The designer will ensure data transmitted through a commercial or wireless network is protected using an appropriate form of cryptography.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-6136	APP3250	SV-6136r1_rule	ECCT-1 ECCT-2 ECNK-1 ECNK-2	High

Description
Unencrypted sensitive application data could be intercepted in transit.

STIG	Date
Application Security and Development Checklist	2014-12-22

Details

Check Text ( C-2947r1_chk )
Policy: The designer will ensure unclassified, sensitive data transmitted through a commercial or wireless network is protected using NIST certified cryptography. The designer will ensure classified data, transmitted through a network that is cleared to a lower level than the data being transmitted, is separately protected using NSA approved cryptography. The designer will ensure data in transit through a network at the same classification level, but which must be separated for need to know reasons, is protected minimally with NIST certified cryptography. The designer will ensure SAMI data in transit through a network at the same classification level is protected with NSA approved cryptography. Interview the application representative to determine if sensitive data is transmitted over a commercial circuit or wireless network (e.g., NIPRNet, ISP, etc.). 1) If any sensitive data is transferred over a commercial or wireless network and is not encrypted using NIST FIPS 140-2 validated encryption, this is a CAT I finding. Interview the application representative to determine if classified data is transmitted over a network cleared to a lower level than the data. (e.g., TS over SIPRNet, Secret over NIPRNet, etc.). 2) If classified data is transmitted over a network cleared to a lower level than the data and NSA approved type-1 encryption is not used to encrypt the data, this is a CAT I finding. Interview the application representative and determine if the data in transit must be separated for need to know reasons. 3) If data in transit across a network at the same classification level is separated for need-to-know reasons and the data is not minimally encrypted using NIST FIPS 140-2 validated encryption, this is a CAT II finding. Interview the application representative and determine if SAMI data is transmitted. 4) If SAMI data in transit across a network at the same classification level is not separately encrypted using NSA type-1 approved encryption, this is a CAT II finding. *Note: These checks apply to all data transmitted by REST-styled or SOAP-based Web Services.

Check Text ( C-2947r1_chk )

Policy:

The designer will ensure unclassified, sensitive data transmitted through a commercial or wireless network is protected using NIST certified cryptography.

The designer will ensure classified data, transmitted through a network that is cleared to a lower level than the data being transmitted, is separately protected using NSA approved cryptography.

The designer will ensure data in transit through a network at the same classification level, but which must be separated for need to know reasons, is protected minimally with NIST certified cryptography.

The designer will ensure SAMI data in transit through a network at the same classification level is protected with NSA approved cryptography.

Interview the application representative to determine if sensitive data is transmitted over a commercial circuit or wireless network (e.g., NIPRNet, ISP, etc.).

1) If any sensitive data is transferred over a commercial or wireless network and is not encrypted using NIST FIPS 140-2 validated encryption, this is a CAT I finding.

Interview the application representative to determine if classified data is transmitted over a network cleared to a lower level than the data. (e.g., TS over SIPRNet, Secret over NIPRNet, etc.).

2) If classified data is transmitted over a network cleared to a lower level than the data and NSA approved type-1 encryption is not used to encrypt the data, this is a CAT I finding.

Interview the application representative and determine if the data in transit must be separated for need to know reasons.

3) If data in transit across a network at the same classification level is separated for need-to-know reasons and the data is not minimally encrypted using NIST FIPS 140-2 validated encryption, this is a CAT II finding.

Interview the application representative and determine if SAMI data is transmitted.

4) If SAMI data in transit across a network at the same classification level is not separately encrypted using NSA type-1 approved encryption, this is a CAT II finding.

*Note: These checks apply to all data transmitted by REST-styled or SOAP-based Web Services.

Fix Text (F-17014r1_fix)
Encrypt data in transit.