This control requires organizations to encrypt all remote access sessions to protect Controlled Unclassified Information (CUI) from being intercepted during transmission. Encryption must meet recognized cryptographic standards (e.g., FIPS 140-2 validated).
Read the full blog breakdown of 3.13.8