEC). Encryption operations are performed in the following assertions: "Encrypt XML Element" and "Encrypt Element". Any of the listed encryption methods (AES 128 CBC, AES 192 CBC, AES 128 GCM, AES 256 GCM, Triple DES) included with the Assertions are NIST-FIPS validated. The FIPS-140-2 Certified RSA BSAFE Crypto-J Module is used for encryption operations. All CA API Gateway references to Triple-DES directly imply three-key and NOT two-key.
Open the CA API Gateway - Policy Manager. Double-click each of the Registered Services that requires NIST-FIPS validated encryption services. Verify that the "Encrypt XML Element" or "Encrypt Element" Assertion has/have been added to the policy in accordance with organizational requirements. If the Assertion(s) is/are not present, this is a finding.
Open the CA API Gateway - Policy Manager. Double-click each of the Registered Services that require NIST-FIPS validated encryption services. Add the "Encrypt XML Element" and/or "Encrypt Element" to the policy and configure in accordance with organizational requirements.