Cryptography

OS FIPS Mode Detection

The first check between your environment and a 5-point SPRS hit on 3.13.11.

Covered practices · NIST SP 800-171 Rev 2
  • 3.13.11 FIPS-validated cryptography (Primary)
  • 3.13.8 Transmission confidentiality
  • 3.13.10 Cryptographic key establishment and management
  • 3.4.2 Security configuration settings
<2s from scan to SPRS-ready 3.13.11 tier verdict

The problem

FIPS mode is the most consequential boolean in a CMMC environment. The kernel either enforces FIPS-approved algorithms across every cryptographic library on the host, or it does not, and the difference is invisible until an assessor asks for evidence. Most contractors discover the answer halfway through their C3PAO engagement, when remediation costs five times what a pre-assessment fix would have.

The failure mode is silent. OpenSSL, GnuTLS, NSS, and the kernel's own random number generator all defer to the OS for algorithm enforcement. A box configured for FIPS at build time can drift out of FIPS after a kernel upgrade, a missing dracut package, or a removed boot parameter. Nothing surfaces the regression until the next reboot, the next image deployment, or the next assessment cycle.

On 3.13.11, the DoD scoring methodology applies a partial-credit deduction tied directly to this check. If the OS is not in FIPS mode but encryption exists, that is a 3-point loss. If no encryption exists at all, it is the full 5. The agent determines which tier applies, per host, before the assessor walks in the door.

What CMMC requires

These are the NIST SP 800-171 Rev 2 controls this agent verifies. Primary mappings drive the gap assessment; secondary mappings provide supporting evidence in the SSP.

Primary mapping
NIST 3.13.11 FIPS-validated cryptography

Verifies the OS is enforcing FIPS-validated algorithms at the kernel level, the prerequisite for every crypto library on the host operating in a validated state.

Secondary mapping
NIST 3.13.8 Transmission confidentiality

Confirms FIPS mode is restricting the cipher suites TLS can negotiate, so applications cannot select non-approved suites even when their own configuration would otherwise permit them.

NIST 3.13.10 Cryptographic key establishment and management

Establishes that key sizes and generation algorithms are constrained to FIPS-approved values at the OS level, including the kernel's RNG.

NIST 3.4.2 Security configuration settings

Treats OS FIPS mode as a configuration baseline item. Its absence is a configuration management gap, not just a cryptographic one.


How it works

Per-platform detection logic. The agent runs unprivileged where possible and falls back gracefully when raw access is unavailable.

Linux

Reads /proc/sys/crypto/fips_enabled and confirms fips=1 on /proc/cmdline so the setting actually survives reboot. Checks for /etc/system-fips and the dracut-fips package as secondary signals, then runs update-crypto-policies --show on RHEL-family systems to verify the system-wide policy is set to FIPS. The full sweep runs unprivileged in well under a second per host, with zero kernel calls.
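The Linux sweep above, written out as an added example in Rust (the language the page's winreg mention implies for the agent; this is not the vendor's code). The live agent would read /proc/sys/crypto/fips_enabled and /proc/cmdline, test for /etc/system-fips, query the package manager for dracut-fips and run `update-crypto-policies --show`; here each of those values arrives in a `LinuxSnapshot` struct so the decision logic runs offline on any platform. The finding titles and severities are the ones listed under "What it finds"; the severity given to a non-FIPS crypto policy is an assumption, since the page names that check but lists no finding for it. The `sprs_deduction` helper applies the 0 / -3 / -5 tiers described under "The problem" and "SPRS impact", taking "encryption in use" as a separate input because the FIPS sweep alone cannot decide that.

```rust
// Added example, not the vendor's agent code. Reproduces the Linux FIPS sweep
// over captured inputs so it runs offline; the live collector would read the
// /proc files, the /etc marker, the package database and the crypto policy.

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Severity { Critical, High, Medium }

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Finding { pub severity: Severity, pub title: &'static str }

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Verdict {
    FipsEnforced,  // kernel reports FIPS mode on
    FipsDisabled,  // kernel reports FIPS mode off
    Undetermined,  // fips_enabled unreadable, so no tier can be asserted
}

/// Captured host signals. `None` means the input was unreadable, which an
/// unprivileged collector tolerates instead of treating it as a failure.
#[derive(Debug, Default)]
pub struct LinuxSnapshot {
    pub fips_enabled: Option<String>,        // contents of /proc/sys/crypto/fips_enabled
    pub cmdline: Option<String>,             // contents of /proc/cmdline
    pub dracut_fips_installed: Option<bool>, // RHEL-family only; None elsewhere
    pub crypto_policy: Option<String>,       // output of `update-crypto-policies --show`
}

/// Kernel-reported FIPS state; Some(true) only when the file reads exactly "1".
pub fn kernel_fips_on(snap: &LinuxSnapshot) -> Option<bool> {
    snap.fips_enabled.as_deref().map(|s| s.trim() == "1")
}

/// True only for a standalone `fips=1` token, so constructed near-misses such
/// as `fips=10` or `nofips=1` do not count as the persisted boot parameter.
pub fn cmdline_has_fips(cmdline: &str) -> bool {
    cmdline.split_whitespace().any(|tok| tok == "fips=1")
}

/// System-wide policy is FIPS, allowing a subpolicy suffix ("FIPS:OSPP").
pub fn policy_is_fips(output: &str) -> bool {
    output.trim().split(':').next().unwrap_or("") == "FIPS"
}

pub fn evaluate_linux(snap: &LinuxSnapshot) -> (Verdict, Vec<Finding>) {
    let mut findings = Vec::new();
    match kernel_fips_on(snap) {
        None => return (Verdict::Undetermined, findings),
        Some(false) => {
            findings.push(Finding { severity: Severity::Critical, title: "OS FIPS mode disabled" });
            return (Verdict::FipsDisabled, findings);
        }
        Some(true) => {}
    }
    // Kernel is in FIPS mode now; the remaining checks ask whether it stays that way.
    if let Some(cmdline) = snap.cmdline.as_deref() {
        if !cmdline_has_fips(cmdline) {
            findings.push(Finding { severity: Severity::High, title: "fips=1 boot parameter missing" });
        }
    }
    if snap.dracut_fips_installed == Some(false) {
        findings.push(Finding { severity: Severity::Medium, title: "FIPS dracut package not installed" });
    }
    // Severity here is an assumption: the page names the check but lists no finding for it.
    if let Some(policy) = snap.crypto_policy.as_deref() {
        if !policy_is_fips(policy) {
            findings.push(Finding { severity: Severity::High, title: "System-wide crypto policy is not FIPS" });
        }
    }
    (Verdict::FipsEnforced, findings)
}

/// 3.13.11 deduction tiers: 0 with FIPS on, -3 with encryption but no FIPS,
/// -5 with no encryption at all. None when the kernel state could not be read.
pub fn sprs_deduction(verdict: Verdict, encryption_in_use: bool) -> Option<i32> {
    if !encryption_in_use {
        return Some(-5);
    }
    match verdict {
        Verdict::FipsEnforced => Some(0),
        Verdict::FipsDisabled => Some(-3),
        Verdict::Undetermined => None,
    }
}

fn main() {
    // Constructed snapshot of a host that drifted after a kernel upgrade.
    let drifted = LinuxSnapshot {
        fips_enabled: Some("1\n".to_string()),
        cmdline: Some("BOOT_IMAGE=(hd0,gpt2)/vmlinuz root=/dev/mapper/rhel-root ro quiet\n".to_string()),
        dracut_fips_installed: Some(false),
        crypto_policy: Some("DEFAULT\n".to_string()),
    };
    let (verdict, findings) = evaluate_linux(&drifted);
    println!("verdict: {:?}", verdict);
    for f in &findings {
        println!("{:?}: {}", f.severity, f.title);
    }
    println!("SPRS deduction today: {:?}", sprs_deduction(verdict, true));
}
```

The drifted host above scores 0 today because the kernel is still in FIPS mode, which is exactly why the boot-parameter and dracut findings carry their own severities: the deduction only appears after the next reboot, and the findings are what surface it beforehand.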

Windows

Queries HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\Enabled via the winreg crate, no FFI required. Cross-checks SChannel for explicit Enabled=0 entries on TLS 1.0 and TLS 1.1, since Windows does not auto-block deprecated TLS versions when FipsAlgorithmPolicy is set. Returns a structured tier verdict ready for the SSP narrative.
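The Windows cross-check, as an added Rust example that is not the vendor's code. The live agent reads the values with the winreg crate; to keep this runnable offline on any platform the registry is a constructed map from (key path under HKLM, value name) to DWORD. The FipsAlgorithmPolicy path is the one quoted on the page; the SCHANNEL\Protocols\<protocol>\Client|Server\Enabled layout is Windows' documented location for per-protocol settings and is assumed here rather than quoted from the page. The point the code makes is the one the text makes: FipsAlgorithmPolicy=1 says nothing about TLS 1.0/1.1, so a protocol counts as blocked only when both its Client and Server subkeys carry an explicit Enabled=0.

```rust
// Added example, not the vendor's agent code. Registry values arrive in a
// constructed map so the SChannel cross-check runs without Windows or winreg.
use std::collections::HashMap;

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Severity { Critical, High }

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Finding { pub severity: Severity, pub title: String }

/// (key path under HKLM, value name) -> DWORD data.
pub type RegistrySnapshot = HashMap<(String, String), u32>;

pub const FIPS_POLICY_KEY: &str = r"SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy";
// Assumed standard SChannel location; not quoted on the page.
pub const SCHANNEL_PROTOCOLS_KEY: &str =
    r"SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols";
pub const LEGACY_TLS: [&str; 2] = ["TLS 1.0", "TLS 1.1"];

fn dword(reg: &RegistrySnapshot, key: &str, name: &str) -> Option<u32> {
    reg.get(&(key.to_string(), name.to_string())).copied()
}

/// FipsAlgorithmPolicy\Enabled = 1 is the OS-level FIPS switch.
pub fn fips_policy_enabled(reg: &RegistrySnapshot) -> bool {
    dword(reg, FIPS_POLICY_KEY, "Enabled") == Some(1)
}

/// Blocked only when both Client and Server subkeys carry an explicit
/// Enabled=0. An absent value leaves the OS default in force, and setting
/// FipsAlgorithmPolicy does not change that default.
pub fn protocol_explicitly_disabled(reg: &RegistrySnapshot, protocol: &str) -> bool {
    ["Client", "Server"].iter().all(|side| {
        let key = format!(r"{}\{}\{}", SCHANNEL_PROTOCOLS_KEY, protocol, side);
        dword(reg, &key, "Enabled") == Some(0)
    })
}

pub fn evaluate_windows(reg: &RegistrySnapshot) -> Vec<Finding> {
    let mut findings = Vec::new();
    if !fips_policy_enabled(reg) {
        findings.push(Finding { severity: Severity::Critical, title: "OS FIPS mode disabled".to_string() });
        return findings;
    }
    for &proto in LEGACY_TLS.iter() {
        if !protocol_explicitly_disabled(reg, proto) {
            findings.push(Finding {
                severity: Severity::High,
                title: format!("Windows SChannel allows {}", proto),
            });
        }
    }
    findings
}

/// Build a constructed snapshot from (key path, value name, DWORD) triples.
pub fn snapshot(entries: &[(&str, &str, u32)]) -> RegistrySnapshot {
    entries.iter().map(|(k, v, d)| ((k.to_string(), v.to_string()), *d)).collect()
}

fn main() {
    // Constructed host: FIPS policy on, TLS 1.0 fully disabled, TLS 1.1 only
    // disabled on the server side, so the client stack can still negotiate it.
    let tls10_client = format!(r"{}\TLS 1.0\Client", SCHANNEL_PROTOCOLS_KEY);
    let tls10_server = format!(r"{}\TLS 1.0\Server", SCHANNEL_PROTOCOLS_KEY);
    let tls11_server = format!(r"{}\TLS 1.1\Server", SCHANNEL_PROTOCOLS_KEY);
    let reg = snapshot(&[
        (FIPS_POLICY_KEY, "Enabled", 1),
        (tls10_client.as_str(), "Enabled", 0),
        (tls10_server.as_str(), "Enabled", 0),
        (tls11_server.as_str(), "Enabled", 0),
    ]);
    for f in evaluate_windows(&reg) {
        println!("{:?}: {}", f.severity, f.title);
    }
}
```

Half-applied lockdowns like the one in `main` are the common case in practice: a hardening script sets the Server side and leaves outbound clients negotiating TLS 1.1, which is why the check requires both subkeys rather than either.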

macOS

macOS exposes no kernel FIPS toggle, so the agent reads the OS build and maps it to Apple's Corecrypto CMVP certification history. macOS 13 and later are covered by FIPS 140-3 cert #4532, macOS 11 and 12 by an earlier 140-2 cert that remains valid, and anything below 11 is flagged. The cert number is attached to every finding so an assessor can verify it directly.

What it finds

Concrete findings written to the assessor's mental model, not abstract categories. Severity drives POA&M priority and SPRS deduction.

  • CRITICAL
    OS FIPS mode disabled
    /proc/sys/crypto/fips_enabled returns 0; every cryptographic library on the host is operating in a non-validated state, regardless of installed package versions.
  • HIGH
    fips=1 boot parameter missing
    The kernel is in FIPS mode now, but /proc/cmdline does not include fips=1. The configuration will not survive the next reboot.
  • MEDIUM
    FIPS dracut package not installed
    RHEL-family system has FIPS enabled but the dracut-fips package is missing; initramfs cryptographic verification at boot is incomplete.
  • HIGH
    macOS version below FIPS coverage
    Host is running an OS release that predates Apple's Corecrypto FIPS 140-2 certification. No validated cryptographic module is present.
  • HIGH
    Windows SChannel allows TLS 1.0 or 1.1
    FipsAlgorithmPolicy is enabled but SChannel does not have Enabled=0 set for TLS 1.0/1.1; applications can still negotiate deprecated protocol versions.

SPRS impact

3.13.11 is a 5-point control with partial credit under the DoD Assessment Methodology, and this agent is the single most reliable predictor of which tier a contractor lands in. OS FIPS on with validated encryption in use scores 0. Encryption present but OS not in FIPS scores −3. No encryption at all scores the full −5. Misjudging the tier by a single step is the difference between a clean SPRS and a contract-blocking deduction; the agent removes the guesswork before the C3PAO does it for you.

How it hooks into the platform

The platform auto-discovers every in-scope host and runs this check on a cadence assigned to its tier, with no manual invocation. You decide whether kernel and registry signals stay on-prem or sync to the platform. Either way, the SPRS tier (0, -3, or -5) is computed for you and routed into the 3.13.11 lane of the gap assessment. The result drafts the SSP's cryptographic protection narrative; any failure opens a POA&M with the right remediation command. A kernel upgrade that drops fips=1 surfaces the same day.

How we know it's working

Acceptance criteria from the engineering spec: what the agent must do to ship.

  • Returns the SPRS tier per host with NIST mapping in one pass
  • Covers Linux, Windows, and macOS from a single deploy
  • Runs unprivileged on Linux against kernel /proc state
  • Inspects Windows registry directly without unsafe FFI
  • Maps each macOS build to its Corecrypto CMVP certificate

Run this agent against your environment.

Book a 30-minute scoping call. We'll deploy the agent on your systems and walk through the findings together.

Book a Scoping Call →