SC.L2-3.13.11 CUI Encryption - DIB SCC CyberAssist

CMMC Practice SC.L2-3.13.11 – CUI Encryption: Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.

Links to Publicly Available Resources

CMMC Level 2 Assessment Guide
This document provides assessment guidance for conducting Cybersecurity Maturity Model Certification (CMMC) assessments for Level 2.
NIST – Implementation Guidance for FIPS PUB 140-2 and the Cryptographic Module Validation Program
This NIST document is intended to provide programmatic guidance of the CMVP.
NIST SP 800-111 Guide to Storage Encryption Technologies for End User Devices
This NIST Special Publication provides recommendations to facilitate more efficient and effective storage encryption solution design, implementation, and management for Federal departments and agencies.
NIST SP 800-175b Guideline for Using Cryptographic Standards in the Federal Government
This NIST Special Publication is one part in a series of documents intended to provide guidance to the Federal Government for using cryptography to protect its sensitive, but unclassified digitized information during transmission and while in storage.
SANS – Acceptable Encryption Policy
This sample policy from SANS provides guidance that limits the use of encryption to those algorithms that have received substantial public review and have been proven to work effectively.
SANS Whitepaper – Securing Sensitive Data: Understanding Federal Information Processing Standards (FIPS)
This SANS whitepaper defines FIPS, identify FIPS approved encryption algorithms, and examine some different vendor solutions and their use of these approved algorithms.
YouTube – Pros & Cons of Full Disk Encryption
This video from SANS educates viewers on the positive and negative aspects of using full disk encryption for security.

Discussion [NIST SP 800-171 R2]
Cryptography can be employed to support many security solutions including the protection of controlled unclassified information, the provision of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances for such information but lack the necessary formal access approvals. Cryptography can also be used to support random number generation and hash generation. Cryptographic standards include FIPS-validated cryptography and/or NSA-approved cryptography.

Further Discussion
When CMMC requires cryptography, it is to protect the confidentiality of CUI. FIPS-validated cryptography means the cryptographic module has to have been tested and validated to meet FIPS 140-1 or-2 requirements. Simply using an approved algorithm is not sufficient –the module (software and/or hardware) used to implement the algorithm must be separately validated under FIPS 140. Accordingly, FIPS-validated cryptography is required to meet CMMC practices that protect CUI when transmitted or stored outside the protected environment of the covered contractor information system (including wireless/remote access). Encryption used for other purposes, such as within applications or devices within the protected environment of the covered contractor information system, would not need to be FIPS-validated.
This practice, SC.L2-3.13.11, complements AC.L2-3.1.19, MP.L2-3.8.6, SC.L2-3.13.8, and SC.L2-3.13.16 by specifying that FIPS-validated cryptography must be used.