CMMC Level 2 Controls
CMMC FIPS 140-2 Requirements: What Actually Counts for Level 2
Here’s the thing that trips up almost everyone who searches CMMC FIPS 140-2 requirements: your vendor’s datasheet says “FIPS compliant,” the rule says “FIPS-validated,” and nobody can tell you whether that one-word gap is going to cost you a contract.
For CMMC Level 2, FIPS 140-2 (and its successor, FIPS 140-3) matters in exactly one situation: when cryptography is the thing protecting the confidentiality of your Controlled Unclassified Information (CUI). When it is, the proof an assessor wants is a FIPS-validated cryptographic module— a module with a certificate on NIST’s Cryptographic Module Validation Program (CMVP) list, running in the right version and configuration — nota vendor’s “FIPS compliant” claim and not an approved algorithm alone.
That’s the bottom line. Two things make it more urgent than it looks: this is one of the controls assessors flag most often, and the point penalty for getting it wrong is one that many articles online report backwards. Stick with us to the scoring section — the number matters, because it decides whether you can defer this at all.
The CMMC FIPS answer in five rows
| Your question | The straight answer |
|---|---|
| Does CMMC require FIPS 140-2? | Yes — indirectly. Level 2 requires FIPS-validated cryptography wherever cryptography protects CUI confidentiality (control 3.13.11). The valid certificate may be FIPS 140-2 or FIPS 140-3, depending on status and timing. |
| Is "FIPS compliant" good enough? | No. You need a CMVP-validated module (certificate + matching version + correct configuration), not marketing language or an approved algorithm alone. |
| Does every device need FIPS? | No. Start with your CUI data flows. FIPS applies where encryption is the control protecting CUI — not to every box on the network. |
| What changes in 2026? | FIPS 140-2 certificates are accepted for CUI protection through September 21, 2026; after that they move to NIST's Historical list for existing systems only. |
| What if my encryption isn't validated? | If you encrypt CUI but the module isn't validated, it's a −3 point gap that can go on a POA&M. If you don't encrypt CUI at all where required, it's a −5 point gap that can block your certification. (Yes — in that order. More below.) |
This is for you if…
you handle CUI (or expect to), you’re preparing a Level 2 self-assessment or C3PAO certification, you’re the IT or MSP team assembling the evidence package, or you’re a prime or sub staring at a flow-down clause.
You can skip most of this if…
your contract is Level 1, FCI-only. FIPS-validated cryptography is a CUI requirement. Level 1 runs on the 15 basic safeguards in FAR 52.204-21 and does not invoke control 3.13.11. Jump to “Does CMMC Level 1 require FIPS 140-2?”
What are the CMMC FIPS 140-2 requirements?
Where does this actually come from? It’s worth seeing the chain, because “CMMC FIPS 140-2 requirements” is really six documents pointing at one sentence:
| What it establishes | Primary source | What it actually says |
|---|---|---|
| The duty to protect CUI to a standard | DFARS 252.204-7012, "adequate security" | Provide adequate security on covered systems by implementing NIST SP 800-171. |
| The FIPS control itself | NIST SP 800-171 Rev. 2, §3.13.11 | Employ FIPS-validated cryptography to protect the confidentiality of CUI. |
| That CMMC Level 2 = these exact controls | 32 CFR Part 170 (incorporated by reference) | CMMC Level 2 is the 110 requirements of NIST SP 800-171 Rev. 2 across 14 families — Revision 2, not Revision 3. |
| How it's assessed | NIST SP 800-171A | The assessment objective for 3.13.11 asks whether FIPS-validated cryptography is employed to protect CUI. |
| The contract clause requiring the status | DFARS 252.204-7021 | Have and maintain a current CMMC status at the required level, and complete required affirmations in SPRS. |
| The solicitation notice of your level | DFARS 252.204-7025 | The provision that tells offerors which CMMC level the procurement requires. |
| The validation program & the deadline | NIST CMVP | The module needs a CMVP certificate; FIPS 140-2 certificates are accepted through Sept. 21, 2026, then move to Historical. |
First: it’s Revision 2, not Revision 3. NIST published SP 800-171 Revision 3 in May 2024. For CMMC purposes today, ignore that instinct. CMMC Level 2 is locked to Revision 2 by 32 CFR Part 170. Unless and until DoD amends the rule, Rev. 3 does not govern your Level 2 obligations. Build to Rev. 2.
Second: this is the only control in 800-171 with the word “FIPS” in its text.Because only one control says “FIPS,” teams assume FIPS is a narrow, one-and-done checkbox. In practice, several controls quietly rely on cryptography (transmission, remote access, wireless, mobile, media, data at rest), and the moment any of them uses encryption to protect CUI, control 3.13.11 pulls that encryption into scope.
The right CMMC provider depends on your actual gap. Use The Defense Compliance Report’s Find My CMMC Path tool to map your situation to the right provider category (RPO, MSSP, GRC platform, or CUI enclave) before you spend anything.
Does “FIPS compliant” count, or does CMMC require FIPS-validated cryptography?
People use “FIPS” to mean five different things. Only one of them reliably passes:
| What people say | What it actually is | Does it satisfy 3.13.11? | How an assessor treats it |
|---|---|---|---|
| "FIPS-validated module" | A crypto module tested by an accredited lab that holds a CMVP certificate | Yes — when the certificate covers the running version and mode | Accepted; the certificate number belongs in your SSP |
| "FIPS 140-2 vs FIPS 140-3" | Both are genuine CMVP validations | Yes — but 140-2 status changes at the 2026 transition | 140-3 (Active) preferred; 140-2 usable for existing systems, not new builds after the transition |
| "We use AES" / an approved algorithm | FIPS 197 approves the AES algorithm; the implementation isn't separately validated | No, by itself | Not sufficient — the module must be validated |
| "FIPS compliant / capable / equivalent" | Vendor language that may or may not have a validated module behind it | Not on its own | Not accepted as proof — the classic finding; ask for the certificate |
| "We turned on FIPS mode" | A setting (e.g., a Windows Group Policy) that restricts algorithms | Only if the underlying module is validated and the running version matches the certificate | The setting alone isn't proof; assessors check the whole evidence chain |
This isn’t a theoretical distinction — it has a track record. In one multi-year practitioner review, 83% of assessed contractors failed control 3.13.11, and the report pointed to reliance on “FIPS compliant” cryptography instead of FIPS-validated cryptography. Treat that as historical practitioner data rather than a current DoD-wide failure rate — but the pattern hasn’t changed.
A weak claim vs. a usable evidence packet
Weak (fails)
“Our laptops are encrypted with BitLocker and it’s FIPS compliant.”
Usable (passes scrutiny)
“CUI at rest on laptops is protected by [disk-encryption product], which uses [cryptographic module name], CMVP certificate #[number], validated to FIPS 140-[2/3], running version [x], in FIPS-approved mode per Group Policy [setting]. Evidence: certificate PDF, module version screenshot, GPO export. Mapped to SC.L2-3.13.16 and SC.L2-3.13.11 in the SSP.”
The trap inside the trap: product ≠ module ≠ version ≠ configuration
A productcan contain a validated module without the product itself being “the certificate.” Take BitLocker: Windows ships with cryptographic modules that appear on NIST’s CMVP list, and BitLocker can use them — but the product name is never your evidence. The encryption only counts when FIPS mode is enabled, the version you’re running matches the validated module, and you can produce the certificate. If your installed build has drifted past the validated version, or you’re running it in a mode the certificate doesn’t cover, you have a validated module on paper and an evidence gap in reality.
So the real question is never “is this product FIPS?” It’s four questions stacked:
- 1Is there a CMVP certificate for the module inside this product?
- 2Does the certificate cover the version we're actually running?
- 3Are we running it in the approved mode/configuration the security policy requires?
