Title

Information at rest must be encrypted using a DOD-accepted algorithm to protect the confidentiality and integrity of the information. (Cat II impact)

Discussion

Data at rest is inactive data stored physically in any digital form (e.g., databases, data warehouses, spreadsheets, archives, tapes, off-site backups, mobile devices, etc.). Data at rest includes, but is not limited to, archived data, data that is not accessed or changed frequently, files stored on hard drives, USB thumb drives, files stored on backup tape and disks, and files stored off-site or on a storage area network. While data at rest can reside in many places, data at rest for a web server is data on the hosting system storage devices. Data stored as a backup on tape or stored off-site is no longer under the protection measures covered by the web server. There are several pieces of data the web server uses during operation. The web server must use an accepted encryption method, such as AES-256, to protect the confidentiality and integrity of the information.

Check Content

Review the web server documentation and deployed configuration to locate where potential data at rest is stored. Verify that the data is encrypted using a DOD-accepted algorithm to protect the confidentiality and integrity of the information. If the data is not encrypted using a DOD-accepted algorithm, this is a finding.

Fix Text

Use a DOD-accepted algorithm to encrypt data at rest to protect the information's confidentiality and integrity.

Additional Identifiers

Rule ID: SV-206407r1029555_rule

Vulnerability ID: V-206407

Group Title: SRG-APP-000231

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.