| Review the SharePoint server to ensure cryptographic mechanisms preventing the unauthorized disclosure of information during transmission are employed, unless the transmitted data is otherwise protected by alternative physical measures.
In SharePoint Central Administration, click Application Management.
On the Application Management page, in the Web Applications list, click Manage web applications.
On the Web Applications Management page, verify that each Web Application URL begins with https.
If the URL does not begin with https, this is a finding.
If SharePoint communications between all components and clients are protected by alternative physical measures that have been approved by the AO, this is not a finding.