This post explains how to configure VPN and TLS to satisfy the intent of NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 control AC.L2-3.1.13, focusing on practical steps, specific cryptographic settings, and small-business scenarios so you can create defensible, auditable encryption for remote access and data in transit.
Understanding the objective and risk
The objective behind AC.L2-3.1.13 is to ensure the confidentiality and integrity of Controlled Unclassified Information (CUI) in transit by using approved cryptographic mechanisms. For a small business, that means all remote access and application traffic that touches CUI must be protected with modern, well-configured VPNs and TLS channels. Failing to implement strong VPN/TLS configurations exposes CUI to eavesdropping, credential theft, session hijacking, and lateral movement by attackers, and it exposes the business to contractual or regulatory penalties, including loss of DoD contracts.
Choose the right technologies and modes
Pick VPN and TLS technologies that support current standards and can be audited. Recommended combinations: IKEv2/IPsec or WireGuard for network-layer VPNs; OpenVPN (TLS mode) or TLS-based VPN gateways where appropriate; and TLS 1.2 (with strict ciphers) or, preferably, TLS 1.3 for application-layer encryption. For small businesses with limited staff, managed appliances (Cisco Meraki, Palo Alto Prisma Access, Zscaler) or well-maintained open-source stacks (pfSense + StrongSwan for IKEv2/IPsec, or WireGuard) strike a balance between security and operational simplicity.
Concrete cryptographic settings and example configurations
Implement explicit configuration items you can show auditors: disable TLS 1.0 and 1.1, and disable weak TLS 1.2 cipher suites, except where legacy clients require them (document each exception). Favor TLS 1.3; if TLS 1.2 is needed, allow only AEAD ciphers such as AES256-GCM, AES128-GCM, or CHACHA20-POLY1305 and require ECDHE key exchange. Minimum key lengths: RSA ≥ 2048 bits (prefer 3072), ECC P-256 (or higher), and use SHA-256/SHA-384 for signatures. Example for a TLS stack (nginx/haproxy): enable only TLSv1.2 and TLSv1.3, list cipher suites explicitly so that CBC and RC4 suites are excluded, require ECDHE, and enable OCSP stapling and HSTS. For IPsec/IKEv2 use AES-GCM (256), PRF = SHA-256, and ECP groups (group 19/20/21) for ECDH; ensure PFS (Perfect Forward Secrecy) is enabled.
Small-business sample: pfSense + StrongSwan (IKEv2) checklist
On pfSense/StrongSwan: enable IKEv2, choose ECDH groups (group 20 or 21 is sufficient; P-521, group 21, is optional), set encryption to AES-GCM-256, set the hash (PRF) to SHA-256, set the lifetime to 8–12 hours, require certificate-based or EAP+MFA authentication (see MFA below), disable split-tunneling for CUI systems, and enable traffic logging to a central syslog collector for retention and audit. Keep the appliance firmware patched and export signed configuration snapshots as evidence for auditors.
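The TLS settings above and the IKEv2 checklist can both be turned into a repeatable check. The following script is an added example (not from the original post or from any vendor) that lints a constructed nginx server block and a strongSwan-style IKE proposal string against the post's policy: no TLS 1.0/1.1, TLS 1.3 on, TLS 1.2 restricted to ECDHE + AEAD suites, OCSP stapling and HSTS on, and AES-GCM-256 / SHA-256 / ECP group 19-21 for IPsec. The sample configs, function names and the simple directive regexes are assumptions for illustration; it is not a full nginx or swanctl parser.

```python
import re
# Policy from the post: no TLS 1.0/1.1, TLS 1.3 on, TLS 1.2 only with ECDHE + AEAD, stapling + HSTS on.
LEGACY_TLS = {"SSLv3", "TLSv1", "TLSv1.1"}
ECP_GROUPS = {"ecp256": 19, "ecp384": 20, "ecp521": 21}  # strongSwan name -> IANA DH group number

def check_nginx_tls(config: str) -> list[str]:
    """Return policy findings for an nginx server block (directive regexes, not a full nginx parser)."""
    findings = []
    protos = re.search(r"ssl_protocols\s+([^;]+);", config)
    enabled = set(protos.group(1).split()) if protos else set()
    findings += [f"legacy protocol enabled: {p}" for p in sorted(enabled & LEGACY_TLS)]
    if "TLSv1.3" not in enabled:
        findings.append("TLSv1.3 not enabled")
    ciphers = re.search(r"ssl_ciphers\s+\"?([^;\"]+)\"?;", config)
    # Exclusions such as !aNULL are fine; keywords like HIGH are flagged so suites are listed explicitly.
    for suite in [s for s in (ciphers.group(1).split(":") if ciphers else []) if not s.startswith("!")]:
        if not suite.startswith("ECDHE-"):
            findings.append(f"non-ECDHE suite: {suite}")
        elif "GCM" not in suite and "CHACHA20" not in suite:
            findings.append(f"non-AEAD suite: {suite}")
    if not re.search(r"ssl_stapling\s+on;", config):
        findings.append("OCSP stapling not enabled")
    if "Strict-Transport-Security" not in config:
        findings.append("HSTS header missing")
    return findings

def check_ike_proposal(proposal: str) -> list[str]:
    """Check a strongSwan-style proposal such as aes256gcm16-prfsha256-ecp384 against the IPsec settings."""
    enc, *rest = proposal.lower().split("-")
    findings = []
    if not enc.startswith("aes256gcm"):
        findings.append(f"encryption is not AES-GCM-256: {enc}")
    if not any(p.endswith(("sha256", "sha384")) for p in rest):
        findings.append("PRF/integrity is not SHA-256 or SHA-384")
    if not any(p in ECP_GROUPS for p in rest):
        findings.append("no ECP DH group 19/20/21 (for an ESP proposal this also means no PFS)")
    return findings

# Constructed samples: a weak server block beside the hardened form the post describes.
WEAK_NGINX = """server {
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "AES128-SHA:ECDHE-RSA-AES256-SHA:RC4-MD5";
}"""
HARDENED_NGINX = """server {
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:!aNULL:!MD5";
    ssl_stapling on;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}"""
if __name__ == "__main__":
    print(check_nginx_tls(WEAK_NGINX), check_nginx_tls(HARDENED_NGINX) or "OK")
    print(check_ike_proposal("aes128-sha1-modp1024"), check_ike_proposal("aes256gcm16-prfsha256-ecp384") or "OK")
```

Run it against sanitized copies of your real server blocks and proposals and keep the output with the evidence package; a non-empty finding list is a regression to investigate before the next audit.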
Authentication, MFA, and endpoint posture
CUI demands strong authentication in addition to encrypted channels. Require multi-factor authentication (MFA) for VPN logins: certificate + password or certificate + OTP is preferred. Do not rely on password-only VPN. Integrate with your identity provider (Azure AD, Okta, or RADIUS with MFA) so you can produce authentication logs. Implement endpoint posture checks (antivirus, disk encryption, OS patch level) and block non-compliant endpoints from accessing CUI networks. For small firms, a cloud-managed VPN + SSO/MFA solution reduces management overhead while producing centralized logs for compliance evidence.
Operational controls, key management, and auditing
Maintain an inventory of all TLS certificates and VPN keys, with expiration dates and owner contacts; automate renewal where safe (ACME/Let’s Encrypt is acceptable for public-facing services, but for internal access to CUI prefer enterprise PKI or short-lived certs provisioned via your IdP). Rotate keys and certificates at least annually or upon personnel changes; revoke compromised certs immediately and demonstrate CRL/OCSP handling. Log VPN session metadata (username, source IP, start/stop times, bytes transferred) and retain logs per your organization’s retention policy for audits, commonly 1 year for CUI-related records. Document configuration baselines and change control procedures to show a consistent secure posture.
Practical small-business scenarios and trade-offs
Scenario 1: A 25-person subcontractor uses remote developers and needs to protect CUI. Implement a cloud-managed IKEv2 VPN appliance with SSO + MFA, enforce full-tunnel (no split-tunnel), require disk encryption on developer laptops, and centralize logging to a small SIEM (or cloud log archive). Scenario 2: A low-budget shop wants open-source: deploy pfSense edge with WireGuard for remote access, authenticate with certificates provisioned from an internal CA and 2FA via a RADIUS server. Document the rationale for WireGuard (modern crypto, small codebase) and add compensating control documentation (frequent key rotation, strict interface rules) to satisfy auditors.
Compliance tips and best practices
Create an evidence package: architecture diagrams, configuration snippets (sanitized), certificate inventory, MFA logs, change-control tickets, and vulnerability scan/pen-test reports. Disable split tunneling for CUI by default; if you must enable it for performance, document compensating controls such as endpoint DLP and strict ACLs. Ensure firmware/software updates for VPN appliances are performed on a regular cadence and tie those updates into your configuration management and revision history. Finally, run periodic transport-layer and VPN handshake tests (sslscan, testssl.sh, Nessus) to detect weak ciphers or accidental regressions.
In summary, meeting AC.L2-3.1.13 for NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 requires a combination of modern cryptographic choices (TLS 1.3 or strong TLS 1.2, ECDHE/PFS, AES-GCM/ChaCha20), robust authentication (MFA and certificates), operational key management, and logging/monitoring. For small businesses, prioritize managed solutions or well-documented open-source stacks, disable split-tunnel for CUI, automate certificate/patch workflows where possible, and maintain auditable evidence to demonstrate compliance. Following these practices reduces risk to CUI and produces the configuration and operational artifacts auditors expect.