Skip to content
AeoliTech Whitepaper

Encryption Standards for CUI

Expert research on CMMC preparation and defense compliance

Meeting FIPS 140-2/140-3 Validated Cryptography Requirements for CMMC

Author: Leonard Esere, Senior Security Architect

Date: April 2026

Organization: Aeolitech

Abstract

Encryption is not a checkbox — it is the last line of defense between a threat actor and your Controlled Unclassified Information (CUI). NIST Special Publication 800-171 control 3.13.11 is unambiguous: organizations that store, process, or transmit CUI must employ FIPS-validated cryptography. Not FIPS-"compliant." Not FIPS-"equivalent." Validated — meaning the specific cryptographic module implementation has been tested by an accredited laboratory and certified by the Cryptographic Module Validation Program (CMVP).

This whitepaper provides security engineers and compliance practitioners with a complete technical understanding of what FIPS 140-2 and FIPS 140-3 mean, how the transition between standards affects current deployments, how to verify validation status using the NIST CMVP database, and how to correctly enable FIPS-validated modes in Azure Government, AWS GovCloud, and Google Cloud environments. It draws directly on practitioner experience — including mandatory FIPS enforcement on classified and CUI-handling systems at Los Alamos National Laboratory (LANL) — to provide the practical lessons that documentation alone cannot convey.

Table of Contents

1. The Anchor Control — NIST 800-171 3.13.11

2. What FIPS 140-2 and FIPS 140-3 Mean

3. The Cryptographic Module Validation Program (CMVP)

4. The FIPS 140-2 to 140-3 Transition

5. Approved Algorithms and Key Lengths

6. Data-at-Rest, Data-in-Transit, and Data-in-Use

7. Cloud Provider FIPS Compliance — Azure, AWS, and Google

8. Key Management and Hardware Security Modules

9. Practitioner Lessons — What Goes Wrong

10. Assessor Expectations and Evidence

11. Conclusion

1. The Anchor Control

NIST SP 800-171 Revision 2 control 3.13.11 states:

> Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.

This is the anchor control for all cryptography in CUI environments. Its discussion section in 800-171 is direct: cryptography that is not FIPS-validated is, from NIST's perspective, equivalent to no protection at all — the data is considered unprotected plaintext for compliance purposes. This is not rhetorical: non-validated cryptography may use mathematically sound algorithms but fails on the implementation assurance that FIPS validation provides. A cryptographic library with a subtle side-channel vulnerability or an incorrect random number generator will encrypt data that an adversary can ultimately decrypt. Validation testing catches these implementation flaws.

The control applies specifically to cryptography used to protect CUI confidentiality. It does not exempt:

  • Encryption used in cloud storage services
  • VPN and remote access tunnels
  • Disk encryption on endpoints handling CUI
  • TLS sessions terminating on load balancers or application proxies
  • Encryption of backup media containing CUI

Every cryptographic operation in the CUI data path must use a FIPS-validated module.

The Critical Distinction: Validated vs. "Compliant"

The compliance ecosystem is rife with vendors claiming "FIPS compliant," "FIPS equivalent," or "FIPS ready." None of these phrases satisfies 3.13.11. Only modules that appear on the NIST CMVP Validated Modules List with an active or historical certificate — and that are operating in their validated configuration — satisfy the requirement.

The distinction matters in practice. A vendor may use AES-256 (a FIPS-approved algorithm) but implement it in a software module that has not been through CMVP testing. Using a FIPS-approved algorithm in an unvalidated module does not satisfy 3.13.11. The module — the specific software or hardware implementation — must carry CMVP certification.

2. What FIPS 140-2 and FIPS 140-3 Mean

The Federal Information Processing Standard (FIPS) 140 series defines security requirements for cryptographic modules. A "cryptographic module" in this context is any software, hardware, or hybrid component that implements cryptographic functions (encryption, decryption, key generation, signing, hashing).

FIPS 140-2 (Historical Standard)

FIPS 140-2, Security Requirements for Cryptographic Modules, was approved in May 2001 and defined four security levels:

| Level | Description | Typical Use Case |

|-------|-------------|-----------------|

| Level 1 | Basic algorithm correctness; no physical security requirements | Software-only implementations |

| Level 2 | Tamper-evident seals; role-based authentication | Tokens, smart cards |

| Level 3 | Tamper-resistance; identity-based authentication; critical security parameter zeroization | HSMs, secure enclosures |

| Level 4 | Complete physical envelope; environment failure protection | High-assurance HSMs |

For most CUI environments, Level 1 or Level 2 modules are appropriate. Level 3 is required for specific high-assurance key management scenarios.

