Guidelines: Secure File Transfer (SFTP) and FTP/s Integration

These guidelines do not apply to SFTP and FTP/S implementations created prior to the release of these guidelines. They also do not apply to information systems used solely within an agency; however, agencies are encouraged to adopt these guidelines for their internal systems.

General Guidelines

  1. SFTP and FTP/S implementations should include:
    • Mechanisms for data and/or file validation.
    • A method to ensure complete file transmission and/or receipt.
    • Archival of historical data and/or files.
    • Lowest possible number of file destination end points.
    • Lowest possible number of authorized users and highest possible access restrictions.
  2. SFTP and FTP/S implementations should be platform independent.
  3. Data/files transferred using SFTP and FTP/S must comply with policy 141.10 Securing Information Technology Assets.

While SFTP and FTP/S are authorized methods of integration, agencies are strongly encouraged to use other integration methods such as Web Services / APIs. The use of SFTP and FTP/S is strongly discouraged as a method of integration because:

  • There is no native ability to validate data.
  • Data transfers can be unreliable without verification of receipt.
  • They require a separate process for ingestion.
  • They lack inherent archival functions.
  • They lack lifecycle management.
  • They promote data replication and increase the data footprint.
  • They require more compute and storage resources than other methods of integration.
  • They carry an increased administrative burden and require more administrative resources than other methods of integration.
  • They increase manual processes that also increase the risk of errors.
  • Implementations may not be platform independent.
  • They increase security risk and expand the threatscape.
  • They may limit the amount of data that can be transferred at one time based on file size limitations.