The Defense Compliance ReportCMMC 2.0 & the Defense Industrial Base

CMMC Level 2 Controls

CMMC Encryption Requirements: Every Control, Its Point Value, and What “FIPS-Validated” Actually Means

By The Defense Compliance Report Editorial Team · Last reviewed: · Last verified:

The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We are not affiliated with the Cyber AB, the Department of Defense, DCMA DIBCAC, NIST, or any U.S. government agency.

If a new solicitation, a prime’s flow-down, or a nervous IT provider just put the phrase “FIPS-validated encryption” in front of you, here’s the short version before you spend a dollar. CMMC encryption requirementsare not one blanket order to encrypt everything. They’re a cluster of about ten Level 2 controls that switch on depending on where your protected data actually lives and moves. And the single control that trips up the most contractors isn’t technically hard to build — it’s easy to prove wrong.

Bottom line: For contractors that handle Controlled Unclassified Information (CUI), CMMC Level 2 adopts NIST Special Publication 800-171 Revision 2, which requires FIPS-validated cryptography whenever encryption is used to protect the confidentiality of CUI— across data in transit, data at rest, mobile devices, removable media, wireless, and remote access. What changes the answer for you: your CUI scope, your cloud environment, and whether you can actually prove the module is validated.

We read the actual sources — 32 CFR Part 170, NIST SP 800-171 Rev. 2, and the DoD’s own CMMC FAQ — and cross-checked every claim. Several pages currently ranking for this term contain real errors: one uses retired control numbers, another states the point penalty for the key FIPS control backwards. This is the version we’d hand a client the morning they found the clause.

Which category fits — and which doesn’t

Encryption is where “which vendor do I call?” gets confusing, because the answer depends on what you’re actually trying to fix:

The 60-second verdict

The question you’re really askingStraight answerWhere it comes from
Does CMMC require encryption?Yes, in specific Level 2 situations — not as one universal "encrypt everything" command.NIST SP 800-171 Rev. 2
Does CMMC require FIPS validation?Yes, whenever encryption is used to protect the confidentiality of CUI.SC.L2-3.13.11
Does CUI at rest always require encryption?It requires confidentiality protection. Encryption is the usual method, but the control text allows other mechanisms in some settings.SC.L2-3.13.16
Is AES-256 enough?No — not by itself. The module running AES-256 has to be FIPS-validated (on NIST's CMVP list).NIST CMVP
Is encrypted CUI still CUI?Yes. Encryption does not "decontrol" data — it stays CUI until formally decontrolled.DoD CMMC FAQ (B-Q8)
Can encrypted CUI sit in ordinary commercial cloud?No — not just because it's encrypted. A cloud service handling CUI must meet FedRAMP Moderate (or equivalent).DFARS 252.204-7012 / CMMC FAQ (E-Q1, E-Q2)
What we checked for this guide (July 3, 2026): 32 CFR Part 170, NIST SP 800-171 Rev. 2 and NIST SP 800-171A, DFARS 252.204-7012 and 252.204-7021, the NIST Cryptographic Module Validation Program, and the DoD’s official CMMC FAQ (v5). Every regulatory claim below is tied to one of these primary sources. This is educational research, not legal, contractual, cybersecurity, or compliance advice — confirm scope and applicability with a Registered Practitioner or a qualified federal-contracts attorney.

What are the CMMC encryption requirements, in plain English?

Answer: CMMC encryption requirements are a set of Level 2 controls, not a single rule. The three most contractors blur together are SC.L2-3.13.8 (protect CUI in transit), SC.L2-3.13.16 (protect CUI at rest), and SC.L2-3.13.11 (use FIPS-validated cryptography whenever encryption protects CUI). Miss the difference between them and you can pass one while failing another.

CMMC doesn’t say “encrypt your company.” It asks a narrower question: wherever CUI is, or wherever it travels, is its confidentiality protected — and if you’re using cryptography to do that, is the cryptography actually validated?

A quick note on how these control numbers work. A practice ID like SC.L2-3.13.11 breaks down as: the domain (SC = System and Communications Protection), the level (L2 = Level 2), and the underlying NIST SP 800-171 requirement number (3.13.11). Once you see the pattern, the whole list gets readable fast.

