An error occurred:

Check: CASA-VN-000170

Cisco ASA VPN STIG: CASA-VN-000170 (in versions v1 r1 through v1 r0.1)

Title

The Cisco ASA must be configured to use NIST FIPS-validated cryptography for Internet Key Exchange (IKE) Phase 1. (Cat II impact)

Discussion

Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The VPN gateway must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.

Check Content

Verify the ASA uses a NIST FIPS-validated cryptography for IKE Phase 1 as shown in the example below. crypto ikev2 policy 1 encryption aes-192 If the ASA is not configured to use NIST FIPS-validated cryptography for IKE Phase 1, this is a finding.

Fix Text

Configure the ASA to use NIST FIPS-validated cryptography for IKE Phase 1. ASA1(config)# crypto ikev2 policy 1 ASA1(config-ikev2-policy)# encryption aes-192

Additional Identifiers

Rule ID: SV-239953r666265_rule

Vulnerability ID: V-239953

Group Title: SRG-NET-000510-VPN-002180

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-002450

The information system implements organization-defined cryptographic uses and type of cryptography required for each use in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
SC-13

Cryptographic Protection