FIPS 140-3 (Current Standard)

FIPS 140-3, approved March 22, 2019 (effective September 22, 2019), supersedes FIPS 140-2. Its key improvements include:

  • Alignment with international standards: FIPS 140-3 is based on ISO/IEC 19790:2012 and ISO/IEC 24759:2017, enabling a single validation that satisfies both U.S. government and international requirements.
  • Stronger algorithm requirements: Tighter restrictions on deprecated algorithms; explicit requirements for approved security functions per NIST SP 800-140C.
  • Non-invasive attack resistance: New requirements for side-channel attack resistance at higher levels.
  • Software security requirements: More granular software module security requirements, including source code analysis.

The CMVP began accepting FIPS 140-3 submissions on September 22, 2020.

3. The Cryptographic Module Validation Program (CMVP)

The Cryptographic Module Validation Program (CMVP) is a joint program of NIST (U.S. Department of Commerce) and the Canadian Centre for Cyber Security (CCCS). Its purpose is to validate cryptographic modules against FIPS 140-2 and FIPS 140-3, providing federal agencies and their contractors with independent assurance that a module's cryptographic implementation is correct and secure.

How Validation Works

1. Lab testing: The module vendor submits the module to a NIST-accredited Cryptographic and Security Testing Laboratory (CSTL). The lab tests the module's implementation against the requirements of FIPS 140-2 or 140-3.

2. CMVP review: CMVP reviews the CSTL's test results and validation report.

3. Certificate issuance: If the module passes, CMVP issues a validation certificate with a unique certificate number.

4. Active list: The validated module is placed on the CMVP Active Modules List.

As of 2024, CMVP has validated over 5,000 cryptographic modules since the program's inception, with over 1,000 currently on the active list.

Searching for Validated Modules

The authoritative search tool is the CMVP Validated Modules Search. Practitioners can search by vendor name, module name, or certificate number. Each result shows:

  • Certificate number and status (Active, Historical, Revoked)
  • Validation level (1–4)
  • Applicable standard (FIPS 140-2 or 140-3)
  • Validated configuration (the specific version and operating mode under which the validation holds)
  • Algorithm testing certificates (ACVTs) documenting which algorithms were validated

Critical practice: Verify not just that a module has a certificate, but that the specific version you are deploying matches the validated configuration. Version mismatches invalidate the certificate for compliance purposes.

4. The FIPS 140-2 to 140-3 Transition

The FIPS 140 transition timeline is now well-established, but misunderstood by many practitioners:

| Date | Event |

|------|-------|

| September 22, 2019 | FIPS 140-3 effective; CMVP begins accepting 140-3 submissions |

| September 22, 2020 | CMVP begins processing FIPS 140-3 submissions |

| September 22, 2021 | CMVP stops accepting new FIPS 140-2 submissions (with narrow extension for contracts in progress) |

| April 1, 2022 | Final cutoff — CMVP no longer accepts any new FIPS 140-2 submissions |

| September 21, 2026 | All FIPS 140-2 certificates moved to the Historical List |

What "Historical List" Means for CUI Environments

After September 21, 2026, every FIPS 140-2 certificate becomes historical. NIST's CMVP guidance clarifies: modules on the historical list may continue to be used in existing deployed systems, but are no longer approved for new system implementations. For a CUI environment undergoing a CMMC assessment or ATO renewal after September 2026, deployers relying on FIPS 140-2 historical modules in newly implemented systems will face a compliance gap.

The practical guidance: begin transitioning to FIPS 140-3 validated modules now, particularly for:

  • New system acquisitions and cloud service onboarding
  • Software library updates (OpenSSL, BoringSSL, Microsoft's BCNG/CNG)
  • VPN and remote access hardware refresh cycles

As of mid-2025, Microsoft's Azure Storage and many other major cloud services still relied on FIPS 140-2 validated modules, with FIPS 140-3 submissions in progress. The Microsoft Service Trust Portal provides current validation status. AWS GovCloud FIPS endpoints similarly have an active FIPS 140-2 baseline with progressive 140-3 validation underway.

