This requirement applies to internal and external networks and any system components that can transmit information, including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, and facsimile machines. Communication paths outside the physical protection of controlled boundaries are susceptible to both interception and modification.

Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs) may find it difficult to obtain the necessary assurances regarding the implementation of the controls for transmission confidentiality. In such situations, organizations determine what types of confidentiality services are available in commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary safeguards and assurances of the effectiveness of the safeguards through appropriate contracting vehicles, organizations implement compensating safeguards or explicitly accept the additional risk.

An example of an alternative physical safeguard is a protected distribution system (PDS), where the distribution medium is protected against electronic or physical intercept, thereby ensuring the confidentiality of the information being transmitted. See [NIST CRYPTO].

Priority: High


Services Associated with AWS:

  1. AWS Key Management Service (KMS)
  2. AWS Certificate Manager
  3. Amazon Macie
  4. AWS Secrets Manager
  5. AWS Shield
  6. AWS WAF
  7. AWS Security Hub
  8. Amazon Connect
  9. AWS Direct Connect
  10. AWS Transit Gateway

Objective Evidence:

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations
  • Technical: screenshot of configuration settings
  • Technical: screenshot of cryptography in use

Possible Technology Considerations

  • Secure Baseline Configurations (SBC)
  • Cryptographic Solution (data in transit)

What needs to be answered?

  • Are cryptographic mechanisms used to prevent unauthorized disclosure of information during transmission unless otherwise protected by alternative physical measures? Are all alternative physical safeguards used to provide confidentiality of CUI during transmission documented?
  • Check Name: Transmission Security Check
    Description: This check ensures that cryptographic mechanisms are implemented to prevent unauthorized disclosure of Controlled Unclassified Information (CUI) during transmission, barring the presence of alternative physical safeguards.
  • Check Name: Check for Alternative Physical Safeguards
    Description: This check verifies the existence of alternative physical safeguards when cryptographic mechanisms are not feasible for the prevention of unauthorized disclosure of CUI during transmission.
  • Check Name: Evaluation of Telecommunication Service Packages
    Description: This check ensures that organizations determine what types of confidentiality services are available in commercial telecommunication service packages to provide necessary safeguards for the transmission of CUI.
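An automated form of the Transmission Security Check above, added here as an example and not taken from this page, from NIST, or from any AWS tool. It walks a small, constructed inventory of transport paths (the field names `buckets`, `listeners`, `Policy`, `Protocol`, `SslPolicy`, `LoadBalancer` and `Port` are this example's own assumption about how a bucket-policy and listener export would be normalized) and reports every path that does not enforce encryption in transit: an S3 bucket whose policy lacks a Deny on `aws:SecureTransport == false`, and a load-balancer listener that is plaintext or negotiates under a TLS policy outside the documented baseline. The accepted-policy set is an organizational assumption standing in for the secure baseline configuration; the sample data is constructed, not real account output.

```python
"""Transmission-confidentiality evidence check over a normalized AWS inventory.

Added example, not part of the original page or of any AWS tooling.  The
inventory shape and the accepted TLS policy set are assumptions; adjust both
to the organization's documented secure baseline configuration (SBC).
"""
import json
from typing import Dict, List

# Assumption: the SBC accepts only ELB security policies that refuse
# TLS 1.0 and 1.1.  ELBSecurityPolicy-2016-08 still permits TLS 1.0.
ACCEPTABLE_TLS_POLICIES = {
    "ELBSecurityPolicy-TLS-1-2-2017-01",
    "ELBSecurityPolicy-TLS-1-2-Ext-2018-06",
    "ELBSecurityPolicy-TLS13-1-2-2021-06",
}
ENCRYPTED_PROTOCOLS = {"HTTPS", "TLS"}


def _as_list(value) -> List:
    """IAM policy fields may be a scalar or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def bucket_policy_enforces_tls(policy: Dict) -> bool:
    """True if the bucket policy denies every request made without TLS.

    The canonical pattern is a Deny statement on all principals and all S3
    actions with condition Bool aws:SecureTransport == "false".  A stricter
    check would also confirm the Resource covers the bucket and its objects.
    """
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        if stmt.get("Principal") not in ("*", {"AWS": "*"}):
            continue
        cond = stmt.get("Condition", {}).get("Bool", {})
        if str(cond.get("aws:SecureTransport", "")).lower() != "false":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if "s3:*" in actions or "*" in actions:
            return True
    return False


def listener_is_encrypted(listener: Dict) -> bool:
    """True if the listener terminates TLS under an accepted security policy."""
    if listener.get("Protocol", "").upper() not in ENCRYPTED_PROTOCOLS:
        return False
    return listener.get("SslPolicy") in ACCEPTABLE_TLS_POLICIES


def audit_transport(inventory: Dict) -> List[str]:
    """Return one finding per transport path that does not enforce encryption."""
    findings = []
    for bucket in inventory.get("buckets", []):
        if not bucket_policy_enforces_tls(bucket.get("Policy", {})):
            findings.append(f"s3://{bucket['Name']}: no aws:SecureTransport deny")
    for lsn in inventory.get("listeners", []):
        if not listener_is_encrypted(lsn):
            findings.append(
                f"{lsn['LoadBalancer']}:{lsn['Port']}: "
                f"{lsn.get('Protocol')} with policy {lsn.get('SslPolicy')}"
            )
    return findings


# Constructed sample inventory (not real account data).
SAMPLE_INVENTORY = {
    "buckets": [
        {
            "Name": "cui-exports",
            "Policy": {
                "Version": "2012-10-17",
                "Statement": [{
                    "Sid": "DenyInsecureTransport",
                    "Effect": "Deny",
                    "Principal": "*",
                    "Action": "s3:*",
                    "Resource": ["arn:aws:s3:::cui-exports",
                                 "arn:aws:s3:::cui-exports/*"],
                    "Condition": {"Bool": {"aws:SecureTransport": "false"}},
                }],
            },
        },
        {
            "Name": "cui-staging",
            "Policy": {
                "Version": "2012-10-17",
                "Statement": [{
                    "Effect": "Allow",
                    "Principal": {"AWS": "arn:aws:iam::123456789012:role/etl"},
                    "Action": ["s3:GetObject", "s3:PutObject"],
                    "Resource": "arn:aws:s3:::cui-staging/*",
                }],
            },
        },
    ],
    "listeners": [
        {"LoadBalancer": "alb-cui-portal", "Port": 443, "Protocol": "HTTPS",
         "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-2021-06"},
        {"LoadBalancer": "alb-cui-portal", "Port": 80, "Protocol": "HTTP"},
        {"LoadBalancer": "alb-cui-portal", "Port": 8443, "Protocol": "HTTPS",
         "SslPolicy": "ELBSecurityPolicy-2016-08"},
    ],
}

if __name__ == "__main__":
    print(json.dumps(audit_transport(SAMPLE_INVENTORY), indent=2))
```

Run against the constructed inventory, the audit reports the staging bucket, the plaintext port-80 listener, and the port-8443 listener on a policy that still allows TLS 1.0; the exported finding list is the kind of technical evidence that can accompany a configuration screenshot. The check only evidences that encryption in transit is enforced; whether the cryptographic module itself is validated is a separate question, and alternative physical safeguards such as a PDS are documented rather than queried.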

More Details:

All transmission paths used to transfer CUI are protected by cryptographic mechanisms, or by a documented alternative physical safeguard (such as a PDS) where encryption is not feasible.