This post explains how to implement cryptographic protections for Controlled Unclassified Information (CUI) in transit over networks to satisfy NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 control MP.L2-3.8.6, with step-by-step, practical advice for small businesses including TLS and SFTP configuration patterns, testing commands, and evidence you can present during an audit.
What MP.L2-3.8.6 requires and scoping for small businesses
MP.L2-3.8.6 requires organizations to protect the confidentiality of CUI during transmission over networks. For most small businesses this means: (1) identifying all data flows that carry CUI (web portals, APIs, file transfers, VPNs, cloud storage links), (2) applying approved cryptography to those flows, and (3) documenting configuration, testing, and lifecycle processes. The compliance objective is direct: ensure CUI is encrypted in transit so an attacker sniffing network traffic cannot read or modify the data.
Practical steps to encrypt CUI in transit
TLS for web, API, and service traffic
Use TLS 1.2 as the minimum and prefer TLS 1.3 where supported. Disable SSL and TLS 1.0/1.1. Use cipher suites that provide forward secrecy (ECDHE) and strong AEAD ciphers (AES-GCM or ChaCha20-Poly1305). Recommended server-side examples: for TLS 1.2 prefer ECDHE-ECDSA-AES256-GCM-SHA384 or ECDHE-RSA-AES256-GCM-SHA384; for TLS 1.3 use TLS_AES_256_GCM_SHA384 and TLS_CHACHA20_POLY1305_SHA256. Generate keys using RSA 3072+ or ECDSA P-256/P-384. Implement HSTS, enable OCSP stapling, and prefer certificate chains issued by a trusted CA (public, or an organization-managed internal CA with documented trust anchors). Example test commands: openssl s_client -connect example.com:443 -servername example.com and nmap --script ssl-enum-ciphers -p 443 example.com. For servers: configure nginx with ssl_protocols TLSv1.2 TLSv1.3; ssl_prefer_server_ciphers off; ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:...'; and either set ssl_session_tickets off or rotate the session ticket keys on a schedule, because a long-lived ticket key undermines the forward secrecy the ECDHE suites provide.
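As an added example (not part of the original post), the following shell script wraps the openssl s_client test above into a per-version probe that writes one timestamped evidence line per protocol version, so the record shows TLS 1.0/1.1 being refused and TLS 1.2/1.3 accepted; it assumes an OpenSSL 1.1.1 or later s_client on the PATH, and the host and port are whatever you pass in.

```shell
#!/bin/sh
# Per-version TLS probe built on the openssl s_client test from this post. It
# records one evidence line per protocol version so an auditor can see that
# TLS 1.0/1.1 are refused and TLS 1.2/1.3 accepted. Assumes OpenSSL >= 1.1.1.
classify_handshake() {  # s_client output on stdin -> prints accepted|rejected
  out=$(cat)
  # A completed handshake prints "New, TLSv1.x, Cipher is <suite>"; a refused
  # version prints "Cipher is (NONE)" (with a protocol_version alert), and an
  # openssl build lacking that version prints an "unsupported protocol" error.
  # Caveat: the last case proves nothing about the server, so confirm your
  # client can still speak TLS 1.0/1.1 before citing those lines as evidence.
  if printf '%s\n' "$out" | grep -q 'Cipher is' &&
     ! printf '%s\n' "$out" | grep -q 'Cipher is (NONE)'; then
    echo accepted
  else
    echo rejected
  fi
}
expected_for() {  # s_client version flag -> verdict the post's policy requires
  case $1 in
    tls1|tls1_1) echo rejected ;;
    tls1_2|tls1_3) echo accepted ;;
  esac
}
probe_tls() {  # HOST [PORT]: prints one line per version, returns 1 on deviation
  host=$1; port=${2:-443}; bad=0
  for v in tls1 tls1_1 tls1_2 tls1_3; do
    # -tls1_x pins the client to exactly that version; SNI is set as the post does
    got=$(openssl s_client -connect "$host:$port" -servername "$host" "-$v" \
            </dev/null 2>&1 | classify_handshake)
    want=$(expected_for "$v")
    if [ "$got" = "$want" ]; then r=OK; else r=DEVIATION; bad=1; fi
    echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) $host:$port $v $got (expected $want) $r"
  done
  return $bad
}
# Usage: sh probe_tls.sh example.com [443]; keep the output with audit evidence
if [ "$#" -gt 0 ]; then probe_tls "$@"; fi
```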
SFTP for file transfers (recommended over FTP/FTPS for many CUI flows)
SFTP (SSH File Transfer Protocol) runs over SSH (not TLS) and is widely accepted for secure file movement. Use OpenSSH with Protocol 2, disable password authentication for CUI transfers, and require key-based authentication with strong keys (ed25519 or RSA 3072+). Harden sshd_config: Protocol 2; PermitRootLogin no; PasswordAuthentication no; PubkeyAuthentication yes; AllowUsers cui_user@192.0.2.0/24; MaxAuthTries 2; Subsystem sftp internal-sftp; ChrootDirectory /srv/sftp/%u, and set proper ownership and permissions on the chroot path (OpenSSH requires every component of it to be owned by root and not writable by any other user, otherwise the login is refused). For additional restriction use ForceCommand internal-sftp in sshd_config to prevent shell access. Log SFTP activity with verbose logging (LogLevel VERBOSE) and centralize logs in a SIEM. If you must support legacy clients, segment them into a non-CUI zone and apply additional controls or compensating encryption.
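As an added example (not the post's own code), this POSIX shell checker verifies an sshd_config against the hardening directives listed above and doubles as the periodic SSH policy scan mentioned later under evidence collection; the two sample configurations it writes are constructed for the demo, and the user name and paths in them are placeholders.

```shell
#!/bin/sh
# Checks an sshd_config against the SFTP hardening baseline in this post. sshd
# honours the FIRST value seen for a directive and treats directives under a
# Match block as conditional, so "global" rules must appear before any Match.
get_directive() {  # FILE KEY global|any -> prints the effective value
  awk -v k="$2" -v scope="$3" '
    tolower($1)=="match" { inmatch=1 }
    tolower($1)==tolower(k) && (scope=="any" || !inmatch) {
      $1=""; sub(/^[ \t]+/, ""); sub(/[ \t]+$/, ""); print; exit }' "$1"
}
check_sshd_policy() {  # FILE: prints PASS/FAIL per rule; returns 0 only if all pass
  cfg=$1; fail=0
  for rule in 'PermitRootLogin|no|global' 'PasswordAuthentication|no|global' \
    'PubkeyAuthentication|yes|global' 'MaxAuthTries|[12]|global' \
    'LogLevel|VERBOSE|global' 'AllowUsers|.+|global' \
    'Subsystem|sftp[[:space:]]+internal-sftp|global' \
    'ChrootDirectory|/.+|any' 'ForceCommand|internal-sftp|any'; do
    key=${rule%%|*}; rest=${rule#*|}; want=${rest%%|*}; scope=${rest#*|}
    got=$(get_directive "$cfg" "$key" "$scope")
    if [ -z "$got" ]; then
      echo "FAIL $key: not set ($scope)"; fail=1
    elif printf '%s\n' "$got" | grep -Eiq "^${want}\$"; then
      echo "PASS $key $got"
    else
      echo "FAIL $key: got '$got', want /$want/"; fail=1
    fi
  done
  return $fail
}
write_sample_config() {  # hardened|weak FILE: constructed demo data, not a real host
  if [ "$1" = hardened ]; then
    printf '%s\n' 'PermitRootLogin no' 'PasswordAuthentication no' \
      'PubkeyAuthentication yes' 'AllowUsers cui_user@192.0.2.0/24' \
      'MaxAuthTries 2' 'LogLevel VERBOSE' 'Subsystem sftp internal-sftp' \
      'Match User cui_user' '  ChrootDirectory /srv/sftp/%u' \
      '  ForceCommand internal-sftp' > "$2"
  else  # password auth disabled only inside Match: not global, so it fails
    printf '%s\n' '# PasswordAuthentication no' 'PermitRootLogin yes' \
      'PubkeyAuthentication yes' 'MaxAuthTries 6' 'Subsystem sftp internal-sftp' \
      'Match User cui_user' '  PasswordAuthentication no' \
      '  ChrootDirectory /srv/sftp/%u' > "$2"
  fi
}
tmp=$(mktemp -d)
write_sample_config hardened "$tmp/hardened.conf"
write_sample_config weak "$tmp/weak.conf"
check_sshd_policy "$tmp/hardened.conf" && echo "hardened.conf: compliant"
check_sshd_policy "$tmp/weak.conf" || echo "weak.conf: remediate findings above"
rm -rf "$tmp"
```

Run it against the real file with check_sshd_policy /etc/ssh/sshd_config and keep the output with the change ticket as evidence.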
Key and certificate lifecycle management
Document an inventory of certificates and SSH keys (fingerprint, owner, purpose, expiration). Automate public certificate renewal with ACME (Certbot, acme.sh) for web endpoints; adopt a 90–365 day rotation policy depending on risk (shorter for public-facing endpoints). For SSH keys and internal certs, rotate on a schedule or upon personnel changes; store private keys in a hardware security module (HSM) or cloud KMS when possible (AWS KMS, Azure Key Vault, Google Cloud KMS) and enforce strict access controls. Maintain a revocation/compromise process: publish and test certificate revocation (CRL or OCSP) and immediately revoke keys for terminated contractors. Record change tickets and cryptographic configuration snapshots as compliance evidence.
Real-world small business scenarios and step-by-step tasks
Example 1: A small defense subcontractor has a web portal where partners upload CUI. Steps: (1) classify the endpoint traffic as CUI, (2) obtain a public certificate and configure nginx/Apache to enforce TLS 1.2+ with HSTS and OCSP stapling, (3) require client authentication (mTLS) for high-risk file uploads, or at least strong session protections and token-based authentication, (4) audit the TLS configuration with testssl.sh and document the results. Example 2: The same company exchanges design files with a prime contractor via SFTP. Steps: (1) create separate SFTP accounts for each partner, (2) enforce key-based auth with ed25519 keys, (3) chroot the accounts and enable server-side anti-virus scanning for uploaded files, (4) centralize SFTP logs and retain them per your retention policy for audits. Practical commands for testing: sftp -i partner_key -v sftp_user@host (the verbose output confirms that public-key authentication, not a password, was used) and openssl s_client -connect host:443 -tls1_2 -servername host.
Compliance tips, monitoring, and evidence collection
Collect artifacts that auditors expect: an inventory of CUI flows, documented TLS and SFTP configurations (sshd_config, nginx conf), certificate/key inventory with rotation schedules, test results from SSL Labs/testssl.sh, recent vulnerability scan and remediation notes, logs demonstrating encrypted sessions (TLS handshake records, SFTP session logs), and change-control records for configuration changes. Monitor TLS expirations via automated alerts, monitor syslog/SFTP logs for unauthorized access attempts, and run periodic internal scans to ensure TLS and SSH policy adherence. Map these artifacts to the NIST SP 800-171 control language (e.g., “protect CUI during transmission”) and to CMMC 2.0 Level 2 evidence expectations.
Risk of not implementing MP.L2-3.8.6 properly
Failing to encrypt CUI in transit exposes sensitive information to interception, modification, and replay by attackers on internal or external networks. Risks include data exfiltration, loss of contracts or eligibility for DoD work, regulatory fines, reputational damage, and mandatory breach reporting. From an audit perspective, lack of encryption or weak configurations (e.g., TLS 1.0, allowing weak ciphers, password-based SFTP) will lead to immediate noncompliance findings and force corrective action plans that can be costly to remediate under tight deadlines.
Summary: To meet NIST SP 800-171 Rev.2 / CMMC 2.0 MP.L2-3.8.6, inventory where CUI flows, apply TLS 1.2+ (prefer TLS 1.3) with strong cipher suites and certificate management for web/API traffic, use hardened SFTP (SSH v2 with key auth and chroot) for file transfers, automate certificate/key lifecycle, log and monitor securely, and retain configuration and test evidence. Small businesses can achieve compliance by following the steps above, validating configurations with standard tools, and keeping auditable records of their cryptographic controls and processes.