The ICS must be configured to use an approved Commercial Solution for Classified (CSfC) when transporting classified traffic across an unclassified network.

An XCCDF Rule

Description

<VulnDiscussion>Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The National Security Agency/Central Security Service's (NSA/CSS) CSfC Program enables commercial products to be used in layered solutions to protect classified National Security Systems (NSS) data. Currently, Suite B cryptographic algorithms are specified by NIST and are used by NSA's Information Assurance Directorate in solutions approved for protecting classified and unclassified NSS. However, quantum resistant algorithms will be required for future required Suite B implementations. Satisfies: SRG-NET-000352-VPN-001460, SRG-NET-000565-VPN-002400, SRG-NET-000565-VPN-002390</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-258595r930473_rule
Severity: Medium
References: CCI-002450
Updated: 17 days ago

In the ICS Web UI, navigate to System >> Configuration >> Certificates >> Device Certificates.
1. Click "New CSR".
2. Add a Common Name in FQDN format.
3. Add a Country code of "US".
4. Under key type, select "ECC".
5. Under the key length, select "P-384".6. Click "Create CSR".
7. Copy the Base 64/PEM encoded certificate request that is shown on the screen and paste it to a text file. Ensure the file has the file suffix of .csr.
8. Go through the local RA process for DOD Web Server certificate requests. Ensure that SANs are added to the certificate by the issuing CA to include the hostname, cluster names, and all FQDNs.
9. Once the certificate is provided by the CA, go to System >> Configuration >> Certificates >> Device Certificates.
10. Click "Browse" and select the certificate file issued by the CA. Then click "Import".
11. Click "Save Changes".
12. Click on the imported certificate.
13. On the "Internal Port", click "add" for the cluster internal VIP and <Internal Port>.
14. On the "External Port" click "add" for the cluster external VIP and <External Port>.
15. Check the box for "Management Port".
16. Under "Certificate Status Checking", click the box for "Use CRLs".
17. Click "Save Changes".

In the ICS Web UI, navigate to System >> Configuration >> Inbound SSL Options.
1. Under "Allowed Encryption Strength", click "SuiteB - Accept only SuiteB ciphers".
2. Click "Save Changes" and accept the cipher suite changes.

The ICS must be configured to use an approved Commercial Solution for Classified (CSfC) when transporting classified traffic across an unclassified network.

Description

Remediation - Manual Procedure