ISC2 Governance, Risk and Compliance (CGRC) Practice Question

While conducting the scoping and applicability analysis for a new public-facing website that publishes only publicly releasable data, the security architect reviews control SC-13 (Cryptographic Protection) from the NIST SP 800-53 moderate baseline. Which justification best supports marking this control as Not Applicable in the System Security Plan (SSP)?

The information handled has a low confidentiality impact because it is publicly releasable, so protecting it with cryptography is unnecessary.
Project funding for encryption capabilities was deferred to the next budget cycle, making near-term implementation impractical.
The commercial off-the-shelf web server software selected for the project does not support encryption without extra modules.
The cloud service provider already implements encryption for its infrastructure under a FedRAMP authorization.

Report Issue

Answer Description

SC-13 requires protecting the confidentiality and integrity of information in transit or at rest with approved cryptography. During scoping, a control may be designated Not Applicable only when the system's security categorization or design characteristics show that the control's purpose is not relevant. Because the website processes and transmits information that is already public, the confidentiality impact level is low, and there is no security objective to preserve the secrecy of the data. In that case, the requirement to apply cryptographic protection to the data can legitimately be scoped out. Relying on a cloud provider (inherited control), product limitations, or budget constraints do not eliminate the need for the control; they merely shift implementation responsibility or require alternative solutions, so those reasons would not justify an N/A determination.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.