SC-8: Transmission Confidentiality and Integrity
Previous Version:
- NIST Special Publication 800-53 Revision 4:
- SC-8: Transmission Confidentiality And Integrity
Control Statement
Protect the [Assignment (one or more): confidentiality, integrity] of transmitted information.
Supplemental Guidance
Protecting the confidentiality and integrity of transmitted information applies to internal and external networks as well as any system components that can transmit information, including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, facsimile machines, and radios. Unprotected communication paths are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of information can be accomplished by physical or logical means. Physical protection can be achieved by using protected distribution systems. A protected distribution system is a wireline or fiber-optics telecommunications system that includes terminals and adequate electromagnetic, acoustical, electrical, and physical controls to permit its use for the unencrypted transmission of classified information. Logical protection can be achieved by employing encryption techniques.
Organizations that rely on commercial providers who offer transmission services as commodity services rather than as fully dedicated services may find it difficult to obtain the necessary assurances regarding the implementation of needed controls for transmission confidentiality and integrity. In such situations, organizations determine what types of confidentiality or integrity services are available in standard, commercial telecommunications service packages. If it is not feasible to obtain the necessary controls and assurances of control effectiveness through appropriate contracting vehicles, organizations can implement appropriate compensating controls.
Control Enhancements
SC-8(1): Cryptographic Protection
Baseline(s):
- Moderate
- High
Implement cryptographic mechanisms to [Assignment (one or more): prevent unauthorized disclosure of information, detect changes to information] during transmission.
SC-8(2): Pre- and Post-transmission Handling
Baseline(s):
Maintain the [Assignment (one or more): confidentiality, integrity] of information during preparation for transmission and during reception.
SC-8(3): Cryptographic Protection for Message Externals
Baseline(s):
Implement cryptographic mechanisms to protect message externals unless otherwise protected by [Assignment: organization-defined alternative physical controls].
SC-8(4): Conceal or Randomize Communications
Baseline(s):
Implement cryptographic mechanisms to conceal or randomize communication patterns unless otherwise protected by [Assignment: organization-defined alternative physical controls].
SC-8(5): Protected Distribution System
Baseline(s):
Implement [Assignment: organization-defined protected distribution system] to [Assignment (one or more): prevent unauthorized disclosure of information, detect changes to information] during transmission.