SC.L2-3.13.4: Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission

📖 What This Means

This control requires using encryption to protect Controlled Unclassified Information (CUI) when it's being sent over networks. Think of it like putting a letter in a locked box before mailing it – even if someone intercepts it, they can't read the contents. You need to use government-approved encryption methods (like TLS 1.2 or higher for web traffic or VPNs for remote connections) whenever CUI is transmitted outside your secure network. For example, when emailing CUI to a subcontractor, you'd use encrypted email. Or when uploading CUI to a cloud system, you'd ensure the connection uses HTTPS with strong encryption.

🎯 Why It Matters

Unencrypted data transmissions are like shouting secrets across a crowded room – anyone listening can capture sensitive information. In 2020, a defense contractor had blueprints for a missile system stolen because they sent files via unencrypted FTP. The average cost of a data breach is $4.45 million (IBM 2023). For DoD contractors, leaked CUI can mean lost contracts, legal penalties, and national security risks. The CMMC requires this because the DFARS clause 252.204-7012 mandates protection of CUI in transit, and modern adversaries routinely intercept unencrypted communications.

✅ How to Implement

1. Enable TLS 1.2+ on all cloud services (AWS ALB, Azure App Gateway) – disable older protocols
2. Configure S3/Blob Storage to only allow HTTPS connections
3. Use cloud-native certificate managers (AWS ACM, Azure Key Vault) for SSL/TLS certificates
4. Implement VPN or Direct Connect for hybrid connections (AWS Client VPN, Azure P2S VPN)
5. Encrypt all API calls between cloud services using mutual TLS (mTLS)
6. Enable encryption-in-transit for database connections (AWS RDS TLS, Azure SQL SSL)
7. Document all encryption configurations in cloud security policies

⏱️

Estimated Effort

Implementation: 8-16 hours (Basic) to 40 hours (Complex legacy systems). Ongoing: 2-4 hours monthly for certificate management and testing. Skill Level: Mid-level network admin with crypto knowledge.

📋 Evidence Examples

Encryption Policy

Format: PDF/DOCX

Frequency: Annual review

Contents: Approved protocols (TLS 1.2+), cipher suites, certificate requirements, and transmission methods for CUI

Collection: Export from document management system

SSL/TLS Configuration Screenshots

Format: PNG/PDF

Frequency: After each change

Contents: Server configurations showing enabled protocols and cipher suites

Collection: Screen capture from IIS/Apache/Nginx admin consoles

VPN Configuration Documentation

Format: PDF

Frequency: Quarterly

Contents: VPN server settings showing FIPS-validated algorithms and authentication methods

Collection: Export from VPN admin console

SSL Labs Scan Results

Format: PDF

Frequency: Monthly

Contents: Recent test showing A or A+ rating for all public-facing services

Collection: Run scan at https://www.ssllabs.com/ssltest/

Certificate Inventory

Format: CSV/XLSX

Frequency: Monthly

Contents: List of all SSL/TLS certificates with expiry dates and responsible parties

Collection: Export from certificate manager or manual inventory

📝 SSP Guidance

Use this guidance when writing the System Security Plan (SSP) narrative for this control.

How to Write the SSP Narrative

For SC.L2-3.13.4 ("Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission"), your SSP narrative should specifically describe: (1) the tools and technologies you use to implement this control, (2) the configuration or process that enforces it, (3) who is responsible for maintaining it, and (4) what evidence proves it's working. Describe your network security architecture, including segmentation, encryption standards, VPN configuration, session management, key management, and monitoring capabilities. Be specific -- name your actual products, settings, and responsible personnel.

Example SSP Narratives

Cloud (Azure/AWS)

"SC.L2-3.13.4 is implemented using cloud-native controls. [Organization] uses [specific cloud service/feature] to implement cryptographic mechanisms to prevent unauthorized disclosure of cui dur.... The configuration is managed through [Azure Policy/AWS Config/Terraform] and monitored via [SIEM tool]. Responsible party: [IT Security Manager]. Evidence: [specific artifact, e.g., 'Azure AD Conditional Access policy screenshot, CloudTrail logs']."

On-Premise

"SC.L2-3.13.4 is implemented through on-premise infrastructure controls. [Organization] uses [Active Directory/Group Policy/specific tool] to implement cryptographic mechanisms to prevent unauthorized disclosure of cui dur.... Configuration is documented in [location] and audited [frequency]. Responsible party: [System Administrator]. Evidence: [specific artifact, e.g., 'Group Policy export, Windows Event logs']."

