STIGQter: STIG Summary: Application Security and Development Security Technical Implementation Guide, Version: 5, Release: 1, Benchmark Date: 23 Oct 2020

The application must protect the confidentiality and integrity of transmitted information.

DISA Rule

SV-222596r508029_rule

Vulnerability Number

V-222596

Group Title

SRG-APP-000439

Rule Version

APSC-DV-002440

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Configure all of the application systems to require TLS encryption in accordance with data protection requirements.

Check Contents

Review the application documentation and interview the application administrator.

Identify application clients, servers and associated network connections including application networking ports.

Identify the types of data processed by the application and review any documented data protection requirements.

Identify the application communication protocols.

Review application documents for instructions or guidance on configuring application encryption settings.

Verify the application is configured to enable encryption protections for data in accordance with the data protection requirements. If no data protection requirements exist, ensure all application data is encrypted.

If the application does not utilize TLS, IPsec or other approved encryption mechanism to protect the confidentiality and integrity of transmitted information, this is a finding.

Documentable

False

Severity Override Guidance

Review the application documentation and interview the application administrator.

Identify application clients, servers and associated network connections including application networking ports.

Identify the types of data processed by the application and review any documented data protection requirements.

Identify the application communication protocols.

Review application documents for instructions or guidance on configuring application encryption settings.

Verify the application is configured to enable encryption protections for data in accordance with the data protection requirements. If no data protection requirements exist, ensure all application data is encrypted.

If the application does not utilize TLS, IPsec or other approved encryption mechanism to protect the confidentiality and integrity of transmitted information, this is a finding.

Check Content Reference

M

Target Key

4093