SC.3.185

Content

Control Acronym

SC

Family

System And Communications Protection

CMMC Level

3

800-171 Control #

3.13.8

CMMC Description

Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.

CMMC Clarification

Only use cryptography validated through the NIST Cryptographic Module Validation Program (CMVP) to protect the confidentiality of CUI during transmission. Other cryptography, even if otherwise approved, cannot be used, because it has not been tested and validated to protect CUI. FIPS-validated cryptography is not a requirement for all information; it is required only for the protection of CUI. This encryption guideline must be followed unless an alternative physical safeguard is in place to protect CUI.

Example

You are an IT administrator responsible for employing encryption on all devices that contain CUI for your organization. You install a Secure FTP server to allow CUI to be transmitted in a compliant manner. You verify that the server is using a FIPS-validated encryption module by checking the NIST Cryptographic Module Validation Program website. You turn on the "FIPS Compliance" setting for the server during configuration, since that is what this product requires in order to use only FIPS-validated cryptography.

800-171 Description

Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.

800-171 Discussion

This requirement applies to internal and external networks and any system components that can transmit information, including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, and facsimile machines. Communication paths outside the physical protection of controlled boundaries are susceptible to both interception and modification. Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs) may find it difficult to obtain the necessary assurances regarding the implementation of the controls for transmission confidentiality. In such situations, organizations determine what types of confidentiality services are available in commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary safeguards and assurances of the effectiveness of the safeguards through appropriate contracting vehicles, organizations implement compensating safeguards or explicitly accept the additional risk. An example of an alternative physical safeguard is a protected distribution system (PDS) where the distribution medium is protected against electronic or physical intercept, thereby ensuring the confidentiality of the information being transmitted. See [NIST CRYPTO].

Other Source Discussion

N/A

NIST 800-53 Control Ref.

NIST SP 800-53 Rev 4 SC-8(1)

CMMC Derived

NIST 800-171 References

NIST SP 800-171 Rev 1 3.13.8

NIST CSF Control Reference

NIST CSF v1.1 PR.AC-2

CERT RMM Reference

CERT RMM v1.2 KIM:SG4.SP1

Sub-Criteria

Assessment Sub-Criteria 1

SC.3.185.[a] cryptographic mechanisms intended to prevent unauthorized disclosure of CUI are identified;

Assessment Sub-Criteria 2

SC.3.185.[b] alternative physical safeguards intended to prevent unauthorized disclosure of CUI are identified; and

Assessment Sub-Criteria 3

SC.3.185.[c] either cryptographic mechanisms or alternative physical safeguards are implemented to prevent unauthorized disclosure of CUI during transmission.