Level 5 CMMC - CMMC Practices

SC.3.177  

Reference: CMMC 1.02

Family: SC

Level Introduced: 3

Practice:
Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.

CMMC Clarification:
Only use cryptography validated through the NIST Cryptographic Module Validation Program (CMVP) to protect the confidentiality of CUI. Any other cryptography, however strong it may be, has not been tested and validated for this purpose and must not be used for it. FIPS-validated cryptography is not a requirement for all information; the validation requirement applies only to the protection of CUI. Note that a CMVP certificate covers a specific module version operating in the configuration described in its Security Policy, so confirm that the installed module and version match the certificate (searchable on the CMVP validated modules list at https://csrc.nist.gov/projects/cryptographic-module-validation-program) and that the module is actually running in its approved mode; a vendor statement that a product is "FIPS compliant" or "uses FIPS algorithms" is not the same as validation.

Example
You are an IT administrator responsible for deploying encryption on all devices that contain CUI for your organization. You must ensure that the encryption you use on the devices is FIPS-validated cryptography. An employee informs you that they must carry a large volume of CUI offsite and asks for guidance on how to do so.

You provide the user with Whole Disk Encryption software that you have verified via the NIST CMVP website uses a CMVP-validated encryption module: the certificate's module name, version and operating environment match what you are deploying, and the software is configured to run in its FIPS-approved mode. You instruct the user on the use of the software. Once the encryption software is active, the user copies their CUI data onto the drive to transport the data.
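The scenario above leaves the technical check implicit: having a validated module installed is not the same as the host using it. The script below is an added example, not part of the CMMC or NIST text, showing the pre-flight checks an administrator could run on a Linux host before trusting it to encrypt CUI. It assumes OpenSSL 3.x with the FIPS provider installed and LUKS (cryptsetup) as the disk encryption; the mapping name `cui`, the function names and the AES-XTS allow-list are this example's own choices, and the sample command outputs embedded in it are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not part of the CMMC or NIST text. Pre-flight checks an
# administrator can run on a Linux host before trusting it to encrypt CUI.
# Assumptions: OpenSSL 3.x with the FIPS provider installed, and LUKS via
# cryptsetup for the disk encryption. Each check targets a distinct way a
# host can have "FIPS crypto installed" yet not be using it:
#   1. kernel FIPS mode flag                    (/proc/sys/crypto/fips_enabled)
#   2. OpenSSL FIPS provider is active          (openssl list -providers)
#   3. LUKS volume cipher is on the allow-list  (cryptsetup status <mapping>)

# Returns 0 when the given fips_enabled file contains exactly "1".
#   live use: fips_kernel_enabled /proc/sys/crypto/fips_enabled
fips_kernel_enabled() {
    [ -r "$1" ] || return 1
    [ "$(tr -d '[:space:]' < "$1")" = "1" ]
}

# Reads `openssl list -providers` output on stdin; returns 0 when a provider
# named "fips" reports "status: active". Provider names are indented by two
# spaces, their attributes by four, so a header line sets the current name.
#   live use: openssl list -providers | openssl_fips_provider_active
openssl_fips_provider_active() {
    awk '
        /^  [^ ]/                           { name = $1 }
        /status: active/ && name == "fips"  { found = 1 }
        END { exit(found ? 0 : 1) }
    '
}

# Reads `cryptsetup status <mapping>` output on stdin; returns 0 when the
# cipher is AES-XTS with a key of at least 256 bits. The allow-list is this
# example's own policy choice: a 256-bit XTS key is AES-128, 512-bit is AES-256.
#   live use: cryptsetup status cui | luks_cipher_approved
luks_cipher_approved() {
    awk '
        $1 == "cipher:"  { cipher = $2 }
        $1 == "keysize:" { bits = $2 }
        END { exit((cipher ~ /^aes-xts-/ && bits + 0 >= 256) ? 0 : 1) }
    '
}

# Constructed sample outputs (not captured from a real host) so the checks
# can be exercised offline.
SAMPLE_OPENSSL_FIPS='Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.8
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.0.8
    status: active'

SAMPLE_OPENSSL_NOFIPS='Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.8
    status: active'

SAMPLE_LUKS_OK='/dev/mapper/cui is active and is in use.
  type:    LUKS2
  cipher:  aes-xts-plain64
  keysize: 512 bits
  key location: keyring
  device:  /dev/sdb1'

SAMPLE_LUKS_WEAK='/dev/mapper/old is active.
  type:    LUKS1
  cipher:  serpent-cbc-essiv:sha256
  keysize: 256 bits
  device:  /dev/sdc1'

# Runs all three checks against the live host, prints one verdict per check,
# and returns 0 only if every check passes. Only invoked with --live so the
# functions above can be sourced on hosts that lack these tools.
live_report() {
    mapping="${1:-cui}"
    rc=0
    if fips_kernel_enabled /proc/sys/crypto/fips_enabled; then
        echo "PASS kernel fips_enabled=1"
    else
        echo "FAIL kernel not in FIPS mode"; rc=1
    fi
    if openssl list -providers 2>/dev/null | openssl_fips_provider_active; then
        echo "PASS OpenSSL fips provider active"
    else
        echo "FAIL OpenSSL fips provider not active"; rc=1
    fi
    if cryptsetup status "$mapping" 2>/dev/null | luks_cipher_approved; then
        echo "PASS LUKS mapping $mapping uses AES-XTS"
    else
        echo "FAIL LUKS mapping $mapping cipher not on allow-list"; rc=1
    fi
    return $rc
}

if [ "${1:-}" = "--live" ]; then
    live_report "${2:-cui}"
fi
```

Run it as `sh fips-preflight.sh --live cui` on the target host; a single FAIL line means the drive should not receive CUI yet, regardless of what the vendor's certificate says, because the validated module is not the one in use or is not in its approved mode.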

3.13.11

Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.

Discussion:
Cryptography can be employed to support many security solutions including the protection of controlled unclassified information, the provision of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances for such information but lack the necessary formal access approvals. Cryptography can also be used to support random number generation and hash generation. Cryptographic standards include FIPS-validated cryptography and/or NSA-approved cryptography. See [NIST CRYPTO]; [NIST CAVP]; and [NIST CMVP].

Source: NIST Special Publication 800-171 Rev. 2

SC-13

CRYPTOGRAPHIC PROTECTION

Description:
The information system implements [Assignment: organization-defined cryptographic uses and type of cryptography required for each use] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.

Supplemental Guidance:
Cryptography can be employed to support a variety of security solutions including, for example, the protection of classified and Controlled Unclassified Information, the provision of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances for such information but lack the necessary formal access approvals. Cryptography can also be used to support random number generation and hash generation. Generally applicable cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. This control does not impose any requirements on organizations to use cryptography. However, if cryptography is required based on the selection of other security controls, organizations define each type of cryptographic use and the type of cryptography required (e.g., protection of classified information: NSA-approved cryptography; provision of digital signatures: FIPS-validated cryptography). Related controls: AC-2, AC-3, AC-7, AC-17, AC-18, AU-9, AU-10, CM-11, CP-9, IA-3, IA-7, MA-4, MP-2, MP-4, MP-5, SA-4, SC-8, SC-12, SC-28, SI-7.

Source: NIST Special Publication 800-53 Rev. 4

Source: CMMC v1.02