NIST 800-53 r5 · Controls catalogue · Family SC

SC-13Cryptographic Protection

Determine the {{ insert: param, sc-13_odp.01 }} ; and Implement the following types of cryptography required for each specified cryptographic use: {{ insert: param, sc-13_odp.02 }}.

Last updated: 19 May 2026 14:18 UTC

Implementations targeting this control (30)

aws-config-ec2-ebs-encryption-by-default EBS encryption by default is enabled AWS::EC2::Volume partial protect enforce CIS v5 §5.1.1CIS v3 §2.2.1Hub EC2.7
aws-config-encrypted-volumes EBS volumes are encrypted at rest AWS::EC2::Volume partial protect enforce
aws-config-rds-storage-encrypted RDS storage is encrypted AWS::RDS::DBInstance partial protect enforce CIS v5 §2.2.1CIS v3 §2.3.1Hub RDS.3
aws-config-s3-bucket-server-side-encryption-enabled S3 bucket has default server-side encryption AWS::S3::Bucket partial protect enforce
aws-config-efs-encrypted-check EFS file system is encrypted AWS::EFS::FileSystem partial protect enforce CIS v5 §2.3.1CIS v3 §2.4.1Hub EFS.8
aws-config-sns-encrypted-kms SNS topic uses KMS encryption at rest AWS::SNS::Topic partial protect enforce
aws-config-elb-tls-https-listeners-only ELB / ALB listeners use HTTPS or TLS AWS::ElasticLoadBalancingV2::Listener partial protect enforce
aws-config-alb-http-to-https-redirection-check Alb Http To Https Redirection Check AWS::ElasticLoadBalancingV2::LoadBalancer partial protect enforce
aws-config-api-gw-cache-enabled-and-encrypted Api Gw Cache Enabled And Encrypted AWS::ApiGateway::Stage partial protect enforce
aws-config-api-gw-ssl-enabled Api Gw Ssl Enabled AWS::ApiGateway::Stage partial protect enforce
aws-config-cloud-trail-encryption-enabled Cloud Trail Encryption Enabled AWS::CloudTrail::Trail partial detect enforce CIS §3.5Hub CloudTrail.2
aws-config-codebuild-project-artifact-encryption Codebuild Project Artifact Encryption AWS::CodeBuild::Project partial protect enforce
aws-config-dynamodb-table-encrypted-kms Dynamodb Table Encrypted Kms AWS::DynamoDB::Table partial protect enforce
aws-config-elasticsearch-encrypted-at-rest Elasticsearch Encrypted At Rest AWS::OpenSearchService::Domain partial protect enforce
aws-config-elasticsearch-node-to-node-encryption-check Elasticsearch Node To Node Encryption Check AWS::OpenSearchService::Domain partial protect enforce
aws-config-elb-acm-certificate-required Elb Acm Certificate Required AWS::ElasticLoadBalancing::LoadBalancer partial protect enforce
aws-config-elbv2-acm-certificate-required Elbv2 Acm Certificate Required AWS::ElasticLoadBalancingV2::LoadBalancer partial protect enforce
aws-config-kinesis-stream-encrypted Kinesis Stream Encrypted AWS::Kinesis::Stream partial protect enforce
aws-config-opensearch-encrypted-at-rest Opensearch Encrypted At Rest AWS::OpenSearchService::Domain partial protect enforce
aws-config-opensearch-https-required Opensearch Https Required AWS::OpenSearchService::Domain partial protect enforce
aws-config-opensearch-node-to-node-encryption-check Opensearch Node To Node Encryption Check AWS::OpenSearchService::Domain partial protect enforce
aws-config-rds-snapshot-encrypted Rds Snapshot Encrypted AWS::RDS::DBInstance partial recover enforce
aws-config-redshift-cluster-configuration-check Redshift Cluster Configuration Check AWS::Redshift::Cluster partial protect enforce
aws-config-redshift-cluster-kms-enabled Redshift Cluster Kms Enabled AWS::Redshift::Cluster partial protect enforce
aws-config-redshift-require-tls-ssl Redshift Require Tls Ssl AWS::Redshift::Cluster partial protect enforce
aws-config-s3-bucket-ssl-requests-only S3 Bucket Ssl Requests Only AWS::S3::Bucket partial protect enforce CIS §2.1.1Hub S3.5
aws-config-s3-default-encryption-kms S3 Default Encryption Kms AWS::S3::Bucket partial protect enforce
aws-config-sagemaker-endpoint-configuration-kms-key-configured Sagemaker Endpoint Configuration Kms Key Configured AWS::SageMaker::NotebookInstance partial protect enforce
aws-config-sagemaker-notebook-instance-kms-key-configured Sagemaker Notebook Instance Kms Key Configured AWS::SageMaker::NotebookInstance partial protect enforce
aws-config-secretsmanager-using-cmk Secretsmanager Using Cmk AWS::SecretsManager::Secret partial protect enforce

