Skip to main content

SC.L2-3.13.11Employ FIPS-validated cryptography to protect CUI

Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.

Verbatim NIST SP 800-171 Rev 2 requirement text (3.13.11).

SPRS weight: 5 ptsPOA&M-eligible (32 CFR 170.21)1 assessment objective

How it's scored

5 points deducted from your SPRS score if unmet.

Special scoring rule (DoD Assessment Methodology v1.2.1):

Subtract 5 points if encryption is not employed; subtract 3 points if encryption is employed but is not FIPS-validated.

May be included on a POA&M only when encryption is employed but not FIPS-validated (the 3-point case), per 32 CFR 170.21(a)(2)(ii). If encryption is absent entirely (5-point case), it is not POA&M eligible.

Source: DoD Assessment Methodology v1.2.1 Annex A; 32 CFR 170.24(c)(2)(i)(B)(4)(ii); 32 CFR 170.21(a)(2)(ii)

An open gap here may sit on a POA&M at conditional Level 2 certification (32 CFR 170.21), provided your total score is at least 88 of 110 — and it must close within 180 days of the conditional status date.

What an assessor checks: the 1 assessment objective

NIST SP 800-171A determination statements, verbatim. A CMMC Level 2 assessor marks SC.L2-3.13.11 MET only when every applicable objective is satisfied — and examines evidence, not assertions.

ObjectiveDetermination statement
3.13.11FIPS-validated cryptography is employed to protect the confidentiality of CUI.

Where do you stand on SC.L2-3.13.11?

The free Muster Score walks all 110 requirements — including every objective above — and computes your exact SPRS score in your browser. No signup, no upload, and your answers never leave your device.

Get your free Muster Score →

Requirement and objective text: NIST SP 800-171 Rev 2 / SP 800-171A (verbatim). Scoring: DoD Assessment Methodology v1.2.1; POA&M eligibility: 32 CFR 170.21. Muster is independent and not affiliated with the U.S. Department of Defense or the Cyber AB; this page is compliance information, not legal advice or a certification.