The application must protect the confidentiality and integrity of stored information when required by DoD policy or the information owner.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-70225	APSC-DV-002330	SV-84847r1_rule		Medium

Description
Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive and tape drive) within an organizational information system. Mobile devices, laptops, desktops, and storage devices can be either lost or stolen, and the contents of their data storage (e.g., hard drives and non-volatile memory) can be read, copied, or altered. Applications and application users generate information throughout the course of their application use, including data that is stored in areas of volatile memory. Volatile memory must not be overlooked when assigning protections. This requirement addresses protection of user-generated data, as well as, operating system-specific configuration data. Applications must employ mechanisms to achieve confidentiality and integrity protections, as appropriate, in accordance with the security category and/or classification of the information. This can include segmenting and controlling access to the data such as utilizing file permissions to restrict access, using role based controls to restrict access or applying a cryptographic hash to the data and evaluating hash values for changes made to data.

Description

Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive and tape drive) within an organizational information system. Mobile devices, laptops, desktops, and storage devices can be either lost or stolen, and the contents of their data storage (e.g., hard drives and non-volatile memory) can be read, copied, or altered. Applications and application users generate information throughout the course of their application use, including data that is stored in areas of volatile memory. Volatile memory must not be overlooked when assigning protections. This requirement addresses protection of user-generated data, as well as, operating system-specific configuration data. Applications must employ mechanisms to achieve confidentiality and integrity protections, as appropriate, in accordance with the security category and/or classification of the information. This can include segmenting and controlling access to the data such as utilizing file permissions to restrict access, using role based controls to restrict access or applying a cryptographic hash to the data and evaluating hash values for changes made to data.

STIG	Date
Application Security and Development Security Technical Implementation Guide	2017-01-09

Details

Check Text ( C-70701r1_chk )
Review the application documentation and interview the application administrator. Identify the data processed by the application and the accompanying data protection requirements. Determine if the data owner has specified stored data protection requirements. Determine if the application is processing publicly releasable, FOUO or classified stored data. Determine if the application configuration information contains sensitive information. Access the data repository and have the application administrator, application developer or designer identify the data integrity and confidentiality protections utilized to protect stored data. If the application processes classified data or if the data owner has specified data protection requirements and the application administrator is unable to demonstrate how the data is protected, this is a finding.

Check Text ( C-70701r1_chk )

Review the application documentation and interview the application administrator.

Identify the data processed by the application and the accompanying data protection requirements.

Determine if the data owner has specified stored data protection requirements.

Determine if the application is processing publicly releasable, FOUO or classified stored data.

Determine if the application configuration information contains sensitive information.

Access the data repository and have the application administrator, application developer or designer identify the data integrity and confidentiality protections utilized to protect stored data.

If the application processes classified data or if the data owner has specified data protection requirements and the application administrator is unable to demonstrate how the data is protected, this is a finding.

Fix Text (F-76461r1_fix)
Identify data elements that require protection. Document the data types and specify protection requirements and methods used.