CMMC Practice Requirement:

Employ FIPS-validated cryptography when used to protect the confidentiality of “Controlled Unclassified Information” (CUI).

CMMC Requirement Explanation:

FIPS-validated cryptography is required to protect “Federal Contract Information” (FCI) typically when transmitted or stored outside the protected environment of the covered contractor information system (including wireless/remote access) if not separately protected (e.g., by a protected distribution system). FIPS validated cryptography is required whenever the encryption is required to protect federal contract information. Encryption used for other purposes, such as within applications or devices within the protected environment of the covered contractor information system, would not need to be FIPS-validated. Note that any separate contract requirement to encrypt data at rest (e.g., PII) within the information system would require use of FIPS-validated cryptography


- Scenario 1:

The employees in your company all handle “Controlled Unclassified Information” (CUI) on their laptops. To protect the confidentiality of the “Controlled Unclassified Information” (CUI) on the laptops you use bit locker disk encryption software to encrypt their hard drives. Bit locker uses FIPs validated encryption.

Discover Our NIST SP 800-171 Solutions:


Compliance Accelerator

For contractors seeking compliance

Quantum Assessor

For IT service providers

Supply Chain Verifier

For contractors seeking to verify partner compliance