NIST 800-53 REV 5 • SYSTEM AND COMMUNICATIONS PROTECTION

SC-8(3)Cryptographic Protection for Message Externals

Implement cryptographic mechanisms to protect message externals unless otherwise protected by {{ insert: param, sc-08.03_odp }}.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Cryptographic protection for message externals addresses protection from the unauthorized disclosure of information. Message externals include message headers and routing information. Cryptographic protection prevents the exploitation of message externals and applies to internal and external networks or links that may be visible to individuals who are not authorized users. Header and routing information is sometimes transmitted in clear text (i.e., unencrypted) because the information is not identified by organizations as having significant value or because encrypting the information can result in lower network performance or higher costs. Alternative physical controls include protected distribution systems.

Practitioner Notes

Protect the external metadata of messages (headers, routing information, source and destination addresses), not just the message body. Even when the body is encrypted, these externals reveal who is communicating with whom, how often, and through which systems. The control's organization-defined parameter names the alternative physical protection (for example, a protected distribution system) that may stand in for cryptography on a link that is not otherwise exposed; where no such protection exists, the externals themselves must be encrypted.

Example 1: Tunnel all traffic through a VPN so that observers on the path between the endpoint and the VPN concentrator see only encrypted packets to a single address, not the source, destination, ports, or protocol of each inner connection. The protection stops at the concentrator: traffic leaves it with its original externals, the tunnel endpoints and the volume and timing of traffic remain visible, and a split-tunnel configuration sends some flows around the tunnel entirely. Verify that the VPN is always-on, or that the host blocks traffic while the tunnel is down, so that a dropped tunnel does not silently expose the externals.

Example 2: Require TLS for server-to-server mail rather than merely offering it: opportunistic STARTTLS can be stripped by an on-path attacker, so enforce TLS toward partner domains and publish or honor MTA-STS (RFC 8461) or DANE so that the expectation is pinned. In addition, strip internal routing headers from outbound email. Exchange transport rules can remove X-headers and other headers that reveal internal server names and IP addresses before messages leave your organization. Two externals remain visible regardless: the SMTP envelope (sender and recipient) is needed by every relay on the path, and a Message-ID generated by an internal server often embeds that server's host name, so configure the generating server to use the public domain. Verify the result by sending a test message to an external mailbox and inspecting its full headers.
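As an added, vendor-neutral illustration of the header-stripping step in Example 2 (this is not code from the original page and not Exchange's own mechanism), the script below does at an edge MTA what a transport rule with a remove-header action does, and then runs the check a practitioner wants afterwards: it reports which headers still expose internal names or addresses. The internal DNS suffix (.corp.example), the lists of header names, and the sample outbound message are all constructed assumptions for this example.

```python
"""Outbound header sanitizer for message externals (SC-8(3)).

Added illustration only: strips headers that expose internal topology from
an outbound message, then reports what still leaks. The internal suffix,
header lists and sample message below are constructed for this example.
"""
import email
import ipaddress
import re

# Assumption: internal DNS namespace that must not appear in outbound mail.
INTERNAL_SUFFIXES = (".corp.example",)

# Assumption: IPv4 ranges that exist only inside the organisation
# (IPv4 literals only; IPv6 hops are caught by the hostname rule alone).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Assumption: headers added by internal MTAs and clients that carry server
# names, client addresses or software versions.
DROP_EXACT = {"x-originating-ip", "x-mailer", "x-internal-route"}
DROP_PREFIXES = ("x-ms-exchange-", "x-internal-")

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HOST_RE = re.compile(r"\b([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)\b")


def leaks_internal(value: str) -> bool:
    """True if a header value names an internal host or internal address."""
    for literal in IP_RE.findall(value):
        try:
            addr = ipaddress.ip_address(literal)
        except ValueError:          # e.g. 999.1.1.1 inside a version string
            continue
        if any(addr in net for net in INTERNAL_NETS):
            return True
    return any(host.lower().endswith(INTERNAL_SUFFIXES)
               for host in HOST_RE.findall(value))


def drop_header(name: str, value: str) -> bool:
    """Rule applied to each header of an outbound message."""
    n = name.lower()
    if n in DROP_EXACT or n.startswith(DROP_PREFIXES):
        return True
    if n == "received":
        # Keep trace lines showing only public hops; drop those that expose
        # internal relays (the edge MTA adds its own Received line after us).
        return leaks_internal(value)
    return False


def sanitize_outbound(raw: bytes) -> bytes:
    """Return the message with internal message externals removed."""
    msg = email.message_from_bytes(raw)   # compat32 keeps raw folded values
    kept = [(n, v) for n, v in msg.items() if not drop_header(n, v)]
    for name in {n for n, _ in msg.items()}:
        del msg[name]                     # removes every instance of name
    for n, v in kept:                     # re-add in the original order
        msg[n] = v
    return msg.as_bytes()


def headers(raw: bytes) -> list:
    """(name, value) pairs of a message, in order."""
    return list(email.message_from_bytes(raw).items())


def body_text(raw: bytes) -> str:
    return email.message_from_bytes(raw).get_payload()


def find_leaks(raw: bytes) -> list:
    """Names of headers that still expose internal hosts or addresses."""
    return [n for n, v in headers(raw) if leaks_internal(v)]


# Constructed sample: an outbound message as it reaches the edge MTA.
SAMPLE_OUTBOUND = b"""\
Received: from app01.cloud-vendor.example (203.0.113.5)
\tby mail.example.com with ESMTPS; Mon, 1 Jan 2024 10:00:01 +0000
Received: from EXCH01.corp.example (10.20.30.40)
\tby EDGE01.corp.example (10.20.30.1) with Microsoft SMTP Server (TLS)
\tid 15.1.2375.7; Mon, 1 Jan 2024 10:00:00 +0000
X-MS-Exchange-Organization-AuthSource: EXCH01.corp.example
X-Originating-IP: [192.168.5.77]
X-Mailer: Microsoft Outlook 16.0
From: alice@example.com
To: bob@partner.example
Subject: Q3 numbers
Message-ID: <20240101100000.4242@EXCH01.corp.example>
MIME-Version: 1.0
Content-Type: text/plain

See attached.
"""

if __name__ == "__main__":
    cleaned = sanitize_outbound(SAMPLE_OUTBOUND)
    print("before:", [n for n, _ in headers(SAMPLE_OUTBOUND)])
    print("after: ", [n for n, _ in headers(cleaned)])
    print("still leaking:", find_leaks(cleaned))
```

Run stand-alone, the script drops the internal Received line, the X-MS-Exchange and X-Originating-IP headers, and X-Mailer, keeps the public hop, and reports Message-ID as the remaining leak; that one is deliberately not removed because deleting it breaks threading and duplicate detection, so it has to be fixed on the generating server instead.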