CMMC Level 2 pulls in all 110 security requirements from NIST SP 800-171 Rev. 2, organized into 14 control families. About ten of those touch cryptography. We mapped every one below — with the exact points at stake and whether you can defer them — because no single official page hands a contractor that in one place.

Which CMMC level actually has encryption requirements?

Answer: CMMC Level 1 covers Federal Contract Information (FCI) and uses the 15 basic safeguarding requirements from FAR 52.204-21 — it does not impose the NIST SP 800-171 Rev. 2 encryption cluster. CMMC Level 2 covers CUI and adopts all 110 requirements of NIST SP 800-171 Rev. 2, which is where the encryption controls live. Level 3 keeps everything in Level 2 and adds selected NIST SP 800-172 requirements.

This matters more than it looks. We regularly see small suppliers over-scope themselves — buying Level 2 encryption tooling before confirming they even handle CUI. Per 32 CFR Part 170, Level 1’s baseline is FAR 52.204-21 (FCI only), Level 2’s baseline is identical to NIST SP 800-171 Rev. 2 (CUI), and Level 3 adds a subset of NIST SP 800-172 on top. Our full breakdown lives in the CMMC levels guide.

One correction worth making early: you’ll see some pages say Level 1 has “17 controls.” Under the current CMMC rule, Level 1 is 15 requirements— the “17” is a holdover from the retired CMMC 1.0 model. If a source is still using CMMC 1.0 numbers, treat everything else on that page with caution too.

DCR operational rule: Don’t buy any encryption tooling until you know whether your contract requires Level 1, Level 2 (Self), Level 2 (C3PAO), or Level 3. The sameencryption product can be overkill, insufficient, or irrelevant depending on that one clause. The clause decides — a checklist doesn’t.

One more thing you should not have to relearn later: CMMC Level 2 is still assessed against NIST SP 800-171 Revision 2, not Revision 3. The DoD’s own CMMC FAQ confirms it plans to incorporate Rev. 3 through future rulemaking and issued a class deviation to keep Rev. 2 as the standard you’re assessed againstuntil Rev. 3 is folded into the rule. You can start modernizing toward Rev. 3, but the bar you’re graded on today is Rev. 2.

The complete CMMC Level 2 cryptography footprint (with point values and POA&M rules)

Answer: Ten NIST SP 800-171 Rev. 2 controls involve cryptography, and under CMMC they all sit at Level 2. Those ten carry up to 30 CMMC scoring pointsof deductions on the 110-point scale — and most of them cannotbe deferred to a Plan of Action and Milestones (POA&M). This is the table competitors don’t build.

Before the table, two definitions: SPRS (Supplier Performance Risk System) is the DoD system where your score and CMMC status are posted, and a POA&Mlets you defer certain eligible gaps and still earn a Conditional status — but only within strict limits. Under 32 CFR 170.24, every Level 2 requirement is worth 1, 3, or 5 points if not met (you start at 110 and subtract). Under 32 CFR 170.21, only 1-point requirements can go on a POA&M— with one narrow encryption exception. To earn even a Conditional CMMC status you must score at least 88 of 110, have your SSP in place, and close all POA&M items within 180 days.

Control (CMMC ID)NIST 800-171 R2What it requiresPoints off if not metCan it go on a POA&M?
SC.L2-3.13.113.13.11Use FIPS-validated cryptography when encryption protects CUI confidentiality (the umbrella control)5 (no encryption) / 3 (encryption used, not FIPS-validated)Only the “used but not FIPS-validated” (−3) case
AC.L2-3.1.133.1.13Cryptographic mechanisms to protect the confidentiality of remote access sessions5No
AC.L2-3.1.173.1.17Protect wireless access using authentication and encryption5No
IA.L2-3.5.103.5.10Store and transmit only cryptographically-protected passwords5No
AC.L2-3.1.193.1.19Encrypt CUI on mobile devices and mobile computing platforms3No
SC.L2-3.13.83.13.8Cryptographic mechanisms to prevent disclosure of CUI in transmission (unless otherwise physically protected)3No
SC.L2-3.13.163.13.16Protect the confidentiality of CUI at rest1Yes*
SC.L2-3.13.103.13.10Establish and manage cryptographic keys for cryptography used in the system1Yes*
MP.L2-3.8.63.8.6Cryptographic mechanisms to protect CUI on digital media during transport (unless otherwise physically protected)1Yes*
MP.L2-3.8.93.8.9Protect the confidentiality of backup CUI at storage locations1Yes*

