Level 2

Description:

Cryptography can be employed to support many security solutions including the protection of controlled unclassified information, the provision of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances for such information but lack the necessary formal access approvals. Cryptography can also be used to support random number generation and hash generation. Cryptographic standards include FIPS-validated cryptography and/or NSA-approved cryptography. See [NIST CRYPTO]; [NIST CAVP]; and [NIST CMVP].


Priority: Medium


Domain: SYSTEM AND COMMUNICATIONS PROTECTION (SC)


Category: Network Security


Services Associated with AWS:

  • AWS Key Management Service (KMS)
  • AWS CloudHSM
  • Amazon S3

Services Associated with Azure:

  • Azure Key Vault
  • Azure Key Vault for HSMs
  • Azure Disk Encryption
  • Azure Storage Service Encryption


Objective Evidence:

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations
  • Technical: screen shot of configuration settings
  • Technical: screen shot of cryptography in use


Possible Technology Considerations:

  • Secure Baseline Configurations (SBC)
  • Cryptographic Solution (data in transit)


What needs to be answered?

Is FIPS-validated cryptography used to protect CUI? Do communication cryptographic mechanisms comply with applicable policies, standards, and guidance?

Checks for AWS

  • FIPS-Validated Cryptography Check
    Description: This check ensures that Federal Information Processing Standards (FIPS)-validated cryptography is employed wherever cryptography is used to protect the confidentiality of Controlled Unclassified Information (CUI). The check verifies that the cryptographic solutions employed meet FIPS standards and are used appropriately for data encryption, digital signatures, information separation enforcement, random number generation, and hash generation.
  • NSA-Approved Cryptography Check
    Description: This check ensures that National Security Agency (NSA)-approved cryptography is used where organizational requirements call for it. The check verifies that the cryptographic methods in use are NSA-approved and are properly implemented for the relevant security solutions, including data encryption, digital signatures, and information separation enforcement.

Checks for Azure

  • FIPS-Validated Cryptography Compliance
    Description: This policy ensures that all cryptographic solutions used for systems containing Controlled Unclassified Information (CUI) comply with Federal Information Processing Standards (FIPS) requirements. It verifies that FIPS-validated cryptographic algorithms and modules are appropriately employed for data encryption, digital signatures, information separation enforcement, random number generation, and hash generation.
  • NSA-Approved Cryptography Implementation
    Description: This policy verifies that cryptographic methods employed within the organization are approved by the National Security Agency (NSA) as per organizational requirements. It ensures that the NSA-approved cryptographic algorithms are correctly implemented for relevant security solutions, including data encryption, digital signatures, and information separation enforcement.
  • Network Traffic Encryption using FIPS-Validated Cryptography
    Description: This policy mandates the use of FIPS-validated cryptographic algorithms for encrypting network traffic. It ensures that data in transit is adequately protected with approved cryptographic mechanisms to prevent unauthorized access or disclosure.
  • Azure Key Vault Configuration Compliance
    Description: This policy checks the configuration settings of Azure Key Vault to ensure that it complies with security best practices and FIPS requirements. It verifies that cryptographic keys and secrets stored in Azure Key Vault are adequately protected using FIPS-validated algorithms.
  • Azure Disk Encryption Compliance
    Description: This policy ensures that Azure Disk Encryption is configured with FIPS-validated cryptographic algorithms for encrypting virtual machine disks. It helps protect data at rest within the virtual machines running in the Azure environment.


More Details:

FIPS-validated cryptography is used for all systems containing CUI.