Learn More About CMMC and NIST SP 800-171 Requirements for FIPS 140 Validated Cryptography Modules

Data encryption is a fundamental security control, popular for mitigating the impact that a data breach has on an organization. By making data unusable to anyone without the decryption key, encryption provides an additional layer of depth to an organization’s defensive posture. If threat actors manage to evade detection and exfiltrate data, they need the appropriate decryption key to use it, rendering their efforts moot and discouraging further activity.

As members of the Defense Industrial Base (DIB) seek to meet CMMC compliance requirements, they need to employ cryptographic best practices for securing information.

Under CMMC 2.0, NIST SP 800-171 is now the primary set of compliance requirements for setting minimum security baselines. Data encryption is featured prominently among those requirements, and 800-171 references another NIST publication, the FIPS 140 standard, for specific governance.

Organizations that need to comply with CMMC Level 2 or higher should understand:

  • The intersection between NIST SP 800-171, the FIPS 140 standard for cryptography, and CMMC controls

  • CMMC Practices that directly reference encryption requirements

  • CMMC Level 2 and 3 compliance requirements for FIPS 140 validation

  • The distinction between FIPS Validated and FIPS Compliant encryption

  • The process to achieve FIPS 140 validation with recommended strategies