The .NET CLR must be configured to use FIPS approved encryption modules.
Overview
Finding ID | Version | Rule ID | IA Controls | Severity |
V-225230 | APPNET0062 | SV-225230r961908_rule | | Medium |
Description |
STIG | Date |
Microsoft DotNet Framework 4.0 Security Technical Implementation Guide | 2025-05-16 |
Details
Check Text (C-26929r468005_chk) |
Examine the .NET CLR configuration files from the vulnerability discussion to find the runtime element and then the "enforceFIPSPolicy" element.

Example:

<configuration>
  <runtime>
    <enforceFIPSPolicy enabled="true|false" />
  </runtime>
</configuration>

By default, the .NET "enforceFIPSPolicy" element is set to "true".

If the "enforceFIPSPolicy" element does not exist within the "runtime" element of the CLR configuration, this is not a finding.

If the "enforceFIPSPolicy" element exists and is set to "false", and the IAO has not accepted the risk and documented the risk acceptance, this is a finding. |
Fix Text (F-26917r468006_fix) |
Examine the .NET CLR configuration files to find the runtime element and then the "enforceFIPSPolicy" element.

Example:

<configuration>
  <runtime>
    <enforceFIPSPolicy enabled="true|false" />
  </runtime>
</configuration>

Delete the "enforceFIPSPolicy" runtime element, change the setting to "true", or ensure there are documented IAO approvals for the FIPS setting. |
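
The check text above can be applied to each configuration file as a small PowerShell function. This is an added example, not part of the STIG: the function name Test-EnforceFipsPolicy, the -RiskAccepted switch and the sample XML strings are constructed for illustration, and treating any "enabled" value other than true or false as needing manual review is an assumption the check text does not cover.

```powershell
# Added example (not STIG content): classify the text of one CLR configuration
# file against the enforceFIPSPolicy check.
function Test-EnforceFipsPolicy {
    param(
        [Parameter(Mandatory)][string]$ConfigXml,  # raw text of a CLR config file
        [switch]$RiskAccepted                      # documented IAO risk acceptance exists
    )
    $doc = New-Object System.Xml.XmlDocument
    try { $doc.LoadXml($ConfigXml) }
    catch { return 'Review: file is not well-formed XML' }

    # The element only counts when it sits directly under <configuration>/<runtime>.
    $nodes = $doc.SelectNodes('/configuration/runtime/enforceFIPSPolicy')
    if ($nodes.Count -eq 0) {
        return 'NotAFinding: element absent, default applies'
    }

    foreach ($node in $nodes) {
        # Compare case-insensitively so "False" and "FALSE" are caught too.
        $enabled = $node.GetAttribute('enabled').Trim()
        if ($enabled -ieq 'false') {
            if ($RiskAccepted) {
                return 'NotAFinding: set to false with documented IAO risk acceptance'
            }
            return 'Finding: set to false without documented IAO risk acceptance'
        }
        if ($enabled -ine 'true') {
            # Assumption: anything other than true/false goes to manual review.
            return "Review: unexpected enabled value '$enabled'"
        }
    }
    return 'NotAFinding: set to true'
}

# Constructed sample inputs, embedded so the example runs without touching a real system.
$samples = [ordered]@{
    'absent' = '<configuration><runtime /></configuration>'
    'true'   = '<configuration><runtime><enforceFIPSPolicy enabled="true" /></runtime></configuration>'
    'false'  = '<configuration><runtime><enforceFIPSPolicy enabled="False" /></runtime></configuration>'
    'broken' = '<configuration><runtime>'
}
foreach ($name in $samples.Keys) {
    '{0,-7} {1}' -f $name, (Test-EnforceFipsPolicy -ConfigXml $samples[$name])
}
```

To evaluate a real file, pass its content with Get-Content -Raw, and add -RiskAccepted only where the IAO risk acceptance is actually documented.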