CMMC Level 2 Controls
CMMC Encryption Requirements: Every Control, Its Point Value, and What “FIPS-Validated” Actually Means
If a new solicitation, a prime’s flow-down, or a nervous IT provider just put the phrase “FIPS-validated encryption” in front of you, here’s the short version before you spend a dollar. CMMC encryption requirementsare not one blanket order to encrypt everything. They’re a cluster of about ten Level 2 controls that switch on depending on where your protected data actually lives and moves. And the single control that trips up the most contractors isn’t technically hard to build — it’s easy to prove wrong.
Bottom line: For contractors that handle Controlled Unclassified Information (CUI), CMMC Level 2 adopts NIST Special Publication 800-171 Revision 2, which requires FIPS-validated cryptography whenever encryption is used to protect the confidentiality of CUI— across data in transit, data at rest, mobile devices, removable media, wireless, and remote access. What changes the answer for you: your CUI scope, your cloud environment, and whether you can actually prove the module is validated.
We read the actual sources — 32 CFR Part 170, NIST SP 800-171 Rev. 2, and the DoD’s own CMMC FAQ — and cross-checked every claim. Several pages currently ranking for this term contain real errors: one uses retired control numbers, another states the point penalty for the key FIPS control backwards. This is the version we’d hand a client the morning they found the clause.
Which category fits — and which doesn’t
Encryption is where “which vendor do I call?” gets confusing, because the answer depends on what you’re actually trying to fix:
- You need to implement encryption: turn on FIPS mode, configure BitLocker/VPN/TLS, stand up an enclave → a readiness partner: an RPO/RP (Registered Provider Organization / Registered Practitioner), a CMMC-focused MSSP (Managed Security Service Provider), or a Microsoft Government cloud implementer.
- You need to document and prove it: SSP entries, CMVP certificate numbers, POA&M tracking → a GRC platform as a supporting layer — not as your whole solution.
- You need to shrink what's in scope: so fewer systems touch CUI → a CUI enclave / secure collaboration environment.
- You're assessment-ready and need the formal check: → a C3PAO (Certified Third-Party Assessment Organization). They assess; they don't implement the same environment they later grade.
- You're not sure which of these you are: → start with the tool below, not a sales demo.
The 60-second verdict
| The question you’re really asking | Straight answer | Where it comes from |
|---|---|---|
| Does CMMC require encryption? | Yes, in specific Level 2 situations — not as one universal "encrypt everything" command. | NIST SP 800-171 Rev. 2 |
| Does CMMC require FIPS validation? | Yes, whenever encryption is used to protect the confidentiality of CUI. | SC.L2-3.13.11 |
| Does CUI at rest always require encryption? | It requires confidentiality protection. Encryption is the usual method, but the control text allows other mechanisms in some settings. | SC.L2-3.13.16 |
| Is AES-256 enough? | No — not by itself. The module running AES-256 has to be FIPS-validated (on NIST's CMVP list). | NIST CMVP |
| Is encrypted CUI still CUI? | Yes. Encryption does not "decontrol" data — it stays CUI until formally decontrolled. | DoD CMMC FAQ (B-Q8) |
| Can encrypted CUI sit in ordinary commercial cloud? | No — not just because it's encrypted. A cloud service handling CUI must meet FedRAMP Moderate (or equivalent). | DFARS 252.204-7012 / CMMC FAQ (E-Q1, E-Q2) |
What are the CMMC encryption requirements, in plain English?
CMMC doesn’t say “encrypt your company.” It asks a narrower question: wherever CUI is, or wherever it travels, is its confidentiality protected — and if you’re using cryptography to do that, is the cryptography actually validated?
A quick note on how these control numbers work. A practice ID like SC.L2-3.13.11 breaks down as: the domain (SC = System and Communications Protection), the level (L2 = Level 2), and the underlying NIST SP 800-171 requirement number (3.13.11). Once you see the pattern, the whole list gets readable fast.