5. Approved Algorithms and Key Lengths

FIPS 140 validation ensures the module is correctly implemented; it does not by itself specify which algorithms to use. Algorithm selection is governed by NIST's approved algorithm lists (primarily SP 800-57, Key Management and SP 800-131A).

For CUI environments in 2026, the following algorithm selections satisfy both FIPS validation requirements and current cryptographic best practice:

| Use Case | Approved Algorithm | Minimum Key/Parameter |

|----------|-------------------|-----------------------|

| Symmetric encryption (data at rest, VPN, storage) | AES | AES-256 (preferred); AES-128 (acceptable) |

| Digital signatures | RSA | RSA-3072 minimum; RSA-4096 preferred |

| Digital signatures (ECC) | ECDSA | P-384 minimum; P-521 preferred |

| Key exchange | ECDH | P-384 |

| Key exchange (traditional) | RSA | RSA-3072 |

| Hashing (integrity) | SHA-2 | SHA-256 minimum; SHA-384 preferred for 192-bit security |

| Key derivation | HKDF, SP 800-108 KDF | Derived from approved primitives |

| Random number generation | CTR_DRBG | AES-256 based |

Algorithms to avoid in new CUI deployments:

  • SHA-1 (deprecated; collision attacks demonstrated)
  • 3DES/TDEA (deprecated by NIST as of 2023 for encryption of new data)
  • RSA-1024 and RSA-2048 (2048 acceptable through 2030 per SP 800-131A Rev 2, but 3072+ preferred for new systems)
  • MD5 (not approved for any cryptographic purpose)
  • RC4 (not approved)

TLS Minimum Version

For all CUI-handling systems, TLS 1.2 is the minimum required version for data-in-transit encryption. AWS enforced TLS 1.2 as the minimum for all FIPS endpoints effective March 2021; Azure Application Gateway has FIPS mode enabled by default in Azure Government, which enforces TLS with FIPS-validated cipher suites. TLS 1.3 is preferred for new implementations due to its simplified handshake, perfect forward secrecy (mandatory), and removal of legacy cipher suites.

Permitted TLS 1.2 cipher suites for CUI environments:

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

Prohibited:

  • Any cipher suite using RC4, 3DES, export-grade ciphers, or anonymous key exchange
  • TLS_RSA_ suites without ECDHE (no forward secrecy)

6. Data-at-Rest, Data-in-Transit, and Data-in-Use

NIST 800-171 addresses encryption across all three data states, though the controls use different language:

Data at Rest (3.13.11 and 3.13.16)

Control 3.13.16 requires CUI at rest to be protected. When cryptographic protection is the chosen mechanism (the most common implementation), 3.13.11 requires that the cryptography be FIPS-validated.

Implementation patterns:

  • Full-disk encryption: BitLocker on Windows (FIPS mode enabled via Group Policy; uses AES-256 with the Windows CNG module, FIPS 140-2 cert #4825, transitioning to 140-3). FileVault 2 on macOS (FIPS 140-3 cert #4823 for the Apple Corecrypto module).
  • Database encryption: SQL Server Transparent Data Encryption (TDE) using AES-256; the SQL Server cryptographic module holds an active CMVP certificate.
  • Cloud storage encryption: Azure Storage Service Encryption uses AES-256 with Microsoft-managed or customer-managed keys via Azure Key Vault (Key Vault HSM is FIPS 140-3 Level 3 validated). AWS S3 server-side encryption with SSE-S3 or SSE-KMS (AWS KMS uses FIPS 140-2 validated HSMs in GovCloud).
  • Backup media: Backup sets containing CUI must be encrypted before being written to portable media or transmitted to off-site storage.

Data in Transit (3.13.8 and 3.13.11)

Control 3.13.8 requires cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission. Combined with 3.13.11, this means TLS 1.2+ with FIPS-validated cipher suites for all CUI transmission.

Common gaps:

  • Internal (east-west) API calls between microservices use plaintext HTTP on the assumption that "internal traffic is safe." Zero Trust principles reject this assumption; mTLS should be used for all inter-service communication in CUI environments.
  • Legacy database connections from applications to on-premises SQL servers use non-encrypted connections.
  • Backup and replication traffic is excluded from TLS enforcement policies.

