myctrl.tools
Compare

SC-28(1)Cryptographic Protection

MODERATE
HIGH

>Control Description

Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of the following information at rest on organization-defined system components or media: organization-defined information.

>Cross-Framework Mappings

SCF

BCD-11.4
Compare
CRY-04
Compare
CRY-05
Compare
DCH-07.2
Compare

>Programmatic Queries

Beta

Related Services

KMS
EBS Encryption
RDS Encryption

CLI Commands

Create customer-managed KMS key for at-rest encryption
aws kms create-key --description 'KMS key for protecting data at rest' --key-usage ENCRYPT_DECRYPT
Enable default EBS encryption for all volumes in account
aws ec2 enable-ebs-encryption-by-default --region us-east-1
Create encrypted RDS instance with customer-managed key
aws rds create-db-instance --db-instance-identifier secure-database --db-instance-class db.t3.micro --engine postgres --allocated-storage 100 --storage-encrypted --kms-key-id arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
Enable S3 default encryption for bucket with KMS key
aws s3api put-bucket-encryption --bucket data-bucket --server-side-encryption-configuration '{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"aws:kms","KMSMasterKeyID":"arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"}}]}'
Open AWS ConsoleDocumentation

>Supplemental Guidance

The selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of organizational information. The strength of mechanism is commensurate with the security category or classification of the information. Organizations have the flexibility to encrypt information on system components or media or encrypt data structures, including files, records, or fields.

>Related Controls

AC-19
SC-12
SC-13

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What policies govern the implementation of cryptographic protection?
  • How are system and communications protection requirements defined and maintained?
  • Who is responsible for configuring and maintaining the security controls specified in SC-28(1)?
  • What is your cryptographic key management policy?

Technical Implementation:

  • How is cryptographic protection technically implemented in your environment?
  • What systems, tools, or configurations enforce this protection requirement?
  • How do you ensure that cryptographic protection remains effective as the system evolves?
  • What encryption mechanisms and algorithms are used to protect data?

Evidence & Documentation:

  • What documentation demonstrates the implementation of SC-28(1)?
  • Can you provide configuration evidence or system diagrams showing this protection control?
  • What logs or monitoring data verify that this control is functioning correctly?
  • Can you demonstrate that FIPS 140-2 validated cryptography is used?

Ask AI

Configure your API key to use AI features.