Employ FIPS-validated cryptography when used to protect the confidentiality of “Controlled Unclassified Information” (CUI).

It is not adequate to use a NIST-recommended algorithm, such as AES, unless the developer’s implementation of the algorithm has also been validated. FIPS-validated cryptography is not required for all information, only the protection of CUI.

When encrypting computers, servers, backup drives, and removable storage devices that contain CUI, ensure that FIPS validated cryptography is used. Microsoft Bitlocker and Mac FileVault are examples of FIPS validated cryptographic solutions. Ensure that your VPN appliance and WiFi access points used FIPS validated cryptography. Check with the device manufacturers to verify.