Those ten controls carry up to 30 points combined (scored independently). A related control, SC.L2-3.13.15(protect the authenticity of communications sessions), is worth 5 more points if not met and is not POA&M-eligible — but its Rev. 2 text is about session authenticity, not encrypting CUI, so we list it separately. *Sources: control text from NIST SP 800-171 Rev. 2; point values from 32 CFR 170.24; POA&M eligibility from 32 CFR 170.21. The four 1-point crypto controls are POA&M-eligible because they’re worth 1 point and not on the excluded-requirements list in 32 CFR 170.21(a)(2)(iii); confirm that list before relying on it.

Takeaway 1: Most of your encryption exposure can’t be deferred.

Six of these controls are worth 3 or 5 points, which means they must be fully met on assessment day — no POA&M safety net. If your remote access, wireless, mobile, transmission, or password-hashing crypto is weak, that’s a fix-before-assessment item, not a fix-later one.

Takeaway 2: The FIPS control has a strange, important quirk — and the internet keeps getting it backwards.

For SC.L2-3.13.11, 32 CFR 170.24 says: if encryption is employed but not FIPS-validated, you lose 3 points— and you may put it on a POA&M. If encryption is not employed at all, you lose 5 points— and you may notPOA&M it, so it blocks Conditional status outright. Read that twice. Running non-validated encryption is actually a better and more recoverableposition than running none. We’ve seen at least one widely shared page state the opposite; the regulation is unambiguous.

Takeaway 3: The math is tighter than “just hit 88.”

You only have 22 points of margin, most crypto controls can’t be deferred, and a missing System Security Plan is a hard stop on its own. Encryption gaps eat that margin fast. More on the scoring math in our CMMC Final Rule guide.

Map your CMMC encryption scope before you buy tools

Reading the table is one thing. Knowing which of these ten controls apply to yourenvironment — and where your points are actually at risk — is another. Use The Defense Compliance Report’s Find My CMMC Path tool: tell us where your CUI lives and moves (email, file shares, laptops, backups, remote access, cloud, removable media, wireless), and it returns the applicable controls, your CMMC scoring exposure, POA&M eligibility, an evidence checklist, and the provider category that usually fits.

Launch the Encryption & FIPS Gap Explorer →

Do not submit CUI, drawings, or sensitive contract details. Provider matching may generate compensation when disclosed; compensation does not control our regulatory analysis or provider-category guidance.

What “FIPS-validated” actually means (and why AES-256 isn’t enough)

Answer: FIPS-validated means the specific cryptographic module— the software or hardware component that performs the encryption — appears on NIST’s Cryptographic Module Validation Program (CMVP) list, backed by a validation certificate. It is not the same as using an approved algorithm like AES-256, and it is not a vendor’s “FIPS-compliant” claim. At assessment you’ll be asked for the CMVP certificate details, not the algorithm name.

Here’s the distinction in plain terms:

Why does NIST care so much about the module and not just the algorithm? Because NIST’s CMVP treats non-validated cryptography as providing no protection at all — in effect, the data is considered unprotected plaintext. That single sentence is why an assessor won’t accept “we use AES-256.” From the government’s point of view, un-validated AES is the same as no encryption.

Two concrete examples we see constantly:

BitLocker — sometimes yes

Windows disk encryption relies on the Windows CNG cryptographic library, which doeshold CMVP certificates — but you must confirm the exact module version and that it’s running in the validated configuration. “BitLocker is on” is not the same as “our validated module is deployed and documented.”

VeraCrypt — no

Uses AES-256 and is not on the CMVP validated list. Same algorithm, wrong answer for CMMC. The lesson: verify the module and version you’ve actually deployed, not the product name on the box.

How to verify a module — and what to record

Go to the NIST CMVP Validated Modules Search, find the module (not just the product), and match it to a certificate. If you can’t match your deployed module, version, operating environment, and configuration to a validation certificate, treat that as a remediation or evidence gap until your vendor, RP/RPO, or assessor resolves it. What to capture from CMVP for each encryption product that touches CUI:

That eight-line record turns a vague “we’re FIPS” into the exact evidence an assessor asks for.