- 4Can we map the product to the module clearly enough for an assessor to follow?
Not sure whether your encryption is validated or just “FIPS-capable”? Before you replace a single tool, map your level, CUI flows, assessment type, and timeline with The Defense Compliance Report’s Find My CMMC Path tool— it points you to the provider category that fits your actual gap, so you don’t overbuy hardware you may not need.
How do I verify my cryptography is actually FIPS-validated?
This is a workflow you can run yourself in an afternoon:
- 1Identify the module, not just the product. For each tool protecting CUI (disk encryption, VPN, TLS termination, email/file platform, backup, MDM), find the cryptographic module name and version. This is usually in the vendor's compliance or security documentation, not the marketing page.
- 2Search the CMVP list. Look the module up in NIST’s CMVP validated-modules search. CMVP is the joint NIST / Canadian Centre for Cyber Security program that tests and publishes validated modules — it is the authoritative source. The listing gives you the certificate number, vendor, standard (140-2 or 140-3), status, and a link to the security policy.
- 3Confirm the version and mode match. Check that the version you're running is the version on the certificate, and that your configuration matches the approved mode in the security policy. This is the step most people skip.
- 4Record it as evidence. Capture, for each protection point: certificate number, module name and version, standard (140-2/140-3), status (Active/Historical), the operational environment, and where it sits in your CUI flow. Note the product-to-module mapping if the module is embedded in a larger product.
- 5Write it into your System Security Plan (SSP). The SSP is where this becomes assessable. An assessor should be able to read your 3.13.11 narrative and trace each place CUI is encrypted to a certificate you can produce.
What to highlight when you pull a CMVP certificate: the certificate number, the module name, the standard (FIPS 140-2 or 140-3), the status (Active or Historical), the version/build it covers, and the security policy(which spells out the approved operating mode). Those six items are the spine of your evidence — an annotated screenshot of that certificate entry is exactly the kind of proof object assessors like.
One caution NIST states plainly: for federal purposes, if cryptography is required to protect information and the cryptography is not validated, it’s treated as providing no protection at all— as if the data were plaintext. “Encrypted but not validated” doesn’t earn partial trust from the standard; it’s the validation that counts.
Your FIPS evidence self-check (copy this)
Run every place CUI lives through these columns. If any cell is blank or “unknown,” that’s your gap list — and your to-do list before an assessment.
| CUI touchpoint | Protection mechanism | Module + CMVP cert # | FIPS 140-2 or 140-3 | Cert status | Running version matches? | Approved mode evidence | New or existing system? |
|---|---|---|---|---|---|---|---|
| Email / file sharing | — | — | — | — | — | — | — |
| Endpoint / laptop (at rest) | — | — | — | — | — | — | — |
| File server (at rest) | — | — | — | — | — | — | — |
| Backups | — | — | — | — | — | — | — |
| Remote access / VPN | — | — | — | — | — | — | — |
| Wireless | — | — | — | — | — | — | — |
| Mobile devices | — | — | — | — | — | — | — |
| Removable media | — | — | — | — | — | — | — |
Where does FIPS-validated cryptography actually apply in a CMMC Level 2 environment?
