800-53|SC-13

Title

CRYPTOGRAPHIC PROTECTION

Description

The information system implements [Assignment: organization-defined cryptographic uses and type of cryptography required for each use] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.

Supplemental

Cryptography can be employed to support a variety of security solutions including, for example, the protection of classified and Controlled Unclassified Information, the provision of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances for such information but lack the necessary formal access approvals. Cryptography can also be used to support random number generation and hash generation. Generally applicable cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. This control does not impose any requirements on organizations to use cryptography. However, if cryptography is required based on the selection of other security controls, organizations define each type of cryptographic use and the type of cryptography required (e.g., protection of classified information: NSA-approved cryptography; provision of digital signatures: FIPS-validated cryptography).

Reference Item Details

Related: AC-2, AC-3, AC-7, AC-17, AC-18, AU-9, AU-10, CM-11, CP-9, IA-3, IA-7, MA-4, MP-2, MP-4, MP-5, SA-4, SC-8, SC-12, SC-28, SI-7

Category: SYSTEM AND COMMUNICATIONS PROTECTION

Family: SYSTEM AND COMMUNICATIONS PROTECTION

Priority: P1

Baseline Impact: LOW, MODERATE, HIGH

Audit Items

Name | Plugin | Audit Name
1.1.3.5.2 Set 'Domain member: Digitally sign secure channel data (when possible)' to 'Enabled' | Windows | CIS Windows 8 L1 v1.0.0
1.1.3.5.3 Set 'Domain member: Digitally encrypt secure channel data (when possible)' to 'Enabled' | Windows | CIS Windows 8 L1 v1.0.0
1.1.3.5.5 Set 'Domain member: Digitally encrypt or sign secure channel data (always)' to 'Enabled' | Windows | CIS Windows 8 L1 v1.0.0
1.1.3.7.2 Set 'Microsoft network client: Digitally sign communications (always)' to 'Enabled' | Windows | CIS Windows 8 L1 v1.0.0
1.1.3.7.3 Set 'Microsoft network client: Digitally sign communications (if server agrees)' to 'Enabled' | Windows | CIS Windows 8 L1 v1.0.0
1.1.3.8.3 Set 'Microsoft network server: Digitally sign communications (if client agrees)' to 'Enabled' | Windows | CIS Windows 8 L1 v1.0.0
1.1.3.8.5 Set 'Microsoft network server: Digitally sign communications (always)' to 'Enabled' | Windows | CIS Windows 8 L1 v1.0.0
1.1.3.14.2 Set 'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing' to 'Enabled' | Windows | CIS Windows 8 L1 v1.0.0
1.1.30 Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Unix | CIS Kubernetes 1.11 Benchmark v1.3.0 L1
1.1.39 Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Unix | CIS Kubernetes 1.11 Benchmark v1.3.0 L1
1.2 Enable SSH (sshd_enable) | Unix | CIS FreeBSD v1.0.5
1.2 Ensure that the SharePoint Central Administration Site is TLS-enabled - HTTPS | Windows | CIS Microsoft SharePoint 2016 OS v1.1.0
1.2 Ensure that the SharePoint Central Administration Site is TLS-enabled - Port 443 | Windows | CIS Microsoft SharePoint 2016 OS v1.1.0
1.3 Configure SSH - Check if RhostsRSAAuthentication is set to no and not commented for server. | Unix | CIS Solaris 9 v1.3
1.4 Ensure that the underlying Internet Information Services (IIS) Authentication module is set to use Kerberos as its Auth Provider | Windows | CIS Microsoft SharePoint 2016 OS v1.1.0
1.4 Ensure that the underlying Internet Information Services (IIS) Authentication module is set to use Kerberos as its Authentication Provider | Windows | CIS Microsoft SharePoint 2019 OS v1.0.0
