
STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.


CCI-004910

Definition

Provide protected storage for cryptographic keys with organization-defined safeguards and/or hardware protected key store.

Parent Control

SC-28 (3): Protection of Information at Rest (System and Communications Protection)

Linked STIG Checks (32)

Vuln ID | Severity | Requirement | STIG / SRG
V-268144 | CAT I | NixOS must protect the confidentiality and integrity of all information at rest. | Anduril NixOS Security Technical Implementation Guide
V-222967 | CAT II | Keystore file must be protected. | Apache Tomcat Application Server 9 Security Technical Implementation Guide
V-263545 | CAT II | The ALG must provide protected storage for cryptographic keys with organization-defined safeguards and/or hardware protected key store. | Application Layer Gateway Security Requirements Guide
V-274830 | CAT II | The API must provide protected storage for API keys. | Application Programming Interface (API) Security Requirements Guide
V-263555 | CAT II | The application server must provide protected storage for cryptographic keys with organization-defined safeguards and/or hardware protected key store. | Application Server Security Requirements Guide
V-270747 | CAT II | Ubuntu 24.04 LTS handling data requiring "data at rest" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. | Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide
V-263583 | CAT II | The Central Log Server must provide protected storage for cryptographic keys with organization-defined safeguards and/or hardware protected key store. | Central Log Server Security Requirements Guide
V-215687 | CAT I | The Cisco router must only store cryptographic representations of passwords. | Cisco IOS Router NDM Security Technical Implementation Guide
V-220595 | CAT I | The Cisco switch must only store cryptographic representations of passwords. | Cisco IOS Switch NDM Security Technical Implementation Guide
V-215832 | CAT I | The Cisco router must only store cryptographic representations of passwords. | Cisco IOS XE Router NDM Security Technical Implementation Guide
V-220543 | CAT I | The Cisco switch must only store cryptographic representations of passwords. | Cisco IOS XE Switch NDM Security Technical Implementation Guide
V-269412 | CAT II | AlmaLinux OS 9, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
V-263600 | CAT II | The container platform must provide protected storage for cryptographic keys with organization-defined safeguards and/or hardware protected key store. | Container Platform Security Requirements Guide
V-263620 | CAT II | The DBMS must provide protected storage for cryptographic keys with organization-defined safeguards and/or hardware protected key store. | Database Security Requirements Guide
V-263644 | CAT II | The DNS server implementation must provide protected storage for cryptographic keys with organization-defined safeguards and/or hardware protected key store. | Domain Name System (DNS) Security Requirements Guide
V-279972 | CAT II | The private keys corresponding to both the ZSK and the KSK must not be kept on the DNSSEC-aware primary authoritative name server when the name server does not support dynamic updates. | Domain Name System (DNS) Security Requirements Guide
V-263660 | CAT II | The operating system must provide protected storage for cryptographic keys with organization-defined safeguards and/or hardware protected key store. | General Purpose Operating System Security Requirements Guide
V-223568 | CAT II | IBM z/OS must use ICSF or SAF Key Rings for key management. | IBM z/OS ACF2 Security Technical Implementation Guide
V-223811 | CAT II | IBM z/OS, for PKI-based authentication, must use the ICSF or ESM for key management. | IBM z/OS RACF Security Technical Implementation Guide
V-223883 | CAT II | IBM z/OS for PKI-based authentication must use ICSF or the ESM to store keys. | IBM z/OS TSS Security Technical Implementation Guide
V-263685 | CAT II | The Mainframe Product must provide protected storage for cryptographic keys with organization-defined safeguards and/or hardware protected key store. | Mainframe Product Security Requirements Guide
V-277993 | CAT II | Windows Server 2025 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use. | Microsoft Windows Server 2025 Security Technical Implementation Guide
V-279412 | CAT II | MongoDB must provide protected storage for cryptographic keys with organization-defined safeguards and/or hardware protected key store. | MongoDB Enterprise Advanced 8.x Security Technical Implementation Guide
V-279622 | CAT II | Nutanix OS must provide protected storage for cryptographic keys with organization-defined safeguards and/or hardware protected key store. | Nutanix Acropolis GPOS Security Technical Implementation Guide
V-271431 | CAT II | The OL 9 operating system must implement cryptographic mechanisms to prevent unauthorized modification of all information at rest. | Oracle Linux 9 Security Technical Implementation Guide
V-281329 | CAT II | RHEL 10 must, for PKI-based authentication, validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | Red Hat Enterprise Linux 10 Security Technical Implementation Guide
V-275578 | CAT II | Ubuntu OS must implement cryptographic mechanisms to prevent unauthorized disclosure and modification of all information that requires protection at rest. | Riverbed NetIM OS Security Technical Implementation Guide
V-221932 | CAT II | Splunk Enterprise must only allow the use of DOD-approved certificate authorities for cryptographic functions. | Splunk Enterprise 7.x for Windows Security Technical Implementation Guide
V-251690 | CAT II | Splunk Enterprise must only allow the use of DOD-approved certificate authorities for cryptographic functions. | Splunk Enterprise 8.x for Linux Security Technical Implementation Guide
V-282771 | CAT II | TOSS 5 must provide protected storage for cryptographic keys with organization-defined safeguards and/or hardware protected key store. | Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide
V-264325 | CAT II | The VMM must provide protected storage for cryptographic keys with organization-defined safeguards and/or hardware protected key store. | Virtual Machine Manager Security Requirements Guide
V-264357 | CAT II | The web server must provide protected storage for cryptographic keys with organization-defined safeguards and/or hardware protected key store. | Web Server Security Requirements Guide