CMMC Requirement SC.L2-3.13.11 – CUI Encryption: Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
Related resources:
- This document provides assessment guidance for conducting Cybersecurity Maturity Model Certification (CMMC) assessments for Level 2.
- This article from Ignyte describes what it means for CMMC and FedRAMP to follow the FIPS standard.
- This article from Microsoft speaks to Microsoft's approach to FIPS 140-2 validation.
- Focused on securing Controlled Unclassified Information, this work highlights how Virtual Desktop Infrastructure (VDI) reduces endpoint risk and aligns with CMMC requirements across the defense industrial base.
- This NIST document is intended to provide programmatic guidance for the Cryptographic Module Validation Program (CMVP).
- This NIST Special Publication provides recommendations to facilitate more efficient and effective storage encryption solution design, implementation, and management for Federal departments and agencies.
- This NIST Special Publication is one part of a series of documents intended to provide guidance to the Federal Government on using cryptography to protect its sensitive but unclassified digitized information during transmission and while in storage.
- In this article, Pure Storage looks at what the Federal Information Processing Standard (FIPS) is, how to become FIPS compliant, and what it means for your organization.
- This SANS whitepaper defines FIPS, identifies FIPS-approved encryption algorithms, and examines some different vendor solutions and their use of these approved algorithms.
- What is a FIPS-validated crypto module and why do I need one? Watch this video for an overview of how to find FIPS-validated cryptographic modules and why we need them.
Cryptography can be employed to support many security solutions including the protection of controlled unclassified information, the provision of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances for such information but lack the necessary formal access approvals. Cryptography can also be used to support random number generation and hash generation. Cryptographic standards include FIPS-validated cryptography and/or NSA-approved cryptography.
Further Discussion
FIPS-validated cryptography means the cryptographic module has to have been tested and validated to meet FIPS 140-2 requirements. Simply using an approved algorithm is not sufficient: the module (software and/or hardware) that implements the algorithm must itself have been validated under FIPS 140 by NIST's Cryptographic Module Validation Program (CMVP), and it must be operated in the approved mode described in that module's Security Policy. FIPS 140-3 has since superseded FIPS 140-2 as the basis for new validations; modules validated under either standard are listed by the CMVP, and the certificate number is the evidence an assessor will ask for. Accordingly, FIPS-validated cryptography is required to protect CUI when transmitted or stored outside the protected environment of the covered OSA information system (including wireless/remote access). Encryption used for other purposes, such as within applications or devices inside the protected environment of the covered OSA information system, does not need to use FIPS-validated cryptography.
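The practical check behind that distinction, as an added example that is not part of the assessment guide or of the cited NIST material: on a Linux host, confirm that the cryptographic module is actually running in its approved mode, rather than only that approved algorithms happen to be available. The script assumes a Linux kernel that exposes /proc/sys/crypto/fips_enabled and an OpenSSL 3.x installation; the function names and the 0/1/2 exit-code convention are this example's own.

```shell
#!/bin/sh
# Added example, not from the CMMC assessment guide: confirm that the host's
# cryptographic module is operating in FIPS-approved mode. Two independent
# signals are checked:
#   1. the Linux kernel flag /proc/sys/crypto/fips_enabled (1 = FIPS mode on)
#   2. OpenSSL 3.x reporting a loaded provider named "fips" with status active
# Merely having AES-256 or SHA-256 available proves nothing for SC.L2-3.13.11;
# the validated module has to be the one doing the work, in approved mode.
# Exit-code convention used by the checks below (this example's own choice):
#   0 = confirmed, 1 = not in FIPS mode, 2 = cannot tell on this host.

kernel_fips_flag() {
    flag=/proc/sys/crypto/fips_enabled
    [ -r "$flag" ] || return 2          # non-Linux host or interface absent
    [ "$(cat "$flag")" = "1" ]
}

openssl_fips_provider_active() {
    command -v openssl >/dev/null 2>&1 || return 2
    # `openssl list -providers` (OpenSSL 3.x only; older releases print nothing
    # here and are reported as "not in FIPS mode") lists each provider name on
    # its own indented line followed by indented "key: value" attribute lines.
    openssl list -providers 2>/dev/null | awk '
        /^[[:space:]]*fips$/                   { in_fips = 1; next }
        /^[[:space:]]*[A-Za-z0-9_.-]+$/        { in_fips = 0 }
        in_fips && /status:[[:space:]]*active/ { found = 1 }
        END { exit(found ? 0 : 1) }'
}

describe_status() {
    case "$1" in
        0) echo "enabled" ;;
        1) echo "disabled" ;;
        *) echo "unknown" ;;
    esac
}

# Prints both signals and succeeds only when both confirm FIPS mode.
fips_mode_report() {
    k=0; kernel_fips_flag || k=$?
    p=0; openssl_fips_provider_active || p=$?
    echo "kernel fips_enabled: $(describe_status "$k"); openssl fips provider: $(describe_status "$p")"
    [ "$k" -eq 0 ] && [ "$p" -eq 0 ]
}

fips_mode_report || echo "FIPS-validated module not confirmed on this host; do not rely on it for CUI outside the protected environment"
```

Two caveats when reading the result. A loaded and active "fips" provider means the validated module is present, not that every application on the host is using it: unless the OpenSSL configuration sets the default property query to fips=yes (or the application requests it), the non-validated default provider may still serve the calls. And a passing check is evidence about this host only; the assessment evidence that pairs with it is the CMVP certificate for the specific module version actually installed.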
This requirement, SC.L2-3.13.11, complements AC.L2-3.1.19, MP.L2-3.8.6, SC.L2-3.13.8, and SC.L2-3.13.16 by specifying that the cryptography those requirements call for must be FIPS-validated. While FIPS-validated modules and algorithms are critical for protecting CUI, in limited cases Enduring Exceptions and temporary deficiencies may apply when implementing such cryptographic mechanisms.
