SC.L2-3.13.11 — Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
What this control requires
Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
Source: CMMC L2 v2.13 SC.L2-3.13.11 / NIST SP 800-171 R2 3.13.11 (official control text).
Why this matters
Federal Information Processing Standards (FIPS) 140-2 and 140-3 define the security requirements for cryptographic modules, and validated modules have been rigorously tested against them by NIST-accredited labs. When organizations handle Controlled Unclassified Information (CUI), using unvalidated or weak cryptography exposes that data to potential decryption by adversaries. This control mandates that wherever encryption protects CUI (at rest on drives, in transit over networks, or in application layers), the cryptographic algorithms and their implementations must carry FIPS validation. This ensures a baseline security posture that DoD and federal agencies can trust, and it prevents the use of homegrown or deprecated ciphers that sophisticated attackers can break.
What evidence assessors expect
Assessors typically look for: PDF, screenshot, CSV export, signed letter.