CMMC Practice SC.3.185

Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.

Source

CMMC Version 1.02, pg. 258

Bold Coast Security Guidance

For Level 3 compliance the organization must have a plan to ensure when CUI is transmitted, only secure channels are used. For most organizations, this means that a secure messaging platform must be in place, as well as secure protocols used for file transfers, and system/device administration. Check that all cryptography modules in use are approved by checking the NIST Cryptographic Module Validation program website. For Maturity Level 4, assign a resource responsible for re-validating all modules on a regular interval, and notifying staff of an depreciation.

Discussion From Source

DRAFT NIST SP 800-171 R2 This requirement applies to internal and external networks and any system components that can transmit information including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, and facsimile machines. Communication paths outside the physical protection of controlled boundaries are susceptible to both interception and modification. Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs), may find it difficult to obtain the necessary assurances regarding the implementation of the controls for transmission confidentiality. In such situations, organizations determine what types of confidentiality services are available in commercial telecommunication service packages . If it is infeasible or impractical to obtain the necessary safeguards and assurances of the effectiveness of the safeguards through appropriate contracting vehicles, organizations implement compensating safeguards or explicitly accept the additional risk. An example of an alternative physical safeguard is a protected distribution system (PDS) where the distribution medium is protected against electronic or physical intercept, thereby ensuring the confidentiality of the information being transmitted.

References