SC-13 Cryptographic Protection (L)(M)(H)
- Contextual name: SC-13 Cryptographic Protection (L)(M)(H)
- ID: /frameworks/fedramp-high-security-controls/sc/13
- Located in: System and Communications Protection
Description
a. Determine the [Assignment: organization-defined cryptographic uses]; and
b. Implement the following types of cryptography required for each specified cryptographic use: [FedRAMP Assignment: FIPS-validated or NSA-approved cryptography].
SC-13 Additional FedRAMP Requirements and Guidance:
Guidance: This control applies to all use of cryptography. In addition to encryption, this includes functions such as hashing, random number generation, and key generation.
Examples include the following:
- Encryption of data
- Decryption of data
- Generation of one time passwords (OTPs) for MFA
- Protocols such as TLS, SSH, and HTTPS
The requirement for FIPS 140 validation, as well as the timelines for acceptance of FIPS 140-2 and 140-3, can be found at the NIST Cryptographic Module Validation Program (CMVP).
Guidance: For NSA-approved cryptography, the National Information Assurance Partnership (NIAP) oversees a national program to evaluate Commercial IT Products for Use in National Security Systems. The NIAP Product Compliant List can be found at the following location: https://www.niap-ccevs.org/Product/index.cfm
Guidance: When leveraging encryption from the underlying IaaS/PaaS: while some IaaS/PaaS offerings provide encryption by default, many require encryption to be configured and enabled by the customer. The CSP has the responsibility to verify that encryption is properly configured.
Guidance: Moving to a non-FIPS cryptographic module (CM) or product is acceptable when:
- The FIPS-validated version has a known vulnerability
- The feature with the vulnerability is in use
- The non-FIPS version fixes the vulnerability
- The non-FIPS version is submitted to NIST for FIPS validation
- A POA&M is added to track approval and deployment when ready
Guidance: At a minimum, this control applies to cryptography in use for the following controls: AU-9(3), CP-9(8), IA-2(6), IA-5(1), MP-5, SC-8(1), and SC-28(1).
Similar
- Sections: /frameworks/nist-sp-800-53-r5/sc/13
- Internal ID: dec-c-366da66a
Similar Sections (Take Policies From)
Section | Sub Sections | Internal Rules | Policies | Flags |
---|---|---|---|---|
NIST SP 800-53 Revision 5 > SC-13 Cryptographic Protection | 4 | 6 | | |
Similar Sections (Give Policies To)
Section | Sub Sections | Internal Rules | Policies | Flags |
---|---|---|---|---|
FedRAMP Low Security Controls > SC-13 Cryptographic Protection (L)(M)(H) | 16 | | | |
FedRAMP Moderate Security Controls > SC-13 Cryptographic Protection (L)(M)(H) | 16 | | | |
Sub Sections
Section | Sub Sections | Internal Rules | Policies | Flags |
---|---|---|---|---|
Policies (16)
Internal Rules
Rule | Policies | Flags |
---|---|---|
dec-x-0bdcd276 | 1 | |
dec-x-5c3c2067 | 1 | |
dec-x-6ba5ecd2 | 1 | |
dec-x-9cdb7407 | 1 | |
dec-x-12a85339 | 1 | |
dec-x-14f5fc25 | 1 | |
dec-x-75db76ad | 1 | |
dec-x-966d3183 | 1 | |
dec-x-995424b7 | 2 | |
dec-x-c0a7793e | 1 | |
dec-x-d5fbfc40 | 1 | |
dec-x-d95ea48b | 1 | |
dec-x-f63fd4f0 | 1 | |