The DBMS must employ NIST validated cryptography to protect unclassified information.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-32500	SRG-APP-000197-DB-000142	SV-42837r1_rule		Medium

Description
Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. Use of cryptography to provide confidentiality and non-repudiation is not effective unless strong methods are employed with its use. Many earlier encryption methods and modules have been broken and/or overtaken by increasing computing power. The NIST FIPS 140-2 cryptographic standards provide proven methods and strengths to employ cryptography effectively. This control does not impose any requirements on organizations to use cryptography. Rather, if cryptography is required based on the selection of other controls and subsequently implemented by organizational information systems, the cryptographic modules comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Generally applicable cryptographic standards include, for example, FIPS-validated cryptography to protect unclassified information and NSA-approved cryptography to protect classified information. Detailed information on the NIST Cryptographic Module Validation Program (CMVP) is available at the following web site: http://csrc.nist.gov/groups/STM/cmvp/index.html.

Description

Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. Use of cryptography to provide confidentiality and non-repudiation is not effective unless strong methods are employed with its use. Many earlier encryption methods and modules have been broken and/or overtaken by increasing computing power. The NIST FIPS 140-2 cryptographic standards provide proven methods and strengths to employ cryptography effectively. This control does not impose any requirements on organizations to use cryptography. Rather, if cryptography is required based on the selection of other controls and subsequently implemented by organizational information systems, the cryptographic modules comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Generally applicable cryptographic standards include, for example, FIPS-validated cryptography to protect unclassified information and NSA-approved cryptography to protect classified information. Detailed information on the NIST Cryptographic Module Validation Program (CMVP) is available at the following web site: http://csrc.nist.gov/groups/STM/cmvp/index.html.

STIG	Date
Database Security Requirements Guide	2012-07-02

Details

Check Text ( C-40938r2_chk )
Review system documentation to determine whether cryptography for unclassified information is required by the information owner. If unclassified information is not required to be encrypted, this is NA. If cryptography being used by the DBMS is not NIST FIPS 140-2 certified, this is a finding. If non-compliant algorithms or hash functions are specified, this is a finding. If un-validated cryptographic modules are in use, this is a finding. Detailed information on the NIST Cryptographic Module Validation Program (CMVP) is available at the following web site: http://csrc.nist.gov/groups/STM/cmvp/index.html.

Check Text ( C-40938r2_chk )

Review system documentation to determine whether cryptography for unclassified information is required by the information owner. If unclassified information is not required to be encrypted, this is NA.

If cryptography being used by the DBMS is not NIST FIPS 140-2 certified, this is a finding.

If non-compliant algorithms or hash functions are specified, this is a finding.

If un-validated cryptographic modules are in use, this is a finding.

Detailed information on the NIST Cryptographic Module Validation Program (CMVP) is available at the following web site: http://csrc.nist.gov/groups/STM/cmvp/index.html.

Fix Text (F-36415r1_fix)
Obtain and utilize native or third-party NIST validated FIPS 140-2 compliant cryptography solution for the DBMS. Configure cryptographic functions to use FIPS 140-2 compliant algorithms and hashing functions.