CMMC Level 2 pulls in all 110 security requirements from NIST SP 800-171 Rev. 2, organized into 14 control families. About ten of those touch cryptography. We mapped every one below — with the exact points at stake and whether you can defer them — because no single official page hands a contractor that in one place.
Which CMMC level actually has encryption requirements?
This matters more than it looks. We regularly see small suppliers over-scope themselves — buying Level 2 encryption tooling before confirming they even handle CUI. Per 32 CFR Part 170, Level 1’s baseline is FAR 52.204-21 (FCI only), Level 2’s baseline is identical to NIST SP 800-171 Rev. 2 (CUI), and Level 3 adds a subset of NIST SP 800-172 on top. Our full breakdown lives in the CMMC levels guide.
One correction worth making early: you’ll see some pages say Level 1 has “17 controls.” Under the current CMMC rule, Level 1 is 15 requirements— the “17” is a holdover from the retired CMMC 1.0 model. If a source is still using CMMC 1.0 numbers, treat everything else on that page with caution too.
One more thing you should not have to relearn later: CMMC Level 2 is still assessed against NIST SP 800-171 Revision 2, not Revision 3. The DoD’s own CMMC FAQ confirms it plans to incorporate Rev. 3 through future rulemaking and issued a class deviation to keep Rev. 2 as the standard you’re assessed againstuntil Rev. 3 is folded into the rule. You can start modernizing toward Rev. 3, but the bar you’re graded on today is Rev. 2.
The complete CMMC Level 2 cryptography footprint (with point values and POA&M rules)
Before the table, two definitions: SPRS (Supplier Performance Risk System) is the DoD system where your score and CMMC status are posted, and a POA&Mlets you defer certain eligible gaps and still earn a Conditional status — but only within strict limits. Under 32 CFR 170.24, every Level 2 requirement is worth 1, 3, or 5 points if not met (you start at 110 and subtract). Under 32 CFR 170.21, only 1-point requirements can go on a POA&M— with one narrow encryption exception. To earn even a Conditional CMMC status you must score at least 88 of 110, have your SSP in place, and close all POA&M items within 180 days.
| Control (CMMC ID) | NIST 800-171 R2 | What it requires | Points off if not met | Can it go on a POA&M? |
|---|---|---|---|---|
| SC.L2-3.13.11 | 3.13.11 | Use FIPS-validated cryptography when encryption protects CUI confidentiality (the umbrella control) | 5 (no encryption) / 3 (encryption used, not FIPS-validated) | Only the “used but not FIPS-validated” (−3) case |
| AC.L2-3.1.13 | 3.1.13 | Cryptographic mechanisms to protect the confidentiality of remote access sessions | 5 | No |
| AC.L2-3.1.17 | 3.1.17 | Protect wireless access using authentication and encryption | 5 | No |
| IA.L2-3.5.10 | 3.5.10 | Store and transmit only cryptographically-protected passwords | 5 | No |
| AC.L2-3.1.19 | 3.1.19 | Encrypt CUI on mobile devices and mobile computing platforms | 3 | No |
| SC.L2-3.13.8 | 3.13.8 | Cryptographic mechanisms to prevent disclosure of CUI in transmission (unless otherwise physically protected) | 3 | No |
| SC.L2-3.13.16 | 3.13.16 | Protect the confidentiality of CUI at rest | 1 | Yes* |
| SC.L2-3.13.10 | 3.13.10 | Establish and manage cryptographic keys for cryptography used in the system | 1 | Yes* |
| MP.L2-3.8.6 | 3.8.6 | Cryptographic mechanisms to protect CUI on digital media during transport (unless otherwise physically protected) | 1 | Yes* |
| MP.L2-3.8.9 | 3.8.9 | Protect the confidentiality of backup CUI at storage locations | 1 | Yes* |
Takeaway 1: Most of your encryption exposure can’t be deferred.
Six of these controls are worth 3 or 5 points, which means they must be fully met on assessment day — no POA&M safety net. If your remote access, wireless, mobile, transmission, or password-hashing crypto is weak, that’s a fix-before-assessment item, not a fix-later one.
