Application servers must use NIST-approved or NSA-approved key management technology and processes.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-35337	SRG-APP-000193-AS-000136	SV-46624r1_rule		Medium

Description
A symmetric encryption key must be protected during transmission. The public portion of an asymmetric key pair can be freely distributed without fear of compromise and the private portion of the key must be protected. The AS will provide software libraries that applications can programmatically utilize so as to encrypt and decrypt information. These AS libraries must use NIST-approved or NSA-approved key management technology and processes when producing, controlling, or distributing asymmetric and asymmetric keys.

Description

A symmetric encryption key must be protected during transmission. The public portion of an asymmetric key pair can be freely distributed without fear of compromise and the private portion of the key must be protected. The AS will provide software libraries that applications can programmatically utilize so as to encrypt and decrypt information. These AS libraries must use NIST-approved or NSA-approved key management technology and processes when producing, controlling, or distributing asymmetric and asymmetric keys.

STIG	Date
Application Server Security Requirements Guide	2013-01-08

Details

Check Text ( C-43705r1_chk )
Review AS configuration, and the NIST FIPS certificate to validate the AS uses NIST-approved or NSA-approved key management technology and processes when producing, controlling or distributing symmetric and asymmetric keys. If the AS does not use this NIST-approved or NSA-approved key management technology and processes, this is a finding.

Fix Text (F-39883r1_fix)
Configure the AS to utilize NIST-approved or NSA-approved key management technology when the AS produces, controls, and distributes symmetric and asymmetric cryptographic keys.