
V-279095

CAT I (High)

JVM arguments must be configured to use approved cryptographic mechanisms to protect data in transit.

Rule ID

SV-279095r1171617_rule

STIG

Adobe ColdFusion Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-002421

Discussion

ColdFusion relies on the underlying JVM to transmit and receive data, but it also offers the programmer an encrypt API call to protect that data. This call can use multiple cryptographic methods, but methods validated to FIPS 140-2/140-3 or higher are superior to non-FIPS methods for protecting the data and detecting changes to it. Through JVM arguments set within ColdFusion, the programmer can be forced to use only FIPS cryptographic methods.

Check Content

Verify JVM Arguments for Crypto.

1. From the Admin Console Landing Screen, navigate to Server Settings >> Java and JVM.

If the JVM argument contains "-Dcoldfusion.enablefipscrypto=false" or "-Dcoldfusion.enablefipscrypto" is missing, this is a finding.

2. Observe the ColdFusion edition at the top of the Administrator Console. 

If the edition is "Standard", this is a finding.
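
The two check steps above, expressed as a function over values copied from the Administrator Console. This is an added example, not part of the STIG or of Adobe's tooling; the function name, message strings and sample argument strings are constructed, and reporting a bare flag or any value other than "true" as a finding is an assumption drawn from the Fix Text.

```python
FLAG = "-Dcoldfusion.enablefipscrypto"

# Message strings are hypothetical labels for this example.
MISSING = "JVM argument -Dcoldfusion.enablefipscrypto is missing"
DISABLED = "JVM argument -Dcoldfusion.enablefipscrypto is set to false"
NOT_TRUE = "JVM argument -Dcoldfusion.enablefipscrypto is not set to true"
STANDARD = "ColdFusion edition is Standard"


def check_v279095(jvm_args: str, edition: str) -> list[str]:
    """Return the V-279095 findings; an empty list means not a finding."""
    # Collect the value of every occurrence of the flag. The name must match
    # exactly, so a longer property name that merely starts with the flag
    # does not count. A bare flag with no "=value" is recorded as "".
    values = []
    for token in jvm_args.split():
        name, _, value = token.partition("=")
        if name == FLAG:
            values.append(value)

    findings = []
    if not values:
        findings.append(MISSING)
    elif any(v.lower() == "false" for v in values):
        # The check text flags "=false" anywhere in the arguments, so one
        # false occurrence is reported even if another occurrence says true.
        findings.append(DISABLED)
    elif any(v != "true" for v in values):
        # Assumption: only the exact value from the Fix Text passes.
        findings.append(NOT_TRUE)

    if edition.strip().lower() == "standard":
        findings.append(STANDARD)
    return findings


if __name__ == "__main__":
    # Constructed sample inputs, as they might be copied from the console.
    samples = [
        ("-server -Xms256m -Xmx1024m -Dcoldfusion.enablefipscrypto=true", "Enterprise"),
        ("-server -Xms256m -Xmx1024m", "Enterprise"),
        ("-Dcoldfusion.enablefipscrypto=true -Dcoldfusion.enablefipscrypto=false", "Enterprise"),
        ("-Dcoldfusion.enablefipscrypto=true", "Standard"),
    ]
    for args, edition in samples:
        print(edition, "|", args, "->", check_v279095(args, edition) or "not a finding")
```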

Fix Text

Configure JVM Arguments for Crypto.

1. From the Admin Console Landing Screen, navigate to Server Settings >> Java and JVM.

2. Amend JVM arguments with "-Dcoldfusion.enablefipscrypto=true".

3. Click "Submit Changes".

4. If not using Enterprise Edition or cryptographic mechanisms are not available, reinstall with Enterprise Edition.