Requirement
NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - SC.L2-3.13.8 - Implement cryptographic mechanisms to prevent unauthorized disclosure of "Controlled Unclassified Information" (CUI) during transmission unless otherwise protected by alternative physical safeguards.
Understanding the Requirement
This control requires SMBs to identify and apply cryptographic protections (or approved physical alternatives) to stop unauthorized disclosure of CUI while it is being transmitted. You must identify which cryptographic mechanisms are appropriate, identify any acceptable alternative physical safeguards, and then implement either the validated cryptography or those physical protections. Only cryptography validated through the NIST Cryptographic Module Validation Program (CMVP) is acceptable for protecting CUI in transit under this framework (NIST SP 800-171 REV.2 / CMMC 2.0 Level 2), unless an alternative physical safeguard is documented and in place.
Technical Implementation
- Map data flows and label CUI. Start by inventorying where CUI is created, transmitted, and received (email, file transfer, web forms, APIs). Document every network path and identify the systems and people responsible for those flows so you can enforce protections.
- Use CMVP-validated cryptographic modules. For any solution that encrypts CUI in transit (TLS, SFTP, VPN, IPsec), verify that the underlying crypto module is listed by the NIST CMVP. For TLS, use the latest secure version and configure strong cipher suites that rely on validated modules; avoid deprecated algorithms and protocols.
- Deploy secure transport protocols with secure configuration. Implement TLS with proper certificate management (trusted CAs, certificate pinning where appropriate), enforce HTTPS for web access, use SFTP or FTPS with validated modules for file transfers, and require VPNs that use validated crypto for remote administrative or site-to-site traffic.
- Manage keys and certificates properly. Establish procedures for key generation, storage, rotation, revocation, and destruction. Protect private keys with hardware security modules (HSMs) or platform-provided key stores where possible, and document roles for key custodians and administrators.
- Log, monitor, and enforce the policy. Create and enforce a transmission policy that mandates the use of validated cryptography for CUI. Instrument systems to log failed connections, certificate errors, and anomalous transfer patterns; review logs regularly and escalate incidents to system/network administrators and security personnel.
- Document alternative physical safeguards. If you choose non-cryptographic protections (e.g., air-gapped transfers, couriered encrypted media with tamper-evident seals), document why they are sufficient, how they prevent disclosure during transit, and the controls for handling and chain of custody.
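The following script is an added illustration, not part of the original guidance and not code from any vendor or from the Acme example below. It audits an nginx-style TLS server block against the expectations in the steps above (only TLS 1.2/1.3 enabled, no deprecated cipher selectors, HSTS present) and builds the client-side counterpart with Python's standard ssl module. The two configuration samples are constructed for the example; the directive names and cipher strings are real nginx/OpenSSL syntax, but whether a given cipher suite is covered by a module's CMVP certificate must be checked against that module's security policy, which this script does not do.

```python
"""Audit TLS transport settings for CUI endpoints (added example, not from the page)."""
import re
import shlex
import ssl

# Constructed sample: an nginx-style server block that still permits legacy TLS.
WEAK_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:MEDIUM:RC4:3DES:!aNULL;
}
"""

# Constructed sample: the same block hardened to TLS 1.2/1.3, AEAD suites, and HSTS.
HARDENED_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
}
"""

APPROVED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}

# OpenSSL cipher-string tokens that enable deprecated or export-grade algorithms,
# or broad groups (ALL, MEDIUM, LOW) that drag such algorithms in.
WEAK_CIPHER_TOKENS = {
    "RC4", "RC2", "DES", "3DES", "IDEA", "SEED", "MD5",
    "NULL", "aNULL", "eNULL", "EXP", "EXPORT", "LOW", "MEDIUM", "ALL", "COMPLEMENTOFDEFAULT",
}


def parse_directives(config: str) -> dict:
    """Collect ssl_* and add_header directives with their argument lists."""
    directives = {}
    for raw in config.splitlines():
        line = raw.strip().rstrip(";")
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # shlex keeps the quoted HSTS value as one argument
        if parts[0].startswith("ssl_") or parts[0] == "add_header":
            directives.setdefault(parts[0], []).append(parts[1:])
    return directives


def audit_tls_config(config: str) -> list:
    """Return one finding per deviation from the transport policy; an empty list means compliant."""
    findings = []
    directives = parse_directives(config)

    protocols = {p for args in directives.get("ssl_protocols", []) for p in args}
    if not protocols:
        findings.append("ssl_protocols not set: server default may still permit legacy TLS")
    for proto in sorted(protocols - APPROVED_PROTOCOLS):
        findings.append(f"deprecated protocol enabled: {proto}")

    for args in directives.get("ssl_ciphers", []):
        for selector in ":".join(args).split(":"):
            if selector.startswith(("!", "-")):
                continue  # an exclusion removes suites; it does not enable anything
            weak = set(re.split(r"[-+]", selector)) & WEAK_CIPHER_TOKENS
            if weak:
                findings.append(f"weak cipher selector enabled: {selector} ({', '.join(sorted(weak))})")

    has_hsts = any(args and args[0] == "Strict-Transport-Security"
                   for args in directives.get("add_header", []))
    if not has_hsts:
        findings.append("HSTS header missing: first request may be downgraded to plaintext")
    return findings


def hardened_client_context() -> ssl.SSLContext:
    """Client-side counterpart: verify the server certificate and refuse anything below TLS 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED plus hostname checking against system CAs
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    return ctx


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_tls_config(cfg)
        print(f"{label}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

Run against the weak sample, the audit reports the two legacy protocol versions, the MEDIUM, RC4 and 3DES selectors, and the missing HSTS header; the hardened sample produces no findings. The same check can be pointed at exported configurations from a file-transfer gateway or reverse proxy as part of the periodic review described in the logging step.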
Example in a Small or Medium Business
Acme Engineering handles CUI files sent between remote engineers and the central office. The IT manager catalogs each file type that contains CUI and identifies the common transfer methods: internal web portal, email attachments, and developer SFTP. For the web portal, Acme configures HTTPS using TLS with a CMVP-validated TLS library, sets HSTS, and disables weak ciphers. For file transfers, they deploy an SFTP server whose cryptographic module appears on the NIST CMVP list and require employee SFTP clients that are configured to use that validated module. They implement a certificate lifecycle process (issuing, rotating, and revoking certificates) and store private keys on company-managed systems with restricted access. Training for staff covers when to use the secure portal versus physical media, and the company documents an alternative physical safeguard procedure (encrypted USBs transported by two-person custody) for situations where network transfer is impractical. Finally, network administrators enable logging and periodic reviews to confirm that all CUI transfers use approved mechanisms and that any exceptions are documented and approved by security leadership.
Summary
To meet SC.L2-3.13.8, SMBs must identify CUI flows, select and deploy CMVP-validated cryptographic mechanisms (or documented physical alternatives), and operationalize those protections through strong configuration, key management, logging, and policy enforcement. Combined, these policy and technical measures ensure that CUI is protected from unauthorized disclosure while in transit and that any deviations are controlled and auditable.