INF-006 Transmission Encryption
Description
All data in transit across public or untrusted networks is protected using current, approved cryptographic protocols (e.g., TLS 1.2 or later). Deprecated or weak cipher suites are disabled. Encryption configuration is reviewed at defined intervals and updated when vulnerabilities in protocols are identified.
Rationale
Unencrypted data in transit is trivially intercepted. Enforcing strong TLS prevents eavesdropping and man-in-the-middle attacks on SaaS communications.
Framework Mappings (4)
| Reference | Control | Coverage |
| --- | --- | --- |
| I&S-07 | Migration to Cloud Environments | partial |
| 8.24 | Use of cryptography | partial |
| SC-13 | Cryptographic Protection | partial |
| SC-8 | Transmission Confidentiality and Integrity | full |
Evidence (2)
TLS configuration for all production-facing endpoints showing TLS 1.2 or later is enforced and deprecated cipher suites are disabled.
Example: SSL Labs scan report (or equivalent tool output such as testssl.sh) for production API and web endpoints, showing protocol version support and cipher suite configuration.
Test: Run an SSL/TLS configuration scan against a sample of production endpoints (API gateway, web endpoints, inter-service communication). Verify: (1) TLS 1.2 is the minimum accepted protocol version; (2) connection attempts using TLS 1.0 or 1.1 are rejected; (3) deprecated cipher suites (RC4, 3DES, NULL, EXPORT) are not listed as accepted; (4) the scan was run within the last 12 months and after the most recent TLS configuration change.
Cryptographic standards policy or TLS configuration standard specifying approved protocols, minimum versions, and cipher suites for data in transit.
Example: Cryptographic Standards document or TLS Configuration Standard (version-controlled, approved within the last 12 months) referencing a named baseline such as NIST SP 800-52 or BSI TR-02102.
Test: Request the cryptographic standards document. Verify: (1) approved protocol versions and cipher suites are explicitly listed; (2) deprecated protocols are explicitly prohibited; (3) a review or update trigger is defined for when protocol vulnerabilities are announced; (4) the document has been approved by a named owner.
Questions (2)
Is all data in transit across public or untrusted networks protected using TLS 1.2 or later, with deprecated cipher suites disabled?
This applies to all production-facing endpoints: APIs, web interfaces, inter-service communication, and webhook delivery. TLS 1.0 and 1.1 must be rejected.
How is the TLS configuration of production endpoints reviewed and kept current?
Automated scanning on each deployment is the preferred approach. At minimum, a full TLS scan should occur annually and after any change to load balancer, API gateway, or certificate configuration.
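The endpoint scan test under Evidence and the review cadence described in the second question can both be turned into a repeatable check. The following Python is an added example, not tooling from this control catalogue. It assumes that a scanner's output (SSL Labs, testssl.sh or similar) has already been reduced to a small dict of which protocol versions were accepted, which cipher names were accepted, and when the scan ran; the sample dict is constructed. It treats a scan as stale when it is older than 12 months or predates the last TLS configuration change, and it also rejects SSLv2/SSLv3 alongside TLS 1.0/1.1, which goes slightly beyond the control text. The cipher-name fragments "DES-CBC3" and "EXP-" are assumptions about OpenSSL's naming of 3DES and export suites.

```python
"""Added example: evaluate TLS scan findings against the INF-006 test criteria."""
from datetime import date, timedelta
import socket
import ssl

# Cipher-name fragments treated as deprecated. RC4, 3DES, NULL and EXPORT are
# the families named by the control; "DES-CBC3" and "EXP-" are assumed OpenSSL
# spellings of 3DES and export-grade suites respectively.
DEPRECATED_MARKERS = ("RC4", "3DES", "DES-CBC3", "NULL", "EXPORT", "EXP-")

# Any protocol version below TLS 1.2 must be rejected by the endpoint.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}

# Constructed sample of a compliant endpoint (not a real scan result).
SAMPLE_SCAN = {
    "host": "api.example.test",
    "scanned_on": date(2024, 5, 1),
    "protocols": {"TLSv1.0": False, "TLSv1.1": False,
                  "TLSv1.2": True, "TLSv1.3": True},
    "accepted_ciphers": ["TLS_AES_256_GCM_SHA384",
                         "ECDHE-RSA-AES128-GCM-SHA256"],
}


def deprecated_ciphers(ciphers):
    """Return the accepted cipher names that match a deprecated marker."""
    return [c for c in ciphers
            if any(marker in c.upper() for marker in DEPRECATED_MARKERS)]


def evaluate_scan(scan, today, last_config_change=None):
    """Apply the four INF-006 checks to one endpoint's scan summary.

    Returns a dict with one bool per check plus an overall 'compliant' flag.
    """
    protos = scan["protocols"]
    # Check 4: a scan is stale if older than 12 months, or if it predates the
    # most recent change to load balancer / gateway / certificate configuration.
    age_ok = today - scan["scanned_on"] <= timedelta(days=365)
    change_ok = (last_config_change is None
                 or scan["scanned_on"] >= last_config_change)
    result = {
        # Check 1: a modern version is actually offered (1.2 or 1.3).
        "min_tls12": bool(protos.get("TLSv1.2") or protos.get("TLSv1.3")),
        # Check 2: nothing below TLS 1.2 completes a handshake.
        "legacy_rejected": not any(ok for name, ok in protos.items()
                                   if name in LEGACY_PROTOCOLS),
        # Check 3: no deprecated suite appears in the accepted list.
        "no_deprecated_ciphers": not deprecated_ciphers(scan["accepted_ciphers"]),
        "scan_current": age_ok and change_ok,
    }
    result["compliant"] = all(result.values())
    return result


def probe_protocol(host, version, port=443, timeout=5.0):
    """Attempt one handshake pinned to a single TLS version (network required).

    Returns True if the server completed the handshake at that version. A False
    result can also mean the local OpenSSL build refuses to offer the old
    version, so keep a testssl.sh or SSL Labs report as the authoritative evidence.
    """
    ctx = ssl.create_default_context()
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, ValueError, OSError):
        return False


if __name__ == "__main__":
    # Offline evaluation of the constructed sample.
    for check, passed in evaluate_scan(SAMPLE_SCAN, date.today()).items():
        print(f"{check:24s} {'PASS' if passed else 'FAIL'}")
    # Live probe of the legacy versions the control requires to be rejected
    # (replace the host with a production endpoint you are authorised to scan):
    # for v in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1):
    #     print(v.name, "accepted" if probe_protocol("api.example.test", v) else "rejected")
```

Wiring `evaluate_scan` into a deployment pipeline and failing the build on `compliant == False` gives the per-deployment scanning the second question prefers; passing `last_config_change` from the change record for the load balancer or gateway makes the 12-month clock reset on every TLS-relevant change rather than only annually.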