FIPS 140-2 vs FIPS 140-3 — and the September 21, 2026 sunset

NIST CMVP states that FIPS 140-2 validations move to the Historical list on September 21, 2026. Modules on the Historical list may continue to be used for existing systems; FIPS 140-2 active modules can be used for newsystems only through that date. They are not revoked — but that date lands about seven weeks before CMMC Phase 2 begins.

Two dates worth putting on the same calendar line: the FIPS 140-2 sunset (September 21, 2026) and the start of CMMC Phase 2 (November 10, 2026), when the DoD begins including Level 2 (C3PAO) certification requirements in applicable solicitations. The practical read: inventory your modules now and plan your move to FIPS 140-3 before the two deadlines collide.

Before you rip out a platform over FIPS, map your actual exposure — you may need to reconfigure and document far more than you need to replace. If it’s beyond your team, get matched with readiness or enclave provider categories via Find My CMMC Path.

Which CUI must be encrypted in transit?

Answer: NIST SP 800-171 Rev. 2 requirement 3.13.8 requires cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission, unless the transmission is otherwise protected by alternative physical safeguards. NIST applies this to internal and external networks, so the real question isn’t “is this the internet?” — it’s “does CUI move here?”

“In transit” is broader than most people assume. It covers CUI moving across the public internet, partner portals, secure file transfer (SFTP), VPN tunnels, APIs, and email. And it does not automatically stop at your office walls. A common and expensive assumption is “our network is internal, so we’re fine.” The control is about where CUI travels, not who owns the wire.

Common implementations include FIPS-validated TLS, VPN, and secure file-transfer paths (TLS 1.2 or 1.3 with approved cipher suites is typical) — but 3.13.8 itself doesn’t prescribe a specific protocol. What matters at assessment is that your evidence ties the deployedcryptographic module, its configuration, and your CUI data flow back to 3.13.8 and 3.13.11. The rare exception — “alternative physical safeguards” — is real but narrow (think a protected distribution system). For the vast majority of contractors, the answer is yes.

What must be protected at rest — and does that always mean encryption?

Answer: Requirement 3.13.16 says to protect the confidentiality of CUI at rest. Encryption is the most common and cleanest way to do it, but the control’s own discussion allows other mechanisms in certain contexts. So “at rest” does not automatically mean identical full-disk encryption on every device — it means every place CUI is stored has documented confidentiality protection.

“At rest” is everywhere CUI sits: file shares, laptops and desktops, servers, databases, email archives, backups, and engineering systems like CAD/CAM. For most of those, encryption through a FIPS-validated module is the answer that’s easiest to prove. The point isn’t to find a loophole — it’s to map where CUI actually rests and choose the right protection for each location, then document it in your system security plan.

The honest part: Encryption is not a compliance button, and it is definitely not a scoping shortcut. If your CUI is scattered across laptops, email archives, file shares, backups, and supplier folders, flipping on one encryption setting does not make you CMMC-ready — and it does not shrink your scope either. Anyone who tells you “just turn on encryption and you’re compliant” is selling the exact oversimplification that fails contractors at assessment.

