FIPS 140 Validated Cryptography
Also known as: FIPS 140-2, FIPS 140-3, FIPS validated encryption
FIPS 140 validated cryptography is encryption implemented by a module that has been tested and certified against the Federal Information Processing Standard 140 by the NIST Cryptographic Module Validation Program. CMMC Level 2 requirement 3.13.11 calls for FIPS validated cryptography to protect CUI; simply enabling encryption is not enough if the module is not validated.
Related terms
- NIST SP 800-171
NIST SP 800-171 is the National Institute of Standards and Technology publication that defines 110 security controls for protecting Controlled Unclassified Information (CUI) on non-federal systems. It is the controls catalog used at CMMC Level 2, but is not used at Level 1, which is based on the 15 safeguarding requirements in FAR 52.204-21.
- Controlled Unclassified Information
Controlled Unclassified Information (CUI) is unclassified information that requires safeguarding or dissemination controls under law, regulation, or government-wide policy. It is explicitly marked CUI by the originating agency and triggers NIST SP 800-171 protections and, at the contractual level, CMMC Level 2.
- CMMC Level 2
CMMC Level 2 is the middle CMMC certification tier, covering contractors who handle Controlled Unclassified Information (CUI). It requires implementing all 110 controls of NIST SP 800-171 and undergoing either a self-assessment or a triennial assessment by a CMMC Third-Party Assessment Organization (C3PAO), depending on the program's prioritization.
- Microsoft 365 GCC High
Microsoft 365 Government Community Cloud High (GCC High) is the Microsoft cloud offering authorized to handle CUI and ITAR data for DoD contractors. GCC High is generally required at CMMC Level 2 when CUI is present; it is not required at Level 1, where standard Microsoft 365 Commercial is sufficient for FCI.