SC-13 Cryptographic Protection
Control
a.
Determine the [Assignment: organization-defined cryptographic uses] ; and
b.
Implement the following types of cryptography required for each specified cryptographic use: [FIPS-validated or NSA-approved cryptography].
Guidance:
This control applies to all use of cryptography. In addition to encryption, this includes functions such as hashing, random number generation, and key generation. Examples include the following:
- Encryption of data
- Decryption of data
- Generation of one time passwords (OTPs) for MFA
- Protocols such as TLS, SSH, and HTTPS
The requirement for FIPS 140 validation, as well as timelines for acceptance of FIPS 140-2, and 140-3 can be found at the NIST Cryptographic Module Validation Program (CMVP).
https://csrc.nist.gov/projects/cryptographic-module-validation-program
Guidance:
For NSA-approved cryptography, the National Information Assurance Partnership (NIAP) oversees a national program to evaluate Commercial IT Products for Use in National Security Systems. The NIAP Product Compliant List can be found at the following location:
Guidance:
When leveraging encryption from underlying IaaS/PaaS: While some IaaS/PaaS provide encryption by default, many require encryption to be configured, and enabled by the customer. The CSP has the responsibility to verify encryption is properly configured.
Guidance:
Moving to non-FIPS CM or product is acceptable when:
- FIPS validated version has a known vulnerability
- Feature with vulnerability is in use
- Non-FIPS version fixes the vulnerability
- Non-FIPS version is submitted to NIST for FIPS validation
- POA&M is added to track approval, and deployment when ready
Guidance:
At a minimum, this control applies to cryptography in use for the following controls: AU-9(3), CP-9(8), IA-2(6), IA-5(1), MP-5, SC-8(1), and SC-28(1).
Discussion
Cryptography can be employed to support a variety of security solutions, including the protection of classified information and controlled unclassified information, the provision and implementation of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances but lack the necessary formal access approvals. Cryptography can also be used to support random number and hash generation. Generally applicable cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. For example, organizations that need to protect classified information may specify the use of NSA-approved cryptography. Organizations that need to provision and implement digital signatures may specify the use of FIPS-validated cryptography. Cryptography is implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.
FedRAMP-Defined Assignment / Selection Parameters
- SC-13 (b) [FIPS-validated or NSA-approved cryptography] - types of cryptography for each specified cryptographic use are defined;