Data in Use

Data-in-use encryption (protecting data while it is being processed in memory) is an emerging area. Technologies like Intel TDX, AMD SEV-SNP, and AWS Nitro Enclaves provide hardware-enforced confidential computing. These are not yet required by NIST 800-171 Rev. 2, but are increasingly relevant for highly sensitive CUI categories and are likely to appear in future revisions. Practitioners with LANL-level classification experience will recognize the trajectory: data-in-use protection follows the same adoption curve that data-at-rest encryption did a decade ago.

7. Cloud Provider FIPS Compliance — Azure, AWS, and Google

Understanding cloud provider FIPS posture is essential — but the details matter more than the marketing claims.

Microsoft Azure (Government Cloud)

Azure Government (GCC High and DoD) operates in a FIPS 140-approved mode by default. Key facts:

  • Azure Application Gateway V2 has FIPS mode enabled by default in Azure Government as of August 2024 (FedRAMP mandate).
  • The Windows CNG (Cryptographic Next Generation) module, which underlies most Azure cryptographic operations, holds active FIPS 140-2 certificates (transitioning to 140-3 as submissions complete).
  • Azure Key Vault Premium tier uses FIPS 140-3 Level 3 validated HSMs.
  • Azure Government endpoints enforce TLS 1.2 minimum with approved cipher suites.

Operator action required: Enabling FIPS mode for a service in Azure Government does not happen automatically everywhere. Configuration steps include:

1. Enable Windows FIPS policy via Group Policy for all Windows VMs.

2. Set TLS minimum version to 1.2 in Azure Application Gateway, API Management, and Service Bus configurations.

3. Configure Azure Storage to use customer-managed keys via Key Vault if key control is required for your CUI categories.

AWS GovCloud (US)

AWS GovCloud (US) provides FIPS 140-2 validated endpoints for supported services. Key facts:

  • FIPS endpoints (e.g., s3-fips.us-gov-west-1.amazonaws.com) terminate TLS using FIPS 140-2 validated cryptographic software modules.
  • AWS KMS uses FIPS 140-2 Level 3 validated HSMs in GovCloud.
  • TLS 1.2 is the minimum for all AWS FIPS endpoints (enforced since March 31, 2021).
  • Not all AWS services offer FIPS endpoints; practitioners must verify service-by-service. FIPS endpoints for EC2, S3, KMS, CloudTrail, IAM, and STS are available; some newer services may lag.

Operator action required: Simply using GovCloud does not guarantee FIPS-validated cryptography. You must explicitly select FIPS endpoints in your SDKs and CLI configurations:

`

aws configure set endpoint_url https://s3-fips.us-gov-west-1.amazonaws.com

`

Google Cloud (Government)

Google Cloud's Federal Compliance documentation confirms that Google Front End (GFE) infrastructure uses BoringCrypto, a FIPS 140-2 validated module (certificate #3678), for TLS termination. Google Cloud KMS uses FIPS 140-2 Level 1 validated software modules (with Cloud HSM providing Level 3).

Google's assurance is somewhat narrower than Azure Government or AWS GovCloud: FIPS validation applies specifically to the TLS termination layer and Cloud HSM; other internal service communications may use non-validated Google-internal cryptographic libraries. For the highest-assurance CUI environments, this distinction matters and should be reflected in SSP documentation.

8. Key Management and Hardware Security Modules

Encryption is only as strong as its key management. NIST SP 800-57 Part 1 (Rev. 5) governs key management requirements. For CUI environments, the key management obligations include:

Key Lifecycle Requirements

| Phase | Requirement |

|-------|------------|

| Generation | Keys generated using FIPS-validated DRBG; generated within an HSM or FIPS-validated module |

| Storage | Encrypted at rest using a key-encrypting key; HSM-protected for high-value keys |

| Distribution | Keys distributed only over FIPS-validated encrypted channels |

| Rotation | Symmetric keys: rotate annually at minimum; immediately upon suspected compromise |

| Revocation | Immediate revocation capability; key compromise procedures documented |

| Destruction | Secure key destruction (zeroization) documented and verifiable |

Hardware Security Modules (HSMs)

An HSM is a dedicated hardware device that generates, stores, and uses cryptographic keys in a tamper-resistant environment. For CUI environments:

  • Azure Key Vault Managed HSM: FIPS 140-3 Level 3 validated. Keys generated and used exclusively within the HSM; never exported in plaintext.
  • AWS CloudHSM (GovCloud): FIPS 140-2 Level 3 validated. Single-tenant HSMs with customer-exclusive control of keys.
  • On-premises HSMs: Thales Luna Network HSM (FIPS 140-3 Level 3), Entrust nShield (FIPS 140-2/140-3 Level 3).

