NetStable
Level 2 SC.L2-3.13.11

Employ FIPS-validated cryptography when used to protect CUI

📖 What This Means

This control requires using FIPS-validated cryptography whenever cryptography is used to protect sensitive defense information (CUI). "Validated" has a precise meaning: the cryptographic module (the OS crypto library, TLS stack, disk encryption driver, HSM, or KMS) holds a FIPS 140-2 or FIPS 140-3 certificate issued by the NIST Cryptographic Module Validation Program (CMVP). Merely using approved algorithms such as AES-256 ("FIPS-compliant") is not enough; the implementation itself must be the validated one, running in its validated mode. Think of it like using certified locks instead of cheap padlocks for important documents. For example: 1) When sending contract details to a DoD partner, the TLS or email encryption must be performed by a validated module. 2) When storing blueprints on a server, the disk encryption must come from a validated module. It does not by itself require that everything be encrypted (other SC controls decide when CUI must be encrypted); it requires that whenever you do encrypt, hash, or sign CUI, a validated module does the work.

🎯 Why It Matters

Weak or misimplemented cryptography can expose defense information to foreign adversaries even when the data is nominally "encrypted". FIPS 140 validation means an accredited laboratory tested the module's algorithms, key management, and self-tests, and NIST issued a certificate, so you rely on a tested implementation rather than a vendor's marketing claim; it does not by itself make a system immune to attack, and a misconfigured validated module protects nothing. Without it: 1) stolen or intercepted CUI may be readable (IBM's 2021 Cost of a Data Breach report put the average breach at $4.24M) 2) contracts may be terminated 3) future bids become ineligible. The DoD mandates this because adversaries specifically target weak crypto in supply chains.

How to Implement

  1. In AWS: send API and service traffic to the FIPS service endpoints (set use_fips_endpoint = true in the CLI/SDK profile, or use the *-fips.* endpoint hostnames) so TLS terminates in a validated module; run CUI workloads on a guest OS with FIPS mode enabled (there is no "FIPS-validated instance type"; the validated module lives in the OS); and keep keys in AWS KMS or CloudHSM, which are backed by FIPS 140-validated HSMs (confirm the current certificate and level on the CMVP list)
  2. For Azure: enable FIPS mode inside the VM guest OS (Windows Group Policy, or fips-mode-setup on RHEL-family systems); there is no FIPS option in the VM creation wizard. Store keys in Azure Key Vault Premium or Azure Managed HSM, which use FIPS 140-validated HSMs
  3. In GCP: use a guest image with FIPS mode enabled (Shielded VM is a boot-integrity feature and does not by itself provide FIPS-validated crypto) and store keys in Cloud KMS; software-protected keys are FIPS 140-2 Level 1 validated, HSM-protected (Cloud HSM) keys are Level 3
  4. Configure storage services (S3, Blob Storage) for server-side AES-256 encryption using keys from the provider's FIPS-validated KMS/HSM, and make clients reach them through the FIPS endpoints
  5. Enable TLS 1.2+ with FIPS-approved cipher suites only (for example TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, or TLS_AES_256_GCM_SHA384 for TLS 1.3); disable RC4, 3DES, CHACHA20-POLY1305, and MD5-based suites
  6. Document every FIPS-enabled service and module, with its CMVP certificate number, in your system security plan

⏱️ Estimated Effort

Initial setup: 16-40 hours (depending on environment complexity). Ongoing: 2-4 hours quarterly for validation. Requires mid-level sysadmin skills.

📋 Evidence Examples

FIPS Validation Certificates

Format: PDF
Frequency: Upon procurement and when modules are updated
Contents: CMVP certificate record (certificate number, module name and version, validation status) for every cryptographic module in the CUI boundary
Collection: Download from the NIST CMVP validated modules search (vendors only link to it; they cannot issue certificates), store in /compliance/crypto_certs

Cryptographic Configuration Screenshots

Format: PNG
Frequency: After each configuration change
Contents: Windows GPO or FipsAlgorithmPolicy registry value showing FIPS enabled; on Linux, /proc/sys/crypto/fips_enabled reading 1 and the OpenSSL FIPS provider loaded
Collection: Use Greenshot or equivalent, store in /evidence/sc/YYYY-MM

Encryption Inventory Spreadsheet

Format: XLSX
Frequency: Quarterly
Contents: List of all systems using crypto with the module name, version, CMVP certificate number, FIPS status, and purpose (at rest, in transit, signing)
Collection: Export from CMDB or manual inventory, store in /inventories

TLS Configuration Test Results

Format: HTML
Frequency: Monthly
Contents: Output from SSL Labs test showing FIPS-compliant cipher suites
Collection: Run test at https://www.ssllabs.com/ssltest/

📝 SSP Guidance

Use this guidance when writing the System Security Plan (SSP) narrative for this control.

How to Write the SSP Narrative

For SC.L2-3.13.11 ("Employ FIPS-validated cryptography when used to protect CUI"), your SSP narrative should specifically describe: (1) the tools and technologies you use to implement this control, (2) the configuration or process that enforces it, (3) who is responsible for maintaining it, and (4) what evidence proves it's working. Describe the cryptographic modules inside the CUI boundary (OS crypto libraries, TLS terminators, VPN, disk and database encryption, KMS/HSM), the CMVP certificate number and validation status of each, where and how FIPS mode is enforced (Group Policy, Linux crypto policy, FIPS endpoints), how keys are managed, and how you verify that FIPS mode stays enabled after patching. Be specific -- name your actual products, settings, and responsible personnel.

Example SSP Narratives

Cloud (Azure/AWS)

"SC.L2-3.13.11 is implemented using cloud-native controls. [Organization] uses [specific cloud service/feature] to employ FIPS-validated cryptography when protecting CUI. The configuration is managed through [Azure Policy/AWS Config/Terraform] and monitored via [SIEM tool]. Responsible party: [IT Security Manager]. Evidence: [specific artifact, e.g., 'CMVP certificate numbers for the KMS/HSM and guest OS modules, exported KMS key policies, AWS Config/Azure Policy compliance report showing FIPS endpoints and FIPS-mode images in use']."

On-Premise

"SC.L2-3.13.11 is implemented through on-premise infrastructure controls. [Organization] uses [Active Directory/Group Policy/specific tool] to employ FIPS-validated cryptography when protecting CUI. Configuration is documented in [location] and audited [frequency]. Responsible party: [System Administrator]. Evidence: [specific artifact, e.g., 'Group Policy export showing the FIPS algorithm policy enabled, configuration-management checks of the registry value or Linux crypto policy, CMVP certificate numbers for each module']."

Hybrid

"SC.L2-3.13.11 is implemented across both cloud and on-premise environments. [Organization] uses [configuration management/hybrid management tool] to ensure the same FIPS policy is enforced in both. Cloud resources are managed via [cloud tool] and on-premise systems via [on-prem tool]. Both environments report to [centralized SIEM]. Responsible party: [IT Director]. Evidence: [artifacts from both environments]."

System Boundary Considerations

  • Document network architecture with CUI boundary clearly marked
  • Identify all encryption mechanisms (at rest and in transit)
  • Specify network monitoring and IDS/IPS deployment
  • Ensure this control covers every system within your defined CUI boundary that uses cryptography to protect CUI
  • Document any systems where this control is not applicable and explain why

Key Documentation to Reference in SSP

  • 📄 System and Communications Protection Policy
  • 📄 Network architecture diagram
  • 📄 Firewall rule documentation
  • 📄 Encryption configuration documentation
  • 📄 Evidence artifacts specific to SC.L2-3.13.11
  • 📄 POA&M entry if control is not fully implemented

What the Assessor Looks For

The assessor will review the cryptographic module inventory, check each module against the NIST CMVP list for a FIPS 140-2 or 140-3 certificate that is active and matches the deployed module version, test that FIPS mode is actually enabled (Windows FipsAlgorithmPolicy registry value or GPO, /proc/sys/crypto/fips_enabled on Linux), and inspect TLS, VPN, and at-rest encryption settings for approved algorithms and cipher suites.

💬 Self-Assessment Questions

Use these questions to assess your compliance. Each "NO" answer provides specific remediation guidance.

Question 1: Do we maintain an inventory of all cryptographic modules used for CUI?

✅ YES → Proceed to Q2
❌ NO → GAP: Create spreadsheet listing all crypto modules (OS, apps, network devices) with version numbers. Remediation: 1 week.
Remediation:
Template available at /compliance/templates/crypto_inventory.xlsx

Question 2: Are all identified modules FIPS 140-2 or 140-3 validated, with an active certificate whose module version matches what is deployed (check the NIST CMVP list)?

✅ YES → Proceed to Q3
❌ NO → GAP: Replace non-compliant modules (common offenders: old OpenSSL, Java JCE). Remediation: 2-4 weeks.
Remediation:
NIST list: https://csrc.nist.gov/projects/cryptographic-module-validation-program

Question 3: Are FIPS modes actively enabled in OS/application configurations?

✅ YES → Proceed to Q4
❌ NO → GAP: Enable FIPS mode (Windows GPO or registry; on RHEL-family Linux, fips-mode-setup --enable, which sets the fips=1 kernel parameter and switches the system crypto policy). Remediation: 3 days.
Remediation:
Windows (elevated PowerShell; equivalent to the GPO setting "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing"; requires a reboot): Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' -Name Enabled -Value 1 -Type DWord
Linux (RHEL family): fips-mode-setup --enable, reboot, then confirm that cat /proc/sys/crypto/fips_enabled prints 1

Question 4: Do we test encryption configurations quarterly?

✅ YES → COMPLIANT
❌ NO → GAP: Implement automated tests (OpenSSL cipher suite verification: confirm approved suites are accepted and non-approved suites are rejected). Remediation: 1 week.
Remediation:
Positive test (handshake must succeed): openssl s_client -connect yourserver:443 -tls1_2 -cipher 'ECDHE-ECDSA-AES256-GCM-SHA384' </dev/null | grep 'Cipher is'
Negative test (handshake must fail): openssl s_client -connect yourserver:443 -tls1_2 -cipher 'DES-CBC3-SHA:@SECLEVEL=0' </dev/null; for TLS 1.3 suites use -ciphersuites instead of -cipher
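Implementation step 5 and Question 4 both come down to the same check: every cipher suite a server or host offers must use FIPS-approved algorithms. The script below is an added example written for this page (it is not NetStable's code and not a NIST tool). It parses the output of openssl ciphers -v and sorts each suite into "fail" (a non-approved algorithm: RC4, 3DES, CHACHA20-POLY1305, MD5, anonymous or static-ECDH authentication), "legacy" (FIPS-allowed but weak: RSA key transport or HMAC-SHA1), or "approved". The three-tier policy is this example's assumption and is stricter than the FIPS minimum; the SAMPLE lines are constructed to resemble real openssl output. It checks algorithm choice only; whether the module producing them is CMVP-validated is a separate question answered by the certificate inventory.

```python
"""FIPS-approved TLS cipher suite audit (added example, not NetStable code).

Usage: openssl ciphers -v 'ALL:@SECLEVEL=0' | python3 fips_ciphers.py -
With no '-' argument it runs on the constructed SAMPLE below. The policy
encoded here (ephemeral key exchange, AES, SHA-2 or AEAD) is an assumption
of this example and is stricter than the FIPS minimum.
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass

# One `openssl ciphers -v` line looks like:
# ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)"
)

# Only AES (GCM, CCM or CBC) is an approved TLS cipher. This rejects RC4, 3DES
# (disallowed after 2023), CHACHA20-POLY1305 (not FIPS-approved), NULL, export.
AES_RE = re.compile(r"^AES(GCM|CCM|CCM8)?\((128|256)\)$")
EPHEMERAL_KX = {"ECDH", "DH", "any"}  # ECDHE/DHE; OpenSSL prints Kx=any for TLS 1.3
APPROVED_AU = {"RSA", "ECDSA", "any"}
SHA2_MAC = {"SHA256", "SHA384", "AEAD"}

# Constructed sample in `openssl ciphers -v` format; replace with real output.
SAMPLE = """\
TLS_AES_256_GCM_SHA384         TLSv1.3 Kx=any        Au=any   Enc=AESGCM(256)            Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256   TLSv1.3 Kx=any        Au=any   Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384  TLSv1.2 Kx=ECDH       Au=ECDSA Enc=AESGCM(256)            Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256    TLSv1.2 Kx=ECDH       Au=RSA   Enc=AESGCM(128)            Mac=AEAD
DHE-RSA-AES128-SHA256          TLSv1.2 Kx=DH         Au=RSA   Enc=AES(128)               Mac=SHA256
ECDHE-RSA-AES128-SHA           TLSv1   Kx=ECDH       Au=RSA   Enc=AES(128)               Mac=SHA1
AES256-GCM-SHA384              TLSv1.2 Kx=RSA        Au=RSA   Enc=AESGCM(256)            Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305    TLSv1.2 Kx=ECDH       Au=RSA   Enc=CHACHA20/POLY1305(256) Mac=AEAD
DES-CBC3-SHA                   SSLv3   Kx=RSA        Au=RSA   Enc=3DES(168)              Mac=SHA1
RC4-MD5                        SSLv3   Kx=RSA        Au=RSA   Enc=RC4(128)               Mac=MD5
ECDH-ECDSA-AES128-SHA          TLSv1   Kx=ECDH/ECDSA Au=ECDH  Enc=AES(128)               Mac=SHA1
AECDH-AES128-SHA               TLSv1   Kx=ECDH       Au=None  Enc=AES(128)               Mac=SHA1
"""


@dataclass(frozen=True)
class Suite:
    name: str
    proto: str  # protocol where the suite was first defined, NOT what gets negotiated
    kx: str
    au: str
    enc: str
    mac: str


def parse_ciphers(text: str) -> list[Suite]:
    """Parse `openssl ciphers -v` output; lines that do not match are skipped."""
    suites = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            suites.append(Suite(**m.groupdict()))
    return suites


def classify(s: Suite) -> tuple[str, str]:
    """Return (tier, reason) with tier in {'fail', 'legacy', 'approved'}."""
    if not AES_RE.match(s.enc):
        return "fail", f"cipher {s.enc} is not FIPS-approved for TLS"
    if s.mac == "MD5":
        return "fail", "MD5 MAC is not FIPS-approved"
    if s.au not in APPROVED_AU:
        return "fail", f"authentication {s.au} (anonymous, PSK or static ECDH) not accepted"
    if s.kx not in EPHEMERAL_KX | {"RSA"}:
        return "fail", f"key exchange {s.kx} not accepted"
    if s.kx == "RSA":
        return "legacy", "RSA key transport: allowed, but no forward secrecy (SP 800-52r2 discourages)"
    if s.mac not in SHA2_MAC:
        return "legacy", f"HMAC-{s.mac}: still approved for HMAC, but prefer SHA-2 or AEAD suites"
    return "approved", "ephemeral key exchange, AES, SHA-2 or AEAD"


def audit(text: str) -> dict[str, list[str]]:
    """Group suite names by tier, preserving the listed preference order."""
    report: dict[str, list[str]] = {"approved": [], "legacy": [], "fail": []}
    for s in parse_ciphers(text):
        report[classify(s)[0]].append(s.name)
    return report


def openssl_cipher_string(text: str) -> str:
    """TLS 1.2 cipher list (Apache SSLCipherSuite / nginx ssl_ciphers) keeping only
    'approved' suites. TLS 1.3 suites are configured separately via Ciphersuites."""
    keep = [s.name for s in parse_ciphers(text)
            if s.proto != "TLSv1.3" and classify(s)[0] == "approved"]
    return ":".join(keep)


if __name__ == "__main__":
    text = sys.stdin.read() if "-" in sys.argv[1:] else SAMPLE
    for suite in parse_ciphers(text):
        tier, reason = classify(suite)
        print(f"{tier:8} {suite.name:32} {reason}")
    print("\nTLS 1.2 server cipher string:", openssl_cipher_string(text))
```

Run it against the cipher list of each host in the crypto inventory, and keep the output with the quarterly TLS test results. A clean run is a necessary condition, not a sufficient one: it proves the algorithms are approved, while the CMVP certificate for the library that implements them is what makes the cryptography "validated" in the sense this control requires.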

⚠️ Common Mistakes (What Auditors Flag)

1. Assuming cloud providers' default encryption is FIPS-compliant

Why this happens: Providers' standard service endpoints terminate TLS in modules that are not necessarily validated, and FIPS endpoints (or FIPS-mode images and HSM-backed key tiers) must be chosen explicitly; some are only offered in certain regions
How to avoid: Explicitly select FIPS endpoints, FIPS-mode guest images, and HSM-backed key services, then document the configuration and the certificate each relies on

2. Overlooking third-party applications' crypto modules

Why this happens: ERP/CRM and other packaged applications often bundle their own OpenSSL or Java runtime, which runs a non-validated module regardless of whether the host OS has FIPS mode enabled
How to avoid: Require vendors to state the CMVP certificate number and FIPS-mode configuration for their bundled crypto during procurement, and verify it on the installed version

3. Incomplete documentation of FIPS modes

Why this happens: Teams enable FIPS but don't record where/how it's implemented
How to avoid: Create a cryptographic configuration matrix showing all touchpoints

4. Not testing after patches/updates

Why this happens: OS updates sometimes reset crypto policies to defaults
How to avoid: Include FIPS verification in your patch management checklist

📚 Parent Policy

This practice is governed by the System and Communications Protection Policy


📚 Related Controls