Skip to main content
CUI

STIG Rule - V-276238

Back to STIG Browser

V-276238

SV-276238r1150056_rule

CAT II

Azure SQL Managed Instance must implement cryptographic mechanisms preventing the unauthorized disclosure of organization-defined information at rest on organization-defined information system components.

From: Microsoft Azure SQL Managed Instance Security Technical Implementation Guide (V1R1)

Description

<VulnDiscussion>Azure SQL Managed Instance handling data requiring data-at-rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. Selection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

Check Procedure

Review the system documentation to determine whether the organization has defined the information at rest that is to be protected from modification, which must include, at a minimum, PII and classified information. If no information is identified as requiring such protection, this is not a finding. Review the configuration of the Azure SQL Managed Instance to ensure data-at-rest protections are implemented. If any of the information defined as requiring cryptographic protection from modification is not encrypted in a manner that provides the required level of protection, this is a finding. Use the query below to check the encryption status for each database. If any databases have an is_encrypted status of "0", this is a finding. SELECT [name] AS DatabaseName,is_encrypted FROM master.sys.databases WHERE database_id > 4;

Fix Text

For any database with an is_encrypted status of "0", use the query below to enable transparent data encryption: ALTER DATABASE [Database Name Here] SET ENCRYPTION ON;

CCI Reference

CCI-002476
Created
2026-04-07 20:08:22
Last Updated
2026-04-07 20:08:22
Back to Browse
CUI