ATT&CK techniques this control mitigates (5)

T1005 Data from Local System Collection
T1025 Data from Removable Media Collection
T1041 Exfiltration Over C2 Channel Exfiltration
T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol Exfiltration
T1557.004 Evil Twin Credential Access, Collection

Weaknesses this control addresses (6)AI

CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.

CWE	Name	CVEs	Why this control addresses it
`CWE-319`	Cleartext Transmission of Sensitive Information	1,051	Requires cryptography for transmission uses, eliminating cleartext exposure of sensitive data in transit.
`CWE-327`	Use of a Broken or Risky Cryptographic Algorithm	739	Enforces approved cryptographic algorithms for each use case, blocking use of broken or risky algorithms.
`CWE-311`	Missing Encryption of Sensitive Data	552	Mandates encryption for specified data uses, directly preventing missing encryption of sensitive information.
`CWE-326`	Inadequate Encryption Strength	516	Specifies required cryptography types and parameters, preventing selection of inadequate encryption strength.
`CWE-328`	Use of Weak Hash	62	Requires appropriate hash functions for cryptographic uses, preventing reliance on weak hashes.
`CWE-1240`	Use of a Cryptographic Primitive with a Risky Implementation	16	Requires specific, validated cryptographic primitives, reducing use of risky or improperly implemented primitives.

Top CVEs where this control is the strongest mitigation

CVE	Risk	CVSS	EPSS	Match
`CVE-2024-4282`	2.0	9.8	0.0011	good
`CVE-2026-28252`	2.0	9.8	0.0004	good
`CVE-2026-22585`	2.0	9.8	0.0001	good
`CVE-2025-15385`	2.0	9.8	0.0004	good
`CVE-2024-58041`	1.8	9.1	0.0004	good
`CVE-2026-23687`	1.8	8.8	0.0002	good
`CVE-2019-25651`	1.7	8.3	0.0001	good
`CVE-2023-24012`	1.6	8.2	0.0012	good
`CVE-2026-28678`	1.6	8.1	0.0003	good
`CVE-2026-1529`	1.6	8.1	0.0001	good
`CVE-2024-51346`	1.5	7.7	0.0002	good
`CVE-2024-8603`	1.5	7.5	0.0006	good
`CVE-2024-54089`	1.5	7.5	0.0003	good
`CVE-2026-33488`	1.5	7.4	0.0004	good
`CVE-2025-68931`	1.5	7.5	0.0004	good
`CVE-2026-3598`	1.5	7.5	0.0002	good
`CVE-2026-30791`	1.5	7.5	0.0002	good
`CVE-2025-66597`	1.5	7.5	0.0002	good
`CVE-2026-27519`	1.5	7.5	0.0002	good
`CVE-2026-28479`	1.5	7.5	0.0002	good
`CVE-2024-38320`	1.2	5.9	0.0006	good
`CVE-2024-41763`	1.2	5.9	0.0005	good
`CVE-2024-45643`	1.2	5.9	0.0005	good
`CVE-2024-22347`	1.2	5.9	0.0002	good
`CVE-2025-64647`	1.2	5.9	0.0001	good

Other controls in family SC

SC-1 SC-10 SC-11 SC-12 SC-14 SC-15 SC-16 SC-17 SC-18 SC-19 SC-2 SC-20 SC-21 SC-22 SC-23 SC-24 SC-25 SC-26 SC-27 SC-28 SC-29 SC-3 SC-30 SC-31 SC-32 SC-33 SC-34 SC-35 SC-36 SC-37 SC-38 SC-39 SC-4 SC-40 SC-41 SC-42 SC-43 SC-44 SC-45 SC-46 SC-47 SC-48 SC-49 SC-5 SC-50 SC-51 SC-6 SC-7 SC-8 SC-9