
3.13.8 System and Communications Protection - Derived

Derived Requirement

>Control Description

Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.

>Discussion

This requirement applies to internal and external networks and any system components that can transmit information including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, and facsimile machines. Communication paths outside the physical protection of controlled boundaries are susceptible to both interception and modification. Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs) may find it difficult to obtain the necessary assurances regarding the implementation of the controls for transmission confidentiality.

In such situations, organizations determine what types of confidentiality services are available in commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary safeguards and assurances of the effectiveness of the safeguards through appropriate contracting vehicles, organizations implement compensating safeguards or explicitly accept the additional risk. An example of an alternative physical safeguard is a protected distribution system (PDS) where the distribution medium is protected against electronic or physical intercept, thereby ensuring the confidentiality of the information being transmitted.

See [NIST CRYPTO].
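The control above has two halves: encrypt CUI in transit, or show that the path is covered by an alternative physical safeguard such as a PDS. The script below is an added example (it is not part of this page or of NIST SP 800-171) that turns those two halves into an auditable check. It builds a client-side TLS context that refuses anything below TLS 1.2, and it evaluates a constructed transport inventory (hostnames, ports, accepted protocols and cipher suites are all made up for the example) against a simplified policy. The list of disallowed cipher-name fragments is an assumption for illustration; a real policy comes from the CMVP security policy of the validated module in use.

```python
"""Transmission-confidentiality check in the spirit of NIST SP 800-171 3.13.8.

Added example; hostnames, ports and the policy token list are constructed
assumptions, not values from the control text or any real environment.
"""
import ssl
from dataclasses import dataclass, field

# Cipher-name fragments treated as non-approved under this sample policy
# (assumption for the example: RC4, DES/3DES, NULL, export grades, MD5 and
# anonymous key exchange). Validate against the module's security policy.
DISALLOWED_CIPHER_TOKENS = ("NULL", "EXP", "RC4", "DES", "MD5", "ADH", "AECDH")

# Protocol versions that must not be negotiable on a CUI transmission path.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


@dataclass
class TransportRecord:
    """One observed transmission path for CUI (constructed inventory record)."""
    host: str
    port: int
    encrypted: bool                                   # TLS/IPsec present at all?
    protocols: list = field(default_factory=list)     # protocol versions accepted
    ciphers: list = field(default_factory=list)       # cipher suites accepted
    physically_protected: bool = False                # carried inside a PDS?


def build_cui_client_context(cafile=None):
    """Client context meeting the sample policy: TLS 1.2+, verified peer,
    AEAD suites with forward secrecy for TLS 1.2 (TLS 1.3 suites are fixed)."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:DHE+AESGCM")
    return ctx


def evaluate_transport(rec):
    """Return a list of findings for one path; empty means the control is met."""
    findings = []
    where = f"{rec.host}:{rec.port}"
    if not rec.encrypted:
        # The control allows an unencrypted path only when a physical
        # safeguard (e.g. a PDS) protects the medium instead.
        if not rec.physically_protected:
            findings.append(f"{where}: CUI transmitted unencrypted with no PDS")
        return findings
    for proto in rec.protocols:
        if proto in LEGACY_PROTOCOLS:
            findings.append(f"{where}: accepts legacy protocol {proto}")
    for suite in rec.ciphers:
        hits = [t for t in DISALLOWED_CIPHER_TOKENS if t in suite.upper()]
        if hits:
            findings.append(f"{where}: non-approved suite {suite} ({', '.join(hits)})")
    return findings


def audit_inventory(records):
    """Map 'host:port' to its findings, keeping only paths that fail."""
    report = {}
    for rec in records:
        findings = evaluate_transport(rec)
        if findings:
            report[f"{rec.host}:{rec.port}"] = findings
    return report


# Constructed inventory: a compliant file server, a multifunction printer
# with legacy settings, a plaintext fax gateway, and a link inside a PDS.
SAMPLE_INVENTORY = [
    TransportRecord("files.example.internal", 443, True,
                    ["TLSv1.2", "TLSv1.3"],
                    ["ECDHE-RSA-AES256-GCM-SHA384", "TLS_AES_256_GCM_SHA384"]),
    TransportRecord("mfp-printer.example.internal", 443, True,
                    ["TLSv1", "TLSv1.2"],
                    ["RC4-SHA", "DES-CBC3-SHA", "AES128-SHA"]),
    TransportRecord("fax-gateway.example.internal", 25, False),
    TransportRecord("scada-link.example.internal", 502, False,
                    physically_protected=True),
]


def local_context_is_compliant():
    """Check that the context this host builds offers no disallowed suite."""
    ctx = build_cui_client_context()
    offered = [c["name"] for c in ctx.get_ciphers()]
    probe = TransportRecord("localhost", 0, True, ["TLSv1.2", "TLSv1.3"], offered)
    return ctx.minimum_version == ssl.TLSVersion.TLSv1_2 and not evaluate_transport(probe)


if __name__ == "__main__":
    for path, findings in audit_inventory(SAMPLE_INVENTORY).items():
        for f in findings:
            print(f)
    print("local client context compliant:", local_context_is_compliant())
```

The inventory records stand in for whatever a scanner or configuration-management export produces; the point is that "accepts TLS 1.0" and "offers RC4" become concrete findings an assessor can be shown, and that the PDS exception is recorded explicitly rather than assumed.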

>Cross-Framework Mappings

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What policies govern implementation of cryptographic mechanisms?
  • What procedures ensure FIPS-validated cryptography is used?
  • Who approves cryptographic technologies and implementations?
  • How often is cryptographic implementation reviewed?
  • What governance ensures appropriate cryptographic protection?

Technical Implementation:

  • What FIPS 140-2 validated cryptography is implemented?
  • How do you enforce cryptographic protection for CUI?
  • What encryption is used for data in transit and at rest?
  • How do you manage cryptographic keys?
  • What monitoring ensures cryptographic controls are active?

Evidence & Documentation:

  • Can you provide FIPS 140-2 validation certificates?
  • What documentation shows cryptographic implementations?
  • Can you demonstrate encryption usage across systems?
  • What evidence proves cryptographic protection adequacy?
  • What audit findings verify cryptographic compliance?
