The Defense Compliance ReportCMMC 2.0 & the Defense Industrial Base

CMMC Level 2 Controls

CMMC FIPS 140-2 Requirements: What Actually Counts for Level 2

By The Defense Compliance Report Editorial Team · Last reviewed: · Last verified:

The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We are not affiliated with the Cyber AB, the Department of Defense, DCMA DIBCAC, NIST, or any U.S. government agency.

Here’s the thing that trips up almost everyone who searches CMMC FIPS 140-2 requirements: your vendor’s datasheet says “FIPS compliant,” the rule says “FIPS-validated,” and nobody can tell you whether that one-word gap is going to cost you a contract.

For CMMC Level 2, FIPS 140-2 (and its successor, FIPS 140-3) matters in exactly one situation: when cryptography is the thing protecting the confidentiality of your Controlled Unclassified Information (CUI). When it is, the proof an assessor wants is a FIPS-validated cryptographic module— a module with a certificate on NIST’s Cryptographic Module Validation Program (CMVP) list, running in the right version and configuration — nota vendor’s “FIPS compliant” claim and not an approved algorithm alone.

That’s the bottom line. Two things make it more urgent than it looks: this is one of the controls assessors flag most often, and the point penalty for getting it wrong is one that many articles online report backwards. Stick with us to the scoring section — the number matters, because it decides whether you can defer this at all.

The CMMC FIPS answer in five rows

Your questionThe straight answer
Does CMMC require FIPS 140-2?Yes — indirectly. Level 2 requires FIPS-validated cryptography wherever cryptography protects CUI confidentiality (control 3.13.11). The valid certificate may be FIPS 140-2 or FIPS 140-3, depending on status and timing.
Is "FIPS compliant" good enough?No. You need a CMVP-validated module (certificate + matching version + correct configuration), not marketing language or an approved algorithm alone.
Does every device need FIPS?No. Start with your CUI data flows. FIPS applies where encryption is the control protecting CUI — not to every box on the network.
What changes in 2026?FIPS 140-2 certificates are accepted for CUI protection through September 21, 2026; after that they move to NIST's Historical list for existing systems only.
What if my encryption isn't validated?If you encrypt CUI but the module isn't validated, it's a −3 point gap that can go on a POA&M. If you don't encrypt CUI at all where required, it's a −5 point gap that can block your certification. (Yes — in that order. More below.)

This is for you if…

you handle CUI (or expect to), you’re preparing a Level 2 self-assessment or C3PAO certification, you’re the IT or MSP team assembling the evidence package, or you’re a prime or sub staring at a flow-down clause.

You can skip most of this if…

your contract is Level 1, FCI-only. FIPS-validated cryptography is a CUI requirement. Level 1 runs on the 15 basic safeguards in FAR 52.204-21 and does not invoke control 3.13.11. Jump to “Does CMMC Level 1 require FIPS 140-2?”

What are the CMMC FIPS 140-2 requirements?

The core requirement: SC.L2-3.13.11, which is NIST SP 800-171 Revision 2 control 3.13.11: “employ FIPS-validated cryptography when used to protect the confidentiality of CUI.” It applies to organizations handling CUI at Level 2 (and Level 3), it is assessed through NIST SP 800-171A, and it is not a blanket mandate that every contractor, device, or encryption function carry a FIPS certificate.

Where does this actually come from? It’s worth seeing the chain, because “CMMC FIPS 140-2 requirements” is really six documents pointing at one sentence:

What it establishesPrimary sourceWhat it actually says
The duty to protect CUI to a standardDFARS 252.204-7012, "adequate security"Provide adequate security on covered systems by implementing NIST SP 800-171.
The FIPS control itselfNIST SP 800-171 Rev. 2, §3.13.11Employ FIPS-validated cryptography to protect the confidentiality of CUI.
That CMMC Level 2 = these exact controls32 CFR Part 170 (incorporated by reference)CMMC Level 2 is the 110 requirements of NIST SP 800-171 Rev. 2 across 14 families — Revision 2, not Revision 3.
How it's assessedNIST SP 800-171AThe assessment objective for 3.13.11 asks whether FIPS-validated cryptography is employed to protect CUI.
The contract clause requiring the statusDFARS 252.204-7021Have and maintain a current CMMC status at the required level, and complete required affirmations in SPRS.
The solicitation notice of your levelDFARS 252.204-7025The provision that tells offerors which CMMC level the procurement requires.
The validation program & the deadlineNIST CMVPThe module needs a CMVP certificate; FIPS 140-2 certificates are accepted through Sept. 21, 2026, then move to Historical.

