NIST 800-53 r5 · Controls catalogue · Family SC
SC-8 Transmission Confidentiality and Integrity
Protect the {{ insert: param, sc-08_odp }} of transmitted information.
Last updated: 04 July 2026 00:28 UTC
Cumulative inbound coverage
How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.
Collective: full · 2 mapping(s) from 2 framework(s): CSF 2.0 1 (full) · ASVS 5.0 1 (partial)
Implementations targeting this control (10)
- aws-config-elb-tls-https-listeners-only · ELB / ALB listeners use HTTPS or TLS · AWS::ElasticLoadBalancingV2::Listener · partial · protect · enforce
- aws-config-alb-http-to-https-redirection-check · Alb Http To Https Redirection Check · AWS::ElasticLoadBalancingV2::LoadBalancer · partial · protect · enforce
- aws-config-api-gw-ssl-enabled · Api Gw Ssl Enabled · AWS::ApiGateway::Stage · partial · protect · enforce
- aws-config-elasticsearch-node-to-node-encryption-check · Elasticsearch Node To Node Encryption Check · AWS::OpenSearchService::Domain · partial · protect · enforce
- aws-config-elb-acm-certificate-required · Elb Acm Certificate Required · AWS::ElasticLoadBalancing::LoadBalancer · partial · protect · enforce
- aws-config-elbv2-acm-certificate-required · Elbv2 Acm Certificate Required · AWS::ElasticLoadBalancingV2::LoadBalancer · partial · protect · enforce
- aws-config-opensearch-https-required · Opensearch Https Required · AWS::OpenSearchService::Domain · partial · protect · enforce
- aws-config-opensearch-node-to-node-encryption-check · Opensearch Node To Node Encryption Check · AWS::OpenSearchService::Domain · partial · protect · enforce
- aws-config-redshift-require-tls-ssl · Redshift Require Tls Ssl · AWS::Redshift::Cluster · partial · protect · enforce
- aws-config-s3-bucket-ssl-requests-only · S3 Bucket Ssl Requests Only · AWS::S3::Bucket · partial · protect · enforce · CIS §2.1.1 · Hub S3.5
ATT&CK techniques this control mitigates (19)
- T1020.001 · Traffic Duplication · Exfiltration
- T1040 · Network Sniffing · Credential Access, Discovery
- T1090 · Proxy · Command And Control
- T1090.004 · Domain Fronting · Command And Control
- T1550.001 · Application Access Token · Lateral Movement
- T1550.004 · Web Session Cookie · Lateral Movement
- T1552.007 · Container API · Credential Access
- T1557 · Adversary-in-the-Middle · Credential Access, Collection
- T1557.001 · Name Resolution Poisoning and SMB Relay · Credential Access, Collection
- T1557.002 · ARP Cache Poisoning · Credential Access, Collection
- T1557.003 · DHCP Spoofing · Credential Access, Collection
- T1557.004 · Evil Twin · Credential Access, Collection
- T1602 · Data from Configuration Repository · Collection
- T1602.001 · SNMP (MIB Dump) · Collection
- T1602.002 · Network Device Configuration Dump · Collection
- T1622 · Debugger Evasion · Stealth, Discovery
- T1685 · Disable or Modify Tools · Defense Impairment
- T1688 · Safe Mode Boot · Defense Impairment
- T1689 · Downgrade Attack · Defense Impairment
Weaknesses this control addresses (5) AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-319 | Cleartext Transmission of Sensitive Information | 1,076 | The control explicitly requires confidentiality protection for transmitted information, preventing cleartext exposure of sensitive data. |
| CWE-614 | Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | 60 | Enforcing confidentiality on transmitted sensitive cookies requires the Secure attribute, preventing exposure on insecure channels. |
| CWE-300 | Channel Accessible by Non-Endpoint | 54 | Confidentiality and integrity protections on the transmission channel directly reduce the ability of non-endpoint actors to access or tamper with the data. |
| CWE-924 | Improper Enforcement of Message Integrity During Transmission in a Communication Channel | 40 | The control directly mandates integrity protection for transmitted information, addressing failures to enforce message integrity in transit. |
| CWE-523 | Unprotected Transport of Credentials | 23 | Requiring protected transport for credentials directly mitigates unprotected credential transmission over networks. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| CVE-2025-48928 KEV UPD | 10.0 | 4.0 | 0.0037 | good |
| CVE-2022-3365 | 7.0 | 9.8 | 0.0204 | good |
| CVE-2025-34271 | 7.0 | 9.8 | 0.0068 | good |
| CVE-2025-2859 | 7.0 | 9.8 | 0.0041 | good |
| CVE-2025-63210 | 7.0 | 9.8 | 0.0050 | good |
| CVE-2025-13926 | 7.0 | 9.8 | 0.0044 | good |
| CVE-2026-42363 | 7.0 | 9.3 | 0.0019 | good |
| CVE-2026-7161 UPD | 7.0 | 9.3 | 0.0021 | good |
| CVE-2024-1509 | 7.0 | 9.1 | 0.0034 | good |
| CVE-2026-24060 | 7.0 | 9.1 | 0.0020 | good |
| CVE-2025-2311 UPD | 7.0 | 9.0 | 0.0016 | good |
| CVE-2025-68637 | 7.0 | 9.1 | 0.0022 | good |
| CVE-2025-21450 UPD | 7.0 | 9.1 | 0.0029 | good |
| CVE-2024-3596 | 7.0 | 9.0 | 0.1486 | good |
| CVE-2025-32444 UPD | 7.0 | 10.0 | 0.0148 | good |
| CVE-2025-26199 UPD | 7.0 | 9.8 | 0.0049 | good |
| CVE-2026-34486 UPD | 6.0 | 7.5 | 0.1583 | good |
| CVE-2023-25437 | 6.0 | 8.8 | 0.1411 | good |
| CVE-2022-45124 | 6.0 | 7.5 | 0.1450 | good |
| CVE-2025-0556 | 5.5 | 8.8 | 0.0029 | good |
| CVE-2024-47519 | 5.5 | 8.3 | 0.0033 | good |
| CVE-2025-2190 | 5.5 | 8.1 | 0.0031 | good |
| CVE-2024-36553 | 5.5 | 8.1 | 0.0029 | good |
| CVE-2025-23206 | 5.5 | 8.1 | 0.0031 | good |
| CVE-2024-13872 | 5.5 | 7.5 | 0.0023 | good |