
FIPS 140-2 for CallManager 12.5.1

tina.hopper
Level 1

Hi all:

We're getting ready to deploy a new CUCM cluster for a gov't customer, and need some specifics on which CUCM 12.5.1 SU supports FIPS 140-2.

 

The 12.5 Security guide states only 12.5.1 SU1 supports FIPS:

https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/security/12_5_1/cucm_b_security-guide-1251/cucm_b_security-guide-1251_chapter_0100001.html#CUCM_TP_FDCF810C_00

 

FIPS Mode Not Supported in Some 12.x Versions

FIPS mode is supported with 12.5(1)SU1. However, FIPS mode is not supported with Releases 12.0(x) and 12.5(1) of Cisco Unified Communications Manager and the IM and Presence Service. If you are upgrading from an earlier release with FIPS mode, Enhanced Security Mode, or Common Criteria Mode enabled, you must disable them prior to the upgrade to these releases, or upgrade to 12.5(1)SU1 instead. TFTP and other services will not work in 12.0(x) or 12.5(1) with FIPS mode enabled.

 

==

 

However, the CUCM 12.5.1 SU3 security guide gives steps on how to configure FIPS mode but no statement on whether it supports FIPS or not:

https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/security/12_5_1SU3/cucm_b_security_guide_1251SU3/cucm_m_fips-mode-setup_su2_reorg.html

 

The FIPS 140-2 guide just shows 12.5 as a supported FIPS version, no mention of any SU requirement:

https://www.cisco.com/c/en/us/solutions/industries/government/global-government-certifications/fips-140.html

 

Can someone provide clarity on if all CUCM 12.5.1 SU's support FIPS, or only SU1?  Ideally we'd like to upgrade to the latest SU for patches/bug fixes, but need to confirm SU3 (or all SU's for 12.5.1) are FIPS compliant.  Also, we need to plan for correct phone firmware and other software for FIPS, and the documentation is confusing, to say the very least.

 

TIA

5 Replies

Kaloyan
Cisco Employee

Hello,

 

I don't see where the confusion comes from. The documentation that you are citing clearly states that FIPS mode is not supported in specific CUCM versions (which are pointed out). You'll have to be running CUCM 12.5 SU1 or higher (which is implicit).

If it was clear it would be clear and I wouldn’t have asked the question. It says only supported in SU1 in the 12.5 guide. I need a definitive answer.

I'll add this...the fact that it's implicit to Cisco doesn't mean it's implicit to customers.  We are the ones on the hook having to deploy a solution based on "well I'm assuming that because FIPS mode instructions are in the CUCM 12.5.1 SU3 guide that it's supported."  

 

For us to have to guess instead of putting a note stating "NOTE:  FIPS mode is supported in all 12.5.1 SU releases" either in the 12.5.1 SU3 security guide would help us a great deal.  If we assume, and Cisco backtracks and says "whoops, something is wrong so FIPS isn't supported" - and I've seen that happen too many times - then it's on us and leaves the customer in a bind.

 

So please, if it was "implicit" it would actually be CLEAR and not ASSUMED.

FIPS mode is supported with 12.5(1)SU1 and higher. That means it's supported on 12.5(1)SU3, and that's the reason the Release Guide for 12.5(1)SU3 explains the configuration steps.

 

 





Thank you for clarifying before we start deploying SU3, the confirmation is appreciated.