SC-13 Use Of Cryptography

System and Communications Protection

Low, Moderate, High

Description

For information requiring cryptographic protection, the information system implements cryptographic mechanisms that comply with applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance.

Supplemental Guidance

The applicable federal standard for employing cryptography in non-national security information systems is FIPS 140-2 (as amended). Validation certificates issued by the NIST Cryptographic Module Validation Program (including FIPS 140-1, FIPS 140-2, and future amendments) remain in effect, and the modules remain available for continued use and purchase, until a validation certificate is specifically revoked. NIST Special Publications 800-56 and 800-57 provide guidance on cryptographic key establishment and cryptographic key management. Additional information on the use of validated cryptography is available at http://csrc.nist.gov/cryptval.

Changes from Rev 4

Control text adds 'need to determine cryptographic protection in addition to implementing'. The single previous parameter is split into two separate parameters: determine the specific cryptographic uses, and the types of cryptography for each specified cryptographic use.

Enhancements

(0) None.

MITRE ATT&CK Techniques (5)

ATT&CK v16.1

Techniques mitigated by this control, mapped via CTID.

Credential Access (1), Collection (3), Exfiltration (2)

Compliance Mappings

ISO 27001:2022

A.8.24

ISO 27002:2022

8.24

CIS Controls v8

CIS 16.11

NIST CSF 2.0

PR.DS-02

SOC 2 TSC

CC6.1, CC6.6-POF2, CC6.7

PCI DSS v4.0.1

2.2.73.54.14.2

CSA CCM v4

CEK-01, CEK-03, CEK-04, CEK-05, CEK-06, CEK-07, CEK-10, DSP-10, LOG-10, UEM-08

CSA AICM v1

AIS-14, CEK-01, CEK-03, CEK-04, CEK-05, CEK-06, CEK-07, CEK-10, DSP-10, DSP-22, LOG-10, MDS-06, UEM-08

FINOS CCC

CCC-C01

NIS2 Directive

Art. 21(2)(h), Art. 21(2)(j)

PRA Operational Resilience

SS2/21-11.1

MAS TRM

1014

APRA CPS 234

Para 22-23

BSI IT-Grundschutz

CON.1

ANSSI

Hygiene.12, Hygiene.19, RGS.2.3, SecNumCloud.11.1

FINMA Circular 2023/1

IV.C(63), IV.C(64)

OSFI B-13

B-13.3.2

EU GDPR

Art.32(1)(a), Art.5(1)(f), Rec.83

EU DORA

Art.9(3)

BIO2

8.24

RBI CSF

ITGRCA.16

FISC Security Guidelines

FISC.T11, FISC.T12, FISC.T4, FISC.T8

LGPD + BCB 4893

BCB.Art.3, BCB.OpenFinance, BCB.PIX, LGPD.Art.46

HKMA TM-E-1

TME1.10.1, TME1.10.2, TME1.10.3, TME1.11.2, TME1.8.5, TME1.9.1, TME1.9.3

MLPS 2.0

8.1.10.7, 8.1.2.2, 8.1.4.8

DNB Good Practice

DNB.18.3, DNB.18.5

EU CRA

CRA.I.2e

SWIFT CSCF

SWIFT.2.1, SWIFT.2.4A

SAMA CSF

3.44.3

NCA ECC

2-4, 2-8

UAE IA

T8

CBB TM

TM-9

Qatar NIA

CS

CBUAE

CR-5, CR-8

CBE CSF

CTO-2, CTO-3, CTO-5

SA JS2

JS2-8.3

CBN CSF

Part3.3, Part3.4, Part5.2

BoG CISD

CISD-IX, CISD-VI, CISD-XI

POPIA

s19

BoM CTRM

3.133.4

IOSCO Cyber Resilience

PROT-3

BCBS 239

Principle 11, Principle 3

CPMI-IOSCO PFMI

CG.PR, PFMI.P22

FFIEC IS

II.C.13(b), II.C.15(c), II.C.16, II.C.19

NYDFS 500

500.15

HIPAA Security Rule

§164.312(a)(1), §164.312(a)(2)(iv), §164.312(e)(1), §164.312(e)(2)(ii)

ECB CROE

CROE.2.3.3

EBA ICT Guidelines

3.8(b)

SEBI CSCRF

DATALOC, EMAIL-SEC, PR.DS

BOT Cyber Resilience

Ch2.3, Ch2.7, Ch9.1

CMMC 2.0

SC

NERC CIP

CIP-012-1

10 CFR 73.54

RG5.71-A-SC

IEEE 1686-2022

5.5

API 1164

Sec 8

IAEA NSS 17-T

Sec 5.6

PCI PTS v6

CDEJ

FIPS 140-3

FIPS 140-3 §7.2, FIPS 140-3 §7.3, FIPS 140-3 §7.9

CBEST

CBEST.9

PCI HSM

3459

Common Criteria

CC Part 2 — FCS

ISAE 3402

Clause 4

Solvency II

DR.266-DataSec, EIOPA-ICT-4.7

Lloyd's Minimum Standards

BP2.1

NAIC Insurance Data Security

4-encryption, 4B

FCA SYSC 13

SYSC 13.7.3

HITRUST CSF v11

01.c, 10.c

FDA 21 CFR Part 11

§11.30, §11.300(d)

FDA Cybersecurity Guidance

SA-2

ISO 27799

10.113.2H.2H.5

NHS DSPT

NDG-1.1, NDG-9.6

OWASP MASVS v2.1

MASVS-CRYPTO-1, MASVS-NETWORK-1, MASVS-AUTH-2, MASVS-RESILIENCE-2, MASVS-RESILIENCE-3, MASVS-RESILIENCE-4

CCSS v9.0

1.01.2, 1.01.6, 1.02.1, 1.02.2, 1.03.1

MiCA

Art.40(1), Art.55(1), Art.63(1), Art.67(1), Art.76(1)

Basel SCO60

SCO60.11, SCO60.21, SCO60.23, SCO60.51, SCO60.61, SCO60.63, SCO60.64, SCO60.66, SCO60.71

BSSC Standards

NOS-08, KMS-01, KMS-02, KMS-03, KMS-08, GSP-13

SEC Custody (Digital Assets)

SEC-CD-02, SEC-CD-03, SEC-CD-06, SEC-CD-07, SEC-CD-08

ISO 17799 (legacy)

None.

COBIT 4.1 (legacy)

DS5.8