Most guidance on what FIPS compliant means gets the key point wrong. It treats FIPS like a feature checkbox, as if a vendor can say “we use strong encryption” and that settles the question. For a defense contractor handling CUI or ITAR-related data, that framing is exactly how teams walk into avoidable audit trouble.
What matters in practice is not a marketing claim. It is whether the cryptographic module was validated under the government process that assessors recognize. If a tool says “FIPS compliant” but cannot prove validation status, the claim will not carry much weight in a CMMC assessment or a prime contractor’s review.
The dangerous myth of being FIPS compliant
The term “FIPS compliant” sounds reassuring. It also creates a shortcut in procurement conversations. A vendor says they use AES, TLS, or “government-grade encryption,” and the buyer assumes the product will satisfy defense requirements. That assumption fails in real audits.
FIPS 140 is the foundational encryption standard for U.S. government and defense contractor compliance. The March 2020 ITAR modernization allowed cloud services for unclassified technical data only when organizations use end-to-end encryption with FIPS 140 validated algorithms and keep decryption keys inaccessible to third parties. That made validation, not vendor marketing, the benchmark regulators and customers look for.
Why the wording matters
“Compliant” often means the vendor is describing its own design intent. “Validated” means an accredited process tested the cryptographic module and recorded that result in the system assessors expect.
The difference matters most when the environment handles:
- CUI under NIST 800-171 and CMMC expectations
- ITAR-related technical data in cloud systems
- DFARS flow-downs from a prime contractor asking for proof, not assurances
Small contractors also miss a second point. Encrypting CUI does not make it stop being regulated data. Encrypted CUI is still CUI covers that issue in detail.
What passes and what does not
What tends to pass is simple: the buyer can identify the module, the validation status, and where that module is used in the stack.
What tends to fail is fuzzy language:
- “Uses AES-256” with no module evidence
- “Runs in FIPS mode” with no tie to a validated component
- “Designed for government compliance” with no certificate trail
For defense contractors, the practical definition of “FIPS compliant” starts with a harder truth. If it is not validated in a way the assessor can verify, it is often just a claim.
Understanding true FIPS validation and the CMVP
FIPS is not just about the encryption algorithm. It is about the cryptographic module that implements it. That module might be hardware, software, firmware, or a hybrid.
Algorithm versus module
AES-256 is a strong algorithm. But using AES-256 inside an unvalidated product does not automatically satisfy the requirement that matters in federal and defense environments. The implementation itself has to be tested.
FIPS validation for cryptographic modules protecting CUI requires independent testing by NIST-accredited labs under the Cryptographic Module Validation Program (CMVP). That process verifies correctness across 11 security areas. Using AES-256 in an unvalidated module is a common audit failure because implementation flaws, including improper nonce handling in GCM mode, can create practical vulnerabilities even when the algorithm is sound.
What the CMVP actually tells you
The CMVP is what turns vague claims into something verifiable. If a module is validated, there is a record on the NIST CMVP list that can be inspected by anyone.
That matters because assessors usually do not care whether a sales engineer says the product was “built with FIPS in mind.” They care whether the module the contractor relies on was evaluated through the recognized path.
| Claim | What it usually means in practice | Audit value |
|---|---|---|
| FIPS compliant | Vendor self-description | Low unless backed by validation evidence |
| FIPS capable | Product may support a validated mode or component | Incomplete by itself |
| FIPS validated | CMVP-tested module with verifiable status | What assessors want to see |
Why small mistakes become big findings
Many crypto compliance failures are not obvious. Teams see “TLS enabled” or “AES at rest” in a dashboard and assume they are covered. The actual module underneath may not be validated, may be validated only in a narrow configuration, or may require a specific operating mode that nobody turned on.
The better procurement question is not “Are you FIPS compliant?” It is “What certificate covers this exact encryption function in this deployment?” That is the heart of what FIPS compliant means for a defense contractor: a verifiable property of the cryptographic module in use, not a branding term.
The transition from FIPS 140-2 to 140-3
A lot of contractors are still asking the wrong question. They ask, “Is the product FIPS?” The better question in 2026 is, “Is it validated under 140-2, validated under 140-3, or stuck somewhere in between with no credible roadmap?”
The practical difference between the standards
FIPS 140-2 is the legacy standard most contractors have been working with for years. FIPS 140-3 is the current successor. In day-to-day operations, the bigger issue is not the academic differences between the standards. It is whether vendors are keeping pace with the transition in a way that does not leave the contractor exposed during an assessment or contract review.
NIST has announced that FIPS 140-2 validations will not be accepted after September 2026, and all new validations now require FIPS 140-3. As of early 2026, there is still a meaningful migration gap because many vendors remain in transition amid accredited lab capacity constraints. For CMMC Level 2, DoD guidance allows use of 140-2 validated modules until the 2026 deadline, but only when the vendor has a clear documented roadmap to 140-3. Assessors reject self-declared or unproven transition plans.
