CUI must be protected from eavesdropping and unauthorized access. SC.L2-3.13.11 requires encryption using FIPS-validated algorithms. This applies to CUI in transit and at rest. The assessor will verify that encryption is actually in use and that it meets FIPS standards. See SC.L2-3.13.8 for encryption in transit and SC.L2-3.13.10 for key management.
What the assessor is actually evaluating
The assessor will check:
Encryption policy: You should have a documented policy requiring FIPS-validated encryption for CUI in transit and at rest.
Data in transit: TLS 1.2 or higher should be used for network communications. The assessor will test connectivity to verify TLS is in use and check certificate details.
Data at rest: BitLocker, FileVault, or database-native encryption should protect stored CUI. The assessor will verify encryption is enabled and that FIPS mode is configured.
FIPS validation: Encryption algorithms and libraries should be FIPS-validated. The assessor may ask for documentation or module numbers.
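The in-transit check described above can be reproduced from an administrator's workstation rather than from screenshots. The following PowerShell function is an added example, not code from the original guide: it negotiates a TLS session with an endpoint, records the protocol, cipher and certificate details the assessor asks for, and grades them against the policy wording used later in this guide (TLS 1.2, AES, SHA-2 signature, 2048-bit key). The hostname `intranet.example.local` and the function name are assumptions; substitute your own systems.

```powershell
# Added example, not from the original guide: negotiate TLS with an endpoint and
# report what the assessor checks for in-transit encryption.
# Hostname and function name are assumptions; point it at your own servers.
function Test-CuiTlsEndpoint {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443,
        # Offer only this protocol; the handshake fails if the server refuses it
        [System.Security.Authentication.SslProtocols]$Protocol = 'Tls12'
    )
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $noClientCerts = New-Object System.Security.Cryptography.X509Certificates.X509CertificateCollection
        # Final argument: also check certificate revocation during validation
        $ssl.AuthenticateAsClient($HostName, $noClientCerts, $Protocol, $true)

        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
        $keySize = if ($rsa) { $rsa.KeySize } else { 'non-RSA' }

        # Grade against the SSP statement: TLS 1.2+, AES cipher, SHA-2 signature, 2048-bit RSA key
        $meets = ("$($ssl.SslProtocol)" -in 'Tls12', 'Tls13') -and
                 ("$($ssl.CipherAlgorithm)" -like 'Aes*') -and
                 ($cert.SignatureAlgorithm.FriendlyName -match 'sha(256|384|512)') -and
                 ($rsa -and $rsa.KeySize -ge 2048)

        [pscustomobject]@{
            Host               = "${HostName}:$Port"
            Negotiated         = $ssl.SslProtocol
            Cipher             = "$($ssl.CipherAlgorithm) ($($ssl.CipherStrength)-bit)"
            Hash               = $ssl.HashAlgorithm
            SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName
            KeySize            = $keySize
            Subject            = $cert.Subject
            Issuer             = $cert.Issuer
            NotAfter           = $cert.NotAfter
            MeetsPolicy        = $meets
        }
    }
    catch [System.Security.Authentication.AuthenticationException] {
        # Reached when the server refuses the offered protocol or the certificate fails validation
        [pscustomobject]@{
            Host        = "${HostName}:$Port"
            Negotiated  = 'refused'
            Error       = $_.Exception.Message
            MeetsPolicy = $false
        }
    }
    finally {
        $client.Close()
    }
}

# Positive check: TLS 1.2 must succeed with MeetsPolicy = True.
Test-CuiTlsEndpoint -HostName 'intranet.example.local'

# Negative check: TLS 1.0 and 1.1 should come back as 'refused'; a successful
# handshake here is a finding, even though the cipher may look fine.
'Tls', 'Tls11' | ForEach-Object { Test-CuiTlsEndpoint -HostName 'intranet.example.local' -Protocol $_ }
```

Run it against each web server, API and VPN gateway named in the SSP and keep the output alongside the certificate screenshots; the negative check is what shows the assessor that older protocols are not merely unused but actually disabled.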
What a realistic SSP definition looks like
Policy: “The organization encrypts all CUI in transit using TLS 1.2 or higher with FIPS-validated algorithms. All CUI at rest is encrypted using FIPS-validated encryption such as BitLocker or database-native encryption. FIPS mode is enabled on all encryption mechanisms.”
Supporting details:
- Data in transit: Web applications use TLS 1.2 with AES-256. APIs use TLS 1.2. VPN connections use IPsec with AES-256. Certificates are issued by internal PKI or trusted CAs.
- Data at rest: All laptops and servers have BitLocker enabled with FIPS mode. Database encryption is enabled with AES-256. File shares are encrypted with SMB encryption.
- FIPS validation: All encryption libraries and algorithms are FIPS 140-2 Level 1 or higher. Configuration is verified annually.
How to present your evidence
- Encryption policy document: Describes encryption requirements for data in transit and at rest, and specifies FIPS-validated algorithms.
- TLS certificate information: Show the certificates in use for web servers and APIs, including the signature algorithm (should be SHA256 or SHA384) and key size (2048-bit or higher).
- BitLocker configuration: Screenshots showing BitLocker is enabled on systems and FIPS mode is configured. Verify on multiple systems (servers and workstations).
- Database encryption verification: Screenshots showing database encryption is enabled. For SQL Server, show Transparent Data Encryption (TDE) is enabled. For other databases, show encryption configuration.
- FIPS mode verification: Evidence that FIPS mode is enabled in operating systems, applications, and libraries. This might be registry settings on Windows, settings in configuration files, or screenshots from admin consoles.
- Encryption algorithm audit: Documentation listing all encryption algorithms in use and confirming they are FIPS-validated.
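The BitLocker, FIPS-mode and database items above can be collected in one pass instead of one screenshot at a time. The script below is an added example, not code from the original guide: it reads the Windows FIPS policy value, lists every BitLocker volume with its protection status and encryption method, and queries SQL Server's own catalog views for the TDE state of a named database. It assumes an elevated PowerShell session with the BitLocker module present, a SQL Server instance reachable with Windows authentication, and a database named `CuiDb`; the instance name, database name and function names are all assumptions.

```powershell
# Added example, not from the original guide: gather data-at-rest evidence on a
# Windows host. Needs an elevated session with the BitLocker module; the SQL
# instance and database names are assumptions.
function Get-FipsModeState {
    # Windows restricts cryptography to FIPS-validated algorithms when this Lsa value is 1
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $value = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        FipsEnabled = ($value -eq 1)   # $false also covers a missing value
    }
}

function Get-BitLockerEvidence {
    Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            Computer         = $env:COMPUTERNAME
            MountPoint       = $_.MountPoint
            ProtectionStatus = $_.ProtectionStatus   # 'On' is what the assessor wants to see
            VolumeStatus     = $_.VolumeStatus       # FullyEncrypted vs. EncryptionInProgress
            EncryptionMethod = $_.EncryptionMethod   # e.g. XtsAes256
            KeyProtectors    = ($_.KeyProtector | ForEach-Object KeyProtectorType) -join ','
        }
    }
}

function Get-TdeEvidence {
    param(
        [string]$Instance = 'localhost',   # assumption
        [string]$Database = 'CuiDb'        # assumption
    )
    # sys.dm_database_encryption_keys has no row for a database without TDE,
    # so the LEFT JOIN makes an unencrypted database show up with empty key columns
    $query = @"
SELECT d.name, d.is_encrypted, k.encryption_state, k.key_algorithm, k.key_length
FROM sys.databases AS d
LEFT JOIN sys.dm_database_encryption_keys AS k ON d.database_id = k.database_id
WHERE d.name = @db
"@
    # Encrypt=True keeps the evidence query itself on TLS; the server certificate must be trusted
    $conn = New-Object System.Data.SqlClient.SqlConnection(
        "Server=$Instance;Database=master;Integrated Security=True;Encrypt=True")
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $query
        [void]$cmd.Parameters.AddWithValue('@db', $Database)
        $reader = $cmd.ExecuteReader()
        while ($reader.Read()) {
            [pscustomobject]@{
                Instance        = $Instance
                Database        = $reader['name']
                IsEncrypted     = [bool]$reader['is_encrypted']
                EncryptionState = $reader['encryption_state']   # 3 = encrypted, 2 = in progress
                Algorithm       = $reader['key_algorithm']       # expect 'AES'
                KeyLength       = $reader['key_length']          # expect 256
            }
        }
    }
    finally {
        $conn.Close()
    }
}

# Collect everything with a timestamp so it can be filed as evidence
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
Get-FipsModeState     | Export-Csv -NoTypeInformation -Path "fips-$stamp.csv"
Get-BitLockerEvidence | Export-Csv -NoTypeInformation -Path "bitlocker-$stamp.csv"
Get-TdeEvidence       | Export-Csv -NoTypeInformation -Path "tde-$stamp.csv"
```

The FIPS value matters as much as the BitLocker status: the "FIPS mode not enabled" failure later in this guide is exactly the case where `ProtectionStatus` reads `On` but `FipsEnabled` is `False`. Run the first two functions on a sample of both servers and workstations, since the assessor will ask to see more than one system.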
Keep answers short. Show the evidence, don't describe it. Let the assessor drive. For more on how to present in the assessment room, see How to Present Evidence in the Assessment Room.
Assessor: “How do you encrypt CUI? Walk me through your encryption implementation.”
You: “We encrypt CUI in transit with TLS 1.2 and at rest with BitLocker and database encryption. Everything is FIPS-validated.” [Pull up encryption policy and certificate details]
Assessor: “Show me BitLocker configuration on a system.”
You: [Open BitLocker settings or Get-BitLockerVolume in PowerShell showing BitLocker is enabled and FIPS mode is configured]
Assessor: “What about your database?”
You: “Our SQL Server database has Transparent Data Encryption enabled with AES-256.” [Pull up database encryption settings]
Assessor: “Verify for me. Can someone read the database files without the encryption key?”
You: “No. The files are encrypted. Without the encryption key, they are unreadable.” [If time permits, demonstrate by attempting to read a database file]
Common failures
No encryption at rest: CUI is stored unencrypted. Database files, file shares, and backups contain plaintext sensitive data.
Weak encryption: Encryption is in use but it is not FIPS-validated (e.g., RC4, DES, or home-grown encryption).
FIPS mode not enabled: BitLocker is enabled, but FIPS mode is not configured. The system does not restrict algorithms to FIPS-validated ones.
Encryption in transit is missing: Some communications channels are unencrypted. Data is sent over HTTP instead of HTTPS.
What good looks like
Comprehensive encryption: All CUI in transit is encrypted with TLS 1.2+. All CUI at rest is encrypted with FIPS-validated algorithms. FIPS mode is verified.
Consistent implementation: Encryption is applied comprehensively across all systems and data stores, with no exceptions or gaps.
FIPS mode on firewalls covers most encryption requirements for boundary traffic. If you're on GCC High, encryption is inherited from the platform for many services. Document the platform capabilities and explain them. The assessor wants to know what's encrypting your CUI, not necessarily that you built it yourself.
If you use an MSP/MSSP
If your MSP hosts or manages systems containing CUI, ensure the service agreement specifies FIPS-validated encryption in transit and at rest. Request configuration documentation and verification that encryption is enabled. You are accountable to assessors for ensuring CUI is encrypted, even if hosted by an MSP.
This guide is for reference only and does not replace official CMMC documentation or professional compliance advice.