NIST SP 800-171 / CMMC 2.0 Level 2 control SC.L2-3.13.1 requires organizations to employ cryptographic mechanisms to prevent unauthorized access to Controlled Unclassified Information (CUI) in transit (and where applicable at rest). This post shows how to run a practical gap assessment and build a prioritized remediation roadmap that a small business can implement and evidence for compliance.
Gap assessment approach: scope, evidence, and mapping
Begin with scoping: identify where CUI is created, processed, stored, and transmitted. Create a simple data-flow diagram that lists systems (workstations, servers, SaaS apps, mobile devices), network segments (VPN, remote access, DMZ), storage locations (on-prem SAN, cloud object storage, backups), and interfaces with third parties. Map each data flow to whether it carries CUI and whether cryptographic protections currently exist. Evidence types to collect: TLS/SSH certificate details, VPN configs, disk encryption status, cloud bucket encryption settings, email encryption controls, and key-management procedures.
Step 1: Inventory and classification
For small businesses, practical inventory can be done using a spreadsheet or a lightweight CMDB. Columns should include asset owner, system role, CUI types handled, transmission paths, current encryption mechanism (e.g., TLS 1.2+, IPsec, S/MIME), and any compensating controls. Example: a consultant's laptop (Asset A) stores CUI locally and syncs to OneDrive; identify whether OneDrive is configured with customer-managed keys (CMK) and whether BitLocker/FileVault is enabled on the device (use "manage-bde -status" on Windows and "fdesetup status" on macOS to collect evidence).
Step 2: Technical control verification
Verify cryptography configurations with targeted tests and configuration checks. Test TLS endpoints with SSL Labs or command-line tools (openssl s_client -connect host:443 -servername host) to confirm TLS 1.2 or 1.3, disablement of TLS 1.0/1.1, and that only strong cipher suites are enabled (prefer ECDHE with AES-GCM or ChaCha20-Poly1305; example TLS 1.2 suite: ECDHE-ECDSA-AES256-GCM-SHA384; for TLS 1.3 prefer the standard algorithms). Review server certificates (valid CA, key sizes >=2048-bit RSA or 256-bit ECC) and OCSP/CRL/stapling settings. Check VPN configs to ensure IPsec/IKEv2 with AES-256 and SHA-2 or modern TLS VPNs with strong key exchange. For stored CUI, verify full-disk or volume encryption: BitLocker with AES-XTS 256, FileVault enabled, or cloud provider SSE with CMKs.
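The TLS checks in Step 2 produce a lot of scanner output per endpoint, and the assessor needs a repeatable way to turn it into findings. The following is an added example (not from the original post) that parses the protocol and cipher-suite section of `nmap --script ssl-enum-ciphers` output and applies the policy stated above: only TLS 1.2/1.3, forward-secret key exchange, AEAD bulk ciphers, and RSA keys of at least 2048 bits. The scan text embedded in the script is constructed to exercise the checks, not captured from a real host; the function names are assumptions.

```python
import re

# Constructed sample in the style of `nmap --script ssl-enum-ciphers -p 443 host`.
# It is not output captured from a real host; the suites and grades are chosen
# to exercise every check below.
SAMPLE_NMAP_OUTPUT = """\
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|     cipher preference: client
|_  least strength: C
"""

ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
MIN_RSA_BITS = 2048

PROTO_RE = re.compile(r"^\|\s+(SSLv\d|TLSv1\.\d):\s*$")
CIPHER_RE = re.compile(r"^\|\s+(TLS_[A-Z0-9_]+)\s+\(([^)]*)\)\s+-\s+([A-F])\s*$")
RSA_RE = re.compile(r"rsa\s+(\d+)")


def parse_enum_ciphers(text):
    """Map each protocol version to its list of (suite, key-exchange info, grade)."""
    parsed = {}
    current = None
    for line in text.splitlines():
        m = PROTO_RE.match(line)
        if m:
            current = m.group(1)
            parsed[current] = []
            continue
        m = CIPHER_RE.match(line)
        if m and current is not None:
            parsed[current].append((m.group(1), m.group(2), m.group(3)))
    return parsed


def cipher_is_strong(suite):
    """Policy from the post: forward-secret key exchange (ECDHE, or any TLS 1.3
    suite, which nmap prints with the TLS_AKE_ prefix) and an AEAD bulk cipher
    (AES-GCM or ChaCha20-Poly1305)."""
    forward_secret = "ECDHE" in suite or suite.startswith("TLS_AKE_")
    aead = "_GCM_" in suite or "CHACHA20_POLY1305" in suite
    return forward_secret and aead


def assess(parsed):
    """Return a list of human-readable findings; an empty list means the endpoint passes."""
    findings = []
    for proto, suites in parsed.items():
        if proto not in ALLOWED_PROTOCOLS:
            findings.append(f"{proto} is enabled: disable it (quick win)")
            continue
        for suite, kex, grade in suites:
            if not cipher_is_strong(suite):
                findings.append(f"{proto}: weak suite {suite} offered (nmap grade {grade})")
            m = RSA_RE.search(kex)
            if m and int(m.group(1)) < MIN_RSA_BITS:
                findings.append(f"{proto}: {suite} uses {m.group(1)}-bit RSA (< {MIN_RSA_BITS})")
    if not ALLOWED_PROTOCOLS.intersection(parsed):
        findings.append("neither TLS 1.2 nor TLS 1.3 is offered")
    return findings


def assess_sample():
    """Run the checks over the constructed scan text."""
    return assess(parse_enum_ciphers(SAMPLE_NMAP_OUTPUT))


if __name__ == "__main__":
    # Real use: nmap --script ssl-enum-ciphers -p 443 host > scan.txt && python3 tls_gap.py < scan.txt
    import sys
    text = SAMPLE_NMAP_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    for finding in assess(parse_enum_ciphers(text)) or ["no findings"]:
        print(finding)
```

On the constructed scan this reports two findings: TLS 1.0 enabled, and a non-forward-secret CBC suite still offered under TLS 1.2. Keep the scan file and the script output together as the evidence artifact for that endpoint; the same parse-then-check pattern works for `sslyze` or `openssl s_client` output with a different pair of regular expressions.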
Step 3: Key management and FIPS considerations
Key management is the most common gap. Assess where keys and secrets are generated, stored, rotated, and backed up. Small businesses should consider managed KMS/HSM options (AWS KMS with HSM-backed keys, Azure Key Vault, or on-prem HSMs for high assurance). Check for use of FIPS 140-2/140-3 validated modules where contract language or government customers require it. Document key lifecycles, rotation frequency (e.g., certificates rotated before expiration and symmetric keys rotated annually or per policy), access controls to key material, and logging of key usage. Evidence: KMS access policies, Cloud KMS key metadata, HSM audit logs, and rotation procedures.
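Because key management is the most common gap, it helps to script the lifecycle checks against the key and certificate inventory rather than eyeballing console screenshots. The following is an added example (not from the original post) that audits a constructed inventory for the issues listed above: keys without rotation that are past the annual window, key policies that grant access to the wildcard principal, entries with no recorded owner, and certificates expiring inside a renewal window. The record fields are loosely modelled on what `aws kms describe-key` and `aws kms get-key-rotation-status` return (KeyId, CreationDate, KeyState, KeyRotationEnabled); the Owner, Type, DataClass, NotAfter and Thumbprint columns, the 30-day renewal window and all values are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed key and certificate inventory. Key fields are loosely modelled on
# what `aws kms describe-key` / `aws kms get-key-rotation-status` return; Owner,
# Type, DataClass, NotAfter and Thumbprint are assessment columns added here.
# Every value is made up for the example.
INVENTORY = [
    {
        "KeyId": "key-0001", "Type": "symmetric", "Owner": "it-lead", "DataClass": "CUI",
        "CreationDate": "2022-01-15T00:00:00Z", "KeyState": "Enabled",
        "KeyRotationEnabled": True,
        "Policy": {"Statement": [
            {"Effect": "Allow",
             "Principal": {"AWS": "arn:aws:iam::<account-id>:role/cui-app"},
             "Action": "kms:*"}]},
    },
    {
        "KeyId": "key-0002", "Type": "symmetric", "Owner": "it-lead", "DataClass": "CUI",
        "CreationDate": "2022-03-01T00:00:00Z", "KeyState": "Enabled",
        "KeyRotationEnabled": False,
        "Policy": {"Statement": [
            {"Effect": "Allow", "Principal": "*", "Action": "kms:Decrypt"}]},
    },
    {
        "KeyId": "cert-web-01", "Type": "certificate", "Owner": "", "DataClass": "CUI",
        "NotAfter": "2024-06-20T00:00:00Z",
        "Thumbprint": "<sha256-thumbprint-placeholder>",
    },
]

ROTATION_MAX_AGE = timedelta(days=365)  # post: symmetric keys rotated annually or per policy
CERT_RENEW_WINDOW = timedelta(days=30)  # assumption: renew certificates 30 days before expiry


def _ts(value):
    """Parse the ISO-8601 UTC timestamps used in the inventory."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _policy_allows_anyone(policy):
    """True if any Allow statement names the wildcard principal."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and "*" in principal.values()):
            return True
    return False


def audit_inventory(inventory, now):
    """Return (identifier, finding) tuples for every lifecycle or access violation."""
    findings = []
    for item in inventory:
        ident = item["KeyId"]
        if not item.get("Owner"):
            findings.append((ident, "no owner recorded in the inventory"))
        if item["Type"] == "symmetric":
            age = now - _ts(item["CreationDate"])
            if not item.get("KeyRotationEnabled") and age > ROTATION_MAX_AGE:
                findings.append((ident, f"rotation disabled and key is {age.days} days old"))
            if _policy_allows_anyone(item.get("Policy", {})):
                findings.append((ident, "key policy grants Allow to principal '*'"))
            if item.get("KeyState") != "Enabled" and item.get("DataClass") == "CUI":
                findings.append((ident, f"CUI key is in state {item.get('KeyState')}"))
        elif item["Type"] == "certificate":
            remaining = _ts(item["NotAfter"]) - now
            if remaining <= timedelta(0):
                findings.append((ident, "certificate has expired"))
            elif remaining <= CERT_RENEW_WINDOW:
                findings.append((ident, f"certificate expires in {remaining.days} days; renew now"))
    return findings


def audit_sample(now_iso="2024-06-01T00:00:00Z"):
    """Run the audit over the constructed inventory at a fixed point in time."""
    return audit_inventory(INVENTORY, _ts(now_iso))


if __name__ == "__main__":
    for ident, finding in audit_sample():
        print(f"{ident}: {finding}")
```

The fixed `now` makes the run reproducible, which matters when the output is filed as evidence: the same inventory snapshot and the same date yield the same findings. In a real environment the inventory list would be populated from the KMS CLI output and the certificate export rather than typed in.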
Prioritized remediation roadmap: quick wins to long-term fixes
Organize remediation into three tiers: Quick Wins (0-30 days), Mid-Term (30-90 days), and Long-Term (>90 days). Quick wins include enabling full-disk encryption on all endpoints (BitLocker/FileVault), enforcing TLS 1.2+ on public endpoints, disabling weak ciphers, and applying certificate inventory and expiry tracking. Mid-term tasks include implementing or migrating to a managed KMS/HSM, configuring email protections (S/MIME or secure portals) for CUI exchange, and ensuring cloud storage uses SSE with CMKs. Long-term projects are deploying central certificate management, integrating MDM for mobile encryption enforcement, formalizing key management policies, and possibly obtaining FIPS-validated modules for specific applications.
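The Step 1 inventory spreadsheet and the three remediation tiers fit together naturally: each inventory row either passes or yields one or more gaps, and each gap carries a tier and therefore a due date. The following is an added example (not from the original post) that reads a constructed inventory in the column layout described in Step 1, applies the quick-win and mid-term rules listed above, and emits a tiered roadmap with due dates counted from the assessment start. The CSV rows, the column names, the 180-day Long-Term target (the post only says ">90 days") and the function names are assumptions made for the example.

```python
import csv
import io
from datetime import date, timedelta

# Constructed inventory in the spreadsheet layout the post describes. Columns:
# asset, owner, asset_type (endpoint | server | network | cloud), cui (yes/no),
# path, encryption (semicolon-separated mechanisms, or "none"). Rows are made up.
INVENTORY_CSV = """\
asset,owner,asset_type,cui,path,encryption
Asset A,j.doe,endpoint,yes,OneDrive sync,none
web-01,it-lead,server,yes,HTTPS,TLS 1.0;TLS 1.2
vpn-gw,it-lead,network,yes,IPsec,IKEv2 AES-256 SHA-256
s3-cui-bucket,,cloud,yes,S3,SSE-S3
hr-fileshare,hr-mgr,server,no,SMB,none
"""

# Tiers from the post: Quick Wins 0-30 days, Mid-Term 30-90 days, Long-Term >90 days.
# The 180-day Long-Term target is an assumption; the post only says ">90".
TIER_DAYS = {"Quick Win": 30, "Mid-Term": 90, "Long-Term": 180}
LEGACY_TLS = {"SSL 3.0", "TLS 1.0", "TLS 1.1"}
DISK_ENCRYPTION = {"BitLocker", "FileVault"}


def classify(row):
    """Return (tier, action) pairs for one inventory row; empty if no gap."""
    if row["cui"].strip().lower() != "yes":
        return []  # no CUI on this asset, so outside the scope of SC.L2-3.13.1
    enc = {e.strip() for e in row["encryption"].split(";") if e.strip()}
    asset = row["asset"]
    gaps = []
    if not row["owner"].strip():
        gaps.append(("Quick Win", f"assign an owner for {asset}"))
    if row["asset_type"] == "endpoint" and not enc & DISK_ENCRYPTION:
        gaps.append(("Quick Win",
                     f"enable BitLocker/FileVault on {asset} and record manage-bde/fdesetup evidence"))
    if enc & LEGACY_TLS:
        gaps.append(("Quick Win",
                     f"disable {', '.join(sorted(enc & LEGACY_TLS))} on {asset}; enforce TLS 1.2+"))
    if row["asset_type"] == "cloud" and not any("CMK" in e for e in enc):
        gaps.append(("Mid-Term", f"switch {asset} to server-side encryption with a customer-managed key"))
    if row["asset_type"] in {"server", "network"} and {e.lower() for e in enc} <= {"none"}:
        gaps.append(("Mid-Term", f"encrypt the {row['path']} path on {asset}"))
    return gaps


def build_roadmap(inventory_csv, start_iso):
    """Turn the inventory into a tiered roadmap with due dates counted from start_iso."""
    start = date.fromisoformat(start_iso)
    order = list(TIER_DAYS)
    roadmap = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        for tier, action in classify(row):
            roadmap.append({
                "asset": row["asset"],
                "owner": row["owner"] or "UNASSIGNED",
                "tier": tier,
                "action": action,
                "due": (start + timedelta(days=TIER_DAYS[tier])).isoformat(),
            })
    # sort() is stable, so inventory order is preserved within each tier
    roadmap.sort(key=lambda item: order.index(item["tier"]))
    return roadmap


if __name__ == "__main__":
    for item in build_roadmap(INVENTORY_CSV, "2024-06-03"):
        print(f"{item['due']}  {item['tier']:<9}  {item['owner']:<11}  {item['action']}")
```

Each roadmap entry already has an owner, a tier and a due date, which are three of the four things the project plan below asks you to assign per task; the acceptance criterion and evidence artifact are added when the ticket is raised. Rows with no CUI are skipped so the roadmap stays focused on in-scope systems.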
Remediation project plan example for a small defense subcontractor
Example timeline: Week 1-2: Inventory and evidence collection; Week 3: Enable disk encryption across laptops and enforce MDM; Week 4-6: Harden public-facing services (TLS 1.3 or TLS 1.2 with secure ciphers), fix weak endpoints; Month 2-3: Deploy AWS KMS and migrate server-side keys, roll out VPN configuration updates to remote staff; Month 4-6: Formalize Key Management SOP, run penetration tests, and collect audit logs for attestation. Assign owners, acceptance criteria, and evidence artifacts for each task (screenshots, config files, scan results, ticket numbers).
Compliance tips, tools, and best practices
Use practical tools: SSL Labs, sslyze, nmap --script ssl-enum-ciphers, OpenSSL, certbot for automated certificates, manage-bde/fdesetup, AWS/Azure CLI for KMS checks, and cloud-native compliance reports. Maintain a certificate and key inventory (dates, thumbprints, owner). Document cryptographic policy (accepted algorithms, key lengths, rotation windows) and include it in your System Security Plan (SSP). For small teams, prefer managed services for key management and certificate automation to reduce operational burden. Keep evidence in a compliance repository: screenshots, CLI outputs, policy documents, and change-control tickets.
Risks of non-implementation
Failing to implement SC.L2-3.13.1 exposes CUI to interception, tampering, and exfiltration. Practical consequences include loss of contracts (DoD prime suspensions), financial penalties, reputational damage, and legal liability for data breaches. Technical risks include man-in-the-middle attacks on outdated TLS, stolen unencrypted laptop data, cloud bucket exposures without server-side encryption, and key compromise when unmanaged secrets are stored in plain text; each of these is commonly discovered during DoD assessments and will drive required remediation timelines that can be costly if left until an audit.
In summary, run a focused gap assessment by scoping CUI flows, verifying cryptographic controls with technical tests, auditing key management practices, and then implement a prioritized remediation roadmap that balances quick wins with longer-term improvements like managed KMS/HSM and formalized policies; collect explicit evidence at every step so you can demonstrate compliance with SC.L2-3.13.1 in your SSP and during audits.