CMMC Practice Requirement:

Implement cryptographic mechanisms to prevent unauthorized disclosure of “Controlled Unclassified Information” (CUI) during transmission unless otherwise protected by alternative physical safeguards.

CMMC Requirement Explanation:

Due to the sensitive nature of “Controlled Unclassified Information” (CUI) it must be encrypted when in transit.

Example CMMC Implementation:

When you transmit “Controlled Unclassified Information” (CUI) over a network it needs to be encrypted. Whatever technology you use to transmit (e.g., SFTP) it needs to be validated by the NIST Cryptographic Module Validation Program. You can see if the cryptography is validated by searching for it on the NIST CMVP page.


- Scenario 1:

You have digital files containing “Controlled Unclassified Information” (CUI). Your employees need to send these back and forth to each other however they transmission needs to be encrypted. To facilitate this you setup an SFTP server that uses FIPS validated encryption. You confirm this by checking the NIST CMVP website.

Discover Our NIST SP 800-171 Solutions:


Compliance Accelerator

For contractors seeking compliance

Quantum Assessor

For IT service providers

Supply Chain Verifier

For contractors seeking to verify partner compliance