GRCWatch
Sign inStart free trial

SC.L2-3.13.11: Encrypt CUI with FIPS-Validated Cryptography

Control SC.L2-3.13.11 mandates the use of FIPS-validated cryptographic algorithms to protect Controlled Unclassified Information (CUI) at rest and in transit. For CMMC Level 2 compliance, your organization must implement encryption controls that meet federal cryptographic standards, ensuring CUI remains confidential throughout its lifecycle.

What this means

This control requires your organization to protect CUI confidentiality using cryptography validated by NIST's Cryptographic Module Validation Program (CMVP). FIPS 140-2 or FIPS 140-3 validated modules ensure that encryption algorithms meet rigorous federal standards for strength and implementation. Encryption must cover CUI both at rest (stored data) and in transit (data moving across networks).

How to comply

  1. 1.Identify all systems and storage locations containing CUI within your environment
  2. 2.Audit current encryption implementations to verify FIPS 140-2 or FIPS 140-3 validation status
  3. 3.Select and deploy FIPS-validated cryptographic modules for data at rest (databases, file systems, backups)
  4. 4.Implement FIPS-validated TLS/SSL protocols for data in transit across networks and remote connections
  5. 5.Configure encryption key management with secure generation, storage, and rotation procedures
  6. 6.Document all cryptographic implementations, including algorithm types, key lengths, and validation certificates
  7. 7.Test encryption controls to verify proper functionality and data protection effectiveness
  8. 8.Establish a schedule for periodic reviews and updates of cryptographic standards as NIST guidance evolves

Evidence auditors look for

  • CMVP validation certificates for deployed cryptographic modules
  • System configuration documentation showing FIPS 140-2/3 enabled settings
  • Network traffic analysis confirming TLS 1.2+ encryption for CUI transmissions
  • Key management procedures and audit logs documenting key lifecycle activities
  • Backup and archive encryption verification reports
  • Cryptographic policy documentation aligned with NIST standards
  • Third-party security assessment reports validating encryption implementations
  • Encryption control test results from vulnerability or compliance scanning tools

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

See how GRCWatch handles this control automatically.

See how GRCWatch handles this control automatically

Start free trial

Related controls

SC.L2-3.13.1 (Cryptographic Controls)SC.L2-3.13.8 (Cryptographic Key Establishment)SC.L2-3.13.9 (Cryptographic Key Destruction)SI.L2-3.14.1 (Information System Monitoring)