NIST 800-53 REV 5 • SYSTEM AND COMMUNICATIONS PROTECTION

SC-13 Cryptographic Protection

Determine the {{ insert: param, sc-13_odp.01 }}; and implement the following types of cryptography required for each specified cryptographic use: {{ insert: param, sc-13_odp.02 }}.

Supplemental Guidance

Cryptography can be employed to support a variety of security solutions, including the protection of classified information and controlled unclassified information, the provision and implementation of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances but lack the necessary formal access approvals. Cryptography can also be used to support random number and hash generation. Generally applicable cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. For example, organizations that need to protect classified information may specify the use of NSA-approved cryptography. Organizations that need to provision and implement digital signatures may specify the use of FIPS-validated cryptography. Cryptography is implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.

Practitioner Notes

Use cryptographic protection wherever your organization requires confidentiality or integrity: data at rest, data in transit, and authentication. Do not roll your own cryptography; use established, validated algorithms and implementations.

Example 1: Use FIPS 140-2 validated cryptographic modules for all encryption. On Windows, enable FIPS mode via Group Policy (Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing"). This restricts Windows' own cryptographic providers (CNG, Schannel, and components that honour the policy) to validated implementations of AES, SHA-256, and RSA. Applications that ship their own cryptographic libraries are not affected by the setting and must be checked separately.

Example 2: Configure your VPN, TLS, and disk encryption to use only approved algorithms: AES-256 for encryption, SHA-256 or SHA-384 for hashing, and RSA-2048+ or ECDSA P-256+ for key exchange and authentication (key agreement over (EC)DH groups of equivalent strength). Document these choices in your System Security Plan, and verify them on the deployed configuration rather than only in policy, since a cipher suite name alone does not reveal key sizes or curves.
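The Example 2 algorithm list can be enforced mechanically. The following Python script is an added example, not NIST text or a vendor tool: it checks IANA-style TLS cipher suite names against that policy. The suite inventory is constructed for illustration, and key sizes and curves are assumed to be verified separately on certificates and group settings because suite names do not carry them.

```python
"""Audit IANA-style TLS cipher suite names against the Example 2 policy:
AES-256 encryption, SHA-256/SHA-384 hashing, RSA or ECDSA authentication.
Suite names carry no key sizes or curves, so RSA-2048+ / P-256+ is assumed
to be verified separately on certificates and group settings."""

APPROVED_HASHES = {"SHA256", "SHA384"}
APPROVED_AUTH = {"RSA", "ECDSA"}

# Constructed inventory, as might be exported from a load balancer profile.
SAMPLE_SUITES = [
    "TLS_AES_256_GCM_SHA384",                 # TLS 1.3, compliant
    "TLS_CHACHA20_POLY1305_SHA256",           # TLS 1.3, not AES
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",  # AES-128
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",     # SHA-1 HMAC
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",          # 3DES and SHA-1
    "TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384",  # PSK, not RSA/ECDSA auth
]

def check_suite(name: str) -> list[str]:
    """Return the policy violations for one suite name (empty list = OK)."""
    if not name.startswith("TLS_"):
        return ["not a TLS suite name"]
    body = name[len("TLS_"):]
    kx_auth = None
    if "_WITH_" in body:                      # TLS 1.2-style name
        kx_auth, body = body.split("_WITH_", 1)
    parts = body.rsplit("_", 1)               # e.g. AES_256_GCM / SHA384
    if len(parts) != 2:
        return ["unrecognised suite name"]
    cipher, hash_alg = parts
    problems = []
    if not cipher.startswith("AES_256"):
        problems.append(f"encryption {cipher} is not AES-256")
    if hash_alg not in APPROVED_HASHES:
        problems.append(f"hash {hash_alg} is not SHA-256/SHA-384")
    if kx_auth is not None:                   # TLS 1.3 names carry no auth
        auth = kx_auth.split("_")[-1]         # ECDHE_RSA -> RSA, RSA -> RSA
        if auth not in APPROVED_AUTH:
            problems.append(f"authentication {auth} is not RSA/ECDSA")
    return problems

def audit(suites: list[str]) -> dict[str, list[str]]:
    """Map each non-compliant suite to its list of violations."""
    return {s: p for s in suites if (p := check_suite(s))}

if __name__ == "__main__":
    for suite, problems in audit(SAMPLE_SUITES).items():
        print(f"{suite}: {'; '.join(problems)}")
```

Run it against the suite list exported from each TLS endpoint; any suite it reports should be removed from the profile or the exception recorded in the System Security Plan.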