SC-13 Use Of Cryptography

Control: For information requiring cryptographic protection, the information system implements cryptographic mechanisms that comply with applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance.

Supplemental Guidance: The applicable federal standard for employing cryptography in non-national security information systems is FIPS 140-2 (as amended). Validation certificates issued by the NIST Cryptographic Module Validation Program (including FIPS 140-1, FIPS 140-2, and future amendments) remain in effect and the modules remain available for continued use and purchase until a validation certificate is specifically revoked. NIST Special Publications 800-56 and 800-57 provide guidance on cryptographic key establishment and cryptographic key management. Additional information on the use of validated cryptography is available at

Control Enhancements: (0) None.

Baseline: LOW: SC-13; MOD: SC-13; HIGH: SC-13

Family: System And Communications Protection

Class: Technical

ISO 17799 mapping: None.

COBIT 4.1 mapping: DS5.8

PCI-DSS v2 mapping: 3.6, 4.1.c