Capacity
CCI-001199
Protects the confidentiality and/or integrity of organization-defined information at rest.
5
Rule
Severity: High
Enable FIPS Mode in GRUB2
17
Rule
Severity: High
Encrypt Partitions
2
Rule
Severity: High
AAA Services must be configured to protect the confidentiality and integrity of all information at rest.
2
Rule
Severity: Medium
The application server must protect the confidentiality and integrity of all information at rest.
2
Rule
Severity: Medium
The application server must employ cryptographic mechanisms to ensure confidentiality and integrity of all information at rest when stored off-line.
2
Rule
Severity: Medium
The application must protect the confidentiality and integrity of stored information when required by DoD policy or the information owner.
2
Rule
Severity: Medium
The DNSSEC keys used with the BIND 9.x implementation must be owned by a privileged account.
2
Rule
Severity: Medium
The DNSSEC keys used with the BIND 9.x implementation must be group owned by a privileged account.
2
Rule
Severity: Medium
Permissions assigned to the DNSSEC keys used with the BIND 9.x implementation must enforce read-only access to the key owner and deny access to all other users.
1
Rule
Severity: High
FIPS mode must be enabled on all Docker Engine - Enterprise nodes.
1
Rule
Severity: Medium
Docker Secrets must be used to store configuration files and small amounts of user-generated data (up to 500 kb in size) in Docker Enterprise.
2
Rule
Severity: Medium
The DNS server implementation must protect the confidentiality and integrity of secret/private cryptographic keys at rest and the integrity of DNS information at rest.
1
Rule
Severity: High
The FortiGate device must only allow authorized administrators to view or change the device configuration, system files, and other files stored either in the device or on removable media (such as a flash drive).
1
Rule
Severity: Medium
CounterACT must allow only authorized administrators to view or change the device configuration, system files, and other files stored either in the device or on removable media.
2
Rule
Severity: High
Forescout must only allow authorized administrators to view or change the device configuration, system files, and other files stored either in the device or on removable media (such as a flash drive).
1
Rule
Severity: Medium
IBM Aspera Faspex must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.
1
Rule
Severity: Medium
IBM Aspera Shares must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.
1
Rule
Severity: Medium
The MQ Appliance messaging server must implement cryptography mechanisms to protect the integrity of the remote access session.
1
Rule
Severity: Medium
DB2 must protect the confidentiality and integrity of all information at rest.
1
Rule
Severity: Medium
IBM z/VM tapes must use Tape Encryption.
2
Rule
Severity: Medium
JBoss file permissions must be configured to protect the confidentiality and integrity of application files.
2
Rule
Severity: Medium
The Mainframe Product must protect the confidentiality and integrity of all information at rest.
2
Rule
Severity: High
Microsoft Android 11 must be configured to enable encryption for data at rest on removable storage media or alternately, the use of removable storage media must be disabled.
2
Rule
Severity: High
Azure SQL Database must protect the confidentiality and integrity of all information at rest.
1
Rule
Severity: Medium
Exchange Public Folder stores must be retained until backups are complete.
1
Rule
Severity: Low
The Exchange Public Folder database must not be overwritten by a restore.
2
Rule
Severity: Medium
Exchange Mailboxes must be retained until backups are complete.
1
Rule
Severity: Low
The Exchange Mailbox database must not be overwritten by a restore.
4
Rule
Severity: Medium
Exchange email forwarding must be restricted.
4
Rule
Severity: Medium
Exchange email-forwarding SMTP domains must be restricted.
2
Rule
Severity: Medium
Document metadata for password protected files must be protected.
2
Rule
Severity: Medium
The encryption type for password protected Open XML files must be set.
2
Rule
Severity: Medium
The encryption type for password protected Office 97 thru Office 2003 must be set.
2
Rule
Severity: Medium
Passwords for secured documents must be enforced.
2
Rule
Severity: Medium
Document metadata for password protected files must be protected.
2
Rule
Severity: Medium
The encryption type for password protected Open XML files must be set.
2
Rule
Severity: Medium
The encryption type for password protected Office 97 thru Office 2003 must be set.
1
Rule
Severity: Medium
The Database Master Key must be encrypted by the Service Master Key, where a Database Master Key is required and another encryption method has not been specified.
1
Rule
Severity: Medium
Database Master Key passwords must not be stored in credentials within the database.
1
Rule
Severity: Medium
Symmetric keys (other than the database master key) must use a DoD certificate to encrypt the key.
1
Rule
Severity: Medium
SQL Server must protect data at rest and ensure confidentiality and integrity of data.
2
Rule
Severity: Medium
The Service Master Key must be backed up, stored offline and off-site.
1
Rule
Severity: Medium
The Windows 2012 DNS Server must protect secret/private cryptographic keys while at rest.
2
Rule
Severity: High
ONTAP must enforce administrator privileges based on their defined roles.