Takeaway 2: The FIPS control has a strange, important quirk — and the internet keeps getting it backwards.
For SC.L2-3.13.11, 32 CFR 170.24 says: if encryption is employed but not FIPS-validated, you lose 3 points— and you may put it on a POA&M. If encryption is not employed at all, you lose 5 points— and you may notPOA&M it, so it blocks Conditional status outright. Read that twice. Running non-validated encryption is actually a better and more recoverableposition than running none. We’ve seen at least one widely shared page state the opposite; the regulation is unambiguous.
Takeaway 3: The math is tighter than “just hit 88.”
You only have 22 points of margin, most crypto controls can’t be deferred, and a missing System Security Plan is a hard stop on its own. Encryption gaps eat that margin fast. More on the scoring math in our CMMC Final Rule guide.
Map your CMMC encryption scope before you buy tools
Reading the table is one thing. Knowing which of these ten controls apply to yourenvironment — and where your points are actually at risk — is another. Use The Defense Compliance Report’s Find My CMMC Path tool: tell us where your CUI lives and moves (email, file shares, laptops, backups, remote access, cloud, removable media, wireless), and it returns the applicable controls, your CMMC scoring exposure, POA&M eligibility, an evidence checklist, and the provider category that usually fits.
What “FIPS-validated” actually means (and why AES-256 isn’t enough)
Here’s the distinction in plain terms:
- FIPS-approved algorithm — a math standard (AES is defined in FIPS 197). Necessary, but not sufficient.
- FIPS-validated module — the actual implementation of that algorithm, tested by an accredited lab and listed by the CMVP with a certificate. This is what the rule requires.
- "FIPS compliant" / "FIPS capable" — marketing language. It often means "could be configured to use approved algorithms," which is not the same as validated. It is not evidence.
Why does NIST care so much about the module and not just the algorithm? Because NIST’s CMVP treats non-validated cryptography as providing no protection at all — in effect, the data is considered unprotected plaintext. That single sentence is why an assessor won’t accept “we use AES-256.” From the government’s point of view, un-validated AES is the same as no encryption.
Two concrete examples we see constantly:
BitLocker — sometimes yes
Windows disk encryption relies on the Windows CNG cryptographic library, which doeshold CMVP certificates — but you must confirm the exact module version and that it’s running in the validated configuration. “BitLocker is on” is not the same as “our validated module is deployed and documented.”
VeraCrypt — no
Uses AES-256 and is not on the CMVP validated list. Same algorithm, wrong answer for CMMC. The lesson: verify the module and version you’ve actually deployed, not the product name on the box.
How to verify a module — and what to record
Go to the NIST CMVP Validated Modules Search, find the module (not just the product), and match it to a certificate. If you can’t match your deployed module, version, operating environment, and configuration to a validation certificate, treat that as a remediation or evidence gap until your vendor, RP/RPO, or assessor resolves it. What to capture from CMVP for each encryption product that touches CUI:
- Certificate number
- Module name and vendor
- Version
- Operational environment
- Validation standard (FIPS 140-2 or 140-3)
- Status (Active / Historical / Revoked)
- Date you checked
- Where it's used in your environment
FIPS 140-2 vs FIPS 140-3 — and the September 21, 2026 sunset
NIST CMVP states that FIPS 140-2 validations move to the Historical list on September 21, 2026. Modules on the Historical list may continue to be used for existing systems; FIPS 140-2 active modules can be used for newsystems only through that date. They are not revoked — but that date lands about seven weeks before CMMC Phase 2 begins.
Two dates worth putting on the same calendar line: the FIPS 140-2 sunset (September 21, 2026) and the start of CMMC Phase 2 (November 10, 2026), when the DoD begins including Level 2 (C3PAO) certification requirements in applicable solicitations. The practical read: inventory your modules now and plan your move to FIPS 140-3 before the two deadlines collide.
