System and Communications Protection 3.13.11

Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.


What Is This CMMC Control?

Organizations must use cryptography that has been validated by the National Institute of Standards and Technology (NIST) Federal Information Processing Standards (FIPS) program when encrypting Controlled Unclassified Information (CUI). This means you cannot use just any encryption tool or algorithm - it must be one that has been officially tested and approved by NIST to meet federal cryptographic standards. This applies to data at rest (stored files), data in transit (network communications), and any other cryptographic operations protecting CUI.

Control Intent

Ensure that cryptographic protections applied to CUI use proven, standardized algorithms and implementations that have been independently validated to meet federal security requirements, thereby preventing the use of weak, proprietary, or unvalidated encryption that could be compromised.

Who This Control Applies To

  • Any system, application, or service that stores CUI
  • Any system, application, or service that transmits CUI over networks
  • Encryption solutions for CUI at rest (full disk encryption, file encryption, database encryption)
  • Encryption solutions for CUI in transit (VPN, TLS/SSL, secure email)
  • Cloud services and SaaS applications storing or processing CUI
  • Backup and archive systems containing CUI
  • Mobile devices and removable media containing CUI
  • Cryptographic key management systems
  • Authentication systems using cryptographic functions for CUI access

Not Applicable When

  • The system does not store, process, or transmit CUI
  • Cryptography is used for purposes other than protecting CUI confidentiality (though FIPS validation is still recommended)
  • Data is public or unclassified and not designated as CUI
  • Legacy systems scheduled for decommissioning within the assessment period (requires documented POA&M)

Key Objectives

  1. Ensure all cryptographic modules protecting CUI confidentiality are FIPS 140-2 or FIPS 140-3 validated
  2. Prevent use of non-validated, deprecated, or weak cryptographic algorithms for CUI protection
  3. Maintain verifiable evidence of FIPS validation for all cryptographic implementations protecting CUI

Sample Self-Assessment Questions (Partial)

Does your organization store, process, or transmit CUI in any systems or applications?

What encryption technologies are currently used to protect CUI (at rest and in transit)?

Implementation Approaches (High-Level)

Operating System Native FIPS Mode

Enable and enforce FIPS 140-2 validated cryptographic modules built into modern operating systems for protecting CUI at rest and in transit.

FIPS-Validated Full Disk Encryption

Deploy full disk encryption solutions with FIPS 140-2 validated cryptographic modules to protect CUI stored on system drives.

FIPS-Validated VPN and Network Encryption

Implement VPN and network encryption solutions using FIPS 140-2 validated cryptographic modules to protect CUI in transit.

FIPS-Validated TLS/SSL for Web and Application Encryption

Configure web servers, applications, and APIs to use FIPS 140-2 validated TLS/SSL implementations for protecting CUI in transit.

FIPS-Validated Cloud and SaaS Encryption

Select and configure cloud services and SaaS applications that provide FIPS 140-2 validated encryption for CUI storage and transmission.

FIPS-Validated Email Encryption

Implement email encryption solutions with FIPS 140-2 validated cryptographic modules to protect CUI transmitted via email.

Evidence & Assessment Notes

Expected Evidence

Organizations should maintain documentation and evidence demonstrating compliance with this control. This may include policy documentation, configuration records, audit logs, access reviews, and other relevant artifacts that show how the control is implemented and maintained.

Plan of Action & Milestones (POA&M)

  • Identify all systems storing, processing, or transmitting CUI that currently use non-FIPS-validated cryptography
  • Prioritize remediation based on CUI sensitivity and exposure risk (e.g., internet-facing systems, mobile devices)
  • For each non-compliant system, document: current encryption solution, FIPS validation status, remediation approach, and timeline
  • Common remediation approaches: enable FIPS mode on existing systems, upgrade to FIPS-validated versions, replace with FIPS-validated solutions
  • Establish interim compensating controls if immediate remediation is not feasible (e.g., network segmentation, enhanced monitoring, restricted access)
  • Set realistic timelines considering testing requirements, application compatibility, and operational impact
  • Document any systems that cannot support FIPS-validated cryptography and require long-term exceptions or alternative approaches
  • Include milestones for FIPS validation verification, configuration changes, testing, and deployment
  • Plan for ongoing FIPS validation maintenance after initial remediation (e.g., update management, validation verification)
  • Consider a phased approach: remediate highest-risk systems first, then expand to remaining systems
  • Document resource requirements (budget, personnel, vendor support) for remediation activities
  • Establish a process for verifying FIPS validation status after remediation is complete

Frequently Asked Questions

What is FIPS validation and how is it different from FIPS compliance?

FIPS validation means a cryptographic module has been independently tested by an accredited laboratory and validated by NIST to meet FIPS 140-2 or FIPS 140-3 standards. Each validated module receives a unique certificate number listed on the NIST CMVP website. FIPS compliance is a vendor claim that a product uses FIPS-approved algorithms, but without independent validation. For CMMC, you must use FIPS-validated modules with verifiable certificate numbers, not just vendor claims of compliance.

Do I need FIPS validation for all encryption, or only encryption protecting CUI?

This control specifically requires FIPS-validated cryptography only when used to protect the confidentiality of CUI. Encryption used for other purposes (e.g., protecting non-CUI data, internal network segmentation) is not strictly required to be FIPS-validated under this control, though it is recommended as a best practice. However, if a system handles both CUI and non-CUI, it is often simpler to use FIPS-validated cryptography for all encryption on that system.

Can I use open-source encryption tools like OpenSSL for CUI protection?

Yes, but only if you use a FIPS-validated version of the open-source tool. For example, OpenSSL has a FIPS-validated cryptographic module (OpenSSL FIPS Object Module) that can be used. You must configure your systems to use the FIPS-validated module, not the standard OpenSSL library, and you must verify the FIPS validation certificate number. Simply using OpenSSL without the FIPS module does not meet this control.
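As an added example (not from the original page or from ConformatIQ), a small Python evidence check that ties the operating-system FIPS mode approach above and this OpenSSL answer together on a Linux host: it reads the kernel's /proc/sys/crypto/fips_enabled flag and parses `openssl list -providers`, assuming OpenSSL 3.x, where the validated module loads as the `fips` provider (SAMPLE_LISTING is constructed output, and collect_live needs an openssl binary on PATH). A clean result is evidence to record next to the CMVP certificate number, which the script does not look up.

```python
import subprocess
from pathlib import Path
FIPS_FLAG = Path("/proc/sys/crypto/fips_enabled")
# Constructed sample of `openssl list -providers` output, not captured from a real host.
SAMPLE_LISTING = """Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.8
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.0.8
    status: active
"""

def parse_providers(listing: str) -> dict:
    """Turn the two-level indented listing into {provider_id: {field: value}}."""
    providers, current = {}, None
    for raw in listing.splitlines():
        indent, line = len(raw) - len(raw.lstrip(" ")), raw.strip()
        if not line or indent == 0:          # blank line or the "Providers:" header
            continue
        if indent >= 4 and ": " in line and current is not None:
            key, value = line.split(": ", 1)
            providers[current][key] = value
        else:                                # provider id line such as "fips"
            current, providers[line] = line, {}
    return providers

def assess(flag_text: str, listing: str) -> dict:
    """Combine the kernel flag and provider table into findings for the evidence file."""
    providers = parse_providers(listing)
    kernel_fips = flag_text.strip() == "1"
    fips = providers.get("fips", {})
    fips_active = fips.get("status") == "active"
    findings = []
    if not kernel_fips:
        findings.append("kernel fips_enabled is not 1")
    if not fips_active:
        findings.append("OpenSSL FIPS provider is not loaded/active")
    elif providers.get("default", {}).get("status") == "active":
        # Non-approved algorithms stay reachable unless openssl.cnf sets default_properties = fips=yes
        findings.append("default provider also active: confirm default_properties = fips=yes")
    return {"kernel_fips": kernel_fips, "fips_active": fips_active,
            "fips_version": fips.get("version"), "findings": findings}

def collect_live() -> dict:
    flag = FIPS_FLAG.read_text() if FIPS_FLAG.exists() else "0"
    out = subprocess.run(["openssl", "list", "-providers"], capture_output=True, text=True)
    return assess(flag, out.stdout)
```

The recorded fips_version is the value to match against the module version on the CMVP certificate; a mismatch means the binary in use is not the validated one.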

What happens if a FIPS validation expires or is revoked?

If a FIPS validation is revoked or the cryptographic module moves to the 'historical' list on the NIST CMVP website, it is no longer considered validated for new implementations. For existing systems, you should plan to upgrade to a currently validated version. During an assessment, assessors will verify that your FIPS validations are current and have not been revoked. Continued use of revoked validations will likely result in a finding and require a POA&M for remediation.

Do cloud services like AWS, Azure, or Microsoft 365 provide FIPS-validated encryption?

Major cloud providers offer FIPS-validated encryption, but it is not always enabled by default. You must verify FIPS validation for the specific services and regions you use, and often must enable FIPS mode or use specific FIPS endpoints. For example, AWS provides FIPS-validated encryption for services like S3 and KMS, but you must use FIPS endpoints. Microsoft 365 offers FIPS validation in GCC High and DoD environments. Always verify FIPS validation certificates and configure services appropriately.

How do I verify FIPS validation for a product or service?

Visit the NIST Cryptographic Module Validation Program (CMVP) website and search for the product or cryptographic module. Each validated module has a certificate number, validation date, and security policy document. Verify that the certificate is current (not historical or revoked) and matches the version you are using. For cloud services, request FIPS validation documentation from the provider, including certificate numbers and attestation letters.

How ConformatIQ Helps With CMMC Readiness

ConformatIQ is an AI-assisted CMMC readiness platform designed to help organizations prepare for assessments more efficiently. The platform supports document generation such as SSPs and POA&Ms, guided readiness workflows, centralized evidence tracking, and interview preparation for assessments.


Information sourced from NIST SP 800-171 Rev. 2.