Ensuring NIST FIPS-validated cryptography to protect the confidentiality of TLS
Rule Title: If TLS optimization is enabled RiOS must use encryption services that implement NIST FIPS-validated cryptography to protect the confidentiality of TLS.
STIG ID: RICX-AG-000039
Rule ID: SV-77307r1_rule Severity: CAT II
Vuln ID: V-62817 Class: Unclass
Without confidentiality protection mechanisms, unauthorized individuals might gain access to sensitive information through a remote access session.
Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external network that the organization does not control. Remote access methods include broadband and wireless connections, and proxied remote encrypted traffic such as transport layer security (TLS) gateways, web content filters, and web email proxies.
Encryption provides a means to secure the remote connection to prevent unauthorized access to the data traversing the remote access connection, thereby providing a degree of confidentiality. The encryption strength of the mechanism is selected based on the security categorization of the information.
This requirement applies to application layer gateways (ALGs) that provide remote-access proxy services as part of their intermediary services (for example, an OWA or TLS gateway).
Verifying the TLS version support
Verify RiOS is configured to support TLS v1.1 as a minimum and preferably TLS v1.2.
For detailed information, see Verifying the TLS version.
Configuring TLS version for peer, client, and server ciphers
Configure RiOS so that its peer, client, and server cipher settings accept TLS v1.1 as a minimum and preferably TLS v1.2, so that versions below TLS v1.1 are not negotiated.
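An external check of the version floor, as an added example that is not part of this page or of Riverbed's RiOS documentation: a Python probe that attempts a handshake pinned to each TLS version against the optimized TLS endpoint and scores the outcome against the rule above (TLS v1.1 minimum, TLS v1.2 preferred). The target host and port are placeholders; substitute the SteelHead TLS service under test. The probe establishes only which protocol versions the appliance negotiates; it does not show that the cipher implementation is a FIPS-validated module, which has to be confirmed separately from the appliance's FIPS 140 validation documentation.

```python
"""Probe which TLS protocol versions a TLS endpoint will negotiate.

Added verification example; this is not Riverbed documentation or RiOS code.
TARGET_HOST and TARGET_PORT are placeholders for the SteelHead-optimized
TLS service (or an SSL backend server) you want to check.
"""
import socket
import ssl

TARGET_HOST = "steelhead.example.internal"   # placeholder, not a real host
TARGET_PORT = 443

# Names match what ssl.SSLSocket.version() reports for a negotiated session.
VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def context_for(version):
    """Client context pinned to exactly one protocol version.

    Certificate validation is disabled deliberately: the question is whether
    the peer negotiates the version at all, not whether its chain is trusted.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        # OpenSSL's default security level refuses to offer TLS 1.0/1.1 at
        # all; drop to level 0 so a rejection really comes from the appliance.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass   # non-OpenSSL builds: keep the default cipher list
    return ctx


def probe(host=TARGET_HOST, port=TARGET_PORT, timeout=5.0):
    """Return {version_name: negotiated?} for each version in VERSIONS.

    A failed handshake and a local library that cannot speak the version
    both come back False, which is the conservative answer for this check.
    """
    results = {}
    for name, version in VERSIONS.items():
        try:
            ctx = context_for(version)
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    # min == max, so a completed handshake is this version.
                    results[name] = tls.version() == name
        except (OSError, ssl.SSLError, ValueError):
            results[name] = False
    return results


def assess(results):
    """Score probe results against the rule: TLS 1.1 floor, TLS 1.2 preferred.

    Returns (status, findings) where status is "pass", "warn" or "fail".
    """
    findings = []
    if results.get("TLSv1"):
        findings.append(("fail", "TLS 1.0 accepted: below the TLS 1.1 minimum"))
    has_12 = bool(results.get("TLSv1.2") or results.get("TLSv1.3"))
    has_11 = bool(results.get("TLSv1.1"))
    if not has_12 and not has_11:
        findings.append(("fail", "no TLS 1.1 or later negotiated: verify the target and the probe host"))
    elif not has_12:
        findings.append(("warn", "TLS 1.2 not negotiable: the TLS 1.1 floor is met, but TLS 1.2 is preferred"))
    elif has_11:
        findings.append(("warn", "TLS 1.1 still accepted alongside TLS 1.2: consider restricting to TLS 1.2"))
    order = {"pass": 0, "warn": 1, "fail": 2}
    status = max((level for level, _ in findings), key=order.get, default="pass")
    return status, [msg for _, msg in findings]


if __name__ == "__main__":
    found = probe()
    status, findings = assess(found)
    for name, ok in found.items():
        print(f"{name:8s} {'negotiated' if ok else 'rejected'}")
    print("result:", status)
    for item in findings:
        print(" -", item)
```

Run the probe from a host on the client side of the appliance so the handshake is answered by the SteelHead's optimized TLS service rather than by the origin server. A "warn" result is still compliant with the TLS v1.1 floor stated on this page; a "fail" for TLS 1.0 means the cipher settings need to be tightened before the check can be marked as passed.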