NIST CSF 2.0 - Protect

PR.DS-02: Data-in-Transit Protection

PR.DS-02 requires organizations to ensure that the confidentiality, integrity and availability of data-in-transit are protected. This NIST CSF 2.0 control falls under the Protect (PR) function and the Data Security category. Use this checklist to verify implementation and prepare evidence for auditors.

Control Details

Control ID: PR.DS-02
Title: Data-in-Transit Protection
Function: Protect (PR)
Category: Data Security
Framework: NIST CSF 2.0

The confidentiality, integrity and availability of data-in-transit are protected.

This covers encryption and integrity controls for data moving across networks, including internal, external and wireless communications.

Why This Matters

Unencrypted data in transit can be intercepted through man-in-the-middle attacks, network sniffing and compromised network infrastructure. Enforcing TLS with certificate validation prevents both passive eavesdropping and active interception.

Implementation Checklist

Use this checklist to verify your organization meets the requirements of PR.DS-02.

Evidence an Auditor Expects

Prepare the following documentation and artifacts to demonstrate compliance with PR.DS-02 during an audit.

  • TLS configuration scan reports showing protocol versions in use
  • SSL/TLS certificate inventory with expiration tracking
  • VPN configuration documentation
  • Network architecture diagrams showing encrypted segments

Common Gaps We Find

Based on our penetration testing and risk assessment engagements, these are the gaps organizations most frequently have with PR.DS-02.

  • TLS 1.0 and 1.1 remain enabled on legacy systems
  • Internal east-west traffic between servers is unencrypted
  • SSL certificate monitoring is manual and certificates expire without notice
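A small checker that turns a service inventory of the kind auditors ask for into findings for the three gaps above, added here as an example (not the page's or Sherlock Forensics' own tooling); the inventory records, the hostnames and the fixed "today" date are constructed.

```python
"""Flag the common PR.DS-02 gaps in a constructed TLS service inventory."""
import ssl
from datetime import datetime, timezone

# Constructed sample inventory (not real scan output): one record per listening service.
# "protocols" is what the service offers; an empty list means no TLS at all.
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)  # fixed date so results are reproducible
INVENTORY = [
    {"host": "app01.internal", "port": 443, "protocols": ["TLSv1.2", "TLSv1.3"],
     "not_after": "2025-06-01", "zone": "dmz"},
    {"host": "legacy02.internal", "port": 443, "protocols": ["TLSv1.0", "TLSv1.1", "TLSv1.2"],
     "not_after": "2025-01-30", "zone": "internal"},
    {"host": "db03.internal", "port": 5432, "protocols": [], "not_after": None, "zone": "internal"},
]
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}

def assess(inventory, now=NOW, expiry_warn_days=30):
    """Return (host:port, gap) tuples: deprecated protocols, plaintext services, expiring certs."""
    findings = []
    for svc in inventory:
        ident = f"{svc['host']}:{svc['port']}"
        if not svc["protocols"]:
            # No TLS offered: this is the unencrypted east-west traffic case.
            findings.append((ident, "plaintext-service"))
            continue
        for proto in sorted(set(svc["protocols"]) & DEPRECATED):
            findings.append((ident, f"deprecated-protocol:{proto}"))
        if svc["not_after"]:
            expires = datetime.strptime(svc["not_after"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
            days_left = (expires - now).days
            if days_left < 0:
                findings.append((ident, "certificate-expired"))
            elif days_left <= expiry_warn_days:
                findings.append((ident, f"certificate-expires-in:{days_left}d"))
    return findings

def hardened_client_context():
    """Client-side context that refuses TLS 1.0/1.1 and keeps certificate validation on."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and hostname checking by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

if __name__ == "__main__":
    for ident, gap in assess(INVENTORY):
        print(f"{ident}\t{gap}")
```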

FAQ

What does PR.DS-02 require?
PR.DS-02 (Data-in-Transit Protection) requires that the confidentiality, integrity and availability of data-in-transit are protected. This covers encryption and integrity controls for data moving across networks including internal, external and wireless communications. This control is part of the NIST CSF 2.0 Protect function under the Data Security category.
How do I prove compliance with PR.DS-02?
To demonstrate compliance with PR.DS-02, prepare the following evidence: TLS configuration scan reports showing protocol versions in use; SSL/TLS certificate inventory with expiration tracking; VPN configuration documentation. Auditors will verify that these artifacts exist and reflect current operational practices.

Need Help Meeting NIST CSF 2.0 Requirements?

Our penetration testing and risk assessments map directly to NIST CSF 2.0 controls. Sherlock Forensics identifies gaps in your compliance posture and provides actionable remediation guidance.