Back to Control Explorer



Control Acronym



System And Communications Protection

CMMC Level


800-171 Control #


CMMC Description

Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.

CMMC Clarification

Only use cryptography validated through the NIST Cryptographic Module Validation Program (CMVP) to protect the confidentiality of CUI. Any other cryptography cannot be used since it has not been tested and validated to protect CUI. FIPS validated cryptography is not a requirement for all information, FIPS-validation is only used for the protection of CUI. Example You are an IT administrator responsible for deploying encryption on all devices that contain CUI for your organization. You must ensure that the encryption you use on the devices is FIPS validated cryptography. An employee informs you that they must carry a large volume of CUI offsite and asks for guidance on how to do so. You provide the user with Whole Disk Encryption software that you have verified via the NIST website uses a CVMP-validated encryption module. You instruct the user on the use of the software. Once the encryption software is active, the user copies their CUI data onto the drive to transport the data.

800-171 Description

Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.

800-171 Discussion

Cryptography can be employed to support many security solutions including the protection of controlled unclassified information, the provision of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances for such information but lack the necessary formal access approvals. Cryptography can also be used to support random number generation and hash generation. Cryptographic standards include FIPS- validated cryptography and/or NSA-approved cryptography. See [NIST CRYPTO]; [NIST CAVP]; and [NIST CMVP].

Other Source Discussion


CIS Control References

CIS Controls v7.1 14.4, 14.8

NIST 800-53 Control Ref.

NIST SP 800-53 Rev 4 SC-13

CMMC Derived

NIST CSF Control References

NIST 800-171 References

NIST SP 800-171 Rev 1 3.13.11

Applicable FAR Clause

NIST CSF Control Reference

NIST CSF v1.1 PR.DS-1, PR.DS-2

CERT RMM Reference


Modification of NIST 800-171B Reference

NIST 800-171B Reference

UK NCSCCyber Reference

AS ACSC Reference


Assessment Sub-Criteria 1

SC.3.177.[a] FIPS-validated cryptography is employed to protect the confidentiality of CUI.

Assessment Sub-Criteria 2

Assessment Sub-Criteria 3

Assessment Sub-Criteria 4

Assessment Sub-Criteria 5

Assessment Sub-Criteria 6

Assessment Sub-Criteria 7

Assessment Sub-Criteria 8

Assessment Sub-Criteria 9

Assessment Sub-Criteria 10

Assessment Sub-Criteria 11

Assessment Sub-Criteria 12

Assessment Sub-Criteria 13

Assessment Sub-Criteria 14

Assessment Sub-Criteria 15