Reference: CMMC 2.0
Family: SC
Level Introduced: 2
Title: Data in Transit
Practice:
Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.
CMMC Clarification:
Only use cryptography validated through the NIST Cryptographic Module Validation Program (CMVP) to protect the confidentiality of CUI during transmission. Any other approved cryptography cannot be used since it has not been tested and validated to protect CUI. FIPS-validated cryptography is not a requirement for all information; it is only used for the protection of CUI. This encryption guideline must be followed unless an alternative physical safeguard is in place to protect CUI.
Example
You are an IT administrator responsible for employing encryption on all devices that contain CUI for your organization. You install a Secure FTP server to allow CUI to be transmitted in a compliant manner. You verify that the server is using a FIPS-validated encryption module by checking the NIST Cryptographic Module Validation Program website. You turn on the "FIPS Compliance" setting for the server during configuration since that is what is required for this product in order to use only FIPS-validated cryptography.