NIST 800-171 • LEVEL 2 • SYSTEM AND COMMUNICATIONS PROTECTION
3.13.8 — Transmission and Storage Confidentiality
This requirement applies to internal and external networks and any system components that can transmit CUI, including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, facsimile machines, and radios. Unprotected communication paths are susceptible to interception and modification. Encryption protects CUI from unauthorized disclosure during transmission and while in storage. Cryptographic mechanisms that protect the confidentiality of CUI during transmission include TLS and IPsec. Information in storage (i.e., information at rest) refers to the state of CUI when it is not in process or in transit and resides on internal or external storage devices, storage area network devices, and databases. Protecting CUI in storage does not focus on the type of storage device or the frequency of access to that device but rather on the state of the information. This requirement relates to [03.13.11](#/cprt/framework/version/SP_800_171_3_0_0/home?element=03.13.11).
CMMC Practice Mapping
Assessment Objectives
- cryptographic mechanisms are implemented to prevent the unauthorized disclosure of CUI during transmission.
- cryptographic mechanisms are implemented to prevent the unauthorized disclosure of CUI while in storage.
Practitioner Notes
CUI needs to be encrypted whenever it is moving across a network and whenever it is sitting on a disk. If someone intercepts the traffic or steals the drive, they should not be able to read the data.
Example 1: For data in transit, enforce TLS 1.2 or higher on all web services and email. In the M365 admin center, go to Exchange admin center > Mail flow > Connectors and configure your mail flow connectors to require TLS. On IIS or your web server, disable TLS 1.0 and 1.1 via registry settings or the IIS Crypto tool.
Example 2: For data at rest, enable BitLocker Drive Encryption on all endpoints via GPO: Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption. Require TPM + PIN for OS drives. Store recovery keys in Active Directory. Verify encryption status across your fleet using manage-bde -status or the BitLocker Recovery report in MBAM/Intune.
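A read-only audit covering both examples, added here as an illustration and not taken from the NIST text or any vendor tool: it reports whether TLS 1.0/1.1 are explicitly disabled in the standard Schannel registry location and whether each BitLocker volume is protected, uses TPM+PIN on the OS drive, and carries a recovery password that can be escrowed to Active Directory. It assumes a domain-joined Windows host with the BitLocker PowerShell module, run from an elevated session.

```powershell
# Added audit example (not from the NIST text). Read-only: it changes nothing.
# Assumes an elevated session on a Windows host with the BitLocker module.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$findings = @()

# Example 1 check: legacy TLS counts as disabled only when Enabled=0 and
# DisabledByDefault=1 are set explicitly; a missing key means OS defaults apply.
foreach ($proto in 'TLS 1.0', 'TLS 1.1') {
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path $base "$proto\$side"
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $off = $p -and ($p.Enabled -eq 0) -and ($p.DisabledByDefault -eq 1)
        if (-not $off) { $findings += "Schannel: $proto $side is not explicitly disabled" }
    }
}

# Example 2 check: protection on, TPM+PIN on the OS volume, recovery password present.
# Whether that password actually reached AD must be confirmed against AD itself.
foreach ($vol in Get-BitLockerVolume) {
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    if ($vol.ProtectionStatus -ne 'On') {
        $findings += "BitLocker: $($vol.MountPoint) protection status is $($vol.ProtectionStatus)"
    }
    if ($vol.VolumeType -eq 'OperatingSystem' -and $types -notcontains 'TpmPin') {
        $findings += "BitLocker: OS drive $($vol.MountPoint) has no TPM+PIN protector"
    }
    if ($types -notcontains 'RecoveryPassword') {
        $findings += "BitLocker: $($vol.MountPoint) has no recovery password to escrow in AD"
    }
}

if ($findings.Count -eq 0) {
    'PASS: TLS and BitLocker settings match the 3.13.8 practitioner notes'
} else {
    $findings | ForEach-Object { "FAIL: $_" }
}
```

Run it as part of a fleet-wide check (for example through a scheduled task or your endpoint management tool) and collect the FAIL lines as evidence for the assessment objectives.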