ISC2 Certified Secure Software Lifecycle Professional (CSSLP) Practice Question
During design of a healthcare API, developers plan to encrypt patient Social Security numbers with AES-256 before storing them in the database. Because regulations might mandate different algorithms during the system's 10-year life, which design decision will best enable cryptographic agility while minimizing future code changes?
Rely on full-disk encryption of the database server instead of field-level encryption to simplify future migrations.
Introduce a centralized cryptographic wrapper or service that selects the encryption algorithm through configuration, keeping business logic independent of specific ciphers.
Call the AES-256 encryption routine directly from every microservice to ensure consistent protection.
Apply an additional RSA-2048 encryption layer on top of AES-256 so stronger keys are already in place for the future.
Cryptographic agility means structuring the application so that cryptographic algorithms and key sizes can be replaced quickly if they become obsolete or are no longer compliant. Introducing an abstraction layer (such as a dedicated cryptographic service or well-defined interface) decouples business logic from the specific algorithm. When a new algorithm is required, the implementation behind the interface is updated or a configuration value is changed, leaving application code untouched.
Hard-coding AES-256 calls throughout the codebase tightly couples logic to one algorithm, making later changes costly. Adding RSA wrapping or relying only on full-disk encryption does not address the need to switch algorithms for field-level data and still requires code or infrastructure changes. Therefore, using a configurable cryptographic wrapper best supports future agility.
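A sketch of the configurable wrapper described above, as an added example that is not part of the original question. The names `FieldCrypto` and `ALGORITHMS`, the envelope layout, the choice of GCM as the AES-256 mode and ChaCha20-Poly1305 as the later replacement are all assumptions; it uses only Node.js's built-in `crypto` module. Tagging each stored value with an algorithm id is what lets old records stay readable after the configuration changes.

```javascript
const crypto = require('node:crypto');

// Supported AEAD ciphers (assumed set); a new algorithm is one more entry here.
const ALGORITHMS = {
  'aes-256-gcm':       { id: 1, keyLen: 32, nonceLen: 12, tagLen: 16 },
  'chacha20-poly1305': { id: 2, keyLen: 32, nonceLen: 12, tagLen: 16 },
};
const BY_ID = Object.fromEntries(Object.entries(ALGORITHMS).map(([name, a]) => [a.id, { name, ...a }]));

// Hypothetical wrapper: business code calls encrypt/decrypt and never names a cipher.
class FieldCrypto {
  constructor(config) { // config: { active: <algorithm name>, keys: { <name>: Buffer } }
    if (!ALGORITHMS[config.active]) throw new Error(`unknown algorithm: ${config.active}`);
    this.config = config;
  }
  keyFor(name) {
    const key = this.config.keys[name];
    if (!key || key.length !== ALGORITHMS[name].keyLen) throw new Error(`no valid key for ${name}`);
    return key;
  }
  // Envelope (assumed layout): [1-byte algorithm id][nonce][auth tag][ciphertext], base64.
  encrypt(plaintext) {
    const name = this.config.active, alg = ALGORITHMS[name];
    const nonce = crypto.randomBytes(alg.nonceLen);
    const c = crypto.createCipheriv(name, this.keyFor(name), nonce, { authTagLength: alg.tagLen });
    const body = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
    return Buffer.concat([Buffer.from([alg.id]), nonce, c.getAuthTag(), body]).toString('base64');
  }
  decrypt(envelope) {
    const raw = Buffer.from(envelope, 'base64');
    const alg = BY_ID[raw[0]]; // the stored id, not the active config, picks the cipher
    if (!alg) throw new Error('unsupported algorithm id in envelope');
    const bodyAt = 1 + alg.nonceLen + alg.tagLen;
    const nonce = raw.subarray(1, 1 + alg.nonceLen);
    const d = crypto.createDecipheriv(alg.name, this.keyFor(alg.name), nonce, { authTagLength: alg.tagLen });
    d.setAuthTag(raw.subarray(1 + alg.nonceLen, bodyAt));
    return Buffer.concat([d.update(raw.subarray(bodyAt)), d.final()]).toString('utf8');
  }
  // Migration helper: re-encrypt only values not already under the active algorithm.
  rotate(envelope) {
    const id = Buffer.from(envelope, 'base64')[0];
    return id === ALGORITHMS[this.config.active].id ? envelope : this.encrypt(this.decrypt(envelope));
  }
}

// Constructed demo: a value stored under AES-256-GCM is read and rotated after a config switch.
const demoKeys = { 'aes-256-gcm': crypto.randomBytes(32), 'chacha20-poly1305': crypto.randomBytes(32) };
const legacy = new FieldCrypto({ active: 'aes-256-gcm', keys: demoKeys }).encrypt('000-00-0000');
const current = new FieldCrypto({ active: 'chacha20-poly1305', keys: demoKeys });
console.log(current.decrypt(legacy), Buffer.from(current.rotate(legacy), 'base64')[0]);
```

In a real deployment the keys would come from a key management service rather than `randomBytes`, and the old algorithm's key has to stay available until every stored value has been rotated.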
ISC2 Certified Secure Software Lifecycle Professional (CSSLP)
Secure Software Implementation