Before you rip out a platform over FIPS, map your actual exposure — you may need to reconfigure and document far more than you need to replace. If it’s beyond your team, get matched with readiness or enclave provider categories via Find My CMMC Path.
Which CUI must be encrypted in transit?
“In transit” is broader than most people assume. It covers CUI moving across the public internet, partner portals, secure file transfer (SFTP), VPN tunnels, APIs, and email. And it does not automatically stop at your office walls. A common and expensive assumption is “our network is internal, so we’re fine.” The control is about where CUI travels, not who owns the wire.
Common implementations include FIPS-validated TLS, VPN, and secure file-transfer paths (TLS 1.2 or 1.3 with approved cipher suites is typical) — but 3.13.8 itself doesn’t prescribe a specific protocol. What matters at assessment is that your evidence ties the deployedcryptographic module, its configuration, and your CUI data flow back to 3.13.8 and 3.13.11. The rare exception — “alternative physical safeguards” — is real but narrow (think a protected distribution system). For the vast majority of contractors, the answer is yes.
What must be protected at rest — and does that always mean encryption?
“At rest” is everywhere CUI sits: file shares, laptops and desktops, servers, databases, email archives, backups, and engineering systems like CAD/CAM. For most of those, encryption through a FIPS-validated module is the answer that’s easiest to prove. The point isn’t to find a loophole — it’s to map where CUI actually rests and choose the right protection for each location, then document it in your system security plan.
The scenario-to-evidence-to-provider map
| Where your CUI is / what you’re doing | Governing control | What it actually requires | FIPS-validated needed? | Evidence to have ready | Common mistake | Category that usually helps |
|---|---|---|---|---|---|---|
| FCI only, no CUI | Level 1 (FAR 52.204-21) | Not the Rev. 2 encryption cluster — confirm CUI is truly absent | Usually no (as a Level 1 requirement) | Contract review, FCI scope statement, Level 1 self-assessment | Buying Level 2 tools before confirming you handle CUI | RPO/RP for scoping if unsure |
| CUI moving over networks | SC.L2-3.13.8 | Encrypt CUI in transit (internal and external) unless physically protected | Yes | Data-flow diagram, TLS/VPN/SFTP configs, logs, CMVP cert details | "It's our internal network, so we're fine" | RPO/RP + MSSP |
| CUI stored (at rest) | SC.L2-3.13.16 | Protect confidentiality of stored CUI (encryption or other mechanisms) | Yes, when crypto is the mechanism | Asset inventory, storage locations, encryption/backup configs, SSP mapping | "Full-disk encryption everywhere" without mapping where CUI sits | RPO/RP + MSSP + GRC |
| Any CUI encryption | SC.L2-3.13.11 | The module must be FIPS-validated | This is the FIPS trigger | CMVP certificate, module name/version, FIPS mode evidence, config | Treating AES-256 or "FIPS compliant" as enough | RPO/RP + MSSP; vendor verification |
| Encryption key management | SC.L2-3.13.10 | Establish and manage the keys your crypto uses | Depends on the protected data; evidence still required | KMS/HSM config, rotation policy, access list, custody model, offboarding | Encrypting data but leaving key custody undocumented | MSSP + cloud/enclave architect |
| Remote access / VPN | AC.L2-3.1.13 | Encrypt remote access sessions | Yes | VPN/ZTNA/gateway config, approved methods, logs | Equating MFA with encrypted remote access | MSSP |
| Wireless | AC.L2-3.1.17 | Authenticate and encrypt wireless access | Yes | WLAN configs, auth method, segmentation, guest isolation | Letting CUI devices ride ordinary office Wi-Fi with thin evidence | MSSP |
| Laptops / phones / tablets | AC.L2-3.1.19 | Encrypt CUI on mobile devices | Yes | MDM policy, device encryption status, conditional access, lost-device procedure | "BitLocker/FileVault is on" with no module/version/FIPS evidence | MSSP + endpoint specialist |