Hybrid

"SC.L2-3.13.4 is implemented across both cloud and on-premise environments. [Organization] uses [Azure AD Connect/hybrid tool] to ensure consistent enforcement. Cloud resources are managed via [cloud tool] and on-premise systems via [on-prem tool]. Both environments report to [centralized SIEM]. Responsible party: [IT Director]. Evidence: [artifacts from both environments]."

System Boundary Considerations

• Document network architecture with CUI boundary clearly marked
• Identify all encryption mechanisms (at rest and in transit)
• Specify network monitoring and IDS/IPS deployment
• Ensure this control covers all systems within your defined CUI boundary where implement cryptographic mechanisms to prevent unauthorized disclosure of cui during transmission applies
• Document any systems where this control is not applicable and explain why

Key Documentation to Reference in SSP

📄 System and Communications Protection Policy
📄 Network architecture diagram
📄 Firewall rule documentation
📄 Encryption configuration documentation
📄 Evidence artifacts specific to SC.L2-3.13.4
📄 POA&M entry if control is not fully implemented

What the Assessor Looks For

The assessor will review network diagrams for proper segmentation, test encryption settings, verify VPN split tunneling is disabled, and check FIPS 140-2 validation of cryptographic modules.

💬 Self-Assessment Questions

Use these questions to assess your compliance. Each "NO" answer provides specific remediation guidance.

Question 1: Do we have a documented policy requiring encryption for all CUI transmissions?

✅ YES → Proceed to Q2

❌ NO → GAP: Draft encryption policy using NIST SP 800-171 template. Remediate within 30 days.

Remediation:

Template available at: https://csrc.nist.gov/Projects/example-templates

Question 2: Are all external web services (including portals) using TLS 1.2 or higher with FIPS-approved cipher suites?

✅ YES → Proceed to Q3

❌ NO → GAP: Update server configurations immediately. Use Mozilla SSL Config Generator for recommended settings.

Remediation:

Test current config with: openssl s_client -connect yourdomain:443 -tls1_2

Question 3: Do we have a process to monitor and renew SSL/TLS certificates before expiration?

✅ YES → Proceed to Q4

❌ NO → GAP: Implement certificate monitoring (e.g., CertSpotter) and calendar reminders 60 days pre-expiry.

Remediation:

Free monitoring option: https://certspotter.com/

Question 4: Are all remote access solutions (VPN, RDP) using FIPS-validated encryption?

✅ YES → Proceed to Q5

❌ NO → GAP: Upgrade VPN to use AES-256-GCM and disable weak protocols. For OpenVPN: add 'tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384'

Remediation:

Verify FIPS mode: Windows - Get-FipsAlgorithmPolicy; Linux - cat /proc/sys/crypto/fips_enabled

Question 5: Can we produce evidence of recent encryption testing (e.g., SSL Labs scans)?

✅ YES → COMPLIANT

❌ NO → GAP: Conduct immediate scan and schedule quarterly automated scans. Document results.

Remediation:

Quick test: nmap --script ssl-enum-ciphers -p 443 yourdomain.com

⚠️ Common Mistakes (What Auditors Flag)

1. Using outdated protocols (SSLv3, TLS 1.0/1.1)

Why this happens: Legacy system dependencies or lack of awareness

How to avoid: Run monthly scans with SSL Labs and maintain an exception log for any legacy systems

2. Self-signed certificates in production

Why this happens: Cost avoidance or temporary solutions becoming permanent

How to avoid: Use free certificates from Let's Encrypt or enterprise PKI

3. No documentation of cipher suite selections

Why this happens: Focus only on implementation, not evidence

How to avoid: Create a 'Crypto Configuration Standard' document with screenshots

4. Emailing CUI as unencrypted attachments

Why this happens: User convenience over security

How to avoid: Implement mandatory encryption plugins (e.g., Microsoft Purview Message Encryption)

5. Assuming cloud providers handle all encryption

Why this happens: Shared responsibility model misunderstanding

How to avoid: Explicitly configure encryption settings per service (e.g., AWS S3 default encryption)

📚 Parent Policy

This practice is governed by the System and Communications Protection Policy

View SC Policy →

📚 Related Controls

SC.L2-3.13.11 (Employ FIPS-validated cryptography) SC.L2-3.13.8 (Protect authenticity of communications sessions) SI.L2-3.14.4 (Monitor communications for unauthorized exfiltration)