First: it’s Revision 2, not Revision 3. NIST published SP 800-171 Revision 3 in May 2024. For CMMC purposes today, ignore that instinct. CMMC Level 2 is locked to Revision 2 by 32 CFR Part 170. Unless and until DoD amends the rule, Rev. 3 does not govern your Level 2 obligations. Build to Rev. 2.

Second: this is the only control in 800-171 with the word “FIPS” in its text.Because only one control says “FIPS,” teams assume FIPS is a narrow, one-and-done checkbox. In practice, several controls quietly rely on cryptography (transmission, remote access, wireless, mobile, media, data at rest), and the moment any of them uses encryption to protect CUI, control 3.13.11 pulls that encryption into scope.

The uncomfortable truth: most FIPS failures aren’t “we have no encryption.” They’re “we can’t provethe exact validated module, the version it’s running, and the configuration it’s in.” Assessors see teams with perfectly reasonable encryption fail this control on documentation, not technology. If the gap is proof, the fix is usually verification and paperwork— not ripping out your stack and starting over.

The right CMMC provider depends on your actual gap. Use The Defense Compliance Report’s Find My CMMC Path tool to map your situation to the right provider category (RPO, MSSP, GRC platform, or CUI enclave) before you spend anything.

Find My CMMC Path →

Do not submit CUI, drawings, or sensitive contract details. Provider matching may generate referral or partner compensation, disclosed at the point of recommendation.

Does “FIPS compliant” count, or does CMMC require FIPS-validated cryptography?

Bottom line: “FIPS compliant” does notsatisfy CMMC by itself. The DoD’s assessment guidance is explicit: using an approved algorithm is not sufficient — the module that implements the algorithm must be separately validated under FIPS 140 and carry a CMVP certificate. “Compliant,” “capable,” and “equivalent” are not proof on their own, and treating them as proof is the most common way contractors fail this control.

People use “FIPS” to mean five different things. Only one of them reliably passes:

What people sayWhat it actually isDoes it satisfy 3.13.11?How an assessor treats it
"FIPS-validated module"A crypto module tested by an accredited lab that holds a CMVP certificateYes — when the certificate covers the running version and modeAccepted; the certificate number belongs in your SSP
"FIPS 140-2 vs FIPS 140-3"Both are genuine CMVP validationsYes — but 140-2 status changes at the 2026 transition140-3 (Active) preferred; 140-2 usable for existing systems, not new builds after the transition
"We use AES" / an approved algorithmFIPS 197 approves the AES algorithm; the implementation isn't separately validatedNo, by itselfNot sufficient — the module must be validated
"FIPS compliant / capable / equivalent"Vendor language that may or may not have a validated module behind itNot on its ownNot accepted as proof — the classic finding; ask for the certificate
"We turned on FIPS mode"A setting (e.g., a Windows Group Policy) that restricts algorithmsOnly if the underlying module is validated and the running version matches the certificateThe setting alone isn't proof; assessors check the whole evidence chain

This isn’t a theoretical distinction — it has a track record. In one multi-year practitioner review, 83% of assessed contractors failed control 3.13.11, and the report pointed to reliance on “FIPS compliant” cryptography instead of FIPS-validated cryptography. Treat that as historical practitioner data rather than a current DoD-wide failure rate — but the pattern hasn’t changed.

A weak claim vs. a usable evidence packet

Weak (fails)

“Our laptops are encrypted with BitLocker and it’s FIPS compliant.”

No module, no certificate, no version, no configuration.

Usable (passes scrutiny)

“CUI at rest on laptops is protected by [disk-encryption product], which uses [cryptographic module name], CMVP certificate #[number], validated to FIPS 140-[2/3], running version [x], in FIPS-approved mode per Group Policy [setting]. Evidence: certificate PDF, module version screenshot, GPO export. Mapped to SC.L2-3.13.16 and SC.L2-3.13.11 in the SSP.”

Same laptop. One is a finding; the other is a pass. The difference is entirely proof.

The trap inside the trap: product ≠ module ≠ version ≠ configuration

A productcan contain a validated module without the product itself being “the certificate.” Take BitLocker: Windows ships with cryptographic modules that appear on NIST’s CMVP list, and BitLocker can use them — but the product name is never your evidence. The encryption only counts when FIPS mode is enabled, the version you’re running matches the validated module, and you can produce the certificate. If your installed build has drifted past the validated version, or you’re running it in a mode the certificate doesn’t cover, you have a validated module on paper and an evidence gap in reality.

