The vCenter Server must enable FIPS-validated cryptography.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
high	V-258917	SRG-APP-000172	VCSA-80-000077	SV-258917r961029_rule	2024-12-16	2

Description
FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules use authentication that meets DOD requirements. In vSphere 6.7 and later, ESXi and vCenter Server use FIPS-validated cryptography to protect management interfaces and the VMware Certificate Authority (VMCA). vSphere 7.0 Update 2 and later adds additional FIPS-validated cryptography to vCenter Server Appliance. By default, this FIPS validation option is disabled and must be enabled. Satisfies: SRG-APP-000172, SRG-APP-000179, SRG-APP-000224, SRG-APP-000231, SRG-APP-000412, SRG-APP-000514, SRG-APP-000555, SRG-APP-000600, SRG-APP-000610, SRG-APP-000620, SRG-APP-000630, SRG-APP-000635

Description

FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules use authentication that meets DOD requirements. In vSphere 6.7 and later, ESXi and vCenter Server use FIPS-validated cryptography to protect management interfaces and the VMware Certificate Authority (VMCA). vSphere 7.0 Update 2 and later adds additional FIPS-validated cryptography to vCenter Server Appliance. By default, this FIPS validation option is disabled and must be enabled. Satisfies: SRG-APP-000172, SRG-APP-000179, SRG-APP-000224, SRG-APP-000231, SRG-APP-000412, SRG-APP-000514, SRG-APP-000555, SRG-APP-000600, SRG-APP-000610, SRG-APP-000620, SRG-APP-000630, SRG-APP-000635

ℹ️ Check
From the vSphere Web Client, go to Developer Center >> API Explorer. From the "Select API" drop-down menu, select appliance. Expand system/security/global_fips >> GET. Click "Execute" and then "Copy Response" to view the results. Example response: { "enabled": true } or From a PowerCLI command prompt while connected to the vCenter server, run the following command: Invoke-GetSystemGlobalFips If global FIPS mode is not enabled, this is a finding.

ℹ️ Check

From the vSphere Web Client, go to Developer Center >> API Explorer. From the "Select API" drop-down menu, select appliance. Expand system/security/global_fips >> GET. Click "Execute" and then "Copy Response" to view the results. Example response: { "enabled": true } or From a PowerCLI command prompt while connected to the vCenter server, run the following command: Invoke-GetSystemGlobalFips If global FIPS mode is not enabled, this is a finding.

✔️ Fix
From the vSphere Web Client go to Developer Center >> API Explorer. From the "Select API" drop-down menu, select appliance. Expand system/security/global_fips >> PUT. In the response body under "Try it out" paste the following: { "enabled": true } Click "Execute". or From a PowerCLI command prompt while connected to the vCenter server, run the following command: $spec = Initialize-SystemSecurityGlobalFipsUpdateSpec -Enabled $true; Invoke-SetSystemGlobalFips -SystemSecurityGlobalFipsUpdateSpec $spec Note: The vCenter server reboots after FIPS is enabled or disabled.

✔️ Fix

From the vSphere Web Client go to Developer Center >> API Explorer. From the "Select API" drop-down menu, select appliance. Expand system/security/global_fips >> PUT. In the response body under "Try it out" paste the following: { "enabled": true } Click "Execute". or From a PowerCLI command prompt while connected to the vCenter server, run the following command: $spec = Initialize-SystemSecurityGlobalFipsUpdateSpec -Enabled $true; Invoke-SetSystemGlobalFips -SystemSecurityGlobalFipsUpdateSpec $spec Note: The vCenter server reboots after FIPS is enabled or disabled.