The scenario-to-evidence-to-provider map

Answer: The fastest way to end the “what applies to me?” spiral is to work by scenario, not by control number. Each common situation maps to the governing control, what it actually requires, whether FIPS validation is in play, the evidence to have ready, the mistake we see most, and the provider category that usually helps.
Where your CUI is / what you’re doingGoverning controlWhat it actually requiresFIPS-validated needed?Evidence to have readyCommon mistakeCategory that usually helps
FCI only, no CUILevel 1 (FAR 52.204-21)Not the Rev. 2 encryption cluster — confirm CUI is truly absentUsually no (as a Level 1 requirement)Contract review, FCI scope statement, Level 1 self-assessmentBuying Level 2 tools before confirming you handle CUIRPO/RP for scoping if unsure
CUI moving over networksSC.L2-3.13.8Encrypt CUI in transit (internal and external) unless physically protectedYesData-flow diagram, TLS/VPN/SFTP configs, logs, CMVP cert details"It's our internal network, so we're fine"RPO/RP + MSSP
CUI stored (at rest)SC.L2-3.13.16Protect confidentiality of stored CUI (encryption or other mechanisms)Yes, when crypto is the mechanismAsset inventory, storage locations, encryption/backup configs, SSP mapping"Full-disk encryption everywhere" without mapping where CUI sitsRPO/RP + MSSP + GRC
Any CUI encryptionSC.L2-3.13.11The module must be FIPS-validatedThis is the FIPS triggerCMVP certificate, module name/version, FIPS mode evidence, configTreating AES-256 or "FIPS compliant" as enoughRPO/RP + MSSP; vendor verification
Encryption key managementSC.L2-3.13.10Establish and manage the keys your crypto usesDepends on the protected data; evidence still requiredKMS/HSM config, rotation policy, access list, custody model, offboardingEncrypting data but leaving key custody undocumentedMSSP + cloud/enclave architect
Remote access / VPNAC.L2-3.1.13Encrypt remote access sessionsYesVPN/ZTNA/gateway config, approved methods, logsEquating MFA with encrypted remote accessMSSP
WirelessAC.L2-3.1.17Authenticate and encrypt wireless accessYesWLAN configs, auth method, segmentation, guest isolationLetting CUI devices ride ordinary office Wi-Fi with thin evidenceMSSP
Laptops / phones / tabletsAC.L2-3.1.19Encrypt CUI on mobile devicesYesMDM policy, device encryption status, conditional access, lost-device procedure"BitLocker/FileVault is on" with no module/version/FIPS evidenceMSSP + endpoint specialist
USB / external drives in transportMP.L2-3.8.6Encrypt CUI on media during transport unless physically protectedYesRemovable-media policy, approved encrypted media, transport controls, certsAllowing unmanaged USBs "because they're temporary"RPO/RP + MSSP
BackupsMP.L2-3.8.9Protect confidentiality of backup CUIYes, when encryption is the mechanismBackup configs, encrypted media/targets, restore tests, SSP entryEncrypting production but backing up to an unencrypted targetMSSP + GRC
CUI in cloudDFARS 252.204-7012 + CMMC FAQCloud handling CUI must meet FedRAMP Moderate (or equivalent)Yes for encryption; FedRAMP is a separate requirementFedRAMP authorization/equivalency evidence, shared-responsibility matrix, data-flow map, SSP section"It's encrypted, so commercial cloud is fine"CUI enclave / cloud architect + RPO/RP
Email / file sharingSC.L2-3.13.8, 3.13.16, 3.13.11Transit + at rest + FIPS + endpoint caching + key custody, all at onceYesPlatform configs, provider matrix, CMVP certs, mail-flow logs"TLS email = CMMC-compliant email"Secure collaboration / CUI enclave

Notice the pattern: almost every row’s “common mistake” is a proof failure or a scopemisread, not a missing feature. That’s the real shape of CMMC encryption work.

Once you can see which rows are yours, the next move is matching each gap to the right category — readiness/MSSP for implementation, GRC for evidence, an enclave for scope reduction.

Get matched with source-checked provider categories →

Keep the CUI out of the form.

What evidence will assessors actually ask for?

Answer: NIST SP 800-171A — the assessment procedures incorporated into the CMMC rule for Level 2 — turns each requirement into assessment objectives with specific evidence. For FIPS-validated cryptography, that evidence includes your policies and SSP, system design and configuration settings, and cryptographic module validation certificates and a list of the FIPS-validated modules in use, backed by interviews and tests. “The tool can do it” is not evidence. “Here is the certificate, the version, and the running configuration” is.
Evidence itemWhy it matters
CUI data-flow diagramShows where the encryption controls apply — the backbone of everything else
System boundary / scope diagramDefines what's in the assessment and what isn't
CMVP certificate detailsProves module validation, not marketing language
Module name, version, and operating environmentPrevents a mismatch between the certificate and what's actually deployed
Configuration screenshotsShows the feature is enabled in the assessed environment, not just available
Logs / audit recordsShows the control operates, not just that it was designed
SSP section per controlTies each implementation to the assessed system
Shared-responsibility matrix (for cloud/MSP)Shows what a provider owns versus what you still own

Two habits save the most pain here. First, capture the module versionalongside the certificate — CMVP validations are tied to specific versions, and a routine update can push you past the validated build. Second, write your SSP to what you can prove, not to what you hope. Overclaiming in the SSP is how a design gap becomes a credibility gap.

Does encrypting CUI take it out of scope?

