Complying with the DoD's Cybersecurity Maturity Model Certification (CMMC) presents a challenge. The Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) has recently released its Top 10 Other than Satisfied NIST SP 800-171 Requirements, which outlines the most common areas where organizations have failed to meet the NIST SP 800-171 compliance requirements. Out of the 117 DIBCAC High assessments conducted, 3.13.11, which is to “Employ FIPS-validated cryptography when used to protect the confidentiality of CUI,” was the top requirement that organizations failed to satisfy. This article will discuss how organizations can ensure compliance with this requirement and the importance of implementing FIPS-validated cryptography.

NIST SP 800-171 outlines security controls that organizations that work with the Department of Defense (DoD) must follow to protect controlled unclassified information (CUI) from unauthorized access. The CUI category covers sensitive but unclassified information, such as export-controlled information or intellectual property, that is not intended for public release.

Organizations that fail to comply with the NIST SP 800-171 requirements risk losing their DoD contracts, facing financial penalties, or damaging their reputation. Since the release of DFARS 7012 in 2017, compliance with NIST SP 800-171 has become even more critical. FIPS-validated cryptography is one of the most important requirements of NIST SP 800-171, as it ensures that Controlled Unclassified Information (CUI) is properly protected from unauthorized access.

To comply with practice 3.13.11, organizations must use FIPS-validated cryptography. This requirement complements related CMMC practices such as AC.L2-3.1.19, MP.L2-3.8.6, SC.L2-3.13.8, and SC.L2-3.13.16. FIPS-validated cryptography refers to cryptographic modules that NIST has tested and validated to meet specific security requirements outlined in the Federal Information Processing Standards. This includes approved cryptographic algorithms such as AES, 3DES, and RSA.

Implementing FIPS-validated cryptography requires organizations to identify all the data and systems that require encryption. This may include sensitive data such as personally identifiable information, financial data, and intellectual property. Once the data and systems have been identified, organizations should determine which cryptographic algorithms are appropriate for their needs based on the NIST-approved list of algorithms.

After selecting the appropriate cryptographic algorithms, organizations should implement the FIPS-validated cryptographic modules into their systems. These modules can be hardware-based, software-based, or a combination of both. It is important to ensure that the cryptographic modules are properly configured and that the encryption keys are securely managed. Organizations should also regularly review and update their cryptographic implementations to ensure that they remain up-to-date and secure.
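As an added illustration of what "properly configured" means in practice (example code, not from the article or from Priority Defense), the Python check below audits an OpenSSH sshd_config against an allowlist of algorithms and fails closed on anything it cannot confirm, including keywords left at their defaults or edited with the +, - and ^ modifiers. The allowlist and the two sample configurations are constructed for the example; the authoritative list of approved algorithms for a given module is its CMVP security policy, and it is the validated module, not merely an approved algorithm name, that 3.13.11 requires.

```python
# Allowlist this example treats as FIPS-approved for OpenSSH: an illustrative,
# constructed list; the authoritative one is the CMVP security policy of the
# validated module in use. Anything absent is flagged, so the check fails closed.
FIPS_ALLOWLIST = {
    "ciphers": {"aes128-ctr", "aes192-ctr", "aes256-ctr",
                "aes128-gcm@openssh.com", "aes256-gcm@openssh.com"},
    "macs": {"hmac-sha2-256", "hmac-sha2-512",
             "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com"},
    "kexalgorithms": {"ecdh-sha2-nistp256", "ecdh-sha2-nistp384",
                      "ecdh-sha2-nistp521", "diffie-hellman-group14-sha256",
                      "diffie-hellman-group16-sha512"},
}

def parse_sshd_config(text: str) -> dict:
    """Map lowercased keyword -> raw value. sshd honours the FIRST occurrence."""
    seen = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and whole-line comments
        parts = line.replace("=", " ").split(None, 1)  # 'Key value' or 'Key=value'
        if len(parts) == 2:
            seen.setdefault(parts[0].lower(), parts[1].strip())
    return seen

def audit_sshd_config(text: str) -> dict:
    """Return {keyword: [findings]}; an empty list means that keyword passes."""
    seen, findings = parse_sshd_config(text), {}
    for keyword, allowed in FIPS_ALLOWLIST.items():
        value = seen.get(keyword)
        if value is None:  # compiled-in defaults apply, and they include chacha20
            findings[keyword] = ["not set; OpenSSH defaults apply"]
        elif value[0] in "+-^":  # modifiers edit the default list rather than replace it
            findings[keyword] = [f"modifier '{value[0]}' keeps defaults in play; set an explicit list"]
        else:
            findings[keyword] = [f"not on allowlist: {a}" for a in value.split(",") if a not in allowed]
    return findings

WEAK_CONFIG = """# sshd_config (constructed weak sample)
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs umac-128-etm@openssh.com,hmac-sha2-256
KexAlgorithms +curve25519-sha256
"""
HARDENED_CONFIG = """# sshd_config (constructed hardened sample)
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms ecdh-sha2-nistp384,diffie-hellman-group16-sha512
"""
```

Run `audit_sshd_config(WEAK_CONFIG)` and `audit_sshd_config(HARDENED_CONFIG)` to compare: the first reports a finding under every keyword, the second reports none.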

Non-compliance with FIPS-validated cryptography can result in a deduction of 5 points from the score of 110 for the “Other than Satisfied” category of the DIBCAC assessment. However, the points deducted for non-compliance can be adjusted depending on how the requirements are implemented. For example, if an organization employs encryption but it is not FIPS validated, they would receive a deduction of 3 points from the score of 110. If encryption is not employed at all, then 5 points are subtracted from the score of 110. This allows organizations to receive partial credit for partially implementing FIPS-validated encryption.

It is important to note that implementing the derived security requirements of multi-factor authentication and FIPS-validated encryption is necessary for NIST SP 800-171 compliance.

In addition to implementing FIPS-validated cryptography, organizations should also implement other security measures to protect their information. This may include access controls, intrusion detection and prevention systems, and security monitoring tools. It is important to have a comprehensive security plan that addresses all aspects of information security, including encryption.

It’s crucial to stay ahead of compliance regulations like CMMC and NIST SP 800-171. Implementing the 3.13.11 requirement for FIPS-validated cryptography is just one step in the process of achieving CMMC compliance, but it’s an essential one.

Priority Defense can support your company with this implementation and ensure that your data and CUI are properly protected. Our team of experts can work with you to assess your current encryption methods, identify gaps in compliance, and provide solutions that meet the requirements of CMMC. With our support, you can achieve CMMC compliance and keep your company’s valuable data and information secure. Don’t wait until it’s too late – contact Priority Defense today to learn more about how we can help with your compliance needs.
