myctrl.tools

SC-8 Transmission Confidentiality And Integrity

MODERATE
HIGH

>Control Description

Protect the [Selection (one or more): confidentiality; integrity] of transmitted information.

>Kubernetes Implementation Guidance

What This Control Means in Practice

In containerized and Kubernetes environments, SC-8 applies to all network communication paths: not just traditional north-south (ingress/egress) traffic, but also east-west traffic between pods, services, and cluster components. Key transmission paths to protect in Kubernetes:

  • Pod-to-pod communication (east-west traffic within the cluster)
  • Ingress controller to backend services (north-south traffic termination)
  • Kubernetes API server communication (kubectl, kubelet, controller-manager)
  • etcd cluster peer and client communication
  • Container image pulls from registries
  • Service mesh data plane traffic (sidecar proxy communication)
  • Log and metric collection pipelines (Fluentd/Promtail to aggregators)

Service meshes (Istio, Linkerd) are the most common mechanism for the pod-to-pod portion of SC-8 in Kubernetes: they provide automatic mutual TLS (mTLS) between sidecar-injected workloads without application changes. They do not cover the remaining paths. API server, kubelet and etcd traffic is protected by the TLS configuration of those components (for example the kube-apiserver --tls-min-version and --tls-cipher-suites flags and etcd's peer and client certificates), image pulls by TLS-only registry configuration on the nodes, and ingress by the TLS policy of the ingress controller or load balancer in front of it.

Implementation Examples

Applying a PeerAuthentication named default with mode STRICT in the mesh root namespace (istio-system unless meshConfig.rootNamespace has been changed) enforces mutual TLS for every sidecar-injected workload in the mesh. Sidecars then accept only mTLS connections, so both confidentiality and integrity of east-west traffic are provided by the mesh, satisfying SC-8 for that traffic. Two caveats matter for assessment: a namespace- or workload-scoped PeerAuthentication overrides the mesh-wide one (PERMISSIVE exceptions are common during migrations and must be inventoried), and pods without a sidecar are outside the policy entirely and continue to send and receive plaintext.

# Enforce mTLS for all pod-to-pod communication
# Source: Istio Security Best Practices
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
Source: Istio Security Documentation — PeerAuthentication

How to Validate

# Verify mTLS enforcement across the cluster
kubectl get peerauthentication -A
# Expected: STRICT mode in istio-system (mesh-wide); any namespace- or workload-scoped policy listed here overrides it within its scope

# Check for pods without sidecar injection (mTLS gaps)
kubectl get pods -A -o jsonpath='{range .items[*]}{.metadata.namespace}/{.metadata.name}: {range .spec.containers[*]}{.name} {end}{"\n"}{end}' | grep -v istio-proxy

# Verify NetworkPolicies exist in all namespaces
kubectl get networkpolicies -A

# Test TLS configuration on Ingress endpoints (drop -tls1_2 to see the negotiated default; repeat with -tls1_1 and expect the handshake to fail)
openssl s_client -connect app.example.gov:443 -tls1_2 </dev/null 2>/dev/null | grep -E 'Protocol|Cipher|Verify'

# Verify API server TLS settings: probe the endpoint from kubeconfig (append :443 if the URL carries no port),
# then on self-managed kubeadm clusters confirm the kube-apiserver flags
APISERVER=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}' | sed 's|https://||')
openssl s_client -connect "$APISERVER" </dev/null 2>/dev/null | grep -E 'Protocol|Cipher'
kubectl -n kube-system get pods -l component=kube-apiserver -o jsonpath='{.items[*].spec.containers[0].command}' | tr ' ' '\n' | grep -E 'tls-min-version|tls-cipher-suites'

# Check container registry TLS (pull from registry and verify cert)
skopeo inspect --tls-verify=true docker://registry.example.gov/app:latest

# Verify Istio mTLS status for specific workloads
istioctl x describe pod <pod-name> -n <namespace>

# Check certificate rotation in service mesh (jq -r is required so base64 receives the raw value rather than a quoted JSON string)
istioctl proxy-config secret <pod-name> -n <namespace> -o json | jq -r '.dynamicActiveSecrets[0].secret.tlsCertificate.certificateChain.inlineBytes' | base64 -d | openssl x509 -noout -dates
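The two checks above (mesh-wide PeerAuthentication mode and pods without a sidecar) are easy to run by hand but hard to combine into a per-workload answer, because Istio resolves a workload-scoped policy over a namespace-wide one over the mesh-wide one, and an UNSET mode inherits from the next tier. The script below is an added example, not code from Istio or from this page; it reads the JSON that `kubectl get pods -A -o json` and `kubectl get peerauthentication -A -o json` produce and reports the effective mode for every pod. It assumes the default root namespace istio-system, ignores portLevelMtls, and uses the first policy when several apply in one tier (Istio picks the oldest). The SAMPLE_* documents are constructed so it runs offline.

```python
"""Audit effective Istio mTLS enforcement per pod from kubectl JSON output.

Added example for this page; not Istio, Kubernetes or myctrl.tools code.
Real input:  kubectl get pods -A -o json > pods.json
             kubectl get peerauthentication -A -o json > pa.json
             python3 mtls_audit.py pods.json pa.json
"""
import json
import sys

ROOT_NAMESPACE = "istio-system"   # assumption: default meshConfig.rootNamespace
SIDECAR = "istio-proxy"


def pod_has_sidecar(pod):
    """True if an istio-proxy container exists (regular or native-sidecar init container)."""
    spec = pod["spec"]
    names = [c["name"] for c in spec.get("containers", [])]
    names += [c["name"] for c in spec.get("initContainers", [])]
    return SIDECAR in names


def selector_matches(selector, labels):
    """PeerAuthentication selectors support matchLabels only; every pair must match."""
    wanted = (selector or {}).get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())


def effective_mode(pod, policies):
    """Return (mode, 'namespace/name' of the policy that decided it)."""
    ns = pod["metadata"]["namespace"]
    labels = pod["metadata"].get("labels", {})
    workload, namespace_wide, mesh_wide = [], [], []
    for p in policies:
        pns = p["metadata"]["namespace"]
        if p["spec"].get("selector"):
            # a selector policy only applies to workloads in its own namespace
            if pns == ns and selector_matches(p["spec"]["selector"], labels):
                workload.append(p)
        elif pns == ns:
            namespace_wide.append(p)
        elif pns == ROOT_NAMESPACE:
            mesh_wide.append(p)
    for tier in (workload, namespace_wide, mesh_wide):
        for p in tier[:1]:  # assumption: first listed wins within a tier
            mode = p["spec"].get("mtls", {}).get("mode", "UNSET")
            if mode != "UNSET":  # UNSET inherits from the parent tier
                return mode, f"{p['metadata']['namespace']}/{p['metadata']['name']}"
    return "PERMISSIVE", "(no policy; Istio default)"


def audit(pods_doc, pa_doc):
    """Return [(namespace/pod, 'OK' or 'GAP', reason)] for every pod."""
    findings = []
    for pod in pods_doc["items"]:
        name = f"{pod['metadata']['namespace']}/{pod['metadata']['name']}"
        if not pod_has_sidecar(pod):
            findings.append((name, "GAP", "no istio-proxy sidecar; PeerAuthentication cannot apply"))
            continue
        mode, source = effective_mode(pod, pa_doc["items"])
        status = "OK" if mode == "STRICT" else "GAP"
        findings.append((name, status, f"effective mode {mode} from {source}"))
    return findings


# Constructed sample data: one STRICT mesh-wide policy, one PERMISSIVE
# workload exception in "payments", and one un-injected pod in "batch".
SAMPLE_PODS = {"items": [
    {"metadata": {"namespace": "payments", "name": "api-7c9", "labels": {"app": "api"}},
     "spec": {"containers": [{"name": "api"}, {"name": "istio-proxy"}]}},
    {"metadata": {"namespace": "payments", "name": "legacy-5d2", "labels": {"app": "legacy"}},
     "spec": {"containers": [{"name": "legacy"}, {"name": "istio-proxy"}]}},
    {"metadata": {"namespace": "batch", "name": "worker-1", "labels": {"app": "worker"}},
     "spec": {"containers": [{"name": "worker"}]}},
    {"metadata": {"namespace": "batch", "name": "cron-9x", "labels": {"app": "cron"}},
     "spec": {"containers": [{"name": "cron"}, {"name": "istio-proxy"}]}},
]}
SAMPLE_PEERAUTH = {"items": [
    {"metadata": {"namespace": "istio-system", "name": "default"},
     "spec": {"mtls": {"mode": "STRICT"}}},
    {"metadata": {"namespace": "payments", "name": "legacy-permissive"},
     "spec": {"selector": {"matchLabels": {"app": "legacy"}}, "mtls": {"mode": "PERMISSIVE"}}},
]}

if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f, open(sys.argv[2]) as g:
            pods, pa = json.load(f), json.load(g)
    else:
        pods, pa = SAMPLE_PODS, SAMPLE_PEERAUTH
    for name, status, reason in audit(pods, pa):
        print(f"{status:4} {name}: {reason}")
```

Every GAP line is either a pod that must be injected (or explicitly accepted as out of scope, for example kube-system infrastructure that is protected by other means) or a PERMISSIVE exception that needs a documented end date; assessors will ask for both lists.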

>Control Enhancements (5)

>Cross-Framework Mappings

>Programmatic Queries (Beta)

Related Services

ACM
CloudFront
ELB

CLI Commands

List ACM certificates
aws acm list-certificates
Check certificate details
aws acm describe-certificate --certificate-arn ARN
Check ALB listener protocol and SSL policy (HTTPS listeners should carry a TLS 1.2 or later policy; any plain HTTP listener should only redirect to HTTPS)
aws elbv2 describe-listeners --load-balancer-arn ARN --query 'Listeners[].[Port,Protocol,SslPolicy]'
Check that the S3 bucket policy denies non-TLS requests via aws:SecureTransport (bucket default encryption is an at-rest control and does not satisfy SC-8)
aws s3api get-bucket-policy --bucket BUCKET_NAME --query Policy --output text
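Bucket default encryption says nothing about transmission; what satisfies SC-8 for S3 is a bucket policy with a Deny statement conditioned on aws:SecureTransport being false, covering both the bucket ARN (ListBucket) and its objects (GetObject/PutObject) for every action and principal. The checker below is an added example, not AWS or page code: it takes the policy document that `aws s3api get-bucket-policy --bucket NAME --query Policy --output text` prints and reports whether such a statement exists. Both sample policies are constructed; the weak one omits the bucket ARN, so listing the bucket over plain HTTP is still allowed.

```python
"""Does an S3 bucket policy force TLS for every request?

Added example for this page; not AWS or myctrl.tools code.
Usage: aws s3api get-bucket-policy --bucket NAME --query Policy --output text \
         | python3 s3_tls_check.py NAME
"""
import json
import sys


def _as_list(v):
    """IAM allows scalars or lists for Action, Resource and condition values."""
    return v if isinstance(v, list) else [v]


def _principal_is_everyone(principal):
    return principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")


def _denies_all_actions(actions):
    acts = {a.lower() for a in _as_list(actions)}
    return "*" in acts or "s3:*" in acts


def _covers_bucket_and_objects(resources, bucket):
    res = set(_as_list(resources))
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return "*" in res or (bucket_arn in res and f"{bucket_arn}/*" in res)


def _secure_transport_false(condition):
    bool_cond = (condition or {}).get("Bool", {})
    vals = {str(v).lower() for v in _as_list(bool_cond.get("aws:SecureTransport", []))}
    return vals == {"false"}


def enforces_tls(policy, bucket):
    """True if some statement denies every non-TLS request from anyone on bucket and objects."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    for st in _as_list(policy.get("Statement", [])):
        if (st.get("Effect") == "Deny"
                and _principal_is_everyone(st.get("Principal"))
                and _denies_all_actions(st.get("Action", []))
                and _covers_bucket_and_objects(st.get("Resource", []), bucket)
                and _secure_transport_false(st.get("Condition"))):
            return True
    return False


# Constructed sample policies for the hypothetical bucket "example-bucket".
GOOD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})

# Weak: objects only, so ListBucket over plaintext HTTP is not denied.
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Principal": "*", "Action": "s3:*",
    "Resource": "arn:aws:s3:::example-bucket/*",
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})

if __name__ == "__main__":
    if len(sys.argv) == 2:
        ok = enforces_tls(sys.stdin.read(), sys.argv[1])
        print("TLS enforced" if ok else "NO TLS-only deny statement found")
        sys.exit(0 if ok else 1)
    for label, pol in (("good", GOOD_POLICY), ("weak", WEAK_POLICY)):
        print(label, "->", enforces_tls(pol, "example-bucket"))
```

The check is deliberately strict: a Deny limited to GetObject, scoped to one principal, or missing the bucket-level ARN leaves a plaintext path open and is reported as not enforcing TLS.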

>Relevant Technologies

Technology-specific guidance with authoritative sources and verification commands.

>Supplemental Guidance

Protecting the confidentiality and integrity of transmitted information applies to internal and external networks as well as any system components that can transmit information, including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, facsimile machines, and radios. Unprotected communication paths are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of information can be accomplished by physical or logical means.

Physical protection can be achieved by using protected distribution systems. A protected distribution system is a wireline or fiber-optics telecommunications system that includes terminals and adequate electromagnetic, acoustical, electrical, and physical controls to permit its use for the unencrypted transmission of classified information. Logical protection can be achieved by employing encryption techniques. Organizations that rely on commercial providers who offer transmission services as commodity services rather than as fully dedicated services may find it difficult to obtain the necessary assurances regarding the implementation of needed controls for transmission confidentiality and integrity.

In such situations, organizations determine what types of confidentiality or integrity services are available in standard, commercial telecommunications service packages. If it is not feasible to obtain the necessary controls and assurances of control effectiveness through appropriate contracting vehicles, organizations can implement appropriate compensating controls.

>Related Controls

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What policies govern the implementation of transmission confidentiality and integrity?
  • How are system and communications protection requirements defined and maintained?
  • Who is responsible for configuring and maintaining the security controls specified in SC-8?
  • What is your cryptographic key management policy?

Technical Implementation:

  • How is transmission confidentiality and integrity technically implemented in your environment?
  • What systems, tools, or configurations enforce this protection requirement?
  • How do you ensure that transmission confidentiality and integrity remains effective as the system evolves?
  • What network boundary protections are in place (firewalls, gateways, etc.)?
  • What encryption mechanisms and algorithms are used to protect data?

Evidence & Documentation:

  • What documentation demonstrates the implementation of SC-8?
  • Can you provide configuration evidence or system diagrams showing this protection control?
  • What logs or monitoring data verify that this control is functioning correctly?
  • Can you provide network architecture diagrams and firewall rulesets?
  • Can you demonstrate that FIPS 140-2 validated cryptography is used?
