800-53|SC-28

Title

PROTECTION OF INFORMATION AT REST

Description

The information system protects the [Selection (one or more): confidentiality; integrity] of [Assignment: organization-defined information at rest].

Supplemental

This control addresses the confidentiality and integrity of information at rest and covers user information and system information. Information at rest refers to the state of information when it is located on storage devices as specific components of information systems. System-related information requiring protection includes, for example, configurations or rule sets for firewalls, gateways, intrusion detection/prevention systems, filtering routers, and authenticator content. Organizations may employ different mechanisms to achieve confidentiality and integrity protections, including the use of cryptographic mechanisms and file share scanning. Integrity protection can be achieved, for example, by implementing Write-Once-Read-Many (WORM) technologies. Organizations may also employ other security controls including, for example, secure off-line storage in lieu of online storage when adequate protection of information at rest cannot otherwise be achieved and/or continuous monitoring to identify malicious code at rest.

Reference Item Details

Related: AC-3, AC-6, CA-7, CM-3, CM-5, CM-6, PE-3, SC-8, SC-13, SI-3, SI-7

Category: SYSTEM AND COMMUNICATIONS PROTECTION

Family: SYSTEM AND COMMUNICATIONS PROTECTION

Priority: P1

Baseline Impact: MODERATE, HIGH

Audit Items

Name | Plugin | Audit Name
1.1.4 Ensure 'Password Recovery' is disabled | Cisco | CIS Cisco ASA 9.x Firewall L1 v1.1.0
1.1.35 Ensure that the encryption provider is set to aescbc | Unix | CIS Kubernetes 1.13 Benchmark v1.4.1 L1
1.2.4.2.1.1 Set 'Configure use of hardware-based encryption for fixed data drives' to 'Enabled' | Windows | CIS Windows 8 L1 v1.0.0
1.2.4.2.1.3 Set 'Configure use of passwords for fixed data drives' to 'Disabled' | Windows | CIS Windows 8 L1 v1.0.0
1.2.4.2.1.4 Set 'Recovery Key' to 'Allow 256-bit recovery key' | Windows | CIS Windows 8 L1 v1.0.0
1.2.4.2.1.5 Set 'Recovery Password' to 'Allow 48-digit recovery password' | Windows | CIS Windows 8 L1 v1.0.0
1.2.4.2.1.6 Set 'Use BitLocker software-based encryption when hardware encryption is not available' to 'True' | Windows | CIS Windows 8 L1 v1.0.0
1.2.4.2.1.7 Set 'Restrict crypto algorithms or cipher suites to the following:' to '2.16.840.1.101.3.4.1.2;2.16.840.1.101.3.4.1.42' | Windows | CIS Windows 8 L1 v1.0.0
1.2.4.2.1.8 Set 'Restrict encryption algorithms and cipher suites allowed for hardware-based encryption' to 'False' | Windows | CIS Windows 8 L1 v1.0.0
1.2.4.2.1.9 Set 'Allow data recovery agent' to 'True' | Windows | CIS Windows 8 L1 v1.0.0
1.2.4.2.1.10 Set 'Choose how BitLocker-protected fixed drives can be recovered' to 'Enabled' | Windows | CIS Windows 8 L1 v1.0.0
1.2.4.2.1.11 Set 'Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives' to 'False' | Windows | CIS Windows 8 L1 v1.0.0
1.2.4.2.1.12 Set 'Configure storage of BitLocker recovery information to AD DS:' to 'Backup recovery passwords and key packages' | Windows | CIS Windows 8 L1 v1.0.0
1.2.4.2.1.13 Set 'Save BitLocker recovery information to AD DS for fixed data drives' to 'False' | Windows | CIS Windows 8 L1 v1.0.0
1.2.4.2.1.14 Set 'Omit recovery options from the BitLocker setup wizard' to 'True' | Windows | CIS Windows 8 L1 v1.0.0
1.2.4.2.1.16 Set 'Require use of smart cards on fixed data drives' to 'True' | Windows | CIS Windows 8 L1 v1.0.0
1.2.4.2.1.17 Configure 'Deny write access to fixed drives not protected by BitLocker' | Windows | CIS Windows 8 L1 v1.0.0
1.2.4.2.1.18 Set 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' to 'Disabled' | Windows | CIS Windows 8 L1 v1.0.0
1.2.4.2.2.1 Set 'Configure use of hardware-based encryption for operating system drives' to 'Enabled' | Windows | CIS Windows 8 L1 v1.0.0
1.2.4.2.2.3 Set 'Configure use of passwords for operating system drives' to 'Disabled' | Windows | CIS Windows 8 L1 v1.0.0
1.2.4.2.2.4 Set 'Recovery Key' to 'Do not allow 256-bit recovery key' | Windows | CIS Windows 8 L1 v1.0.0
1.2.4.2.2.5 Set 'Recovery Password' to 'Require 48-digit recovery password' | Windows | CIS Windows 8 L1 v1.0.0
1.2.4.2.2.6 Set 'Use BitLocker software-based encryption when hardware encryption is not available' to 'True' | Windows | CIS Windows 8 L1 v1.0.0
1.2.4.2.2.7 Set 'Restrict crypto algorithms or cipher suites to the following:' to '2.16.840.1.101.3.4.1.2;2.16.840.1.101.3.4.1.42' | Windows | CIS Windows 8 L1 v1.0.0
1.2.4.2.2.8 Set 'Restrict encryption algorithms and cipher suites allowed for hardware-based encryption' to 'False' | Windows | CIS Windows 8 L1 v1.0.0
1.2.4.2.2.9 Set 'Allow data recovery agent' to 'False' | Windows | CIS Windows 8 L1 v1.0.0
1.2.4.2.2.10 Set 'Choose how BitLocker-protected operating system drives can be recovered' to 'Enabled' | Windows | CIS Windows 8 L1 v1.0.0
1.2.4.2.2.11 Set 'Do not enable BitLocker until recovery information is stored to AD DS for operating system drives' to 'True' | Windows | CIS Windows 8 L1 v1.0.0
1.2.4.2.2.12 Set 'Configure storage of BitLocker recovery information to AD DS:' to 'Store recovery passwords and key packages' | Windows | CIS Windows 8 L1 v1.0.0
1.2.4.2.2.13 Set 'Save BitLocker recovery information to AD DS for operating system drives' to 'True' | Windows | CIS Windows 8 L1 v1.0.0
1.2.4.2.2.14 Set 'Omit recovery options from the BitLocker setup wizard' to 'True' | Windows | CIS Windows 8 L1 v1.0.0
1.2.4.2.2.16 Set 'Allow BitLocker without a compatible TPM' to 'False' | Windows | CIS Windows 8 L1 v1.0.0
1.2.4.2.2.18 Set 'Configure TPM startup PIN:' to 'Require startup PIN with TPM' | Windows | CIS Windows 8 L1 v1.0.0
1.2.4.2.2.19 Set 'Configure TPM startup:' to 'Do not allow TPM' | Windows | CIS Windows 8 L1 v1.0.0
1.2.4.2.2.20 Set 'Configure TPM startup key:' to 'Do not allow startup key with TPM' | Windows | CIS Windows 8 L1 v1.0.0
1.2.4.2.2.21 Configure 'Use enhanced Boot Configuration Data validation profile' | Windows | CIS Windows 8 L1 v1.0.0
1.2.4.2.2.22 Configure 'Enable use of BitLocker authentication requiring preboot keyboard input on slates' | Windows | CIS Windows 8 L1 v1.0.0
1.2.4.2.2.28 Set 'Minimum characters:' to 'Enabled:7 or more characters' | Windows | CIS Windows 8 L1 v1.0.0
1.2.4.2.2.29 Configure 'Allow network unlock at startup' | Windows | CIS Windows 8 L1 v1.0.0
1.2.4.2.2.30 Configure 'Reset platform validation data after BitLocker recovery' | Windows | CIS Windows 8 L1 v1.0.0
1.2.4.2.3.1 Set 'Configure use of hardware-based encryption for removable data drives' to 'Enabled' | Windows | CIS Windows 8 L1 v1.0.0
1.2.4.2.3.10 Set 'Choose how BitLocker-protected removable drives can be recovered' to 'Enabled' | Windows | CIS Windows 8 L1 v1.0.0
1.2.4.2.3.11 Set 'Do not enable BitLocker until recovery information is stored to AD DS for removable data drives' to 'False' | Windows | CIS Windows 8 L1 v1.0.0
1.2.4.2.3.12 Set 'Configure storage of BitLocker recovery information to AD DS:' to 'Backup recovery passwords and key packages' | Windows | CIS Windows 8 L1 v1.0.0
1.2.27 Ensure that the --encryption-provider-config argument is set as appropriate | Unix | CIS Kubernetes v1.10.0 L1 Master
1.2.28 Ensure that encryption providers are appropriately configured | Unix | CIS Kubernetes v1.10.0 L1 Master
1.2.30 Ensure that encryption providers are appropriately configured | Unix | CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
1.2.30 Ensure that encryption providers are appropriately configured | Unix | CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
1.2.31 Ensure that encryption providers are appropriately configured | OpenShift | CIS RedHat OpenShift Container Platform v1.6.0 L1
1.2.33 Ensure that encryption providers are appropriately configured | Unix | CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
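The Kubernetes audit items above (encryption provider set to aescbc, --encryption-provider-config set, encryption providers appropriately configured) all reduce to the contents of the EncryptionConfiguration file that kube-apiserver reads to encrypt Secrets and other resources before writing them to etcd, which is the SC-28 "information at rest" case for a cluster. The helper below is an added example written for this page; it is not Tenable plugin code and not a script shipped with any CIS benchmark. It audits a configuration (written as JSON, which the apiserver's YAML parser also accepts) for the conditions the CIS checks describe: the first listed provider, which is the one used to encrypt new writes, must be aescbc, secretbox or kms rather than identity, and any inline aescbc or secretbox key must decode to a valid length. The two configurations and their key material are constructed placeholders (the all-0x41 keys are not usable keys), and `audit_json`, `audit_encryption_config`, `ACCEPTED_PROVIDERS` and `KEY_LENGTHS` are names introduced here.

```python
"""Audit a kube-apiserver EncryptionConfiguration for encryption at rest (SC-28).

Hypothetical helper written for this page; not a CIS or Tenable artifact.
"""
import base64
import json

# Providers the CIS Kubernetes checks accept for encrypting etcd contents.
# aesgcm is omitted on purpose: Kubernetes requires rotating aesgcm keys after
# roughly 200k writes, so the benchmarks steer operators to these three.
ACCEPTED_PROVIDERS = {"aescbc", "secretbox", "kms"}

# Valid decoded key sizes in bytes for the providers that carry keys inline.
KEY_LENGTHS = {"aescbc": {16, 24, 32}, "secretbox": {32}}

# Constructed sample: identity listed first (new writes stay plaintext) and an
# aescbc key that decodes to only 8 bytes. Placeholder key, not a real secret.
WEAK_CONFIG = """
{
  "apiVersion": "apiserver.config.k8s.io/v1",
  "kind": "EncryptionConfiguration",
  "resources": [
    {
      "resources": ["secrets"],
      "providers": [
        {"identity": {}},
        {"aescbc": {"keys": [{"name": "key1", "secret": "QUFBQUFBQUE="}]}}
      ]
    }
  ]
}
"""

# Constructed sample: aescbc with a 32-byte placeholder key first, identity last
# so objects written before encryption was enabled can still be read.
HARDENED_CONFIG = """
{
  "apiVersion": "apiserver.config.k8s.io/v1",
  "kind": "EncryptionConfiguration",
  "resources": [
    {
      "resources": ["secrets", "configmaps"],
      "providers": [
        {"aescbc": {"keys": [{"name": "key1",
          "secret": "QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUE="}]}},
        {"identity": {}}
      ]
    }
  ]
}
"""


def audit_encryption_config(config):
    """Return a list of findings; an empty list means the configuration passes."""
    if config.get("kind") != "EncryptionConfiguration":
        return ["kind is not EncryptionConfiguration"]
    findings = []
    resources = config.get("resources") or []
    if not resources:
        findings.append("no resources listed, nothing is encrypted")
    for entry in resources:
        names = ",".join(entry.get("resources", [])) or "<none>"
        providers = entry.get("providers") or []
        if not providers:
            findings.append(f"{names}: no providers configured")
            continue
        # Only the first provider encrypts new writes; the remaining ones are
        # tried in order when decrypting data already in etcd.
        first = next(iter(providers[0]), None)
        if first is None:
            findings.append(f"{names}: first provider entry is empty")
        elif first == "identity":
            findings.append(f"{names}: first provider is identity, new writes are stored in plaintext")
        elif first not in ACCEPTED_PROVIDERS:
            findings.append(f"{names}: first provider {first!r} is not aescbc/secretbox/kms")
        for provider in providers:
            for pname, pconf in provider.items():
                if pname not in KEY_LENGTHS:
                    continue  # identity has no key; kms keys live in the external KMS
                for key in (pconf or {}).get("keys", []):
                    try:
                        raw = base64.b64decode(key.get("secret", ""), validate=True)
                    except ValueError:
                        findings.append(f"{names}: {pname} key {key.get('name')!r} is not valid base64")
                        continue
                    if len(raw) not in KEY_LENGTHS[pname]:
                        findings.append(
                            f"{names}: {pname} key {key.get('name')!r} is {len(raw)} bytes, "
                            f"expected one of {sorted(KEY_LENGTHS[pname])}"
                        )
    return findings


def audit_json(text):
    """Parse a JSON (and therefore YAML-compatible) EncryptionConfiguration and audit it."""
    return audit_encryption_config(json.loads(text))


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_json(text) or ["PASS"])
```

Two caveats a practitioner should keep in mind. First, this audits the file only; the CIS item about --encryption-provider-config is a separate check that the running kube-apiserver process actually carries that flag pointing at this file, since a correct file that is never loaded encrypts nothing. Second, a trailing identity provider, as in the hardened sample, is expected during migration, but objects written before encryption was enabled remain plaintext in etcd until they are rewritten (for example by reading and replacing every Secret), so an audit of the configuration alone does not prove that existing data is protected.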