← Back to context

Comment by tptacek

3 years ago

1075 does not appear to require that access VPNs use FIPS cryptography. Arguably, it would if you were relying exclusively on WireGuard for data protection, but it's uncommon for people to do that (we're WireGuard true believers and we do in places depend on WireGuard authentication and encryption for our security model, but it's a weird enough thing to do that we notice it when we do it).

3 comments

tptacek

Reply
Spooky23  3 years ago

See section 4.18, control SC-13.

  • tptacek  3 years ago

    Yes, I'm familiar. I don't believe that means everything you use that happens to involve cryptography has to comply with that control.

    • Spooky23  3 years ago

      At the time we looked at it for a client, in an audit, certain aspects would be at the discretion of the auditor. They are typically pragmatic about this stuff.

      That said my original statement was too broad. It’s not an “enterprise” issue, more use case dependent in regulated scenarios.