UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The application must protect the confidentiality and integrity of stored information when required by DoD policy or the information owner.


Overview

Finding ID Version Rule ID IA Controls Severity
V-70225 APSC-DV-002330 SV-84847r1_rule Medium
Description
Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive and tape drive) within an organizational information system. Mobile devices, laptops, desktops, and storage devices can be either lost or stolen, and the contents of their data storage (e.g., hard drives and non-volatile memory) can be read, copied, or altered. Applications and application users generate information throughout the course of their application use, including data that is stored in areas of volatile memory. Volatile memory must not be overlooked when assigning protections. This requirement addresses protection of user-generated data, as well as, operating system-specific configuration data. Applications must employ mechanisms to achieve confidentiality and integrity protections, as appropriate, in accordance with the security category and/or classification of the information. This can include segmenting and controlling access to the data such as utilizing file permissions to restrict access, using role based controls to restrict access or applying a cryptographic hash to the data and evaluating hash values for changes made to data.
STIG Date
Application Security and Development Security Technical Implementation Guide 2020-06-12

Details

Check Text ( C-70701r1_chk )
Review the application documentation and interview the application administrator.

Identify the data processed by the application and the accompanying data protection requirements.

Determine if the data owner has specified stored data protection requirements.

Determine if the application is processing publicly releasable, FOUO or classified stored data.

Determine if the application configuration information contains sensitive information.

Access the data repository and have the application administrator, application developer or designer identify the data integrity and confidentiality protections utilized to protect stored data.

If the application processes classified data or if the data owner has specified data protection requirements and the application administrator is unable to demonstrate how the data is protected, this is a finding.
Fix Text (F-76461r1_fix)
Identify data elements that require protection. Document the data types and specify protection requirements and methods used.