
FIPS 140-3 for CMMC Compliance: Securing Federal Information With Modern Cryptography
FIPS 140-3 is a pivotal standard in modern cryptography, ensuring the security and integrity of cryptographic modules. It sets rigorous requirements for hardware and software, maintaining stringent levels of cybersecurity adherence. This cryptographic standard is crucial for protecting sensitive information across various sectors, including government and defense.
For companies seeking Cybersecurity Maturity Model Certification (CMMC) compliance, FIPS 140-3 is indispensable. It aligns with CMMC requirements, ensuring that organizations implement robust encryption practices for safeguarding controlled unclassified information (CUI). Adopting FIPS 140-3 not only aids in achieving CMMC compliance but also enhances the overall cybersecurity posture, reducing vulnerabilities and enhancing trust with stakeholders.
In this blog post, we’ll examine the FIPS 140-3 framework, its importance for defense contractors in the Defense Industrial Base (DIB), and how to implement and maintain this cryptography standard to safeguard CUI and maintain CMMC compliance.
What Is FIPS 140-3?
Federal Information Processing Standards (FIPS) are security standards that federal and defense systems must follow; the FIPS 140 series specifically addresses cryptography. FIPS 140-3 (Federal Information Processing Standards Publication 140-3) is the security standard developed by the National Institute of Standards and Technology (NIST) that establishes requirements for cryptographic modules used to protect sensitive but unclassified information. Published on March 22, 2019, FIPS 140-3 supersedes the previous FIPS 140-2 standard and aligns with the international ISO/IEC 19790:2012(E) standard, with modifications permitted by the Cryptographic Module Validation Program (CMVP).
Unlike its predecessor FIPS 140-2, which directly contained the requirements for cryptographic modules, FIPS 140-3 references the ISO/IEC 19790:2012 and ISO/IEC 24759:2017 standards. This represents a significant change in the management approach, creating alignment with international standards while maintaining the authority to make specific modifications to meet U.S. government security needs.
FIPS 140-3 applies to all U.S. federal agencies that use cryptography-based security systems to protect sensitive information in computer and telecommunication systems as defined in the Information Technology Management Reform Act of 1996 and the Federal Information Security Management Act of 2002. All federal departments and agencies must use this standard when designing and implementing cryptographic modules that they operate or that are operated for them under contract. The standard also extends to private and commercial organizations that choose to adopt it, particularly those that interact with federal systems or operate in regulated industries.
FIPS 140 Security Levels
The FIPS 140 Security Levels define a set of criteria that cryptographic modules must meet to ensure data protection. These levels range from 1 to 4, with increasing complexity and security standards. Each level provides a different degree of security, accommodating various cryptographic needs and applications in both governmental and commercial sectors.
To align with CMMC, understanding the FIPS 140-3 security levels is essential. Level 1 may suffice for basic applications, while more sensitive operations often require the added protections of Levels 3 or 4. Ensuring that your cryptographic modules meet the appropriate level supports data integrity and satisfies the FIPS-validated cryptography requirements that CMMC inherits from NIST SP 800-171.
Why FIPS 140-3 Is Important
FIPS 140-3 creates a standardized framework for evaluating the security of cryptographic implementations and establishes minimum security requirements that provide assurance for protecting sensitive information. It offers a common benchmark that vendors can build to and that government agencies can require, ensuring consistency across different products and systems. By aligning U.S. standards with international security specifications, FIPS 140-3 also helps organizations that operate globally to meet requirements across different jurisdictions.
According to NIST and the Canadian Centre for Cyber Security, non-validated cryptography is viewed as providing no protection to information—equivalent to plaintext. This stark assessment underscores why using validated cryptographic modules is critical for systems handling sensitive information. When an agency specifies that information must be cryptographically protected, FIPS 140-2 or FIPS 140-3 validation is required to ensure that cryptographic implementations meet established security standards.
Key Takeaways
- FIPS 140-3 Is Essential for Federal Security Compliance: FIPS 140-3 establishes critical security requirements for cryptographic modules that protect sensitive information, with non-validated cryptography officially considered equivalent to plaintext by NIST.
- CMMC 2.0 and FIPS 140-3 Are Interconnected: Defense contractors handling controlled unclassified information (CUI) must achieve CMMC Level 2 compliance by 2028, which includes FIPS-validated cryptography requirements with specific scoring impacts if not implemented.
- Four Security Levels Provide Flexible Implementation: Organizations can select from four increasingly rigorous security levels based on their specific risk profiles and the sensitivity of the information they protect, balancing security needs with operational requirements.
- Transition Timeline Is Critical: With FIPS 140-2 validated modules only accepted through September 21, 2026, organizations must plan their transition to FIPS 140-3 validated modules to maintain compliance and avoid security gaps.
- Validated Solutions Like Kiteworks Simplify Compliance: Kiteworks’ FIPS 140-3 validation (Certificate #4724) demonstrates how implementing validated cryptographic modules with features like double encryption can help organizations meet federal security standards while protecting sensitive information.
Key Features and Components of FIPS 140-3
FIPS 140-3 defines four increasing, qualitative security levels (Level 1 through Level 4) that cover a wide range of potential applications and environments. Level 1 provides basic security requirements for a cryptographic module, while Level 4 provides the highest level of security with enhanced physical protection and environmental attack resistance. These graduated levels allow organizations to select the appropriate security level based on their specific risk profile and the sensitivity of the information being protected.
The standard addresses eleven key security areas: cryptographic module specification; cryptographic module interfaces; roles, services, and authentication; software/firmware security; operating environment; physical security; non-invasive security; sensitive security parameter management; self-tests; life-cycle assurance; and mitigation of other attacks. A notable addition in FIPS 140-3 compared to FIPS 140-2 is the introduction of non-invasive physical security requirements, which address threats such as side-channel attacks that attempt to extract sensitive information by analyzing physical characteristics like power consumption or electromagnetic emissions.
The FIPS 140-3 framework consists of several key documents that work together to define the full set of requirements. FIPS 140-3 itself is the top-level standard that references the ISO/IEC standards. ISO/IEC 19790:2012 specifies the security requirements for cryptographic modules, while ISO/IEC 24759:2017 provides the test requirements. NIST has also published the SP 800-140 series of Special Publications that modify or add to the ISO/IEC requirements to meet U.S. government needs. Additional documents include Implementation Guidance that provides interpretations and clarifications, and the CMVP Management Manual that describes program procedures.
What Is the Cryptographic Module Validation Program (CMVP)?
The CMVP is a joint effort between NIST and the Canadian Centre for Cyber Security that validates cryptographic modules against FIPS 140-3 requirements. This validation process provides assurance that modules correctly implement approved security functions and meet all security requirements. Modules that successfully complete the validation process receive a certificate and are listed on the CMVP website.
The CMVP began validating cryptographic modules to FIPS 140-3 on September 22, 2020. There is a transition period during which FIPS 140-2 validated modules will continue to be accepted through September 21, 2026. After that date, FIPS 140-2 validated modules will be moved to the Historical list and may only be used in existing systems.
The validation process involves testing by accredited laboratories that hold appropriate National Voluntary Laboratory Accreditation Program (NVLAP) credentials. These labs perform testing against the requirements and create submission packages that the CMVP reviews. This independent testing and validation provides credibility and assurance that modules meet the required security standards.
Does CMMC Require FIPS?
The Cybersecurity Maturity Model Certification (CMMC) framework emphasizes protecting sensitive information within the Defense Industrial Base. One question often arises: Does CMMC require Federal Information Processing Standards (FIPS)? CMMC does not name FIPS as a standalone requirement, but the NIST SP 800-171 requirements it incorporates call for FIPS-validated cryptography wherever cryptography is used to protect CUI, so using validated modules is part of satisfying CMMC’s own controls for safeguarding unclassified federal information.
To achieve CMMC compliance with a focus on cryptographic security, organizations should consider adopting the FIPS 140-3 standard. This standard plays a pivotal role in certifying that cryptographic modules have undergone rigorous testing and meet specific security requirements. By integrating FIPS 140-3 into their cybersecurity strategies, companies can enhance the integrity of data protection mechanisms. This not only aligns with federal expectations but also strengthens the overall cybersecurity posture essential for CMMC compliance. The alignment with FIPS 140-3 demonstrates a commitment to adhering to the highest levels of security protocols.
FIPS 140 Certified Encryption for CMMC 2.0 Alignment
Achieving CMMC 2.0 compliance requires organizations to utilize FIPS 140 certified encryption methodologies to ensure data protection and cybersecurity resilience. These cryptographic standards foster robust security measures, safeguarding sensitive information against potential threats. Aligning with these standards not only fulfills compliance obligations but also enhances overall data security posture.
Adopting FIPS 140-3 for CMMC compliance is crucial, as it provides a verified foundation for encryption practices, ensuring that all cryptographic components meet rigorous security benchmarks. This alignment is indispensable for contractors and organizations working with the Department of Defense, as it ensures their security measures are both effective and up to date. By integrating FIPS 140-3 certified solutions, organizations not only adhere to compliance requirements but also gain a competitive edge through fortified cybersecurity defenses.
CMMC 2.0 and FIPS 140-3: The Critical Connection
The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense’s framework designed to enforce cybersecurity standards for defense contractors handling sensitive data. FIPS 140-3 validation plays a crucial role within this framework, particularly for organizations that need to achieve CMMC compliance.
CMMC 2.0 has streamlined the previous model into three distinct certification levels:
- Level 1 (Foundational): CMMC Level 1 requires 15 basic safeguarding practices for Federal Contract Information (FCI) and allows for annual self-assessment.
- Level 2 (Advanced): CMMC Level 2 mandates all 110 security requirements from NIST SP 800-171 Rev. 2 for protecting controlled unclassified information (CUI). This level requires triennial third-party assessments by Certified Third-Party Assessment Organizations (C3PAOs) and annual self-attestation.
- Level 3 (Expert): CMMC Level 3 builds upon Level 2 by incorporating 24 additional requirements from NIST SP 800-172 for enhanced protection of high-priority programs and involves government-led assessments.
FIPS 140-3 validation is a critical component of CMMC Level 2 compliance, which is required for organizations handling CUI. According to DoD guidelines, organizations must achieve Level 2 compliance by 2028, with phased enforcement beginning in 2025.
The integration of FIPS 140-3 into CMMC becomes evident in the scoring methodology. As outlined in the DoD Assessment Methodology, CMMC Level 2 uses a scoring system based on the 110 security requirements from NIST SP 800-171 Rev. 2. Each requirement is valued at 1, 3, or 5 points, with a maximum score of 110 and a minimum passing score of 88.
Specifically for cryptography requirements, the scoring guidelines state:
- 5 points are deducted if no cryptography is employed
- 3 points are deducted if cryptography is employed but not FIPS validated
This scoring approach highlights the importance of FIPS validation within the CMMC framework, though it also acknowledges the challenges of implementation by allowing partial credit for organizations that have implemented non-validated cryptography as an interim step.
Unlike previous federal requirements that primarily affected government agencies and their direct contractors, CMMC expands FIPS 140 requirements to approximately 250,000 Defense Industrial Base (DIB) companies. This significant scope expansion creates both challenges and opportunities for organizations in the defense supply chain.
For many smaller defense contractors with limited cybersecurity resources, implementing FIPS 140-3 validated cryptography represents a substantial hurdle. Traditional FIPS 140 certification can take up to two years, requiring collaboration with accredited labs and NIST, which may strain resources for smaller organizations.
How FIPS 140-3 Enhances Security and Compliance
FIPS 140-3 improves organizational security by ensuring the use of strong, validated cryptographic algorithms and standardizing security controls across different products and vendors. It enforces proper management of encryption keys and other sensitive security parameters, mandates integrity verification through self-tests, and provides requirements for physical protection based on the chosen security level.
From a compliance perspective, FIPS 140-3 supports organizations in meeting various regulations that require protection of sensitive data. It’s directly required for federal agencies under the Federal Information Security Management Act (FISMA). Organizations in regulated sectors like healthcare, finance, and government that handle sensitive information or interact with federal systems often need to comply with FIPS standards to meet their regulatory obligations.
The use of FIPS 140-3 validated modules provides evidence of due diligence in implementing appropriate security controls, which can help organizations demonstrate compliance with broader security requirements and data protection regulations. This validation offers a recognized benchmark that auditors and regulators accept as evidence of proper cryptographic implementation.
Risks of Not Using FIPS 140-3 Validated Cryptography
Organizations that don’t use FIPS 140-3 validated cryptography face several significant risks. From a regulatory perspective, federal agencies and their contractors are required to use validated cryptography. Noncompliance can result in failed audits, potential penalties, and loss of the ability to do business with government entities.
The security risks are equally important. Non-validated cryptography may contain implementation flaws or vulnerabilities that could lead to data breaches or compromise of sensitive information. As NIST explicitly states, non-validated cryptography is viewed as providing no protection—equivalent to plaintext. This means that organizations relying on non-validated cryptography may believe they’re protecting data when, from a compliance perspective, they’re not.
Financial risks include the costs associated with data breaches, regulatory fines, and remediation efforts if security incidents occur due to cryptographic weaknesses. There are also reputational risks, as security failures can damage public trust and customer confidence. For organizations that work with government clients or in regulated industries, the loss of business opportunities due to noncompliance can have significant financial impacts.
Legal risks increase when organizations fail to implement required security standards. In the event of a data breach, not using validated cryptography could be seen as a failure to implement reasonable security measures, potentially increasing liability in legal proceedings. This becomes especially problematic when organizations have claimed to protect data but have used non-validated cryptographic implementations.
Best Practices for Implementing and Maintaining FIPS 140-3
FIPS 140-3 is a critical benchmark for cryptographic security in government and regulated industries. Implementing these standards properly ensures the protection of sensitive information while maintaining compliance with federal requirements, particularly for organizations handling controlled unclassified information (CUI) under CMMC frameworks.
The following best practices guide organizations through the complex process of implementing, verifying, and maintaining FIPS 140-3 validated cryptographic modules across systems, helping to secure sensitive data while meeting stringent regulatory requirements.
- Conduct a CUI Boundary Analysis: Identify data flows involving CUI and separate them from non-CUI systems to scope the implementation of FIPS 140-validated cryptography appropriately.
- Perform a Gap Assessment: Compare current cryptographic practices against NIST SP 800-171 requirements and identify deficiencies, particularly focusing on outdated encryption protocols that may need replacement.
- Implement FIPS 140-Validated Cryptography: Replace noncompliant encryption tools with FIPS 140-3-certified solutions. This may involve purchasing validated products or working with vendors to ensure their solutions meet FIPS requirements.
- Prepare for Assessment: Develop System Security Plans (SSPs) that clearly document how cryptographic requirements are met, conduct mock audits to test readiness, and be prepared to demonstrate proper implementation during C3PAO assessments.
- Manage Subcontractors: Ensure all third-party vendors handling CUI meet equivalent FIPS standards, as the prime contractor is ultimately responsible for ensuring compliance throughout the supply chain.
1. Take Inventory of Cryptography Modules
When implementing FIPS 140-3, organizations should start by conducting a thorough inventory of cryptographic modules used across their systems and identifying which ones need to be FIPS 140-3 validated based on the data they protect. This assessment should include both hardware and software components that implement cryptographic functions. For CMMC compliance specifically, organizations should:
2. Verify Cryptographic Products Validation Status
Organizations should verify the validation status of cryptographic products by checking the CMVP validation lists directly rather than relying solely on vendor claims. The CMVP maintains an up-to-date list of validated modules with their certificate numbers and validation details. Look for actual certificate numbers, as NIST cautions against misleading marketing claims about FIPS compliance.
3. Select the Appropriate Security Level
The appropriate security level is based on risk assessment and the sensitivity of the information being protected. Not all systems require the highest security levels, and there may be performance or cost implications for higher-level implementations. Choose the level that appropriately balances security needs with operational requirements.
4. Maintain Proper Configuration of Validated Modules
Ensure validated modules operate in FIPS-approved modes. Many cryptographic modules have both FIPS-approved and non-approved operational modes, and using them in non-approved modes negates the validation benefits. This includes ensuring that only approved algorithms and key lengths are used.
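As an added example (not code from Kiteworks or from the original post), the following Python inventory check ties together the Approved-mode configuration rule above and the CMMC scoring rule quoted earlier (5 points off with no cryptography, 3 points off with non-validated cryptography). The approved-algorithm allow-list and minimum key sizes are illustrative assumptions built from the algorithm families this page lists; the authoritative source for any module is its CMVP certificate and Security Policy.

```python
"""Inventory check of cryptographic modules against FIPS Approved mode,
plus the CMMC Level 2 cryptography scoring rule (added example)."""
from dataclasses import dataclass, field
from typing import Optional

# Illustrative allow-list built from the algorithm families this page lists
# for the KeyPair FIPS provider (AES modes, SHA-2/SHA-3, HMAC, RSA, DSA,
# ECDSA, EdDSA). The authoritative list for any module is its CMVP
# certificate and Security Policy, not this table.
APPROVED_ALGORITHMS = {
    "AES-128-CBC", "AES-256-CBC", "AES-128-GCM", "AES-256-GCM",
    "AES-256-CCM", "AES-256-KW",
    "SHA-256", "SHA-384", "SHA-512", "SHA3-256",
    "HMAC-SHA256", "HMAC-SHA512",
    "RSA", "DSA", "ECDSA", "EdDSA",
}
# Minimum key sizes used by this example (assumption; NIST SP 800-131A
# is the governing reference for current security strengths).
MIN_KEY_BITS = {"RSA": 2048, "DSA": 2048, "ECDSA": 256}


@dataclass
class CryptoModule:
    name: str
    cmvp_certificate: Optional[str]   # e.g. "#4724"; None = not validated
    fips_mode_enabled: bool           # module running in Approved mode?
    algorithms: list = field(default_factory=list)
    key_bits: dict = field(default_factory=dict)


def module_findings(mod: CryptoModule) -> list:
    """Return findings for one module; an empty list means it is validated,
    in Approved mode, and using only approved algorithms and key sizes."""
    findings = []
    if mod.cmvp_certificate is None:
        findings.append("no CMVP certificate: treat as non-validated")
    if not mod.fips_mode_enabled:
        findings.append("module not running in FIPS-approved mode")
    for alg in mod.algorithms:
        if alg not in APPROVED_ALGORITHMS:
            findings.append(f"non-approved algorithm in use: {alg}")
    for alg, bits in mod.key_bits.items():
        if alg in MIN_KEY_BITS and bits < MIN_KEY_BITS[alg]:
            findings.append(f"{alg} key too short: {bits} < {MIN_KEY_BITS[alg]}")
    return findings


def is_fips_validated(mod: CryptoModule) -> bool:
    return not module_findings(mod)


def cmmc_crypto_deduction(inventory: list) -> int:
    """Scoring rule quoted on this page: 5 points deducted if no
    cryptography protects CUI, 3 if cryptography is used but any module is
    not FIPS-validated (or not in Approved mode), 0 if every module passes."""
    if not inventory:
        return 5
    if all(is_fips_validated(m) for m in inventory):
        return 0
    return 3


# Constructed sample inventory for the demonstration (not real systems).
SAMPLE_INVENTORY = [
    CryptoModule("file-store", "#4724", True,
                 ["AES-256-GCM", "SHA-256"], {"RSA": 3072}),
    CryptoModule("legacy-sftp", None, False,
                 ["AES-128-CBC", "MD5"], {"RSA": 1024}),
]

if __name__ == "__main__":
    for m in SAMPLE_INVENTORY:
        print(m.name, module_findings(m) or "OK")
    print("CMMC cryptography deduction:", cmmc_crypto_deduction(SAMPLE_INVENTORY))
```

Running the script lists the findings per module and shows that a single non-validated or mis-configured module drops the inventory to the 3-point deduction, which is why the Approved-mode check belongs in the inventory step rather than only at procurement time.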
5. Develop and Implement Cryptographic Key Management Practices That Align With FIPS Requirements and NIST Guidelines
Proper management of cryptographic keys throughout their life cycle is essential for maintaining the security of cryptographic systems. This includes secure generation, storage, distribution, use, and destruction of keys.
6. Plan for the FIPS 140-2 to FIPS 140-3 Transition
With FIPS 140-2 validated modules being accepted only through September 21, 2026, organizations should develop a transition plan to ensure all systems use FIPS 140-3 validated modules by that deadline.
Kiteworks and FIPS 140-3 Compliance
Kiteworks has achieved FIPS 140-3 compliance through the implementation of the KeyPair FIPS Provider for OpenSSL 3, which has been validated at FIPS 140-3 Level 1 across most security sections, with notable Level 3 compliance in Life-Cycle Assurance (Certificate #4724). This validated cryptographic module enhances Kiteworks’ multilayered protection framework, which includes double encryption where files are encrypted at both the file level and the disk level using separate encryption keys.
Kiteworks encrypts data at rest with AES-256 encryption by default (with AES-128 as an option) and utilizes TLS 1.3 protocols for encryption in transit.
The platform’s Email Protection Gateway (EPG) extends this protection with S/MIME and OpenPGP encryption for email messages and attachments. The KeyPair cryptographic module operates exclusively in Approved mode, supporting a comprehensive suite of algorithms including AES (CBC, GCM, CCM, KW), SHA (1, 2, 3), HMAC, RSA, DSA, ECDSA, EDDSA, and various key derivation functions—all CAVP-certified.
This FIPS 140-3 validation provides assurance that Kiteworks’ cryptographic implementation meets federal standards required for protecting sensitive information in U.S. federal agencies and Designated Information in Canada, making it suitable for organizations in regulated sectors like healthcare, finance, and government that handle sensitive information or interact with federal systems.
Kiteworks Supports CMMC 2.0 Compliance
The Kiteworks Private Content Network, a FIPS 140-2 Level 1 validated secure file sharing and file transfer platform, consolidates email, file sharing, web forms, SFTP, managed file transfer, and next-generation digital rights management so that organizations can control, protect, and track every file as it enters and exits the organization.
Kiteworks supports nearly 90% of CMMC 2.0 Level 2 compliance controls out of the box. As a result, DoD contractors and subcontractors can accelerate their CMMC 2.0 Level 2 accreditation process by ensuring they have the right sensitive content communications platform in place.
Kiteworks enables rapid CMMC 2.0 compliance with core capabilities and features including:
- Certification with key U.S. government compliance standards and requirements, including SSAE-16/SOC 2, NIST SP 800-171, and NIST SP 800-172
- FIPS 140-2 Level 1 validation
- FedRAMP authorized for Moderate Impact Level CUI
- AES 256-bit encryption for data at rest, TLS 1.2 for data in transit, and sole encryption key ownership
To learn more about Kiteworks, schedule a custom demo today.