Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-35344 | SRG-APP-000199-AS-000141 | SV-46631r1_rule | Medium |
Description |
---|
Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data. Use of weak or un-tested encryption algorithms undermines the purposes of utilizing encryption to protect data. FIPS 140-2 Security Requirements for Cryptographic Modules can be found at the following web site: http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf. Although persons may have a security clearance, they may not have a "need to know" and are required to be separated from the information in question. The application server must employ FIPS-validated cryptography to protect unclassified information from those individuals who have no "need to know" or when encryption of compartmentalized data is required by the data owner. |
STIG | Date |
---|---|
Application Server Security Requirements Guide | 2013-01-08 |
Check Text ( C-43712r1_chk ) |
---|
Review policy documents to identify data that is compartmentalized and requires cryptographic protection. Review system configuration to identify the encryption modules utilized to protect the compartmentalized data. If the encryption modules used to protect the compartmentalized data are not FIPS validated, this is a finding. |
Fix Text (F-39890r1_fix) |
---|
Configure the AS to utilize FIPS validated cryptography when protecting unclassified, compartmentalized data. |