STIGQter: STIG Summary: Microsoft DotNet Framework 4.0 Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 22 Jan 2021

The .NET CLR must be configured to use FIPS approved encryption modules.

DISA Rule

SV-225230r615940_rule

Vulnerability Number

V-225230

Group Title

SRG-APP-000635

Rule Version

APPNET0062

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Examine the .NET CLR configuration files to find the runtime element and then the "enforceFIPSPolicy" element.

Example:
<configuration>
<runtime>
<enforceFIPSPolicy enabled="true|false" />
</runtime>
</configuration>

Delete the "enforceFIPSPolicy" runtime element or change its setting to "true"; otherwise, there must be documented IAO approvals for the FIPS setting.

Check Contents

Examine the .NET CLR configuration files from the vulnerability discussion to find the runtime element and then the "enforceFIPSPolicy" element.

Example:
<configuration>
<runtime>
<enforceFIPSPolicy enabled="true|false" />
</runtime>
</configuration>

By default, the .NET "enforceFIPSPolicy" element is set to "true".

If the "enforceFIPSPolicy" element does not exist within the "runtime" element of the CLR configuration, this is not a finding.

If the "enforceFIPSPolicy" element exists and is set to "false", and the IAO has not accepted the risk and documented the risk acceptance, this is a finding.

Documentable

False

Check Content Reference

M

Target Key

4213
