Encryption protecting CUI must be FIPS 140-validated — not just 'on'.
What it actually means
The single most commonly failed control in real government assessments. The trap: it's not enough that CUI is encrypted — the cryptographic module doing the encrypting has to be FIPS 140-validated, meaning it appears on NIST's Cryptographic Module Validation Program (CMVP) list. BitLocker, FileVault, and your VPN can all encrypt without running in a validated mode, and an assessor will treat that as a failure.
Pass or fail — an assessor needs a "yes" to each
- Data at rest: full-disk encryption (BitLocker/FileVault) in FIPS mode on devices holding CUI.
- Data in transit: TLS 1.2+ everywhere CUI moves.
- Cloud (e.g., GCC High) confirmed to use FIPS-validated modules.
- Modules can be matched to a CMVP validation certificate when asked.
What to have ready
- FIPS-mode configuration screenshots
- CMVP certificate numbers for the modules in use
- Cloud provider's FIPS/validated-module documentation
Where teams trip up
- 'We encrypt everything' — without verifying the module is validated
- BitLocker on but not in FIPS mode
- Assuming a cloud platform is FIPS without confirming
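The Windows-side checks behind the pass/fail list above and the first two trip-ups (BitLocker on but not in FIPS mode, legacy TLS still enabled) can be pulled into one evidence report. The script below is an added example written for this page, not something the original page or any vendor ships; it assumes an elevated Windows PowerShell session on a Windows 10/11 or Server host with the BitLocker module present, and it reads the registry locations Microsoft documents for the FIPS algorithm policy and SCHANNEL protocol switches. The CSV it writes and the OS build it records are what you match by hand against the CMVP certificate for that build's cryptographic library; the script cannot look up certificate numbers for you.

```powershell
# Added example (not from the original page): 3.13.11 evidence checks for a Windows endpoint.
# Assumptions: elevated Windows PowerShell 5.1+, BitLocker module available, registry paths as
# documented by Microsoft. Output is an evidence table, not a verdict on the CMVP match itself.

function Get-FipsPolicyState {
    # "System cryptography: Use FIPS compliant algorithms..." is stored under this key.
    # Enabled=1 is what puts BitLocker (and other CNG consumers) into FIPS mode; BitLocker
    # volume status alone does not prove this, so the two checks are reported side by side.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $value = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
    [pscustomobject]@{
        Check  = 'FIPS algorithm policy'
        Pass   = ($value -eq 1)
        Detail = "FipsAlgorithmPolicy\Enabled=$value"
    }
}

function Get-BitLockerEvidence {
    # One row per volume: fully encrypted with protection on is the bar for a CUI device.
    Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            Check  = "BitLocker $($_.MountPoint)"
            Pass   = ($_.VolumeStatus -eq 'FullyEncrypted' -and $_.ProtectionStatus -eq 'On')
            Detail = "Method=$($_.EncryptionMethod) Status=$($_.VolumeStatus) Protection=$($_.ProtectionStatus)"
        }
    }
}

function Get-SchannelProtocolState {
    # SCHANNEL protocol switches. A missing key means the OS default applies, which varies by
    # build, so legacy protocols only pass when they are explicitly disabled.
    $base   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    $legacy = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1'
    foreach ($proto in ($legacy + 'TLS 1.2', 'TLS 1.3')) {
        foreach ($side in 'Server', 'Client') {
            $key     = Join-Path $base "$proto\$side"
            $enabled = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
            $state   = if ($null -eq $enabled) { 'OS default' } elseif ($enabled -eq 0) { 'Disabled' } else { 'Enabled' }
            $pass    = if ($proto -in $legacy) { $state -eq 'Disabled' } else { $state -ne 'Disabled' }
            [pscustomobject]@{ Check = "SCHANNEL $proto $side"; Pass = $pass; Detail = $state }
        }
    }
}

function Get-OsBuildForCmvpMatch {
    # Record the exact build so the host's cryptographic library can be matched to its CMVP
    # certificate entry later; the certificate number itself comes from the CMVP list, not here.
    $os = Get-CimInstance Win32_OperatingSystem
    [pscustomobject]@{
        Check  = 'OS build for CMVP lookup'
        Pass   = $true
        Detail = "$($os.Caption) $($os.Version) build $($os.BuildNumber)"
    }
}

# Collect everything, show it, and write the evidence file named after the host.
$results = @(Get-FipsPolicyState) + @(Get-BitLockerEvidence) + @(Get-SchannelProtocolState) + @(Get-OsBuildForCmvpMatch)
$results | Format-Table -AutoSize
$results | Export-Csv -Path ".\3.13.11-evidence-$env:COMPUTERNAME.csv" -NoTypeInformation

# Anything with Pass=False is a finding to fix before the assessment, not a note for the POA&M.
$results | Where-Object { -not $_.Pass } | Format-Table Check, Detail -AutoSize
```

Run it on each device that stores CUI and keep the CSV with the FIPS-mode screenshots. The important design point is that the FIPS policy row and the BitLocker rows are separate: a volume that reports FullyEncrypted with the policy value absent is exactly the "BitLocker on but not in FIPS mode" case, because the policy has to be on before the volume is encrypted for the module to run in its validated mode.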
POA&M note: 3.13.11 is the one higher-weight control the CMMC program lets you place on a POA&M (most 3- and 5-point controls cannot be deferred). Full validation is still the goal — a POA&M is a clock, not a finish line.
See where this control puts your score
Run all 110 requirements free in about 10 minutes.
Calculate your SPRS score →