FIPS 140-2

FIPS 140-2 (Federal Information Processing Standard Publication 140-2) specifies the security requirements for cryptographic modules — the hardware, software, and firmware that perform encryption and other cryptographic functions. A FIPS 140-2 validated module has been tested by an accredited laboratory and certified by NIST to meet specific security requirements.

FIPS 140-2 validation is being superseded by FIPS 140-3, but both are currently accepted. The key point is that for protecting CUI, you can't use any encryption — it must be implemented through modules that carry FIPS validation certificates. Using strong encryption that isn't FIPS-validated doesn't satisfy the requirement.

Why It Matters

FIPS-validated encryption is a specific CMMC requirement for protecting CUI. Verifying that your encryption solutions — disk encryption, VPN, TLS, email encryption — use FIPS-validated modules is a concrete compliance step. Check the NIST CMVP database to verify validation.