Reference: CMMC 2.0
Level Introduced: 2
Title: CUI Encryption
Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
Only use cryptography validated through the NIST Cryptographic Module Validation Program (CMVP) to protect the confidentiality of CUI. Any other cryptography cannot be used since it has not been tested and validated to protect CUI. FIPS validated cryptography is not a requirement for all information, FIPS-validation is only used for the protection of CUI.
You are an IT administrator responsible for deploying encryption on all devices that contain CUI for your organization. You must ensure that the encryption you use on the devices is FIPS validated cryptography. An employee informs you that they must carry a large volume
of CUI offsite and asks for guidance on how to do so.
You provide the user with Whole Disk Encryption software that you have verified via the NIST website uses a CMVP-validated encryption module. You instruct the user on the use of the software. Once the encryption software is active, the user copies their CUI data onto the drive to transport the data.