Skip to content
Log In

CCI-001199

Protects the confidentiality and/or integrity of organization-defined information at rest.

Enable FIPS Mode in GRUB2

5 rules found Severity: High

Logo

Encrypt Partitions

20 rules found Severity: High

Logo

FIPS mode must be enabled on all Docker Engine - Enterprise nodes.

1 rule found Severity: High

Logo

Docker Secrets must be used to store configuration files and small amounts of user-generated data (up to 500 kb in size) in Docker Enterprise.

1 rule found Severity: Medium

Logo

The FortiGate device must only allow authorized administrators to view or change the device configuration, system files, and other files stored either in the device or on removable media (such as a flash drive).

1 rule found Severity: High

Logo

CounterACT must allow only authorized administrators to view or change the device configuration, system files, and other files stored either in the device or on removable media.

1 rule found Severity: Medium

Logo

IBM Aspera Faspex must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.

1 rule found Severity: Medium

Logo

IBM Aspera Shares must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.

1 rule found Severity: Medium

Logo

The MQ Appliance messaging server must implement cryptography mechanisms to protect the integrity of the remote access session.

1 rule found Severity: Medium

Logo

DB2 must protect the confidentiality and integrity of all information at rest.

1 rule found Severity: Medium

Logo

IBM z/VM tapes must use Tape Encryption.

1 rule found Severity: Medium

Logo

Microsoft Android 11 must be configured to enable encryption for data at rest on removable storage media or alternately, the use of removable storage media must be disabled.

2 rules found Severity: High

Logo

Exchange Public Folder stores must be retained until backups are complete.

1 rule found Severity: Medium

Logo

The Exchange Public Folder database must not be overwritten by a restore.

1 rule found Severity: Low

Logo

Exchange Mailboxes must be retained until backups are complete.

2 rules found Severity: Medium

Logo

The Exchange Mailbox database must not be overwritten by a restore.

1 rule found Severity: Low

Logo

Exchange email forwarding must be restricted.

3 rules found Severity: Medium

Logo

Exchange email-forwarding SMTP domains must be restricted.

3 rules found Severity: Medium

Logo

Document metadata for password protected files must be protected.

2 rules found Severity: Medium

Logo

The encryption type for password protected Open XML files must be set.

2 rules found Severity: Medium

Logo

The encryption type for password protected Office 97 thru Office 2003 must be set.

2 rules found Severity: Medium

Logo

Passwords for secured documents must be enforced.

2 rules found Severity: Medium

Logo

The Database Master Key must be encrypted by the Service Master Key, where a Database Master Key is required and another encryption method has not been specified.

1 rule found Severity: Medium

Logo

Database Master Key passwords must not be stored in credentials within the database.

1 rule found Severity: Medium

Logo

Symmetric keys (other than the database master key) must use a DoD certificate to encrypt the key.

1 rule found Severity: Medium

Logo

SQL Server must protect data at rest and ensure confidentiality and integrity of data.

1 rule found Severity: Medium

Logo

The Service Master Key must be backed up, stored offline and off-site.

1 rule found Severity: Medium

Logo

The Windows 2012 DNS Server must protect secret/private cryptographic keys while at rest.

1 rule found Severity: Medium

Logo

Nutanix AOS must protect the confidentiality and integrity of all information at rest.

1 rule found Severity: High

Logo

Samsung Android must be configured to enable encryption for data at rest on removable storage media or alternatively, the use of removable storage media must be disabled.

2 rules found Severity: High

Logo

The Tanium Operating System (TanOS) must use FIPS-validated encryption and hashing algorithms to protect the confidentiality and integrity of operating system configuration and user-generated data stored on the host.

2 rules found Severity: Medium

Logo

Apple iOS/iPadOS 16 must require a valid password be successfully entered before the mobile device data is unencrypted.

2 rules found Severity: High

Logo

The Apple iOS must be configured to disable automatic transfer of diagnostic data to an external device other than an MDM service with which the device has enrolled.

5 rules found Severity: Low

Logo

The macOS system must implement cryptographic mechanisms to protect the confidentiality and integrity of all information at rest.

1 rule found Severity: Medium

Logo

Ubuntu operating systems handling data requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.

1 rule found Severity: Medium

Logo

MongoDB must protect the confidentiality and integrity of all information at rest.

3 rules found Severity: High

Logo

Userdata persistence must be disallowed (Internet zone).

1 rule found Severity: Medium

Logo

Userdata persistence must be disallowed (Restricted Sites zone).

1 rule found Severity: Medium

Logo

The DBMS must take needed steps to protect data at rest and ensure confidentiality and integrity of application data.

1 rule found Severity: Medium

Logo

PostgreSQL must protect the confidentiality and integrity of all information at rest.

