Device Class 2: Transmission Confidentiality And Integrity

Control ID: SC-8 Transmission Confidentiality And Integrity Family: System and Communications Protection Source: NIST 800-53r4
Control: The information system protects the confidentiality and integrity of transmitted information.
Supplemental Guidance:
This control applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g.,servers, mobile devices, notebook computers, printers, copiers, scanners, facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., by employing protected distribution systems) or by logical means (e.g., employing encryption techniques). Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs), may find it difficult to obtain the necessary assurances regarding the implementation of needed security controls for transmission confidentiality/integrity. In such situations, organizations determine what types of confidentiality/integrity services are available in standard, commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary security controls and assurances of control effectiveness through appropriate contracting vehicles, organizations implement appropriate compensating security controls or explicitly accept the additional risk.

Related Controls: AC-17, PE-4
Control Enhancements:
(2) Transmission Confidentiality And Integrity | Cryptographic Or Alternate Physical Protection
The information system implements cryptographic mechanisms to prevent unauthorized disclosure of information and detect changes to information during transmission unless otherwise protected by [Assignment: organization-defined alternative physical safeguards].
Supplemental Guidance: Encrypting information for transmission protects information from unauthorized disclosure and modification. Cryptographic mechanisms implemented to protect information integrity include, for example, cryptographic hash functions which have common application in digital signatures, checksums, and message authentication codes. Alternative physical security safeguards include, for example, protected distribution systems.
Related Controls: SC-13

(1) Transmission Confidentiality And Integrity | Cryptographic Or Alternate Physical Protection
The information system implements cryptographic mechanisms to detect changes to information during transmission unless otherwise protected by [Assignment: organization-defined alternative physical safeguards].
Supplemental Guidance: Encrypting information for transmission protects information from unauthorized disclosure and modification. Cryptographic mechanisms implemented to protect information integrity include, for example, cryptographic hash functions which have common application in digital signatures, checksums, and message authentication codes. Alternative physical security safeguards include, for example, protected distribution systems.
Related Controls: N/A
References: N/A
Mechanisms:

  • Role-based access control as specified in the Access Control family with cryptographically-enforced integrity checking:
    • VPN or SSL with 128-bit security symmetric cryptography for two-way information flows using strong password or X.509 certificates for integrity protection
    • VPN or SSL with 128-bit security symmetric cryptography for two-way information flows using strong password or X.509 certificates for confidentiality protection
    • IEEE 1609.2 authentication for incoming information flows

Protocol Implementation Conformance Statements:
ID Statement Status Reference Notes
SC-8/1 Support IEEE 1609.2 O1
SC-8/1.1 Support signing messages with IEEE 1609.2 certificates AC-3/1:O2 IEEE 1609.2 + appropriate certificate management documents; AC3/1.1 IEEE 1609.2 PIC statement should also be provided
SC-8/1.2 Support verifying messages signed by IEEE 1609.2 certificates AC-3/1:O2 IEEE 1609.2 + appropriate certificate management documents; AC-3/1.2 IEEE 1609.2 PIC statement should also be provided.
SC-8/2 Support TLS-based access control O1 TLS RFCS; AC-3/2
SC-8/2.1 Support server-side TLS operations AC-3/2:O3 TLS RFCS + appropriate root cert management docs; AC-3/2.1 TLS PIC statement should also be provided
SC-8/2.2 Support client-side TLS operations and reject communications from servers that do not have a valid certificate AC-3/2:O3 TLS RFCS + appropriate root cert management docs; AC-3/2.2 TLS PIC statement should also be provided
SC-8/3.1 Support encrypting messages with IEEE 1609.2 certificates AC-3/1:O4 IEEE 1609.2 + appropriate certificate management documents; AC3/1.1 IEEE 1609.2 PIC statement should also be provided
SC-8/3.1 Support encrypting messages with X.509 certificates AC-3/1:O4