This post shows how small and mid-sized organizations can build a VPN encryption strategy to meet NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 control AC.L2-3.1.13 by selecting appropriate VPN technologies (IPsec vs SSL/TLS), applying concrete cryptographic settings, and operationalizing controls to protect Controlled Unclassified Information (CUI) in transit.
What AC.L2-3.1.13 requires and the compliance objective
At its core, AC.L2-3.1.13 requires that organizations protect the confidentiality of CUI during transmission. For practitioners this translates to: (1) identifying all flows that carry CUI, (2) ensuring those flows traverse encrypted tunnels, and (3) using strong, NIST-aligned cryptographic mechanisms and controls (key management, authentication, logging) so the encryption is both effective and auditable. Implementation notes: document which VPN type you use for each use case (site-to-site, remote access, cloud connect), cite the NIST guidance you follow (for example NIST SP 800-52 for TLS and NIST SP 800-77 for IPsec best practices), and record those decisions in the System Security Plan (SSP) and the Configuration Management Database (CMDB).
IPsec vs SSL/TLS — which fits your use cases?
IPsec: best for site-to-site and fixed tunnels
IPsec (IKEv2 + ESP) is typically the right choice for persistent site-to-site tunnels and secure network-to-network links (office-to-cloud, datacenter-to-cloud). Advantages: strong network-layer protection, predictable routing, and broad support in routers and firewalls. Recommended configuration for compliance: IKEv2; AES-GCM (256-bit preferred) for ESP; IKE authentication with X.509 certificates (RSA or ECDSA keys); Diffie-Hellman groups that provide perfect forward secrecy (PFS), i.e. ECDH groups such as curve25519/X25519 or groups 19/20; and SHA-2 family hashes for integrity. Disable legacy algorithms (DES, 3DES, MD5). For DoD/contract work, prefer FIPS 140-validated crypto modules where the contract requires them.
TLS/SSL VPNs: flexible for remote access and BYOD
TLS-based VPNs (VPN appliances using TLS 1.2/1.3 or TLS-based solutions like OpenVPN, AnyConnect, or cloud-based SASE connectors) are often better for remote users and bring-your-own-device scenarios because they operate at the transport layer and integrate client posture checks. For compliance: require TLS 1.3 where possible (or TLS 1.2 with strict cipher suites), enable mutual authentication (client certificates + MFA), prefer AES-GCM ciphers, enable OCSP stapling, and ensure session timeouts and reauthentication policies are enforced. Avoid SSLv3 and TLS 1.0/1.1 entirely.
Practical implementation steps (actionable checklist)
1) Inventory CUI flows: list application endpoints, remote user groups, partner connections, and cloud services that touch CUI.
2) Map each flow to a VPN type: site-to-site IPsec for data center-to-cloud, TLS VPN for remote contractors.
3) Select crypto settings: TLS 1.3 or TLS 1.2 (ECDHE + AES-GCM), IKEv2 with AES-GCM and ECDHE for IPsec, minimum RSA 2048 or ECDSA P-256/384 certificates.
4) Authentication: require MFA for remote user access and use client certs for machine authentication on site-to-site links.
5) Key management: use enterprise PKI or a trusted CA, automate certificate issuance and renewal, publish CRLs and enable OCSP.
6) Device posture: integrate Network Access Control (NAC) or VPN posture checks to deny access from unpatched or non-compliant endpoints.
7) Hardening: disable split tunneling where CUI is accessed, enforce least-privilege access via ACLs on the corporate network, and segment CUI resources behind application firewalls or micro-segmentation.
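The crypto settings from the IPsec and TLS sections above and from step 3 of the checklist can be turned into an offline policy check that flags drift (a legacy cipher re-enabled, a TLS floor lowered). The script below is an added example written for this post, not a vendor tool or part of any VPN product: it scores a strongSwan-style IKE/ESP proposal string and an OpenVPN-style client profile against the recommended settings (AES-GCM, ECDH PFS groups, SHA-2, TLS 1.2 or higher, no DES/3DES/MD5). The sample profiles and the hostname in them are constructed for the example; the directive names (tls-version-min, data-ciphers, auth, tls-cipher) are real OpenVPN directives, and the proposal tokens follow strongSwan naming.

```python
"""
Offline drift check for the VPN crypto policy described on this page.

Added example (not a vendor tool): it scores a strongSwan-style IKE/ESP
proposal string and an OpenVPN-style client profile against the settings the
page recommends. The sample configs at the bottom are constructed.
"""
import re

# Legacy algorithms the page says to disable (plus weak MODP groups without ECDH PFS).
IPSEC_LEGACY = {"des", "3des", "md5", "sha1", "null", "modp768", "modp1024", "modp1536"}
# AES-GCM transforms as strongSwan names them (the ICV length suffix varies).
IPSEC_AES_GCM = re.compile(r"^aes(128|256)gcm(8|12|16)?$")
# ECDH groups offering PFS: ecp256 = group 19, ecp384 = group 20, x25519 = group 31.
IPSEC_PFS_GROUPS = {"ecp256", "ecp384", "ecp521", "x25519"}


def check_ipsec_proposal(kind, proposal):
    """Findings for one proposal such as 'aes256gcm16-prfsha384-ecp384';
    kind is 'ike' or 'esp'. An empty list means the proposal meets policy."""
    findings = []
    tokens = proposal.lower().split("-")
    for t in tokens:
        if t in IPSEC_LEGACY:
            findings.append(f"{kind}: legacy algorithm '{t}' in '{proposal}'")
    if not any(IPSEC_AES_GCM.match(t) for t in tokens):
        findings.append(f"{kind}: no AES-GCM cipher in '{proposal}'")
    if not any(t in IPSEC_PFS_GROUPS for t in tokens):
        findings.append(f"{kind}: no ECDH PFS group in '{proposal}'")
    return findings


def parse_openvpn(text):
    """Map directive -> argument list from OpenVPN-style text; '#' and ';' start
    comments and the last occurrence of a directive wins."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            parts = line.split()
            conf[parts[0].lower()] = parts[1:]
    return conf


def check_openvpn(conf):
    """Findings for a parsed OpenVPN profile against the TLS settings above."""
    findings = []
    ver = conf.get("tls-version-min")
    if ver is None:
        findings.append("tls: tls-version-min missing; TLS 1.0/1.1 may be negotiated")
    elif float(ver[0]) < 1.2:
        findings.append(f"tls: tls-version-min {ver[0]} permits TLS 1.0/1.1")
    # Data-channel cipher: 'data-ciphers' (OpenVPN 2.5+) or the older single 'cipher'.
    if "data-ciphers" in conf:
        ciphers = conf["data-ciphers"][0].split(":")
    elif "cipher" in conf:
        ciphers = conf["cipher"][:1]
    else:
        ciphers = []
        findings.append("tls: no data-channel cipher set; the build default applies")
    for c in ciphers:
        if "GCM" not in c.upper():
            findings.append(f"tls: data-channel cipher '{c}' is not AES-GCM")
    # Control-channel suites, if pinned, must offer ECDHE and GCM.
    for suite in conf.get("tls-cipher", [""])[0].split(":"):
        if suite and ("ECDHE" not in suite.upper() or "GCM" not in suite.upper()):
            findings.append(f"tls: control-channel suite '{suite}' lacks ECDHE or GCM")
    # HMAC for tls-auth/tls-crypt and non-AEAD data channels; OpenVPN defaults to SHA1.
    auth = conf.get("auth", ["SHA1"])[0].upper()
    if auth in {"MD5", "SHA1", "NONE"}:
        findings.append(f"tls: integrity hash '{auth}' is not SHA-2")
    return findings


def audit(ike_proposal, esp_proposal, openvpn_text):
    """Run every check and return the combined findings list."""
    return (check_ipsec_proposal("ike", ike_proposal)
            + check_ipsec_proposal("esp", esp_proposal)
            + check_openvpn(parse_openvpn(openvpn_text)))


# Constructed sample profiles (hostname is a placeholder).
GOOD_OPENVPN = """
client
dev tun
remote vpn.example.test 1194 udp
tls-version-min 1.3
data-ciphers AES-256-GCM:AES-128-GCM
auth SHA256
remote-cert-tls server
cert client.crt    ; client certificate for mutual authentication
key client.key
"""
LEGACY_OPENVPN = """
client
remote vpn.example.test 1194
tls-version-min 1.0
cipher BF-CBC
auth MD5
"""

if __name__ == "__main__":
    for label, ike, esp, ovpn in (
        ("compliant", "aes256gcm16-prfsha384-ecp384", "aes256gcm16-ecp384", GOOD_OPENVPN),
        ("legacy", "3des-md5-modp1024", "aes128-sha1", LEGACY_OPENVPN),
    ):
        print(f"== {label} ==")
        for f in audit(ike, esp, ovpn) or ["no findings"]:
            print(" ", f)
```

Run it from a scheduled job against exported configurations and treat any non-empty findings list as drift to ticket; the ESP check requires a DH group in the ESP proposal because, in strongSwan, omitting it means no PFS for the child SA.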
Real-world small business scenarios
Scenario A — 25-person engineering firm with CUI stored in an AWS VPC: use an IPsec IKEv2 site-to-site tunnel from an on-prem firewall to AWS Transit Gateway using AES-256-GCM, IKEv2, and certificates from the company’s internal PKI. Remote engineers connect with a TLS VPN client (AnyConnect/OpenVPN) configured for TLS 1.3, client certs, and conditional access (device posture check via Intune/MDM). Scenario B — small defense subcontractor sharing drawings with a prime contractor: implement a dedicated IPsec tunnel per prime (separate VTI interfaces), use per-tunnel policy-based ACLs to restrict traffic to only the required file shares, and log all successful and failed connections to a central SIEM for audit evidence.
Operational controls, monitoring, and documentation
Operationalize compliance by logging and monitoring VPN sessions (start/stop, bytes transferred, source/destination IPs), centralizing logs into a SIEM, and creating alerts for anomalous behavior (multiple failed logins, unusual geolocations). Maintain configuration baselines in your CMDB and use automated compliance scanning to detect drift (e.g., weak ciphers re-enabled). Document your encryption choices, key lifecycles, certificate authorities, and incident response procedures in the SSP and Plan of Action and Milestones (POA&M) so auditors can see the “why” and “how.”
Risks of not implementing the requirement correctly
Failing to properly encrypt CUI in transit can lead to eavesdropping, credential interception, lateral movement after compromise, contract violations, and loss of DoD or federal contracts. From a compliance standpoint, weak or misconfigured VPNs create audit findings that can escalate into Plan of Action items or even suspension from DoD programs. Practically, a successful interception of CUI can have immediate business impacts (reputational damage, competitive loss) and legal/regulatory consequences depending on contract clauses.
Compliance tips and best practices
- Adopt a defense-in-depth approach: VPN encryption + endpoint controls + segmentation.
- Use TLS 1.3 where possible and enforce TLS 1.2 with approved cipher suites where legacy is necessary.
- Prefer IKEv2 for IPsec; avoid legacy IKEv1 unless absolutely required.
- Require MFA and, where feasible, short-lived client certificates for remote users.
- Disable split tunneling for devices that access CUI; if split tunneling is necessary, tightly restrict what is allowed.
- Keep VPN appliances and libraries patched and subscribe to vendor security advisories.
- Maintain evidence: configuration snapshots, certificate inventories, log retention policies aligned with contract/audit expectations.
Summary: To satisfy AC.L2-3.1.13 you must identify CUI flows, select the right tunnel type for each use case, apply NIST-aligned cryptographic configurations (IKEv2 + AES-GCM for IPsec; TLS 1.3/ECDHE + AES-GCM for TLS VPNs), enforce strong authentication and endpoint posture, monitor and log activity, and document everything in your SSP/POA&M. For small businesses the pragmatic approach is site-to-site IPsec for fixed links and TLS-based remote access with client certs + MFA for personnel — combined with segmentation and monitoring to demonstrate and maintain compliance.