The CMMC FIPS Obligation & Evidence Matrix
| CUI scenario / data flow | FIPS-validated crypto required? | Control drivers | Evidence to collect | Most common failure | Provider category if there's a gap |
|---|---|---|---|---|---|
| CUI in transit (email, SFTP, API, TLS, VPN, external connections) | Yes, when cryptography protects CUI confidentiality | SC.L2-3.13.8 + SC.L2-3.13.11 | CUI flow diagram, protocol/config export, CMVP cert #, module version, FIPS-mode proof, SSP narrative | "We use TLS/AES" with no validated-module or version proof | MSSP, RPO/RP, or CUI enclave |
| Remote access into a CUI-capable environment | Yes — remote-session crypto protecting CUI must meet 3.13.11 | AC.L2-3.1.13 + SC.L2-3.13.11 | Remote-access architecture, cryptographic mechanism, CMVP cert, remote-access policy, logs | Remote tool is encrypted but not validated, or no FIPS-mode proof | MSSP or RPO/RP |
| Wireless carrying or reaching CUI | Yes, where wireless encryption protects CUI | AC.L2-3.1.17 + SC.L2-3.13.11 | Wireless design, auth/encryption config, device authorization list, CMVP evidence | "WPA2/3" wording treated as sufficient without module proof | MSSP or network security provider |
| Mobile devices storing/processing/transmitting CUI | Yes, where encryption protects CUI on the device | AC.L2-3.1.19 + SC.L2-3.13.11 | MDM policy, device-encryption config, CMVP cert, asset inventory, SSP mapping | "Device encryption is on" with no cert/version/config mapping | MSSP or CUI enclave |
| CUI at rest (laptops, servers, removable media, backups) | Yes, where encryption protects confidentiality at rest | SC.L2-3.13.16, MP.L2-3.8.6, MP.L2-3.8.9 + SC.L2-3.13.11 | Storage/backup/media inventory, encryption product/module, CMVP cert, key-management notes | Backups and removable media left out of the FIPS inventory | MSSP, RPO/RP, or GRC platform |
| Encryption used for a non-CUI-confidentiality purpose inside a protected system | Not automatically — scope and purpose govern | 3.13.11 boundary/purpose language | Scope rationale, protected-environment description, physical/logical controls, data-flow map | "Any encryption anywhere" triggers FIPS — assumed incorrectly | RPO/RP for scoping |
| Internal switch/router passes encrypted traffic but doesn't decrypt/re-encrypt | Depends — prove the device's role in the CUI flow | Scope + 3.13.11 purpose test | Network diagram, device function, boundary rationale | Buying "FIPS routers" blindly without proving the crypto boundary | RPO/RP + network architect |
| Product says "FIPS compliant" but no CMVP module evidence | No — not sufficient | Assessment guidance + NIST CMVP | CMVP certificate, module name/version, security policy, vendor product-to-module confirmation | Confusing algorithm approval or marketing with module validation | RPO/RP or MSSP |
| Encryption exists but isn't validated at assessment | Conditional path only, under strict POA&M rules | 32 CFR §170.21 + §170.24 | Current encryption proof, gap description, POA&M, 180-day closeout plan | Treating a POA&M as a substitute for implementation | RPO/RP or readiness provider |
| No encryption where encryption is required for CUI | No conditional FIPS shortcut — larger gap | 32 CFR §170.24 scoring | Gap record, remediation plan, design decision, implementation evidence | "We'll just POA&M it" when nothing is encrypted | MSSP, enclave, or implementation partner |
In transit (SC.L2-3.13.8): when you encrypt CUI moving across a network, that encryption has to be validated. TLS and VPNs are the usual culprits — common, and commonly un-proven.
At rest (SC.L2-3.13.16): full-disk encryption on endpoints and servers, plus backups and removable media. Backups are the item teams forget to inventory.
Remote access (AC.L2-3.1.13): the crypto protecting remote sessions into a CUI environment must be validated — and, again, an approved algorithm alone won't do it.
Wireless (AC.L2-3.1.17) and mobile (AC.L2-3.1.19): where wireless or mobile encryption is used to protect CUI confidentiality, that encryption is in scope.
Internal network gear: a switch isn't automatically in scope just because it sits in the environment. The test is whether that device or its module is providing the cryptographic protection for CUI — terminating a tunnel, decrypting/re-encrypting CUI. Prove the role before you buy the 'FIPS' version.
The scope lever most contractors miss
Here’s the move that separates a six-figure project from a manageable one. Because 3.13.11 protects CUI specifically, if you isolate CUI into a dedicated enclave— a bounded environment where CUI lives and nowhere else — you can confine the FIPS-validated requirement to that boundaryinstead of hardening your entire company. The DoD’s own assessment guidance supports this thinking. Scope is not a loophole — it’s the legitimate lever. And whether a given system, switch, or cloud component is inside or outside your CUI boundary is exactly the determination to confirm with a Registered Practitioner before you spend.
