FIPS Encryption Mockup

Are your FIPS encryption controls ready for a CMMC Level 2 assessment?

Most defense contractors lose points on encryption because they can't prove it.

Assessors look for CMVP certificate numbers, documented FIPS mode configurations, and evidence packages that match what’s in your SSP. If your controls exist but your documentation doesn’t show it, the gap still counts against you. 

This checklist walks you through FIPS encryption controls – so you know whether they will hold up under a CMMC Level 2 assessment. 


What’s inside:

  • CUI scoping prerequisite – Why encryption coverage can’t be validated until you know exactly which systems, users, and workflows touch CUI.
  • Cryptographic validation – How to confirm you have actual CMVP certificate numbers, not vendor phrases like “FIPS-compliant” or “uses AES.”
  • FIPS 140-2 transition deadline – What September 21, 2026 means for your current modules, and what a documented temporary deficiency requires.
  • OS and application configuration – What assessors expect to see when they ask how FIPS mode is enabled and verified across your environment.
  • CUI coverage in real-world scenarios – Endpoints, VPNs, mobile devices, backups, email, edge cases – the full picture assessors will walk through.
  • Temporary deficiencies – The three criteria that make a deficiency defensible, and the ones that will get it rejected.
  • SSP and evidence readiness – What your SSP must explicitly name, and what goes in the evidence package you hand to an assessor.


Where most contractors stall 

Finding the gaps is the straightforward part. Building a documented, defensible plan to close them before your assessment window is where your time can run out. This checklist tells you what to look for – and where the evidence needs to be – so you’re not reconstructing your posture the week before a C3PAO walks in. 

Download this checklist before your next internal review, your gap analysis, or your conversation with your C3PAO.