SC-13 - Cryptographic Protection
Control requirements
- SC-13 - 0
- The information system implements [IBM Assignment: the requirements in Supplemental Guidance for Cryptography Governance] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
Additional IBM Cloud for Financial Services specifications
The organization must develop an overall cryptographic governance program that meets customer requirements and includes:
- Security requirements for cryptographic hardware and software modules
- Cryptographic key establishment and management requirements
- Cryptographic key management technology and processes used to produce, control, and distribute symmetric and asymmetric cryptographic keys
- Hash algorithms used
- Random, pseudo-random, and prime number generator algorithms used
- Cryptographic key sizes, operational lifecycles, storage, and distribution methods
- Reliance on cryptographic services including certificate authorities (CA)
Implementation guidance
See the resources that follow to learn more about how to implement this control.
IBM Cloud for Financial Services profile
The rules related to this control that follow are part of the IBM Cloud for Financial Services v1.2.0 profile in IBM Cloud® Security and Compliance Center.
- Check whether VPN for VPC has IPsec policy authentication that is set to minimum "sha256"
- Check whether OS disks are encrypted with customer-managed keys
- Check whether VPN for VPC has an IPsec policy that does not have Perfect Forward Secrecy (PFS) disabled
- Check whether App ID email dispatchers are using HTTPS only
- Check whether Cloud Object Storage is accessible only through HTTPS
- Check whether App ID user data is encrypted
- Check whether Hyper Protect DBaaS for MongoDB is enabled with customer-managed encryption and Keep Your Own Key (KYOK)
- Check whether unattached disks are encrypted with customer-managed keys
- Check whether Virtual Servers for VPC boot volumes are enabled with customer-managed encryption and Keep Your Own Key (KYOK)
- Check whether VPN for VPC has a Dead Peer Detection policy that is set to "restart"
- Check whether Application Load Balancer for VPC is configured to convert HTTP client requests to HTTPS
- Check whether Virtual Servers for VPC is provisioned from an encrypted image
- Check whether Event Streams is enabled with customer-managed encryption and Keep Your Own Key (KYOK)
- Check whether App ID is enabled with customer-managed encryption and Keep Your Own Key (KYOK)
- Check that Schematics uses KYOK for Key management
- Check whether App ID webhooks are using HTTPS only
- Check whether Block Storage for VPC is enabled with customer-managed encryption and Keep Your Own Key (KYOK)
- Check whether Hyper Protect DBaaS for PostgreSQL is enabled with customer-managed encryption and Keep Your Own Key (KYOK)
- Check whether VPN for VPC has Internet Key Exchange (IKE) policy encryption that is not set to "triple_des"
- Check whether VPN for VPC has a Diffie-Hellman group set to at least group
- Check whether VPN for VPC has Internet Key Exchange (IKE) policy authentication that is set to minimum 'sha256'
- Check whether App ID redirect URIs are using HTTPS only
- Check whether Cloud Internet Services (CIS) has TLS mode set to End-to-End CA signed
- Check whether Cloud Object Storage is enabled with customer-managed encryption and Keep Your Own Key (KYOK)
- Check whether Application Load Balancer for VPC pool uses the HTTPS protocol for HTTPS listeners
- Check whether Application Load Balancer for VPC uses HTTPS (SSL & TLS) instead of HTTP
- Check whether Virtual Servers for VPC data volumes are enabled with customer-managed encryption and Keep Your Own Key (KYOK)
- Check whether data disks are encrypted with customer-managed keys
- Check whether VPN for VPC has IPsec policy encryption that is not set to "triple_des"
NIST supplemental guidance
Cryptography can be employed to support a variety of security solutions including, for example, the protection of classified and Controlled Unclassified Information, the provision of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances for such information but lack the necessary formal access approvals. Cryptography can also be used to support random number generation and hash generation. Generally applicable cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. This control does not impose any requirements on organizations to use cryptography. However, if cryptography is required based on the selection of other security controls, organizations define each type of cryptographic use and the type of cryptography required (e.g., protection of classified information: NSA-approved cryptography; provision of digital signatures: FIPS-validated cryptography).