| USB / external drives in transport | MP.L2-3.8.6 | Encrypt CUI on media during transport unless physically protected | Yes | Removable-media policy, approved encrypted media, transport controls, certs | Allowing unmanaged USBs "because they're temporary" | RPO/RP + MSSP |
| Backups | MP.L2-3.8.9 | Protect confidentiality of backup CUI | Yes, when encryption is the mechanism | Backup configs, encrypted media/targets, restore tests, SSP entry | Encrypting production but backing up to an unencrypted target | MSSP + GRC |
| CUI in cloud | DFARS 252.204-7012 + CMMC FAQ | Cloud handling CUI must meet FedRAMP Moderate (or equivalent) | Yes for encryption; FedRAMP is a separate requirement | FedRAMP authorization/equivalency evidence, shared-responsibility matrix, data-flow map, SSP section | "It's encrypted, so commercial cloud is fine" | CUI enclave / cloud architect + RPO/RP |
| Email / file sharing | SC.L2-3.13.8, 3.13.16, 3.13.11 | Transit + at rest + FIPS + endpoint caching + key custody, all at once | Yes | Platform configs, provider matrix, CMVP certs, mail-flow logs | "TLS email = CMMC-compliant email" | Secure collaboration / CUI enclave |
Once you can see which rows are yours, the next move is matching each gap to the right category — readiness/MSSP for implementation, GRC for evidence, an enclave for scope reduction.
What evidence will assessors actually ask for?
| Evidence item | Why it matters |
|---|---|
| CUI data-flow diagram | Shows where the encryption controls apply — the backbone of everything else |
| System boundary / scope diagram | Defines what's in the assessment and what isn't |
| CMVP certificate details | Proves module validation, not marketing language |
| Module name, version, and operating environment | Prevents a mismatch between the certificate and what's actually deployed |
| Configuration screenshots | Shows the feature is enabled in the assessed environment, not just available |
| Logs / audit records | Shows the control operates, not just that it was designed |
| SSP section per control | Ties each implementation to the assessed system |
| Shared-responsibility matrix (for cloud/MSP) | Shows what a provider owns versus what you still own |
Two habits save the most pain here. First, capture the module versionalongside the certificate — CMVP validations are tied to specific versions, and a routine update can push you past the validated build. Second, write your SSP to what you can prove, not to what you hope. Overclaiming in the SSP is how a design gap becomes a credibility gap.
Does encrypting CUI take it out of scope?
This is the single most expensive myth in CMMC scoping, and the DoD has shut the door on it in writing. Per the DoD CMMC FAQ (v5):
- Encrypted CUI is still CUI (B-Q8).Encryption does not “decontrol” data. If a file contains CUI, it stays in scope even when encrypted — a point the DoD added and reinforced across its late-2025 and 2026 FAQ revisions.
- Encryption alone is not logical separation.You cannot encrypt a file and declare it out of scope. Real separation comes from segmentation, firewall and routing policy, VLANs, VPN architecture, access controls, and key management — not from ciphertext by itself.
- But encrypted CUI can traverse otherwise out-of-scope systems.If your CUI enclave relies on enterprise networking components outside the enclave, and all CUI is properly encrypted before it leaves, you don’t automatically have to pull those enterprise components into scope — provided the enclave is genuinely, logically separated. Encryption plus a defensible boundary; not encryption instead of one.
There’s a related nuance most contractors miss. A VDI (Virtual Desktop Infrastructure)endpoint can stay out of scope only if CUI never lands on it — the session is limited to keyboard, video, and mouse, with no local copy, save, print, or screenshot, and separate multifactor authentication to reach the desktop. It’s a real path to avoid turning every laptop into a CUI asset, but only if the configuration actually enforces “no local CUI.”
