This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.
NIST 800-53 (r4) Supplemental Guidance:
The encryption strength of mechanism is selected based on the security categorization of the information. Related controls: SC-8, SC-12, SC-13.
NIST 800-53 (r5) Discussion:
Virtual private networks can be used to protect the confidentiality and integrity of remote access sessions. Transport Layer Security (TLS) is an example of a cryptographic protocol that provides end-to-end communications security over networks and is used for Internet communications and online transactions.
38North Guidance:
Meets Minimum Requirement:
All remote access to the information system in scope must utilize encryption that meets FIPS 140-2 validation. This is to include VPN, SSH, RDP, and operating systems used to support the information system.
Best Practice:
Organizations must ensure that remote access sessions are protected using encryption. For customer access, organizations should implement at least PKI Class 3 certificates, and the session should be configured to use at the very least TLS 1.2. For personnel access using a VPN, the VPN should support FIPS 140-2 validated encryption. For personnel access using SSH, the organization should ensure that keys are generated using strong encryption and are stored in a key vault within the information system in scope. For personnel access using RDP, the organization must verify that all system components are utilizing FIPS 140-2 validated cryptographic modules, so that the most restrictive encryption settings are configured on each of the information system components.
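The following is an added example, not part of the 38North guidance or of any CSP's tooling, showing two checks an engineer can run to produce evidence for the points above: a TLS client context that refuses anything below TLS 1.2, and an audit of an sshd_config excerpt against an allow-list of algorithms. The allow-list is an assumption (the algorithm names an OpenSSH build in FIPS mode typically offers) and should be aligned with the security policy of the validated module actually in use; the sample configuration is constructed for the demonstration.

```python
"""Added example (not from the 38North page): evidence-style checks for the
"at least TLS 1.2" and "FIPS 140-2 validated algorithms" requirements."""
import ssl

# ASSUMPTION: typical algorithm names offered by OpenSSH in FIPS mode.
# Align this with the security policy of your validated module.
APPROVED_SSH = {
    "ciphers": {"aes128-ctr", "aes192-ctr", "aes256-ctr",
                "aes128-gcm@openssh.com", "aes256-gcm@openssh.com"},
    "macs": {"hmac-sha2-256", "hmac-sha2-512",
             "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com"},
    "kexalgorithms": {"ecdh-sha2-nistp256", "ecdh-sha2-nistp384",
                      "ecdh-sha2-nistp521", "diffie-hellman-group14-sha256",
                      "diffie-hellman-group16-sha512",
                      "diffie-hellman-group18-sha512"},
}


def make_tls_client_context():
    """Client context for customer-facing sessions: certificate verification
    and hostname checking on (defaults), floor pinned to TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def tls_context_meets_minimum(ctx):
    """True if the context enforces TLS >= 1.2 with full certificate checks."""
    return (ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
            and ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.check_hostname)


def audit_sshd_config(text):
    """Return {keyword: [findings]} for Ciphers, MACs and KexAlgorithms.

    An empty dict means every algorithm listed is on the allow-list and all
    three keywords are explicitly set. Relative lists ("+", "-", "^") are not
    expanded here; the effective set must be read from 'sshd -T' instead.
    """
    findings = {}
    seen = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key not in APPROVED_SSH:
            continue
        seen.add(key)
        if value[0] in "+-^":
            findings[key] = [
                f"relative list {value!r}: verify effective set with 'sshd -T'"]
            continue
        bad = [a for a in value.split(",") if a.strip() not in APPROVED_SSH[key]]
        if bad:
            findings[key] = bad
    for key in APPROVED_SSH:
        if key not in seen:
            findings[key] = ["not set: OpenSSH defaults apply, verify with 'sshd -T'"]
    return findings


# Constructed sample sshd_config excerpt (not from any real system).
SAMPLE_SSHD_CONFIG = """\
# constructed sample
Ciphers aes256-gcm@openssh.com,aes128-ctr,chacha20-poly1305@openssh.com
MACs hmac-sha2-256-etm@openssh.com,hmac-sha1
"""

if __name__ == "__main__":
    print("TLS context OK:", tls_context_meets_minimum(make_tls_client_context()))
    for key, items in audit_sshd_config(SAMPLE_SSHD_CONFIG).items():
        print(f"{key}: {items}")
```

Run on a real host, the SSH audit should be fed the output of `sshd -T` rather than the file, since that is the effective configuration after includes and defaults; the TLS check is the client side of the picture, and the corresponding server evidence is the listener's configured protocol floor and the validation certificate of the module backing it.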
Unofficial FedRAMP Guidance: None.
Assessment Evidence:
Organization documentation addressing remote access protection mechanisms, plus screenshots and certificates showing that the encryption modules in place for the VPN, SSH, RDP, and operating system components are indeed FIPS 140-2 validated modules/libraries.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD