800-53|SC-28

Title

PROTECTION OF INFORMATION AT REST

Description

The information system protects the [Selection (one or more): confidentiality; integrity] of [Assignment: organization-defined information at rest].

Supplemental

This control addresses the confidentiality and integrity of information at rest and covers user information and system information. Information at rest refers to the state of information when it is located on storage devices as specific components of information systems. System-related information requiring protection includes, for example, configurations or rule sets for firewalls, gateways, intrusion detection/prevention systems, filtering routers, and authenticator content. Organizations may employ different mechanisms to achieve confidentiality and integrity protections, including the use of cryptographic mechanisms and file share scanning. Integrity protection can be achieved, for example, by implementing Write-Once-Read-Many (WORM) technologies. Organizations may also employ other security controls including, for example, secure off-line storage in lieu of online storage when adequate protection of information at rest cannot otherwise be achieved and/or continuous monitoring to identify malicious code at rest.

Reference Item Details

Related: AC-3, AC-6, CA-7, CM-3, CM-5, CM-6, PE-3, SC-13, SC-8, SI-3, SI-7

Category: SYSTEM AND COMMUNICATIONS PROTECTION

Family: SYSTEM AND COMMUNICATIONS PROTECTION

Priority: P1

Baseline Impact: MODERATE, HIGH

Audit Items

Name | Plugin | Audit Name
1.1.7 Ensure 'Store passwords using reversible encryption' is set to 'Disabled' | Windows | CIS Microsoft Windows 10 Enterprise v1.12.0 L1 + BL + NG
1.1.7 Ensure 'Store passwords using reversible encryption' is set to 'Disabled' | Windows | CIS Microsoft Windows 10 Enterprise v1.12.0 L1
1.1.7 Ensure 'Store passwords using reversible encryption' is set to 'Disabled' | Windows | CIS Microsoft Windows 10 Enterprise v1.12.0 L1 + NG
1.1.7 Ensure 'Store passwords using reversible encryption' is set to 'Disabled' | Windows | CIS Microsoft Windows 10 Enterprise v1.12.0 L1 + BL
1.1.34 Ensure that the --encryption-provider-config argument is set as appropriate | Unix | CIS Kubernetes 1.13 Benchmark v1.4.1 L1
1.1.35 Ensure that the encryption provider is set to aescbc | Unix | CIS Kubernetes 1.13 Benchmark v1.4.1 L1
1.2.4.2.1.1 Set 'Configure use of hardware-based encryption for fixed data drives' to 'Enabled' | Windows | CIS Windows 8 L1 v1.0.0
1.2.4.2.2.1 Set 'Configure use of hardware-based encryption for operating system drives' to 'Enabled' | Windows | CIS Windows 8 L1 v1.0.0
1.2.4.2.3.1 Set 'Configure use of hardware-based encryption for removable data drives' to 'Enabled' | Windows | CIS Windows 8 L1 v1.0.0
1.2.32 Ensure that the --encryption-provider-config argument is set as appropriate | Unix | CIS Kubernetes v1.20 Benchmark v1.0.0 L1 Master
1.2.33 Ensure that encryption providers are appropriately configured | Unix | CIS Kubernetes v1.20 Benchmark v1.0.0 L1 Master
1.2.33 Ensure that the --encryption-provider-config argument is set as appropriate | Unix | CIS Kubernetes Benchmark v1.6.1 L1 Master
1.2.34 Ensure that encryption providers are appropriately configured | Unix | CIS Kubernetes Benchmark v1.6.1 L1 Master
1.4 Ensure Databases running on RDS have encryption at rest enabled | amazon_aws | CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0
1.4 Verify That the MYSQL_PWD Environment Variable is Not in Use | Unix | CIS MySQL 8.0 Enterprise Linux OS L1 v1.2.0
1.4.2 Enable 'service password-encryption' | Cisco | CIS Cisco IOS 16 L1 v1.1.2
1.4.3 Set 'username secret' for all local users | Cisco | CIS Cisco IOS 16 L1 v1.1.2
1.5 Ensure all EBS volumes for Web-Tier are encrypted | amazon_aws | CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0
1.5.9 Ensure NIST FIPS-validated cryptography is configured - etc | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
1.5.9 Ensure NIST FIPS-validated cryptography is configured - grub | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
1.5.9 Ensure NIST FIPS-validated cryptography is configured - proc | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
1.5.9 Ensure NIST FIPS-validated cryptography is configured - rpm | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