1.5.9 Ensure NIST FIPS-validated cryptography is configured - etc | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
1.5.9 Ensure NIST FIPS-validated cryptography is configured - grub | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
1.5.9 Ensure NIST FIPS-validated cryptography is configured - proc | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
1.5.9 Ensure NIST FIPS-validated cryptography is configured - rpm | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
1.6 Support Web Access Security - a) ciphersuite | ZTE_ROSNG | Tenable ZTE ROSNG
1.6 Support Web Access Security - b) ssl-context field | ZTE_ROSNG | Tenable ZTE ROSNG
1.6 Support Web Access Security - c) version | ZTE_ROSNG | Tenable ZTE ROSNG
1.8 Set 'External send connector authentication: Ignore Start TLS' to 'False' | Windows | CIS Microsoft Exchange Server 2016 Edge v1.0.0
1.8 Set 'External send connector authentication: Ignore Start TLS' to 'False' | Windows | CIS Microsoft Exchange Server 2013 Edge v1.1.0
1.8 SSH Strong Algorithm - a) Disable encryption none | ZTE_ROSNG | Tenable ZTE ROSNG
1.8 SSH Strong Algorithm - b) Disable encryption 3des-cbc | ZTE_ROSNG | Tenable ZTE ROSNG
1.8 SSH Strong Algorithm - c) Disable encryption aes128-cbc | ZTE_ROSNG | Tenable ZTE ROSNG
1.8 SSH Strong Algorithm - d) Disable encryption aes192-cbc | ZTE_ROSNG | Tenable ZTE ROSNG
1.8 SSH Strong Algorithm - e) Disable encryption aes256-cbc | ZTE_ROSNG | Tenable ZTE ROSNG
1.8 SSH Strong Algorithm - f) Disable encryption blowfish-cbc | ZTE_ROSNG | Tenable ZTE ROSNG
1.8 SSH Strong Algorithm - g) Disable hmac md5 | ZTE_ROSNG | Tenable ZTE ROSNG
1.8 SSH Strong Algorithm - h) Disable hmac none | ZTE_ROSNG | Tenable ZTE ROSNG
1.8 SSH Strong Algorithm - i) Disable diffie-hellman group-exchange-sha1 | ZTE_ROSNG | Tenable ZTE ROSNG
1.8 SSH Strong Algorithm - j) Disable diffie-hellman group1-sha1 | ZTE_ROSNG | Tenable ZTE ROSNG
1.8 SSH Strong Algorithm - k) Disable hmac sha1 | ZTE_ROSNG | Tenable ZTE ROSNG
1.9 SSL Strong Algorithm - a) Version | ZTE_ROSNG | Tenable ZTE ROSNG
1.9 SSL Strong Algorithm - b) ciphersuite | ZTE_ROSNG | Tenable ZTE ROSNG
1.9 SSL Strong Algorithm - c) pki-profile | ZTE_ROSNG | Tenable ZTE ROSNG
1.12 Ensure App Tier ELB have SSL\TLS Certificate attached | amazon_aws | CIS Amazon Web Services Three-tier Web Architecture L2 1.0.0
1.12 Set 'External send connector authentication: Domain Security' to 'True' | Windows | CIS Microsoft Exchange Server 2016 Edge v1.0.0
1.12 Set 'External send connector authentication: Domain Security' to 'True' | Windows | CIS Microsoft Exchange Server 2013 Edge v1.1.0
1.13.2.4 Ensure 'Message Formats' is set to Enabled:S/MIME and Fortezza | Windows | CIS Microsoft Office Outlook 2013 v1.1.0 Level 1
1.13.2.4 Ensure 'Message Formats' is set to Enabled:S/MIME and Fortezza | Windows | CIS Microsoft Office Outlook 2016 v1.1.0 Level 1
1.16 Ensure all S3 buckets have policy to require server-side and in transit encryption for all objects stored in bucket. | amazon_aws | CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0
10 - Enable SSL Connector | Unix | TNS Best Practice JBoss 7 Linux
10.4 Force SSL when accessing the manager application | Unix | CIS Apache Tomcat 7 L1 v1.1.0
10.4 Force SSL when accessing the manager application | Unix | CIS Apache Tomcat 7 L1 v1.1.0 Middleware
10.12 Force SSL for all applications | Unix | CIS Apache Tomcat 7 L2 v1.1.0
14 - SSL Encryption - Modify WSDL Address | Unix | TNS Best Practice JBoss 7 Linux