This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The information system implements cryptographic mechanisms to prevent unauthorized disclosure and modification of [Assignment: organization-defined information] on [FedRAMP Assignment: (M) organization-defined information system components; (H) all information system components storing customer data deemed sensitive].
NIST 800-53 (r4) Supplemental Guidance:
Selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of organizational information. The strength of mechanism is commensurate with the security category and/or classification of the information. This control enhancement applies to significant concentrations of digital media in organizational areas designated for media storage and also to limited quantities of media generally associated with information system components in operational environments (e.g., portable storage devices, mobile devices). Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). Organizations employing cryptographic mechanisms to protect information at rest also consider cryptographic key management solutions. Related controls: AC-19, SC-12.
NIST 800-53 (r5) Discussion:
The selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of organizational information. The strength of mechanism is commensurate with the security category or classification of the information. Organizations have the flexibility to encrypt information on system components or media or encrypt data structures, including files, records, or fields.
38North Guidance:
Meets Minimum Requirement:
Ensure FIPS 140-2 validated cryptographic algorithms and modules are used for all cryptographic use cases involving federal data/metadata at rest. FIPS 140-2 Compliant is not sufficient. FIPS Validation means a product has undergone and passed detailed conformance testing at an accredited national laboratory. FIPS Compliance means that different components of a product have received FIPS validation, but the product in its entirety has not passed testing or has not been tested at all.
Identify all non-validated cryptographic modules in use.
Full Disk Encryption (FDE) should suffice for FedRAMP. However, customers may have organizationally-defined requirements for application-level encryption.
Best Practice:
Whenever technically and financially feasible, CSPs should encrypt all data in their system using FIPS 140-2 validated cryptographic modules. In addition to FDE, CSPs should utilize encryption at each layer in the technology stack (e.g., File/Volume/Object, Database, Application).
Utilize Transparent Data Encryption (TDE) for databases.
Encrypt Amazon EC2 Instance Stores (Amazon EC2 Instance Store). By default, an instance type that includes an NVMe instance store encrypts data at rest using an XTS-AES-256 block cipher.
Utilize cloud-native solutions for encryption and key management.
Unofficial FedRAMP Guidance:
Cryptographic mechanisms may also include data integrity checks (e.g., MAC/HMAC, Digital Signatures, Authenticated Encryption).
Use of non-FIPS 140-2 validated cryptographic modules is a SHOWSTOPPER.
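The integrity mechanisms listed above (MAC/HMAC) are easy to get subtly wrong when rolled by hand, so here is a worked example of protecting a stored record with HMAC-SHA-256. It is an added illustration, not code from 38North or NIST: the envelope layout, the key-id field and the constructed key are all assumptions of this example. The key id lets a verifier find the right key after rotation (the key management consideration SC-12 points at), and the constant-time compare avoids leaking the tag byte by byte.

```python
"""Integrity protection for records at rest using HMAC-SHA-256 (constructed example)."""
import hashlib
import hmac


class IntegrityError(Exception):
    """Raised when a stored record fails its MAC check (modified, truncated, or wrong key)."""


# Envelope layout (an assumption of this example):
#   b"v1" | key_id (16 bytes) | tag (32 bytes) | payload
VERSION = b"v1"
KEY_ID_LEN = 16
TAG_LEN = hashlib.sha256().digest_size  # 32


def protect(payload: bytes, key_id: bytes, keys: dict) -> bytes:
    """Wrap payload in an envelope whose MAC covers the version, key id and payload."""
    if len(key_id) != KEY_ID_LEN:
        raise ValueError("key_id must be %d bytes" % KEY_ID_LEN)
    header = VERSION + key_id
    tag = hmac.new(keys[key_id], header + payload, hashlib.sha256).digest()
    return header + tag + payload


def verify(envelope: bytes, keys: dict) -> bytes:
    """Return the payload if the MAC checks out under the key named in the envelope; else raise."""
    header_len = len(VERSION) + KEY_ID_LEN
    if len(envelope) < header_len + TAG_LEN or not envelope.startswith(VERSION):
        raise IntegrityError("malformed envelope")
    header = envelope[:header_len]
    key_id = header[len(VERSION):]
    tag = envelope[header_len:header_len + TAG_LEN]
    payload = envelope[header_len + TAG_LEN:]
    key = keys.get(key_id)
    if key is None:
        raise IntegrityError("unknown key id")  # rotated-out or never-issued key
    expected = hmac.new(key, header + payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise IntegrityError("MAC mismatch: record modified or wrong key")
    return payload


def tamper_is_detected(payload: bytes, key_id: bytes, keys: dict, flip_index: int) -> bool:
    """Flip one bit of the stored envelope and report whether verify() rejects it."""
    env = bytearray(protect(payload, key_id, keys))
    env[flip_index] ^= 0x01
    try:
        verify(bytes(env), keys)
        return False
    except IntegrityError:
        return True


# Constructed key material for the demo only; in a real system the key comes from
# a KMS/HSM and is never derived from a fixed string like this.
KEY_ID = b"k-2024-01-000001"  # exactly 16 bytes
KEYS = {KEY_ID: hashlib.sha256(b"constructed demo key material").digest()}

if __name__ == "__main__":
    record = b"account=1234;balance=100"
    stored = protect(record, KEY_ID, KEYS)
    print("round trip ok:", verify(stored, KEYS) == record)
    print("payload tamper detected:", tamper_is_detected(record, KEY_ID, KEYS, 2 + 16 + 32))
```

An HMAC gives integrity only; confidentiality still comes from FDE, TDE or an authenticated-encryption mode such as AES-GCM that does both in one step. In a FedRAMP deployment the HMAC itself must be produced by a FIPS 140-2 validated module, so this pattern only counts if the interpreter's hashlib is backed by a validated OpenSSL build running in FIPS mode.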
Assessment Evidence:
Screenshots of configuration settings for storage devices (e.g., file, block volume, object, database, cache, container, etc.) showing that encryption is enabled.
List of Cryptographic Module Validation Program (CMVP) Certificate Numbers for all employed FIPS 140-2 validated modules. (Cryptographic Module Validation Program | CSRC).
Screenshots of Operating System and application configuration settings showing that FIPS mode is enabled.
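The two evidence items an assessor most often asks for on a Linux host are the kernel FIPS flag and proof that the OpenSSL FIPS provider is the one actually loaded (the page's "identify all non-validated cryptographic modules in use" and "FIPS mode is enabled" items). The helper below gathers both. It is an added example, not 38North or NIST tooling; it assumes Linux (`/proc/sys/crypto/fips_enabled`) and OpenSSL 3.x (`openssl list -providers`), and the two provider listings are constructed samples of that command's output.

```python
"""Collect FIPS-mode evidence from a Linux host (constructed example, assumes OpenSSL 3.x)."""
import shutil
import subprocess
from pathlib import Path

# Kernel-side flag exposed by Linux; "1" means the kernel crypto API runs in FIPS mode.
FIPS_SYSCTL = Path("/proc/sys/crypto/fips_enabled")


def fips_flag_from_text(text: str) -> bool:
    """Interpret the contents of fips_enabled: "1" means enabled, anything else disabled."""
    return text.strip() == "1"


def kernel_fips_enabled(sysctl_path: Path = FIPS_SYSCTL):
    """True/False from the kernel flag, or None when it is not exposed (non-Linux, no permission)."""
    try:
        return fips_flag_from_text(sysctl_path.read_text())
    except OSError:
        return None


def parse_openssl_providers(listing: str) -> dict:
    """Parse `openssl list -providers` output into {provider_id: {field: value}}."""
    providers = {}
    current = None
    for line in listing.splitlines():
        stripped = line.strip()
        if not stripped or stripped == "Providers:":
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 2:                      # provider identifier line, e.g. "  fips"
            current = stripped
            providers[current] = {}
        elif current is not None and ":" in stripped:   # "    status: active"
            key, _, value = stripped.partition(":")
            providers[current][key.strip()] = value.strip()
    return providers


def openssl_fips_provider_active(listing: str) -> bool:
    """True only when a provider with id 'fips' is loaded and reports status 'active'."""
    return parse_openssl_providers(listing).get("fips", {}).get("status") == "active"


def live_openssl_listing():
    """Run `openssl list -providers` if an openssl binary exists; None if absent or unsupported."""
    if shutil.which("openssl") is None:
        return None
    result = subprocess.run(["openssl", "list", "-providers"], capture_output=True, text=True)
    return result.stdout if result.returncode == 0 else None


def fips_evidence(listing=None, sysctl_path: Path = FIPS_SYSCTL) -> dict:
    """Assemble the findings an assessor would otherwise screenshot."""
    if listing is None:
        listing = live_openssl_listing()
    return {
        "kernel_fips_enabled": kernel_fips_enabled(sysctl_path),
        "openssl_fips_provider_active": openssl_fips_provider_active(listing) if listing else None,
        "openssl_providers": sorted(parse_openssl_providers(listing)) if listing else [],
    }


# Constructed sample: a host with the FIPS provider loaded alongside the default provider.
SAMPLE_FIPS_LISTING = """Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.2
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.0.2
    status: active
"""

# Constructed sample: a host running only the default (non-validated) provider.
SAMPLE_DEFAULT_ONLY = """Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.2
    status: active
"""

if __name__ == "__main__":
    print(fips_evidence())
```

A loaded FIPS provider is necessary but not sufficient: applications that link their own crypto (bundled OpenSSL, Go's standard library, BoringSSL in a vendored build) bypass the system provider entirely, so each such application needs its own CMVP certificate number in the evidence list.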
CSP Implementation Tips - Data at Rest Encryption:
Amazon Web Services (AWS):
Useful Links:
EKS customers who use EC2 can configure encryption for the EBS volumes used by their EC2 instances. Customers choosing to mount storage services to their container or EC2 instance are responsible for ensuring the storage is configured for encryption of data at rest.
Customers who use EKS/Fargate platform version 1.4 or later get encryption at rest for the ephemeral task storage by default; no configuration is required.
The control plane data in the EKS service account is stored in an encrypted AWS-managed database. Customers cannot configure this database, which serves the backend of the Kubernetes cluster.
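Because the customer owns encryption of the EBS volumes behind EC2-backed EKS nodes, the practical check is to walk `aws ec2 describe-volumes` output and flag anything with `Encrypted: false`. The script below does that over a constructed sample in the shape of that command's JSON output; it is an added example, not AWS or 38North code, and the volume IDs, instance IDs, account number and key ARN are made up.

```python
"""Audit EBS volumes for encryption at rest from `aws ec2 describe-volumes` JSON (constructed example)."""
import json

# Constructed sample in the shape of `aws ec2 describe-volumes --output json`.
# Only the fields used below are included; real output carries more.
SAMPLE_DESCRIBE_VOLUMES = json.dumps({
    "Volumes": [
        {
            "VolumeId": "vol-0a1b2c3d4e5f60001",
            "Encrypted": True,
            "KmsKeyId": "arn:aws:kms:us-gov-west-1:111111111111:key/00000000-0000-0000-0000-000000000001",
            "State": "in-use",
            "Attachments": [{"InstanceId": "i-0eks0node0000001", "Device": "/dev/xvda"}],
        },
        {
            "VolumeId": "vol-0a1b2c3d4e5f60002",
            "Encrypted": False,
            "State": "in-use",
            "Attachments": [{"InstanceId": "i-0eks0node0000002", "Device": "/dev/xvdf"}],
        },
        {
            "VolumeId": "vol-0a1b2c3d4e5f60003",
            "Encrypted": False,
            "State": "available",
            "Attachments": [],
        },
    ]
})


def find_unencrypted_volumes(describe_volumes_json: str) -> list:
    """Return one finding per volume whose Encrypted flag is false or missing."""
    data = json.loads(describe_volumes_json)
    findings = []
    for vol in data.get("Volumes", []):
        if vol.get("Encrypted", False):
            continue
        instances = [a.get("InstanceId") for a in vol.get("Attachments", [])]
        findings.append({
            "VolumeId": vol["VolumeId"],
            "State": vol.get("State"),
            "Instances": instances,   # empty list for detached volumes
        })
    return findings


def encryption_summary(describe_volumes_json: str) -> dict:
    """Counts an assessor can drop straight into an evidence table."""
    data = json.loads(describe_volumes_json)
    volumes = data.get("Volumes", [])
    unencrypted = find_unencrypted_volumes(describe_volumes_json)
    return {
        "total": len(volumes),
        "encrypted": len(volumes) - len(unencrypted),
        "unencrypted": len(unencrypted),
        # attached unencrypted volumes hold live data and are the priority fix
        "unencrypted_in_use": sum(1 for f in unencrypted if f["Instances"]),
    }


if __name__ == "__main__":
    for finding in find_unencrypted_volumes(SAMPLE_DESCRIBE_VOLUMES):
        print("UNENCRYPTED", finding["VolumeId"], finding["State"], finding["Instances"])
    print(encryption_summary(SAMPLE_DESCRIBE_VOLUMES))
```

Feed it real data with `aws ec2 describe-volumes --output json > volumes.json` per region and account. A detached unencrypted volume cannot be encrypted in place; the usual remediation is a snapshot, an encrypted copy of the snapshot, and a new volume from that copy. Turning on account-level EBS encryption by default (`aws ec2 enable-ebs-encryption-by-default`) prevents new unencrypted volumes but does not touch existing ones, which is why the audit still matters.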
Microsoft Azure:
Google Cloud Platform: