>myctrl.tools
Preferences
Under active development Content is continuously updated and improved
Compare

SC-8 (01)Transmission Confidentiality and Integrity | Cryptographic Protection

Low
Moderate
High

>Control Description

Implement cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission.

>FedRAMP Baseline Requirements

Parameter Values

Additional Requirements and Guidance

SC-8 (1) Requirement: Please ensure SSP Section 10.3 Cryptographic Modules Implemented for Data At Rest (DAR) and Data In Transit (DIT) is fully populated for reference in this control. SC-8 (1) Guidance: See M-22-09, including "Agencies encrypt all DNS requests and HTTP traffic within their environment" SC-8 (1) applies when encryption has been selected as the method to protect confidentiality and integrity. Otherwise refer to SC-8 (5). SC-8 (1) is strongly encouraged. SC-8 (1) Guidance: Note that this enhancement requires the use of cryptography which must be compliant with Federal requirements and utilize FIPS validated or NSA approved cryptography (see SC-13.) SC-8 (1) Guidance: When leveraging encryption from the underlying IaaS/PaaS: While some IaaS/PaaS services provide encryption by default, many require encryption to be configured, and enabled by the customer. The CSP has the responsibility to verify encryption is properly configured.

>Discussion

Encryption protects information from unauthorized disclosure and modification during transmission. Cryptographic mechanisms that protect the confidentiality and integrity of information during transmission include TLS and IPSec. Cryptographic mechanisms used to protect information integrity include cryptographic hash functions that have applications in digital signatures, checksums, and message authentication codes.

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What policies govern the implementation of cryptographic protection?
  • How are system and communications protection requirements defined and maintained?
  • Who is responsible for configuring and maintaining the security controls specified in SC-8(1)?
  • What is your cryptographic key management policy?

Technical Implementation:

  • How is cryptographic protection technically implemented in your environment?
  • What systems, tools, or configurations enforce this protection requirement?
  • How do you ensure that cryptographic protection remains effective as the system evolves?
  • What encryption mechanisms and algorithms are used to protect data?

Evidence & Documentation:

  • What documentation demonstrates the implementation of SC-8(1)?
  • Can you provide configuration evidence or system diagrams showing this protection control?
  • What logs or monitoring data verify that this control is functioning correctly?
  • Can you demonstrate that FIPS 140-2 validated cryptography is used?

Ask AI

Configure your API key to use AI features.