Reference: CMMC 2.0
Family: SC
Level Introduced: 2
Title: CUI Encryption
Practice:
Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
CMMC Clarification:
Only use cryptography validated through the NIST Cryptographic Module Validation Program (CMVP) to protect the confidentiality of CUI. Any other cryptography cannot be used since it has not been tested and validated to protect CUI. FIPS validated cryptography is not a requirement for all information, FIPS-validation is only used for the protection of CUI.
Example
You are an IT administrator responsible for deploying encryption on all devices that contain CUI for your organization. You must ensure that the encryption you use on the devices is FIPS validated cryptography. An employee informs you that they must carry a large volume
of CUI offsite and asks for guidance on how to do so.
You provide the user with Whole Disk Encryption software that you have verified via the NIST website uses a CMVP-validated encryption module. You instruct the user on the use of the software. Once the encryption software is active, the user copies their CUI data onto the drive to transport the data.
Implementation Strategies
This is for registered users only. Please sign up for a free account, or Login, to see complete cross references to other standards and frameworks.
NIST 800-171 Requirements (1)
This is for registered users only. Please sign up for a free account, or Login, to see complete cross references to other standards and frameworks.
NIST 800-53 Controls (1)
This is for registered users only. Please sign up for a free account, or Login, to see complete cross references to other standards and frameworks.