So the real question is never “is this product FIPS?” It’s four questions stacked:

  1. 1Is there a CMVP certificate for the module inside this product?
  2. 2Does the certificate cover the version we're actually running?
  3. 3Are we running it in the approved mode/configuration the security policy requires?
  4. 4Can we map the product to the module clearly enough for an assessor to follow?

Miss any one of those and “we’re FIPS” becomes “we thought we were.”

Not sure whether your encryption is validated or just “FIPS-capable”? Before you replace a single tool, map your level, CUI flows, assessment type, and timeline with The Defense Compliance Report’s Find My CMMC Path tool— it points you to the provider category that fits your actual gap, so you don’t overbuy hardware you may not need.

Map my CMMC path →

How do I verify my cryptography is actually FIPS-validated?

Answer capsule: Find the exact cryptographic module name and version behind each tool that protects CUI, then look it up in NIST’s CMVP Validated Modules search. An Active FIPS 140-3 certificate is the strongest evidence — provided the module, running version, approved mode, and CUI use case all match. A FIPS 140-2 certificate is valid today but moves to Historical after the September 21, 2026 transition. If you cannot point to a CMVP certificate for the module you rely on, you have not proven validation for control 3.13.11 — and unproven is treated as unmet.

This is a workflow you can run yourself in an afternoon:

  1. 1Identify the module, not just the product. For each tool protecting CUI (disk encryption, VPN, TLS termination, email/file platform, backup, MDM), find the cryptographic module name and version. This is usually in the vendor's compliance or security documentation, not the marketing page.
  2. 2Search the CMVP list. Look the module up in NIST’s CMVP validated-modules search. CMVP is the joint NIST / Canadian Centre for Cyber Security program that tests and publishes validated modules — it is the authoritative source. The listing gives you the certificate number, vendor, standard (140-2 or 140-3), status, and a link to the security policy.
  3. 3Confirm the version and mode match. Check that the version you're running is the version on the certificate, and that your configuration matches the approved mode in the security policy. This is the step most people skip.
  4. 4Record it as evidence. Capture, for each protection point: certificate number, module name and version, standard (140-2/140-3), status (Active/Historical), the operational environment, and where it sits in your CUI flow. Note the product-to-module mapping if the module is embedded in a larger product.
  5. 5Write it into your System Security Plan (SSP). The SSP is where this becomes assessable. An assessor should be able to read your 3.13.11 narrative and trace each place CUI is encrypted to a certificate you can produce.

What to highlight when you pull a CMVP certificate: the certificate number, the module name, the standard (FIPS 140-2 or 140-3), the status (Active or Historical), the version/build it covers, and the security policy(which spells out the approved operating mode). Those six items are the spine of your evidence — an annotated screenshot of that certificate entry is exactly the kind of proof object assessors like.

One caution NIST states plainly: for federal purposes, if cryptography is required to protect information and the cryptography is not validated, it’s treated as providing no protection at all— as if the data were plaintext. “Encrypted but not validated” doesn’t earn partial trust from the standard; it’s the validation that counts.

Your FIPS evidence self-check (copy this)

Run every place CUI lives through these columns. If any cell is blank or “unknown,” that’s your gap list — and your to-do list before an assessment.

CUI touchpointProtection mechanismModule + CMVP cert #FIPS 140-2 or 140-3Cert statusRunning version matches?Approved mode evidenceNew or existing system?
Email / file sharing
Endpoint / laptop (at rest)
File server (at rest)
Backups
Remote access / VPN
Wireless
Mobile devices
Removable media

Where does FIPS-validated cryptography actually apply in a CMMC Level 2 environment?

Answer capsule: FIPS-validated cryptography applies wherever cryptography is the mechanism protecting CUI confidentiality — most commonly CUI in transit, CUI at rest, remote access, wireless, mobile devices, portable media, and backups. It does notmean every internal device automatically needs a certificate. Scope is driven by where CUI actually flows and where encryption is doing the protecting, which is why scoping your CUI boundary is the single highest-leverage cost decision you’ll make.

