Algorithm Usage Checks
Audits the keys, certs, and cipher lines that already exist on disk, not just what the policy permits in theory.
The problem
An assessor can request to see the SSH host keys and the trusted certificate store, and they will. DSA host keys, MD5-signed certs, and SHA-1 signatures in non-legacy positions are immediate findings, regardless of what the OS FIPS policy says, because these are artifacts already deployed to the system rather than configurations that govern future behavior.
Ed25519 keys are excellent cryptography but not FIPS-approved, since Curve25519 is not on the NIST-approved curve list. RSA under 2048 bits is non-compliant outright, and even 2048 carries a deprecation note past 2030 the contractor will inherit. Most contractors have DSA host keys still in production from server templates that predate the deprecation by half a decade.
Application cipher strings are the third surface. haproxy.cfg, stunnel.conf, and postfix main.cf routinely contain cipher lines pasted from a tutorial five years ago. RC4, DES, and 3DES sitting in those files mean any client that connects can negotiate them. The OS being in FIPS mode does nothing to stop the application from advertising the suite, and the assessor's scanner picks it up on contact.
What CMMC requires
NIST SP 800-171 Rev 2 controls this agent verifies. Primary mappings drive the gap assessment; secondary mappings provide supporting evidence in the SSP.
Verifies FIPS-approved algorithms are actually in use across keys, certificates, and cipher strings,not just that the system permits them.
Read in NIST 800-171 r2↗Audits SSH host key type and size against FIPS 186-4/186-5 minimums. DSA keys and sub-2048-bit RSA fail key establishment requirements directly.
Read in NIST 800-171 r2↗Detects RC4, DES, 3DES, NULL, and EXPORT cipher patterns in application configs that violate transmission confidentiality regardless of OS-level policy.
Read in NIST 800-171 r2↗Treats MD5-signed and SHA-1 end-entity certificates as known cryptographic weaknesses in deployed artifacts requiring remediation.
Read in NIST 800-171 r2↗How it works
Per-platform detection logic. The agent runs unprivileged where possible and falls back gracefully when raw access is unavailable.
Iterates /etc/ssh/ssh_host_*_key.pub and reads each via ssh-keygen -l -f, classifying by type and key length. Scans up to 50 certificates from /etc/ssl/certs and /etc/pki/ca-trust/source/anchors via openssl x509 -text -noout, parsing the Signature Algorithm field. Greps haproxy.cfg, stunnel.conf, postfix/main.cf, and similar configs for RC4, DES, 3DES, MD5, NULL, EXPORT, ADH, and AECDH, skipping commented lines and reporting exact line numbers for every hit.
Reads the LocalMachine\Root and LocalMachine\My certificate stores via the certificate store APIs and runs the same signature-algorithm validation across every entry. Cipher string scanning runs against any Windows-based haproxy, stunnel, or Apache install detected on the host, with the install path and line number attached to each finding.
Reads system keychain certificates and runs the same signature checks. SSH host key validation works the same way as Linux against ssh_host_*_key.pub. Less common to find weak cipher strings in macOS application configs, but the scan still runs across detected haproxy and stunnel deployments and reports clean if none are present.
What it finds
Concrete findings written to the assessor's mental model,not abstract categories. Severity drives POA&M priority and SPRS deduction.
- CRITICALMD5-signed certificateCertificate in trust store uses MD5 signature algorithm,practically forgeable since 2008. Direct 3.13.11 violation.
- HIGHDSA SSH host keyDSA is not approved for new key generation under FIPS 186-5. Host key must be regenerated as RSA 3072+ or ECDSA P-256/384.
- HIGHRSA SSH host key under 2048 bitsKey size below the FIPS minimum for RSA. Cryptographically weak and non-compliant for any host handling CUI.
- HIGHSHA-1 end-entity certificateCertificate in end-entity or intermediate position is signed with SHA-1. Permitted only for legacy chain verification at the root, not in active use.
- CRITICALRC4 in haproxy.cfg ciphers line 47Cipher string in production load balancer config explicitly includes RC4. Any client advertising RC4 will reach the backend with a broken cipher.
- MEDIUMEd25519 SSH host keyCurve25519 is excellent cryptography but not on the NIST-approved curve list,flag as non-FIPS even though the key itself is strong.
Algorithm-level findings land on 3.13.11 (5 points) and 3.13.10 (5 points) simultaneously, and a single MD5-signed cert in active use is a defensible 5-point loss on its own. SSH host keys in production are scrutinized in every CMMC assessment, and DSA keys produce immediate findings the contractor cannot remediate during the engagement window. Application cipher strings routinely produce multiple findings against 3.13.8 (5 points) when discovered together, so a single host can carry 13+ points of cryptographic exposure from artifacts alone.
How it hooks into the platform
The platform sweeps SSH host keys, trust-store certificates, and application cipher strings across every discovered host on a recurring cadence. You configure whether artifact metadata stays on-prem or syncs up. Each artifact lands in the SSP's cryptographic protection section with algorithm and status. Findings name the cert subject, key fingerprint, and file path plus line number so remediation is unambiguous. POA&M items open per artifact with the regeneration command. Weak artifacts shipped by a server template or container image surface on the next scan.
How we know it's working
Acceptance criteria from the engineering spec,what the agent must do to ship.
- Reads SSH public keys only, never touches private key material
- Continues past broken PEM files without aborting the trust-store scan
- Reports exact line number for every weak cipher finding
- Skips commented configuration lines so legitimate notes never trigger
- Caps trust-store scans at 50 certificates per host to stay bounded
Run this agent against your environment.
Book a 30-minute scoping call. We'll deploy the agent on your systems and walk through the findings together.