800-53|SC-28(1)

Title

CRYPTOGRAPHIC PROTECTION

Description

The information system implements cryptographic mechanisms to prevent unauthorized disclosure and modification of [Assignment: organization-defined information] on [Assignment: organization-defined information system components].

Supplemental

Selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of organizational information. The strength of mechanism is commensurate with the security category and/or classification of the information. This control enhancement applies to significant concentrations of digital media in organizational areas designated for media storage and also to limited quantities of media generally associated with information system components in operational environments (e.g., portable storage devices, mobile devices). Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). Organizations employing cryptographic mechanisms to protect information at rest also consider cryptographic key management solutions.

Reference Item Details

Related: AC-19,SC-12

Category: SYSTEM AND COMMUNICATIONS PROTECTION

Parent Title: PROTECTION OF INFORMATION AT REST

Family: SYSTEM AND COMMUNICATIONS PROTECTION

Audit Items

View all Reference Audit Items

NamePluginAudit Name
1.1.6 Ensure 'Store passwords using reversible encryption' is set to 'Disabled'WindowsCIS Microsoft Windows Server 2019 STIG DC L1 v1.0.1
1.1.6 Ensure 'Store passwords using reversible encryption' is set to 'Disabled'WindowsCIS Microsoft Windows Server 2019 STIG MS L1 v1.0.1
1.1.6 Ensure 'Store passwords using reversible encryption' is set to 'Disabled'WindowsCIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.3.0
1.1.6 Ensure 'Store passwords using reversible encryption' is set to 'Disabled'WindowsCIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.0
1.1.6 Ensure 'Store passwords using reversible encryption' is set to 'Disabled'WindowsCIS Microsoft Windows Server 2016 MS L1 v1.3.0
1.1.6 Ensure 'Store passwords using reversible encryption' is set to 'Disabled'WindowsCIS Microsoft Windows Server 2019 STIG MS STIG v1.0.1
1.1.6 Ensure 'Store passwords using reversible encryption' is set to 'Disabled'WindowsCIS Microsoft Windows Server 2019 STIG DC STIG v1.0.1
1.1.6 Ensure 'Store passwords using reversible encryption' is set to 'Disabled'WindowsCIS Microsoft Windows Server 2008 Member Server Level 1 v3.3.0
1.1.6 Ensure 'Store passwords using reversible encryption' is set to 'Disabled'WindowsCIS Microsoft Windows Server 2008 R2 Domain Controller Level 1 v3.3.0
1.1.7 Ensure 'Store passwords using reversible encryption' is set to 'Disabled'WindowsCIS Microsoft Windows Server 2019 DC L1 v1.3.0
1.1.7 Ensure 'Store passwords using reversible encryption' is set to 'Disabled'WindowsCIS Microsoft Windows Server 2022 v1.0.0 L1 MS
1.1.7 Ensure 'Store passwords using reversible encryption' is set to 'Disabled'WindowsCIS Microsoft Windows 11 Enterprise v1.0.0 L1 + NG
1.1.7 Ensure 'Store passwords using reversible encryption' is set to 'Disabled'WindowsCIS Microsoft Windows Server 2022 v1.0.0 L1 DC
1.1.7 Ensure 'Store passwords using reversible encryption' is set to 'Disabled'WindowsCIS Microsoft Windows 10 Enterprise v1.12.0 L1 + BL + NG
1.1.7 Ensure 'Store passwords using reversible encryption' is set to 'Disabled'WindowsCIS Microsoft Windows 10 Enterprise v1.12.0 L1
1.1.7 Ensure 'Store passwords using reversible encryption' is set to 'Disabled'WindowsCIS Microsoft Windows Server 2016 STIG DC STIG v1.1.0
1.1.7 Ensure 'Store passwords using reversible encryption' is set to 'Disabled'WindowsCIS Microsoft Windows 10 Enterprise v1.12.0 L1 + BL
1.1.7 Ensure 'Store passwords using reversible encryption' is set to 'Disabled'WindowsCIS Microsoft Windows 10 Enterprise v1.12.0 L1 + NG
1.1.7 Ensure 'Store passwords using reversible encryption' is set to 'Disabled'WindowsCIS Microsoft Windows 11 Enterprise v1.0.0 L1 + BL + NG
