NIST 800-171 Control 3.13.11: CUI Encryption
Protecting Controlled Unclassified Information (CUI) requires more than access controls—it demands strong encryption. NIST SP 800-171 control 3.13.11 mandates the use of FIPS-validated cryptography to ensure CUI remains confidential at rest and in transit. For defense contractors and government vendors, this is a non-negotiable requirement.
What this means
Control 3.13.11 requires your organization to use only FIPS-validated cryptographic algorithms and implementations when encrypting CUI. FIPS validation ensures cryptography meets rigorous federal security standards and has been tested by the National Institute of Standards and Technology. This applies to CUI stored on systems, transmitted across networks, and handled during backup or archival processes. Non-validated encryption—including proprietary or homegrown solutions—does not satisfy this control.
How to comply
- 1.Identify all systems, databases, and storage locations where CUI resides or transits
- 2.Audit current encryption implementations to verify FIPS 140-2 or FIPS 140-3 validation status
- 3.Replace any non-validated encryption with FIPS-approved algorithms (AES, RSA, SHA-256, etc.) and validated implementations
- 4.Document cryptographic controls in your System Security Plan (SSP) with specific product names, versions, and FIPS certifications
- 5.Configure encryption for data at rest (databases, file systems, removable media) and data in transit (TLS 1.2+, IPSEC, SSH)
- 6.Establish key management procedures including generation, storage, rotation, and destruction
- 7.Implement monitoring and logging to track encryption usage and key lifecycle events
- 8.Conduct annual reviews of cryptographic implementations against current FIPS standards
Evidence auditors look for
- Approved Products List (APL) documentation showing FIPS 140-2/140-3 certified tools in use
- System Security Plan with cryptographic control descriptions and algorithm specifications
- Network diagrams highlighting encrypted CUI data flows
- Database encryption configuration reports (TDE, column-level encryption)
- TLS certificate inventory and configuration audit results
- Key management procedure documentation with rotation schedules
- Vendor attestations confirming FIPS validation of commercial products
- Encryption audit logs spanning the past 12 months
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
See how GRCWatch handles this control automatically.
See how GRCWatch handles this control automatically
Start free trial