NIST SP 800-171 & CMMC 2.0 Control 3.13.8 Requirement:
Implement cryptographic mechanisms to prevent unauthorized disclosure of “Controlled Unclassified Information” (CUI) during transmission unless otherwise protected by alternative physical safeguards.
NIST SP 800-171 & CMMC 2.0 3.13.8 Requirement Explanation:
Use only cryptography validated under the NIST Cryptographic Module Validation Program (CMVP) to protect the confidentiality of CUI in transit. Cryptography that has not been FIPS 140 validated may not be used for this purpose, however strong it is otherwise considered, because it has not been tested and validated by the program. The validation attaches to a specific cryptographic module (a library, firmware or hardware component at a specific version) operating in its approved mode; it does not attach to a protocol name or a product. FIPS-validated cryptography is not required for all information; it is required only where CUI is being protected. This encryption requirement applies unless an alternative physical safeguard protects the CUI while it is transmitted.
Example NIST SP 800-171 & CMMC 2.0 3.13.8 Implementation:
The intent of this practice is to ensure CUI is cryptographically protected while in transit, particularly across the internet. The most common way to accomplish this is to establish a TLS session between the source and destination using a current protocol version (TLS 1.2 or TLS 1.3; TLS 1.0 and 1.1 are deprecated and must not be offered), with the cryptographic module performing that TLS limited to FIPS-approved algorithms. Whatever transport you use (TLS directly, or SFTP over SSH), the requirement attaches to the module doing the encryption, so confirm three things: the module (for example, the OpenSSL or operating-system crypto library inside the product) appears on the NIST CMVP validated modules list, the version you deploy matches the validated version, and the module is configured to run in its FIPS-approved mode. You can check the first of these by searching for the module on the NIST CMVP page.
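The following is an added example, not code from the original page or from any product it describes. It uses Python's standard ssl module to build a TLS client context confined to TLS 1.2/1.3 and AES-GCM cipher suites, and then audits what the underlying library would still offer. The allowlist, the forbidden-token list and the function names are this example's own policy choices, not CMVP artefacts. Pinning protocol versions and cipher suites is necessary but does not by itself satisfy 3.13.8: the OpenSSL build behind ssl must still be a validated module (for instance the OpenSSL FIPS provider) running in FIPS mode, and ssl.OPENSSL_VERSION is the string you compare against the CMVP listing.

```python
"""Added example: a TLS client context for CUI transfer, pinned to TLS 1.2/1.3
and FIPS-approved AES-GCM cipher suites, plus an audit of what the library
would still negotiate. Assumes CPython's ssl module on OpenSSL 1.1.1 or later.
"""
import ssl

# Policy allowlist for TLS 1.2 (this example's assumption, not a CMVP artefact):
# AES-GCM only, ephemeral ECDH key exchange, RSA or ECDSA authentication.
# OpenSSL cipher-string syntax.
FIPS_TLS12_CIPHER_STRING = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"
)

# Tokens that must never appear in a suite carrying CUI: algorithms that are not
# FIPS-approved (ChaCha20, RC4, MD5), deprecated (3DES), unauthenticated (ANON,
# PSK in this policy) or that provide no confidentiality at all (NULL, EXPORT).
FORBIDDEN_TOKENS = ("CHACHA20", "RC4", "3DES", "DES", "MD5", "NULL",
                    "EXPORT", "PSK", "ANON")


def is_fips_approved_suite(name: str) -> bool:
    """Return True only for AES-GCM suites with an acceptable key exchange.

    TLS 1.3 names (TLS_AES_...) carry no key-exchange token because 1.3 always
    uses ephemeral (EC)DH; TLS 1.2 names must say ECDHE or DHE so that static
    RSA key transport (e.g. AES128-GCM-SHA256) is rejected.
    """
    upper = name.upper()
    if any(tok in upper for tok in FORBIDDEN_TOKENS):
        return False
    if "AES" not in upper or "GCM" not in upper:
        return False
    return upper.startswith("TLS_") or "ECDHE" in upper or "DHE" in upper


def build_cui_client_context() -> ssl.SSLContext:
    """Client context that refuses anything below TLS 1.2 and any non-allowlisted
    TLS 1.2 suite, and insists on server certificate + hostname verification."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # TLS 1.0/1.1 are never offered
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    ctx.set_ciphers(FIPS_TLS12_CIPHER_STRING)      # raises SSLError if nothing matches
    ctx.check_hostname = True                       # the peer must prove its identity
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def audit_context(ctx: ssl.SSLContext) -> dict:
    """Report which suites the context would still offer and which are not approved.

    Python's ssl module has no binding for restricting TLS 1.3 suites, so on a
    non-FIPS OpenSSL build TLS_CHACHA20_POLY1305_SHA256 will appear under
    'not_approved' no matter what set_ciphers() was given. That gap is exactly
    why the control wants a validated module in FIPS mode: the FIPS provider
    does not implement ChaCha20-Poly1305, so the suite is simply not offered.
    """
    offered = ctx.get_ciphers()   # list of dicts: name, protocol, kea, auth, ...
    return {
        "openssl": ssl.OPENSSL_VERSION,            # compare with the CMVP listing
        "min_version": ctx.minimum_version.name,
        "offered": [c["name"] for c in offered],
        "not_approved": [c["name"] for c in offered
                         if not is_fips_approved_suite(c["name"])],
        # Suites the policy string actually controls; this must be empty.
        "tls12_not_approved": [c["name"] for c in offered
                               if c["protocol"] != "TLSv1.3"
                               and not is_fips_approved_suite(c["name"])],
    }


if __name__ == "__main__":
    report = audit_context(build_cui_client_context())
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it once on the host that will carry CUI and keep the output with the system security plan: 'openssl' is the version you check against the CMVP entry, 'tls12_not_approved' must be empty, and anything left in 'not_approved' is a TLS 1.3 suite the validated module in FIPS mode is expected to remove.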
NIST SP 800-171 & CMMC 2.0 3.13.8 Scenario(s):
- Scenario 1:
You have digital files containing “Controlled Unclassified Information” (CUI) that your employees need to send back and forth to each other. To facilitate this you set up an SFTP server whose SSH implementation uses a FIPS-validated cryptographic module running in its FIPS-approved mode, and you restrict the server to FIPS-approved algorithms so that nothing else can be negotiated.
Discover Our NIST SP 800-171 & CMMC 2.0 Solutions:
Power through compliance. Meet and maintain your NIST SP 800-171 & CMMC 2.0 compliance requirements.
Transform your business. Create new revenue streams and provide scalability for your NIST SP 800-171 and CMMC 2.0 services.
Supply Chain Verifier
Trust is everything. Verify, monitor, and support subcontractor compliance.