Enable System Cryptography: Use FIPS compliant algorithms

A.Elrayes 186 Reputation points
2023-02-01T12:20:46.5833333+00:00

Hi Team,

I need to apply CMMC SC.L2-3.13.11, which is related to BitLocker encryption.

BitLocker is already configured, the encryption is AES, and the settings are enforced from Microsoft Endpoint Manager.

But I found an article about enabling FIPS compliance from local policy, related to SC.L2-3.13.11:
https://cui.gatech.edu/3-13-11-bitlocker-setup/

I need to know whether it is mandatory to enable it, and whether any issue will occur if I enable it.

Thanks.

Tags: Windows 10, Windows Server

Accepted answer
  1. Limitless Technology 44,121 Reputation points
    2023-02-02T17:21:18.8533333+00:00

    Hello A.Elrayes,

    Initially, this implementation is related to specific compliance requirements, mostly for government organizations within the US. Unless there is a compliance requirement in your organization, it is not mandatory to enable it.

    NIST SP 800-171 is a NIST Special Publication that provides recommended requirements for protecting the confidentiality of controlled unclassified information (CUI). Defense contractors must implement the recommended requirements contained in NIST SP 800-171 to demonstrate their provision of adequate security to protect the covered defense information included in their defense contracts, as required by DFARS clause 252.204-7012. If a manufacturer is part of a DoD, General Services Administration (GSA), NASA or other federal or state agencies’ supply chain, the implementation of the security requirements included in NIST SP 800-171 is a must.

    There should be no issue expected after enabling it, since it only specifies that a particular encryption standard be used. BitLocker is FIPS-validated, but it requires a setting before encryption that ensures that the encryption meets the standards set forth by FIPS 140-2.

    To enable it, the machine needs to be decrypted (read as: drives unencrypted and BitLocker disabled), then:

    Open Local Security Policy as administrator

    Navigate to Local Policies => Security Options

    Set "System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" to Enabled

    Then, encrypt the machine using BitLocker

    --If the reply is helpful, please Upvote and Accept as answer--

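The same procedure as the accepted answer describes, scripted so it can be audited and repeated across machines. This is an added example, not code from the original thread or from Microsoft's documentation. It assumes an elevated PowerShell session on the target machine, that the OS volume is C: (adjust `$Drive`), and that a TPM is present for the key protector. The "System Cryptography: Use FIPS compliant algorithms" policy is backed by the `Enabled` DWORD under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy`, so the script reads and sets that value directly rather than clicking through Local Security Policy; the check that the volume is `FullyDecrypted` before changing the policy enforces the "decrypt first" step from the answer.

```powershell
# Added example (not from the original post): check that the volume is
# decrypted, enable the FIPS algorithm policy, then encrypt with BitLocker.
# Run from an elevated PowerShell prompt on the machine being configured.

$FipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$Drive   = 'C:'   # assumption: the OS volume to be encrypted

# Returns $true when the "Use FIPS compliant algorithms" policy is in effect.
function Get-FipsPolicyState {
    $v = Get-ItemProperty -Path $FipsKey -Name Enabled -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.Enabled -eq 1)
}

# Equivalent to setting the Local Security Policy option to Enabled.
function Enable-FipsPolicy {
    if (-not (Test-Path $FipsKey)) { New-Item -Path $FipsKey -Force | Out-Null }
    Set-ItemProperty -Path $FipsKey -Name Enabled -Value 1 -Type DWord
}

# 1. The policy must be in place before encryption, so refuse to continue
#    unless the volume is fully decrypted (the answer's "decrypt first" step).
$vol = Get-BitLockerVolume -MountPoint $Drive
if ($vol.VolumeStatus -ne 'FullyDecrypted') {
    Write-Warning ("{0} is '{1}' with protection '{2}'. Decrypt it first " +
        "(Disable-BitLocker -MountPoint {0}) and wait for FullyDecrypted." -f
        $Drive, $vol.VolumeStatus, $vol.ProtectionStatus)
    return
}

# 2. Enable the FIPS policy; idempotent so the script can be re-run safely.
if (Get-FipsPolicyState) {
    Write-Host 'FIPS algorithm policy is already enabled.'
} else {
    Enable-FipsPolicy
    Write-Host "FIPS algorithm policy enabled: $(Get-FipsPolicyState)"
}

# 3. Add a recovery password before turning encryption on, so the recovery
#    key exists (and can be escrowed) from the first moment the drive is locked.
Add-BitLockerKeyProtector -MountPoint $Drive -RecoveryPasswordProtector | Out-Null

# 4. Encrypt with the TPM as the unlock protector. XtsAes256 is one of the
#    AES options BitLocker offers; pick whichever your Endpoint Manager
#    policy already mandates so the local setting and the enforced one agree.
Enable-BitLocker -MountPoint $Drive -EncryptionMethod XtsAes256 `
    -TpmProtector -SkipHardwareTest

# 5. Report the resulting state as evidence for the SC.L2-3.13.11 assessment.
Get-BitLockerVolume -MountPoint $Drive |
    Select-Object MountPoint, EncryptionMethod, VolumeStatus, ProtectionStatus,
        @{ n = 'KeyProtectors'; e = { $_.KeyProtector.KeyProtectorType -join ',' } }
```

Two caveats a practitioner would want before rolling this out. First, if the same policy is also delivered by Group Policy or Endpoint Manager, the managed setting will reassert itself on the next policy refresh, so set it centrally rather than only with this script. Second, the policy is system-wide, not BitLocker-specific: on .NET Framework, managed cryptographic classes that are not FIPS-validated (the `*Managed` implementations, for example) throw when this policy is on, so test any in-house applications on a pilot machine before enabling it fleet-wide.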

0 additional answers