Can someone explain to me how to be compliant with nist 800-171 control 3.13.08? It seems impossible from a network engineers perspective

old.reddit.com / @/u/toeding, https://old.reddit.com/user/toeding

Did anyone validate of this is possible before writing it?

The first layer of networking is access layer what the computer connects to which if this is possible needs to be able to encrypt transmission.

Problem is both any switch like Cisco switches when you put it in fips-validated mode does not encrypt the control plane. It encrypts the the management interface and ssh to configure the device at fips level ssh encryption.

Same for wifi access points the data plane in fips mode is not encrypted. Only capwap packets and the authentication to get on is encrypted at fips levels.

Also any sort of sslvpn solution like global protect, anyconnect and zscaler is fips-cc not fips validated.

Fips validated seems required in control 3.13.11.

Did any network engineer in the DOD validate their expected architecture exists in the public world?

If the DOD thinks by putting their Cisco switches and APs in fips mode is securing their data plane they are shit out of luck.

Please explain to me how to be compliant with this control?

submitted by /u/toeding
[link] [comments]

published 8 days ago


Previous

Customer is wanting their vendors to have a 3rd party verify compliance. I can’t find a single company that doesn’t just try to get us to move everything into “the cloud”. Does anyone audit and assist with on prem solutions?
published 9 days ago

Next

Does putting all our windows computers in fips mode help enforce those cuis are compliant for nist 800-171r3 control 3.13.8 and 3.13.11
published 7 days ago
See all items from the same source