GRCWatch
Sign inStart free trial

NIST 800-171 Control 3.13.8: Data in Transit Encryption

Control 3.13.8 requires organizations to encrypt Controlled Unclassified Information (CUI) while it travels across networks and systems. This control prevents unauthorized disclosure through cryptographic mechanisms or approved physical safeguards. For contractors handling sensitive government data, proper data-in-transit encryption is a non-negotiable compliance requirement.

What this means

Organizations must deploy cryptographic mechanisms to protect the confidentiality of CUI during transmission across networks. The control applies to all data flows unless alternative physical safeguards (such as air-gapped networks or secured facility boundaries) provide equivalent protection. This includes data transmitted over internal networks, between systems, and across external connections.

How to comply

  1. 1.Identify all transmission points where CUI flows across network boundaries or between systems
  2. 2.Select and implement approved cryptographic algorithms (TLS 1.2+, AES-256, or equivalent) for all identified data pathways
  3. 3.Configure encryption at the transport layer (TLS/SSL) and application layer where applicable
  4. 4.Establish certificate management procedures including issuance, renewal, and revocation processes
  5. 5.Document all encryption implementations and the specific mechanisms used for each data flow
  6. 6.Test encryption configurations to verify proper implementation and prevent downgrade attacks
  7. 7.Monitor encrypted connections for failures or degradation and maintain audit logs of encryption events

Evidence auditors look for

  • Network traffic captures showing TLS encryption in use (packet headers with TLS handshake)
  • Encryption configuration documentation listing algorithms, key lengths, and certificate details
  • Certificate inventory with validity dates, issuing CAs, and renewal schedules
  • System architecture diagrams annotating encrypted versus unencrypted data flows
  • Security scanning reports confirming no unencrypted transmission of CUI
  • Encryption validation test results demonstrating successful TLS implementation
  • Access logs showing certificate usage and SSL/TLS connection establishment

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automatically discovers and validates all data-in-transit encryption implementations across your infrastructure, generates evidence artifacts, and alerts you to weak cipher suites or expired certificates—eliminating manual audits and compliance gaps.

See how GRCWatch handles this control automatically

Start free trial

Related controls

3.13.1 — Cryptographic Controls3.13.11 — Cryptographic Key Establishment and Management3.1.13 — Mobile Device Management3.4.7 — Information System Monitoring