Can encrypted CUI live in commercial cloud, email, or file-sharing tools?
| The question | Encryption answer | Cloud / FedRAMP answer | What to have ready |
|---|---|---|---|
| Is the CUI protected in transit and at rest? | Yes — via FIPS-validated cryptography (SC.L2-3.13.8, 3.13.16, 3.13.11) | Doesn't change this obligation | CMVP certificate details, configs |
| Can this cloud service hold CUI at all? | Encryption alone doesn't answer this | The service must be FedRAMP Moderate-authorized or meet DoD's FedRAMP Moderate-equivalency requirements | FedRAMP authorization/equivalency evidence, authorized-boundary list |
| Who can decrypt the CUI? | Key custody is your call | FedRAMP status doesn't decide this | Key generation/rotation/revocation/recovery docs, shared-responsibility matrix |
Commercial Microsoft 365 is generally not sufficient for CUI. Contractors commonly move to Microsoft 365 GCC High (built for the Defense Industrial Base, including export-controlled data), Microsoft 365 GCC, or build enclaves in AWS GovCloud or Azure Government. Which one fits depends on your CUI categories, ITAR exposure, and budget — and before you procure, verify the specific offering’s FedRAMP Moderate authorization (or documented equivalency) and which features sit inside the authorized boundary. We compare the trade-offs in our GCC High for CMMC guide.
Key ownership is its own decision. Even on FedRAMP-authorized infrastructure, assessors look at who can decrypt your CUI. Provider-managed keys leave the provider technically able to decrypt. “Customer-managed” keys (BYOK) still often leave the provider with access. Customer-owned keys— where only you hold them — give the cleanest evidence that you control CUI access. Whatever model you choose, document who can decrypt, and who controls key generation, rotation, revocation, and recovery.
Verify vendors before you procure — questions that matter
| Ask the provider | Why it matters |
|---|---|
| Will this service process, store, or transmit our CUI? | Determines whether it's in CUI scope at all |
| What exact FedRAMP authorization or equivalency evidence applies? | Encryption doesn't replace the cloud requirement |
| What cryptographic module protects the CUI, and what's the CMVP certificate? | Cuts through "FIPS compliant" ambiguity |
| Who holds the encryption keys? | Affects scope, custody, and evidence |
| What does the shared-responsibility matrix say we still own? | Prevents false reliance on the vendor |
| Which specific features are inside the authorized boundary? | Prevents using uncovered features by accident |
Because email is the single most confused encryption workflow — it hits transit, at rest, endpoint caching, and key custody all at once — we keep the deep, provider-by-provider analysis on our dedicated CUI email encryption for CMMC page. The one-line version: TLS email is not the same as CMMC-compliant CUI email.
Can you put FIPS encryption (SC.L2-3.13.11) on a POA&M?
Per 32 CFR 170.21, a Level 2 POA&M is limited to 1-point requirements, except SC.L2-3.13.11 may be included onlywhen encryption is present but not yet FIPS-validated. “We plan to encrypt later” is not that exception — that’s the 5-point, non-deferrable version.
- A POA&M is not a comfort blanket. To even qualify for Conditional status you need at least 88 of 110, and every open item must close within 180 days, confirmed by a closeout assessment. Miss the window and the conditional status lapses.
- This should never be your plan. The narrow FIPS exception exists for genuine, temporary situations — not as a strategy for deferring the control. There's also a separate concept in the rule for a temporary deficiency (32 CFR 170.4(b)) — for example, when a patch invalidates a module that was validated — which can be documented in an operational plan of action. That's a real safety valve, but it's for after implementation, not instead of it.
- The 88 floor is a floor, not a goal. Primes increasingly screen subcontractors on their actual score, and an 88 with encryption gaps invites follow-up questions. Aim higher than the minimum.
The most common CMMC encryption mistakes
- 1"AES-256 means we're good." Match your deployed module to a CMVP certificate and record certificate/version/config.
- 2"FIPS mode is enabled, so we're validated." FIPS mode restricts algorithms; still confirm the module carries a current CMVP validation.
- 3"Encrypted CUI isn't CUI anymore." It stays CUI until formally decontrolled — CMMC FAQ B-Q8.
- 4"It's encrypted, so commercial cloud is fine." DFARS 252.204-7012 requires FedRAMP Moderate (or equivalent) for any cloud handling CUI.
