
SI-4 (10) System Monitoring | Visibility of Encrypted Communications

High

>Control Description

Make provisions so that organization-defined encrypted communications traffic is visible to organization-defined system monitoring tools and mechanisms.

>FedRAMP Baseline Requirements

Additional Requirements and Guidance

SI-4 (10) Requirement: The service provider must support Agency requirements to comply with M-21-31 (https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf) and M-22-09 (https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf). Implementation of this control by service providers should specifically support the methods used by agency customers to provide visibility into their encrypted communications between agency networks and the cloud service boundary so that the confidentiality, integrity, or availability of federal customer within the boundary of the cloud service is not negatively impacted. This additional requirement should be automatically updated if M-21-31 or M-22-09 is rescinded, updated, or replaced.

>Discussion

Organizations balance the need to encrypt communications traffic to protect data confidentiality with the need to maintain visibility into such traffic from a monitoring perspective. Organizations determine whether the visibility requirement applies to internal encrypted traffic, encrypted traffic intended for external destinations, or a subset of the traffic types.

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What policies and procedures govern visibility of encrypted communications?
  • Who is responsible for monitoring system and information integrity?
  • How frequently are integrity monitoring processes reviewed and updated?

Technical Implementation:

  • What technical controls detect and respond to issues with visibility of encrypted communications?
  • How are integrity violations identified and reported?
  • What automated tools support system and information integrity monitoring?
  • What systems and events are monitored for integrity violations?

Evidence & Documentation:

  • Can you provide recent integrity monitoring reports or alerts?
  • What logs demonstrate that SI-4(10) is actively implemented?
  • Where is evidence of integrity monitoring maintained and for how long?
  • Can you provide examples of integrity monitoring alerts and responses?
