CMMCDocs.comHome / Glossary / SC.L2-3.13.8
SC.L2-3.13.8
Also known as: Encrypt CUI in transit requirement
The NIST SP 800-171 requirement that mandates the contractor implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission.
SC.L2-3.13.8 requires the contractor to 'implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.' In practice, this is the encrypt-CUI-in-transit requirement.
Acceptable cryptographic mechanisms include TLS 1.2 or higher, IPsec VPN tunnels, S/MIME for email, and similar. The cryptographic module performing the encryption must be FIPS-validated under SC.L2-3.13.11.
A C3PAO will ask for the list of in-transit encryption mechanisms in use, their CMVP certificate numbers, and evidence that CUI never traverses an unencrypted path.
Stop Googling. Start working.
CMMCDocs has all 110 NIST SP 800-171 Rev 2 requirements built in — with the language, the templates, and the evidence vault you need. Spin up a free demo workspace and click around the way an assessor would.
Get my demo account