SC.L2-3.13.11 CUI Encryption
Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
Source: NIST SP 800-171 Rev 2 3.13.11
Discussion: Cryptography can be employed to support many security solutions including the protection of controlled unclassified information, the provision of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances for such information but lack the necessary formal access approvals. Cryptography can also be used to support random number generation and hash generation. Cryptographic standards include FIPS-validated cryptography and/or NSA-approved cryptography. See [NIST CRYPTO]; [NIST CAVP]; and [NIST CMVP].
Assessment Objectives:
Determine if:
- [a] FIPS-validated cryptography is employed to protect the confidentiality of CUI.
Examine: [SELECT FROM: System and communications protection policy; procedures addressing cryptographic protection; security plan; system design documentation; system configuration settings and associated documentation; cryptographic module validation certificates; list of FIPS-validated cryptographic modules; system audit logs and records; other relevant documents or records].
Interview: [SELECT FROM: System or network administrators; personnel with information security responsibilities; system developer; personnel with responsibilities for cryptographic protection].
Test: [SELECT FROM: Mechanisms supporting or implementing cryptographic protection].
SPRS Score: 5
POA&M Allowed: Yes