Level 2


Description:

Cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. See [NIST CRYPTO]; [NIST CAVP]; [NIST CMVP]; National Security Agency Cryptographic Standards. 


Priority: High 


Domain: ACCESS CONTROL (AC) 


Services Associated with AWS: 

  • AWS Key Management Service (KMS)
  • AWS Certificate Manager
  • AWS VPN
  • AWS Direct Connect


Services Associated with Azure:

  • Azure Key Vault
  • Azure Active Directory (Azure AD) for authentication and access control
  • Azure Virtual Network (VNet) for secure network connectivity
  • Azure Disk Encryption for encrypting data at rest
  • Azure Storage Service Encryption for encrypting data in Azure storage services
  • Azure VPN Gateway for secure remote access
  • Azure Information Protection for protecting sensitive data


Objective Evidence: 

  • Administrative: documented policies, standards & procedures 
  • Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations 
  • Technical: screenshot of firewall/VPN settings


Possible Technology Considerations:

  • VPN Concentrator Secure Baseline Configurations (SBC) 


What needs to be answered:

Do the applications used for remote access employ encryption to protect the remote access sessions? (The encryption must be FIPS 140-validated.)


Checks for AWS

  • Ensure Cryptographic Protection of Remote Access Sessions:
    Description: This check verifies that cryptographic mechanisms are used to maintain the confidentiality of remote access sessions. Cryptographic standards should include FIPS-validated cryptography and NSA-approved cryptography.
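One way to turn the AWS check above into something repeatable is to compare the IKE/IPsec algorithm lists that `aws ec2 describe-vpn-connections` reports for each Site-to-Site VPN tunnel against an approved baseline. The code below is an added example, not code from this page or from AWS: the baseline (AES-CBC/GCM, SHA-2 integrity, DH groups 14 and above, IKEv2 only) and the two sample VPN records are assumed for illustration, and the field names follow the EC2 TunnelOptions response shape. A tunnel whose option lists are empty (no restriction configured) is reported as a finding rather than silently passed.

```python
from typing import Dict, List

# Assumed baseline for illustration (not an AWS or NIST list): AES-CBC/GCM,
# SHA-2 integrity, DH groups of 2048 bits or more (14+), IKEv2 only.
OPTIONS = [(f"Phase{p}{name}", allowed) for p in (1, 2) for name, allowed in (
    ("EncryptionAlgorithms", {"AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"}),
    ("IntegrityAlgorithms", {"SHA2-256", "SHA2-384", "SHA2-512"}),
    ("DHGroupNumbers", set(range(14, 25))),
)] + [("IkeVersions", {"ikev2"})]

def tunnel_findings(tunnel: dict) -> List[str]:
    """One finding per option outside the baseline; [] means the tunnel passes.
    Each option is a list of {"Value": ...}; an empty list means no restriction."""
    findings = []
    for key, allowed in OPTIONS:
        configured = {item["Value"] for item in tunnel.get(key, [])}
        if not configured:
            findings.append(f"{key}: not restricted")
        elif configured - allowed:
            findings.append(f"{key}: non-baseline {sorted(map(str, configured - allowed))}")
    return findings

def evaluate(connections: List[dict]) -> Dict[str, List[str]]:
    """Map each VpnConnectionId to the findings across all of its tunnels."""
    report = {}
    for conn in connections:
        tunnels = conn.get("Options", {}).get("TunnelOptions", [])
        report[conn["VpnConnectionId"]] = [
            f"{t.get('OutsideIpAddress', '?')} {f}"
            for t in tunnels for f in tunnel_findings(t)]
    return report

def _tunnel(ip, enc, integ, dh, ike):
    """Constructed tunnel in the API's shape (same lists for phase 1 and 2)."""
    opts = {"OutsideIpAddress": ip, "IkeVersions": [{"Value": v} for v in ike]}
    for p in (1, 2):
        opts[f"Phase{p}EncryptionAlgorithms"] = [{"Value": v} for v in enc]
        opts[f"Phase{p}IntegrityAlgorithms"] = [{"Value": v} for v in integ]
        opts[f"Phase{p}DHGroupNumbers"] = [{"Value": v} for v in dh]
    return opts

# Constructed sample shaped like `aws ec2 describe-vpn-connections` output.
SAMPLE = [
    {"VpnConnectionId": "vpn-0000000000000000a", "Options": {"TunnelOptions": [
        _tunnel("203.0.113.10", ["AES256-GCM-16"], ["SHA2-256"], [14], ["ikev2"])]}},
    {"VpnConnectionId": "vpn-0000000000000000b", "Options": {"TunnelOptions": [
        _tunnel("203.0.113.11", ["AES128"], ["SHA1"], [2], ["ikev1"]),
        {"OutsideIpAddress": "203.0.113.12"}]}},  # no restrictions configured
]
```

Feed `evaluate()` the `VpnConnections` list from the real API response and attach the resulting report to the objective evidence alongside the VPN settings screenshot.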


Checks for Azure

  • Ensure Cryptographic Protection of Remote Access Sessions in Azure Key Vault:
    Description: This check verifies that cryptographic mechanisms are used to maintain the confidentiality of remote access sessions in Azure Key Vault. Cryptographic standards should include FIPS-validated cryptography and NSA-approved cryptography.
  • Validate Cryptographic Protection for Remote Access Sessions in Azure Virtual Network (VNet):
    Description: This check confirms that cryptographic protection is implemented to maintain the confidentiality of remote access sessions in Azure Virtual Network (VNet). Cryptographic standards should adhere to FIPS-validated cryptography and NSA-approved cryptography.
  • Check Cryptographic Protection for Remote Access Sessions in Azure Disk Encryption:
    Description: This check ensures that cryptographic protection is applied to maintain the confidentiality of remote access sessions in Azure Disk Encryption. Cryptographic standards should meet the requirements of FIPS-validated cryptography and NSA-approved cryptography.
  • Verify Cryptographic Protection for Remote Access Sessions in Azure Storage Service Encryption:
    Description: This check verifies that cryptographic protection is in place to maintain the confidentiality of remote access sessions in Azure Storage Service Encryption. Cryptographic standards should align with FIPS-validated cryptography and NSA-approved cryptography.
  • Ensure Cryptographic Protection of Remote Access Sessions in Azure VPN Gateway:
    Description: This check ensures that cryptographic mechanisms are employed to maintain the confidentiality of remote access sessions in Azure VPN Gateway. Cryptographic standards should include FIPS-validated cryptography and NSA-approved cryptography.
  • Validate Cryptographic Protection for Remote Access Sessions in Azure Information Protection:
    Description: This check confirms that cryptographic protection is implemented to maintain the confidentiality of remote access sessions in Azure Information Protection. Cryptographic standards should adhere to FIPS-validated cryptography and NSA-approved cryptography.


More Details: Remote access sessions use FIPS-validated encryption for connections to systems containing CUI.