Quick Answer: CMMC FIPS 140-2 compliance requires DoD contractors to use cryptographic modules validated under the Federal Information Processing Standard 140-2 when protecting Controlled Unclassified Information. If you handle CUI, any encryption you deploy must meet FIPS 140-2 validation standards. This applies to data in transit, data at rest, and the tools your team uses daily.
CMMC Level 2 requires implementing all 110 security controls from NIST SP 800-171 across 14 control families. Cryptography sits inside the System and Communications Protection family, and FIPS 140-2 validation is one of the most technically demanding requirements in that group. Getting it right means auditing every tool, module, and configuration in your environment that touches CUI.
This page covers what the requirement actually says, where organizations typically get stuck, and how to build a compliant cryptographic posture before your assessment.
Key Takeaways
- CMMC FIPS 140-2 compliance requirements apply to any contractor at Level 2 or above who uses encryption to protect CUI in transit or at rest.
- The most common challenge is discovering non-compliant cryptographic modules already embedded in tools your team relies on every day.
- Achieving Level 2 compliance typically takes several months to over a year depending on your current security posture and the gaps you need to close.
- Documenting which modules are FIPS 140-2 validated, and proving it during assessment, requires more than just purchasing compliant software.
- Working with a managed compliance partner can significantly reduce the time and technical burden of getting your cryptographic controls assessment-ready.
What Are CMMC FIPS 140-2 Compliance Requirements?
FIPS 140-2 is a U.S. government standard published by the National Institute of Standards and Technology (NIST) that defines security requirements for cryptographic modules. Under CMMC Level 2, contractors must use FIPS-validated cryptography whenever they transmit or store CUI. This requirement flows directly from NIST SP 800-171, specifically controls 3.13.8 (protecting CUI during transmission) and 3.13.10 (establishing and managing cryptographic keys).
The Cryptographic Module Validation Program (CMVP), jointly operated by NIST and the Canadian Centre for Cyber Security, maintains the official list of validated modules. If a module is not on that list, it does not satisfy the requirement, regardless of how strong the underlying algorithm is.
Here is how FIPS 140-2 requirements map to the CMMC control families most directly affected:
| CMMC Control Family | Relevant Control | FIPS 140-2 Requirement |
| --- | --- | --- |
| System and Communications Protection (SC) | 3.13.8 | Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission |
| System and Communications Protection (SC) | 3.13.10 | Establish and manage cryptographic keys for required cryptography |
| Identification and Authentication (IA) | 3.5.10 | Store and transmit only cryptographically-protected passwords |
| Access Control (AC) | 3.1.13 | Employ cryptographic mechanisms to protect remote access sessions |
| Configuration Management (CM) | 3.4.2 | Establish and enforce security configuration settings |
FIPS 140-2 has four security levels, ranging from Level 1 (basic software requirements) to Level 4 (physical tamper resistance). Most DoD contractors need to meet at least Level 1 validation for software-based cryptographic modules, but some contracts specify higher levels. Always confirm the exact level required in your contract documentation.
Practically speaking, this means the VPN your team uses for remote access, the encryption on your file storage, your email security tools, and your authentication systems all need to use validated modules. You can verify module validation status through the CMMC compliance resources available from BEMO or directly through the NIST CMVP database.
Challenges Companies Face When Getting CMMC Compliant
Meeting CMMC FIPS 140-2 compliance requirements is rarely a straightforward technical fix. Most organizations underestimate how deeply cryptographic requirements reach into their existing environment.
- Underestimating scope: Many contractors assume FIPS 140-2 only affects one or two tools, then discover it touches their VPN, email gateway, file storage, authentication system, and developer environments simultaneously.
- No internal expertise: Cryptographic compliance requires knowledge that spans IT infrastructure, security engineering, and policy documentation. Most small and mid-sized contractors do not have all three in-house.
- Tool sprawl: Your existing security stack may include tools that use encryption but are not FIPS 140-2 validated. Replacing or reconfiguring those tools while maintaining operations is a significant project.
- Deadline pressure: CMMC compliance timelines are not flexible. Phase 2 third-party assessments begin in early to mid-2026, and unprepared contractors risk losing contract eligibility.
- Ongoing burden: FIPS 140-2 validation status can change. Modules get deprecated, software updates can break compliance, and your environment needs continuous monitoring to stay current.
- Auditor back-and-forth: Assessors will ask for documented evidence that each cryptographic module in your environment is validated. Gathering that evidence without a clear inventory process can stretch your assessment timeline significantly.
What Does It Take to Meet CMMC FIPS 140-2 Compliance Requirements?
Meeting the cryptographic requirements under CMMC Level 2 involves more than switching on an encryption setting. You need to audit your environment, configure systems correctly, document everything, and keep it maintained. The sections below cover the four areas that require the most deliberate effort.
Technical Controls and Tooling
Every tool that encrypts CUI must use a FIPS 140-2 validated cryptographic module. That includes your VPN client, remote desktop solution, email encryption, cloud storage, endpoint protection, and any developer or DevOps tools that handle sensitive data.
For Microsoft environments, Windows operating systems can be configured to enforce FIPS-compliant algorithms through Group Policy. Microsoft 365 Government Cloud (GCC High) environments are built with FIPS 140-2 validated modules, which is one reason many CMMC-bound contractors migrate to GCC High. If you are still on a commercial Microsoft 365 tenant, that migration may be a prerequisite for meeting this requirement.
Documentation and Policy Development
You need a written cryptographic policy that identifies which modules are in use, confirms their validation status, and defines how cryptographic keys are generated, stored, rotated, and destroyed. Assessors will review this documentation directly.
Your System Security Plan (SSP) must reference FIPS 140-2 validation for every applicable control. Gaps in the SSP are one of the most common reasons contractors receive findings during assessment. BEMO creates 18 or more IT policies during implementation, including the documentation required to support cryptographic controls.
Ongoing Monitoring and Maintenance
FIPS 140-2 validation is not permanent. When a vendor releases a software update, the updated version may not carry the same validation status as the previous release. Your compliance program needs a process to verify that updates do not break your validated cryptographic posture.
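The two points above, enforcing FIPS-compliant algorithms through Group Policy and verifying that software updates have not changed your validated modules, can both be checked from the endpoint itself. The PowerShell script below is an added example, not code from this page or from BEMO's tooling. It reads the registry value behind the "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" policy, records the OS build, and snapshots the version and SHA-256 hash of a set of Windows cryptographic binaries so that a later run can flag drift after an update. The list of binaries and the baseline file path are assumptions chosen for illustration; the authoritative list of binaries covered by a validation is the "tested configuration" on the CMVP certificate for your OS build.

```powershell
# Added example (not BEMO's code). Reports whether Windows FIPS mode is enforced
# and snapshots the core CNG binaries so drift after patching can be detected.
# ASSUMPTIONS: the binary list is illustrative; take the real list from the CMVP
# certificate covering your OS build. The baseline path is a placeholder.

function Get-FipsPolicyStatus {
    # Registry value set by the "Use FIPS compliant algorithms" Group Policy setting.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $enabled = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        OSVersion    = $os.Version          # compare against the CMVP certificate's tested platform
        OSBuild      = $os.BuildNumber
        FipsEnforced = ($enabled -eq 1)     # $true only when the policy value is exactly 1
        RawValue     = $enabled             # $null means the value has never been set
    }
}

function Get-CryptoBinaryVersions {
    # Illustrative set of binaries that Microsoft's CMVP certificates typically name
    # (assumption: adjust to the certificate for your build).
    $binaries = @(
        "$env:SystemRoot\System32\bcryptprimitives.dll",
        "$env:SystemRoot\System32\ncryptsslp.dll",
        "$env:SystemRoot\System32\drivers\cng.sys",
        "$env:SystemRoot\System32\ci.dll"
    )
    foreach ($path in $binaries) {
        if (Test-Path -Path $path) {
            $info = (Get-Item -Path $path).VersionInfo
            [pscustomobject]@{
                Path        = $path
                FileVersion = $info.FileVersion
                Sha256      = (Get-FileHash -Algorithm SHA256 -Path $path).Hash
            }
        } else {
            [pscustomobject]@{ Path = $path; FileVersion = 'not found'; Sha256 = $null }
        }
    }
}

function Compare-CryptoBaseline {
    # First run writes the baseline (capture it at assessment time); later runs
    # report any binary whose hash no longer matches, i.e. an update changed it.
    param([Parameter(Mandatory)][string]$BaselinePath)
    $current = @(Get-CryptoBinaryVersions)
    if (-not (Test-Path -Path $BaselinePath)) {
        $current | ConvertTo-Json | Set-Content -Path $BaselinePath
        Write-Output "Baseline written to $BaselinePath"
        return
    }
    $baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
    $drift = 0
    foreach ($c in $current) {
        $b = $baseline | Where-Object { $_.Path -eq $c.Path }
        if ($null -eq $b) {
            Write-Warning "No baseline entry for $($c.Path)"; $drift++
        } elseif ($b.Sha256 -ne $c.Sha256) {
            Write-Warning "DRIFT: $($c.Path) changed $($b.FileVersion) -> $($c.FileVersion); re-check CMVP status"
            $drift++
        }
    }
    if ($drift -eq 0) { Write-Output 'Cryptographic binaries match the recorded baseline.' }
}

$status = Get-FipsPolicyStatus
if (-not $status.FipsEnforced) {
    Write-Warning 'FIPS mode is not enforced on this host; check the Group Policy setting.'
}
$status | Format-List
# Placeholder path (assumption); store the baseline with your assessment evidence.
Compare-CryptoBaseline -BaselinePath "$env:ProgramData\cmmc-crypto-baseline.json"
```

Run it once when you capture assessment evidence, then after each patch cycle. The FIPS policy flag on its own only tells the OS to restrict algorithm selection; it does not prove the host is running a validated module. CMVP certificates are issued for specific binary versions on specific tested platforms, so the version and hash comparison is what lets you answer an assessor's question about whether an update changed your validated configuration.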
This is where continuous monitoring becomes a practical necessity rather than a checkbox. A 24/7 SOC reviewing logs and configuration changes can catch drift before it becomes an assessment finding.
Staff Training and Awareness
Your team needs to understand why they cannot use non-validated encryption tools, even if those tools are technically strong. Shadow IT, personal devices, and unapproved file-sharing applications are common sources of FIPS non-compliance in otherwise well-configured environments.
Security awareness training through a platform like KnowBe4 can reinforce acceptable use policies and reduce the risk of employees inadvertently introducing non-compliant tools into your CUI environment.
In-House vs Managed: Approaches to CMMC Compliance
There is no single right way to approach CMMC FIPS 140-2 compliance. The right path depends on your team's existing capabilities, your timeline, and how much of the work you can realistically absorb internally. The table below presents three common approaches without advocating for any one of them.
| | DIY / In-House | GRC Platform Only (Drata, Vanta) | Managed Compliance Partner |
| --- | --- | --- | --- |
| Implementation | Your team builds it | Platform guides you, you do the work | Partner builds it for you |
| Ongoing maintenance | Your team | Your team + automation | Partner's team + automation |
| Auditor coordination | You manage it | Limited support | Managed end-to-end |
| Tech stack | You select and configure | Integrations only | Full security stack deployed |
| Dedicated team | Your hires | None | Multi-role team assigned to your account |
| Typical timeline | 12-18+ months | 6-12 months | ~8 months initial implementation |
The DIY path gives you full control but requires hiring or developing expertise across security engineering, policy writing, and GRC management. A GRC platform accelerates documentation and evidence collection but still requires your team to configure controls and manage remediation. A managed compliance partner handles implementation, tooling, and auditor coordination on your behalf, which reduces internal burden but requires selecting a partner you trust with your environment.
For FIPS 140-2 specifically, the technical depth required to audit cryptographic modules, configure Group Policy correctly, and manage GCC High migration makes the DIY path particularly resource-intensive for organizations without a dedicated security engineer.
Getting Started With CMMC Compliance
If you are not sure where your cryptographic posture stands today, a structured starting point makes the process manageable.
- Book a GAP Assessment: Evaluate your current security posture against all 110 CMMC Level 2 requirements, including FIPS 140-2 cryptographic controls. Identify which tools are validated and which are not.
- Get Your Implementation Roadmap: Receive a prioritized plan that covers which controls to address first, which tools to replace or reconfigure, and what documentation needs to be created or updated.
- Deploy Controls: Configure your environment for FIPS 140-2 compliance, migrate to GCC High if needed, deploy required security tooling, and build out the policy documentation your SSP requires.
- Achieve and Maintain Compliance: Work with your C3PAO for third-party assessment, then maintain your validated cryptographic posture through continuous monitoring and scheduled reviews.
Why Choose BEMO for CMMC Compliance
The challenges covered above, from cryptographic module audits to GCC High migration to SSP documentation, are exactly the kind of work that stalls organizations trying to handle CMMC on their own. BEMO is a Cyber AB Registered Practitioner Organization (RPO) that manages 251 CMMC controls for clients and takes ownership of the compliance outcome rather than leaving your team to figure it out.
Here is what that looks like in practice:
- A dedicated team is assigned to your account from day one, including a Customer Success Manager, Project Manager, Delivery Engineer, Security Engineer, SOC Analyst, IT Manager, Support Engineer, and virtual CISO.
- BEMO deploys a Microsoft-native security stack built on M365, Entra ID, Purview, Sentinel, Intune, and Defender, with GCC High migration support for contractors who need it.
- GRC automation runs on the Drata platform, managed by BEMO's compliance engineers so you are not left managing it yourself.
- BEMO coordinates directly with auditors including Sensiba, A-LIGN, and the Johanson Group on your behalf.
- Implementation follows an 8-month timeline with bi-weekly status meetings and a 72-hour SLA for remediation items.
- A 24/7 SOC reviews 100,000 or more monthly logs, with approximately 100 per month escalated for human verification.
- BEMO is SOC 2 Type 2 and ISO 27001 certified, and was recognized as the 2023 Microsoft US Partner of the Year. BEMO has appeared on the Inc. 5000 list four consecutive years and was featured by Satya Nadella at the Microsoft Secure 2024 Summit.
Ready to Meet CMMC FIPS 140-2 Requirements?
BEMO assigns a dedicated, multi-role compliance team to your account and owns the outcome of getting you certified. You do not manage the process alone.
Book a meeting with BEMO to start with a GAP assessment and get a clear picture of where your cryptographic controls stand today.
Frequently Asked Questions About CMMC FIPS 140-2 Compliance Requirements
What exactly do CMMC FIPS 140-2 compliance requirements cover?
CMMC FIPS 140-2 compliance requirements apply to any cryptographic module used to protect CUI, whether that data is in transit or at rest. The requirement is rooted in NIST SP 800-171 controls 3.13.8 and 3.13.10, and it means every encryption tool in your environment must use a module validated through the NIST Cryptographic Module Validation Program. This applies to VPNs, email encryption, file storage, remote access solutions, and authentication systems.
Does FIPS 140-2 apply at CMMC Level 1?
No. CMMC Level 1 covers 15 basic requirements focused on protecting Federal Contract Information and does not require FIPS 140-2 validated cryptography. FIPS 140-2 requirements become mandatory at Level 2, where contractors handling CUI must implement all 110 controls from NIST SP 800-171. If your contract involves CUI, you are almost certainly looking at Level 2 requirements. You can learn more about the differences in our CMMC Level 1 vs Level 2 breakdown.
How long does it take to become CMMC compliant when FIPS 140-2 gaps exist?
The timeline depends on how many non-compliant tools are in your environment and whether you need to migrate to a GCC High environment. For most small and mid-sized contractors starting from a moderate security baseline, reaching Level 2 readiness takes several months to over a year. BEMO's typical implementation timeline is approximately 8 months, which includes cryptographic control configuration, documentation, and pre-assessment preparation.
What does a CMMC GAP assessment include for FIPS 140-2?
A GAP assessment evaluates your current environment against all 110 CMMC Level 2 requirements. For FIPS 140-2 specifically, it identifies which cryptographic modules you are currently using, checks each against the NIST CMVP validated modules list, and flags any tools or configurations that do not meet the standard. The output is a prioritized remediation plan that tells you exactly what needs to change before your third-party assessment.
Why is GCC High migration often part of FIPS 140-2 compliance for CMMC?
Commercial Microsoft 365 tenants are not always configured to enforce FIPS-compliant cryptography by default. Microsoft's GCC High environment is purpose-built for DoD contractors and uses FIPS 140-2 validated modules throughout. For many contractors, migrating from a commercial M365 tenant to GCC High is the most efficient path to satisfying FIPS 140-2 requirements across email, file storage, and collaboration tools at once.
What team does BEMO assign for CMMC compliance?
BEMO assigns a dedicated, multi-role team to every client account. That team includes a Customer Success Manager, Project Manager, Delivery Engineer, Security Engineer, SOC Analyst, IT Manager, Support Engineer, and a virtual CISO. Each role contributes to a different part of the compliance process, from technical control deployment to policy documentation to auditor coordination. No single person on your side is expected to manage all of it.