3.13.8 — Encrypt in Transit
What It Says
Section titled “What It Says”Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.
What It Actually Means
Section titled “What It Actually Means”Encrypt every path CUI travels. The strong default is encryption everywhere — the only exceptions are paths protected by an approved alternative safeguard (covered below):
- Web traffic — HTTPS (TLS 1.2+) on every web application handling CUI. No HTTP.
- Email — TLS for SMTP transport. Consider S/MIME or message encryption for CUI attachments.
- File transfers — SFTP, not FTP. SCP, not RCP.
- Remote access — VPN with encryption (covered by 3.1.13)
- Internal network — even traffic between CUI systems on the same network should be encrypted if it carries CUI
- Output and imaging devices — printers, copiers, scanners, and fax machines are transmitting components too; scan-to-email and network printing of CUI ride the network and fall in scope for transit encryption
The encryption must be FIPS-validated per requirement 3.13.11. This means the TLS library, the VPN module, and the email encryption all need FIPS 140 validation certificates.
VPNs, specifically. NIST SP 800-77 and 800-113 split VPNs into two families. IPsec VPNs operate at the network layer and come in gateway-to-gateway (site-to-site) and remote-access architectures; SSL/TLS VPNs come as portal types (browser-based reach into specific applications) and tunnel types (a broader client tunnel). Whichever you run, configure it to use only FIPS-approved algorithms — the AES family, not the deprecated 3DES/TDEA — and make sure the underlying module carries a FIPS validation per 3.13.11.
When encryption isn’t required. The requirement lets an approved alternative stand in for encryption on a given path. Two are recognized:
- A protected distribution system (PDS) — a transmission path carried entirely within a controlled facility, such as a dedicated fiber link in a physically secured conduit.
- Common-carrier MPLS — where transmission rides a Multiprotocol Label Switching (MPLS) service provided by a common carrier, the MPLS separation is treated as sufficient protection. Encryption is still preferred, but it is not required on that path.
Both carve-outs are real but narrow. For most organizations, encrypting the path is simpler and cheaper than documenting and defending an alternative — so treat encryption as the default and reach for a carve-out only where it genuinely fits.
The assessor will check your TLS configuration, email transport rules, and file transfer methods.
Pass or Fail
Section titled “Pass or Fail”Your assessor needs a “yes” to every row:
| # | Question | What “yes” looks like |
|---|---|---|
| 1 | Are cryptographic mechanisms identified for protecting CUI in transit? | Documented list of encryption methods for each transmission path |
| 2 | Are alternative physical safeguards identified for any path not protected by cryptography? | Documented physical safeguards (e.g., protected distribution system, hand-carry in a locked container) for transmission paths where encryption isn’t used — or a documented statement that cryptography covers every CUI path |
| 3 | Are cryptographic mechanisms implemented? | TLS 1.2+ on web, SMTP TLS for email, SFTP for file transfers, VPN encryption |
| 4 | Are the mechanisms FIPS-validated? | Validation certificates available for each encryption module |
What to Have Ready on Assessment Day
Section titled “What to Have Ready on Assessment Day”Documents they’ll review: System and communications protection policy; system security plan; system design documentation; system configuration settings showing encryption for transit; cryptographic module validation certificates
People they’ll talk to: System or network administrators; personnel with information security responsibilities; system developers
Live demos they’ll ask for: Mechanisms implementing encryption of CUI in transit; TLS configuration; email transport encryption
The Assessor’s Playbook
Section titled “The Assessor’s Playbook”These are the actual questions. Have answers ready.
- “What encryption methods do you use for CUI in transit?”
- “Show me the TLS configuration on a web application — what version and cipher suites?”
- “Are your email transport rules configured to require TLS? Show me.”
- “Do you use FTP anywhere? Has it been replaced with SFTP?”
- “Is internal network traffic encrypted or only external?”
- “Show me the FIPS validation certificates for your encryption modules.”
Where Companies Trip Up
Section titled “Where Companies Trip Up”HTTP on internal apps. ‘It’s internal so it doesn’t need HTTPS.’ Wrong. Any path CUI travels needs encryption.
Email TLS not enforced. Opportunistic TLS means the system tries TLS but falls back to plain text if the recipient doesn’t support it. For CUI email, enforce TLS — hold messages that can’t be encrypted.
FTP still in use. Legacy file transfer using FTP. Replace with SFTP or SCP.
Old TLS versions. TLS 1.0 and 1.1 are deprecated and vulnerable. Disable them. TLS 1.2 minimum, 1.3 preferred.
SMB without encryption. Internal file shares using SMBv1 or SMBv2 without encryption. Enable SMB 3.0 encryption.
How to Talk About This
Section titled “How to Talk About This”Connected Requirements
Section titled “Connected Requirements”| Requirement | Why it matters here |
|---|---|
| 3.13.11 — FIPS or It Doesn’t Count | The encryption modules used here must be FIPS-validated |
| 3.1.13 — Encrypt Remote Sessions | Encryption specifically for remote access sessions |
| 3.13.16 — Encrypt CUI at Rest | Companion requirement — this is transit, that’s storage |
| 3.8.6 — Encrypt Media in Transit | Encryption for physical media being transported |