CCI-002475

Definition

Implement cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest on organization-defined system components.

Parent Control

SC-28 (1): Protection of Information at Rest (System and Communications Protection)

Linked STIG Checks (91)

ID | Severity | Requirement | STIG
V-273994 | CAT I | Amazon Linux 2023 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection. | Amazon Linux 2023 Security Technical Implementation Guide
V-268144 | CAT I | NixOS must protect the confidentiality and integrity of all information at rest. | Anduril NixOS Security Technical Implementation Guide
V-222968 | CAT I | Tomcat must use FIPS-validated ciphers on secured connectors. | Apache Tomcat Application Server 9 Security Technical Implementation Guide
V-252535 | CAT II | The macOS system must implement cryptographic mechanisms to protect the confidentiality and integrity of all information at rest. | Apple macOS 12 (Monterey) Security Technical Implementation Guide
V-257241 | CAT I | The macOS system must implement cryptographic mechanisms to protect the confidentiality and integrity of all information at rest. | Apple macOS 13 (Ventura) Security Technical Implementation Guide
V-268556 | CAT I | The macOS system must enforce FileVault. | Apple macOS 15 (Sequoia) Security Technical Implementation Guide
V-277166 | CAT I | The macOS system must enforce FileVault. | Apple macOS 26 (Tahoe) Security Technical Implementation Guide
V-222588 | CAT I | The application must implement approved cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest on organization-defined information system components. | Application Security and Development Security Technical Implementation Guide
V-204812 | CAT I | The application server must implement cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest on organization-defined information system components. | Application Server Security Requirements Guide
V-219150 | CAT II | Ubuntu operating systems handling data requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. | Canonical Ubuntu 18.04 LTS Security Technical Implementation Guide
V-238335 | CAT II | Ubuntu operating systems handling data requiring "data at rest" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. | Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide
V-260484 | CAT II | Ubuntu 22.04 LTS must implement cryptographic mechanisms to prevent unauthorized disclosure and modification of all information that requires protection at rest. | Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide
V-270747 | CAT II | Ubuntu 24.04 LTS handling data requiring "data at rest" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. | Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide
V-259881 | CAT I | For storage service offerings, the Mission Owner must configure or ensure the cloud instance uses encryption to protect all DOD files housed in the cloud instance. | Cloud Computing Mission Owner Operating System Security Requirements Guide
V-269429 | CAT I | AlmaLinux OS 9 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection. | Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
V-233590 | CAT II | PostgreSQL must implement cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest (to include, at a minimum, PII and classified information) on organization-defined information system components. | Crunchy Data PostgreSQL Security Technical Implementation Guide
V-261930 | CAT II | PostgreSQL must implement cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest (to include, at a minimum, PII and classified information) on organization-defined information system components. | Crunchy Data Postgres 16 Security Technical Implementation Guide
V-206604 | CAT I | The DBMS must implement cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest (to include, at a minimum, PII and classified information) on organization-defined information system components. | Database Security Requirements Guide
V-205214 | CAT I | The DNS server implementation must utilize cryptographic mechanisms to prevent unauthorized modification of DNS zone data. | Domain Name System (DNS) Security Requirements Guide
V-224206 | CAT II | The EDB Postgres Advanced Server must implement cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest (to include, at a minimum, PII and classified information) on organization-defined information system components. | EDB Postgres Advanced Server v11 on Windows Security Technical Implementation Guide
V-213631 | CAT II | The EDB Postgres Advanced Server must implement cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest (to include, at a minimum, PII and classified information) on organization-defined information system components. | EDB Postgres Advanced Server v9.6 Security Technical Implementation Guide
V-259290 | CAT II | The EDB Postgres Advanced Server must implement cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest (to include, at a minimum, PII and classified information) on organization-defined information system components. | EnterpriseDB Postgres Advanced Server (EPAS) Security Technical Implementation Guide
