3.13 SYSTEM AND COMMUNICATIONS PROTECTION


3.13.8 Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards

By William Noble (wnoble2005@gmail.com), 2024-03-03
NIST 800-171 control 3.13.8 safeguards Controlled Unclassified Information (CUI) while it is in transit. Encryption renders CUI unreadable to anyone who intercepts it on the wire, which reduces the risk of unauthorized disclosure. Organizations are responsible for implementing encryption or an approved physical protection of the transmission path. Examples include securing Wi-Fi networks and using Virtual Private Networks (VPNs).

This requirement applies to internal and external networks and any system components that can transmit information including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, and facsimile machines. Communication paths outside the physical protection of controlled boundaries are susceptible to both interception and modification. Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs), may find it difficult to obtain the necessary assurances regarding the implementation of the controls for transmission confidentiality. In such situations, organizations determine what types of confidentiality services are available in commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary safeguards and assurances of the effectiveness of the safeguards through appropriate contracting vehicles, organizations implement compensating safeguards or explicitly accept the additional risk. An example of an alternative physical safeguard is a protected distribution system (PDS) where the distribution medium is protected against electronic or physical intercept, thereby ensuring the confidentiality of the information being transmitted. See [NIST CRYPTO].

Benefits:

Confidentiality: Encryption ensures only authorized parties can access CUI, even if it's intercepted during transmission. This minimizes the risk of data breaches and protects sensitive information.

Compliance: Implementing encryption demonstrates adherence to NIST 800-171, a requirement for organizations handling CUI on behalf of the U.S. government.

Trustworthiness: Strong encryption fosters trust with partners and stakeholders by showcasing your commitment to data security.

Accountability:

Senior Management: Sets the overall security direction, allocates resources for implementing cryptographic solutions (e.g., encryption tools, FIPS-validated algorithms) and ensures compliance with the control. They are responsible for holding IT security teams and system owners accountable.

IT Security Team: Implements and manages cryptographic mechanisms. This includes selecting encryption solutions, configuring them for CUI transmission, and ensuring ongoing maintenance. They advise system owners on secure configurations and train users on proper data handling.

System Owners: Are responsible for ensuring their systems comply with 3.13.8. They work with the IT security team to implement appropriate cryptographic controls for their systems and conduct risk assessments to identify situations where alternative physical safeguards might be necessary (e.g., a secure, physically protected cable for short-distance data transfer).

Individual Users: Must be aware of their role in protecting CUI. This includes using approved encryption tools and following established procedures for transmitting CUI. Training on these procedures is crucial.

Implementation:

Encryption Technologies: Transport Layer Security (TLS), the successor to Secure Socket Layer (SSL), is the common choice for encrypting internet traffic; SSL and early TLS versions are deprecated, so deployments should require TLS 1.2 or later with certificate verification enabled. For specific applications, file-level encryption of the data before it is sent, or disk encryption of the transport medium, might be used.

FIPS Compliance: The National Institute of Standards and Technology (NIST) publishes approved encryption algorithms and validates cryptographic modules under FIPS 140. Choosing FIPS-validated options provides assurance that both the algorithm and its implementation have been independently tested.

Alternative Safeguards: In rare cases, physical safeguards like secure, shielded cables might replace encryption for very short transmissions within a controlled environment.
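The Implementation points above are easiest to check in code. The following Python example is added here for illustration; it is not code from the original page, from xnetd.com or from Q4Q. It builds a hardened TLS client context (TLS 1.2 minimum, certificate and hostname verification, AES-GCM suites only) beside the kind of weak context that silently defeats the control, and a small assessor that reports where a configuration falls short of 3.13.8. The cipher-suite classifier is an assumption: a name-based heuristic for FIPS-approved suites that stands in for a lookup against the CMVP validated-module list, and `negotiated_parameters` is a hypothetical helper that needs network access and is not exercised here.

```python
import socket
import ssl

# Simplified FIPS 140 classifier (assumption: name-based heuristic for illustration).
# AES suites (GCM, or CBC with an HMAC) count as approved; ChaCha20-Poly1305, RC4,
# (3)DES, NULL, export-grade, MD5-based and anonymous suites do not.
NOT_APPROVED_TOKENS = ("CHACHA", "RC4", "DES", "NULL", "EXP", "MD5", "ADH", "AECDH")


def is_fips_approved_suite(name: str) -> bool:
    n = name.upper()
    if any(tok in n for tok in NOT_APPROVED_TOKENS):
        return False
    return "AES" in n


def assess_settings(min_version, verify_mode, check_hostname, cipher_names):
    """Return a list of findings; an empty list means the settings meet the
    encryption-in-transit expectations of 3.13.8 as interpreted here."""
    findings = []
    if min_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum protocol version below TLS 1.2 (SSL/early TLS are deprecated)")
    if verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required: an impostor endpoint can read the traffic")
    if not check_hostname:
        findings.append("hostname not checked against the presented certificate")
    bad = [c for c in cipher_names if not is_fips_approved_suite(c)]
    if bad:
        findings.append("non-FIPS-approved cipher suites enabled: " + ", ".join(bad))
    return findings


def assess_context(ctx: ssl.SSLContext):
    # TLS 1.3 suites are fixed by OpenSSL and cannot be changed through
    # SSLContext.set_ciphers(), so only the configurable TLS 1.2 list is judged.
    names = [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]
    return assess_settings(ctx.minimum_version, ctx.verify_mode, ctx.check_hostname, names)


def hardened_client_context() -> ssl.SSLContext:
    ctx = ssl.create_default_context()          # CERT_REQUIRED + hostname check, system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:DHE+AESGCM")  # forward-secret, AES-GCM only (TLS 1.2 list)
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The kind of configuration that defeats the control without any error."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False     # must be cleared before verify_mode can become CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def negotiated_parameters(host: str, port: int = 443, timeout: float = 5.0):
    """Hypothetical live check (needs network): connect with the hardened
    context and report the protocol version and suite actually negotiated."""
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return {"version": tls.version(), "cipher": tls.cipher()[0]}


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_client_context()), ("weak", weak_client_context())):
        print(label, assess_context(ctx) or ["OK: meets the 3.13.8 encryption-in-transit checks"])
```

Running the script prints no findings for the hardened context and three or four for the weak one (missing certificate verification, missing hostname check, and, depending on the OpenSSL build, non-approved suites in the default list). The assessor is deliberately split from the context so the same checks can be applied to settings read from a configuration file or an inventory of endpoints.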

Category: Cybersecurity Maturity Model
Family: System and Communications Protection (AC 3.13)
Type: Derived Security Requirements