When it comes to the Cybersecurity Maturity Model Certification (CMMC) 2.0, encryption standards are crucial to protecting Controlled Unclassified Information (CUI). CMMC 2.0 incorporates practices from the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. SP 800-171 outlines the requirements for protecting CUI in non-federal systems.

Acceptable Encryption Standards

For CMMC 2.0, the encryption standards typically acceptable are those that align with Federal Information Processing Standards (FIPS) or those specified by NIST. The most commonly accepted encryption standards include:

  • AES (Advanced Encryption Standard): AES is the preferred standard for encrypting sensitive data. FIPS 197 defines AES, and it is widely used for both data at rest and data in transit.
  • TLS (Transport Layer Security): TLS 1.2 or higher (with FIPS-approved algorithms) is recommended for securing data in transit over networks. It ensures encrypted communication channels between systems.
  • SHA-256 (Secure Hash Algorithm): For hashing purposes, SHA-256 is commonly used as it meets the requirements for CUI protection and is recommended by NIST.
  • RSA (Rivest–Shamir–Adleman): RSA with at least 2048-bit keys is often used for digital signatures and key exchanges, adhering to the minimum key length standards recommended by NIST.

CMMC 2.0 Controls Related to Encryption

MP.L2-3.8.9: Protect the confidentiality of backup CUI at storage locations.

  • Recommend your organization encrypt all backups. Use FIPS 140-2/140-3 validated cryptographic modules (for example, a validated module implementing AES) for backups stored on any media, whether on-site or off-site. This ensures that even if the physical media is compromised, the data remains protected.

SC.L2-3.13.10: Establish and manage cryptographic keys for cryptography employed in organizational systems.

  • Recommend your organization implement a robust Key Management System (KMS) that complies with NIST guidelines, such as NIST SP 800-57. This guideline provides specific recommendations for key management. Ensure that keys are stored securely, rotated regularly, and access is limited to authorized personnel only.
  • Additionally, recommend assigning key management responsibilities to distinct roles to prevent unauthorized access or misuse. This ensures that individuals who manage the keys cannot use them without appropriate oversight.

SC.L2-3.13.16: Protect the confidentiality of CUI at rest.

  • Recommend your organization utilize AES encryption for data stored on systems that handle CUI. Apply it consistently across all storage solutions, transparently to users where possible, so that no store of CUI is left unencrypted.
  • It is also advisable to implement full-disk encryption on devices containing CUI. This measure is especially critical for mobile or removable devices to safeguard against data breaches in the event they are lost or stolen.

SC.L2-3.13.8: Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.

  • Recommend your organization implement TLS 1.2 or higher for all network communications involving CUI. This ensures that data is encrypted in transit, preventing interception by unauthorized parties.
  • Also consider using a Virtual Private Network (VPN) with strong encryption (AES) for remote access to systems that contain CUI. This will ensure secure communication over potentially untrusted networks.
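Added example, not from the original post: a check written with only Python's standard-library ssl module that builds a permissive client context beside one restricted to TLS 1.2 or higher with AES-GCM suites, and audits both against that baseline. The allow-list of symmetric algorithm names and the finding format are my assumptions about how OpenSSL reports suites through get_ciphers().

```python
import ssl

# Constructed allow-list: FIPS-approved symmetric algorithms as they appear in
# the "symmetric" field returned by SSLContext.get_ciphers().
APPROVED_SYMMETRIC = {"aes-128-gcm", "aes-256-gcm"}


def audit_tls_context(ctx: ssl.SSLContext) -> list:
    """Return findings for a context that must carry CUI in transit.

    Baseline from the post: TLS 1.2 or higher, AES-based AEAD suites only.
    """
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append({"protocol": str(ctx.minimum_version),
                         "name": "minimum_version", "reason": "below TLS 1.2"})
    for suite in ctx.get_ciphers():
        sym = (suite.get("symmetric") or "").lower()
        if sym not in APPROVED_SYMMETRIC or not suite.get("aead"):
            findings.append({"protocol": suite["protocol"], "name": suite["name"],
                             "reason": f"non-approved suite ({sym or 'unknown'})"})
    return findings


def weak_context() -> ssl.SSLContext:
    """Permissive client context: every suite OpenSSL offers ('ALL')."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers("ALL")  # brings back CBC, 3DES and ChaCha20 suites
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Client context limited to TLS 1.2+ with ephemeral-key AES-GCM suites."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # set_ciphers() governs TLS 1.2 and below only. TLS 1.3 suites are fixed by
    # OpenSSL, so TLS_CHACHA20_POLY1305_SHA256 can still appear unless OpenSSL
    # runs with its FIPS provider; the audit reports it rather than hiding it.
    ctx.set_ciphers("ECDHE+AESGCM:DHE+AESGCM")
    return ctx


if __name__ == "__main__":
    for label, ctx in (("weak", weak_context()), ("hardened", hardened_context())):
        for f in audit_tls_context(ctx):
            print(f"{label}: {f['protocol']} {f['name']}: {f['reason']}")
```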

Securing CUI is a bit like James Bond navigating a high-stakes mission – only the best tools and strategies will do. If FIPS-validated encryption is your “license to protect”, a robust KMS is your Q-equipped Aston Martin. Using encryption properly ensures you’re always one step ahead of the enemy. So, no matter where your CUI data resides, cloud, on-prem, or hybrid, with the proper encryption, your organization can protect the DIB (Defense Industrial Base)!

For assistance with your CMMC efforts, contact DTC’s C3PAO team.