Requirement
NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - SC.L2-3.13.11 - Employ FIPS-validated cryptography when used to protect the confidentiality of "Controlled Unclassified Information" (CUI).
Understanding the Requirement
This control requires that when your organization encrypts CUI, the cryptographic implementations you rely on must be FIPS-validated rather than merely using a NIST-recommended algorithm. In practice that means selecting encryption products (disk encryption, VPNs, Wi-Fi, backup solutions) whose crypto modules have passed FIPS validation so you have assurance the implementation was tested. The objective is straightforward: FIPS-validated cryptography is employed to protect the confidentiality of CUI under NIST SP 800-171 REV.2 / CMMC 2.0 Level 2.
Technical Implementation
- Inventory CUI locations and flows. Start by identifying where CUI is created, stored, transmitted, and backed up (workstations, servers, removable drives, cloud storage, email, VPN). This inventory determines which systems must use FIPS-validated cryptography and drives scope for configuration and procurement.
- Adopt FIPS-validated endpoint and disk encryption. Deploy solutions with documented FIPS validation such as Microsoft BitLocker (in FIPS mode) or Apple FileVault and ensure configuration uses the validated mode (e.g., AES with FIPS-approved modules, TPM + PIN). Enforce encryption by policy using Group Policy, Intune, or your MDM/endpoint management tool.
- Verify FIPS status for network protection. Ensure VPN appliances, TLS libraries used by web services, and enterprise Wi-Fi access points use FIPS-validated crypto modules (check vendor FIPS 140-2/140-3 certificates). Configure TLS to use FIPS-approved ciphers and disable non-validated implementations on appliances.
- Encrypt backups and removable media with validated crypto. Require that backup software and external drives use FIPS-validated encryption; for cloud backups, verify the cloud provider's encryption modules and obtain proof of FIPS validation or a compliance statement.
- Maintain evidence and change control. Keep vendor FIPS certificate numbers, product documentation, and configuration baselines in your compliance folder. Document any exceptions with compensating controls and a risk acceptance approved by leadership.
- Test, audit, and patch cryptographic components. Regularly test that FIPS modes are enforced (e.g., try to enable an unvalidated cipher and verify it's blocked), include crypto validation checks in audits, and apply vendor patches that preserve FIPS validation or re-certify when major changes occur.
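The steps above describe a Windows-centric baseline (BitLocker in FIPS mode with TPM + PIN, FIPS-approved TLS suites, periodic checks that FIPS mode survived patching) but do not show what the recurring check looks like. The following PowerShell audit script is an added example and is not code from the original page or from any vendor; it assumes Windows PowerShell 5.1 run as Administrator on Windows 10/11 or Server 2016+, where the in-box BitLocker and TLS modules and the documented FipsAlgorithmPolicy registry key are available. The evidence folder path is an assumed placeholder. The script is read-only: it records the configuration state rather than changing it.

```powershell
# Added example (not from the page): read-only FIPS posture audit for a Windows endpoint.
# Assumptions: Windows PowerShell 5.1, elevated, on Windows 10/11 or Server 2016+.
# The evidence directory below is a placeholder; point it at your compliance folder.

function Test-FipsPolicy {
    # The GPO "System cryptography: Use FIPS compliant algorithms for encryption,
    # hashing, and signing" writes Enabled=1 under this key.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $item = Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue
    return [bool]($item -and $item.Enabled -eq 1)
}

function Test-FipsGate {
    # Enforcement probe: on .NET Framework hosts the managed (non-validated) SHA-256
    # class refuses to instantiate while FIPS policy is on, so a thrown
    # InvalidOperationException is the *passing* result. Newer runtimes may
    # redirect instead of throwing, and PowerShell 7 does not apply the gate at all,
    # so this is recorded as supporting evidence, not as the sole pass/fail signal.
    if ($PSVersionTable.PSEdition -ne 'Desktop') { return $null }
    try {
        [void][System.Security.Cryptography.SHA256Managed]::new()
        return $false   # constructed fine: the non-validated implementation was not blocked
    } catch {
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }   # unwrap MethodInvocationException
        return ($ex -is [System.InvalidOperationException])
    }
}

function Get-BitLockerPosture {
    # One row per volume: protection on, which AES method, and whether a TPM+PIN
    # protector is present (the baseline the page sets for laptops).
    Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            Volume    = $_.MountPoint
            Type      = [string]$_.VolumeType
            Protected = ($_.ProtectionStatus -eq 'On')
            Method    = [string]$_.EncryptionMethod
            TpmPin    = [bool]($_.KeyProtector | Where-Object KeyProtectorType -eq 'TpmPin')
        }
    }
}

function Get-NonApprovedTlsCipherSuites {
    # Suites built on RC4, NULL encryption, MD5 or export-grade keys are not
    # FIPS-approved; any name returned here is a finding to disable
    # (Disable-TlsCipherSuite) or to document as an approved exception.
    Get-TlsCipherSuite |
        Where-Object { $_.Name -match 'RC4|NULL|MD5|EXPORT' } |
        Select-Object -ExpandProperty Name
}

function Invoke-FipsAudit {
    # Collect everything into one object so this month's run can be diffed against last month's.
    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        Checked       = (Get-Date).ToString('s')
        FipsPolicyOn  = Test-FipsPolicy
        FipsGateWorks = Test-FipsGate
        BitLocker     = @(Get-BitLockerPosture)
        WeakCiphers   = @(Get-NonApprovedTlsCipherSuites)
    }
}

# Write the evidence record (directory is an assumption; adjust to your layout).
$evidenceDir = Join-Path $env:ProgramData 'CMMC-Evidence'
New-Item -ItemType Directory -Path $evidenceDir -Force | Out-Null
$audit = Invoke-FipsAudit
$audit | ConvertTo-Json -Depth 4 |
    Set-Content -Path (Join-Path $evidenceDir "fips-audit-$(Get-Date -Format yyyyMMdd).json")

# Exit non-zero on drift so a scheduled task or RMM check surfaces it after patching.
$osVolumes = @($audit.BitLocker | Where-Object Type -eq 'OperatingSystem')
$osDrift   = @($osVolumes | Where-Object { -not ($_.Protected -and $_.TpmPin) })
if (-not $audit.FipsPolicyOn -or $audit.WeakCiphers.Count -gt 0 -or $osDrift.Count -gt 0) {
    Write-Warning 'FIPS baseline drift detected; see the JSON report.'
    exit 1
}
```

Run it monthly from Task Scheduler and keep the JSON files with the vendor certificates. Note what it does and does not prove: it confirms the endpoint is configured in the validated mode, which is the part that drifts after updates, but the validation itself is a property of the module and OS build, so the FIPS 140-2/140-3 certificate numbers for the exact Windows version still have to be looked up on the CMVP listing and filed alongside the reports.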
Example in a Small or Medium Business
A 75-person engineering firm handles CUI in project files and client reports on employee laptops and a central file server. IT starts by mapping where CUI resides and identifies that laptops, a Windows file server, an on-site VPN appliance, and nightly backup jobs touch CUI. They standardize on Microsoft BitLocker for Windows endpoints and enable the FIPS-validated crypto mode via Group Policy and Intune, requiring TPM + PIN on all laptops. The Windows file server is configured with BitLocker and access is limited to authorized accounts; backups are encrypted using the backup appliance's FIPS-validated module and stored on encrypted removable media for transport. The firm verifies the VPN appliance's FIPS 140-2 certificate with the vendor and updates the TLS configuration to only allow FIPS-approved cipher suites. IT documents the vendor validation numbers, records the configuration baseline, and adds periodic checks to their monthly IT checklist to ensure FIPS mode remains active after updates. When a contractor needs temporary access, the firm issues an encrypted, FIPS-protected container and logs the transfer to preserve the audit trail.
Summary
Meeting SC.L2-3.13.11 requires a combination of policy (identify CUI, mandate FIPS-validated products, document exceptions) and technical controls (deploy and enforce FIPS-validated disk, network, and backup encryption). For SMBs the practical path is: scope where CUI lives, standardize on known FIPS-validated solutions, enforce configurations with management tools, retain vendor validation evidence, and test routinely. Together these steps provide the assurance that cryptography protecting CUI is not just based on strong algorithms but on validated, tested implementations.