800-53|SC-13

Title

CRYPTOGRAPHIC PROTECTION

Description

The information system implements [Assignment: organization-defined cryptographic uses and type of cryptography required for each use] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.

Supplemental

Cryptography can be employed to support a variety of security solutions including, for example, the protection of classified and Controlled Unclassified Information, the provision of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances for such information but lack the necessary formal access approvals. Cryptography can also be used to support random number generation and hash generation. Generally applicable cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. This control does not impose any requirements on organizations to use cryptography. However, if cryptography is required based on the selection of other security controls, organizations define each type of cryptographic use and the type of cryptography required (e.g., protection of classified information: NSA-approved cryptography; provision of digital signatures: FIPS-validated cryptography).

Reference Item Details

Related: AC-17,AC-18,AC-2,AC-3,AC-7,AU-10,AU-9,CM-11,CP-9,IA-3,IA-7,MA-4,MP-2,MP-4,MP-5,SA-4,SC-12,SC-28,SC-8,SI-7

Category: SYSTEM AND COMMUNICATIONS PROTECTION

Family: SYSTEM AND COMMUNICATIONS PROTECTION

Priority: P1

Baseline Impact: LOW,MODERATE,HIGH

Audit Items

Name | Plugin | Audit Name
1.1.1.2.1.82 Set 'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing' to 'Disabled' | Windows | CIS Windows 2003 DC v3.1.0
1.1.1.2.1.82 Set 'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing' to 'Disabled' | Windows | CIS Windows 2003 MS v3.1.0
1.1.2 Install and configure HP-UX Secure Shell 'RhostsRSAAuthentication=no' | Unix | CIS HP-UX 11i v1.5
1.1.3.5.2 Set 'Domain member: Digitally sign secure channel data (when possible)' to 'Enabled' | Windows | CIS Windows 8 L1 v1.0.0
1.1.3.5.3 Set 'Domain member: Digitally encrypt secure channel data (when possible)' to 'Enabled' | Windows | CIS Windows 8 L1 v1.0.0
1.1.3.5.5 Set 'Domain member: Digitally encrypt or sign secure channel data (always)' to 'Enabled' | Windows | CIS Windows 8 L1 v1.0.0
1.1.3.7.2 Set 'Microsoft network client: Digitally sign communications (always)' to 'Enabled' | Windows | CIS Windows 8 L1 v1.0.0
1.1.3.7.3 Set 'Microsoft network client: Digitally sign communications (if server agrees)' to 'Enabled' | Windows | CIS Windows 8 L1 v1.0.0
1.1.3.8.3 Set 'Microsoft network server: Digitally sign communications (if client agrees)' to 'Enabled' | Windows | CIS Windows 8 L1 v1.0.0
1.1.3.8.5 Set 'Microsoft network server: Digitally sign communications (always)' to 'Enabled' | Windows | CIS Windows 8 L1 v1.0.0
1.1.3.14.2 Set 'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing' to 'Enabled' | Windows | CIS Windows 8 L1 v1.0.0
1.1.7 Set 'login authentication for 'ip http' - http secure-server | Cisco | CIS Cisco IOS 16 L1 v1.1.0
1.1.7.5 Disable Password to Open UI: Level I Enabled | Windows | CIS MS Office 2007 v1.1.0 L1
1.1.10.1. Encryption Type for Password Protected Office Open XML Files | Windows | CIS MS Office 2007 v1.1.0 L2
1.1.11.1 Protect Document Metadata for Rights in Office Open XML Files: Level I Enabled | Windows | CIS MS Office 2007 v1.1.0 L1
1.1.11.2 Protect Document Metadata or Password Protected Files: Level I Enabled | Windows | CIS MS Office 2007 v1.1.0 L1
1.1.30 Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Unix | CIS Kubernetes 1.13 Benchmark v1.4.0 L1
1.1.30 Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Unix | CIS Kubernetes 1.11 Benchmark v1.3.0 L1
1.1.39 Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Unix | CIS Kubernetes 1.11 Benchmark v1.3.0 L1
1.2 Enable SSH (sshd_enable) | Unix | CIS FreeBSD v1.0.5
1.2 Ensure that the SharePoint Central Administration Site is TLS-enabled - HTTPS | Windows | CIS Microsoft SharePoint 2016 OS v1.0.0