V-203745 | CAT I | The operating system must implement cryptographic mechanisms to prevent unauthorized modification of all information at rest on all operating system components. | General Purpose Operating System Security Requirements Guide
V-237819 | CAT III | The storage system must implement cryptographic mechanisms to prevent unauthorized modification or disclosure of all information at rest on all storage system components. | HPE 3PAR StoreServ 3.2.x Security Technical Implementation Guide
V-255274 | CAT II | The HPE 3PAR OS must be configured to implement cryptographic mechanisms to prevent the unauthorized modification or disclosure of all information at rest on all operating system components. | HPE 3PAR StoreServ 3.3.x Security Technical Implementation Guide
V-215283 | CAT II | AIX must encrypt user data at rest using AIX Encrypted File System (EFS) if it is required. | IBM AIX 7.x Security Technical Implementation Guide
V-252591 | CAT II | IBM Aspera Faspex must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection. | IBM Aspera Platform 4.2 Security Technical Implementation Guide
V-252608 | CAT II | IBM Aspera Shares must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection. | IBM Aspera Platform 4.2 Security Technical Implementation Guide
V-252617 | CAT II | The IBM Aspera High-Speed Transfer Endpoint must enable content protection for each transfer user by encrypting passphrases used for server-side encryption at rest (SSEAR). | IBM Aspera Platform 4.2 Security Technical Implementation Guide
V-252621 | CAT II | The IBM Aspera High-Speed Transfer Endpoint must not store group content-protection secrets in plain text. | IBM Aspera Platform 4.2 Security Technical Implementation Guide
V-252622 | CAT II | The IBM Aspera High-Speed Transfer Endpoint must not store node content-protection secrets in plain text. | IBM Aspera Platform 4.2 Security Technical Implementation Guide
V-252623 | CAT II | The IBM Aspera High-Speed Transfer Endpoint must not store user content-protection secrets in plain text. | IBM Aspera Platform 4.2 Security Technical Implementation Guide
V-252632 | CAT II | The IBM Aspera High-Speed Transfer Server must enable content protection for each transfer user by encrypting passphrases used for server-side encryption at rest (SSEAR). | IBM Aspera Platform 4.2 Security Technical Implementation Guide
V-252637 | CAT II | The IBM Aspera High-Speed Transfer Server must not store group content-protection secrets in plain text. | IBM Aspera Platform 4.2 Security Technical Implementation Guide
V-252638 | CAT II | The IBM Aspera High-Speed Transfer Server must not store node content-protection secrets in plain text. | IBM Aspera Platform 4.2 Security Technical Implementation Guide
V-252639 | CAT II | The IBM Aspera High-Speed Transfer Server must not store user content-protection secrets in plain text. | IBM Aspera Platform 4.2 Security Technical Implementation Guide
V-213729 | CAT II | DB2 must implement cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest (to include, at a minimum, PII and classified information) on organization-defined information system components. | IBM DB2 V10.5 LUW Security Technical Implementation Guide
V-255776 | CAT II | The MQ Appliance messaging server must implement cryptography mechanisms to protect the integrity of the remote access session. | IBM MQ Appliance V9.0 AS Security Technical Implementation Guide
V-250336 | CAT I | The WebSphere Liberty Server must store only encrypted representations of user passwords. | IBM WebSphere Liberty Server Security Technical Implementation Guide
V-250346 | CAT II | The WebSphere Liberty Server LTPA keys password must be changed. | IBM WebSphere Liberty Server Security Technical Implementation Guide
V-255883 | CAT III | The WebSphere Application Server must not generate LTPA keys automatically. | IBM WebSphere Traditional V9.x Security Technical Implementation Guide
V-255884 | CAT III | The WebSphere Application Server must periodically regenerate LTPA keys. | IBM WebSphere Traditional V9.x Security Technical Implementation Guide
V-223569 | CAT I | The IBM z/OS systems requiring data at rest protection must properly employ IBM DS8880 or equivalent hardware solutions for full disk encryption. | IBM z/OS ACF2 Security Technical Implementation Guide
V-213788 | CAT II | SQL Server must implement and/or support cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest (to include, at a minimum, PII and classified information) on organization-defined information system components. | MS SQL Server 2014 Database Security Technical Implementation Guide
V-213926 | CAT I | SQL Server must implement cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest (to include, at a minimum, PII and classified information) on organization-defined information system components. | MS SQL Server 2016 Database Security Technical Implementation Guide