What to ask vendors now
When evaluating email security, file sharing, VPN, endpoint encryption, or application hosting, direct questions produce better answers:
- Current status. Is the relevant module validated under 140-2 or 140-3 today?
- Scope. Which product functions are covered by that module?
- Roadmap. What is the vendor’s documented path to 140-3 where needed?
- Evidence. Can they identify the certificate and deployment conditions?
The goal is precise answers, not another whitepaper.
Red flags during the transition
Some vendors are legitimate but slow. Others are hiding behind vague language. These patterns warrant immediate scrutiny:
| Red flag | Why it matters |
|---|---|
| ”We align with FIPS principles” | Avoids validation status entirely |
| ”Our infrastructure provider is FIPS” | Shared components do not automatically validate the full product |
| ”We’re moving to 140-3 soon" | "Soon” is not a roadmap |
| ”FIPS mode is available on request” | Availability is not proof of assessed deployment |
A vendor without a transition answer today is asking the customer to carry their compliance risk tomorrow.
How to make a sane decision
Not every contractor needs to rip out every 140-2 module immediately. But every contractor should know where those modules sit in the environment and whether each vendor has a credible path forward. Keep using validated technology where allowed. Eliminate anything based on self-declared claims. Push vendors for a roadmap before the assessor asks for one.
How to verify a vendor’s FIPS certificate in three steps
Most buying teams skip this step. They ask whether a product is FIPS compliant, hear “yes,” and move on. A better process takes a few minutes and saves significant trouble later.
Step 1: Ask for the exact certificate reference
Do not ask, “Are you FIPS compliant?” Ask:
- Which cryptographic module is validated?
- What is the FIPS 140 certificate number or CMVP listing reference?
- Which product version and deployment architecture does it apply to?
A serious vendor can answer those questions without turning it into a philosophy discussion. If they cannot, that is the first warning sign.
Step 2: Look up the module independently
Go to the NIST CMVP validated modules database and search using the certificate number, module name, or vendor name. The goal is not to become a cryptography expert. The goal is to confirm that the validation exists and that it appears to match the product being evaluated.
Check for alignment between vendor identity, module name, validation standard, status, and relevant platform details. If the listing is hard to tie to the product being sold, ask the vendor to map it in writing.
Step 3: Inspect the status and the scope
In practice, many “yes, we’re FIPS” claims fall apart at this step. Look for:
- Historical status rather than an active validation path
- A certificate tied to a component but not the service being purchased
- Validation limited to a specific configuration that does not match the planned deployment
- No clear explanation of FIPS mode when the product depends on one
A simple screening table helps:
| What you find | What to do |
|---|---|
| Clear listing that matches the product function | Keep evaluating |
| Listing exists but only covers a lower-level library | Ask how the product depends on it and whether the full implementation stays within scope |
| Historical or unclear status | Escalate before procurement |
| No certificate information at all | Treat the claim as unverified |
What buyers miss most often
Buyers often stop at the first proof point. They see that a vendor uses a validated operating system module or a validated library and assume the whole application inherits that status. Sometimes that is directionally helpful. It still is not enough unless the vendor can clearly explain how the validated module supports the exact service and configuration under review. If the assessor has to guess how a vendor’s validation maps to the contractor’s system, the due diligence is not finished.
Building the broader CMMC evidence file? Get the free CMMC Level 2 readiness checklist. 30 items across 11 control families, with what a C3PAO expects to see for each one.
FIPS as a cornerstone of CMMC, ITAR, and DFARS compliance
FIPS matters because it does not sit alone. It feeds into the broader frameworks defense contractors live under. Treating it as a standalone encryption preference misses why assessors and primes push on it so hard.
For contractors handling technical data under ITAR, the encryption floor is not vague. The required minimum encryption strength is 128 bits (NIST Special Publication 800-57 Part 1), and the ITAR cloud carve-out specifically requires FIPS 140 compliant modules for end-to-end encryption. That 128-bit minimum also serves as the baseline across related defense frameworks, including CMMC and NIST 800-171.
That has a practical consequence. Choosing collaboration tools, storage, remote access, or email controls is not just a security decision. It determines whether the environment can credibly support ITAR, CUI, and contract obligations at the same time.
How the frameworks connect in practice
A small contractor usually encounters FIPS through one of these entry points:
- NIST 800-171 and CMMC Level 2 when protecting CUI
- ITAR cloud handling for unclassified technical data
- DFARS flow-downs from a prime asking how the environment protects covered data
- FedRAMP-adjacent expectations when inheriting cloud control questions from government customers or primes
What “good enough” usually looks like
The answer is rarely “buy the most expensive product on the market.” Usually it is this:
| Control area | What assessors expect to see |
|---|---|
| Data in transit | Validated cryptography supporting secure transmission |
| Data at rest | Validated modules for storage encryption where required |
| Key protection | Clear custody model and restricted access to decryption keys |
| Vendor evidence | Mapped documentation, not generic security brochures |
The common thread is evidence. The encryption approach must align with the requirement, and the technology stack behind it must be supportable during an assessment.
