As cloud service providers navigate FedRAMP, and specifically Revision 5, three security controls have emerged as focal points requiring clear understanding: AC-4(4) Information Flow Enforcement, AU-11 Audit Record Retention, and SI-4(10) Visibility of Encrypted Communications. These controls are representative of changes/updates in federal cloud security requirements.
Why These Controls?
Executive Order 14028 and supporting memorandums (M-21-31 and M-22-09) have shifted federal cybersecurity toward a more mature Investigative and Remediation capability and Zero Trust Architecture.
Let’s talk about encrypted data in transit:
The core principle: never trust, always verify—even encrypted traffic. This means that the traditional approach of encrypting data and assuming that it’s safe is no longer sufficient. Federal agencies need visibility into what’s happening inside those encrypted channels.
The following two controls work together to create a comprehensive security posture where:
- AC-4 (4): Encrypted traffic cannot simply bypass security controls without some level of scrutiny.
- SI-4 (10): All encrypted communication remains visible to monitoring tools.
Not sure which inspection model applies to your CSO? IaaS, PaaS, and SaaS implementations support AC-4(4) and SI-4(10) in very different ways. A quick architecture review can prevent misalignment later in SSP review or assessment. Get the Rev. 5 encrypted traffic architecture overview by speaking with our team today.
AC-4(4): Information Flow Enforcement – Flow Control of Encrypted Information
What This Control Requires
AC-4(4) addresses a critical vulnerability: malicious actors hiding their activities inside encrypted traffic to bypass security controls. This control, added to the FedRAMP High baseline in Rev 5, requires CSPs to support the methods their agency customers use to prevent encrypted information from bypassing information flow control mechanisms, specifically between the agency networks and the Cloud Service Offering (CSO) boundary.
The fundamental requirement: Agencies must choose one or more of the following approaches:
- Decrypt the information before it passes through security controls
- Block the flow of encrypted information that cannot be inspected
- Terminate communications sessions that attempt to transmit uninspected encrypted information
The implementation may look different based on the CSO platform type (IaaS, PaaS, or SaaS) and the use case of the agency customer. Let’s look at methods CSPs may use to support their agency customers with this requirement.
Key Management Solution
Customer-Managed Keys (BYOK/HYOK) – The agency customer maintains control of encryption keys, which are shared with inspection tools under their authority/control while data is transmitted to and from the CSO.
Key Escrow Arrangements Between CSP and Agency Customer
- Encryption keys stored in secure, auditable escrow
- Agency has documented access procedures
- Supports compliance requirements like FedRAMP
Traffic Inspection Architectures
TLS/SSL Inspection Proxies
- Deploy inline inspection appliances in the CSP environment
- Decrypt, inspect, and re-encrypt traffic flows
- Requires trust certificates and key management
Virtual Security Appliances
- Agency deploys its own inspection tools (IDS/IPS, DLP) within CSP infrastructure
- Traffic routed through agency-controlled inspection points
- Maintains agency’s security boundaries
Implementation Considerations
- Certificate management: You’ll need a robust PKI strategy to support decrypt-inspect-re-encrypt operations
- Performance impact: Deep packet inspection adds latency; plan capacity accordingly
- Tool selection: Choose firewalls, WAFs, and proxies that support SSL/TLS decryption
- Documentation: Clearly document your approach in your System Security Plan (SSP). Also, document any agency customer responsibilities having to do with AC-4 (4).
SI-4(10): Information System Monitoring – Visibility of Encrypted Communications
What This Control Requires
SI-4(10), also added to the High baseline in Rev 5, complements AC-4(4) by ensuring that encrypted communications traffic is visible to monitoring tools and mechanisms. While AC-4(4) focuses on enforcement and prevention, SI-4(10) emphasizes detection and visibility.
The fundamental requirement: Make provisions so that organization-defined encrypted communications traffic is visible to organization-defined system monitoring tools and mechanisms.
Key Clarifications
Like the previous AC-4 (4) security control, CSPs are only required to ensure their implementation supports their agency customers’ need for visibility into their encrypted communications traffic, primarily between the agency network and the CSO boundary. This may require further architecture conversations between CSPs and their agency customers.
Also, similar to AC-4 (4), the implementation may look different based on the CSO platform type (IaaS, PaaS, or SaaS) and the use case of the agency customer. Here are some methods that enable CSPs to support their agency customers with this visibility requirement:
Agency inspection of their own inline traffic (between agency network and CSO boundary)
- CSPs should ensure they are not blocking HTTP traffic through the enforcement of HSTS or other mechanisms.
Traffic Flow Monitoring:
- Track source and destination IPs, ports, and protocols
- Baseline traffic patterns and identify anomalous traffic behavior
- No decryption required
TLS/SSL Metadata Inspection:
- Examine certificate details, cipher suites, and TLS versions
- Identify and report on suspicious TLS traffic
- Monitor certificate validity and chains of trust
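As an added example (not the article's own code), the following Python script applies the flow monitoring and TLS metadata checks listed above to constructed connection records, without decrypting anything. The record format, weak-protocol and weak-cipher lists, reference time and baseline are all assumptions made for the illustration.

```python
# Added example: SI-4(10)-style visibility from metadata only (no decryption).
from datetime import datetime, timezone

# Constructed sample records, modelled on what a flow/TLS metadata collector emits.
RECORDS = [
    {"src": "10.1.2.3", "dst": "172.16.0.10", "port": 443, "proto": "tcp",
     "tls": "TLSv1.3", "cipher": "TLS_AES_256_GCM_SHA384",
     "not_after": "2026-12-31T00:00:00+00:00", "chain_ok": True},
    {"src": "10.1.2.4", "dst": "172.16.0.10", "port": 443, "proto": "tcp",
     "tls": "TLSv1.0", "cipher": "TLS_RSA_WITH_RC4_128_SHA",
     "not_after": "2026-12-31T00:00:00+00:00", "chain_ok": True},
    {"src": "10.1.2.5", "dst": "203.0.113.7", "port": 8443, "proto": "tcp",
     "tls": "TLSv1.2", "cipher": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
     "not_after": "2024-01-01T00:00:00+00:00", "chain_ok": False},
]

WEAK_TLS = {"SSLv3", "TLSv1.0", "TLSv1.1"}               # assumed policy
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5")
BASELINE = {("172.16.0.10", 443, "tcp")}                 # constructed known-good flows
REFERENCE_TIME = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed "now" for the demo

def tls_findings(rec, now):
    """Flag weak protocol/cipher, untrusted chain or expired cert from metadata."""
    findings = []
    if rec["tls"] in WEAK_TLS:
        findings.append(f"weak protocol {rec['tls']}")
    if any(m in rec["cipher"] for m in WEAK_CIPHER_MARKERS):
        findings.append(f"weak cipher {rec['cipher']}")
    if not rec["chain_ok"]:
        findings.append("certificate chain not trusted")
    if datetime.fromisoformat(rec["not_after"]) < now:
        findings.append("certificate expired")
    return findings

def flow_findings(rec, baseline):
    """Flag any (dst, port, proto) tuple that is not in the learned baseline."""
    key = (rec["dst"], rec["port"], rec["proto"])
    return [] if key in baseline else [f"off-baseline flow to {key[0]}:{key[1]}/{key[2]}"]

def analyze(records, baseline=BASELINE, now=None):
    """Return {source IP: [findings]} for every record with at least one finding."""
    now = now or datetime.now(timezone.utc)
    report = {}
    for rec in records:
        findings = tls_findings(rec, now) + flow_findings(rec, baseline)
        if findings:
            report[rec["src"]] = findings
    return report

if __name__ == "__main__":
    for src, findings in analyze(RECORDS, now=REFERENCE_TIME).items():
        print(src, "->", "; ".join(findings))
```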
Key Clarifications
Balancing encryption with monitoring: The control acknowledges the need to balance data confidentiality (encryption) with security monitoring (visibility). This isn’t about choosing one over the other; it’s about implementing both. Data should remain encrypted in transit and at rest, but your security tools must still be able to analyze that traffic for anomalies or potentially malicious behavior.
Now, let’s consider log retention:
AU-11: Audit Record Retention
What This Control Requires
AU-11 is not new to Rev 5, but it remains a control that many organizations misunderstand. It applies to both Moderate and High baselines and requires organizations to retain audit records for a specified time period until it’s determined they’re no longer needed.
M-21-31 Appendix C has specific retention requirements for audit records. These retention requirements are directed towards federal agencies, not CSPs. CSPs must define and follow their own retention requirement policies related to auditing of their CSO; that is, unless the CSO is used to retain federal agency audit records.
If CSPs capture audit records for their agency customers, they are not specifically required to retain those audit records; however, they must possess the capability to forward the logs to agencies. CSPs can offload agency customer audit records to their agency customers using technical methods, such as an API. This absolves the CSP from the federal retention requirements. CSPs should thoroughly document this implementation (their responsibility and their agency customer’s responsibility) in their System Security Plans.
FedRAMP Rev. 5 Raises Hard Architecture Questions
If you’re navigating encrypted traffic inspection, agency visibility boundaries, or audit log responsibilities, we can help you pressure-test your approach before it shows up in your SSP or assessor feedback.