The CMMC FIPS Obligation & Evidence Matrix

CUI scenario / data flowFIPS-validated crypto required?Control driversEvidence to collectMost common failureProvider category if there's a gap
CUI in transit (email, SFTP, API, TLS, VPN, external connections)Yes, when cryptography protects CUI confidentialitySC.L2-3.13.8 + SC.L2-3.13.11CUI flow diagram, protocol/config export, CMVP cert #, module version, FIPS-mode proof, SSP narrative"We use TLS/AES" with no validated-module or version proofMSSP, RPO/RP, or CUI enclave
Remote access into a CUI-capable environmentYes — remote-session crypto protecting CUI must meet 3.13.11AC.L2-3.1.13 + SC.L2-3.13.11Remote-access architecture, cryptographic mechanism, CMVP cert, remote-access policy, logsRemote tool is encrypted but not validated, or no FIPS-mode proofMSSP or RPO/RP
Wireless carrying or reaching CUIYes, where wireless encryption protects CUIAC.L2-3.1.17 + SC.L2-3.13.11Wireless design, auth/encryption config, device authorization list, CMVP evidence"WPA2/3" wording treated as sufficient without module proofMSSP or network security provider
Mobile devices storing/processing/transmitting CUIYes, where encryption protects CUI on the deviceAC.L2-3.1.19 + SC.L2-3.13.11MDM policy, device-encryption config, CMVP cert, asset inventory, SSP mapping"Device encryption is on" with no cert/version/config mappingMSSP or CUI enclave
CUI at rest (laptops, servers, removable media, backups)Yes, where encryption protects confidentiality at restSC.L2-3.13.16, MP.L2-3.8.6, MP.L2-3.8.9 + SC.L2-3.13.11Storage/backup/media inventory, encryption product/module, CMVP cert, key-management notesBackups and removable media left out of the FIPS inventoryMSSP, RPO/RP, or GRC platform
Encryption used for a non-CUI-confidentiality purpose inside a protected systemNot automatically — scope and purpose govern3.13.11 boundary/purpose languageScope rationale, protected-environment description, physical/logical controls, data-flow map"Any encryption anywhere" triggers FIPS — assumed incorrectlyRPO/RP for scoping
Internal switch/router passes encrypted traffic but doesn't decrypt/re-encryptDepends — prove the device's role in the CUI flowScope + 3.13.11 purpose testNetwork diagram, device function, boundary rationaleBuying "FIPS routers" blindly without proving the crypto boundaryRPO/RP + network architect
Product says "FIPS compliant" but no CMVP module evidenceNo — not sufficientAssessment guidance + NIST CMVPCMVP certificate, module name/version, security policy, vendor product-to-module confirmationConfusing algorithm approval or marketing with module validationRPO/RP or MSSP
Encryption exists but isn't validated at assessmentConditional path only, under strict POA&M rules32 CFR §170.21 + §170.24Current encryption proof, gap description, POA&M, 180-day closeout planTreating a POA&M as a substitute for implementationRPO/RP or readiness provider
No encryption where encryption is required for CUINo conditional FIPS shortcut — larger gap32 CFR §170.24 scoringGap record, remediation plan, design decision, implementation evidence"We'll just POA&M it" when nothing is encryptedMSSP, enclave, or implementation partner

Source basis: CMMC Level 2 maps to NIST SP 800-171 Rev. 2 (32 CFR Part 170); NIST SP 800-171A defines the 3.13.11 assessment objective; the DoD assessment guidance explains the module-validation requirement and the adjacent controls; NIST CMVP governs the 140-2/140-3 transition; 32 CFR §§170.21 and 170.24 set the POA&M and scoring consequences.

In transit (SC.L2-3.13.8): when you encrypt CUI moving across a network, that encryption has to be validated. TLS and VPNs are the usual culprits — common, and commonly un-proven.

At rest (SC.L2-3.13.16): full-disk encryption on endpoints and servers, plus backups and removable media. Backups are the item teams forget to inventory.

Remote access (AC.L2-3.1.13): the crypto protecting remote sessions into a CUI environment must be validated — and, again, an approved algorithm alone won't do it.

Wireless (AC.L2-3.1.17) and mobile (AC.L2-3.1.19): where wireless or mobile encryption is used to protect CUI confidentiality, that encryption is in scope.

Internal network gear: a switch isn't automatically in scope just because it sits in the environment. The test is whether that device or its module is providing the cryptographic protection for CUI — terminating a tunnel, decrypting/re-encrypting CUI. Prove the role before you buy the 'FIPS' version.

The scope lever most contractors miss

Here’s the move that separates a six-figure project from a manageable one. Because 3.13.11 protects CUI specifically, if you isolate CUI into a dedicated enclave— a bounded environment where CUI lives and nowhere else — you can confine the FIPS-validated requirement to that boundaryinstead of hardening your entire company. The DoD’s own assessment guidance supports this thinking. Scope is not a loophole — it’s the legitimate lever. And whether a given system, switch, or cloud component is inside or outside your CUI boundary is exactly the determination to confirm with a Registered Practitioner before you spend.

