SC-28(1)

Requirement

Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of the following information at rest on [Assignment: organization-defined system components or media]: [Assignment: organization-defined information].

Discussion

The selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of organizational information. The strength of mechanism is commensurate with the security category or classification of the information. Organizations have the flexibility to encrypt information on system components or media or encrypt data structures, including files, records, or fields.

NIST 800-53A Assessment Guidance

Examine

[SELECT FROM: System and communications protection policy; procedures addressing the protection of information at rest; system design documentation; system configuration settings and associated documentation; cryptographic mechanisms and associated configuration documentation; system audit records; system security plan; other relevant documents or records].

Interview

[SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developer].

Test

[SELECT FROM: Cryptographic mechanisms implementing confidentiality and integrity protections for information at rest].

ID	Assessment Objectives
SC-28(01)[01]	cryptographic mechanisms are implemented to prevent unauthorized disclosure of <SC-28(01)_ODP[01] information> at rest on <SC-28(01)_ODP[02] system components or media>;
SC-28(01)[02]	cryptographic mechanisms are implemented to prevent unauthorized modification of <SC-28(01)_ODP[01] information> at rest on <SC-28(01)_ODP[02] system components or media>.

Our CMMC Overview Course simplifies CMMC. Enroll so you can make informed decisions!