Skip to content
ATO Pathways
Log In
Overview
Search
Catalogs
SCAP
OSCAL
Catalogs
Profiles
Documents
References
Knowledge Base
Platform Documentation
Compliance Dictionary
Platform Changelog
About
Catalogs
XCCDF
Application Security and Development Security Technical Implementation Guide
SRG-APP-000231
The application must protect the confidentiality and integrity of stored information when required by DoD policy or the information owner.
The application must protect the confidentiality and integrity of stored information when required by DoD policy or the information owner.
An XCCDF Rule
Details
Profiles
Prose
The application must protect the confidentiality and integrity of stored information when required by DoD policy or the information owner.
Medium Severity
<VulnDiscussion>Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive and tape drive) within an organizational information system. Mobile devices, laptops, desktops, and storage devices can be either lost or stolen, and the contents of their data storage (e.g., hard drives and non-volatile memory) can be read, copied, or altered. Applications and application users generate information throughout the course of their application use, including data that is stored in areas of volatile memory. Volatile memory must not be overlooked when assigning protections. This requirement addresses protection of user-generated data, as well as, operating system-specific configuration data. Applications must employ mechanisms to achieve confidentiality and integrity protections, as appropriate, in accordance with the security category and/or classification of the information. This can include segmenting and controlling access to the data such as utilizing file permissions to restrict access, using role based controls to restrict access or applying a cryptographic hash to the data and evaluating hash values for changes made to data.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>