For the cloud specifically, the rule is about the service provider’s baseline, not a brand name. Under DFARS 252.204-7012, an external cloud service provider used for covered defense information must meet security requirements equivalent to the FedRAMP Moderate baseline. Standard commercial Microsoft 365 does not meet DFARS 7012 for CUI. Microsoft’s government cloud carries a FedRAMP High authorization; AWS GovCloud (US) is FedRAMP High authorized as well. Do not rely on the brand name alone — verify the specific service, boundary, FedRAMP package or equivalency documentation, shared-responsibility matrix, and any CMVP evidence tied to your CUI use case. We go deeper on environment selection in our GCC High and AWS GovCloud breakdowns.
Have CUI flowing in places you hadn’t mapped?Tell us your level, scope, and timeline and we’ll match the gap to the right provider category — an RPO or MSSP to implement and document it, a CUI enclave to shrink where FIPS even applies, or a C3PAO only if you’re already assessment-ready. Readiness help and formal assessment stay separate, on purpose.
What evidence will an assessor or readiness reviewer ask for?
Assemble this once and it serves both a self-assessment and a C3PAO certification. Here’s the packet:
| Evidence item | Why it matters |
|---|---|
| CUI data-flow diagram | Shows where CUI is processed, stored, transmitted, and protected |
| CMMC assessment scope definition | Shows which systems/assets are in or out of scope |
| Asset inventory | Identifies every system involved in CUI handling |
| Encryption inventory | Shows every point where cryptography protects CUI |
| CMVP certificate number | Ties each protection point to validation evidence |
| Module version / build | Prevents "right module, wrong version" findings |
| Product-to-module mapping | Shows how a product uses the validated module inside it |
| FIPS-mode / configuration proof | Shows the module is operating in the approved mode |
| Security policy (from the certificate) | Confirms approved modes and operational environment |
| SSP control narrative for 3.13.11 | Connects your implementation to the requirement |
| Screenshots / config exports | Supports the "examine/test" side of the assessment |
| POA&M / operational plan of action | Only where truthful and permitted |
| Vendor clarification letter | Useful only alongside a CMVP mapping — never instead of one |
Want this as a one-pager? The CMMC Readiness Checklist puts the CMVP certificate items, module version, approved-mode proof, CUI-flow mapping, SSP narrative, and POA&M risk on a single sheet you can work from before you ever schedule an assessment.
How is FIPS-validated cryptography (3.13.11) scored in SPRS — and can you POA&M it?
Your SPRS score starts at 110 and you subtract points for gaps. Here’s the 3.13.11 truth table, straight from the regulation:
| Your situation | SPRS point impact | POA&M-eligible? |
|---|---|---|
| FIPS-validated crypto everywhere CUI is protected | 0 (full credit) | N/A — it's Met |
| Encryption employed, but not FIPS-validated | −3 | Yes — the only 5-point control with a carve-out |
| No encryption employed where required | −5 | No — this single gap can block conditional certification |
| Validation broke after a patch (running version no longer validated) | Scored "as implemented" if captured in a plan of action (a "temporary deficiency") | Treated as a temporary deficiency, not a standard POA&M gap |
The carve-out that makes 3.13.11 unusual
Under 32 CFR §170.21, POA&M items generally have to be worth 1 point or less— which means your 3-point and 5-point gaps must be closed before the assessment. There is exactly one exception in the entire Level 2 rule: SC.L2-3.13.11 may go on a POA&M when encryption is employed but not yet FIPS-validated— the −3 condition. If you’re in the no-encryptionstate (−5), that carve-out does not apply, it’s over the point limit, and it can stop your certification cold.
