SC-13 Cryptographic Protection

Family: SC
Baselines: Moderate
Mapped KSIs: 2

Control statement

a. Determine the {{ insert: param, sc-13_odp.01 }}; and
b. Implement the following types of cryptography required for each specified cryptographic use: {{ insert: param, sc-13_odp.02 }}.

Guidance: This control applies to all use of cryptography. In addition to encryption, this includes functions such as hashing, random number generation, and key generation. Examples include the following:

* Encryption of data
* Decryption of data
* Generation of one-time passwords (OTPs) for MFA
* Protocols such as TLS, SSH, and HTTPS

The requirement for FIPS 140 validation, as well as the timelines for acceptance of FIPS 140-2 and FIPS 140-3 validated modules, can be found at the NIST Cryptographic Module Validation Program (CMVP):

https://csrc.nist.gov/projects/cryptographic-module-validation-program

Guidance: For NSA-approved cryptography, the National Information Assurance Partnership (NIAP) oversees a national program to evaluate commercial IT products for use in National Security Systems. The NIAP Product Compliant List can be found at the following location:

https://www.niap-ccevs.org/Product/index.cfm
Guidance: When leveraging encryption from an underlying IaaS/PaaS: while some IaaS/PaaS offerings provide encryption by default, many require encryption to be configured and enabled by the customer. The CSP retains the responsibility to verify that encryption is properly configured and enabled for every covered use.

Guidance: Moving to a non-FIPS-validated cryptographic module (CM) or product is acceptable when all of the following apply:

* The FIPS-validated version has a known vulnerability
* The feature containing the vulnerability is in use
* The non-FIPS version fixes the vulnerability
* The non-FIPS version has been submitted to NIST for FIPS validation
* A POA&M is added to track validation approval and deployment of the validated version when it is ready

Guidance: At a minimum, this control applies to the cryptography used to satisfy the following controls: AU-9(3), CP-9(8), IA-2(6), IA-5(1), MP-5, SC-8(1), and SC-28(1).
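The following is an added example, not FedRAMP or NIST text, of the kind of configuration check the IaaS/PaaS guidance above and KSI-SVC-02 call for: a static scan of an nginx-style TLS server block against a cryptographic allow-list, run over a weak and a hardened sample configuration. The allow-list (TLS 1.2/1.3 only; no RC4, DES/3DES, MD5, NULL, export, anonymous key exchange, or non-FIPS algorithms such as ChaCha20), the nginx directive names, and both sample configurations are the example's own assumptions; the authoritative list of approved algorithms is the CMVP/NIST guidance linked above.

```python
"""Static policy check of a TLS server configuration (added example).

Not FedRAMP or NIST text. ASSUMPTIONS: the allow-list is illustrative, and the
input is nginx-style `ssl_protocols` / `ssl_ciphers` directives using OpenSSL
cipher-list syntax. Verify against the CMVP/NIST guidance before relying on it.
"""
import re
from typing import Dict, List, Tuple

APPROVED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}

# Tokens of an OpenSSL/IANA suite name that put the suite out of policy.
DISALLOWED_TOKENS = {
    "RC4": "RC4 stream cipher",
    "DES": "DES/3DES block cipher",  # also matches DES-CBC3 (3DES)
    "MD5": "MD5 HMAC",
    "NULL": "NULL cipher or NULL authentication",
    "EXP": "export-grade suite",
    "ADH": "anonymous DH key exchange",
    "AECDH": "anonymous ECDH key exchange",
    "CHACHA20": "ChaCha20-Poly1305 (not FIPS-approved)",
    "CAMELLIA128": "Camellia (not FIPS-approved)",
    "CAMELLIA256": "Camellia (not FIPS-approved)",
    "ARIA128": "ARIA (not FIPS-approved)",
    "ARIA256": "ARIA (not FIPS-approved)",
    "SEED": "SEED (not FIPS-approved)",
}

# A concrete suite names a bulk cipher; anything else (HIGH, ECDHE, AESGCM, ...)
# is a group keyword whose expansion depends on the linked OpenSSL build.
BULK_CIPHER = re.compile(r"^(AES|AES\d{3}|DES|RC4|CHACHA20|NULL|CAMELLIA\d{3}|ARIA\d{3}|SEED)$")


def check_cipher_suite(name: str) -> List[str]:
    """Reasons a single suite name (OpenSSL or IANA style) is out of policy; [] if ok."""
    return [DISALLOWED_TOKENS[t] for t in re.split(r"[-_]", name.upper()) if t in DISALLOWED_TOKENS]


def check_cipher_string(cipher_string: str) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Scan an OpenSSL cipher list such as 'HIGH:ECDHE-RSA-AES128-GCM-SHA256:!aNULL'.

    Returns (findings, unresolved): findings are (suite, reason) pairs; unresolved
    are group keywords a static check cannot expand, which must be resolved with
    `openssl ciphers -v '<string>'` on the actual build before sign-off.
    """
    findings, unresolved = [], []
    for entry in (e.strip() for e in cipher_string.split(":")):
        if not entry or entry[0] in "!-+@":
            continue  # exclusions, demotions and @STRENGTH never add a suite
        if not any(BULK_CIPHER.match(t) for t in re.split(r"[-_]", entry.upper())):
            unresolved.append(entry)
            continue
        findings.extend((entry, reason) for reason in check_cipher_suite(entry))
    return findings, unresolved


def check_tls_config(config_text: str) -> Dict[str, list]:
    """Check every ssl_protocols / ssl_ciphers directive in an nginx-style snippet."""
    report: Dict[str, list] = {"protocols": [], "suites": [], "unresolved": []}
    for m in re.finditer(r"^\s*ssl_protocols\s+([^;]+);", config_text, re.M):
        report["protocols"].extend(p for p in m.group(1).split() if p not in APPROVED_PROTOCOLS)
    for m in re.finditer(r"^\s*ssl_ciphers\s+\"?([^;\"]+)\"?\s*;", config_text, re.M):
        findings, unresolved = check_cipher_string(m.group(1))
        report["suites"].extend(findings)
        report["unresolved"].extend(unresolved)
    return report


def is_compliant(report: Dict[str, list]) -> bool:
    """Unresolved group keywords count as failures: they must be expanded first."""
    return not (report["protocols"] or report["suites"] or report["unresolved"])


# Constructed sample inputs (not taken from any real deployment).
WEAK_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "HIGH:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:DES-CBC3-SHA:RC4-SHA:!aNULL:!MD5";
}
"""

HARDENED_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256";
}
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        r = check_tls_config(cfg)
        print(f"{label}: compliant={is_compliant(r)}")
        for proto in r["protocols"]:
            print(f"  protocol not allowed: {proto}")
        for suite, reason in r["suites"]:
            print(f"  suite {suite}: {reason}")
        for kw in r["unresolved"]:
            print(f"  expand with `openssl ciphers -v`: {kw}")
```

The check deliberately refuses to pass group keywords such as HIGH or ECDHE: their expansion is whatever the linked OpenSSL build contains, so a static read of the file cannot prove which suites are enabled, and the assessor should record the output of `openssl ciphers -v` from the production build instead. It also does not cover TLS 1.3 suites configured through other directives, nor confirm that the library itself is a validated module; that evidence comes from the CMVP certificate, not from the configuration file.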

Parameter placeholders {{ insert: param, … }} reference FedRAMP-set values in the resolved profile. Full parameter map is preserved in the catalog database.

Covered by these Key Security Indicators

KSI         Title                 Category
KSI-SVC-02  Network Encryption    Service Configuration
            Encrypt or otherwise secure network traffic.
KSI-SVC-05  Resource Integrity    Service Configuration
            Use cryptographic methods to validate the integrity of machine-based information resources.