Encryption

Encryption is the process of converting readable data into an unreadable format using mathematical algorithms, so that only authorized parties with the correct decryption key can access the original information. It protects data both 'at rest' (stored on drives) and 'in transit' (moving across networks).

For defense contractors, encryption is a fundamental requirement for protecting CUI. FIPS 140-2 validated encryption must be used. This means you can't use just any encryption software; it must rely on cryptographic modules that have been tested and certified by NIST to meet federal standards.

Why It Matters

CMMC requires FIPS-validated encryption for protecting CUI both at rest and in transit. Using non-validated encryption methods — even strong ones — does not satisfy this requirement. Verify that your encryption solutions carry FIPS 140-2 (or 140-3) validation certificates.
