800-53|SC-12

Title

CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT

Description

The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction].

Supplemental

Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance, specifying appropriate options, levels, and parameters. Organizations manage trust stores to ensure that only approved trust anchors are in such trust stores. This includes certificates with visibility external to organizational information systems and certificates related to the internal operations of systems.

Reference Item Details

Related: SC-13, SC-17

Category: SYSTEM AND COMMUNICATIONS PROTECTION

Family: SYSTEM AND COMMUNICATIONS PROTECTION

Priority: P1

Baseline Impact: LOW, MODERATE, HIGH

Audit Items

Name | Plugin | Audit Name
---- | ------ | ----------
1.1.2 Ensure 'Enable Password' is set | Cisco | CIS Cisco Firewall v8.x L1 v4.2.0
1.1.2 Ensure 'Enable Password' is set | Cisco | CIS Cisco Firewall ASA 9 L1 v4.1.0
1.1.3 Ensure 'Master Key Passphrase' is set | Cisco | CIS Cisco Firewall v8.x L1 v4.2.0
1.1.3 Ensure 'Master Key Passphrase' is set | Cisco | CIS Cisco Firewall ASA 9 L1 v4.1.0
1.5.6 Ensure NIST FIPS-validated cryptography is configured - enabled | Unix | CIS Amazon Linux 2 STIG v1.0.0 L3
1.5.6 Ensure NIST FIPS-validated cryptography is configured - grub | Unix | CIS Amazon Linux 2 STIG v1.0.0 L3
1.5.6 Ensure NIST FIPS-validated cryptography is configured - installed | Unix | CIS Amazon Linux 2 STIG v1.0.0 L3
1.13.2.5 Ensure 'Minimum Encryption Settings:' is set to Enabled:168 | Windows | CIS Microsoft Office Outlook 2013 v1.1.0 Level 1
1.13.2.5 Ensure 'Minimum Encryption Settings:' is set to Enabled:168 | Windows | CIS Microsoft Office Outlook 2016 v1.1.0 Level 1
2.4 Ensure default self-signed certificate for ESXi communication is not used | Unix | CIS VMware ESXi 6.5 v1.0.0 Level 1 Bare Metal
2.5 Ensure Non-Default, Unique Cryptographic Material is in Use | Unix | CIS MariaDB 10.6 on Linux L1 v1.1.0
2.7 Ensure expired and revoked SSL certificates are removed from the ESXi server | Unix | CIS VMware ESXi 6.5 v1.0.0 Level 1 Bare Metal
2.13 Set 'Minimum key size (in bits):' to 'Enabled:168' | Windows | CIS MS Office Outlook 2010 v1.0.0
3.2 Do Not Send Cross SSL/TLS Referrer Header | Unix | CIS Mozilla Firefox 38 ESR Linux L2 v1.0.0
4.1 Set SSL Override Behavior | Unix | CIS Mozilla Firefox 38 ESR Linux L2 v1.0.0
4.2.9 Ensure 'ocsp.enable' certificate revocation is set to 'true' | Unix | CIS IBM WebSphere Liberty v1.0.0 L1
4.2.11 Ensure that strong algorithms are used for TLS certificates | Unix | CIS IBM WebSphere Liberty v1.0.0 L1
4.2.13 Ensure that hardware crypto cards/modules (HSM) are used to store SSL/TLS certificates | Unix | CIS IBM WebSphere Liberty v1.0.0 L2
4.2.14 Ensure SP800-131a recommendation is used for stronger cryptographic keys and more robust algorithms | Unix | CIS IBM WebSphere Liberty v1.0.0 L2
4.2.15 Ensure that the Federal Information Processing Standards (FIPS) are used for the cryptographic modules | Unix | CIS IBM WebSphere Liberty v1.0.0 L2
4.3.1 Ensure 'signatureAlgorithm' asymmetric key algorithm is set for encrypting the JSON Web Tokens | Unix | CIS IBM WebSphere Liberty v1.0.0 L1
4.3.4 Ensure 'disableIssChecking' issuer claim is set to 'false' in the RP (Relying Party) | Unix | CIS IBM WebSphere Liberty v1.0.0 L1
4.3.6 Ensure 'signatureAlgorithm' is set to a secure algorithm in OIDC Relying Party (RP) | Unix | CIS IBM WebSphere Liberty v1.0.0 L1
4.3.7 Ensure 'signatureAlgorithm' is set to a secure algorithm in OIDC Provider (OP) | Unix | CIS IBM WebSphere Liberty v1.0.0 L1
