800-53|SC-28(1)

Title

CRYPTOGRAPHIC PROTECTION

Description

The information system implements cryptographic mechanisms to prevent unauthorized disclosure and modification of [Assignment: organization-defined information] on [Assignment: organization-defined information system components].

Supplemental

Selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of organizational information. The strength of mechanism is commensurate with the security category and/or classification of the information. This control enhancement applies to significant concentrations of digital media in organizational areas designated for media storage and also to limited quantities of media generally associated with information system components in operational environments (e.g., portable storage devices, mobile devices). Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). Organizations employing cryptographic mechanisms to protect information at rest also consider cryptographic key management solutions.

Reference Item Details

Related: AC-19, SC-12

Category: SYSTEM AND COMMUNICATIONS PROTECTION

Parent Title: PROTECTION OF INFORMATION AT REST

Family: SYSTEM AND COMMUNICATIONS PROTECTION

Audit Items


| Name | Plugin | Audit Name |
| --- | --- | --- |
| 1.1.6 Ensure 'Store passwords using reversible encryption' is set to 'Disabled' | Windows | CIS Microsoft Windows Server 2008 R2 Domain Controller Level 1 v3.3.1 |
| 1.1.6 Ensure 'Store passwords using reversible encryption' is set to 'Disabled' | Windows | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.1 |
| 1.1.6 Ensure 'Store passwords using reversible encryption' is set to 'Disabled' | Windows | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.0 |
| 1.1.6 Ensure 'Store passwords using reversible encryption' is set to 'Disabled' | Windows | CIS Microsoft Windows Server 2008 Member Server Level 1 v3.3.1 |
| 1.1.6 Ensure 'Store passwords using reversible encryption' is set to 'Disabled' | Windows | CIS Microsoft Windows Server 2019 STIG MS L1 v1.0.1 |
| 1.1.6 Ensure 'Store passwords using reversible encryption' is set to 'Disabled' | Windows | CIS Microsoft Windows Server 2019 STIG DC L1 v1.0.1 |
| 1.1.6 Ensure 'Store passwords using reversible encryption' is set to 'Disabled' | Windows | CIS Windows Server 2012 MS L1 v3.0.0 |
| 1.1.6 Ensure 'Store passwords using reversible encryption' is set to 'Disabled' | Windows | CIS Windows Server 2012 R2 DC L1 v3.0.0 |
| 1.1.6 Ensure 'Store passwords using reversible encryption' is set to 'Disabled' | Windows | CIS Windows Server 2012 R2 MS L1 v3.0.0 |
| 1.1.6 Ensure 'Store passwords using reversible encryption' is set to 'Disabled' | Windows | CIS Microsoft Windows Server 2019 STIG DC STIG v1.0.1 |
| 1.1.6 Ensure 'Store passwords using reversible encryption' is set to 'Disabled' | Windows | CIS Microsoft Windows Server 2019 STIG MS STIG v1.0.1 |
| 1.1.6 Ensure 'Store passwords using reversible encryption' is set to 'Disabled' | Windows | CIS Microsoft Windows Server 2008 Member Server Level 1 v3.3.0 |
| 1.1.6 Ensure 'Store passwords using reversible encryption' is set to 'Disabled' | Windows | CIS Windows Server 2012 DC L1 v3.0.0 |
| 1.1.6 Ensure 'Store passwords using reversible encryption' is set to 'Disabled' | Windows | CIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.3.1 |
| 1.1.6 Ensure 'Store passwords using reversible encryption' is set to 'Disabled' - Disabled | Windows | CIS Microsoft Windows Server 2019 DC L1 v2.0.0 |
| 1.1.6 Ensure 'Store passwords using reversible encryption' is set to 'Disabled' - Disabled | Windows | CIS Microsoft Windows Server 2016 MS L1 v2.0.0 |
| 1.1.6 Ensure 'Store passwords using reversible encryption' is set to 'Disabled' - Disabled | Windows | CIS Microsoft Windows Server 2019 MS Standalone L1 v1.0.0 |
| 1.1.6 Ensure 'Store passwords using reversible encryption' is set to 'Disabled' - Disabled | Windows | CIS Azure Compute Microsoft Windows Server 2022 v1.0.0 L1 MS |
| 1.1.6 Ensure 'Store passwords using reversible encryption' is set to 'Disabled' - Disabled | Windows | CIS Microsoft Windows Server 2016 DC L1 v2.0.0 |
| 1.1.6 Ensure 'Store passwords using reversible encryption' is set to 'Disabled' - Disabled | Windows | CIS Azure Compute Microsoft Windows Server 2022 v1.0.0 L1 DC |
