800-53|SC-12

Title

CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT

Description

The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction].

Supplemental

Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance, specifying appropriate options, levels, and parameters. Organizations manage trust stores to ensure that only approved trust anchors are in such trust stores. This includes certificates with visibility external to organizational information systems and certificates related to the internal operations of systems.

Reference Item Details

Related: SC-13, SC-17

Category: SYSTEM AND COMMUNICATIONS PROTECTION

Family: SYSTEM AND COMMUNICATIONS PROTECTION

Priority: P1

Baseline Impact: LOW, MODERATE, HIGH

Audit Items

Name | Plugin | Audit Name
1.1.2 Ensure 'Enable Password' is set | Cisco | CIS Cisco Firewall v8.x L1 v4.2.0
1.1.2 Ensure 'Enable Password' is set | Cisco | CIS Cisco Firewall ASA 9 L1 v4.1.0
1.1.3 Ensure 'Master Key Passphrase' is set | Cisco | CIS Cisco Firewall v8.x L1 v4.2.0
1.1.3 Ensure 'Master Key Passphrase' is set | Cisco | CIS Cisco Firewall ASA 9 L1 v4.1.0
1.2.7.1 Minimum Encryption Settings: Level I Enabled: 128 bit key. | Windows | CIS MS Office 2007 v1.1.0 L1
1.2.7.2 Minimum Encryption Settings: Level II Enabled: 256 bit key. | Windows | CIS MS Office 2007 v1.1.0 L2
1.5.6 Ensure NIST FIPS-validated cryptography is configured - enabled | Unix | CIS Amazon Linux 2 STIG v1.0.0 L3
1.5.6 Ensure NIST FIPS-validated cryptography is configured - grub | Unix | CIS Amazon Linux 2 STIG v1.0.0 L3
1.5.6 Ensure NIST FIPS-validated cryptography is configured - installed | Unix | CIS Amazon Linux 2 STIG v1.0.0 L3
1.13.2.5 Ensure 'Minimum Encryption Settings:' is set to Enabled:168 | Windows | CIS Microsoft Office Outlook 2013 v1.1.0 Level 1
1.13.2.5 Ensure 'Minimum Encryption Settings:' is set to Enabled:168 | Windows | CIS Microsoft Office Outlook 2016 v1.1.0 Level 1
2.4 Ensure default self-signed certificate for ESXi communication is not used | Unix | CIS VMware ESXi 6.5 v1.0.0 Level 1 Bare Metal
2.5 Ensure Non-Default, Unique Cryptographic Material is in Use | Unix | CIS MariaDB 10.6 on Linux L1 v1.1.0
2.7 Ensure expired and revoked SSL certificates are removed from the ESXi server | Unix | CIS VMware ESXi 6.5 v1.0.0 Level 1 Bare Metal
2.13 Set 'Minimum key size (in bits):' to 'Enabled:168' | Windows | CIS MS Office Outlook 2010 v1.0.0
2.021 - Software certificate installation files must be removed from a system. | Windows | DISA Windows 7 STIG v1r32
2.021 - Software certificate installation files must be removed from Windows 2008 R2. | Windows | DISA Windows Server 2008 R2 DC STIG v1r34
2.021 - Software certificate installation files must be removed from Windows 2008 R2. | Windows | DISA Windows Server 2008 R2 MS STIG v1r33
2.021 - Software certificate installation files must be removed from Windows 2008. | Windows | DISA Windows Server 2008 DC STIG v6r47
2.021 - Software certificate installation files must be removed from Windows 2008. | Windows | DISA Windows Server 2008 MS STIG v6r46
3.2 Do Not Send Cross SSL/TLS Referrer Header | Unix | CIS Mozilla Firefox 38 ESR Linux L2 v1.0.0
3.4 - Default Weblogic Keystores is used | Windows | TNS Oracle WebLogic Server 11 Windows Best Practices
3.4 - Default Weblogic Keystores is used | Unix | TNS Oracle WebLogic Server 11 Linux Best Practices
4.1 Set SSL Override Behavior | Unix | CIS Mozilla Firefox 38 ESR Linux L2 v1.0.0
4.6 Set SSL Override Behavior | Unix | CIS Mozilla Firefox 102 ESR Linux L2 v1.0.0