V-205584 | CAT I | The Mainframe Product must implement cryptographic mechanisms to prevent unauthorized modification of all information not cleared for public release at rest on system components outside of organization facilities. | Mainframe Product Security Requirements Guide
V-253739 | CAT I | MariaDB must implement cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest (to include, at a minimum, PII and classified information) on organization-defined information system components. | MariaDB Enterprise 10.x Security Technical Implementation Guide
V-220387 | CAT I | MarkLogic Server must implement cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest (to include, at a minimum, PII and classified information) on organization-defined information system components. | MarkLogic Server v9 Security Technical Implementation Guide
V-255321 | CAT I | Azure SQL Database must implement cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest (to include, at a minimum, PII and classified information) on organization-defined information system components. | Microsoft Azure SQL Database Security Technical Implementation Guide
V-276237 | CAT II | Azure SQL Managed Instance must implement cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest on organization-defined information system components. | Microsoft Azure SQL Managed Instance Security Technical Implementation Guide
V-271201 | CAT I | SQL Server must implement cryptographic mechanisms to prevent unauthorized modification or disclosure of organization-defined information at rest (to include, at a minimum, PII and classified information) on organization-defined information system components. | Microsoft SQL Server 2022 Database Security Technical Implementation Guide
V-220702 | CAT I | Windows 10 information systems must use BitLocker to encrypt all disks to protect the confidentiality and integrity of all information at rest. | Microsoft Windows 10 Security Technical Implementation Guide
V-220703 | CAT I | Windows 10 systems must use a BitLocker PIN for pre-boot authentication. | Microsoft Windows 10 Security Technical Implementation Guide
V-220704 | CAT I | Windows 10 systems must use a BitLocker PIN with a minimum length of six digits for pre-boot authentication. | Microsoft Windows 10 Security Technical Implementation Guide
V-253259 | CAT I | Windows 11 information systems must use BitLocker to encrypt all disks to protect the confidentiality and integrity of all information at rest. | Microsoft Windows 11 Security Technical Implementation Guide
V-215631 | CAT I | The Windows 2012 DNS Server must not contain zone records that have not been validated in over a year. | Microsoft Windows 2012 Server Domain Name System Security Technical Implementation Guide
V-224843 | CAT I | Systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. | Microsoft Windows Server 2016 Security Technical Implementation Guide
V-205727 | CAT I | Windows Server 2019 systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. | Microsoft Windows Server 2019 Security Technical Implementation Guide
V-254262 | CAT I | Windows Server 2022 systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. | Microsoft Windows Server 2022 Security Technical Implementation Guide
V-278009 | CAT II | Windows Server 2025 systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. | Microsoft Windows Server 2025 Security Technical Implementation Guide
V-259394 | CAT II | The Windows DNS Server must only contain zone records that have been validated annually. | Microsoft Windows Server Domain Name System (DNS) Security Technical Implementation Guide
V-221196 | CAT II | MongoDB must implement cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest (to include, at a minimum, PII and classified information) on organization-defined information system components. | MongoDB Enterprise Advanced 3.x Security Technical Implementation Guide
V-252147 | CAT II | MongoDB must implement cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest (to include, at a minimum, PII and classified information) on organization-defined information system components. | MongoDB Enterprise Advanced 4.x Security Technical Implementation Guide
V-265947 | CAT II | MongoDB must implement cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest (to include, at a minimum, PII and classified information) on organization-defined information system components. | MongoDB Enterprise Advanced 7.x Security Technical Implementation Guide
V-279387 | CAT I | MongoDB must implement cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest (to include, at a minimum, PII and classified information) on organization-defined information system components. | MongoDB Enterprise Advanced 8.x Security Technical Implementation Guide
V-254115 | CAT I | Nutanix AOS must protect the confidentiality and integrity of all information at rest. | Nutanix AOS 5.20.x Application Security Technical Implementation Guide
V-279448 | CAT II | Nutanix AOS must implement cryptographic mechanisms to prevent unauthorized access to data at rest. | Nutanix Acropolis Application Server Security Technical Implementation Guide
