NIST 800-171 Requirements for Validated Cryptographic Modules

While the Cybersecurity Maturity Model Certification (CMMC) was experiencing growing pains, SafeLogic was working behind the scenes to produce a whitepaper that would properly distill the associated requirements for encryption into easily-digestible content. After many drafts, much discussion, and then an unplanned firedrill late in the game to reflect the broad changes made in CMMC 2.0, we have succeeded.

We took into consideration all of the rumors and official messaging as it was released by the CMMC Accreditation Board (CMMC-AB) and determined early in the process that our whitepaper should be focused on the strict controls in NIST 800-171. While CMMC was intended to cover significantly more, the nuts and bolts of the cryptographic requirements were inherited directly from 800-171 and we embraced the NIST standard as the bedrock of our paper as well. As with most federal programs, the cryptographic prerequisites are well entrenched due to NIST’s significant efforts with the FIPS 140 publications and investment in the Cryptographic Module Validation Program (CMVP).

We are proud to publish this whitepaper that gets to the point, will remain accurate even as process maturity is added back into the mix, and is relevant to the thousands of companies in the Defense Industrial Base affected by CMMC. Whether you are evaluating software solutions to keep your operations in compliance, self-attesting and uploading to SPRS, or preparing for an on-site audit, the requirement for FIPS 140 Validated encryption is clear and explicit. We’ll explain why and how to align fully with the controls.

Many thanks to our partner in the development of this paper - Kratos Defense was the first firm to be authorized by the CMMC-AB and their expertise reflects that priority status. We can recommend Kratos without hesitation if you find yourself requiring the services of a C3PAO!

And now, to the whitepaper itself…