CMMC encryption requirements are not the hardest part of a Level 2 assessment, but they are one of the most reliably misunderstood. Most contractors who fail this control are missing proof that their encryption meets the standard that an assessor will accept. Of course, that means your gap shows up at the worst possible time…during the assessment itself.
Find out if your FIPS encryption controls will hold up under a CMMC Level 2 assessment.
Key Takeaways
- FIPS-validated and FIPS-compliant are not interchangeable.
- CMMC encryption requirements cover every place CUI lives, not just servers.
- The FIPS 140-2 to FIPS 140-3 transition deadline is September 21, 2026; any module still relying on FIPS 140-2 after that date must be documented as a limited deficiency, or it becomes a finding.
- A temporary deficiency is a documented compliance path with strict eligibility requirements, not a shortcut.
What are the CMMC encryption requirements for Level 2?
CMMC Level 2 requires FIPS-validated cryptography to protect CUI everywhere it is stored, transmitted, or accessed. The anchor control is SC.L2-3.13.11 from NIST SP 800-171, which explicitly requires FIPS-validated cryptography – not just any encryption.
Supporting controls extend that requirement to remote access sessions (3.1.13), wireless networks (3.1.17), mobile devices (3.1.19), digital media transport (3.8.6), and CUI in transit (3.13.8).
CMMC Level 1 does not carry this requirement. Level 1 covers basic safeguarding of Federal Contract Information (FCI) – not CUI – so FIPS encryption is a Level 2 obligation.
7 Common CMMC Encryption Requirement Mistakes
1. Accepting "FIPS-compliant" as proof.
Is "FIPS-compliant" the same as “FIPS-validated” for CMMC purposes?
No, and this is one of the most common mistakes we see in pre-assessment reviews. “FIPS-compliant,” “FIPS-equivalent,” and “uses AES-256” are marketing language. They tell you the vendor chose a FIPS-approved algorithm. They do not tell you that the implementation has been independently tested and certified.
To satisfy CMMC encryption requirements, a cryptographic module must appear on the NIST Cryptographic Module Validation Program (CMVP) Validated Modules List with an active certificate number. That certificate number is what an assessor will ask for.
Gar Whaley, Teal CMMC cofounder and CMMC Registered Practitioner with more than 30 years of experience in regulated environments, is direct on this point.
The fix
For every tool in your environment that handles CUI (e.g., VPNs, full-disk encryption, TLS libraries, email security), pull the CMVP certificate number and document it in your System Security Plan. If you can’t find it, you have a gap to close.
2. Assuming the tool is running in FIPS mode.
Does a FIPS-validated module automatically run in FIPS-approved mode?
No. Having a FIPS-validated module installed is not the same as operating it in FIPS-approved mode. Many operating systems and applications require a separate configuration step to activate FIPS mode, and that step is not on by default.
In Windows environments, for example, FIPS mode is controlled by a Group Policy setting. Enabling it requires a deliberate configuration change. A contractor can have BitLocker installed on every endpoint, using the Windows Cryptographic Primitives Library with a valid CMVP certificate, and still fail SC.L2-3.13.11 because FIPS mode was never enabled.
During a CMMC assessment, an assessor will ask for configuration evidence: screenshots, Group Policy settings, or documented configuration files. So, a list of installed software is not sufficient.
There’s a related trap after software updates.
When an OS or application updates, you’ll want to re-verify that the cryptographic module version still maps to the active CMVP certificate. Updates can sometimes break the alignment between your running configuration and its validated security policy.
So, that broken alignment can either become a temporary deficiency if you catch it, or an assessment finding if you don’t.
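The configuration evidence described above can be collected the same way each time, which also makes the post-update re-check repeatable. The following is an added example script, not from the article or any vendor: it reads the registry value that the FIPS Group Policy setting writes, records the running version of the Windows Cryptographic Primitives Library for comparison against the CMVP certificate, captures BitLocker state, and writes a dated evidence record. `$CmvpCertificate` and the output directory are placeholders you supply.

```powershell
# Added example (not from the article): collect FIPS-mode evidence on a Windows
# endpoint for the SC.L2-3.13.11 evidence package. Run from an elevated PowerShell.
# $CmvpCertificate is a placeholder; replace it with the certificate number from
# the CMVP Validated Modules List entry that matches the module version below.
param(
    [string]$CmvpCertificate = "CMVP-CERT-PLACEHOLDER",
    [string]$OutDir = "$env:ProgramData\CmmcEvidence"
)

# The Group Policy "System cryptography: Use FIPS compliant algorithms for
# encryption, hashing, and signing" writes this DWORD; 1 means FIPS-approved
# mode is enforced, 0 or a missing value means it is not.
$fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$fipsEnabled = (Get-ItemProperty -Path $fipsKey -Name Enabled -ErrorAction SilentlyContinue).Enabled -eq 1

# Running version of the Cryptographic Primitives Library used by CNG/BitLocker.
# After each OS update, this version must still map to the certificate's
# security policy; record it so the comparison is part of the evidence.
$module = Get-Item "$env:SystemRoot\System32\bcryptprimitives.dll"
$moduleVersion = $module.VersionInfo.FileVersion

# BitLocker protection state per volume (requires the BitLocker PowerShell module).
$volumes = Get-BitLockerVolume | ForEach-Object {
    [pscustomobject]@{
        MountPoint       = $_.MountPoint
        ProtectionStatus = [string]$_.ProtectionStatus
        EncryptionMethod = [string]$_.EncryptionMethod
    }
}

$record = [pscustomobject]@{
    Host            = $env:COMPUTERNAME
    CollectedUtc    = (Get-Date).ToUniversalTime().ToString('o')
    FipsModeEnabled = $fipsEnabled
    ModulePath      = $module.FullName
    ModuleVersion   = $moduleVersion
    CmvpCertificate = $CmvpCertificate
    BitLocker       = $volumes
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$outFile = Join-Path $OutDir "fips-evidence-$($env:COMPUTERNAME).json"
$record | ConvertTo-Json -Depth 4 | Set-Content -Path $outFile -Encoding UTF8

# A non-zero exit lets a scheduled task or RMM job flag drift between assessments.
if (-not $fipsEnabled) {
    Write-Warning "FIPS mode is NOT enabled on $env:COMPUTERNAME; SC.L2-3.13.11 evidence will not hold."
    exit 1
}
Write-Host "FIPS mode enabled; evidence written to $outFile"
```

Run it as a scheduled task after patch cycles and keep the JSON files alongside the Group Policy screenshots; a version change in `ModuleVersion` is the cue to re-check the CMVP entry.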
3. Mapping encryption to servers but missing the full CUI scope.
What systems and scenarios do CMMC encryption requirements cover?
Every place CUI lives must be covered. CMMC encryption requirements apply across all of the following:
At rest
Endpoints and servers, mobile devices and laptops, removable and portable media, backup storage.
In transit
VPN and remote access connections, wireless networks, email, file transfers, and API connections.
Edge cases most contractors miss
Cached or temporary files containing CUI, transfers to third parties or subcontractors, and administrator access paths.
What are the common gaps seen in encryption requirements?
The coverage gap we see most often is backup storage. A contractor will have FIPS-validated full-disk encryption deployed on every endpoint, and then back that data up to a device or service without validated encryption. That single gap goes directly into the finding column.
The fix
Before your assessment, map the full CUI lifecycle:
- Creation
- Storage
- Transmission
- Backup
- Disposal
Verify that FIPS-validated cryptography is documented at each step. If your CUI scope is incomplete, your encryption coverage cannot be validated.
4. Treating SSP documentation as a last-minute task.
Does your SSP have to include CMVP certificate numbers for CMMC encryption controls?
Yes, and vague references will not hold up. “We use AES encryption” is not a complete SSP entry for SC.L2-3.13.11. Your System Security Plan must name the cryptographic mechanisms used, where they are applied, their FIPS validation status, and the corresponding CMVP certificate numbers by module.
There is also a hard rule that many contractors don’t know until it’s too late.
The SSP (CA.L2-3.12.4) is one of six controls explicitly prohibited from POA&M deferral.
Your SSP must be complete and current at the time of assessment. Not in progress. Not partially drafted. Complete.
The SSP is not the only documentation that matters. Build a standalone evidence package alongside it, including:
- CMVP certificate printouts
- Screenshots of FIPS mode settings
- A module-to-system inventory
5. Missing the September 2026 FIPS 140-2 deadline.
What does the FIPS 140-2 to FIPS 140-3 transition mean for CMMC assessments?
On September 21, 2026, the CMVP will declare all remaining active FIPS 140-2 certificates historical.
Historical certificates cannot support new federal acquisitions. Any contractor whose assessment window falls after that date and who still relies on FIPS 140-2 modules, without CMVP evidence and without documented coverage via a temporary deficiency or enduring exception, will likely have a finding.
However, this is the more immediate problem.
CMVP validation currently averages 542 days. For most vendors, completing a new FIPS 140‑3 validation before September 2026 is no longer realistic unless it’s already in progress.
If your modules are not yet FIPS 140-3 validated and are not listed on the CMVP Modules in Process list, a documented temporary deficiency is likely your nearest defensible path.
Check every cryptographic tool in your environment against the CMVP list now. With Phase 2 coming in hot, this isn’t a task to schedule later.
6. Misusing the temporary deficiency path.
Can you use a temporary deficiency to cover missing FIPS encryption in a CMMC assessment?
Only under specific conditions. A temporary deficiency is not a general workaround for incomplete controls. Under 32 CFR 170.4(b), a temporary deficiency applies only when all three criteria are met.
Feasibility
The system previously held FIPS validation or is capable of achieving it.
Validation in Progress
The module is actively listed in the CMVP Modules in Process or Implementation Under Test lists, not simply “planned for future validation.”
Documentation
The gap is fully recorded in your SSP and POA&M with evidence and a target resolution date.
What is the condition most often misapplied?
A control that was never implemented cannot be claimed as a temporary deficiency.
A temporary deficiency arises after implementation when a specific update or configuration change breaks an existing validated status. If you have never had FIPS-validated encryption in place, there is no deficiency to document.
Also worth noting, SC.L2-3.13.11 qualifies for POA&M deferral only when encryption is in place and the specific module is not yet FIPS-validated.
A complete absence of encryption is a full finding, and it is not POA&M-eligible.
To reach Conditional Level 2 status, your assessment score must meet or exceed 80% of total Level 2 requirements, with 180 days from Conditional status to close all POA&M items.
DIBCAC assessments have accepted well-documented temporary deficiencies when all three criteria are met. Poorly supported or undocumented deficiencies are routinely rejected.
7. Treating encryption as a project instead of a posture.
What happens to encryption compliance between assessments?
FIPS validation status can change after your assessment ends.
A software update can break the alignment between your running configuration and its validated module. A new system can enter the CUI environment without a validated cryptographic module. Backup procedures can shift.
None of these situations “trigger” an alert – so your posture can quickly drift out of compliance without you being any wiser.
That’s why encryption coverage needs periodic review, not just pre-assessment preparation.
Your company should regularly confirm that certificates are active, that new systems in the CUI scope carry validated modules, and that FIPS mode hasn’t been inadvertently disabled.
The problem probably isn't your encryption. It's your proof.
CMMC encryption requirements are not usually a technology problem for most DIB contractors. They are generally a documentation/verification problem.
If your SSP doesn’t name CMVP certificate numbers, your vendor documentation relies on FIPS-compliant language, or you haven’t mapped every CUI touchpoint to a validated module, those are gaps worth closing before you schedule your assessment.
If you’re still planning your assessment timeline, check out this article on why the CMMC assessor shortage makes it vital you pass your first assessment attempt.
FAQ
Does CMMC Level 1 require FIPS encryption?
No. CMMC Level 1 covers basic protection of Federal Contract Information (FCI) and does not require FIPS-validated cryptography. FIPS encryption requirements apply at Level 2, which covers organizations that handle Controlled Unclassified Information (CUI).
What are the CMMC encryption requirements for Level 2?
CMMC Level 2 requires FIPS‑validated cryptography to protect the confidentiality of CUI, both at rest and in transit. The primary control is SC.L2-3.13.11, which explicitly requires FIPS-validated cryptography – meaning modules confirmed through NIST’s CMVP program with an active certificate number. Supporting controls extend this requirement to remote access, wireless, mobile devices, media transport, and CUI in transit.
What is the difference between FIPS-compliant and FIPS-validated?
FIPS-compliant is a vendor marketing term meaning the product uses a FIPS-approved algorithm, but the implementation has not been independently tested or certified. FIPS-validated means the cryptographic module has been through NIST’s CMVP program and holds an active certificate number. CMMC assessors require FIPS-validated modules. FIPS-compliant claims are not accepted as evidence.
What happens if my cryptographic module isn't FIPS-validated at my CMMC assessment?
If the module is not on the CMVP Validated Modules List, the control is not met. If the module was previously validated and lost validation due to an update or configuration change, a temporary deficiency may apply – provided it meets the feasibility, in-progress, and documentation criteria under 32 CFR 170.4(b). A complete absence of cryptography results in a NOT MET finding and is not eligible for POA&M deferral.