The Cisco ASA remote access VPN server must be configured to generate unique session identifiers using a FIPS-validated Random Number Generator (RNG) based on the Deterministic Random Bit Generators (DRBG) algorithm.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-239977 | CASA-VN-000610 | SV-239977r666337_rule | CCI-001188 | medium |
| Description | ||||
| Both IPsec and TLS gateways use the RNG to strengthen the security of the protocols. Using a weak RNG will weaken the protocol and make it more vulnerable. Use of a FIPS validated RNG that is not DRGB mitigates to a CAT III. | ||||
| STIG | Date | |||
| Cisco ASA VPN Security Technical Implementation Guide | 2024-08-22 | |||
Related Frameworks
2 paths across 2 frameworks
Related Frameworks
NIST 800-531 mapping
SC-23(3)
1.00
- DISA · V2R2 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
CCI1 mapping
CCI-001188
1.00
- DISA · V2R2 · disa_xccdf · related
Details
Check Text (C-239977r666337_chk)
Review the ASA configuration to verify that FIPS mode has been enabled as shown in the example below.
ASA Version x.x
!
hostname ASA1
fips enable
If the ASA is not configured to be enabled in FIPS mode, this is a finding.
Fix Text (F-43169r666336_fix)
Configure the ASA to have FIPS-mode enabled as shown in the example below.
ASA1(config)# fips enable
ASA1(config)# end
Note: FIPS mode change will not take effect until the configuration is saved and the device rebooted.