- 5"TLS email covers our email CUI." Protect the message and attachments end to end, not just the transport channel.
- 6"Mobile devices are out of scope because we use MDM." Document validated encryption of CUI on the device (AC.L2-3.1.19), not just MDM enrollment.
- 7"The vendor has a compliance page, so we're compliant." Their capability isn't your implementation or your evidence — map it to your assessed system.
- 8"We'll POA&M FIPS later." Only the "employed but not validated" case is deferrable; "no encryption" is a hard blocker.
What should you do first — and who should help?
- 1Confirm FCI vs CUI. Read the contract and the clauses. The clause sets your level — not a checklist, and not an assumption.
- 2Map every CUI flow — in transit, at rest, mobile, removable media, remote access, wireless, and cloud.
- 3Match each flow to its control, and decide where encryption is the mechanism versus where other safeguards carry the load.
- 4Verify FIPS modules on the CMVP list before you procure anything.
- 5Choose the right category for the gaps you actually have.
This last step is what we call The CMMC Path Framework— the logic that maps your required level, FCI vs CUI handling, assessment type, IT and cloud environment, and contract timeline to the category of provider you need. It routes you to a category, not a named vendor, and it is not a score, a ranking, or compliance advice. See our full provider-category comparison and cost ranges so you can budget before you call anyone.
| Your situation | Better first category | Why |
|---|---|---|
| “You don't know where CUI lives” | RPO/RP | Scoping and requirement mapping before you spend |
| “CUI is scattered across endpoints, file shares, email, and cloud” | RPO/RP + MSSP | You need both compliance mapping and operational implementation |
| “You need to contain CUI fast” | CUI enclave / secure collaboration | Shrinks the blast radius if users keep CUI inside the boundary |
| “Your evidence is chaos” | GRC platform + RPO/RP | Organizes SSP, POA&M, evidence, ownership, and timestamps |
| “You're making cloud architecture decisions” | Cloud/enclave architect + RPO/RP | FedRAMP, FIPS, key custody, and scope all intersect |
| “Your contract requires a Level 2 C3PAO and evidence is ready” | C3PAO | Formal assessment — not remediation |
What we actually verified for this guide
We built this page from primary sources and dated the check so you can re-verify anything yourself.
- 32 CFR Part 170 (CMMC Program Rule), including §170.14 (levels), §170.21 (POA&M), and §170.24 (scoring) — checked July 3, 2026.
- NIST SP 800-171 Rev. 2 encryption-related controls (3.1.13, 3.1.17, 3.1.19, 3.5.10, 3.8.6, 3.8.9, 3.13.8, 3.13.10, 3.13.11, 3.13.16) — checked July 3, 2026.
- NIST SP 800-171A assessment procedures and evidence expectations — checked July 3, 2026.
- DFARS 252.204-7012 and 252.204-7021 on Acquisition.gov — checked July 3, 2026.
- NIST CMVP and FIPS 140-3 transition including the September 21, 2026 sunset — checked July 3, 2026.
- DoD CMMC FAQ (v5) including B-Q8 (encrypted CUI remains CUI) and E-Q1/E-Q2 (cloud FedRAMP Moderate), plus scoping, VDI, and enclave guidance — checked July 3, 2026.
- CMMC Code of Professional Conduct / Cyber AB impartiality rules for the readiness-vs-assessment separation — checked July 3, 2026.
- No named provider rankings are used on this page. Provider categories only.
Frequently asked questions
Does CMMC require encryption?
Yes, but not as one blanket rule. CMMC Level 2 adopts NIST SP 800-171 Rev. 2, which includes encryption-related requirements for CUI in transit, CUI at rest, FIPS validation when encryption protects CUI, remote access, wireless, mobile devices, digital media in transport, passwords, and cryptographic keys.
Does CMMC require encryption at rest?
