V-279273

CAT II (Medium)

The Edge SWG must obtain its public key certificates from an appropriate certificate policy through an approved service provider.

Rule ID

SV-279273r1170704_rule

STIG

Symantec Edge SWG NDM Security Technical Implementation Guide

Version

V1R2

CCIs

CCI-000366, CCI-001159, CCI-004909

Discussion

Before continuing, the site must follow the configuration steps in SYME-ND-000100. For user certificates, each organization obtains certificates from an approved, shared service provider, as required by OMB policy. For federal agencies operating a legacy public key infrastructure cross-certified with the Federal Bridge Certification Authority at medium assurance or higher, this certification authority will suffice.

Satisfies: SRG-APP-000516-NDM-000344, SRG-APP-000910-NDM-000300

Check Content

Via the SSH CLI:

1. Log in to the Edge SWG SSH CLI.
2. Enter "enable" and "configure terminal".
3. Issue the command "ssl", then issue the command "view keyring".
4. Note which keyrings report "FIPS compliant: yes".

Or via the Web UI:

1. Log in to the Edge SWG Web UI.
2. Navigate to the Configuration tab.
3. Click SSL, then Keyrings.

If the keyring in use is not FIPS compliant (see step 4 of the CLI check above), this is a finding.

Click the keyring in use.

If the certificate in the keyring was not issued by a DOD certificate authority, this is a finding.

Fix Text

1. Log in to the Edge SWG SSH CLI.
2. Enter "enable" and "configure terminal".
3. Enter "ssl".
4. Enter "create fips keyring show fips-keyring 2048". The "fips-keyring" name can be changed to whatever the site wants to use.
5. Enter "create signing-request fips-keyring".
6. Enter "view signing-request fips-keyring". Copy the signing request PEM data and provide it to the DOD CA for certificate issuance.
7. Once the DOD CA issues/signs the certificate for the keyring, enter "inline certificate fips-keyring ~", paste the raw PEM certificate data at the prompt, then press Enter. Ensure the "~" is present at the end of the pasted text; it terminates the inline input.
8. For each LDAP server CA certificate and CAC authentication CA certificate, issue the following command: "inline fips ca-certificate DODCA1 ~", paste the CA certificate data, and ensure the "~" is entered at the end of the paste. Note: DODCA1 is used as an example name.
9. Repeat the "inline fips ca-certificate" command for all CA certificates in use for LDAPS and CAC authentication.
10. Create a new FIPS-enabled CCL by entering: "create fips ccl fips-ccl". The "fips-ccl" name can be changed to whatever the site wants to use.
11. Enter "edit ccl fips-ccl".
12. Enter "add <CA certificate name>" for each CA certificate imported in steps 8 and 9.
13. Create an SSL device profile by entering: "create fips ssl-device-profile fips-profile fips-keyring". The "fips-profile" name can be changed to whatever the site wants to use.
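As an added check, not part of the STIG or of Symantec's documentation: the fix has the site generate a 2048-bit FIPS keyring, submit its CSR to a DOD CA, and paste the issued certificate back, and the check content fails the keyring if that certificate was not DOD-issued. The POSIX shell script below performs both tests on the PEM files before they are pasted into the CLI: it reads the key length out of a CSR (the step 6 data) and verifies that an issued certificate chains to a DOD CA bundle and carries a DOD issuer name. It assumes openssl is on PATH; the issuer-name pattern (O=U.S. Government, OU=DoD) is an assumption about DOD PKI naming, and the "DOD TEST CA" it builds in a temporary directory is constructed for the demonstration, not a real DOD CA.

```shell
#!/bin/sh
# Added example (not from the STIG or from Symantec). Assumes openssl on PATH.
# The DoD issuer match below is an assumption about DoD PKI naming; the
# "DOD TEST CA" built by make_test_pki is constructed for this demo.
set -eu

# Key length from "openssl ... -text" output on stdin; matches both the
# "Public-Key:" (3.x) and "RSA Public-Key:" (1.1.x) spellings.
pubkey_bits() {
    sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# csr_key_bits CSR -> modulus size of a PEM CSR (sanity check before step 6 submission).
csr_key_bits() {
    openssl req -in "$1" -noout -text | pubkey_bits
}

# check_keyring_cert CERT CAFILE -> prints "ok" or the first failure found:
#   weak-key    modulus shorter than the 2048 bits step 4 creates
#   chain-fail  CERT does not chain to CAFILE (e.g. the self-signed default keyring)
#   not-dod     chains, but the issuer DN is not the DoD PKI (assumed naming)
check_keyring_cert() {
    cert="$1"; cafile="$2"
    bits=$(openssl x509 -in "$cert" -noout -text | pubkey_bits)
    if [ -z "$bits" ] || [ "$bits" -lt 2048 ]; then echo weak-key; return 0; fi
    if ! openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1; then
        echo chain-fail; return 0
    fi
    # RFC2253 order is CN,OU=PKI,OU=DoD,O=U.S. Government,C=US for a DoD-style DN.
    issuer=$(openssl x509 -in "$cert" -noout -issuer -nameopt RFC2253)
    case "$issuer" in
        *"OU=DoD"*"O=U.S. Government"*) echo ok ;;
        *) echo not-dod ;;
    esac
}

# make_test_pki -> prints a temp dir holding a constructed DoD-style test CA,
# a 2048-bit and a 1024-bit leaf it issued, a non-DoD CA with its own leaf,
# and a self-signed "default" certificate standing in for the factory keyring.
make_test_pki() {
    dir=$(mktemp -d)
    mk_ca() { openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$1" \
                  -keyout "$dir/$2.key" -out "$dir/$2.crt" >/dev/null 2>&1; }
    mk_leaf() { openssl req -new -newkey "rsa:$1" -nodes -subj "/CN=edge-swg.example.mil" \
                    -keyout "$dir/$3.key" -out "$dir/$3.csr" >/dev/null 2>&1
                openssl x509 -req -in "$dir/$3.csr" -CA "$dir/$2.crt" -CAkey "$dir/$2.key" \
                    -CAcreateserial -days 1 -out "$dir/$3.crt" >/dev/null 2>&1; }
    mk_ca "/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD TEST CA" dod-ca
    mk_ca "/O=Example Corp/CN=Example Internal CA" corp-ca
    mk_leaf 2048 dod-ca leaf
    mk_leaf 1024 dod-ca weak-leaf
    mk_leaf 2048 corp-ca corp-leaf
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=default" \
        -keyout "$dir/default.key" -out "$dir/default.crt" >/dev/null 2>&1
    echo "$dir"
}

# Usage: ./check_keyring.sh demo   (exercises the checks against the constructed PKI)
if [ "${1:-}" = demo ]; then
    d=$(make_test_pki)
    echo "leaf.csr key bits: $(csr_key_bits "$d/leaf.csr")"
    for f in leaf default weak-leaf; do
        echo "$f.crt vs dod-ca: $(check_keyring_cert "$d/$f.crt" "$d/dod-ca.crt")"
    done
    echo "corp-leaf.crt vs corp-ca: $(check_keyring_cert "$d/corp-leaf.crt" "$d/corp-ca.crt")"
    rm -rf "$d"
fi
```

The key-length test runs before the chain test so a short key is reported as weak-key rather than being masked by a chain failure under a strict OpenSSL security level. On the appliance, the equivalent of the chain test is the CCL built in steps 10 to 12, which is why every CA in the LDAPS and CAC path has to be imported with "inline fips ca-certificate" before the CCL is assembled.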