Web Server SRG Version Comparison

There are 1 differences between versions v4 r1 (July 24, 2024) (the "left" version) and v4 r3 (April 2, 2025) (the "right" version).

Check SRG-APP-000231-WSR-000144 was changed between these two versions. Green, underlined text was added, red, struck-out text was removed.

The regular view of the left check and right check may be easier to read.

Title

Information at rest must be encrypted using a DoD-accepted DOD-accepted algorithm to protect the confidentiality and integrity of the information.

Check Content

Review the web server documentation and deployed configuration to locate where potential data at rest is stored. Verify that the data is encrypted using a DoD-accepted DOD-accepted algorithm to protect the confidentiality and integrity of the information. If the data is not encrypted using a DoD-accepted DOD-accepted algorithm, this is a finding.

Discussion

Data at rest is inactive data which is stored physically in any digital form (e.g., databases, data warehouses, spreadsheets, archives, tapes, off-site backups, mobile devices, etc.). Data at rest includes, but is not limited to, archived data, data which that is not accessed or changed frequently, files stored on hard drives, USB thumb drives, files stored on backup tape and disks, and files stored off-site or on a storage area network. While data at rest can reside in many places, data at rest for a web server is data on the hosting system storage devices. Data stored as a backup on tape or stored off-site is no longer under the protection measures covered by the web server. There are several pieces of data that the web server uses during operation. The web server must use an accepted encryption method, such as AES-256, to protect the confidentiality and integrity of the information.

Fix

Use a DoD-accepted DOD-accepted algorithm to encrypt data at rest to protect the information's confidentiality and integrity.