Practice SC.L2-3.13.11 Details

From CMMC Toolkit Wiki
Jump to navigation Jump to search

Source of Reference: The official CMMC Level 2 Assessment Guide from the Office of the Under Secretary of Defense Acquisition & Sustainment.

For inquiries and reporting errors on this wiki, please contact us. Thank you.

SC.L2-3.13.11 – CUI ENCRYPTION

SECURITY REQUIREMENT

Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.

ASSESSMENT OBJECTIVES

Determine if:

[a] FIPS-validated cryptography is employed to protect the confidentiality of CUI.

POTENTIAL ASSESSMENT METHODS AND OBJECTS

Examine

[SELECT FROM: System and communications protection policy;procedures addressing cryptographic protection;system security plan;system design documentation;system configuration settings and associated documentation;cryptographic module validation certificates; list of FIPS-validated cryptographic modules; system audit logs and records; any other relevant documents or records].

Interview

[SELECT FROM: System or network administrators; personnel with information security responsibilities;system developers;personnel with responsibilities for cryptographic protection].

Test

[SELECT FROM: Mechanisms supporting or implementing cryptographic protection].

DISCUSSION

Cryptography can be employed to support many security solutions including the protection of controlled unclassified information, the provision of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances for such information but lack the necessary formal access approvals.Cryptography can also be used to support random number generation and hash generation.Cryptographic standards include FIPS-validated cryptography and/or NSA-approved cryptography.

FURTHER DISCUSSION

When CMMC requires cryptography, it is to protect the confidentiality of CUI. FIPS-validated cryptography means the cryptographic module has to have been tested and validated to meet FIPS 140-1 or-2 requirements. Simply using an approved algorithm is not sufficient – the module (software and/or hardware) used to implement the algorithm must be separately validated under FIPS 140. Accordingly, FIPS-validated cryptography is required to meet CMMC practices that protect CUI when transmitted or stored outside the protected environment of the covered contractor information system (including wireless/remote access). Encryption used for other purposes, such as within applications or devices within the protected environment of the covered contractor information system, would not need to be FIPS-validated.

This practice, SC.L2-3.13.11, complements AC.L2-3.1.19, MP.L2-3.8.6, SC.L2-3.13.8, and SC.L2-3.13.16 by specifying that FIPS-validated cryptography must be used.

Example

You are a system administrator responsible for deploying encryption on all devices that contain CUI. You must ensure that the encryption you use on the devices is FIPS-validated cryptography [a]. An employee informs you of a need to carry a large volume of CUI offsite and asks for guidance on how to do so. You provide the user with disk encryption software that you have verified via the NIST website that uses a CMVP-validated encryption module [a]. Once the encryption software is active, the user copies the CUI data onto the drive for transport.

Potential Assessment Considerations

  • Is cryptography implemented to protect the confidentiality of CUI at rest and in transit, through the configuration of systems and applications or through the use of encryption tools [a]?

KEY REFERENCES

  • NIST SP 800-171 Rev 2 3.13.11