Level 2
Description:
This requirement applies to internal and external networks and any system components that can transmit information including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, and facsimile machines. Communication paths outside the physical protection of controlled boundaries are susceptible to both interception and modification. Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs), may find it difficult to obtain the necessary assurances regarding the implementation of the controls for transmission confidentiality. In such situations, organizations determine what types of confidentiality services are available in commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary safeguards and assurances of the effectiveness of the safeguards through appropriate contracting vehicles, organizations implement compensating safeguards or explicitly accept the additional risk. An example of an alternative physical safeguard is a protected distribution system (PDS) where the distribution medium is protected against electronic or physical intercept, thereby ensuring the confidentiality of the information being transmitted. See [NIST CRYPTO].
Priority: High
Domain: SYSTEM AND COMMUNICATIONS PROTECTION (SC)
Category: Encryption
Services Associated with AWS:
- AWS Key Management Service (KMS)
- AWS Certificate Manager
- Amazon Macie
- AWS Secrets Manager
- AWS Shield
- AWS WAF
- AWS Security Hub
- Amazon Connect
- AWS Direct Connect
- AWS Transit Gateway
Services Associated with Azure:
- Azure Key Vault
- Azure Certificate Manager
- Azure Traffic Manager
- Azure Application Gateway
- Azure Front Door
- Azure Virtual WAN
- Azure ExpressRoute
- Azure VPN Gateway
- Azure Bastion
Objective Evidence:
- Administrative: documented policies, standards & procedures
- Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations
- Technical: screenshot of configuration settings
- Technical: screenshot of cryptography in use
Possible Technology Considerations:
- Secure Baseline Configurations (SBC)
- Cryptographic Solution (data in transit)
What needs to be answered?
Are cryptographic mechanisms used to prevent unauthorized disclosure of information during transmission unless otherwise protected by alternative physical measures? Are all alternative physical safeguards used to provide confidentiality of CUI during transmission documented?
Checks for AWS:
- Transmission Security Check
- Description: This check ensures that cryptographic mechanisms are implemented to prevent unauthorized disclosure of Controlled Unclassified Information (CUI) during transmission, barring the presence of alternative physical safeguards.
- Check for Alternative Physical Safeguards
- Description: This check verifies the existence of alternative physical safeguards when cryptographic mechanisms are not feasible for the prevention of unauthorized disclosure of CUI during transmission.
- Evaluation of Telecommunication Service Packages
- Description: This check ensures that organizations determine what types of confidentiality services are available in commercial telecommunication service packages to provide necessary safeguards for the transmission of CUI.
Checks for Azure:
- Transmission Security Check
- Description: This policy ensures that all transmission methods used for transferring Controlled Unclassified Information (CUI) are done via encrypted mechanisms. Encryption is implemented to prevent unauthorized disclosure of CUI during transmission, providing an essential safeguard for data in transit.
- Check for Alternative Physical Safeguards
- Description: This policy verifies the existence of alternative physical safeguards when cryptographic mechanisms are not feasible or practical for the prevention of unauthorized disclosure of CUI during transmission. In situations where encryption may not be possible, organizations must implement other physical safeguards to ensure the confidentiality of data being transmitted.
- Evaluation of Telecommunication Service Packages
- Description: This policy ensures that organizations evaluate and determine the types of confidentiality services available in commercial telecommunication service packages. By doing so, they can assess whether these services provide the necessary safeguards required for the secure transmission of CUI. Organizations need to make informed decisions about the telecommunication services they use based on the level of protection offered for data in transit.
More Details:
All transmission methods used for transferring CUI are done via encrypted mechanisms.