💼 SC-28 Protection of Information at Rest (L)(M)(H)

• Contextual name: 💼 SC-28 Protection of Information at Rest (L)(M)(H)
• ID: /frameworks/fedramp-moderate-security-controls/sc/28
• Located in: 💼 System and Communications Protection

Description

Protect the [FedRAMP Assignment: confidentiality AND integrity] of the following information at rest: [Assignment: organization-defined information at rest].

SC-28 Additional FedRAMP Requirements and Guidance:

Guidance: The organization supports the capability to use cryptographic mechanisms to protect information at rest.

Guidance: When leveraging encryption from underlying IaaS/PaaS: While some IaaS/PaaS services provide encryption by default, many require encryption to be configured, and enabled by the customer. The CSP has the responsibility to verify encryption is properly configured.

Guidance: Note that this enhancement requires the use of cryptography in accordance with SC-13.

Similar

• Sections
  • /frameworks/fedramp-high-security-controls/sc/28
• Internal
  • ID: dec-c-ae145ea2

Similar Sections (Take Policies From)

Section	Sub Sections	Internal Rules	Policies	Flags
💼 FedRAMP High Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H)	1	7	24

Sub Sections

Section	Sub Sections	Internal Rules	Policies	Flags
💼 SC-28(1) Cryptographic Protection (L)(M)(H)			14

Policies (22)

Policy	Logic Count	Flags
📝 AWS Account EBS Volume Encryption Attribute is not enabled in all regions 🟢	1	🟢 x6
📝 AWS CloudTrail is not encrypted with KMS CMK 🟢	1	🟢 x6
📝 AWS DAX Cluster Server-Side Encryption is not enabled 🟢	1	🟢 x6
📝 AWS EBS Attached Volume is not encrypted 🟢	1	🟢 x6
📝 AWS EFS File System encryption is not enabled 🟢	1	🟢 x6
📝 AWS RDS Instance Encryption is not enabled 🟢	1	🟢 x6
📝 Azure App Service FTP deployments are not disabled 🟢	1	🟢 x6
📝 Azure Diagnostic Setting Logs export to Storage Account not encrypted with Customer-managed key 🟢	1	🟢 x6
📝 Azure MySQL Flexible Server require_secure_transport Parameter is not set to ON 🟢	1	🟢 x6
📝 Azure PostgreSQL Flexible Server require_secure_transport Parameter is not set to ON 🟢	1	🟢 x6
📝 Azure PostgreSQL Single Server Enforce SSL Connection is not set enabled 🟢	1	🟢 x6
📝 Azure PostgreSQL Single Server Infrastructure Double Encryption is not enabled 🟢	1	🟢 x6
📝 Azure SQL Server Transparent Data Encryption Protector is not encrypted with Customer-managed key 🟢	1	🟢 x6
📝 Azure Storage Account Require Infrastructure Encryption is not enabled 🟢	1	🟢 x6
📝 Azure Storage Account With Critical Data is not encrypted with customer managed key 🟢		🟢 x3
📝 Azure Unattached Managed Disk is not encrypted with Customer-managed key 🟢	1	🟢 x6
📝 Azure Virtual Machine OS and Data disks are not encrypted with Customer-managed key 🟢	1	🟢 x6
📝 Google BigQuery Dataset is not encrypted with Customer-Managed Encryption Key (CMEK) 🟢	1	🟢 x6
📝 Google BigQuery Table is not encrypted with Customer-Managed Encryption Key (CMEK) 🟢	1	🟢 x6
📝 Google Dataproc Cluster is not encrypted using Customer-Managed Encryption Key 🟢	1	🟢 x6
📝 Google GCE Disk for critical VMs is not encrypted with Customer-Supplied Encryption Key (CSEK) 🟢	1	🟢 x6
📝 Google GCE Instance Confidential Compute is not enabled 🟢	1	🟢 x6