|Finding ID||Version||Rule ID||IA Controls||Severity|
|TLS is a required transmission protocol for a web server hosting controlled information. The use of TLS provides confidentiality of data in transit between the web server and client. FIPS 140-2-approved TLS versions must be enabled and non-FIPS-approved SSL versions must be disabled. NIST SP 800-52 defines the approved TLS versions for government applications.|
|Microsoft IIS 10.0 Server Security Technical Implementation Guide||2022-12-09|
|Check Text (C-20294r310941_chk)|
|Review the web server documentation and deployed configuration to determine which version of TLS is being used. If the TLS version is not TLS 1.2 or higher, according to NIST SP 800-52, or if non-FIPS-approved algorithms are enabled, this is a finding.|
|Fix Text (F-20292r310942_fix)|
|Configure the web server to use an approved TLS version according to NIST SP 800-52 and to disable all non-approved versions.|
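
One way to inspect the deployed configuration named in the check text, as an added example that is not part of the STIG: IIS on Windows takes its TLS protocol settings from SCHANNEL, so this PowerShell reads the server-side protocol registry keys. The Finding/Review labels are this example's interpretation of the check text (TLS 1.2 or higher only), not wording from the guide.

```powershell
# Added example: report the server-side SCHANNEL protocol state used by IIS.
# Assumption: "approved" means TLS 1.2 or higher, per the check text above.
$base      = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3'
$approved  = 'TLS 1.2', 'TLS 1.3'

function Get-SchannelServerState {
    param([string]$Protocol)
    $key   = Join-Path $base "$Protocol\Server"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    # A missing key or missing Enabled value means the OS default applies;
    # that is not the same as an explicit "disabled" setting.
    if ($null -eq $props -or $null -eq $props.Enabled) { return 'NotConfigured' }
    if ($props.Enabled -eq 0) { return 'Disabled' }
    return 'Enabled'
}

$report = foreach ($p in $protocols) {
    $state = Get-SchannelServerState -Protocol $p
    if ($approved -contains $p) {
        # Approved versions: only worth a look if someone turned them off.
        $result = if ($state -eq 'Disabled') { 'Review: approved version disabled' } else { 'OK' }
    } else {
        # Non-approved versions must be off; an absent key leaves it to the OS default.
        $result = switch ($state) {
            'Disabled'      { 'OK' }
            'Enabled'       { 'Finding: non-approved version enabled' }
            'NotConfigured' { 'Review: OS default applies' }
        }
    }
    [pscustomobject]@{ Protocol = $p; ServerState = $state; Result = $result }
}

$report | Format-Table -AutoSize
$findings = @($report | Where-Object { $_.Result -like 'Finding*' })
"Findings: $($findings.Count)"
```

This covers protocol versions only; the cipher suites and algorithms mentioned in the check text need a separate review.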