SC-08 Transmission Integrity

System and Communications Protection

Low Moderate High

Description

The information system protects the integrity of transmitted information.

Supplemental Guidance

If the organization is relying on a commercial service provider for transmission services as a commodity item rather than a fully dedicated service, it may be more difficult to obtain the necessary assurances regarding the implementation of needed security controls for transmission integrity. When it is infeasible or impractical to obtain the necessary security controls and assurances of control effectiveness through appropriate contracting vehicles, the organization either implements appropriate compensating security controls or explicitly accepts the additional risk. NIST Special Publication 800-52 provides guidance on protecting transmission integrity using Transport Layer Security (TLS). NIST Special Publication 800-77 provides guidance on protecting transmission integrity using IPsec. NIST Special Publication 800-81 provides guidance on Domain Name System (DNS) message authentication and integrity verification. NSTISSI No. 7003 contains guidance on the use of Protective Distribution Systems.

Compliance Mappings

ISO 27001:2022

A.5.14, A.8.20, A.8.21

ISO 27002:2022

5.14, 8.20, 8.21

CIS Controls v8

CIS 12.3, CIS 12.6, CIS 3, CIS 3.10

NIST CSF 2.0

PR.DS-02

SOC 2 TSC

CC6.1, CC6.7

PCI DSS v4.0.1

2.2.7, 4.1, 4.2

CSA CCM v4

CEK-03, DSP-10, DSP-17, IPY-03, IVS-03

CSA AICM v1

CEK-03, DSP-10, DSP-17, I&S-03, IPY-03

FINOS CCC

CCC-C01

IEC 62443

3-3 SR 3.1, 3-3 SR 4.1

NIS2 Directive

Art. 21(2)(h), Art. 21(2)(j)

PRA Operational Resilience

SS2/21-11.1

MAS TRM

1014

APRA CPS 234

Para 22-23

BSI IT-Grundschutz

APP.3.1, CON.1

ANSSI

Hygiene.24, RGS.2.3, SecNumCloud.11.1, SecNumCloud.14.2

FINMA Circular 2023/1

IV.C(63), IV.D(78), IV.D(81)

OSFI B-13

B-13.3.2

EU GDPR

Art.32(1)(a), Art.5(1)(f), Rec.83

EU DORA

Art.9(3), Art.9(4)(a)

BIO2

5.14, 8.20, 8.21

RBI CSF

Annex1.4, Annex1.10, ITGRCA.16

FISC Security Guidelines

FISC.T10, FISC.T11, FISC.T12, FISC.T4, FISC.T8

LGPD + BCB 4893

BCB.Art.14, BCB.Art.3, BCB.OpenFinance, BCB.PIX, LGPD.Art.33-36, LGPD.Art.46

HKMA TM-E-1

TME1.10.1, TME1.10.2, TME1.10.3, TME1.11.2, TME1.8.5, TME1.9.1

MLPS 2.0

8.1.2.2, 8.1.4.7, 8.1.4.8, 8.4

DNB Good Practice

DNB.12.3, DNB.18.4, DNB.18.5

EU CRA

CRA.I.2e, CRA.I.2f, CRA.II.7

SWIFT CSCF

SWIFT.2.1, SWIFT.2.4A, SWIFT.2.5A, SWIFT.2.6

SAMA CSF

3.3, 3.4, 3.8, 4.3

NCA ECC

2-4, 2-5, 2-8

UAE IA

T8

CBB TM

TM-8, TM-9

Qatar NIA

CS

CBUAE

CR-5, CR-8

CBE CSF

CTO-2, CTO-3, CTO-5, CTO-6, CTO-8

SA JS2

JS2-7.2, JS2-8.2, JS2-8.3

CBN CSF

Part3.3, Part3.4, Part5.2

BoG CISD

CISD-IX, CISD-VI, CISD-VIII, CISD-XI, CISD-XII, CISD-XIII

POPIA

s19

BoM CTRM

3.10, 3.13, 3.2, 3.4

IOSCO Cyber Resilience

PROT-3, RR-3

BCBS 239

Principle 11, Principle 3

CPMI-IOSCO PFMI

CG.PR, PFMI.P17, PFMI.P22

FFIEC IS

II.C.13, II.C.13(b), II.C.15(c), II.C.16, II.C.19, II.C.6, II.C.9

NYDFS 500

500.15

HIPAA Security Rule

§164.312(c)(1), §164.312(c)(2), §164.312(e)(1), §164.312(e)(2)(i), §164.312(e)(2)(ii)

ECB CROE

CROE.2.3.3, CROE.2.3.5

EBA ICT Guidelines

3.8(b)

SEBI CSCRF

EMAIL-SEC, PR.CS, PR.DS, PR.NS

BOT Cyber Resilience

Ch2.3, Ch2.4, Ch2.7, Ch9.1

CMMC 2.0

SC

NERC CIP

CIP-012-1

10 CFR 73.54

RG5.71-A-SC

IEEE 1686-2022

5.5

FERC CIP Orders

Order 2222

API 1164

Sec 8

IAEA NSS 17-T

Sec 5.6

PCI PTS v6

EIJ

CBEST

CBEST.9

TIBER-EU

TIBER.CONF

PCI HSM

3

Common Criteria

CC Part 2 — FCS, CC Part 2 — FDP, CC Part 2 — FPT

ISAE 3402

Clause 4

Solvency II

Art.49(3), DR.266-DataSec, EIOPA-Cloud-GL9, EIOPA-ICT-4.6, EIOPA-ICT-4.7

Lloyd's Minimum Standards

BP2.1, BP2.2, MS13.2, MS6.1, MS8.9

NAIC Insurance Data Security

4-encryption, 4B

FCA SYSC 13

SYSC 13.7.3

HITRUST CSF v11

01.b, 09.e, 09.f, 10.c

FDA 21 CFR Part 11

§11.30, §11.300(d), §11.70

FDA Cybersecurity Guidance

SA-2, SA-4

ISO 27799

10.1, 13.1, 13.2, H.2, H.5

NHS DSPT

NDG-1.1, NDG-9.2, NDG-9.4, NDG-9.6

OWASP MASVS v2.1

MASVS-NETWORK-1, MASVS-NETWORK-2

CCSS v9.0

1.01.4, 1.06.4

MiCA

Art.76(1), Art.97(1)

Basel SCO60

SCO60.71

BSSC Standards

NOS-04, TIS-05, GSP-13

ISO 17799 (legacy)

10.6.1, 10.8.1, 10.9.1

COBIT 4.1 (legacy)

AC6