This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The information system implements [FedRAMP Assignment: (L)(M)(H) FIPS-validated or NSA-approved cryptography] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
NIST 800-53 (r4) Supplemental Guidance:
Cryptography can be employed to support a variety of security solutions including, for example, the protection of classified and Controlled Unclassified Information, the provision of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances for such information but lack the necessary formal access approvals. Cryptography can also be used to support random number generation and hash generation. Generally applicable cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. This control does not impose any requirements on organizations to use cryptography. However, if cryptography is required based on the selection of other security controls, organizations define each type of cryptographic use and the type of cryptography required (e.g., protection of classified information: NSA-approved cryptography; provision of digital signatures: FIPS-validated cryptography). Related controls: AC-2, AC-3, AC-7, AC-17, AC-18, AU-9, AU-10, CM-11, CP-9, IA-3, IA-7, MA-4, MP-2, MP-4, MP-5, SA-4, SC-8, SC-12, SC-28, SI-7.
NIST 800-53 (r5) Discussion:
Cryptography can be employed to support a variety of security solutions, including the protection of classified information and controlled unclassified information, the provision and implementation of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances but lack the necessary formal access approvals. Cryptography can also be used to support random number and hash generation. Generally applicable cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. For example, organizations that need to protect classified information may specify the use of NSA-approved cryptography. Organizations that need to provision and implement digital signatures may specify the use of FIPS-validated cryptography. Cryptography is implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.
38North Guidance:
Meets Minimum Requirement:
All cryptographic use cases employed by system components (e.g., data at rest, data in transit, remote access/authentication, digital signatures, hashes, random number generation, etc.) must leverage encryption modules, libraries, or packages that have been assessed and certified by the Federal Government via FIPS 140-2 Cryptographic Module Validation Program (CMVP).
If any service components rely on cryptographic libraries or COTS/OSS not found in the CMVP database (please see the link above), FIPS 140-2 certification will be required for the module, or it will need to be replaced with a certified version.
All cryptography must be implemented using FIPS-validated cryptographic modules.
Validation must be completed and an active certificate issued by NIST's Cryptographic Module Validation Program (CMVP) prior to module deployment in the FedRAMP boundary.
CMVP certificates may be issued under the FIPS 140-2 or FIPS 140-3 standard.
Active CMVP certificate numbers must be documented in https://github.ibm.com/ibmcloud/governed-content/tree/main/baselines/fips140
All implementations must be validated, including hardware, software, and hybrid implementations.
Only the module implementing the algorithms is validated, NOT the application calling the module.
Cryptography is normally used for protection of data at rest, protection of data in transit, authentication, and secure hashing.
The supplier of the implementation is responsible for validation. The CSP is responsible for all internal code and for OSS sourced from the community.
Best Practice:
None
Unofficial FedRAMP Guidance:
Use of non-FIPS 140-2 validated cryptographic modules is a SHOWSTOPPER.
Assessment Evidence:
System component configurations showing FIPS mode enablement (e.g., operating systems, applications, VPNs).
List of FIPS 140-2 validated cryptographic modules used for cryptography within the authorization boundary, including the Cryptographic Module Validation Program (CMVP) certificate number for each module.
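The following script is an added example, not part of the 38North guidance, of how the FIPS-mode evidence item above can be collected from a Linux host: it records the kernel FIPS flag and whether OpenSSL 3.x reports a loaded fips provider. It assumes the flag lives at /proc/sys/crypto/fips_enabled and that openssl is on PATH; the CMVP certificate number is a placeholder that must be filled in from the module's CMVP entry.

```shell
#!/bin/sh
# Added example: collect host-level FIPS-mode evidence for the SC-13 artifact.
# Assumptions: kernel flag at /proc/sys/crypto/fips_enabled, OpenSSL 3.x on PATH.
# The certificate number below is a placeholder, not a real CMVP certificate.

# Interpret a kernel FIPS flag file ("1" = FIPS mode on, "0" = off).
# Prints enabled / disabled / unknown so the caller can record a clear state.
fips_flag_state() {
  flag_file="$1"
  if [ ! -r "$flag_file" ]; then
    echo unknown
    return 0
  fi
  value=$(tr -d '[:space:]' < "$flag_file")
  case "$value" in
    1) echo enabled ;;
    0) echo disabled ;;
    *) echo unknown ;;
  esac
}

# Does OpenSSL 3.x list a "fips" provider as loaded? Older OpenSSL has no
# providers, so the check reports unknown rather than guessing.
openssl_fips_provider() {
  if ! command -v openssl >/dev/null 2>&1; then
    echo unknown
    return 0
  fi
  if openssl list -providers 2>/dev/null | grep -qi '^ *fips$'; then
    echo loaded
  else
    echo not-loaded
  fi
}

# Emit one evidence record for this host. The CMVP certificate number comes
# from the validated module's CMVP entry; the default is an obvious placeholder.
collect_fips_evidence() {
  cert="${1:-CMVP-CERT-NUMBER-TBD}"
  printf 'host=%s kernel_fips=%s openssl_fips_provider=%s cmvp_cert=%s\n' \
    "$(hostname 2>/dev/null || echo unknown-host)" \
    "$(fips_flag_state /proc/sys/crypto/fips_enabled)" \
    "$(openssl_fips_provider)" \
    "$cert"
}

collect_fips_evidence "$@"
```

A record like this shows only that FIPS mode is enabled on the host; it does not show that a given application actually calls the validated module, which the guidance above treats as a separate question.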
CSP Implementation Tips:
Amazon Web Services (AWS):
Ensure encryption is enabled for Elastic Load Balancing (ELB). Use AWS Certificate Manager to manage, provision, and deploy public and private SSL/TLS certificates with AWS services and internal resources (data in transit).
Ensure the Application Load Balancer automatically redirects unencrypted HTTP requests to HTTPS.
Enable encryption for AWS CloudTrail trails.
Ensure encryption is enabled for Amazon CloudWatch Log Groups.
Microsoft Azure:
Google Cloud Platform: TBD