Back

Establish and maintain the security requirements for cryptographic module ports and cryptographic module interfaces.


CONTROL ID
06545
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS



This Control directly supports the implied Control(s):
  • Define the cryptographic module security functions and the cryptographic module operational modes., CC ID: 06542

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH



  • Ensuring key-generating equipment is physically and logically secure from construction through receipt, installation, operation, and removal from service. (Critical components of information security 14) (iv) k., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Verify that the architecture treats client-side secrets--such as symmetric keys, passwords, or API tokens--as insecure and never uses them to protect or access sensitive data. (1.6.4, Application Security Verification Standard 4.0.3, 4.0.3)
  • Communication between the claimant and verifier SHALL be via an authenticated protected channel to provide confidentiality of the authenticator output and resistance to MitM attacks. All cryptographic device authenticators used at AAL3 SHALL be verifier impersonation resistant as described in Sectio… (4.3.2 ¶ 1, Digital Identity Guidelines: Authentication and Lifecycle Management, NIST SP 800-63B)
  • CSPs SHOULD, where practical, accommodate the use of subscriber-provided authenticators in order to relieve the burden to the subscriber of managing a large number of authenticators. Binding of these authenticators SHALL be done as described in Section 6.1.2.1. In situations where the authenticator … (6.1.3 ¶ 2, Digital Identity Guidelines: Authentication and Lifecycle Management, NIST SP 800-63B)
  • Cryptographic modules shall restrict physical access points and information flow to the entry and exit physical ports and logical interfaces. The interfaces shall be logically distinct, however, they may share one physical port or may use one or more physical ports. Cryptographic modules shall have … (§ 4.2, FIPS Pub 140-2, Security Requirements for Cryptographic Modules, 2)