💼 SC-28(1) Cryptographic Protection (L)(M)(H)

Contextual name: 💼 SC-28(1) Cryptographic Protection (L)(M)(H)
ID: /frameworks/fedramp-high-security-controls/sc/28/01
Located in: 💼 SC-28 Protection of Information at Rest (L)(M)(H)

Description

Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of the following information at rest on [FedRAMP Assignment: all information system components storing Federal data or system data that must be protected at the High or Moderate impact levels]: [Assignment: organization-defined information].

SC-28 (1) Additional FedRAMP Requirements and Guidance:

Guidance: Organizations should select a mode of protection that is targeted towards the relevant threat scenarios.

Examples:

A. Organizations may apply full disk encryption (FDE) to a mobile device where the primary threat is loss of the device while storage is locked.

B. For a database application housing data for a single customer, encryption at the file system level would often provide more protection than FDE against the more likely threat of an intruder on the operating system accessing the storage.

C. For a database application housing data for multiple customers, encryption with unique keys for each customer at the database record level may be more appropriate.

Similar

Sections
- /frameworks/nist-sp-800-53-r5/sc/28/01
Internal
- ID: dec-c-583700c7

Similar Sections (Take Policies From)

Section	Sub Sections	Internal Rules	Policies	Flags
💼 NIST SP 800-53 Revision 5 → 💼 SC-28(1) Protection of Information at Rest _ Cryptographic Protection		10	12

Similar Sections (Give Policies To)

Section	Sub Sections	Internal Rules	Policies	Flags
💼 FedRAMP Low Security Controls → 💼 SC-28(1) Cryptographic Protection (L)(M)(H)			12
💼 FedRAMP Moderate Security Controls → 💼 SC-28(1) Cryptographic Protection (L)(M)(H)			12

Sub Sections

Section	Sub Sections	Internal Rules	Policies	Flags

Policies (12)

Policy	Logic Count	Flags
📝 AWS Account EBS Volume Encryption Attribute is not enabled in all regions 🟢	1	🟢 x6
📝 AWS CloudTrail is not encrypted with KMS CMK 🟢	1	🟢 x6
📝 AWS EFS File System encryption is not enabled 🟢	1	🟢 x6
📝 AWS KMS Symmetric CMK Rotation is not enabled 🟢	1	🟢 x6
📝 AWS RDS Instance Encryption is not enabled 🟢	1	🟢 x6
📝 Azure Diagnostic Setting Logs export to Storage Account not encrypted with Customer-managed key 🟢	1	🟢 x6
📝 Azure PostgreSQL Single Server Infrastructure Double Encryption is not enabled 🟢	1	🟢 x6
📝 Azure SQL Server Transparent Data Encryption Protector is not encrypted with Customer-managed key 🟢	1	🟢 x6
📝 Azure Storage Account Require Infrastructure Encryption is not enabled 🟢	1	🟢 x6
📝 Azure Virtual Machine is not utilizing Managed Disks 🟢	1	🟢 x6
📝 Azure Virtual Machine OS and Data disks are not encrypted with Customer-managed key 🟢	1	🟢 x6
📝 Unattached Azure Managed Disk is not encrypted with Customer-managed key 🟢	1	🟢 x6

Internal Rules

Rule	Policies	Flags
✉️ dec-x-0bdcd276	1
✉️ dec-x-6ba5ecd2	1
✉️ dec-x-9cdb7407	1
✉️ dec-x-966d3183	1
✉️ dec-x-f63fd4f0	1

Description​

Similar​

Similar Sections (Take Policies From)​

Similar Sections (Give Policies To)​

Sub Sections​

Policies (12)​

Internal Rules​