
SC-8(1) Transmission Confidentiality and Integrity | Cryptographic Protection

IL4 Mod
IL4 High
IL5
IL6

>Control Description

Implement cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission.

>DoD Impact Level Requirements

FedRAMP Parameter Values

SC-8 (1) [prevent unauthorized disclosure of information AND detect changes to information]

Additional Requirements and Guidance

SC-8 (1) Requirement: Please ensure SSP Section 10.3 Cryptographic Modules Implemented for Data At Rest (DAR) and Data In Transit (DIT) is fully populated for reference in this control.

SC-8 (1) Guidance: See M-22-09, including "Agencies encrypt all DNS requests and HTTP traffic within their environment". SC-8 (1) applies when encryption has been selected as the method to protect confidentiality and integrity. Otherwise refer to SC-8 (5). SC-8 (1) is strongly encouraged.

SC-8 (1) Guidance: Note that this enhancement requires the use of cryptography which must be compliant with Federal requirements and utilize FIPS validated or NSA approved cryptography (see SC-13).

SC-8 (1) Guidance: When leveraging encryption from the underlying IaaS/PaaS: While some IaaS/PaaS services provide encryption by default, many require encryption to be configured and enabled by the customer. The CSP has the responsibility to verify encryption is properly configured.

>Discussion

Encryption protects information from unauthorized disclosure and modification during transmission. Cryptographic mechanisms that protect the confidentiality and integrity of information during transmission include TLS and IPSec. Cryptographic mechanisms used to protect information integrity include cryptographic hash functions that have applications in digital signatures, checksums, and message authentication codes.

>Programmatic Queries

Beta

Related Services

ACM
KMS
CloudFront

CLI Commands

Request or import SSL/TLS certificate from AWS Certificate Manager
aws acm request-certificate --domain-name example.com --validation-method DNS --tags Key=Environment,Value=Production
Create KMS key for encryption of data in transit
aws kms create-key --description 'KMS key for transmission encryption' --key-usage ENCRYPT_DECRYPT
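Configure CloudFront distribution with encryption enforcement (HTTPS requirements are set inside cloudfront-config.json through ViewerProtocolPolicy and OriginProtocolPolicy; create-distribution has no separate HTTPS flag)
aws cloudfront create-distribution --distribution-config file://cloudfront-config.json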
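Enable TLS version enforcement for an API Gateway custom domain name (securityPolicy is a domain name setting, not a stage setting; api.example.com is a placeholder)
aws apigateway update-domain-name --domain-name api.example.com --patch-operations op=replace,path=/securityPolicy,value=TLS_1_2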
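
The guidance above makes the CSP responsible for verifying that encryption is actually configured, so the following added example (not part of the original page or any AWS tooling) audits the contents of a cloudfront-config.json for settings that permit plaintext or pre-TLS 1.2 transport. The function name, the sample configuration and the TLS 1.2 acceptance floor are assumptions made for illustration; the check covers transport settings only and does not establish FIPS validation of the underlying modules.

```python
import json

# Constructed sample of a cloudfront-config.json (DistributionConfig subset);
# not taken from the page. Values are chosen to trigger each check.
SAMPLE_CONFIG = json.loads("""
{
  "Origins": {"Quantity": 2, "Items": [
    {"Id": "app-origin",
     "CustomOriginConfig": {"OriginProtocolPolicy": "match-viewer",
       "OriginSslProtocols": {"Quantity": 2, "Items": ["TLSv1", "TLSv1.2"]}}},
    {"Id": "static-origin",
     "CustomOriginConfig": {"OriginProtocolPolicy": "https-only",
       "OriginSslProtocols": {"Quantity": 1, "Items": ["TLSv1.2"]}}}
  ]},
  "DefaultCacheBehavior": {"ViewerProtocolPolicy": "allow-all"},
  "CacheBehaviors": {"Quantity": 1, "Items": [
    {"PathPattern": "/static/*", "ViewerProtocolPolicy": "https-only"}
  ]},
  "ViewerCertificate": {"MinimumProtocolVersion": "TLSv1"}
}
""")

def audit_distribution_config(cfg):
    """Return findings where the config permits plaintext or pre-TLS 1.2 transport."""
    findings = []
    # Viewer side: every cache behavior must refuse or redirect plain HTTP.
    behaviors = [("default", cfg.get("DefaultCacheBehavior", {}))]
    for b in cfg.get("CacheBehaviors", {}).get("Items") or []:
        behaviors.append((b.get("PathPattern", "?"), b))
    for name, b in behaviors:
        if b.get("ViewerProtocolPolicy") not in ("https-only", "redirect-to-https"):
            findings.append(f"behavior {name}: viewer HTTP allowed")
    # Origin side: custom origins must be fetched over HTTPS with TLS 1.2 only.
    for o in cfg.get("Origins", {}).get("Items") or []:
        custom = o.get("CustomOriginConfig")
        if custom is None:
            continue  # S3 origins carry no protocol policy in this structure
        if custom.get("OriginProtocolPolicy") != "https-only":
            findings.append(f"origin {o['Id']}: origin fetch may use HTTP")
        weak = [p for p in custom.get("OriginSslProtocols", {}).get("Items") or []
                if p != "TLSv1.2"]
        if weak:
            findings.append(f"origin {o['Id']}: weak origin protocols {weak}")
    # Viewer TLS floor: policy names beginning TLSv1.2 or TLSv1.3 are accepted.
    floor = cfg.get("ViewerCertificate", {}).get("MinimumProtocolVersion", "unset")
    if not floor.startswith(("TLSv1.2", "TLSv1.3")):
        findings.append(f"viewer certificate: minimum protocol {floor}")
    return findings
```

The returned list can be saved alongside the configuration as assessment evidence; an empty list means none of these transport checks failed.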

>Related Controls

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What policies govern the implementation of cryptographic protection?
  • How are system and communications protection requirements defined and maintained?
  • Who is responsible for configuring and maintaining the security controls specified in SC-8(1)?
  • What is your cryptographic key management policy?

Technical Implementation:

  • How is cryptographic protection technically implemented in your environment?
  • What systems, tools, or configurations enforce this protection requirement?
  • How do you ensure that cryptographic protection remains effective as the system evolves?
  • What encryption mechanisms and algorithms are used to protect data?

Evidence & Documentation:

  • What documentation demonstrates the implementation of SC-8(1)?
  • Can you provide configuration evidence or system diagrams showing this protection control?
  • What logs or monitoring data verify that this control is functioning correctly?
  • Can you demonstrate that FIPS 140-2 validated cryptography is used?
