Skip to main content

💼 SC-13 Cryptographic Protection (L)(M)(H)

Description

a. Determine the [Assignment: organization-defined cryptographic uses]; and

b. Implement the following types of cryptography required for each specified cryptographic use: [FedRAMP Assignment: FIPS-validated or NSA-approved cryptography].

SC-13 Additional FedRAMP Requirements and Guidance:

Guidance: This control applies to all use of cryptography. In addition to encryption, this includes functions such as hashing, random number generation, and key generation.

Examples include the following:

  • Encryption of data
  • Decryption of data
  • Generation of one time passwords (OTPs) for MFA
  • Protocols such as TLS, SSH, and HTTPS

The requirement for FIPS 140 validation, as well as timelines for acceptance of FIPS 140-2, and 140-3 can be found at the NIST Cryptographic Module Validation Program (CMVP).

Guidance: For NSA-approved cryptography, the National Information Assurance Partnership (NIAP) oversees a national program to evaluate Commercial IT Products for Use in National Security Systems. The NIAP Product Compliant List can be found at the following location: https://www.niap-ccevs.org/Product/index.cfm

Guidance:Guidance**: When leveraging encryption from underlying IaaS/PaaS: While some IaaS/PaaS provide encryption by default, many require encryption to be configured, and enabled by the customer. The CSP has the responsibility to verify encryption is properly configured.

Guidance: Moving to non-FIPS CM or product is acceptable when:

  • FIPS validated version has a known vulnerability

  • Feature with vulnerability is in use

  • Non-FIPS version fixes the vulnerability

  • Non-FIPS version is submitted to NIST for FIPS validation

  • POA&M is added to track approval, and deployment when ready

Guidance: At a minimum, this control applies to cryptography in use for the following controls: AU-9(3), CP-9(8), IA-2(6), IA-5(1), MP-5, SC-8(1), and SC-28(1).

Similar

  • Sections
    • /frameworks/fedramp-high-security-controls/sc/13
  • Internal
    • ID: dec-c-366da66a

Similar Sections (Take Policies From)

SectionSub SectionsInternal RulesPoliciesFlags
💼 FedRAMP High Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)1624

Sub Sections

SectionSub SectionsInternal RulesPoliciesFlags

Policies (24)

PolicyLogic CountFlags
📝 AWS Account EBS Volume Encryption Attribute is not enabled in all regions 🟢1🟢 x6
📝 AWS API Gateway REST API Stage is not configured to use an SSL certificate for authentication 🟢1🟢 x6
📝 AWS CloudFront Web Distribution Cache Behaviors allow unencrypted traffic 🟢1🟢 x6
📝 AWS CloudFront Web Distribution does not encrypt traffic to Custom Origins 🟢1🟢 x6
📝 AWS CloudFront Web Distribution uses default SSL/TLS certificate 🟢1🟢 x6
📝 AWS CloudFront Web Distribution uses Dedicated IP for SSL 🟢1🟢 x6
📝 AWS CloudFront Web Distribution uses outdated SSL protocols with Custom Origins 🟢1🟢 x6
📝 AWS CloudTrail is not encrypted with KMS CMK 🟢1🟢 x6
📝 AWS DAX Cluster Server-Side Encryption is not enabled 🟢1🟢 x6
📝 AWS DMS Endpoint doesn't use SSL 🟢1🟢 x6
📝 AWS EBS Attached Volume is not encrypted 🟢1🟢 x6
📝 AWS EFS File System encryption is not enabled 🟢1🟢 x6
📝 AWS IAM Server Certificate is expired 🟢1🟢 x6
📝 AWS RDS Instance Encryption is not enabled 🟢1🟢 x6
📝 AWS S3 Bucket Policy is not set to deny HTTP requests 🟢1🟢 x6
📝 Azure App Service FTP deployments are not disabled 🟢1🟢 x6
📝 Azure App Service HTTPS Only configuration is not enabled 🟢1🟢 x6
📝 Azure Diagnostic Setting Logs export to Storage Account not encrypted with Customer-managed key 🟢1🟢 x6
📝 Azure MySQL Flexible Server require_secure_transport Parameter is not set to ON 🟢1🟢 x6
📝 Azure PostgreSQL Flexible Server require_secure_transport Parameter is not set to ON 🟢1🟢 x6
📝 Azure PostgreSQL Single Server Enforce SSL Connection is not set enabled 🟢1🟢 x6
📝 Azure Storage Account Secure Transfer Required is not enabled 🟢1🟢 x6
📝 Azure Unattached Managed Disk is not encrypted with Customer-managed key 🟢1🟢 x6
📝 Azure Virtual Machine OS and Data disks are not encrypted with Customer-managed key 🟢1🟢 x6