CMMC SC.3.177 - Employ FIPS-Validated Cryptography to Protect CUI

Requirement text: SC.3.177: Employ FIPS-validated cryptography when used to protect the
confidentiality of CUI.

DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
Cryptography can be employed to support many security solutions including the protection
of controlled unclassified information, the provision of digital signatures, and the
enforcement of information separation when authorized individuals have the necessary
clearances for such information but lack the necessary formal access approvals.
Cryptography can also be used to support random number generation and hash generation.
Generally applicable cryptographic standards include FIPS-validated cryptography and/or
NSA-approved cryptography.

CMMC CLARIFICATION
Only use FIPS-validated cryptography to protect the confidentiality of CUI, since it has been
tested and validated to meet FIPS 140-3 requirements. Any other cryptography cannot be
used, since it has not been tested and validated to protect CUI. FIPS-validated cryptography
is not a requirement for all information; FIPS validation is only required for the protection of
CUI.

Example
You are an IT administrator responsible for deploying encryption on all devices that contain
CUI for your organization. You must ensure that the encryption you use on the devices is
FIPS-validated cryptography. An employee informs you that they must carry a large volume
of CUI offsite and asks for guidance on how to do so.

You provide the user with whole disk encryption software that, as you have verified via the
NIST website, uses a FIPS 140-3 validated encryption module. You instruct the user on the
use of the software. Once the encryption software is active, the user copies their CUI data
onto the drive to transport the data.

References
• NIST SP 800-171 Rev 1 3.13.11
• CIS Controls v7.1 14.4, 14.8
• NIST CSF v1.1 PR.DS-1, PR.DS-2
• CERT RMM v1.2 KIM:SG4.SP1
• NIST SP 800-53 Rev 4 SC-13