Does CUI Need to Be Encrypted?

Encryption is vital for protecting Controlled Unclassified Information (CUI). Does CUI need to be encrypted?

Yes. CUI must be encrypted. Two specific CMMC controls require it: SC.L2-3.13.8 (CUI at rest) and SC.L2-3.13.11 (CUI in transit). Both require FIPS-validated cryptography. There's no exception for small organizations, no carve-out for on-premises storage, and no grace period.

But "use encryption" isn't the whole story. The type of encryption matters. The implementation matters. And the documentation you have to prove it to an assessor matters. Here's how to think through each.

At Rest: SC.L2-3.13.8

Any system that stores CUI must protect it with FIPS-validated encryption. At rest means when the data is sitting on a drive — not actively being transmitted or processed.

What "FIPS-validated" means in practice

FIPS 140-3 (and its predecessor FIPS 140-2) is a federal standard for cryptographic modules. A module gets validated when an accredited lab tests it and NIST adds it to the Cryptographic Module Validation Program (CMVP) list at csrc.nist.gov.

The key point: not all encryption is FIPS-validated. The algorithm might be fine (AES-256 is FIPS-approved), but the software implementing it has to carry a validation certificate. VeraCrypt, for example, uses AES-256 — but VeraCrypt itself is not FIPS-validated. BitLocker on Windows uses the Windows CNG library, which holds multiple FIPS validation certificates. That distinction is what your assessor will check.

Common implementations for at-rest encryption

Windows workstations and servers: BitLocker with FIPS mode enabled. Enable via Group Policy: Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options → "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing." Without this policy setting, BitLocker may use algorithms or modes that aren't strictly FIPS-compliant even though the module itself is validated. Enable the policy. Document that it's enabled.

macOS: FileVault 2 on Apple Silicon and T2/T1-chip Macs uses Apple's Corecrypto module, which holds FIPS 140-2 validation (certificate #3856 for Apple Silicon). FileVault on older Intel Macs without T2 uses software-based AES. Check the CMVP list for your specific macOS version and hardware combination.

Linux: dm-crypt/LUKS is standard but not inherently FIPS-validated. Organizations running Linux with CUI need a kernel built with FIPS mode enabled (Red Hat Enterprise Linux with the FIPS certified packages, or Ubuntu in FIPS mode). This isn't something you add after the fact — it typically requires provisioning the system in FIPS mode from the start. Budget additional time during system setup: enabling FIPS mode on an existing Linux system requires reinstallation in most configurations.

Cloud storage: AWS S3, Azure Blob Storage, and Google Cloud Storage all support server-side encryption with FIPS-validated algorithms. The default server-managed keys (SSE-S3, Azure SSE with Microsoft-managed keys) use validated modules. If you're on a FedRAMP-authorized cloud service (AWS GovCloud, Azure Government), this is well-documented and assessors are familiar with it. Commercial cloud regions are trickier — verify the specific service's FedRAMP authorization and encryption documentation.

In Transit: SC.L2-3.13.11

CUI must be protected during transmission with FIPS-validated cryptography. This covers:

  • CUI sent via email
  • CUI accessed through a web browser (HTTPS)
  • CUI transferred over a site-to-site VPN
  • CUI transmitted between systems in your environment
  • CUI accessed by remote workers

TLS: the foundation of in-transit encryption

Transport Layer Security (TLS) is the protocol that secures web connections, email, and most other network traffic carrying CUI. For CMMC compliance:

  • Minimum version: TLS 1.2. Disable TLS 1.0 and 1.1 on all CUI-facing services.
  • Cipher suites: Must use FIPS-approved algorithms. AES-GCM suites with ECDHE key exchange are the current standard. Disable RC4, DES, 3DES, and export-grade cipher suites.
  • Certificate validity: Server certificates must not be expired. Expired certificates on active CUI systems are a finding.

On Windows Server, enabling FIPS mode in Group Policy restricts the OS to FIPS-compliant TLS cipher suites. On Linux, configure OpenSSL or NSS with a FIPS-validated module.
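As an added illustration of the cipher-suite rules above (this is not code from the original article), the following Python classifies IANA-style cipher-suite names the way the bullets describe and audits a constructed configuration sample; the verdict categories, function names and sample data are my own assumptions.

```python
import re

# Algorithms the article says to disable (RC4, DES, 3DES, export-grade) plus other
# non-FIPS-approved or unauthenticated options. 3DES is listed before DES on purpose.
BANNED = re.compile(r"(EXPORT|NULL|ANON|RC4|3DES|DES|CHACHA20|MD5)", re.IGNORECASE)
ALLOWED_VERSIONS = {"TLSv1.2", "TLSv1.3"}

def classify_suite(name: str) -> tuple[str, str]:
    """Return (verdict, reason) for an IANA-style cipher-suite name.
    allow: (EC)DHE + AES-GCM or TLS 1.3 AES-GCM; review: FIPS-approved but not
    the preferred form (AES-CBC, static RSA); reject: must be disabled."""
    m = BANNED.search(name)
    if m:
        return "reject", f"uses {m.group(1)}"
    if name.startswith("TLS_AES_"):  # TLS 1.3 names carry no key-exchange part
        return ("allow", "TLS 1.3 AES-GCM") if "_GCM_" in name else ("review", "TLS 1.3 AES-CCM")
    if "_AES_" not in name:
        return "reject", "bulk cipher is not AES"
    if "DHE_" not in name:
        return "review", "static key exchange, no forward secrecy"
    if "_GCM_" not in name:
        return "review", "AES-CBC rather than AES-GCM"
    return "allow", "(EC)DHE key exchange with AES-GCM"

def audit_tls_config(min_version: str, suites: list[str]) -> list[str]:
    """Findings for one service: protocol floor plus every non-'allow' suite."""
    findings = []
    if min_version not in ALLOWED_VERSIONS:
        findings.append(f"minimum protocol {min_version} is below TLS 1.2")
    for s in suites:
        verdict, reason = classify_suite(s)
        if verdict != "allow":
            findings.append(f"{verdict}: {s} ({reason})")
    return findings

# Constructed sample of what a hardening export or scanner report for one
# CUI-facing web service might list; not taken from any real system.
SAMPLE_MIN_VERSION = "TLSv1.0"
SAMPLE_SUITES = [
    "TLS_AES_256_GCM_SHA384",                 # TLS 1.3 AES-GCM, fine
    "TLS_CHACHA20_POLY1305_SHA256",           # TLS 1.3 default, not FIPS-approved
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",  # the preferred form
    "TLS_RSA_WITH_AES_128_CBC_SHA",           # FIPS-approved algorithms, weak form
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",    # 3DES: disable
    "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",      # export-grade: disable
]

if __name__ == "__main__":
    print("\n".join(audit_tls_config(SAMPLE_MIN_VERSION, SAMPLE_SUITES)))
```

Note that TLS 1.3 stacks often enable ChaCha20-Poly1305 by default, so a FIPS mode or explicit TLS 1.3 suite list is needed to remove it, not just a TLS 1.2 cipher string.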

VPN: the remote access requirement

AC.L2-3.1.13 specifically requires encryption for remote access sessions using FIPS-validated cryptography. This is separate from SC.L2-3.13.11 but makes the same demand.

IKEv2 with AES-256-GCM and ECDH key exchange (P-256 or P-384) is the standard for FIPS-compliant VPN. Check that your VPN concentrator (Cisco ASA, Palo Alto GlobalProtect, Fortinet FortiGate) is configured for FIPS mode — most enterprise VPN products have a FIPS mode setting that restricts the available algorithms.

Email

Unencrypted email doesn't protect CUI in transit. If your organization sends CUI by email, you need one of the following:

  • TLS enforcement on your mail gateway (opportunistic TLS is not enough — require TLS for domains you regularly exchange CUI with, and use S/MIME or PGP for end-to-end protection)
  • Encrypted file transfer for CUI documents (ShareFile, Kiteworks, or a DoD-authorized portal rather than email attachments)

Sending CUI as an unencrypted email attachment is a finding under SC.L2-3.13.11. This is common and easy to miss during implementation if your email security policy doesn't specifically address CUI.

Physical media in transit

MP.L2-3.8.6 requires cryptographic mechanisms to protect CUI during transport when physical safeguards alone aren't sufficient. If you're shipping a drive containing CUI, it must be encrypted before it leaves your facility — even if it's in a locked case going via tracked overnight courier.

The Common Mistakes

Mistake 1: Relying on encryption that's "good enough" but not validated. VeraCrypt, 7-Zip with AES, and standard Zip encryption are widely used but not FIPS-validated. They may be appropriate for non-CUI data, but not for protecting CUI in a CMMC environment. The fix is simple: use BitLocker on Windows, FileVault on Mac, or FIPS-validated cloud encryption. Don't create parallel workflows.

Mistake 2: Having BitLocker enabled without FIPS mode. BitLocker without the FIPS policy setting may use XTS-AES-128 in a mode that doesn't fully comply with FIPS requirements. Enable the Group Policy setting. It takes five minutes and can be pushed via GPO to all machines.

Mistake 3: Treating S3 default encryption as your at-rest strategy without checking FedRAMP status. Commercial AWS (not GovCloud) S3 default encryption uses FIPS-validated algorithms, but the service itself is not FedRAMP-authorized in commercial regions. For CUI in AWS, the correct approach is AWS GovCloud with documented encryption settings. Commercial region storage of CUI requires a formal risk assessment and clear documentation.

Mistake 4: Forgetting email. Organizations put great effort into encrypting workstations and servers, then send CUI documents as unencrypted email attachments. Email is the most common vector for this gap. Review your email DLP (data loss prevention) settings and establish a policy for how CUI is transmitted externally.

Mistake 5: Not encrypting backup copies of CUI. SC.L2-3.13.8 applies to all storage of CUI — not just primary systems. Backup tapes, external drives used for backup, network-attached storage used as a backup target, and cloud backup buckets all count as CUI storage if they contain CUI data. Organizations commonly implement BitLocker on workstations and servers, then connect an unencrypted external drive for nightly backups, or configure a backup agent to write to a cloud bucket that doesn't have server-side encryption enabled. The requirement doesn't distinguish between primary and backup storage. Your backup medium is subject to the same FIPS-validated encryption requirement as your production systems. If you use a third-party backup service, verify it runs on a FedRAMP-authorized platform with documented FIPS-validated encryption — not just "secure cloud backup." Add your backup systems and media to your asset inventory and encryption documentation before your assessment.

Common Implementation Mistakes

The most frequent encryption finding: organizations use AES-256 but can't prove their specific implementation is FIPS-validated. Using a well-known algorithm isn't enough — the cryptographic module itself must appear in the NIST CMVP database with an active certificate. Check your exact software version against the validated modules list before your assessment, not during it.

Another common gap: encrypting CUI at rest on endpoints but transmitting it unencrypted between internal systems because "it's on our network." If CUI crosses a network segment, it needs FIPS-validated encryption in transit.

What Your Assessor Expects

Assessors examining encryption practices will:

For SC.L2-3.13.8 (at rest):

  • Review your list of systems storing CUI and verify encryption is enabled on each
  • Ask for the FIPS validation certificate number (CMVP certificate) for the encryption module
  • Verify FIPS mode is enforced (not just available) — for Windows, they'll look at Group Policy settings
  • Examine cloud storage configuration documentation

For SC.L2-3.13.11 (in transit):

  • Test TLS configuration on external-facing and internal CUI services
  • Review VPN configuration for FIPS-compliant algorithm selection
  • Ask about email handling procedures for CUI

The documentation you should have ready:

  • Encryption policy specifying FIPS requirements
  • Asset inventory showing which systems store CUI and what encryption each uses
  • CMVP certificate numbers for each cryptographic module (look them up at csrc.nist.gov/projects/cryptographic-module-validation-program)
  • Group Policy screenshots showing FIPS mode enabled on Windows systems
  • TLS configuration screenshots or server hardening documentation
  • VPN configuration showing FIPS-compliant algorithm selection

The CMVP lookup is often the step organizations skip. Your assessor will ask for it. Spend an hour before your assessment pulling the certificate numbers for BitLocker (Windows CNG), FileVault (Apple Corecrypto), and any cloud services you use. It's a documentation exercise, not a technical one — but skipping it creates unnecessary friction during the assessment.

---

For specific guidance on cloud storage, see Encrypting CUI in Cloud Storage: What the Rules Require. For how asymmetric cryptography fits into the broader picture, see Asymmetric Encryption for CMMC: Public-Key Cryptography Explained.