Skip to main content

💼 SC-13 Cryptographic Protection (L)(M)(H)

  • ID: /frameworks/fedramp-moderate-security-controls/sc/13

Description

a. Determine the [Assignment: organization-defined cryptographic uses]; and

b. Implement the following types of cryptography required for each specified cryptographic use: [FedRAMP Assignment: FIPS-validated or NSA-approved cryptography].

SC-13 Additional FedRAMP Requirements and Guidance:

Guidance: This control applies to all use of cryptography. In addition to encryption, this includes functions such as hashing, random number generation, and key generation.

Examples include the following:

  • Encryption of data
  • Decryption of data
  • Generation of one time passwords (OTPs) for MFA
  • Protocols such as TLS, SSH, and HTTPS

The requirement for FIPS 140 validation, as well as timelines for acceptance of FIPS 140-2, and 140-3 can be found at the NIST Cryptographic Module Validation Program (CMVP).

Guidance: For NSA-approved cryptography, the National Information Assurance Partnership (NIAP) oversees a national program to evaluate Commercial IT Products for Use in National Security Systems. The NIAP Product Compliant List can be found at the following location: https://www.niap-ccevs.org/Product/index.cfm

Guidance:Guidance**: When leveraging encryption from underlying IaaS/PaaS: While some IaaS/PaaS provide encryption by default, many require encryption to be configured, and enabled by the customer. The CSP has the responsibility to verify encryption is properly configured.

Guidance: Moving to non-FIPS CM or product is acceptable when:

  • FIPS validated version has a known vulnerability

  • Feature with vulnerability is in use

  • Non-FIPS version fixes the vulnerability

  • Non-FIPS version is submitted to NIST for FIPS validation

  • POA&M is added to track approval, and deployment when ready

Guidance: At a minimum, this control applies to cryptography in use for the following controls: AU-9(3), CP-9(8), IA-2(6), IA-5(1), MP-5, SC-8(1), and SC-28(1).

Similar

  • Sections
    • /frameworks/fedramp-high-security-controls/sc/13
  • Internal
    • ID: dec-c-366da66a

Similar Sections (Take Policies From)

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
💼 FedRAMP High Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)1624no data

Sub Sections

SectionSub SectionsInternal RulesPoliciesFlagsCompliance

Policies (24)

PolicyLogic CountFlagsCompliance
🛡️ AWS Account EBS Volume Encryption Attribute is not enabled in all regions🟢1🟢 x6no data
🛡️ AWS API Gateway REST API Stage is not configured to use an SSL certificate for authentication🟢1🟢 x6no data
🛡️ AWS CloudFront Web Distribution Cache Behaviors allow unencrypted traffic🟢1🟢 x6no data
🛡️ AWS CloudFront Web Distribution does not encrypt traffic to Custom Origins🟢1🟢 x6no data
🛡️ AWS CloudFront Web Distribution uses default SSL/TLS certificate🟢1🟢 x6no data
🛡️ AWS CloudFront Web Distribution uses Dedicated IP for SSL🟢1🟢 x6no data
🛡️ AWS CloudFront Web Distribution uses outdated SSL protocols with Custom Origins🟢1🟢 x6no data
🛡️ AWS CloudTrail is not encrypted with KMS CMK🟢1🟢 x6no data
🛡️ AWS DAX Cluster Server-Side Encryption is not enabled🟢1🟢 x6no data
🛡️ AWS DMS Endpoint doesn't use SSL🟢1🟢 x6no data
🛡️ AWS EBS Attached Volume is not encrypted🟢1🟢 x6no data
🛡️ AWS EFS File System encryption is not enabled🟢1🟢 x6no data
🛡️ AWS IAM Server Certificate is expired🟢1🟢 x6no data
🛡️ AWS RDS Instance Encryption is not enabled🟢1🟢 x6no data
🛡️ AWS S3 Bucket Policy is not set to deny HTTP requests🟢1🟢 x6no data
🛡️ Azure App Service FTP deployments are not disabled🟢1🟢 x6no data
🛡️ Azure App Service HTTPS Only configuration is not enabled🟢1🟢 x6no data
🛡️ Azure Diagnostic Setting Logs export to Storage Account not encrypted with Customer-managed key🟢1🟢 x6no data
🛡️ Azure MySQL Flexible Server require_secure_transport Parameter is not set to ON🟢1🟢 x6no data
🛡️ Azure PostgreSQL Flexible Server require_secure_transport Parameter is not set to ON🟢1🟢 x6no data
🛡️ Azure PostgreSQL Single Server Enforce SSL Connection is not set enabled🟢1🟢 x6no data
🛡️ Azure Storage Account Secure Transfer Required is not enabled🟢1🟢 x6no data
🛡️ Azure Unattached Managed Disk is not encrypted with Customer-managed key🟢1🟢 x6no data
🛡️ Azure Virtual Machine OS and Data disks are not encrypted with Customer-managed key🟢1🟢 x6no data