1.2 Ensure that the SharePoint Central Administration Site is TLS-enabled - HTTPS | Windows | CIS Microsoft SharePoint 2016 OS v1.1.0
1.2 Ensure that the SharePoint Central Administration Site is TLS-enabled - Port 443 | Windows | CIS Microsoft SharePoint 2016 OS v1.1.0
1.2 Ensure that the SharePoint Central Administration Site is TLS-enabled - Port 443 | Windows | CIS Microsoft SharePoint 2016 OS v1.0.0
1.2.34 Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Unix | CIS Kubernetes v1.20 Benchmark v1.0.0 L1 Master
1.2.35 Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Unix | CIS Kubernetes Benchmark v1.5.1 L1
1.3 Configure SSH - Check if RhostsRSAAuthentication is set to no and not commented for server. | Unix | CIS Solaris 9 v1.3
1.4 Ensure that the underlying Internet Information Services (IIS) Authentication module is set to use Kerberos as its Auth Provider | Windows | CIS Microsoft SharePoint 2016 OS v1.1.0
1.4 Ensure that the underlying Internet Information Services (IIS) Authentication module is set to use Kerberos as its Auth Provider | Windows | CIS Microsoft SharePoint 2016 OS v1.0.0
1.4 Ensure that the underlying Internet Information Services (IIS) Authentication module is set to use Kerberos as its Authentication Provider | Windows | CIS Microsoft SharePoint 2019 OS v1.0.0
1.4.3.3 Ensure 'aaa authentication secure-http-client' is configured correctly | Cisco | CIS Cisco Firewall ASA 9 L1 v4.0.0
1.4.3.3 Ensure 'aaa authentication secure-http-client' is configured correctly | Cisco | CIS Cisco Firewall ASA 8 L1 v4.1.0
1.5.9 Ensure NIST FIPS-validated cryptography is configured - etc | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
1.5.9 Ensure NIST FIPS-validated cryptography is configured - grub | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
1.5.10 Require 'aes 128' as minimum for 'snmp-server user' when using SNMPv3 | Cisco | CIS Cisco IOS 15 L2 v4.0.1
1.5.10 Require 'aes 128' as minimum for 'snmp-server user' when using SNMPv3 | Cisco | CIS Cisco IOS 16 L2 v1.1.0
1.10 Ensure system-wide crypto policy is FUTURE or FIPS | Unix | CIS Oracle Linux 8 Server L2 v1.0.0
1.10 Ensure system-wide crypto policy is FUTURE or FIPS | Unix | CIS Oracle Linux 8 Workstation L2 v1.0.0
1.11 Ensure system-wide crypto policy is FUTURE or FIPS | Unix | CIS Red Hat EL8 Server L2 v1.0.0
1.11 Ensure system-wide crypto policy is FUTURE or FIPS | Unix | CIS Red Hat EL8 Workstation L2 v1.0.0
1.11 Ensure system-wide crypto policy is FUTURE or FIPS | Unix | CIS CentOS Linux 8 Server L2 v1.0.0
1.11 Ensure system-wide crypto policy is FUTURE or FIPS | Unix | CIS CentOS Linux 8 Workstation L2 v1.0.0
1.12 Ensure App Tier ELB have SSL\TLS Certificate attached | amazon_aws | CIS Amazon Web Services Three-tier Web Architecture L2 1.0.0
1.12 Set 'External send connector authentication: Domain Security' to 'True' | Windows | CIS Microsoft Exchange Server 2013 Edge v1.1.0
1.12 Set 'External send connector authentication: Domain Security' to 'True' | Windows | CIS Microsoft Exchange Server 2016 Edge v1.0.0
1.13.2.4 Ensure 'Message Formats' is set to Enabled:S/MIME and Fortezza | Windows | CIS Microsoft Office Outlook 2016 v1.1.0 Level 1
1.13.2.4 Ensure 'Message Formats' is set to Enabled:S/MIME and Fortezza | Windows | CIS Microsoft Office Outlook 2013 v1.1.0 Level 1
1.16 Ensure all S3 buckets have policy to require server-side and in transit encryption for all objects stored in bucket. | amazon_aws | CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0
1.210 - The shadow file must be configured to store only encrypted representations of passwords. | Unix | Tenable Fedora Linux Best Practices v2.0.0
1.220 - User and group account administration utilities must be configured to store only encrypted representations of passwords. | Unix | Tenable Fedora Linux Best Practices v2.0.0