FIPS (Federal Information Processing Standards)
Federal Information Processing Standards (FIPS) are a set of publicly available standards developed by the National Institute of Standards and Technology (NIST) for use in federal computer systems. For defense contractors pursuing CMMC certification or FedRAMP authorization, FIPS compliance — particularly FIPS 140-2 and its successor FIPS 140-3 for cryptographic modules — is a foundational requirement that ensures government data is protected by validated encryption methods.
What Are Federal Information Processing Standards?
FIPS are standards developed by NIST and approved by the Secretary of Commerce under the Federal Information Security Modernization Act (FISMA). Unlike NIST Special Publications (such as SP 800-53 or SP 800-171, which are guidance unless a contract or regulation makes them binding), FIPS are mandatory for federal agencies; FISMA removed the earlier provision that let agencies waive them. Contractors inherit the requirement through contract clauses and program rules (DFARS, CMMC, FedRAMP) rather than directly from FISMA. The standards cover a range of information processing topics, from cryptographic algorithms (FIPS 197 for AES, FIPS 180-4 for the SHA-2 family) to security categorization of federal systems (FIPS 199 and FIPS 200) and identity credentials (FIPS 201 for PIV cards).
FIPS 140-2 and FIPS 140-3: Cryptographic Module Validation
The most relevant FIPS standards for defense contractors are FIPS 140-2 and FIPS 140-3, which establish security requirements for cryptographic modules used in hardware, software, and firmware. These standards define four increasing security levels:
- Level 1: Basic requirements: at least one approved algorithm or security function, production-grade components, and no specific physical security mechanisms. A software library running on a general-purpose OS is typically validated at this level.
- Level 2: Adds tamper-evidence requirements (coatings, seals, or pick-resistant locks) and role-based authentication of operators.
- Level 3: Adds tamper detection and response (for example, zeroization of plaintext keys when the enclosure is opened) and identity-based authentication, with physical separation of the interfaces used to enter and output plaintext critical security parameters.
- Level 4: Provides the highest level of security with a complete envelope of protection around the cryptographic module that detects and responds to all unauthorized physical access, plus protection against environmental attacks such as out-of-range voltage or temperature.
The Cryptographic Module Validation Program (CMVP), jointly operated by NIST and the Canadian Centre for Cyber Security, manages the testing and validation process; testing itself is performed by accredited third-party laboratories, and the CMVP reviews their reports and issues the certificates. FIPS 140-3 became effective in September 2019 and aligns with the international standards ISO/IEC 19790 (requirements) and ISO/IEC 24759 (test methods). The CMVP stopped accepting FIPS 140-2 submissions for new validation certificates in September 2021, and existing FIPS 140-2 certificates are scheduled to move to the CMVP historical list in September 2026, making FIPS 140-3 the standard for all new cryptographic module certifications.
FIPS Compliance in CMMC and NIST 800-171
NIST SP 800-171 requirement 3.13.11 explicitly mandates FIPS-validated cryptography whenever cryptography is used to protect the confidentiality of Controlled Unclassified Information (CUI). This means defense contractors subject to DFARS 252.204-7012 and CMMC Level 2 (which assesses against SP 800-171) must use FIPS-validated encryption for CUI at rest and in transit. Two points are easy to miss: it is the cryptographic module (the library, kernel component, or hardware device) that is validated, not the product built on top of it, and the module only counts as validated when it is operated in the approved mode described in its CMVP security policy. Common areas where the requirement applies include VPN connections, disk encryption, email encryption, database encryption, and wireless network security.
FIPS Compliance in FedRAMP
FedRAMP requires cloud service providers to use FIPS 140-2 validated (or FIPS 140-3 validated) cryptographic modules at all impact levels — Low, Moderate, and High. This requirement extends to the entire data lifecycle within the cloud environment, making FIPS validation a prerequisite for any cloud service seeking FedRAMP authorization.
Common FIPS Compliance Challenges
Achieving FIPS compliance can be challenging because not all commercial encryption implementations are FIPS-validated. Organizations often discover that their existing tools, such as open-source libraries or default OS encryption, use approved algorithms but lack formal CMVP validation. The distinction matters: using AES-256 encryption is not the same as using a FIPS-validated AES-256 implementation. OpenSSL illustrates the point: its default provider is not validated, while the separately loaded OpenSSL FIPS provider is, so the same application can be compliant or not depending on which provider is active. Contractors must verify that their specific cryptographic modules appear on the NIST CMVP validated modules list (https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules), and that the certificate covers the exact module version and one of the tested operational environments (OS and hardware platform) they actually run. A validated module that is installed but not switched into its approved mode, or running on an untested platform, does not satisfy the requirement.
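As an added example (not code from the page or from NIST), the following Python script checks the evidence a practitioner actually looks for on a Linux host before claiming "FIPS mode": the kernel flag, whether the OpenSSL 3 FIPS provider is loaded and active, and whether the Python/OpenSSL binding refuses a non-approved algorithm (MD5) for security use. The `/proc/sys/crypto/fips_enabled` path and the layout of `openssl list -providers` output are assumptions about a Linux host with OpenSSL 3.x, and the sample provider listings are constructed. None of this replaces the CMVP certificate check; it only confirms the module is running in the mode the certificate describes.

```python
"""FIPS-mode posture check (added example; assumes Linux + OpenSSL 3.x, Python 3.9+)."""
import hashlib
import shutil
import subprocess
from typing import Dict, Optional

FIPS_ENABLED_PATH = "/proc/sys/crypto/fips_enabled"  # assumption: Linux kernel flag

# Constructed sample outputs of `openssl list -providers` (OpenSSL 3.x layout).
SAMPLE_PROVIDERS_FIPS = """Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.8
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.0.8
    status: active
"""
SAMPLE_PROVIDERS_DEFAULT_ONLY = """Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.8
    status: active
"""


def parse_fips_enabled(text: str) -> bool:
    """Interpret the kernel flag file: "1" means the kernel enforces FIPS mode."""
    return text.strip() == "1"


def kernel_fips_enabled(path: str = FIPS_ENABLED_PATH) -> Optional[bool]:
    """True/False from the kernel flag, or None when the flag file is absent."""
    try:
        with open(path, encoding="ascii") as fh:
            return parse_fips_enabled(fh.read())
    except OSError:
        return None


def parse_openssl_providers(text: str) -> Dict[str, str]:
    """Map provider name -> status from `openssl list -providers` output.

    A provider name is an indented line without a colon; its fields
    (name:, version:, status:) follow it, indented further.
    """
    providers: Dict[str, str] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "Providers:":
            continue
        if ":" not in line:
            current = line
            providers.setdefault(current, "unknown")
        elif current is not None and line.startswith("status:"):
            providers[current] = line.split(":", 1)[1].strip()
    return providers


def fips_provider_active(text: str) -> bool:
    """True when a provider named 'fips' is loaded and reports status active."""
    return parse_openssl_providers(text).get("fips") == "active"


def library_rejects_nonapproved() -> bool:
    """Probe the binding: in a FIPS-enforcing build, MD5 for security use raises ValueError."""
    try:
        hashlib.md5(b"probe")
    except ValueError:
        return True
    return False


def md5_for_non_security_use(data: bytes) -> str:
    """Legacy checksum that stays available in FIPS mode via usedforsecurity=False."""
    return hashlib.md5(data, usedforsecurity=False).hexdigest()


def posture_report() -> Dict[str, Optional[bool]]:
    """Combine the indicators; any None/False means FIPS mode is not demonstrated."""
    report: Dict[str, Optional[bool]] = {
        "kernel_fips_enabled": kernel_fips_enabled(),
        "library_rejects_nonapproved": library_rejects_nonapproved(),
        "openssl_fips_provider_active": None,
    }
    if shutil.which("openssl"):
        proc = subprocess.run(["openssl", "list", "-providers"],
                              capture_output=True, text=True)
        if proc.returncode == 0:
            report["openssl_fips_provider_active"] = fips_provider_active(proc.stdout)
    return report


if __name__ == "__main__":
    for key, value in posture_report().items():
        print(f"{key}: {value}")
```

On a host that is not in FIPS mode the script reports `kernel_fips_enabled: 0` (or `None` outside Linux), the default provider only, and an MD5 probe that succeeds; that is the "approved algorithms, no validated module in approved mode" situation described above, even though the same host can happily compute AES-256.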