- If you already encrypt CUI with something— even a non-validated tool — you can potentially reach Conditional Level 2, put 3.13.11 on a POA&M, and have 180 days to get to a validated module.
- If you’re not encrypting CUI at all, that one gap is a −5 that can’t be deferred. This page should make you slower to schedule an assessment, not faster.
Two more rules bound this. To earn a Conditional status at all, your score divided by 110 must be at least 0.8 — an 88 — and your SSP (control 3.12.4) must be in place at the time of assessment. The POA&M closeout window is 180 days from your Conditional Status Date; miss it and the conditional status expires.
“Temporary deficiency” is not a free pass
The regulation and the DoD’s assessment methodology use 3.13.11 as their textbook example of a temporary deficiency: you had FIPS-validated cryptography implemented, then a patch changed the module so the running version was no longer the validated one. With a documented plan of action, that’s scored as implemented — because it’s a break after implementation, not a failure to implement. That is a genuine, government-recognized safety valve. It is not cover for never having stood the control up in the first place.
Why does the point math matter beyond the assessment? Because your SPRS submission and CMMC affirmations are compliance representations the Government relies on. Overstating them can create False Claims Act (FCA) risk — illustrated by the Department of Justice’s 2022 $9 millionAerojet Rocketdyne settlement over alleged cybersecurity misrepresentations. That case wasn’t about FIPS specifically, but the lesson generalizes: score honestly, document what’s real, and don’t let a validated-vs-compliant gap turn into a representation you can’t defend. More on how the whole score works in our CMMC Final Rule coverage.
What changes when FIPS 140-2 sunsets in September 2026?
The transition itself is settled fact, verified against NIST’s FIPS 140-3 transition materials on July 3, 2026: FIPS 140-3 was approved in March 2019 and became effective in September 2019; CMVP began issuing 140-3 validations in September 2020; it stopped accepting new 140-2 submissions after April 1, 2022; and 140-2 validations are accepted for CUI protection through September 21, 2026, after which they move to the Historical list. Even then, NIST allows those modules to keep serving existing systems — agencies simply should not build new systems on them.
| Your situation | Practical planning answer |
|---|---|
| Existing system on an Active 140-2 module today | Document the certificate, the system's use, and its configuration; it remains usable |
| New implementation before the transition | Prefer FIPS 140-3 where it exists; if you choose 140-2, document why |
| New implementation after the transition | Don't build on a 140-2-only certificate without explicit confirmation |
| Existing system after the transition | Treat as legacy/Historical; document the status and a replacement roadmap |
| Vendor has only 140-2 and no 140-3 roadmap | Get the roadmap, module status, and support window before you buy |
Questions to ask any vendor before you sign
- Is the module FIPS 140-2 or 140-3 validated?
- What's the CMVP certificate number?
- Is the certificate Active, Historical, or Revoked?
- Which product versions use that module?
- What configuration is required for approved mode?
- What's the FIPS 140-3 roadmap, and what happens after the 2026 transition?
- Can you provide evidence suitable for an SSP and assessment?
If your assessment window touches late 2026, don’t buy a FIPS 140-2-only product on faith.Map your situation first — the smarter move is often remediation, a managed environment, or a CUI enclave, not a rushed purchase you’ll have to justify to an assessor eight weeks later.
Does CMMC Level 1 require FIPS 140-2?
The trap here is drift. A company starts as FCI-only, wins work that involves CUI, and doesn’t re-scope. The contract clause and the data you actually handle set your level — not last year’s assessment. If there’s any chance CUI has entered your systems, treat FIPS as in play and re-check your scope. See our CMMC scoping guide if you’re not certain which you handle.
