Most of What You Think Needs FIPS Doesn't Need FIPS

By Arnold De La Vega
[Image: screenshot of an r/CMMC Reddit post titled "FIPS 140-3 Validated USB FIDO Tokens", from a user trying to source FIPS 140-3 validated tokens because of the FIPS 140-2 sunset]
Real post from r/CMMC. The exact confusion this article is about.

We see this every week. Someone reads through NIST SP 800-171 R2, sees “encryption” show up in five different practices, and decides every single thing in their environment has to be FIPS 140-2 validated. They budget for an entirely new network infrastructure: new FIPS validated switches, access points, firewalls, and removable drives. Months later, we come in, sit down with the company's stakeholders, and build a data flow diagram. It turns out they did not need to spend all that money.

The actual rule is small. It only kicks in when three things are all true at once.

The three-part test

FIPS validated modules are required when cryptography is being used to protect the confidentiality of CUI.

Three pieces:

  • CUI is involved
  • Cryptography is the thing protecting it
  • The reason for the cryptography is confidentiality

Miss any one of those and the FIPS requirement doesn’t apply.

Most of the panic happens because people see “encryption is required” somewhere in the practices and assume FIPS is required everywhere encryption shows up. It’s not.

Scenario 1: laptop to Office 365

A user is on a laptop. They hit Outlook on the web. CUI moves from the browser into O365 over HTTPS.

Does this scenario need FIPS? Yes.

[Image: laptop in an office connecting to a Microsoft 365 GCC High cloud, with the connection labeled "Encrypted with TLS 1.2 (FIPS)"]
Browser-to-O365 traffic is wrapped in TLS 1.2 with FIPS validated modules. Microsoft handles the cloud side. You configure the endpoint.

Microsoft already enforces TLS 1.2 with FIPS validated modules on the O365 side. It’s in their KB articles and their shared responsibility matrix. Your responsibility is to configure your endpoints in FIPS mode. M365 GCC High is FedRAMP High. Once a FIPS-mode endpoint establishes the session, the cloud side of the requirement is inherited from Microsoft.

Scenario 2: two boxes inside your super secure office

Two servers sitting right next to each other inside a secured facility. One network cable between them. Locked doors with badge access. CUI is moving between the two boxes.

Is cryptography needed? No. The CUI is physically protected. This will hold up for NIST SP 800-171 R2. R3 is a different story, but not required yet.

[Image: two server racks inside a single office building exchanging CUI over a direct cable. No cryptography; the office building itself is the protection mechanism]
Inside one physically secured building, the building itself is the control. No cryptography means no FIPS requirement.

So if someone is telling you that you need to encrypt your file servers with BitLocker, read NIST SP 800-171 R2 again. If the servers are in a secure building, you don’t need to.

[Image: two office buildings with server racks inside, connected by a FIPS validated firewall on each side. CUI travels in plaintext inside each building and is encrypted only across the boundary between them]
Plaintext inside the building, FIPS validated firewall-to-firewall tunnel between buildings.

A backup sitting inside a physically secure facility with the right access controls is the same idea. The backup itself doesn’t need FIPS encryption. The protection mechanism isn’t crypto, it’s the physical building itself.

Scenario 3: Wi-Fi plus the cloud

This is the one that trips people up the most.

Laptop on Wi-Fi. Wi-Fi goes through a firewall, out to the internet, into Office 365. CUI is in the browser session.

A lot of teams look at this and decide their Wi-Fi has to be FIPS validated.

It doesn’t.

The TLS session from the browser to O365 is already FIPS validated. The CUI is wrapped in compliant crypto before it ever touches the wireless. There’s no need to encrypt it twice. Wi-Fi being WPA2 or WPA3 covers the wireless encryption practice, but that’s a different control with a different point. FIPS only enters the picture if CUI is crossing the wireless in a form that isn’t already wrapped in a FIPS validated tunnel.

When the CUI path is browser to O365, the wireless underneath is just transport. It’s carrying an already-encrypted payload.

The pattern

Before asking “does this need FIPS,” ask:

  1. Is CUI actually on this thing?
  2. Is cryptography the control protecting it?
  3. Is the reason confidentiality?

If the answer to all three is yes, a FIPS validated module is required. If any one of them is no, it isn’t.
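The three-part test can be walked mechanically over a data flow diagram. The following is an added example, not the article's or any NIST tool's code: each segment of a flow carries a stack of protection layers (innermost first), and the test is applied layer by layer, so the Wi-Fi-under-TLS case from Scenario 3 comes out as "already wrapped". The control names, segment names and the rule that a non-validated confidentiality layer leaves CUI exposed for the next layer are constructed assumptions.

```python
"""Added example: apply the article's three-part FIPS test to each protection
layer on each segment of a CUI data flow. Constructed model, not a NIST tool."""
from dataclasses import dataclass

@dataclass
class Control:
    name: str
    kind: str                         # "crypto" or "physical"
    purpose: str = "confidentiality"  # why the control exists (confidentiality, integrity, ...)
    fips_validated: bool = False      # crypto module is CMVP validated

@dataclass
class Segment:
    name: str
    controls: list[Control]           # innermost layer first, e.g. [TLS, WPA2]
    carries_cui: bool = True

def assess_segment(seg: Segment) -> list[tuple[str, str]]:
    """Return (control name, verdict) for every protection layer on one segment."""
    verdicts = []
    exposed = True  # is CUI still outside a FIPS validated confidentiality tunnel?
    for c in seg.controls:
        if not seg.carries_cui:                     # prong 1: is CUI on this thing?
            v = "not required: no CUI on this segment"
        elif not exposed:                           # Scenario 3: Wi-Fi carrying TLS ciphertext
            v = "not required: payload already inside a FIPS validated tunnel"
        elif c.kind == "physical":                  # prong 2: is crypto the control?
            v = "not required: control is physical, not cryptographic"
        elif c.purpose != "confidentiality":        # prong 3: is the reason confidentiality?
            v = "not required: crypto is not protecting confidentiality"
        elif c.fips_validated:
            v, exposed = "FIPS required: satisfied", False  # outer layers now carry ciphertext
        else:  # assumption: non-validated crypto does not satisfy the control, CUI stays exposed
            v = "FIPS required: GAP, module not validated"
        verdicts.append((c.name, v))
    return verdicts

def assess_flow(segments: list[Segment]) -> dict[str, list[tuple[str, str]]]:
    return {s.name: assess_segment(s) for s in segments}

# Constructed controls and flows mirroring the article's scenarios
TLS = Control("TLS 1.2 browser to O365", "crypto", fips_validated=True)
WPA2 = Control("WPA2 on office Wi-Fi", "crypto")
BUILDING = Control("badge-controlled building", "physical")
TUNNEL = Control("FIPS firewall-to-firewall tunnel", "crypto", fips_validated=True)
SCENARIOS = {
    "laptop to O365": [Segment("browser to O365", [TLS])],
    "two servers, one facility": [Segment("cable between servers", [BUILDING])],
    "two buildings": [Segment("inside A", [BUILDING]), Segment("between buildings", [TUNNEL]),
                      Segment("inside B", [BUILDING])],
    "Wi-Fi plus cloud": [Segment("laptop over Wi-Fi", [TLS, WPA2]), Segment("firewall to O365", [TLS])],
}
```

Running `assess_flow` over each entry in `SCENARIOS` reproduces the article's verdicts; swapping the TLS layer out of the Wi-Fi segment turns the WPA2 verdict into a gap, which is the case the article says does pull FIPS onto the wireless.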