For the cloud specifically, the rule is about the service provider’s baseline, not a brand name. Under DFARS 252.204-7012, an external cloud service provider used for covered defense information must meet security requirements equivalent to the FedRAMP Moderate baseline. Standard commercial Microsoft 365 does not meet DFARS 7012 for CUI. Microsoft’s government cloud carries a FedRAMP High authorization; AWS GovCloud (US) is FedRAMP High authorized as well. Do not rely on the brand name alone — verify the specific service, boundary, FedRAMP package or equivalency documentation, shared-responsibility matrix, and any CMVP evidence tied to your CUI use case. We go deeper on environment selection in our GCC High and AWS GovCloud breakdowns.

Have CUI flowing in places you hadn’t mapped?Tell us your level, scope, and timeline and we’ll match the gap to the right provider category — an RPO or MSSP to implement and document it, a CUI enclave to shrink where FIPS even applies, or a C3PAO only if you’re already assessment-ready. Readiness help and formal assessment stay separate, on purpose.

Get matched to a provider category →

No CUI in the form.

What evidence will an assessor or readiness reviewer ask for?

Answer capsule: An assessor connects each CUI flow to a protection mechanism, a validated module, a configuration, a certificate status, and an SSP narrative. Under the CMMC scoring methodology in 32 CFR §170.24, that evidence must be final and approved — drafts, working papers, and unofficial or unapproved policies are not acceptable.

Assemble this once and it serves both a self-assessment and a C3PAO certification. Here’s the packet:

Evidence itemWhy it matters
CUI data-flow diagramShows where CUI is processed, stored, transmitted, and protected
CMMC assessment scope definitionShows which systems/assets are in or out of scope
Asset inventoryIdentifies every system involved in CUI handling
Encryption inventoryShows every point where cryptography protects CUI
CMVP certificate numberTies each protection point to validation evidence
Module version / buildPrevents "right module, wrong version" findings
Product-to-module mappingShows how a product uses the validated module inside it
FIPS-mode / configuration proofShows the module is operating in the approved mode
Security policy (from the certificate)Confirms approved modes and operational environment
SSP control narrative for 3.13.11Connects your implementation to the requirement
Screenshots / config exportsSupports the "examine/test" side of the assessment
POA&M / operational plan of actionOnly where truthful and permitted
Vendor clarification letterUseful only alongside a CMVP mapping — never instead of one
A sample SSP evidence row (what “good” looks like): “SC.L2-3.13.11 — CUI in transit over the site-to-site VPN is protected by [VPN product], using [module name], CMVP cert #[number], FIPS 140-3, version [x], operated in FIPS mode per [config reference]. Evidence: certificate PDF, running-config export, module-version screenshot. Related: SC.L2-3.13.8, SC.L2-3.13.10. Owner: [role].”
What not to lean on: “AES-256” as a standalone claim. “FIPS compliant” marketing copy. Old screenshots with no version. A vendor letter with no CMVP mapping. Draft policies. Unapproved procedures. “We turned on FIPS mode” with nothing tying it to a certificate. Each of those is a finding waiting to happen.

Want this as a one-pager? The CMMC Readiness Checklist puts the CMVP certificate items, module version, approved-mode proof, CUI-flow mapping, SSP narrative, and POA&M risk on a single sheet you can work from before you ever schedule an assessment.

Get the FIPS evidence checklist →

How is FIPS-validated cryptography (3.13.11) scored in SPRS — and can you POA&M it?

Answer capsule: Under 32 CFR §170.24, control 3.13.11 has a special partial-credit rule. If you encrypt CUI but the module is not FIPS-validated, you lose 3 points. If you don’t encrypt CUI at all where encryption is required, you lose 5 points. FIPS-validated everywhere means no deduction. And 3.13.11 is the only5-point Level 2 control that can be placed on a POA&M — but only in the “encryption employed, not validated” (−3) case.

Your SPRS score starts at 110 and you subtract points for gaps. Here’s the 3.13.11 truth table, straight from the regulation:

Your situationSPRS point impactPOA&M-eligible?
FIPS-validated crypto everywhere CUI is protected0 (full credit)N/A — it's Met
Encryption employed, but not FIPS-validated−3Yes — the only 5-point control with a carve-out
No encryption employed where required−5No — this single gap can block conditional certification
Validation broke after a patch (running version no longer validated)Scored "as implemented" if captured in a plan of action (a "temporary deficiency")Treated as a temporary deficiency, not a standard POA&M gap
The correction we’re publishing on purpose: several widely read pages report these penalties backwards— claiming non-validated encryption costs −5 and no encryption costs −3. The regulation is explicit, and it’s the reverse. Non-validated encryption = −3. No encryption = −5.We verified this against 32 CFR §170.24, the DoD’s CMMC-to-NIST alignment materials, and the DoD’s NIST SP 800-171 Assessment Methodology — all three agree. If a consultant tells you otherwise, ask them to show you the CFR.

