SC.L2-3.13.8 — Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.
What this control requires
Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.
Source: CMMC L2 v2.13 SC.L2-3.13.8 / NIST SP 800-171 R2 3.13.8 (official control text).
Why this matters
Controlled Unclassified Information crossing networks—whether internal WiFi, the public internet, or connections to partners—can be intercepted, read, or altered in transit. This control requires encrypting CUI during transmission to render intercepted data useless to adversaries. Without encryption, emails, file transfers, remote desktop sessions, and API calls expose sensitive data to nation-state actors, competitors, and opportunistic attackers. The only exception is when the physical transmission medium itself is fully secured, such as a locked conduit between buildings on a controlled campus—a rare and expensive alternative.
What evidence assessors expect
Assessors typically look for: screenshot, configuration export, CSV export, signed letter. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.
Related controls
See your live posture on SC.L2-3.13.8.
FORCE shows where you stand on this control and walks you through closing it.
Start a free trial tenant →