Skip to content

SC.L2-3.13.8 Data in Transit

System and Communications Protection 8 of 16 in family

Encrypt in Transit.

Encrypt CUI during transmission — TLS, VPN, encrypted email — unless the path is protected by an approved physical alternative.

The one-liner

CUI sent in clear text across any network — internal or external — is CUI exposed to anyone who can intercept it.

Practice names: DoD CIO CMMC Model Overview v2.0 (CC BY 4.0).

3.13.8 — Encrypt in Transit

Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.

Encrypt every path CUI travels. The strong default is encryption everywhere — the only exceptions are paths protected by an approved alternative safeguard (covered below):

  • Web traffic — HTTPS (TLS 1.2+) on every web application handling CUI. No HTTP.
  • Email — TLS for SMTP transport. Consider S/MIME or message encryption for CUI attachments.
  • File transfers — SFTP, not FTP. SCP, not RCP.
  • Remote access — VPN with encryption (covered by 3.1.13)
  • Internal network — even traffic between CUI systems on the same network should be encrypted if it carries CUI
  • Output and imaging devices — printers, copiers, scanners, and fax machines are transmitting components too; scan-to-email and network printing of CUI ride the network and fall in scope for transit encryption

The encryption must be FIPS-validated per requirement 3.13.11. This means the TLS library, the VPN module, and the email encryption all need FIPS 140 validation certificates.

VPNs, specifically. NIST SP 800-77 and 800-113 split VPNs into two families. IPsec VPNs operate at the network layer and come in gateway-to-gateway (site-to-site) and remote-access architectures; SSL/TLS VPNs come as portal types (browser-based reach into specific applications) and tunnel types (a broader client tunnel). Whichever you run, configure it to use only FIPS-approved algorithms — the AES family, not the deprecated 3DES/TDEA — and make sure the underlying module carries a FIPS validation per 3.13.11.

When encryption isn’t required. The requirement lets an approved alternative stand in for encryption on a given path. Two are recognized:

  • A protected distribution system (PDS) — a transmission path carried entirely within a controlled facility, such as a dedicated fiber link in a physically secured conduit.
  • Common-carrier MPLS — where transmission rides a Multiprotocol Label Switching (MPLS) service provided by a common carrier, the MPLS separation is treated as sufficient protection. Encryption is still preferred, but it is not required on that path.

Both carve-outs are real but narrow. For most organizations, encrypting the path is simpler and cheaper than documenting and defending an alternative — so treat encryption as the default and reach for a carve-out only where it genuinely fits.

The assessor will check your TLS configuration, email transport rules, and file transfer methods.


Your assessor needs a “yes” to every row:

#QuestionWhat “yes” looks like
1Are cryptographic mechanisms identified for protecting CUI in transit?Documented list of encryption methods for each transmission path
2Are alternative physical safeguards identified for any path not protected by cryptography?Documented physical safeguards (e.g., protected distribution system, hand-carry in a locked container) for transmission paths where encryption isn’t used — or a documented statement that cryptography covers every CUI path
3Are cryptographic mechanisms implemented?TLS 1.2+ on web, SMTP TLS for email, SFTP for file transfers, VPN encryption
4Are the mechanisms FIPS-validated?Validation certificates available for each encryption module

Documents they’ll review: System and communications protection policy; system security plan; system design documentation; system configuration settings showing encryption for transit; cryptographic module validation certificates

People they’ll talk to: System or network administrators; personnel with information security responsibilities; system developers

Live demos they’ll ask for: Mechanisms implementing encryption of CUI in transit; TLS configuration; email transport encryption


These are the actual questions. Have answers ready.

  • “What encryption methods do you use for CUI in transit?”
  • “Show me the TLS configuration on a web application — what version and cipher suites?”
  • “Are your email transport rules configured to require TLS? Show me.”
  • “Do you use FTP anywhere? Has it been replaced with SFTP?”
  • “Is internal network traffic encrypted or only external?”
  • “Show me the FIPS validation certificates for your encryption modules.”

HTTP on internal apps. ‘It’s internal so it doesn’t need HTTPS.’ Wrong. Any path CUI travels needs encryption.

Email TLS not enforced. Opportunistic TLS means the system tries TLS but falls back to plain text if the recipient doesn’t support it. For CUI email, enforce TLS — hold messages that can’t be encrypted.

FTP still in use. Legacy file transfer using FTP. Replace with SFTP or SCP.

Old TLS versions. TLS 1.0 and 1.1 are deprecated and vulnerable. Disable them. TLS 1.2 minimum, 1.3 preferred.

SMB without encryption. Internal file shares using SMBv1 or SMBv2 without encryption. Enable SMB 3.0 encryption.



RequirementWhy it matters here
3.13.11 — FIPS or It Doesn’t CountThe encryption modules used here must be FIPS-validated
3.1.13 — Encrypt Remote SessionsEncryption specifically for remote access sessions
3.13.16 — Encrypt CUI at RestCompanion requirement — this is transit, that’s storage
3.8.6 — Encrypt Media in TransitEncryption for physical media being transported