Which provider category helps with CMMC FIPS 140-2 requirements?
| Your FIPS problem | Likely provider category | What they should help with | What to verify before hiring |
|---|---|---|---|
| “You don't know where FIPS applies” | RPO/RP or readiness consultant | CUI scoping, control interpretation, SSP/evidence plan | CMMC experience, RP/RPO status if claimed, scoping methodology |
| “Endpoints/VPN/wireless/backups aren't configured or documented” | MSSP | Implementation, configuration, monitoring, evidence exports | FIPS-evidence experience, CUI-environment experience |
| “You want to reduce scope, not harden everything” | CUI enclave | Isolating CUI, shrinking the assessment boundary, standardized evidence | Boundary model, inheritance limits, and the CMVP certificate behind any FIPS claim |
| “You have controls but weak evidence” | GRC platform (+ RPO/RP) | Evidence repository, SSP/POA&M workflow, control mapping | CMMC/800-171 support, exportable evidence, no 'automation = compliance' overclaims |
| “You're ready for a formal Level 2 assessment” | C3PAO | The official certification assessment | Current Cyber AB Marketplace status, impartiality/conflict-of-interest process, scope readiness |
| “You're not sure which applies” | Find My CMMC Path | Maps level, CUI scope, assessment type, environment, and timeline to a category | Do not submit CUI or sensitive contract details |
Two cautions worth keeping. First, software alone does not make you CMMC compliant — a GRC platform or an enclave is a powerful layer, not the whole solution, and any vendor implying otherwise is overselling. Second, on assessment independence: Cyber AB’s authorization requirements call for C3PAOs to manage impartiality and conflict-of-interest risks. In practice, treat implementation/remediation and formal assessment as separate lanes.
Still deciding? Our CMMC provider-category guide breaks down what each type does.
Different FIPS gaps route to different categories.Give us your CMMC level, CUI scope, environment, and timeline, and we’ll help you compare provider categories — RPO/RP, MSSP, GRC platform, CUI enclave, or C3PAO — before you request a single quote.
The most common CMMC FIPS 140-2 mistakes
| Mistake | Why it’s risky | The fix |
|---|---|---|
| "Our vendor says FIPS compliant" | Marketing language isn't validated-module evidence | Pull the CMVP cert and map it to product/version/config |
| "We use AES-256" | An approved algorithm alone isn't enough | Verify the module is validated |
| "Everything on the network needs FIPS" | Over-scopes and burns budget | Map CUI flows and the actual crypto protection points |
| "Only email matters" | CUI also lives on endpoints, backups, remote sessions, mobile, media | Build a full CUI flow map |
| "We'll POA&M FIPS later" | The POA&M path is narrow and conditional | Confirm encryption exists and that the −3 conditions are met |
| "FIPS 140-2 is fine forever" | 140-2 goes Historical after the Sept. 2026 transition | Plan around 140-3 for new systems |
| "We turned on FIPS mode" | The setting alone may not prove validation | Tie the config to the certificate and security policy |
| "Our SSP says it, so it passes" | Evidence must be final and supported | Store certs/configs/screenshots and cross-reference them |
What we actually verified
- 32 CFR Part 170 — CMMC Level 2 is the 110 requirements of NIST SP 800-171 Rev. 2 across 14 families; Level 1 uses FAR 52.204-21.
- NIST SP 800-171 Rev. 2, §3.13.11 — the FIPS-validated cryptography requirement text.
- NIST SP 800-171A — the assessment objective for 3.13.11.
- DoD Assessment Methodology — an approved algorithm alone is not sufficient; the module must be separately validated; evidence objects; adjacent controls.
- NIST CMVP / FIPS 140-3 Transition — 140-2 accepted through Sept. 21, 2026, then Historical; Historical ≠ revoked; new 140-2 submissions closed after April 1, 2022.
- 32 CFR §170.24 — scoring: −3 (non-validated) / −5 (no encryption); evidence must be final, not draft.
- 32 CFR §170.21 — the SC.L2-3.13.11 POA&M carve-out; the 0.8 (88-point) threshold; the 180-day closeout.
- DFARS 252.204-7012 — "adequate security" via NIST SP 800-171, and the FedRAMP Moderate-equivalent requirement for cloud providers handling covered defense information.