For most CUI environments, a cloud-managed HSM (Azure Key Vault Premium / Managed HSM, or AWS CloudHSM) provides the appropriate validation level while eliminating the operational burden of physical HSM management. The requirement for an HSM is driven by data sensitivity and key criticality — not every encryption key needs HSM protection, but key-encrypting keys (KEKs) and signing keys for PKI should be.

Key Rotation

800-171 does not specify rotation intervals explicitly, but NIST SP 800-57 provides the framework. Practical minimums for CUI:

  • Data encryption keys (DEKs): Annually, or upon personnel departure with access to encrypted data.
  • Key-encrypting keys (KEKs): Two years; immediately upon suspected compromise.
  • TLS certificates: Annual rotation at minimum; automate with ACME/Let's Encrypt or cloud certificate management services.
  • API keys / service credentials: 90 days; automate rotation via secrets managers (Azure Key Vault, AWS Secrets Manager, HashiCorp Vault).

9. Practitioner Lessons — What Goes Wrong

From years of FIPS compliance enforcement in classified and CUI environments — including mandatory FIPS mode for all cryptographic operations at LANL — the following failure patterns recur most frequently:

Failure 1: FIPS mode is enabled at the OS level but disabled in the application.

Windows FIPS policy (HKLM\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy) does not force all applications to use FIPS-validated modules. Applications that link their own cryptographic libraries (Python's cryptography package using bundled OpenSSL, Java using its default JCE provider) may bypass the OS FIPS setting entirely. Solution: audit all applications for their cryptographic library usage; ensure FIPS-validated providers are configured at the application level.

Failure 2: The FIPS-validated version is not the version deployed.

A vendor holds a FIPS certificate for version 3.0.1 of their TLS library. The organization deploys version 3.1.2 (a security patch release). The certificate does not apply to the new version. Solution: maintain a cryptographic module inventory that maps each deployed version to its CMVP certificate; verify CMVP applicability with vendors before updating.

Failure 3: Development and test environments are excluded.

FIPS requirements are applied to production CUI systems but not to dev/test environments that also process CUI data (often for testing with real CUI samples). Solution: enforce consistent FIPS requirements across all environments in the CUI boundary.

Failure 4: SSH is overlooked.

TLS gets attention; SSH is often forgotten. SSH connections to CUI servers must also use FIPS-validated algorithms. Configure SSH to use only approved algorithms:

`

KexAlgorithms ecdh-sha2-nistp384,ecdh-sha2-nistp521

Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com

MACs hmac-sha2-512,hmac-sha2-256

`

Failure 5: Backup encryption is not FIPS-validated.

The backup software uses a proprietary encryption scheme or an older, non-validated mode. CUI in backup sets is CUI — the same requirements apply.

Failure 6: "The cloud provider handles it."

Cloud providers provide FIPS-capable infrastructure. But operators must configure it correctly: select FIPS endpoints, enable FIPS mode where operator action is required, and verify that customer-managed encryption keys are stored in FIPS-validated HSMs. Shared responsibility is not no responsibility.

10. Assessor Expectations and Evidence

A CMMC Level 2 C3PAO assessor reviewing control 3.13.11 will typically ask for:

1. Cryptographic module inventory: A list of all cryptographic modules used in the CUI environment, with their CMVP certificate numbers and validation status.

2. CMVP certificate verification: Live lookup or documentation showing the certificates are Active (not Historical or Revoked) and that the deployed versions match.

3. FIPS mode configuration evidence: Screenshots or configuration exports showing FIPS mode is enabled at the OS, application, and service levels.

4. TLS configuration evidence: TLS policy exports from load balancers, web servers, and API gateways showing TLS 1.2+ with approved cipher suites.

5. Key management procedures: Documentation of key generation, storage, rotation, and destruction procedures, with evidence that procedures are followed (e.g., rotation logs).