2
Rule
Severity: High
The network device must only allow authorized administrators to view or change the device configuration, system files, and other files stored either in the device or on removable media (such as a flash drive).
1
Rule
Severity: High
Nutanix AOS must protect the confidentiality and integrity of all information at rest.
2
Rule
Severity: High
Samsung Android must be configured to enable encryption for data at rest on removable storage media or alternatively, the use of removable storage media must be disabled.
10
Rule
Severity: High
Samsung Android must be configured to enable encryption for data at rest on removable storage media or, alternately, the use of removable storage media must be disabled.
2
Rule
Severity: Medium
The Tanium Operating System (TanOS) must use FIPS-validated encryption and hashing algorithms to protect the confidentiality and integrity of operating system configuration and user-generated data stored on the host.
3
Rule
Severity: High
Apple iOS/iPadOS 16 must require a valid password be successfully entered before the mobile device data is unencrypted.
7
Rule
Severity: Low
The Apple iOS must be configured to disable automatic transfer of diagnostic data to an external device other than an MDM service with which the device has enrolled.
3
Rule
Severity: High
Apple iOS/iPadOS 17 must require a valid password be successfully entered before the mobile device data is unencrypted.
2
Rule
Severity: Low
Apple iOS/iPadOS 17 must implement the management setting: limit Ad Tracking.
2
Rule
Severity: Low
Apple iOS/iPadOS 16 must implement the management setting: limit Ad Tracking.
1
Rule
Severity: Medium
The macOS system must implement cryptographic mechanisms to protect the confidentiality and integrity of all information at rest.
3
Rule
Severity: High
The macOS system must implement cryptographic mechanisms to protect the confidentiality and integrity of all information at rest.
1
Rule
Severity: Medium
Ubuntu operating systems handling data requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.
3
Rule
Severity: High
The macOS system must enforce FileVault.
2
Rule
Severity: Medium
Ubuntu operating systems handling data requiring "data at rest" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.
4
Rule
Severity: High
PostgreSQL must protect the confidentiality and integrity of all information at rest.
2
Rule
Severity: High
The Cisco ISE must only allow authorized administrators to view or change the device configuration, system files, and other files stored.
3
Rule
Severity: High
The EDB Postgres Advanced Server must protect the confidentiality and integrity of all information at rest.
2
Rule
Severity: High
The DBMS must protect the confidentiality and integrity of all information at rest.
2
Rule
Severity: Medium
Browser history must be saved.
2
Rule
Severity: Medium
The operating system must protect the confidentiality and integrity of all information at rest.
2
Rule
Severity: Medium
AIX must protect the confidentiality and integrity of all information at rest.
2
Rule
Severity: Medium
ACF2 SECVOLS GSO record value must be set to VOLMASK(). Any local changes are justified and documented with the ISSO.
2
Rule
Severity: Medium
ACF2 RESVOLS GSO record value must be set to Volmask(-). Any other setting requires documentation justifying the change.
2
Rule
Severity: Medium
The IBM z/OS systems requiring data at rest protection must properly employ IBM DS8880 or equivalent hardware solutions for full disk encryption.
1
Rule
Severity: Medium
The IBM z/OS systems requiring data-at-rest protection must properly employ IBM DS8880 or equivalent hardware solutions for full disk encryption.
2
Rule
Severity: High
The ICS must be configured to prevent nonprivileged users from executing privileged functions.
2
Rule
Severity: High
The Juniper device must be configured to only allow authorized administrators to view or change the device configuration, system files, and other files stored either in the device or on removable media (such as a flash drive).
2
Rule
Severity: High
MarkLogic Server must protect the confidentiality and integrity of all information at rest.
2
Rule
Severity: High
MariaDB must protect the confidentiality and integrity of all information at rest.
3
Rule
Severity: High
MongoDB must protect the confidentiality and integrity of all information at rest.
2
Rule
Severity: Medium
Exchange mailboxes must be retained until backups are complete.
1
Rule
Severity: Medium
Userdata persistence must be disallowed (Internet zone).
1
Rule
Severity: Medium
Userdata persistence must be disallowed (Restricted Sites zone).
3
Rule
Severity: Medium
Office applications must be configured to specify encryption type in password-protected Office 97-2003 files.
3
Rule
Severity: Medium
Office applications must be configured to specify encryption type in password-protected Office Open XML files.
2
Rule
Severity: Medium
The production IIS 10.0 web server must utilize SHA2 encryption for the Machine Key.
2
Rule
Severity: Medium
The Database Master Key encryption password must meet DOD password complexity requirements.
2
Rule
Severity: Medium
The Database Master Key must be encrypted by the Service Master Key, where a Database Master Key is required and another encryption method has not been specified.
1
Rule
Severity: Medium
The Certificate used for encryption must be backed up, stored offline and off-site.
