BRACKETOLOGY | FEDRAMP

SC-13: CRYPTOGRAPHIC PROTECTION

FedRAMP Baseline Membership SC-13:

  • LOW
  • MODERATE
  • HIGH

FedRAMP Bracketology

Use the FedRAMP Control Membership information above to determine if a control or control enhancement is required for each Impact Baseline — LOW, MODERATE, or HIGH.

Review and use Additional Requirements and Guidance to build FedRAMP-compliant controls for your risk-based cybersecurity program.

The information system implements [Assignment: organization-defined cryptographic uses and type of cryptography required for each use] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.

FedRAMP control configuration (the same for the LOW, MODERATE, and HIGH baselines):

The information system implements FIPS-validated or NSA-approved cryptography in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.

SUPPLEMENTAL GUIDANCE

Cryptography can be employed to support a variety of security solutions including, for example, the protection of classified and Controlled Unclassified Information, the provision of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances for such information but lack the necessary formal access approvals. Cryptography can also be used to support random number generation and hash generation. Generally applicable cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. This control does not impose any requirements on organizations to use cryptography. However, if cryptography is required based on the selection of other security controls, organizations define each type of cryptographic use and the type of cryptography required (e.g., protection of classified information: NSA-approved cryptography; provision of digital signatures: FIPS-validated cryptography).

CONTROL ENHANCEMENTS

SC-13 (1) CRYPTOGRAPHIC PROTECTION | FIPS-VALIDATED CRYPTOGRAPHY

[Withdrawn: Incorporated into SC-13]. (See above.)

SC-13 (2) CRYPTOGRAPHIC PROTECTION | NSA-APPROVED CRYPTOGRAPHY

[Withdrawn: Incorporated into SC-13]. (See above.)

SC-13 (3) CRYPTOGRAPHIC PROTECTION | INDIVIDUALS WITHOUT FORMAL ACCESS APPROVALS

[Withdrawn: Incorporated into SC-13]. (See above.)

SC-13 (4) CRYPTOGRAPHIC PROTECTION | DIGITAL SIGNATURES

[Withdrawn: Incorporated into SC-13]. (See above.)

REFERENCES:

  • FIPS Publication 140
  • http://csrc.nist.gov/cryptval
  • http://www.cnss.gov