NIST 800-171 3.8.6: Encrypt CUI During Transport
Controlled Unclassified Information (CUI) traveling across networks is vulnerable without encryption. NIST SP 800-171 control 3.8.6 requires cryptographic mechanisms to protect CUI confidentiality during transport—unless physical safeguards provide equivalent protection. This control is non-negotiable for defense contractors and federal subcontractors.
What this means
You must deploy cryptographic encryption for any CUI moving across network boundaries, removable media, or external connections. The requirement applies to data in motion unless your organization demonstrates that alternative physical controls (like isolated networks or air-gapped systems) provide equal confidentiality protection. Encryption standards should align with NIST-approved algorithms and key management practices.
How to comply
- 1.Inventory all systems and data flows that transmit CUI across networks or external interfaces.
- 2.Select NIST-approved encryption algorithms (AES, TLS 1.2+, or equivalent) for transport layer security.
- 3.Implement TLS/SSL for web and email traffic, VPN for remote access, and encrypted protocols for file transfer.
- 4.Deploy encryption for CUI on removable media and external storage devices.
- 5.Establish and maintain cryptographic key management procedures, including secure generation, storage, and rotation.
- 6.Configure network devices (firewalls, gateways) to enforce encrypted transport policies.
- 7.Document alternative physical safeguards if used instead of cryptography, with risk assessments.
- 8.Test encryption configurations quarterly and after system changes.
- 9.Train staff on secure transmission practices and prohibition of unencrypted CUI transfer.
Evidence auditors look for
- TLS certificate configuration reports showing NIST-approved cipher suites on all external-facing systems.
- VPN deployment logs and encryption protocol specifications for remote access.
- Network traffic analysis confirming encrypted tunnels for CUI transmission.
- Cryptographic key management policy and key lifecycle audit logs.
- Endpoint encryption software audit showing all devices transmitting CUI have encryption enabled.
- Email security gateway logs showing TLS encryption for outbound CUI messages.
- Risk assessment documents justifying physical safeguards where cryptographic encryption is not deployed.
- Annual encryption strength validation reports and algorithm compliance certifications.
- System configuration baselines documenting encrypted transport requirements.
- Security awareness training attendance records covering secure CUI transmission protocols.
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates CUI encryption compliance verification by scanning network configurations, TLS settings, and key management policies against NIST 800-171 3.8.6 requirements—eliminating manual audits and flagging encryption gaps across your entire infrastructure.
See how GRCWatch handles this control automatically
Start free trial