Level 2
Description:
Cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. See [NIST CRYPTO]; [NIST CAVP]; [NIST CMVP]; National Security Agency Cryptographic Standards.
Priority: High
Domain: ACCESS CONTROL (AC)
Services Associated with AWS:
- AWS Key Management Service (KMS)
- AWS Certificate Manager
- AWS VPN
- AWS Direct Connect
Services Associated with Azure:
- Azure Key Vault
- Azure Active Directory (Azure AD) for authentication and access control
- Azure Virtual Network (VNet) for secure network connectivity
- Azure Disk Encryption for encrypting data at rest
- Azure Storage Service Encryption for encrypting data in Azure storage services
- Azure VPN Gateway for secure remote access
- Azure Information Protection for protecting sensitive data
Objective Evidence:
- Administrative: documented policies, standards & procedures
- Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations
- Technical: screenshot of firewall/VPN settings
Possible Technology Considerations:
- VPN Concentrator Secure Baseline Configurations (SBC)
What needs to be answered:
Do applications that are used for remote access use encryption methods to protect the remote access sessions? (Must be FIPS 140 encryption)
Checks for AWS
- Ensure Cryptographic Protection of Remote Access Sessions
Description: This check verifies that cryptographic mechanisms are used to maintain the confidentiality of remote access sessions. Cryptographic standards should include FIPS-validated cryptography and NSA-approved cryptography.
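As an added example (not part of this control text), the AWS check above can be scripted: the Python below audits the tunnel options returned by `aws ec2 describe-vpn-connections` against an approved-algorithm allowlist and flags options left at AWS defaults. The allowlist, the UNSET handling and the sample connection ids are assumptions; FIPS 140 validation is a property of the cryptographic module, so this complements the CMVP certificate check rather than replacing it.

```python
UNSET = "unset (AWS default permits every algorithm, including weak ones)"
# ASSUMPTION: illustrative allowlist; FIPS 140 validates the module (CMVP cert), so align with your ATO's list.
APPROVED = {
    "Phase1EncryptionAlgorithms": {"AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"},
    "Phase2EncryptionAlgorithms": {"AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"},
    "Phase1IntegrityAlgorithms": {"SHA2-256", "SHA2-384", "SHA2-512"},
    "Phase2IntegrityAlgorithms": {"SHA2-256", "SHA2-384", "SHA2-512"},
    "Phase1DHGroupNumbers": {14, 15, 16, 17, 18, 19, 20, 21},
    "Phase2DHGroupNumbers": {14, 15, 16, 17, 18, 19, 20, 21},
    "IkeVersions": {"ikev2"},
}

def tunnel_findings(tunnel):
    """Return (option, offending value) pairs for one tunnel's negotiable-parameter lists."""
    findings = []
    for option, allowed in APPROVED.items():
        entries = tunnel.get(option, [])
        if not entries:  # option not pinned: AWS falls back to its permissive default set
            findings.append((option, UNSET))
        findings.extend((option, e["Value"]) for e in entries if e["Value"] not in allowed)
    return findings

def audit_vpn_connections(describe_output):
    """Map VpnConnectionId -> findings over all tunnels; an empty list means compliant."""
    report = {}
    for conn in describe_output["VpnConnections"]:
        tunnels = conn.get("Options", {}).get("TunnelOptions", [])
        report[conn["VpnConnectionId"]] = [f for t in tunnels for f in tunnel_findings(t)]
    return report

# Constructed sample in the shape of `aws ec2 describe-vpn-connections` JSON; ids are placeholders.
SAMPLE = {"VpnConnections": [
    {"VpnConnectionId": "vpn-0000000000000001", "Options": {"TunnelOptions": [{
        "IkeVersions": [{"Value": "ikev2"}],
        "Phase1EncryptionAlgorithms": [{"Value": "AES256-GCM-16"}],
        "Phase2EncryptionAlgorithms": [{"Value": "AES256-GCM-16"}],
        "Phase1IntegrityAlgorithms": [{"Value": "SHA2-384"}],
        "Phase2IntegrityAlgorithms": [{"Value": "SHA2-384"}],
        "Phase1DHGroupNumbers": [{"Value": 20}],
        "Phase2DHGroupNumbers": [{"Value": 20}]}]}},
    {"VpnConnectionId": "vpn-0000000000000002", "Options": {"TunnelOptions": [{
        "IkeVersions": [{"Value": "ikev1"}, {"Value": "ikev2"}],
        "Phase1EncryptionAlgorithms": [{"Value": "AES128"}],
        "Phase1IntegrityAlgorithms": [{"Value": "SHA1"}, {"Value": "SHA2-256"}],
        "Phase1DHGroupNumbers": [{"Value": 2}, {"Value": 14}]}]}},
]}

if __name__ == "__main__":
    for conn_id, findings in audit_vpn_connections(SAMPLE).items():
        print(conn_id, "COMPLIANT" if not findings else findings)
```

Feed it the real CLI output with `aws ec2 describe-vpn-connections --output json` and keep the resulting report alongside the screenshot evidence listed above.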
Checks for Azure
- Ensure Cryptographic Protection of Remote Access Sessions in Azure Key Vault:
Description: This check verifies that cryptographic mechanisms are used to maintain the confidentiality of remote access sessions in Azure Key Vault. Cryptographic standards should include FIPS-validated cryptography and NSA-approved cryptography.
- Validate Cryptographic Protection for Remote Access Sessions in Azure Virtual Network (VNet):
Description: This check confirms that cryptographic protection is implemented to maintain the confidentiality of remote access sessions in Azure Virtual Network (VNet). Cryptographic standards should adhere to FIPS-validated cryptography and NSA-approved cryptography.
- Check Cryptographic Protection for Remote Access Sessions in Azure Disk Encryption:
Description: This check ensures that cryptographic protection is applied to maintain the confidentiality of remote access sessions in Azure Disk Encryption. Cryptographic standards should meet the requirements of FIPS-validated cryptography and NSA-approved cryptography.
- Verify Cryptographic Protection for Remote Access Sessions in Azure Storage Service Encryption:
Description: This check verifies that cryptographic protection is in place to maintain the confidentiality of remote access sessions in Azure Storage Service Encryption. Cryptographic standards should align with FIPS-validated cryptography and NSA-approved cryptography.
- Ensure Cryptographic Protection of Remote Access Sessions in Azure VPN Gateway:
Description: This check ensures that cryptographic mechanisms are employed to maintain the confidentiality of remote access sessions in Azure VPN Gateway. Cryptographic standards should include FIPS-validated cryptography and NSA-approved cryptography.
- Validate Cryptographic Protection for Remote Access Sessions in Azure Information Protection:
Description: This check confirms that cryptographic protection is implemented to maintain the confidentiality of remote access sessions in Azure Information Protection. Cryptographic standards should adhere to FIPS-validated cryptography and NSA-approved cryptography.
More Details: Remote access sessions use FIPS-validated encryption for connections to CUI-containing systems.