6.2 Disable 'nobody' Access for RPC Encryption Key Storage Service | Unix | CIS Solaris 11.1 L1 v1.0.0
6.2 Disable 'nobody' Access for RPC Encryption Key Storage Service | Unix | CIS Solaris 11 L1 v1.1.0
6.2 Disable "nobody" Access for RPC Encryption Key Storage Service | Unix | CIS Solaris 11.2 L1 v1.1.0
6.3 Disable 'nobody' Access for RPC Encryption Key Storage Service - Check if 'ENABLE_NOBODY_KEYS' is set to NO. | Unix | CIS Solaris 10 v5.2
6.3 Disable 'nobody' Access for RPC Encryption Key Storage Service - Check if 'ENABLE_NOBODY_KEYS' is set to NO. | Unix | CIS Solaris 10 L1 v5.2
6.5 Ensure 'sslProtocol' is Configured Correctly for Secure Connectors | Unix | CIS Apache Tomcat 9 L1 v1.2.0
6.5 Ensure 'sslProtocol' is Configured Correctly for Secure Connectors | Unix | CIS Apache Tomcat 9 L1 v1.2.0 Middleware
6.5 Ensure 'sslProtocol' is Configured Correctly for Secure Connectors | Unix | CIS Apache Tomcat 10 L1 v1.1.0
6.5 Ensure 'sslProtocol' is Configured Correctly for Secure Connectors | Unix | CIS Apache Tomcat 10 L1 v1.1.0 Middleware
6.5 Ensure SSL Protocol is set to TLS for Secure Connectors - verify sslProtocol is set to TLS | Unix | CIS Apache Tomcat 8 L1 v1.1.0 Middleware
6.5 Ensure SSL Protocol is set to TLS for Secure Connectors - verify sslProtocol is set to TLS | Unix | CIS Apache Tomcat 8 L1 v1.1.0
6.10.1.7 Ensure Only Suite B Ciphers are set for SSH - weak ciphers | Juniper | CIS Juniper OS Benchmark v2.0.0 L2
6.10.1.10 Ensure Only Suite B Key Exchange Methods are set for SSH - weak key-exchange | Juniper | CIS Juniper OS Benchmark v2.0.0 L2
6.10.5.2 Ensure REST is Set to HTTPS | Juniper | CIS Juniper OS Benchmark v2.0.0 L1
6.10.5.3 Ensure REST is Set to use PKI Certificate for HTTPS | Juniper | CIS Juniper OS Benchmark v2.0.0 L2
7.2 Disable 'nobody' access for secure RPC, Check if 'ENABLE_NOBODY_KEYS' is set to No in /etc/default/keyserv (Solaris 9) | Unix | CIS Solaris 9 v1.3
7.8 Ensure node certificates are rotated as appropriate | Unix | CIS Docker Community Edition v1.1.0 L2 Docker
7.8 Ensure that node certificates are rotated as appropriate | Unix | CIS Docker v1.2.0 L2 Docker Engine Enterprise
7.8 Ensure that node certificates are rotated as appropriate | Unix | CIS Docker v1.2.0 L2 Docker Linux
8.2 Ensure Signing Keys are Generated with a Secure Algorithm | Unix | CIS BIND DNS v1.0.0 L2 Authoritative Name Server
AS24-U2-000030 - The Apache web server must use encryption strength in accordance with the categorization of data hosted by the Apache web server when remote connections are provided. | Unix | DISA STIG Apache Server 2.4 Unix Site v2r4
AS24-U2-000030 - The Apache web server must use encryption strength in accordance with the categorization of data hosted by the Apache web server when remote connections are provided. | Unix | DISA STIG Apache Server 2.4 Unix Site v2r4 Middleware
AS24-U2-000870 - The Apache web server cookies, such as session cookies, sent to the client using SSL/TLS must not be compressed. | Unix | DISA STIG Apache Server 2.4 Unix Site v2r4 Middleware
AS24-U2-000870 - The Apache web server cookies, such as session cookies, sent to the client using SSL/TLS must not be compressed. | Unix | DISA STIG Apache Server 2.4 Unix Site v2r4
AS24-U2-000890 - Cookies exchanged between the Apache web server and the client, such as session cookies, must have cookie properties set to force the encryption of cookies. | Unix | DISA STIG Apache Server 2.4 Unix Site v2r4 Middleware