Data in Transit: Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.
Monarch ISC Guidance
The organization must ensure when CUI is transmitted, only encrypted channels are used. For most organizations, this means encrypting wireless networks and VPN's. This also includes secure protocols used for file transfers, and system/device administration.
Check that all cryptography modules in use outside of physically protected boundaries are approved by checking the NIST Cryptographic Module Validation program website. Assign a resource responsible for re-validating all modules on a regular interval, and notifying staff of an depreciation.
NIST SP 800-171 R2
This requirement applies to internal and external networks and any system components that can transmit information including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, and facsimile machines. Communication paths outside the physical protection of controlled boundaries are susceptible to both interception and modification. Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs), may find it difficult to obtain the necessary assurances regarding the implementation of the controls for transmission confidentiality. In such situations, organizations determine what types of confidentiality services are available in commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary safeguards and assurances of the effectiveness of the safeguards through appropriate contracting vehicles, organizations implement compensating safeguards or explicitly accept the additional risk. An example of an alternative physical safeguard is a protected distribution system (PDS) where the distribution medium is protected against electronic or physical intercept, thereby ensuring the confidentiality of the information being transmitted.