NIST 800-171 • LEVEL 2 • SYSTEM AND COMMUNICATIONS PROTECTION
3.13.11 — Cryptographic Protection
Cryptography is implemented in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines. FIPS-validated cryptography is recommended for the protection of CUI.
Assessment Objectives
- the following types of cryptography are implemented to protect the confidentiality of CUI: {{ insert: param, A.03.13.11.ODP.01 }}.
Practitioner Notes
This practice requires that when you use cryptography to protect CUI, you use FIPS-validated cryptographic modules. In practical terms, this means making sure your encryption tools and algorithms meet federal standards -- not rolling your own crypto.
Example 1: Enable FIPS-compliant mode on Windows endpoints via GPO: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing -- set to Enabled. This forces Windows to use only FIPS 140-validated cryptographic modules.
Example 2: Verify that your VPN solution uses FIPS-validated encryption. For example, Cisco AnyConnect supports FIPS mode -- enable it in the AnyConnect Local Policy profile by setting <FIPSMode>true</FIPSMode>. This ensures the VPN tunnel uses only approved algorithms (AES-256, SHA-256, etc.).
Check NIST's Cryptographic Module Validation Program (CMVP) list at csrc.nist.gov to confirm your products have valid FIPS 140 certificates.
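The following PowerShell script is an added example, not part of the NIST control text or any vendor documentation. It audits one Windows endpoint for the two settings in Examples 1 and 2 above, so the result can be attached as assessment evidence: it reads the registry value that the "System cryptography: Use FIPS compliant algorithms" policy writes (HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\Enabled) and looks for the <FIPSMode> element in the AnyConnect local policy XML. The AnyConnect file location is an assumed default install path and should be adjusted to match your deployment. The script is read-only and changes nothing.

```powershell
# Added example for 3.13.11: read-only audit of FIPS settings on a Windows endpoint.
# Assumption: the AnyConnect local policy lives at its default install location.

function Test-WindowsFipsPolicy {
    # The GPO "System cryptography: Use FIPS compliant algorithms for encryption,
    # hashing, and signing" sets this value to 1 when Enabled.
    $path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $value = Get-ItemProperty -Path $path -Name 'Enabled' -ErrorAction SilentlyContinue

    if ($null -eq $value) {
        $enabled = $false
        $detail  = 'Enabled value not present (policy not applied)'
    } else {
        $enabled = ($value.Enabled -eq 1)
        $detail  = "Enabled = $($value.Enabled)"
    }

    [pscustomobject]@{
        Host    = $env:COMPUTERNAME
        Check   = 'Windows FIPS algorithm policy'
        Enabled = $enabled
        Detail  = $detail
    }
}

function Test-AnyConnectFipsMode {
    param(
        # Assumed default path; change it if AnyConnect is installed elsewhere.
        [string]$PolicyPath = "$env:ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\AnyConnectLocalPolicy.xml"
    )

    if (-not (Test-Path -Path $PolicyPath)) {
        return [pscustomobject]@{
            Host    = $env:COMPUTERNAME
            Check   = 'AnyConnect FIPSMode'
            Enabled = $false
            Detail  = "Policy file not found: $PolicyPath"
        }
    }

    [xml]$policy = Get-Content -Path $PolicyPath -Raw
    # local-name() lookup avoids having to register the file's default XML namespace.
    $node = $policy.SelectSingleNode("//*[local-name()='FIPSMode']")

    if ($null -eq $node) {
        $enabled = $false
        $detail  = '<FIPSMode> element missing from local policy'
    } else {
        $text    = $node.InnerText.Trim()
        $enabled = ($text -eq 'true')
        $detail  = "FIPSMode = $text"
    }

    [pscustomobject]@{
        Host    = $env:COMPUTERNAME
        Check   = 'AnyConnect FIPSMode'
        Enabled = $enabled
        Detail  = $detail
    }
}

function Get-CryptoProtectionReport {
    # Both checks in one object list; pipe to Export-Csv to keep as evidence.
    @(Test-WindowsFipsPolicy; Test-AnyConnectFipsMode)
}

Get-CryptoProtectionReport | Format-Table -AutoSize
```

Two caveats when reading the output. The Windows policy flag only governs components that honor it (SChannel, CNG and .NET providers); it does not retroactively make a third-party application FIPS-validated, so the CMVP certificate check in the note above still applies to each product. And `Enabled = $true` for the AnyConnect check only shows the client is configured for FIPS mode; confirming the negotiated tunnel algorithms is done on the VPN head-end.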