CMMC 1.0 Practice SC.3.177 Requirement:

Employ FIPS-validated cryptography when used to protect the confidentiality of “Controlled Unclassified Information” (CUI).

CMMC 1.0 SC.3.177 Requirement Explanation:

FIPS-validated cryptography is required to protect “Federal Contract Information” (FCI) typically when transmitted or stored outside the protected environment of the covered contractor information system (including wireless/remote access) if not separately protected (e.g., by a protected distribution system). FIPS validated cryptography is required whenever the encryption is required to protect federal contract information. Encryption used for other purposes, such as within applications or devices within the protected environment of the covered contractor information system, would not need to be FIPS-validated. Note that any separate contract requirement to encrypt data at rest (e.g., PII) within the information system would require use of FIPS-validated cryptography

CMMC 1.0 SC.3.177 Scenario(s):

- Scenario 1:

The employees in your company all handle “Controlled Unclassified Information” (CUI) on their laptops. To protect the confidentiality of the “Controlled Unclassified Information” (CUI) on the laptops you use bit locker disk encryption software to encrypt their hard drives. Bit locker uses FIPs validated encryption.

Discover Our NIST SP 800-171 & CMMC 2.0 Solutions:


Compliance Accelerator

Power through compliance. Meet and maintain your NIST SP 800-171 & CMMC 2.0 compliance requirements.

Quantum Assessor

Transform your business. Create new revenue streams and provide scalability for your NIST SP 800-171 and CMMC 2.0 services.

Supply Chain Verifier

Trust is everything. Verify, monitor, and support subcontactor compliance.