SI-4(10)—System Monitoring | Visibility of Encrypted Communications
>Control Description
>DoD Impact Level Requirements
Additional Requirements and Guidance
SI-4 (10) Requirement: The service provider must support Agency requirements to comply with M-21-31 (https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf) and M-22-09 (https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf).
>Discussion
Organizations balance the need to encrypt communications traffic to protect data confidentiality with the need to maintain visibility into such traffic from a monitoring perspective. Organizations determine whether the visibility requirement applies to internal encrypted traffic, encrypted traffic intended for external destinations, or a subset of the traffic types.
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- •What policies and procedures govern visibility of encrypted communications?
- •Who is responsible for monitoring system and information integrity?
- •How frequently are integrity monitoring processes reviewed and updated?
Technical Implementation:
- •What technical controls detect and respond to visibility of encrypted communications issues?
- •How are integrity violations identified and reported?
- •What automated tools support system and information integrity monitoring?
- •What systems and events are monitored for integrity violations?
Evidence & Documentation:
- •Can you provide recent integrity monitoring reports or alerts?
- •What logs demonstrate that SI-4(10) is actively implemented?
- •Where is evidence of integrity monitoring maintained and for how long?
- •Can you provide examples of integrity monitoring alerts and responses?
Ask AI
Configure your API key to use AI features.