
AOS must use cryptographic algorithms approved by the National Security Agency (NSA) to protect national security systems (NSS) when transporting classified traffic across an unclassified network.

An XCCDF Rule

Description

Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. National Institute of Standards and Technology (NIST) cryptographic algorithms are approved by NSA to protect NSS. Based on an analysis of the impact of quantum computing, cryptographic algorithms specified by CNSSP-15 and approved for use in products in the Commercial Solutions for Classified (CSfC) program have been changed to more stringent protocols and configured with increased bit sizes and other secure characteristics to protect against quantum computing threats. The Commercial National Security Algorithm (CNSA) Suite replaces Suite B.

Satisfies: SRG-NET-000352, SRG-NET-000565

ID: SV-266639r1040407_rule
Version: ARBA-NT-000920
Severity: Medium

Remediation Templates

A Manual Procedure

Configure AOS with the following commands:
crypto pki csr ec curve_name secp384r1 common_name <common_name> country <US> state_or_province <state> city <city> organization <org> unit <unit> email <email>
show crypto pki csr

1. Use DOD PKI to generate a public certificate based on the CSR.
2. Using the web GUI, navigate to Configuration >> System >> Certificates >> Import Certificates.
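
Before submitting the CSR in step 1, it is worth confirming that the request really carries an EC key on secp384r1, the curve named in the command above. The following is an added example, not part of the STIG or of AOS: it parses a PKCS#10 CSR with the Python standard library and reports the key algorithm and named curve. It assumes the CSR has been copied out as a PEM block; `sample_csr` builds a constructed CSR skeleton (dummy key and signature) so the check can be run offline.

```python
import base64

EC_PUBLIC_KEY, SECP384R1 = "1.2.840.10045.2.1", "1.3.132.0.34"  # id-ecPublicKey, P-384

def tlv(buf, pos):  # read one DER element at pos: (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def children(value):  # split a constructed element's contents into (tag, value) pairs
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        out.append((tag, val))
    return out

def oid(value):  # OBJECT IDENTIFIER contents to dotted form
    arcs, n = list(divmod(value[0], 40)), 0  # first byte is 40*a + b; exact for a in {0, 1}
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def csr_key_algorithm(pem):  # (key algorithm OID, named-curve OID or None)
    b64 = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    _, csr, _ = tlv(base64.b64decode(b64), 0)
    info = children(children(csr)[0][1])        # version, subject, SPKI, attributes
    alg = children(children(info[2][1])[0][1])  # AlgorithmIdentifier inside the SPKI
    curve = oid(alg[1][1]) if len(alg) > 1 and alg[1][0] == 0x06 else None
    return oid(alg[0][1]), curve

def is_p384_csr(pem):
    return csr_key_algorithm(pem) == (EC_PUBLIC_KEY, SECP384R1)

def der(tag, *parts):  # minimal DER encoder (lengths up to 255), only for the constructed sample
    body = b"".join(parts)
    head = [len(body)] if len(body) < 0x80 else [0x81, len(body)]
    return bytes([tag, *head]) + body

def sample_csr(curve_oid):  # constructed skeleton: dummy key and signature, not a real request
    alg = der(0x30, der(6, bytes.fromhex("2a8648ce3d0201")), der(6, curve_oid))
    info = der(0x30, der(2, b"\x00"), der(0x30), der(0x30, alg, der(3, b"\x00\x04" + bytes(96))), der(0xA0))
    raw = der(0x30, info, der(0x30, der(6, bytes.fromhex("2a8648ce3d040303"))), der(3, b"\x00"))
    return "-----BEGIN CERTIFICATE REQUEST-----\n" + base64.b64encode(raw).decode() + "\n-----END CERTIFICATE REQUEST-----"
```

The check inspects only the key algorithm and curve in the request; it does not verify the CSR signature or the subject fields.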