ComplianceAsCode · Mab879 · Apr 3, 2026 · Apr 2, 2026
diff --git a/controls/srg_gpos/SRG-OS-000480-GPOS-00227.yml b/controls/srg_gpos/SRG-OS-000480-GPOS-00227.yml
@@ -1,8 +1,8 @@
 controls:
    -   id: SRG-OS-000480-GPOS-00227
        levels:
            - medium
        title: {{{ full_name }}} must be configured in accordance with the security configuration
            settings based on DoD security configuration or implementation guidance, including
            STIGs, NSA configuration guides, CTOs, and DTMs.
        rules:
@@ -245,7 +245,6 @@
             - display_login_attempts
             - installed_OS_is_vendor_supported
             - selinux_all_devicefiles_labeled
-            - chrony_set_nts
             - tftp_uses_secure_mode_systemd
             - grub2_pti_argument
             - chronyd_client_only

diff --git a/linux_os/guide/services/ntp/chrony_set_nts/rule.yml b/linux_os/guide/services/ntp/chrony_set_nts/rule.yml
@@ -25,3 +25,10 @@ severity: medium
 
 platforms:
     - package[chrony]
+
+warnings:
+    - general: |-
+        Network Time Security (NTS) is not compatible with systems running in FIPS mode.
+        Enabling NTS on a system in FIPS mode causes chronyd service to abort with a fatal
+        error. This is because NTS uses algorithms (specifically SIV cipher) that are not
+        approved by NIST and are not compliant with FIPS.
@@ -46,3 +46,4 @@ selections:
     - sshd_use_strong_macs
     - configure_ssh_crypto_policy
     - package_dnsmasq_removed
+    - chrony_set_nts
@@ -147,7 +147,6 @@ auditd_overflow_action
 auditd_write_logs
 banner_etc_issue
 bios_enable_execution_restrictions
-chrony_set_nts
 chronyd_client_only
 chronyd_no_chronyc_network
 chronyd_or_ntpd_set_maxpoll

@@ -147,7 +147,6 @@ auditd_overflow_action
 auditd_write_logs
 banner_etc_issue
 bios_enable_execution_restrictions
-chrony_set_nts
 chronyd_client_only
 chronyd_no_chronyc_network
 chronyd_or_ntpd_set_maxpoll