CMMC Requirement SC.L2-3.13.11 – CUI Encryption: Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
This document provides assessment guidance for conducting Cybersecurity Maturity Model Certification (CMMC) assessments for Level 2. This NIST document is intended to provide programmatic guidance of the CMVP. This NIST Special Publication provides recommendations to facilitate more efficient and effective storage encryption solution design, implementation, and management for Federal departments and agencies. This NIST Special Publication is one part in a series of documents intended to provide guidance to the Federal Government for using cryptography to protect its sensitive, but unclassified digitized information during transmission and while in storage. This sample policy from SANS provides guidance that limits the use of encryption to those algorithms that have received substantial public review and have been proven to work effectively. This SANS whitepaper defines FIPS, identify FIPS approved encryption algorithms, and examine some different vendor solutions and their use of these approved algorithms. This video from SANS educates viewers on the positive and negative aspects of using full disk encryption for security.
Cryptography can be employed to support many security solutions including the protection of controlled unclassified information, the provision of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances for such information but lack the necessary formal access approvals. Cryptography can also be used to support random number generation and hash generation. Cryptographic standards include FIPS-validated cryptography and/or NSA-approved cryptography.
Further Discussion
FIPS-validated cryptography means the cryptographic module has to have been tested and validated to meet FIPS 140-2 requirements. Simply using an approved algorithm is not sufficient – the module (software and/or hardware) used to implement the algorithm must be separately validated under FIPS 140. Accordingly, FIPS-validated cryptography is required to protect CUI when transmitted or stored outside the protected environment of the covered OSA information system (including wireless/remote access). Encryption used for other purposes, such as within applications or devices within the protected environment of the covered OSA information system, would not need to use FIPS-validated cryptography.
This requirement, SC.L2-3.13.11, complements AC.L2-3.1.19, MP.L2-3.8.6, SC.L2-3.13.8, and SC.L2-3.13.16 by specifying that FIPS-validated cryptography must be used. While FIPS validated modules and algorithms are critical for protecting CUI, in limited cases Enduring Exceptions and temporary deficiencies may apply when implementing such cryptographic mechanisms.