STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

V-274840

CAT II (Medium)

The API must protect the private keys used to sign assertions and tokens.

Rule ID

SV-274840r1143882_rule

STIG

Application Programming Interface (API) Security Requirements Guide

Version

V1R1

CCIs

CCI-005157, CCI-000366

Discussion

Private keys are used to sign tokens and assertions, which verify the identity and permissions of users or systems requesting access. If these keys are compromised, attackers could generate fraudulent tokens or assertions, granting unauthorized access to sensitive resources and potentially causing significant damage to both the system and its users. The level of protection required for these private keys depends on the sensitivity of the information and the potential impact of a security breach. By ensuring private keys are properly secured through strong encryption, access controls, and key management, the API can prevent unauthorized access, safeguard the integrity of the authentication process, and minimize the risk of severe consequences from key compromise.

Check Content

To check if the API protects the private keys used to sign assertions and tokens:

Verify private keys used for signing tokens and assertions are stored securely. These keys must not be hard coded in the codebase or stored in plaintext files.

Verify private keys are stored in a secure location such as a hardware security module (HSM) or key management service (KMS), which provides encryption and access control.

Verify only authorized personnel or systems can access the keys. Review filesystem permissions.

Verify that the private keys are encrypted both at rest and in transit. If using cloud-based key management systems, ensure that encryption is enabled by default.

Verify private keys are only used for their intended purpose—signing tokens and assertions. 

Audit the system to ensure that keys are only accessible during token generation or signing processes and not left accessible longer than needed.

Confirm that there is a key rotation policy in place for the private keys used to sign tokens and assertions. These keys should be rotated regularly to reduce the risk of compromise.

Implement monitoring and logging mechanisms to audit any access to, or use of, private keys. Logs must capture who accessed the key, when, and for what purpose.

Review the API's or key management system's documentation to confirm private key protection practices align with industry standards, such as NIST guidelines and FIPS compliance.

If the API is not protecting private keys, this is a finding.
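As an added example (not part of the STIG text or of STIGhub), the following Python script automates the filesystem-level steps of the check above: it walks a directory tree looking for PEM private-key headers in source and configuration files (hard-coded keys), flags key files whose material is stored in plaintext rather than encrypted at rest, and reports key files whose permission bits allow group or world access. It does not verify HSM/KMS use, key rotation or access logging; those steps need review of the key management service itself. The sample tree it builds, the file names and the placeholder PEM bodies are constructed for illustration and contain no real key material.

```python
"""Audit helper for the V-274840 check: find private keys committed to a
codebase or stored as plaintext files, and flag key files readable by
group/other. Added example; not DISA or STIGhub code."""
import re
import stat
import tempfile
from dataclasses import dataclass
from pathlib import Path

# PEM headers that mark a private key of any common type (encrypted ones included).
PRIVATE_KEY_HEADER = re.compile(
    r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"
)
# Markers showing the key material itself is encrypted at rest (PKCS#8 or legacy PEM).
ENCRYPTED_MARKER = re.compile(r"BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED")
# File types in which a private key should never appear at all (source and config).
SOURCE_SUFFIXES = {".py", ".js", ".ts", ".go", ".java", ".cs", ".rb",
                   ".yaml", ".yml", ".json", ".toml", ".ini", ".env", ".cfg"}
MAX_BYTES = 2_000_000  # skip large binaries


@dataclass(frozen=True)
class Finding:
    path: str
    reason: str


def audit_file(path: Path) -> list[Finding]:
    """Apply the hard-coded / plaintext / permission checks to one file."""
    findings: list[Finding] = []
    try:
        if path.stat().st_size > MAX_BYTES:
            return findings
        text = path.read_text(errors="ignore")
    except OSError:
        return findings
    if not PRIVATE_KEY_HEADER.search(text):
        return findings
    if path.suffix.lower() in SOURCE_SUFFIXES:
        # A key inside source or config is a finding regardless of file mode.
        findings.append(Finding(str(path), "private key hard coded in source or config"))
        return findings
    if not ENCRYPTED_MARKER.search(text):
        findings.append(Finding(str(path), "plaintext (unencrypted) private key file"))
    mode = path.stat().st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(Finding(
            str(path),
            f"key file accessible to group/other (mode {stat.S_IMODE(mode):04o})"))
    return findings


def audit_tree(root) -> list[Finding]:
    """Walk a directory tree (skipping .git) and collect all findings."""
    out: list[Finding] = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and ".git" not in p.parts:
            out.extend(audit_file(p))
    return out


# Constructed placeholder PEM bodies: not real key material.
FAKE_PLAINTEXT_PEM = ("-----BEGIN PRIVATE KEY-----\nMIIEvPLACEHOLDER\n"
                      "-----END PRIVATE KEY-----\n")
FAKE_ENCRYPTED_PEM = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIFHPLACEHOLDER\n"
                      "-----END ENCRYPTED PRIVATE KEY-----\n")


def build_sample_tree() -> str:
    """Create a throwaway directory with files that fail and pass the checks."""
    root = Path(tempfile.mkdtemp(prefix="v274840_"))
    (root / "app").mkdir()
    (root / "keys").mkdir()
    # 1. Signing key hard coded in application source (one finding).
    (root / "app" / "jwt.py").write_text('SIGNING_KEY = """' + FAKE_PLAINTEXT_PEM + '"""\n')
    # 2. Plaintext key file that is also world-readable (two findings).
    bad = root / "keys" / "signing.pem"
    bad.write_text(FAKE_PLAINTEXT_PEM)
    bad.chmod(0o644)
    # 3. Encrypted key file restricted to its owner (no finding).
    ok = root / "keys" / "signing_encrypted.pem"
    ok.write_text(FAKE_ENCRYPTED_PEM)
    ok.chmod(0o600)
    (root / "README.md").write_text("No keys here.\n")
    return str(root)


def reasons_by_file(root) -> dict[str, list[str]]:
    """Group finding reasons by file name for reporting or assertions."""
    grouped: dict[str, list[str]] = {}
    for f in audit_tree(root):
        grouped.setdefault(Path(f.path).name, []).append(f.reason)
    return grouped


if __name__ == "__main__":
    for finding in audit_tree(build_sample_tree()):
        print(f"{finding.reason}: {finding.path}")
```

Run it against a checkout of the API's repository and its deployed key directories; any output line is evidence for the finding, while an encrypted, owner-only key file (or, better, a key that never leaves an HSM/KMS and so never appears on disk at all) produces none.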

Fix Text

Build or configure the API to properly protect private keys used to sign assertions and tokens.