GRCWatch
Sign inStart free trial

SC.L2-3.13.8: Protect Data in Transit with Cryptography

Data in transit is a critical vulnerability window for CUI exposure. SC.L2-3.13.8 requires you to implement cryptographic mechanisms that prevent unauthorized disclosure when sensitive information moves across networks. Without encryption safeguards, your organization faces regulatory penalties and breach liability.

What this means

This control mandates the use of cryptographic mechanisms—such as TLS, IPsec, or VPN protocols—to encrypt Controlled Unclassified Information (CUI) as it travels across networks or wireless communications. You must protect data in transit unless alternative physical safeguards (air-gapped networks, dedicated secure conduits) provide equivalent protection. The goal is to ensure that even if data is intercepted, it remains unreadable without proper decryption keys.

How to comply

  1. 1.Identify all systems and network paths where CUI is transmitted, including internal networks, cloud connections, and third-party integrations.
  2. 2.Deploy encryption protocols (TLS 1.2+, IPsec, SSH) on all data-in-transit channels that carry CUI.
  3. 3.Implement certificate management and key rotation procedures to maintain cryptographic validity.
  4. 4.Disable weak or legacy encryption standards (SSL 3.0, TLS 1.0) that no longer meet security standards.
  5. 5.Configure firewalls and network devices to enforce encrypted tunnels for sensitive data flows.
  6. 6.Test encrypted connections using tools like nmap or Qualys to verify encryption is properly implemented.
  7. 7.Document all encrypted communication paths and the cryptographic standards applied to each.
  8. 8.Review vendor contracts and SaaS providers to confirm they enforce encryption for CUI in transit.

Evidence auditors look for

  • Network configuration screenshots showing TLS/IPsec enabled on critical data flows.
  • Certificate inventory and expiration tracking logs.
  • Firewall rules enforcing encryption protocols for CUI transmission.
  • Encryption strength verification reports from security scanning tools.
  • Key management policy and rotation schedule documentation.
  • Third-party security assessments confirming encrypted data handling.
  • Wireshark or packet capture analysis proving no unencrypted CUI leaves the network.
  • Email gateway and file transfer logs showing encrypted channels in use.

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch's automated encryption discovery scans your network to identify unencrypted CUI flows, generates compliant TLS/IPsec configurations, and tracks certificate expiration—turning manual compliance audits into continuous monitoring.

See how GRCWatch handles this control automatically

Start free trial

Related controls

SC.L2-3.13.1 (Authorized Communications)SC.L2-3.13.11 (Cryptographic Key Management)SI.L2-3.14.1 (Information System Monitoring)CM.L2-3.11.2 (Access Control)SI.L2-3.14.2 (Information Output)