Answer: No.The DoD’s official CMMC FAQ is explicit: encrypted CUI remains CUI until it is formally decontrolled, and encryption alone does not create the “logical separation” needed to define a boundary. Encryption reduces risk and can support a boundary argument — but it does not make CUI, or the systems that handle it, disappear.

This is the single most expensive myth in CMMC scoping, and the DoD has shut the door on it in writing. Per the DoD CMMC FAQ (v5):

There’s a related nuance most contractors miss. A VDI (Virtual Desktop Infrastructure)endpoint can stay out of scope only if CUI never lands on it — the session is limited to keyboard, video, and mouse, with no local copy, save, print, or screenshot, and separate multifactor authentication to reach the desktop. It’s a real path to avoid turning every laptop into a CUI asset, but only if the configuration actually enforces “no local CUI.”

The CMMC FAQ has been revised several times and the DoD renumbers its questions between versions; we’ve cited the question number where it’s stable and described the rest by substance so this stays accurate as the FAQ is updated.

Can encrypted CUI live in commercial cloud, email, or file-sharing tools?

Answer: Not merely because it’s encrypted. Under DFARS 252.204-7012, if an external cloud service provider processes, stores, or transmits CUI for a contract, it must meet security requirements equivalent to the FedRAMP Moderate baseline— and the DoD CMMC FAQ confirms a non-FedRAMP-Moderate cloud offering cannot store encrypted CUI just because it’s encrypted. The cloud requirement is separate from, and additional to, the encryption requirement.
The questionEncryption answerCloud / FedRAMP answerWhat to have ready
Is the CUI protected in transit and at rest?Yes — via FIPS-validated cryptography (SC.L2-3.13.8, 3.13.16, 3.13.11)Doesn't change this obligationCMVP certificate details, configs
Can this cloud service hold CUI at all?Encryption alone doesn't answer thisThe service must be FedRAMP Moderate-authorized or meet DoD's FedRAMP Moderate-equivalency requirementsFedRAMP authorization/equivalency evidence, authorized-boundary list
Who can decrypt the CUI?Key custody is your callFedRAMP status doesn't decide thisKey generation/rotation/revocation/recovery docs, shared-responsibility matrix

Commercial Microsoft 365 is generally not sufficient for CUI. Contractors commonly move to Microsoft 365 GCC High (built for the Defense Industrial Base, including export-controlled data), Microsoft 365 GCC, or build enclaves in AWS GovCloud or Azure Government. Which one fits depends on your CUI categories, ITAR exposure, and budget — and before you procure, verify the specific offering’s FedRAMP Moderate authorization (or documented equivalency) and which features sit inside the authorized boundary. We compare the trade-offs in our GCC High for CMMC guide.

Key ownership is its own decision. Even on FedRAMP-authorized infrastructure, assessors look at who can decrypt your CUI. Provider-managed keys leave the provider technically able to decrypt. “Customer-managed” keys (BYOK) still often leave the provider with access. Customer-owned keys— where only you hold them — give the cleanest evidence that you control CUI access. Whatever model you choose, document who can decrypt, and who controls key generation, rotation, revocation, and recovery.

Verify vendors before you procure — questions that matter

Ask the providerWhy it matters
Will this service process, store, or transmit our CUI?Determines whether it's in CUI scope at all
What exact FedRAMP authorization or equivalency evidence applies?Encryption doesn't replace the cloud requirement
What cryptographic module protects the CUI, and what's the CMVP certificate?Cuts through "FIPS compliant" ambiguity
Who holds the encryption keys?Affects scope, custody, and evidence
What does the shared-responsibility matrix say we still own?Prevents false reliance on the vendor
Which specific features are inside the authorized boundary?Prevents using uncovered features by accident

Because email is the single most confused encryption workflow — it hits transit, at rest, endpoint caching, and key custody all at once — we keep the deep, provider-by-provider analysis on our dedicated CUI email encryption for CMMC page. The one-line version: TLS email is not the same as CMMC-compliant CUI email.

Can you put FIPS encryption (SC.L2-3.13.11) on a POA&M?

Answer: Only narrowly. Under 32 CFR 170.21, most POA&M items must be 1-point requirements, but SC.L2-3.13.11 has a specific carve-out: if encryption is employed but not FIPS-validated, it can go on a POA&M at a 3-point value. If no encryption is employed at all, the penalty is 5 points and it cannot be deferred — which blocks Conditional Level 2 status.

