800-53|SC-8

Title

TRANSMISSION CONFIDENTIALITY AND INTEGRITY

Description

The information system protects the [Selection (one or more): confidentiality; integrity] of transmitted information.

Supplemental

This control applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and/or integrity of organizational information can be accomplished by physical means (e.g., by employing protected distribution systems) or by logical means (e.g., employing encryption techniques). Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs), may find it difficult to obtain the necessary assurances regarding the implementation of needed security controls for transmission confidentiality/integrity. In such situations, organizations determine what types of confidentiality/integrity services are available in standard, commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary security controls and assurances of control effectiveness through appropriate contracting vehicles, organizations implement appropriate compensating security controls or explicitly accept the additional risk.

Reference Item Details

Related: AC-17, PE-4

Category: SYSTEM AND COMMUNICATIONS PROTECTION

Family: SYSTEM AND COMMUNICATIONS PROTECTION

Priority: P1

Baseline Impact: MODERATE, HIGH

Audit Items


Name | Plugin | Audit Name
1.1.2.6 Ensure 'Enable RPC encryption' is set to Enabled | Windows | CIS Microsoft Office Outlook 2013 v1.1.0 Level 1
1.1.2.6 Ensure 'Enable RPC encryption' is set to Enabled | Windows | CIS Microsoft Office Outlook 2016 v1.1.0 Level 1
1.1.3.9.9 Configure 'MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic.' | Windows | CIS Windows 8 L1 v1.0.0
1.1.3.11.2 Set 'Network security: Minimum session security for NTLM SSP based servers' to 'Require NTLMv2 session security' | Windows | CIS Windows 8 L1 v1.0.0
1.1.3.11.7 Set 'Network security: Minimum session security for NTLM SSP based clients' to 'Require NTLMv2 session security' | Windows | CIS Windows 8 L1 v1.0.0
1.1.3.11.15 Set 'Network Security: Configure encryption types allowed for Kerberos' to 'RC4\AES128\AES256\Future types' | Windows | CIS Windows 8 L1 v1.0.0
1.1.4 Ensure that the --kubelet-https argument is set to true | Unix | CIS Kubernetes 1.11 Benchmark v1.3.0 L1
1.1.4 Ensure that the --kubelet-https argument is set to true | Unix | CIS Kubernetes 1.13 Benchmark v1.4.1 L1
1.1.5 Ensure that the --kubelet-https argument is set to true | Unix | CIS Kubernetes 1.7.0 Benchmark v1.1.0 L1
1.1.6 Ensure that the --secure-port argument is not set to 0 | Unix | CIS Kubernetes 1.8 Benchmark v1.2.0 L1
1.1.7 Ensure that the --secure-port argument is not set to 0 | Unix | CIS Kubernetes 1.11 Benchmark v1.3.0 L1
1.1.7 Ensure that the --secure-port argument is not set to 0 | Unix | CIS Kubernetes 1.13 Benchmark v1.4.1 L1
1.1.8 Ensure that the --secure-port argument is not set to 0 | Unix | CIS Kubernetes 1.7.0 Benchmark v1.1.0 L1
1.1.20 Ensure that the --kubelet-https argument is set to true | Unix | CIS Kubernetes 1.8 Benchmark v1.2.0 L1
1.1.28 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate - cert | Unix | CIS Kubernetes 1.13 Benchmark v1.4.1 L1
1.1.28 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate - key | Unix | CIS Kubernetes 1.13 Benchmark v1.4.1 L1
1.1.29 Ensure that the --client-ca-file argument is set as appropriate | Unix | CIS Kubernetes 1.13 Benchmark v1.4.1 L1
1.1.31 Ensure that the --etcd-cafile argument is set as appropriate | Unix | CIS Kubernetes 1.13 Benchmark v1.4.1 L1
1.2 Ensure that the SharePoint Central Administration Site is TLS-enabled - HTTPS | Windows | CIS Microsoft SharePoint 2019 OS v1.0.0
1.2 Ensure that the SharePoint Central Administration Site is TLS-enabled - Port 443 | Windows | CIS Microsoft SharePoint 2019 OS v1.0.0
1.2.2 Set 'transport input ssh' for 'line vty' connections | Cisco | CIS Cisco IOS 12 L1 v4.0.0
