800-53|SC-12

Title

CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT

Description

The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction].

Supplemental

Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance, specifying appropriate options, levels, and parameters. Organizations manage trust stores to ensure that only approved trust anchors are in such trust stores. This includes certificates with visibility external to organizational information systems and certificates related to the internal operations of systems.

Reference Item Details

Related: SC-13, SC-17

Category: SYSTEM AND COMMUNICATIONS PROTECTION

Family: SYSTEM AND COMMUNICATIONS PROTECTION

Priority: P1

Baseline Impact: LOW, MODERATE, HIGH

Audit Items

| Name | Plugin | Audit Name |
|---|---|---|
| 1.1.2 Ensure 'Enable Password' is set | Cisco | CIS Cisco Firewall v8.x L1 v4.2.0 |
| 1.1.2 Ensure 'Enable Password' is set | Cisco | CIS Cisco Firewall ASA 9 L1 v4.1.0 |
| 1.1.3 Ensure 'Master Key Passphrase' is set | Cisco | CIS Cisco Firewall v8.x L1 v4.2.0 |
| 1.1.3 Ensure 'Master Key Passphrase' is set | Cisco | CIS Cisco Firewall ASA 9 L1 v4.1.0 |
| 1.5.6 Ensure NIST FIPS-validated cryptography is configured - enabled | Unix | CIS Amazon Linux 2 STIG v1.0.0 L3 |
| 1.5.6 Ensure NIST FIPS-validated cryptography is configured - grub | Unix | CIS Amazon Linux 2 STIG v1.0.0 L3 |
| 1.5.6 Ensure NIST FIPS-validated cryptography is configured - installed | Unix | CIS Amazon Linux 2 STIG v1.0.0 L3 |
| 1.13.2.5 Ensure 'Minimum Encryption Settings:' is set to Enabled:168 | Windows | CIS Microsoft Office Outlook 2013 v1.1.0 Level 1 |
| 1.13.2.5 Ensure 'Minimum Encryption Settings:' is set to Enabled:168 | Windows | CIS Microsoft Office Outlook 2016 v1.1.0 Level 1 |
| 2.4 Ensure default self-signed certificate for ESXi communication is not used | Unix | CIS VMware ESXi 6.5 v1.0.0 Level 1 Bare Metal |
| 2.5 Ensure Non-Default, Unique Cryptographic Material is in Use | Unix | CIS MariaDB 10.6 on Linux L1 v1.1.0 |
| 2.7 Ensure expired and revoked SSL certificates are removed from the ESXi server | Unix | CIS VMware ESXi 6.5 v1.0.0 Level 1 Bare Metal |
| 2.13 Set 'Minimum key size (in bits):' to 'Enabled:168' | Windows | CIS MS Office Outlook 2010 v1.0.0 |
| 3.2 Do Not Send Cross SSL/TLS Referrer Header | Unix | CIS Mozilla Firefox 38 ESR Linux L2 v1.0.0 |
| 4.1 Set SSL Override Behavior | Unix | CIS Mozilla Firefox 38 ESR Linux L2 v1.0.0 |
| 4.6 Set SSL Override Behavior | Unix | CIS Mozilla Firefox 102 ESR Linux L2 v1.0.0 |
| 6.2 Disable 'nobody' Access for RPC Encryption Key Storage Service | Unix | CIS Solaris 11.1 L1 v1.0.0 |
| 6.2 Disable 'nobody' Access for RPC Encryption Key Storage Service | Unix | CIS Solaris 11 L1 v1.1.0 |
| 6.2 Disable "nobody" Access for RPC Encryption Key Storage Service | Unix | CIS Solaris 11.2 L1 v1.1.0 |
| 6.3 Disable 'nobody' Access for RPC Encryption Key Storage Service - Check if 'ENABLE_NOBODY_KEYS' is set to NO. | Unix | CIS Solaris 10 L1 v5.2 |
| 6.5 Ensure 'sslProtocol' is Configured Correctly for Secure Connectors | Unix | CIS Apache Tomcat 9 L1 v1.2.0 |
| 6.5 Ensure 'sslProtocol' is Configured Correctly for Secure Connectors | Unix | CIS Apache Tomcat 9 L1 v1.2.0 Middleware |
| 6.5 Ensure 'sslProtocol' is Configured Correctly for Secure Connectors | Unix | CIS Apache Tomcat 10 L1 v1.1.0 |
| 6.5 Ensure 'sslProtocol' is Configured Correctly for Secure Connectors | Unix | CIS Apache Tomcat 10 L1 v1.1.0 Middleware |
| 6.5 Ensure 'sslProtocol' is Configured Correctly for Secure Connectors | Unix | CIS Apache Tomcat 10.1 v1.0.0 L1 |
