NIST 800-53 r5 · Controls catalogue · Family SC
SC-8 Transmission Confidentiality and Integrity
Protect the {{ insert: param, sc-08_odp }} of transmitted information.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (1)
- aws-config-elb-tls-https-listeners-only · ELB / ALB listeners use HTTPS or TLS · AWS::ElasticLoadBalancingV2::Listener · partial
ATT&CK techniques this control mitigates (19)
- T1020.001 · Traffic Duplication · Exfiltration
- T1040 · Network Sniffing · Credential Access, Discovery
- T1090 · Proxy · Command And Control
- T1090.004 · Domain Fronting · Command And Control
- T1550.001 · Application Access Token · Lateral Movement
- T1550.004 · Web Session Cookie · Lateral Movement
- T1552.007 · Container API · Credential Access
- T1557 · Adversary-in-the-Middle · Credential Access, Collection
- T1557.001 · Name Resolution Poisoning and SMB Relay · Credential Access, Collection
- T1557.002 · ARP Cache Poisoning · Credential Access, Collection
- T1557.003 · DHCP Spoofing · Credential Access, Collection
- T1557.004 · Evil Twin · Credential Access, Collection
- T1602 · Data from Configuration Repository · Collection
- T1602.001 · SNMP (MIB Dump) · Collection
- T1602.002 · Network Device Configuration Dump · Collection
- T1622 · Debugger Evasion · Stealth, Discovery
- T1685 · Disable or Modify Tools · Defense Impairment
- T1688 · Safe Mode Boot · Defense Impairment
- T1689 · Downgrade Attack · Defense Impairment
Weaknesses this control addresses (5)
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-319 | Cleartext Transmission of Sensitive Information | 1,042 | The control explicitly requires confidentiality protection for transmitted information, preventing cleartext exposure of sensitive data. |
| CWE-300 | Channel Accessible by Non-Endpoint | 53 | Confidentiality and integrity protections on the transmission channel directly reduce the ability of non-endpoint actors to access or tamper with the data. |
| CWE-614 | Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | 52 | Enforcing confidentiality on transmitted sensitive cookies requires the Secure attribute, preventing exposure on insecure channels. |
| CWE-924 | Improper Enforcement of Message Integrity During Transmission in a Communication Channel | 36 | The control directly mandates integrity protection for transmitted information, addressing failures to enforce message integrity in transit. |
| CWE-523 | Unprotected Transport of Credentials | 20 | Requiring protected transport for credentials directly mitigates unprotected credential transmission over networks. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| CVE-2022-3365 | 5.1 | 9.8 | 0.5260 | good |
| CVE-2025-34271 | 2.0 | 9.8 | 0.0106 | good |
| CVE-2025-2859 | 2.0 | 9.8 | 0.0034 | good |
| CVE-2025-63210 | 2.0 | 9.8 | 0.0014 | good |
| CVE-2025-13926 | 2.0 | 9.8 | 0.0009 | good |
| CVE-2026-42363 | 1.9 | 9.3 | 0.0003 | good |
| CVE-2026-7161 | 1.9 | 9.3 | 0.0004 | good |
| CVE-2024-1509 | 1.8 | 9.1 | 0.0009 | good |
| CVE-2026-24060 | 1.8 | 9.1 | 0.0002 | good |
| CVE-2025-0556 | 1.8 | 8.8 | 0.0015 | good |
| CVE-2025-68637 | 1.8 | 9.1 | 0.0006 | good |
| CVE-2025-21450 | 1.8 | 9.1 | 0.0020 | good |
| CVE-2024-47519 | 1.7 | 8.3 | 0.0008 | good |
| CVE-2025-10174 | 1.7 | 8.3 | 0.0002 | good |
| CVE-2025-2190 | 1.6 | 8.1 | 0.0015 | good |
| CVE-2024-36553 | 1.6 | 8.1 | 0.0009 | good |
| CVE-2025-23206 | 1.6 | 8.1 | 0.0007 | good |
| CVE-2024-13872 | 1.6 | 7.5 | 0.0138 | good |
| CVE-2026-30792 | 1.6 | 8.1 | 0.0007 | good |
| CVE-2025-67752 | 1.6 | 8.1 | 0.0001 | good |
| CVE-2026-32105 | 1.5 | 7.7 | 0.0004 | good |
| CVE-2025-1060 | 1.5 | 7.5 | 0.0016 | good |
| CVE-2025-2861 | 1.5 | 7.5 | 0.0017 | good |
| CVE-2025-26473 | 1.5 | 7.5 | 0.0022 | good |
| CVE-2021-41719 | 1.5 | 7.5 | 0.0031 | good |