Define the cryptographic module security functions and the cryptographic module operational modes.


CONTROL ID
06542
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Manage the use of encryption controls and cryptographic controls., CC ID: 00570

This Control has the following implementation support Control(s):
  • Define the cryptographic boundaries., CC ID: 06543
  • Establish and maintain the documentation requirements for cryptographic modules., CC ID: 06544
  • Establish and maintain the security requirements for cryptographic module ports and cryptographic module interfaces., CC ID: 06545
  • Implement the documented cryptographic module security functions., CC ID: 06755
  • Establish, implement, and maintain documentation for the delivery and operation of cryptographic modules., CC ID: 06547


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • There should be documented guidelines for the use of cryptography across the organization, which covers the selection of approved cryptographic algorithms (e.g., Advanced Encryption Standard for confidentiality, and Secure Hash Algorithm for integrity). (CF.08.04.02c, The Standard of Good Practice for Information Security)
  • There should be documented guidelines for the use of cryptography across the organization, which covers the selection of approved cryptographic algorithms (e.g., Advanced Encryption Standard for confidentiality, and Secure Hash Algorithm for integrity). (CF.08.04.02c, The Standard of Good Practice for Information Security, 2013)
  • Single-factor cryptographic device authenticators SHOULD require a physical input (e.g., the pressing of a button) in order to operate. This provides defense against unintended operation of the device, which might occur if the endpoint to which it is connected is compromised. (5.1.7.1 ¶ 3, Digital Identity Guidelines: Authentication and Lifecycle Management, NIST SP 800-63B)
  • Cryptographic modules shall implement at least one approved security function in an approved mode of operation, and non-approved security functions may be used for non-approved modes of operations. The operator shall have the ability to determine when an approved mode of operation is selected. For s… (§ 4.1 ¶ 1, FIPS Pub 140-2, Security Requirements for Cryptographic Modules, 2)
  • Wireless device communications should be encrypted and integrity-protected. The encryption must not degrade the operational performance of the end device. Encryption at OSI Layer 2 should be considered, rather than at Layer 3 to reduce encryption latency. The use of hardware accelerators to perform … (§ 6.2.1.5 ICS-specific Recommendations and Guidance ¶ 1 Bullet 6, Guide to Industrial Control Systems (ICS) Security, Revision 2)