If you’re implementing CMMC 2.0 Level 2 or DFARS 252.204-7012, you’ll encounter NIST SP 800-171 Rev 2 Control 3.13.11. This control requires you to “…employ FIPS-validated cryptography when used to protect the confidentiality of CUI (Controlled Unclassified Information).” It’s derived from NIST SP 800-53 Rev 5 (SC-13): https://lnkd.in/ejPQCvsE
The current cryptography standard is FIPS 140-3. FIPS 140-3 stands for Federal Information Processing Standard Publication 140-3; it specifies the security requirements for cryptographic modules used by U.S. government agencies and contractors. It replaces FIPS 140-2 and is now effectively required for CMMC Level 2 and Level 3 compliance involving CUI. FIPS 140-3 is mandatory for systems governed by FedRAMP, CMMC, and DFARS.
For DFARS 7012, your SPRS (Supplier Performance Risk System) score demonstrates cybersecurity compliance. Under the NIST SP 800-171 DoD Assessment Methodology v1.2.1, Control 3.13.11 allows partial credit (3 of 5 points) if your encryption isn’t FIPS-validated. To address this gap, you can submit a POA&M (Plan of Action and Milestones), giving you 180 days to fully remediate the discrepancy.
While having your own cryptographic module validated by NIST is technically possible, it can take several years and is not a practical short-term option.
Instead, leverage your Cloud Service Provider (CSP) to address this issue. If your CSP meets FedRAMP Moderate (or higher), they must publish a Customer Responsibility Matrix (CRM) outlining inherited controls. For AWS, Control 3.13.11 is partially inherited, meaning you are still responsible for FIPS-validated encryption where applicable.
If you’re using AWS GovCloud, FIPS mode is available for services like ECS, EC2, S3, KMS, Fargate, and CloudTrail. For data in transit, ensure applications running on ECS use FIPS-compliant cryptographic libraries (e.g., OpenSSL with FIPS module, or those from compliant Linux distros).
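The checks below are an added example, not code from the original post or from AWS: a pre-flight script for a container image that has to use FIPS-validated cryptography. It assumes OpenSSL 3.x with the FIPS provider configured through openssl.cnf, the AWS CLI v2 / SDK `AWS_USE_FIPS_ENDPOINT` setting, and AWS's `-fips.` endpoint naming; the provider listings used in the self-test are constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions: OpenSSL 3.x with the
# FIPS provider, openssl.cnf-based enforcement, AWS_USE_FIPS_ENDPOINT honoured by
# the AWS SDK/CLI, and "-fips." hostnames for FIPS endpoints (e.g. s3-fips.*).

# 1. Is the FIPS provider loaded and active?  Reads `openssl list -providers`
#    output from stdin so the same check works on captured text.
fips_provider_active() {
    awk '
        /^[[:space:]]*[A-Za-z0-9_-]+$/ { name = $1 }        # provider heading
        /status:[[:space:]]*active/ && name == "fips" { found = 1 }
        END { exit(found ? 0 : 1) }
    '
}

# 2. Does openssl.cnf force approved algorithms only?  Loading the provider is
#    not enough: without "default_properties = fips=yes" the default provider
#    can still serve non-approved algorithms to applications.
fips_enforced_in_config() {
    grep -Eq '^[[:space:]]*default_properties[[:space:]]*=[[:space:]]*fips[[:space:]]*=[[:space:]]*yes' "$1"
}

# 3. Is the AWS SDK/CLI told to use FIPS endpoints for S3, KMS, etc.?
fips_endpoint_env_ok() {
    case "$(printf '%s' "${AWS_USE_FIPS_ENDPOINT:-}" | tr '[:upper:]' '[:lower:]')" in
        true) return 0 ;;
        *)    return 1 ;;
    esac
}

# 4. Is a given hostname a FIPS endpoint?  Assumes AWS's "-fips." naming.
is_fips_endpoint_host() {
    case "$1" in
        *-fips.*.amazonaws.com) return 0 ;;
        *)                      return 1 ;;
    esac
}

# Run all checks against the live container; non-zero exit fails the image.
run_preflight() {
    rc=0
    openssl list -providers 2>/dev/null | fips_provider_active \
        || { echo "FAIL: OpenSSL FIPS provider not active"; rc=1; }
    fips_enforced_in_config "${OPENSSL_CONF:-/etc/ssl/openssl.cnf}" \
        || { echo "FAIL: openssl.cnf lacks default_properties = fips=yes"; rc=1; }
    fips_endpoint_env_ok \
        || { echo "FAIL: AWS_USE_FIPS_ENDPOINT is not true"; rc=1; }
    return $rc
}
```

Call `run_preflight` from the container entrypoint (or a CI step that runs the image) so a build that silently falls back to non-FIPS crypto or non-FIPS endpoints fails before it reaches the CUI boundary.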
Key recommendation: define your security requirements before starting your compliance journey, and verify that your CSP supports them for your architecture. For instance, AWS Fargate only supports Linux on the x86_64 CPU architecture.
What is “FIPS-validated” cryptography in CMMC 2.0 / DFARS 7012?