Per 32 CFR 170.21, a Level 2 POA&M is limited to 1-point requirements, except SC.L2-3.13.11 may be included onlywhen encryption is present but not yet FIPS-validated. “We plan to encrypt later” is not that exception — that’s the 5-point, non-deferrable version.

The most common CMMC encryption mistakes

Answer: The costliest encryption mistakes are proof and scope errors, not missing features: treating “FIPS compliant” as FIPS-validated, assuming AES-256 is enough, parking encrypted CUI in commercial cloud, believing encryption removes CUI from scope, ignoring mobile and removable media, and failing to document module, version, and configuration in the SSP.
  1. 1"AES-256 means we're good." Fix: Match your deployed module to a CMVP certificate and record certificate/version/config.
  2. 2"FIPS mode is enabled, so we're validated." Fix: FIPS mode restricts algorithms; still confirm the module carries a current CMVP validation.
  3. 3"Encrypted CUI isn't CUI anymore." Fix: It stays CUI until formally decontrolled — CMMC FAQ B-Q8.
  4. 4"It's encrypted, so commercial cloud is fine." Fix: DFARS 252.204-7012 requires FedRAMP Moderate (or equivalent) for any cloud handling CUI.
  5. 5"TLS email covers our email CUI." Fix: Protect the message and attachments end to end, not just the transport channel.
  6. 6"Mobile devices are out of scope because we use MDM." Fix: Document validated encryption of CUI on the device (AC.L2-3.1.19), not just MDM enrollment.
  7. 7"The vendor has a compliance page, so we're compliant." Fix: Their capability isn't your implementation or your evidence — map it to your assessed system.
  8. 8"We'll POA&M FIPS later." Fix: Only the "employed but not validated" case is deferrable; "no encryption" is a hard blocker.

What should you do first — and who should help?

Answer: The first step is not buying encryption software. It’s mapping where CUI is processed, stored, transmitted, accessed remotely, cached on mobile, or placed on media — then matching each flow to the applicable control, the evidence, and the provider category. That order prevents overbuying, under-scoping, and assuming one product solves CMMC.
  1. 1Confirm FCI vs CUI. Read the contract and the clauses. The clause sets your level — not a checklist, and not an assumption.
  2. 2Map every CUI flow — in transit, at rest, mobile, removable media, remote access, wireless, and cloud.
  3. 3Match each flow to its control, and decide where encryption is the mechanism versus where other safeguards carry the load.
  4. 4Verify FIPS modules on the CMVP list before you procure anything.
  5. 5Choose the right category for the gaps you actually have.

This last step is what we call The CMMC Path Framework— the logic that maps your required level, FCI vs CUI handling, assessment type, IT and cloud environment, and contract timeline to the category of provider you need. It routes you to a category, not a named vendor, and it is not a score, a ranking, or compliance advice. See our full provider-category comparison and cost ranges so you can budget before you call anyone.

Your situationBetter first categoryWhy
You don't know where CUI livesRPO/RPScoping and requirement mapping before you spend
CUI is scattered across endpoints, file shares, email, and cloudRPO/RP + MSSPYou need both compliance mapping and operational implementation
You need to contain CUI fastCUI enclave / secure collaborationShrinks the blast radius if users keep CUI inside the boundary
Your evidence is chaosGRC platform + RPO/RPOrganizes SSP, POA&M, evidence, ownership, and timestamps
You're making cloud architecture decisionsCloud/enclave architect + RPO/RPFedRAMP, FIPS, key custody, and scope all intersect
Your contract requires a Level 2 C3PAO and evidence is readyC3PAOFormal assessment — not remediation
One line we won’t soften: keep readiness and formal assessment separate. Under the CMMC Code of Professional Conduct and the Cyber AB’s impartiality rules, a C3PAO cannot both consult for and assess the same organization. Don’t ask your assessor to be your remediation shop; if a provider offers to do both on the same engagement, that’s a red flag.

What we actually verified for this guide

We built this page from primary sources and dated the check so you can re-verify anything yourself.

See our editorial standards and corrections policy. Next scheduled review: October 2026, or sooner if the DoD, DFARS, NIST, CMVP, FedRAMP, the Cyber AB, or the CMMC FAQ issue changes.

Frequently asked questions

Does CMMC require encryption?