1.1.7 Ensure 'Store passwords using reversible encryption' is set to 'Disabled'WindowsCIS Microsoft Windows 11 Enterprise v1.0.0 L1 + BL
1.1.7 Ensure 'Store passwords using reversible encryption' is set to 'Disabled'WindowsCIS Microsoft Windows Server 2019 MS L1 v1.3.0
1.1.7 Ensure 'Store passwords using reversible encryption' is set to 'Disabled'WindowsCIS Microsoft Windows 11 Enterprise v1.0.0 L1
1.1.7 Ensure 'Store passwords using reversible encryption' is set to 'Disabled'WindowsCIS Microsoft Windows Server 2016 STIG DC L1 v1.1.0
1.1.7 Ensure 'Store passwords using reversible encryption' is set to 'Disabled'WindowsCIS Microsoft Windows Server 2016 STIG MS L1 v1.1.0
1.1.7 Ensure 'Store passwords using reversible encryption' is set to 'Disabled'WindowsCIS Microsoft Windows Server 2016 STIG MS STIG v1.1.0
1.2.4.2.1.3 Set 'Configure use of passwords for fixed data drives' to 'Disabled'WindowsCIS Windows 8 L1 v1.0.0
1.2.4.2.1.4 Set 'Recovery Key' to 'Allow 256-bit recovery key'WindowsCIS Windows 8 L1 v1.0.0
1.2.4.2.1.10 Set 'Choose how BitLocker-protected fixed drives can be recovered' to 'Enabled'WindowsCIS Windows 8 L1 v1.0.0
1.2.4.2.1.11 Set 'Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives' to 'False'WindowsCIS Windows 8 L1 v1.0.0
1.2.4.2.1.12 Set 'Configure storage of BitLocker recovery information to AD DS:' to 'Backup recovery passwords and key packages'WindowsCIS Windows 8 L1 v1.0.0
1.2.4.2.1.13 Set 'Save BitLocker recovery information to AD DS for fixed data drives' to 'False'WindowsCIS Windows 8 L1 v1.0.0
1.2.4.2.1.14 Set 'Omit recovery options from the BitLocker setup wizard' to 'True'WindowsCIS Windows 8 L1 v1.0.0
1.2.4.2.1.16 Set 'Require use of smart cards on fixed data drives' to 'True'WindowsCIS Windows 8 L1 v1.0.0
1.2.4.2.1.17 Configure 'Deny write access to fixed drives not protected by BitLocker'WindowsCIS Windows 8 L1 v1.0.0
1.2.4.2.1.18 Set 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' to 'Disabled'WindowsCIS Windows 8 L1 v1.0.0
1.2.25 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate - certfileUnixCIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
1.2.25 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate - certfileUnixCIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
1.2.25 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate - keyfileUnixCIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
1.2.25 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate - keyfileUnixCIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
1.2.28 Ensure that the --etcd-cafile argument is set as appropriateUnixCIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
1.2.28 Ensure that the --etcd-cafile argument is set as appropriateUnixCIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
1.2.28 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate - certfileUnixCIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
1.2.28 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate - keyfileUnixCIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
1.2.29 Ensure that the --encryption-provider-config argument is set as appropriateUnixCIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
1.2.29 Ensure that the --encryption-provider-config argument is set as appropriateUnixCIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
1.2.30 Ensure that encryption providers are appropriately configuredUnixCIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
1.2.30 Ensure that encryption providers are appropriately configuredUnixCIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
1.2.31 Ensure that the --etcd-cafile argument is set as appropriateUnixCIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
1.2.32 Ensure that the --encryption-provider-config argument is set as appropriateUnixCIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
1.2.33 Ensure that encryption providers are appropriately configuredUnixCIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master