STIGhubSTIGhub
STIGsRMF ControlsCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • RMF Controls
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated 3 hours ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to Microsoft SQL Server 2022 Database Security Technical Implementation Guide

V-271199

CAT I (High)

SQL Server must use NSA-approved cryptography to protect classified information in accordance with the data owner’s requirements.

Rule ID

SV-271199r1117186_rule

STIG

Microsoft SQL Server 2022 Database Security Technical Implementation Guide

Version

V1R3

CCIs

CCI-002450

Discussion

Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The application must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. It is the responsibility of the data owner to assess the cryptography requirements in light of applicable federal laws, Executive Orders, directives, policies, regulations, and standards. NSA-approved cryptography for classified networks is hardware based. This requirement addresses the compatibility of a DBMS with the encryption devices.

Check Content

Detailed information on the NIST Cryptographic Module Validation Program (CMVP) is available at the following website: http://csrc.nist.gov/groups/STM/cmvp/index.html.

Review system documentation to determine whether cryptography for classified or sensitive information is required by the information owner.

If the system documentation does not specify the type of information hosted on SQL Server as classified, sensitive, and/or unclassified, this is a finding.

If neither classified nor sensitive information exists within SQL Server databases or configuration, this is not a finding.

Verify that Windows is configured to require the use of FIPS-compliant algorithms.

1. Click "Start".
2. Type "Local Security Policy".
3. Press "Enter". 
4. Expand "Local Policies". 
5. Select "Security Options".
6. Locate "System Cryptography:  Use FIPS compliant algorithms for encryption, hashing, and signing". 

If the Security Setting for this option is "Disabled", this is a finding.

Note: The list of acceptable algorithms is "AES 256" and "Triple DES".

If cryptography is being used by SQL Server, verify that the cryptography is NIST FIPS 140-2 or 140-3 certified by running the following SQL query:

SELECT DISTINCT name, algorithm_desc
FROM sys.symmetric_keys
WHERE key_algorithm NOT IN ('D3','A3')
ORDER BY name

If any items listed show an uncertified NIST FIPS 140-2 algorithm type, this is a finding.

Fix Text

Configure cryptographic functions to use NSA-approved cryptography compliant algorithms.

Use DOD code-signing certificates to create asymmetric keys stored in the database used to encrypt sensitive data stored in the database.

Run the following SQL script to create a certificate:

USE 
CREATE CERTIFICATE 
 ENCRYPTION BY PASSWORD = <'password'>
 FROM FILE = <'path/file_name'>
 WITH SUBJECT = 'name of person creating key',
 EXPIRY_DATE = '<'expiration date: yyyymmdd'>'

Run the following SQL script to create a symmetric key and assign an existing certificate:

USE 
CREATE SYMMETRIC KEY <'key name'>
 WITH ALGORITHM = AES_256 
 ENCRYPTION BY CERTIFICATE

For Transparent Data Encryption (TDE):

USE master;
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '';
CREATE CERTIFICATE  . . .;
USE ;
CREATE DATABASE ENCRYPTION KEY
WITH ALGORITHM = AES_256
ENCRYPTION BY SERVER CERTIFICATE ;
ALTER DATABASE 
SET ENCRYPTION ON;