3 rules found Severity: High

Logo

The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.

1 rule found Severity: High

Logo

Samsung Android must be configured to enable encryption for data at rest on removable storage media or, alternately, the use of removable storage media must be disabled.

8 rules found Severity: High

Logo

The EDB Postgres Advanced Server must protect the confidentiality and integrity of all information at rest.

2 rules found Severity: High

Logo

Apple iOS/iPadOS 17 must require a valid password be successfully entered before the mobile device data is unencrypted.

2 rules found Severity: High

Logo

Apple iOS/iPadOS 16 must implement the management setting: limit Ad Tracking.

1 rule found Severity: Low

Logo

Apple iOS/iPadOS 17 must implement the management setting: limit Ad Tracking.

1 rule found Severity: Low

Logo

The macOS system must implement cryptographic mechanisms to protect the confidentiality and integrity of all information at rest.

1 rule found Severity: High

Logo

The DNSSEC keys used with the BIND 9.x implementation must be owned by a privileged account.

1 rule found Severity: Medium

Logo

The DNSSEC keys used with the BIND 9.x implementation must be group owned by a privileged account.

1 rule found Severity: Medium

Logo

Permissions assigned to the DNSSEC keys used with the BIND 9.x implementation must enforce read-only access to the key owner and deny access to all other users.

1 rule found Severity: Medium

Logo

Ubuntu operating systems handling data requiring "data at rest" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.

1 rule found Severity: Medium

Logo

The Cisco ISE must only allow authorized administrators to view or change the device configuration, system files, and other files stored.

1 rule found Severity: High

Logo

The DNS server implementation must protect the confidentiality and integrity of secret/private cryptographic keys at rest and the integrity of DNS information at rest.

1 rule found Severity: Medium

Logo

Browser history must be saved.

1 rule found Severity: Medium

Logo

AIX must protect the confidentiality and integrity of all information at rest.

1 rule found Severity: Medium

Logo

The ICS must be configured to prevent nonprivileged users from executing privileged functions.

1 rule found Severity: High

Logo

The Juniper device must be configured to only allow authorized administrators to view or change the device configuration, system files, and other files stored either in the device or on removable media (such as a flash drive).

1 rule found Severity: High

Logo

JBoss file permissions must be configured to protect the confidentiality and integrity of application files.

1 rule found Severity: Medium

Logo

MarkLogic Server must protect the confidentiality and integrity of all information at rest.

1 rule found Severity: High

Logo

Azure SQL Database must protect the confidentiality and integrity of all information at rest.

1 rule found Severity: High

Logo

The production IIS 10.0 web server must utilize SHA2 encryption for the Machine Key.

1 rule found Severity: Medium

Logo

Windows 11 nonpersistent VM sessions must not exceed 24 hours.

1 rule found Severity: Medium

Logo

Systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.

1 rule found Severity: High

Logo

The Windows DNS Server must protect secret/private cryptographic keys while at rest.

1 rule found Severity: Medium

Logo

The network device must only allow authorized administrators to view or change the device configuration, system files, and other files stored either in the device or on removable media (such as a flash drive).

1 rule found Severity: High

Logo

ONTAP must enforce administrator privileges based on their defined roles.

1 rule found Severity: High

Logo

The Oracle Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.

1 rule found Severity: High

Logo

The MySQL Database Server 8.0 must protect the confidentiality and integrity of all information at rest.

1 rule found Severity: High

Logo

Automation Controller must implement cryptography mechanisms to protect the integrity of information.

1 rule found Severity: High

Logo

Redis Enterprise DBMS must protect the confidentiality and integrity of all information at rest.

1 rule found Severity: High

Logo

All SLEM 5 persistent disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at-rest protection.

1 rule found Severity: High

Logo

All TOSS local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.

1 rule found Severity: Medium

Logo

Information at rest must be encrypted using a DoD-accepted algorithm to protect the confidentiality and integrity of the information.

1 rule found Severity: Medium

Logo

NixOS must protect the confidentiality and integrity of all information at rest.

1 rule found Severity: High

Logo

AAA Services must be configured to protect the confidentiality and integrity of all information at rest.

1 rule found Severity: High

Logo

Apple iOS/iPadOS 18 must require a valid password be successfully entered before the mobile device data is unencrypted.

1 rule found Severity: High

Logo

Apple iOS/iPadOS 18 must implement the management setting: limit Ad Tracking.

1 rule found Severity: Low

Logo

The macOS system must enforce FileVault.

2 rules found Severity: High

Logo

The application server must protect the confidentiality and integrity of all information at rest.

1 rule found Severity: Medium

Logo

The application server must employ cryptographic mechanisms to ensure confidentiality and integrity of all information at rest when stored off-line.

