KSI-SVC-SNT—Securing Network Traffic
Formerly KSI-SVC-02
Trust Center Components
Ways to express your implementation of this indicator — approaches vary by organization size, complexity, and data sensitivity.
From the field: Mature implementations express transport security through certificate management dashboards — certificate inventories with rotation schedules tracked automatically, network encryption maps showing coverage across all paths, and certificate monitoring tools alerting on approaching expirations. Transport security is actively managed, not just configured.
Network Traffic Flow Diagram
Architecture expressing all network traffic paths with encryption status per segment
Certificate Management
How certificates are managed across their lifecycle — issuance, rotation, revocation tracked automatically
Network Encryption Standards
Human-readable standards for network traffic encryption including minimum TLS versions and approved cipher suites
Programmatic Queries
CLI Commands
aws acm list-certificates --query "CertificateSummaryList[].{Domain:DomainName,Status:Status,InUse:InUseBy | length(@)}" --output table
aws acm describe-certificate --certificate-arn <cert-arn> --query "Certificate.{Domain:DomainName,Status:Status,NotAfter:NotAfter,KeyAlgorithm:KeyAlgorithm}" --output table
The first command inventories every certificate ACM knows about, with its status and the number of AWS resources using it; the second returns the expiry date and key algorithm for one certificate. ACM only covers certificates it issued or that were imported into it, so certificates terminated elsewhere (cert-manager in Kubernetes, self-managed hosts, third-party load balancers) need their own inventory source to satisfy the coverage questions below.
20x Assessment Focus Areas
Aligned with FedRAMP 20x Phase Two assessment methodology
Completeness & Coverage:
- Is all network traffic encrypted — including internal service-to-service traffic, database connections, management plane traffic, and backup replication?
- Are there any network paths where traffic is unencrypted (e.g., within a VPC, between containers on the same host, legacy protocol connections), and how are those exceptions documented?
- Does encryption cover all protocols in use — HTTPS, gRPC, database-specific TLS, DNS-over-HTTPS/TLS, and email transmission?
- How do you ensure network encryption extends to traffic involving third-party services and integrations within the authorization boundary?
Automation & Validation:
- What automated checks detect unencrypted network traffic — network flow analysis, TLS configuration scanning, or protocol-level inspection?
- How do you validate that encryption configurations meet minimum standards (TLS 1.2+, strong cipher suites, no deprecated protocols) across all services?
- What happens if an unencrypted communication path is detected — is it automatically blocked, or only alerted?
- How do you detect certificate expiration or TLS misconfiguration that could cause encrypted connections to fail or downgrade?
Inventory & Integration:
- What tools enforce network encryption across your stack (load balancers, service mesh, API gateways, database TLS configuration)?
- How do you maintain an inventory of all TLS certificates, their expiration dates, and the services they protect?
- How does your certificate management integrate with automated renewal (Let's Encrypt, ACM, cert-manager) to prevent expiration-related outages?
- Are TLS configurations for all services defined as code and enforced through automated deployment?
Continuous Evidence & Schedules:
- How do you demonstrate that all network traffic has been encrypted over the past 90 days — through flow log analysis, TLS scan results, or monitoring data?
- Is TLS configuration and certificate status data available via API or dashboard for ongoing assessment?
- How do you detect TLS configuration regression — for example, when a service update inadvertently enables a deprecated cipher suite?
- What evidence shows encryption protocol versions and cipher suites are reviewed and updated as security standards evolve?
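The following Python script is an added example, not part of this page's guidance and not FedRAMP, AWS or any scanner's code. It shows one way to turn the Programmatic Queries above and the Automation & Validation and Continuous Evidence questions into a repeatable check: it evaluates TLS scan results against a hypothetical Network Encryption Standard (TLS 1.2 minimum, an approved cipher list), flags regressions between two scans of the same host, and checks records shaped like `aws acm describe-certificate` output for expiry, weak keys and certificates no resource uses. The STANDARD values, host names, ARNs, certificate records and the scan-result shape are all constructed assumptions of the example; the ACM field names (DomainName, Status, NotAfter, KeyAlgorithm, InUseBy) are the ones the CLI command on this page queries.

```python
"""Check TLS scan results and ACM certificate records against a network
encryption standard. Added example for this page, not FedRAMP, AWS or any
scanner's own code; all input values below are constructed."""
from datetime import datetime, timezone

# Constructed stand-in for the organization's Network Encryption Standards.
# Cipher names use OpenSSL naming, which sslscan/testssl-style tools report.
STANDARD = {
    "min_protocol": "TLSv1.2",
    "approved_ciphers": {
        "TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256",
        "TLS_CHACHA20_POLY1305_SHA256",
        "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
        "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
    },
    "weak_key_algorithms": {"RSA_1024"},   # spelled as the ACM KeyAlgorithm enum
    "min_cert_days_remaining": 30,
}
PROTOCOL_ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def check_endpoint(scan, standard=STANDARD):
    """Findings for one endpoint. `scan` is this example's assumed shape for
    post-processed scanner output: host, protocols offered, ciphers offered."""
    findings = []
    floor = PROTOCOL_ORDER.index(standard["min_protocol"])
    for proto in scan["protocols"]:
        if PROTOCOL_ORDER.index(proto) < floor:
            findings.append(f"{scan['host']}: deprecated protocol {proto} offered")
    for cipher in scan["ciphers"]:
        if cipher not in standard["approved_ciphers"]:
            findings.append(f"{scan['host']}: unapproved cipher suite {cipher}")
    return findings


def diff_scans(previous, current):
    """Regression check: protocols or ciphers offered now that the previous
    scan of the same host did not offer (e.g. after a service update)."""
    return {
        "protocols": sorted(set(current["protocols"]) - set(previous["protocols"])),
        "ciphers": sorted(set(current["ciphers"]) - set(previous["ciphers"])),
    }


def check_acm_certificate(cert, now, standard=STANDARD):
    """Findings for one record shaped like the Certificate object that
    `aws acm describe-certificate` returns (same field names; NotAfter is
    parsed as the ISO 8601 timestamp the CLI emits by default)."""
    findings = []
    domain = cert["DomainName"]
    if cert["Status"] != "ISSUED":
        findings.append(f"{domain}: certificate status is {cert['Status']}")
    days_left = (datetime.fromisoformat(cert["NotAfter"]) - now).days
    if days_left < 0:
        findings.append(f"{domain}: expired {-days_left} days ago")
    elif days_left < standard["min_cert_days_remaining"]:
        findings.append(f"{domain}: expires in {days_left} days")
    if cert.get("KeyAlgorithm") in standard["weak_key_algorithms"]:
        findings.append(f"{domain}: weak key algorithm {cert['KeyAlgorithm']}")
    if not cert.get("InUseBy"):   # in the inventory but protecting nothing
        findings.append(f"{domain}: not attached to any AWS resource (stale inventory entry?)")
    return findings


def run_checks(scans, certs, now):
    """Aggregate findings; an empty list is the state to present as evidence."""
    findings = []
    for scan in scans:
        findings.extend(check_endpoint(scan))
    for cert in certs:
        findings.extend(check_acm_certificate(cert, now))
    return findings


# Constructed sample inputs: one host scanned before and after a service
# update that re-enabled legacy settings, and three ACM certificate records.
SCAN_PREVIOUS = {
    "host": "api.example.internal:443",
    "protocols": ["TLSv1.2", "TLSv1.3"],
    "ciphers": ["TLS_AES_256_GCM_SHA384", "ECDHE-RSA-AES256-GCM-SHA384"],
}
SCAN_CURRENT = {
    "host": "api.example.internal:443",
    "protocols": ["TLSv1.1", "TLSv1.2", "TLSv1.3"],
    "ciphers": ["TLS_AES_256_GCM_SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
                "AES128-SHA"],   # CBC suite without forward secrecy
}
ALB_ARN = ("arn:aws:elasticloadbalancing:us-east-1:123456789012:"
           "loadbalancer/app/api/0123456789abcdef")   # constructed ARN
ACM_CERTS = [
    {"DomainName": "api.example.com", "Status": "ISSUED",
     "NotAfter": "2030-01-01T00:00:00+00:00", "KeyAlgorithm": "RSA_2048",
     "InUseBy": [ALB_ARN]},
    {"DomainName": "legacy.example.com", "Status": "ISSUED",
     "NotAfter": "2025-06-15T00:00:00+00:00", "KeyAlgorithm": "RSA_2048",
     "InUseBy": []},
    {"DomainName": "old.example.com", "Status": "EXPIRED",
     "NotAfter": "2025-01-01T00:00:00+00:00", "KeyAlgorithm": "RSA_1024",
     "InUseBy": [ALB_ARN]},
]
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)   # fixed clock for repeatable runs

if __name__ == "__main__":
    for line in run_checks([SCAN_CURRENT], ACM_CERTS, NOW):
        print(line)
    print("regression vs previous scan:", diff_scans(SCAN_PREVIOUS, SCAN_CURRENT))
```

To use this against real data, replace ACM_CERTS with the parsed `--output json` form of the describe-certificate command above and the scan dictionaries with output from whatever TLS scanner you run; keep NOW as the real clock and run the script on a schedule so the findings list, or its emptiness, becomes the dated evidence the Continuous Evidence questions ask for. The regression check only works if previous scan results are retained, which is itself part of the evidence trail.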