3.1.19 has a weight of -3 points

1. System Security Plan (SSP)

   Organization: [Organization Name]

   System Name: Mobile Device and Computer Encryption System

   Date: [Date]

   ---

   1. Introduction

   This System Security Plan details the encryption measures and policies put in place to ensure that all devices, particularly those within the mobile device organizational unit, are protected against unauthorized access and potential data breaches.

   2. System Description

   The system encompasses all connected devices, including but not limited to desktop computers, laptops, and mobile devices. It specifies encryption standards and practices for devices that are part of or have access to Controlled Unclassified Information (CUI).

   3. Device Encryption Policy

   3.1. BitLocker in FIPS Mode: All devices within the mobile device organizational unit are mandated to activate BitLocker in FIPS mode. T

   3.2. Group Policy Management: Encryption policies are managed through Group Policy and applied to members of specific organizational units in the Active Directory.

   3.3. Device Access to CUI: All devices that have access permissions to CUI must adhere to the BitLocker Group Policy, ensuring encryption across all devices, not limited to mobile ones.

   4. Mobile Device Encryption and Verification

   4.1. IT Verification: All company-owned mobile devices with clearance to access CUI are subjected to a verification process by the IT department.

   4.2. Encryption Standards: Devices must be encrypted either straight from the factory or using approved aftermarket solutions to gain CUI access clearance.

   ---

   Signatures:

   IT Manager: ____________________ Date: _______

   Security Officer: ____________________ Date: ______

1. Vulnerability: Non-compliant Devices

• Description: Devices that are yet to adhere to the BitLocker in FIPS mode requirement.
• Action: Perform a system-wide audit to identify and update non-compliant devices.
• Timeline: 3 months from the date of this SSP.
• Responsible Party: IT Department.

2. Vulnerability: Outdated Encryption Standards

• Description: Devices using encryption standards that do not meet the current policy.
• Action: Update all devices to the approved encryption standards. Retire devices that do not support these standards.
• Timeline: 6 months from the date of this SSP.
• Responsible Party: IT Department in collaboration with the Security Office.

3. Vulnerability: Unauthorized Access to CUI

• Description: Potential risk of unauthorized devices accessing CUI.
• Action: Review and update access controls, ensuring only verified devices can access CUI.
• Timeline: 2 months from the date of this SSP.
• Responsible Party: IT Department and Security Office.

4. Vulnerability: Inadequate IT Verification Process

• Description: Inefficiencies or oversights in the IT verification process for mobile devices.
• Action: Review and enhance the IT verification process to ensure all devices accessing CUI are adequately verified.
• Timeline: 4 months from the date of this SSP.
• Responsible Party: IT Department.

5. Vulnerability: Non-standard Aftermarket Solutions

• Description: Use of non-approved aftermarket encryption solutions.
• Action: Audit to identify devices with non-approved solutions and update them to use organization-approved encryption solutions.
• Timeline: 5 months from the date of this SSP.
• Responsible Party: IT Department.

BitLocker is a full disk encryption feature included with Microsoft Windows versions starting with Windows Vista. It’s designed to protect data by providing encryption for entire volumes. By doing so, BitLocker helps to ensure that data stored on a computer is not accessed or modified by unauthorized individuals.

Turning on BitLocker for a drive on a Windows computer involves several steps. Here’s a general guide to enable BitLocker on your drive:

1. Check System Requirements:
   • Ensure your computer has a Trusted Platform Module (TPM) chip. Most modern PCs come with a TPM. BitLocker typically requires TPM version 1.2 or later.
   • Your hard drive should have at least two partitions: a system partition (which contains the necessary files to start Windows) and an operating system partition (which contains Windows, your programs, and user data).
2. Start BitLocker:
   • Open File Explorer.
   • Right-click on the drive you want to encrypt (typically the C: drive) and select Turn on BitLocker.
3. Unlock Method:
   • Choose how you want to unlock your drive during startup:
     • Insert a USB flash drive: Save a startup key on a USB drive.
     • Enter a password: Use a password to unlock the drive.
   • Click Next after making your choice.
4. Backup Your Recovery Key:
   • You’ll be given a recovery key that can be used to unlock your drive if you forget the password or if the system doesn’t recognize your drive. You can save this key to your Microsoft account, a USB flash drive, a file, or print it.
   • It’s essential to save this key securely, as it’s your only way to access your data if there are issues with the normal unlock method.
5. Choose Encryption Option:
   • You’ll have two options:
     • Encrypt used disk space only (faster and best for new PCs and drives): This will only encrypt sectors of your hard drive that have data.
     • Encrypt entire drive (slower but best for PCs and drives already in use): This encrypts the entire drive, including parts without data.
   • Choose the option that best fits your needs and click Next.
6. Choose Encryption Mode:
   • You might be presented with an option to choose between new encryption mode and compatible mode. The new encryption mode is more secure and recommended for internal drives. Compatible mode is best if you expect to move the drive to older versions of Windows.
7. Start Encryption:
   • Click Continue and confirm any prompts.
   • Restart your computer if prompted. After the restart, BitLocker will begin encrypting your drive. This can take a while, especially if you have a large drive with lots of data.
8. Check Encryption Status:
   • You can check the encryption progress by hovering over the BitLocker icon in the system tray. Once encryption is complete, you’ll need to use your chosen unlock method (password or USB drive) to access your drive every time your computer starts up.

