GRCWatch
Sign inStart free trial

CIS Controls 3.10: Encrypt Sensitive Data in Transit

Unencrypted data traveling across networks is vulnerable to interception and theft. CIS Control 3.10 requires encrypting all sensitive data in transit using protocols like TLS and OpenSSH. This fundamental control protects customer data, intellectual property, and compliance standing.

What this means

This control mandates that any sensitive information—including credentials, payment data, and personal information—must be encrypted when transmitted over networks. Implementation focuses on industry-standard encryption protocols (Transport Layer Security for web traffic and OpenSSH for remote access) to prevent unauthorized access, eavesdropping, and man-in-the-middle attacks. The goal is ensuring data remains confidential and unaltered during transmission between systems, applications, and users.

How to comply

  1. 1.Deploy TLS 1.2 or higher for all web applications and APIs handling sensitive data
  2. 2.Configure HTTPS as the default protocol and redirect all HTTP traffic to encrypted connections
  3. 3.Implement OpenSSH with strong key-based authentication for remote server access
  4. 4.Enforce encrypted protocols (SFTP, SCP) instead of unencrypted alternatives (FTP, Telnet)
  5. 5.Maintain current SSL/TLS certificates with proper validity periods and renewal processes
  6. 6.Disable weak cipher suites and deprecated encryption protocols in production systems
  7. 7.Monitor and audit encrypted connections for anomalies and failed handshakes
  8. 8.Document all systems and data flows requiring encryption in your data inventory

Evidence auditors look for

  • SSL/TLS certificate inventory with expiration dates and cipher strength documentation
  • Web application security scan results confirming HTTPS enforcement and no mixed content
  • SSH server configuration files showing TLS 1.2+ enforcement and weak ciphers disabled
  • Network traffic logs demonstrating encrypted protocol usage for sensitive data transfers
  • VPN or secure tunnel configurations for remote access and third-party integrations
  • Email encryption implementation details (TLS for SMTP, S/MIME or PGP for content)
  • API gateway or load balancer configurations enforcing end-to-end encryption

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automatically discovers unencrypted data flows in your infrastructure, flags expired certificates before they fail, and generates evidence of TLS/SSH configuration compliance—eliminating manual audits for CIS 3.10.

See how GRCWatch handles this control automatically

Start free trial

Related controls

CIS Controls 3.1 (Inventory of Sensitive Data)CIS Controls 3.11 (Encrypt Sensitive Data at Rest)CIS Controls 4.1 (Establish and Maintain a Secure Configuration Management Process)