NIST 800-171 3.13.8Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards
Overview
This control requires organizations to implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. It is part of the System and Communications Protection family and is required for CMMC Level 2 certification. Defense contractors handling CUI must implement this control to protect sensitive information and demonstrate compliance during assessments.
Assessment Objectives
- 1Determine if the organization has defined policies and procedures to implement cryptographic mechanisms to prevent unauthorized disclosure of cui during transmission unless otherwise protected by alternative physical safeguards
- 2Determine if the organization implements mechanisms to implement cryptographic mechanisms to prevent unauthorized disclosure of cui during transmission unless otherwise protected by alternative physical safeguards
- 3Verify that the implementation is consistent with organizational policies and NIST 800-171 requirements
Implementation Guidance
Implement this control by establishing documented policies and procedures, deploying appropriate technical controls, and maintaining evidence of ongoing compliance. Regularly review and test the implementation to ensure effectiveness and address any gaps identified during assessments.
Common Audit Gaps
Related DFARS Clauses
Frequently Asked Questions
What is NIST 800-171 control 3.13.8?
NIST 800-171 control 3.13.8 requires organizations to implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. This control is part of the System and Communications Protection family and is required for CMMC Level 2 certification.
How do you implement NIST 800-171 3.13.8?
To implement control 3.13.8, establish documented policies, deploy technical controls to implement cryptographic mechanisms to prevent unauthorized disclosure of cui dur, and maintain evidence of compliance. Regular testing and monitoring are essential.
What evidence is needed for NIST 800-171 3.13.8?
Evidence for control 3.13.8 typically includes written policies and procedures, system configuration documentation, audit logs showing enforcement, and records of periodic reviews. Assessors will look for both documentation and technical implementation.
Related Controls
3.13.7|Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling)
System and Communications Protection
3.13.9|Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity
System and Communications Protection
3.14.1|Identify, report, and correct system flaws in a timely manner
System and Information Integrity
More in System and Communications Protection
Related Guides
Check your compliance for NIST 800-171 3.13.8
Cabrillo Club automates evidence collection and audit readiness across all 110 NIST 800-171 controls.
Join Free