03.13.11: Cryptographic Protection
Control Family: System and Communications Protection
SPRS: N/A
Top Ten Failed Requirement: N/A
Supporting Publications:
FIPS 140-3 [38]
Referenced in: N/A
Control Type: N/A
CPCSC Level 2: 03.13.11
CMMC Level(s): N/A
Derived From: NIST SP 800-53r5
SC-13
Implement the following types of cryptography to protect the confidentiality of CUI: [Assignment: organization-defined types of cryptography].
Discussion:
Cryptography is implemented in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines. FIPS-validated cryptography is recommended for the protection of CUI.
Assessment Methods and Objectives
Examine [SELECT FROM: system and communications protection policy and procedures; procedures for cryptographic protection; system design documentation; system configuration settings; cryptographic module validation certificates; list of FIPS-validated cryptographic modules; system audit records; system security plan; other relevant documents or records]
Interview [SELECT FROM: personnel with responsibilities for cryptographic protection; personnel with information security responsibilities; system developers; system administrators]
Test [SELECT FROM: mechanisms for supporting or implementing cryptographic protection]
NIST SP 800-171A r3 Determining Statements
Determine if:
A.03.13.11.ODP[01]: the types of cryptography for protecting the confidentiality of CUI are defined.
A.03.13.11: the following types of cryptography are implemented to protect the confidentiality of CUI: <A.03.13.11.ODP[01]: types of cryptography>.