Title: The DBMS must implement required cryptographic protections using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
Vulnerability ID: V-32498
IA Controls: None
Description: Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data.
Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data.
Use of cryptography to provide confidentiality and non-repudiation is not effective unless strong methods are employed with its use. Many earlier encryption methods and modules have been broken and/or overtaken by increasing computing power. The NIST FIPS 140-2 cryptographic standards provide proven methods and strengths to employ cryptography effectively.
Detailed information on the NIST Cryptographic Module Validation Program (CMVP) is available at the following web site: http://csrc.nist.gov/groups/STM/cmvp/index.html.
Check Text: If the DBMS has not implemented federally required cryptographic protections for the level of classification of the data it contains, this is a finding.
Fix Text: Implement required cryptographic protections using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.[divider]