Yes, but not as one blanket rule. CMMC Level 2 adopts NIST SP 800-171 Rev. 2, which includes encryption-related requirements for CUI in transit, CUI at rest, FIPS validation when encryption protects CUI, remote access, wireless, mobile devices, digital media in transport, passwords, and cryptographic keys.

Does CMMC require encryption at rest?

CMMC Level 2 requires the confidentiality of CUI at rest to be protected under SC.L2-3.13.16. Encryption is usually the cleanest way to prove it, but the control's discussion allows other confidentiality mechanisms in some environments.

Does CMMC require encryption in transit?

Yes. When CUI is transmitted, SC.L2-3.13.8 requires cryptographic mechanisms unless the transmission is otherwise protected by alternative physical safeguards, and NIST applies this to internal as well as external networks.

When does CMMC require FIPS-validated cryptography?

Whenever cryptography is used to protect the confidentiality of CUI, SC.L2-3.13.11 requires it to be FIPS-validated — meaning the cryptographic module appears on NIST's Cryptographic Module Validation Program list with a validation certificate.

Is AES-256 enough for CMMC?

Not by itself. AES-256 is a FIPS-approved algorithm, but the module implementing it must be FIPS-validated (on the CMVP list) for the encryption to count.

Is "FIPS compliant" the same as "FIPS validated"?

No. "FIPS validated" ties to a specific CMVP certificate, module name, version, and operating environment. "FIPS compliant" or "FIPS capable" is marketing language and is not accepted as evidence.

Is BitLocker enough for CMMC?

Sometimes, in the right configuration — but never assume. Verify the exact cryptographic module, certificate status, version, operating environment, and FIPS mode, and confirm that implementation protects the CUI in your assessed system.

Is encrypted CUI still CUI?

Yes. The DoD's official CMMC FAQ (B-Q8) states that CUI remains controlled until it is formally decontrolled, regardless of encryption state, and that encryption alone does not create logical separation for scoping.

Can encrypted CUI be stored in ordinary commercial cloud?

Not merely because it's encrypted. If an external cloud service provider stores, processes, or transmits CUI for contract performance, DFARS 252.204-7012 requires FedRAMP Moderate (or equivalent) security, and the CMMC FAQ (E-Q2) confirms a non-FedRAMP-Moderate cloud can't store encrypted CUI just because it's encrypted.

Can SC.L2-3.13.11 go on a POA&M?

Only narrowly. Under 32 CFR 170.21, it may be placed on a Level 2 POA&M if encryption is employed but not FIPS-validated (a 3-point value). If no encryption is employed, the penalty is 5 points and it cannot be deferred.

What evidence do I need for FIPS validation?

Following NIST SP 800-171A, assessors typically ask for cryptographic module validation certificates, a list of the FIPS-validated modules in use, configuration settings, system design documentation, the relevant SSP content, and supporting logs — plus interviews and tests.

Do I need GCC High for CMMC encryption requirements?

Not automatically. It depends on where CUI lives, whether the service processes/stores/transmits CUI, FedRAMP authorization or equivalency, your CUI categories, key custody, and your contract clauses. Many contractors use GCC High for export-controlled CUI, but it isn't a default requirement for every company.

Which provider category should help with encryption requirements?

If you're still scoping or remediating, start with an RPO/RP, MSSP, CUI enclave, cloud architect, or GRC platform depending on the gap. Use a C3PAO when you're ready for formal assessment and the contract requires one — and keep readiness and assessment separate.

The next step, without the guesswork

You came for “what does CMMC require for encryption,” and you now have the map: the ten controls, what FIPS-validated really means, the points at stake, what you can and can’t defer, what evidence to collect, and what encryption does not solve. The last mile is turning that into a plan for your environment.

Need help deciding what type of CMMC provider you need?

Tell us your level, scope, and timeline, and we’ll match you with source-checked CMMC provider options. Use Find My CMMC Path to map your situation to the right provider category before you request quotes.

Find My CMMC Path →

Do not submit CUI, drawings, or sensitive contract details in the form.

Disclosure: The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification. This is educational research, not legal, contractual, or compliance advice. The contract clause and your CUI handling set your level, not a checklist. Confirm scope and applicability with a CMMC Registered Practitioner (RP/RPO) or a qualified federal-contracts attorney before you act. Last reviewed: · Last verified: