System and Communications ProtectionCMMC Level 2

NIST 800-171 3.13.11Employ FIPS-validated cryptography when used to protect the confidentiality of CUI

Overview

This control requires organizations to employ FIPS-validated cryptography when used to protect the confidentiality of CUI. It is part of the System and Communications Protection family and is required for CMMC Level 2 certification. Defense contractors handling CUI must implement this control to protect sensitive information and demonstrate compliance during assessments.

Assessment Objectives

1Determine if the organization has defined policies and procedures to employ fips-validated cryptography when used to protect the confidentiality of cui
2Determine if the organization implements mechanisms to employ fips-validated cryptography when used to protect the confidentiality of cui
3Verify that the implementation is consistent with organizational policies and NIST 800-171 requirements

Implementation Guidance

Implement this control by establishing documented policies and procedures, deploying appropriate technical controls, and maintaining evidence of ongoing compliance. Regularly review and test the implementation to ensure effectiveness and address any gaps identified during assessments.

Common Audit Gaps

!No documented policy or procedure addressing this requirement

!Implementation exists but lacks evidence of consistent enforcement

!Monitoring and review processes are informal or undocumented

Related DFARS Clauses

DFARS 252.204-7012 DFARS 252.204-7019 DFARS 252.204-7020 DFARS 252.204-7021

Frequently Asked Questions

What is NIST 800-171 control 3.13.11?

NIST 800-171 control 3.13.11 requires organizations to employ FIPS-validated cryptography when used to protect the confidentiality of CUI. This control is part of the System and Communications Protection family and is required for CMMC Level 2 certification.

How do you implement NIST 800-171 3.13.11?

To implement control 3.13.11, establish documented policies, deploy technical controls to employ fips-validated cryptography when used to protect the confidentiality of c, and maintain evidence of compliance. Regular testing and monitoring are essential.

What evidence is needed for NIST 800-171 3.13.11?

Evidence for control 3.13.11 typically includes written policies and procedures, system configuration documentation, audit logs showing enforcement, and records of periodic reviews. Assessors will look for both documentation and technical implementation.

Related Controls

3.13.10|Establish and manage cryptographic keys for cryptography employed in organizational systems

System and Communications Protection

3.13.12|Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device

System and Communications Protection

3.14.1|Identify, report, and correct system flaws in a timely manner

System and Information Integrity

More in System and Communications Protection

3.13.1 — Monitor, control, and protect communications at the external boundaries and key internal boundaries of organizational systems 3.13.2 — Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems 3.13.3 — Separate user functionality from system management functionality 3.13.4 — Prevent unauthorized and unintended information transfer via shared system resources 3.13.5 — Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks

Check your compliance for NIST 800-171 3.13.11

Cabrillo Club automates evidence collection and audit readiness across all 110 NIST 800-171 controls.

Join Free

← All NIST 800-171 Controls

System and Communications ProtectionCMMC Level 2

NIST 800-171 3.13.11Employ FIPS-validated cryptography when used to protect the confidentiality of CUI

Overview

Assessment Objectives

1Determine if the organization has defined policies and procedures to employ fips-validated cryptography when used to protect the confidentiality of cui
2Determine if the organization implements mechanisms to employ fips-validated cryptography when used to protect the confidentiality of cui
3Verify that the implementation is consistent with organizational policies and NIST 800-171 requirements

Implementation Guidance

Common Audit Gaps

!No documented policy or procedure addressing this requirement

!Implementation exists but lacks evidence of consistent enforcement

!Monitoring and review processes are informal or undocumented

Related DFARS Clauses

DFARS 252.204-7012 DFARS 252.204-7019 DFARS 252.204-7020 DFARS 252.204-7021

Frequently Asked Questions

What is NIST 800-171 control 3.13.11?

How do you implement NIST 800-171 3.13.11?

What evidence is needed for NIST 800-171 3.13.11?

Related Controls

3.13.10|Establish and manage cryptographic keys for cryptography employed in organizational systems

System and Communications Protection

3.13.12|Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device

System and Communications Protection

3.14.1|Identify, report, and correct system flaws in a timely manner

System and Information Integrity

Check your compliance for NIST 800-171 3.13.11

Cabrillo Club automates evidence collection and audit readiness across all 110 NIST 800-171 controls.

Join Free

← All NIST 800-171 Controls

NIST 800-171 3.13.11Employ FIPS-validated cryptography when used to protect the confidentiality of CUI

Overview

Assessment Objectives

Implementation Guidance

Common Audit Gaps

Related DFARS Clauses

Frequently Asked Questions

What is NIST 800-171 control 3.13.11?

How do you implement NIST 800-171 3.13.11?

What evidence is needed for NIST 800-171 3.13.11?

Related Controls

More in System and Communications Protection

Related Guides

NIST 800-171 3.13.11Employ FIPS-validated cryptography when used to protect the confidentiality of CUI

Overview

Assessment Objectives

Implementation Guidance

Common Audit Gaps

Related DFARS Clauses

Frequently Asked Questions

What is NIST 800-171 control 3.13.11?

How do you implement NIST 800-171 3.13.11?

What evidence is needed for NIST 800-171 3.13.11?

Related Controls

More in System and Communications Protection

Related Guides