Any CUI moving across a network you don't fully control must be encrypted.
What it actually means
When CUI travels over a network — email, file transfer, remote access, web — it must be protected with encryption unless an alternative physical safeguard protects it. In practice that means TLS for web and email, encrypted file transfer (SFTP/HTTPS), and a VPN for remote access. This pairs with 3.13.11, which adds the requirement that the cryptography be FIPS-validated.
Pass or fail — an assessor needs a "yes" to each
- Is CUI encrypted whenever it crosses a network (TLS, VPN, SFTP, encrypted email)?
- Have you eliminated cleartext paths (plain FTP, unencrypted SMTP) for CUI?
What to have ready
- Configuration showing TLS / VPN / SFTP for CUI flows
- Email encryption configuration (TLS enforced, or message-level encryption)
Where teams trip up
- Sending CUI by ordinary email with no transport encryption enforced
- Legacy plain-FTP or HTTP paths still in use for files
A 3-point control, and closely tied to 3.13.11 — encryption in transit must use FIPS-validated cryptography to fully satisfy both. Solve them together.
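One way to check the "TLS enforced" email evidence listed above, as an added example that is not part of the original page: it assumes the mail relay is Postfix and audits its main.cf, treating opportunistic TLS as a fail because delivery can fall back to cleartext. The sample configuration is constructed for illustration.

```python
# Added example: audit a Postfix main.cf for enforced (not opportunistic) SMTP TLS.
# Assumption: the relay is Postfix; parameter names are Postfix's own.
ENFORCED = {
    # outbound, Postfix acting as SMTP client
    "smtp_tls_security_level": {"encrypt", "dane-only", "fingerprint", "verify", "secure"},
    # inbound, Postfix acting as SMTP server
    "smtpd_tls_security_level": {"encrypt"},
}
OPPORTUNISTIC = {"may", "dane"}  # TLS is attempted, cleartext still possible

SAMPLE = """\
# constructed sample, not taken from a real system
myhostname = relay.example.test
smtp_tls_security_level = may
smtpd_tls_security_level = encrypt
"""

def parse_main_cf(text):
    """Parse 'name = value' lines; a later setting overrides an earlier one."""
    settings, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                      # blank line or comment
        if raw[0].isspace() and last:     # leading whitespace continues a value
            settings[last] = (settings[last] + " " + raw.strip()).strip()
            continue
        name, sep, value = raw.partition("=")
        if sep:
            last = name.strip()
            settings[last] = value.strip()
    return settings

def audit_tls(text):
    """Return {parameter: (status, detail)}; status is 'PASS' or 'FAIL'."""
    settings = parse_main_cf(text)
    results = {}
    for param, enforced in ENFORCED.items():
        level = settings.get(param, "")
        if level in enforced:
            results[param] = ("PASS", f"TLS mandatory ({level})")
        elif level in OPPORTUNISTIC:
            results[param] = ("FAIL", f"opportunistic ({level}), cleartext fallback possible")
        else:
            results[param] = ("FAIL", f"TLS not enforced ({level or 'unset'})")
    return results

if __name__ == "__main__":
    for param, (status, detail) in audit_tls(SAMPLE).items():
        print(f"{status}  {param}: {detail}")
```

Per-destination overrides in `smtp_tls_policy_maps` are not evaluated here, and a pass says nothing about whether the cryptographic module is FIPS-validated, which 3.13.11 covers.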