Does the DoD STIG require Transparent Database Encryption (TDE)?

The short answer is: It depends on whether or not the Data Owner says the data must be encrypted.

The current version of the DoD Database STIG is v8r1. Here are two relevant sections from that document:

3.1.4.3
Unique security requirements (encryption of sensitive data)
Access to sensitive data may not always be sufficiently protected by authorizations and requires encryption. In some cases, the required encryption may be provided by the application accessing the database. In others, the DBMS may be configured to provide the data encryption. When the DBMS provides the encryption, the requirement must be implemented as identified by the Information Owner to prevent unauthorized disclosure or access.
• (DG0106: CAT II) The DBA will ensure security requirements specific to the use of the database are configured as identified in the System Security Plan.

3.3.5
Encryption for Confidentiality - Data at Rest (ECCR)
Where access controls do not provide complete protection of sensitive data, encryption can help to close the gap. Where privileged users do not have a need-to-know, where files are stored externally to the database, where application user roles cannot be restricted by privileges to single rows and columns of data to those they need to access, encryption can provide the required level of protection.
• (DG0068: CAT II) The DBA will ensure applications that access the database are not used with options that display the database account password on the command line.
• (DG0090: CAT II) The IAO/DBA will ensure sensitive data is encrypted within the database where required by the Information Owner.
• (DG0092: CAT II) The DBA will ensure database data files are encrypted where encryption of sensitive data within the DBMS is not available.

While the Database STIG is a generic document, Security Readiness Review (SRR) documents are brand and version specific. The latest SRR for SQL Server is v8r1-2, and here are a couple of relevant sections:

4.53 DG0090: DBMS sensitive data identification and encryption
Description: Sensitive data stored in unencrypted format within the database is vulnerable to unauthorized viewing.
Check: If no data is identified as being sensitive or classified by the Information Owner, in the System Security Plan or in the AIS Functional Architecture documentation, this check is Not a Finding.

4.54 DG0092: DBMS data file encryption
Description: Where access controls do not provide complete protection of sensitive or classified data, encryption can help to close the gap. Encryption of sensitive data helps protect disclosure to privileged users who do not have a need-to-know requirement to view the data that is stored in files outside of the database. Data encryption also provides a level of protection where database controls cannot restrict access to single rows and columns of data.
Check: Review the System Security Plan and/or the AIS Functional Architecture documentation to discover sensitive or classified data identified by the Information Owner that requires encryption. If no sensitive or classified data is identified as requiring encryption by the Information Owner, this check is Not a Finding.

So, if a data owner asks you if their data should be encrypted, what should you tell them? I discuss some of the issues you should consider in this article.

I'll also mention that the SharePoint STIG includes a requirement that seems to say that the DoD requires every SharePoint database to be encrypted with TDE. Fortunately, that is not the case, and their requirement is consistent with the Database STIG: It depends on the decision of the Data Owner.

DISA Clarification on SharePoint STIG

Action Description: Customer has a question regarding the intent of the check V-28066 SRG-APP-000188-COL-000134 from the SharePoint STIG.
Status or Resolution Summary: The data only has to be encrypted in the SQL database if it is required by the Data Owner. This is rare. There is another requirement that covers protection of data removed from the database, so that's not applicable here. So no, you wouldn't encrypt unless there is a mission requirement.