Control 3.13.11
Employ FIPS-Validated Cryptography
Official Requirement
Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
What This Means in Plain English
When encrypting CUI, you must use encryption algorithms and modules that have been validated under FIPS 140-2 (or later). This ensures the encryption meets federal security standards and has been independently tested.
How Petronella Implements This Control
Petronella Technology Group implements this control through:
- Windows FIPS mode enabled via Group Policy, so that Windows uses only its FIPS-validated cryptographic modules
- FortiGate VPN using FIPS 140-2 validated encryption modules for all VPN tunnels
- BitLocker configured with AES-256 using FIPS-validated modules
- TLS configurations restricted to FIPS-approved cipher suites
- ComplianceArmor documenting FIPS validation status for all cryptographic implementations
Assessment Guidance
Assessors will verify that FIPS mode is enabled on systems processing CUI, check that encryption modules are FIPS 140-2 validated, review VPN and TLS cipher suite configurations, and confirm that non-FIPS encryption is not used for CUI.
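The Windows-side items in the implementation list above (FIPS policy, BitLocker encryption method, TLS cipher suites) are the same things the assessment guidance says an assessor will look at. The script below is an added example, not part of the original page and not Petronella's or ComplianceArmor's own tooling; it reports those three settings on a single host so the results can be compared against what is documented. It assumes an elevated PowerShell session on Windows 10 / Server 2016 or later, and that the BitLocker module is present where BitLocker is expected. The cipher-suite deny-list is a conservative assumption (primitives that are not FIPS-approved); the authoritative list for a given module is its FIPS security policy. The FortiGate VPN configuration is not visible from a Windows host and is not covered here.

```powershell
# Added example: assessor-style spot check of FIPS-related Windows settings.
# Not the page's or the vendor's code; assumptions are noted in the comments.

function Test-FipsPosture {
    [CmdletBinding()]
    param()

    $results = New-Object System.Collections.Generic.List[object]

    # 1. Windows FIPS policy. The Group Policy setting "System cryptography: Use
    #    FIPS compliant algorithms for encryption, hashing, and signing" writes
    #    this registry value; a value of 1 means the policy is in effect.
    $fipsKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $fipsValue = (Get-ItemProperty -Path $fipsKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
    $results.Add([pscustomobject]@{
        Check  = 'Windows FIPS policy enabled'
        Pass   = ($fipsValue -eq 1)
        Detail = "FipsAlgorithmPolicy\Enabled = $fipsValue"
    })

    # 2. BitLocker. The control page specifies AES-256: XtsAes256 is the current
    #    default and Aes256 (CBC) the older form. Anything else, or a volume whose
    #    protection is not on, is reported as a finding.
    $approvedBitLocker = @('XtsAes256', 'Aes256')
    $volumes = @()
    if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        $volumes = @(Get-BitLockerVolume -ErrorAction SilentlyContinue)
    }
    if ($volumes.Count -eq 0) {
        $results.Add([pscustomobject]@{
            Check  = 'BitLocker AES-256'
            Pass   = $false
            Detail = 'BitLocker module or volumes not found on this host'
        })
    }
    foreach ($v in $volumes) {
        $method = "$($v.EncryptionMethod)"
        $ok = ("$($v.ProtectionStatus)" -eq 'On') -and ($approvedBitLocker -contains $method)
        $results.Add([pscustomobject]@{
            Check  = "BitLocker AES-256 on $($v.MountPoint)"
            Pass   = $ok
            Detail = "Protection=$($v.ProtectionStatus) Method=$method"
        })
    }

    # 3. TLS cipher suites enabled on the host. Assumption: a conservative
    #    deny-list of primitives that are not FIPS-approved (NULL, RC4, DES/3DES,
    #    MD5, ChaCha20, export grades). The module's FIPS security policy and
    #    NIST SP 800-52 Rev. 2 are the authoritative references.
    $nonApprovedPattern = '(NULL|RC4|3DES|_DES_|MD5|CHACHA20|EXPORT)'
    if (Get-Command Get-TlsCipherSuite -ErrorAction SilentlyContinue) {
        $suites = @(Get-TlsCipherSuite)
        $bad = @($suites | Where-Object { $_.Name -match $nonApprovedPattern })
        $results.Add([pscustomobject]@{
            Check  = 'TLS cipher suites FIPS-approved only'
            Pass   = ($bad.Count -eq 0)
            Detail = if ($bad.Count -eq 0) { "$($suites.Count) suites, none on deny-list" }
                     else { 'Non-approved: ' + (($bad | ForEach-Object Name) -join ', ') }
        })
    } else {
        $results.Add([pscustomobject]@{
            Check  = 'TLS cipher suites FIPS-approved only'
            Pass   = $false
            Detail = 'Get-TlsCipherSuite not available; review the SCHANNEL policy manually'
        })
    }

    return $results
}

# Usage: print one row per check; any Pass=False row is an implementation gap.
Test-FipsPosture | Format-Table -AutoSize
```

A Pass=False on the FIPS policy row corresponds directly to the "FIPS mode not enabled on Windows systems" gap listed below; a non-empty cipher-suite deny-list hit is the kind of evidence an assessor would expect to see resolved or justified in the documented FIPS validation status.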
Common Implementation Gaps
- Non-FIPS validated encryption used for CUI
- FIPS mode not enabled on Windows systems
- VPN using non-FIPS cipher suites
- Third-party applications using their own non-validated encryption
- No documentation of FIPS validation status for encryption implementations
Cross-Framework Mapping
| Framework | Mapped Controls |
|---|---|
| NIST SP 800-53 | SC-13 |
| PCI DSS | Req 3.4 - Render PAN unreadable |
Need Help Implementing 3.13.11?
Our CMMC-RP certified team can assess your current compliance posture and build a remediation plan.
Schedule a Compliance Assessment