V-279387
SV-279387r1179328_rule
CAT I
MongoDB must implement cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest (to include, at a minimum, PII and classified information) on organization-defined information system components.
From: MongoDB Enterprise Advanced 8.x Security Technical Implementation Guide (V1R1)
Description
<VulnDiscussion>Database management system (DBMSs) handling data requiring data-at-rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. These cryptographic mechanisms may be native to the DBMS or implemented via additional software or operating system/file system settings, as appropriate to the situation.
Selection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields).
The decision whether and what to encrypt rests with the data owner and is also influenced by the physical measures taken to secure the equipment and media on which the information resides.
Satisfies: SRG-APP-000428-DB-000386, SRG-APP-000429-DB-000387</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
Check Procedure
Review the documentation or specification for the organization-defined information.
If any data is PII, classified, or per the organization must be encrypted at rest, verify the method of encryption is documented.
If no documented mechanism is being used to encrypt data-at-rest such as hardware encryption, volume encryption, filesystem encryption or the use of third-party products to enable encryption at rest, this is a finding.
If the documented method to encrypt MongoDB data-at-rest is the native MongoDB encryption-at-rest, verify the MongoDB configuration file (default location /etc/mongod.conf) contains the following options:
security:
kmip:
keyIdentifier: <string>
rotateMasterKey: <boolean>
serverName: <string>
port: <string>
clientCertificateFile: <string>
clientCertificatePassword: <string>
clientCertificateSelector: <string>
serverCAFile: <string>
connectRetries: <int>
connectTimeoutMS: <int>
activateKeys: <boolean>
keyStatePollingSeconds: <int>
If these above options are not configured in the MongoDB security.kmip section in the MongoDB configuration file, this is a finding.
Fix Text
Configure encryption-at-rest through hardware encryption, volume encryption, filesystem encryption, or third-party products if not using MongoDBs native encryption-at-rest.
When using MongoDBs native encryption-at-rest, configure MongoDB to use the Encrypted Storage Engine and a KMIP appliance as documented here:
https://www.mongodb.com/docs/v8.0/core/security-encryption-at-rest/
https://www.mongodb.com/docs/v8.0/tutorial/configure-encryption/
CCI Reference
CCI-002475,CCI-002476- Created
- 2026-04-07 20:08:22
- Last Updated
- 2026-04-07 20:08:22