NIST 800-171 - Encryption in Transit (3.13.8)
Overview:
Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.
Action Items:
3.13.8[a]
Determine if: cryptographic mechanisms intended to prevent unauthorized disclosure of CUI are identified.
3.13.8[b]
Determine if: alternative physical safeguards intended to prevent unauthorized disclosure of CUI are identified.
3.13.8[c]
Determine if: either cryptographic mechanisms or alternative physical safeguards are implemented to prevent unauthorized disclosure of CUI during transmission.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
1) Examine: System and communications protection policy; procedures addressing transmission confidentiality and integrity; system security plan; system design documentation; system configuration settings and associated documentation; system audit logs and records; other relevant documents or records.
2) Interview: System or network administrators; personnel with information security responsibilities; system developer.
3) Test: Cryptographic mechanisms or mechanisms supporting or implementing transmission confidentiality; organizational processes for defining and implementing alternative physical safeguards.
Related Documents (document name and content will vary by organization):
1) System and communications protection policy
2) procedures addressing transmission confidentiality and integrity
3) system security plan
4) system design documentation
5) system configuration settings and associated documentation
6) system audit logs and records
7) other relevant documents or records
Additional Guidance:
This requirement applies to internal and external networks and any system components that can transmit information including, for example, servers, mobile devices, notebook computers, desktop computers, printers, copiers, scanners, and facsimile machines. Communication paths outside the physical protection of a controlled boundary are susceptible to interception and modification. Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs) may find it difficult to obtain the necessary assurances regarding the implementation of needed safeguards for transmission confidentiality. In such situations, organizations determine what types of confidentiality services are available in standard, commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary safeguards and assurances of the effectiveness of the safeguards through appropriate contracting vehicles, organizations implement compensating safeguards or explicitly accept the additional risk. An example of an alternative physical safeguard is a protected distribution system (PDS) where the distribution medium is protected against electronic or physical intercept, thereby ensuring the confidentiality of the information being transmitted. See NIST Cryptographic Standards.
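The "Test" assessment method above asks the assessor to exercise the cryptographic mechanisms that implement transmission confidentiality. The following is an added example, not part of the NIST text or any organization's procedures, showing how such a check can be expressed as code using Python's standard ssl module: a TLS client configuration that meets a transmission-confidentiality policy is placed beside a weak one, and an audit function reports findings. The policy thresholds (TLS 1.2 floor, mandatory certificate and hostname validation, no TLS compression) and the service names are assumptions chosen for illustration; an organization's own system security plan defines the actual values.

```python
import ssl

# Policy thresholds for the 3.13.8 checks (assumption: the organization's
# policy sets TLS 1.2 as the floor and requires certificate and hostname
# validation for every CUI-bearing connection).
MIN_TLS = ssl.TLSVersion.TLSv1_2


def hardened_client_context() -> ssl.SSLContext:
    """Client context that enforces the transmission-confidentiality policy."""
    ctx = ssl.create_default_context()        # CERT_REQUIRED + hostname check
    ctx.minimum_version = MIN_TLS             # refuse TLS 1.0 / 1.1 outright
    return ctx


def legacy_client_context() -> ssl.SSLContext:
    """Weak context of the kind an assessor should flag (constructed example)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                # no binding to the peer's name
    ctx.verify_mode = ssl.CERT_NONE           # accepts any certificate
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # whatever the library allows
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return finding codes for one context; an empty list means the context
    satisfies every check implemented here."""
    findings = []
    floor = ctx.minimum_version
    # MINIMUM_SUPPORTED is a sentinel (negative), so test it explicitly.
    if floor == ssl.TLSVersion.MINIMUM_SUPPORTED or floor < MIN_TLS:
        findings.append("TLS_FLOOR_BELOW_1_2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("PEER_CERT_NOT_VERIFIED")
    if not ctx.check_hostname:
        findings.append("HOSTNAME_NOT_CHECKED")
    if not (ctx.options & ssl.OP_NO_COMPRESSION):
        findings.append("TLS_COMPRESSION_ENABLED")
    return findings


def audit_all(contexts: dict) -> dict:
    """Audit several named contexts, e.g. one per CUI-transmitting service."""
    return {name: audit_context(ctx) for name, ctx in contexts.items()}


if __name__ == "__main__":
    # Service names are constructed for the example.
    report = audit_all({
        "cui-file-transfer (hardened)": hardened_client_context(),
        "legacy-fax-gateway (weak)": legacy_client_context(),
    })
    for name, findings in report.items():
        status = "PASS" if not findings else "FAIL: " + ", ".join(findings)
        print(f"{name}: {status}")
```

The output of `audit_all` is the kind of record an assessor can attach to 3.13.8[c] as evidence that the identified mechanism is actually implemented, and the same function can be pointed at the contexts a real application constructs rather than at these two illustrative ones. A finding does not by itself mean non-compliance: a path that runs entirely inside a protected distribution system may be covered by 3.13.8[b] instead, and that decision belongs in the system security plan.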