System and Communications Protection 3.13.8

Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.


What Is This CMMC Control?

This control requires organizations to encrypt Controlled Unclassified Information (CUI) when it is being transmitted over networks or communication channels, unless the transmission is protected by alternative physical safeguards like secure cables or conduits. The requirement applies to all devices and systems that can send information, including computers, mobile devices, printers, and network equipment. Organizations must ensure CUI cannot be intercepted or read by unauthorized parties during transmission across both internal networks and external connections like the internet.

Control Intent

Prevent unauthorized disclosure of CUI during transmission by ensuring confidentiality through cryptographic protection or equivalent physical safeguards.

Who This Control Applies To

  • All systems and devices that transmit CUI including servers, workstations, laptops, mobile devices, network infrastructure, printers, copiers, scanners, and facsimile machines
  • Internal network communications between systems processing CUI
  • External network communications including internet connections, VPNs, email, file transfers, and cloud services
  • Wireless networks and communications
  • Remote access connections
  • Any communication path where CUI traverses outside physically protected boundaries

Not Applicable When

  • The organization does not process, store, or transmit CUI
  • All CUI transmission occurs exclusively within a certified Protected Distribution System (PDS) that provides physical protection against interception
  • Transmission occurs over dedicated point-to-point physical connections that are continuously under organizational physical control and protection
  • The system or device never transmits CUI over any network or communication channel

Key Objectives

  1. Protect CUI from interception and unauthorized disclosure during network transmission
  2. Ensure cryptographic mechanisms are implemented for all transmission paths outside physically controlled boundaries
  3. Provide equivalent protection through alternative physical safeguards when cryptographic mechanisms are not feasible
  4. Prevent unauthorized access to CUI transmitted across internal and external networks

Sample Self-Assessment Questions (Partial)

Does your organization transmit CUI over any networks (internal or external)?

What types of devices transmit CUI in your environment (computers, mobile devices, printers, etc.)?

Implementation Approaches (High-Level)

TLS/SSL for Web and Application Traffic

Implement Transport Layer Security (TLS) 1.2 or higher for all web applications, APIs, and application-layer protocols transmitting CUI. Disable older protocols (SSL, TLS 1.0/1.1) and weak cipher suites.

VPN for Remote Access and Site-to-Site Connections

Implement Virtual Private Network (VPN) solutions using strong encryption (IPsec, SSL/TLS VPN) for all remote access to CUI and for site-to-site connections between locations.

Email Encryption (TLS and S/MIME or PGP)

Implement opportunistic TLS for email transport encryption and end-to-end encryption (S/MIME or PGP) for email content containing CUI. Enforce encryption requirements through email gateway policies.

Encrypted File Transfer Protocols

Implement secure file transfer protocols (SFTP, FTPS, HTTPS) for all file transfers containing CUI. Disable insecure protocols (FTP, HTTP) for CUI transmission.

Wireless Network Encryption (WPA2/WPA3 Enterprise)

Implement WPA2-Enterprise or WPA3-Enterprise encryption for all wireless networks that may transmit CUI. Use 802.1X authentication with strong encryption algorithms.

Network Segmentation with Encrypted Tunnels

Implement network segmentation with encrypted tunnels (IPsec, MACsec, encrypted VLANs) between network segments carrying CUI, especially across untrusted or shared infrastructure.

Protected Distribution System (PDS)

Implement a Protected Distribution System providing continuous physical protection of CUI transmission medium against electronic or physical intercept as an alternative to cryptographic mechanisms.

Encrypted Backup and Replication Traffic

Implement encryption for all backup, replication, and disaster recovery traffic containing CUI, whether transmitted over local networks or to remote sites.

Evidence & Assessment Notes

Expected Evidence

Organizations should maintain documentation and evidence demonstrating compliance with this control. This may include policy documentation, configuration records, audit logs, access reviews, and other relevant artifacts that show how the control is implemented and maintained.

Plan of Action & Milestones (POA&M)

  • If encryption cannot be immediately implemented across all transmission paths, prioritize based on risk: external transmissions first, then internal high-risk paths
  • Document specific transmission paths that lack encryption and the timeline for implementation
  • Identify technical barriers to encryption (legacy systems, incompatible protocols) and plan for system upgrades or replacements
  • For legacy systems that cannot support modern encryption, document compensating controls such as network segmentation, enhanced monitoring, or physical isolation
  • If relying on commercial telecommunications providers, document efforts to obtain encryption assurances and any gaps requiring compensating controls
  • Establish interim monitoring and alerting for unencrypted CUI transmission while permanent encryption solutions are implemented
  • Create a phased implementation plan addressing different transmission types (remote access, email, file transfer, internal network) with specific milestones
  • Document any risk acceptances for transmission paths where encryption is technically infeasible, including business justification and compensating controls
  • Plan for encryption key management infrastructure if not already in place
  • Include testing and validation activities in the POA&M to confirm encryption is properly configured and functioning
  • Address training needs for personnel responsible for configuring and maintaining encryption mechanisms
  • Consider quick wins such as enforcing VPN for remote access or enabling TLS for web applications while longer-term solutions are developed
  • Ensure the POA&M includes regular review points to reassess encryption coverage as systems and transmission paths change

Frequently Asked Questions

Does this control require encryption for CUI transmitted over internal networks, or only external networks?

This control applies to both internal and external networks. While external networks (like the internet) are higher risk, internal networks are also susceptible to interception and must be protected unless they are within a Protected Distribution System or other physical safeguard. The control text explicitly states it applies to internal and external networks.

Can we use a Protected Distribution System (PDS) instead of encryption for CUI transmission?

Yes, the control allows for alternative physical safeguards such as a Protected Distribution System where the distribution medium is protected against electronic or physical intercept. However, implementing a compliant PDS requires significant physical security measures including hardened conduits, continuous monitoring, and regular validation. Most organizations find encryption more practical and cost-effective than PDS implementation.

What encryption protocols and key lengths are acceptable for this control?

While the control does not specify exact protocols, NIST guidance (NIST SP 800-52, 800-77, 800-113) recommends TLS 1.2 or higher for transport encryption, AES-256 for symmetric encryption, and RSA 2048-bit or higher for asymmetric encryption. Deprecated protocols like SSL, TLS 1.0/1.1, DES, 3DES, and RC4 should not be used. Organizations should follow current NIST cryptographic standards and disable weak cipher suites.
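The following Python script is an added example, not code from this page, from ConformatIQ, or from NIST. It shows the two sides of the TLS guidance above and in the "TLS/SSL for Web and Application Traffic" and "Encrypted File Transfer Protocols" approaches: a hardened TLS context that refuses anything below TLS 1.2 and excludes the cipher families the FAQ lists as deprecated (DES, 3DES, RC4), and a small audit that runs over constructed scan observations and flags deprecated protocol versions, weak ciphers, and services still observed in cleartext (an FTP server and a printer's scan-to-email SMTP, in the sample). The hostnames and negotiated values are made up; the extra weak-suite markers beyond the FAQ's list (NULL, MD5, EXPORT) and the specific OpenSSL cipher string are this example's assumptions, not requirements stated on the page.

```python
"""Hardened TLS context and a transmission-encryption audit (constructed example)."""
import ssl
from dataclasses import dataclass
from typing import Optional

# Protocol versions the FAQ lists as deprecated: SSL and TLS 1.0/1.1.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}

# Substrings that mark a weak suite. DES, 3DES and RC4 come from the FAQ;
# NULL, MD5 and EXPORT are an added assumption (common weak-suite markers).
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "DES-", "DES_", "NULL", "MD5", "EXPORT")

# OpenSSL cipher string (assumption): forward-secret AEAD suites only, with the
# deprecated families excluded explicitly so a permissive default cannot reintroduce them.
CIPHER_STRING = "ECDHE+AESGCM:DHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES:!DES"


def hardened_context(purpose: ssl.Purpose = ssl.Purpose.SERVER_AUTH) -> ssl.SSLContext:
    """Return an SSLContext that rejects SSLv3/TLS 1.0/TLS 1.1 and weak TLS 1.2 suites."""
    ctx = ssl.create_default_context(purpose)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # handshake fails below TLS 1.2
    ctx.set_ciphers(CIPHER_STRING)                # governs TLS 1.2 suite selection
    return ctx


def assess(protocol: str, cipher: str) -> list:
    """Findings for one negotiated (protocol, cipher) pair; an empty list means acceptable."""
    findings = []
    if protocol in DEPRECATED_PROTOCOLS:
        findings.append(f"deprecated protocol {protocol}")
    upper = cipher.upper()
    for marker in WEAK_CIPHER_MARKERS:
        if marker in upper:
            findings.append(f"weak cipher {cipher} (matched {marker})")
            break
    return findings


def context_report(ctx: ssl.SSLContext) -> dict:
    """Summarise what a context would negotiate; useful as a configuration evidence record."""
    weak = [c["name"] for c in ctx.get_ciphers() if assess("TLSv1.2", c["name"])]
    return {"min_version": ctx.minimum_version.name, "weak_ciphers": weak}


@dataclass
class Observation:
    host: str
    service: str
    protocol: Optional[str]  # None means the service was observed in cleartext
    cipher: Optional[str]


# Constructed scan results; every host and value here is made up for the example.
SAMPLE_OBSERVATIONS = [
    Observation("portal.example.test", "https", "TLSv1.3", "TLS_AES_256_GCM_SHA384"),
    Observation("mail.example.test", "smtp", "TLSv1.0", "RC4-SHA"),
    Observation("files.example.test", "ftp", None, None),
    Observation("mfp-01.example.test", "smtp", None, None),  # printer scan-to-email
]


def audit(observations) -> dict:
    """Map (host, service) to findings; a cleartext service is a finding by itself."""
    results = {}
    for o in observations:
        key = (o.host, o.service)
        if o.protocol is None:
            results[key] = [f"cleartext {o.service} transmission"]
        else:
            results[key] = assess(o.protocol, o.cipher or "")
    return results


if __name__ == "__main__":
    print(context_report(hardened_context()))
    for key, findings in audit(SAMPLE_OBSERVATIONS).items():
        print(key, findings or ["ok"])
```

The `context_report` output is the kind of artifact an assessor can compare against the FAQ's list: it records the enforced minimum version and proves the configured suite list contains none of the excluded families. The audit half is deliberately decoupled from any scanner; feed it whatever your TLS scanner or gateway logs report as the negotiated protocol and cipher per service, and the cleartext entries become the POA&M items for paths that still lack encryption.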

Do printers and copiers need to use encryption when transmitting over the network?

Yes, multifunction devices like printers, copiers, scanners, and fax machines are explicitly mentioned in the control text. If these devices transmit CUI over the network (such as scan-to-email, network printing, or document storage), those transmissions must be encrypted. This typically requires configuring devices to use encrypted protocols like HTTPS, SMTPS, or IPsec, and may require firmware updates on older devices.

If we use a cloud service provider, who is responsible for encryption during transmission?

Responsibility depends on the service model and contract. For SaaS applications, the provider typically handles transmission encryption, but you must verify this through contracts and validate their implementation. For IaaS/PaaS, responsibility is usually shared: the provider encrypts its infrastructure, but you must configure encryption for your own applications and data. Always obtain documented assurances from providers and validate that encryption meets NIST standards. If adequate assurances cannot be obtained, implement compensating controls or consider alternative providers.

What should we do if we have legacy systems that cannot support modern encryption protocols?

Legacy systems that cannot support current encryption standards create a compliance gap. Options include: (1) upgrading or replacing the systems, (2) implementing network-layer encryption (VPN, IPsec tunnels) to protect traffic from legacy systems, (3) isolating legacy systems on physically protected network segments, (4) implementing a Protected Distribution System for legacy system connections, or (5) documenting a risk acceptance with compensating controls in a POA&M. Simply accepting unencrypted transmission without compensating controls or a formal risk acceptance is not compliant.

How ConformatIQ Helps With CMMC Readiness

ConformatIQ is an AI-assisted CMMC readiness platform designed to help organizations prepare for assessments more efficiently. The platform supports document generation such as SSPs and POA&Ms, guided readiness workflows, centralized evidence tracking, and interview preparation for assessments.

Ready to Get Full Guidance?

Access complete implementation details, detailed assessment questions, evidence requirements, and expert guidance for this control.


Information sourced from NIST SP 800-171 Rev. 2.