1.2.16 Ensure that the --secure-port argument is not set to 0 | Unix | CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
1.2.16 Ensure that the --secure-port argument is not set to 0 | Unix | CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
1.2.18 Ensure that the --secure-port argument is not set to 0 | OpenShift | CIS RedHat OpenShift Container Platform v1.6.0 L1
1.2.19 Ensure that the --secure-port argument is not set to 0 | Unix | CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
1.2.24 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Unix | CIS Kubernetes v1.10.0 L1 Master
1.2.25 Ensure that the --client-ca-file argument is set as appropriate | Unix | CIS Kubernetes v1.10.0 L1 Master
1.2.26 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate - cert | Unix | CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
1.2.26 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate - cert | Unix | CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
1.2.26 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate - key | Unix | CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
1.10 Ensure system-wide crypto policy is not legacy | Unix | CIS CentOS Linux 8 Server L1 v2.0.0
1.10 Ensure system-wide crypto policy is not legacy | Unix | CIS Fedora 28 Family Linux Server L1 v2.0.0
1.10 Ensure system-wide crypto policy is not legacy | Unix | CIS CentOS Linux 8 Workstation L1 v2.0.0
1.10 Ensure system-wide crypto policy is not legacy | Unix | CIS Fedora 28 Family Linux Workstation L1 v2.0.0
1.10.1 (L1) Ensure 'Allow Basic authentication for HTTP' is set to 'Disabled' | Windows | CIS Microsoft Edge v3.0.0 L1
1.10.3 (L2) Ensure 'Supported authentication schemes' is set to 'Enabled: ntlm, negotiate' | Windows | CIS Microsoft Edge v3.0.0 L2
1.12 Ensure 'Internet-facing receive connectors' is set to 'Tls, BasicAuth, BasicAuthRequireTLS' | Windows | CIS Microsoft Exchange Server 2019 L1 Edge v1.0.0
1.13.2.3 Ensure 'Do not provide Continue option on Encryption warning dialog boxes' is set to Enabled | Windows | CIS Microsoft Office Outlook 2016 v1.1.0 Level 1
1.13.2.3 Ensure 'Do not provide Continue option on Encryption warning dialog boxes' is set to Enabled | Windows | CIS Microsoft Office Outlook 2013 v1.1.0 Level 1
1.13.2.6 Ensure 'S/MIME interoperability with external clients' is set to Enabled:Handle internally | Windows | CIS Microsoft Office Outlook 2013 v1.1.0 Level 1
1.13.2.6 Ensure 'S/MIME interoperability with external clients' is set to Enabled:Handle internally | Windows | CIS Microsoft Office Outlook 2016 v1.1.0 Level 1
1.13.2.7 Ensure 'S/MIME receipt requests behavior' is set to Enabled:Never send S/MIME receipts | Windows | CIS Microsoft Office Outlook 2016 v1.1.0 Level 1
1.13.2.7 Ensure 'S/MIME receipt requests behavior' is set to Enabled:Never send S/MIME receipts | Windows | CIS Microsoft Office Outlook 2013 v1.1.0 Level 1
1.13.2.8 Ensure 'Send all signed messages as clear signed messages' is set to Enabled | Windows | CIS Microsoft Office Outlook 2013 v1.1.0 Level 1
1.13.2.8 Ensure 'Send all signed messages as clear signed messages' is set to Enabled | Windows | CIS Microsoft Office Outlook 2016 v1.1.0 Level 1
1.13.2.9 Ensure 'Signature Warning' is set to Enabled:Always warn about invalid signatures | Windows | CIS Microsoft Office Outlook 2013 v1.1.0 Level 1
1.13.2.9 Ensure 'Signature Warning' is set to Enabled:Always warn about invalid signatures | Windows | CIS Microsoft Office Outlook 2016 v1.1.0 Level 1
1.13.8 Ensure 'Do not automatically sign replies' is set to Enabled | Windows | CIS Microsoft Office Outlook 2013 v1.1.0 Level 1
1.13.8 Ensure 'Do not automatically sign replies' is set to Enabled | Windows | CIS Microsoft Office Outlook 2016 v1.1.0 Level 1
1.17 Ensure CloudFront to Origin connection is configured using TLS1.1+ as the SSL\TLS protocol | amazon_aws | CIS Amazon Web Services Three-tier Web Architecture L2 1.0.0