Cryptography can be employed to support many security solutions including the protection of controlled unclassified information, the provision of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances for such information but lack the necessary formal access approvals. Cryptography can also be used to support random number generation and hash generation. Cryptographic standards include FIPS-validated cryptography and/or NSA-approved cryptography. See [NIST CRYPTO]; [NIST CAVP]; and [NIST CMVP].

Priority: Medium

Category: Network Security

Services Associated with AWS:

  1. AWS Key Management Service (KMS)
  2. AWS CloudHSM
  3. Amazon S3

Objective Evidence:

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations
  • Technical: screen shot of configuration settings
  • Technical: screen shot of cryptography in use

Possible Technology Considerations:

  • Secure Baseline Configurations (SBC)
  • Cryptographic Solution (data in transit)

What needs to be answered?

Is FIPS-validated cryptography used to protect CUI? Do communication cryptographic mechanisms comply with applicable policies, standards, and guidance?

  • FIPS-Validated Cryptography Check

    Description: This check ensures that Federal Information Processing Standards (FIPS)-validated cryptography is employed when used to protect the confidentiality of Controlled Unclassified Information (CUI). The check verifies that the cryptographic solutions employed meet FIPS standards and are used appropriately for data encryption, digital signatures, information separation enforcement, random number generation, and hash generation.

  • NSA-Approved Cryptography Check

    Description: This check ensures that National Security Agency (NSA)-approved cryptography is utilized as per organizational requirements. The check verifies that cryptographic methods used are approved by the NSA and are properly implemented for the relevant security solutions, including data encryption, digital signatures, and information separation enforcement.

More Details:

FIPS-validated cryptography is used for all systems containing CUI.
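The "screen shot of configuration settings" evidence for the FIPS-Validated Cryptography Check can be gathered and evaluated automatically for the AWS services listed above. The following is an added example, not code from the original page or from AWS: it evaluates `aws s3api get-bucket-encryption` output against an assumed organizational policy (SSE-KMS with an approved customer-managed KMS key) and checks that the AWS SDK/CLI is pinned to FIPS endpoints through the `AWS_USE_FIPS_ENDPOINT` setting. The bucket names, key ARN and evidence records are constructed placeholders.

```python
import os

# Assumed organizational allow-list of customer-managed KMS keys (placeholder ARN).
CMK_ARN = "arn:aws:kms:us-gov-west-1:111122223333:key/00000000-0000-0000-0000-000000000000"
APPROVED_KEYS = {CMK_ARN}

def evaluate_bucket_encryption(config, approved_keys=APPROVED_KEYS):
    """Evaluate one `aws s3api get-bucket-encryption` result -> (compliant, findings).
    Assumed policy: SSE-KMS with an approved customer-managed key. SSE-S3 (AES256)
    and the AWS-managed aws/s3 key (no KMSMasterKeyID) are reported as findings."""
    findings = []
    rules = config.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not rules:
        return False, ["no default encryption rule configured"]
    for rule in rules:
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        algo = default.get("SSEAlgorithm")
        key_id = default.get("KMSMasterKeyID")
        if algo != "aws:kms":
            findings.append(f"SSEAlgorithm is {algo!r}; policy requires aws:kms")
        elif not key_id:
            findings.append("aws:kms without KMSMasterKeyID (AWS-managed key, not an org CMK)")
        elif key_id not in approved_keys:
            findings.append(f"KMS key {key_id} is not on the approved list")
    return not findings, findings

def fips_endpoint_enabled(env=os.environ):
    """True when the SDK/CLI is pinned to FIPS endpoints via AWS_USE_FIPS_ENDPOINT."""
    return env.get("AWS_USE_FIPS_ENDPOINT", "").strip().lower() == "true"

# Constructed sample evidence, shaped like the CLI's JSON output (not real buckets).
SAMPLE_EVIDENCE = {
    "cui-archive": {"ServerSideEncryptionConfiguration": {"Rules": [{
        "ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": CMK_ARN},
        "BucketKeyEnabled": True}]}},
    "cui-exports": {"ServerSideEncryptionConfiguration": {"Rules": [{
        "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
    "cui-scratch": {"ServerSideEncryptionConfiguration": {"Rules": []}},
}

def run_checks(evidence=SAMPLE_EVIDENCE, env=None):
    """Return {bucket: (compliant, findings)} plus whether FIPS endpoints are enabled."""
    env = {"AWS_USE_FIPS_ENDPOINT": "true"} if env is None else env
    report = {name: evaluate_bucket_encryption(cfg) for name, cfg in evidence.items()}
    report["fips_endpoint"] = fips_endpoint_enabled(env)
    return report
```

In practice the evidence dictionary would be populated from the CLI or SDK output for each bucket holding CUI, and the report retained alongside the policy documents listed under Objective Evidence.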