CCI-002476

Implement cryptographic mechanisms to prevent unauthorized disclosure of organization-defined information at rest on organization-defined system components.

5 rules found Severity: High

20 rules found Severity: High

1 rule found Severity: Low

1 rule found Severity: Medium

2 rules found Severity: Medium

3 rules found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

2 rules found Severity: Medium

3 rules found Severity: Medium

1 rule found Severity: High

2 rules found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

2 rules found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

2 rules found Severity: High

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

CCI-002476

Enable FIPS Mode in GRUB2

Encrypt Partitions

The storage system must implement cryptographic mechanisms to prevent unauthorized modification or disclosure of all information at rest on all storage system components.

IBM Aspera Faspex must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.

IBM Aspera Shares must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.

The IBM Aspera High-Speed Transfer Endpoint must enable content protection for each transfer user by encrypting passphrases used for server-side encryption at rest (SSEAR).

The IBM Aspera High-Speed Transfer Endpoint must not store group content-protection secrets in plain text.

The IBM Aspera High-Speed Transfer Endpoint must not store node content-protection secrets in plain text.

The IBM Aspera High-Speed Transfer Endpoint must not store user content-protection secrets in plain text.

The IBM Aspera High-Speed Transfer Server must enable content protection for each transfer user by encrypting passphrases used for server-side encryption at rest (SSEAR).

The IBM Aspera High-Speed Transfer Server must not store group content-protection secrets in plain text.

The IBM Aspera High-Speed Transfer Server must not store node content-protection secrets in plain text.

The IBM Aspera High-Speed Transfer Server must not store user content-protection secrets in plain text.

The MQ Appliance messaging server must implement cryptography mechanisms to protect the integrity of the remote access session.

DB2 must implement and/or support cryptographic mechanisms preventing the unauthorized disclosure of organization-defined information at rest on organization-defined information system components.

Rights managed Office Open XML files must be protected.

Encrypt document properties must be configured for OLE documents.

SQL Server must implement and/or support cryptographic mechanisms preventing the unauthorized disclosure of organization-defined information at rest on organization-defined information system components.

Nutanix AOS must protect the confidentiality and integrity of all information at rest.

The Tanium Server must protect the confidentiality and integrity of transmitted information, in preparation to be transmitted and data at rest, with cryptographic signing capabilities enabled to protect the authenticity of communications sessions when making requests from Tanium Clients.

The macOS system must implement cryptographic mechanisms to protect the confidentiality and integrity of all information at rest.

Ubuntu operating systems handling data requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.

MongoDB must implement cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest (to include, at a minimum, PII and classified information) on organization-defined information system components.

PostgreSQL must implement cryptographic mechanisms preventing the unauthorized disclosure of organization-defined information at rest on organization-defined information system components.

The EDB Postgres Advanced Server must implement cryptographic mechanisms preventing the unauthorized disclosure of organization-defined information at rest on organization-defined information system components.

Tomcat must use FIPS-validated ciphers on secured connectors.

The macOS system must implement cryptographic mechanisms to protect the confidentiality and integrity of all information at rest.

CA IDMS must use pervasive encryption to cryptographically protect the confidentiality and integrity of all information at rest in accordance with data owner requirements.

Ubuntu operating systems handling data requiring "data at rest" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.

The DNS server implementation must utilize cryptographic mechanisms to prevent unauthorized disclosure of non-DNS data stored on the DNS server.

The HPE 3PAR OS must be configured to implement cryptographic mechanisms to prevent the unauthorized modification or disclosure of all information at rest on all operating system components.

The WebSphere Liberty Server must store only encrypted representations of user passwords.

AIX must encrypt user data at rest using AIX Encrypted File System (EFS) if it is required.

MarkLogic Server must implement cryptographic mechanisms preventing the unauthorized disclosure of organization-defined information at rest on organization-defined information system components.

Swarm Secrets or Kubernetes Secrets must be used.

Azure SQL Database must implement cryptographic mechanisms preventing the unauthorized disclosure of organization-defined information at rest on organization-defined information system components.

The IIS 10.0 private website must employ cryptographic mechanisms (TLS) and require client certificates.

Windows 11 systems must use a BitLocker PIN for pre-boot authentication.

Systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.

The MySQL Database Server 8.0 must implement cryptographic mechanisms preventing the unauthorized disclosure of organization-defined information at rest on organization-defined information system components.

Automation Controller must implement cryptography mechanisms to protect the integrity of information.

Redis Enterprise DBMS must implement cryptographic mechanisms preventing the unauthorized disclosure of organization-defined information at rest on organization-defined information system components.

The Automation Controller NGINX web server must employ cryptographic mechanisms (TLS/DTLS/SSL) to prevent the unauthorized disclosure of information during transmission.

All SLEM 5 persistent disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at-rest protection.

All TOSS local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.

The web server must encrypt user identifiers and passwords.

NixOS must protect the confidentiality and integrity of all information at rest.

An Apache web server must maintain the confidentiality of controlled information during transmission through the use of an approved TLS version.

The macOS system must enforce FileVault.

The application must implement cryptographic mechanisms to prevent unauthorized disclosure of organization-defined information at rest on organization-defined information system components.

The application must use appropriate cryptography in order to protect stored DoD information when required by the information owner or DoD policy.

Ubuntu 22.04 LTS must implement cryptographic mechanisms to prevent unauthorized disclosure and modification of all information that requires protection at rest.

AlmaLinux OS 9 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.

The container platform keystore must implement encryption to prevent unauthorized disclosure of information at rest within the container platform.

The DBMS must implement cryptographic mechanisms preventing the unauthorized disclosure of organization-defined information at rest on organization-defined information system components.

The operating system must implement cryptographic mechanisms to prevent unauthorized disclosure of all information at rest on all operating system components.

The IBM z/OS systems requiring data at rest protection must properly employ IBM DS8880 or equivalent hardware solutions for full disk encryption.

The Mainframe Product must implement cryptographic mechanisms to prevent unauthorized disclosure of all information not cleared for public release at rest on system components outside of organization facilities.

MariaDB must implement cryptographic mechanisms preventing the unauthorized disclosure of organization-defined information at rest on organization-defined information system components.

Rights managed Office Open XML files must be protected.

Document metadata for rights managed Office Open XML files must be protected.

SQL Server must implement cryptographic mechanisms preventing the unauthorized disclosure of organization-defined information at rest on organization-defined information system components.

Windows 10 information systems must use BitLocker to encrypt all disks to protect the confidentiality and integrity of all information at rest.

Windows 10 systems must use a BitLocker PIN for pre-boot authentication.

Windows 10 systems must use a BitLocker PIN with a minimum length of six digits for pre-boot authentication.

Windows Server 2019 systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.

Windows Server 2022 systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.

All OL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at-rest protection.

Rancher RKE2 keystore must implement encryption to prevent unauthorized disclosure of information at rest within Rancher RKE2.

OpenShift keystore must implement encryption to prevent unauthorized disclosure of information at rest within the container platform.

RHEL 9 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.

The VMM must implement cryptographic mechanisms to prevent unauthorized disclosure of all information at rest on all VMM components.