AOS must use cryptographic algorithms approved by the National Security Agency (NSA) to protect national security systems (NSS) when transporting classified traffic across an unclassified network.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-266639	SRG-NET-000352	ARBA-NT-000920	SV-266639r1040407_rule	2024-10-29	1

Description
Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. National Institute of Standards and Technology (NIST) cryptographic algorithms are approved by NSA to protect NSS. Based on an analysis of the impact of quantum computing, cryptographic algorithms specified by CNSSP-15 and approved for use in products in the Commercial Solutions for Classified (CSfC) program have been changed to more stringent protocols and configured with increased bit sizes and other secure characteristics to protect against quantum computing threats. The Commercial National Security Algorithm (CNSA) Suite replaces Suite B. Satisfies: SRG-NET-000352, SRG-NET-000565

Description

Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. National Institute of Standards and Technology (NIST) cryptographic algorithms are approved by NSA to protect NSS. Based on an analysis of the impact of quantum computing, cryptographic algorithms specified by CNSSP-15 and approved for use in products in the Commercial Solutions for Classified (CSfC) program have been changed to more stringent protocols and configured with increased bit sizes and other secure characteristics to protect against quantum computing threats. The Commercial National Security Algorithm (CNSA) Suite replaces Suite B. Satisfies: SRG-NET-000352, SRG-NET-000565

ℹ️ Check
If AOS is not being used for CSFC, this requirement is not applicable. 1. Verify the AOS configuration with the following command: show crypto-local ipsec-map Note the IKEv2 Policy number for each configured map. 2. For each configured policy number, run the following command: show crypto isakmp policy <IKEv2 Policy #> 3. Verify each configured transform-set with the following command: show crypto ipsec transform-set If the configured IPsec map, ISAKMP policy, and transform-set do not contain the following, this is a finding: ECDCA 384 certificate IKEv2 policy with AES256, SHA-384, ECDSA-384, Group 20 Transform set with AES-256-GCM

ℹ️ Check

If AOS is not being used for CSFC, this requirement is not applicable. 1. Verify the AOS configuration with the following command: show crypto-local ipsec-map Note the IKEv2 Policy number for each configured map. 2. For each configured policy number, run the following command: show crypto isakmp policy <IKEv2 Policy #> 3. Verify each configured transform-set with the following command: show crypto ipsec transform-set If the configured IPsec map, ISAKMP policy, and transform-set do not contain the following, this is a finding: ECDCA 384 certificate IKEv2 policy with AES256, SHA-384, ECDSA-384, Group 20 Transform set with AES-256-GCM

✔️ Fix
Configure AOS with the following commands: crypto pki csr ec curve_name secp384r1 common_name <common_name> country <US> state_or_province <state> city <city> organization <org> unit <unit> email <email> show crypto pki csr 1. Use DOD PKI to generate a public certificate based on the CSR. 2. Using the web GUI, navigate to Configuration >> System >> Certificates >> Import Certificates. 3. Click the plus sign (+) and enter "Certificate name:", browse to the public certificate file, choose the appropriate format, "ServerCert" type, and click "Submit". 4. Navigate to Configuration >> System >> Admin, choose the imported certificate under "Server Certificate", and click "Submit". 5. Click Pending Changes >> Deploy Changes. configure terminal crypto ipsec transform-set <name> esp-aes256-gcm crypto isakmp policy <#> authentication ecdsa-384 encryption aes256 group 20 hash sha2-384-192 prf prf-hmac-sha384 version v2 exit crypto-local ipsec-map <name> <priority> set transform-set <set created earlier name> <configure VPN settings as needed> exit write memory

✔️ Fix

Configure AOS with the following commands: crypto pki csr ec curve_name secp384r1 common_name <common_name> country <US> state_or_province <state> city <city> organization <org> unit <unit> email <email> show crypto pki csr 1. Use DOD PKI to generate a public certificate based on the CSR. 2. Using the web GUI, navigate to Configuration >> System >> Certificates >> Import Certificates. 3. Click the plus sign (+) and enter "Certificate name:", browse to the public certificate file, choose the appropriate format, "ServerCert" type, and click "Submit". 4. Navigate to Configuration >> System >> Admin, choose the imported certificate under "Server Certificate", and click "Submit". 5. Click Pending Changes >> Deploy Changes. configure terminal crypto ipsec transform-set <name> esp-aes256-gcm crypto isakmp policy <#> authentication ecdsa-384 encryption aes256 group 20 hash sha2-384-192 prf prf-hmac-sha384 version v2 exit crypto-local ipsec-map <name> <priority> set transform-set <set created earlier name> <configure VPN settings as needed> exit write memory