STIGQter STIGQter: STIG Summary: Application Security and Development Security Technical Implementation Guide Version: 5 Release: 1 Benchmark Date: 23 Oct 2020:

The application must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.

DISA Rule

SV-222569r561293_rule

Vulnerability Number

V-222569

Group Title

SRG-APP-000416

Rule Version

APSC-DV-002010

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure application to encrypt stored classified information; Ensure encryption is performed using NIST FIPS 140-2-validated encryption.

Encrypt stored, non-SAMI classified information using NIST FIPS 140-2-validated encryption.

Implement NSA-validated type-1 encryption of all SAMI data stored in the enclave.

Check Contents

Review the application documentation, system security plan and interview the application administrator to determine if the application processes classified data.

If the application does not process classified data, this requirement is not applicable.

Identify the data classifications and the cryptographic protections established to protect the application data.

Verify the application is configured to utilize the appropriate encryption based upon data classification, cryptographic tasks that need to be performed (information protection, hashing, signing) and information protection requirements.

NIST-certified cryptography must be used to store classified non-Sources and Methods Intelligence (SAMI) information if required by the information owner.

NSA-validated type-1 encryption must be used for all SAMI data stored in the enclave.

If the application is not configured to utilize the NSA-approved cryptographic modules in accordance with data protection requirements specified in the security plan, this is a finding.

Vulnerability Number

V-222569

Documentable

False

Rule Version

APSC-DV-002010

Severity Override Guidance

Review the application documentation, system security plan and interview the application administrator to determine if the application processes classified data.

If the application does not process classified data, this requirement is not applicable.

Identify the data classifications and the cryptographic protections established to protect the application data.

Verify the application is configured to utilize the appropriate encryption based upon data classification, cryptographic tasks that need to be performed (information protection, hashing, signing) and information protection requirements.

NIST-certified cryptography must be used to store classified non-Sources and Methods Intelligence (SAMI) information if required by the information owner.

NSA-validated type-1 encryption must be used for all SAMI data stored in the enclave.

If the application is not configured to utilize the NSA-approved cryptographic modules in accordance with data protection requirements specified in the security plan, this is a finding.

Check Content Reference

M

Target Key

4093

Comments