💼 SC-28 Protection of Information at Rest (L)(M)(H)

• Contextual name: 💼 SC-28 Protection of Information at Rest (L)(M)(H)
• ID: /frameworks/fedramp-high-security-controls/sc/28
• Located in: 💼 System and Communications Protection

Description

Protect the [FedRAMP Assignment: confidentiality AND integrity] of the following information at rest: [Assignment: organization-defined information at rest].

SC-28 Additional FedRAMP Requirements and Guidance:

Guidance: The organization supports the capability to use cryptographic mechanisms to protect information at rest.

Guidance: When leveraging encryption from underlying IaaS/PaaS: While some IaaS/PaaS services provide encryption by default, many require encryption to be configured, and enabled by the customer. The CSP has the responsibility to verify encryption is properly configured.

Guidance: Note that this enhancement requires the use of cryptography in accordance with SC-13.

Similar

• Sections
  • /frameworks/nist-sp-800-53-r5/sc/28
• Internal
  • ID: dec-c-ae145ea2

Similar Sections (Take Policies From)

Section	Sub Sections	Internal Rules	Policies	Flags
💼 NIST SP 800-53 Revision 5 → 💼 SC-28 Protection of Information at Rest	3	16	25

Similar Sections (Give Policies To)

Section	Sub Sections	Internal Rules	Policies	Flags
💼 FedRAMP Low Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H)	1		24
💼 FedRAMP Moderate Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H)	1		24

Sub Sections

Section	Sub Sections	Internal Rules	Policies	Flags
💼 SC-28(1) Cryptographic Protection (L)(M)(H)		5	14

Policies (22)

Policy	Logic Count	Flags
📝 AWS Account EBS Volume Encryption Attribute is not enabled in all regions 🟢	1	🟢 x6
📝 AWS CloudTrail is not encrypted with KMS CMK 🟢	1	🟢 x6
📝 AWS DAX Cluster Server-Side Encryption is not enabled 🟢	1	🟢 x6
📝 AWS EBS Attached Volume is not encrypted 🟢	1	🟢 x6
📝 AWS EFS File System encryption is not enabled 🟢	1	🟢 x6
📝 AWS RDS Instance Encryption is not enabled 🟢	1	🟢 x6
📝 Azure App Service FTP deployments are not disabled 🟢	1	🟢 x6
📝 Azure Diagnostic Setting Logs export to Storage Account not encrypted with Customer-managed key 🟢	1	🟢 x6
📝 Azure MySQL Flexible Server require_secure_transport Parameter is not set to ON 🟢	1	🟢 x6
📝 Azure PostgreSQL Flexible Server require_secure_transport Parameter is not set to ON 🟢	1	🟢 x6
📝 Azure PostgreSQL Single Server Enforce SSL Connection is not set enabled 🟢	1	🟢 x6
📝 Azure PostgreSQL Single Server Infrastructure Double Encryption is not enabled 🟢	1	🟢 x6
📝 Azure SQL Server Transparent Data Encryption Protector is not encrypted with Customer-managed key 🟢	1	🟢 x6
📝 Azure Storage Account Require Infrastructure Encryption is not enabled 🟢	1	🟢 x6
📝 Azure Storage Account With Critical Data is not encrypted with customer managed key 🟢		🟢 x3
📝 Azure Unattached Managed Disk is not encrypted with Customer-managed key 🟢	1	🟢 x6
📝 Azure Virtual Machine OS and Data disks are not encrypted with Customer-managed key 🟢	1	🟢 x6
📝 Google BigQuery Dataset is not encrypted with Customer-Managed Encryption Key (CMEK) 🟢	1	🟢 x6
📝 Google BigQuery Table is not encrypted with Customer-Managed Encryption Key (CMEK) 🟢	1	🟢 x6
📝 Google Dataproc Cluster is not encrypted using Customer-Managed Encryption Key 🟢	1	🟢 x6
📝 Google GCE Disk for critical VMs is not encrypted with Customer-Supplied Encryption Key (CSEK) 🟢	1	🟢 x6
📝 Google GCE Instance Confidential Compute is not enabled 🟢	1	🟢 x6

Internal Rules

Rule	Policies	Flags
✉️ dec-x-0bdcd276	1
✉️ dec-x-5c3c2067	1
✉️ dec-x-6ba5ecd2	1
✉️ dec-x-9cdb7407	1
✉️ dec-x-966d3183	1
✉️ dec-x-aef11ebd	1
✉️ dec-x-f63fd4f0	1