Application servers must use NIST-approved or NSA-approved key management technology and processes.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-204831 | SRG-APP-000514-AS-000136 | SV-204831r961857_rule | CCI-002450 | medium |
| Description | ||||
| An asymmetric encryption key must be protected during transmission. The public portion of an asymmetric key pair can be freely distributed without fear of compromise, and the private portion of the key must be protected. The application server will provide software libraries that applications can programmatically utilize to encrypt and decrypt information. These application server libraries must use NIST-approved or NSA-approved key management technology and processes when producing, controlling, or distributing symmetric and asymmetric keys. | ||||
| STIG | Date | |||
| Application Server Security Requirements Guide | 2025-02-11 | |||
Related Frameworks
3 paths across 3 frameworks
Related Frameworks
NIST 800-531 mapping
SC-13
1.00
- DISA · 4 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-1711 mapping
3.13.11
1.00
- DISA · 4 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI1 mapping
CCI-002450
1.00
- DISA · 4 · disa_xccdf · related
Details
Check Text (C-204831r961857_chk)
Review application server configuration and the NIST FIPS certificate to validate the application server uses NIST-approved or NSA-approved key management technology and processes when producing, controlling or distributing symmetric and asymmetric keys.
If the application server does not use this NIST-approved or NSA-approved key management technology and processes, this is a finding.
Fix Text (F-4951r283135_fix)
Configure the application server to utilize NIST-approved or NSA-approved key management technology when the application server produces, controls, and distributes symmetric and asymmetric cryptographic keys.