The carve-out that makes 3.13.11 unusual

Under 32 CFR §170.21, POA&M items generally have to be worth 1 point or less— which means your 3-point and 5-point gaps must be closed before the assessment. There is exactly one exception in the entire Level 2 rule: SC.L2-3.13.11 may go on a POA&M when encryption is employed but not yet FIPS-validated— the −3 condition. If you’re in the no-encryptionstate (−5), that carve-out does not apply, it’s over the point limit, and it can stop your certification cold.

Two more rules bound this. To earn a Conditional status at all, your score divided by 110 must be at least 0.8 — an 88 — and your SSP (control 3.12.4) must be in place at the time of assessment. The POA&M closeout window is 180 days from your Conditional Status Date; miss it and the conditional status expires.

“Temporary deficiency” is not a free pass

The regulation and the DoD’s assessment methodology use 3.13.11 as their textbook example of a temporary deficiency: you had FIPS-validated cryptography implemented, then a patch changed the module so the running version was no longer the validated one. With a documented plan of action, that’s scored as implemented — because it’s a break after implementation, not a failure to implement. That is a genuine, government-recognized safety valve. It is not cover for never having stood the control up in the first place.

Why does the point math matter beyond the assessment? Because your SPRS submission and CMMC affirmations are compliance representations the Government relies on. Overstating them can create False Claims Act (FCA) risk — illustrated by the Department of Justice’s 2022 $9 millionAerojet Rocketdyne settlement over alleged cybersecurity misrepresentations. That case wasn’t about FIPS specifically, but the lesson generalizes: score honestly, document what’s real, and don’t let a validated-vs-compliant gap turn into a representation you can’t defend. More on how the whole score works in our CMMC Final Rule coverage.

What changes when FIPS 140-2 sunsets in September 2026?

Answer capsule: NIST’s CMVP accepts FIPS 140-2 modules for protecting CUI through September 21, 2026. After that transition point, FIPS 140-2 certificates move to the Historical list— meaning they can still be used for existing systems, but should not be built into new systems. “Historical” does not mean revoked. For new CMMC implementations landing near or after that date, plan around FIPS 140-3 or confirm the legacy path explicitly before you rely on it.

The transition itself is settled fact, verified against NIST’s FIPS 140-3 transition materials on July 3, 2026: FIPS 140-3 was approved in March 2019 and became effective in September 2019; CMVP began issuing 140-3 validations in September 2020; it stopped accepting new 140-2 submissions after April 1, 2022; and 140-2 validations are accepted for CUI protection through September 21, 2026, after which they move to the Historical list. Even then, NIST allows those modules to keep serving existing systems — agencies simply should not build new systems on them.

Your situationPractical planning answer
Existing system on an Active 140-2 module todayDocument the certificate, the system's use, and its configuration; it remains usable
New implementation before the transitionPrefer FIPS 140-3 where it exists; if you choose 140-2, document why
New implementation after the transitionDon't build on a 140-2-only certificate without explicit confirmation
Existing system after the transitionTreat as legacy/Historical; document the status and a replacement roadmap
Vendor has only 140-2 and no 140-3 roadmapGet the roadmap, module status, and support window before you buy

Questions to ask any vendor before you sign

The timing that should be on your calendar in red: The FIPS 140-2 transition (September 21, 2026) lands roughly seven weeks before CMMC Phase 2 begins on November 10, 2026— the point when a third-party Level 2 assessment becomes the standard for applicable contracts. The exact window when many contractors will be finalizing evidence for a C3PAO assessment is the same window when 140-2 certificates go Historical. If you’re deploying new CUI infrastructure in the back half of 2026, that convergence is not a coincidence you want to discover during your assessment.

If your assessment window touches late 2026, don’t buy a FIPS 140-2-only product on faith.Map your situation first — the smarter move is often remediation, a managed environment, or a CUI enclave, not a rushed purchase you’ll have to justify to an assessor eight weeks later.

Check my 2026 FIPS risk →

Does CMMC Level 1 require FIPS 140-2?

