This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The information system implements cryptographic mechanisms to [FedRAMP Assignment: (M)(H) prevent unauthorized disclosure of information AND detect changes to information] during transmission unless otherwise protected by [FedRAMP Assignment: (M)(H) a hardened or alarmed carrier Protective Distribution System (PDS)].
NIST 800-53 (r4) Supplemental Guidance:
Encrypting information for transmission protects information from unauthorized disclosure and modification. Cryptographic mechanisms implemented to protect information integrity include, for example, cryptographic hash functions which have common application in digital signatures, checksums, and message authentication codes. Alternative physical security safeguards include, for example, protected distribution systems. Related control: SC-13.
NIST 800-53 (r5) Discussion:
Encryption protects information from unauthorized disclosure and modification during transmission. Cryptographic mechanisms that protect the confidentiality and integrity of information during transmission include TLS and IPSec. Cryptographic mechanisms used to protect information integrity include cryptographic hash functions that have applications in digital signatures, checksums, and message authentication codes.
38North Guidance:
Meets Minimum Requirement:
Encrypt all data transmitted within and across the authorization boundary using FIPS 140-2 validated cryptographic modules, as appropriate.
Employ TLS 1.2 or later for all web communications.
Best Practice:
Employ VPNs (e.g., IPsec or TLS based) for all remote access and for connections between disparate networks.
Use the current version of each secure transport protocol (e.g., TLS 1.3).
For microservice architectures, use a service mesh to encrypt data in transit between services (typically with mutual TLS).
Review NIST SP 800-52 Rev. 2, Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations, for guidance on selecting FIPS-based cipher suites for TLS implementations.
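As an added example (not part of the 38North guidance or of any NIST publication), the following Python script checks a negotiated TLS session against the requirement and best practice above: protocol TLS 1.2 or later, and a cipher suite drawn from an allowlist. The allowlist is an assumed, illustrative subset of the FIPS-approved suites that SP 800-52 Rev. 2 recommends, written in OpenSSL naming; substitute the organization's approved list. `evaluate()` is the pure policy check and can be run over values collected from any source (e.g., `openssl s_client` output); `probe()` opens a real connection and is not exercised offline.

```python
"""SC-8 transmission check: was TLS 1.2+ negotiated with an approved cipher suite?

Added example; not code from the guidance page or from NIST. APPROVED_SUITES is an
ASSUMED, illustrative subset of the SP 800-52r2 recommended suites (OpenSSL names).
Replace it with the organization's approved list.
"""
import socket
import ssl
from dataclasses import dataclass
from typing import Optional

MIN_PROTOCOL = "TLSv1.2"

# Ordered tuple: the order is the preference order passed to OpenSSL for TLS 1.2.
APPROVED_SUITES = (
    "TLS_AES_256_GCM_SHA384",          # TLS 1.3
    "TLS_AES_128_GCM_SHA256",          # TLS 1.3
    "ECDHE-ECDSA-AES256-GCM-SHA384",   # TLS 1.2, ECDHE key agreement, AES-GCM
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
)
_APPROVED = frozenset(APPROVED_SUITES)

# Protocol strings as returned by ssl.SSLSocket.version(), lowest to highest.
_PROTOCOL_RANK = {"SSLv2": 0, "SSLv3": 1, "TLSv1": 2, "TLSv1.1": 3,
                  "TLSv1.2": 4, "TLSv1.3": 5}


@dataclass(frozen=True)
class Finding:
    protocol: str
    cipher: str
    compliant: bool
    reasons: tuple  # empty when compliant


def evaluate(protocol: str, cipher: str, bits: Optional[int] = None) -> Finding:
    """Pure policy check over a negotiated (protocol, cipher suite, key bits) triple."""
    reasons = []
    rank = _PROTOCOL_RANK.get(protocol)
    if rank is None:
        reasons.append(f"unrecognized protocol {protocol!r}")
    elif rank < _PROTOCOL_RANK[MIN_PROTOCOL]:
        reasons.append(f"{protocol} negotiated; minimum is {MIN_PROTOCOL}")
    if cipher not in _APPROVED:
        reasons.append(f"cipher suite {cipher} is not on the approved list")
    if bits is not None and bits < 128:
        reasons.append(f"symmetric key strength {bits} bits is below 128")
    return Finding(protocol, cipher, not reasons, tuple(reasons))


def hardened_client_context() -> ssl.SSLContext:
    """Context an application client should use: certificate validation on, TLS 1.2
    floor, TLS 1.2 offers limited to the approved suites. (Python cannot restrict the
    TLS 1.3 suite list through set_ciphers; OpenSSL's TLS 1.3 defaults apply.)"""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(s for s in APPROVED_SUITES if not s.startswith("TLS_")))
    return ctx


def probe(host: str, port: int = 443, timeout: float = 5.0) -> Finding:
    """Connect with a deliberately permissive client so the server's own choice is
    observed, then evaluate what was negotiated. Network call, for evidence
    collection; not used in offline tests."""
    ctx = ssl.create_default_context()
    # Allow old protocols so a server that still picks them is detected
    # (subject to the local OpenSSL security level).
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            name, _proto, bits = tls.cipher()
            return evaluate(tls.version(), name, bits)


if __name__ == "__main__":
    import sys
    finding = probe(sys.argv[1])
    print(finding)
    sys.exit(0 if finding.compliant else 1)
```

Run as `python sc8_tls_check.py example.com` (file name assumed) to record the negotiated protocol and suite for the assessment evidence below; a non-zero exit marks a non-compliant endpoint. Note that `probe()` only reports the server's preferred choice for this client's offer, so a full server audit should enumerate every protocol and suite the server accepts rather than rely on a single handshake.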
Unofficial FedRAMP Guidance:
FIPS 140-2 validated TLS implementations may not be necessary in limited situations where no customer data is transmitted.
Assessment Evidence:
List of FIPS 140-2 validated cryptographic modules used in the environment to encrypt data in transit (e.g., end-user access, internal data flows), including the Cryptographic Module Validation Program (CMVP) certificate number for each module.
Configuration settings showing FIPS mode enabled on system components.
Configuration settings showing the secure transport protocols and VPN technologies in use.
Installed TLS certificates.
CSP Implementation Tips:
Amazon Web Services (AWS):
Use the AWS FIPS service endpoints for API calls.
Use instance types that encrypt traffic between instances in transit by default (e.g., supported Amazon EC2 Nitro System-based instances).
Microsoft Azure: TBD
Google Cloud Platform: TBD