03.13.08: Transmission and Storage Confidentiality
Control Family: System and Communications Protection
SPRS: N/A
Top Ten Failed Requirement: N/A
Supporting Publications:
FIPS 140-3 [38]
FIPS 197 [68]
SP 800-46 [14]
SP 800-52 [69]
SP 800-56A [73]
SP 800-56B [74]
SP 800-56C [75]
SP 800-57-1 [15]
SP 800-57-2 [16]
SP 800-57-3 [17]
SP 800-77 [18]
SP 800-111 [51]
SP 800-113 [19]
SP 800-114 [20]
SP 800-121 [21]
SP 800-124 [28]
SP 800-177 [70]
Referenced in: N/A
Control Type: N/A
CPCSC Level 2: 03.13.08
CMMC Level(s): N/A
Derived From: NIST SP 800-53r5
SC-08
SC-08(01)
SC-28
SC-28(01)
Implement cryptographic mechanisms to prevent the unauthorized disclosure of CUI during transmission and while in storage.
Discussion:
This requirement applies to internal and external networks and any system components that can transmit CUI, including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, facsimile machines, and radios. Unprotected communication paths are susceptible to interception and modification. Encryption protects CUI from unauthorized disclosure during transmission and while in storage. Cryptographic mechanisms that protect the confidentiality of CUI during transmission include TLS and IPsec. Information in storage (i.e., information at rest) refers to the state of CUI when it is not in process or in transit and resides on internal or external storage devices, storage area network devices, and databases. Protecting CUI in storage does not focus on the type of storage device or the frequency of access to that device but rather on the state of the information. This requirement relates to 03.13.11.
Assessment Methods and Objectives
Examine [SELECT FROM: system and communications protection policy and procedures; procedures for transmission confidentiality; procedures for the protection of information at rest; system design documentation; system configuration settings; cryptographic mechanisms and associated configuration documentation; information in storage requiring confidentiality protection; system audit records; system security plan; other relevant documents or records]
Interview [SELECT FROM: personnel with information security responsibilities; system developers; system administrators]
Test [SELECT FROM: mechanisms for supporting or implementing transmission confidentiality; cryptographic mechanisms for supporting or implementing transmission confidentiality; mechanisms for supporting or implementing confidentiality protection for information in storage; cryptographic mechanisms for implementing confidentiality protections for information in storage]
NIST SP 800-171A r3 Determining Statements
Determine if:
A.03.13.08[01]: cryptographic mechanisms are implemented to prevent the unauthorized disclosure of CUI during transmission.
A.03.13.08[02]: cryptographic mechanisms are implemented to prevent the unauthorized disclosure of CUI while in storage.