Use pre-existent mechanisms
Summary
The systems cryptographic functions must be implemented with pre-existing and up-to-date cryptographic mechanisms.
Description
The systems cryptographic functions are essential for maintaining the confidentiality and integrity of transactions and communications. Therefore, these functions must be based on pre-existent, tested, approved and secure mechanisms.
Supported In
This requirement is verified in following services
| Plan | Supported |
|---|---|
| Essential | 🟢 |
| Advanced | 🟢 |
References
- CAPEC™-20. Encryption brute forcing
- CIS-3_6. Encrypt data on end-user devices
- CIS-16_11. Leverage vetted modules or services for application security components
- CWE™-326. Inadequate encryption strength
- CWE™-327. Use of a broken or risky cryptographic algorithm
- HIPAA-164_312_a_2_iv. Encryption and decryption (addressable)
- NIST 800-53-IA-7. Cryptographic module authentication
- OWASP TOP 10-A4. Insecure design
- NYDFS-500_15. Encryption of nonpublic information
- CMMC-AC_L1-3_1_2. Transaction & function control
- CMMC-AC_L2-3_1_13. Remote access confidentiality
- CMMC-SC_L1-3_13_1. Boundary protection
- CMMC-SC_L2-3_13_8. Data in transit
- CMMC-SC_L2-3_13_15. Communications authenticity
- HITRUST CSF-06_f. Regulation of cryptographic controls
- HITRUST CSF-09_m. Network controls
- HITRUST CSF-09_s. Information exchange policies and procedures
- HITRUST CSF-09_y. On-line transactions
- HITRUST CSF-10_d. Message integrity
- HITRUST CSF-10_f. Policy on the use of cryptographic controls
- FedRAMP-CM-3_6. Baseline configuration - Cryptography management
- FedRAMP-SC-8_1. Cryptographic or alternate physical protection
- ISA/IEC 62443-SI-3_1. Communication integrity
- OSSTMM3-10_7_2. Telecommunications security (controls verification) - Confidentiality
- OSSTMM3-11_7_2. Data networks security (controls verification) - Confidentiality
- NIST SSDF-PS_1_1. Protect all forms of code from unauthorized access and tampering
- PTES-4_5_3. Threat capability analysis - Communication mechanisms
- MVSP-2_8. Application design controls - Encryption
- BSAFSS-EN_2-5. Avoid weak encryption
- NIST 800-171-1_13. Employ cryptographic mechanisms to protect the confidentiality of remote access sessions
- OWASP ASVS-1_9_1. Communications architecture
- OWASP ASVS-6_2_2. Algorithms
- OWASP ASVS-8_3_7. Sensitive private data
- C2M2-9_5_d. Implement data security for cybersecurity architecture
- PCI DSS-9_4_3. Media is secured and tracked when transported
- OWASP ASVS-2_8_3. One time verifier
- CASA-1_9_1. Communications Architecture
- CASA-6_2_2. Algorithms
- FISMA-IA-7. Cryptographic module authentication
Vulnerabilities
Free trial
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.