SC-8 (1) - Cryptographic or Alternate Physical Protection [FSv1.1]

Control requirements

SC-8 (1) - 0

The information system implements cryptographic mechanisms to [IBM Assignment: prevent unauthorized disclosure of information] during transmission unless otherwise protected by [IBM Assignment: none].

Additional IBM Cloud for Financial Services specifications

• The organization must encrypt customer data in transit regardless of the transport mechanism and/or digital media type used, except in the cases of DNS, NTP, BGP, ICMP, ARP, DHCP, TFTP, NFS v3, heartbeat, SNMP read-only, and logging (such as rsyslog/fluentd) traffic assessed as very low risk from a confidentiality/integrity standpoint. For web-based applications, the organization will ensure that transmitted data is protected in accordance with the recommendations of the Open Web Application Security Project (OWASP).

Implementation guidance

See the resources that follow to learn more about how to implement this control.

• Connecting application provider to the management VPC
• Consumer connectivity to workload VPC
• Creating and connecting the management and workload VPCs
• Data encryption in transit

NIST supplemental guidance

Encrypting information for transmission protects information from unauthorized disclosure and modification. Cryptographic mechanisms implemented to protect information integrity include, for example, cryptographic hash functions which have common application in digital signatures, checksums, and message authentication codes. Alternative physical security safeguards include, for example, protected distribution systems.