Answer: No.Control 3.13.11 protects CUI, and CMMC Level 1 covers only Federal Contract Information (FCI) under FAR 52.204-21 — the 15 basic safeguards, not the 110 NIST SP 800-171 Rev. 2 requirements. If CUI enters your environment, re-check the contract clause, your CUI scope, and your assessment type. Handling CUI generally moves the analysis to Level 2, because Level 2 is the level built on NIST SP 800-171 Rev. 2, including control 3.13.11.

The trap here is drift. A company starts as FCI-only, wins work that involves CUI, and doesn’t re-scope. The contract clause and the data you actually handle set your level — not last year’s assessment. If there’s any chance CUI has entered your systems, treat FIPS as in play and re-check your scope. See our CMMC scoping guide if you’re not certain which you handle.

Which provider category helps with CMMC FIPS 140-2 requirements?

Answer capsule: Most FIPS problems are readiness, scoping, implementation, or evidence problems before they are formal-assessment problems. A C3PAO is the right call only when you’re assessment-ready. If you still need to map CUI flows, configure tools, build the SSP, remediate endpoints, or assemble evidence, you likely need an RPO/RP, an MSSP, a GRC platform, or a CUI enclave first — and readiness work and formal assessment must stay separate.
Your FIPS problemLikely provider categoryWhat they should help withWhat to verify before hiring
You don't know where FIPS appliesRPO/RP or readiness consultantCUI scoping, control interpretation, SSP/evidence planCMMC experience, RP/RPO status if claimed, scoping methodology
Endpoints/VPN/wireless/backups aren't configured or documentedMSSPImplementation, configuration, monitoring, evidence exportsFIPS-evidence experience, CUI-environment experience
You want to reduce scope, not harden everythingCUI enclaveIsolating CUI, shrinking the assessment boundary, standardized evidenceBoundary model, inheritance limits, and the CMVP certificate behind any FIPS claim
You have controls but weak evidenceGRC platform (+ RPO/RP)Evidence repository, SSP/POA&M workflow, control mappingCMMC/800-171 support, exportable evidence, no 'automation = compliance' overclaims
You're ready for a formal Level 2 assessmentC3PAOThe official certification assessmentCurrent Cyber AB Marketplace status, impartiality/conflict-of-interest process, scope readiness
You're not sure which appliesFind My CMMC PathMaps level, CUI scope, assessment type, environment, and timeline to a categoryDo not submit CUI or sensitive contract details

Two cautions worth keeping. First, software alone does not make you CMMC compliant — a GRC platform or an enclave is a powerful layer, not the whole solution, and any vendor implying otherwise is overselling. Second, on assessment independence: Cyber AB’s authorization requirements call for C3PAOs to manage impartiality and conflict-of-interest risks. In practice, treat implementation/remediation and formal assessment as separate lanes.

Disclosure: The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification.

Still deciding? Our CMMC provider-category guide breaks down what each type does.

Different FIPS gaps route to different categories.Give us your CMMC level, CUI scope, environment, and timeline, and we’ll help you compare provider categories — RPO/RP, MSSP, GRC platform, CUI enclave, or C3PAO — before you request a single quote.

Compare provider categories →

The most common CMMC FIPS 140-2 mistakes

Answer capsule: The recurring mistakes are scope mistakes and proof mistakes: trusting “FIPS compliant” marketing, assuming every device needs a certificate, forgetting backups and removable media and remote access, relying on an algorithm name, ignoring the 2026 transition, and scheduling an assessment before the evidence is final.
MistakeWhy it’s riskyThe fix
"Our vendor says FIPS compliant"Marketing language isn't validated-module evidencePull the CMVP cert and map it to product/version/config
"We use AES-256"An approved algorithm alone isn't enoughVerify the module is validated
"Everything on the network needs FIPS"Over-scopes and burns budgetMap CUI flows and the actual crypto protection points
"Only email matters"CUI also lives on endpoints, backups, remote sessions, mobile, mediaBuild a full CUI flow map
"We'll POA&M FIPS later"The POA&M path is narrow and conditionalConfirm encryption exists and that the −3 conditions are met
"FIPS 140-2 is fine forever"140-2 goes Historical after the Sept. 2026 transitionPlan around 140-3 for new systems
"We turned on FIPS mode"The setting alone may not prove validationTie the config to the certificate and security policy
"Our SSP says it, so it passes"Evidence must be final and supportedStore certs/configs/screenshots and cross-reference them

What we actually verified

Everything on this page is traced to a primary source. On we verified the control text and mapping, the assessment objective, the DoD’s FIPS explanation, the CMVP transition dates, the scoring and POA&M rules, the contract clauses, and the phased-rollout timing against the issuing authorities below.

