What is FIPS-validated Cryptography?

What is FIPS-validated Cryptography?

This blog post defines another acronym that appears often in CMMC 2.0 and NIST SP 800-171r2. The acronym is FIPS, and most often you will see it as part of the phrase, “FIPS-validated cryptography.” This appears specifically in 3.1.13 in NIST 800-171r2. Incidentally, this control is one of the most commonly “unmet” controls in DIBCAC assessments. You can learn more about that list in our December 2023 webinar.

What Does FIPS Stand For?

The acronym FIPS stands for Federal Information Processing Standard. This set of standards was developed by the National Institute of Standards and Technology (NIST). When a cryptographic module is FIPS-compliant, it means it has met requirements the government uses to ensure the safety of protected information.

A FIPS-validated cryptography has undergone rigorous testing to ensure it will offer the high level of security the name indicates.

What is Cryptography?

With FIPS defined, cryptography is next. Cryptography means that sensitive data is encrypted, meaning the message is jumbled so it cannot be picked up by incorrect sources. When the information reaches the correct destination, it can then be decrypted so the message can be read and understood. You may have come across this type of cybersecurity in email communications that ask you to log into a website to authenticate your identity before you can read the enclosed message.

FIPS-validated Cryptography and NIST SP 800-171

If FIPS validation is a high level of security for CUI and cryptography is an encoding of CUI, the two together help to provide the kind of protection at the heart of the NIST standard. Other facets of NIST security controls will further strengthen the protection of CUI you receive, store, or distribute. These other tactics include rigid access control policies, multi-factor authorization protocols, and more.

It is important to remember that even if you are working with an External Service Provider (ESP), responsibility for the protection of the CUI you work with falls on you. A shared responsibility matrix is helpful in working out with your ESP who will cover different parts of the cybersecurity plan so nothing falls through the cracks. That includes tasks like training and education to staff members, regularly updating cryptographic controls, and more.


Are you wondering how much of a journey you have until you reach FIPS-validated cryptography in your organization? Do you have questions about other controls in the NIST SP 800-171 standard? Contact us today or schedule a no-obligation 30-minute conversation. While we cannot offer consultation, we can help you decrypt what some of the NIST requirements translate to in the real world.

Show Policy

New! NIST 800-171 assessment checklist!

Latest Resources

See all resources