GRCWatch
Sign inStart free trial

NIST PR.DS-2: Protect Data in Transit

Data in transit is vulnerable to interception, eavesdropping, and man-in-the-middle attacks. NIST Cybersecurity Framework control PR.DS-2 requires your organization to implement encryption and security measures for all data moving across networks. This control is foundational for protecting sensitive customer, employee, and operational data.

What this means

PR.DS-2 requires that data transmitted across networks—whether internal, cloud-based, or third-party integrations—be protected from unauthorized access and modification. This means encrypting data in flight using industry-standard protocols (TLS, HTTPS, VPNs), securing API communications, and ensuring that network channels maintain data confidentiality and integrity throughout transmission.

How to comply

  1. 1.Implement TLS 1.2 or higher for all web and API communications
  2. 2.Enforce HTTPS across all internal and external-facing applications
  3. 3.Use VPNs or encrypted tunnels for remote access and inter-office data transfers
  4. 4.Apply encryption to email communications (TLS, S/MIME, PGP)
  5. 5.Secure database replication and backup transmissions with encryption protocols
  6. 6.Disable deprecated protocols (SSL 3.0, TLS 1.0, TLS 1.1) and weak ciphers
  7. 7.Require certificate pinning or validation for third-party API integrations
  8. 8.Monitor and log all encrypted connections for anomalies
  9. 9.Document encryption methods, key management processes, and certificate rotation schedules
  10. 10.Test encryption effectiveness through network traffic analysis and penetration testing

Evidence auditors look for

  • Network packet captures showing TLS encryption in active use
  • SSL/TLS certificate inventory with expiration and strength documentation
  • Firewall and proxy logs confirming blocked unencrypted protocols
  • VPN configuration files and access logs for remote workers
  • Email gateway reports showing percentage of encrypted messages
  • API gateway logs with HTTPS/TLS connection details
  • Vulnerability scans confirming no weak cipher suites or deprecated protocols
  • Encryption key management policy and rotation logs
  • Network segmentation diagrams identifying encrypted channels
  • Penetration test results validating data-in-transit protection
  • Third-party vendor encryption agreements and configurations

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automatically discovers and monitors all unencrypted network flows, alerts you when certificates expire or weak ciphers are detected, and generates audit-ready encryption inventories—eliminating manual traffic analysis and security scanning for PR.DS-2 compliance.

See how GRCWatch handles this control automatically

Start free trial

Related controls

PR.DS-1 (Data at Rest Protection)PR.PT-4 (Communications and Control Network Protection)DE.AE-1 (Abnormal Activity Detection)