What we did not independently re-test: any single vendor’s current CMVP certificate for your specific module and version. Certificate status is tied to your exact build and configuration, so verify your own against the CMVP list before you rely on it.

Regulation-stated vs. operationally-verified

The rule tells you what is required. Your evidence proves whether you meet it. Keep the two separate:

ClaimWhat the source saysHow you operationally verify itLast verified
Level 2 control set110 NIST SP 800-171 Rev. 2 requirements (32 CFR Part 170)Check the contract clause + your CUI scope
FIPS requirementEmploy FIPS-validated cryptography for CUI confidentiality (§3.13.11)CMVP certificate + version/config match
140-2 transitionAccepted through Sept. 21, 2026; Historical after transition (NIST CMVP)Check each module's CMVP certificate status
POA&M carve-out3.13.11 allowed only in the non-validated-encryption (−3) case (§170.21)Confirm encryption exists; plan the 180-day closeout

Frequently asked questions about CMMC FIPS 140-2 requirements

Does CMMC require FIPS 140-2 or FIPS 140-3?

CMMC Level 2 requires FIPS-validated cryptography wherever cryptography protects the confidentiality of CUI. FIPS 140-3 is the current validation path, but Active FIPS 140-2 modules remain accepted for CUI protection through September 21, 2026, after which FIPS 140-2 certificates move to NIST's Historical list for existing systems only.

Is "FIPS compliant" enough for CMMC?

No. For CMMC evidence you need a FIPS-validated cryptographic module — a CMVP certificate, the correct version, the correct configuration, and a clear tie to the CUI protection use case. The DoD's assessment guidance states that an approved algorithm alone is not sufficient.

Is AES-256 enough for CMMC FIPS requirements?

Not by itself. FIPS 197 approves the AES algorithm, but control 3.13.11 requires the cryptographic module implementing it to be separately validated under FIPS 140 and listed by the CMVP.

Does BitLocker meet CMMC FIPS requirements?

It can, but not automatically. Windows includes cryptographic modules that appear on NIST's CMVP list, and BitLocker can use them — but a product name is never the proof. The encryption only counts for control 3.13.11 when FIPS mode is enabled, the running version matches the validated module, and you can produce the certificate. Verify the specific version, module, certificate, and configuration for the systems you run rather than assuming a blanket yes.

Do all network switches and routers need FIPS 140-2?

No. A device is not in scope just because it is on the network. The question is whether that device or its cryptographic module is protecting CUI confidentiality — for example, terminating an encrypted session or decrypting and re-encrypting CUI traffic. Map the role before buying 'FIPS' hardware.

Can SC.L2-3.13.11 go on a POA&M?

Yes, but narrowly. Under 32 CFR §170.21 it may be placed on a POA&M only when encryption is employed but not FIPS-validated (a 3-point condition) and the other Level 2 conditional-status requirements are met, with a 180-day closeout. If no encryption is in place at all where required (a 5-point condition), it is not POA&M-eligible.

What happens to my FIPS 140-2 systems after September 2026?

They keep working, and NIST allows continued use for existing systems, but the certificates move to the Historical list and should not be built into new systems. Plan a FIPS 140-3 path for anything new near or after the September 21, 2026 transition.

Should I hire an RPO, MSSP, CUI enclave, GRC platform, or C3PAO for CMMC FIPS?

If you are still scoping, configuring, or building evidence, start with readiness, implementation, or evidence tooling — an RPO/RP, an MSSP, a GRC platform, or a CUI enclave. Engage a C3PAO when you are assessment-ready and need the official Level 2 certification, and keep implementation and assessment appropriately separate.

Choose the right CMMC path before you hire

Need help deciding what type of CMMC provider you need? Tell us your level, scope, and timeline, and we’ll match you with source-checked CMMC provider options.

Do not submit CUI, drawings, export-controlled technical data, or sensitive contract details through this form.

Find My CMMC Path

Map your level, CUI scope, assessment type, environment, and timeline to the right provider category — before you request a single quote or sign a contract.

Find My CMMC Path →

The Defense Compliance Report is the independent trade publication and decision resource for CMMC and Defense Industrial Base compliance. This is educational research, not legal, contractual, or compliance advice. The contract clause and your CUI handling set your level, not a checklist. Confirm scope and applicability with a CMMC Registered Practitioner (RP/RPO) or a qualified federal-contracts attorney before you act. For more on how we work, see our editorial standards, our sourcing and verification methodology, and our corrections policy. Last reviewed: · Last verified: