
V-283387

CAT I (High)

The HPE Alletra Storage ArcusOS device must use FIPS 140-approved algorithms for authentication to a cryptographic module.

Rule ID

SV-283387r1194855_rule

STIG

HPE Alletra Storage ArcusOS Network Device Management Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-000803, CCI-000197, CCI-001188, CCI-002890, CCI-003123

Discussion

Passwords must be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Network devices can accomplish this by making direct function calls to encryption modules or by leveraging operating system encryption capabilities.

Unapproved mechanisms used for authentication to the cryptographic module are not validated and therefore cannot be relied upon to provide confidentiality or integrity, and DOD data may be compromised. Network devices using encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules.

FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules use authentication that meets DOD requirements. However, security processes must be configured to use only FIPS-approved and NIST-recommended authentication algorithms.

Use secure protocols instead of their unsecured counterparts, such as SSH instead of telnet, SCP instead of FTP, and HTTPS instead of HTTP. If unsecured protocols (lacking cryptographic mechanisms) are used for sessions, the contents of those sessions will be susceptible to eavesdropping, potentially putting sensitive data (including administrator passwords) at risk of compromise and potentially allowing hijacking of maintenance sessions.

Satisfies: SRG-APP-000179-NDM-000265, SRG-APP-000172-NDM-000259, SRG-APP-000224-NDM-000270, SRG-APP-000411-NDM-000330, SRG-APP-000412-NDM-000331

Check Content

Verify the status of the FIPS communication library with the following command:

cli% controlsecurity fips status

FIPS mode: Enabled
Service                      Status
AUTHN                        Enabled
CIM                          Disabled
CLI                          Enabled
EKM                          Enabled
LDAP                         Enabled
QW                           Enabled
RDA                          Enabled
SC CONNECTOR                 Disabled
SNMP                         Enabled
SSH                          Enabled
SYSLOG                       Enabled
VASA                         Enabled
WSAPI                        Enabled

If the line "FIPS mode:" is not "Enabled", this is a finding.

If any of the service lines for "CLI", "EKM", "LDAP", "SNMP", "SSH", or "SYSLOG" are "Disabled", this is a finding.

If the status line for "CIM", "VASA", or "WSAPI" is "Disabled" and that service is enabled, this is a finding.
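
The three finding conditions above can be evaluated mechanically over saved output of the status command. The following Python is an added example, not part of the STIG or of HPE tooling; the function names and the services_in_use parameter (the CIM/VASA/WSAPI services the assessor knows to be enabled on the array) are assumptions, and a missing service line is reported as a finding by choice.

```python
import re

REQUIRED = ("CLI", "EKM", "LDAP", "SNMP", "SSH", "SYSLOG")  # always checked
CONDITIONAL = ("CIM", "VASA", "WSAPI")  # checked only when the service is in use

# Constructed sample input, copied from the status output in the check text.
SAMPLE = """FIPS mode: Enabled
Service                      Status
AUTHN                        Enabled
CIM                          Disabled
CLI                          Enabled
EKM                          Enabled
LDAP                         Enabled
QW                           Enabled
RDA                          Enabled
SC CONNECTOR                 Disabled
SNMP                         Enabled
SSH                          Enabled
SYSLOG                       Enabled
VASA                         Enabled
WSAPI                        Enabled
"""

def parse_fips_status(text):
    """Return (fips_mode, {service: status}) parsed from the command output."""
    mode, services = None, {}
    for line in text.splitlines():
        m = re.match(r"\s*FIPS mode:\s*(\S+)", line, re.IGNORECASE)
        if m:
            mode = m.group(1)
            continue
        # Names may contain spaces ("SC CONNECTOR"); the status is the last token.
        m = re.match(r"\s*(.+?)\s+(Enabled|Disabled)\s*$", line)
        if m:
            services[m.group(1).upper()] = m.group(2)
    return mode, services

def evaluate(text, services_in_use=()):
    """Apply the three finding conditions; an empty list means no finding."""
    mode, services = parse_fips_status(text)
    findings = []
    if mode != "Enabled":
        findings.append(f"FIPS mode is {mode}, not Enabled")
    # Assumption: the assessor supplies which CIM/VASA/WSAPI services are enabled.
    in_use = {s.upper() for s in services_in_use}
    for name in REQUIRED + tuple(n for n in CONDITIONAL if n in in_use):
        if services.get(name) != "Enabled":  # a missing line is reported too
            findings.append(f"{name}: FIPS is {services.get(name, 'not listed')}")
    return findings
```

With the sample output, evaluate(SAMPLE) reports nothing, while evaluate(SAMPLE, services_in_use={"CIM"}) reports CIM because its FIPS status is Disabled.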

Fix Text

Warning: Enabling FIPS mode requires restarting all system management interfaces, which will terminate all existing connections including this one.

Set the communications encryption module into FIPS mode:

cli% controlsecurity fips enable