- DFARS 252.204-7021 and 252.204-7025 — the CMMC contract clause (have/maintain status + affirmations) and the solicitation notice.
Regulation-stated vs. operationally-verified
The rule tells you what is required. Your evidence proves whether you meet it. Keep the two separate:
| Claim | What the source says | How you operationally verify it | Last verified |
|---|---|---|---|
| Level 2 control set | 110 NIST SP 800-171 Rev. 2 requirements (32 CFR Part 170) | Check the contract clause + your CUI scope | |
| FIPS requirement | Employ FIPS-validated cryptography for CUI confidentiality (§3.13.11) | CMVP certificate + version/config match | |
| 140-2 transition | Accepted through Sept. 21, 2026; Historical after transition (NIST CMVP) | Check each module's CMVP certificate status | |
| POA&M carve-out | 3.13.11 allowed only in the non-validated-encryption (−3) case (§170.21) | Confirm encryption exists; plan the 180-day closeout |
Frequently asked questions about CMMC FIPS 140-2 requirements
Does CMMC require FIPS 140-2 or FIPS 140-3?
CMMC Level 2 requires FIPS-validated cryptography wherever cryptography protects the confidentiality of CUI. FIPS 140-3 is the current validation path, but Active FIPS 140-2 modules remain accepted for CUI protection through September 21, 2026, after which FIPS 140-2 certificates move to NIST's Historical list for existing systems only.
Is "FIPS compliant" enough for CMMC?
No. For CMMC evidence you need a FIPS-validated cryptographic module — a CMVP certificate, the correct version, the correct configuration, and a clear tie to the CUI protection use case. The DoD's assessment guidance states that an approved algorithm alone is not sufficient.
Is AES-256 enough for CMMC FIPS requirements?
Not by itself. FIPS 197 approves the AES algorithm, but control 3.13.11 requires the cryptographic module implementing it to be separately validated under FIPS 140 and listed by the CMVP.
Does BitLocker meet CMMC FIPS requirements?
It can, but not automatically. Windows includes cryptographic modules that appear on NIST's CMVP list, and BitLocker can use them — but a product name is never the proof. The encryption only counts for control 3.13.11 when FIPS mode is enabled, the running version matches the validated module, and you can produce the certificate. Verify the specific version, module, certificate, and configuration for the systems you run rather than assuming a blanket yes.
Do all network switches and routers need FIPS 140-2?
No. A device is not in scope just because it is on the network. The question is whether that device or its cryptographic module is protecting CUI confidentiality — for example, terminating an encrypted session or decrypting and re-encrypting CUI traffic. Map the role before buying 'FIPS' hardware.
Can SC.L2-3.13.11 go on a POA&M?
Yes, but narrowly. Under 32 CFR §170.21 it may be placed on a POA&M only when encryption is employed but not FIPS-validated (a 3-point condition) and the other Level 2 conditional-status requirements are met, with a 180-day closeout. If no encryption is in place at all where required (a 5-point condition), it is not POA&M-eligible.
What happens to my FIPS 140-2 systems after September 2026?
They keep working, and NIST allows continued use for existing systems, but the certificates move to the Historical list and should not be built into new systems. Plan a FIPS 140-3 path for anything new near or after the September 21, 2026 transition.
Should I hire an RPO, MSSP, CUI enclave, GRC platform, or C3PAO for CMMC FIPS?
If you are still scoping, configuring, or building evidence, start with readiness, implementation, or evidence tooling — an RPO/RP, an MSSP, a GRC platform, or a CUI enclave. Engage a C3PAO when you are assessment-ready and need the official Level 2 certification, and keep implementation and assessment appropriately separate.
Choose the right CMMC path before you hire
Need help deciding what type of CMMC provider you need? Tell us your level, scope, and timeline, and we’ll match you with source-checked CMMC provider options.
Find My CMMC Path
Map your level, CUI scope, assessment type, environment, and timeline to the right provider category — before you request a single quote or sign a contract.
Related