1.6 Ensure all EBS volumes for App-Tier are encrypted | amazon_aws | CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0
1.6 Verify That 'MYSQL_PWD' is Not Set in Users' Profiles - .bash_profile | Unix | CIS MySQL 8.0 Enterprise Linux OS L1 v1.2.0
1.6 Verify That 'MYSQL_PWD' is Not Set in Users' Profiles - .bashrc | Unix | CIS MySQL 8.0 Enterprise Linux OS L1 v1.2.0
1.6 Verify That 'MYSQL_PWD' is Not Set in Users' Profiles - .profile | Unix | CIS MySQL 8.0 Enterprise Linux OS L1 v1.2.0
10.19 Ensure Manager Application Passwords are Encrypted | Unix | CIS Apache Tomcat 9 L1 v1.1.0 Middleware
10.19 Ensure Manager Application Passwords are Encrypted | Unix | CIS Apache Tomcat 9 L1 v1.1.0
18.3.5 Ensure 'WDigest Authentication' is set to 'Disabled' | Windows | CIS Microsoft Intune for Windows 10 Release 2004 v1.0.1 L1 + NG
18.3.5 Ensure 'WDigest Authentication' is set to 'Disabled' | Windows | CIS Microsoft Intune for Windows 10 Release 2004 v1.0.1 L1 + BL + NG
18.3.5 Ensure 'WDigest Authentication' is set to 'Disabled' | Windows | CIS Microsoft Intune for Windows 10 Release 2004 v1.0.1 L1
18.3.5 Ensure 'WDigest Authentication' is set to 'Disabled' | Windows | CIS Microsoft Intune for Windows 10 Release 2004 v1.0.1 L1 + BL
18.3.7 Ensure 'WDigest Authentication' is set to 'Disabled' | Windows | CIS Microsoft Windows 10 Enterprise v1.12.0 L1
18.3.7 Ensure 'WDigest Authentication' is set to 'Disabled' | Windows | CIS Microsoft Windows 10 Enterprise v1.12.0 L1 + NG
18.3.7 Ensure 'WDigest Authentication' is set to 'Disabled' | Windows | CIS Microsoft Windows 10 Enterprise v1.12.0 L1 + BL + NG
18.3.7 Ensure 'WDigest Authentication' is set to 'Disabled' | Windows | CIS Microsoft Windows 10 Enterprise v1.12.0 L1 + BL
18.4.1 Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled' | Windows | CIS Microsoft Windows 10 Enterprise v1.12.0 L1 + NG
18.4.1 Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled' | Windows | CIS Microsoft Windows 10 Enterprise v1.12.0 L1 + BL + NG
18.4.1 Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled' | Windows | CIS Microsoft Windows 10 Enterprise v1.12.0 L1
18.4.1 Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled' | Windows | CIS Microsoft Windows 10 Enterprise v1.12.0 L1 + BL
18.8.7.1.1 (BL) Ensure 'Prevent installation of devices that match any of these device IDs' is set to 'Enabled' | Windows | CIS Microsoft Windows 8.1 v2.4.0 L1 Bitlocker
18.8.7.1.1 (BL) Ensure 'Prevent installation of devices that match any of these device IDs' is set to 'Enabled' | Windows | CIS Microsoft Windows 8.1 v2.4.0 L2 Bitlocker
18.8.7.1.1 Ensure 'Prevent installation of devices that match any of these device IDs' is set to 'Enabled' | Windows | CIS Microsoft Windows 10 Enterprise (Release 1809) v1.6.1 BL
18.8.7.1.2 (BL) Ensure 'Prevent installation of devices that match any of these device IDs: Prevent installation of devices that match any of these device IDs' is set to 'PCI\CC_0C0A' | Windows | CIS Microsoft Windows 8.1 v2.4.0 L2 Bitlocker
18.8.7.1.2 (BL) Ensure 'Prevent installation of devices that match any of these device IDs: Prevent installation of devices that match any of these device IDs' is set to 'PCI\CC_0C0A' | Windows | CIS Microsoft Windows 8.1 v2.4.0 L1 Bitlocker
18.8.7.1.2 Ensure 'Prevent installation of devices that match any of these device IDs: Prevent installation of devices that match any of these device IDs' is set to 'PCI\CC_0C0A' | Windows | CIS Microsoft Windows 10 Enterprise (Release 1809) v1.6.1 BL
18.8.7.1.3 (BL) Ensure 'Prevent installation of devices that match any of these device IDs: Also apply to matching devices that are already installed.' is set to 'True' (checked) | Windows | CIS Microsoft Windows 8.1 v2.4.0 L1 Bitlocker
18.8.7.1.3 (BL) Ensure 'Prevent installation of devices that match any of these device IDs: Also apply to matching devices that are already installed.' is set to 'True' (checked) | Windows | CIS Microsoft Windows 8.1 v2.4.0 L2 Bitlocker
18.8.7.1.3 Ensure 'Prevent installation of devices that match any of these device IDs: Also apply to matching devices that are already installed.' is set to 'True' (checked) | Windows | CIS Microsoft Windows 10 Enterprise (Release 1809) v1.6.1 BL
18.8.7.1.4 (BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes' is set to 'Enabled' | Windows | CIS Microsoft Windows 8.1 v2.4.0 L2 Bitlocker