SC-13—Cryptographic Protection
>Control Description
Determine the ⚙organization-defined cryptographic uses; and
Implement the following types of cryptography required for each specified cryptographic use: ⚙organization-defined types of cryptography for each specified cryptographic use.
>FedRAMP Baseline Requirements
Parameter Values
Additional Requirements and Guidance
SC-13 Guidance: This control applies to all use of cryptography. In addition to encryption, this includes functions such as hashing, random number generation, and key generation. Examples include the following:
- Encryption of data
- Decryption of data
- Generation of one-time passwords (OTPs) for MFA
- Protocols such as TLS, SSH, and HTTPS
The requirement for FIPS 140 validation, as well as timelines for acceptance of FIPS 140-2 and 140-3, can be found at the NIST Cryptographic Module Validation Program (CMVP): https://csrc.nist.gov/projects/cryptographic-module-validation-program
SC-13 Guidance: For NSA-approved cryptography, the National Information Assurance Partnership (NIAP) oversees a national program to evaluate Commercial IT Products for Use in National Security Systems.
SC-13 Guidance: When leveraging encryption from an underlying IaaS/PaaS: while some IaaS/PaaS offerings provide encryption by default, many require encryption to be configured and enabled by the customer. The CSP has the responsibility to verify that encryption is properly configured.
SC-13 Guidance: Moving to a non-FIPS cryptographic module (CM) or product is acceptable when:
- the FIPS-validated version has a known vulnerability
- the feature with the vulnerability is in use
- the non-FIPS version fixes the vulnerability
- the non-FIPS version is submitted to NIST for FIPS validation
- a POA&M is added to track approval and deployment when ready
SC-13 Guidance: At a minimum, this control applies to cryptography in use for the following controls: AU-9(3), CP-9(8), IA-2(6), IA-5(1), MP-5, SC-8(1), and SC-28(1).
>Discussion
Cryptography can be employed to support a variety of security solutions, including the protection of classified information and controlled unclassified information, the provision and implementation of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances but lack the necessary formal access approvals. Cryptography can also be used to support random number and hash generation. Generally applicable cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography.
For example, organizations that need to protect classified information may specify the use of NSA-approved cryptography. Organizations that need to provision and implement digital signatures may specify the use of FIPS-validated cryptography. Cryptography is implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.
>Cross-Framework Mappings
>Programmatic Queries
Related Services
CLI Commands
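The commands listed under this heading return JSON evidence for the assessor; as an added example that is not part of the original page or of any AWS tooling, the following Python evaluates such output against an assumed organization-defined allow list (the SC-13 parameter value) and reports gaps. The sample responses are constructed to match the shape of each command's output and are not captured from a real account.

```python
import json

# Assumed organization-defined allow lists (the SC-13 parameter); adjust to your policy.
ALLOWED_SSE_ALGORITHMS = {"AES256", "aws:kms", "aws:kms:dsse"}
ALLOWED_KEY_SPECS = {"SYMMETRIC_DEFAULT", "RSA_2048", "RSA_3072", "RSA_4096",
                     "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521"}

# Constructed sample outputs shaped like the four CLI commands' responses (not real data).
S3_ENCRYPTION = json.dumps({"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
     "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}}]}})
KMS_KEY = json.dumps({"Algorithm": "SYMMETRIC_DEFAULT", "Usage": "ENCRYPT_DECRYPT"})
EBS_DEFAULT = json.dumps({"EbsEncryptionByDefault": False})
RDS_INSTANCES = json.dumps([
    {"Id": "prod-db", "Encrypted": True, "KmsKey": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
    {"Id": "legacy-db", "Encrypted": False, "KmsKey": None}])

def check_s3(raw):
    """Findings from `aws s3api get-bucket-encryption` output for one bucket."""
    rules = json.loads(raw).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not rules:
        return ["s3: no default encryption rule configured"]
    algs = [r["ApplyServerSideEncryptionByDefault"]["SSEAlgorithm"] for r in rules]
    return [f"s3: unapproved SSE algorithm {a}" for a in algs if a not in ALLOWED_SSE_ALGORITHMS]

def check_kms(raw):
    """Findings from the `aws kms describe-key --query ...` projection."""
    key, findings = json.loads(raw), []
    if key["Algorithm"] not in ALLOWED_KEY_SPECS:
        findings.append(f"kms: key spec {key['Algorithm']} not on the approved list")
    if key["Usage"] != "ENCRYPT_DECRYPT":
        findings.append(f"kms: key usage is {key['Usage']}, not ENCRYPT_DECRYPT")
    return findings

def check_ebs(raw):
    """Findings from `aws ec2 get-ebs-encryption-by-default` (account/region setting)."""
    return [] if json.loads(raw).get("EbsEncryptionByDefault") else ["ebs: encryption by default is disabled"]

def check_rds(raw):
    """Findings from the `aws rds describe-db-instances --query ...` projection."""
    return [f"rds: instance {db['Id']} storage is not encrypted" for db in json.loads(raw) if not db.get("Encrypted")]

def assess(s3, kms, ebs, rds):
    """Aggregate all findings; an empty list means the sampled evidence shows no gap."""
    return check_s3(s3) + check_kms(kms) + check_ebs(ebs) + check_rds(rds)

if __name__ == "__main__":
    for finding in assess(S3_ENCRYPTION, KMS_KEY, EBS_DEFAULT, RDS_INSTANCES):
        print("FINDING:", finding)
```

Pipe the real command output into the matching check function; each finding maps directly to an evidence gap an assessor would raise under SC-13.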
aws s3api get-bucket-encryption --bucket BUCKET_NAME
aws kms describe-key --key-id KEY_ID --query 'KeyMetadata.{Algorithm:KeySpec,Usage:KeyUsage}'
aws ec2 get-ebs-encryption-by-default
aws rds describe-db-instances --query 'DBInstances[*].{Id:DBInstanceIdentifier,Encrypted:StorageEncrypted,KmsKey:KmsKeyId}'
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- What policies govern the implementation of cryptographic protection?
- How are system and communications protection requirements defined and maintained?
- Who is responsible for configuring and maintaining the security controls specified in SC-13?
- What is your cryptographic key management policy?
Technical Implementation:
- How is cryptographic protection technically implemented in your environment?
- What systems, tools, or configurations enforce this protection requirement?
- How do you ensure that cryptographic protection remains effective as the system evolves?
- What encryption mechanisms and algorithms are used to protect data?
- How is separation of duties or partitioning technically enforced?
Evidence & Documentation:
- What documentation demonstrates the implementation of SC-13?
- Can you provide configuration evidence or system diagrams showing this protection control?
- What logs or monitoring data verify that this control is functioning correctly?
- Can you demonstrate that FIPS 140-2 validated cryptography is used?