
STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

V-239953

CAT II (Medium)

The Cisco ASA must be configured to use NIST FIPS-validated cryptography for Internet Key Exchange (IKE) Phase 1.

Rule ID

SV-239953r916122_rule

STIG

Cisco ASA VPN Security Technical Implementation Guide

Version

V2R2

CCIs

CCI-002450

Discussion

Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The VPN gateway must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.

Check Content

Verify the ASA uses NIST FIPS-validated cryptography for IKE Phase 1, as shown in the example below.

crypto ikev2 policy 1
 encryption aes-256

If the ASA is not configured to use NIST FIPS-validated cryptography for IKE Phase 1, this is a finding.
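As an added compliance check (not part of the STIG or of STIGhub), the Python below parses the IKEv2 policy lines of an ASA running-config and reports every policy whose encryption keywords fall outside an allow-list of AES transforms; both the sample config and the allow-list are constructed assumptions, and the allow-list should be aligned with current NIST SP 800-131A guidance before use.

```python
import re

# Assumed allow-list: ASA "encryption" keywords that map to FIPS-approved AES
# transforms. Align with current NIST SP 800-131A guidance before relying on it.
FIPS_ENCRYPTION = {"aes", "aes-192", "aes-256", "aes-gcm", "aes-gcm-192", "aes-gcm-256"}

# Constructed sample of "show running-config crypto ikev2": policy 1 matches the
# STIG example, policy 10 uses legacy 3DES, policy 20 lists DES beside AES-256.
SAMPLE_CONFIG = """\
crypto ikev2 policy 1
 encryption aes-256
 integrity sha256
 group 14
crypto ikev2 policy 10
 encryption 3des
 integrity sha
crypto ikev2 policy 20
 encryption aes-256 des
 integrity sha256
crypto ikev2 enable outside
"""

def parse_ikev2_policies(config: str) -> dict[int, list[str]]:
    """Map each IKEv2 policy number to the encryption keywords it configures."""
    policies: dict[int, list[str]] = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^crypto ikev2 policy (\d+)\s*$", line)
        if m:                                   # entering a policy sub-mode
            current = int(m.group(1))
            policies[current] = []
        elif line.startswith(" ") and current is not None:
            parts = line.split()                # indented sub-mode command
            if parts and parts[0] == "encryption":
                policies[current].extend(parts[1:])
        else:
            current = None                      # any other top-level line
    return policies

def find_findings(config: str) -> dict[int, list[str]]:
    """Policy number -> offending encryption keywords (empty list = compliant).
    A policy with no encryption line is reported as "none", not passed."""
    findings = {}
    for num, algs in parse_ikev2_policies(config).items():
        findings[num] = [a for a in algs if a not in FIPS_ENCRYPTION] if algs else ["none"]
    return findings

if __name__ == "__main__":
    for num, bad in find_findings(SAMPLE_CONFIG).items():
        print(f"crypto ikev2 policy {num}: " + ("FINDING: " + ", ".join(bad) if bad else "compliant"))
```

Any policy listed with a non-empty keyword set is a finding under this rule; policy 20 shows why every keyword on the encryption line must be inspected, not just the first.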

Fix Text

Configure the ASA to use NIST FIPS-validated cryptography for IKE Phase 1.

ASA1(config)# crypto ikev2 policy 1
ASA1(config-ikev2-policy)# encryption aes-256