03.13.11 —
What this control requires
Source: NIST SP 800-171 R3 §03.13.11 (official control text).
Why this matters
Cryptographic protection ensures that Controlled Unclassified Information remains unreadable to unauthorized parties during storage and transmission. Weak or improperly implemented encryption can be broken by adversaries, exposing sensitive data even when access controls fail. This control mandates the use of FIPS 140-validated cryptographic modules—encryption algorithms and implementations that have been independently tested and certified by NIST. Using non-validated or deprecated cryptography (like MD5, SHA-1, or homegrown algorithms) creates vulnerabilities that sophisticated attackers routinely exploit. Proper cryptographic implementation protects against data breaches, espionage, and regulatory penalties.
What evidence assessors expect
Assessors typically look for: PDF, screenshot, configuration export. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.