SC-8 Transmission Confidentiality and Integrity (L)(M)(H)
- Contextual name: SC-8 Transmission Confidentiality and Integrity (L)(M)(H)
- ID: /frameworks/fedramp-moderate-security-controls/sc/08
- Located in: System and Communications Protection
Description
Protect the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
SC-8 Additional FedRAMP Requirements and Guidance:
Guidance: For each instance of data in transit, confidentiality AND integrity should be provided through cryptography as specified in SC-8 (1), through physical means as specified in SC-8 (5), or through a combination of the two.
For clarity, this control applies to all data in transit. Examples include the following data flows:
- Crossing the system boundary
- Between compute instances, including containers
- From a compute instance to storage
- Replication between availability zones
- Transmission of backups to storage
- From a load balancer to a compute instance
- Flows from management tools required for their work, e.g. log collection, scanning, etc.
The following applies only when choosing SC-8 (5) in lieu of SC-8 (1).
FedRAMP-Defined Assignment / Selection Parameters
SC-8 (5)-1 [a hardened or alarmed carrier Protective Distribution System (PDS) when outside of Controlled Access Area (CAA)]
SC-8 (5)-2 [prevent unauthorized disclosure of information AND detect changes to information]
Guidance: SC-8 (5) applies when physical protection has been selected as the method to protect confidentiality and integrity. For physical protection, data in transit must be in either a Controlled Access Area (CAA) or a hardened or alarmed PDS.
Hardened or alarmed PDS: shall be as defined in SECTION X - CATEGORY 2 PDS INSTALLATION GUIDANCE of CNSSI No. 7003, titled PROTECTED DISTRIBUTION SYSTEMS (PDS). Per CNSSI No. 7003 Section VIII, a PDS must originate and terminate in a Controlled Access Area (CAA).
Controlled Access Area (CAA): data will be considered physically protected, and in a CAA, if it meets Section 2.3 of the DHS Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies. CSPs can meet Section 2.3 of the DHS recommended practice by satisfactory implementation of the following controls: PE-2 (1), PE-2 (2), PE-2 (3), PE-3 (2), PE-3 (3), PE-6 (2), and PE-6 (3). Note: when selecting SC-8 (5), SC-8 (5) itself and the PE controls referenced above must be added to the SSP. CNSSI No. 7003 can be accessed here: https://www.dcsa.mil/Portals/91/documents/ctp/nao/CNSSI_7003_PDS_September_2015.pdf.
The DHS Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies can be accessed here: https://us-cert.cisa.gov/sites/default/files/FactSheets/NCCIC%20ICS_FactSheet_Defense_in_Depth_Strategies_S508C.pdf
Similar
- Sections: /frameworks/fedramp-high-security-controls/sc/08
- Internal ID: dec-c-cf6a8301
Similar Sections (Take Policies From)
Section | Sub Sections | Internal Rules | Policies | Flags |
---|---|---|---|---|
FedRAMP High Security Controls > SC-8 Transmission Confidentiality and Integrity (L)(M)(H) | 1 | 6 | 10 |
Sub Sections
Section | Sub Sections | Internal Rules | Policies | Flags |
---|---|---|---|---|
SC-8(1) Cryptographic Protection (L)(M)(H) | 10 |
Policies (8)
Policy | Logic Count | Flags |
---|---|---|
AWS API Gateway REST API Stage is not configured to use an SSL certificate for authentication | 1 | x6 |
AWS S3 Bucket Policy is not set to deny HTTP requests | 1 | x6 |
Azure App Service FTP deployments are not disabled | 1 | x6 |
Azure App Service HTTPS Only configuration is not enabled | 1 | x6 |
Azure MySQL Flexible Server require_secure_transport Parameter is not set to ON | 1 | x6 |
Azure PostgreSQL Flexible Server require_secure_transport Parameter is not set to ON | 1 | x6 |
Azure PostgreSQL Single Server Enforce SSL Connection is not set enabled | 1 | x6 |
Azure Storage Account Secure Transfer Required is not enabled | 1 | x6 |