...
We recommend that V-222950 be completely removed from the STIG as it has no perceivable benefit.
V-222968
This finding requires that FIPS-validated cipher (suites) are used on secure connectors, but gets confused after that.
It's not clear whether this Finding requires that a FIPS-validated cryptographic module be used in FIPS mode, or that a FIPS-validated cryptographic module must be used (in any mode), or that only cipher suites be FIPS-140-2 validated (whatever that means). It also states that setting FIPSMode="on" on the AprLifecycleListener (a) will enable FIPS and (b) FIPS mode is not possible without it.
Enabling the AprLifecycleListener and using FIPSMode="on" is only applicable if OpenSSL is being used as the underlying cryptographic module, and that module has been built with FIPS support. There are other ways to use FIPS-valiated cryptographic modules that do not use this setting.
This recommendation should clarify what is actually required, and be specific about how to ensure that a FIPS-validated module is actually in use.
Additions
No recommended additions at this point.
...