SC.L2-3.13.8 · NIST SP 800-171 3.13.8

Data In Transit

Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.

3 points if not met · Must be fully met, cannot POA&M · 3 assessment objectives

What an assessor scores, the objectives

SC.L2-3.13.8 is met only when every one of these 3 objectives, from NIST SP 800-171A, is satisfied. A single missed objective makes the whole requirement not met.

  • a. cryptographic mechanisms intended to prevent unauthorized disclosure of CUI are identified
  • b. alternative physical safeguards intended to prevent unauthorized disclosure of CUI are identified
  • c. either cryptographic mechanisms or alternative physical safeguards are implemented to prevent unauthorized disclosure of CUI during transmission

How a C3PAO checks it

NIST SP 800-171A defines three assessment methods. For SC.L2-3.13.8, an assessor uses these:

Examine

System and communications protection policy; procedures addressing transmission confidentiality and integrity; system security plan; system design documentation; system configuration settings and associated documentation; system audit logs and records; other relevant documents or records

Interview

System or network administrators; personnel with information security responsibilities; system developer

Test

Cryptographic mechanisms or mechanisms supporting or implementing transmission confidentiality; organizational processes for defining and implementing alternative physical safeguards

What it means, in context

This requirement applies to internal and external networks and any system components that can transmit information including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, and facsimile machines. Communication paths outside the physical protection of controlled boundaries are susceptible to both interception and modification. Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs), may find it difficult to obtain the necessary assurances regarding the implementation of the controls for transmission confidentiality. In such situations, organizations determine what types of confidentiality services are available in commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary safeguards and assurances of the effectiveness of the safeguards through appropriate contracting vehicles, organizations implement compensating safeguards or explicitly accept the additional risk. An example of an alternative physical safeguard is a protected distribution system (PDS) where the distribution medium is protected against electronic or physical intercept, thereby ensuring the confidentiality of the information being transmitted.

The intent of this requirement is to ensure CUI is cryptographically protected during transit, particularly on the internet. The most common way to accomplish this is to establish a TLS tunnel between the source and destination using the most current version of TLS. This requirement does not specify a mutually authenticated handshake, but mutual authentication is the most secure approach to creating a tunnel. Because the use of cryptography in this requirement is to protect the confidentiality of CUI, the cryptography used must meet the criteria specified in requirement SC.L2-3.13.11. This requirement, SC.L2-3.13.8, requires cryptographic mechanisms be used to prevent the disclosure of CUI in transit and leverages SC.L2-3.13.11, which specifies that the algorithms used must be FIPS-validated cryptography.

Example

You are a system administrator responsible for configuring encryption on all devices that contain CUI. Because your users regularly store CUI on laptops and take them out of the office, you encrypt the hard drives with a FIPS-validated encryption tool built into the operating system. For users who need to share CUI, you install a Secure FTP server to allow CUI to be transmitted in a compliant manner [a]. You verify that the server is using a FIPS-validated encryption module by checking the NIST Cryptographic Module Validation Program website [c]. You turn on the “FIPS Compliance” setting for the server during configuration because that is what is required for this product in order to use only FIPS-validated cryptography [c].

Potential Assessment Considerations

  • Are cryptographic mechanisms used to prevent unauthorized disclosure of information during transmission unless otherwise protected by alternative physical measures (e.g., PDS) [c]?
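An added check for the TLS guidance above and for the per-path walk-through later on this page (example code, not the page's or any assessor's tooling): it connects to one endpoint from your step 2 flows with Python's standard ssl module, refuses anything below TLS 1.2, and flags negotiated protocols or cipher suites outside FIPS-approved algorithm families. The host names, the cipher-name heuristic and the client-certificate option are assumptions; the policy lives in evaluate() so it can be exercised offline without a live endpoint.

```python
"""Probe a CUI transmission path and check what TLS it negotiates.
Added example; the cipher-name heuristic and any host names are assumptions."""
import socket
import ssl
from typing import List, Optional, Tuple

# Floor for "the most current version of TLS": TLS 1.2 or 1.3, nothing older.
ACCEPTED_PROTOCOLS = ("TLSv1.2", "TLSv1.3")
# Tokens in an OpenSSL/IANA suite name that mark a non-FIPS-approved algorithm.
REJECTED_TOKENS = ("RC4", "3DES", "DES-CBC3", "CHACHA20", "MD5", "NULL", "EXPORT")


def evaluate(protocol: str, cipher: str) -> Tuple[bool, List[str]]:
    """Return (compliant, findings) for a negotiated protocol/cipher pair.
    This judges algorithm selection only; whether the module is FIPS-validated
    is the separate CMVP lookup the text describes."""
    findings = []
    if protocol not in ACCEPTED_PROTOCOLS:
        findings.append(f"protocol {protocol} is below the TLS 1.2 floor")
    name = cipher.upper()
    if any(tok in name for tok in REJECTED_TOKENS):
        findings.append(f"cipher {cipher} uses a non-FIPS-approved algorithm")
    elif "AES" not in name:
        findings.append(f"cipher {cipher} does not use AES as the bulk cipher")
    return (not findings, findings)


def make_context(client_cert: Optional[str] = None,
                 client_key: Optional[str] = None) -> ssl.SSLContext:
    """Client context that refuses anything below TLS 1.2. Supplying a client
    certificate gives the mutually authenticated handshake the text recommends
    (the server must also be configured to require it)."""
    ctx = ssl.create_default_context()  # verifies server cert and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if client_cert:
        ctx.load_cert_chain(client_cert, client_key)
    return ctx


def probe(host: str, port: int = 443, timeout: float = 5.0) -> Tuple[bool, List[str]]:
    """Connect to one endpoint from your step 2 flows and evaluate the result.
    A handshake refused by the floor raises ssl.SSLError, which is itself a
    finding to record for that path."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with make_context().wrap_socket(sock, server_hostname=host) as tls:
            protocol = tls.version() or "unknown"
            cipher_name = tls.cipher()[0]
    return evaluate(protocol, cipher_name)
```

Run probe() once per path in your flow inventory and keep the (host, protocol, cipher, findings) tuple as the evidence line for that path.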

What passing evidence looks like

CUI in transit encrypted or otherwise physically protected: TLS on the cloud paths, the VPN on network paths, named per path in one note.

Common ways contractors fail SC.L2-3.13.8

  • Three points. Walk your step 2 flows: for each path CUI travels, name the encryption. The unencrypted path that fails this is usually email to a partner without enforced TLS or a legacy FTP transfer.

The step by step walkthrough for Microsoft 365 GCC High, Google Workspace, and on premises setups, plus the exact evidence to capture, lives inside the Level 2 Accelerator.

Prove SC.L2-3.13.8, and the other 109

The Level 2 Accelerator walks all 110 requirements with you, generates your SSP, POA&M, and Audit Room from real evidence, includes the full Level 1 platform, and puts a credentialed officer alongside you for 180 days. Filed in 180 days, or we work free until you are.

No credit card. Phase 2 begins Nov 10, 2026, when applicable DoD solicitations start requiring a current Level 2 status to win the award.

SC.L2-3.13.8 questions, answered

How many points is CMMC requirement SC.L2-3.13.8 worth?

SC.L2-3.13.8 is worth 3 points in the CMMC Level 2 score under 32 CFR 170.24. If it is not met, you lose 3 from your total of 110.

Can SC.L2-3.13.8 be placed on a POA&M?

No. SC.L2-3.13.8 must be fully met before you can file. It cannot be deferred to a POA&M, so it is a gate on your assessment.

What family does SC.L2-3.13.8 belong to?

SC.L2-3.13.8 is in the System & Communications Protection (SC) family, one of the 14 families of NIST SP 800-171 that make up CMMC Level 2.

Key references
  • NIST SP 800-171 Rev. 2 3.13.8