1 rule found Severity: Medium

Logo

The application must protect the confidentiality and integrity of stored information when required by DoD policy or the information owner.

1 rule found Severity: Medium

Logo

Ubuntu 22.04 LTS must implement cryptographic mechanisms to prevent unauthorized disclosure and modification of all information that requires protection at rest.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.

1 rule found Severity: High

Logo

The DBMS must protect the confidentiality and integrity of all information at rest.

1 rule found Severity: High

Logo

Dragos must use FIPS-validated encryption and hashing algorithms to protect the confidentiality and integrity of application configuration files and user-generated data stored or aggregated on the device.

1 rule found Severity: Medium

Logo

Forescout must only allow authorized administrators to view or change the device configuration, system files, and other files stored either in the device or on removable media (such as a flash drive).

1 rule found Severity: High

Logo

The operating system must protect the confidentiality and integrity of all information at rest.

1 rule found Severity: Medium

Logo

ACF2 SECVOLS GSO record value must be set to VOLMASK(). Any local changes are justified and documented with the ISSO.

1 rule found Severity: Medium

Logo

ACF2 RESVOLS GSO record value must be set to Volmask(-). Any other setting requires documentation justifying the change.

1 rule found Severity: Medium

Logo

The IBM z/OS systems requiring data at rest protection must properly employ IBM DS8880 or equivalent hardware solutions for full disk encryption.

2 rules found Severity: High

Logo

The IBM z/OS systems requiring data-at-rest protection must properly employ IBM DS8880 or equivalent hardware solutions for full disk encryption.

1 rule found Severity: High

Logo

The Mainframe Product must protect the confidentiality and integrity of all information at rest.

1 rule found Severity: Medium

Logo

MariaDB must protect the confidentiality and integrity of all information at rest.

1 rule found Severity: High

Logo

Exchange mailboxes must be retained until backups are complete.

1 rule found Severity: Medium

Logo

Document metadata for password protected files must be protected.

1 rule found Severity: Medium

Logo

The encryption type for password protected Open XML files must be set.

1 rule found Severity: Medium

Logo

The encryption type for password protected Office 97 thru Office 2003 must be set.

1 rule found Severity: Medium

Logo

Office applications must be configured to specify encryption type in password-protected Office 97-2003 files.

1 rule found Severity: Medium

Logo

Office applications must be configured to specify encryption type in password-protected Office Open XML files.

1 rule found Severity: Medium

Logo

The Database Master Key encryption password must meet DOD password complexity requirements.

1 rule found Severity: Medium

Logo

The Database Master Key must be encrypted by the Service Master Key, where a Database Master Key is required and another encryption method has not been specified.

1 rule found Severity: Medium

Logo

The Certificate used for encryption must be backed up and stored in a secure location that is not on the SQL Server.

1 rule found Severity: Medium

Logo

SQL Server must protect the confidentiality and integrity of all information at rest.

1 rule found Severity: High

Logo

The Service Master Key must be backed up and stored in a secure location that is not on the SQL Server.

1 rule found Severity: Medium

Logo

The Master Key must be backed up and stored in a secure location that is not on the SQL Server.

1 rule found Severity: Medium

Logo

Windows 10 information systems must use BitLocker to encrypt all disks to protect the confidentiality and integrity of all information at rest.

1 rule found Severity: High

Logo

Windows 10 systems must use a BitLocker PIN for pre-boot authentication.

1 rule found Severity: High

Logo

Windows 10 systems must use a BitLocker PIN with a minimum length of six digits for pre-boot authentication.

1 rule found Severity: High

Logo

Windows 10 nonpersistent VM sessions must not exceed 24 hours.

1 rule found Severity: Medium

Logo

Windows Server 2019 systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.

1 rule found Severity: High

Logo

Windows Server 2022 systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.

1 rule found Severity: High

Logo

The DBMS must take needed steps to protect data at rest and ensure confidentiality and integrity of application data.

1 rule found Severity: High

Logo

All OL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at-rest protection.

1 rule found Severity: High

Logo

All RHEL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.

1 rule found Severity: High

Logo

RHEL 9 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.

1 rule found Severity: High

Logo

All SUSE operating system persistent disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.

1 rule found Severity: High

Logo

All SUSE operating system persistent disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at-rest protection.

1 rule found Severity: High

Logo

The operating system must protect the confidentiality and integrity of information at rest.

2 rules found Severity: Low

Logo

The NSX Manager must assign users/accounts to organization-defined roles configured with approved authorizations.

1 rule found Severity: High

Logo

The VMM must protect the confidentiality and integrity of all information at rest.

1 rule found Severity: Medium

Logo

The vCenter Server must enable FIPS-validated cryptography.

3 rules found Severity: High

Logo