1
Rule
Severity: Medium
Windows 10 information systems must use BitLocker to encrypt all disks to protect the confidentiality and integrity of all information at rest.
1
Rule
Severity: Medium
Windows 10 systems must use a BitLocker PIN for pre-boot authentication.
1
Rule
Severity: Medium
Windows 10 systems must use a BitLocker PIN with a minimum length of six digits for pre-boot authentication.
2
Rule
Severity: High
SQL Server must protect the confidentiality and integrity of all information at rest.
1
Rule
Severity: Medium
The Master Key must be backed up, stored offline and off-site.
2
Rule
Severity: Medium
Windows 10 nonpersistent VM sessions must not exceed 24 hours.
2
Rule
Severity: Medium
Windows 11 nonpersistent VM sessions must not exceed 24 hours.
1
Rule
Severity: Medium
Systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.
1
Rule
Severity: Medium
Windows Server 2019 systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.
1
Rule
Severity: Medium
Windows Server 2022 systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.
1
Rule
Severity: Medium
All OL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at-rest protection.
1
Rule
Severity: Medium
The DBMS must take needed steps to protect data at rest and ensure confidentiality and integrity of application data.
2
Rule
Severity: High
The DBMS must take needed steps to protect data at rest and ensure confidentiality and integrity of application data.
2
Rule
Severity: High
The Oracle Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
2
Rule
Severity: High
The MySQL Database Server 8.0 must protect the confidentiality and integrity of all information at rest.
2
Rule
Severity: High
Automation Controller must implement cryptography mechanisms to protect the integrity of information.
2
Rule
Severity: High
Redis Enterprise DBMS must protect the confidentiality and integrity of all information at rest.
2
Rule
Severity: Medium
All RHEL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.
1
Rule
Severity: High
The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
1
Rule
Severity: Medium
All SUSE operating system persistent disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.
2
Rule
Severity: High
RHEL 9 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.
1
Rule
Severity: Medium
All SUSE operating system persistent disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at-rest protection.
4
Rule
Severity: Low
The operating system must protect the confidentiality and integrity of information at rest.
2
Rule
Severity: Medium
The VMM must protect the confidentiality and integrity of all information at rest.
4
Rule
Severity: High
The vCenter Server must enable FIPS-validated cryptography.
2
Rule
Severity: Medium
Information at rest must be encrypted using a DoD-accepted algorithm to protect the confidentiality and integrity of the information.
2
Rule
Severity: Medium
The Windows DNS Server must protect secret/private cryptographic keys while at rest.
1
Rule
Severity: Medium
Ubuntu 22.04 LTS must implement cryptographic mechanisms to prevent unauthorized disclosure and modification of all information that requires protection at rest.
1
Rule
Severity: Medium
Dragos must use FIPS-validated encryption and hashing algorithms to protect the confidentiality and integrity of application configuration files and user-generated data stored or aggregated on the device.
2
Rule
Severity: High
The IBM z/OS systems requiring data at rest protection must properly employ IBM DS8880 or equivalent hardware solutions for full disk encryption.
1
Rule
Severity: High
The IBM z/OS systems requiring data-at-rest protection must properly employ IBM DS8880 or equivalent hardware solutions for full disk encryption.
1
Rule
Severity: Medium
The Certificate used for encryption must be backed up and stored in a secure location that is not on the SQL Server.
1
Rule
Severity: Medium
The Service Master Key must be backed up and stored in a secure location that is not on the SQL Server.
1
Rule
Severity: Medium
The Master Key must be backed up and stored in a secure location that is not on the SQL Server.
1
Rule
Severity: High
Windows 10 information systems must use BitLocker to encrypt all disks to protect the confidentiality and integrity of all information at rest.
1
Rule
Severity: High
Windows 10 systems must use a BitLocker PIN for pre-boot authentication.
1
Rule
Severity: High
Windows 10 systems must use a BitLocker PIN with a minimum length of six digits for pre-boot authentication.
1
Rule
Severity: High
Systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.
1
Rule
Severity: High
Windows Server 2019 systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.
1
Rule
Severity: High
Windows Server 2022 systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.
1
Rule
Severity: High
All OL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at-rest protection.
1
Rule
Severity: High
All SLEM 5 persistent disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at-rest protection.
1
Rule
Severity: High
All SUSE operating system persistent disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.
1
Rule
Severity: High
All SUSE operating system persistent disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at-rest protection.
1
Rule
Severity: Medium
All TOSS local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.
1
Rule
Severity: High
The NSX Manager must assign users/accounts to organization-defined roles configured with approved authorizations.
1
Rule
Severity: High
Apple iOS/iPadOS 18 must require a valid password be successfully entered before the mobile device data is unencrypted.
1
Rule
Severity: Low
Apple iOS/iPadOS 18 must implement the management setting: limit Ad Tracking.
Patternfly
PatternFly elements
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.
Modules