Most of What You Think Needs FIPS Doesn't Need FIPS
We see this every week. Someone reads through NIST SP 800-171 R2, sees “encryption” show up in five different practices, and decides every single thing in their environment has to be FIPS 140-2 validated. They budget for an entirely new network infrastructure: new FIPS validated switches, access points, firewalls, and removable drives. Months later, we come in, sit with company stakeholders, and build a data flow diagram. It turns out they did not need to spend all that money.
The actual rule is small. It only kicks in when three things are all true at once.
The three-part test
FIPS validated modules are required when cryptography is being used to protect the confidentiality of CUI.
Three pieces:
- CUI is involved
- Cryptography is the thing protecting it
- The reason for the cryptography is confidentiality
Miss any one of those and the FIPS requirement doesn’t apply.
Most of the panic happens because people see “encryption is required” somewhere in the practices and assume FIPS is required everywhere encryption shows up. It’s not.
Scenario 1: laptop to Office 365
A user is on a laptop. They hit Outlook on the web. CUI moves from the browser into O365 over HTTPS.
Does this scenario need FIPS? Yes.
Microsoft already enforces TLS 1.2 with FIPS validated modules on the O365 side; it’s documented in their KB articles and their shared responsibility matrix. Your responsibility is to configure your endpoints in FIPS mode. M365 GCC High is FedRAMP High. The moment the browser establishes the session, the requirement is inherited.
Scenario 2: two boxes inside your super secure office
Two servers sitting right next to each other inside a secured facility. One network cable between them. Locked doors with badge access. CUI is moving between the two boxes.
Is cryptography needed? No. The CUI is physically protected. This holds up under NIST SP 800-171 R2. R3 is a different story, but it isn’t required yet.
So if someone is telling you that you need to encrypt your file servers with BitLocker, read NIST SP 800-171 R2 again. If the servers are in a secure building, you don’t need to.
A backup sitting inside a physically secure facility with the right access controls is the same idea. The backup itself doesn’t need FIPS encryption. The protection mechanism isn’t crypto, it’s the physical building itself.
Scenario 3: Wi-Fi plus the cloud
This is the one that trips up the most people.
Laptop on Wi-Fi. Wi-Fi goes through a firewall, out to the internet, into Office 365. CUI is in the browser session.
A lot of teams look at this and decide their Wi-Fi has to be FIPS validated.
It doesn’t.
The TLS session from the browser to O365 is already FIPS validated. The CUI is wrapped in compliant crypto before it ever touches the wireless. There’s no need to encrypt it twice. Wi-Fi being WPA2 or WPA3 covers the wireless encryption practice, but that’s a different control with a different point. FIPS only enters the picture if CUI is crossing the wireless in a form that isn’t already wrapped in a FIPS validated tunnel.
When the CUI path is browser to O365, the wireless underneath is just transport. It’s carrying an already-encrypted payload.
The pattern
Before asking “does this need FIPS,” ask:
- Is CUI actually on this thing
- Is cryptography the control protecting it
- Is the reason confidentiality
If the answer to all three is yes, a FIPS validated module is required. If any one of them is no, it isn’t.
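As an added example, not part of the original post, here is the three-part test applied layer by layer to the three scenarios above, plus a variant of scenario 1 where the endpoint is not running in FIPS mode. The `Layer` and `assess` helpers and the layer names are constructed for illustration; list layers from the one closest to the CUI outward so that an already-protected payload makes every outer layer plain transport.

```python
from __future__ import annotations
from dataclasses import dataclass

# A Layer is one protection the CUI passes through. List them from the layer
# closest to the CUI outward: the TLS session the browser opens comes before
# the Wi-Fi link it rides on.
@dataclass
class Layer:
    name: str
    kind: str                          # "physical" or "crypto"
    purpose: str = "confidentiality"   # why the crypto is there
    fips_validated: bool = False       # validated module AND running in FIPS mode

def assess(carries_cui: bool, layers: list[Layer]) -> list[tuple[str, str]]:
    """Apply the three-part test to every layer on one data flow.

    A layer gets a "REQUIRED" verdict only when CUI is present, the layer is
    cryptography, its purpose is confidentiality, and no layer closer to the
    CUI already protects it (otherwise the layer is just transport).
    """
    verdicts = []
    protected_by = None   # name of the first layer that already protects the CUI
    for layer in layers:
        if not carries_cui:
            verdicts.append((layer.name, "n/a: no CUI on this path"))
        elif protected_by is not None:
            verdicts.append((layer.name, f"not required: transport only, already protected by {protected_by}"))
        elif layer.kind == "physical":
            protected_by = layer.name
            verdicts.append((layer.name, "not required: physical protection, no crypto needed"))
        elif layer.purpose != "confidentiality":
            verdicts.append((layer.name, f"not required: crypto is for {layer.purpose}, not confidentiality"))
        elif layer.fips_validated:
            protected_by = layer.name
            verdicts.append((layer.name, "REQUIRED: satisfied by FIPS validated module"))
        else:
            verdicts.append((layer.name, "REQUIRED: GAP, confidentiality crypto is not FIPS validated"))
    return verdicts

# Constructed scenarios mirroring the post (layer names are illustrative).
SCENARIO_1 = [Layer("TLS 1.2 browser to O365", "crypto", fips_validated=True)]
SCENARIO_2 = [Layer("locked facility with badge access", "physical"),
              Layer("BitLocker on the file server", "crypto")]
SCENARIO_3 = [Layer("TLS 1.2 browser to O365", "crypto", fips_validated=True),
              Layer("WPA3 Wi-Fi", "crypto")]
# Variant of scenario 1 with an endpoint that is not running in FIPS mode.
SCENARIO_1_GAP = [Layer("TLS 1.2 browser to O365", "crypto", fips_validated=False)]
```

Running `assess(True, SCENARIO_3)` flags only the TLS layer as required and marks the Wi-Fi as transport, which is the scenario 3 argument in code form.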
