FIPS Encryption Requirements in CMMC and NIST SP 800-171


When handling Controlled Unclassified Information (CUI), compliance with NIST SP 800-171 and the CMMC framework mandates strict data protection measures—including the use of FIPS-validated encryption in specific scenarios.

But one requirement that consistently generates questions is exactly what “FIPS-validated” means in practice, where it applies, and how it differs from the looser “FIPS-compliant” language that appears in many vendor datasheets. This post breaks down the requirement plainly, points to the exact controls that invoke it, and explains your options when full validation isn’t immediately achievable.

What is FIPS Encryption?

FIPS stands for Federal Information Processing Standards, and FIPS 140-2 (and now FIPS 140-3) is a U.S. government standard that specifies security requirements for cryptographic modules. To meet FIPS requirements, encryption algorithms and their implementations must be validated by the Cryptographic Module Validation Program (CMVP).

⚠ Important Warning

FIPS 140-2 certificates expire on September 21, 2026, so every module in scope must be verified as FIPS 140-3 validated before then, or else documented as a temporary deficiency.

Relevance in NIST SP 800-171

NIST SP 800-171 governs how CUI must be protected in non-federal systems. Specific requirements within the document point to FIPS encryption:
 
Control Requirement
3.1.13 Use cryptographic methods to protect the confidentiality of remote access sessions.
3.1.17 Protect wireless access using authentication and encryption.
3.1.19 Encrypt CUI on mobile devices and mobile computing platforms.
3.8.6 Use cryptographic mechanisms to protect CUI on digital media during transport.
3.13.8 Use cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission.
3.13.11 Employ FIPS-validated cryptography when used to protect the confidentiality of CUI. This is the anchor control—it explicitly names the FIPS validation requirement.
3.13.15 Protect the authenticity of communications sessions.
3.13.16 Protect the confidentiality of CUI at rest.

The practical consequence is straightforward: CUI must be protected by FIPS-validated cryptography both at rest and in transit. This spans VPN clients, TLS configurations, full-disk encryption tools, and any application that stores or transmits CUI.

It’s important to note that merely using a FIPS-approved algorithm (e.g., AES) is not sufficient; the software or hardware implementation must be FIPS 140-2 or 140-3 “Validated,” not “Equivalent” or “Compliant.”

Implications for CMMC

CMMC Level 2 aligns with NIST SP 800-171, which applies to contractors handling CUI. Therefore, the same FIPS encryption expectations apply under CMMC.

CMMC Level 1 does not require FIPS encryption, since it applies only to the basic safeguarding of Federal Contract Information (FCI), not CUI.

How to Comply

To comply with FIPS encryption requirements:

  1. Use only validated cryptographic modules from the NIST CMVP Validated Modules List. Check every cryptographic tool in your environment—VPNs, disk encryption, TLS libraries—against the NIST CMVP Validated Modules List. A vendor claiming “FIPS-compliant” is not sufficient; the module must appear on the list.
  2. Verify your software is FIPS 140-validated—not just “FIPS-compliant” or “FIPS-equivalent.” This applies to VPNs, full disk encryption tools, TLS libraries, and any other software handling CUI.
  3. Enable FIPS mode in operating systems and applications when applicable. For example, Windows has a Group Policy setting that enables FIPS mode system-wide. Enabling the feature is not the same as having it on by default—verify it is active.
  4. Document the cryptographic solutions in your System Security Plan (SSP) and include validation evidence. Vague references to “AES encryption” are not sufficient. Include CMVP certificate numbers and confirm FIPS 140-3 status ahead of the September 21, 2026 deadline.
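The SSP review in steps 1, 2 and 4 can be scripted against the inventory you keep of cryptographic components. The following is an added example, not from the original post; the inventory records, their field names and the CERT-PLACEHOLDER certificate numbers are constructed for illustration, and the sunset date is the one given above.

```python
"""Flag FIPS gaps in an SSP cryptographic inventory (added example; constructed data)."""
from datetime import date

# Date on which FIPS 140-2 certificates cease to be current (from the post above).
FIPS_140_2_SUNSET = date(2026, 9, 21)

# Constructed inventory, modelled on what an SSP appendix might record per component.
# "claim" is the vendor's wording; only "validated" counts for control 3.13.11.
INVENTORY = [
    {"component": "Site-to-site VPN gateway", "claim": "validated",
     "cmvp_cert": "CERT-PLACEHOLDER", "standard": "140-3"},
    {"component": "Laptop full-disk encryption", "claim": "validated",
     "cmvp_cert": "CERT-PLACEHOLDER", "standard": "140-2"},
    {"component": "File-share TLS frontend", "claim": "compliant",
     "cmvp_cert": None, "standard": "140-2"},
    {"component": "Backup agent", "claim": "AES-256",
     "cmvp_cert": None, "standard": None},
]


def assess(entry, today):
    """Return the list of findings for one entry; an empty list means no gap."""
    findings = []
    if entry["claim"] != "validated":
        findings.append(f'vendor claim is "{entry["claim"]}", not FIPS 140 validated (3.13.11)')
    if not entry["cmvp_cert"]:
        findings.append("no CMVP certificate number recorded in the SSP")
    if entry["standard"] == "140-2":
        days = (FIPS_140_2_SUNSET - today).days
        if days < 0:
            findings.append("FIPS 140-2 certificate is past the sunset date; "
                            "replace it or document a temporary deficiency")
        else:
            findings.append(f"FIPS 140-2 certificate sunsets in {days} days; confirm 140-3 plan")
    return findings


def assess_inventory(inventory, today=None):
    """Map each component name to its findings, evaluated as of `today`."""
    today = today or date.today()
    return {e["component"]: assess(e, today) for e in inventory}


if __name__ == "__main__":
    for component, findings in assess_inventory(INVENTORY).items():
        print(f"[{'OK' if not findings else 'GAP'}] {component}")
        for finding in findings:
            print(f"    - {finding}")
```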

Temporary Deficiencies

There may be instances where FIPS Validated Encryption isn’t possible—Windows 11, macOS, and similar platforms are examples where this can arise. The CMMC framework anticipates this through the concept of a temporary deficiency, defined under 32 CFR 170.4(b):

“A condition where remediation of a discovered deficiency is feasible, and a known fix is available or is in process. The deficiency must be documented in an operational plan of action. A temporary deficiency is not based on an ‘in progress’ initial implementation of a CMMC security requirement but arises after implementation. A temporary deficiency may apply during the initial implementation of a security requirement if, during roll-out, specific issues with a very limited subset of equipment is discovered that must be separately addressed. There is no standard duration for which a temporary deficiency may be active. For example, FIPS-validated cryptography that requires a patch and the patched version is no longer the validated version may be a temporary deficiency.”

Three takeaways from this section:
 
  1. Feasibility: The system or component is capable of being FIPS validated in the future. Typically it has a history of being FIPS validated, but updates or hardware changes to the system have taken it out of the validated configuration.
  2. Validation is in progress: The module is currently in the CMVP queue or in the testing phase. This can be verified on the CMVP website under the Modules in Process List and the Implementation Under Test List.
  3. Document: The deficiency and any associated vulnerabilities must be documented in the plan of action. The more evidence the better, and ensure every aspect of the temporary deficiency is covered. Known vulnerabilities in the affected version can be checked at CVEdetails.com.

Bottom Line

FIPS-validated encryption is not a checkbox you can satisfy with a vendor’s marketing language. It requires confirmed CMVP certification, proper configuration, and thorough documentation in your SSP. For organizations approaching a CMMC Level 2 assessment, this is one of the areas where vague or assumed compliance is most likely to surface as a gap.
 
If your environment includes tools that are not yet validated—or validated under FIPS 140-2 with the September 2026 deadline approaching—the time to assess and plan is now, not during your assessment window.