FIPS compliance

Last Updated: Jul 06, 2022

FIPS 140-2 compliance

Ensure that the Avaya Contact Center – Extended Capacity components meet the following requirements to be FIPS compliant:

  • Operating system: In Deployment Manager, use the option to enable FIPS mode when installing Avaya Contact Center – Extended Capacity. Ensure that you enable FIPS mode in both the kernel and user space of the Linux servers that host Avaya Contact Center – Extended Capacity components. Also ensure that the Docker image contains FIPS-compliant cryptographic modules.

  • OpenSSL: Activate FIPS mode at startup for all Avaya Contact Center – Extended Capacity components that use cryptographic functions. The components must also report FIPS status and OpenSSL errors to logs. Replace MD5 or SHA-1 on components with suitable FIPS-compliant algorithms. Additionally, cipher suites must not use SHA-1 to sign server key exchanges.

  • TLS: Set the default TLS version to 1.2, except on components that do not support TLS.

  • Certificates: Use FIPS approved algorithms and key lengths for certificates. Ensure that the key length is at least 2048 bits. Replace the MD5 hash with an appropriate, approved hash function. Any MD5-based password scrambling must use a SHA-2-based hash function instead.

    If you enable FIPS mode and a certificate does not comply with the FIPS approved algorithms and key length, Avaya Contact Center – Extended Capacity raises an alarm and rejects the certificate.

    Avaya Contact Center – Extended Capacity components must not use certificates signed using SHA-1. If there are SHA-1-signed certificates, reissue them using FIPS approved algorithms. Each certificate in the certificate chain must have at least a SHA-256 signature.
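    The two certificate rules above (no signature weaker than SHA-256 anywhere in the chain, no RSA key shorter than 2048 bits) can be checked before a certificate is loaded. The following Go program is an added example, not Avaya code; the certificates it inspects are constructed in memory with hypothetical names, whereas a real check would parse the chain with x509.ParseCertificate.

```go
package main

import (
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
)

// Signature algorithms the check accepts: SHA-2 family only, so MD5- and SHA-1-signed certificates are reported.
var approvedSigAlgs = map[x509.SignatureAlgorithm]bool{
	x509.SHA256WithRSA: true, x509.SHA384WithRSA: true, x509.SHA512WithRSA: true,
	x509.SHA256WithRSAPSS: true, x509.SHA384WithRSAPSS: true, x509.SHA512WithRSAPSS: true,
	x509.ECDSAWithSHA256: true, x509.ECDSAWithSHA384: true, x509.ECDSAWithSHA512: true,
}
const minRSABits = 2048 // minimum RSA key length from the checklist

// CheckChain inspects every certificate in a chain (leaf first) and returns one finding per
// violation. An empty result means the chain passes; anything else is the alarm-and-reject case.
func CheckChain(chain []*x509.Certificate) []string {
	var findings []string
	for i, c := range chain {
		if !approvedSigAlgs[c.SignatureAlgorithm] {
			findings = append(findings, fmt.Sprintf("cert[%d] %s: signature algorithm %s is not approved (SHA-256 or stronger required)", i, c.Subject.CommonName, c.SignatureAlgorithm))
		}
		if pub, ok := c.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < minRSABits {
			findings = append(findings, fmt.Sprintf("cert[%d] %s: RSA key is %d bits, minimum is %d", i, c.Subject.CommonName, pub.N.BitLen(), minRSABits))
		}
	}
	return findings
}

// sampleCert builds a constructed, unsigned in-memory certificate record with only the fields
// CheckChain reads populated; it stands in for a certificate parsed from DER or PEM.
func sampleCert(cn string, alg x509.SignatureAlgorithm, rsaBits int) *x509.Certificate {
	n := new(big.Int).Lsh(big.NewInt(1), uint(rsaBits-1)) // smallest modulus with exactly rsaBits bits
	return &x509.Certificate{Subject: pkix.Name{CommonName: cn}, SignatureAlgorithm: alg,
		PublicKey: &rsa.PublicKey{N: n, E: 65537}}
}

func main() {
	chain := []*x509.Certificate{
		sampleCert("legacy-leaf", x509.SHA1WithRSA, 1024),    // two violations
		sampleCert("intermediate", x509.SHA256WithRSA, 2048), // passes
		sampleCert("root", x509.SHA384WithRSA, 4096),         // passes
	}
	for _, f := range CheckChain(chain) {
		fmt.Println("REJECT:", f)
	}
}
```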

FIPS-199 compliance

FIPS-199 defines three security objectives: confidentiality, integrity, and availability. The security category of a system is expressed in terms of these objectives. The following table summarizes the potential impact (low, moderate, or high) for each security objective:

  • Security objective: Confidentiality. Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. [44 U.S.C., SEC. 3542]

    Potential impact:

    Low: The unauthorized disclosure of information could be expected to have a limited adverse effect on organizational operations, assets, or individuals.

    Moderate: The unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, assets, or individuals.

    High: The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations, assets, or individuals.

  • Security objective: Integrity. Guarding against improper information modification or destruction, including ensuring information non-repudiation and authenticity. [44 U.S.C., SEC. 3542]

    Potential impact:

    Low: The unauthorized modification or destruction of information could be expected to have a limited adverse effect on organizational operations, assets, or individuals.

    Moderate: The unauthorized modification or destruction of information could be expected to have a serious adverse effect on organizational operations, assets, or individuals.

    High: The unauthorized modification or destruction of information could be expected to have a severe or catastrophic adverse effect on organizational operations, assets, or individuals.

  • Security objective: Availability. Ensuring timely and reliable access to and use of information. [44 U.S.C., SEC. 3542]

    Potential impact:

    Low: The disruption of access to or use of information or an information system could be expected to have a limited adverse effect on organizational operations, assets, or individuals.

    Moderate: The disruption of access to or use of information or an information system could be expected to have a serious adverse effect on organizational operations, assets, or individuals.

    High: The disruption of access to or use of information or an information system could be expected to have a severe or catastrophic adverse effect on organizational operations, assets, or individuals.