V-273808

CAT I (High)

The RUCKUS ICX device must use FIPS 140-2/140-3 approved algorithms for authentication to a cryptographic module.

Rule ID

SV-273808r1111022_rule

STIG

RUCKUS ICX NDM Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-000803, CCI-001941, CCI-000197, CCI-002890, CCI-003123, CCI-004192

Discussion

Unapproved mechanisms used for authentication to the cryptographic module are not validated and therefore cannot be relied upon to provide confidentiality or integrity, and DOD data may be compromised. Network devices utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. FIPS 140-2/140-3 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DOD requirements. However, security processes must be configured to use only FIPS-approved and NIST-recommended authentication algorithms.

Satisfies: SRG-APP-000179-NDM-000265, SRG-APP-000156-NDM-000250, SRG-APP-000172-NDM-000259, SRG-APP-000411-NDM-000330, SRG-APP-000412-NDM-000331, SRG-APP-000880-NDM-000290

Check Content

Verify the FIPS module has been enabled.

Router#fips show
Cryptographic Module Version: FI-IP-CRYPTO
FIPS mode: Administrative status ON: Operational status ON
Common-Criteria: Administrative status ON: Operational status ON

System Specific:
OS monitor access status is: Disabled

Management Protocol Specific:
Telnet server: Disabled
Telnet client: Disabled
TFTP client: Disabled
SNMP Access to security objects: Disabled

Critical security Parameter updates across FIPS boundary:
Protocol Shared secret and host passwords: Clear
Password Display: Disabled

Certificate Specific:
HTTPS RSA Host Keys and Signature: Clear
SSH DSA Host keys: Clear
SSH RSA Host keys: Clear
CC Enable AAA Server Any: Retain

If the fips show command does not output "FIPS mode: Administrative status ON: Operational status ON", this is a finding.
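
The finding condition above can be applied to captured `fips show` output with a short script. This is an added example, not part of the STIG or of RUCKUS documentation; the function names, the tolerance for extra whitespace and letter case, and the second sample are assumptions made for illustration.

```python
import re

# Matches status lines of the form
# "FIPS mode: Administrative status ON: Operational status ON".
STATUS_RE = re.compile(
    r"^\s*(?P<name>[^:\n]+?)\s*:\s*Administrative status\s+(?P<admin>\w+)\s*:"
    r"\s*Operational status\s+(?P<oper>\w+)\s*$",
    re.MULTILINE,
)

def parse_status_lines(output):
    """Return {feature: (administrative, operational)} from `fips show` text."""
    return {
        m["name"]: (m["admin"].upper(), m["oper"].upper())
        for m in STATUS_RE.finditer(output)
    }

def check_v273808(output):
    """Return (is_finding, reason) for captured `fips show` output."""
    status = parse_status_lines(output).get("FIPS mode")
    if status is None:
        return True, "no 'FIPS mode' status line in output"
    admin, oper = status
    if (admin, oper) != ("ON", "ON"):
        return True, f"FIPS mode administrative={admin}, operational={oper}"
    return False, "FIPS mode administrative and operational status are ON"

# Status lines as shown in the Check Content above.
COMPLIANT = """\
Cryptographic Module Version: FI-IP-CRYPTO
FIPS mode: Administrative status ON: Operational status ON
Common-Criteria: Administrative status ON: Operational status ON
"""

# Constructed sample (not device output): operational status is not ON.
PENDING = COMPLIANT.replace(
    "FIPS mode: Administrative status ON: Operational status ON",
    "FIPS mode: Administrative status ON: Operational status OFF",
)

if __name__ == "__main__":
    for label, text in (("compliant", COMPLIANT), ("pending", PENDING), ("empty", "")):
        print(label, check_v273808(text))
```

Empty or truncated captures are reported as findings because the required status line is absent, which matches the wording of the check.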

Fix Text

Configure the network device to use FIPS 140-2/140-3 approved algorithms for authentication to a cryptographic module.

Use a console session directly attached to the ICX switch to log in:

device# configure terminal
device(config)# fips enable common-criteria
device# fips zeroize all
device# write memory
device# reload