>myctrl.tools
Preferences
Under active development Content is continuously updated and improved
Compare

SC-28(1)Protection of Information at Rest | Cryptographic Protection

IL4 Mod
IL4 High
IL5
IL6

>Control Description

Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of the following information at rest on organization-defined system components or media: organization-defined information.

>DoD Impact Level Requirements

FedRAMP Parameter Values

SC-28 (1)-1 [all information system components storing Federal data or system data that must be protected at the High or Moderate impact levels]

Additional Requirements and Guidance

SC-28 (1) Guidance: Organizations should select a mode of protection that is targeted towards the relevant threat scenarios. Examples: A. Organizations may apply full disk encryption (FDE) to a mobile device where the primary threat is loss of the device while storage is locked. B. For a database application housing data for a single customer, encryption at the file system level would often provide more protection than FDE against the more likely threat of an intruder on the operating system accessing the storage. C. For a database application housing data for multiple customers, encryption with unique keys for each customer at the database record level may be more appropriate.

>Discussion

The selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of organizational information. The strength of mechanism is commensurate with the security category or classification of the information. Organizations have the flexibility to encrypt information on system components or media or encrypt data structures, including files, records, or fields.

>Programmatic Queries

Beta

Related Services

KMS
EBS Encryption
RDS Encryption

CLI Commands

Create customer-managed KMS key for at-rest encryption
aws kms create-key --description 'KMS key for protecting data at rest' --key-usage ENCRYPT_DECRYPT
Enable default EBS encryption for all volumes in account
aws ec2 enable-ebs-encryption-by-default --region us-east-1
Create encrypted RDS instance with customer-managed key
aws rds create-db-instance --db-instance-identifier secure-database --db-instance-class db.t3.micro --engine postgres --allocated-storage 100 --storage-encrypted --kms-key-id arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
Enable S3 default encryption for bucket with KMS key
aws s3api put-bucket-encryption --bucket data-bucket --server-side-encryption-configuration '{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"aws:kms","KMSMasterKeyID":"arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"}}]}'
Open AWS ConsoleDocumentation

>Related Controls

AC-19
SC-12
SC-13

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What policies govern the implementation of cryptographic protection?
  • How are system and communications protection requirements defined and maintained?
  • Who is responsible for configuring and maintaining the security controls specified in SC-28(1)?
  • What is your cryptographic key management policy?

Technical Implementation:

  • How is cryptographic protection technically implemented in your environment?
  • What systems, tools, or configurations enforce this protection requirement?
  • How do you ensure that cryptographic protection remains effective as the system evolves?
  • What encryption mechanisms and algorithms are used to protect data?

Evidence & Documentation:

  • What documentation demonstrates the implementation of SC-28(1)?
  • Can you provide configuration evidence or system diagrams showing this protection control?
  • What logs or monitoring data verify that this control is functioning correctly?
  • Can you demonstrate that FIPS 140-2 validated cryptography is used?

Ask AI

Configure your API key to use AI features.