| SRG-APP-000014-API-000020 | The API must encrypt data in transit. |
| SRG-APP-000033-API-000070 | The API must be configured to use approved authorizations for access control. |
| SRG-APP-000089-API-000120 | The API must enable monitoring and alerts. |
| SRG-APP-000091-API-001725 | The API Gateway must generate audit records when successful/unsuccessful attempts to access privileges occur. |
| SRG-APP-000091-API-001730 | The API must generate audit records when successful/unsuccessful attempts to access privileges occur. |
| SRG-APP-000095-API-001735 | The API Gateway must generate audit records of what type of events occurred. |
| SRG-APP-000095-API-001740 | The API must monitor the usage of API keys to detect any anomalies. |
| SRG-APP-000095-API-001745 | The API must generate audit records of what type of events occurred. |
| SRG-APP-000095-API-001750 | The API must audit rate-limiting events. |
| SRG-APP-000095-API-001755 | The API Gateway must audit rate limiting events. |
| SRG-APP-000095-API-001760 | The API Gateway must audit authentication and authorization information. |
| SRG-APP-000095-API-001765 | The API must audit authentication and authorization information. |
| SRG-APP-000095-API-001770 | The API Gateway must audit exceptions and errors that occur during the processing. |
| SRG-APP-000095-API-001775 | The API must audit exceptions and errors that occur during the processing. |
| SRG-APP-000095-API-001780 | The API Gateway must audit execution time and performance metrics. |
| SRG-APP-000095-API-001785 | The API must audit execution time and performance metrics. |
| SRG-APP-000095-API-001790 | The API Gateway must audit request and response details (such as method, URL, headers, body, status, etc.). |
| SRG-APP-000095-API-001795 | The API must audit request and response details (such as method, URL, headers, body, status, etc.). |
| SRG-APP-000098-API-000145 | All defined API elements must be documented. |
| SRG-APP-000141-API-000240 | API keys must be configured with usage restrictions. |
| SRG-APP-000141-API-000245 | The API must limit the exposure of endpoints. |
| SRG-APP-000148-API-000255 | The API must use an approved DOD enterprise identity, credential, and access management (ICAM) solution to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). |
| SRG-APP-000219-API-000460 | The API must protect Session IDs via encryption. |
| SRG-APP-000224-API-000475 | The API keys must be securely generated using a FIPS-validated Random Number Generator (RNG). |
| SRG-APP-000231-API-000490 | The API implementation must use FIPS-validated encryption and hashing algorithms to protect the confidentiality and integrity of API keys. |
| SRG-APP-000231-API-000495 | The API must encrypt sensitive cached data. |
| SRG-APP-000247-API-000520 | The API must employ throttling. |
| SRG-APP-000251-API-000525 | The API must specify allowed origins when using Cross-Origin Resource Sharing (CORS). |
| SRG-APP-000266-API-000535 | The API must not disclose sensitive data in error messages. |
| SRG-APP-000340-API-000675 | Access to API privileged features and functions must be restricted. |
| SRG-APP-000389-API-000820 | The API must require periodic reauthentication. |
| SRG-APP-000400-API-000845 | The API must have a mechanism for cache invalidation when using cache policy data. |
| SRG-APP-000400-API-000850 | When stateless authentication tokens are used, the API must configure them with appropriate security settings. |
| SRG-APP-000400-API-000855 | The API's internal authorization tokens must not be provided back to the user. |
| SRG-APP-000400-API-000860 | API access tokens must be configured to expire. |
| SRG-APP-000400-API-000865 | API refresh tokens must be configured to expire. |
| SRG-APP-000247-API-000870 | The API must enforce per-client rate limits. |
| SRG-APP-000419-API-000945 | Clients must be configured to route requests through a single API gateway that enforces the association and transmission of organization-defined security attributes with each request. |
| SRG-APP-000435-API-000995 | The API must use a gateway. |
| SRG-APP-000439-API-001005 | The amount of data returned by the API must be restricted. |
| SRG-APP-000439-API-001010 | The API must use TLS version 1.2 at a minimum. |
| SRG-APP-000441-API-001020 | The API must audience-restrict access tokens in accordance with organization-defined identification and authentication policy. |
| SRG-APP-000447-API-001030 | The API must use parameterized queries. |
| SRG-APP-000447-API-001035 | The API must provide input validation. |
| SRG-APP-000461-API-001075 | The API must authenticate remote commands. |
| SRG-APP-000516-API-001295 | The API must encode outputs. |
| SRG-APP-000516-API-001300 | The API must use a static type of system. |
| SRG-APP-000516-API-001305 | The API must use Web Application Firewall (WAF). |
| SRG-APP-000630-API-001375 | The API must use a FIPS-validated cryptographic module to provision digital signatures for tokens. |
| SRG-APP-000645-API-001385 | API services identified within the system as unnecessary and/or nonsecure must be disabled. |
| SRG-APP-000915-API-001610 | The API must provide protected storage for API keys. |
| SRG-APP-000945-API-001635 | API must use a circuit breaker pattern to handle failures and timeouts. |
| SRG-APP-000965-API-001655 | Cryptographic keys that protect access tokens must be protected. |
| SRG-APP-000970-API-001660 | The API must protect the private keys used to sign assertions and tokens. |
| SRG-APP-000975-API-001665 | Generating assertions must be restricted. |
| SRG-APP-000980-API-001670 | The API must issue assertions in accordance with organization-defined identification and authentication policy. |
| SRG-APP-000985-API-001675 | The API must refresh assertions in accordance with organization-defined identification and authentication policy. |
| SRG-APP-000990-API-001680 | The API must revoke assertions in accordance with organization-defined identification and authentication policy. |
| SRG-APP-000995-API-001685 | The API must time-restrict assertions in accordance with organization-defined identification and authentication policy. |
| SRG-APP-001000-API-001690 | The API must audience-restrict assertions in accordance with organization-defined identification and authentication policy. |
| SRG-APP-001005-API-001695 | The API must generate access tokens in accordance with organization-defined identification and authentication policy. |
| SRG-APP-001010-API-001700 | The API must issue access tokens in accordance with organization-defined identification and authentication policy. |
| SRG-APP-001015-API-001705 | The API must refresh access tokens in accordance with organization-defined identification and authentication policy. |
| SRG-APP-001020-API-001710 | The API must revoke access tokens in accordance with organization-defined identification and authentication policy. |
| SRG-APP-001025-API-001715 | The API must time-restrict access tokens in accordance with organization-defined identification and authentication policy. |