💼 SC-28 Protection of Information at Rest (L)(M)(H)

• ID: /frameworks/fedramp-moderate-security-controls/sc/28

Description

Protect the [FedRAMP Assignment: confidentiality AND integrity] of the following information at rest: [Assignment: organization-defined information at rest].

SC-28 Additional FedRAMP Requirements and Guidance:

Guidance: The organization supports the capability to use cryptographic mechanisms to protect information at rest.

Guidance: When leveraging encryption from underlying IaaS/PaaS: While some IaaS/PaaS services provide encryption by default, many require encryption to be configured, and enabled by the customer. The CSP has the responsibility to verify encryption is properly configured.

Guidance: Note that this enhancement requires the use of cryptography in accordance with SC-13.

Similar

• Sections
  • /frameworks/fedramp-high-security-controls/sc/28
• Internal
  • ID: dec-c-ae145ea2

Similar Sections (Take Policies From)

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 FedRAMP High Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H)	1	7	24		no data

Sub Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 SC-28(1) Cryptographic Protection (L)(M)(H)			14		no data

Policies (22)

Policy	Logic Count	Flags	Compliance
🛡️ AWS Account EBS Volume Encryption Attribute is not enabled in all regions🟢	1	🟢 x6	no data
🛡️ AWS CloudTrail is not encrypted with KMS CMK🟢	1	🟢 x6	no data
🛡️ AWS DAX Cluster Server-Side Encryption is not enabled🟢	1	🟢 x6	no data
🛡️ AWS EBS Attached Volume is not encrypted🟢	1	🟢 x6	no data
🛡️ AWS EFS File System encryption is not enabled🟢	1	🟢 x6	no data
🛡️ AWS RDS Instance Encryption is not enabled🟢	1	🟢 x6	no data
🛡️ Azure App Service FTP deployments are not disabled🟢	1	🟢 x6	no data
🛡️ Azure Diagnostic Setting Logs export to Storage Account not encrypted with Customer-managed key🟢	1	🟢 x6	no data
🛡️ Azure MySQL Flexible Server require_secure_transport Parameter is not set to ON🟢	1	🟢 x6	no data
🛡️ Azure PostgreSQL Flexible Server require_secure_transport Parameter is not set to ON🟢	1	🟢 x6	no data
🛡️ Azure PostgreSQL Single Server Enforce SSL Connection is not set enabled🟢	1	🟢 x6	no data
🛡️ Azure PostgreSQL Single Server Infrastructure Double Encryption is not enabled🟢	1	🟢 x6	no data
🛡️ Azure SQL Server Transparent Data Encryption Protector is not encrypted with Customer-managed key🟢	1	🟢 x6	no data
🛡️ Azure Storage Account Require Infrastructure Encryption is not enabled🟢	1	🟢 x6	no data
🛡️ Azure Storage Account With Critical Data is not encrypted with customer managed key🟢⚪		🟢 x2, ⚪ x1	no data
🛡️ Azure Unattached Managed Disk is not encrypted with Customer-managed key🟢	1	🟢 x6	no data
🛡️ Azure Virtual Machine OS and Data disks are not encrypted with Customer-managed key🟢	1	🟢 x6	no data
🛡️ Google BigQuery Dataset is not encrypted with Customer-Managed Encryption Key (CMEK)🟢	1	🟢 x6	no data
🛡️ Google BigQuery Table is not encrypted with Customer-Managed Encryption Key (CMEK)🟢	1	🟢 x6	no data
🛡️ Google Dataproc Cluster is not encrypted using Customer-Managed Encryption Key🟢	1	🟢 x6	no data
🛡️ Google GCE Disk for critical VMs is not encrypted with Customer-Supplied Encryption Key (CSEK)🟢	1	🟢 x6	no data
🛡️ Google GCE Instance Confidential Compute is not enabled🟢	1	🟢 x6	no data