4.3.8 Ensure 'httpsRequired' is set to 'true' in OIDC Relying Party (RP) | Unix | CIS IBM WebSphere Liberty v1.0.0 L1
4.3.9 Ensure 'tokenEndpointAuthMethodsSupported' is set to a valid authentication method in OIDC Provider (OP) | Unix | CIS IBM WebSphere Liberty v1.0.0 L1
4.3.10 Ensure 'accessTokenEncoding' is set to a strong hash algorithm in OAuth 2.0 | Unix | CIS IBM WebSphere Liberty v1.0.0 L1
4.3.12 Ensure 'clientSecretEncoding' is set to a strong encoding type in OAuth 2.0 | Unix | CIS IBM WebSphere Liberty v1.0.0 L1
4.3.13 Ensure 'httpsRequired' is set to 'true' in OAuth 2.0 | Unix | CIS IBM WebSphere Liberty v1.0.0 L1
4.6 Set SSL Override Behavior | Unix | CIS Mozilla Firefox 102 ESR Linux L2 v1.0.0
6.2 Disable 'nobody' Access for RPC Encryption Key Storage Service | Unix | CIS Solaris 11.1 L1 v1.0.0
6.2 Disable 'nobody' Access for RPC Encryption Key Storage Service | Unix | CIS Solaris 11 L1 v1.1.0
6.2 Disable 'nobody' Access for RPC Encryption Key Storage Service | Unix | CIS Solaris 11.2 L1 v1.1.0
6.3 Disable 'nobody' Access for RPC Encryption Key Storage Service - Check if 'ENABLE_NOBODY_KEYS' is set to NO | Unix | CIS Solaris 10 L1 v5.2
6.5 Ensure 'sslProtocol' is Configured Correctly for Secure Connectors | Unix | CIS Apache Tomcat 9 L1 v1.2.0
6.5 Ensure 'sslProtocol' is Configured Correctly for Secure Connectors | Unix | CIS Apache Tomcat 9 L1 v1.2.0 Middleware
6.5 Ensure 'sslProtocol' is Configured Correctly for Secure Connectors | Unix | CIS Apache Tomcat 10 L1 v1.1.0
6.5 Ensure 'sslProtocol' is Configured Correctly for Secure Connectors | Unix | CIS Apache Tomcat 10 L1 v1.1.0 Middleware
6.5 Ensure 'sslProtocol' is Configured Correctly for Secure Connectors | Unix | CIS Apache Tomcat 10.1 v1.0.0 L1
6.5 Ensure SSL Protocol is set to TLS for Secure Connectors - verify sslProtocol is set to TLS | Unix | CIS Apache Tomcat 8 L1 v1.1.0 Middleware
6.5 Ensure SSL Protocol is set to TLS for Secure Connectors - verify sslProtocol is set to TLS | Unix | CIS Apache Tomcat 8 L1 v1.1.0
7.2 Disable 'nobody' access for secure RPC - Check if 'ENABLE_NOBODY_KEYS' is set to No in /etc/default/keyserv (Solaris 9) | Unix | CIS Solaris 9 v1.3
7.8 Ensure node certificates are rotated as appropriate | Unix | CIS Docker Community Edition v1.1.0 L2 Docker
8.2 Ensure Signing Keys are Generated with a Secure Algorithm | Unix | CIS BIND DNS v1.0.0 L2 Authoritative Name Server
AS24-U2-000030 - The Apache web server must use encryption strength in accordance with the categorization of data hosted by the Apache web server when remote connections are provided. | Unix | DISA STIG Apache Server 2.4 Unix Site v2r4
AS24-U2-000030 - The Apache web server must use encryption strength in accordance with the categorization of data hosted by the Apache web server when remote connections are provided. | Unix | DISA STIG Apache Server 2.4 Unix Site v2r4 Middleware
AS24-U2-000870 - The Apache web server cookies, such as session cookies, sent to the client using SSL/TLS must not be compressed. | Unix | DISA STIG Apache Server 2.4 Unix Site v2r4 Middleware
AS24-U2-000870 - The Apache web server cookies, such as session cookies, sent to the client using SSL/TLS must not be compressed. | Unix | DISA STIG Apache Server 2.4 Unix Site v2r4
AS24-U2-000890 - Cookies exchanged between the Apache web server and the client, such as session cookies, must have cookie properties set to force the encryption of cookies. | Unix | DISA STIG Apache Server 2.4 Unix Site v2r4 Middleware
AS24-U2-000890 - Cookies exchanged between the Apache web server and the client, such as session cookies, must have cookie properties set to force the encryption of cookies. | Unix | DISA STIG Apache Server 2.4 Unix Site v2r4