STIGhubSTIGhub
STIGsRMF ControlsCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • RMF Controls
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated 4 hours ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to Cisco ASA VPN Security Technical Implementation Guide

V-239977

CAT II (Medium)

The Cisco ASA remote access VPN server must be configured to generate unique session identifiers using a FIPS-validated Random Number Generator (RNG) based on the Deterministic Random Bit Generators (DRBG) algorithm.

Rule ID

SV-239977r666337_rule

STIG

Cisco ASA VPN Security Technical Implementation Guide

Version

V2R2

CCIs

CCI-001188

Discussion

Both IPsec and TLS gateways use the RNG to strengthen the security of the protocols. Using a weak RNG will weaken the protocol and make it more vulnerable. Use of a FIPS validated RNG that is not DRGB mitigates to a CAT III.

Check Content

Review the ASA configuration to verify that FIPS mode has been enabled as shown in the example below.

ASA Version x.x
!
hostname  ASA1
fips enable 

If the ASA is not configured to be enabled in FIPS mode, this is a finding.

Fix Text

Configure the ASA to have FIPS-mode enabled as shown in the example below.

ASA1(config)# fips enable 
ASA1(config)# end

Note: FIPS mode change will not take effect until the configuration is saved and the device rebooted.