SC.L2-3.13.11 · NIST SP 800-171 3.13.11

CUI Encryption

Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.

5 points if not met
Must be fully met, cannot POA&M
1 assessment objective

What an assessor scores, the objectives

SC.L2-3.13.11 is met only when its single assessment objective, from NIST SP 800-171A, is satisfied. A missed objective makes the whole requirement not met.

  • a. FIPS-validated cryptography is employed to protect the confidentiality of CUI

How a C3PAO checks it

NIST SP 800-171A defines three assessment methods. For SC.L2-3.13.11, an assessor uses these:

Examine

System and communications protection policy; procedures addressing cryptographic protection; system security plan; system design documentation; system configuration settings and associated documentation; cryptographic module validation certificates; list of FIPS-validated cryptographic modules; system audit logs and records; any other relevant documents or records

Interview

System or network administrators; personnel with information security responsibilities; system developers; personnel with responsibilities for cryptographic protection

Test

Mechanisms supporting or implementing cryptographic protection

What it means, in context

Cryptography can be employed to support many security solutions including the protection of controlled unclassified information, the provision of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances for such information but lack the necessary formal access approvals. Cryptography can also be used to support random number generation and hash generation. Cryptographic standards include FIPS-validated cryptography and/or NSA-approved cryptography.

FIPS-validated cryptography means the cryptographic module has to have been tested and validated to meet FIPS 140-2 requirements. Simply using an approved algorithm is not sufficient – the module (software and/or hardware) used to implement the algorithm must be separately validated under FIPS 140. Accordingly, FIPS-validated cryptography is required to protect CUI when transmitted or stored outside the protected environment of the covered OSA information system (including wireless/remote access). Encryption used for other purposes, such as within applications or devices within the protected environment of the covered OSA information system, would not need to use FIPS-validated cryptography.

This requirement, SC.L2-3.13.11, complements AC.L2-3.1.19, MP.L2-3.8.6, SC.L2-3.13.8, and SC.L2-3.13.16 by specifying that FIPS-validated cryptography must be used. While FIPS-validated modules and algorithms are critical for protecting CUI, in limited cases Enduring Exceptions and temporary deficiencies may apply when implementing such cryptographic mechanisms.

Example

You are a system administrator responsible for deploying encryption on all devices that contain CUI. You must ensure that the encryption you use on the devices is FIPS-validated cryptography [a]. An employee informs you of a need to carry a large volume of CUI offsite and asks for guidance on how to do so. You provide the user with disk encryption software that you have verified via the NIST website uses a CMVP-validated encryption module [a]. Once the encryption software is active, the user copies the CUI data onto the drive for transport.

Potential Assessment Considerations

  • Is cryptography implemented to protect the confidentiality of CUI at rest and in transit, through the configuration of systems and applications or through the use of encryption tools [a]?

What passing evidence looks like

FIPS validated cryptography protecting CUI confidentiality: the FIPS mode setting or the module's CMVP certificate number for each mechanism you rely on.

Common ways contractors fail SC.L2-3.13.11

  • The special case: encryption present but not FIPS-validated scores minus 3 instead of minus 5, and only that gap may ride a POA&M. Windows FIPS mode plus BitLocker, and platform crypto in GCC High, are your validated path; name certificate numbers where you can.
  • Answer the step 5 scoring question honestly: it changes your deduction and POA&M eligibility.
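As an added example (not part of this page or the Level 2 Accelerator), the PowerShell script below captures the two pieces of evidence named under "What passing evidence looks like" for the Windows FIPS mode plus BitLocker path: the FIPS mode policy setting and the BitLocker state of each volume, written to a timestamped JSON record. The evidence folder path and the CMVP certificate placeholder are assumptions; the certificate number for your exact Windows build has to come from the NIST CMVP listing, because the operating system does not report it.

```powershell
# Added example, not the page's or the Accelerator's own script.
# Captures SC.L2-3.13.11 objective [a] evidence on a Windows endpoint.
# Run in an elevated PowerShell session; Get-BitLockerVolume needs the
# BitLocker module (Windows 10/11 Pro/Enterprise, or Server with the feature).

$evidence = [ordered]@{
    Host         = $env:COMPUTERNAME
    CollectedUtc = (Get-Date).ToUniversalTime().ToString('o')
}

# 1. Windows FIPS mode. The "Use FIPS compliant algorithms" policy is stored as
#    a DWORD under Lsa\FipsAlgorithmPolicy: 1 = enabled, 0 or absent = disabled.
$fipsKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$fipsValue = (Get-ItemProperty -Path $fipsKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
$evidence.FipsModeEnabled = ($fipsValue -eq 1)

# 2. BitLocker. Record protection state, encryption method and key protector
#    types for every volume the cmdlet reports; CUI volumes should show 'On'.
$volumes = Get-BitLockerVolume -ErrorAction SilentlyContinue | ForEach-Object {
    [ordered]@{
        MountPoint       = $_.MountPoint
        VolumeStatus     = [string]$_.VolumeStatus
        ProtectionStatus = [string]$_.ProtectionStatus
        EncryptionMethod = [string]$_.EncryptionMethod
        KeyProtectors    = @($_.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
    }
}
$evidence.BitLockerVolumes = @($volumes)

# 3. The CMVP certificate number for the validated module is not reported by
#    the OS; look it up for your exact build and record it. Placeholder value.
$evidence.CmvpCertificate = 'CMVP-CERT-NUMBER-PLACEHOLDER'

# 4. Objective [a] is supported only when FIPS mode is on AND every reported
#    volume is protected. Anything else is listed as a finding for the POA&M.
$unprotected = @($evidence.BitLockerVolumes | Where-Object { $_.ProtectionStatus -ne 'On' })
$evidence.ObjectiveA_Supported = ($evidence.FipsModeEnabled -and $unprotected.Count -eq 0)
$evidence.Findings = @(
    if (-not $evidence.FipsModeEnabled) { 'FIPS mode policy is not enabled' }
    foreach ($v in $unprotected) { "Volume $($v.MountPoint) protection status is $($v.ProtectionStatus)" }
)

# 5. Write the record into an evidence folder (assumed path) for the SSP.
$outDir = 'C:\Evidence\SC.L2-3.13.11'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null
$outFile = Join-Path $outDir ("$($env:COMPUTERNAME)-$(Get-Date -Format 'yyyyMMdd-HHmmss').json")
$evidence | ConvertTo-Json -Depth 5 | Set-Content -Path $outFile -Encoding UTF8
Write-Output "Evidence written to $outFile"
$evidence
```

Run it on each device that holds CUI and keep the JSON files with the screenshot of the FIPS policy setting; an assessor testing "mechanisms supporting or implementing cryptographic protection" can then match each volume's encryption method and the recorded certificate number against the CMVP listing rather than taking the algorithm name alone as proof.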

The step by step walkthrough for Microsoft 365 GCC High, Google Workspace, and on premises setups, plus the exact evidence to capture, lives inside the Level 2 Accelerator.

Prove SC.L2-3.13.11, and the other 109

The Level 2 Accelerator walks all 110 requirements with you, generates your SSP, POA&M, and Audit Room from real evidence, includes the full Level 1 platform, and puts a credentialed officer alongside you for 180 days. Filed in 180 days, or we work free until you are.

No credit card. Phase 2 begins Nov 10, 2026, when applicable DoD solicitations start requiring a current Level 2 status to win the award.

SC.L2-3.13.11 questions, answered

How many points is CMMC requirement SC.L2-3.13.11 worth?

SC.L2-3.13.11 is worth 5 points in the CMMC Level 2 score under 32 CFR 170.24. If it is not met, you lose 5 from your total of 110.

Can SC.L2-3.13.11 be placed on a POA&M?

No. SC.L2-3.13.11 must be fully met before you can file. It cannot be deferred to a POA&M, so it is a gate on your assessment.

What family does SC.L2-3.13.11 belong to?

SC.L2-3.13.11 is in the System & Communications Protection (SC) family, one of the 14 families of NIST SP 800-171 that make up CMMC Level 2.

Key references
  • NIST SP 800-171 Rev. 2 3.13.11