CMMC Requirement SC.L2-3.13.8 – Data in Transit: Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.
This article provides guidance on protecting data in transit in or out of the Amazon Web Services (AWS) environment. This document provides assessment guidance for conducting Cybersecurity Maturity Model Certification (CMMC) assessments for Level 2. This article describes best practices for data security and encryption within Microsoft’s Azure environment. This article provides a simple explanation of TLS, along with its use cases. Learn more about the challenge and importance of applied cryptography to your organization This NIST Special Publication offers recommendations for designing, configuring, and managing SSL VPN solutions. This NIST Special Publication is one part in a series of documents intended to provide guidance to the Federal Government for using cryptography to protect its sensitive, but unclassified digitized information during transmission and while in storage. This whitepaper outlines the challenges and solutions of data security.
This requirement applies to internal and external networks and any system components that can transmit information including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, and facsimile machines. Communication paths outside the physical protection of controlled boundaries are susceptible to both interception and modification. Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs), may find it difficult to obtain the necessary assurances regarding the implementation of the controls for transmission confidentiality. In such situations, organizations determine what types of confidentiality services are available in commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary safeguards and assurances of the effectiveness of the safeguards through appropriate contracting vehicles, organizations implement compensating safeguards or explicitly accept the additional risk. An example of an alternative physical safeguard is a protected distribution system (PDS) where the distribution medium is protected against electronic or physical intercept, thereby ensuring the confidentiality of the information being transmitted.
Further Discussion
The intent of this requirement is to ensure CUI is cryptographically protected during transit, particularly on the internet. The most common way to accomplish this is to establish a TLS tunnel between the source and destination using the most current version of TLS. This requirement does not specify a mutually authenticated handshake, but mutual authentication is the most secure approach to creating a tunnel.
Because the use of cryptography in this requirement is to protect the confidentiality of CUI, the cryptography used must meet the criteria specified in requirement SC.L2-3.13.11.
This requirement, SC.L2-3.13.8, requires cryptographic mechanisms be used to prevent the disclosure of CUI in-transit and leverages SC.L2-3.13.11, which specifies that the algorithms used must be FIPS-validated cryptography.