catalog: SP800-53rev3 / class: Technical / family: (SC) System and Communications Protection

  SC-09: Transmission Confidentiality  

base control objective:
The information system protects the confidentiality of transmitted information.

supplemental objective information:
This control applies to communications across internal and external networks. If the organization is relying on a commercial service provider for transmission services as a commodity item rather than a fully dedicated service, it may be more difficult to obtain the necessary assurances regarding the implementation of needed security controls for transmission confidentiality. When it is infeasible or impractical to obtain the necessary security controls and assurances of control effectiveness through appropriate contracting vehicles, the organization either implements appropriate compensating security controls or explicitly accepts the additional risk.

enhancements to the base objective:

(1) The organization employs cryptographic mechanisms to prevent unauthorized disclosure of information during transmission unless otherwise protected by alternative physical measures.
Enhancement Supplemental Guidance: Alternative physical protection measures include, for example, protected distribution systems.

(2) The information system maintains the confidentiality of information during aggregation, packaging, and transformation in preparation for transmission.
Enhancement Supplemental Guidance: Information can be intentionally and/or maliciously disclosed at data aggregation or protocol transformation points, compromising the confidentiality of the information.

(3) The organization employs FIPS-validated cryptography to protect Controlled Unclassified Information (CUI) during transmission.
Enhancement Supplemental Guidance: This control is typically applied when organizational information is transmitted across external networks. External networks are networks outside of organizational control.

(4) The organization employs NSA-approved cryptography to protect classified, national security information when the network used to transmit the information is at a lower classification level than the information being transmitted.

(5) The organization employs, at a minimum, FIPS-validated cryptography to protect information in a network at the same classification level when such information must be separated from individuals who lack the necessary access approvals.

(6) The organization employs NSA-approved cryptography to protect classified, national security information during transmission.

(7) The organization employs NSA-approved cryptography to protect Sources and Methods Information (SAMI) during transmission if the information is accessed by individuals without an appropriate security clearance.

mapping to FIPS199 baseline:

  LOW: null     MOD: base (1)     HIGH: base (1)  

related (regimented) controls:

AC-17   Remote Access
PE-04   Access Control for Transmission Medium

documents referenced in SP800-53rev3 for SC-09:

| Document | Date | Status | Title |
|---|---|---|---|
| NIST SP800-113 | July, 2008 | current | Guide to SSL VPNs |
| NIST SP800-44 | September 2002 | current | Guidelines on Securing Public Web Servers |
| NIST SP800-45 | August, 2006 | DRAFT | Guidelines on Electronic Mail Security |
| NIST SP800-49 | November, 2002 | current | Federal S/MIME V3 Client Profile |
| NIST SP800-52 | June, 2005 | current | Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations |
| NIST SP800-54 | September, 2006 | DRAFT | Border Gateway Protocol Security |
| NIST SP800-57, part1 | August, 2005 | current | Recommendation for Key Management, part 1 |
| NIST SP800-57, part2 | August, 2005 | current | Recommendation for Key Management, part 2 |
| NIST SP800-58 | January, 2005 | current | Security Considerations for Voice Over IP Systems |
| NIST SP800-66 | October, 2008 | current | An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule |
| NIST SP800-77 | December, 2005 | current | Guide to IPsec VPNs |
| NIST SP800-95 | August, 2006 | DRAFT | Guide to Secure Web Services |
| NIST SP800-97 | SP800-97 | DRAFT | Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i |
