CMMC 2.0 • LEVEL 2 • SYSTEM & COMMUNICATIONS PROTECTION

SC.L2-3.13.11 Cryptographic Protection

Cryptography is implemented in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines. FIPS-validated cryptography is recommended for the protection of CUI.

NIST 800-171 Mapping

NIST 800-53 Controls

Assessment Objectives

  • The following types of cryptography are implemented to protect the confidentiality of CUI: FIPS 140-2 or 140-3 validated cryptographic modules; RSA 2048-bit minimum; AES-128 minimum (AES-256 preferred); key lifecycle managed per NIST SP 800-57 Part 1; documented key custodian roles required (CMMC/STIG).
