Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-6135 | APP3210 | SV-6135r1_rule | ECCR-1 ECCR-2 ECCR-3 | Medium |
**Description**

Application data needs to be properly protected. Application data contains not only operationally sensitive data, but also personal data covered by the Privacy Act that needs to be protected both internally and externally. Classified data could be compromised if the required level of encryption is not used.
STIG | Date |
---|---|
Application Security and Development Checklist | 2014-01-07 |
**Check Text (C-2946r1_chk)**

The designer will ensure:

- NIST-certified cryptography is used to protect stored sensitive information if required by the information owner.
- NIST-certified cryptography is used to store classified non-Sources and Methods Intelligence (SAMI) information if required by the information owner.
- A classified enclave containing SAMI data is encrypted with NSA-approved cryptography.

Review the system security plan or interview the application representative to determine the classification of data in the application. Also, review the encryption mechanisms protecting the data, including all data stored by REST-style or SOAP-based web services. NIST-certified cryptography should be used to protect stored sensitive information if required by the information owner. NIST-certified cryptography should be used to protect stored classified non-SAMI data if required by the information owner. NSA-approved cryptography should be used to protect stored classified SAMI information.

1) If data at rest is not protected with the appropriate level of encryption, this is a finding.
**Fix Text (F-17009r1_fix)**

Configure the system to encrypt stored sensitive information as required by the data owner, and ensure the encryption is performed using NIST FIPS 140-2 validated cryptography. Replace any cryptography that is not NIST certified. Encrypt stored, non-SAMI classified information using NIST FIPS 140-2 validated encryption. Implement NSA-validated Type 1 encryption of all SAMI data stored in the enclave. Alternatively, remove the SAMI from the enclave, or remove the uncleared users from the enclave.