| 1.1.6 Ensure 'Store passwords using reversible encryption' is set to 'Disabled' - Disabled | Windows | CIS Microsoft Windows Server 2019 MS L1 v2.0.0 |
| 1.1.6 Ensure 'Store passwords using reversible encryption' is set to 'Disabled' - Disabled | Windows | CIS Microsoft Windows Server 2019 Standalone DC L1 v1.0.0 |
| 1.1.7 Ensure 'Store passwords using reversible encryption' is set to 'Disabled' | Windows | CIS Microsoft Windows Server 2016 STIG DC STIG v1.1.0 |
| 1.1.7 Ensure 'Store passwords using reversible encryption' is set to 'Disabled' | Windows | CIS Microsoft Windows 10 Stand-alone v2.0.0 L1 |
| 1.1.7 Ensure 'Store passwords using reversible encryption' is set to 'Disabled' | Windows | CIS Microsoft Windows 10 Enterprise v2.0.0 L1 |
| 1.1.7 Ensure 'Store passwords using reversible encryption' is set to 'Disabled' | Windows | CIS Microsoft Windows 10 Enterprise v2.0.0 L1 + NG |
| 1.1.7 Ensure 'Store passwords using reversible encryption' is set to 'Disabled' | Windows | CIS Microsoft Windows 11 Enterprise v2.0.0 L1 |
| 1.1.7 Ensure 'Store passwords using reversible encryption' is set to 'Disabled' | Windows | CIS Microsoft Windows 10 Stand-alone v2.0.0 L1 + BL + NG |
| 1.1.7 Ensure 'Store passwords using reversible encryption' is set to 'Disabled' | Windows | CIS Microsoft Windows 11 Stand-alone v2.0.0 L1 |
| 1.1.7 Ensure 'Store passwords using reversible encryption' is set to 'Disabled' | Windows | CIS Microsoft Windows Server 2016 STIG MS STIG v1.1.0 |
| 1.1.7 Ensure 'Store passwords using reversible encryption' is set to 'Disabled' | Windows | CIS Microsoft Windows Server 2016 STIG MS L1 v1.1.0 |
| 1.1.7 Ensure 'Store passwords using reversible encryption' is set to 'Disabled' | Windows | CIS Microsoft Windows Server 2016 STIG DC L1 v1.1.0 |
| 1.1.7 Ensure 'Store passwords using reversible encryption' is set to 'Disabled' | Windows | CIS Microsoft Windows 10 Enterprise v2.0.0 L1 + BL + NG |
| 1.1.7 Ensure 'Store passwords using reversible encryption' is set to 'Disabled' | Windows | CIS Microsoft Windows 10 Stand-alone v2.0.0 L1 + NG |
| 1.1.7 Ensure 'Store passwords using reversible encryption' is set to 'Disabled' | Windows | CIS Microsoft Windows 10 Stand-alone v2.0.0 L1 + BL |
| 1.1.7 Ensure 'Store passwords using reversible encryption' is set to 'Disabled' | Windows | CIS Microsoft Windows Server 2022 v2.0.0 L1 MS |
| 1.1.7 Ensure 'Store passwords using reversible encryption' is set to 'Disabled' | Windows | CIS Microsoft Windows 10 EMS Gateway v2.0.0 L1 |
| 1.1.7 Ensure 'Store passwords using reversible encryption' is set to 'Disabled' | Windows | CIS Microsoft Windows 11 Stand-alone v2.0.0 L1 + BL |
| 1.1.7 Ensure 'Store passwords using reversible encryption' is set to 'Disabled' | Windows | CIS Microsoft Windows 10 Enterprise v2.0.0 L1 + BL |
| 1.1.7 Ensure 'Store passwords using reversible encryption' is set to 'Disabled' | Windows | CIS Microsoft Windows 11 Enterprise v2.0.0 L1 + BL |
| 1.1.7 Ensure 'Store passwords using reversible encryption' is set to 'Disabled' | Windows | CIS Microsoft Windows Server 2022 v2.0.0 L1 DC |
| 1.2.24 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate - certfile | Unix | CIS Kubernetes Benchmark v1.8.0 L1 Master |
| 1.2.24 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate - keyfile | Unix | CIS Kubernetes Benchmark v1.8.0 L1 Master |
| 1.2.25 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate - certfile | Unix | CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master |
| 1.2.25 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate - certfile | Unix | CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master |
| 1.2.25 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate - keyfile | Unix | CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master |
| 1.2.25 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate - keyfile | Unix | CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master |
| 1.10 Ensure KMS Encryption Keys Are Rotated Within a Period of 90 Days | GCP | CIS Google Cloud Platform v2.0.0 L1 |
| 1.17 Ensure that Dataproc Cluster is encrypted using Customer-Managed Encryption Key | GCP | CIS Google Cloud Platform v2.0.0 L2 |
| 1.18 Ensure Secrets are Not Stored in Cloud Functions Environment Variables by Using Secret Manager | GCP | CIS Google Cloud Platform v2.0.0 L1 |