UCF STIG Viewer Logo

The application server must utilize FIPS validated cryptography when protecting unclassified compartmentalized data.


Overview

Finding ID Version Rule ID IA Controls Severity
V-35344 SRG-APP-000199-AS-000141 SV-46631r1_rule Medium
Description
Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data. Use of weak or un-tested encryption algorithms undermines the purposes of utilizing encryption to protect data. FIPS 140-2 Security Requirements for Cryptographic Modules can be found at the following web site: http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf. Although persons may have a security clearance, they may not have a "need to know" and are required to be separated from the information in question. The application server must employ FIPS-validated cryptography to protect unclassified information from those individuals who have no "need to know" or when encryption of compartmentalized data is required by the data owner.
STIG Date
Application Server Security Requirements Guide 2013-01-08

Details

Check Text ( C-43712r1_chk )
Review policy documents to identify data that is compartmentalized and requires cryptographic protection. Review system configuration to identify the encryption modules utilized to protect the compartmentalized data. If the encryption modules used to protect the compartmentalized data are not FIPS validated, this is a finding.
Fix Text (F-39890r1_fix)
Configure the AS to utilize FIPS validated cryptography when protecting unclassified, compartmentalized data.