
3.13.11 — FIPS or It Doesn't Count

Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.

This is one of the most misunderstood requirements. The critical distinction:

FIPS validates the MODULE, not the ALGORITHM.

Using AES-256 (an approved algorithm) in OpenSSL (which may or may not be FIPS-validated depending on the version and configuration) is NOT the same as using a FIPS-validated cryptographic module. The actual software or hardware performing the encryption must have a FIPS 140-2 or 140-3 validation certificate issued by NIST.

Where to check: The NIST Cryptographic Module Validation Program (CMVP) database at https://csrc.nist.gov/projects/cryptographic-module-validation-program. Search for your product. If it’s not there, it’s not FIPS-validated.

Common FIPS-validated modules:

  • Windows CNG (Cryptography Next Generation) — validated when FIPS mode is enabled via GPO
  • BitLocker — uses Windows CNG, FIPS-validated when FIPS mode is on
  • OpenSSL FIPS module — specific FIPS-validated build, not standard OpenSSL
  • Most enterprise VPN products have FIPS-validated versions

This requirement CANNOT be on a POA&M. It must be MET before assessment. There is no conditional certification path without FIPS-validated encryption.

Check every encryption deployment: disk encryption, VPN, TLS, Wi-Fi, email encryption, database encryption. Each one needs a FIPS-validated module.


Your assessor needs a “yes” to every row:

# | Question | What “yes” looks like
1 | Is FIPS-validated cryptography employed to protect CUI? | Every encryption module has a FIPS 140-2/3 validation certificate on file

Documents they’ll review: System and communications protection policy; system security plan; system configuration settings; cryptographic module validation certificates; list of FIPS-validated cryptographic modules; NIST CMVP database verification

People they’ll talk to: System or network administrators; personnel with information security responsibilities; system developers; personnel with cryptographic protection responsibilities

Live demos they’ll ask for: Mechanisms implementing FIPS-validated cryptographic protection; FIPS mode verification on systems


These are the actual questions. Have answers ready.

  • “Show me the FIPS validation certificate for your disk encryption.”
  • “Is Windows FIPS mode enabled? Show me the GPO setting.”
  • “What about your VPN — is the cryptographic module FIPS-validated?”
  • “Show me the TLS implementation — is the library FIPS-validated?”
  • “Is your Wi-Fi encryption using a FIPS-validated module?”
  • “Have you verified each encryption product against the NIST CMVP database?”
  • “Is there any encryption in your environment that ISN’T FIPS-validated?”

Right algorithm, unvalidated module. AES-256 in a Python library that hasn’t been FIPS-validated. The algorithm is approved; the module isn’t. Both are required: an approved algorithm running inside a validated module.

No validation certificates on file. You believe your tools are FIPS-validated but can’t produce the certificates. Pull them from the vendor or NIST CMVP database and file them.

FIPS mode not enabled. Windows has FIPS-validated cryptographic modules but FIPS mode must be enabled via GPO for them to operate in FIPS mode.
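One way to produce the FIPS-mode evidence an assessor asks for on a Windows host, as an added example that is not part of the original page: it reads the registry value the GPO setting writes, records BitLocker state alongside it, and saves a JSON record (the evidence folder path is an assumption; pick your own).

```powershell
# Added example: collect FIPS-mode evidence from one Windows host for the 3.13.11 file.
# Run in an elevated PowerShell session. Assumptions (not from the page): the registry
# location is where the GPO "System cryptography: Use FIPS compliant algorithms for
# encryption, hashing, and signing" writes its setting; the evidence path is arbitrary.
$fipsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$evidenceDir = 'C:\CMMC-Evidence\3.13.11'   # assumption: choose your own evidence folder

# 1. FIPS mode: the policy writes Enabled=1 under FipsAlgorithmPolicy. A missing value
#    or 0 means CNG is NOT running in its validated FIPS mode, whatever algorithm is used.
$fips        = Get-ItemProperty -Path $fipsKey -Name Enabled -ErrorAction SilentlyContinue
$fipsEnabled = ($null -ne $fips -and $fips.Enabled -eq 1)

# 2. BitLocker relies on CNG, so record each volume's state next to the FIPS result.
$bitlocker = @()
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    $bitlocker = Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            ProtectionStatus = [string]$_.ProtectionStatus
            EncryptionMethod = [string]$_.EncryptionMethod
        }
    }
}

# 3. Write a timestamped JSON record; file it with the module's CMVP certificate number.
$record = [pscustomobject]@{
    ComputerName    = $env:COMPUTERNAME
    CollectedUtc    = (Get-Date).ToUniversalTime().ToString('o')
    FipsModeEnabled = $fipsEnabled
    BitLocker       = @($bitlocker)
}
New-Item -ItemType Directory -Force -Path $evidenceDir | Out-Null
$record | ConvertTo-Json -Depth 4 |
    Set-Content -Path (Join-Path $evidenceDir "fips-mode-$($env:COMPUTERNAME).json") -Encoding UTF8

if (-not $fipsEnabled) {
    Write-Warning "FIPS mode is OFF on $($env:COMPUTERNAME): Windows CNG is not operating as a validated module."
}
$record
```

The JSON record shows the FIPS setting as configured on the host; the GPO report (gpresult) and the CMVP certificate for the Windows CNG version in use still need to be filed with it.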

Some encryption FIPS, some not. VPN is validated but the disk encryption tool you chose isn’t. Every encryption deployment must be checked.

POA&M attempt. This is a must-fix requirement. No conditional certification without it. Fix before assessment.



Requirement | Why it matters here
3.13.8 — Encrypt in Transit | Transit encryption must use FIPS-validated modules
3.13.16 — Encrypt CUI at Rest | At-rest encryption must use FIPS-validated modules
3.1.13 — Encrypt Remote Sessions | VPN encryption must be FIPS-validated
3.13.10 — Manage Your Keys | Keys used with FIPS-validated modules



CMMC Practice ID: SC.L2-3.13.11 | SPRS Weight: 5 points | POA&M Eligible: Yes