CMMC Level 2 requires the confidentiality of CUI at rest to be protected under SC.L2-3.13.16. Encryption is usually the cleanest way to prove it, but the control's discussion allows other confidentiality mechanisms in some environments.
Does CMMC require encryption in transit?
Yes. When CUI is transmitted, SC.L2-3.13.8 requires cryptographic mechanisms unless the transmission is otherwise protected by alternative physical safeguards, and NIST applies this to internal as well as external networks.
When does CMMC require FIPS-validated cryptography?
Whenever cryptography is used to protect the confidentiality of CUI, SC.L2-3.13.11 requires it to be FIPS-validated — meaning the cryptographic module appears on NIST's Cryptographic Module Validation Program list with a validation certificate.
Is AES-256 enough for CMMC?
Not by itself. AES-256 is a FIPS-approved algorithm, but the module implementing it must be FIPS-validated (on the CMVP list) for the encryption to count.
Is "FIPS compliant" the same as "FIPS validated"?
No. "FIPS validated" ties to a specific CMVP certificate, module name, version, and operating environment. "FIPS compliant" or "FIPS capable" is marketing language and is not accepted as evidence.
Is BitLocker enough for CMMC?
Sometimes, in the right configuration — but never assume. Verify the exact cryptographic module, certificate status, version, operating environment, and FIPS mode, and confirm that implementation protects the CUI in your assessed system.
Is encrypted CUI still CUI?
Yes. The DoD's official CMMC FAQ (B-Q8) states that CUI remains controlled until it is formally decontrolled, regardless of encryption state, and that encryption alone does not create logical separation for scoping.
Can encrypted CUI be stored in ordinary commercial cloud?
Not merely because it's encrypted. If an external cloud service provider stores, processes, or transmits CUI for contract performance, DFARS 252.204-7012 requires FedRAMP Moderate (or equivalent) security, and the CMMC FAQ (E-Q2) confirms a non-FedRAMP-Moderate cloud can't store encrypted CUI just because it's encrypted.
Can SC.L2-3.13.11 go on a POA&M?
Only narrowly. Under 32 CFR 170.21, it may be placed on a Level 2 POA&M if encryption is employed but not FIPS-validated (a 3-point value). If no encryption is employed, the penalty is 5 points and it cannot be deferred.
What evidence do I need for FIPS validation?
Following NIST SP 800-171A, assessors typically ask for cryptographic module validation certificates, a list of the FIPS-validated modules in use, configuration settings, system design documentation, the relevant SSP content, and supporting logs — plus interviews and tests.
Do I need GCC High for CMMC encryption requirements?
Not automatically. It depends on where CUI lives, whether the service processes/stores/transmits CUI, FedRAMP authorization or equivalency, your CUI categories, key custody, and your contract clauses. Many contractors use GCC High for export-controlled CUI, but it isn't a default requirement for every company.
Which provider category should help with encryption requirements?
If you're still scoping or remediating, start with an RPO/RP, MSSP, CUI enclave, cloud architect, or GRC platform depending on the gap. Use a C3PAO when you're ready for formal assessment and the contract requires one — and keep readiness and assessment separate.
The next step, without the guesswork
You came for “what does CMMC require for encryption,” and you now have the map: the ten controls, what FIPS-validated really means, the points at stake, what you can and can’t defer, what evidence to collect, and what encryption does not solve. The last mile is turning that into a plan for your environment.
Need help deciding what type of CMMC provider you need?
Tell us your level, scope, and timeline, and we’ll match you with source-checked CMMC provider options. Use Find My CMMC Path to map your situation to the right provider category before you request quotes.
Related
- CMMC FIPS 140-2 Requirements: What Actually Counts (2026)
- CMMC Level 2 requirements — all 110 controls
- CMMC MFA Requirements: What IA.L2-3.5.3 Requires
- CUI email encryption for CMMC
- GCC High for CMMC — is it required?
- CMMC scoping: FCI vs CUI and what's in scope
- CMMC provider categories: who to hire first
- CMMC Level 2 cost ranges
- CMMC readiness checklist