
SC-13: Cryptographic Protection

An OSCAL Control

Statement

    • a.

      Determine the ; and

    • b.

      Implement the following types of cryptography required for each specified cryptographic use: .

      • Guidance:

        This control applies to all use of cryptography. In addition to encryption, this includes functions such as hashing, random number generation, and key generation. Examples include the following:

        • Encryption of data
        • Decryption of data
        • Generation of one time passwords (OTPs) for MFA
        • Protocols such as TLS, SSH, and HTTPS

        The requirement for FIPS 140 validation, as well as the timelines for acceptance of FIPS 140-2 and 140-3 modules, can be found at the NIST Cryptographic Module Validation Program (CMVP):

        https://csrc.nist.gov/projects/cryptographic-module-validation-program

      • Guidance:

        For NSA-approved cryptography, the National Information Assurance Partnership (NIAP) oversees a national program to evaluate Commercial IT Products for Use in National Security Systems. The NIAP Product Compliant List can be found at the following location:

        https://www.niap-ccevs.org/Product/index.cfm

      • Guidance:

        When leveraging encryption from underlying IaaS/PaaS: while some IaaS/PaaS services provide encryption by default, many require encryption to be configured and enabled by the customer. The CSP has the responsibility to verify that encryption is properly configured on every service it relies on, rather than assuming the provider's defaults.
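        A concrete form of that verification, as an added example that is not part of the OSCAL control text or of any provider's tooling: a small Python auditor run over constructed JSON shaped like the output of `aws ec2 describe-volumes` and `aws s3api get-bucket-encryption`. The field names follow those two AWS APIs; the sample resources, and the policy the auditor enforces (encryption must be enabled, and S3 default encryption must name a KMS key rather than fall back to the provider-managed key), are assumptions for illustration, not requirements stated by the control.

```python
"""Audit encryption-at-rest settings in an IaaS storage inventory.

Added example for the SC-13 IaaS/PaaS guidance; not part of the control text.
Input shapes follow `aws ec2 describe-volumes` and `aws s3api get-bucket-encryption`;
the sample data is constructed, and the KMS-key requirement is an assumed policy.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    resource: str
    issue: str


# Constructed sample shaped like the `Volumes` list from describe-volumes.
SAMPLE_VOLUMES = {
    "Volumes": [
        {"VolumeId": "vol-0a1", "Encrypted": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/0000-example"},
        {"VolumeId": "vol-0b2", "Encrypted": False},
        {"VolumeId": "vol-0c3"},  # field absent: must be treated as unencrypted
    ]
}

# Constructed sample: bucket name -> get-bucket-encryption body, or None when the
# API reported ServerSideEncryptionConfigurationNotFoundError.
SAMPLE_BUCKETS = {
    "app-logs": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms",
            "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/0000-example"}}]}},
    "legacy-exports": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
    "scratch": None,
}


def audit_volumes(describe_volumes: dict) -> list[Finding]:
    """Flag block volumes whose Encrypted flag is false or missing."""
    findings = []
    for vol in describe_volumes.get("Volumes", []):
        vid = vol.get("VolumeId", "<unknown>")
        # A missing key is a failed check, not a pass: never default to "encrypted".
        if not vol.get("Encrypted", False):
            findings.append(Finding(vid, "volume is not encrypted"))
    return findings


def audit_buckets(buckets: dict, require_kms: bool = True) -> list[Finding]:
    """Flag buckets with no default encryption rule or, under the assumed
    policy, a rule that does not name a KMS key (SSE-S3 or unnamed aws:kms)."""
    findings = []
    for name, body in buckets.items():
        res = f"s3://{name}"
        if not body:
            findings.append(Finding(res, "no default encryption configuration"))
            continue
        rules = body.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
        defaults = [r.get("ApplyServerSideEncryptionByDefault", {}) for r in rules]
        if not any(d.get("SSEAlgorithm") for d in defaults):
            findings.append(Finding(res, "encryption rule present but no SSEAlgorithm"))
            continue
        if require_kms and not any(
            d.get("SSEAlgorithm") in ("aws:kms", "aws:kms:dsse") and d.get("KMSMasterKeyID")
            for d in defaults
        ):
            findings.append(Finding(
                res, "default encryption does not name a KMS key (provider-managed key)"))
    return findings


def run_audit(volumes: dict, buckets: dict) -> dict:
    """Combine both checks into one report suitable for evidence collection."""
    findings = audit_volumes(volumes) + audit_buckets(buckets)
    return {"findings": findings, "compliant": not findings}


if __name__ == "__main__":
    report = run_audit(SAMPLE_VOLUMES, SAMPLE_BUCKETS)
    for f in report["findings"]:
        print(f"FAIL {f.resource}: {f.issue}")
    print("compliant" if report["compliant"] else "non-compliant")
```

        In use, the two sample dictionaries are replaced by live API output collected per account and region; the absence of a field is deliberately scored as a failure, because an auditor that treats missing data as "encrypted" will report a misconfigured service as compliant.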

      • Guidance:

        Moving to a non-FIPS-validated cryptographic module (CM) or product is acceptable when all of the following apply:

        • The FIPS-validated version has a known vulnerability
        • The vulnerable feature is in use
        • The non-FIPS version fixes the vulnerability
        • The non-FIPS version has been submitted to NIST for FIPS validation
        • A POA&M is added to track approval, and deployment once validation is granted

      • Guidance:

        At a minimum, this control applies to cryptography in use for the following controls: AU-9(3), CP-9(8), IA-2(6), IA-5(1), MP-5, SC-8(1), and SC-28(1).