Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission.
CUI in transit means any Controlled Unclassified Information crossing your network boundaries or traveling over the internet. This practice requires you to encrypt that data before it leaves your system or server. For a small contractor, this typically means HTTPS everywhere, TLS 1.2 or higher on all protocols, a VPN for remote access, and SFTP instead of FTP for file transfers. The assessor will want to know not just that you encrypt, but what encryption standard you’re using and how you enforce it across all CUI-bearing systems.
What the assessor is actually evaluating
TLS version enforcement. The assessor will ask what TLS versions your web servers, mail servers, and VPNs support. TLS 1.0 and 1.1 are out. You need TLS 1.2 as a minimum, with TLS 1.3 preferred. If you’re running a mail server or proxy, you should disable anything older than 1.2. If you use a cloud platform like AWS or Microsoft Azure, they enforce this at the platform level, and you document that. If you self-host, you show the configuration files.
HTTPS on all CUI-touching systems. Every website or application that handles CUI must use HTTPS. If you have a customer portal, an internal admin tool, a help desk ticket system, or a project management tool that anyone accesses for work involving CUI, it runs on HTTPS. The assessor will browse your internal systems and verify the protocol.
VPN for remote access. If your employees or contractors work from home or travel, they need a VPN to access CUI. The VPN must use a FIPS 140-2 validated cryptographic module (or equivalent), which basically means AES or a comparable standard. Typical VPNs like Cisco AnyConnect, Palo Alto GlobalProtect, or cloud-native VPN solutions meet this. “We use a VPN” is the starting point; the assessor will ask what algorithm it uses.
Mail encryption. TLS between mail servers is standard and usually automatic with modern mail platforms. But if someone sends CUI in email, that email should be encrypted end-to-end. In Microsoft 365 GCC High or other government cloud solutions, transport-layer TLS is enforced. If you use on-premises Exchange or other mail systems, you configure TLS enforcement in your transport rules. The assessor may ask how you ensure CUI in email is not sent to external recipients without encryption.
File transfer protocols. Use SFTP, not FTP. If you upload files via a web form, use HTTPS. If you use cloud storage like OneDrive or SharePoint, encryption is built in. If you have a file server that contractors access, they should use SFTP through a VPN, not FTP in the clear.
East-west encryption. This is internal traffic between servers. If your application server talks to your database server, that communication should be encrypted, especially if CUI passes through it. This is a frequent gap in small shops. You don’t have to encrypt every internal packet, but any connection carrying CUI should use encryption. Assess which internal flows carry CUI and encrypt those.
FIPS 140-2 validated cryptography. The practice statement says “cryptographic mechanisms.” In practice that means validated modules, not homemade crypto. AES is validated, TLS 1.2+ is validated, standard VPN algorithms are validated. If you’re asked what you use, be specific: AES-256, TLS 1.2, or the VPN’s specific ciphersuite. For firewalls, enabling FIPS mode covers most of this. The assessor wants to see that FIPS mode is on and that the configuration reflects it.
GCC High covers a lot of this naturally. If you’re on Microsoft 365 GCC High, TLS is enforced at the tenant level for all services. You still need to document this in your SSP and be able to explain it (even if you’re just reading what you wrote). Microsoft publishes a Shared Responsibility Matrix (SRM) for GCC High that maps which controls Microsoft handles and which are yours. It’s worth having bookmarked, though it doesn’t usually come up directly in assessments.
SSP example
Example SSP Language: SC.L2-3.13.8
CUI in Transit Protection. All Controlled Unclassified Information transmitted across the network or over the internet is encrypted using FIPS 140-2 validated cryptographic mechanisms. Web applications accessed by employees or contractors use HTTPS with TLS 1.2 or higher. Our email system enforces TLS 1.2 between mail servers and uses message encryption for CUI sent externally. Remote access to CUI systems requires use of our corporate VPN, which uses AES-256 encryption. File transfers to and from CUI systems use SFTP over encrypted tunnels. Database connections from application servers are encrypted using TLS 1.2. All VPN and TLS configurations are reviewed annually and updated to disable protocols older than TLS 1.2. Configuration screenshots and policy documentation are maintained by the Information Security team.
How to present your evidence
Prepare a document or folder showing:
Web server or reverse proxy configuration. Show the SSL/TLS settings on your IIS, Apache, nginx, or cloud load balancer. Include the certificate details, the TLS versions enabled (1.2 minimum), and the ciphersuites. A screenshot of HTTPS-only enforcement is helpful.
VPN configuration. Show the VPN client profile or server settings. List the encryption algorithm (AES-256 preferred), the protocol (IPSec, SSL, WireGuard, etc.), and proof that remote users must use it to access CUI. If you use Windows Always-On VPN or a cloud conditional access policy, show that policy.
Mail server transport rules. If you use Exchange, show the transport rule that enforces TLS. If you use Microsoft 365, show the connector settings that mandate TLS for inbound and outbound mail. Include a statement on how CUI-containing emails are handled (S/MIME or message encryption if sent outside the organization).
Firewall or proxy rules. Show any rules that block unencrypted traffic on CUI-relevant ports (80, 21, etc.) and allow only encrypted protocols (443, 990 for FTPS, 22 for SFTP).
Database or internal service encryption. For any internal system-to-system connections carrying CUI, show the encryption configuration. This could be SQL Server transparent data encryption, application connection strings that specify encrypted=yes, or SSH tunnels.
VPN or remote access policy. Show the written policy that requires remote users to connect via VPN before accessing CUI systems.
The assessor wants to see that you’ve thought about all the places CUI travels and that you have a control in place at each point.
Common failures
Legacy systems or network printers on the network. If you have an old system that doesn’t support TLS 1.2 or a network printer that sends unencrypted traffic, the assessor will flag it. The fix is to either upgrade the system, isolate it from CUI (put it on a separate VLAN and don’t send CUI to it), or run it through a gateway that terminates the unencrypted connection and re-encrypts it before sending CUI.
Internal east-west traffic not encrypted. Assessors often find that a company encrypts external traffic (HTTPS, VPN) but leaves internal server-to-server connections unencrypted. If your web application talks to a database across your network and that traffic carries CUI, it should be encrypted. Identify all data flows, mark which ones carry CUI, and ensure those are encrypted.
Inability to specify what encryption is used. If the assessor asks “What’s the TLS version your mail server uses?” and you say “We’re not sure,” that’s a red flag. You need to know. Pull the configuration, run an nmap or testssl.sh scan, or ask your cloud provider. Document it.
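One way to produce the TLS-version evidence this paragraph (and the web server item under “How to present your evidence”) calls for, as an added example that is not part of the original page: a small Python probe that pins one protocol version per handshake and grades the result against the TLS 1.2 minimum. The hostname is a placeholder you supply; it complements rather than replaces a full testssl.sh or SSL Labs cipher review.

```python
import socket
import ssl

# Protocol versions to try, pinned one at a time so the server's answer is unambiguous.
VERSIONS = {
    "TLS 1.0": ssl.TLSVersion.TLSv1,
    "TLS 1.1": ssl.TLSVersion.TLSv1_1,
    "TLS 1.2": ssl.TLSVersion.TLSv1_2,
    "TLS 1.3": ssl.TLSVersion.TLSv1_3,
}
ALLOWED = {"TLS 1.2", "TLS 1.3"}   # the practice's floor is 1.2, with 1.3 preferred

def probe_version(host: str, port: int, version: ssl.TLSVersion,
                  timeout: float = 5.0) -> bool:
    """True if the service completes a handshake restricted to exactly `version`."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.minimum_version = version
        ctx.maximum_version = version
        # Only the negotiated protocol matters for this probe; certificate
        # validity is a separate evidence item, so skip chain checks here.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except (OSError, ValueError):
        # OSError covers refused connections, timeouts and SSLError (handshake
        # rejected); ValueError means the local OpenSSL cannot even offer that
        # version, so it could not have been negotiated either way.
        return False

def scan(host: str, port: int = 443) -> dict:
    """Map each TLS version name to whether host:port accepted it."""
    return {name: probe_version(host, port, ver) for name, ver in VERSIONS.items()}

def grade(results: dict) -> tuple:
    """Turn scan results into an SSP-ready verdict: PASS only when no legacy
    version is accepted and at least one allowed version is."""
    findings = [f"{name} accepted (must be disabled)"
                for name, accepted in results.items()
                if accepted and name not in ALLOWED]
    if not any(results.get(name, False) for name in ALLOWED):
        findings.append("no TLS 1.2/1.3 offered (unreachable or misconfigured)")
    return ("PASS" if not findings else "FAIL", findings)

# Usage (hypothetical host): verdict, notes = grade(scan("portal.example.com"))
```

Run it against each CUI-bearing service on your inventory and attach the verdicts alongside the configuration screenshots; a FAIL with “TLS 1.0 accepted” is exactly the gap an assessor's own scan would surface.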
VPN without evidence of enforcement. If you have a VPN available but users can also access CUI systems without it, that’s a gap. The requirement is that CUI in transit is encrypted. If there’s a path to CUI that bypasses the VPN or encryption, the assessor will find it.
HTTP mixed with HTTPS. If your web application loads some assets or API calls over HTTP and others over HTTPS, the assessor may find CUI disclosed on the unencrypted traffic. All traffic on a CUI-bearing system should be encrypted.
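An added example (not from the original page) of a quick mixed-content check for a CUI-bearing page: it parses the HTML for subresources and form targets that would travel over plain HTTP, rating a form action highest because whatever the user submits would cross the network in the clear. The sample page below is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attributes that make the browser fetch a subresource or submit form data.
FETCH_ATTRS = {"src", "href", "action", "formaction", "data", "poster", "srcset"}
NAVIGATION_TAGS = {"a", "area"}   # an href here is a link, not a fetch

class MixedContentAuditor(HTMLParser):
    """Collect every plain-http URL a page would fetch from or submit to."""

    def __init__(self):
        super().__init__()
        self.findings = []   # (severity, tag, attribute, url)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in FETCH_ATTRS or not value:
                continue
            if name == "srcset":   # "url descriptor, url descriptor"
                urls = [c.strip().split()[0] for c in value.split(",") if c.strip()]
            else:
                urls = [value.strip()]
            for url in urls:
                if urlparse(url).scheme.lower() != "http":
                    continue   # https, relative and protocol-relative URLs inherit the page's TLS
                if name in ("action", "formaction"):
                    sev = "critical"   # form contents (possibly CUI) would be posted unencrypted
                elif tag in NAVIGATION_TAGS and name == "href":
                    sev = "low"        # navigation off to an http page, not mixed content itself
                else:
                    sev = "high"       # script/style/image/iframe fetched over http
                self.findings.append((sev, tag, name, url))

def audit(html: str) -> list:
    auditor = MixedContentAuditor()
    auditor.feed(html)
    return auditor.findings

# Constructed sample page (not from any real system) exercising each case.
SAMPLE = """<html><head>
<link rel="stylesheet" href="https://portal.example.com/site.css">
<script src="http://cdn.example.com/app.js"></script>
</head><body>
<img src="//images.example.com/logo.png">
<form action="http://intake.example.com/upload" method="post"><input name="doc"></form>
<a href="http://wiki.example.com/help">help</a>
</body></html>"""
```

Feed it the saved HTML of each CUI-handling page; fetch calls made from JavaScript are not visible to an HTML parser, so pair it with the browser's developer-tools network view for those.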
Not encrypting email attachments. If someone sends a Word document containing CUI via email without S/MIME or message encryption, the TLS link between mail servers is not enough. The assessor may ask how you prevent that. The answer is either a mail rule that blocks unencrypted sends of CUI, or user training and a documented expectation that CUI in email is encrypted end-to-end.
If you use an MSP or MSSP
If a Managed Service Provider (MSP) hosts your systems or a Managed Security Service Provider (MSSP) runs your security controls, you still own the requirement. Ask your provider:
What TLS versions do they enforce on all web, mail, and file transfer services?
What encryption algorithm does their VPN use?
Can they provide a screenshot or certificate of the encryption settings?
Do they disable TLS 1.0 and 1.1?
Include their confirmation in your SSP or as an attachment to the practice. If they can’t or won’t encrypt in transit, that’s a business risk you need to accept or mitigate by changing providers.
Assessment room tips
Keep answers short. Show the evidence, don't describe it. Let the assessor drive. For more on how to present in the assessment room, see How to Present Evidence in the Assessment Room.
Q&A: What the assessor asks and what good answers sound like
What encryption standard do you use for data in transit?
TLS 1.2 minimum across everything. [Pull up firewall TLS settings] Here's our firewall policy showing TLS 1.0 and 1.1 are disabled. Our VPN uses AES-256. Email transport rules require TLS between our server and recipients.
How do you handle remote access?
[Pull up VPN configuration] Always-on VPN for all remote users. It's enforced through Conditional Access. You can't reach CUI resources without the VPN connected. Here are the encryption settings showing AES-256.
What about your email? How is CUI protected in email?
We're on GCC High, so TLS is enforced at the tenant level for all mail transport. [Pull up Exchange transport rules] Here's the rule requiring TLS for outbound mail. If the receiving server can't negotiate TLS, the message gets held and we're notified.
Do you have any legacy systems that don't support TLS 1.2?
We had one older application that only supported TLS 1.0. We put it behind a reverse proxy that terminates TLS 1.2 on the front end. [Pull up SSP] The exception is documented here with the mitigation approach and the date we plan to retire the application.
How do you verify your encryption is actually working?
[Pull up SSL Labs scan results] We run quarterly scans against our public-facing services. Here's the most recent one showing TLS 1.2 only, no weak ciphers. For internal services, our MSSP validates encryption settings during their quarterly configuration reviews.
Disclaimer: This page is provided for informational purposes and reflects general CMMC requirements. It is not legal advice. Consult your CMMC-C appraiser or compliance advisor for interpretation specific to your organization.