Where teams get into trouble
Trouble usually starts when teams buy one cloud service for email, another for files, another for messaging, and assume each provider’s security page adds up to a compliant whole. It often does not. Shared responsibility, inherited controls, and component-level validation claims can leave gaps between what the vendor protects and what the assessor needs to see. That is why FIPS is a cornerstone: it provides one of the clearest technical proof points inside a wider compliance story.
Common FIPS misconceptions that will fail an audit
The fastest way to clean up FIPS confusion is to strip away the myths vendors repeat and buyers absorb.
Myth 1: AES-256 means you are covered
Reality: Algorithm strength is not the same thing as validated implementation. A product can use AES-256 and still fail the compliance test if the underlying cryptographic module is not validated or not deployed in the way the validation requires. That distinction is where many teams lose time during evidence collection. How safe is Google Drive for CUI covers a concrete example of that gap.
Myth 2: FIPS compliant and FIPS validated mean the same thing
Reality: They do not. Self-declared FIPS compliance is not equivalent to CMVP validation. NIST has stated that using unvalidated modules is a FISMA violation. This gap is a primary cause of audit failures for defense contractors because unvalidated products may contain vulnerabilities unacceptable for federal work and can be rejected during a C3PAO assessment for CMMC Level 2.
Myth 3: If the operating system is validated, all apps are covered
Reality: Maybe, maybe not. Application teams often inherit a validated OS component and assume every crypto function in the application is automatically acceptable. Assessors usually do not grant that assumption. They want to know how the application uses the validated module and whether the operational configuration stays inside the validated boundary.
Myth 4: Higher FIPS level always means better compliance
Reality: A higher level means different trade-offs, not automatic fitness for the use case. Levels matter, but not the way many buyers think. A hardware device that needs tamper-evident protections has different needs than a software service supporting ordinary contractor workflows.
| Myth | Reality that usually holds up |
|---|---|
| Level 3 is always required | Many contractors operate effectively with Level 1 or higher, depending on system role |
| ”FIPS mode” alone solves it | Only when that mode ties to a validated module and is actually enforced |
| Vendor brochure proof is enough | Assessors want verifiable evidence |
| One validated component validates the stack | Scope still matters |
Myth 5: Once validated, always validated
Reality: Validation status can change, and configuration drift matters. Software updates, architectural changes, and undocumented deployment variations can create trouble if the vendor cannot explain what remains covered. Even where a product started in a compliant posture, the customer still needs to confirm that the version and configuration in use match the validated story being presented.
Common FIPS questions for contractors
Does a cloud provider’s FIPS posture automatically cover SaaS tools running on it?
No. A cloud provider may offer validated components, but that does not automatically validate every application on top of it. The provider, the software vendor, and the contractor’s own deployment choices each affect the compliance picture. Ask each vendor to explain which cryptographic module they rely on and how that maps to the service in use.
If software has a FIPS mode, is that enough?
Usually not. “FIPS mode” can be meaningful, but only when it points to a validated module and the vendor can show that the approved mode is the one operating in the customer environment. A settings toggle with no validation mapping is not enough.
What if the certificate is historical?
Do not ignore it, but do not panic either. A historical listing is a signal to ask more questions. The contractor needs to know whether the product still fits within accepted use for the relevant assessment context and whether the vendor has an active migration path where needed. If the vendor cannot explain that status clearly, move the issue into risk review before purchase or renewal.
Which FIPS level do most contractors actually need?
The answer depends on the product role. Level 1 validates basic algorithm use, Level 2 adds role-based authentication, and Level 3 requires tamper-evident physical enclosures. Most defense contractors target modules validated at Level 1 or higher for NIST 800-171 and CMMC Level 2 because that tends to balance security and usability without the stricter operational constraints associated with Level 4.
Should vendors still on 140-2 be rejected automatically?
No. The better question is whether the vendor has a credible and documented transition path to 140-3 on a timeline that works for the contractor’s obligations. The wrong move is accepting a hand-wavy answer and hoping the assessor sees it the same way.
What should an evidence file actually contain?
Keep it simple and usable:
- Vendor attestation. A written statement describing the validated module and deployment scope.
- Certificate reference. The exact identifier or CMVP record details.
- Architecture note. A short internal explanation of where the module is used.
- Configuration evidence. Proof that approved settings or FIPS mode are enabled where relevant.
That package will not answer every audit question, but it is a much stronger starting point than a PDF brochure and a verbal assurance from a sales rep. The practical answer to “what is FIPS compliant” is not “uses strong encryption.” It is “uses cryptography that can be proven, scoped, and defended during an audit.”
Related reading
Get the CMMC Level 2 readiness checklist
30 items across 11 control families, with what a C3PAO expects to see for each one. Subscribers also lock in founding member pricing when IRONKEEP launches.
Founding member pricing goes away at launch.