Identification and Authentication, Security Compliance and Regulatory Requirements
LOW, MOD, HIGH
P1
Yes
August 17, 2016
All cryptographic modules shall use FIPS 140-2 approved algorithms and authenticate to a trusted authority where public key infrastructure is employed.
Laws and regulations are inadvertently violated due to illegal use of cryptographic controls.
The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
Encryption mechanisms used on information systems that must comply with federal standards use FIPS 140-2 approved algorithms.
Encryption used by the state organization meets the requirements of applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
Obtain the identification and authentication policy; FIPS 140-2 (as amended); procedures addressing cryptographic module authentication; information system design documentation; information system configuration settings and associated documentation; and other relevant documents or records. Ascertain whether the information system employs authentication methods that meet the requirements of applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module (for non-national security systems, the cryptographic requirements are defined by FIPS 140-2, as amended).