DoD STIGs – V-32500

Overview:

Title: The DBMS must employ NIST validated cryptography to protect unclassified information.

Vulnerability ID: V-32500

STIG ID:

IA Controls: None

Severity: medium

Description: Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data.

Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data.

Use of cryptography to provide confidentiality and non-repudiation is not effective unless strong methods are employed with its use. Many earlier encryption methods and modules have been broken and/or overtaken by increasing computing power. The NIST FIPS 140-2 cryptographic standards provide proven methods and strengths to employ cryptography effectively.

This control does not impose any requirements on organizations to use cryptography. Rather, if cryptography is required based on the selection of other controls and subsequently implemented by organizational information systems, the cryptographic modules comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Generally applicable cryptographic standards include, for example, FIPS-validated cryptography to protect unclassified information and NSA-approved cryptography to protect classified information.

Detailed information on the NIST Cryptographic Module Validation Program (CMVP) is available at the following web site: http://csrc.nist.gov/groups/STM/cmvp/index.html.

Check Text: Review system documentation to determine whether cryptography for unclassified information is required by the information owner. If unclassified information is not required to be encrypted, this is NA.

If cryptography being used by the DBMS is not NIST FIPS 140-2 certified, this is a finding.

If non-compliant algorithms or hash functions are specified, this is a finding.

If un-validated cryptographic modules are in use, this is a finding.

Fix Text: Obtain and utilize a native or third-party NIST-validated, FIPS 140-2 compliant cryptography solution for the DBMS.
Configure cryptographic functions to use FIPS 140-2 compliant algorithms and hashing functions.
