STIGQter: STIG Summary: Application Security and Development Security Technical Implementation Guide Version: 5 Release: 1 Benchmark Date: 23 Oct 2020:

The application must implement approved cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest on organization-defined information system components.

DISA Rule

SV-222588r508029_rule

Vulnerability Number

V-222588

Group Title

SRG-APP-000428

Rule Version

APSC-DV-002340

Severity

CAT II

CCI(s)

• CCI-002475 - The information system implements cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest on organization-defined information system components.

Weight

10

Fix Recommendation

Identify data elements that require protection.

Document the data types and specify encryption requirements.

Encrypt data according to DoD policy or data owner requirements.

Check Contents

Review the documentation and interview the application administrator.

Identify the data processed by the application and the accompanying data protection requirements.

Determine if the data owner has specified data protection encryption requirements regarding modification of data.

Determine if the application is processing publicly releasable, FOUO or classified data.

Determine if the application configuration information contains sensitive information.

If the data is strictly publicly releasable information and system documentation specifies no data encryption is required for any hosted application data, this is not applicable.

Access the data repository and have the application administrator identify the encryption protections that are utilized.

If the application processes classified data or if the data owner has specified encryption requirements and the application administrator is unable to demonstrate how the data is encrypted, this is a finding.

Vulnerability Number

V-222588

Documentable

False

Rule Version

APSC-DV-002340

Severity Override Guidance

Review the documentation and interview the application administrator.

Identify the data processed by the application and the accompanying data protection requirements.

Determine if the data owner has specified data protection encryption requirements regarding modification of data.

Determine if the application is processing publicly releasable, FOUO or classified data.

Determine if the application configuration information contains sensitive information.

If the data is strictly publicly releasable information and system documentation specifies no data encryption is required for any hosted application data, this is not applicable.

Access the data repository and have the application administrator identify the encryption protections that are utilized.

If the application processes classified data or if the data owner has specified encryption requirements and the application administrator is unable to demonstrate how the data is encrypted, this is a finding.

Check Content Reference

M

Target Key

4093

Comments