CMMCDocs.comHome / Glossary / FIPS / FIPS 140-2 / FIPS 140-3
FIPS / FIPS 140-2 / FIPS 140-3
Also known as: FIPS 140 · FIPS validation · FIPS-validated cryptography
Federal Information Processing Standards 140-2 and 140-3 are the U.S. government standards for cryptographic modules. CMMC Level 2 requires FIPS-validated cryptography to protect CUI.
FIPS 140-2 and FIPS 140-3 are the Federal Information Processing Standards that specify the security requirements for cryptographic modules used in U.S. government systems. NIST SP 800-171 requirement SC.L2-3.13.11 obligates defense contractors handling CUI to use only FIPS-validated cryptographic modules.
A cryptographic module is FIPS-validated when it has been independently tested by an accredited laboratory and listed on the NIST Cryptographic Module Validation Program (CMVP) website. Validation is module- and version-specific: a vendor's product may be FIPS-validated in one configuration and not in another.
FIPS 140-2 is the older standard, still widely used. FIPS 140-3 is the current version and is gradually replacing 140-2. Both are acceptable for CMMC purposes as long as the specific module in use is validated and listed in the CMVP database.
Stop Googling. Start working.
CMMCDocs has all 110 NIST SP 800-171 Rev 2 requirements built in — with the language, the templates, and the evidence vault you need. Spin up a free demo workspace and click around the way an assessor would.
Get my demo account