
V-259881

CAT I (High)

For storage service offerings, the Mission Owner must configure or ensure the cloud instance uses encryption to protect all DOD files housed in the cloud instance.

Rule ID

SV-259881r958870_rule

STIG

Cloud Computing Mission Owner Operating System Security Requirements Guide

Version

V1R3

CCIs

CCI-002475

Discussion

Mission systems at all Impact Levels must have the capability for DOD data to be encrypted at rest with exclusive DOD control of encryption keys and key management. Some cloud service offerings (CSOs) may facilitate this by providing a Hardware Security Module (HSM) or offering customer-dedicated HSM devices as a service. CSOs that do not provide such a capability may require Mission Owners to use encryption hardware/software on the Defense Information Systems Network (DISN) or a cloud encryption service that provides DOD control of keys and key management. Some CSOs may offer a key management service that can suffice for management of customer keys by the customer while preventing cloud service provider (CSP) access to the keys. An NSA-validated CSP key management service is required.

Data-at-rest (DAR) encryption with customer-controlled keys and key management protects the DOD data stored in CSOs with the following benefits:

- Maintains the integrity of publicly released information and websites at Level 2 where confidentiality is not an issue.
- Maintains the confidentiality and integrity of CUI at Levels 4 and 5 with the following benefits:
  - Limits the insider threat vector of unauthorized access by CSP personnel by increasing the work necessary to compromise/access unencrypted DOD data.

Mission Owners and their Authorizing Officials should consider the benefits of DAR encryption and a cryptography-based process for data destruction and/or spill remediation at Impact Level 2 in addition to the benefit of maintaining information integrity.

Check Content

For Impact Level 2 public cloud with nonprivileged user access to publicly releasable information, this is not applicable unless the information owner requires encryption and KMS.

Verify the cloud storage service is configured to use encryption and KMS to protect all DOD files housed in the virtual storage service. 

If the cloud storage service is not configured to use encryption to protect all DOD files housed in the virtual storage service, this is a finding.
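As an added example (not part of the STIG text or the STIGhub site), the following Python encodes the applicability and pass/fail logic of this check so it can be run over an inventory of storage services. The StorageService fields, the key-management labels and the sample inventory are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class StorageService:
    name: str
    impact_level: int                          # 2, 4, 5 or 6
    public_cloud: bool = False
    nonprivileged_access_only: bool = False
    publicly_releasable: bool = False
    info_owner_requires_encryption: bool = False
    encrypted_at_rest: bool = False
    # Hypothetical key-management labels: "customer" (DOD-controlled keys),
    # "csp_kms_nsa_validated", "csp_kms" (CSP-managed, not validated) or "".
    key_management: str = ""

NOT_APPLICABLE, NOT_A_FINDING, OPEN = "Not Applicable", "Not a Finding", "Open"

def is_applicable(svc: StorageService) -> bool:
    """IL4/5/6 always apply; IL2 applies unless it is public cloud with nonprivileged
    access to publicly releasable data and the information owner has not required encryption."""
    if svc.impact_level in (4, 5, 6):
        return True
    if svc.impact_level == 2:
        exempt = svc.public_cloud and svc.nonprivileged_access_only and svc.publicly_releasable
        return svc.info_owner_requires_encryption or not exempt
    raise ValueError(f"unsupported Impact Level: {svc.impact_level}")

def evaluate(svc: StorageService) -> tuple:
    """Return (status, reason) for V-259881 on one storage service."""
    if not is_applicable(svc):
        return NOT_APPLICABLE, "IL2 public cloud, nonprivileged access to releasable data"
    if not svc.encrypted_at_rest:
        return OPEN, "DOD files are not encrypted at rest"
    if svc.key_management in ("customer", "csp_kms_nsa_validated"):
        return NOT_A_FINDING, f"encrypted with {svc.key_management} key management"
    # Encryption alone is not enough: keys must be DOD-controlled or held in an
    # NSA-validated CSP KMS, so CSP-managed keys remain a finding.
    return OPEN, f"key management '{svc.key_management}' gives no DOD control of keys"

def audit(inventory) -> dict:
    return {svc.name: evaluate(svc)[0] for svc in inventory}

# Constructed sample inventory (not real systems).
SAMPLE_INVENTORY = [
    StorageService("public-site-assets", 2, public_cloud=True, nonprivileged_access_only=True,
                   publicly_releasable=True),
    StorageService("il2-owner-controlled", 2, encrypted_at_rest=True, key_management="csp_kms"),
    StorageService("il4-cui-store", 4, encrypted_at_rest=True, key_management="customer"),
    StorageService("il5-unencrypted", 5),
]
```

Running `audit(SAMPLE_INVENTORY)` reports the IL2 public asset bucket as Not Applicable, the CSP-managed-key IL2 bucket and the unencrypted IL5 bucket as Open, and the customer-keyed IL4 store as Not a Finding.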

Fix Text

This applies to Impact Levels 4/5/6 and applies to Impact Level 2 where the Mission Owner has control of the environment.
FedRAMP Moderate, High.

Configure the cloud instance to use encryption to protect all DOD files housed in the virtual storage service.