STIGhubSTIGhub
STIGsSearchCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated 5 hours ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to Network Infrastructure Policy Security Technical Implementation Guide

V-251351

CAT I (High)

Tunneling of classified traffic across an unclassified IP transport network must employ cryptographic algorithms in accordance with CNSS Policy No. 15.

Rule ID

SV-251351r916232_rule

STIG

Network Infrastructure Policy Security Technical Implementation Guide

Version

V10R7

CCIs

CCI-002396, CCI-002418

Discussion

When transporting classified data over an unclassified IP network, it is imperative that traffic from the classified enclave or community of interest is encrypted prior reaching the point of presence or service delivery node of the unclassified network. Confidentiality and integrity of the classified traffic must be preserved by employing cryptographic algorithms in accordance with CNSS Policy No. 15 which requires the appropriate Suite B cryptographic algorithms listed in ANNEX B or a commensurate suite of NSA-approved cryptographic algorithms.

Check Content

Review the configuration of the IPsec VPN gateway and verify that the tunnel provisioned for transporting classified traffic across an unclassified IP transport network is using cryptographic algorithms in accordance with CNSS Policy No. 15.

If cryptographic algorithms used for tunneling classified traffic across an unclassified network are not in accordance with CNSS Policy No. 15, this is a finding.

Fix Text

Configure the tunnel used for transporting classified traffic across an unclassified IP transport network to negotiate with the remote end point to employ cryptographic algorithms in accordance with CNSS Policy No. 15.