The HPE 3PAR OS must be configured to implement NIST FIPS-validated cryptography for the following: To provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-255285	SRG-OS-000396-GPOS-00176	HP3P-33-002069	SV-255285r987791_rule	2024-08-27	2

Description
Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government, since this provides assurance they have been tested and validated. The HPE 3PAR OS can be configured to use FIPS validated cryptographic methods for communications secrecy. It also has an encryption license feature that controls the handling of Self-Encrypting backend drives, which requires an authorized service provider for install and activation. Satisfies: SRG-OS-000396-GPOS-00176, SRG-OS-000478-GPOS-00223

Description

Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government, since this provides assurance they have been tested and validated. The HPE 3PAR OS can be configured to use FIPS validated cryptographic methods for communications secrecy. It also has an encryption license feature that controls the handling of Self-Encrypting backend drives, which requires an authorized service provider for install and activation. Satisfies: SRG-OS-000396-GPOS-00176, SRG-OS-000478-GPOS-00223

ℹ️ Check
Verify the status of the FIPS communication library: cli% controlsecurity fips status If the line "FIPS Mode:" is not "Enabled", this is a finding. If any of the service lines for CLI, EKM, LDAP, SNMP, SSH, or SYSLOG are Disabled, this is a finding. If CIM, VASA, or WSAPI are "Disabled", and the mission requires any of these services, this is a finding. Review the requirements by the Information Owner to determine if the system will store sensitive or classified information. If the mission does not store sensitive, or classified information, the remainder of the check is not applicable. If the mission stores classified data, check the status of backend drive encryption: cli% controlencryption status If Licensed, Enabled, or BackupSaved are "no", or the keystore is not EKM, this is a finding.

ℹ️ Check

Verify the status of the FIPS communication library: cli% controlsecurity fips status If the line "FIPS Mode:" is not "Enabled", this is a finding. If any of the service lines for CLI, EKM, LDAP, SNMP, SSH, or SYSLOG are Disabled, this is a finding. If CIM, VASA, or WSAPI are "Disabled", and the mission requires any of these services, this is a finding. Review the requirements by the Information Owner to determine if the system will store sensitive or classified information. If the mission does not store sensitive, or classified information, the remainder of the check is not applicable. If the mission stores classified data, check the status of backend drive encryption: cli% controlencryption status If Licensed, Enabled, or BackupSaved are "no", or the keystore is not EKM, this is a finding.

✔️ Fix
Set the communications encryption module into fips mode: cli% controlsecurity fips enable If the mission stores classified information, contact an authorized service provider to install and configure the licensed encryption feature.