Control 3.13.8
Implement Cryptographic Mechanisms for CUI in Transit
Official Requirement
Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.
What This Means in Plain English
All CUI transmitted over a network must be encrypted in transit. This applies whether the data is crossing the internet, a site-to-site link, or a segment between two internal systems; the control does not exempt "trusted" internal networks. The only stated exception is a transmission path protected by alternative physical safeguards (for example, a protected distribution system), and where cryptography is used, 3.13.11 separately requires it to be FIPS-validated.
How Petronella Implements This Control
Petronella Technology Group implements this control through:
- TLS 1.2 or later enforced on all web applications and email transport, with SSL 3.0, TLS 1.0, and TLS 1.1 disabled
- IPsec VPN encryption for all site-to-site and remote access connections
- TLS required (not merely opportunistic STARTTLS) for SMTP sessions carrying CUI, so a downgrade to cleartext delivery cannot succeed
- LDAPS required for all directory service communications, with plain LDAP on port 389 disabled
- FortiGate firewall policies enforcing these encryption standards on all traffic crossing network boundaries, including blocking cleartext protocols
Assessment Guidance
Assessors will test that every channel carrying CUI uses encryption: verify the TLS versions and cipher suites accepted by web servers and mail transport, check the VPN encryption and integrity algorithms in use, and confirm that unencrypted protocols (HTTP, FTP, Telnet, plain LDAP, cleartext SMTP) are disabled or blocked on CUI paths. Expect to provide evidence such as configuration exports, scan output, and firewall policy listings rather than a verbal description.
Common Implementation Gaps
- CUI transmitted via email without enforced TLS (opportunistic STARTTLS alone silently falls back to cleartext)
- Internal network traffic between systems left unencrypted on the assumption that the LAN is trusted
- Deprecated protocol versions still accepted by servers (SSL 3.0, TLS 1.0, TLS 1.1)
- FTP used instead of SFTP or FTPS for file transfers
- Telnet used for network device management instead of SSH
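The assessment steps above (verify accepted TLS versions on web and mail services, confirm cleartext protocols are not listening) can be scripted so the same check runs before an assessor does. The following is an added example written for this page, not a Petronella tool or part of any assessment guide. It uses only the Python standard library: one probe attempts a handshake pinned to a single TLS version, one probes SMTP STARTTLS the same way, one checks whether the cleartext ports named in the gaps list accept connections, and `evaluate()` turns the raw observations into findings. The port list, the finding wording, and the lowering of OpenSSL's security level for the probe are choices made for the example, not requirements of the control.

```python
"""Assessor-style transit-encryption probe for 3.13.8 (added example)."""
import smtplib
import socket
import ssl
import sys

# Versions an assessor expects to see rejected vs. accepted. SSL 3.0 is not
# offered by current client libraries, so it is not probed here.
DEPRECATED = (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1)
ACCEPTABLE = (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3)

# Cleartext services whose presence on a CUI path is a finding (example list).
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 389: "ldap (non-LDAPS)"}


def _probe_context(version):
    """Client context pinned to exactly one TLS version; identity is not verified
    because the question is 'what does the server accept', not 'who is it'."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        # OpenSSL's default security level refuses TLS 1.0/1.1 on the client
        # side; lower it for the probe only so a weak server can be detected.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # library without SECLEVEL support: probe with its defaults
    return ctx


def probe_tls_version(host, port, version, timeout=5.0):
    """True if the server completes a handshake at exactly `version`."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with _probe_context(version).wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False


def probe_smtp_starttls(host, version, port=25, timeout=5.0):
    """True if the MTA advertises STARTTLS and completes a handshake at `version`."""
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                return False
            smtp.starttls(context=_probe_context(version))
            return True
    except (smtplib.SMTPException, ssl.SSLError, OSError):
        return False


def port_open(host, port, timeout=2.0):
    """True if a TCP connection to host:port succeeds (service is listening)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_host(host, tls_ports=(443, 636, 993)):
    """Raw observations: {'tls': {port: {version_name: accepted}}, 'cleartext': {port: open}}."""
    obs = {"tls": {}, "cleartext": {}}
    for port in tls_ports:
        obs["tls"][port] = {v.name: probe_tls_version(host, port, v) for v in DEPRECATED + ACCEPTABLE}
    obs["tls"][25] = {v.name: probe_smtp_starttls(host, v) for v in DEPRECATED + ACCEPTABLE}
    for port in CLEARTEXT_PORTS:
        obs["cleartext"][port] = port_open(host, port)
    return obs


def evaluate(obs):
    """Map observations to 3.13.8 findings. Pure function, so it can be checked
    offline against constructed observations without touching the network."""
    findings = []
    for port, versions in obs["tls"].items():
        accepted = [name for name, ok in versions.items() if ok]
        if not accepted:
            continue  # nothing listening or no handshake at all: not a TLS-version finding
        for name in accepted:
            if ssl.TLSVersion[name] in DEPRECATED:
                findings.append(f"port {port}: deprecated {name} accepted")
        if not any(ssl.TLSVersion[name] in ACCEPTABLE for name in accepted):
            findings.append(f"port {port}: no TLS 1.2+ offered")
    for port, is_open in obs["cleartext"].items():
        if is_open:
            findings.append(f"port {port}: cleartext {CLEARTEXT_PORTS[port]} listening")
    return findings


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    for line in evaluate(probe_host(target)) or ["no 3.13.8 findings"]:
        print(line)
```

Run it as `python3 probe.py mail.example.net` against a host you are authorized to test. A service that accepts TLS 1.2 but also TLS 1.0 is reported as a deprecated-version finding; a listener that only ever completes a deprecated handshake is additionally reported as offering no TLS 1.2+. Ports where no handshake completes at all are skipped rather than flagged, since that is a reachability question, not a cipher-policy one.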
Cross-Framework Mapping
| Framework | Mapped Controls |
|---|---|
| NIST SP 800-53 | SC-8, SC-8(1) |
| HIPAA | 164.312(e)(1) - Transmission Security |
| PCI DSS | Req 4.1 (v3.2.1) / Req 4.2.1 (v4.0) - Use strong cryptography to safeguard cardholder data during transmission over open, public networks (narrower in scope than 3.13.8, which also covers internal links) |
Need Help Implementing 3.13.8?
Our CMMC-RP certified team can assess your current compliance posture and build a remediation plan.
Schedule a Compliance Assessment