diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/bash/shared.sh
new file mode 100644
index 000000000000..a6adf6762362
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/bash/shared.sh
@@ -0,0 +1,10 @@
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Oracle Linux 8
+
+
+cp="CRYPTO_POLICY='-oCiphers=aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc -oMACs=hmac-sha2-256,hmac-sha2-512 -oGSSAPIKeyExchange=no -oKexAlgorithms=diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521 -oHostKeyAlgorithms=rsa-sha2-256,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,rsa-sha2-512,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384'"
+file=/etc/crypto-policies/local.d/opensshserver-ospp.config
+
+#blank line at the begining to ease later readibility
+echo '' > "$file"
+echo "$cp" >> "$file"
+update-crypto-policies
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/oval/shared.xml
new file mode 100644
index 000000000000..76154f880fa8
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/oval/shared.xml
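Review bot: The policy string assigned to `cp` is repeated verbatim in the OVAL check, the ocil text and every test fixture of this commit, so a later edit to one copy silently desynchronizes check and remediation; hoist it into a single shared Jinja variable or macro that all of them expand. The value deliberately admits `aes128-cbc`, `aes256-cbc`, `diffie-hellman-group14-sha1` and `ssh-rsa`; since the rule is titled "Harden", a comment such as `# algorithm list is mandated by FCS_SSHS_EXT.1, not chosen as the strongest available` would stop a maintainer from "tightening" it and breaking the check. Neither `echo '' > "$file"` nor `update-crypto-policies` has its exit status checked, so a missing `/etc/crypto-policies/local.d` or a failed policy rebuild is reported as success; consider `update-crypto-policies || exit 1`, assuming the remediation harness honours exit status. The comment `#blank line at the begining to ease later readibility` has two typos.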
@@ -0,0 +1 @@
+{{{ oval_check_config_file(path="/etc/crypto-policies/back-ends/opensshserver.config", prefix_regex="^(?:.*\\n)*\s*", parameter="CRYPTO_POLICY", value="'-oCiphers=aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc -oMACs=hmac-sha2-256,hmac-sha2-512 -oGSSAPIKeyExchange=no -oKexAlgorithms=diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521 -oHostKeyAlgorithms=rsa-sha2-256,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,rsa-sha2-512,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384'", separator_regex="=", application="sshd") }}}
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/rule.yml
new file mode 100644
index 000000000000..84f25f135896
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/rule.yml
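Review bot: The prefix `^(?:.*\\n)*\s*` lets any number of earlier lines precede the match but nothing in it anchors the match to the end of the file, while the `correct_followed_by_incorrect` fixture expects the last `CRYPTO_POLICY=` assignment to win; confirm that `oval_check_config_file` appends a terminal anchor, otherwise an earlier correct line would satisfy the check even when a later line overrides it. The same `prefix_regex` mixes escaping styles, `\\n` for the newline but a single `\s` for whitespace; confirm both survive the Jinja string literal, or write `\\s` so the intent is unambiguous. The `value` comparison is byte-exact including the surrounding single quotes, so an equivalent `CRYPTO_POLICY="..."` or a reordered algorithm list fails the check; that strictness is presumably intended (the `incorrect_policy` fixture relies on it) and deserves a comment next to the macro call.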
@@ -0,0 +1,28 @@
+documentation_complete: true
+
+title: 'Harden SSHD Crypto Policy'
+
+description: |-
+ Crypto Policies are means of enforcing certain cryptographic settings for selected applications including OpenSSH server.
+ The SSHD service is by default configured to modify its configuration based on currently configured Crypto-Policy. However, in certain cases it might be needed to override the Crypto Policy specific to OpenSSH Server and leave rest of the Crypto Policy intact.
+ This can be done by dropping a file named opensshserver-xxx.config, replacing xxx with arbitrary identifier, into /etc/crypto-policies/local.d. This has to be followed by running update-crypto-policies so that changes are applied.
+ Changes are propagated into /etc/crypto-policies/back-ends/opensshserver.config. This rule checks if this file contains predefined CRYPTO_POLICY environment variable configured with predefined value.
+
+rationale: |-
+ The Common Criteria requirements specify that certain parameters for OpenSSH Server are configured e.g. supported ciphers, accepted host key algorithms, public key types, key exchange algorithms, HMACs and GSSAPI key exchange is disabled. Currently particular requirements specified by CC are stricter compared to any existing Crypto Policy.
+
+severity: medium
+
+identifiers:
+ cce@rhel8: 82176-9
+
+references:
+ ospp : FCS_SSHS_EXT.1
+
+ocil_clause: 'Crypto Policy for OpenSSH Server is not configured according to CC requirements'
+
+ocil: |-
+ To verify if the OpenSSH server uses defined Crypto Policy, run:
+
$ grep 'CRYPTO_POLICY' /etc/crypto-policies/back-ends/opensshserver.config | tail -n 1
+ and verify that the line matches +
CRYPTO_POLICY", value="'-oCiphers=aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc -oMACs=hmac-sha2-256,hmac-sha2-512 -oGSSAPIKeyExchange=no -oKexAlgorithms=diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521 -oHostKeyAlgorithms=rsa-sha2-256,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,rsa-sha2-512,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384'
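Review bot: The last ocil line reads `CRYPTO_POLICY", value="'-oCiphers=...` — the `", value="` fragment looks like a leftover from the OVAL macro call rather than the line an administrator should see, which would be `CRYPTO_POLICY='-oCiphers=...'`; if this is not a rendering artefact of this page, fix it, since it is the only place an auditor is told what the correct line looks like. The description and rationale would also read better as `leave the rest of the Crypto Policy intact` and `Currently the particular requirements specified by CC are stricter`. `ospp : FCS_SSHS_EXT.1` carries a stray space before the colon that the other keys in the file do not.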
diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
index 2f6928e8bef4..98141052e27d 100644
--- a/rhel8/profiles/ospp.profile
+++ b/rhel8/profiles/ospp.profile
@@ -1226,3 +1226,5 @@ selections: ## Enable dnf-automatic Timer - timer_dnf-automatic_enabled
+
+ - harden_sshd_crypto_policy
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 0d6150580b33..ccaaf75b3879 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -9,7 +9,6 @@ CCE-82172-8
 CCE-82173-6
 CCE-82174-4
 CCE-82175-1
-CCE-82176-9
 CCE-82177-7
 CCE-82178-5
 CCE-82179-3
diff --git a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_harden_sshd_crypto_policy/correct.pass.sh b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_harden_sshd_crypto_policy/correct.pass.sh
new file mode 100644
index 000000000000..24bc4aa9632f
--- /dev/null
+++ b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_harden_sshd_crypto_policy/correct.pass.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+configfile=/etc/crypto-policies/back-ends/opensshserver.config
+
+echo "CRYPTO_POLICY='-oCiphers=aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc -oMACs=hmac-sha2-256,hmac-sha2-512 -oGSSAPIKeyExchange=no -oKexAlgorithms=diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521 -oHostKeyAlgorithms=rsa-sha2-256,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,rsa-sha2-512,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384'" > "$configfile"
+
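Review bot: The new selection has no `## ...` heading comment, unlike the neighbouring entry `## Enable dnf-automatic Timer`, so the reason for the selection is lost in a profile of more than 1200 lines; add `    ## Harden SSHD crypto policy (FCS_SSHS_EXT.1)` above `    - harden_sshd_crypto_policy`. Only one neighbour is visible in the hunk, so confirm this heading convention is used throughout the file before adding it.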
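Review bot: The fixture's `# platform` line lists Fedora and Red Hat Enterprise Linux 8 only, while the remediation in this commit also declares `Oracle Linux 8`, so the rule is remediated on a platform it is never tested on; the same mismatch is in every other fixture of this commit (`correct_commented.fail.sh`, `correct_followed_by_incorrect.fail.sh`, `empty_file.fail.sh`, `empty_policy.fail.sh`, `incorrect_followed_by_correct.pass.sh`, `incorrect_policy.fail.sh`, `missing_file.fail.sh`). The fixtures write `/etc/crypto-policies/back-ends/opensshserver.config` directly with `>`, so they exercise the OVAL check but never the `local.d` plus `update-crypto-policies` path that the remediation uses; a comment stating that this is deliberate would help. If that back-end file is a symlink on the test image, the redirection writes through to its target, which is worth confirming before relying on these fixtures.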
diff --git a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_harden_sshd_crypto_policy/correct_commented.fail.sh b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_harden_sshd_crypto_policy/correct_commented.fail.sh
new file mode 100644
index 000000000000..e2059a1bd9ea
--- /dev/null
+++ b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_harden_sshd_crypto_policy/correct_commented.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+configfile=/etc/crypto-policies/back-ends/opensshserver.config
+
+echo "#CRYPTO_POLICY='-oCiphers=aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc -oMACs=hmac-sha2-256,hmac-sha2-512 -oGSSAPIKeyExchange=no -oKexAlgorithms=diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521 -oHostKeyAlgorithms=rsa-sha2-256,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,rsa-sha2-512,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384'" > "$configfile"
diff --git a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_harden_sshd_crypto_policy/correct_followed_by_incorrect.fail.sh b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_harden_sshd_crypto_policy/correct_followed_by_incorrect.fail.sh
new file mode 100644
index 000000000000..5ea8a4c4f510
--- /dev/null
+++ b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_harden_sshd_crypto_policy/correct_followed_by_incorrect.fail.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+configfile=/etc/crypto-policies/back-ends/opensshserver.config
+
+echo "CRYPTO_POLICY='-oCiphers=aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc -oMACs=hmac-sha2-256,hmac-sha2-512 -oGSSAPIKeyExchange=no -oKexAlgorithms=diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521 -oHostKeyAlgorithms=rsa-sha2-256,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,rsa-sha2-512,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384'" > "$configfile"
+echo "CRYPTO_POLICY='-oCiphers=aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc -oMACs=hmac-sha2-256,hmac-sha2-512 -oGSSAPIKeyExchange=no -oKexAlgorithms=diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521 -oHostKeyAlgorithms=rsa-sha2-256,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,rsa-sha2-512,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,spamspam'" >> "$configfile"
diff --git a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_harden_sshd_crypto_policy/empty_file.fail.sh b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_harden_sshd_crypto_policy/empty_file.fail.sh
new file mode 100644
index 000000000000..f9ef2781c505
--- /dev/null
+++ b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_harden_sshd_crypto_policy/empty_file.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+configfile=/etc/crypto-policies/back-ends/opensshserver.config
+
+echo "" > "$configfile"
diff --git a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_harden_sshd_crypto_policy/empty_policy.fail.sh b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_harden_sshd_crypto_policy/empty_policy.fail.sh
new file mode 100644
index 000000000000..ac99aa83a53b
--- /dev/null
+++ b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_harden_sshd_crypto_policy/empty_policy.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+configfile=/etc/crypto-policies/back-ends/opensshserver.config
+
+echo "CRYPTO_POLICY=" > "$configfile"
diff --git a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_harden_sshd_crypto_policy/incorrect_followed_by_correct.pass.sh b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_harden_sshd_crypto_policy/incorrect_followed_by_correct.pass.sh
new file mode 100644
index 000000000000..ce9244f39d38
--- /dev/null
+++ b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_harden_sshd_crypto_policy/incorrect_followed_by_correct.pass.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+configfile=/etc/crypto-policies/back-ends/opensshserver.config
+
+echo "CRYPTO_POLICY='-oCiphers=aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc -oMACs=hmac-sha2-256,hmac-sha2-512 -oGSSAPIKeyExchange=no -oKexAlgorithms=diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521 -oHostKeyAlgorithms=rsa-sha2-256,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,rsa-sha2-512,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,bogusbogus'" > "$configfile"
+echo "CRYPTO_POLICY='-oCiphers=aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc -oMACs=hmac-sha2-256,hmac-sha2-512 -oGSSAPIKeyExchange=no -oKexAlgorithms=diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521 -oHostKeyAlgorithms=rsa-sha2-256,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,rsa-sha2-512,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384'" >> "$configfile"
diff --git a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_harden_sshd_crypto_policy/incorrect_policy.fail.sh b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_harden_sshd_crypto_policy/incorrect_policy.fail.sh
new file mode 100644
index 000000000000..95dc844282e3
--- /dev/null
+++ b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_harden_sshd_crypto_policy/incorrect_policy.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+configfile=/etc/crypto-policies/back-ends/opensshserver.config
+
+echo "CRYPTO_POLICY='-oCiphers=aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc -oMACs=hmac-sha2-256,hmac-sha2-512 -oGSSAPIKeyExchange=no -oKexAlgorithms=diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521 -oHostKeyAlgorithms=rsa-sha2-256,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,rsa-sha2-512,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp38'" > "$configfile"
diff --git a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_harden_sshd_crypto_policy/missing_file.fail.sh b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_harden_sshd_crypto_policy/missing_file.fail.sh
new file mode 100644
index 000000000000..3e91d242a01d
--- /dev/null
+++ b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_harden_sshd_crypto_policy/missing_file.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+configfile=/etc/crypto-policies/back-ends/opensshserver.config
+
+rm -f "$configfile"