
SC-28 (01) Protection of Information at Rest | Cryptographic Protection

Low
Moderate
High

>Control Description

Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of the following information at rest on organization-defined system components or media: organization-defined information.

>FedRAMP Baseline Requirements

Additional Requirements and Guidance

SC-28 (1) Guidance: Organizations should select a mode of protection that is targeted towards the relevant threat scenarios. Examples:

  A. Organizations may apply full disk encryption (FDE) to a mobile device where the primary threat is loss of the device while storage is locked.
  B. For a database application housing data for a single customer, encryption at the file system level would often provide more protection than FDE against the more likely threat of an intruder on the operating system accessing the storage.
  C. For a database application housing data for multiple customers, encryption with unique keys for each customer at the database record level may be more appropriate.
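Scenario C above, worked through as an added example that is not part of the FedRAMP guidance: each customer gets its own key, and each record is sealed with AES-256-GCM with the tenant and row identifiers bound as additional authenticated data, so a ciphertext copied between rows or tenants fails to decrypt rather than disclosing data. The master key value, tenant and row identifiers are constructed for the demo, and HMAC-SHA256 stands in for the per-tenant key derivation a KMS would normally provide.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// masterKey stands in for a key held in a KMS or HSM (constructed sample value).
var masterKey = []byte("0123456789abcdef0123456789abcdef")

// tenantKey derives a distinct 256-bit key per customer from the master key
// (HMAC-SHA256 as a simple KDF; a KMS-wrapped random DEK per tenant also works).
func tenantKey(master []byte, tenantID string) []byte {
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte("tenant-dek:" + tenantID))
	return mac.Sum(nil)
}

// gcmFor returns an AES-256-GCM AEAD keyed for one tenant.
func gcmFor(tenantID string) (cipher.AEAD, error) {
	block, err := aes.NewCipher(tenantKey(masterKey, tenantID))
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// sealRecord encrypts one database field. tenantID and recordID are bound as
// additional authenticated data, so a ciphertext copied into another row or
// another tenant's table fails to decrypt instead of silently disclosing data.
// Output layout is nonce || ciphertext || tag.
func sealRecord(tenantID, recordID string, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(tenantID)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, plaintext, []byte(tenantID+"|"+recordID)), nil
}

// openRecord reverses sealRecord; a wrong tenant, wrong row or tampered byte yields an error.
func openRecord(tenantID, recordID string, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(tenantID)
	if err != nil { return nil, err }
	if len(sealed) < gcm.NonceSize() { return nil, errors.New("sealed record too short") }
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(tenantID+"|"+recordID))
}
```

Because the nonce is random per call, two encryptions of the same field produce different ciphertexts; an assessor can verify isolation by attempting to open one tenant's record under another tenant's key and observing the authentication failure.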

>Discussion

The selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of organizational information. The strength of mechanism is commensurate with the security category or classification of the information. Organizations have the flexibility to encrypt information on system components or media or encrypt data structures, including files, records, or fields.

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What policies govern the implementation of cryptographic protection?
  • How are system and communications protection requirements defined and maintained?
  • Who is responsible for configuring and maintaining the security controls specified in SC-28(1)?
  • What is your cryptographic key management policy?

Technical Implementation:

  • How is cryptographic protection technically implemented in your environment?
  • What systems, tools, or configurations enforce this protection requirement?
  • How do you ensure that cryptographic protection remains effective as the system evolves?
  • What encryption mechanisms and algorithms are used to protect data?

Evidence & Documentation:

  • What documentation demonstrates the implementation of SC-28(1)?
  • Can you provide configuration evidence or system diagrams showing this protection control?
  • What logs or monitoring data verify that this control is functioning correctly?
  • Can you demonstrate that FIPS 140-2 validated cryptography is used?
