This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization ensures that cryptographic mechanisms used to provide [FedRAMP Assignment: (H) All security safeguards that rely on cryptography] are under configuration management.
NIST 800-53 (r4) Supplemental Guidance:
Regardless of the cryptographic means employed (e.g., public key, private key, shared secrets), organizations ensure that there are processes and procedures in place to effectively manage those means. For example, if devices use certificates as a basis for identification and authentication, there needs to be a process in place to address the expiration of those certificates. Related control: SC-13.
NIST 800-53 (r5) Discussion:
The controls referenced in the control enhancement refer to security and privacy controls from the control catalog. Regardless of the cryptographic mechanisms employed, processes and procedures are in place to manage those mechanisms. For example, if system components use certificates for identification and authentication, a process is implemented to address the expiration of those certificates.
38North Guidance:
Meets Minimum Requirement:
Cryptographic mechanisms (as listed in SC-13) must be under configuration control (e.g., FIPS-validated modules embedded in the OS, and the expiration of certificates used for identification and authentication).
Best Practice:
TBD
Unofficial FedRAMP Guidance:
TBD
Assessment Evidence:
Change tickets for changes to cryptographic mechanisms showing that the CM process was followed (e.g., hardening of FIPS encryption modules for system components).
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD