Skip to main content

CRY-01: Use of Cryptographic Controls

CRY 10 — Critical Govern

Mechanisms exist to facilitate the implementation of cryptographic protections controls using known public standards and trusted cryptographic technologies.

Control Question: Does the organization facilitate the implementation of cryptographic protections controls using known public standards and trusted cryptographic technologies?

General (56)
Framework Mapping Values
AICPA TSC 2017:2022 (used for SOC 2) (source) CC6.1 CC6.1-POF10 CC6.1-POF11 CC6.6-POF2 CC6.7-POF2 CC6.7-POF3
CIS CSC 8.1 3.6 3.9 3.10 3.11
CIS CSC 8.1 IG1 3.6
CIS CSC 8.1 IG2 3.6 3.9 3.10
CIS CSC 8.1 IG3 3.6 3.9 3.10
CSA CCM 4 CEK-01 CEK-02 CEK-03 CEK-04 DSP-10 LOG-10 LOG-11
CSA IoT SCF 2 CLS-01 IAM-12 IOT-10 SAP-07 SWS-08
GovRAMP Core SC-13
GovRAMP Low SC-13
GovRAMP Low+ SC-13
GovRAMP Moderate SC-08(01) SC-13
GovRAMP High SC-08(01) SC-13
IEC 62443-4-2 2019 CR 4.1 (8.3.1(a)) CR 4.3 (8.5.1)
IMO Maritime Cyber Risk Management 3.5.3.4
ISO 27002 2022 8.24 8.26
ISO 27017 2015 10.1.1 14.1.2
MITRE ATT&CK 10 T1005, T1025, T1041, T1048.003
MPA Content Security Program 5.1 TS-1.0 TS-1.9 TS-1.15 TS-3.0
NAIC Insurance Data Security Model Law (MDL-668) 4.D(2)(d)
NIST Privacy Framework 1.0 PR.DS-P1 PR.DS-P2
NIST 800-53 R4 SC-8(1) SC-8(2) SC-13 SC-13(1) SI-7(6)
NIST 800-53 R4 (low) SC-13
NIST 800-53 R4 (moderate) SC-8(1) SC-13
NIST 800-53 R4 (high) SC-8(1) SC-13
NIST 800-53 R5 (source) SC-8(1) SC-8(2) SC-13 SI-7(6)
NIST 800-53B R5 (low) (source) SC-13
NIST 800-53B R5 (moderate) (source) SC-8(1) SC-13
NIST 800-53B R5 (high) (source) SC-8(1) SC-13
NIST 800-53 R5 (NOC) (source) SC-8(2) SI-7(6)
NIST 800-82 R3 LOW OT Overlay SC-13
NIST 800-82 R3 MODERATE OT Overlay SC-8(1) SC-13
NIST 800-82 R3 HIGH OT Overlay SC-8(1) SC-13
NIST 800-171 R2 (source) 3.13.11
NIST 800-171A (source) 3.13.8[a] 3.13.11
NIST 800-171 R3 (source) 03.13.08 03.13.11
NIST 800-171A R3 (source) A.03.13.08[01] A.03.13.08[02] A.03.13.11 A.03.13.11.ODP[01]
NIST 800-207 NIST Tenet 2
NIST CSF 2.0 (source) PR.DS-01 PR.DS-02 PR.DS-10
OWASP Top 10 2021 A02:2021
PCI DSS 4.0.1 (source) 2.2.7 3.3.2 8.3.2 12.3.3
PCI DSS 4.0.1 SAQ A-EP (source) 2.2.7 8.3.2
PCI DSS 4.0.1 SAQ B-IP (source) 2.2.7
PCI DSS 4.0.1 SAQ C (source) 2.2.7 8.3.2
PCI DSS 4.0.1 SAQ C-VT (source) 2.2.7
PCI DSS 4.0.1 SAQ D Merchant (source) 2.2.7 3.3.2 8.3.2 12.3.3
PCI DSS 4.0.1 SAQ D Service Provider (source) 2.2.7 3.3.2 8.3.2 12.3.3
SPARTA CM0050
SWIFT CSF 2023 2.1 2.4A 2.6 5.2
TISAX ISA 6 5.1.1
UL 2900-1 2017 10.3
UN R155 7.3.8
UN ECE WP.29 7.3.8
SCF CORE Mergers, Acquisitions & Divestitures (MA&D) CRY-01
SCF CORE ESP Level 1 Foundational CRY-01
SCF CORE ESP Level 2 Critical Infrastructure CRY-01
SCF CORE ESP Level 3 Advanced Threats CRY-01
US (39)
Framework Mapping Values
US C2M2 2.1 ARCHITECTURE-5.B.MIL2 ARCHITECTURE-5.C.MIL2 ARCHITECTURE-5.D.MIL2 ARCHITECTURE-5.G.MIL3
US CERT RMM 1.2 KIM:SG4.SP1
US CISA CPG 2022 2.K
US CJIS Security Policy 5.9.3 (source) 5.10.1.2 5.10.1.2.1
US CMMC 2.0 Level 2 (source) SC.L2-3.13.11
US CMMC 2.0 Level 3 (source) SC.L2-3.13.11
US CMS MARS-E 2.0 SC-8(2) SC-13
US DoD Zero Trust Execution Roadmap 4.5
US DoD Zero Trust Reference Architecture 2.0 5.1
US DHS CISA SSDAF 1.e
US DHS ZTCF DPR-01 DPR-02 DPR-04
US EO 14028 4e(i)(E)
US FDA 21 CFR Part 11 11.10 11.10(c)
US FedRAMP R4 SC-8(1) SC-13
US FedRAMP R4 (low) SC-13
US FedRAMP R4 (moderate) SC-8(1) SC-13
US FedRAMP R4 (high) SC-8(1) SC-13
US FedRAMP R4 (LI-SaaS) SC-13
US FedRAMP R5 (source) SC-8(1) SC-13
US FedRAMP R5 (low) (source) SC-8(1) SC-13
US FedRAMP R5 (moderate) (source) SC-8(1) SC-13
US FedRAMP R5 (high) (source) SC-8(1) SC-13
US FedRAMP R5 (LI-SaaS) (source) SC-8(1) SC-13
US GLBA CFR 314 2023 (source) 314.4(c)(3)
US HIPAA Administrative Simplification 2013 (source) 164.312(a)(2)(iv) 164.312(e)(2)(ii)
US HIPAA Security Rule / NIST SP 800-66 R2 (source) 164.312(a)(2)(iv) 164.312(e)(2)(ii)
US HIPAA HICP Medium Practice 1.M.C 2.M.A 4.M.C 9.M.B
US HIPAA HICP Large Practice 1.M.C 2.M.A 4.M.C 9.M.B 1.L.A 1.L.B
US IRS 1075 2.E.3 SC-13
US ITAR Part 120 120.54(a)(5)
US NERC CIP 2024 (source) CIP-006-6 1.10
US NISPOM 2020 9-400
US NNPI (unclass) 18.1 18.2 18.3 19.1 19.2 19.3
US SSA EIESR 8.0 5.8
US - CA CCPA 2025 7123(c)(2)
US - NY DFS 23 NYCRR500 2023 Amd 2 500.11(b)(2) 500.15(a) 500.15(b)
US - TX DIR Control Standards 2.0 SC-13
US - TX TX-RAMP Level 2 SC-13
US - VT Act 171 of 2018 2447(c)(3) 2447(c)(5)
EMEA (17)
Framework Mapping Values
EMEA EU EBA GL/2019/04 3.4.4(36)(f)
EMEA EU GDPR (source) 32.1(a)
EMEA EU NIS2 21.2(h)
EMEA EU NIS2 Annex 9.1 9.2(a) 9.2(b)
EMEA EU PSD2 20 30
EMEA Austria Sec 14 Sec 15
EMEA Belgium 16
EMEA Germany C5 2020 CRY-01
EMEA Israel CDMO 1.0 8.1 8.8 15.7 21.16
EMEA Saudi Arabia CSCC-1 2019 2-7 2-7-1-3
EMEA Saudi Arabia ECC-1 2018 2-8-1 2-8-2 2-8-3 2-8-3-1 2-8-4
EMEA Saudi Arabia OTCC-1 2022 2-2-1-4 2-7 2-7-1 2-7-2
EMEA Saudi Arabia SACS-002 TPC-52 TPC-54
EMEA Saudi Arabia SAMA CSF 1.0 3.3.9
EMEA South Africa 14.1 19.1 19.2
EMEA Spain CCN-STIC 825 8.4.2 [MP.COM.2] 8.4.3 [MP.COM.3] 8.5.2 [MP.SI.2] 8.7.3 [MP.INFO.3] 8.7.4 [MP.INFO.4]
EMEA UK DEFSTAN 05-138 2304 2317 2318
APAC (7)
Framework Mapping Values
APAC Australia ISM June 2024 ISM-0142 ISM-0457 ISM-0460 ISM-0471 ISM-0472 ISM-0474 ISM-0475 ISM-0476 ISM-0477 ISM-0479 ISM-0481 ISM-0499 ISM-0501 ISM-0994 ISM-0999 ISM-1080 ISM-1091 ISM-1146 ISM-1446 ISM-1629 ISM-1759 ISM-1761 ISM-1762 ISM-1763 ISM-1764 ISM-1765 ISM-1766 ISM-1767 ISM-1768 ISM-1769 ISM-1770 ISM-1771 ISM-1772
APAC India SEBI CSCRF PR.DS.S1
APAC Japan ISMAP 10.1.1 10.1.1.9.PB 14.1.2
APAC New Zealand HISF 2022 HHSP37 HML37 HSUP32
APAC New Zealand HISF Suppliers 2023 HSUP32
APAC New Zealand NZISM 3.6 8.4.13.C.01 17.1.52.C.01 17.1.52.C.02 17.1.53.C.01 17.1.53.C.02 17.1.53.C.03 17.1.53.C.04 17.1.54.C.01 17.1.55.C.01 17.1.55.C.02 17.1.55.C.03 17.1.55.C.04 17.1.56.C.01 17.1.56.C.02 17.1.57.C.01 17.2.17.C.01 17.2.18.C.01 17.2.19.C.01 17.2.20.C.01 17.2.20.C.02 17.2.21.C.01 17.2.22.C.01 17.2.22.C.02 17.2.23.C.01 17.2.24.C.01 17.2.24.C.02 17.2.24.C.03 17.2.25.C.01 17.2.26.C.01 17.2.26.C.02 17.2.26.C.03 17.2.27.C.01 17.2.27.C.02 17.2.27.C.03 17.2.28.C.01 17.3.6.C.01 17.4.16.C.01 17.4.16.C.02 17.5.6.C.01 17.6.6.C.01 17.6.7.C.01 17.7.6.C.01 17.8.10.C.01 17.8.10.C.02 17.8.11.C.01 17.8.12.C.01 17.8.13.C.01 17.8.14.C.01 17.8.15.C.01 17.8.16.C.01 17.8.17.C.01 17.9.24.C.01 17.9.24.C.02 17.9.24.C.03 17.9.25.C.01 17.9.26.C.01 17.9.26.C.02 17.9.27.C.01 17.9.27.C.02 17.9.27.C.03 17.9.28.C.01 17.9.29.C.01 17.9.30.C.01 17.9.30.C.02 17.9.31.C.01 17.9.32.C.01 17.9.32.C.02 17.9.32.C.03
APAC Singapore MAS TRM 2021 10.1.1 10.1.2 10.1.3 10.1.4 10.1.5
Americas (3)
Framework Mapping Values
Americas Bermuda BMACCC 6.22
Americas Canada OSFI B-13 3.2.2
Americas Canada ITSP-10-171 03.13.08 03.13.11

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to facilitate the implementation of cryptographic protections controls using known public standards and trusted cryptographic technologies.

Level 1 — Performed Informally

Cryptographic Protections (CRY) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Data classification and handling criteria govern requirements to encrypt sensitive/regulated data during transmission and in storage.
  • Network communications containing sensitive/regulated data are protected using a cryptographic mechanism to prevent unauthorized disclosure of information while in transit (e.g., SSH, TLS, VPN, etc.).
  • Wireless access is protected via secure authentication and encryption.
Level 2 — Planned & Tracked

Cryptographic Protections (CRY) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Cryptographic management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
  • IT/cybersecurity personnel identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for cryptographic management.
  • Data classification and handling criteria govern requirements to encrypt sensitive/regulated data during transmission and in storage.
  • Decentralized technologies implement cryptographic mechanisms on endpoints to control how sensitive/regulated data is encrypted during transmission and in storage.
  • Systems, applications and services that store, process or transmit sensitive/regulated data use cryptographic mechanisms to prevent unauthorized disclosure of information as an alternate to physical safeguards.
  • IT/cybersecurity personnel perform an annual review of deployed cryptographic cipher suites and protocols to identify and replace weak cryptographic cipher suites and protocols.
Level 3 — Well Defined

Cryptographic Protections (CRY) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Implements Public Key Infrastructure (PKI) key management controls to protect the confidentiality, integrity and availability of keys. o Implements and maintains an internal PKI infrastructure or obtains PKI services from a reputable PKI service provider.

  • The Chief Information Security Officer (CISO), or similar function with technical competence to address cybersecurity concerns, analyzes the organization's business strategy to determine prioritized and authoritative guidance for cryptographic protections.
  • The CISO, or similar function, develops a security-focused Concept of Operations (CONOPS) that documents management, operational and technical measures for cryptographic protections.
  • A Governance, Risk & Compliance (GRC) function, or similar function, provides governance oversight for the implementation of applicable statutory, regulatory and contractual cybersecurity and data protection controls to protect the confidentiality, integrity, availability and safety of the organization's applications, systems, services and data using cryptographic protections.
  • A steering committee is formally established to provide executive oversight of the cybersecurity and data privacy program, including cryptographic protections.
  • Data classification and handling criteria govern requirements to encrypt sensitive/regulated data during transmission and in storage.
  • Centrally-managed technologies implement cryptographic mechanisms on endpoints to control how sensitive/regulated data is encrypted during transmission and in storage.
  • Certificate management is centrally-managed and the use of certificates is monitored.
  • Cryptographic keys are proactively managed to protect the Confidentiality, Integrity and Availability (CIA) of cryptographic capabilities.
  • Systems, applications and services that store, process or transmit sensitive/regulated data use cryptographic mechanisms to prevent unauthorized disclosure of information as an alternate to physical safeguards.
  • An IT infrastructure team, or similar function:
  • IT/cybersecurity personnel perform an annual review of deployed cryptographic cipher suites and protocols to identify and replace weak cryptographic cipher suites and protocols.
Level 4 — Quantitatively Controlled

Cryptographic Protections (CRY) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
  • Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
  • Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
  • Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
  • Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
  • Both business and technical stakeholders are involved in reviewing and approving proposed changes.
Level 5 — Continuously Improving

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to facilitate the implementation of cryptographic protections controls using known public standards and trusted cryptographic technologies.

Assessment Objectives

  1. CRY-01_A01 cryptographic uses are identified / defined.
  2. CRY-01_A02 cryptographic mechanisms intended to prevent unauthorized disclosure of sensitive / regulated data are identified.
  3. CRY-01_A03 organization-defined types of cryptography are implemented to protect the confidentiality of sensitive / regulated data.
  4. CRY-01_A04 as necessary for compliance requirements, FIPS-validated cryptography is employed to protect the confidentiality of sensitive / regulated data.
  5. CRY-01_A05 security critical or essential software is defined.
  6. CRY-01_A06 root of trust mechanisms or cryptographic signatures are identified.
  7. CRY-01_A07 the integrity of security critical or essential software is verified using root of trust mechanisms or cryptographic signatures.
  8. CRY-01_A08 cryptographic mechanisms are implemented to prevent the unauthorized disclosure of sensitive / regulated data during transmission.
  9. CRY-01_A09 cryptographic mechanisms are implemented to prevent the unauthorized disclosure of sensitive / regulated data while in storage.
  10. CRY-01_A10 cryptographic mechanisms are implemented to detect unauthorized changes to software.
  11. CRY-01_A11 cryptographic mechanisms are implemented to detect unauthorized changes to firmware.
  12. CRY-01_A12 cryptographic mechanisms are implemented to detect unauthorized changes to information.
  13. CRY-01_A13 cryptographic mechanisms are implemented to prevent the unauthorized disclosure of CUI during transmission.
  14. CRY-01_A14 cryptographic mechanisms are implemented to prevent the unauthorized disclosure of CUI while in storage.
  15. CRY-01_A15 the types of cryptography for protecting the confidentiality of CUI are defined.
  16. CRY-01_A16 the following types of cryptography are implemented to protect the confidentiality of CUI: <A.03.13.11.ODP[01]: types of cryptography>.
  17. CRY-01_A17 cryptographic protections management operations are conducted according to documented policies, standards, procedures and/or other organizational directives.
  18. CRY-01_A18 adequate resources (e.g., people, processes, technologies, data and/or facilities) are provided to support cryptographic protections management operations.
  19. CRY-01_A19 responsibility and authority for the performance of cryptographic protections management-related activities are assigned to designated personnel.
  20. CRY-01_A20 personnel performing cryptographic protections management-related activities have the skills and knowledge needed to perform their assigned duties.

Evidence Requirements

E-CRY-01 Cryptographic Protections

Documented evidence of organization-approved cryptographic solutions and modules for both data at rest and in transit.

Cryptographic Protections

Technology Recommendations

Micro/Small

  • IT Asset Management (ITAM) program
  • Configuration Management (CM) program
  • Secure Baseline Configurations (SBC)

Small

  • IT Asset Management (ITAM) program
  • Configuration Management (CM) program
  • Secure Baseline Configurations (SBC)

Medium

  • IT Asset Management (ITAM) program
  • Configuration Management (CM) program
  • Secure Baseline Configurations (SBC)

Large

  • IT Asset Management (ITAM) program
  • Configuration Management (CM) program
  • Secure Baseline Configurations (SBC)

Enterprise

  • IT Asset Management (ITAM) program
  • Configuration Management (CM) program
  • Secure Baseline Configurations (SBC)

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.

Manage this control in SCF Connect

Track implementation status, collect evidence, and map controls to your compliance frameworks automatically.

Get Started Free