Device Class 1: Transmission Confidentiality And Integrity

Control ID: SC-8 Transmission Confidentiality And Integrity

Family: System and Communications Protection

Source: NIST 800-53r4

Control: The information system protects the integrity of transmitted information.

Supplemental Guidance:
This control applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g.,servers, mobile devices, notebook computers, printers, copiers, scanners, facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the integrity of organizational information can be accomplished by physical means (e.g., by employing protected distribution systems) or by logical means (e.g., employing encryption techniques). Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs), may find it difficult to obtain the necessary assurances regarding the implementation of needed security controls for transmission integrity. In such situations, organizations determine what types of integrity services are available in standard, commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary security controls and assurances of control effectiveness through appropriate contracting vehicles, organizations implement appropriate compensating security controls or explicitly accept the additional risk.

Related Controls: AC-17, PE-4

Control Enhancements:
(1) Transmission Confidentiality And Integrity | Cryptographic Or Alternate Physical Protection
The information system implements cryptographic mechanisms to detect changes to information during transmission unless otherwise protected by [Assignment: organization-defined alternative physical safeguards].
Supplemental Guidance: Encrypting information for transmission protects information from unauthorized disclosure and modification. Cryptographic mechanisms implemented to protect information integrity include, for example, cryptographic hash functions which have common application in digital signatures, checksums, and message authentication codes. Alternative physical security safeguards include, for example, protected distribution systems.
Related Controls: SC-13

References: N/A

Mechanisms:

Role-based access control as specified in the Access Control family with cryptographically-enforced integrity checking:

VPN or SSL with 128-bit security symmetric cryptography for two-way information flows using strong password or X.509 certificates for integrity protection.
IEEE 1609.2 authentication for incoming information flows

Protocol Implementation Conformance Statements:

ID	Statement	Status	Reference	Notes
SC-8/1	Support IEEE 1609.2	O1
SC-8/1.1	Support signing messages with IEEE 1609.2 certificates	AC-3/1:O2	IEEE 1609.2 + appropriate certificate management documents; AC3/1.1	IEEE 1609.2 PIC statement should also be provided
SC-8/1.2	Support verifying messages signed by IEEE 1609.2 certificates	AC-3/1:O2	IEEE 1609.2 + appropriate certificate management documents; AC-3/1.2	IEEE 1609.2 PIC statement should also be provided. Does this on its own support managing trusted root certs or is there a separate control for that?
SC-8/2	Support TLS-based access control	O1	RFC 5246; AC-3/2
SC-8/2.1	Support server-side TLS operations	AC-3/2:O3	RFC 5246, appropriate root cert management docs; AC-3/2.1	TLS PIC statement should also be provided
SC-8/2.2	Support client-side TLS operations and reject communications from servers that do not have a valid certificate	AC-3/2:O3	RFC 5246, appropriate root cert management docs; AC-3/2.2	TLS PIC statement should also be provided