The DBMS must employ NIST validated FIPS compliant cryptography to protect unclassified information when such information must be separated from individuals who have the necessary clearances yet lack the necessary access approvals.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-32502	SRG-APP-000199-DB-000144	SV-42839r1_rule		Medium

Description
Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. Use of cryptography to provide confidentiality and non-repudiation is not effective unless strong methods are employed with its use. Many earlier encryption methods and modules have been broken and/or overtaken by increasing computing power. The NIST FIPS 140-2 cryptographic standards provide proven methods and strengths to employ cryptography effectively. Often individuals accessing information on the database may have the appropriate clearance to access the information but may lack the necessary approvals or need to know. In these cases, it's important that cryptography is utilized in order to protect the information from accidental disclosure. Detailed information on the NIST Cryptographic Module Validation Program (CMVP) is available at the following web site: http://csrc.nist.gov/groups/STM/cmvp/index.html.

Description

Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. Use of cryptography to provide confidentiality and non-repudiation is not effective unless strong methods are employed with its use. Many earlier encryption methods and modules have been broken and/or overtaken by increasing computing power. The NIST FIPS 140-2 cryptographic standards provide proven methods and strengths to employ cryptography effectively. Often individuals accessing information on the database may have the appropriate clearance to access the information but may lack the necessary approvals or need to know. In these cases, it's important that cryptography is utilized in order to protect the information from accidental disclosure. Detailed information on the NIST Cryptographic Module Validation Program (CMVP) is available at the following web site: http://csrc.nist.gov/groups/STM/cmvp/index.html.

STIG	Date
Database Security Requirements Guide	2012-07-02

Details

Check Text ( C-40940r3_chk )
Review system documentation to determine whether there are individuals with access to the system who do not have the necessary approvals to view some or all of the data. If cryptography is not being used to protect the data from those individuals, this is a finding. If the cryptography being used is not NIST FIPS 140-2 certified, this is a finding. If non-compliant algorithms or hash functions are specified, this is a finding. If un-validated cryptographic modules are in use, this is a finding. Detailed information on the NIST Cryptographic Module Validation Program (CMVP) is available at the following web site: http://csrc.nist.gov/groups/STM/cmvp/index.html

Check Text ( C-40940r3_chk )

Review system documentation to determine whether there are individuals with access to the system who do not have the necessary approvals to view some or all of the data. If cryptography is not being used to protect the data from those individuals, this is a finding.

If the cryptography being used is not NIST FIPS 140-2 certified, this is a finding.

If non-compliant algorithms or hash functions are specified, this is a finding.

If un-validated cryptographic modules are in use, this is a finding.

Detailed information on the NIST Cryptographic Module Validation Program (CMVP) is available at the following web site: http://csrc.nist.gov/groups/STM/cmvp/index.html

Fix Text (F-36417r1_fix)
Obtain and utilize native or third-party NIST validated FIPS 140-2 compliant cryptography solution for the DBMS. Configure cryptographic functions to use FIPS 140-2 compliant algorithms and hashing functions.