Employ FIPS-validated cryptography when used to protect the confidentiality of “Controlled Unclassified Information” (CUI).

FIPS-validated cryptography is required to protect “Federal Contract Information” (FCI) typically when transmitted or stored outside the protected environment of the covered contractor information system (including wireless/remote access) if not separately protected (e.g., by a protected distribution system). FIPS validated cryptography is required whenever the encryption is required to protect federal contract information. Encryption used for other purposes, such as within applications or devices within the protected environment of the covered contractor information system, would not need to be FIPS-validated. Note that any separate contract requirement to encrypt data at rest (e.g., PII) within the information system would require use of FIPS-validated cryptography