SC.L2-3.13.11

Also known as: FIPS-validated cryptography · FIPS crypto requirement

The NIST SP 800-171 requirement that mandates the contractor employ FIPS-validated cryptography to protect the confidentiality of CUI.

SC.L2-3.13.11 requires the contractor to 'employ FIPS-validated cryptography when used to protect the confidentiality of CUI.' This means cryptographic modules used to protect CUI in transit (TLS, IPsec, S/MIME) and at rest (BitLocker, FileVault, database encryption, backup encryption) must be validated under the NIST Cryptographic Module Validation Program (CMVP).

A C3PAO will ask for the CMVP certificate numbers for every cryptographic module protecting CUI. Vendor marketing claims like 'AES-256 encryption' are not sufficient — what matters is whether the specific module implementing that algorithm has a current FIPS 140-2 or FIPS 140-3 validation listed in the CMVP database.

This is one of the most common areas where contractors fail their assessments: they assume their commercial cloud or commercial endpoint encryption is FIPS-validated and discover at assessment time that the specific configuration they are running is not.
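The check described above can be run against your own evidence inventory before an assessor does. The following is an added example, not code from CMMCDocs or NIST: the snapshot format, certificate ids, module names and versions are constructed placeholders, and treating only `Active` listings as current and requiring approved mode are assumptions about how "current" and "specific configuration" are judged.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for an export of CMVP listings. Certificate ids and
# versions are placeholders, not real CMVP entries.
CMVP_SNAPSHOT = {
    "PLACEHOLDER-0001": {"versions": {"3.0.1"}, "status": "Active"},
    "PLACEHOLDER-0002": {"versions": {"10.2"}, "status": "Historical"},
}

@dataclass
class ModuleEvidence:
    system: str                # asset that stores or transmits CUI
    module: str                # cryptographic module named in the evidence
    running_version: str       # version actually deployed
    cert_id: Optional[str]     # CMVP certificate number recorded as evidence
    approved_mode: bool        # assumption: module runs in its FIPS approved mode

def assess(item, snapshot):
    """Return the list of gaps for one inventory entry (empty list = no gap found)."""
    if not item.cert_id:
        return ["no CMVP certificate number recorded; an algorithm claim is not evidence"]
    listing = snapshot.get(item.cert_id)
    if listing is None:
        return [f"certificate {item.cert_id} not found in CMVP snapshot"]
    gaps = []
    if listing["status"] != "Active":  # assumption: only Active counts as current
        gaps.append(f"validation status is {listing['status']}, not Active")
    if item.running_version not in listing["versions"]:
        gaps.append(f"running version {item.running_version} is not a validated version")
    if not item.approved_mode:
        gaps.append("module is not configured in approved mode")
    return gaps

def audit(inventory, snapshot=CMVP_SNAPSHOT):
    """Map each system name to its gaps."""
    return {item.system: assess(item, snapshot) for item in inventory}

# Constructed inventory of modules protecting CUI.
INVENTORY = [
    ModuleEvidence("file-server-01", "Example OS Crypto Library", "3.0.1", "PLACEHOLDER-0001", True),
    ModuleEvidence("laptop-fleet", "Example Disk Encryption Driver", "10.2", "PLACEHOLDER-0002", True),
    ModuleEvidence("backup-appliance", "Vendor 'AES-256' feature", "5.4", None, False),
    ModuleEvidence("vpn-gateway", "Example OS Crypto Library", "3.1.0", "PLACEHOLDER-0001", False),
]

if __name__ == "__main__":
    for system, gaps in audit(INVENTORY).items():
        print(system, "OK" if not gaps else "; ".join(gaps))
```

The `vpn-gateway` entry shows the failure mode from the paragraph above: a real certificate number is on file, but the deployed version and configuration are not the ones that were validated.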
