FIPS 140 Control 3.13.11

FIPS 140 "Validated" vs "Compliant" for CMMC

The Proof Gap That Fails Assessments

If you've spent any time preparing for a CMMC assessment under DFARS 252.204-7012, you've come across the phrase "FIPS compliant" on a vendor's datasheet. It sounds official. It might even appear next to a padlock icon and some copy about military-grade encryption.

Here's the problem: "FIPS compliant" is not a thing. Not officially. And when your assessor asks you to prove your cryptography meets NIST SP 800-171 control 3.13.11, that datasheet won't save you.

Control 3.13.11 is the number one reason companies fail CMMC assessments, according to audits by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). Here's what the distinction actually means — and how to get it right.

What does FIPS validated mean for CMMC?

A FIPS-validated cryptographic module is a hardware or software encryption component that has been independently tested by a NIST-approved laboratory and issued a CMVP certificate number under FIPS 140-2 or FIPS 140-3. The operative word is module — not algorithm, not product. The module is the specific implementation that executes the encryption. Under 32 CFR Part 170, CMMC Level 2 requires contractors handling CUI to satisfy all 110 practices in NIST SP 800-171, and control 3.13.11 specifically mandates FIPS-validated cryptography.

Here's something most contractors get wrong: it is the manufacturer's job — Cisco, Microsoft, whoever — to submit their product to a NIST-approved testing facility and put it through a battery of tests. The government doesn't test your network. The vendor earns the certificate; you verify it.

Every validated module gets a CMVP certificate number — a public record at csrc.nist.gov. No certificate number means no validation.

Figure: Three-step FIPS validation process — manufacturer submits module, NIST tests and certifies, contractor verifies and configures.

  • Step 1, Manufacturer (Cisco, Microsoft, etc.): submits the module to a NIST-approved testing lab.
  • Step 2, CMVP / NIST: runs the battery of tests and issues a certificate with a unique number.
  • Step 3, DoD Contractor: verifies the public list, buys the exact model/firmware, and configures it securely.

Contractors don't submit their network for testing. They check the public list, purchase the exact matching hardware and firmware, and configure it correctly. The testing burden is the manufacturer's. The verification burden is yours.

Why does "FIPS compliant" encryption fail CMMC assessments?

"FIPS compliant" means a product relies on FIPS-validated components for cryptographic functionality — but the product itself has never been tested. There is no official definition of "FIPS compliant" anywhere in the FIPS 140 standard. The industry coined the phrase on its own.

A CMMC instructor explained it this way: the manufacturer built the router using FIPS rules, but never sent it to the FIPS organization for testing — because testing costs too much money. It lacks the official seal of approval. That seal is the only thing a C3PAO assessor will accept.

"FIPS compliant" = the manufacturer followed the rules.
"FIPS validated" = a government-approved lab confirmed it and issued a certificate.

Only one satisfies NIST SP 800-171 control 3.13.11.

How does FIPS encryption status affect your SPRS score?

Control 3.13.11 carries real weight in the CMMC assessment methodology. Getting it wrong isn't a footnote — it's a scored failure that directly impacts your SPRS score:

Scenario                                          | Assessment impact
No encryption at all                              | −5 points (critical failure)
"FIPS compliant" encryption only, not validated   | −3 points
FIPS-validated module, configured and documented  | Full credit (control satisfied)

Table: SPRS scoring impact of FIPS encryption status on CMMC Level 2 assessment.

With CMMC now applying to all ~250,000 Defense Industrial Base companies that handle Controlled Unclassified Information (CUI), this requirement has never been more broadly enforced. Either you have a CMVP certificate number proving your validated module, or you don't.

How do you prove FIPS validation to a C3PAO assessor?

Assessors don't want to fish through a 200-page binder. They need to see three specific things that connect precisely:

  • Evidence 01, Active Config Screen: screenshot showing FIPS mode is enabled (e.g., "FIPS Mode: ON" in OS settings or the router admin panel).
  • Evidence 02, System Info Screen: screenshot showing the exact firmware version currently running; it must match what appears on the NIST certificate exactly.
  • Evidence 03, NIST CMVP Certificate: the official certificate from csrc.nist.gov showing the matching manufacturer, module name, and firmware version.

Figure: Three-part evidence chain linking active configuration, firmware version, and CMVP certificate for FIPS validation proof.

Most common failure: firmware version mismatch. A contractor checks their router against the NIST CMVP list — but the firmware was updated last quarter and no longer matches the certificate on file. From an assessor's standpoint, the module is now unvalidated. Always re-verify after any firmware update.

Beyond the three-part test, also prepare:

  • A Crypto Module Reporting Table (CMRT) mapping every validated module to its data flow — both in transit (DIT) and at rest (DAR)
  • Confirmation that your cloud provider's FedRAMP Moderate or High authorization covers FIPS validation
  • A check that no certificates on your list have moved to "Historical" status
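As an added example (not code from the article or from any vendor or assessment tool), the Python below reconciles a module inventory against CMVP certificate records and applies the three checks above: FIPS mode enabled, exact firmware-version match, and a certificate that has not moved to "Historical". The CMVP records, inventory rows, certificate numbers and field names are constructed placeholders; real lookups are done against csrc.nist.gov.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    """One CMVP certificate record (constructed; field names are assumptions)."""
    number: str          # certificate number; placeholders below, not real ones
    vendor: str
    module: str
    versions: frozenset  # firmware/software versions listed on the certificate
    status: str          # "Active" or "Historical"

# Constructed CMVP records standing in for lookups on csrc.nist.gov.
CMVP = [
    Cert("CERT-PLACEHOLDER-1", "ExampleVendor", "Example Router Crypto Module",
         frozenset({"16.9.4", "16.9.5"}), "Active"),
    Cert("CERT-PLACEHOLDER-2", "ExampleVendor", "Example Legacy Module",
         frozenset({"1.2.0"}), "Historical"),
]

# Constructed inventory: (asset, vendor, module, running version, FIPS mode on?)
INVENTORY = [
    ("edge-rtr-01", "ExampleVendor", "Example Router Crypto Module", "16.9.4", True),
    ("edge-rtr-02", "ExampleVendor", "Example Router Crypto Module", "16.9.6", True),
    ("vpn-gw-01", "ExampleVendor", "Example Legacy Module", "1.2.0", True),
    ("file-srv-01", "ExampleVendor", "Example Router Crypto Module", "16.9.4", False),
]

def assess(asset, vendor, module, version, fips_mode, certs=CMVP):
    """Return (verdict, detail); VALIDATED needs FIPS mode on, an exact version match, and a non-Historical cert."""
    if not fips_mode:
        return ("FAIL", "FIPS mode not enabled")
    matches = [c for c in certs if c.vendor == vendor and c.module == module]
    if not matches:
        return ("FAIL", "no CMVP certificate for this vendor/module")
    exact = [c for c in matches if version in c.versions]
    if not exact:  # e.g. edge-rtr-02 was patched past the versions on the certificate
        listed = sorted(v for c in matches for v in c.versions)
        return ("FAIL", f"running {version}; certificate lists {listed}")
    active = [c for c in exact if c.status != "Historical"]
    if not active:
        return ("FAIL", f"only Historical certificate {exact[0].number}")
    return ("VALIDATED", active[0].number)

def cmrt_rows(inventory=INVENTORY):
    """Rows for a Crypto Module Reporting Table: (asset, verdict, detail)."""
    return [(row[0], *assess(*row)) for row in inventory]

if __name__ == "__main__":
    for asset, verdict, detail in cmrt_rows():
        print(f"{asset:12} {verdict:10} {detail}")
```

Re-running the script after every firmware change is the programmatic form of the re-verification step: a version that drops off the certificate shows up as a FAIL row the next time the table is built.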

What FIPS 140 changes should contractors prepare for?

Two patterns catch contractors off guard late in the process:

Common Mistake: The Algorithm Assumption

Saying "we use AES-256" satisfies nothing. The algorithm and the validated module are not the same thing. The implementation must be separately tested and certified.

Upcoming Deadline: FIPS 140-3 Transition

September 21, 2026 is the cutoff to move from FIPS 140-2 to FIPS 140-3 validated modules. If your environment isn't already on 140-3, build a remediation plan now.

The Bottom Line

To pass control 3.13.11, verify every cryptographic module in your environment against the NIST CMVP database at csrc.nist.gov. Match the exact manufacturer, module name, and firmware version to an active certificate. Document the CMVP certificate number in your System Security Plan (SSP). After any firmware update, re-verify that the running version still appears on the certificate — a version mismatch renders the module unvalidated.

For every cryptographic module in scope: record the CMVP certificate number, capture a screenshot of the active firmware version, and confirm the certificate status is not "Historical." Add each entry to your Crypto Module Reporting Table and cross-reference it in your SSP under control SC.L2-3.13.11. Re-verify after every firmware change.