3.13.8 — Encrypt in Transit

The One-Liner

CUI sent in clear text across any network — internal or external — is CUI exposed to anyone who can intercept it.

What It Says

Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.

What It Actually Means

Every path CUI travels must be encrypted:

• Web traffic — HTTPS (TLS 1.2+) on every web application handling CUI. No HTTP.
• Email — TLS for SMTP transport. Consider S/MIME or message encryption for CUI attachments.
• File transfers — SFTP, not FTP. SCP, not RCP.
• Remote access — VPN with encryption (covered by 3.1.13)
• Internal network — even traffic between CUI systems on the same network should be encrypted if it carries CUI

The encryption must be FIPS-validated per requirement 3.13.11. This means the TLS library, the VPN module, and the email encryption all need FIPS 140 validation certificates.

Alternative physical safeguards: The requirement allows physical protection instead of encryption — like a dedicated fiber link in a physically secured conduit. But for most organizations, encryption is far simpler and cheaper.

The assessor will check your TLS configuration, email transport rules, and file transfer methods.

---

Pass or Fail

Your assessor needs a “yes” to every row:

#	Question	What “yes” looks like
1	Are cryptographic mechanisms identified for protecting CUI in transit?	Documented list of encryption methods for each transmission path
2	Are cryptographic mechanisms implemented?	TLS 1.2+ on web, SMTP TLS for email, SFTP for file transfers, VPN encryption
3	Are the mechanisms FIPS-validated?	Validation certificates available for each encryption module

---

What to Have Ready on Assessment Day

Documents they’ll review: System and communications protection policy; system security plan; system design documentation; system configuration settings showing encryption for transit; cryptographic module validation certificates

People they’ll talk to: System or network administrators; personnel with information security responsibilities; system developers

Live demos they’ll ask for: Mechanisms implementing encryption of CUI in transit; TLS configuration; email transport encryption

---

The Assessor’s Playbook

These are the actual questions. Have answers ready.

• “What encryption methods do you use for CUI in transit?”
• “Show me the TLS configuration on a web application — what version and cipher suites?”
• “Are your email transport rules configured to require TLS? Show me.”
• “Do you use FTP anywhere? Has it been replaced with SFTP?”
• “Is internal network traffic encrypted or only external?”
• “Show me the FIPS validation certificates for your encryption modules.”

Real-World Example

A contractor maps all CUI transmission paths: web apps (TLS 1.3 via Azure App Service), email (Exchange Online with TLS 1.2 enforced via connector rules — messages to domains that don’t support TLS are held, not sent in clear text), file transfers (SFTP only — FTP disabled), VPN (IKEv2 with AES-256). Internal traffic between the CUI file server and workstations uses SMB 3.0 with encryption enabled. The assessor tests: tries to connect to the web app over HTTP (redirected to HTTPS), checks the TLS certificate (TLS 1.3, ECDHE-RSA-AES256), and reviews the Exchange connector showing opportunistic TLS upgraded to mandatory TLS for partner domains.

---

Where Companies Trip Up

HTTP on internal apps. ‘It’s internal so it doesn’t need HTTPS.’ Wrong. Any path CUI travels needs encryption.

Email TLS not enforced. Opportunistic TLS means the system tries TLS but falls back to plain text if the recipient doesn’t support it. For CUI email, enforce TLS — hold messages that can’t be encrypted.

FTP still in use. Legacy file transfer using FTP. Replace with SFTP or SCP.

Old TLS versions. TLS 1.0 and 1.1 are deprecated and vulnerable. Disable them. TLS 1.2 minimum, 1.3 preferred.

SMB without encryption. Internal file shares using SMBv1 or SMBv2 without encryption. Enable SMB 3.0 encryption.

---

How to Talk About This

To a CEO or Board

All CUI in transit is encrypted — web, email, file transfers, remote access, and internal network. No sensitive data travels in clear text on any network.

To an Engineering Team

TLS 1.2+ on all web services (1.3 preferred). Exchange: mandatory TLS connectors for CUI recipients. SFTP only — FTP disabled globally. VPN: IKEv2/AES-256. SMB 3.0 encryption on CUI file shares. All modules FIPS-validated. HTTP-to-HTTPS redirect on all services.

---

Connected Requirements

Requirement	Why it matters here
3.13.11 — FIPS or It Doesn’t Count	The encryption modules used here must be FIPS-validated
3.1.13 — Encrypt Remote Sessions	Encryption specifically for remote access sessions
3.13.16 — Encrypt CUI at Rest	Companion requirement — this is transit, that’s storage
3.8.6 — Encrypt Media in Transit	Encryption for physical media being transported

---

Implementation (coming soon)

Step-by-step setup for Microsoft 365 / Entra ID, AWS, Azure, and GCP — console steps, CLI commands, and evidence screenshots.

---

CMMC Practice ID: SC.L2-3.13.8 | SPRS Weight: 3 points | POA&M Eligible: No