Information at rest must be encrypted using a DOD-accepted algorithm to protect the confidentiality and integrity of the information.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-206407	SRG-APP-000231-WSR-000144	SV-206407r1029555_rule		Medium

Description

Data at rest is inactive data stored physically in any digital form (e.g., databases, data warehouses, spreadsheets, archives, tapes, off-site backups, mobile devices, etc.). Data at rest includes, but is not limited to, archived data, data that is not accessed or changed frequently, files stored on hard drives, USB thumb drives, files stored on backup tape and disks, and files stored off-site or on a storage area network. While data at rest can reside in many places, data at rest for a web server is data on the hosting system storage devices. Data stored as a backup on tape or stored off-site is no longer under the protection measures covered by the web server. There are several pieces of data the web server uses during operation. The web server must use an accepted encryption method, such as AES-256, to protect the confidentiality and integrity of the information.

STIG	Date
Web Server Security Requirements Guide	2025-02-12

Details

Check Text (C-6668r1029553_chk)

Review the web server documentation and deployed configuration to locate where potential data at rest is stored.

Verify that the data is encrypted using a DOD-accepted algorithm to protect the confidentiality and integrity of the information.

If the data is not encrypted using a DOD-accepted algorithm, this is a finding.

Fix Text (F-6668r1029554_fix)

Use a DOD-accepted algorithm to encrypt data at rest to protect the information's confidentiality and integrity.