
💼 SC-13 Cryptographic Protection (L)(M)(H)

Description

a. Determine the [Assignment: organization-defined cryptographic uses]; and

b. Implement the following types of cryptography required for each specified cryptographic use: [FedRAMP Assignment: FIPS-validated or NSA-approved cryptography].

SC-13 Additional FedRAMP Requirements and Guidance:

Guidance: This control applies to all use of cryptography. In addition to encryption, this includes functions such as hashing, random number generation, and key generation.

Examples include the following:

  • Encryption of data
  • Decryption of data
  • Generation of one-time passwords (OTPs) for MFA
  • Protocols such as TLS, SSH, and HTTPS

The requirement for FIPS 140 validation, as well as timelines for acceptance of FIPS 140-2 and 140-3, can be found at the NIST Cryptographic Module Validation Program (CMVP).

Guidance: For NSA-approved cryptography, the National Information Assurance Partnership (NIAP) oversees a national program to evaluate Commercial IT Products for Use in National Security Systems. The NIAP Product Compliant List can be found at the following location: https://www.niap-ccevs.org/Product/index.cfm

Guidance: When leveraging encryption from underlying IaaS/PaaS: While some IaaS/PaaS provide encryption by default, many require encryption to be configured and enabled by the customer. The CSP has the responsibility to verify encryption is properly configured.

Guidance: Moving to non-FIPS CM or product is acceptable when:

  • FIPS validated version has a known vulnerability

  • Feature with vulnerability is in use

  • Non-FIPS version fixes the vulnerability

  • Non-FIPS version is submitted to NIST for FIPS validation

  • POA&M is added to track approval, and deployment when ready

Guidance: At a minimum, this control applies to cryptography in use for the following controls: AU-9(3), CP-9(8), IA-2(6), IA-5(1), MP-5, SC-8(1), and SC-28(1).

Similar

  • Sections
    • /frameworks/nist-sp-800-53-r5/sc/13
    • /frameworks/fedramp-high-security-controls/sc/13
  • Internal
    • ID: dec-c-366da66a

Similar Sections (Take Policies From)

Section | Sub Sections | Internal Rules | Policies | Flags
💼 FedRAMP High Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H) 1316
💼 NIST SP 800-53 Revision 5 → 💼 SC-13 Cryptographic Protection 46

Sub Sections

Section | Sub Sections | Internal Rules | Policies | Flags

Policies (16)

| Policy | Logic Count | Flags |
| --- | --- | --- |
| 📝 AWS Account EBS Volume Encryption Attribute is not enabled in all regions 🟢 | 1 | 🟢 x6 |
| 📝 AWS API Gateway REST API Stage is not configured to use an SSL certificate for authentication 🟢 | 1 | 🟢 x6 |
| 📝 AWS CloudTrail is not encrypted with KMS CMK 🟢 | 1 | 🟢 x6 |
| 📝 AWS EFS File System encryption is not enabled 🟢 | 1 | 🟢 x6 |
| 📝 AWS IAM Server Certificate is expired 🟢 | 1 | 🟢 x6 |
| 📝 AWS RDS Instance Encryption is not enabled 🟢 | 1 | 🟢 x6 |
| 📝 AWS S3 Bucket Policy is not set to deny HTTP requests 🟢 | 1 | 🟢 x6 |
| 📝 Azure App Service FTP deployments are not disabled 🟢 | 1 | 🟢 x6 |
| 📝 Azure App Service HTTPS Only configuration is not enabled 🟢 | 1 | 🟢 x6 |
| 📝 Azure Diagnostic Setting Logs export to Storage Account not encrypted with Customer-managed key 🟢 | 1 | 🟢 x6 |
| 📝 Azure MySQL Flexible Server require_secure_transport Parameter is not set to ON 🟢 | 1 | 🟢 x6 |
| 📝 Azure PostgreSQL Flexible Server require_secure_transport Parameter is not set to ON 🟢 | 1 | 🟢 x6 |
| 📝 Azure PostgreSQL Single Server Enforce SSL Connection is not set enabled 🟢 | 1 | 🟢 x6 |
| 📝 Azure Storage Account Secure Transfer Required is not enabled 🟢 | 1 | 🟢 x6 |
| 📝 Azure Virtual Machine OS and Data disks are not encrypted with Customer-managed key 🟢 | 1 | 🟢 x6 |
| 📝 Unattached Azure Managed Disk is not encrypted with Customer-managed key 🟢 | 1 | 🟢 x6 |