STIGhubSTIGhub
STIGsRMF ControlsCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • RMF Controls
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated 3 hours ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to MongoDB Enterprise Advanced 8.x Security Technical Implementation Guide

V-279387

CAT I (High)

MongoDB must implement cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest (to include, at a minimum, PII and classified information) on organization-defined information system components.

Rule ID

SV-279387r1179328_rule

STIG

MongoDB Enterprise Advanced 8.x Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-002475CCI-002476

Discussion

Database management system (DBMSs) handling data requiring data-at-rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. These cryptographic mechanisms may be native to the DBMS or implemented via additional software or operating system/file system settings, as appropriate to the situation. Selection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). The decision whether and what to encrypt rests with the data owner and is also influenced by the physical measures taken to secure the equipment and media on which the information resides. Satisfies: SRG-APP-000428-DB-000386, SRG-APP-000429-DB-000387

Check Content

Review the documentation or specification for the organization-defined information. 

If any data is PII, classified, or per the organization must be encrypted at rest, verify the method of encryption is documented.

If no documented mechanism is being used to encrypt data-at-rest such as hardware encryption, volume encryption, filesystem encryption or the use of third-party products to enable encryption at rest, this is a finding.

If the documented method to encrypt MongoDB data-at-rest is the native MongoDB encryption-at-rest, verify the MongoDB configuration file (default location /etc/mongod.conf) contains the following options:

security:
    kmip:
      keyIdentifier: <string>
      rotateMasterKey: <boolean>
      serverName: <string>
      port: <string>
      clientCertificateFile: <string>
      clientCertificatePassword: <string>
      clientCertificateSelector: <string>
      serverCAFile: <string>
      connectRetries: <int>
      connectTimeoutMS: <int>
      activateKeys: <boolean>
      keyStatePollingSeconds: <int>

If these above options are not configured in the MongoDB security.kmip section in the MongoDB configuration file, this is a finding.

Fix Text

Configure encryption-at-rest through hardware encryption, volume encryption, filesystem encryption, or third-party products if not using MongoDBs native encryption-at-rest.

When using MongoDBs native encryption-at-rest, configure MongoDB to use the Encrypted Storage Engine and a KMIP appliance as documented here:

https://www.mongodb.com/docs/v8.0/core/security-encryption-at-rest/

https://www.mongodb.com/docs/v8.0/tutorial/configure-encryption/