6. HSM usage documentation: For high-value keys, evidence that an HSM (FIPS 140-2 Level 3 or higher) is used.

The assessment objective for 3.13.11 in the NIST SP 800-171A assessment guide includes: "Determine if FIPS-validated cryptography is employed to protect the confidentiality of CUI." Evidence that NIST will find persuasive: CMVP certificate numbers, configured FIPS mode settings, and TLS scan outputs (e.g., SSL Labs reports for internet-facing endpoints, or internal TLS scanning reports for internal systems).

11. Conclusion

FIPS-validated cryptography is not optional for CUI environments — it is the explicit, non-waivable requirement of 800-171 control 3.13.11. The distinction between "validated" and "compliant" is one of the most consequential in the CMMC compliance space, and getting it wrong means either a failed assessment or, worse, a breach that compromised data believed to be protected.

The FIPS 140-2 to 140-3 transition adds urgency: organizations that defer cryptographic modernization until September 2026 will find themselves in a compressed timeline with limited FIPS 140-3 validated options for all their use cases. Beginning the inventory, gap assessment, and migration planning now is the right answer — both for compliance and for genuine security improvement.

The approved algorithms (AES-256, RSA-3072+, ECDSA P-384+, SHA-2) represent the current state of cryptographic best practice. Using them in FIPS-validated implementations, with disciplined key management and documented rotation procedures, creates a cryptographic program that will satisfy assessors, withstand adversary attack, and provide the genuine confidentiality protection that CUI deserves.

About the Author

Leonard Esere is a senior security architect whose career spans classified computing environments at Los Alamos National Laboratory (LANL), MITRE-aligned threat modeling for DoD programs, and security architecture for systems requiring DoD Secret and DoE Q clearance-level protection. At LANL, FIPS-validated cryptography was a mandatory baseline requirement across all systems — an environment that built deep practitioner understanding of the gap between compliance claims and actual cryptographic assurance. He has also led PCI DSS security architecture for large-scale computing infrastructure, including work associated with the Frontier supercomputing program, where encryption standards were a central audit concern.

References

1. National Institute of Standards and Technology. (2021). NIST SP 800-171 Rev. 2: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, Control 3.13.11. https://doi.org/10.6028/NIST.SP.800-171r2

2. NIST Cryptographic Module Validation Program. Validated Modules Search. https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search

3. NIST. FIPS 140-3 Transition Effort. https://csrc.nist.gov/projects/fips-140-3-transition-effort

4. NIST. (2001). FIPS 140-2: Security Requirements for Cryptographic Modules. https://csrc.nist.gov/publications/detail/fips/140/2/final

5. NIST. (2019). FIPS 140-3: Security Requirements for Cryptographic Modules. https://csrc.nist.gov/publications/detail/fips/140/3/final

6. NIST. (2020). SP 800-57 Part 1 Rev. 5: Recommendation for Key Management. https://doi.org/10.6028/NIST.SP.800-57pt1r5

7. NIST. (2019). SP 800-131A Rev. 2: Transitioning the Use of Cryptographic Algorithms and Key Lengths. https://doi.org/10.6028/NIST.SP.800-131Ar2

8. Microsoft Learn. (2025). FIPS 140 on Azure Application Gateway. https://learn.microsoft.com/en-us/azure/application-gateway/fips

9. Amazon Web Services. (2021). TLS 1.2 required for all AWS FIPS endpoints. https://aws.amazon.com/blogs/security/tls-1-2-required-for-aws-fips-endpoints/

10. Chainguard. (2025). FIPS 140-2 vs 140-3: What's the difference? https://www.chainguard.dev/supply-chain-security-101/fips-140-2-vs-140-3-whats-the-difference

11. 112Cyber. (2026). FIPS Encryption Requirements in CMMC and NIST SP 800-171. https://112cyber.com/blog/fips-encryption-requirements-in-cmmc-and-nist-sp-800-171/

Take the Next Step

Cryptographic compliance for CUI environments is a technical discipline, not a policy exercise. If your organization needs a cryptographic module inventory, FIPS gap assessment, or support building the key management program that CMMC assessors will scrutinize, Aeolitech's security engineering team brings direct practitioner experience from some of the most demanding cryptographic compliance environments in the federal sector.

Contact Aeolitech to discuss your encryption compliance posture or to schedule a FIPS 140 readiness review.

Ready to Start Your CMMC Journey?

Our team of cleared engineers and compliance specialists can help you scope, plan, and execute your path to CMMC Level 2 certification.

Contact Us
Back to All Whitepapers