Enable System Cryptography: Use FIPS compliant algorithms

A.Elrayes 186 Reputation points

Hi Team,

I need to apply CMMC SC.L2-3.13.11, which is related to BitLocker encryption.

BitLocker is already configured, the encryption is AES, and the settings are enforced from Microsoft Endpoint Manager.

But I found an article about enabling FIPS-compliant algorithms from local policy, related to SC.L2-3.13.11.

I need to know whether it is mandatory to enable it, and whether any issue will occur if I enable it.


Accepted answer

Limitless Technology 43,966 Reputation points

Hello A.Elrayes,

Initially this implementation is related to specific requirements of compliance, mostly for government organizations within the US. Unless there is a compliance requirement in your organization it is not mandatory to be installed.

NIST SP 800-171 is a NIST Special Publication that provides recommended requirements for protecting the confidentiality of controlled unclassified information (CUI). Defense contractors must implement the recommended requirements contained in NIST SP 800-171 to demonstrate their provision of adequate security to protect the covered defense information included in their defense contracts, as required by DFARS clause 252.204-7012. If a manufacturer is part of a DoD, General Services Administration (GSA), NASA or other federal or state agencies' supply chain, the implementation of the security requirements included in NIST SP 800-171 is a must.

There should be no issue expected after enabling, since it only specifies an encryption standard to be used specifically. BitLocker is FIPS-validated, but it requires a setting before encryption that ensures that the encryption meets the standards set forth by FIPS 140-2.

To enable, the machine needs to be decrypted (read as: drives unencrypted and BitLocker disabled), then:

1. Open Local Security Policy as administrator.

2. Navigate to Local Policies => Security Options.

3. Set "System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" to Enabled.

4. Then, encrypt the machine using BitLocker.

--If the reply is helpful, please Upvote and Accept as answer--

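As an added example (not part of the thread above, and not Microsoft's own tooling), the following PowerShell reports the two facts an administrator needs before following the accepted answer's steps: whether the "System cryptography: Use FIPS compliant algorithms" policy is already on, and whether each BitLocker volume is fully decrypted. It assumes the policy is backed by the `Enabled` value under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy` (1 = enabled) and that the built-in BitLocker PowerShell module is present; run it in an elevated session.

```powershell
# Added example: inventory FIPS policy state and BitLocker volume state
# before changing the policy and re-encrypting, as the accepted answer describes.
# Assumption: the Local Security Policy setting is stored as the DWORD
# FipsAlgorithmPolicy\Enabled (1 = enabled).

function Get-FipsPolicyState {
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $value = Get-ItemProperty -Path $key -Name 'Enabled' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        FipsEnabled = ($null -ne $value -and $value.Enabled -eq 1)
        RegistryKey = $key
    }
}

function Get-BitLockerReadiness {
    # Get-BitLockerVolume comes from the BitLocker module shipped with Windows 10/11 and Server.
    Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            MountPoint           = $_.MountPoint
            VolumeStatus         = $_.VolumeStatus       # FullyDecrypted, FullyEncrypted, ...InProgress
            EncryptionMethod     = $_.EncryptionMethod   # e.g. XtsAes256, Aes256, None
            ProtectionStatus     = $_.ProtectionStatus   # On / Off
            # The accepted answer requires decrypted drives before the policy is changed.
            ReadyForPolicyChange = ($_.VolumeStatus -eq 'FullyDecrypted')
        }
    }
}

$fips = Get-FipsPolicyState
Write-Host "FIPS policy enabled: $($fips.FipsEnabled)  ($($fips.RegistryKey))"

$volumes = Get-BitLockerReadiness
$volumes | Format-Table -AutoSize

$blocking = $volumes | Where-Object { -not $_.ReadyForPolicyChange }
if (-not $fips.FipsEnabled -and $blocking) {
    Write-Warning ("Encrypted volumes present ({0}); decrypt them (Disable-BitLocker -MountPoint <drive>) " +
                   "before enabling the FIPS policy, then re-encrypt with Enable-BitLocker." -f
                   (($blocking.MountPoint) -join ', '))
}
```

Two practical notes: the same policy can be pushed by Intune/Endpoint Manager or Group Policy rather than set locally, in which case the registry value above still reflects the effective state; and because the policy also restricts other Windows cryptographic APIs, .NET applications that use the managed (non-CNG) hash classes such as `SHA256Managed` fail with an exception once it is enabled, so test line-of-business software on a pilot device before rolling the setting out.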