Implement cryptographic mechanisms to prevent unauthorized disclosure of “Controlled Unclassified Information” (CUI) during transmission unless otherwise protected by alternative physical safeguards.

Only use cryptography validated through the NIST Cryptographic Module Validation Program (CMVP) to protect the confidentiality of CUI during transmission. Any other approved cryptography cannot be used because it has not been tested and validated to protect CUI. FIPS-validated cryptography is not a requirement for all information; it is only used for the protection of CUI. This encryption guideline must be followed unless an alternative physical safeguard is in place to protect CUI.

The intent of this practice is to ensure CUI is cryptographically protected during transit, particularly on the internet. The most common way to accomplish this is to establish a TLS tunnel between the source and destination using the most current version of TLS. When you transmit “Controlled Unclassified Information” (CUI) over a network it needs to be encrypted. Whatever technology you use to transmit (e.g., SFTP) it needs to be validated by the NIST Cryptographic Module Validation Program. You can see if the cryptography is validated by searching for it on the NIST CMVP page.