Overview:
Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
Action Items:
3.13.11[a]
Determine if: FIPS-validated cryptography is employed to protect the confidentiality of CUI.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
1) Examine: System and communications protection policy; procedures addressing cryptographic protection; system security plan; system design documentation; system configuration settings and associated documentation; cryptographic module validation certificates; list of FIPS-validated cryptographic modules; system audit logs and records; other relevant documents or records.
2) Interview: System or network administrators; personnel with information security responsibilities; system developer; personnel with responsibilities for cryptographic protection.
3) Test: Mechanisms supporting or implementing cryptographic protection.
Related Documents (document name and content will vary by organization):
1) System and communications protection policy
2) procedures addressing cryptographic protection
3) system security plan
4) system design documentation
5) system configuration settings and associated documentation
6) cryptographic module validation certificates
7) list of FIPS-validated cryptographic modules
8) system audit logs and records
9) other relevant documents or records
Additional Guidance:
Cryptography can be employed to support many security solutions including, for example, the protection of controlled unclassified information, the provision of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances for such information but lack the necessary formal access approvals. Cryptography can also be used to support random number generation and hash generation. Generally applicable cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. This control does not impose any requirements on organizations to use cryptography. However, if cryptography is required based on other security requirements, organizations define each type of cryptographic use and the type of cryptography required (e.g., FIPS-validated cryptography). See NIST Cryptographic Standards; NIST Cryptographic Module Validation Program; NIST Cryptographic Algorithm Validation Program.
Article ID: 203
Created: September 26, 2022
Last Updated: September 26, 2022
Author: Matthew Burdick
Online URL: http://www.compliancewiki.org/article/nist-800-171-cryptographic-protection-3-13-11-203.html