David at 01:40, 16 March 2025

2025-03-16T01:40:00Z

← Older revision		Revision as of 01:40, 16 March 2025
Line 1:		Line 1:
	'''Source of Reference: The official [https://~~www~~.~~acq~~.~~osd.mil~~/cmmc/~~documentation.html~~ CMMC Level 2 Assessment Guide] from the ~~Office of the Under Secretary~~ of Defense ~~Acquisition & Sustainment~~.'''		'''Source of Reference: The official [https://dodcio.defense.gov/cmmc/Resources-Documentation/ CMMC Level 2 Assessment Guide] from the Department of Defense Chief Information Officer (DoD CIO).'''

	For inquiries and reporting errors on this wiki, please [mailto:support@cmmctoolkit.org contact us]. Thank you.		For inquiries and reporting errors on this wiki, please [mailto:support@cmmctoolkit.org contact us]. Thank you.
Line 12:		Line 12:
	'''Examine'''		'''Examine'''

	[SELECT FROM: System and communications protection policy;procedures addressing cryptographic protection;system security plan;system design documentation;system configuration settings and associated documentation;cryptographic module validation certificates; list of FIPS-validated cryptographic modules; system audit logs and records; any other relevant documents or records].		[SELECT FROM: System and communications protection policy; procedures addressing cryptographic protection; system security plan; system design documentation; system configuration settings and associated documentation; cryptographic module validation certificates; list of FIPS-validated cryptographic modules; system audit logs and records; any other relevant documents or records].

	'''Interview'''		'''Interview'''

	[SELECT FROM: System or network administrators; personnel with information security responsibilities;system developers;personnel with responsibilities for cryptographic protection].		[SELECT FROM: System or network administrators; personnel with information security responsibilities; system developers; personnel with responsibilities for cryptographic protection].

	'''Test'''		'''Test'''
Line 22:		Line 22:
	[SELECT FROM: Mechanisms supporting or implementing cryptographic protection].		[SELECT FROM: Mechanisms supporting or implementing cryptographic protection].
	=== DISCUSSION ===		=== DISCUSSION ===
	Cryptography can be employed to support many security solutions including the protection of controlled unclassified information, the provision of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances for such information but lack the necessary formal access approvals.Cryptography can also be used to support random number generation and hash generation.Cryptographic standards include FIPS-validated cryptography and/or NSA-approved cryptography.		Cryptography can be employed to support many security solutions including the protection of controlled unclassified information, the provision of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances for such information but lack the necessary formal access approvals. Cryptography can also be used to support random number generation and hash generation. Cryptographic standards include FIPS-validated cryptography and/or NSA-approved cryptography.
	=== FURTHER DISCUSSION ===		=== FURTHER DISCUSSION ===
	When CMMC requires cryptography, it is to protect the confidentiality of CUI. FIPS-validated cryptography means the cryptographic module has to have been tested and validated to meet FIPS 140-1 or-2 requirements. Simply using an approved algorithm is not sufficient – the module (software and/or hardware) used to implement the algorithm must be separately validated under FIPS 140. Accordingly, FIPS-validated cryptography is required to meet CMMC practices that protect CUI when transmitted or stored outside the protected environment of the covered contractor information system (including wireless/remote access). Encryption used for other purposes, such as within applications or devices within the protected environment of the covered contractor information system, would not need to be FIPS-validated.		When CMMC requires cryptography, it is to protect the confidentiality of CUI. FIPS-validated cryptography means the cryptographic module has to have been tested and validated to meet FIPS 140-1 or-2 requirements. Simply using an approved algorithm is not sufficient – the module (software and/or hardware) used to implement the algorithm must be separately validated under FIPS 140. Accordingly, FIPS-validated cryptography is required to meet CMMC practices that protect CUI when transmitted or stored outside the protected environment of the covered contractor information system (including wireless/remote access). Encryption used for other purposes, such as within applications or devices within the protected environment of the covered contractor information system, would not need to be FIPS-validated.

Wikiadmin: Created page with "'''Source of Reference: The official [https://www.acq.osd.mil/cmmc/documentation.html CMMC Level 2 Assessment Guide] from the Office of the Under Secretary of Defense Acquisition & Sustainment.''' For inquiries and reporting errors on this wiki, please [mailto:support@cmmctoolkit.org contact us]. Thank you. == SC.L2-3.13.11 – CUI ENCRYPTION == === SECURITY REQUIREMENT === Employ FIPS-validated cryptography when used to protect the confidentiality of CUI. === ASSESSME..."

2022-02-25T03:04:51Z

Created page with "'''Source of Reference: The official [https://www.acq.osd.mil/cmmc/documentation.html CMMC Level 2 Assessment Guide] from the Office of the Under Secretary of Defense Acquisition & Sustainment.''' For inquiries and reporting errors on this wiki, please [mailto:support@cmmctoolkit.org contact us]. Thank you. == SC.L2-3.13.11 – CUI ENCRYPTION == === SECURITY REQUIREMENT === Employ FIPS-validated cryptography when used to protect the confidentiality of CUI. === ASSESSME..."

New page

'''Source of Reference: The official [https://www.acq.osd.mil/cmmc/documentation.html CMMC Level 2 Assessment Guide] from the Office of the Under Secretary of Defense Acquisition & Sustainment.'''

For inquiries and reporting errors on this wiki, please [mailto:support@cmmctoolkit.org contact us]. Thank you.

== SC.L2-3.13.11 – CUI ENCRYPTION ==
=== SECURITY REQUIREMENT ===
Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
=== ASSESSMENT OBJECTIVES ===
Determine if:
: [a] FIPS-validated cryptography is employed to protect the confidentiality of CUI.
=== POTENTIAL ASSESSMENT METHODS AND OBJECTS ===
'''Examine'''

[SELECT FROM: System and communications protection policy;procedures addressing cryptographic protection;system security plan;system design documentation;system configuration settings and associated documentation;cryptographic module validation certificates; list of FIPS-validated cryptographic modules; system audit logs and records; any other relevant documents or records].

'''Interview'''

[SELECT FROM: System or network administrators; personnel with information security responsibilities;system developers;personnel with responsibilities for cryptographic protection].

'''Test'''

[SELECT FROM: Mechanisms supporting or implementing cryptographic protection].
=== DISCUSSION ===
Cryptography can be employed to support many security solutions including the protection of controlled unclassified information, the provision of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances for such information but lack the necessary formal access approvals.Cryptography can also be used to support random number generation and hash generation.Cryptographic standards include FIPS-validated cryptography and/or NSA-approved cryptography.
=== FURTHER DISCUSSION ===
When CMMC requires cryptography, it is to protect the confidentiality of CUI. FIPS-validated cryptography means the cryptographic module has to have been tested and validated to meet FIPS 140-1 or-2 requirements. Simply using an approved algorithm is not sufficient – the module (software and/or hardware) used to implement the algorithm must be separately validated under FIPS 140. Accordingly, FIPS-validated cryptography is required to meet CMMC practices that protect CUI when transmitted or stored outside the protected environment of the covered contractor information system (including wireless/remote access). Encryption used for other purposes, such as within applications or devices within the protected environment of the covered contractor information system, would not need to be FIPS-validated.

This practice, SC.L2-3.13.11, complements AC.L2-3.1.19, MP.L2-3.8.6, SC.L2-3.13.8, and SC.L2-3.13.16 by specifying that FIPS-validated cryptography must be used.

'''Example'''

You are a system administrator responsible for deploying encryption on all devices that contain CUI. You must ensure that the encryption you use on the devices is FIPS-validated cryptography [a]. An employee informs you of a need to carry a large volume of CUI offsite and asks for guidance on how to do so. You provide the user with disk encryption software that you have verified via the NIST website that uses a CMVP-validated encryption module [a]. Once the encryption software is active, the user copies the CUI data onto the drive for transport.

'''Potential Assessment Considerations'''
* Is cryptography implemented to protect the confidentiality of CUI at rest and in transit, through the configuration of systems and applications or through the use of encryption tools [a]?
=== KEY REFERENCES ===
* NIST SP 800-171 Rev 2 3.13.11

Practice SC.L2-3.13.11 Details - Revision history

David at 01:40, 16 March 2025