Title

For those instances where the organization requires encrypted traffic to be visible to information system monitoring tools, the application transmitting the encrypted traffic must make provisions to allow that traffic to be visible to specific system monitoring. (Cat II impact)

Discussion

There is a recognized need to balance encrypting traffic versus the need to have insight into the traffic from a monitoring perspective. For some organizations, the need to ensure the confidentiality of traffic is paramount; for others, the mission-assurance concerns are greater. Rationale for non-applicability: The mobile application resides at a network endpoint. If it performs end-to-end encryption, then network traffic will not be visible to intermediate devices. IF there is a requirement for monitoring of this traffic, keys must be shared with the intermediate device. Achieving this capability is outside the scope of the mobile application, as the necessary modifications must be made to the intermediate device, not the end points.

Check Content

This requirement is NA for the MAPP SRG.

Fix Text

The requirement is NA. No fix is required.

Additional Identifiers

Rule ID: SV-47004r1_rule

Vulnerability ID: V-35717

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.