SI-4(10): Visibility of Encrypted Communications

Control Family:

System and Information Integrity

Parent Control:

SI-4: System Monitoring

CSF v1.1 References:

ID.RA-1
PR.DS-5
PR.IP-8
DE.AE-1
DE.AE-2
DE.AE-3
DE.AE-4
DE.CM-1
DE.CM-4
DE.CM-5
DE.CM-6
DE.CM-7
DE.DP-2
DE.DP-3
DE.DP-4
DE.DP-5
RS.AN-1

Threats Addressed:

Lateral Movement

Baselines:

High

Previous Version:

NIST Special Publication 800-53 Revision 4:
SI-4(10): Visibility Of Encrypted Communications

Control Statement

Make provisions so that [Assignment: organization-defined encrypted communications traffic] is visible to [Assignment: organization-defined system monitoring tools and mechanisms].

Supplemental Guidance

Organizations balance the need to encrypt communications traffic to protect data confidentiality with the need to maintain visibility into such traffic from a monitoring perspective. Organizations determine whether the visibility requirement applies to internal encrypted traffic, encrypted traffic intended for external destinations, or a subset of the traffic types.