3.13.11—System and Communications Protection - Derived
Derived Requirement
>Control Description
Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
>Discussion
Cryptography can be employed to support many security solutions including the protection of controlled unclassified information, the provision of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances for such information but lack the necessary formal access approvals. Cryptography can also be used to support random number generation and hash generation. Cryptographic standards include FIPS-validated cryptography and/or NSA-approved cryptography.
See [NIST CRYPTO]; [NIST CAVP]; and [NIST CMVP].
>Cross-Framework Mappings
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- •What policies govern cryptographic protection of CUI in transit?
- •What procedures ensure data in transit is encrypted?
- •Who is responsible for implementing data-in-transit encryption?
- •What governance ensures CUI is never transmitted unencrypted?
- •What exceptions exist for CUI data in transit encryption?
Technical Implementation:
- •What encryption protects CUI during transmission?
- •How do you enforce encryption for email, file transfers, APIs?
- •What FIPS 140-2 validated cryptography secures data in transit?
- •How do you prevent unencrypted CUI transmission?
- •What DLP tools enforce encryption for sensitive data in transit?
Evidence & Documentation:
- •Can you demonstrate CUI data in transit encryption?
- •What configurations show mandatory encryption for CUI transmission?
- •Can you provide evidence of FIPS-validated encryption in use?
- •What monitoring verifies CUI is encrypted during transit?
- •What audit findings confirm data in transit encryption compliance?
Ask AI
Configure your API key to use AI features.