Title

Information at rest must be encrypted using a DoD-accepted algorithm to protect the confidentiality and integrity of the information. (Cat II impact)

Discussion

Data at rest is inactive data which is stored physically in any digital form (e.g., databases, data warehouses, spreadsheets, archives, tapes, off-site backups, mobile devices, etc.). Data at rest includes, but is not limited to, archived data, data which is not accessed or changed frequently, files stored on hard drives, USB thumb drives, files stored on backup tape and disks, and files stored off-site or on a storage area network. While data at rest can reside in many places, data at rest for a web server is data on the hosting system storage devices. Data stored as a backup on tape or stored off-site is no longer under the protection measures covered by the web server. There are several pieces of data that the web server uses during operation. The web server must use an accepted encryption method, such as AES-256, to protect the confidentiality and integrity of the information.

Check Content

Review the web server documentation and deployed configuration to locate where potential data at rest is stored. Verify that the data is encrypted using a DoD-accepted algorithm to protect the confidentiality and integrity of the information. If the data is not encrypted using a DoD-accepted algorithm, this is a finding.

Fix Text

Use a DoD-accepted algorithm to encrypt data at rest to protect the information's confidentiality and integrity.

Additional Identifiers

Rule ID: SV-206407r1022707_rule

Vulnerability ID: V-206407

Group Title: SRG-APP-000231

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.