V-279621 | CAT I | Nutanix OS must protect the confidentiality and integrity of all information at rest. | Nutanix Acropolis GPOS Security Technical Implementation Guide
V-270575 | CAT II | Oracle Database must implement cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest (to include, at a minimum, PII and classified information) on organization-defined information system components. | Oracle Database 19c Security Technical Implementation Guide
V-248525 | CAT I | All OL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at-rest protection. | Oracle Linux 8 Security Technical Implementation Guide
V-271756 | CAT I | OL 9 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection. | Oracle Linux 9 Security Technical Implementation Guide
V-235192 | CAT I | The MySQL Database Server 8.0 must implement cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest (to include, at a minimum, PII and classified information) on organization-defined information system components. | Oracle MySQL 8.0 Security Technical Implementation Guide
V-214124 | CAT II | PostgreSQL must implement cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest (to include, at a minimum, PII and classified information) on organization-defined information system components. | PostgreSQL 9.x Security Technical Implementation Guide
V-280935 | CAT I | RHEL 10 must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information on local disk partitions that requires at-rest protection. | Red Hat Enterprise Linux 10 Security Technical Implementation Guide
V-280979 | CAT II | RHEL 10 must use a file integrity tool that is configured to use FIPS 140-3-approved cryptographic hashes for validating file contents and directories. | Red Hat Enterprise Linux 10 Security Technical Implementation Guide
V-280981 | CAT II | RHEL 10 must be configured so that the file integrity tool verifies Access Control Lists (ACLs). | Red Hat Enterprise Linux 10 Security Technical Implementation Guide
V-280982 | CAT II | RHEL 10 must be configured so that the file integrity tool verifies extended attributes. | Red Hat Enterprise Linux 10 Security Technical Implementation Guide
V-257879 | CAT I | RHEL 9 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection. | Red Hat Enterprise Linux 9 Security Technical Implementation Guide
V-251243 | CAT I | Redis Enterprise DBMS must implement cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest (to include, at a minimum, PII and classified information) on organization-defined information system components. | Redis Enterprise 6.x Security Technical Implementation Guide
V-275578 | CAT II | Ubuntu OS must implement cryptographic mechanisms to prevent unauthorized disclosure and modification of all information that requires protection at rest. | Riverbed NetIM OS Security Technical Implementation Guide
V-261284 | CAT I | All SLEM 5 persistent disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at-rest protection. | SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation Guide
V-217146 | CAT I | All SUSE operating system persistent disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection. | SUSE Linux Enterprise Server 12 Security Technical Implementation Guide
V-219982 | CAT III | The operating system must employ cryptographic mechanisms to protect information in storage. | Solaris 11 SPARC Security Technical Implementation Guide
V-219983 | CAT III | The operating system must employ cryptographic mechanisms to prevent unauthorized disclosure of information at rest unless otherwise protected by alternative physical measures. | Solaris 11 SPARC Security Technical Implementation Guide
V-220010 | CAT III | The operating system must employ cryptographic mechanisms to protect information in storage. | Solaris 11 X86 Security Technical Implementation Guide
V-220011 | CAT III | The operating system must employ cryptographic mechanisms to prevent unauthorized disclosure of information at rest unless otherwise protected by alternative physical measures. | Solaris 11 X86 Security Technical Implementation Guide
V-253085 | CAT II | All TOSS local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection. | Tri-Lab Operating System Stack (TOSS) 4 Security Technical Implementation Guide
V-282514 | CAT I | TOSS 5 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection. | Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide
V-256410 | CAT I | The ESXi Image Profile and vSphere Installation Bundle (VIB) acceptance levels must be verified. | VMware vSphere 7.0 ESXi Security Technical Implementation Guide
V-258929 | CAT II | The vCenter Server must enable data at rest encryption for vSAN. | VMware vSphere 8.0 vCenter Security Technical Implementation Guide
V-207494 | CAT II | The VMM must implement cryptographic mechanisms to prevent unauthorized modification of all information at rest on all VMM components. | Virtual Machine Manager Security Requirements Guide