Requirement text: SC.3.185: Implement cryptographic mechanisms to prevent unauthorized disclosure
of CUI during transmission unless otherwise protected by alternative physical safeguards.
DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
This requirement applies to internal and external networks and any system components that
can transmit information including servers, notebook computers, desktop computers,
mobile devices, printers, copiers, scanners, and facsimile machines. Communication paths
outside the physical protection of controlled boundaries are susceptible to both interception
and modification. Organizations relying on commercial providers offering transmission
services as commodity services rather than as fully dedicated services (i.e., services which
can be highly specialized to individual customer needs), may find it difficult to obtain the
necessary assurances regarding the implementation of the controls for transmission
confidentiality. In such situations, organizations determine what types of confidentiality
services are available in commercial telecommunication service packages. If it is infeasible
or impractical to obtain the necessary safeguards and assurances of the effectiveness of the
safeguards through appropriate contracting vehicles, organizations implement
compensating safeguards or explicitly accept the additional risk. An example of an
alternative physical safeguard is a protected distribution system (PDS) where the
distribution medium is protected against electronic or physical intercept, thereby ensuring
the confidentiality of the information being transmitted.
CMMC CLARIFICATION
Use only FIPS-validated cryptography to protect the confidentiality of CUI during
transmission: a validated module has been tested under the NIST Cryptographic Module
Validation Program (CMVP) and shown to meet FIPS 140-3 requirements. Cryptography that is
merely approved, that is, an approved algorithm implemented in a module that has not itself
been validated, may not be used to protect CUI, because it has not been tested and validated
for that purpose. FIPS-validated cryptography is not required for all information; it is
required for the protection of CUI. This encryption requirement applies unless an alternative
physical safeguard is in place to protect the CUI during transmission.
Example
You are an IT administrator responsible for employing encryption on all devices that
contain CUI for your organization. You install a Secure FTP server so that CUI can be
transmitted in a compliant manner. You verify that the server's cryptographic module is listed
on the NIST Cryptographic Module Validation Program (CMVP) website, checking that the module
name, version and operating environment on the certificate match what you have deployed and
that the certificate is still active. You turn on the “FIPS Compliance” setting for the server
during configuration, since that is what this product requires in order to run the module in
its validated mode and use only FIPS-validated cryptography; outside that mode the module is
not operating under its validation, even if it offers the same algorithms.
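The CMVP lookup above establishes that the module is validated; a complementary check is that the server is configured to negotiate only approved algorithms, so that a client cannot pull the session onto a non-approved cipher or key exchange. The script below is an added example and is not part of the CMMC or NIST text. It assumes the Secure FTP server is OpenSSH (SFTP over SSH) and audits an sshd_config for the Ciphers, MACs and KexAlgorithms directives. The allow lists are a conservative assumption (AES and SHA-2 based algorithms, NIST curves and SP 800-56A finite-field groups only); the Security Policy of the validated module actually deployed is authoritative and should replace them. The two configurations are constructed samples, not taken from any real host.

```python
"""Audit an OpenSSH sshd_config for algorithms outside a FIPS-approved allow list.

Added example, not part of the CMMC or NIST source text. Assumes the SFTP
server is OpenSSH. ALLOW_LIST is a conservative assumption; the Security
Policy of the CMVP-validated module actually deployed is authoritative.
"""
import re

ALLOW_LIST = {
    "Ciphers": {
        "aes128-ctr", "aes192-ctr", "aes256-ctr",
        "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
    },
    "MACs": {
        "hmac-sha2-256", "hmac-sha2-512",
        "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com",
    },
    "KexAlgorithms": {
        "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
        "diffie-hellman-group14-sha256",
        "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512",
    },
}


def parse_algorithm_directives(config_text):
    """Return {directive: raw value} for Ciphers, MACs and KexAlgorithms.

    Mirrors sshd behaviour: keywords are case-insensitive, the first
    occurrence of a keyword wins, '#' starts a comment, and both
    'Keyword value' and 'Keyword=value' forms are accepted.
    """
    found = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2 or not parts[1]:
            continue
        key, value = parts
        for directive in ALLOW_LIST:
            if key.lower() == directive.lower() and directive not in found:
                found[directive] = value
    return found


def audit(config_text):
    """Return a list of findings; empty means every directive is explicitly
    set and contains only allow-listed algorithms."""
    findings = []
    found = parse_algorithm_directives(config_text)
    for directive, allowed in ALLOW_LIST.items():
        if directive not in found:
            # Unset means compiled-in defaults apply; for Ciphers those include
            # chacha20-poly1305@openssh.com, which is not FIPS-approved.
            findings.append(f"{directive}: not set; compiled-in defaults apply")
            continue
        value = found[directive]
        if value[0] in "+-^":
            # '+', '-' and '^' edit the default list instead of replacing it, so
            # the effective set depends on the build; require an explicit list.
            findings.append(f"{directive}: relative list {value!r} modifies the defaults; set an explicit list")
            continue
        algs = [a.strip() for a in value.split(",") if a.strip()]
        rejected = [a for a in algs if a not in allowed]
        if rejected:
            findings.append(f"{directive}: not in allow list: {', '.join(rejected)}")
    return findings


# Constructed sample configurations (not taken from any real host).
WEAK_CONFIG = """\
Port 22
Subsystem sftp internal-sftp
# Ciphers left at defaults; MACs and KexAlgorithms include non-approved entries.
MACs hmac-sha2-256,umac-64-etm@openssh.com
KexAlgorithms curve25519-sha256,ecdh-sha2-nistp256
"""

HARDENED_CONFIG = """\
Port 22
Subsystem sftp internal-sftp
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group16-sha512
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit(cfg)
        print(f"{name}: {'PASS' if not result else 'FAIL'}")
        for finding in result:
            print("  -", finding)
```

A passing audit is necessary but not sufficient: restricting the negotiable algorithms does not make a module validated, and a module offering only approved algorithms is still outside its validation if it is not running in the mode its Security Policy describes. The CMVP entry (module name, version, operating environment, certificate status) together with the enabled FIPS mode remains the evidence for this practice; the audit only confirms that the configuration cannot negotiate away from it.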
References
• NIST SP 800-171 Rev 1 3.13.8
• NIST CSF v1.1 PR.AC-2
• CERT RMM v1.2 KIM:SG4.SP1
• NIST SP 800-53 Rev 4 SC-8(1)