UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Information at rest must be encrypted using a DoD-accepted algorithm to protect the confidentiality and integrity of the information.


Overview

Finding ID Version Rule ID IA Controls Severity
V-41815 SRG-APP-000231-WSR-000144 SV-54392r3_rule Medium
Description
Data at rest is inactive data which is stored physically in any digital form (e.g., databases, data warehouses, spreadsheets, archives, tapes, off-site backups, mobile devices, etc.). Data at rest includes, but is not limited to, archived data, data which is not accessed or changed frequently, files stored on hard drives, USB thumb drives, files stored on backup tape and disks, and files stored off-site or on a storage area network. While data at rest can reside in many places, data at rest for a web server is data on the hosting system storage devices. Data stored as a backup on tape or stored off-site is no longer under the protection measures covered by the web server. There are several pieces of data that the web server uses during operation. The web server must use an accepted encryption method, such as SHA1, to protect the confidentiality and integrity of the information.
STIG Date
Web Server Security Requirements Guide 2019-03-20

Details

Check Text ( C-48203r2_chk )
Review the web server documentation and deployed configuration to locate where potential data at rest is stored.

Verify that the data is encrypted using a DoD-accepted algorithm to protect the confidentiality and integrity of the information.

If the data is not encrypted using a DoD-accepted algorithm, this is a finding.
Fix Text (F-47274r2_fix)
Use a DoD-accepted algorithm to encrypt data at rest to protect the information's confidentiality and integrity.