Note: Ensure you always have backups of your essential data, especially when making changes like encrypting your drive.

FIPS Mode refers to the Federal Information Processing Standards, which are government standards for encrypting data.

Overview of enabling FIPS mode on several platforms:

1. Windows:
   • Open the Local Group Policy Editor (gpedit.msc from Run).
   • Navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.
   • Find the policy “System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing” and set it to “Enabled”.
   • Restart the computer for the change to take effect.
2. Linux (Red Hat/CentOS):
   • Edit the /etc/sysconfig/prelink file and change PRELINKING=yes to PRELINKING=no.
   • Run the command prelink -u -a to undo existing prelinking.
   • Edit the /etc/crypto-policies/config file and set it to FIPS.
   • Apply the change using update-crypto-policies.
   • Restart the computer.
3. OpenSSL:
   • Some versions of OpenSSL can be run in FIPS mode, but it might require a FIPS-capable OpenSSL build. Once you have that, you can typically enable FIPS mode programmatically within apps using the OpenSSL library.
4. iOS/macOS:
   • Apple does not provide a general “FIPS mode” toggle like some other platforms. Instead, developers use Apple’s cryptographic libraries, which have been validated for FIPS 140-2, in their applications.
5. Networking Devices:
   • For routers, switches, and firewalls, the process varies widely. Consult the device’s manual or manufacturer’s documentation.

1. Secure Enclave: Every iPhone with an A7 chip or later contains a Secure Enclave, a hardware-based key manager that’s isolated from the main processor. It is used to handle encryption keys and operations securely. The Secure Enclave is essential for several security features on the iPhone, including:
   • Touch ID: The mathematical representations of your fingerprint are encrypted and stored only in the Secure Enclave. They are never sent to Apple or backed up to iCloud.
   • Face ID: Data utilized to recognize your face is encrypted and protected by the Secure Enclave.
   • Apple Pay: The device account number and other payment information are stored in the Secure Enclave.
2. Data Protection: iOS provides strong encryption for data in transit and data at rest on the device. Every time you lock your iPhone, the hardware encryption on the device pairs with the software encryption of the operating system to lock your data away.
3. Processor Architecture: The A-series chips in iPhones come with security features that prevent unauthorized access to data. The silicon design of these chips ensures that iOS runs in a secure environment.
4. End-to-End Encryption: iMessages and FaceTime have end-to-end encryption, meaning that only the sender and the receiver can view them. Apple doesn’t have access to this content.
5. Secure Boot Chain: This ensures that only trusted components are used during the boot-up process, from hardware to software.
6. Software Updates: Apple regularly provides updates to iOS to address security vulnerabilities and enhance the security framework.

Here are general steps and considerations to configure your macOS system for FIPS 140-2 compliance:

1. Use Apple’s Cryptographic Modules: Apple has FIPS 140-2 certified cryptographic modules in macOS. Make sure you are using applications and services that leverage Apple’s core cryptographic libraries.
2. FileVault2 for Disk Encryption: Ensure that you are using FileVault2 for full-disk encryption. This will encrypt the entire startup disk, and any user of the computer must enter a password before the computer will boot from the disk or access its data.
3. Gatekeeper: Ensure that Gatekeeper is enabled. This will restrict the sources from which applications can be installed. Ideally, allow apps downloaded only from the ‘App Store’ or ‘App Store and identified developers’.
4. Firewall: Turn on macOS’s built-in firewall to block incoming connections.
5. Regular Updates: Keep your macOS system updated. Apple provides security updates that can patch vulnerabilities. Turn on “Automatically keep my Mac up to date” from System Preferences > Software Update.
6. Disable Unnecessary Services: Turn off unnecessary services and features. For instance, if you don’t need Bluetooth, disable it. The fewer open doors and windows, the fewer routes there are for unauthorized access.
7. Use Strong Passwords: Ensure that all user accounts have strong, complex passwords. This can be enforced through System Preferences > Users & Groups.
8. Limit Use of the Root Account: The root user account has privileges that allow changes to the system that may bypass security. Ensure it’s disabled unless absolutely necessary.
9. Review Installed Applications: Regularly review and remove any unnecessary applications.
10. Audit and Logging: Ensure that the macOS logging features are enabled and regularly reviewed. This will help in identifying and understanding any unauthorized access attempts.
11. Remote Access: If not needed, disable “Remote Management” and “Remote Login” from System Preferences > Sharing. If remote access is necessary, ensure it’s done securely with strong authentication.
12. Browser Settings: Ensure that web browsers are set up securely. Disable unnecessary plugins, use private browsing modes, and consider using tools to block trackers or malicious sites.
13. VPN: If accessing the internet from public places, consider using a VPN to ensure your connection is encrypted.
14. Third-Party Security Solutions: Consider using third-party security solutions that may offer additional features or protections tailored for FIPS 140-2 compliance.
15. Regular Backups: Ensure you regularly back up your data. Use encrypted backups.

Please note that these steps provide a general path towards hardening your macOS system and aligning it with FIPS 140-2 principles. However, FIPS 140-2 compliance in an organizational setting may have additional requirements or nuances based on specific use cases, data classifications, and enterprise policies.