| 6.5 Ensure SSL Protocol is set to TLS for Secure Connectors - verify sslProtocol is set to TLS | Unix | CIS Apache Tomcat 8 L1 v1.1.0 Middleware |
| 6.5 Ensure SSL Protocol is set to TLS for Secure Connectors - verify sslProtocol is set to TLS | Unix | CIS Apache Tomcat 8 L1 v1.1.0 |
| 7.2 Disable 'nobody' access for secure RPC, Check if 'ENABLE_NOBODY_KEYS' is set to No in /etc/default/keyserv (Solaris 9) | Unix | CIS Solaris 9 v1.3 |
| 7.8 Ensure node certificates are rotated as appropriate | Unix | CIS Docker Community Edition v1.1.0 L2 Docker |
| 8.2 Ensure Signing Keys are Generated with a Secure Algorithm | Unix | CIS BIND DNS v1.0.0 L2 Authoritative Name Server |
| Access Security - J-Web - Use HTTPS with a valid certificate signed by a trusted CA - local-certificate | Juniper | Juniper Hardening JunOS 12 Devices Checklist |
| Access Security - J-Web - Use HTTPS with a valid certificate signed by a trusted CA - trusted CA | Juniper | Juniper Hardening JunOS 12 Devices Checklist |
| AS24-U2-000030 - The Apache web server must use encryption strength in accordance with the categorization of data hosted by the Apache web server when remote connections are provided. | Unix | DISA STIG Apache Server 2.4 Unix Site v2r4 |
| AS24-U2-000030 - The Apache web server must use encryption strength in accordance with the categorization of data hosted by the Apache web server when remote connections are provided. | Unix | DISA STIG Apache Server 2.4 Unix Site v2r4 Middleware |
| AS24-U2-000870 - The Apache web server cookies, such as session cookies, sent to the client using SSL/TLS must not be compressed. | Unix | DISA STIG Apache Server 2.4 Unix Site v2r4 Middleware |
| AS24-U2-000870 - The Apache web server cookies, such as session cookies, sent to the client using SSL/TLS must not be compressed. | Unix | DISA STIG Apache Server 2.4 Unix Site v2r4 |
| AS24-U2-000890 - Cookies exchanged between the Apache web server and the client, such as session cookies, must have cookie properties set to force the encryption of cookies. | Unix | DISA STIG Apache Server 2.4 Unix Site v2r4 Middleware |
| AS24-U2-000890 - Cookies exchanged between the Apache web server and the client, such as session cookies, must have cookie properties set to force the encryption of cookies. | Unix | DISA STIG Apache Server 2.4 Unix Site v2r4 |
| CNTR-K8-002620 - Kubernetes API Server must disable basic authentication to protect information in transit. | Unix | DISA STIG Kubernetes v2r2 |
| CNTR-K8-002630 - Kubernetes API Server must disable token authentication to protect information in transit. | Unix | DISA STIG Kubernetes v2r2 |
| CNTR-K8-002640 - Kubernetes endpoints must use approved organizational certificate and key pair to protect information in transit. | Unix | DISA STIG Kubernetes v2r2 |
| Minimum encryption settings | Windows | MSCT Office 2016 v1.0.0 |
| Minimum encryption settings | Windows | MSCT Microsoft 365 Apps for Enterprise 2206 v1.0.0 |
| Minimum encryption settings | Windows | MSCT Office 365 ProPlus 1908 v1.0.0 |
| Minimum encryption settings | Windows | MSCT Microsoft 365 Apps for Enterprise 2112 v1.0.0 |
| Minimum encryption settings | Windows | Microsoft 365 Apps for Enterprise 2306 v1.0.0 |
| Minimum encryption settings | Windows | MSCT M365 Apps for enterprise 2312 v1.0.0 |
| Switch identity profile | ArubaOS | ArubaOS Switch 16.x Hardening Guide v1.0.0 |
| WN16-PK-000020 - The DoD Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems - DoD Root CA 2 | Windows | DISA Windows Server 2016 STIG v2r9 |