This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The information system protects the [FedRAMP Assignment: (M)(H) confidentiality AND integrity] of transmitted information.
NIST 800-53 (r4) Supplemental Guidance:
This control applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and/or integrity of organizational information can be accomplished by physical means (e.g., by employing protected distribution systems) or by logical means (e.g., employing encryption techniques). Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs), may find it difficult to obtain the necessary assurances regarding the implementation of needed security controls for transmission confidentiality/integrity. In such situations, organizations determine what types of confidentiality/integrity services are available in standard, commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary security controls and assurances of control effectiveness through appropriate contracting vehicles, organizations implement appropriate compensating security controls or explicitly accept the additional risk. Related controls: AC-17, PE-4.
NIST 800-53 (r5) Discussion:
Protecting the confidentiality and integrity of transmitted information applies to internal and external networks as well as any system components that can transmit information, including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, facsimile machines, and radios. Unprotected communication paths are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of information can be accomplished by physical or logical means. Physical protection can be achieved by using protected distribution systems. A protected distribution system is a wireline or fiber-optics telecommunications system that includes terminals and adequate electromagnetic, acoustical, electrical, and physical controls to permit its use for the unencrypted transmission of classified information. Logical protection can be achieved by employing encryption techniques. Organizations that rely on commercial providers who offer transmission services as commodity services rather than as fully dedicated services may find it difficult to obtain the necessary assurances regarding the implementation of needed controls for transmission confidentiality and integrity. In such situations, organizations determine what types of confidentiality or integrity services are available in standard, commercial telecommunications service packages. If it is not feasible to obtain the necessary controls and assurances of control effectiveness through appropriate contracting vehicles, organizations can implement appropriate compensating controls.
38North Guidance:
Meets Minimum Requirement:
Encrypt all data transmitted within and across the authorization boundary using FIPS 140-2 validated cryptographic modules, as appropriate.
Employ TLS v1.2 (or better) for all web communications.
Best Practice:
Employ VPNs (e.g., IPsec or TLS) for all remote access and for connections between disparate networks.
Use the current version of secure transport protocols.
Review NIST SP 800-52 Rev. 2, Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations, for guidance on selecting FIPS-based cipher suites for TLS implementations.
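The TLS floor and cipher-suite selection above are what an assessor looks for in the configuration evidence listed later on this page. As an added example (not 38North's, NIST's or any CSP's code), the Python script below builds a server-side ssl.SSLContext that refuses anything below TLS 1.2 and offers only an allowlisted set of suites, then audits any context (or any exported list of suite names) against that policy. The allowlist is an assumption for this example, modelled on SP 800-52 Rev. 2's preference for ephemeral ECDHE key agreement with AES-GCM; the authoritative suite table is in the publication itself.

```python
import ssl

# Illustrative allowlist (an assumption for this example, not the authoritative
# SP 800-52 Rev. 2 table): TLS 1.2 suites using ephemeral ECDHE key agreement
# with AES-GCM, plus the AES-GCM TLS 1.3 suites. Non-FIPS algorithms such as
# ChaCha20-Poly1305, and legacy RSA key transport or CBC suites, are absent.
APPROVED_CIPHERS = frozenset({
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
})

# OpenSSL cipher-list string for the TLS 1.2 portion of the allowlist. TLS 1.3
# suites are configured separately by OpenSSL and cannot be set through
# Python's ssl module, which is why they are left out of this string.
OPENSSL_TLS12_CIPHER_LIST = ":".join(
    sorted(name for name in APPROVED_CIPHERS if not name.startswith("TLS_"))
)


def build_hardened_context() -> ssl.SSLContext:
    """Server context that refuses anything below TLS 1.2 and offers only
    the allowlisted TLS 1.2 suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(OPENSSL_TLS12_CIPHER_LIST)
    return ctx


def check_tls_settings(minimum_version, cipher_names):
    """Evaluate a protocol floor and an offered cipher list against the policy.

    minimum_version is an ssl.TLSVersion (or its integer value); cipher_names
    is any iterable of OpenSSL-style suite names, so the same check works on a
    live context or on names copied out of a web server or load balancer
    configuration. Returns a dict with:
      protocol_ok        - True when the floor is TLS 1.2 or higher
      disallowed_ciphers - offered suites that are not on the allowlist
      compliant          - True only when both checks pass
    """
    protocol_ok = minimum_version >= ssl.TLSVersion.TLSv1_2
    disallowed = sorted(set(cipher_names) - APPROVED_CIPHERS)
    return {
        "protocol_ok": protocol_ok,
        "disallowed_ciphers": disallowed,
        "compliant": protocol_ok and not disallowed,
    }


def audit_context(ctx: ssl.SSLContext):
    """Run the policy check against what a live SSLContext would actually offer."""
    offered = [suite["name"] for suite in ctx.get_ciphers()]
    return check_tls_settings(ctx.minimum_version, offered)


if __name__ == "__main__":
    # Constructed legacy settings: a TLS 1.0 floor and a cipher list that
    # includes RSA key transport and 3DES. Both findings should be reported.
    legacy = check_tls_settings(
        ssl.TLSVersion.TLSv1,
        ["AES128-SHA", "DES-CBC3-SHA", "ECDHE-RSA-AES128-GCM-SHA256"],
    )
    print("legacy:", legacy)

    # The hardened context: the protocol floor passes and every TLS 1.2 suite
    # is approved. Any remaining findings are TLS 1.3 suites (for example
    # TLS_CHACHA20_POLY1305_SHA256) that OpenSSL enables by default and that
    # must be constrained in the OpenSSL configuration or by a FIPS-validated
    # provider, not from Python.
    print("hardened:", audit_context(build_hardened_context()))
```

Two points worth noting when using this as evidence. First, the audit reports what the context would offer, not what a peer negotiated; pair it with the installed-certificate and FIPS-mode evidence listed below. Second, because Python's ssl module cannot restrict TLS 1.3 suites, the hardened context can still report a non-FIPS TLS 1.3 suite as disallowed on a non-FIPS OpenSSL build; that finding is real and is resolved in the OpenSSL configuration, not in application code.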
Unofficial FedRAMP Guidance:
This control permits the use of physical and non-cryptographic protection mechanisms. However, assessors typically focus on logical protection mechanisms and the use of FIPS 140-2 validated cryptographic modules.
Assessment Evidence:
List of FIPS 140-2 validated cryptographic modules used in the environment for encrypting data in transit (e.g., end user access / data flow), including each module's Cryptographic Module Validation Program (CMVP) certificate number.
Configuration settings showing the enablement of FIPS mode on system components.
Configuration settings showing usage of secure transport protocols and VPN technologies.
Installed TLS certificates.
CSP Implementation Tips:
Amazon Web Services (AWS):
Utilize FIPS endpoints.
Utilize instance types (e.g., Amazon EC2 Nitro System-based instances) that encrypt data in transit by default.
Microsoft Azure: TBD
Google Cloud Platform: TBD